Static configuration extractor for the Karton framework
Project description
Config extractor Karton service
Extracts static configuration from samples and memory dumps using the malduck engine.
Author: CERT.pl
Maintainers: nazywam, psrok1, msm
Consumes:
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win32"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win64"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "linux"
},
{
    "type": "analysis",
},
While the "sample" type is self-explanatory, the "analysis" type may be confusing. An analysis task is the output of a sandbox (drakvuf-sandbox, cuckoo or joesandbox): it is a sample with additional memory dumps attached.
An analysis-type task should have the following format:
task = Task(
    headers={"type": "analysis"},
    payload={
        "sample": <sample>,
        "dumps.zip": Resource.from_directory("dumps.zip", dumps_path.as_posix()),
        "dumps_metadata": [
            {"filename": <dump1_filename>, "base_address": <dump1_base_address>},
            {"filename": <dump2_filename>, "base_address": <dump2_base_address>},
            {"filename": <dump3_filename>, "base_address": <dump3_base_address>},
            [...]
        ],
    }
)
where dumps_metadata carries the filename and base address of every memory dump in dumps.zip. Each entry has the following properties:
- filename is the path of the dump relative to the contents of dumps.zip
- base_address is the hex-encoded base address of the dump (a leading 0x is supported)
Multiple entries can be specified if the same memory dump was found at different base addresses.
The extractor tries to retrieve a configuration from each memory dump and picks the best candidate for each malware family.
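The Python below is an added example, not code from karton-config-extractor or CERT.pl. It builds the dumps.zip archive and the dumps_metadata list for an analysis task with the standard library only, and then checks the metadata against the rules above: every filename must be a relative path that exists in the archive, every base_address must be hex (with or without 0x), and a dump seen at several base addresses gets one entry per address. The dump contents are constructed placeholder bytes, not real sandbox output, and wrapping the result in karton's Task and Resource objects is left to the caller.

```python
"""Build and validate the dumps.zip / dumps_metadata payload of a Karton
"analysis" task.

Added example (not part of karton-config-extractor). Standard library only,
so it runs offline; the karton Task/Resource wrapping is shown in a comment.
"""
import io
import re
import zipfile

# Hex-encoded base address, optional leading 0x (as the README allows).
HEX_RE = re.compile(r"^(0x)?[0-9a-fA-F]+$")

# Constructed sample input: (relative filename, dump bytes, base addresses).
# Real dumps come from a sandbox; these bytes are placeholders.
SAMPLE_DUMPS = [
    ("dump_0x400000.bin", b"MZ" + b"\x00" * 62, ["0x400000"]),
    # The same dump observed at two base addresses -> two metadata entries.
    ("dump_shared.bin", b"\x90" * 16, ["0x10000000", "12000000"]),
]


def build_analysis_payload(dumps):
    """Return (zip_bytes, dumps_metadata) for an iterable of
    (filename, data, [base_address, ...]) tuples.

    One metadata entry is emitted per base address, so a dump found at
    several addresses is listed several times with the same filename.
    """
    buf = io.BytesIO()
    metadata = []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, data, base_addresses in dumps:
            zf.writestr(filename, data)
            for base in base_addresses:
                metadata.append({"filename": filename, "base_address": base})
    return buf.getvalue(), metadata


def validate_dumps_metadata(zip_bytes, metadata):
    """Check dumps_metadata against the archive.

    Returns a list of human-readable problems; an empty list means the
    payload matches the format the extractor expects.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
    for i, entry in enumerate(metadata):
        fn = entry.get("filename")
        base = entry.get("base_address")
        if not isinstance(fn, str) or fn.startswith("/") or ".." in fn.split("/"):
            problems.append(f"entry {i}: filename {fn!r} is not a relative path")
        elif fn not in names:
            problems.append(f"entry {i}: filename {fn!r} is not in dumps.zip")
        if not isinstance(base, str) or not HEX_RE.match(base):
            problems.append(f"entry {i}: base_address {base!r} is not hex-encoded")
    return problems


def base_address_int(base):
    """Parse a hex-encoded base address with or without the 0x prefix."""
    return int(base, 16)


if __name__ == "__main__":
    zip_bytes, dumps_metadata = build_analysis_payload(SAMPLE_DUMPS)
    for problem in validate_dumps_metadata(zip_bytes, dumps_metadata):
        print("invalid:", problem)
    # With karton-core installed the payload would be sent roughly as:
    #   Task(headers={"type": "analysis"},
    #        payload={"sample": sample_resource,
    #                 "dumps.zip": Resource("dumps.zip", content=zip_bytes),
    #                 "dumps_metadata": dumps_metadata})
    for entry in dumps_metadata:
        print(entry["filename"], hex(base_address_int(entry["base_address"])))
```

Run the validator before emitting the task: a filename that is not in the archive or a non-hex base address means the extractor cannot map the dump, and the problem surfaces here rather than as a silently skipped dump.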
Produces:
# Dropped dumps related to the static configuration
{
    "type": "sample",
    "stage": "analyzed",
    "kind": "dump",
    "platform": "win32",
    "extension": "exe",
    "payload": {
        "sample": <Resource>,  # Dump where the config was found
        "parent": <Resource>   # Original executable
    }
}
# Static configuration
{
    "type": "config",
    "family": <str>,  # Family name
    "payload": {
        "config": <dict>,      # Static configuration
        "sample": <Resource>,  # Dump where the config was found
        "parent": <Resource>,  # Original executable
    }
}
Usage
First of all, make sure you have set up the core system: https://github.com/CERT-Polska/karton
Then install karton-config-extractor from PyPI:
$ pip install karton-config-extractor
$ karton-config-extractor --modules malduck-extractor-modules/
Project details
Hashes for karton_config_extractor-2.2.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 3ab13a8eeedc72112884cc0f950d07a0e7b7251855f76448ada93363a964ce41
MD5 | f69fe6db5f2b588935e7d3608eef833e
BLAKE2b-256 | 6c710cd8133b2148cda7f5e5e88ef4e971c6f84636cb30cbe3e3b92bf364d645