PyPI - CAPE-parsers - Versions diffs - 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl - Mend

CAPE-parsers 0.1.42py3-none-any.whl → 0.1.54py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

cape_parsers/CAPE/community/AgentTesla.py +25 -10
cape_parsers/CAPE/community/Amadey.py +199 -29
cape_parsers/CAPE/community/Arkei.py +13 -15
cape_parsers/CAPE/community/AsyncRAT.py +4 -2
cape_parsers/CAPE/community/AuroraStealer.py +9 -6
cape_parsers/CAPE/community/Carbanak.py +7 -7
cape_parsers/CAPE/community/CobaltStrikeBeacon.py +5 -4
cape_parsers/CAPE/community/CobaltStrikeStager.py +4 -1
cape_parsers/CAPE/community/DCRat.py +4 -2
cape_parsers/CAPE/community/Fareit.py +8 -9
cape_parsers/CAPE/community/KoiLoader.py +3 -3
cape_parsers/CAPE/community/LokiBot.py +11 -8
cape_parsers/CAPE/community/Lumma.py +58 -40
cape_parsers/CAPE/community/MonsterV2.py +93 -0
cape_parsers/CAPE/community/MyKings.py +52 -0
cape_parsers/CAPE/community/NanoCore.py +9 -9
cape_parsers/CAPE/community/Nighthawk.py +1 -0
cape_parsers/CAPE/community/Njrat.py +4 -4
cape_parsers/CAPE/community/PhemedroneStealer.py +2 -0
cape_parsers/CAPE/community/Snake.py +31 -18
cape_parsers/CAPE/community/SparkRAT.py +3 -1
cape_parsers/CAPE/community/Stealc.py +95 -63
cape_parsers/CAPE/community/VenomRAT.py +4 -2
cape_parsers/CAPE/community/WinosStager.py +75 -0
cape_parsers/CAPE/community/XWorm.py +4 -2
cape_parsers/CAPE/community/XenoRAT.py +4 -2
cape_parsers/CAPE/core/AdaptixBeacon.py +7 -5
cape_parsers/CAPE/core/AuraStealer.py +100 -0
cape_parsers/CAPE/core/Azorult.py +5 -3
cape_parsers/CAPE/core/BitPaymer.py +5 -2
cape_parsers/CAPE/core/BlackDropper.py +10 -5
cape_parsers/CAPE/core/Blister.py +12 -10
cape_parsers/CAPE/core/BruteRatel.py +20 -7
cape_parsers/CAPE/core/BumbleBee.py +34 -22
cape_parsers/CAPE/core/DarkGate.py +3 -3
cape_parsers/CAPE/core/DoppelPaymer.py +4 -2
cape_parsers/CAPE/core/DridexLoader.py +4 -3
cape_parsers/CAPE/core/Formbook.py +2 -2
cape_parsers/CAPE/core/GuLoader.py +2 -5
cape_parsers/CAPE/core/IcedID.py +5 -5
cape_parsers/CAPE/core/IcedIDLoader.py +4 -4
cape_parsers/CAPE/core/Latrodectus.py +14 -10
cape_parsers/CAPE/core/NitroBunnyDownloader.py +151 -0
cape_parsers/CAPE/core/Oyster.py +8 -6
cape_parsers/CAPE/core/PikaBot.py +6 -6
cape_parsers/CAPE/core/PlugX.py +3 -1
cape_parsers/CAPE/core/QakBot.py +2 -1
cape_parsers/CAPE/core/Quickbind.py +7 -11
cape_parsers/CAPE/core/RedLine.py +2 -2
cape_parsers/CAPE/core/Remcos.py +59 -51
cape_parsers/CAPE/core/Rhadamanthys.py +175 -36
cape_parsers/CAPE/core/SmokeLoader.py +2 -2
cape_parsers/CAPE/core/Socks5Systemz.py +5 -5
cape_parsers/CAPE/core/SquirrelWaffle.py +3 -3
cape_parsers/CAPE/core/Strrat.py +1 -1
cape_parsers/CAPE/core/WarzoneRAT.py +3 -2
cape_parsers/CAPE/core/Zloader.py +21 -15
cape_parsers/RATDecoders/test_rats.py +1 -0
cape_parsers/__init__.py +14 -5
cape_parsers/deprecated/BlackNix.py +59 -0
cape_parsers/{CAPE/core → deprecated}/BuerLoader.py +1 -1
cape_parsers/{CAPE/core → deprecated}/ChChes.py +3 -3
cape_parsers/{CAPE/core → deprecated}/Enfal.py +1 -1
cape_parsers/{CAPE/core → deprecated}/EvilGrab.py +5 -6
cape_parsers/{CAPE/community → deprecated}/Greame.py +3 -1
cape_parsers/{CAPE/core → deprecated}/HttpBrowser.py +7 -8
cape_parsers/{CAPE/community → deprecated}/Pandora.py +2 -0
cape_parsers/{CAPE/community → deprecated}/Punisher.py +2 -1
cape_parsers/{CAPE/core → deprecated}/RCSession.py +7 -9
cape_parsers/{CAPE/community → deprecated}/REvil.py +10 -5
cape_parsers/{CAPE/core → deprecated}/RedLeaf.py +5 -7
cape_parsers/{CAPE/community → deprecated}/Retefe.py +0 -2
cape_parsers/{CAPE/community → deprecated}/Rozena.py +2 -5
cape_parsers/{CAPE/community → deprecated}/SmallNet.py +6 -2
{cape_parsers-0.1.42.dist-info → cape_parsers-0.1.54.dist-info}/METADATA +24 -3
cape_parsers-0.1.54.dist-info/RECORD +117 -0
{cape_parsers-0.1.42.dist-info → cape_parsers-0.1.54.dist-info}/WHEEL +1 -1
cape_parsers/CAPE/community/BlackNix.py +0 -57
cape_parsers/CAPE/core/Stealc.py +0 -21
cape_parsers-0.1.42.dist-info/RECORD +0 -113
/cape_parsers/{CAPE/community → deprecated}/BackOffLoader.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/BackOffPOS.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/Emotet.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/PoisonIvy.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TSCookie.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TrickBot.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/UrsnifV3.py +0 -0
{cape_parsers-0.1.42.dist-info → cape_parsers-0.1.54.dist-info/licenses}/LICENSE +0 -0

