Skip to content

CERT-Polska/karton-config-extractor

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 9 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github/workflows
 
 
karton/config_extractor
 
 
.gitignore
 
 
Dockerfile
 
 
LICENSE
 
 
README.md
 
 
pyproject.toml
 
 
requirements.txt
 
 
setup.cfg
 
 
setup.py
 
 
Config-extractor karton service Usage

README.md

Config-extractor karton service

Extracts static configuration from samples and memory dumps using the malduck engine.

Author: CERT.pl

Maintainers: nazywam, psrok1, msm

Consumes:

{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win32"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win64"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "linux"
},
{
    "type": "analysis",
},

While sample type is self explanatory, the analysis type might be confusing. The analysis task is an output from one of sandboxes: drakvuf-sandbox, cuckoo, or joesandbox. Analysis is a sample with additional memory dumps attached.

The analysis type task is expected to be in format:

task = Task(
    headers={"type": "analysis"}
    payload={
        "sample": <sample>,
        "dumps.zip": Resource.from_directory("dumps.zip", dumps_path.as_posix()),
        "dumps_metadata": [
            {"filename": <dump1_filename>, "base_address": <dump1_base_address>},
            {"filename": <dump2_filename>, "base_address": <dump2_base_address>},
            {"filename": <dump3_filename>, "base_address": <dump3_base_address>},
            [...]
        ],
    }
)

where dumps_metadata contains information about filename and base address for every memory dump in dumps.zip. The following attributes are:

  • filename which is relative path to the dumps.zip contents;
  • base_address which hex-encoded base address for dump (leading 0x is supported) You can specify multiple entries for the same file if the same memory dump was found on different base addresses.

The extractor tries to retrieve config from each memory dump and will pick only the best candidate from each malware family.

Produces:

# Dropped dumps related with static configuration
{
    "type": "sample",
    "stage": "analyzed",
    "kind": "dump",
    "platform": "win32",
    "extension": "exe"
    "payload": {
        "sample": <Resource>, # Dump where config was found
        "parent": <Resource>  # Original executable
    }
}

# Static configuration
{
    "type": "config",
    "family": <str>, # Family name
    "payload": {
        "config": <dict>,     # Static configuration
        "sample": <Resource>, # Dump where config was found
        "parent": <Resource>, # Original executable
    }
}

Usage

First of all, make sure you have setup the core system: https://github.com/CERT-Polska/karton

Then install karton-config-extractor from PyPi:

$ pip install karton-config-extractor

$ karton-config-extractor --modules malduck-extractor-modules/

Co-financed by the Connecting Europe Facility by of the European Union

About

Static configuration extractor for the Karton framework

github.com/CERT-Polska/karton

Topics

pipeline cybersecurity cert csirt malware-analysis malware-research karton

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

7 stars

Watchers

5 watching

Forks

4 forks
Report repository

Releases 9

v2.2.0 Latest
Sep 7, 2023
+ 8 releases

Contributors 6

Languages