CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl

cape_parsers/CAPE/core/Quickbind.py

@@ -57,12 +57,7 @@ def extract_config(filebuf):
             encrypted_string = struct.unpack_from(data_format, data, offset)[0]
 
             with suppress(IndexError, UnicodeDecodeError, ValueError):
-                decrypted_result = (
-                    ARC4.new(key)
-                    .decrypt(encrypted_string)
-                    .replace(b"\x00", b"")
-                    .decode("utf-8")
-                )
+                decrypted_result = ARC4.new(key).decrypt(encrypted_string).replace(b"\x00", b"").decode("utf-8")
 
             if decrypted_result and all(32 <= ord(char) <= 127 for char in decrypted_result):
                 if len(decrypted_result) > 2:
@@ -105,12 +100,13 @@ def extract_config(filebuf):
                     campaign_found = True
 
             elif is_hex(item):
-                cfg["RC4 Key"] = item
+                cfg["cryptokey"] = item
+                cfg["cryptokey_type"] = "RC4"
                 if i == 1:
                     campaign_found = True
 
             elif "Mozilla" in item:
-                cfg["User-agent"] = item
+                cfg["user_agent"] = item
                 if i == 1:
                     campaign_found = True
 
@@ -119,13 +115,13 @@ def extract_config(filebuf):
                 campaign_found = True
 
         if campaign_found:
-            cfg["Campaign"] = campaign
+            cfg["campaign"] = campaign
 
         if c2s:
-            cfg["C2"] = c2s
+            cfg["CNCs"] = c2s
 
         if mutexes:
-            cfg["Mutex"] = list(set(mutexes))
+            cfg["mutex"] = list(set(mutexes))
 
     return cfg
 

cape_parsers/CAPE/core/RedLine.py

@@ -167,11 +167,11 @@ def extract_config(data):
     if not c2 or "." not in c2:
         return
 
-    config_dict = {"C2": c2, "Botnet": botnet, "Key": key}
+    config_dict = {"CNCs": c2, "botnet": botnet, "cryptokey": key}
     if "Authorization" in user_strings:
         base_location = user_strings.index("Authorization")
         if base_location:
-            config_dict["Authorization"] = user_strings[base_location - 1]
+            config_dict.setdefault("raw", {})["Authorization"] = user_strings[base_location - 1]
     return config_dict
 
 

