def test_example_01_maldoc(self):
    """Extract the C2 domains from a real malicious Excel document.

    The sample is fetched from MalShare by its SHA-256 and is handled purely
    as an inert byte string; nothing in it is executed. The obfuscated
    payload is rebuilt from scattered spreadsheet cells, unwrapped through
    two rounds of base64/zlib carving plus PowerShell deobfuscation, and the
    domains are then pattern-extracted. Each expected domain is stored with
    its dot replaced by ``%c`` and 0x2E spliced in at runtime, presumably so
    that no literal indicator appears in the source text.
    """
    # Pinned SHA-256 of the sample; whether download_from_malshare verifies
    # the hash of what it actually fetched is not visible from here.
    sample_sha256 = '81a1fca7a1fb97fe021a1f2cf0bf9011dd2e72a5864aad674f8fea4ef009417b'
    data = self.download_from_malshare(sample_sha256)

    # Cells of the workbook that hold the fragments of the payload.
    cells = xlxtr('9.5:11.5', '15.15', '12.5:14.5')
    # Per-fragment reassembly, applied inside the xlxtr frame.
    reassemble = (
        scope('-n', 3)
        | chop('-t', 5)[sorted | snip('2:') | sep]
        | pack(10)
        | sub('dec:ev:n')
    )
    # Two layers of base64/zlib wrapping around obfuscated PowerShell.
    unwrap = carve_b64z | deob_ps1 | carve_b64z | deob_ps1
    pipeline = cells[reassemble] | unwrap | xtp('domain', filter=True)

    with BytesIO(data) as sample:
        found = set(sample | pipeline)

    defanged = (
        b'udatapost%cred',
        b'marvellstudio%conline',
        b'sdkscontrol%cpw',
        b'abrakam%csite',
        b'hiteronak%cicu',
        b'ublaznze%conline',
        b'sutsyiekha%ccasa',
        b'makretplaise%cxyz',
    )
    expected = {name % 0x2E for name in defanged}
    self.assertSetEqual(found, expected)
def test_real_world_01(self):
    """Decode a numerically encoded WMIC/PowerShell launcher from a sample.

    The digit stream is cut into 476-byte records and then into 5-byte
    numbers, de-duplicated, stripped of a two-digit prefix, parsed as
    decimal values and unmasked with a counter-driven block operation.
    The expected plaintext is the beginning of a
    ``wmic process call create "powershell ..."`` command line; it is only
    compared as bytes and never executed.
    """
    encoded = B'''301815214850156721331018480063340936214488055910529404970112631124608113197561534315323106291311611118111571030916590053421252410301171850583912575068111856414554157930507606789054031912510227182600807906431133491248306004123002146510940169690710820141169320955312014120171102115059068660995810412198261688106236171480925510919175470806111215112451580216678065680593716920140350943309471097820618705622181381760512207200740695112292051860572813684059730540612867133770664415988405914129061377506879064041396607792051271161313019124720712811569074680757406931112780654609788055291148605702141810628505815128490945608789054940492611748095590847706617126221215309060083411027606705138001434509852091211222411908135111322312025118181250314030113440993311087056570868006343100341090114209134640795408939104470969005365078580853510871072121313211155088071361612710133620813710651092820619305073070401034210170073610823810550093830603610763080201236707691052400143051380813527116720712411948095460972511826117830604909480063550881313020123700732911434109111327107252091820612112243100171263111266077191245908460083860575009354089740698805569074161279005364079321115309035108401031812509134770666308092051560874210137106680758405975068670761013351092730709105236107381053311058085141294409981062930500713676067850583910402141121311512865078790647806541102620815708606137890546108294049031402811547096011424509822121301130413987056231204'''
    expected = B'''wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'''
    decoder = (
        chop(476, '[')                              # 476-byte records, opens a frame
        | chop(5, '-t', '[')                        # 5-digit numbers, nested frame
        | dedup(sort=True)
        | snip('2:')                                # drop the two leading digits
        | sep(']')                                  # close the inner frame
        | pack(10)                                  # decimal numbers -> bytes
        | blockop('--ctr', 'B+S-A', 'ev:n', ']')    # counter-driven unmasking, close frame
    )
    self.assertEqual(expected, decoder(encoded))
def process(self, data):
    """Return the longest carved string literal in *data* without its quotes.

    ``carve -lt1 string`` keeps only the single longest (``-l``, take one
    ``-t1``) string literal found in the input; ``snip 1:-1`` then drops
    the first and last byte, i.e. the enclosing quote characters.
    """
    longest_string = r.carve('-lt1', 'string')
    strip_quotes = r.snip('1:-1')
    return (longest_string | strip_quotes)(data)
def test_depth3(self):
    """Three nested frames: ``rep`` inside ``rex`` inside a ``scope``d ``snip`` frame.

    ``snip`` splits ``AAABCDDD`` into ``AAA``, ``B``, ``C``, ``DDD``; the
    scope selects only the middle two chunks, each character of those is
    matched by ``rex``, repeated three times and prefixed with ``X``, which
    yields ``AAAXBXBXBXCXCXCDDD`` once the frames are closed.
    """
    # innermost two frames: match every byte, triple it, prepend an X
    per_char = r.rex('.')[r.rep(3)[r.ccp('X')]]
    pipeline = r.snip(':3', 3, 4, '5:')[r.scope('1:3') | per_char]
    self.assertEqual(B'AAAXBXBXBXCXCXCDDD', pipeline(B'AAABCDDD'))