CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.45__py3-none-any.whl

cape_parsers/CAPE/community/Lumma.py

@@ -75,7 +75,6 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
 }"""
 
 
-
 def yara_scan_generator(raw_data, rule_source):
     yara_rules = yara.compile(source=rule_source)
     matches = yara_rules.match(data=raw_data)
@@ -198,10 +197,22 @@ def chacha20_block(key, nonce, blocknum):
     nonce_words = words_from_bytes(nonce)
 
     original_block = [
-        constant_words[0],  constant_words[1],  constant_words[2],  constant_words[3],
-        key_words[0],       key_words[1],       key_words[2],       key_words[3],
-        key_words[4],       key_words[5],       key_words[6],       key_words[7],
-        mask32(blocknum),   nonce_words[0],     nonce_words[1],     nonce_words[2],
+        constant_words[0],
+        constant_words[1],
+        constant_words[2],
+        constant_words[3],
+        key_words[0],
+        key_words[1],
+        key_words[2],
+        key_words[3],
+        key_words[4],
+        key_words[5],
+        key_words[6],
+        key_words[7],
+        mask32(blocknum),
+        nonce_words[0],
+        nonce_words[1],
+        nonce_words[2],
     ]
 
     permuted_block = list(original_block)
@@ -241,7 +252,7 @@ def extract_c2_domain(data):
 
 
 def find_encrypted_c2_blocks(data):
-    pattern = rb'(.{128})\x00'
+    pattern = rb"(.{128})\x00"
     for match in re.findall(pattern, data, re.DOTALL):
         yield match
 
@@ -251,9 +262,9 @@ def get_build_id(pe, data):
     image_base = pe.OPTIONAL_HEADER.ImageBase
     for offset in yara_scan_generator(data, RULE_SOURCE_BUILD_ID):
         try:
-            build_id_data_rva = struct.unpack('i', data[offset + 2 : offset + 6])[0]
+            build_id_data_rva = struct.unpack("i", data[offset + 2 : offset + 6])[0]
             build_id_dword_offset = pe.get_offset_from_rva(build_id_data_rva - image_base)
-            build_id_dword_rva = struct.unpack('i', data[build_id_dword_offset : build_id_dword_offset + 4])[0]
+            build_id_dword_rva = struct.unpack("i", data[build_id_dword_offset : build_id_dword_offset + 4])[0]
             build_id_offset = pe.get_offset_from_rva(build_id_dword_rva - image_base)
             build_id = pe.get_string_from_data(build_id_offset, data)
             if not contains_non_printable(build_id):
@@ -263,18 +274,20 @@ def get_build_id(pe, data):
             continue
     return build_id
 
+
 def get_build_id_new(data):
     build_id = ""
-    pattern = b'123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00'
+    pattern = b"123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00"
     offset = data.find(pattern)
     if offset != -1:
-        build_id = data[offset + len(pattern):].split(b'\x00', 1)[0]
+        build_id = data[offset + len(pattern) :].split(b"\x00", 1)[0]
         build_id = build_id.decode()
 
     return build_id
 
+
 def extract_config(data):
-    config_dict = {"C2": []}
+    config_dict = {}
 
     # try to load as a PE
     pe = None
@@ -287,37 +300,36 @@ def extract_config(data):
     key = None
     nonce = None
     for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_KEYS):
-        key_rva = struct.unpack('i', data[offset + 1 : offset + 5])[0]
+        key_rva = struct.unpack("i", data[offset + 1 : offset + 5])[0]
         key_offset = pe.get_offset_from_rva(key_rva - image_base)
         key = data[key_offset : key_offset + 32]
-        nonce_rva = struct.unpack('i', data[offset + 20 : offset + 24])[0]
+        nonce_rva = struct.unpack("i", data[offset + 20 : offset + 24])[0]
         nonce_offset = pe.get_offset_from_rva(nonce_rva - image_base)
-        nonce = b'\x00\x00\x00\x00' + data[nonce_offset : nonce_offset + 8]
+        nonce = b"\x00\x00\x00\x00" + data[nonce_offset : nonce_offset + 8]
 
     if key and nonce:
         for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2):
-            encrypted_strings_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
+            encrypted_strings_rva = struct.unpack("i", data[offset + 5 : offset + 9])[0]
             encrypted_strings_offset = pe.get_offset_from_rva(encrypted_strings_rva - image_base)
             step_size = 0x80
             counter = 2
             for i in range(12):
-                encrypted_string = data[encrypted_strings_offset:encrypted_strings_offset+40]
-                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b'\x00', 1)[0]
+                encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
+                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config_dict["C2"].append(decoded_c2.decode())
+                config_dict.setdefault("C2", []).append(decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
 
-        if config_dict["C2"]:
+        if config_dict.get("C2"):
             # If found C2 servers try to find build ID
             build_id = get_build_id_new(data)
             if build_id:
                 config_dict["Build ID"] = build_id
 
-
     # If no C2s try with the version after Jan 21, 2025
-    if not config_dict["C2"]:
+    if "C2" not in config_dict:
         offset = yara_scan(data, RULE_SOURCE_LUMMA)
         if offset:
             key = data[offset + 16 : offset + 48]
@@ -327,7 +339,7 @@ def extract_config(data):
                 try:
                     start_offset = offset + 56 + (i * 4)
                     end_offset = start_offset + 4
-                    c2_dword_rva = struct.unpack('i', data[start_offset : end_offset])[0]
+                    c2_dword_rva = struct.unpack("i", data[start_offset:end_offset])[0]
                     if pe:
                         c2_dword_offset = pe.get_offset_from_rva(c2_dword_rva - image_base)
                     else:
@@ -345,16 +357,14 @@ def extract_config(data):
                 except Exception:
                     continue
 