cape_parsers/CAPE/core/Remcos.py

@@ -25,34 +25,34 @@ FLAG = {b"\x00": "Disable", b"\x01": "Enable"}
 
 # From JPCERT and Elastic Security Labs
 idx_list = {
-    0: "Host:Port:Password", # String containing "domain:port:enable_tls" separated by the "\x1e" characte
-    1: "Botnet", # Name of the botnet
-    2: "Connect interval", # Interval in second between connection attempt to C2
-    3: "Install flag", # Install REMCOS on the machine host
-    4: "Setup HKCU\\Run", # Enable setup of the persistence in the registry
-    5: "Setup HKLM\\Run", # Enable setup of the persistence in the registry
+    0: "Host:Port:Password",  # String containing "domain:port:enable_tls" separated by the "\x1e" characte
+    1: "Botnet",  # Name of the botnet
+    2: "Connect interval",  # Interval in second between connection attempt to C2
+    3: "Install flag",  # Install REMCOS on the machine host
+    4: "Setup HKCU\\Run",  # Enable setup of the persistence in the registry
+    5: "Setup HKLM\\Run",  # Enable setup of the persistence in the registry
     6: "Setup HKLM\\Explorer\\Run",
-    7: "Keylog file max size", # Maximum size of the keylogging data before rotation
-    8: "Setup HKLM\\Explorer\\Run", # Enable setup of the persistence in the registry
-    9: "Install parent directory", # Parent directory of the install folder. Integer mapped to an hardcoded path
-    10: "Install filename", # Name of the REMCOS binary once installed
+    7: "Keylog file max size",  # Maximum size of the keylogging data before rotation
+    8: "Setup HKLM\\Explorer\\Run",  # Enable setup of the persistence in the registry
+    9: "Install parent directory",  # Parent directory of the install folder. Integer mapped to an hardcoded path
+    10: "Install filename",  # Name of the REMCOS binary once installed
     11: "Startup value",
-    12: "Hide file", # Enable super hiding the install directory and binary as well as setting them to read only
-    13: "Process injection flag", # 	Enable running the malware injected in another process
-    14: "Mutex", # String used as the malware mutex and registry key
-    15: "Keylogger mode", # Set keylogging capability. Keylogging mode, 0 = disabled, 1 = keylogging everything, 2 = keylogging specific window(s)
-    16: "Keylogger parent directory", # Parent directory of the keylogging folder. Integer mapped to an hardcoded path
-    17: "Keylogger filename", # Filename of the keylogged data
-    18: "Keylog crypt", # Enable encryption RC4 of the keylogger data file
-    19: "Hide keylog file", # Enable super hiding of the keylogger data file
-    20: "Screenshot flag", # Enable screen recording capability
-    21: "Screenshot time", # The time interval in minute for capturing each screenshot
-    22: "Take Screenshot option", # Enable screen recording for specific window names
-    23: "Take screenshot title", # String containing window names separated by the ";” character
-    24: "Take screenshot time", #s The time interval in second for capturing each screenshot when a specific window name is found in the current foreground window title
-    25: "Screenshot parent directory", # Parent directory of the screenshot folder. Integer mapped to an hardcoded path
-    26: "Screenshot folder", # Name of the screenshot folder
-    27: "Screenshot crypt flag", # Enable encryption of screenshots
+    12: "Hide file",  # Enable super hiding the install directory and binary as well as setting them to read only
+    13: "Process injection flag",  # 	Enable running the malware injected in another process
+    14: "Mutex",  # String used as the malware mutex and registry key
+    15: "Keylogger mode",  # Set keylogging capability. Keylogging mode, 0 = disabled, 1 = keylogging everything, 2 = keylogging specific window(s)
+    16: "Keylogger parent directory",  # Parent directory of the keylogging folder. Integer mapped to an hardcoded path
+    17: "Keylogger filename",  # Filename of the keylogged data
+    18: "Keylog crypt",  # Enable encryption RC4 of the keylogger data file
+    19: "Hide keylog file",  # Enable super hiding of the keylogger data file
+    20: "Screenshot flag",  # Enable screen recording capability
+    21: "Screenshot time",  # The time interval in minute for capturing each screenshot
+    22: "Take Screenshot option",  # Enable screen recording for specific window names
+    23: "Take screenshot title",  # String containing window names separated by the ";" character
+    24: "Take screenshot time",  # s The time interval in second for capturing each screenshot when a specific window name is found in the current foreground window title
+    25: "Screenshot parent directory",  # Parent directory of the screenshot folder. Integer mapped to an hardcoded path
+    26: "Screenshot folder",  # Name of the screenshot folder
+    27: "Screenshot crypt flag",  # Enable encryption of screenshots
     28: "Mouse option",
     29: "Unknown29",
     30: "Delete file",
@@ -60,28 +60,28 @@ idx_list = {
     32: "Unknown32",
     33: "Unknown33",
     34: "Unknown34",
-    35: "Audio recording flag", # Enable audio recording capability
-    36: "Audio record time", # Duration in second of each audio recording
-    37: "Audio parent directory", # Parent directory of the audio recording folder. Integer mapped to an hardcoded path
-    38: "Audio folder", # Name of the audio recording folder
-    39: "Disable UAC flage", # Disable UAC in the registry
-    40: "Logging mode", # Set logging mode: 0 = disabled, 1 = minimized in tray, 2 = console logging
-    41: "Connect delay", # Delay in second before the first connection attempt to the C2
-    42: "Keylogger specific window names", # String containing window names separated by the ";” character
-    43: "Browser cleaning on startup flag", # Enable cleaning web browsers’ cookies and logins on REMCOS startup
-    44: "Browser cleaning only for the first run flag", # Enable web browsers cleaning only on the first run of Remcos
-    45: "Browser cleaning sleep time in minutes", # Sleep time in minute before cleaning the web browsers
-    46: "UAC bypass flag", # Enable UAC bypass capability
+    35: "Audio recording flag",  # Enable audio recording capability
+    36: "Audio record time",  # Duration in second of each audio recording
+    37: "Audio parent directory",  # Parent directory of the audio recording folder. Integer mapped to an hardcoded path
+    38: "Audio folder",  # Name of the audio recording folder
+    39: "Disable UAC flage",  # Disable UAC in the registry
+    40: "Logging mode",  # Set logging mode: 0 = disabled, 1 = minimized in tray, 2 = console logging
+    41: "Connect delay",  # Delay in second before the first connection attempt to the C2
+    42: "Keylogger specific window names",  # String containing window names separated by the ";"" character
+    43: "Browser cleaning on startup flag",  # Enable cleaning web browsers cookies and logins on REMCOS startup
+    44: "Browser cleaning only for the first run flag",  # Enable web browsers cleaning only on the first run of Remcos
+    45: "Browser cleaning sleep time in minutes",  # Sleep time in minute before cleaning the web browsers
+    46: "UAC bypass flag",  # Enable UAC bypass capability
     47: "Unkown47",
-    48: "Install directory", # Name of the install directory
-    49: "Keylogger root directory", # Name of the keylogger directory
-    50: "Watchdog flag", # Enable watchdog capability
+    48: "Install directory",  # Name of the install directory
+    49: "Keylogger root directory",  # Name of the keylogger directory
+    50: "Watchdog flag",  # Enable watchdog capability
     51: "Unknown51",
-    52: "License", # License serial
-    53: "Screenshot mouse drawing flag", # Enable drawing the mouse on each screenshot
-    54: "TLS raw certificate (base64)", # Certificate in raw format used with tls enabled C2 communication
-    55: "TLS key (base64)", # Key of the certificate
-    56: "TLS raw peer certificate (base64)", # C2 public certificate in raw format
+    52: "License",  # License serial
+    53: "Screenshot mouse drawing flag",  # Enable drawing the mouse on each screenshot
+    54: "TLS raw certificate (base64)",  # Certificate in raw format used with tls enabled C2 communication
+    55: "TLS key (base64)",  # Key of the certificate
+    56: "TLS raw peer certificate (base64)",  # C2 public certificate in raw format
     57: "TLS client private key (base64)",
     58: "TLS server certificate (base64)",
     59: "Unknown59",
@@ -107,7 +107,15 @@ setup_list = {
     8: "%ProgramData%",
 }
 
