
How to use malware parsers (mwcp, RATdecoders, malduck, MACO, cape-parsers), and what are the things that need to be configured to run the functions of these malware parsers? #2447

Open
6 tasks done
superonion7890 opened this issue Jan 5, 2025 · 4 comments

Comments

@superonion7890

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

I don't know in detail how to use the malware parser function on this latest CAPEv2 version. I hope to gain more insights regarding the use of these malware parser functions.

Current Behavior

Some of the functions that I have enabled run normally, with no problem at all; I'm just confused about how to use the malware parser.

@kevoreilly
Owner

Can you be more specific? Have you installed cape-parsers from their own repository as explained in the changelog recently?

We need specific details and machine output for your issue to be able to help.

@doomedraven
Collaborator

To run those, just enable them in the config https://github.com/kevoreilly/CAPEv2/blob/master/conf/default/processing.conf.default#L294-L316 (in your case it is in /opt/CAPEv2/conf/processing.conf). Then restart processing with systemctl restart cape-processor and run your malware samples in the sandbox, that's all.

@superonion7890
Author

> Can you be more specific? Have you installed cape-parsers from their own repository as explained in the changelog recently?
>
> We need specific details and machine output for your issue to be able to help.

I've done the installation of CAPE-parsers, MACO, malduck, RAT-king-parser, MWCP, RATDecoders (a.k.a malwareconfig)


But the thing I'm confused about is where the parser file is used, how it works, and how to update the parser file when there is an update?

The way I use and know is to run the command poetry run python3 utils/community.py -waf; in addition I also added a CAPE-parser directory sourced from https://github.com/CAPESandbox/CAPE-parsers/tree/main/cape_parsers into the directory /opt/CAPEv2/modules/processing/processing/parsers


Is the way I do it right? I ask you for your feedback, thank you very much!

@doomedraven
Collaborator

Well, you're going too far from what you need, you just need:

  1. use poetry install it will install cape-parsers
  2. and restart processing by systemctl restart cape-processor

So if you are just a user and not writing configs, just follow those 2 steps. If you write parsers, then if you will contribute, submit a pull request with the parser and unittest + sample to the test files. If you are going to use pure python private parsers, just place them under custom/parsers.

More details about how it was loaded in the past you can find here, https://www.doomedraven.com/2020/02/cape-sandbox-config-extraction.html; everything is still pretty similar, but we just moved them to an external folder.
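The reply above says the parser frameworks are switched on in processing.conf and then cape-processor is restarted. As an added example (not code from the CAPEv2 project or from anyone in this thread), the script below reads an INI-style processing.conf, reports which extraction frameworks are enabled, and enables the ones you name. The `[CAPE]` section name, the per-framework key names and the sample file contents are assumptions for illustration; check them against the linked lines of conf/default/processing.conf.default before using it on a real /opt/CAPEv2/conf/processing.conf.

```python
"""Inspect and toggle config-extraction frameworks in a CAPEv2-style
processing.conf (INI format).

Added example; the section name, key names and sample contents are
assumptions, not copied from the project's processing.conf.default.
"""
import configparser
import io
import sys

# Constructed sample modelled on an INI processing.conf. The [CAPE]
# section and these key names are assumed for illustration only.
SAMPLE_CONF = """\
[CAPE]
enabled = yes
cape_extractors = yes
ratdecoders = no
mwcp = no
malduck = no
maco = no
"""

# Framework keys this script knows how to toggle (assumed names).
PARSER_KEYS = ("cape_extractors", "ratdecoders", "mwcp", "malduck", "maco")


def _read(conf_text: str) -> configparser.ConfigParser:
    """Parse INI text; configparser understands yes/no booleans natively."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp


def _write(cp: configparser.ConfigParser) -> str:
    """Serialise the parser back to INI text."""
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def parser_status(conf_text: str, section: str = "CAPE") -> dict:
    """Return {framework_key: enabled?} for every known framework.
    A missing key counts as disabled, which is the safe default."""
    cp = _read(conf_text)
    return {k: cp.getboolean(section, k, fallback=False) for k in PARSER_KEYS}


def enable_parsers(conf_text: str, names, section: str = "CAPE") -> str:
    """Set the named framework keys to 'yes' and return the new INI text.
    Unknown names are rejected rather than silently written, so a typo
    cannot add a key the processor will ignore."""
    unknown = set(names) - set(PARSER_KEYS)
    if unknown:
        raise ValueError(f"unknown parser framework(s): {sorted(unknown)}")
    cp = _read(conf_text)
    if not cp.has_section(section):
        cp.add_section(section)
    for name in names:
        cp.set(section, name, "yes")
    return _write(cp)


def disabled_parsers(conf_text: str, section: str = "CAPE") -> list:
    """List frameworks that are installed-but-off according to the config."""
    return [k for k, on in parser_status(conf_text, section).items() if not on]


if __name__ == "__main__":
    # Usage: python toggle_parsers.py /opt/CAPEv2/conf/processing.conf mwcp malduck
    # With no arguments it runs against the constructed sample above.
    if len(sys.argv) >= 3:
        path, wanted = sys.argv[1], sys.argv[2:]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(enable_parsers(text, wanted))
    else:
        text = enable_parsers(SAMPLE_CONF, ["mwcp", "malduck"])
    print("still disabled:", disabled_parsers(text))
    print("now restart processing: systemctl restart cape-processor")
```

After editing the file, the processor only picks up the change once it is restarted with `systemctl restart cape-processor`, as the reply says; the script prints that reminder rather than running it, since it needs root and should be a deliberate step.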
