Update Ursnif config item labels (thanks enzok)

ctxis · Jan 29, 2018 · 337dd30 · 337dd30
1 parent 6f942b4
commit 337dd30
Showing 1 changed file with 18 additions and 16 deletions.
diff --git a/modules/processing/parsers/malwareconfig/Ursnif.py b/modules/processing/parsers/malwareconfig/Ursnif.py
@@ -41,48 +41,50 @@ def config(raw_data):
         if section_type == 1:
             data_offset = struct.unpack('I', raw_data[section_offset+8:section_offset+12])[0]
             config_item = get_config_item(raw_data, section_offset + data_offset)
+            if config_item == None:
+                continue
             if section_key == 0xD0665BF6:
                 config_dict['Asset URLs'] = config_item
             elif section_key == 0x73177345:
                 config_dict['DGA Seed Document'] = config_item
             elif section_key == 0xCD850E68:
-                config_dict['Hex Value'] = config_item
+                config_dict['DGA CRC'] = config_item
             elif section_key == 0xC61EFA7A:
-                config_dict['Domain Suffixes'] = config_item
+                config_dict['DGA TLDs'] = config_item
             elif section_key == 0x510F22D2:
                 config_dict['TOR Asset URLs'] = config_item
             elif section_key == 0xDF351E24:
-                config_dict['Download URLs'] = config_item
+                config_dict['32-bit DLL URLs'] = config_item
             elif section_key == 0x4B214F54:
-                config_dict['Alternate Download URLs'] = config_item
+                config_dict['64-bit DLL URLs'] = config_item
             elif section_key == 0xEC99DF2E:
                 config_dict['IP check URL'] = config_item
             elif section_key == 0x11271C7F:
                 config_dict['Base64 string'] = config_item
             elif section_key == 0xDF2E7488:
-                config_dict['Value1'] = config_item
+                config_dict['DGA Season'] = config_item
             elif section_key == 0x556AED8F:
-                config_dict['Value2'] = config_item
+                config_dict['Server'] = config_item
             elif section_key == 0x4FA8693E:
-                config_dict['Value3'] = config_item
+                config_dict['Encryption key'] = config_item
             elif section_key == 0xD7A003C9:
-                config_dict['Value4'] = config_item
+                config_dict['Config Fail Timeout'] = config_item
             elif section_key == 0x18A632BB:
-                config_dict['Value5'] = config_item
+                config_dict['Config Timeout'] = config_item
             elif section_key == 0x31277BD5:
-                config_dict['Value6'] = config_item            
+                config_dict['Task Timeout'] = config_item            
             elif section_key == 0x955879A6:
-                config_dict['Value7'] = config_item
+                config_dict['Send Timeout'] = config_item
             elif section_key == 0xACC79A02:
-                config_dict['Value8'] = config_item
+                config_dict['Knocker Timeout'] = config_item
             elif section_key == 0x6DE85128:
-                config_dict['Value9'] = config_item
+                config_dict['BC Timeout'] = config_item
             elif section_key == 0x656B798A:
-                config_dict['Value10'] = config_item
+                config_dict['Botnet ID'] = config_item
             elif section_key == 0xEFC574AE:
                 config_dict['Value11'] = config_item
-            elif section_key == 0x584E5925:
-                config_dict['Value12'] = config_item
+            #elif section_key == 0x584E5925:
+            #    config_dict['EndPointer'] = config_item
 
         section_count += 1
         section_offset += 24