CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl

cape_parsers/CAPE/core/BruteRatel.py

@@ -2,22 +2,35 @@ from contextlib import suppress
 
 
 def extract_config(data):
-    config_dict = {}
+    config = {}
 
     with suppress(Exception):
         i = 0
         lines = data.decode().split("\n")
         for line in lines:
             if line.startswith("Mozilla"):
-                config_dict["User Agent"] = line
-                config_dict["C2"] = list(set(lines[i - 2].split(",")))
-                config_dict["Port"] = lines[i - 1]
-                config_dict["URI"] = lines[i + 3].split(",")
-                config_dict["Keys"] = [lines[i + 1], lines[i + 2]]
+                cncs = list(set(lines[i - 2].split(",")))
+                port = lines[i - 1]
+                uris = lines[i + 3].split(",")
+                keys = [lines[i + 1], lines[i + 2]]
+
+                for cnc in cncs:
+                    # ToDo need to verify if we have schema and uri has slash
+                    for uri in uris:
+                        config.setdefault("CNCs", []).append(f"{cnc}:{port}{uri}")
+
+                config["raw"] = {
+                    "User Agent": line,
+                    "C2": cncs,
+                    "Port": port,
+                    "URI": uri,
+                    # ToDo move to proper field
+                    "Keys": keys,
+                }
                 break
             i += 1
 
-    return config_dict
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/core/BumbleBee.py

@@ -6,6 +6,7 @@ import traceback
 from contextlib import suppress
 
 import pefile
+
 # import regex as re
 # test
 import re
@@ -49,7 +50,7 @@ def extract_key_data(data, pe, key_match):
         # Read arbitrary number of byes from key offset and split on null bytes to extract key
         key = data[key_offset : key_offset + 0x40].split(b"\x00")[0]
     except Exception as e:
-        log.debug(f"There was an exception extracting the key: {e}")
+        log.debug("There was an exception extracting the key: %s", str(e))
         log.debug(traceback.format_exc())
         return False
     return key
@@ -69,7 +70,7 @@ def extract_config_data(data, pe, config_match):
         )
         campaign_id_ct = data[campaign_id_offset : campaign_id_offset + 0x10]
     except Exception as e:
-        log.debug(f"There was an exception extracting the campaign id: {e}")
+        log.debug("There was an exception extracting the campaign id: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -83,7 +84,7 @@ def extract_config_data(data, pe, config_match):
         )
         botnet_id_ct = data[botnet_id_offset : botnet_id_offset + 0x10]
     except Exception as e:
-        log.debug(f"There was an exception extracting the botnet id: {e}")
+        log.debug("There was an exception extracting the botnet id: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -98,7 +99,7 @@ def extract_config_data(data, pe, config_match):
         c2s_offset = pe.get_offset_from_rva(c2s_rva + int.from_bytes(config_match.group("c2s"), byteorder="little"))
         c2s_ct = data[c2s_offset : c2s_offset + 0x400]
     except Exception as e:
-        log.debug(f"There was an exception extracting the C2s: {e}")
+        log.debug("There was an exception extracting the C2s: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -106,7 +107,7 @@ def extract_config_data(data, pe, config_match):
 
 
 def extract_2024(pe, filebuf):
-    cfg = {}
+    config = {}
     rc4key_init_offset = 0
     botid_init_offset = 0
     port_init_offset = 0
@@ -142,45 +143,55 @@ def extract_2024(pe, filebuf):
     key_offset = pe.get_dword_from_offset(rc4key_init_offset + 57)
     key_rva = pe.get_rva_from_offset(rc4key_init_offset + 61) + key_offset
     key = pe.get_string_at_rva(key_rva)
-    cfg["RC4 key"] = key.decode()
 
+    botid = ""
     botid_offset = pe.get_dword_from_offset(botid_init_offset + 51)
     botid_rva = pe.get_rva_from_offset(botid_init_offset + 55) + botid_offset
     botid_len_offset = pe.get_dword_from_offset(botidlgt_init_offset + 31)
     botid_data = pe.get_data(botid_rva)[:botid_len_offset]
     with suppress(Exception):
         botid = ARC4.new(key).decrypt(botid_data).split(b"\x00")[0].decode()
-        cfg["Botid"] = botid
 
