CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl

cape_parsers/CAPE/community/Stealc.py

@@ -1,31 +1,36 @@
 import struct
 import pefile
 import yara
+import ipaddress
+from contextlib import suppress
 
 
-# Hash = 619751f5ed0a9716318092998f2e4561f27f7f429fe6103406ecf16e33837470
+# V1 hash = 619751f5ed0a9716318092998f2e4561f27f7f429fe6103406ecf16e33837470
+# V2 hash = 2f42dcf05dd87e6352491ff9d4ea3dc3f854df53d548a8da0c323be42df797b6 (32-bit payload)
+# V2 hash = 8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387 (64-bit payload)
 
-RULE_SOURCE = """rule StealC
+RULE_SOURCE = """
+rule StealC
 {
     meta:
         author = "Yung Binary"
     strings:
-        $decode_1 = {
-            6A ??
-            68 ?? ?? ?? ??
-            68 ?? ?? ?? ??
-            E8 ?? ?? ?? ??
-        }
-        $decode_2 = {
-            6A ??
-            68 ?? ?? ?? ??
-            68 ?? ?? ?? ??
-            [0-5]
-            E8 ?? ?? ?? ??
-        }
+        $decode_1 = {6A ?? 68 [4] 68 [4] E8}
+        $decode_2 = {6A ?? 68 [4] 68 [4] [0-5] E8}
     condition:
         any of them
-}"""
+}
+rule StealcV2
+{
+    meta:
+        author = "kevoreilly"
+    strings:
+        $botnet32 = {AB AB AB AB 89 4B ?? C7 43 ?? 0F 00 00 00 88 0B A0 [4] EB 12 3C 20 74 0B 0F B6 06 8B CB 50 E8}
+        $botnet64 = {0F 11 01 48 C7 41 ?? 00 00 00 00 48 8B D9 48 C7 41 ?? 0F 00 00 00 C6 01 00 8A 05 [4] EB ?? 3C 20 74 ?? 48 8B 4B ?? 44 8A 0F}
+    condition:
+        any of them
+}
+"""
 
 
 def yara_scan(raw_data):
@@ -38,6 +43,13 @@ def yara_scan(raw_data):
                 yield block.identifier, instance.offset
 
 
+def _is_ip(ip):
+    try:
+        ipaddress.ip_address(ip)
+        return True
+    except Exception:
+        return False
+
 def xor_data(data, key):
     decoded = bytearray()
     for i in range(len(data)):
@@ -45,78 +57,98 @@ def xor_data(data, key):
     return decoded
 
 
-def extract_config(data):
-    config_dict = {}
+def extract_ascii_string(data: bytes, offset: int, max_length=4096) -> str:
+    if offset >= len(data):
+        raise ValueError("Offset beyond data bounds")
+    end = data.find(b'\x00', offset, offset + max_length)
+    if end == -1:
+        end = offset + max_length
+    return data[offset:end].decode('ascii', errors='replace')
 
-    # Attempt to extract via old method
-    try:
-        domain = ""
-        uri = ""
+
+def parse_text(data):
+    global domain, uri
+    with suppress(Exception):
         lines = data.decode().split("\n")
+        if not lines:
+            return
         for line in lines:
             if line.startswith("http") and "://" in line:
                 domain = line
-            if line.startswith("/") and line[-4] == ".":
+            elif _is_ip(line):
+                domain = line
+            if line.startswith("/") and len(line) >= 4 and line[-4] == ".":
                 uri = line
-        if domain and uri:
-            config_dict.setdefault("C2", []).append(f"{domain}{uri}")
-            return config_dict
-    except Exception:
-        pass
 
