Decoders
These decoders are meant to automate the extraction of the IoCs that malware conceals. That information is useful to network defenders and intel analysts alike. Many frameworks exist to accommodate this process. Some are standalone file processors, like MWCP or Viper. Others, such as Stoq, the File Scanning Framework or LaikaBOSS, combine YARA signatures with a collection of decoders to scan files recursively.
To keep decoders portable between frameworks, reversers are encouraged to write each decoder as an importable Python module whose instance variables hold the IoCs of interest, and to give each module a standalone entry point as well. The advantages of this design are as follows:
- It frees the decoder from out-of-scope framework requirements, such as a narrowly defined data model or a particular runtime.
- Abstracting the insight gained from reversing (for example, how a configuration is decrypted and parsed) lets that knowledge be integrated into more than one project, so it stays useful even as interest in alternative file-processing tools arises.
- It keeps the focus on maintaining the script's compatibility with a changing malware family.
A rough template for accomplishing this may be found here...
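The following is an added illustration of this module layout; it is not the project's own template and it describes no real malware family. The embedded-config format it parses (an ASCII marker `CFG:`, a one-byte XOR key, a 16-bit little-endian length and a `host|port|mutex` string) is invented for the example, as are the `Decoder` class, the `build_sample` helper and the sample bytes. The point is the shape: an importable class whose instance variables carry the IoCs, with a `__main__` block so the same file also runs from the command line.

```python
"""Decoder module layout (added example; the config format is constructed for illustration)."""
import json
import struct
import sys

# Marker that precedes the (hypothetical) embedded config in the sample.
MARKER = b"CFG:"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the toy 'encryption' used by the constructed format."""
    return bytes(b ^ key for b in data)


class Decoder:
    """Importable decoder: run() fills plain instance variables with IoCs.

    Frameworks (MWCP, Viper, stoQ, ...) wrap this class and read the
    attributes; nothing here depends on any framework's data model.
    """

    def __init__(self, data: bytes):
        self.data = data
        # IoCs exposed as instance variables, not framework-specific objects.
        self.c2_hosts = []
        self.mutexes = []
        self.config = {}

    def run(self) -> bool:
        """Locate, decrypt and parse the config. Returns False if absent/malformed."""
        idx = self.data.find(MARKER)
        if idx < 0:
            return False
        off = idx + len(MARKER)
        if len(self.data) < off + 3:          # need key byte + 2-byte length
            return False
        key = self.data[off]
        (length,) = struct.unpack_from("<H", self.data, off + 1)
        enc = self.data[off + 3: off + 3 + length]
        if len(enc) != length:                # truncated sample
            return False
        fields = xor(enc, key).split(b"|")
        if len(fields) != 3:
            return False
        host, port, mutex = (f.decode("latin-1") for f in fields)
        if not port.isdigit():
            return False
        self.config = {"host": host, "port": int(port), "mutex": mutex}
        self.c2_hosts.append(f"{host}:{port}")
        self.mutexes.append(mutex)
        return True

    def iocs(self) -> dict:
        """Convenience view for callers that want a single dict."""
        return {"c2_hosts": self.c2_hosts, "mutexes": self.mutexes, "config": self.config}


def build_sample(host: str, port: int, mutex: str, key: int = 0x5A) -> bytes:
    """Construct a fake 'binary' carrying the hypothetical config (test data only)."""
    plain = f"{host}|{port}|{mutex}".encode()
    return (b"MZ\x90\x00" + b"\x00" * 16 + MARKER + bytes([key])
            + struct.pack("<H", len(plain)) + xor(plain, key) + b"\x00" * 8)


def main(argv) -> int:
    """Standalone entry point: decode a file given on the command line."""
    if len(argv) < 2:
        print(f"usage: {argv[0]} <file>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        dec = Decoder(fh.read())
    if not dec.run():
        print("no config found", file=sys.stderr)
        return 1
    print(json.dumps(dec.iocs(), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A framework adapter only needs `Decoder(data).run()` and the attributes; the `main` function is what an analyst uses at the shell. The explicit length and marker checks are there because real samples are often truncated or packed, and a decoder that raises on bad input tends to abort the whole framework scan rather than just one file.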
Modules whose purpose is to retrieve, decrypt, and return embedded data (typically found inside malware). Examples of returned data are configurations or embedded files.