This Assemblyline service extracts malware configurations (such as IP, URL and domain) for various malware family by leveraging the ConfigExtractor Python library for analysis.
The updater for this service requires matches on directories containing parsers.
For example, the CAPE source will have a match pattern of ^\/tmp\/w+\/CAPE\/$ in which we're trying to target the parsers in the root directory only.
The updater assumes that you have attached a storage volume to store your collection of sources. Contrary to other services, this updater relies on a storage volume to maintain persistence rather than Assemblyline's datastore.
The updater is able to scan through the root directory containing parsers and look for a requirements.txt file and install Python packages to a directory that should get passed onto service instances.
If you require a proxy connection for package installation, add environment variable PIP_PROXY to the container configuration.
ConfigExtractor Python Library (now available on PyPI)
All parser directories that are able to work with this library should also be compatible with the service.
At the time of writing, we officially support the following frameworks:
Thanks to everyone who have contributed to this project:
| Contributor | Contribution(s) | License |
|---|---|---|
 |
Added MACO extractors in rat_king_parser |  |
 |
Added MACO extractors in apophis-YARA-Rules | |
 |
Added MACO extractors in CAPESandbox community |  |
