kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Is it possible to extract malware configuration without actually running the sample? #285

Closed nikhilh-20 closed 4 years ago

nikhilh-20 commented 4 years ago

Hello,

I was using the public CAPE instance at capesandbox.com and I came across the option Try to extract config without VM. I couldn't find a description of that option in the documentation (or perhaps, I missed it).

If that option is checked, does that mean that there will be no execution of the sample, if possible? And if so, which malware families is this option effective for? Usually, one sample would take a few minutes to complete execution. With the Try to extract config without VM option, I was wondering if I could get config information within seconds since there would be no execution.

Thank you.

doomedraven commented 4 years ago

hello

Try to extract config without VM - will try to extract without running the sample in a VM, but if it's not extracted it will submit to the VM. You have the Static tab (the last one) to just try static extraction without submitting to the VM if it's not extracted.

About the families you need to see those folders: https://github.com/kevoreilly/CAPEv2/tree/master/modules/processing/parsers + https://github.com/kevthehermit/RATDecoders

here a bit more info: https://www.doomedraven.com/2020/02/cape-sandbox-config-extraction.html

nikhilh-20 commented 4 years ago

Thanks! I'll take a look and I'll ask here if I have more questions. Else, I'll close this issue. Please keep this open for the next 2 days.

doomedraven commented 4 years ago

Well, you can post here even if the issue is closed, I will get a notification anyway ;) so closing, but feel free to post questions here.

nikhilh-20 commented 4 years ago

So, I tried running LostDoor and DarkComet (config for both can be extracted statically as can be seen in the supported RATs list on https://github.com/kevthehermit/RATDecoders). I checked the Try to extract config without VM option during submission. However, both samples were executed on the VM and so, I got the reports 5 minutes later instead of in a few seconds (since static extraction is possible). Do you know why this might have happened?

Also, I don't think config was extracted for the LostDoor sample. There's no CAPE tab.

LostDoor run: https://capesandbox.com/analysis/66267/
DarkComet run: https://capesandbox.com/analysis/66268/

If I wanted to modify CAPE code such that sample is NOT submitted to the VM if static config extraction is not possible, which files/code would I need to look at? I wanted to play around with CAPE code in my fork.

Thanks!

doomedraven commented 4 years ago

As I told you, there is a Static tab (the last one); that one won't send to the VM, so you don't need to modify anything at all. Plus, parsers can be outdated or contain bugs; did you try them locally first?

nikhilh-20 commented 4 years ago

Oh! I didn't notice the Static tab. Thanks! I'm able to do the static extraction now. I didn't try the parsers locally yet. I was looking at how to do the static extraction through CAPE which I've understood now. Is there an API to interact (submit sample / retrieve report) with the Static tab? Something like capesandbox.com:<port>/api/... ? I'm guessing it's one of the values mentioned in https://capesandbox.com/api/

doomedraven commented 4 years ago

Yes, so first try it locally. All parsers can be used standalone; you can see in the code how, but it should be pretty simple, as I pointed you to my blog about that and the projects have documentation. Once you are sure that it works you can test it. I saw many bugs (you can see the issues in each project), but I won't fix them as I'm not using those parsers, so you are welcome to fix that if it is required.

doomedraven commented 4 years ago

The API for static is missing; I will add that once I have some spare time.

nikhilh-20 commented 4 years ago

Awesome, thanks!

kevoreilly commented 4 years ago

It is a shame to hear that there are RATDecoders parsers in CAPE that don't work but as this is a time-poor project we haven't got time to fix them as they are not significant enough current threats to justify it. You can probably imagine the mountainous to-do lists. But if you do end up fixing them or adding any nice features to your fork they will of course be gratefully received!

doomedraven commented 4 years ago

Hello, just pushed the static API code, so now you can use it.

nikhilh-20 commented 4 years ago

That's awesome, thanks!

doomedraven commented 4 years ago

Enjoy. I will see if it's possible to return the config directly, apart from the job id, but no promises here as it might require a huge rewrite of a lot of logic.

nikhilh-20 commented 4 years ago

No problem :) If I wanted to write my own static config parser for a family, I would need to

  • create a Py script in modules/processing/parsers/mwcp/ directory, and
  • create a yara rule with the same filename as Py script in data/yara/CAPE

Is the above correct? From your blog, @doomedraven it looks like modules/processing/parsers/mwcp/DridexLoader.py is a good reference for writing a static parser, yes?

doomedraven commented 4 years ago

Hello, yes correct, and yes Dridex is a good example as it includes external yara, so fewer places to modify in future :)
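The pairing convention confirmed above (a parser module and a yara rule that share a name, with the rule name selecting the parser), modelled offline as an added example. This is not CAPE's code and not DridexLoader.py: the ExampleRAT family, its marker bytes and its key=value config layout are constructed for illustration, and get_yara_hits is a stand-in for File(path).get_yara(category="CAPE") that returns the same list-of-{'name'} shape the thread refers to. static_extraction always returns a dict, empty when nothing matched, so a missing yara hit cannot surface as a 500 the way the later comments in this thread describe.

```python
"""Offline model of the CAPE static-extraction convention discussed in this
issue: a parser module X.py in modules/processing/parsers/mwcp/ is paired
with a yara rule named X in data/yara/CAPE, and the rule name chooses the
parser. Everything here is constructed for illustration; it is not CAPE code."""
from typing import Callable, Dict, List

# Stand-in for data/yara/CAPE: rule name -> byte signature. (Hypothetical
# family; in CAPE the rule name must equal the parser module's filename.)
FAKE_YARA_RULES: Dict[str, bytes] = {
    "ExampleRAT": b"EXRAT\x00CFG\x00",
}


def get_yara_hits(data: bytes) -> List[Dict[str, str]]:
    """Mimics File(path).get_yara(category="CAPE"): a list of {'name': rule} hits."""
    return [{"name": name} for name, sig in FAKE_YARA_RULES.items() if sig in data]


def example_rat_parser(data: bytes) -> Dict[str, List[str]]:
    """Hypothetical ExampleRAT.py: after the marker come NUL-separated key=value
    fields terminated by a double NUL. Output uses the key -> [values] shape
    the API returns in this thread."""
    marker = FAKE_YARA_RULES["ExampleRAT"]
    start = data.index(marker) + len(marker)   # ValueError if the marker is absent
    end = data.index(b"\x00\x00", start)       # ValueError if the block is truncated
    config: Dict[str, List[str]] = {}
    for field in data[start:end].split(b"\x00"):
        key, _, value = field.partition(b"=")
        if key:
            config.setdefault(key.decode("ascii", "replace"), []).append(
                value.decode("ascii", "replace"))
    return config


# Stand-in for the parsers directory: module name -> entry point.
PARSERS: Dict[str, Callable[[bytes], Dict[str, List[str]]]] = {
    "ExampleRAT": example_rat_parser,
}


def static_extraction(data: bytes) -> Dict[str, List[str]]:
    """Run every parser whose yara rule matched and merge the results.
    Always returns a dict: an empty one means 'cannot extract statically',
    so callers test truthiness instead of special-casing False."""
    config: Dict[str, List[str]] = {}
    for hit in get_yara_hits(data):
        parser = PARSERS.get(hit["name"])
        if parser is None:
            continue        # rule without a same-named parser: nothing to run
        try:
            config.update(parser(data))
        except ValueError:
            continue        # corrupt or truncated config block: skip, don't crash
    return config


# Constructed inputs: one carrying the marker and a config block, one without,
# and one where the config block is cut off before its terminator.
SAMPLE_HIT = (b"MZ...padding..." + FAKE_YARA_RULES["ExampleRAT"]
              + b"C2=192.0.2.10:443\x00MUTEX=EX_MUTEX-1\x00\x00" + b"...rest...")
SAMPLE_MISS = b"MZ...unrelated binary contents..."
SAMPLE_TRUNCATED = b"MZ..." + FAKE_YARA_RULES["ExampleRAT"] + b"C2=192.0.2.10:443"

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS),
                        ("truncated", SAMPLE_TRUNCATED)):
        print(label, get_yara_hits(blob), static_extraction(blob))
```

The dispatch-by-rule-name step is the part worth copying: a new family needs a rule and a parser with matching names and nothing else, and a sample that matches no rule simply yields an empty config.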

nikhilh-20 commented 4 years ago

So, I was trying to do the API call for static extraction and I'm hitting an error:

$ curl -F file=@/home/nikhilh-20/5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac https://capesandbox.com/api/tasks/create/static/
{
    "error": true,
    "error_value": "vtdl (hash list) value is empty"
}

$ ls
5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac

$ file 5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac
5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac: PE32 executable (GUI) Intel 80386, for MS Windows

$ du -h 5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac
756K    5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac

Am I doing the API call incorrectly? My curl version is 7.68.0

doomedraven commented 4 years ago

Nah, there was a c&p bug, fixed now; it will work just fine. Thanks for catching it.

nikhilh-20 commented 4 years ago

I still seem to be hitting an error when doing the api call:

# curl -F file=@/root/Downloads/5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac https://capesandbox.com/api/tasks/create/static/

# du -h 5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac 
756K    5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac

# file 5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac 
5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac: PE32 executable (GUI) Intel 80386, for MS Windows

Curl version: 7.66.0. I've attached the response content that I received. static_extraction_api_call_error.txt

doomedraven commented 4 years ago

Try again


nikhilh-20 commented 4 years ago

The submission went through:

# curl -F file=@/root/Downloads/5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac https://capesandbox.com/api/tasks/create/static/
{
    "error": false,
    "data": {
        "message": "Task IDs  have been submitted"
    },
    "url": []
}

I didn't get the task ID in the response (expected?). I was checking the GUI but it looks like CAPEv2 is busy processing many other tasks, so my task hasn't shown up yet. It looks like tasks are stuck at the Processing stage starting from task ID, 68269

doomedraven commented 4 years ago

Well, I see that it works just fine, there are just too many tasks to process :)

About the static issue, hm, for some reason it doesn't match hits = File(path).get_yara(category="CAPE") in static_extraction, but if I submit via the web GUI it detects it. I will come back to this once I have some free time this week.

doomedraven commented 4 years ago

curl -F file=@5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac https://capesandbox.com/api/tasks/create/static/
{
    "error": false,
    "data": {
        "task_ids": [
            68304
        ],
        "message": "Task ID(s) 68304 has been submitted"
    },
    "url": [
        "https://www.capesandbox.com/submit/status/68304/"
    ]
}%

Fixed, I will push the code to the repo later as I need to fix some other stuff.

doomedraven commented 4 years ago

btw @nikhilh-20 thanks for beta testing it, I have an extra for you :P

curl -F file=@5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac https://capesandbox.com/api/tasks/create/static/
{
    "error": false,
    "data": {
        "task_ids": [
            68323
        ],
        "cape_config": {
                "PWD": [
                    "passw0rd"
                ],
                "MUTEX": [
                    "DC_MUTEX-3ZSAD3N"
                ],
                "SID": [
                    "Guest16"
                ],
                "FWB": [
                    "1"
                ],
                "NETDATA": [
                    "192.168.22.237:80|192.168.22.237:8080|192.168.22.237:443"
                ],
                "GENCODE": [
                    "89MqADvg2eUv"
                ],
                "INSTALL": [
                    "1"
                ],
                "COMBOPATH": [
                    "7"
                ],
                "EDTPATH": [
                    "MSDCSC\\msdcsc.exe"
                ],
                "KEYNAME": [
                    "MicroUpdate"
                ],
                "EDTDATE": [
                    "16/04/2016"
                ],
                "PERSINST": [
                    "1"
                ],
                "MELT": [
                    "0"
                ],
                "CHANGEDATE": [
                    "1"
                ],
                "DIRATTRIB": [
                    "0"
                ],
                "FILEATTRIB": [
                    "6"
                ],
                "OFFLINEK": [
                    "1"
                ],
                "Version": [
                    "#KCMDDC51#-890"
                ]
        },
        "message": "Task ID(s) 68323 has been submitted"
    },
    "url": [
        "https://www.capesandbox.com/submit/status/68323/"
    ]
}%

nikhilh-20 commented 4 years ago

This is superb @doomedraven :D Thanks for all the help and support!

nikhilh-20 commented 4 years ago

So, DarkComet worked great. I moved on to DarkRAT, which is also supported by RATDecoders (https://github.com/kevthehermit/RATDecoders), and that hit an 'Internal Server Error':

# curl -F file=@/root/Downloads/785162637380f917a4f3a187ab532a1f0d408ff892324af32c6d962ecf2d67db https://capesandbox.com/api/tasks/create/static/

<!doctype html>
<html lang="en">
<head>
  <title>Server Error (500)</title>
</head>
<body>
  <h1>Server Error (500)</h1><p></p>
</body>
</html>

DarkRAT source:

Here's a screenshot of the error I see in the Django dev server logs of my local setup (attached image: tasks_create_static_DarkRAT_error).

nikhilh-20 commented 4 years ago

I think static_extraction(file) returned False here: https://github.com/kevoreilly/CAPEv2/blob/f10327870ad6326b4050f7cae593c4ed19709a95/lib/cuckoo/core/database.py#L1344

and get_yara returned [] here: https://github.com/kevoreilly/CAPEv2/blob/f10327870ad6326b4050f7cae593c4ed19709a95/lib/cuckoo/common/cape_utils.py#L239

I wonder if this behavior is expected if RATDecoders doesn't have a matching YARA rule for the sample (so, get_yara returns []). If this is the case, would it make sense to handle this scenario in CAPEv2 more gracefully?

doomedraven commented 4 years ago

Fixed that; yeah, that was a bit different issue than that: a variable was set to False instead of dict().

nikhilh-20 commented 4 years ago

The 500 error remains for DarkRAT btw. I'll test it locally soon to see if the AttributeError is resolved at least.

# curl -F file=@/root/Downloads/785162637380f917a4f3a187ab532a1f0d408ff892324af32c6d962ecf2d67db https://capesandbox.com/api/tasks/create/static/

<!doctype html>
<html lang="en">
<head>
  <title>Server Error (500)</title>
</head>
<body>
  <h1>Server Error (500)</h1><p></p>
</body>
</html>

doomedraven commented 4 years ago

I can’t reproduce it

curl -F file=@5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac https://capesandbox.com/api/tasks/create/static/
{
    "error": false,
    "data": {
        "task_ids": [
            68578
        ],
        "config": {
            "PWD": [
                "passw0rd"
            ],
            "MUTEX": [
                "DC_MUTEX-3ZSAD3N"
            ],
            "SID": [
                "Guest16"
            ],
            "FWB": [
                "1"
            ],
            "NETDATA": [
                "192.168.22.237:80|192.168.22.237:8080|192.168.22.237:443"
            ],
            "GENCODE": [
                "89MqADvg2eUv"
            ],
            "INSTALL": [
                "1"
            ],
            "COMBOPATH": [
                "7"
            ],
            "EDTPATH": [
                "MSDCSC\\msdcsc.exe"
            ],
            "KEYNAME": [
                "MicroUpdate"
            ],
            "EDTDATE": [
                "16/04/2016"
            ],
            "PERSINST": [
                "1"
            ],
            "MELT": [
                "0"
            ],
            "CHANGEDATE": [
                "1"
            ],
            "DIRATTRIB": [
                "0"
            ],
            "FILEATTRIB": [
                "6"
            ],
            "OFFLINEK": [
                "1"
            ],
            "Version": [
                "#KCMDDC51#-890"
            ]
        },
        "message": "Task ID(s) 68578 has been submitted"
    },
    "url": [
        "https://www.capesandbox.com/submit/status/68578/"
    ]
}%


nikhilh-20 commented 4 years ago

Oh yeah, you're using the hash for DarkComet which is 5ea3092330302ec211e0627235b5020f41e6d8da130dc7eb4548b0e739072cac. Extraction for DarkComet works fine. I was using the hash of DarkRAT which was on the supported list in RATDecoders. Hash of DarkRAT is 785162637380f917a4f3a187ab532a1f0d408ff892324af32c6d962ecf2d67db

doomedraven commented 4 years ago

Fixed

nikhilh-20 commented 4 years ago

Nice! So, when samples cannot be statically analyzed, I can expect to see a response like:

# curl -F file=@/root/Downloads/785162637380f917a4f3a187ab532a1f0d408ff892324af32c6d962ecf2d67db https://capesandbox.com/api/tasks/create/static/
{
    "error": false,
    "data": {
        "task_ids": []
    }
}

Is this correct?

doomedraven commented 4 years ago

Exactly, if no config and no task_ids then it can't be extracted statically.
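A small client for the static endpoint used throughout this issue, added here as an example; it is not CAPE's own client code. It builds the same multipart POST that `curl -F file=@...` sends using only the standard library, and normalises the reply shapes that appear above (an error object, task ids with an inline config under either the earlier `cape_config` key or the later `config` key, task ids only, or empty task ids meaning the family cannot be parsed statically). The sample replies embedded at the bottom are copied from this thread with the config trimmed to two keys.

```python
"""Added example (not CAPE's own client code): submit one file to the
static-extraction endpoint used in this issue and normalise the reply shapes
seen in the thread. Standard library only."""
import json
import urllib.error
import urllib.request
import uuid
from pathlib import Path
from typing import Any, Dict, Tuple

STATIC_URL = "https://capesandbox.com/api/tasks/create/static/"


def classify_static_response(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Map a JSON reply to one of four outcomes:
    'error'      - API rejected the request (error=true, see error_value)
    'extracted'  - config came back inline with the task id
    'queued'     - task id(s) only; fetch the report later
    'not_static' - no task ids and no config: family not statically parseable"""
    if resp.get("error"):
        return {"outcome": "error", "detail": str(resp.get("error_value", ""))}
    data = resp.get("data") or {}
    task_ids = list(data.get("task_ids") or [])
    # Early replies in this thread used the key 'cape_config', later ones 'config'.
    config = data.get("config") or data.get("cape_config") or {}
    if config:
        return {"outcome": "extracted", "task_ids": task_ids, "config": config}
    if task_ids:
        return {"outcome": "queued", "task_ids": task_ids, "config": {}}
    return {"outcome": "not_static", "task_ids": [], "config": {}}


def encode_multipart(field: str, path: Path) -> Tuple[bytes, str]:
    """Build the multipart/form-data body that 'curl -F file=@...' would send."""
    boundary = uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{path.name}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + path.read_bytes() + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def submit_static(path: Path, url: str = STATIC_URL, timeout: float = 60.0) -> Dict[str, Any]:
    """POST the file and classify the answer. HTTP errors such as the HTML
    'Server Error (500)' page seen in this thread are reported, not raised."""
    body, content_type = encode_multipart("file", path)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        return {"outcome": "error", "detail": f"HTTP {exc.code}"}
    try:
        return classify_static_response(json.loads(raw))
    except json.JSONDecodeError:
        return {"outcome": "error",
                "detail": "non-JSON body: " + raw[:80].decode("utf-8", "replace")}


# Reply shapes copied from the exchanges in this issue (task ids and values are
# the ones shown there; the extracted config is trimmed to two keys).
REPLY_ERROR = {"error": True, "error_value": "vtdl (hash list) value is empty"}
REPLY_QUEUED = {"error": False,
                "data": {"task_ids": [68304], "message": "Task ID(s) 68304 has been submitted"},
                "url": ["https://www.capesandbox.com/submit/status/68304/"]}
REPLY_EXTRACTED = {"error": False,
                   "data": {"task_ids": [68578],
                            "config": {"MUTEX": ["DC_MUTEX-3ZSAD3N"],
                                       "NETDATA": ["192.168.22.237:80|192.168.22.237:8080|192.168.22.237:443"]}}}
REPLY_NOT_STATIC = {"error": False, "data": {"task_ids": []}}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(submit_static(Path(sys.argv[1])), indent=2))
    else:
        for reply in (REPLY_ERROR, REPLY_QUEUED, REPLY_EXTRACTED, REPLY_NOT_STATIC):
            print(classify_static_response(reply)["outcome"])
```

Run it with a file path to submit; without arguments it only classifies the embedded replies. Treating an HTTP error and a non-JSON body as an explicit 'error' outcome is what keeps a batch submitter from crashing on the 500 page shown earlier in the thread.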

nikhilh-20 commented 4 years ago

Awesome, thanks for the support @doomedraven :D

doomedraven commented 4 years ago

Thanks for beta testing and patience, night coding gives too many 500 status code xD ahahahah
