kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Nighthawk yara rule triggered but configuration wasn't extracted #1270

Closed nikhilh-20 closed 1 year ago

nikhilh-20 commented 1 year ago

Expected Behavior

After server restart, CAPE correctly triggers the yara rule on the sample. The configuration is expected to be extracted even statically from the submitted hash: 0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988

$ git rev-parse --short HEAD
96a2c0ca

In [1]: with open("0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988", "rb") as f:
   ...:     data = f.read()
   ...: 

In [2]: from Nighthawk import extract_config

In [3]: cfg = extract_config(data)

In [4]: cfg
Out[4]: 
{'Plaintext Alphabet': b'K:sPZv2oAH,MkB_Ow)?pa$ b{F0V-YC4<uUJ^TQG6+ytz;=iqL9IW.ng/S7X1R(rxc5]elD[*8hfE>3m&Nj!d}\x00',
 'Ciphertext Alphabet': b'JCljOF5fN?TZLyuBt6x-[nYe,E42U.)wD+Qh$zIGVK_]rm9A}{d(c3^=>17g!P&SMW:Xsk iq;Rop/v0<a8Hb*\x00',
 'Config AES-128 CBC Decryption Key': b'8CVKEWJUVHSW4CBC',
 'Implant Config': {'implant-config': {'general-config': {'code-modules': {'encoders': [],
     'p2p-transports': [],
     'egress-transports': []},
    'injector': {'methods': {'ProtectMemory': 'VirtualProtectNative',
      'ExecuteMemory': 'CreateThreadNative',
      'ProcessOpen': 'OpenProcessNative',
      'WriteMemory': 'WriteProcMemNative',
      'ProcessCreate': 'CreateProcessWinApi',
      'AllocMemory': 'VirtualAllocNative'},
     'spawn-to': 'C:\\windows\\system32\\browser_broker.exe',
     'parent-process': 'C:\\windows\\explorer.exe'},
    'opsec': {'unhook-dlls': ['kernel32.dll',
      'ntdll.dll',
      'kernelbase.dll',
      'winhttp.dll'],
     'clear-veh-on-imp-res': True,
     'unhook-syscalls': True,
     'use-syscalls': True,
     'loader-export': 'ReadFile',
     'self-encrypt-while-listening': True,
     'disable-pi-callback': True,
     'indirect-syscalls': True,
     'masquerade-thread-stacks': True,
     'self-encrypt': True,
     'ordinary-export': '',
     'clear-hwbp-on-imp-res': True,
     'clear-veh-on-unhook': True,
     'unhook-using-wpm': True,
     'self-encrypt-after': 5000,
     'encrypt-heap-mode': 'implant',
     'report-self-encrypt-status': True,
     'hide-windows': False,
     'clear-hwbp-on-unhook': True,
     'self-encrypt-no-rx-stub': True,
     'unhook-on-self-encrypt': True,
     'clear-dll-notifications': True,
     'stomp-pe-header': True,
     'stack-commit-size': 262144,
     '--backing-module': {'x86': 'chakra.dll', 'x64': 'chakra.dll'},
     'thread-start-addresses': ['ntdll!RtlUserThreadStart']},
    'settings': {'interval': 10000, 'expire-after': 1640998861, 'jitter': 40}},
   'p2p-config': {'p2p-listener-uri': ['smb://googlecrashpad'],
    'aes-128-iv': 'Vnzix2bnX2cpeCw4',
    'promote-after': 1,
    'aes-128-key': 'TZNZ4PdCXeu3Aq7i',
    'promote': False},
   'mode': 'p2p'}}}

Current Behavior

While the yara rule triggers correctly, configuration isn't extracted from the submitted hash.

I don't see any interesting failures in the "Show Log" field content. Do you have any idea why the parser works standalone but not in CAPE?
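The extractor output above contains two equal-length alphabets (the shape of a monoalphabetic substitution table) and raw bytes values that a reporting layer has to turn into JSON. The following is an added example, not code from CAPE or from the Nighthawk parser: it reuses the two alphabets quoted above (mapping ciphertext symbols to plaintext symbols by position is an assumption; the issue only shows the tables), wraps an extractor call so that any exception it raises is recorded instead of leaving an empty result with nothing in the log, and converts an extracted dict into a JSON-safe form. `run_extractor`, `to_json_safe` and the sample config are constructed for the example.

```python
import json
import traceback
from typing import Any, Callable

# Alphabets copied from the extractor output quoted in the issue above.
PLAINTEXT_ALPHABET = (
    b'K:sPZv2oAH,MkB_Ow)?pa$ b{F0V-YC4<uUJ^TQG6+ytz;=iqL9IW.ng/S7X1R(rxc5]elD[*8hfE>3m&Nj!d}\x00'
)
CIPHERTEXT_ALPHABET = (
    b'JCljOF5fN?TZLyuBt6x-[nYe,E42U.)wD+Qh$zIGVK_]rm9A}{d(c3^=>17g!P&SMW:Xsk iq;Rop/v0<a8Hb*\x00'
)


def check_alphabets(plain: bytes, cipher: bytes) -> bool:
    """A substitution table is only usable if both alphabets have the same
    length, contain no duplicate symbols and cover the same symbol set."""
    return (
        len(plain) == len(cipher)
        and len(set(plain)) == len(plain)
        and set(plain) == set(cipher)
    )


def decode_substitution(data: bytes, plain: bytes = PLAINTEXT_ALPHABET,
                        cipher: bytes = CIPHERTEXT_ALPHABET) -> bytes:
    """Map each ciphertext-alphabet symbol to the plaintext symbol at the same
    position (assumed direction). Bytes outside the alphabet pass through."""
    return data.translate(bytes.maketrans(cipher, plain))


def encode_substitution(data: bytes, plain: bytes = PLAINTEXT_ALPHABET,
                        cipher: bytes = CIPHERTEXT_ALPHABET) -> bytes:
    """Inverse of decode_substitution; used here to build test inputs."""
    return data.translate(bytes.maketrans(plain, cipher))


def run_extractor(extract_fn: Callable[[bytes], Any], data: bytes) -> dict:
    """Call a config extractor the way a processing harness would, capturing
    any exception (for instance an ImportError from a missing or outdated
    crypto dependency) so that the failure is visible in the result."""
    try:
        return {"config": extract_fn(data), "error": None, "traceback": None}
    except Exception as exc:  # every failure must be recorded, not swallowed
        return {
            "config": None,
            "error": f"{type(exc).__name__}: {exc}",
            "traceback": traceback.format_exc(),
        }


def to_json_safe(obj: Any) -> Any:
    """Recursively convert bytes (values and dict keys) so the config can be
    stored in a JSON report; undecodable bytes are kept as \\xNN escapes."""
    if isinstance(obj, bytes):
        return obj.decode("utf-8", errors="backslashreplace")
    if isinstance(obj, dict):
        return {to_json_safe(k): to_json_safe(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [to_json_safe(v) for v in obj]
    return obj


def to_report_json(cfg: Any) -> str:
    """Serialize an extracted config for a report, after making it JSON-safe."""
    return json.dumps(to_json_safe(cfg), indent=1)


def failing_extractor(data: bytes) -> dict:
    """Constructed stand-in for a parser whose dependency is missing."""
    raise ImportError("crypto library not available")


if __name__ == "__main__":
    # Constructed sample in the shape of the extractor output above.
    sample_cfg = {
        "Config AES-128 CBC Decryption Key": b"8CVKEWJUVHSW4CBC",
        "Plaintext Alphabet": PLAINTEXT_ALPHABET,
    }
    print(to_report_json(sample_cfg))
    print(run_extractor(failing_extractor, b"")["error"])
```

`check_alphabets` is worth running before trusting any substitution table pulled from a sample: both alphabets quoted above are 87 bytes, each symbol occurs once, and they cover the same symbol set, so `bytes.maketrans` builds a clean bijection.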

github-actions[bot] commented 1 year ago

@nikhilh-20: hello! :wave:

This issue is being automatically closed because it does not follow the issue template.

This is an open source project! So please appreciate our time that we sacrifice from other things that we could enjoy, instead of asking boring things over and over.

kevoreilly commented 1 year ago

but not in CAPE?

The parser works in CAPE. I tested it before merging, and wouldn't have merged it if it didn't.

What you are describing is not an issue. It is simply that I didn't update capesandbox.com in time for your first submission, then I needed to update a Python crypto library to get the parser to work, but due to current site issues with scrapers (timeouts viewing pages) I wasn't aware of this when I first updated.

I have now reprocessed 343557, 323568 and 3443575 so they all show the parser output. I am doing my best to maintain that site in my free time but an issue with the site is not necessarily an issue 'in CAPE'.

nikhilh-20 commented 1 year ago

What you are describing is not an issue

I submitted those tasks after you restarted the server (#1269) - you see them having yara detections, which was initially (before you updated the server) not the case. So, I assumed the parser was active at the time of those submissions. And absolutely, I wasn't trying to say there's an issue with CAPE; just that I don't know of another way to ask a question without creating an issue. If there's another way to ask a question, please let me know :)

Thanks for your efforts! I didn't mean to push you. I just didn't realize the server wasn't updated.