First of all
MERRY CHRISTMAS / SEASONS GREETINGS AND A HAPPY NEW YEAR
In my last post I talked about extracting configurations from malware samples. If you haven't already read it, you can find it here.
In that article I wrote several Python scripts that extract the relevant configuration sections from specific families. There are also many scripts and techniques out on the interwebs that other researchers have created and shared.
My project for the upcoming months is to create a public framework and web application that will simplify the process of extracting, storing, searching and sharing these configurations.
Currently, and somewhat unimaginatively, named the "Malware Sample Configuration Extractor", it can extract configs from the following:
- Bozok Rat
- Pandora Rat V2
Soon To Be Supported:
- Greame Rat
- As Many More as I can work on
Here's how it works. You upload your sample to the server, which first scans it with YARA to identify the malware family and check whether it is on the supported list. If it is, the matching decode function runs and presents you with the extracted configuration. You also get a unique ID you can use to share your sample's results.
Only the configuration and the sample's hashes are stored in the database; the submitted sample itself is not.
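To make that pipeline concrete, here is an added example (not the site's own code) of the scan, support-check, decode and store steps. It assumes a hypothetical family "example_rat" with an invented config format, and a byte-pattern table standing in for the YARA rules; none of it reflects the real Bozok or Pandora formats.

```python
import hashlib

# Constructed stand-in for the YARA identification step: family name -> byte
# pattern that must appear in the sample. The real site uses YARA rules; these
# families and markers are placeholders, not real Bozok/Pandora signatures.
SIGNATURES = {
    "example_rat": b"EXRAT_CFG",   # hypothetical, has a decoder below
    "pending_rat": b"PENDING_CFG", # hypothetical, identified but not yet decodable
}

def identify(sample: bytes):
    """Return the first family whose marker appears in the sample, else None."""
    for family, pattern in SIGNATURES.items():
        if pattern in sample:
            return family
    return None

def decode_example_rat(sample: bytes) -> dict:
    """Hypothetical decoder: after the marker, 'key=value|key=value' bytes
    XORed with 0x20 and terminated by a null byte. Invented for illustration."""
    start = sample.index(b"EXRAT_CFG") + len(b"EXRAT_CFG")
    end = sample.index(b"\x00", start)
    raw = bytes(b ^ 0x20 for b in sample[start:end])
    cfg = {}
    for field in raw.split(b"|"):
        key, _, value = field.partition(b"=")
        cfg[key.decode()] = value.decode()
    return cfg

# The supported list: maps an identified family to its decode function.
DECODERS = {"example_rat": decode_example_rat}

def process_submission(sample: bytes) -> dict:
    """Scan, check support, decode. The returned record holds only hashes and
    config, never the sample bytes; the sha256 doubles as the shareable ID."""
    hashes = {name: hashlib.new(name, sample).hexdigest()
              for name in ("md5", "sha1", "sha256")}
    family = identify(sample)
    record = {"id": hashes["sha256"], "hashes": hashes, "family": family}
    if family is None:
        record["status"] = "unknown family"
    elif family not in DECODERS:
        record["status"] = "identified but not yet supported"
    else:
        record["status"] = "decoded"
        record["config"] = DECODERS[family](sample)
    return record

def build_sample(cfg: dict) -> bytes:
    """Build a constructed test 'sample' in the hypothetical example_rat format."""
    plain = "|".join(f"{k}={v}" for k, v in cfg.items()).encode()
    encoded = bytes(b ^ 0x20 for b in plain)
    return b"MZ\x90\x00padding" + b"EXRAT_CFG" + encoded + b"\x00tail"
```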
As I continue to develop the platform I plan to add the following features:
- Option to submit to VirusTotal
- Option to retrieve from VirusTotal - Will require a valid VT API key
- Option to share with public or not
- Display Snort Rules for your specific version or for the malware in general
- Display the Yara Rule that matched your sample.
The site is open to public access at http://msce.doesntexist.com:7171. You can submit and share your own samples, but there is no function to search the datasets yet. You can see a couple of screens below.
In January, once I have finalized some of the core functions and the DB schema, I will release the source for the site and for all the individual decoding functions.
If you are interested in helping, sharing some decode modules, or just have a better name for it, stick a fork in the Git (when I release it), mail me at firstname.lastname@example.org, or, as usual, leave questions, queries and comments below.