cape_parsers/CAPE/community/Lumma.py CHANGED Viewed

@@ -5,7 +5,7 @@ import struct
 from contextlib import suppress
 import pefile
 import yara
+from Cryptodome.Cipher import ChaCha20
 RULE_SOURCE_BUILD_ID = """rule LummaBuildId
 {
@@ -75,7 +75,6 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
 }"""
 def yara_scan_generator(raw_data, rule_source):
     yara_rules = yara.compile(source=rule_source)
     matches = yara_rules.match(data=raw_data)
@@ -143,7 +142,7 @@ def contains_non_printable(byte_array):
             return True
     return False
+"""
 def mask32(x):
     return x & 0xFFFFFFFF
@@ -198,10 +197,22 @@ def chacha20_block(key, nonce, blocknum):
     nonce_words = words_from_bytes(nonce)
     original_block = [
-        constant_words[0],  constant_words[1],  constant_words[2],  constant_words[3],
-        key_words[0],       key_words[1],       key_words[2],       key_words[3],
-        key_words[4],       key_words[5],       key_words[6],       key_words[7],
-        mask32(blocknum),   nonce_words[0],     nonce_words[1],     nonce_words[2],
+        constant_words[0],
+        constant_words[1],
+        constant_words[2],
+        constant_words[3],
+        key_words[0],
+        key_words[1],
+        key_words[2],
+        key_words[3],
+        key_words[4],
+        key_words[5],
+        key_words[6],
+        key_words[7],
+        mask32(blocknum),
+        nonce_words[0],
+        nonce_words[1],
+        nonce_words[2],
     ]
     permuted_block = list(original_block)
@@ -231,7 +242,7 @@ def chacha20_xor(message, key, nonce, counter):
         xor_key.append(message[i] ^ key_stream[i])
     return xor_key
+"""
 def extract_c2_domain(data):
     pattern = rb"([\w-]+\.[\w]+)\x00"
@@ -241,7 +252,7 @@ def extract_c2_domain(data):
 def find_encrypted_c2_blocks(data):
-    pattern = rb'(.{128})\x00'
+    pattern = rb"(.{128})\x00"
     for match in re.findall(pattern, data, re.DOTALL):
         yield match
@@ -251,9 +262,9 @@ def get_build_id(pe, data):
     image_base = pe.OPTIONAL_HEADER.ImageBase
     for offset in yara_scan_generator(data, RULE_SOURCE_BUILD_ID):
         try:
-            build_id_data_rva = struct.unpack('i', data[offset + 2 : offset + 6])[0]
+            build_id_data_rva = struct.unpack("i", data[offset + 2 : offset + 6])[0]
             build_id_dword_offset = pe.get_offset_from_rva(build_id_data_rva - image_base)
-            build_id_dword_rva = struct.unpack('i', data[build_id_dword_offset : build_id_dword_offset + 4])[0]
+            build_id_dword_rva = struct.unpack("i", data[build_id_dword_offset : build_id_dword_offset + 4])[0]
             build_id_offset = pe.get_offset_from_rva(build_id_dword_rva - image_base)
             build_id = pe.get_string_from_data(build_id_offset, data)
             if not contains_non_printable(build_id):
@@ -263,18 +274,20 @@ def get_build_id(pe, data):
             continue
     return build_id
 def get_build_id_new(data):
     build_id = ""
-    pattern = b'123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00'
+    pattern = b"123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00"
     offset = data.find(pattern)
     if offset != -1:
-        build_id = data[offset + len(pattern):].split(b'\x00', 1)[0]
+        build_id = data[offset + len(pattern) :].split(b"\x00", 1)[0]
         build_id = build_id.decode()
     return build_id
 def extract_config(data):
-    config_dict = {"C2": []}
+    config = {}
     # try to load as a PE
     pe = None
@@ -287,37 +300,38 @@ def extract_config(data):
     key = None
     nonce = None
     for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_KEYS):
-        key_rva = struct.unpack('i', data[offset + 1 : offset + 5])[0]
+        key_rva = struct.unpack("i", data[offset + 1 : offset + 5])[0]
         key_offset = pe.get_offset_from_rva(key_rva - image_base)
         key = data[key_offset : key_offset + 32]
-        nonce_rva = struct.unpack('i', data[offset + 20 : offset + 24])[0]
+        nonce_rva = struct.unpack("i", data[offset + 20 : offset + 24])[0]
         nonce_offset = pe.get_offset_from_rva(nonce_rva - image_base)
-        nonce = b'\x00\x00\x00\x00' + data[nonce_offset : nonce_offset + 8]
+        nonce = b"\x00\x00\x00\x00" + data[nonce_offset : nonce_offset + 8]