-        if config_dict["C2"] and pe is not None:
+        if "C2" in config_dict and config_dict["C2"] and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
                 config_dict["Build ID"] = build_id
 
-
     # If no C2s try with version prior to Jan 21, 2025
-    if not config_dict["C2"]:
-
+    if "C2" not in config_dict:
         try:
             if pe is not None:
                 rdata = get_rdata(pe, data)
@@ -374,20 +384,19 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
 
                     if not contains_non_printable(decoded_c2):
-                        config_dict["C2"].append(decoded_c2.decode())
+                        config_dict.setdefault("C2", []).append(decoded_c2.decode())
                 except Exception:
                     continue
 
         except Exception:
             return
 
-        if config_dict["C2"] and pe is not None:
+        if "C2" in config_dict and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
                 config_dict["Build ID"] = build_id
 
-
     return config_dict
 
 

{cape_parsers-0.1.42.dist-info → cape_parsers-0.1.45.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.42
+Version: 0.1.45
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration
@@ -23,7 +23,7 @@ Requires-Dist: pefile
 Requires-Dist: pycryptodomex (>=3.20.0)
 Requires-Dist: rat-king-parser (>=4.1.0)
 Requires-Dist: ruff (>=0.7.2)
-Requires-Dist: unicorn (==2.1.1)
+Requires-Dist: unicorn (>=2.1.1)
 Requires-Dist: yara-python (>=4.5.1)
 Description-Content-Type: text/markdown
 

{cape_parsers-0.1.42.dist-info → cape_parsers-0.1.45.dist-info}/RECORD

@@ -1,6 +1,5 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/CAPE/community/AgentTesla.py,sha256=T1gUd28eoCGA5by3ylAAK1naenF0fE3jgYx7UBkCRDk,3559
-cape_parsers/CAPE/community/Amadey.py,sha256=LuYt72sYa_c_srekD-H5hzZZQUlcGaeY1iT2HXO2YwE,1258
 cape_parsers/CAPE/community/Arkei.py,sha256=kXn949PC2CksavsL1BgvKgiAUDcq2NQUirosCTQcDF0,3790
 cape_parsers/CAPE/community/AsyncRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=UUoxgJtDan3fE1r8aDEKweC_URkV97QHBp1Hq_n7ShI,2419
@@ -15,7 +14,7 @@ cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4
 cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
 cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
 cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSOcnY5IajXc,5660
-cape_parsers/CAPE/community/Lumma.py,sha256=Q0n7Tl4WLUvW3Btg2jgPLQ2pmWejIMNJzWrhWO-fFAc,12028
+cape_parsers/CAPE/community/Lumma.py,sha256=0SxjHg61qvhXnqADEW3uS3aD_qbtPZUDKGhGsbNdQXE,12131
 cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
 cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
 cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
@@ -107,7 +106,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.42.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.42.dist-info/METADATA,sha256=Oh2BVCGc0yb_4cW3oR2f11JlCKhkXaZoY25ZbSVIZEw,1149
-cape_parsers-0.1.42.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.42.dist-info/RECORD,,
+cape_parsers-0.1.45.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.45.dist-info/METADATA,sha256=pWGudbNe69KiEDcgrBiRneTOsE-pIWMCLdqa7Umj_pw,1149
+cape_parsers-0.1.45.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.45.dist-info/RECORD,,

cape_parsers/CAPE/community/Amadey.py

@@ -1,43 +0,0 @@
-import base64
-import re
-
-str_hash_data = 'd6052c4fe86a6346964a6bbbe2423e20'
-str_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '
-
-def is_ascii(s):
-    return all(c < 128 or c == 0 for c in s)
-
-def decrypt(str_data, str_hash_data, str_alphabet):
-    str_hash = ''
-
-    for i in range(len(str_data)):
-        str_hash += str_hash_data[i % len(str_hash_data)]
-
-    out = ''
-
-    for i in range(len(str_data)):
-        if str_data[i] not in str_alphabet:
-            out += str_data[i]
-            continue
-        alphabet_count = str_alphabet.find(str_data[i])
-        hash_count = str_alphabet.find(str_hash[i])
-        index_calc = (alphabet_count + len(str_alphabet) - hash_count) % len(str_alphabet)
-        out += str_alphabet[index_calc]
-
-    return base64.b64decode(out)
-
-file_data = open('/tmp/amadey.bin','rb').read()
-
-strings = []
-for m in re.finditer(rb'[a-zA-Z =0-9]{4,}',file_data):
-    strings.append(m.group().decode('utf-8'))
-
-for s in strings:
-    try:
-        temp = decrypt(s, str_hash_data, str_alphabet)
-        if is_ascii(temp) and len(temp) > 3:
-            print(temp.decode('utf-8'))
-    except:
-        continue
-
-decrypt('1RydQIOr3Zcp6emn RYv8IGzgUKS6r5ThSdqDVBERAP2Ir 0JQ1=', str_hash_data, str_alphabet)