init mars stealer module #1
Conversation
| Section = namedtuple("Section", | ||
| ["name", "id", "paddr", "size", | ||
| "vaddr", "vsize", "perm"]) | ||
| HAVE_CSPARSER = True |
There was a problem hiding this comment.
This constant name is odd (probably the result of a copy-paste ?)
| def unxor(string: List[Any], key: List[Any]) -> str: | ||
| """Method to unxor obfuscated data from llcppc section""" | ||
|
|
||
| unxored = "" | ||
|
|
||
| for c1, c2 in zip(string, key): | ||
| unxored += chr(c1 ^ c2) | ||
|
|
||
| return unxored | ||
|
|
||
|
|
||
| def decrypt_rc4(key: bytes, ciphertext: bytes) -> bytes: | ||
| """Decrypt RC4 encrypt data""" | ||
|
|
||
| algorithm = algorithms.ARC4(key) | ||
| cipher = Cipher(algorithm, mode=None) | ||
| decryptor = cipher.decryptor() | ||
| cleartext = decryptor.update(ciphertext) | ||
|
|
||
| return cleartext |
There was a problem hiding this comment.
FYI you can probably find equivalent functions and more in malduck to speed up module development
|
|
||
| class MarsStealerC2Extractor(ProcessingModule): | ||
|
|
||
| name: str = "mars_stealer_c2" |
There was a problem hiding this comment.
| name: str = "mars_stealer_c2" | |
| name: str = "mars_stealer" |
When there is a match, the name of the module is added as a tag so it is a convention to give the module the name of what it is able to recognize.
| class MarsStealerC2Extractor(ProcessingModule): | ||
|
|
||
| name: str = "mars_stealer_c2" | ||
| description: str = "Mars Stealer command and control configuration extractor" |
There was a problem hiding this comment.
There should probably be an acts_on property here to specify the type of file needed.
It may also need a triggered_by property if this should not be run automatically on all executables.
| try: | ||
| c2 = self.get_c2(r2, sections) | ||
| except Exception as err: | ||
| print(f"Error getting c2: {err}") |
There was a problem hiding this comment.
You should use self.log instead of print every time you would like to have the information directly in the logs on the analysis page
| self.add_ioc(dest, ["marsstealer", "c2"]) | ||
| self.add_ioc(c2_url, ["marsstealer", "c2"]) | ||
|
|
||
| self.add_tag("marsstealer") |
There was a problem hiding this comment.
As mentioned earlier, this is done automatically if this is the module's name. You should probably replace it by self.add_probable_name("Mars Stealer")
Initial version of the Mars Stealer C2 configuration extractor.