Create hwp.py

for analysis *.hwp(Hangul (Korean) Word Processor File 5.x) malware P.S install Hangul Word Processor 2010 ver. at analysis VM and Snapshot ex) hangul malware example - http://blog.talosintelligence.com/2017/02/korean-maldoc.htm - http://blog.trendmicro.com/trendlabs-security-intelligence/hangul-word-processor-postscript-abused-malicious-attachments/
cuckoosandbox · Oct 19, 2017 · 8365f5a · 8365f5a
1 parent d9719d9
commit 8365f5a
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/cuckoo/data/analyzer/windows/modules/packages/hwp.py b/cuckoo/data/analyzer/windows/modules/packages/hwp.py
@@ -0,0 +1,20 @@
+# Copyright (C) 2012-2013 Claudio Guarnieri.
+# Copyright (C) 2014-2017 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+from _winreg import HKEY_CURRENT_USER
+
+from lib.common.abstracts import Package
+
+class HWP(Package):
+    """Hangul (Korean) Word Processor File 5.x analysis package."""
+    PATHS = [
+        ("ProgramFiles", "Hnc", "Hwp80", "Hwp.exe"),
+    ]
+
+    def start(self, path):
+        word = self.get_path("Hangul (Korean) Word Processor File 5.x")
+        return self.execute(
+            word, args=[path], mode="office", trigger="file:%s" % path
+        )