CAPE-parsers 0.1.32__py3-none-any.whl → 0.1.34__py3-none-any.whl

@@ -174,15 +174,15 @@ def extract_config(data):
174
174
  dotnet_file_parser = Parser(data=data)
175
175
  config_dict = get_config_dict(dotnet_file_parser, data)
176
176
  config = get_clean_config(config_dict)
177
-
178
- if config.get("domain") and config.get("port"):
179
- conf["cncs"] = [f"{config['domain']}:{config['port']}"]
180
-
181
- if config.get("campaign_id"):
182
- conf["campaign id"] = config["campaign_id"]
183
-
184
- if config.get("version"):
185
- conf["version"] = config["version"]
177
+ if config:
178
+ if config.get("domain") and config.get("port"):
179
+ conf["cncs"] = [f"{config['domain']}:{config['port']}"]
180
+
181
+ if config.get("campaign_id"):
182
+ conf["campaign id"] = config["campaign_id"]
183
+
184
+ if config.get("version"):
185
+ conf["version"] = config["version"]
186
186
 
187
187
  dotnet_file_parser.close()
188
188
  return conf
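Review bot: `dotnet_file_parser.close()` on the last hunk line still runs only on the success path, so an exception raised by `get_config_dict` or `get_clean_config` leaves the parser opened on the first hunk line unclosed, and the new `if config:` guard does not change that. Wrapping the lines from `config_dict = get_config_dict(...)` through the end of the `if config:` block in `try:` and moving `dotnet_file_parser.close()` into a `finally:` keeps the close on every path, with the same kind of re-indentation this commit already makes. The `cncs` entry is also still built from `config['port']` without checking that the value is numeric, so a non-numeric port reaches the indicator list unchanged; a short comment stating that `port` is trusted as extracted, or a `str(config['port']).isdigit()` check, would make that explicit. `conf` is initialised outside the hunk and `extract_config` starts before it.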
@@ -41,7 +41,7 @@ rule Latrodectus
41
41
  $fnvhash2 = {8B 0C 24 33 C8 8B C1 89 04 24 69 04 24 93 01 00 01}
42
42
  $procchk1 = {E8 [3] FF 85 C0 74 [2] FF FF FF FF E9 [4] E8 [4] 89 44 24 ?? E8 [4] 83 F8 4B 73 ?? 83 [3] 06}
43
43
  $procchk2 = {72 [2] FF FF FF FF E9 [4] E8 [4] 83 F8 32 73 ?? 83 [3] 06}
44
- $version = {C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 01 00 00 00 8B}
44
+ $version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
45
45
  condition:
46
46
  all of them
47
47
  }
@@ -59,7 +59,7 @@ rule Latrodectus_AES
59
59
  $key = {C6 44 2? ?? ?? [150] C6 44 2? ?? ?? B8 02}
60
60
  $aes_ctr_1 = {8B 44 24 ?? FF C8 89 44 24 ?? 83 7C 24 ?? 00 7C ?? 4? 63 44 24 ?? 4? 8B 4C 24 ?? 0F B6 84 01 F0 00 00 00 3D FF 00 00 00}
61
61
  $aes_ctr_2 = {48 03 C8 48 8B C1 0F B6 ?? 48 63 4C 24 ?? 0F B6 4C 0C ?? 33 C1 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 03 D1 48 8B CA 88 01}
62
- $version = {C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 0? 00 00 00 C7 44 2? ?? 01 00 00 00 8B}
62
+ $version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
63
63
  condition:
64
64
  all of them
65
65
  }
@@ -150,8 +150,8 @@ def extract_config(filebuf):
150
150
  for instance in item.instances:
151
151
  if "$version" in item.identifier and not version:
152
152
  data = instance.matched_data[::-1]
153
- major = int.from_bytes(data[4:5], byteorder="big")
154
- minor = int.from_bytes(data[12:13], byteorder="big")
153
+ major = int.from_bytes(data[10:11], byteorder="big")
154
+ minor = int.from_bytes(data[18:19], byteorder="big")
155
155
  version = f"{major}.{minor}"
156
156
  if "$key" in item.identifier:
157
157
  key = instance.matched_data[4::5]
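Review bot: The new slice offsets `data[10:11]` and `data[18:19]` are correct only for the exact length of the rewritten `$version` pattern (23 bytes: two 8-byte `C7 44 2? ?? ?? 00 00 00` stores, `8B 05`, `[4]`, `89`), because `matched_data` is reversed first and the indexes therefore count from the end of the match: `data[10]` is byte 12 of the match (the second immediate) and `data[18]` is byte 4 (the first immediate). That coupling is invisible at this point in the file, so a comment such as `# offsets assume the 23-byte $version pattern; matched_data is reversed, so [10] is the 2nd imm32 and [18] the 1st` belongs above the two lines, and indexing the unreversed buffer directly (`major = instance.matched_data[12]`, `minor = instance.matched_data[4]`) would remove the arithmetic altogether. The `$version` string is duplicated byte-for-byte in the `Latrodectus` and `Latrodectus_AES` rules in the two earlier hunks, and both copies must change together with these offsets, which the comment should also say. The `for instance` loop and `extract_config` continue outside the hunk.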
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.3
2
2
  Name: CAPE-parsers
3
- Version: 0.1.32
3
+ Version: 0.1.34
4
4
  Summary: CAPE: Malware Configuration Extraction
5
5
  License: MIT
6
6
  Keywords: cape,parsers,malware,configuration
@@ -24,7 +24,7 @@ Requires-Dist: pycryptodomex (>=3.20.0)
24
24
  Requires-Dist: rat-king-parser (>=4.0.0)
25
25
  Requires-Dist: ruff (>=0.7.2)
26
26
  Requires-Dist: unicorn (==2.1.1)
27
- Requires-Dist: yara-python (==4.5.1)
27
+ Requires-Dist: yara-python (>=4.5.1)
28
28
  Description-Content-Type: text/markdown
29
29
 
30
30
  # CAPE-parsers
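Review bot: Relaxing `yara-python (==4.5.1)` to `(>=4.5.1)` removes the upper bound entirely, so any future yara-python release, including a major version that changes the match object API the parsers read (`matched_data`, `identifier`), satisfies the requirement at install time. If the pin was loosened to accept newer 4.x builds, a bounded range such as `Requires-Dist: yara-python (>=4.5.1,<5)` keeps that benefit without pulling in untested majors. METADATA is generated by poetry-core from the project file, so the constraint presumably needs to be changed at its source rather than in this file.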
@@ -17,7 +17,7 @@ cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSO
17
17
  cape_parsers/CAPE/community/Lumma.py,sha256=o8XiT1f48e_JdkbjCUFJ04uzCUr-L57bhH_12duiFyE,8978
18
18
  cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
19
19
  cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
20
- cape_parsers/CAPE/community/Njrat.py,sha256=UYK2KoSSPSk9BLUcrJymYdajQP553sxgKR-mS-MBoKI,4667
20
+ cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
21
21
  cape_parsers/CAPE/community/Pandora.py,sha256=d6R3AsDr5WOfKKyA6HI0yQ5Eo7_Eif5LspW0cm2wM5M,2522
22
22
  cape_parsers/CAPE/community/PhemedroneStealer.py,sha256=T6jMW73htNCRTqlEqeec9Y3p7BKuSmit3RvWFfd8IJ8,7032
23
23
  cape_parsers/CAPE/community/PoisonIvy.py,sha256=EFO-E91gkv5Byny8He81d7Wy-9yKPkM1ndWFhQrQ1pQ,4150
@@ -56,7 +56,7 @@ cape_parsers/CAPE/core/GuLoader.py,sha256=2DgE2hMkkNO2KVdtF8B4PmuCDnkK64u7xPMHD-
56
56
  cape_parsers/CAPE/core/HttpBrowser.py,sha256=rlJhbv06m3XkPb_oIN3dGrfl_uNxwR1tDv0M4ctstx8,4539
57
57
  cape_parsers/CAPE/core/IcedID.py,sha256=lKJZoRWQa-q0TNaylLCmm2hoj1h0wNP6eUmp-uI94pQ,4023
58
58
  cape_parsers/CAPE/core/IcedIDLoader.py,sha256=SQ3cqAnQ4elTiOrDQb5hMkFG-ymzek97yRNZd1967pA,1588
59
- cape_parsers/CAPE/core/Latrodectus.py,sha256=bWksR29BzrtzV-mlyWKToilvppG5ia_0DGGm4xZQvEk,7519
59
+ cape_parsers/CAPE/core/Latrodectus.py,sha256=qmMyFSiUsEhyZdEfxyG11ib1nRqX2Ojmwfwm1ahVAiI,7493
60
60
  cape_parsers/CAPE/core/Oyster.py,sha256=WVUimz6M3DxSnM6pnUI2s6hbLIQKiwhVs4KNwxEbJhE,4818
61
61
  cape_parsers/CAPE/core/PikaBot.py,sha256=s3jJL--NNwsvy9FkAADutbmqndlCZP6-ZI3W11p4QjE,5264
62
62
  cape_parsers/CAPE/core/PlugX.py,sha256=NiXAqkE5fFBioyRYALX8azaIo9pvfFfPP6xiLzO3TRQ,13156
@@ -104,7 +104,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
104
104
  cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
105
105
  cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
106
106
  cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
107
- cape_parsers-0.1.32.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
108
- cape_parsers-0.1.32.dist-info/METADATA,sha256=gNE-5dIOxmJ0qnA1-PEX1UWVWqPciYvXtcD5-YD2c9I,1149
109
- cape_parsers-0.1.32.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
110
- cape_parsers-0.1.32.dist-info/RECORD,,
107
+ cape_parsers-0.1.34.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
108
+ cape_parsers-0.1.34.dist-info/METADATA,sha256=HnvgbMBb9WjgTkKl3jSneLTneEzBi9x_LDjb2KVEEMA,1149
109
+ cape_parsers-0.1.34.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
110
+ cape_parsers-0.1.34.dist-info/RECORD,,
@@ -1,4 +1,4 @@
1
1
  Wheel-Version: 1.0
2
- Generator: poetry-core 2.0.1
2
+ Generator: poetry-core 2.1.3
3
3
  Root-Is-Purelib: true
4
4
  Tag: py3-none-any