CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl

cape_parsers/CAPE/community/AgentTesla.py

@@ -6,8 +6,10 @@ except ImportError as e:
     print(f"Problem to import extract_strings: {e}")
 
 
-def extract_config(data):
+def extract_config(data: bytes):
+    config = {}
     config_dict = {}
+    is_c2_found = False
     with suppress(Exception):
         if data[:2] == b"MZ":
             lines = extract_strings(data=data, on_demand=True, minchars=3)
@@ -22,20 +24,24 @@ def extract_config(data):
             # Data Exfiltration via Telegram
             if "api.telegram.org" in lines[base + x]:
                 config_dict["Protocol"] = "Telegram"
-                config_dict["C2"] = lines[base + x]
+                config["CNCs"] = lines[base + x]
                 config_dict["Password"] = lines[base + x + 1]
+                is_c2_found = True
                 break
             # Data Exfiltration via Discord
             elif "discord" in lines[base + x]:
                 config_dict["Protocol"] = "Discord"
-                config_dict["C2"] = lines[base + x]
+                config["CNCs"] = [lines[base + x]]
+                is_c2_found = True
                 break
             # Data Exfiltration via FTP
             elif "ftp:" in lines[base + x]:
                 config_dict["Protocol"] = "FTP"
-                config_dict["C2"] = lines[base + x]
-                config_dict["Username"] = lines[base + x + 1]
-                config_dict["Password"] = lines[base + x + 2]
+                hostname = lines[base + x]
+                username = lines[base + x + 1]
+                password = lines[base + x + 2]
+                config["CNCs"] = [f"ftp://{username}:{password}@{hostname}"]
+                is_c2_found = True
                 break
             # Data Exfiltration via SMTP
             elif "@" in lines[base + x]:
@@ -45,15 +51,17 @@ def extract_config(data):
                     config_dict["Port"] = lines[base + x - 2]
                 elif lines[base + x - 2] in {"true", "false"} and lines[base + x - 3].isdigit() and len(lines[base + x - 3]) <= 5:
                     config_dict["Port"] = lines[base + x - 3]
-                config_dict["C2"] = lines[base + +x - 1]
+                config_dict["CNCs"] = [lines[base + +x - 1]]
                 config_dict["Username"] = lines[base + x]
                 config_dict["Password"] = lines[base + x + 1]
                 if "@" in lines[base + x + 2]:
                     config_dict["EmailTo"] = lines[base + x + 2]
+                is_c2_found = True
                 break
         # Get Persistence Payload Filename
         for x in range(2, 22):
-            if ".exe" in lines[base + x]:
+            # Only extract Persistence Filename when a C2 is detected.
+            if ".exe" in lines[base + x] and is_c2_found:
                 config_dict["Persistence_Filename"] = lines[base + x]
                 break
         # Get External IP Check Services
@@ -72,6 +80,13 @@ def extract_config(data):
                     for x in range(1, 8):
                         if any(s in lines[base + index + x] for s in temp_match):
                             config_dict["Protocol"] = "HTTP(S)"
-                            config_dict["C2"] = lines[base + index + x]
+                            config["CNCs"] = lines[base + index + x]
                             break
-        return config_dict
+    if config or config_dict:
+        return config.setdefault("raw", config_dict)
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/community/Amadey.py

@@ -1,43 +1,213 @@
 import base64
+import yara
+import pefile
+import json
+import struct
 import re
 
-str_hash_data = 'd6052c4fe86a6346964a6bbbe2423e20'
-str_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '
 
-def is_ascii(s):
-    return all(c < 128 or c == 0 for c in s)
+RULE_SOURCE_KEY = """
+rule Amadey_Key_String
+{
+    meta:
+        author = "YungBinary"
+        description = "Find decryption key in Amadey."
+    strings:
+        $chunk_1 = {
+            6A 20
+            68 ?? ?? ?? ??
+            B9 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            68 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            59
+            C3
+        }
+    condition:
+        $chunk_1
+}
+"""
 
