{ "info": { "author": "Kevin Breen", "author_email": "thehermit@malwareconfig.com", "bugtrack_url": null, "classifiers": [], "description": "RATDecoders\n===========\n\nMalconf is a Python 3 library that can be used to statically analyse specific malware families and extract the configuration data that can be used by\nIncident Responders during an incident.\n\nAs a library it can also be installed into automated malware analysis pipelines.\n\n\n![Coverage](https://codecov.io/gh/kevthehermit/RATDecoders/branch/master/graph/badge.svg \"Coverage\")\n\n[![Build Status](https://travis-ci.org/kevthehermit/RATDecoders.svg?branch=master)](https://travis-ci.org/kevthehermit/RATDecoders)\n\n\n## Installation\n\n#### Requirements\n\nThere are some prerequisites that are included in the pip setup and the requirements.txt:\n\n- pefile\n- pbkdf2\n- javaobj-py3\n- pycrypto\n- androguard\n\nFor all the decoders you will need yara and yara-python. For dealing with .NET malware you will need to install yara-python with dotnet support.\n\n##### yara-python with dotnet support\n\n```\ngit clone --recursive https://github.com/VirusTotal/yara-python\ncd yara-python\npython3 setup.py build --enable-magic --enable-dotnet\nsudo python3 setup.py install\n```\n\n#### Install from pip\n\n```\npip3 install --upgrade malwareconfig\n```\n\n#### Install from repo\n\n```\ngit clone git@github.com:kevthehermit/RATDecoders.git\ncd RATDecoders\npip3 install -r requirements.txt\npython3 setup.py install\n```\n\n### Current RATs\n\nHere is a list of the currently supported RATs:\n\n - LostDoor\n - Xtreme\n - AAR\n - AdWind\n - Adzok\n - AlienSpy\n - Alina\n - Arcom\n - BlackNix\n - BlackShades\n - BlueBanana\n - Bozok\n - ClientMesh\n - CyberGate\n - DarkComet\n - DarkRAT\n - HawkEye\n - Hrat / hworm / WSH\n - Jbifrost\n - JRat\n - LuminosityLink\n - LuxNet\n - NanoCore\n - NetWire\n - njRat\n - Plasma\n - Remcos\n - Saefko\n - Sakula\n - SpyNote / Mobihook\n\n### Upcoming RATs\n\n- Still migrating old ones!\n\n### Usage\n\nUsing the supplied 
command line tool `malconf` you can pass in a single file or a directory with the `-r` flag and it will attempt to automagically detect the family and extract any config.\n\nYou can also use the `-o` option to write results out to a file.\n\n`malconf`\n\n`malconf -l` will list all the supported RATs.\n\n`malconf /path/to/sample` will automagically detect the family and run the decoder.\n\n```\n\u21d2 malconf tests/samples/alienspy\n\n __ __ _ ____ __ \n| \\/ | __ _| |/ ___|___ _ __ / _|\n| |\\/| |/ _` | | | / _ \\| '_ \\| |_ \n| | | | (_| | | |__| (_) | | | | _|\n|_| |_|\\__,_|_|\\____\\___/|_| |_|_| \n\nMalware Configuration Parser by @kevthehermit\n\n[+] Loading File: tests/samples/alienspy\n [-] Found: AlienSpy\n [-] Running Decoder\n [-] Config Output\n\n{'ConfigKey': 'fzGUoTaQH3SUW7E82IKQK2J2J2IISIS',\n 'NAME': 'ok',\n 'Version': 'B',\n 'connetion_time': '0',\n 'desktop': 'true',\n 'dns': '213.208.129.211',\n 'extensionname': 'qQJ',\n 'folder': 'java',\n 'instalar': 'true',\n\n\n```\n\n### Library\n\nIf you pip install it you can also use it as a library.\n\n```python\nfrom pprint import pprint\n\nfrom malwareconfig import fileparser\nfrom malwareconfig.modules import __decoders__, __preprocessors__\n\n# Open and parse the file; the parser sets malware_name for the detected family\nsample_path = '/path/to/sample.exe'\nfile_info = fileparser.FileParser(file_path=sample_path)\n\n# Check for a valid decoder and then parse\nif file_info.malware_name in __decoders__:\n    module = __decoders__[file_info.malware_name]['obj']()\n    module.set_file(file_info)\n    module.get_config()\n    conf = module.config\n    pprint(conf)\n```\n\n\n### Thanks\n\nFull credit where credit is due. 