     if key and nonce:
         for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2):
-            encrypted_strings_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
+            encrypted_strings_rva = struct.unpack("i", data[offset + 5 : offset + 9])[0]
             encrypted_strings_offset = pe.get_offset_from_rva(encrypted_strings_rva - image_base)
             step_size = 0x80
             counter = 2
             for i in range(12):
-                encrypted_string = data[encrypted_strings_offset:encrypted_strings_offset+40]
-                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b'\x00', 1)[0]
+                encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
+                chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
+                chacha20_cipher.seek(counter)
+                decoded_c2 = chacha20_cipher.decrypt(encrypted_string).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config_dict["C2"].append(decoded_c2.decode())
+                config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
-        if config_dict["C2"]:
+        if config.get("CNCs"):
             # If found C2 servers try to find build ID
             build_id = get_build_id_new(data)
             if build_id:
-                config_dict["Build ID"] = build_id
+                config["build"] = build_id
     # If no C2s try with the version after Jan 21, 2025
-    if not config_dict["C2"]:
+    if "CNCs" not in config:
         offset = yara_scan(data, RULE_SOURCE_LUMMA)
         if offset:
             key = data[offset + 16 : offset + 48]
@@ -327,7 +341,7 @@ def extract_config(data):
                 try:
                     start_offset = offset + 56 + (i * 4)
                     end_offset = start_offset + 4
-                    c2_dword_rva = struct.unpack('i', data[start_offset : end_offset])[0]
+                    c2_dword_rva = struct.unpack("i", data[start_offset:end_offset])[0]
                     if pe:
                         c2_dword_offset = pe.get_offset_from_rva(c2_dword_rva - image_base)
                     else:
@@ -336,25 +350,26 @@ def extract_config(data):
                     c2_encrypted = data[c2_dword_offset : c2_dword_offset + 0x80]
                     counters = [0, 2, 4, 6, 8, 10, 12, 14, 16]
                     for counter in counters:
-                        decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        # decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
+                        chacha20_cipher.seek(counter)
+                        decrypted = chacha20_cipher.decrypt(c2_encrypted).split(b"\x00", 1)[0]
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
-                            config_dict["C2"].append(c2.decode())
+                            config["CNCs"].append("https://" + c2.decode())
                             break
                 except Exception:
                     continue
-        if config_dict["C2"] and pe is not None:
+        if "CNCs" in config and config["CNCs"] and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
-                config_dict["Build ID"] = build_id
+                config["build"] = build_id
     # If no C2s try with version prior to Jan 21, 2025
-    if not config_dict["C2"]:
+    if "CNCs" not in config:
         try:
             if pe is not None:
                 rdata = get_rdata(pe, data)
@@ -374,21 +389,24 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
                     if not contains_non_printable(decoded_c2):
-                        config_dict["C2"].append(decoded_c2.decode())
-                except Exception:
+                        config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
+                except Exception as e:
+                    print(e)
                     continue
-        except Exception:
+        except Exception as e:
+            print(e)
             return
-        if config_dict["C2"] and pe is not None:
+        if "CNCs" in config and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
-                config_dict["Build ID"] = build_id
+                config["build"] = build_id
-    return config_dict
+    print(config)
+    if config:
+        return config
 if __name__ == "__main__":

