CAPE-parsers 0.1.35__py3-none-any.whl → 0.1.36__py3-none-any.whl

cape_parsers/CAPE/community/AsyncRAT.py

@@ -1,5 +1,29 @@
+import importlib.util
+import sys
+import os
+
 from rat_king_parser.rkp import RATConfigParser
 
+HAVE_ASYNCRAT_COMMON = False
+module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+if os.path.exists(module_file_path):
+    try:
+        module_name = os.path.basename(module_file_path).replace('.py', '')
+        spec = importlib.util.spec_from_file_location(module_name, module_file_path)
+        asyncrat_common = importlib.util.module_from_spec(spec)
+        sys.modules[module_name] = asyncrat_common
+        spec.loader.exec_module(asyncrat_common)
+        HAVE_ASYNCRAT_COMMON = True
+    except Exception as e:
+        print("Error loading asyncrat_common.py", e)
 
 def extract_config(data: bytes):
-    return RATConfigParser(data=data).report.get("config", {})
+    config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
+    if config and HAVE_ASYNCRAT_COMMON:
+        config = asyncrat_common.convert_config(config)
+
+    return config
+
+if __name__ == "__main__":
+    data = open(sys.argv[1], "rb").read()
+    print(extract_config(data))

cape_parsers/CAPE/community/DCRat.py

@@ -1,5 +1,29 @@
+import importlib.util
+import sys
+import os
+
 from rat_king_parser.rkp import RATConfigParser
 
+HAVE_ASYNCRAT_COMMON = False
+module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+if os.path.exists(module_file_path):
+    try:
+        module_name = os.path.basename(module_file_path).replace('.py', '')
+        spec = importlib.util.spec_from_file_location(module_name, module_file_path)
+        asyncrat_common = importlib.util.module_from_spec(spec)
+        sys.modules[module_name] = asyncrat_common
+        spec.loader.exec_module(asyncrat_common)
+        HAVE_ASYNCRAT_COMMON = True
+    except Exception as e:
+        print("Error loading asyncrat_common.py", e)
 
 def extract_config(data: bytes):
-    return RATConfigParser(data=data).report.get("config", {})
+    config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
+    if config and HAVE_ASYNCRAT_COMMON:
+        config = asyncrat_common.convert_config(config)
+
+    return config
+
+if __name__ == "__main__":
+    data = open(sys.argv[1], "rb").read()
+    print(extract_config(data))

cape_parsers/CAPE/community/VenomRAT.py

@@ -1,5 +1,29 @@
+import importlib.util
+import sys
+import os
+
 from rat_king_parser.rkp import RATConfigParser
 
+HAVE_ASYNCRAT_COMMON = False
+module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+if os.path.exists(module_file_path):
+    try:
+        module_name = os.path.basename(module_file_path).replace('.py', '')
+        spec = importlib.util.spec_from_file_location(module_name, module_file_path)
+        asyncrat_common = importlib.util.module_from_spec(spec)
+        sys.modules[module_name] = asyncrat_common
+        spec.loader.exec_module(asyncrat_common)
+        HAVE_ASYNCRAT_COMMON = True
+    except Exception as e:
+        print("Error loading asyncrat_common.py", e)
 
 def extract_config(data: bytes):
-    return RATConfigParser(data=data).report.get("config", {})
+    config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
+    if config and HAVE_ASYNCRAT_COMMON:
+        config = asyncrat_common.convert_config(config)
+
+    return config
+
+if __name__ == "__main__":
+    data = open(sys.argv[1], "rb").read()
+    print(extract_config(data))

cape_parsers/CAPE/community/XWorm.py

@@ -1,5 +1,29 @@
+import importlib.util
+import sys
+import os
+
 from rat_king_parser.rkp import RATConfigParser
 