+    port = ""
     port_offset = pe.get_dword_from_offset(port_init_offset + 23)
     port_rva = pe.get_rva_from_offset(port_init_offset + 27) + port_offset
     port_len_offset = pe.get_dword_from_offset(botidlgt_init_offset + 4)
     port_data = pe.get_data(port_rva)[:port_len_offset]
     with suppress(Exception):
         port = ARC4.new(key).decrypt(port_data).split(b"\x00")[0].decode()
-        cfg["Port"] = port
 
     dgaseed_offset = pe.get_dword_from_offset(dga1_init_offset + 15)
     dgaseed_rva = pe.get_rva_from_offset(dga1_init_offset + 19) + dgaseed_offset
     dgaseed_data = pe.get_qword_at_rva(dgaseed_rva)
-    cfg["DGA seed"] = str(int(dgaseed_data))
 
     numdga_offset = pe.get_dword_from_offset(dga1_init_offset + 22)
     numdga_rva = pe.get_rva_from_offset(dga1_init_offset + 26) + numdga_offset
     numdga_data = pe.get_string_at_rva(numdga_rva)
-    cfg["Number DGA domains"] = numdga_data.decode()
 
     domainlen_offset = pe.get_dword_from_offset(dga2_init_offset + 3)
     domainlen_rva = pe.get_rva_from_offset(dga2_init_offset + 7) + domainlen_offset
     domainlen_data = pe.get_string_at_rva(domainlen_rva)
-    cfg["Domain length"] = domainlen_data.decode()
 
     tld_offset = pe.get_dword_from_offset(dga2_init_offset + 37)
     tld_rva = pe.get_rva_from_offset(dga2_init_offset + 41) + tld_offset
     tld_data = pe.get_string_at_rva(tld_rva).decode()
-    cfg["TLD"] = tld_data
 
-    return cfg
+    config = {
+        "dga_seed": str(int(dgaseed_data)),
+        "cryptokey": key.decode(),
+        "cryptokey_type": "RC4",
+        "raw": {
+            "TLD": tld_data,
+            "Domain length": domainlen_data.decode(),
+            "Number DGA domains": numdga_data.decode(),
+        },
+    }
+    if port:
+        config["raw"]["port"] = port
+    if botid:
+        config["botnet"] = botid
+
+    return config
 
 
 def extract_config(data):
@@ -209,29 +220,30 @@ def extract_config(data):
                 if not key:
                     continue
                 if index == 0:
-                    cfg["Botnet ID"] = key.decode()
+                    cfg["botnet"] = key.decode()
                 elif index == 1:
-                    cfg["Campaign ID"] = key.decode()
+                    cfg["campaign"] = key.decode()
                 elif index == 2:
-                    cfg["Data"] = key.decode("latin-1")
+                    cfg.setdefault("raw", {})["Data"] = key.decode("latin-1")
                 elif index == 3:
-                    cfg["C2s"] = list(key.decode().split(","))
+                    cfg["CNCs"] = list(key.decode().split(","))
         elif len(key_match) == 1:
             key = extract_key_data(data, pe, key_match[0])
             if not key:
                 return cfg
-            cfg["RC4 Key"] = key.decode()
+            cfg["cryptokey"] = key.decode()
+            cfg["cryptokey_type"] = "RC4"
         # Extract config ciphertext
         config_match = regex.search(data)
         campaign_id, botnet_id, c2s = extract_config_data(data, pe, config_match)
         if campaign_id:
-            cfg["Campaign ID"] = ARC4.new(key).decrypt(campaign_id).split(b"\x00")[0].decode()
+            cfg["campaign"] = ARC4.new(key).decrypt(campaign_id).split(b"\x00")[0].decode()
         if botnet_id:
-            cfg["Botnet ID"] = ARC4.new(key).decrypt(botnet_id).split(b"\x00")[0].decode()
+            cfg["botnet"] = ARC4.new(key).decrypt(botnet_id).split(b"\x00")[0].decode()
         if c2s:
-            cfg["C2s"] = list(ARC4.new(key).decrypt(c2s).split(b"\x00")[0].decode().split(","))
+            cfg["CNCs"] = list(ARC4.new(key).decrypt(c2s).split(b"\x00")[0].decode().split(","))
     except Exception as e:
-        log.error("This is broken: %s", str(e), exc_info=True)
+        log.exception("This is broken: %s", str(e))
 