-    # Try with new method
 
-    #config_dict["Strings"] = []
-    pe = pefile.PE(data=data, fast_load=True)
-    image_base = pe.OPTIONAL_HEADER.ImageBase
-    domain = ""
-    uri = ""
-    botnet_id = ""
+def parse_pe(data):
+    global domain, uri, botnet_id
+    pe = None
+    image_base = 0
     last_str = ""
+    with suppress(Exception):
+        pe = pefile.PE(data=data, fast_load=True)
+        if not pe:
+            return
+        image_base = pe.OPTIONAL_HEADER.ImageBase
+        if not image_base:
+            return
     for match in yara_scan(data):
         try:
             rule_str_name, str_decode_offset = match
+            if rule_str_name.startswith("$botnet"):
+                botnet_var = struct.unpack("I", data[str_decode_offset - 4 : str_decode_offset])[0]
+                if hasattr(pe, 'OPTIONAL_HEADER'):
+                    magic = pe.OPTIONAL_HEADER.Magic
+                    if magic == 0x10b: # 32-bit
+                        botnet_offset = pe.get_offset_from_rva(botnet_var - image_base)
+                    elif magic == 0x20b: # 64-bit
+                        botnet_offset = pe.get_offset_from_rva(pe.get_rva_from_offset(str_decode_offset) + botnet_var)
+                    if botnet_offset:
+                        botnet_id = extract_ascii_string(data, botnet_offset)
             str_size = int(data[str_decode_offset + 1])
             # Ignore size 0 strings
             if not str_size:
                 continue
-
             if rule_str_name.startswith("$decode"):
                 key_rva = data[str_decode_offset + 3 : str_decode_offset + 7]
                 encoded_str_rva = data[str_decode_offset + 8 : str_decode_offset + 12]
-                #dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
-
-            key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
-            encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
-            #dword_offset = struct.unpack("i", dword_rva)[0]
-            #dword_name = f"dword_{hex(dword_offset)[2:]}"
-
-            key = data[key_offset : key_offset + str_size]
-            encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
-            decoded_str = xor_data(encoded_str, key).decode()
-            #config_dict["Strings"].append({dword_name : decoded_str})
-
-            if last_str in ("http://", "https://"):
-                domain += decoded_str
-            elif decoded_str in ("http://", "https://"):
-                domain = decoded_str
-            elif "http" in decoded_str and "://" in decoded_str:
-                domain = decoded_str
-            elif uri == "" and decoded_str.startswith("/") and decoded_str[-4] == ".":
-                uri = decoded_str
-            elif last_str[0] == '/' and last_str[-1] == '/':
-                botnet_id = decoded_str
-
-            last_str = decoded_str
-
+                key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
+                encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
+                key = data[key_offset : key_offset + str_size]
+                encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
+                decoded_str = xor_data(encoded_str, key).decode()
+                if last_str in ("http://", "https://"):
+                    domain += decoded_str
+                elif decoded_str in ("http://", "https://"):
+                    domain = decoded_str
+                elif "http" in decoded_str and "://" in decoded_str:
+                    domain = decoded_str
+                elif uri is None and decoded_str.startswith("/") and decoded_str[-4] == ".":
+                    uri = decoded_str
+                elif last_str[0] == "/" and last_str[-1] == "/":
+                    botnet_id = decoded_str
+                last_str = decoded_str
         except Exception:
             continue
+    return
+
+
+def extract_config(data):
+    global domain, uri, botnet_id
+    domain = uri = botnet_id = None
+    config_dict = {}
+
+    if data[:2] == b'MZ':
+        parse_pe(data)
+    else:
+        parse_text(data)
 
     if domain and uri:
-        config_dict.setdefault("C2", []).append(f"{domain}{uri}")
+        config_dict.setdefault("CNCs", []).append(f"{domain}{uri}")
 
     if botnet_id:
-        config_dict.setdefault("Botnet ID", botnet_id)
+        config_dict.setdefault("botnet", botnet_id)
 
     return config_dict
 

cape_parsers/CAPE/community/VenomRAT.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/WinosStager.py

