CAPE-parsers 0.1.37__py3-none-any.whl → 0.1.38__py3-none-any.whl

cape_parsers/CAPE/community/Lumma.py

@@ -3,10 +3,10 @@ import json
 import re
 import struct
 from contextlib import suppress
-
 import pefile
 import yara
 
+
 RULE_SOURCE_BUILD_ID = """rule LummaBuildId
 {
     meta:
@@ -37,6 +37,42 @@ RULE_SOURCE_LUMMA = """rule LummaConfig
         $chunk_1
 }"""
 
+RULE_SOURCE_LUMMA_NEW_KEYS = """rule LummaConfigNewKeys
+{
+    meta:
+        author = "YungBinary"
+    strings:
+        $key_nonce = {
+            88 44 24 ??
+            B8 ?? ?? ?? ??
+            BF ?? ?? ?? ??
+            B9 08 00 00 00
+            96
+            F3 A5
+            96
+            B8 ?? ?? ?? ??
+        }
+    condition:
+        uint16(0) == 0x5A4D and $key_nonce
+}"""
+
+RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
+{
+    meta:
+        author = "YungBinary"
+    strings:
+        $encrypted_array = {
+            0F B6 C?
+            C1 E0 07
+            8D 80 ?? ?? ?? ??
+            8D 74 24 10
+            FF
+        }
+    condition:
+        uint16(0) == 0x5A4D and $encrypted_array
+}"""
+
+
 
 def yara_scan_generator(raw_data, rule_source):
     yara_rules = yara.compile(source=rule_source)
@@ -225,6 +261,15 @@ def get_build_id(pe, data):
             continue
     return build_id
 
+def get_build_id_new(data):
+    build_id = ""
+    pattern = b'123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00'
+    offset = data.find(pattern)
+    if offset != -1:
+        build_id = data[offset + len(pattern):].split(b'\x00', 1)[0]
+        build_id = build_id.decode()
+
+    return build_id
 
 def extract_config(data):
     config_dict = {"C2": []}
@@ -236,32 +281,73 @@ def extract_config(data):
         pe = pefile.PE(data=data, fast_load=True)
         image_base = pe.OPTIONAL_HEADER.ImageBase
 
-    offset = yara_scan(data, RULE_SOURCE_LUMMA)
-    if offset:
-        key = data[offset + 16 : offset + 48]
-        nonce = b"\x00\x00\x00\x00" + data[offset + 48 : offset + 56]
-
-        for i in range(9):
-            try:
-                start_offset = offset + 56 + (i * 4)
-                end_offset = start_offset + 4
-                c2_dword_rva = struct.unpack('i', data[start_offset : end_offset])[0]
-                if pe:
-                    c2_dword_offset = pe.get_offset_from_rva(c2_dword_rva - image_base)
-                else:
-                    c2_dword_offset = c2_dword_rva - image_base
+    # Parse the latest version
+    key = None
+    nonce = None
+    for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_KEYS):
+        key_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
+        key_offset = pe.get_offset_from_rva(key_rva - image_base)
+        key = data[key_offset : key_offset + 32]
+        nonce_rva = struct.unpack('i', data[offset + 24 : offset + 28])[0]
+        nonce_offset = pe.get_offset_from_rva(nonce_rva - image_base)
+        nonce = b'\x00\x00\x00\x00' + data[nonce_offset : nonce_offset + 8]
+
+    if key and nonce:
+        for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2):
+            encrypted_strings_rva = struct.unpack('i', data[offset + 8 : offset + 12])[0]
+            encrypted_strings_offset = pe.get_offset_from_rva(encrypted_strings_rva - image_base)
+            step_size = 0x80
+            counter = 2
+            for i in range(12):
+                encrypted_string = data[encrypted_strings_offset:encrypted_strings_offset+40]
+                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b'\x00', 1)[0]
+                if contains_non_printable(decoded_c2):
+                    break
+                config_dict["C2"].append(decoded_c2.decode())
+                encrypted_strings_offset = encrypted_strings_offset + step_size
+                counter += 2
+
+        if config_dict["C2"]:
+            # If found C2 servers try to find build ID
+            build_id = get_build_id_new(data)
+            if build_id:
+                config_dict["Build ID"] = build_id
+
+
+    # If no C2s try with the version after Jan 21, 2025
+    if not config_dict["C2"]:
+        offset = yara_scan(data, RULE_SOURCE_LUMMA)
+        if offset:
+            key = data[offset + 16 : offset + 48]
+            nonce = b"\x00\x00\x00\x00" + data[offset + 48 : offset + 56]
 