     if not cfg:
         cfg = extract_2024(pe, data)

cape_parsers/CAPE/core/DarkGate.py

@@ -70,7 +70,7 @@ def parse_config(data, conf_map):
         except KeyError:
             config[f"unknown_{k}"] = v
 
-    return config
+    return {"raw": config}
 
 
 def decode(data):
@@ -81,7 +81,7 @@ def decode(data):
             strval = translate_string(strval.decode("utf-8"))
             decoded_str = base64.b64decode(strval)
             if decoded_str.startswith(b"http"):
-                config["C2"] = [x for x in decoded_str.decode("utf-8").split("|") if x.strip() != ""]
+                config["CNCs"] = [x for x in decoded_str.decode("utf-8").split("|") if x.strip() != ""]
             elif b"1=Yes" in decoded_str or b"1=No" in decoded_str:
                 config.update(parse_config(decoded_str, config_map_1))
             else:
@@ -102,7 +102,7 @@ def extract_config(data):
         config = {}
         for item in data.split(b"\r\n")[:-1]:
             if item.startswith(b"0="):
-                config["C2"] = [x for x in item[2:].decode("utf-8").split("|") if x.strip() != ""]
+                config["CNCs"] = [x for x in item[2:].decode("utf-8").split("|") if x.strip() != ""]
             else:
                 config.update(parse_config(item, config_map_2))
         return config

cape_parsers/CAPE/core/DoppelPaymer.py

@@ -72,7 +72,9 @@ def extract_config(filebuf):
         for item in raw.split(b"\x00"):
             data = "".join(convert_char(c) for c in item)
             if len(data) == 406:
-                config["RSA public key"] = data
+                config.setdefault("cryptokey", data)
+                # ToDO proper naming here
+                config.setdefault("raw", {})["cryptokey_type"] = "RSA public key"
             elif len(data) > 1 and "\\x" not in data:
-                config["strings"] = data
+                config.setdefault("raw", {})["strings"] = data
     return config

cape_parsers/CAPE/core/DridexLoader.py

@@ -132,7 +132,7 @@ def extract_config(filebuf):
         port = str(struct.unpack("H", filebuf[c2_offset + 4 : c2_offset + 6])[0])
 
         if c2_address and port:
-            cfg.setdefault("address", []).append(f"{c2_address}:{port}")
+            cfg.setdefault("CNCs", []).append(f"{c2_address}:{port}")
 
         c2_offset += 6 + delta
 
@@ -155,7 +155,8 @@ def extract_config(filebuf):
                 )
             for item in raw.split(b"\x00"):
                 if len(item) == LEN_BLOB_KEY - 1:
-                    cfg["RC4 key"] = item.split(b";", 1)[0].decode()
+                    cfg["cryptokey"] = item.split(b";", 1)[0].decode()
+                    cfg["cryptokey_type"] = "RC4"
 
     if botnet_code:
         botnet_rva = struct.unpack("i", filebuf[botnet_code + 23 : botnet_code + 27])[0] - image_base
@@ -163,7 +164,7 @@ def extract_config(filebuf):
         with suppress(struct.error):
             botnet_offset = pe.get_offset_from_rva(botnet_rva)
             botnet_id = struct.unpack("H", filebuf[botnet_offset : botnet_offset + 2])[0]
-            cfg["Botnet ID"] = str(botnet_id)
+            cfg["botnet"] = str(botnet_id)
 