@@ -0,0 +1,75 @@
+"""
+Description: Winos 4.0 "OnlineModule" config parser
+Author: x.com/YungBinary
+"""
+
+from contextlib import suppress
+import re
+
+
+CONFIG_KEY_MAP = {
+    "dd": "execution_delay_seconds",
+    "cl": "communication_interval_seconds",
+    "bb": "version",
+    "bz": "comment",
+    "jp": "keylogger",
+    "bh": "end_bluescreen",
+    "ll": "anti_traffic_monitoring",
+    "dl": "entrypoint",
+    "sh": "process_daemon",
+    "kl": "process_hollowing"
+}
+
+
+def find_config(data):
+    start = ":db|".encode("utf-16le")
+    end = ":1p|".encode("utf-16le")
+    pattern = re.compile(re.escape(start) + b".*?" + re.escape(end), re.DOTALL)
+    match = pattern.search(data)
+    if match:
+        return match.group(0).decode("utf-16le")
+
+
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    final_config = {}
+
+    with suppress(Exception):
+        config = find_config(data)
+        if not config:
+            return config_dict
+
+        # Reverse the config string, which is delimited by '|'
+        config = config[::-1]
+        # Remove leading/trailing pipes and split into key/value pairs
+        elements = [element for element in config.strip('|').split('|') if ':' in element]
+        # Split each element for key : value in a dictionary
+        config_dict = dict(element.split(':', 1) for element in elements)
+        if config_dict:
+            # Handle extraction and formatting of CNCs
+            for i in range(1, 4):
+                p, o, t = config_dict.get(f"p{i}"), config_dict.get(f"o{i}"), config_dict.get(f"t{i}")
+                if p and p != "127.0.0.1" and o:
+                    protocol = {"0": "udp", "1": "tcp"}.get(t)
+                    if protocol:
+                        cnc = f"{protocol}://{p}:{o}"
+                        final_config.setdefault("CNCs", []).append(cnc)
+
+            if "CNCs" not in final_config:
+                return {}
+
+            final_config["CNCs"] = list(set(final_config["CNCs"]))
+            # Extract campaign ID
+            final_config["campaign_id"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
+
+            # Map keys, e.g. dd -> execution_delay_seconds
+            final_config["raw"] = {v: config_dict[k] for k, v in CONFIG_KEY_MAP.items() if k in config_dict}
+
+    return final_config
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/community/XWorm.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/XenoRAT.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/core/AdaptixBeacon.py

@@ -26,11 +26,12 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
 
     def read_str(length: int):
         nonlocal offset
-        value = data[offset:offset + length].decode("utf-8", errors="replace")
+        value = data[offset : offset + length].decode("utf-8", errors="replace")
         offset += length
         return value
 
-    config["config_rc4_key"] = rc4_key.hex()
+    config["cryptokey"] = rc4_key.hex()
+    config["cryptokey_type"] = "RC4"
     config["agent_type"] = f"{read('<I'):8X}"
     config["use_ssl"] = read("<B")
     host_count = read("<I")
@@ -58,7 +59,8 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
     config["sleep_delay"] = read("<I")
     config["jitter_delay"] = read("<I")
 
-    return config
+    return {"raw": config}
+
 
 def extract_config(filebuf: bytes) -> dict:
     pe = pefile.PE(data=filebuf, fast_load=True)
@@ -78,9 +80,9 @@ def extract_config(filebuf: bytes) -> dict:
             pos = start_offset + 1
             continue
 
-        encrypted_data = data[pos:pos + key_offset]
+        encrypted_data = data[pos : pos + key_offset]
         pos += key_offset
-        rc4_key = data[pos:pos + 16]
+        rc4_key = data[pos : pos + 16]
 
