PyPI - CAPE-parsers - Versions diffs - 0.1.38__py3-none-any.whl → 0.1.41__py3-none-any.whl - Mend

CAPE-parsers 0.1.38py3-none-any.whl → 0.1.41py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

cape_parsers/CAPE/community/Lumma.py CHANGED Viewed

@@ -43,7 +43,6 @@ RULE_SOURCE_LUMMA_NEW_KEYS = """rule LummaConfigNewKeys
         author = "YungBinary"
     strings:
         $key_nonce = {
-            88 44 24 ??
             B8 ?? ?? ?? ??
             BF ?? ?? ?? ??
             B9 08 00 00 00
@@ -62,11 +61,12 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
         author = "YungBinary"
     strings:
         $encrypted_array = {
-            0F B6 C?
-            C1 E0 07
-            8D 80 ?? ?? ?? ??
+            C1 E? 07
+            8D 8? [4]
             8D 74 24 10
-            FF
+            FF [1-3]
+            56
+            5?
         }
     condition:
         uint16(0) == 0x5A4D and $encrypted_array
@@ -285,16 +285,16 @@ def extract_config(data):
     key = None
     nonce = None
     for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_KEYS):
-        key_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
+        key_rva = struct.unpack('i', data[offset + 1 : offset + 5])[0]
         key_offset = pe.get_offset_from_rva(key_rva - image_base)
         key = data[key_offset : key_offset + 32]
-        nonce_rva = struct.unpack('i', data[offset + 24 : offset + 28])[0]
+        nonce_rva = struct.unpack('i', data[offset + 20 : offset + 24])[0]
         nonce_offset = pe.get_offset_from_rva(nonce_rva - image_base)
         nonce = b'\x00\x00\x00\x00' + data[nonce_offset : nonce_offset + 8]
     if key and nonce:
         for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2):
-            encrypted_strings_rva = struct.unpack('i', data[offset + 8 : offset + 12])[0]
+            encrypted_strings_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
             encrypted_strings_offset = pe.get_offset_from_rva(encrypted_strings_rva - image_base)
             step_size = 0x80
             counter = 2

{cape_parsers-0.1.38.dist-info → cape_parsers-0.1.41.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.38
+Version: 0.1.41
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration

{cape_parsers-0.1.38.dist-info → cape_parsers-0.1.41.dist-info}/RECORD RENAMED Viewed

@@ -14,7 +14,7 @@ cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4
 cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
 cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
 cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSOcnY5IajXc,5660
-cape_parsers/CAPE/community/Lumma.py,sha256=XX3mMJyRqxyqKevSDlkFOFAOLUaYqAe0qBcGFbrGPfg,12009
+cape_parsers/CAPE/community/Lumma.py,sha256=GgoiPIXufe2-hTSMjNSkTCOj8sSmISEiMwieOR2_45k,11991
 cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
 cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
 cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
@@ -105,7 +105,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.38.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.38.dist-info/METADATA,sha256=7KCoZihNV7M_C9WmWwwcQPZpOSGNWUnKIvD2Y1rS5kY,1149
-cape_parsers-0.1.38.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.38.dist-info/RECORD,,
+cape_parsers-0.1.41.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.41.dist-info/METADATA,sha256=h1u3DgL4J0c8rRPHjVRQo3Cw4Jmgs3XPOJUgdx-t5i4,1149
+cape_parsers-0.1.41.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.41.dist-info/RECORD,,

{cape_parsers-0.1.38.dist-info → cape_parsers-0.1.41.dist-info}/LICENSE RENAMED Viewed

File without changes

{cape_parsers-0.1.38.dist-info → cape_parsers-0.1.41.dist-info}/WHEEL RENAMED Viewed

File without changes

CAPE-parsers 0.1.38__py3-none-any.whl → 0.1.41__py3-none-any.whl

CAPE-parsers 0.1.38py3-none-any.whl → 0.1.41py3-none-any.whl