-utf_16_string_list = ["Keylogger specific window names", "Install filename", "Install directory", "Startup value", "Keylogger filename", "Take screenshot title", "Keylogger root directory"]
+utf_16_string_list = [
+    "Keylogger specific window names",
+    "Install filename",
+    "Install directory",
+    "Startup value",
+    "Keylogger filename",
+    "Take screenshot title",
+    "Keylogger root directory",
+]
 logger = logging.getLogger(__name__)
 
 
@@ -170,7 +178,7 @@ def extract_config(filebuf):
             key = blob[1 : keylen + 1]
             decrypted_data = ARC4.new(key).decrypt(blob[keylen + 1 :])
             p_data = OrderedDict()
-            p_data["Version"] = check_version(filebuf)
+            config["version"] = check_version(filebuf)
 
             configs = re.split(rb"\|\x1e\x1e\x1f\|", decrypted_data)
 
@@ -189,7 +197,7 @@ def extract_config(filebuf):
                     # various separators have been observed
                     separator = next((x for x in (b"|", b"\x1e", b"\xff\xff\xff\xff") if x in cont))
                     host, port, password = cont.split(separator, 1)[0].split(b":")
-                    p_data["Control"] = f"tcp://{host.decode()}:{port.decode()}"
+                    config["CNCs"] = [f"tcp://{host.decode()}:{port.decode()}"]
                     p_data["Password"] = password.decode()
                 else:
                     p_data[idx_list[i]] = cont
@@ -200,10 +208,10 @@ def extract_config(filebuf):
                 if isinstance(v, bytes):
                     with suppress(Exception):
                         v = v.decoed()
-                config[k] = v
+                config.setdefault("raw", {})[k] = v
 
     except Exception as e:
-        logger.error(f"Caught an exception: {e}")
+        logger.error("Caught an exception: %s", str(e))
 
     return config
 

cape_parsers/CAPE/core/Rhadamanthys.py

@@ -11,12 +11,15 @@ AUTHOR = "kevoreilly, YungBinary"
 def mask32(x):
     return x & 0xFFFFFFFF
 
