maco optional (#2380)

* maco optional * Update poetry.lock
kevoreilly · Oct 30, 2024 · e112deb · e112deb
1 parent d087bf5
commit e112deb
Show file tree

Hide file tree

Showing 23 changed files with 630 additions and 518 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -92,6 +92,8 @@ setproctitle = "1.3.2"
 # tmp dependency to fix vuln
 certifi = "2024.7.4"
 
+[tool.poetry.extras]
+maco = ["maco"]
 
 [tool.poetry.dev-dependencies]
 black = "^24.3.0"

diff --git a/tests_parsers/test_agenttesla.py b/tests_parsers/test_agenttesla.py
@@ -1,5 +1,10 @@
 from modules.processing.parsers.CAPE.AgentTesla import extract_config
-from modules.processing.parsers.MACO.AgentTesla import convert_to_MACO
+
+from contextlib import suppress
+HAVE_MACO = False
+with suppress(ImportError):
+    from modules.processing.parsers.MACO.AgentTesla import convert_to_MACO
+    HAVE_MACO = True
 
 
 def test_agenttesla():
@@ -16,26 +21,27 @@ def test_agenttesla():
             "ExternalIPCheckServices": ["http://ip-api.com/line/?fields=hosting"],
         }
 
-        assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
-            "family": "AgentTesla",
-            "other": {
-                "Protocol": "SMTP",
-                "C2": "mail.guestequipment.com.au",
-                "Username": "[email protected]",
-                "Password": "Clone89!",
-                "EmailTo": "[email protected]",
-                "Persistence_Filename": "newfile.exe",
-                "ExternalIPCheckServices": ["http://ip-api.com/line/?fields=hosting"],
-            },
-            "smtp": [
-                {
-                    "username": "[email protected]",
-                    "password": "Clone89!",
-                    "hostname": "mail.guestequipment.com.au",
-                    "mail_to": ["[email protected]"],
-                    "usage": "c2",
-                }
-            ],
-            "http": [{"uri": "http://ip-api.com/line/?fields=hosting", "usage": "other"}],
-            "paths": [{"path": "newfile.exe", "usage": "storage"}],
-        }
+        if HAVE_MACO:
+            assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
+                "family": "AgentTesla",
+                "other": {
+                    "Protocol": "SMTP",
+                    "C2": "mail.guestequipment.com.au",
+                    "Username": "[email protected]",
+                    "Password": "Clone89!",
+                    "EmailTo": "[email protected]",
+                    "Persistence_Filename": "newfile.exe",
+                    "ExternalIPCheckServices": ["http://ip-api.com/line/?fields=hosting"],
+                },
+                "smtp": [
+                    {
+                        "username": "[email protected]",
+                        "password": "Clone89!",
+                        "hostname": "mail.guestequipment.com.au",
+                        "mail_to": ["[email protected]"],
+                        "usage": "c2",
+                    }
+                ],
+                "http": [{"uri": "http://ip-api.com/line/?fields=hosting", "usage": "other"}],
+                "paths": [{"path": "newfile.exe", "usage": "storage"}],
+            }
diff --git a/tests_parsers/test_asyncrat.py b/tests_parsers/test_asyncrat.py
@@ -1,5 +1,9 @@
 from modules.processing.parsers.CAPE.AsyncRAT import extract_config
-from modules.processing.parsers.MACO.AsyncRAT import convert_to_MACO
+from contextlib import suppress
+HAVE_MACO = False
+with suppress(ImportError):
+    from modules.processing.parsers.MACO.AsyncRAT import convert_to_MACO
+    HAVE_MACO = True
 
 
 def test_asyncrat():
@@ -16,21 +20,22 @@ def test_asyncrat():
             "Pastebin": "null",
         }
 
