Elastic Security Labs

PARALLAX Payload Extractor

Python script to extract the payload from PARALLAX samples.

2 min readTools
PARALLAX Payload Extractor

Python script to extract the payload from PARALLAX samples.

Download parallax-payload-extractor.tar.gz

For information on the PARALLAX malware loader and campaign observations, check out our blog posts detailing this intrusion set.

Getting started

Docker

The recommended and easiest way to get going is to use Docker. From the directory this README is in, you can build a local container.

docker build . -t parallax_loader_payload_extractor

Then we run the container with the -v flag to map a host directory to the docker container directory.

docker run -ti --rm -v $(pwd)/data:/data parallax_loader_payload_extractor:latest --help

Running it locally

As mentioned above, Docker is the recommended approach to running this project, however you can also run this locally. This project uses Poetry to manage dependencies, testing, and metadata. If you have Poetry installed already, from this directory, you can simply run the following commands to run the tool. This will setup a virtual environment, install the dependencies, activate the virtual environment, and run the console script.

poetry lock
poetry install
poetry shell
parallax_loader_payload_extractor --help

Usage

We can either specify a single sample with -f option or a directory of samples with -d. You can use the -o switch to set the output directory of the payloads.

docker run -ti --rm -v $(pwd)/data:/data parallax_loader_payload_extractor:latest -d /data -o /data

PARALLAX payload extractor

You can collect the extracted payloads from the directory you set when running the extractor, the data directory in the root of the extractor in the above example.