in nightMARE/src/nightmare/malware/netwire/configuration.py [0:0]
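def extract(data: bytes) -> dict[str, typing.Any]:
    """Extract the NetWire configuration embedded in a 32-bit x86 sample.

    The sample is first identified with the NetWire YARA rule set. The rule hit
    gives the offset of the configuration-decryption routine, which is
    disassembled to recover the flat list of values describing the encrypted
    configuration blobs; those values are paired up, decrypted and parsed.

    Args:
        data: Raw bytes of the sample. This is untrusted input: it is only ever
            parsed (YARA, lief, capstone), never executed.

    Returns:
        The parsed configuration as produced by ``__parse_and_set_config``.

    Raises:
        RuntimeError: if the YARA rules do not match, the sample cannot be
            parsed as a PE, no encrypted-configuration addresses are found, or
            the recovered value list does not form complete pairs.
    """
    netwire_rules = yara.compile(source=NETWIRE_YARA)
    if not netwire_rules.match(data=data):
        raise RuntimeError("The sample does not appear to be NetWire")

    # lief.parse() returns None for a buffer it cannot parse; without this
    # check the failure would surface later as an AttributeError inside
    # __decrypt_configuration instead of a clear extraction error.
    pe = lief.parse(raw=data)
    if pe is None:
        raise RuntimeError(
            "Unable to extract the configuration: Cannot parse the sample as a PE"
        )

    # 32-bit x86 is the only mode used here; instruction details are switched on
    # because __extract_encryption_addresses relies on them (presumably operand
    # information — confirm against that helper).
    disassembler = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
    disassembler.detail = True

    config_decrypt_func_offset = utils.yara_scan(data, netwire_rules)
    extracted_values_list = __extract_encryption_addresses(
        disassembler, data, config_decrypt_func_offset
    )
    if not extracted_values_list:
        raise RuntimeError(
            "Unable to extract the configuration: Cannot find addresses of encrypted configuration"
        )

    # The helper returns a flat list that alternates size and RVA (per the
    # variable name below). An odd number of values means a truncated pair;
    # the original index-based pairing raised a bare IndexError in that case,
    # and zip() would silently drop the dangling value, so reject it explicitly.
    if len(extracted_values_list) % 2:
        raise RuntimeError(
            "Unable to extract the configuration: Unpaired size/address value in encrypted configuration list"
        )
    size_rva_encrypted = list(
        zip(extracted_values_list[0::2], extracted_values_list[1::2])
    )

    config = __decrypt_configuration(size_rva_encrypted, pe)
    return __parse_and_set_config(config)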