Skip to content

CybercentreCanada/assemblyline-service-extract

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

629 Commits

.vscode

.vscode

 
 

extract

extract

 
 

pipelines

pipelines

 
 

tests

tests

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Dockerfile

Dockerfile

 
 

LICENCE.md

LICENCE.md

 
 

README.md

README.md

 
 

requirements.txt

requirements.txt

 
 

service_manifest.yml

service_manifest.yml

 
 

Repository files navigation

Extract Service

This Assemblyline service extracts embedded files from file containers (like ZIP, RAR, 7z ...)

NOTE: This service does not require you to buy any licence

Execution

The service uses the 7zip library to extract files out of containers then resubmits them for analysis.

It will also:

  • Use the python tnefparse library to parse tnef files;
  • Use the xxxswf library to extract compressed swf files;
  • Use unace to extract winace compressed files;
  • Use mstools and custom script to attempt to decode MSOffice files;
  • Extract attachments from .eml files;
  • Attempt automatic decoding using:
    • A default list of passwords (see section below)
    • An optional user-supplied password (see section below)
    • The body of an .eml file (separated once by whitespace characters and second on [a-zA-Z0-9]+)
  • Use pdfdetach in poppler-utils to extract attachments from pdf samples;
  • Use the NSIS Reversing Suite to recover a preview of the the original Setup.nsi
  • Debloat bloated files:
    • Windows executables: debloat and custom scripts
    • Windows installers (.msi)
    • Every other files by using a generic entropy-based calculator
  • Integrates the capabilities of the now-archived AutoItRipper service

Once this service has completed its processing, it will block samples from continuing to other services unless they are identified as the following file types:

- Executables
- Java files
- Android/APK packages
- Document files (i.e. Microsoft Office and PDF)
- Apple/IPA packages

NOTE: This service will avoid adding unnecessary files if the files are known to the system to be safe. This can be overridden by running the service task with deep_scan enabled.

Submission Parameters & Configuration

Parameters:

  • Password: An additional password can be provided to the service on submission to decode a container.
  • Extract PE Sections: Using the 7zip library, the service will extract sections from an executable file.
  • Continue After Extract: When true, AL will continue processing an eml sample to other services after any attachments have been extracted.

Config (set by administrator):

  • default_pw_list: List of passwords used when attempting to extract from protected archives.
  • max_email_attachment_size: Maximum size attachment to extract from a .eml file.
  • named_email_attachments_only: When true, the service will only extract attachment files from .eml when the file name is provided.

About

Assemblyline 4 File extraction service

cybercentrecanada.github.io/assemblyline4_docs/

Topics

extraction file archive malware-analysis assemblyline

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

4 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases 164

v4.5.0.stable9 Latest
Apr 18, 2024
+ 163 releases

Packages

No packages published

Contributors 9

Languages