     return cfg
 

cape_parsers/CAPE/core/Formbook.py

@@ -12,11 +12,11 @@ def extract_config(data):
             i += 1
     elif "www." not in lines[0]:
         return
-    config_dict["C2"] = lines[i]
+    config_dict["CNCs"] = lines[i]
     decoys = []
     i += 1
     while len(lines[i]) > 0:
         decoys.append(lines[i])
         i += 1
-    config_dict["Decoys"] = decoys
+    config_dict.setdefault("raw", {})["Decoys"] = decoys
     return config_dict

cape_parsers/CAPE/core/GuLoader.py

@@ -1,7 +1,4 @@
-try:
-    import re2 as re
-except ImportError:
-    import re
+import re
 
 url_regex = re.compile(rb"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+")
 
@@ -10,7 +7,7 @@ def extract_config(data):
     try:
         urls = [url.lower().decode() for url in url_regex.findall(data)]
         if urls:
-            return {"URLs": urls}
+            return {"CNCs": urls}
     except Exception as e:
         print(e)
 

cape_parsers/CAPE/core/IcedID.py

@@ -77,12 +77,12 @@ def extract_config(filebuf):
                         decrypted_data = ARC4.new(key).decrypt(enc_config)
                         config = list(filter(None, decrypted_data.split(b"\x00")))
                         return {
-                            "family": "IcedID",
                             "version": str(struct.unpack("I", decrypted_data[4:8])[0]),
-                            "paths": [{"path": config[1].decode(), "usage": "other"}],
-                            "http": [{"uri": controller[1:].decode()} for controller in config[2:]],
-                            "other": {
-                                "Bot ID": str(struct.unpack("I", decrypted_data[:4])[0]),
+                            "botnet": str(struct.unpack("I", decrypted_data[:4])[0]),
+                            "raw": {
+                                "family": "IcedID",
+                                "paths": [{"path": config[1].decode(), "usage": "other"}],
+                                "http": [{"uri": controller[1:].decode()} for controller in config[2:]],
                             },
                         }
             except Exception as e:

cape_parsers/CAPE/core/IcedIDLoader.py

@@ -19,7 +19,7 @@ import pefile
 
 
 def extract_config(filebuf):
-    cfg = {}
+    config = {}
     pe = None
     with suppress(Exception):
         pe = pefile.PE(data=filebuf, fast_load=False)
@@ -35,9 +35,9 @@ def extract_config(filebuf):
                 if n > 32:
                     break
             campaign, c2 = struct.unpack("I30s", bytes(dec))
-            cfg["C2"] = c2.split(b"\00", 1)[0].decode()
-            cfg["Campaign"] = campaign
-            return cfg
+            config["CNCs"] = c2.split(b"\00", 1)[0].decode()
+            config["campaign"] = campaign
+            return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/core/Latrodectus.py

@@ -41,7 +41,7 @@ rule Latrodectus
         $fnvhash2 = {8B 0C 24 33 C8 8B C1 89 04 24 69 04 24 93 01 00 01}
         $procchk1 = {E8 [3] FF 85 C0 74 [2] FF FF FF FF E9 [4] E8 [4] 89 44 24 ?? E8 [4] 83 F8 4B 73 ?? 83 [3] 06}
         $procchk2 = {72 [2] FF FF FF FF E9 [4] E8 [4] 83 F8 32 73 ?? 83 [3] 06}
-		$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
+		$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
     condition:
         all of them
 }
@@ -59,7 +59,7 @@ rule Latrodectus_AES
 		$key =  {C6 44 2? ?? ?? [150] C6 44 2? ?? ?? B8 02}
 		$aes_ctr_1 = {8B 44 24 ?? FF C8 89 44 24 ?? 83 7C 24 ?? 00 7C ?? 4? 63 44 24 ?? 4? 8B 4C 24 ?? 0F B6 84 01 F0 00 00 00 3D FF 00 00 00}
 		$aes_ctr_2 = {48 03 C8 48 8B C1 0F B6 ?? 48 63 4C 24 ?? 0F B6 4C 0C ?? 33 C1 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 03 D1 48 8B CA 88 01}
-		$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
+		$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
     condition:
         all of them
 }
@@ -152,7 +152,8 @@ def extract_config(filebuf):
                         data = instance.matched_data[::-1]
                         major = int.from_bytes(data[10:11], byteorder="big")
                         minor = int.from_bytes(data[18:19], byteorder="big")
-                        version = f"{major}.{minor}"
+                        release = int.from_bytes(data[26:27], byteorder="big")
+                        version = f"{major}.{minor}.{release}"
                     if "$key" in item.identifier:
                         key = instance.matched_data[4::5]
             try:
@@ -197,17 +198,20 @@ def extract_config(filebuf):
                     str_vals.remove(item)
 