         if key_offset == 787:
             pass

cape_parsers/CAPE/core/AuraStealer.py

@@ -0,0 +1,100 @@
+import json
+import struct
+from contextlib import suppress
+from typing import Any, Dict, Tuple
+
+import pefile
+from Cryptodome.Cipher import AES
+from Cryptodome.Util.Padding import unpad
+
+# Define the format for the fixed-size header part.
+# <   : little-endian
+# 32s : 32-byte string (for aes_key)
+# 16s : 16-byte string (for iv)
+# I   : 4-byte unsigned int (for dword1)
+# I   : 4-byte unsigned int (for dword2)
+HEADER_FORMAT = "<32s16sII"
+HEADER_SIZE = struct.calcsize(HEADER_FORMAT)  # This will be 32 + 16 + 4 + 4 = 56 bytes
+
+def parse_blob(data: bytes):
+    """
+    Parse the blob according to the scheme:
+      - 32 bytes = AES key
+      - Next 16 bytes = IV
+      - Next 2 DWORDs (8 bytes total) = XOR to get cipher data size
+      - Remaining bytes = cipher data of that size
+    """
+    aes_key, iv, dword1, dword2 = struct.unpack_from(HEADER_FORMAT, data, 0)
+    ciphertext_size = dword1 ^ dword2
+    cipher_data = data[HEADER_SIZE : HEADER_SIZE + ciphertext_size]
+    return aes_key, iv, cipher_data
+
+
+def decrypt(data: bytes) -> Tuple[bytes, bytes, bytes]:
+    aes_key, iv, cipher_data = parse_blob(data)
+    cipher = AES.new(aes_key, AES.MODE_CBC, iv)
+    plaintext_padded = cipher.decrypt(cipher_data)
+    return aes_key, iv, unpad(plaintext_padded, AES.block_size)
+
+
+def extract_config(data: bytes) -> Dict[str, Any]:
+    cfg: Dict[str, Any] = {}
+    plaintext = b""
+
+    pe = pefile.PE(data=data, fast_load=True)
+    try:
+        data_section = [s for s in pe.sections if s.Name.find(b".data") != -1][0]
+    except IndexError:
+        return cfg
+
+    if not data_section:
+        return cfg
+
+    data = data_section.get_data()
+    block_size = 4096
+    zeros = b"\x00" * block_size
+    offset = data.find(zeros)
+    if offset == -1:
+        return cfg
+
+    while offset > 0:
+        with suppress(Exception):
+            aes_key, iv, plaintext = decrypt(data[offset : offset + block_size])
+            if plaintext and b"conf" in plaintext:
+                break
+
+        offset -= 1
+
+    if plaintext:
+        try:
+            parsed = json.loads(plaintext.decode("utf-8", errors="ignore").rstrip("\x00"))
+        except json.JSONDecodeError:
+            return cfg
+
+        conf = parsed.get("conf", {})
+        build = parsed.get("build", {})
+        if conf:
+            cfg = {
+                "CNCs": conf.get("hosts"),
+                "user_agent": conf.get("useragents"),
+                "version": build.get("ver"),
+                "build": build.get("build_id"),
+                "cryptokey": aes_key.hex(),
+                "cryptokey_type": "AES",
+                "raw": {
+                    "iv": iv.hex(),
+                    "anti_vm": conf.get("anti_vm"),
+                    "anti_dbg": conf.get("anti_dbg"),
+                    "self_del": conf.get("self_del"),
+                    "run_delay": conf.get("run_delay"),
+                }
+            }
+
+    return cfg
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/core/Azorult.py

@@ -30,7 +30,7 @@ rule Azorult
         cape_type = "Azorult Payload"
     strings:
         $ref_c2 = {6A 00 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? FF 55 F0 8B D8 C7 47 10 ?? ?? ?? ?? 90 C7 45 B0 C0 C6 2D 00 6A 04 8D 45 B0 50 6A 06 53 FF 55 D4}
-   condition:
+    condition:
         uint16(0) == 0x5A4D and all of them
 }
 """
@@ -48,16 +48,18 @@ def extract_config(filebuf):
             for instance in block.instances:
                 try:
                     cnc_offset = struct.unpack("i", instance.matched_data[21:25])[0]
-                    cnc = pe.get_data(cnc_offset-image_base, 32).split(b"\x00")[0]
+                    cnc = pe.get_data(cnc_offset - image_base, 32).split(b"\x00")[0]
                     if cnc:
                         if not cnc.startswith(b"http"):
                             cnc = b"http://" + cnc
-                        return {"cncs": [cnc.decode()]}
+                        return {"CNCs": [cnc.decode()]}
                 except Exception as e:
                     log.error("Error parsing Azorult config: %s", e)
     return {}
 