-                c2_encrypted = data[c2_dword_offset : c2_dword_offset + 0x80]
-                counters = [0, 2, 4, 6, 8, 10, 12, 14, 16]
-                for counter in counters:
-                    decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
-                    c2 = extract_c2_domain(decrypted)
-                    if c2 is not None and len(c2) > 10:
-                        config_dict["C2"].append(c2.decode())
-                        break
+            for i in range(9):
+                try:
+                    start_offset = offset + 56 + (i * 4)
+                    end_offset = start_offset + 4
+                    c2_dword_rva = struct.unpack('i', data[start_offset : end_offset])[0]
+                    if pe:
+                        c2_dword_offset = pe.get_offset_from_rva(c2_dword_rva - image_base)
+                    else:
+                        c2_dword_offset = c2_dword_rva - image_base
+
+                    c2_encrypted = data[c2_dword_offset : c2_dword_offset + 0x80]
+                    counters = [0, 2, 4, 6, 8, 10, 12, 14, 16]
+                    for counter in counters:
+                        decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        c2 = extract_c2_domain(decrypted)
+                        if c2 is not None and len(c2) > 10:
+                            config_dict["C2"].append(c2.decode())
+                            break
 
-            except Exception:
-                continue
+                except Exception:
+                    continue
+
+        if config_dict["C2"] and pe is not None:
+            # If found C2 servers try to find build ID
+            build_id = get_build_id(pe, data)
+            if build_id:
+                config_dict["Build ID"] = build_id
 
 
     # If no C2s try with version prior to Jan 21, 2025
@@ -293,11 +379,12 @@ def extract_config(data):
         except Exception:
             return
 
-    if config_dict["C2"] and pe is not None:
-        # If found C2 servers try to find build ID
-        build_id = get_build_id(pe, data)
-        if build_id:
-            config_dict["Build ID"] = build_id
+        if config_dict["C2"] and pe is not None:
+            # If found C2 servers try to find build ID
+            build_id = get_build_id(pe, data)
+            if build_id:
+                config_dict["Build ID"] = build_id
+
 
     return config_dict
 

{cape_parsers-0.1.37.dist-info → cape_parsers-0.1.38.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.37
+Version: 0.1.38
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration

{cape_parsers-0.1.37.dist-info → cape_parsers-0.1.38.dist-info}/RECORD

@@ -14,7 +14,7 @@ cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4
 cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
 cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
 cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSOcnY5IajXc,5660
-cape_parsers/CAPE/community/Lumma.py,sha256=o8XiT1f48e_JdkbjCUFJ04uzCUr-L57bhH_12duiFyE,8978
+cape_parsers/CAPE/community/Lumma.py,sha256=XX3mMJyRqxyqKevSDlkFOFAOLUaYqAe0qBcGFbrGPfg,12009
 cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
 cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
 cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
@@ -105,7 +105,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.37.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.37.dist-info/METADATA,sha256=P_Q2_z1zWOvRibQcJzs0DfetfEoqFCI4H9edQLnlHeM,1149
-cape_parsers-0.1.37.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.37.dist-info/RECORD,,
+cape_parsers-0.1.38.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.38.dist-info/METADATA,sha256=7KCoZihNV7M_C9WmWwwcQPZpOSGNWUnKIvD2Y1rS5kY,1149
+cape_parsers-0.1.38.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.38.dist-info/RECORD,,