-->

Karton - Distributed Malware Processing Framework Based On Python, Redis And MinIO


Distributed malware processing framework based on Python, Redis and MinIO.


The idea

Karton is a robust framework for creating flexible and lightweight malware analysis backends. It can be used to connect malware* analysis systems into a robust pipeline with very little effort.

We've been in the automation business for a long time. We're dealing with more and more threats, and we have to automate everything to keep up with incidents. Because of this, we often end up with many scripts stuck together with duck duct tape and WD-40. These scripts are written by analysts in the heat of the moment, fragile and ugly - but they work, and produce intel that must be stored, processed further, sent to other systems or shared with other organisations.

We needed a way to take our PoC scripts and easily insert them into our analysis pipeline. We also wanted to monitor their execution, centralise logging, improve robustness, reduce development inertia... For this exact purpose, we created Karton.

* while Karton was designed with malware analysis in mind, it works nicely in every microservice-oriented project.


Installation

Installation is as easy as a single pip install command:

pip3 install karton-core

In order to setup the whole backend environment you will also need MinIO and Redis, see the docs for details.


Example usage

To use karton you have to provide class that inherits from Karton.

from karton.core import Karton, Task, Resourceclass GenericUnpacker(Karton):    """    Performs sample unpacking    """    identity = "karton.generic-unpacker"    filters = [        {            "type": "sample",            "kind": "runnable",            "platform": "win32"        }    ]    def process(self, task: Task) -> None:        # Get sample object        packed_sample = task.get_resource('sample')        # Log with self.log        self.log.info(f"Hi {packed_sample.name}, let me analyze you!")        ...        # Send our results for further processing or reporting        task = Task(            {               "type": "sample",               "kind": "raw"            }, payload = {               "parent": packed_sample,               "sample": Resource(filename, unpacked)            })        self.send_task(task)<   br/>if __name__ == "__main__":    # Here comes the main loop    GenericUnpacker().loop()

Karton systems

Some Karton systems are universal and useful to everyone. We decided to share them with the community.


karton

This repository. It contains the karton.system service - main service, responsible for dispatching tasks within the system. It also contains the karton.core module, that is used as a library by other systems.


karton-dashboard

A small Flask dashboard for task and queue management and monitoring.


karton-classifier

The "router". It recognises samples/files and produces various task types depending on the file format. Thanks to this, other systems may only listen for tasks with a specific format (for example, only zip archives).


karton-archive-extractor

Generic archive unpacker. Archives uploaded into the system will be extracted, and every file will be processed individually.


karton-config-extractor

Malware extractor. It uses Yara rules and Python modules to extract static configuration from malware samples and analyses. It's a fishing rod, not a fish - we don't share the modules themselves. But it's easy to write your own!


karton-mwdb-reporter

A very important part of the pipeline. Reporter submits all files, tags, comments and other intel produced during the analysis to MWDB. If you don't use MWDB yet or just prefer other backends, it's easy to write your own reporter.


karton-yaramatcher

Automatically runs Yara rules on all files in the pipeline, and tags samples appropriately. Rules not included ;).


karton-asciimagic

Karton system that decodes files encoded with common methods, like hex, base64, etc. (You wouldn't believe how common it is).


karton-autoit-ripper

A small wrapper around AutoIt-Ripper that extracts embedded AutoIt scripts and resources from compiled AutoIt executables.


DRAKVUF Sandbox

Automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.

Coming soon:


karton-misp-pusher

A reporter, that submits observed events to MISP.

This is how these systems can be used to form a basic malware analysis pipeline:



Disqus Comments