cape_parsers/CAPE/community/MonsterV2.py ADDED Viewed

@@ -0,0 +1,93 @@
+import hashlib
+from Crypto.Cipher import ChaCha20_Poly1305
+from contextlib import suppress
+import zlib
+import struct
+import json
+import yara
+import pefile
+RULE_SOURCE = """rule MonsterV2Config
+{
+    meta:
+        author = "doomedraven,YungBinary"
+    strings:
+        $chunk_1 = {
+            41 B8 0E 04 00 00
+            48 8D 15 ?? ?? ?? 00
+            48 8B C?
+            E8 ?? ?? ?? ?? [3-17]
+            4C 8B C?
+            48 8D 54 24 28
+            48 8B CE
+            E8 ?? ?? ?? ??
+        }
+    condition:
+        $chunk_1
+}"""
+def derive_chacha_key_nonce_blake2b(seed: bytes):  # -> tuple[bytes, bytes]:
+    """
+    Derives a 32-byte ChaCha20 key and a 24-byte ChaCha20 nonce
+    using BLAKE2b from a given seed.
+    """
+    output_length = 56  # 32 bytes for key + 24 bytes for nonce
+    h = hashlib.blake2b(digest_size=output_length)
+    h.update(seed)
+    derived_material = h.digest()
+    chacha20_key = derived_material[0:32]
+    chacha20_nonce = derived_material[32:56]
+    return chacha20_key, chacha20_nonce
+def yara_scan(raw_data, rule_source):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                return instance.offset
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    with suppress(Exception):
+        pe = pefile.PE(data=data)
+        offset = yara_scan(data, RULE_SOURCE)
+        # image_base = pe.OPTIONAL_HEADER.ImageBase
+        disp_offset = data[offset + 9 : offset + 13]
+        disp_offset = struct.unpack('i', disp_offset)[0]
+        instruction_pointer_va = pe.get_rva_from_offset(offset + 13)
+        config_offset_va = instruction_pointer_va + disp_offset
+        config_offset = pe.get_offset_from_rva(config_offset_va)
+        blake_seed = data[config_offset : config_offset + 32]
+        chacha20_key, chacha20_nonce = derive_chacha_key_nonce_blake2b(blake_seed)
+        cipher_len = int.from_bytes(data[config_offset + 32 : config_offset + 40], byteorder="big")
+        cipher_text = data[config_offset + 40 : config_offset + 40 + cipher_len]
+        cipher = ChaCha20_Poly1305.new(key=chacha20_key, nonce=chacha20_nonce)
+        decrypted_zlib_data = cipher.decrypt(cipher_text)
+        decompressed_data = zlib.decompress(decrypted_zlib_data)
+        config_dict = json.loads(decompressed_data)
+    if config_dict:
+        final_config = {"raw": config_dict}
+        if "ip" in config_dict and "port" in config_dict:
+            final_config["CNCs"] = [f"tcp://{config_dict['ip']}:{config_dict['port']}"]
+        if "build_name" in config_dict:
+            final_config["build"] = config_dict["build_name"]
+        return final_config
+    return {}
+if __name__ == "__main__":
+    import sys
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/community/MyKings.py ADDED Viewed