\n\nMalware.lu for the initial Xtreme RAT writeup - https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT\n\nFireEye for their Poison Ivy and Xtreme RAT writeups (even though they ignored my tweets :-) ) - http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html\n\nShawn Denbow and Jesse Hertz for their paper here - http://www.matasano.com/research/PEST-CONTROL.pdf - it saved me a lot of time", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://malwareconfig.com", "keywords": "", "license": "GNU V3", "maintainer": "", "maintainer_email": "", "name": "malwareconfig", "package_url": "https://pypi.org/project/malwareconfig/", "platform": "", "project_url": "https://pypi.org/project/malwareconfig/", "project_urls": { "Homepage": "https://malwareconfig.com" }, "release_url": "https://pypi.org/project/malwareconfig/1.0.3/", "requires_dist": null, "requires_python": "", "summary": "Malware Config Extraction", "version": "1.0.3" }, "last_serial": 5935022, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "456d95f0be576491cc04a064d2747264", "sha256": "a2221eb852844435e1edd4a69115feea9810dcdd1f6495253cfb8ef6856197b8" }, "downloads": -1, "filename": "malwareconfig-1.0.0.tar.gz", "has_sig": false, "md5_digest": "456d95f0be576491cc04a064d2747264", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 39587, "upload_time": "2019-10-05T19:30:24", "url": "https://files.pythonhosted.org/packages/40/ee/3614cd982eab570986f395f4e4279dcf59df07cabad8ed24544373f6942c/malwareconfig-1.0.0.tar.gz" } ], "1.0.1": [ { "comment_text": "", "digests": { "md5": "89438955bf05e15b32bbe2e1e3e8a4c2", "sha256": "3c5857f0bc52d54d3d083e82fc3feb0a33a31439f5684bde4e437692e7d5be0a" }, "downloads": -1, "filename": "malwareconfig-1.0.1.tar.gz", "has_sig": false, "md5_digest": "89438955bf05e15b32bbe2e1e3e8a4c2", 
"packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 40426, "upload_time": "2019-10-06T00:27:54", "url": "https://files.pythonhosted.org/packages/15/b3/bd696967e8a268be2540596ca6a89d82fdc103c41676cc25341fed1d4bcc/malwareconfig-1.0.1.tar.gz" } ], "1.0.2": [ { "comment_text": "", "digests": { "md5": "050ab763e4d0f28afb0f44edee77bb79", "sha256": "693892e9d7d33e53e97b97865b8b15b2c17fd74b0e74363eacac5bff949d4587" }, "downloads": -1, "filename": "malwareconfig-1.0.2.tar.gz", "has_sig": false, "md5_digest": "050ab763e4d0f28afb0f44edee77bb79", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 41028, "upload_time": "2019-10-06T08:54:37", "url": "https://files.pythonhosted.org/packages/60/43/ffbc8a03125a453bfe0e0bf7b45ba14a4f592ce361a66116238a7e6f8651/malwareconfig-1.0.2.tar.gz" } ], "1.0.3": [ { "comment_text": "", "digests": { "md5": "fefcebb98b09fece3291676788d2d7b3", "sha256": "ac905de84b8e61336b364d9c18176c46ae713db76651a5ea2f39ad25dade697a" }, "downloads": -1, "filename": "malwareconfig-1.0.3.tar.gz", "has_sig": false, "md5_digest": "fefcebb98b09fece3291676788d2d7b3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 42593, "upload_time": "2019-10-06T14:23:16", "url": "https://files.pythonhosted.org/packages/19/9b/80c5b0099c5c6fd06d1287f1ab747f05914cf4ad41c158b2db584b625c6e/malwareconfig-1.0.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "fefcebb98b09fece3291676788d2d7b3", "sha256": "ac905de84b8e61336b364d9c18176c46ae713db76651a5ea2f39ad25dade697a" }, "downloads": -1, "filename": "malwareconfig-1.0.3.tar.gz", "has_sig": false, "md5_digest": "fefcebb98b09fece3291676788d2d7b3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 42593, "upload_time": "2019-10-06T14:23:16", "url": "https://files.pythonhosted.org/packages/19/9b/80c5b0099c5c6fd06d1287f1ab747f05914cf4ad41c158b2db584b625c6e/malwareconfig-1.0.3.tar.gz" } ] 
}