CAPE-parsers 0.1.36__tar.gz → 0.1.37__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (111) hide show
  1. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/PKG-INFO +1 -1
  2. cape_parsers-0.1.37/cape_parsers/CAPE/core/AdaptixBeacon.py +102 -0
  3. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/pyproject.toml +1 -1
  4. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/LICENSE +0 -0
  5. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/README.md +0 -0
  6. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/__init__.py +0 -0
  7. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/AgentTesla.py +0 -0
  8. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Arkei.py +0 -0
  9. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/AsyncRAT.py +0 -0
  10. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/AuroraStealer.py +0 -0
  11. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/BackOffLoader.py +0 -0
  12. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/BackOffPOS.py +0 -0
  13. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/BlackNix.py +0 -0
  14. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Carbanak.py +0 -0
  15. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py +0 -0
  16. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/CobaltStrikeStager.py +0 -0
  17. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/DCRat.py +0 -0
  18. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Fareit.py +0 -0
  19. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Greame.py +0 -0
  20. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/KoiLoader.py +0 -0
  21. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/LokiBot.py +0 -0
  22. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Lumma.py +0 -0
  23. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/NanoCore.py +0 -0
  24. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Nighthawk.py +0 -0
  25. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Njrat.py +0 -0
  26. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Pandora.py +0 -0
  27. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/PhemedroneStealer.py +0 -0
  28. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/PoisonIvy.py +0 -0
  29. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Punisher.py +0 -0
  30. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/QuasarRAT.py +0 -0
  31. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/README.md +0 -0
  32. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/REvil.py +0 -0
  33. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Retefe.py +0 -0
  34. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Rozena.py +0 -0
  35. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/SmallNet.py +0 -0
  36. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Snake.py +0 -0
  37. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/SparkRAT.py +0 -0
  38. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/Stealc.py +0 -0
  39. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/TSCookie.py +0 -0
  40. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/TrickBot.py +0 -0
  41. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/VenomRAT.py +0 -0
  42. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/XWorm.py +0 -0
  43. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/XenoRAT.py +0 -0
  44. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/community/__init__.py +0 -0
  45. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Azorult.py +0 -0
  46. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/BitPaymer.py +0 -0
  47. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/BlackDropper.py +0 -0
  48. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Blister.py +0 -0
  49. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/BruteRatel.py +0 -0
  50. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/BuerLoader.py +0 -0
  51. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/BumbleBee.py +0 -0
  52. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/ChChes.py +0 -0
  53. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/DarkGate.py +0 -0
  54. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/DoppelPaymer.py +0 -0
  55. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/DridexLoader.py +0 -0
  56. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Emotet.py +0 -0
  57. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Enfal.py +0 -0
  58. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/EvilGrab.py +0 -0
  59. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Formbook.py +0 -0
  60. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/GuLoader.py +0 -0
  61. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/HttpBrowser.py +0 -0
  62. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/IcedID.py +0 -0
  63. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/IcedIDLoader.py +0 -0
  64. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Latrodectus.py +0 -0
  65. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Oyster.py +0 -0
  66. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/PikaBot.py +0 -0
  67. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/PlugX.py +0 -0
  68. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/QakBot.py +0 -0
  69. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Quickbind.py +0 -0
  70. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/RCSession.py +0 -0
  71. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/README.md +0 -0
  72. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/RedLeaf.py +0 -0
  73. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/RedLine.py +0 -0
  74. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Remcos.py +0 -0
  75. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Rhadamanthys.py +0 -0
  76. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/SmokeLoader.py +0 -0
  77. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Socks5Systemz.py +0 -0
  78. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/SquirrelWaffle.py +0 -0
  79. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Strrat.py +0 -0
  80. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/UrsnifV3.py +0 -0
  81. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/WarzoneRAT.py +0 -0
  82. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/Zloader.py +0 -0
  83. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/__init__.py +0 -0
  84. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/CAPE/core/test_cape.py +0 -0
  85. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/RATDecoders/README.md +0 -0
  86. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/RATDecoders/__init__.py +0 -0
  87. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/RATDecoders/test_rats.py +0 -0
  88. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/__init__.py +0 -0
  89. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/Hancitor.py +0 -0
  90. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/JavaDropper.py +0 -0
  91. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/Nymaim.py +0 -0
  92. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/PredatorPain.py +0 -0
  93. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/_ShadowTech.py +0 -0
  94. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/_VirusRat.py +0 -0
  95. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/_jRat.py +0 -0
  96. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/unrecom.py +0 -0
  97. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/deprecated/xRAT.py +0 -0
  98. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/malduck/LICENSE +0 -0
  99. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/malduck/README.md +0 -0
  100. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/malduck/__init__.py +0 -0
  101. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/malduck/test_malduck.py +0 -0
  102. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/mwcp/README.md +0 -0
  103. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/mwcp/__init__.py +0 -0
  104. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/mwcp/test_mwcp.py +0 -0
  105. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/__init__.py +0 -0
  106. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/aplib.py +0 -0
  107. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/blzpack.py +0 -0
  108. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/blzpack_lib.so +0 -0
  109. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/dotnet_utils.py +0 -0
  110. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/lznt1.py +0 -0
  111. {cape_parsers-0.1.36 → cape_parsers-0.1.37}/cape_parsers/utils/strings.py +0 -0
{cape_parsers-0.1.36 → cape_parsers-0.1.37}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.3
2
2
  Name: CAPE-parsers
3
- Version: 0.1.36
3
+ Version: 0.1.37
4
4
  Summary: CAPE: Malware Configuration Extraction
5
5
  License: MIT
6
6
  Keywords: cape,parsers,malware,configuration
cape_parsers-0.1.37/cape_parsers/CAPE/core/AdaptixBeacon.py ADDED
@@ -0,0 +1,102 @@
1
+ import logging
2
+ import struct
3
+ from contextlib import suppress
4
+
5
+ import pefile
6
+ from Cryptodome.Cipher import ARC4
7
+
8
+ log = logging.getLogger(__name__)
9
+
10
+ DESCRIPTION = "Adaptix beacon configuration parser."