@@ -0,0 +1,52 @@
+"""
+Description: MyKings AKA Smominru config parser
+Author: x.com/YungBinary
+"""
+from contextlib import suppress
+import json
+import re
+import base64
+def contains_non_printable(byte_array):
+    for byte in byte_array:
+        if not chr(byte).isprintable():
+            return True
+    return False
+def extract_base64_strings(data: bytes, minchars: int, maxchars: int) -> list:
+    pattern = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00{4}"
+    strings = []
+    for string in re.findall(pattern, data):
+        decoded_string = base64_and_printable(string.decode())
+        if decoded_string:
+            strings.append(decoded_string)
+    return strings
+def base64_and_printable(b64_string: str):
+    with suppress(Exception):
+        decoded_bytes = base64.b64decode(b64_string)
+        if not contains_non_printable(decoded_bytes):
+            return decoded_bytes.decode('ascii')
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    with suppress(Exception):
+        cncs = extract_base64_strings(data, 12, 60)
+        if cncs:
+            # as they don't have schema they going under raw
+            config_dict["raw"] = {"CNCs": cncs}
+            return config_dict
+    return {}
+if __name__ == "__main__":
+    import sys
+    with open(sys.argv[1], "rb") as f:
+        print(json.dumps(extract_config(f.read()), indent=4))

cape_parsers/CAPE/community/NanoCore.py CHANGED Viewed

@@ -174,21 +174,21 @@ def extract_config(filebuf):
                     pass
                 elif DataType.DATETIME == param["type"]:
                     dt = param["value"]
-                    config_dict[item_name] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")
+                    config_dict.setdefault("raw", {})[item_name] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")
                 else:
-                    config_dict[item_name] = str(param["value"])
+                    config_dict.setdefault("raw", {})[item_name] = str(param["value"])
     except Exception as e:
         log.error("nanocore error: %s", e)
     cncs = []
-    if config_dict.get("PrimaryConnectionHost"):
-        cncs.append(config_dict["PrimaryConnectionHost"])
-    if config_dict.get("PrimaryConnectionHost"):
-        cncs.append(config_dict["BackupConnectionHost"])
-    if config_dict.get("ConnectionPort") and cncs:
-        port = config_dict["ConnectionPort"]
-        config_dict["cncs"] = [f"{cnc}:{port}" for cnc in cncs]
+    if config_dict.get("raw", {}).get("PrimaryConnectionHost"):
+        cncs.append(config_dict["raw"]["PrimaryConnectionHost"])
+    if config_dict.get("raw", {}).get("PrimaryConnectionHost"):
+        cncs.append(config_dict["raw"]["BackupConnectionHost"])
+    if config_dict.get("raw", {}).get("ConnectionPort") and cncs:
+        port = config_dict["raw"]["ConnectionPort"]
+        config_dict["CNCs"] = [f"{cnc}:{port}" for cnc in cncs]
     return config_dict

cape_parsers/CAPE/community/Nighthawk.py CHANGED Viewed

@@ -4,6 +4,7 @@ import json
 import struct
 import pefile
 # import regex as re
 import re
 from Cryptodome.Cipher import AES

cape_parsers/CAPE/community/Njrat.py CHANGED Viewed

@@ -176,11 +176,11 @@ def extract_config(data):
     config = get_clean_config(config_dict)
     if config:
         if config.get("domain") and config.get("port"):
-            conf["cncs"] = [f"{config['domain']}:{config['port']}"]
+            conf["CNCs"] = [f"{config['domain']}:{config['port']}"]
         if config.get("campaign_id"):
-            conf["campaign id"] = config["campaign_id"]
+            conf["campaign"] = config["campaign_id"]
         if config.get("version"):
             conf["version"] = config["version"]

cape_parsers/CAPE/community/PhemedroneStealer.py CHANGED Viewed

@@ -188,4 +188,6 @@ def extract_config(data):
                             value_data = inst_.split(".")[-1].strip()
                             config_field_name, str_list = check_next_inst(pe, body, DnfileParse, index)
                             config_dict[config_field_name] = value_data
+    if config_dict:
+        config_dict = {"raw": config_dict}
     return config_dict