+
 if __name__ == "__main__":
     import sys
+
     with open(sys.argv[1], "rb") as f:
         print(extract_config(f.read()))

cape_parsers/CAPE/core/BitPaymer.py

@@ -86,7 +86,10 @@ def extract_config(file_data):
         for item in raw.split(b"\x00"):
             data = "".join(convert_char(c) for c in item)
             if len(data) == 760:
-                config["RSA public key"] = data
+                config.setdefault("cryptokey", data)
+                # ToDO proper naming here
+                config.setdefault("raw", {})["cryptokey_type"] = "RSA public key"
+
             elif len(data) > 1 and "\\x" not in data:
-                config["strings"] = data
+                config.setdefault("raw", {})["strings"] = data
     return config

cape_parsers/CAPE/core/BlackDropper.py

@@ -55,7 +55,7 @@ def extract_config(data: bytes) -> dict:
         return {}
 
     rdata_data = rdata_section.get_data()
-    patterns = [br"Builder\.dll\x00", br"Builder\.exe\x00"]
+    patterns = [rb"Builder\.dll\x00", rb"Builder\.exe\x00"]
     matches = []
     for pattern in patterns:
         matches.extend(re.finditer(pattern, rdata_data))
@@ -66,7 +66,7 @@ def extract_config(data: bytes) -> dict:
         end = min(len(rdata_data), match.end() + 1024)
         found_strings.update(re.findall(b"[\x20-\x7E]{4,}?\x00", rdata_data[start:end]))
 
-    result = {}
+    config = {}
     urls = []
     directories = []
     campaign = ""
@@ -74,7 +74,7 @@ def extract_config(data: bytes) -> dict:
     if found_strings:
         key = get_year(pe)
         if not key:
-            return result
+            return {}
         for string in found_strings:
             with suppress(UnicodeDecodeError):
                 decoded_string = string.decode("utf-8").rstrip("\x00")
@@ -88,9 +88,14 @@ def extract_config(data: bytes) -> dict:
             elif re.match(r"^(?![A-Z]{6,}$)[a-zA-Z0-9\-=]{6,}$", decoded_string):
                 campaign = decoded_string
 
-        result = {"urls": sorted(urls), "directories": directories, "campaign": campaign}
+        if urls:
+            config["CNCs"] = sorted(urls)
+        if campaign:
+            config["campaign"] = campaign
+        if directories:
+            config["raw"] = {"directories": directories}
 
-    return result
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/core/Blister.py

@@ -542,16 +542,18 @@ def extract_config(data):
             injection_method = "Process hollowing IE or Werfault"
 
     config = {
-        "Flag": hex(flag),
-        "Payload export hash": hex(u32(payload_export_hash)),
-        "Payload filename": w_payload_filename_and_cmdline,
-        "Compressed data size": hex(u32(compressed_data_size)),
-        "Uncompressed data size": hex(u32(uncompressed_data_size)),
-        "Rabbit key": binascii.hexlify(key).decode(),
-        "Rabbit IV": binascii.hexlify(iv).decode(),
-        "Persistence": persistance,
-        "Sleep after injection": sleep_after_injection,
-        "Injection method": injection_method,
+        "raw": {
+            "Flag": hex(flag),
+            "Payload export hash": hex(u32(payload_export_hash)),
+            "Payload filename": w_payload_filename_and_cmdline,
+            "Compressed data size": hex(u32(compressed_data_size)),
+            "Uncompressed data size": hex(u32(uncompressed_data_size)),
+            "Rabbit key": binascii.hexlify(key).decode(),
+            "Rabbit IV": binascii.hexlify(iv).decode(),
+            "Persistence": persistance,
+            "Sleep after injection": sleep_after_injection,
+            "Injection method": injection_method,
+        }
     }
 
     return config