def extract_configuration()

in nightMARE/src/nightmare/malware/blister/configuration.py [0:0]


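def extract_configuration(data: bytes) -> Configuration:
    """
    Extracts the configuration and the embedded payload from a Blister sample.

    The ".rsrc" section content is passed to decrypt_core(); the configuration blob is then
    located in the decrypted memory right after the last occurrence of the magic tag, its
    fields are read at fixed offsets, and the payload stored after the configuration in the
    resource data is decrypted with Rabbit and decompressed with LZNT1.

    :param data: bytes of a Blister sample to extract the configuration and payload
    :return: Extracted configuration data from the Blister sample.
    :raises SignatureNotFoundException: if the configuration tag rule does not match or the
        magic tag cannot be located in the decrypted memory.
    """
    # NOTE(review): lief.parse() returns None for input it cannot parse; how
    # utils.get_section_content() reacts to that is not visible here -- confirm.
    pe = lief.parse(raw=data)
    rsrc_data = utils.get_section_content(pe, ".rsrc")
    blister_helper = decrypt_core(pe, data, rsrc_data)
    decrypted_memory = blister_helper.decrypted_memory

    if (
        config_tag_offset := utils.yara_scan(
            data=decrypted_memory, compiled_rule=CONFIG_TAG_RULE
        )
    ) is None:
        raise SignatureNotFoundException(
            "Blister configuration tag rule did not match the decrypted memory"
        )

    # The rule match gives the location of the tag value; the tag itself is then searched
    # for to find where the configuration blob starts.
    config_tag = utils.get_data(
        decrypted_memory,
        config_tag_offset + CONFIG_TAG_YARA_OFFSET,
        MAGIC_TAG_SIZE,
    )

    # Test the rfind() result before adding MAGIC_TAG_SIZE: once the size is added, a
    # "not found" (-1) no longer compares equal to -1 and a bogus offset would be used.
    config_tag_position = decrypted_memory.rfind(config_tag)
    if config_tag_position == -1:
        raise SignatureNotFoundException(
            "Blister configuration magic tag not found in the decrypted memory"
        )

    config_blob_offset = config_tag_position + MAGIC_TAG_SIZE
    config_blob = decrypted_memory[config_blob_offset:]

    flag = cast.u32(utils.get_data(config_blob, 0, 4))
    domain_hash = cast.u32(utils.get_data(config_blob, 4, 4))
    payload_export_hash = cast.u32(utils.get_data(config_blob, 8, 4))
    sleep_time = cast.u32(utils.get_data(config_blob, SLEEP_TIME_OFFSET, 4))
    rabbit_key = utils.get_data(config_blob, RABBIT_KEY_OFFSET, 16)
    rabbit_iv = utils.get_data(config_blob, RABBIT_IV_OFFSET, 8)
    compressed_data_size = cast.u32(
        utils.get_data(config_blob, COMPRESSED_DATA_SIZE, 4)
    )
    uncompressed_data_size = cast.u32(
        utils.get_data(config_blob, UNCOMPRESSED_DATA_SIZE, 4)
    )

    # The encrypted payload sits in the resource data directly after the configuration.
    # NOTE(review): compressed_data_size is read from the sample itself; a slice that runs
    # past the end of rsrc_data is silently shortened, and the decompressed length is not
    # compared with uncompressed_data_size here -- consider validating both before the
    # payload is trusted by downstream tooling.
    payload_start = (
        blister_helper.encrypted_memory_offset + config_blob_offset + CONFIG_SIZE
    )
    encrypted_payload = rsrc_data[payload_start : payload_start + compressed_data_size]

    cipher = crypto.Rabbit(rabbit_key, rabbit_iv)
    decrypted_payload = cipher.crypt(encrypted_payload)
    blister_payload = lznt1(decrypted_payload)

    return Configuration(
        flag,
        domain_hash,
        payload_export_hash,
        sleep_time,
        rabbit_key,
        rabbit_iv,
        compressed_data_size,
        uncompressed_data_size,
        blister_payload,
    )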