cape_parsers/CAPE/community/Snake.py CHANGED Viewed

@@ -38,7 +38,7 @@ def handle_plain(dotnet_file, c2_type, user_strings):
     if c2_type == "Telegram":
         token = dotnet_file.net.user_strings.get(user_strings_list[15]).value.__str__()
         chat_id = dotnet_file.net.user_strings.get(user_strings_list[16]).value.__str__()
-        return {"Type": "Telegram", "C2": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+        return {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
     elif c2_type == "SMTP":
         smtp_from = dotnet_file.net.user_strings.get(user_strings_list[7]).value.__str__()
         smtp_password = dotnet_file.net.user_strings.get(user_strings_list[8]).value.__str__()
@@ -46,18 +46,26 @@ def handle_plain(dotnet_file, c2_type, user_strings):
         smtp_to = dotnet_file.net.user_strings.get(user_strings_list[10]).value.__str__()
         smtp_port = dotnet_file.net.user_strings.get(user_strings_list[11]).value.__str__()
         return {
-            "Type": "SMTP",
-            "Host": smtp_host,
-            "Port": smtp_port,
-            "From Address": smtp_from,
-            "To Address": smtp_to,
-            "Password": smtp_password,
+            "raw": {
+                "Type": "SMTP",
+                "Host": smtp_host,
+                "Port": smtp_port,
+                "From Address": smtp_from,
+                "To Address": smtp_to,
+                "Password": smtp_password,
+            },
+            "CNCs": [f"smtp://{smtp_host}:{smtp_port}"]
         }
     elif c2_type == "FTP":
         ftp_username = dotnet_file.net.user_strings.get(user_strings_list[12]).value.__str__()
         ftp_password = dotnet_file.net.user_strings.get(user_strings_list[13]).value.__str__()
         ftp_host = dotnet_file.net.user_strings.get(user_strings_list[14]).value.__str__()
-        return {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password}
+        return {
+            "raw": {
+                "Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password},
+            "CNCs": [f"ftp://{ftp_username}:{ftp_password}@{ftp_host}"]
+        }
 def handle_encrypted(dotnet_file, data, c2_type, user_strings):
@@ -98,20 +106,25 @@ def handle_encrypted(dotnet_file, data, c2_type, user_strings):
     if decrypted_strings:
         if c2_type == "Telegram":
             token, chat_id = decrypted_strings
-            config_dict = {"Type": "Telegram", "C2": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
         elif c2_type == "SMTP":
             smtp_from, smtp_password, smtp_host, smtp_to, smtp_port = decrypted_strings
             config_dict = {
-                "Type": "SMTP",
-                "Host": smtp_host,
-                "Port": smtp_port,
-                "From Address": smtp_from,
-                "To Address": smtp_to,
-                "Password": smtp_password,
+                "raw": {
+                    "Type": "SMTP",
+                    "Host": smtp_host,
+                    "Port": smtp_port,
+                    "From Address": smtp_from,
+                    "To Address": smtp_to,
+                    "Password": smtp_password,
+                }
             }
         elif c2_type == "FTP":
             ftp_username, ftp_password, ftp_host = decrypted_strings
-            config_dict = {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password}
+            config_dict = {
+                "raw": {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password},
+                "CNCs": [f"ftp://{ftp_username}:{ftp_password}@{ftp_host}"]
+            }
     return config_dict
@@ -120,7 +133,7 @@ def extract_config(data):
     try:
         dotnet_file = dnfile.dnPE(data=data)
     except Exception as e:
-        log.debug(f"Exception when attempting to parse .NET file: {e}")
+        log.debug("Exception when attempting to parse .NET file: %s", str(e))
         log.debug(traceback.format_exc())
     # ldstr, stsfld
@@ -152,7 +165,7 @@ def extract_config(data):
             else:
                 user_strings[field_name] = string_index
         except Exception as e:
-            log.debug(f"There was an exception parsing user strings: {e}")
+            log.debug("There was an exception parsing user strings: %s", str(e))
             log.debug(traceback.format_exc())
     if c2_type is None:

cape_parsers/CAPE/community/SparkRAT.py CHANGED Viewed

@@ -59,7 +59,9 @@ def extract_config(data):
             key = f.read(16)
             iv = f.read(16)
             enc_data = f.read(data_len - 32)
-        return decrypt_config(enc_data, key, iv)
+            config = decrypt_config(enc_data, key, iv)
+            if config:
+                return {"raw": config}
     except Exception as e:
         log.error("Configuration decryption failed: %s", e)
         return {}

CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl

CAPE-parsers 0.1.42py3-none-any.whl → 0.1.54py3-none-any.whl