-        assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
-            "family": "AsyncRAT",
-            "version": "0.5.7B",
-            "capability_disabled": ["persistence"],
-            "mutex": ["AsyncMutex_6SI8OkPnk"],
-            "other": {
-                "C2s": ["todfg.duckdns.org"],
-                "Ports": "6745",
-                "Version": "0.5.7B",
-                "Folder": "%AppData%",
-                "Filename": "updateee.exe",
-                "Install": "false",
-                "Mutex": "AsyncMutex_6SI8OkPnk",
-                "Pastebin": "null",
-            },
-            "http": [{"hostname": "todfg.duckdns.org", "port": 6, "usage": "c2"}],
-            "paths": [{"path": "%AppData%/updateee.exe", "usage": "install"}],
-        }
+        if HAVE_MACO:
+            assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
+                "family": "AsyncRAT",
+                "version": "0.5.7B",
+                "capability_disabled": ["persistence"],
+                "mutex": ["AsyncMutex_6SI8OkPnk"],
+                "other": {
+                    "C2s": ["todfg.duckdns.org"],
+                    "Ports": "6745",
+                    "Version": "0.5.7B",
+                    "Folder": "%AppData%",
+                    "Filename": "updateee.exe",
+                    "Install": "false",
+                    "Mutex": "AsyncMutex_6SI8OkPnk",
+                    "Pastebin": "null",
+                },
+                "http": [{"hostname": "todfg.duckdns.org", "port": 6, "usage": "c2"}],
+                "paths": [{"path": "%AppData%/updateee.exe", "usage": "install"}],
+            }
diff --git a/tests_parsers/test_aurorastealer.py b/tests_parsers/test_aurorastealer.py
@@ -1,5 +1,9 @@
 from modules.processing.parsers.CAPE.AuroraStealer import extract_config
-from modules.processing.parsers.MACO.AuroraStealer import convert_to_MACO
+from contextlib import suppress
+HAVE_MACO = False
+with suppress(ImportError):
+    from modules.processing.parsers.MACO.AuroraStealer import convert_to_MACO
+    HAVE_MACO = True
 
 
 def test_aurorastealer():
@@ -15,16 +19,17 @@ def test_aurorastealer():
             "Date": "2023-04-06 19",
         }
 
-        assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
-            "family": "AuroraStealer",
-            "other": {
-                "BuildID": "x64pump",
-                "MD5Hash": "f29f33b296b35ec5e7fc3ee784ef68ee",
-                "C2": "77.91.85.73",
-                "Architecture": "X64",
-                "BuildGroup": "x64pump",
-                "BuildAccept": "0",
-                "Date": "2023-04-06 19",
-            },
-            "http": [{"hostname": "77.91.85.73", "usage": "c2"}],
-        }
+        if HAVE_MACO:
+            assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
+                "family": "AuroraStealer",
+                "other": {
+                    "BuildID": "x64pump",
+                    "MD5Hash": "f29f33b296b35ec5e7fc3ee784ef68ee",
+                    "C2": "77.91.85.73",
+                    "Architecture": "X64",
+                    "BuildGroup": "x64pump",
+                    "BuildAccept": "0",
+                    "Date": "2023-04-06 19",
+                },
+                "http": [{"hostname": "77.91.85.73", "usage": "c2"}],
+            }
diff --git a/tests_parsers/test_blackdropper.py b/tests_parsers/test_blackdropper.py
@@ -3,7 +3,12 @@
 # See the file 'docs/LICENSE' for copying permission.
 
 from modules.processing.parsers.CAPE.BlackDropper import extract_config
-from modules.processing.parsers.MACO.BlackDropper import convert_to_MACO
+from contextlib import suppress
+HAVE_MACO = False
+with suppress(ImportError):
+    from modules.processing.parsers.MACO.BlackDropper import convert_to_MACO
+    HAVE_MACO = True
+
 
 
 def test_blackdropper():
@@ -15,14 +20,15 @@ def test_blackdropper():
             "campaign": "oFwQ0aQ3v",
         }
 