                 cfg = {
-                    "C2": c2,
-                    "Group name": campaign,
-                    "Campaign ID": fnv_hash(campaign.encode()),
-                    "Version": version,
-                    "RC4 key": rc4_key,
-                    "Strings": str_vals,
+                    "CNCs": c2,
+                    "campaign": fnv_hash(campaign.encode()),
+                    "version": version,
+                    "cryptokey": rc4_key,
+                    "cryptokey_type": "RC4",
+                    "raw": {
+                        "Strings": str_vals,
+                        "Group name": campaign,
+                    },
                 }
             except Exception as e:
                 log.error("Error: %s", e)
 
-        if not cfg.get("C2", False) and not cfg.get("Group name", False):
+        if not cfg.get("C2", False) and not cfg.get("raw", {}).get("Group name", False):
             cfg = None
     return cfg
 

cape_parsers/CAPE/core/NitroBunnyDownloader.py

@@ -0,0 +1,151 @@
+# Copyright (C) 2024 enzok
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+import struct
+
+import pefile
+import yara
+
+log = logging.getLogger(__name__)
+
+DESCRIPTION = "NitroBunnyDownloader configuration parser."
+AUTHOR = "enzok"
+
+yara_rule = """
+rule NitroBunnyDownloader
+{
+    meta:
+        author = "enzok"
+        description = "NitroBunnyDownloader Payload"
+        cape_type = "NitroBunnyDownloader Payload"
+        hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
+    strings:
+        $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $string1 = "X-Amz-User-Agent:" wide
+        $string2 = "Amz-Security-Flag:" wide
+        $string3 = "/cart" wide
+        $string4 = "Cookie: " wide
+        $string5 = "wishlist" wide
+    condition:
+        uint16(0) == 0x5A4D and $config and 2 of ($string*)
+}
+"""
+
+yara_rules = yara.compile(source=yara_rule)
+
+
+def yara_scan(raw_data):
+    try:
+        return yara_rules.match(data=raw_data)
+    except Exception as e:
+        print(e)
+        return None
+
+
+def read_dword(data, off):
+    if off + 4 > len(data):
+        raise ValueError(f"EOF reading dword at {off}")
+    val = struct.unpack_from("<I", data, off)[0]
+    return val, off + 4
+
+
+def read_qword(data, off):
+    """Read a 64-bit unsigned little-endian value."""
+    if off + 8 > len(data):
+        raise ValueError(f"EOF reading qword at {off}")
+    val = struct.unpack_from("<Q", data, off)[0]
+    return val, off + 8
+
+
+def read_utf16le_string(data, off, length):
+    if off + length > len(data):
+        raise ValueError(f"EOF reading string at {off} len={length}")
+    raw = data[off:off + length]
+    s = raw.decode("utf-16le", errors="replace").rstrip("\x00")
+    return s, off + length
+
+
+def read_string_list(data, off, count):
+    items = []
+    for i in range(count):
+        length_words, off = read_qword(data, off)
+        s, off = read_utf16le_string(data, off, length_words)
+        items.append(s)
+    return items, off
+
+
+def extract_config(filebuf):
+    yara_hit = yara_scan(filebuf)
+    if not yara_hit:
+        return None
+
+    cfg = {}
+    config_code_offset = None
+    for hit in yara_hit:
+        if hit.rule != "NitroBunnyDownloader":
+            continue
+
+        for item in hit.strings:
+            for instance in item.instances:
+                if "$config" in item.identifier:
+                    config_code_offset = instance.offset
+                    break
+
+    if config_code_offset is None:
+        return None
+
+    try:
+        pe = pefile.PE(data=filebuf, fast_load=True)
+        config_length = pe.get_dword_from_offset(config_code_offset + 7)
+        config_offset = pe.get_dword_from_offset(config_code_offset + 14)
+        rva = pe.get_rva_from_offset(config_code_offset + 18)
+        config_rva = rva + config_offset
+        data = pe.get_data(config_rva, config_length)
+        off = 0
+        raw = cfg["raw"] = {}
+        port, off = read_dword(data, off)
+        num, off = read_dword(data, off)
+        cncs, off = read_string_list(data, off, num)
+        num, off = read_qword(data, off)
+        raw["user_agent"], off = read_utf16le_string(data, off, num)
+        num, off = read_dword(data, off)
+        raw["http_header_items"], off = read_string_list(data, off, num)
+        num, off = read_dword(data, off)
+        raw["uri_list"], off = read_string_list(data, off, num)
+        raw["unknown_1"], off = read_dword(data, off)
+        raw["unknown_2"], off = read_dword(data, off)
+
+        if cncs:
+            cfg["CNCs"] = []
+            schema = {80: "http", 443: "https"}.get(port, "tcp")
+            for cnc in cncs:
+                cnc = f"{schema}://{cnc}"
+                if port not in (80, 443):
+                    cnc += f":{port}"
+
+                cfg["CNCs"].append(cnc)
+
+    except Exception as e:
+        log.error("Error: %s", e)
+        return None
+
+    return cfg
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/core/Oyster.py