-def decrypt(str_data, str_hash_data, str_alphabet):
-    str_hash = ''
+RULE_SOURCE_ENCODED_STRINGS = """
+rule Amadey_Encoded_Strings
+{
+    meta:
+        author = "YungBinary"
+        description = "Find encoded strings in Amadey."
+    strings:
+        $chunk_1 = {
+            6A ??
+            68 ?? ?? ?? ??
+            B9 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            68 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            59
+            C3
+        }
+    condition:
+        $chunk_1
+}
+"""
 
-    for i in range(len(str_data)):
-        str_hash += str_hash_data[i % len(str_hash_data)]
 
-    out = ''
+def contains_non_printable(byte_array):
+    for byte in byte_array:
+        if not chr(byte).isprintable():
+            return True
+    return False
 
-    for i in range(len(str_data)):
-        if str_data[i] not in str_alphabet:
-            out += str_data[i]
+
+def yara_scan_generator(raw_data, rule_source):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                yield instance.offset, block.identifier
+
+
+def get_keys(pe, data):
+    image_base = pe.OPTIONAL_HEADER.ImageBase
+    keys = []
+    for offset, _ in yara_scan_generator(data, RULE_SOURCE_KEY):
+        try:
+            key_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+            key_string_dword_offset = pe.get_offset_from_rva(key_string_rva - image_base)
+            key_string = pe.get_string_from_data(key_string_dword_offset, data)
+
+            if b"=" not in key_string:
+                keys.append(key_string.decode())
+
+            if len(keys) == 2:
+                return keys
+
+        except Exception:
+            continue
+
+    return []
+
+
+def get_encoded_strings(pe, data):
+    encoded_strings = []
+    image_base = pe.OPTIONAL_HEADER.ImageBase
+    for offset, _ in yara_scan_generator(data, RULE_SOURCE_ENCODED_STRINGS):
+
+        try:
+            encoded_string_size = data[offset + 1]
+            encoded_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+            encoded_string_dword_offset = pe.get_offset_from_rva(encoded_string_rva - image_base)
+            encoded_string = pe.get_string_from_data(encoded_string_dword_offset, data)
+
+            # Make sure the string matches length from operand
+            if encoded_string_size != len(encoded_string):
+                continue
+
+            encoded_strings.append(encoded_string.decode())
+
+        except Exception:
+            continue
+
+    return encoded_strings
+
+
+def decode_amadey_string(key: str, encoded_str: str) -> bytes:
+    """
+    Decode Amadey encoded strings that look like base64
+    """
+    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
+
+    decoded = ""
+    for i in range(len(encoded_str)):
+        if encoded_str[i] == "=":
+            decoded += "="
             continue
-        alphabet_count = str_alphabet.find(str_data[i])
-        hash_count = str_alphabet.find(str_hash[i])
-        index_calc = (alphabet_count + len(str_alphabet) - hash_count) % len(str_alphabet)
-        out += str_alphabet[index_calc]
 
-    return base64.b64decode(out)
+        index_1 = alphabet.index(encoded_str[i % len(encoded_str)])
+        index_2 = alphabet.index(key[i % len(key)])
+
+        index_result = (index_1 + (0x3F - index_2) + 0x3F) % 0x3F
+
+        decoded += alphabet[index_result]
+
+    decoded = base64.b64decode(decoded)
+
+    return decoded
+
+
+def find_campaign_id(data):
+    pattern = br'\x00\x00\x00([0-9a-f]{6})\x00\x00'
+    matches = re.findall(pattern, data)
+    if matches:
+        return matches[0]
+
+
+def extract_config(data):
+    pe = pefile.PE(data=data, fast_load=True)
+    # image_base = pe.OPTIONAL_HEADER.ImageBase
+
+    keys = get_keys(pe, data)
+    if not keys:
+        return {}
+
+    decode_key = keys[0]
+    rc4_key = keys[1]
+    encoded_strings = get_encoded_strings(pe, data)
+
+    decoded_strings = []
+    for encoded_string in encoded_strings:
+        try:
+            decoded_string = decode_amadey_string(decode_key, encoded_string)
+            if not decoded_string or contains_non_printable(decoded_string):
+                continue
+            decoded_strings.append(decoded_string.decode())
+        except Exception:
+            continue
+
+    if not decoded_strings:
+        return {}
+
+    decoded_strings = decoded_strings[:10]
+    final_config = {}
+    version = ""
+    install_dir = ""
+    install_file = ""
+    version_pattern = r"^\d+\.\d{1,2}$"
+    install_dir_pattern = r"^[0-9a-f]{10}$"
+
+    for i in range(len(decoded_strings)):
+        s = decoded_strings[i]
+        if s.endswith(".php"):
+            c2 = decoded_strings[i-1]
+            final_config.setdefault("CNCs", []).append(f"http://{c2}{s}")
+        elif re.match(version_pattern, s):
+            version = s
+        elif re.match(install_dir_pattern, s):
+            install_dir = s
+        elif s.endswith(".exe"):
+            install_file = s
+
+    if version:
+        final_config["version"] = version
+    if install_dir:
+        final_config.setdefault("raw", {})["install_dir"] = install_dir
+    if install_file:
+        final_config.setdefault("raw", {})["install_file"] = install_file
+
+    final_config["cryptokey"] = rc4_key
+    final_config["cryptokey_type"] = "RC4"
+
+    campaign_id = find_campaign_id(data)
+    if campaign_id:
+        final_config["campaign_id"] = campaign_id.decode()
+
+    return final_config
 