+HAVE_ASYNCRAT_COMMON = False
+module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+if os.path.exists(module_file_path):
+    try:
+        module_name = os.path.basename(module_file_path).replace('.py', '')
+        spec = importlib.util.spec_from_file_location(module_name, module_file_path)
+        asyncrat_common = importlib.util.module_from_spec(spec)
+        sys.modules[module_name] = asyncrat_common
+        spec.loader.exec_module(asyncrat_common)
+        HAVE_ASYNCRAT_COMMON = True
+    except Exception as e:
+        print("Error loading asyncrat_common.py", e)
 
 def extract_config(data: bytes):
-    return RATConfigParser(data=data).report.get("config", {})
+    config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
+    if config and HAVE_ASYNCRAT_COMMON:
+        config = asyncrat_common.convert_config(config)
+
+    return config
+
+if __name__ == "__main__":
+    data = open(sys.argv[1], "rb").read()
+    print(extract_config(data))

cape_parsers/CAPE/community/XenoRAT.py

@@ -1,5 +1,29 @@
+import importlib.util
+import sys
+import os
+
 from rat_king_parser.rkp import RATConfigParser
 
+HAVE_ASYNCRAT_COMMON = False
+module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+if os.path.exists(module_file_path):
+    try:
+        module_name = os.path.basename(module_file_path).replace('.py', '')
+        spec = importlib.util.spec_from_file_location(module_name, module_file_path)
+        asyncrat_common = importlib.util.module_from_spec(spec)
+        sys.modules[module_name] = asyncrat_common
+        spec.loader.exec_module(asyncrat_common)
+        HAVE_ASYNCRAT_COMMON = True
+    except Exception as e:
+        print("Error loading asyncrat_common.py", e)
 
 def extract_config(data: bytes):
-    return RATConfigParser(data=data).report.get("config", {})
+    config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
+    if config and HAVE_ASYNCRAT_COMMON:
+        config = asyncrat_common.convert_config(config)
+
+    return config
+
+if __name__ == "__main__":
+    data = open(sys.argv[1], "rb").read()
+    print(extract_config(data))

cape_parsers/CAPE/core/Socks5Systemz.py

@@ -20,6 +20,6 @@ def extract_config(data):
                 config_dict["C2s"].append(line)
             elif line and "\\" in line:
                 config_dict.setdefault("Timestamp path", []).append(line)
-            elif "." in line:
+            elif "." in line and "=" not in line and line not in config_dict["C2s"]:
                 config_dict.setdefault("Dummy domain", []).append(line)
         return config_dict

{cape_parsers-0.1.35.dist-info → cape_parsers-0.1.36.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.35
+Version: 0.1.36
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration
@@ -21,7 +21,7 @@ Requires-Dist: maco (==1.1.8) ; extra == "maco"
 Requires-Dist: netstruct (==1.1.2)
 Requires-Dist: pefile
 Requires-Dist: pycryptodomex (>=3.20.0)
-Requires-Dist: rat-king-parser (>=4.0.0)
+Requires-Dist: rat-king-parser (>=4.1.0)
 Requires-Dist: ruff (>=0.7.2)
 Requires-Dist: unicorn (==2.1.1)
 Requires-Dist: yara-python (>=4.5.1)

