def extract()

in nightMARE/src/nightmare/malware/smokeloader/configuration.py [0:0]


def extract(data: bytes) -> dict[str, typing.Any]:
    """
    Recover the C2 configuration from a SmokeLoader sample.

    The sample is scanned with the 64-bit YARA rules first and with the
    32-bit rules only when the 64-bit scan finds nothing. The scan result is
    handed to ``_extract_encryption_addresses`` and the addresses it returns
    are passed to ``_decrypt_configuration``.

    :param data: Raw bytes of the sample to analyse.

    :return: A dictionary with the single key ``"c2"`` holding the decrypted
        configuration decoded as UTF-8. The value comes straight from the
        sample, so consumers should treat it as untrusted text (validate or
        defang it before logging, rendering or acting on it).

    :raises RuntimeError: If neither rule set matches the sample, or if the
        addresses of the encrypted configuration cannot be found.
    """
    # Architecture variants in the order they are tried: 64-bit, then 32-bit.
    variants = (
        (SMOKELOADER_64_RULES, True),
        (SMOKELOADER_32_RULES, False),
    )

    for rules, is_64_bit in variants:
        match_offset = utils.yara_scan(data, rules)
        if match_offset:
            config_addresses = _extract_encryption_addresses(
                data, match_offset, is_64=is_64_bit
            )
            break
    else:
        # No rule set matched: refuse to guess rather than decrypt garbage.
        raise RuntimeError("The sample does not appear to be SmokeLoader")

    if not config_addresses:
        raise RuntimeError(
            "Unable to extract the configuration: Cannot find addresses of encrypted configuration"
        )

    c2_raw = _decrypt_configuration(config_addresses, data)
    # NOTE(review): strict UTF-8 decode. Presumably c2_raw is bytes; if the
    # decrypted output is not valid UTF-8 this raises UnicodeDecodeError, not
    # RuntimeError. Confirm callers handle both.
    c2_text = c2_raw.decode("utf-8")
    return {"c2": c2_text}