-        assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
-            "family": "BlackDropper",
-            "campaign_id": ["oFwQ0aQ3v"],
-            "other": {
-                "urls": ["http://72.5.42.222:8568/api/dll/", "http://72.5.42.222:8568/api/fileZip"],
-                "directories": ["\\Music\\dkcydqtwjv"],
-                "campaign": "oFwQ0aQ3v",
-            },
-            "http": [{"uri": "http://72.5.42.222:8568/api/dll/"}, {"uri": "http://72.5.42.222:8568/api/fileZip"}],
-            "paths": [{"path": "\\Music\\dkcydqtwjv"}],
-        }
+        if HAVE_MACO:
+            assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
+                "family": "BlackDropper",
+                "campaign_id": ["oFwQ0aQ3v"],
+                "other": {
+                    "urls": ["http://72.5.42.222:8568/api/dll/", "http://72.5.42.222:8568/api/fileZip"],
+                    "directories": ["\\Music\\dkcydqtwjv"],
+                    "campaign": "oFwQ0aQ3v",
+                },
+                "http": [{"uri": "http://72.5.42.222:8568/api/dll/"}, {"uri": "http://72.5.42.222:8568/api/fileZip"}],
+                "paths": [{"path": "\\Music\\dkcydqtwjv"}],
+            }
diff --git a/tests_parsers/test_bumblebee.py b/tests_parsers/test_bumblebee.py
@@ -3,18 +3,23 @@
 # See the file 'docs/LICENSE' for copying permission.
 
 from modules.processing.parsers.CAPE.BumbleBee import extract_config
-from modules.processing.parsers.MACO.BumbleBee import convert_to_MACO
+from contextlib import suppress
+HAVE_MACO = False
+with suppress(ImportError):
+    from modules.processing.parsers.MACO.BumbleBee import convert_to_MACO
+    HAVE_MACO = True
 
 
 def test_bumblebee():
     with open("tests/data/malware/f8a6eddcec59934c42ea254cdd942fb62917b5898f71f0feeae6826ba4f3470d", "rb") as data:
         conf = extract_config(data.read())
         assert conf == {"Botnet ID": "YTBSBbNTWU", "Campaign ID": "1904r", "Data": "XNgHUGLrCD", "C2s": ["444"]}
-        assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
-            "family": "BumbleBee",
-            "campaign_id": ["1904r"],
-            "identifier": ["YTBSBbNTWU"],
-            "other": {"Botnet ID": "YTBSBbNTWU", "Campaign ID": "1904r", "Data": "XNgHUGLrCD", "C2s": ["444"]},
-            "binaries": [{"data": "XNgHUGLrCD"}],
-            "http": [{"hostname": "444", "usage": "c2"}],
-        }
+        if HAVE_MACO:
+            assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
+                "family": "BumbleBee",
+                "campaign_id": ["1904r"],
+                "identifier": ["YTBSBbNTWU"],
+                "other": {"Botnet ID": "YTBSBbNTWU", "Campaign ID": "1904r", "Data": "XNgHUGLrCD", "C2s": ["444"]},
+                "binaries": [{"data": "XNgHUGLrCD"}],
+                "http": [{"hostname": "444", "usage": "c2"}],
+            }
diff --git a/tests_parsers/test_carbanak.py b/tests_parsers/test_carbanak.py
@@ -1,13 +1,18 @@
 from modules.processing.parsers.CAPE.Carbanak import extract_config
-from modules.processing.parsers.MACO.Carbanak import convert_to_MACO
+from contextlib import suppress
+HAVE_MACO = False
+with suppress(ImportError):
+    from modules.processing.parsers.MACO.Carbanak import convert_to_MACO
+    HAVE_MACO = True
 
 
 def test_carbanak():
     with open("tests/data/malware/c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84", "rb") as data:
         conf = extract_config(data.read())
         assert conf["C2"] == ["5.161.223.210:443", "207.174.30.226:443"]
-        assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
-            "family": "Carbanak",
-            "other": {"C2": ["5.161.223.210:443", "207.174.30.226:443"]},
-            "http": [{"hostname": "5.161.223.210:443", "usage": "c2"}, {"hostname": "207.174.30.226:443", "usage": "c2"}],
-        }
+        if HAVE_MACO:
+            assert convert_to_MACO(conf).model_dump(exclude_defaults=True, exclude_none=True) == {
+                "family": "Carbanak",
+                "other": {"C2": ["5.161.223.210:443", "207.174.30.226:443"]},
+                "http": [{"hostname": "5.161.223.210:443", "usage": "c2"}, {"hostname": "207.174.30.226:443", "usage": "c2"}],
+            }