{cape_parsers-0.1.35.dist-info → cape_parsers-0.1.36.dist-info}/RECORD

@@ -1,7 +1,7 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/CAPE/community/AgentTesla.py,sha256=T1gUd28eoCGA5by3ylAAK1naenF0fE3jgYx7UBkCRDk,3559
 cape_parsers/CAPE/community/Arkei.py,sha256=kXn949PC2CksavsL1BgvKgiAUDcq2NQUirosCTQcDF0,3790
-cape_parsers/CAPE/community/AsyncRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
+cape_parsers/CAPE/community/AsyncRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=UUoxgJtDan3fE1r8aDEKweC_URkV97QHBp1Hq_n7ShI,2419
 cape_parsers/CAPE/community/BackOffLoader.py,sha256=gIwNDsWm1xGR9whKEEj1eTBB1-KTLY0_yNE50xVScKo,1402
 cape_parsers/CAPE/community/BackOffPOS.py,sha256=lG7a_bXD3Exaoy-_lHpa90yiv_DesICFqClhqS_d8nk,1486
@@ -9,7 +9,7 @@ cape_parsers/CAPE/community/BlackNix.py,sha256=ToI6roQfjwJWb_a7mzwub8gqJnoUXmz-g
 cape_parsers/CAPE/community/Carbanak.py,sha256=G-v2wb1Zs5NTkFFfpnvlNaX_YZzDEAE2_sB5_blWxtM,5567
 cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=zZqvrK1TNLFsiQgTxo_0EN4sNIpM_WzyH7RGyk5oOnY,19399
 cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=fdT3gPfCtjqtohwYD5Z7bRWQgKqwbM_e4LuuaZxvl7g,7473
-cape_parsers/CAPE/community/DCRat.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
+cape_parsers/CAPE/community/DCRat.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
 cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4tNpiS9Ao,2003
 cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
 cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
@@ -33,9 +33,9 @@ cape_parsers/CAPE/community/SparkRAT.py,sha256=Fh7VPgIuTAiIzDbd-OS7WukQdgBfXIvVc
 cape_parsers/CAPE/community/Stealc.py,sha256=UyAcdt47Tgo-dSncW9J62egnqMa2vKVlFW6Zxd7hUGA,3763
 cape_parsers/CAPE/community/TSCookie.py,sha256=f4b4HCnn6v3YkMrrmonR5WMdGO0vEiNe-ENhYHqfctk,5632
 cape_parsers/CAPE/community/TrickBot.py,sha256=EdKOQtKlU0gLkWFiibpBmTIueRVYSqwYo0WCHmaRgGA,6967
-cape_parsers/CAPE/community/VenomRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
-cape_parsers/CAPE/community/XWorm.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
-cape_parsers/CAPE/community/XenoRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
+cape_parsers/CAPE/community/VenomRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
+cape_parsers/CAPE/community/XWorm.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
+cape_parsers/CAPE/community/XenoRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
 cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cape_parsers/CAPE/core/Azorult.py,sha256=7AWPeOWhji7n13qTjq-XNPA8LDKcCOOUy8nbT0TUU_I,2145
 cape_parsers/CAPE/core/BitPaymer.py,sha256=N3Ssi_zNliKn1vt2Z1UndMGZg4CIOjf75XDdpCx2ITc,2898
@@ -69,7 +69,7 @@ cape_parsers/CAPE/core/RedLine.py,sha256=4veoGo4X1pApCn9dAFmFamfDsS-BROh_PuwiWcI
 cape_parsers/CAPE/core/Remcos.py,sha256=WusmTiu5hwIeLCO75xmtrDFhIvaYefUJv79nSVhBdX4,9384
 cape_parsers/CAPE/core/Rhadamanthys.py,sha256=TuhWqOssRiTOEuCk_UXBd3SPz-V71pOCYLwpSaZXX2I,6107
 cape_parsers/CAPE/core/SmokeLoader.py,sha256=y3PGuAhGkvRSlbi1-PViv66LW4N8AA2Rc5UzxV_nRvw,3889
-cape_parsers/CAPE/core/Socks5Systemz.py,sha256=TvJMsyhlxaak-kLQ6sqm6gSqotltmTFkDRuQjYgNSTg,704
+cape_parsers/CAPE/core/Socks5Systemz.py,sha256=k5AdoNKl32m6g1MlOWw4EXvfqMJOFuyw5I0VkQicjRs,759
 cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=ErCT5eeo5xiQTBzhpaS22PQ8pp-u-G4cjJ4bapjKT2U,3283
 cape_parsers/CAPE/core/Strrat.py,sha256=StKPm9Qx8iIIjWb-2P7Naow6sMSJ9tclXJcUQ8JUcWc,2243
 cape_parsers/CAPE/core/UrsnifV3.py,sha256=Nu4X2l_zwlVMjvEa5gQRaR9SgYKL-C-C9onSmd2DtuU,5510
@@ -104,7 +104,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.35.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.35.dist-info/METADATA,sha256=7IbXTRH1P7-s8iXn9gbqE0d6BzwpP9dUdaNa6GjqylY,1149
-cape_parsers-0.1.35.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.35.dist-info/RECORD,,
+cape_parsers-0.1.36.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.36.dist-info/METADATA,sha256=toAGrERdqyq9eJJ53tbwbnZd0U3ACbxnieK1ssQgBYU,1149
+cape_parsers-0.1.36.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.36.dist-info/RECORD,,