-file_data = open('/tmp/amadey.bin','rb').read()
 
-strings = []
-for m in re.finditer(rb'[a-zA-Z =0-9]{4,}',file_data):
-    strings.append(m.group().decode('utf-8'))
 
-for s in strings:
-    try:
-        temp = decrypt(s, str_hash_data, str_alphabet)
-        if is_ascii(temp) and len(temp) > 3:
-            print(temp.decode('utf-8'))
-    except:
-        continue
+if __name__ == "__main__":
+    import sys
 
-decrypt('1RydQIOr3Zcp6emn RYv8IGzgUKS6r5ThSdqDVBERAP2Ir 0JQ1=', str_hash_data, str_alphabet)
+    with open(sys.argv[1], "rb") as f:
+        print(json.dumps(extract_config(f.read()), indent=4))

cape_parsers/CAPE/community/Arkei.py

@@ -1,7 +1,7 @@
 import struct
 import pefile
 import yara
-
+from contextlib import suppress
 
 # Hash = 69ba4e2995d6b11bb319d7373d150560ea295c02773fe5aa9c729bfd2c334e1e
 
@@ -46,10 +46,10 @@ def xor_data(data, key):
 
 
 def extract_config(data):
-    config_dict = {}
+    config = {}
 
     # Attempt to extract via old method
-    try:
+    with suppress(Exception):
         domain = ""
         uri = ""
         lines = data.decode().split("\n")
@@ -59,14 +59,12 @@ def extract_config(data):
             if line.startswith("/") and line[-4] == ".":
                 uri = line
         if domain and uri:
-            config_dict.setdefault("C2", []).append(f"{domain}{uri}")
-            return config_dict
-    except Exception:
-        pass
+            config.setdefault("CNCs", []).append(f"{domain}{uri}")
+            return config
 
     # Try with new method
 
-    #config_dict["Strings"] = []
+    # config_dict["Strings"] = []
     pe = pefile.PE(data=data, fast_load=True)
     image_base = pe.OPTIONAL_HEADER.ImageBase
     domain = ""
@@ -84,17 +82,17 @@ def extract_config(data):
             if rule_str_name.startswith("$decode"):
                 key_rva = data[str_decode_offset + 3 : str_decode_offset + 7]
                 encoded_str_rva = data[str_decode_offset + 8 : str_decode_offset + 12]
-                #dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
+                # dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
 
             key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
             encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
-            #dword_offset = struct.unpack("i", dword_rva)[0]
-            #dword_name = f"dword_{hex(dword_offset)[2:]}"
+            # dword_offset = struct.unpack("i", dword_rva)[0]
+            # dword_name = f"dword_{hex(dword_offset)[2:]}"
 
             key = data[key_offset : key_offset + str_size]
             encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
             decoded_str = xor_data(encoded_str, key).decode()
-            #config_dict["Strings"].append({dword_name : decoded_str})
+            # config_dict["Strings"].append({dword_name : decoded_str})
 
             if last_str in ("http://", "https://"):
                 domain += decoded_str
@@ -114,12 +112,12 @@ def extract_config(data):
             continue
 
     if domain and uri:
-        config_dict.setdefault("C2", []).append(f"{domain}{uri}")
+        config.setdefault("CNCs", []).append(f"{domain}{uri}")
 
     if botnet_id:
-        config_dict.setdefault("Botnet ID", botnet_id)
+        config.setdefault("botnet", botnet_id)
 