@@ -75,7 +75,7 @@ def yara_scan(raw_data):
 
 def extract_config(filebuf):
     yara_hit = yara_scan(filebuf)
-    cfg = {}
+    config = {}
 
     for hit in yara_hit:
         if hit.rule == "Oyster":
@@ -121,14 +121,16 @@ def extract_config(filebuf):
                         if c2_matches:
                             c2.extend(c2_matches)
 
-                cfg = {
-                    "C2": c2,
-                    "Dll Version": dll_version,
-                    "Strings": str_vals,
+                config = {
+                    "CNCs": c2,
+                    'version': dll_version,
+                    "raw": {
+                        "Strings": str_vals,
+                    },
                 }
             except Exception as e:
                 log.error("Error: %s", e)
-    return cfg
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/core/PikaBot.py

@@ -105,13 +105,13 @@ def get_config(input_data):
     c2s = get_c2s(data, number_of_c2s)
 
     return {
-        "Version": version,
-        "Campaign Name": campaign_name,
-        "Registry Key": registry_key,
-        "User Agent": user_agent,
+        "version": version,
+        "campaign": campaign_name,
+        "raw": {"Registry Key": registry_key},
+        "user_agent": user_agent,
         # "request_headers": request_headers,
         # "api_cmds": api_cmds,
-        "C2s": c2s,
+        "CNCs": c2s,
     }
 
 
@@ -152,7 +152,7 @@ def extract_config(filebuf):
                     out = wide_finder(test_out_ptxt).decode("utf-16le")
         if out:
             url = get_url(out)
-            return {"C2": [url], "PowerShell": out}
+            return {"CNCs": [url], "raw": {"PowerShell": out}}
 
     if data:
         yara_hit = yara_scan(filebuf)

cape_parsers/CAPE/core/PlugX.py

@@ -322,4 +322,6 @@ def extract_config(cfg_blob):
                 reg_list.append(reg_name)
         if reg_list:
             config_output.update({"Registry black list": reg_list})
-    return config_output
+
+    if config_output:
+        return {"raw": config_output}

cape_parsers/CAPE/core/QakBot.py

@@ -493,7 +493,8 @@ def extract_config(filebuf):
         config = parse_config(filebuf[: len(filebuf) - 20])
         for k, v in config.items():
             end_config.setdefault(k, v)
-    return end_config
+    if end_config:
+        return {"raw": end_config}
 
 
 if __name__ == "__main__":