CAPE-parsers 0.1.41__py3-none-any.whl → 0.1.42__py3-none-any.whl

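--- a/cape_parsers/CAPE/community/Amadey.py
+++ b/cape_parsers/CAPE/community/Amadey.py
@@ -0,0 +1,43 @@
+import base64
+import re
+
+str_hash_data = 'd6052c4fe86a6346964a6bbbe2423e20'
+str_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '
+
+def is_ascii(s):
+    return all(c < 128 or c == 0 for c in s)
+
+def decrypt(str_data, str_hash_data, str_alphabet):
+    str_hash = ''
+
+    for i in range(len(str_data)):
+        str_hash += str_hash_data[i % len(str_hash_data)]
+
+    out = ''
+
+    for i in range(len(str_data)):
+        if str_data[i] not in str_alphabet:
+            out += str_data[i]
+            continue
+        alphabet_count = str_alphabet.find(str_data[i])
+        hash_count = str_alphabet.find(str_hash[i])
+        index_calc = (alphabet_count + len(str_alphabet) - hash_count) % len(str_alphabet)
+        out += str_alphabet[index_calc]
+
+    return base64.b64decode(out)
+
+file_data = open('/tmp/amadey.bin','rb').read()
+
+strings = []
+for m in re.finditer(rb'[a-zA-Z =0-9]{4,}',file_data):
+    strings.append(m.group().decode('utf-8'))
+
+for s in strings:
+    try:
+        temp = decrypt(s, str_hash_data, str_alphabet)
+        if is_ascii(temp) and len(temp) > 3:
+            print(temp.decode('utf-8'))
+    except:
+        continue
+
+decrypt('1RydQIOr3Zcp6emn RYv8IGzgUKS6r5ThSdqDVBERAP2Ir 0JQ1=', str_hash_data, str_alphabet)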
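Review bot: The whole extraction runs at import time — line 29 reads a hard-coded `/tmp/amadey.bin` without closing it and lines 35–43 decode and print — so importing this module (shipped as `cape_parsers/CAPE/community/Amadey.py` per the RECORD entry) raises FileNotFoundError on any host without that file, whereas the Stealc parser added in the same release exposes an `extract_config(data)` entry point and does no I/O on import. The bare `except:` at line 40 also catches KeyboardInterrupt and SystemExit; the failure actually expected from `base64.b64decode` is `binascii.Error`, a ValueError subclass. The trailing `decrypt(...)` call at line 43 discards its result and reads as leftover test code. Suggested shape: move the loop into `extract_config(data)` returning a dict, and keep the file read only under `if __name__ == "__main__":`.
```python
def extract_config(data):
    """Return the decoded strings found in *data* (bytes) under a single key."""
    config = {"strings": []}
    for m in re.finditer(rb'[a-zA-Z =0-9]{4,}', data):
        try:
            plain = decrypt(m.group().decode('utf-8'), str_hash_data, str_alphabet)
        except (ValueError, UnicodeDecodeError):
            continue
        if is_ascii(plain) and len(plain) > 3:
            config["strings"].append(plain.decode('utf-8'))
    return config


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], 'rb') as fh:
        print(extract_config(fh.read()))
```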
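--- a/cape_parsers/CAPE/community/Lumma.py
+++ b/cape_parsers/CAPE/community/Lumma.py
@@ -43,13 +43,15 @@ RULE_SOURCE_LUMMA_NEW_KEYS = """rule LummaConfigNewKeys
 author = "YungBinary"
 strings:
 $key_nonce = {
-B8 ?? ?? ?? ??
-BF ?? ?? ?? ??
+B8 [4]
+(BF ?? ?? ?? ??
+B9 08 00 00 00|
 B9 08 00 00 00
+BF ?? ?? ?? ??)
 96
 F3 A5
 96
-B8 ?? ?? ?? ??
+B8
 }
 condition:
 uint16(0) == 0x5A4D and $key_nonce
@@ -63,7 +65,7 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
 $encrypted_array = {
 C1 E? 07
 8D 8? [4]
-8D 74 24 10
+8D 74 24 ??
 FF [1-3]
 56
 5?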
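Review bot: The new alternation in `$key_nonce` places the `BF imm32` (mov edi) at two different offsets from the match start — offset 5 in the first branch, offset 10 in the second — so any code that reads the key and nonce immediates at a fixed offset from this match must now detect which branch matched; that extraction code is outside the hunk, so please confirm it handles both orders. The pattern is also looser than before: the final `B8` lost its four wildcard bytes and `8D 74 24 10` became `8D 74 24 ??` in the second hunk, which widens what the rule accepts and deserves a regression check against the earlier samples. A short YARA comment inside the rule string would record the intent, e.g. `// alternation: some builds load ecx (B9) before edi (BF); immediates are at offset 5/10 depending on branch`. Both rule strings start before their hunks.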
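--- a/cape_parsers/CAPE/core/Stealc.py
+++ b/cape_parsers/CAPE/core/Stealc.py
@@ -0,0 +1,21 @@
+import socket
+from contextlib import suppress
+
+
+def _is_ip(ip):
+    try:
+        socket.inet_aton(ip)
+        return True
+    except Exception:
+        return False
+
+
+def extract_config(data):
+    config_dict = {"C2s": []}
+    with suppress(Exception):
+        if data[:2] == b"MZ":
+            return
+        for line in data.decode().split("\n"):
+            if _is_ip(line) and line not in config_dict["C2s"]:
+                config_dict["C2s"].append(line)
+    return config_dict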
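Review bot: `_is_ip` accepts anything `socket.inet_aton` parses, which includes shorthand forms such as `1` or `127.1`, so short numeric tokens in the decoded text are recorded as C2s; replacing the check with `import ipaddress`, `ipaddress.IPv4Address(ip.strip())` and `except ValueError:` rejects those and also tolerates the `\r` that `split("\n")` leaves on CRLF input. The `with suppress(Exception)` around the whole body of `extract_config` turns a `UnicodeDecodeError` from `data.decode()` into an empty `C2s` list that callers cannot distinguish from "no C2s found"; `data.decode(errors="replace")` or a narrower `suppress` would make that visible. The indentation of the final `return config_dict` cannot be recovered from the rendered page: if it sits inside the `with`, any suppressed exception makes the function return None instead of the partial dict, so that line's placement is worth confirming.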
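--- a/cape_parsers-0.1.41.dist-info/METADATA
+++ b/cape_parsers-0.1.42.dist-info/METADATA
@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.41
+Version: 0.1.42
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration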
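--- a/cape_parsers-0.1.41.dist-info/RECORD
+++ b/cape_parsers-0.1.42.dist-info/RECORD
@@ -1,5 +1,6 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/CAPE/community/AgentTesla.py,sha256=T1gUd28eoCGA5by3ylAAK1naenF0fE3jgYx7UBkCRDk,3559
+cape_parsers/CAPE/community/Amadey.py,sha256=LuYt72sYa_c_srekD-H5hzZZQUlcGaeY1iT2HXO2YwE,1258
 cape_parsers/CAPE/community/Arkei.py,sha256=kXn949PC2CksavsL1BgvKgiAUDcq2NQUirosCTQcDF0,3790
 cape_parsers/CAPE/community/AsyncRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=UUoxgJtDan3fE1r8aDEKweC_URkV97QHBp1Hq_n7ShI,2419
@@ -14,7 +15,7 @@ cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4
 cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
 cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
 cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSOcnY5IajXc,5660
-cape_parsers/CAPE/community/Lumma.py,sha256=GgoiPIXufe2-hTSMjNSkTCOj8sSmISEiMwieOR2_45k,11991
+cape_parsers/CAPE/community/Lumma.py,sha256=Q0n7Tl4WLUvW3Btg2jgPLQ2pmWejIMNJzWrhWO-fFAc,12028
 cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
 cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
 cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
@@ -72,6 +73,7 @@ cape_parsers/CAPE/core/Rhadamanthys.py,sha256=TuhWqOssRiTOEuCk_UXBd3SPz-V71pOCYL
 cape_parsers/CAPE/core/SmokeLoader.py,sha256=y3PGuAhGkvRSlbi1-PViv66LW4N8AA2Rc5UzxV_nRvw,3889
 cape_parsers/CAPE/core/Socks5Systemz.py,sha256=k5AdoNKl32m6g1MlOWw4EXvfqMJOFuyw5I0VkQicjRs,759
 cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=ErCT5eeo5xiQTBzhpaS22PQ8pp-u-G4cjJ4bapjKT2U,3283
+cape_parsers/CAPE/core/Stealc.py,sha256=LJivSCnho9KrSp5Lbw5oRa8vdKm3y7cNxXaev4tdl-8,488
 cape_parsers/CAPE/core/Strrat.py,sha256=StKPm9Qx8iIIjWb-2P7Naow6sMSJ9tclXJcUQ8JUcWc,2243
 cape_parsers/CAPE/core/UrsnifV3.py,sha256=Nu4X2l_zwlVMjvEa5gQRaR9SgYKL-C-C9onSmd2DtuU,5510
 cape_parsers/CAPE/core/WarzoneRAT.py,sha256=Gk0eZVCNGgscNlpsbB123v4P5rvCeyf8avcTHRAd4aA,3725
@@ -105,7 +107,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.41.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.41.dist-info/METADATA,sha256=h1u3DgL4J0c8rRPHjVRQo3Cw4Jmgs3XPOJUgdx-t5i4,1149
-cape_parsers-0.1.41.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.41.dist-info/RECORD,,
+cape_parsers-0.1.42.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.42.dist-info/METADATA,sha256=Oh2BVCGc0yb_4cW3oR2f11JlCKhkXaZoY25ZbSVIZEw,1149
+cape_parsers-0.1.42.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.42.dist-info/RECORD,,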