-    return config_dict
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/community/AsyncRAT.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/AuroraStealer.py

@@ -32,9 +32,12 @@ def extract_config(data):
             key = item.split(":")[0].strip("{").strip('"')
             value = item.split(":")[1].strip('"')
             if key == "IP":
-                key = "C2"
-            if value:
-                config_dict[key] = value
+                config_dict["CNCs"] = [f"tcp://{value}"]
+            elif key == "BuildID":
+                config_dict["build"] = value
+            else:
+                if value:
+                    config_dict.setdefault("raw", {})[key] = value
 
     grabber_found = False
 
@@ -47,13 +50,13 @@ def extract_config(data):
             data_dict = json.loads(decoded_str)
             for elem in data_dict:
                 if elem["Method"] == "DW":
-                    config_dict["Loader module"] = elem
+                    config_dict.setdefault("raw", {})["Loader module"] = elem
 
         if b"PS" in decoded_str:
             data_dict = json.loads(decoded_str)
             for elem in data_dict:
                 if elem["Method"] == "PS":
-                    config_dict["PowerShell module"] = elem
+                    config_dict.setdefault("raw", {})["PowerShell module"] = elem
 
         if b"Path" in decoded_str:
             grabber_found = True
@@ -68,6 +71,6 @@ def extract_config(data):
 
                 if not grabber_found:
                     grabber_found = True
-                    config_dict["Grabber"] = cleanup_str
+                    config_dict.setdefault("raw", {})["Grabber"] = cleanup_str
 
     return config_dict

cape_parsers/CAPE/community/Carbanak.py

@@ -158,22 +158,22 @@ def extract_config(filebuf):
                 if dec:
                     ver = re.findall(r"^(\d+\.\d+)$", dec)
                     if ver:
-                        cfg["Version"] = ver[0]
+                        cfg["version"] = ver[0]
 
     data = data_sections[0].get_data()
     items = data.split(b"\x00")
 
     with suppress(IndexError, UnicodeDecodeError, ValueError):
-        cfg["Unknown 1"] = decode_string(items[0], sbox).decode("utf8")
-        cfg["Unknown 2"] = decode_string(items[8], sbox).decode("utf8")
+        cfg.setdefault("raw", {})["Unknown 1"] = decode_string(items[0], sbox).decode("utf8")
+        cfg.setdefault("raw", {})["Unknown 2"] = decode_string(items[8], sbox).decode("utf8")
         c2_dec = decode_string(items[10], sbox).decode("utf8")
         if "|" in c2_dec:
             c2_dec = c2_dec.split("|")
-        cfg["C2"] = c2_dec
-        if float(cfg["Version"]) < 1.7:
-            cfg["Campaign Id"] = decode_string(items[276], sbox).decode("utf8")
+        cfg["CNCs"] = c2_dec
+        if float(cfg["version"]) < 1.7:
+            cfg["campaign"] = decode_string(items[276], sbox).decode("utf8")
         else:
-            cfg["Campaign Id"] = decode_string(items[25], sbox).decode("utf8")
+            cfg["campaign"] = decode_string(items[25], sbox).decode("utf8")
 
     return cfg
 

cape_parsers/CAPE/community/CobaltStrikeBeacon.py

@@ -360,11 +360,11 @@ class cobaltstrikeConfig:
             if parsed_setting == "Not Found" and quiet:
                 continue
             if not isinstance(parsed_setting, list):
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting)) # noqa: G001
             elif parsed_setting == []:
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val="Empty"))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val="Empty")) # noqa: G001
             else:
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting[0]))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting[0])) # noqa: G001
                 for val in parsed_setting[1:]:
                     log.debug(" " * COLUMN_WIDTH, end="")
                     print(val)
@@ -460,4 +460,5 @@ def extract_config(data):
     output = cobaltstrikeConfig(data).parse_config(as_json=True)
     if output is None:
         output = cobaltstrikeConfig(data).parse_encrypted_config(as_json=True)
-    return output
+    if output:
+        return {"raw": output}

