def __init__(self, *args, **kwargs) -> None:
super().__init__(*args, **kwargs)
yara_path = Path(__file__).parent / "autoit.yar"
self.yara = Yara(rule_paths={"autoit": yara_path.as_posix()})
__decoders__.update(ratdecoders_local_modules)
except ImportError:
logging.info("Missed RATDecoders -> pip3 install git+https://github.com/kevthehermit/RATDecoders")
except Exception as e:
logging.error(e, exc_info=True)
HAVE_MALDUCK = False
if process_cfg.malduck.enabled:
try:
from lib.cuckoo.common.load_extra_modules import malduck_load_decoders
from malduck.extractor import ExtractorModules, ExtractManager
from malduck.extractor.extractor import Extractor
# from malduck.extractor.loaders import load_modules
from malduck.yara import Yara
malduck_rules = Yara.__new__(Yara)
malduck_modules = ExtractorModules.__new__(ExtractorModules)
# tmp_modules = load_modules(os.path.join(CUCKOO_ROOT, process_cfg.malduck.modules_path))
# malduck_modules_names = dict((k.split(".")[-1], v) for k, v in tmp_modules.items())
malduck_modules_names = malduck_load_decoders(CUCKOO_ROOT)
malduck_modules.extractors = Extractor.__subclasses__()
HAVE_MALDUCK = True
# del tmp_modules
except ImportError:
logging.info("Missed MalDuck -> pip3 install git+https://github.com/CERT-Polska/malduck/")
HAVE_CAPE_EXTRACTORS = False
if process_cfg.CAPE_extractors.enabled:
from lib.cuckoo.common.load_extra_modules import cape_load_decoders
cape_malware_parsers = cape_load_decoders(CUCKOO_ROOT)
class AutoItRipperKarton(Karton):
"""
Extracts embedded AutoIt scripts from binaries and additionaly
tries to extract some binary drops from scripts
"""
identity = "karton.autoit-ripper"
version = __version__
persistent = True
filters = [
{
"type": "sample",
"stage": "recognized",
"kind": "runnable",
"platform": "win32",
},
{
"type": "sample",
"stage": "recognized",
"kind": "runnable",
"platform": "win64",
},
]
def __init__(self, *args, **kwargs) -> None:
super().__init__(*args, **kwargs)
yara_path = Path(__file__).parent / "autoit.yar"
self.yara = Yara(rule_paths={"autoit": yara_path.as_posix()})
def process(self, task: Task) -> None:
sample = task.get_resource("sample")
resources = None
m = self.yara.match(data=sample.content)
if "autoit_v3_00" in m:
self.log.info("Found a possible autoit v3.00 binary")
resources = extract(data=sample.content,
version=AutoItVersion.EA05)
elif "autoit_v3_26" in m:
self.log.info("Found a possible autoit v3.26+ binary")
resources = extract(data=sample.content,
version=AutoItVersion.EA06)
if resources:
self.log.info("Found embedded data, reporting!")
for res_name, res_data in resources:
if res_name.endswith(".dll") or res_name.endswith(".exe"):
task_params = {
"type": "sample",
"kind": "raw",
}
elif res_name == "script.au3":
task_params = {
"type": "sample",
"kind": "script",
"stage": "analyzed",
"extension": "au3",
}
else:
continue
self.log.info("Sending a task with %s", res_name)
script = Resource(res_name, res_data)
self.send_task(
Task(task_params,
payload={
"sample": script,
"parent": sample
}))
if res_name == "script.au3":
self.log.info(
"Looking for a binary embedded in the script")
drop = extract_binary(res_data.decode())
if drop:
self.log.info("Found an embedded binary")
self.send_task(
Task(
{
"type": "sample",
"kind": "raw"
},
payload={
"sample":
Resource(name="autoit_drop.exe",
content=drop),
"parent":
script,
},
))