11
+ AUTHOR = "enzok"
12
+
13
+
14
+ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
15
+ config = {}
16
+ offset = 0
17
+ servers = []
18
+ ports = []
19
+
20
+ def read(fmt: str):
21
+ nonlocal offset
22
+ size = struct.calcsize(fmt)
23
+ value = struct.unpack_from(fmt, data, offset)
24
+ offset += size
25
+ return value if len(value) > 1 else value[0]
26
+
27
+ def read_str(length: int):
28
+ nonlocal offset
29
+ value = data[offset:offset + length].decode("utf-8", errors="replace")
30
+ offset += length
31
+ return value
32
+
33
+ config["config_rc4_key"] = rc4_key.hex()
34
+ config["agent_type"] = f"{read('<I'):8X}"
35
+ config["use_ssl"] = read("<B")
36
+ host_count = read("<I")
37
+ for host in range(host_count):
38
+ host_length = read("<I")
39
+ servers.append(read_str(host_length).strip("\x00"))
40
+ ports.append(read("<I"))
41
+
42
+ config["servers"] = servers
43
+ config["ports"] = ports
44
+ method_length = read("<I")
45
+ config["http_method"] = read_str(method_length).strip("\x00")
46
+ uri_length = read("<I")
47
+ config["uri"] = read_str(uri_length).strip("\x00")
48
+ parameter_length = read("<I")
49
+ config["parameter"] = read_str(parameter_length).strip("\x00")
50
+ useragent_length = read("<I")
51
+ config["user_agent"] = read_str(useragent_length).strip("\x00")
52
+ headers_length = read("<I")
53
+ config["http_headers"] = read_str(headers_length).strip("\x00")
54
+ config["ans_pre_size"] = read("<I")
55
+ config["ans_size"] = read("<I")
56
+ config["kill_date"] = read("<I")
57
+ config["working_time"] = read("<I")
58
+ config["sleep_delay"] = read("<I")
59
+ config["jitter_delay"] = read("<I")
60
+
61
+ return config
62
+
63
+ def extract_config(filebuf: bytes) -> dict:
64
+ pe = pefile.PE(data=filebuf, fast_load=True)
65
+ data_sections = [s for s in pe.sections if b".rdata" in s.Name]
66
+ if not data_sections:
67
+ return
68
+
69
+ data = data_sections[0].get_data()
70
+ data_len = len(data)
71
+ pos = 0
72
+ while pos + 4 <= data_len:
73
+ start_offset = pos
74
+ key_offset = struct.unpack_from("<I", data, pos)[0]
75
+ pos += 4
76
+
77
+ if pos + key_offset + 32 > data_len:
78
+ pos = start_offset + 1
79
+ continue
80
+
81
+ encrypted_data = data[pos:pos + key_offset]
82
+ pos += key_offset
83
+ rc4_key = data[pos:pos + 16]
84
+
85
+ if key_offset == 787:
86
+ pass
87
+
88
+ with suppress(Exception):
89
+ decrypted = ARC4.new(rc4_key).decrypt(encrypted_data)
90
+ if b"User-Agent" in decrypted:
91
+ return parse_http_config(rc4_key, decrypted)
92
+
93
+ pos = start_offset + 1
94
+
95
+ return None
96
+
97
+
98
+ if __name__ == "__main__":
99
+ import sys
100
+
101
+ with open(sys.argv[1], "rb") as f:
102
+ print(extract_config(f.read()))
{cape_parsers-0.1.36 → cape_parsers-0.1.37}/pyproject.toml RENAMED
@@ -1,6 +1,6 @@
1
1
  [tool.poetry]
2
2
  name = "CAPE-parsers"
3
- version = "0.1.36"
3
+ version = "0.1.37"
4
4
  description = "CAPE: Malware Configuration Extraction"
5
5
  authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
6
6
  license = "MIT"
{cape_parsers-0.1.36 → cape_parsers-0.1.37}/LICENSE RENAMED
File without changes
{cape_parsers-0.1.36 → cape_parsers-0.1.37}/README.md RENAMED
File without changes