cape_parsers/CAPE/community/CobaltStrikeStager.py

@@ -187,4 +187,7 @@ class StagerConfig:
 
 def extract_config(data):
     """Config extraction function for CapeV2"""
-    return StagerConfig(data).get_config()
+    config = StagerConfig(data).get_config()
+    if config:
+        return {"raw": config}
+    return {}

cape_parsers/CAPE/community/DCRat.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/Fareit.py

@@ -35,10 +35,8 @@ def extract_config(memdump_path, read=False):
     if buf and len(buf[0]) > 200:
         cData = buf[0][200:]
     """
-    artifacts_raw = {
-        "controllers": [],
-        "downloads": [],
-    }
+    config = {}
+    artifacts_raw = {}
 
     start = F.find(b"YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0")
     if start:
@@ -53,15 +51,16 @@ def extract_config(memdump_path, read=False):
                 # url = self._check_valid_url(url)
                 if url is None:
                     continue
+                url = url.lower()
                 if gate_url.match(url):
-                    artifacts_raw["controllers"].append(url.lower().decode())
+                    config.setdefault("CNCs", []).append(url.decode())
                 elif exe_url.match(url) or dll_url.match(url):
-                    artifacts_raw["downloads"].append(url.lower().decode())
+                    artifacts_raw["downloads"].append(url.decode())
         except Exception as e:
             print(e, sys.exc_info(), "PONY")
-    artifacts_raw["controllers"] = list(set(artifacts_raw["controllers"]))
-    artifacts_raw["downloads"] = list(set(artifacts_raw["downloads"]))
-    return artifacts_raw if len(artifacts_raw["controllers"]) != 0 or len(artifacts_raw["downloads"]) != 0 else False
+    config["CNCs"] = list(set(config["controllers"]))
+    config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/community/KoiLoader.py

@@ -89,7 +89,7 @@ def xor_data(data, key):
 
 
 def extract_config(data):
-    config_dict = {"C2": []}
+    config = {}
 
     xor_key = b""
     encoded_payload = b""
@@ -119,9 +119,9 @@ def extract_config(data):
         encoded_payload = remove_nulls(encoded_payload, encoded_payload_size)
         decoded_payload = xor_data(encoded_payload, xor_key)
 
-        config_dict["C2"] = find_c2(decoded_payload)
+        config["CNCs"] = find_c2(decoded_payload)
 
-    return config_dict
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/community/LokiBot.py

@@ -23,7 +23,7 @@
 import re
 import struct
 import sys
-
+from contextlib import suppress
 import pefile
 from Cryptodome.Cipher import DES3
 from Cryptodome.Util.Padding import unpad
@@ -128,7 +128,8 @@ def decoder(data):
     else:
         x = bytearray(img)
 
-    url_re = rb"https?:\/\/[a-zA-Z0-9\/\.:?\-_]+"
+    # ToDo add \.php
+    url_re = rb"https?:\/\/[a-zA-Z0-9\/\.:?\-_]+\.php"
     urls = re.findall(url_re, x)
     if not urls:
         for i in range(len(x)):
@@ -144,21 +145,23 @@ def decoder(data):
     confs = find_conf(img)
     if iv and iv not in (b"", -1) and confs != []:
         for conf in confs:
-            try:
+            with suppress(ValueError):
                 dec = DES3.new(key, DES3.MODE_CBC, iv)
                 temp = dec.decrypt(conf)
                 temp = unpad(temp, 8)
-                urls.append(b"http://" + temp)
-            except ValueError:
-                # wrong padding
-                pass
+                if not temp.endswith(b".php"):
+                    continue
+                urls.append("http://" + temp.decod())
     return urls
 
 
 def extract_config(filebuf):
 
     urls = decoder(filebuf)
-    return {"address": [url.decode() for url in urls]}
+    if urls:
+        return {"CNCs": urls}
+    else:
+        return {}
 
 
 if __name__ == "__main__":