+
 def add32(x, y):
     return mask32(x + y)
 
+
 def left_rotate(x, n):
     return mask32(x << n) | (x >> (32 - n))
 
+
 def quarter_round(block, a, b, c, d):
     block[a] = add32(block[a], block[b])
     block[d] ^= block[a]
@@ -31,6 +34,7 @@ def quarter_round(block, a, b, c, d):
     block[b] ^= block[c]
     block[b] = left_rotate(block[b], 7)
 
+
 def chacha20_permute(block):
     for doubleround in range(10):
         quarter_round(block, 0, 4, 8, 12)
@@ -42,6 +46,7 @@ def chacha20_permute(block):
         quarter_round(block, 2, 7, 8, 13)
         quarter_round(block, 3, 4, 9, 14)
 
+
 def words_from_bytes(b):
     assert len(b) % 4 == 0
     return [int.from_bytes(b[4 * i : 4 * i + 4], "little") for i in range(len(b) // 4)]
@@ -50,11 +55,12 @@ def words_from_bytes(b):
 def bytes_from_words(w):
     return b"".join(word.to_bytes(4, "little") for word in w)
 
+
 def chacha20_block(key, nonce, blocknum):
     # This implementation doesn't support 16-byte keys.
     assert len(key) == 32
     assert len(nonce) == 12
-    assert blocknum < 2 ** 32
+    assert blocknum < 2**32
     constant_words = words_from_bytes(b"expand 32-byte k")
     key_words = words_from_bytes(key)
     nonce_words = words_from_bytes(nonce)
@@ -72,6 +78,7 @@ def chacha20_block(key, nonce, blocknum):
         permuted_block[i] = add32(permuted_block[i], original_block[i])
     return bytes_from_words(permuted_block)
 
+
 def chacha20_stream(key, nonce, length, blocknum):
     output = bytearray()
     while length > 0:
@@ -82,8 +89,9 @@ def chacha20_stream(key, nonce, length, blocknum):
         blocknum += 1
     return output
 
+
 def decrypt_config(data):
-    decrypted_config = b"\x21\x52\x48\x59"
+    decrypted_config = b""
     data_len = len(data)
     v3 = 0
     while True:
@@ -98,6 +106,7 @@ def decrypt_config(data):
             v8 -= 1
             v3 += 1
 
+
 def chacha20_xor(custom_b64_decoded, key, nonce):
     message_len = len(custom_b64_decoded)
     key_stream = chacha20_stream(key, nonce, message_len, 0x80)
@@ -108,68 +117,199 @@ def chacha20_xor(custom_b64_decoded, key, nonce):
 
     return xor_key
 
-def extract_strings(data, minchars, maxchars):
-    apat = b"([\x20-\x7e]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
-    strings = [string.decode() for string in re.findall(apat, data)]
-    match = re.search(apat, data)
-    if not match:
-        return None
-    upat = b"((?:[\x20-\x7e][\x00]){" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00\x00"
-    strings.extend(str(ws.decode("utf-16le")) for ws in re.findall(upat, data))
+
+def extract_base64_strings(data, minchars, maxchars):
+    apat = b"([A-Za-z0-9-|]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
+    strings = [s.decode() for s in re.findall(apat, data)]
+    upat = b"((?:[A-Za-z0-9-|]\x00){" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00\x00"
+    strings.extend(ws.decode("utf-16le") for ws in re.findall(upat, data))
     return strings
 
+
 def extract_c2_url(data):
     pattern = b"(http[\x20-\x7e]+)\x00"
     match = re.search(pattern, data)
-    return match.group(1).decode()
+    if match:
+        return match.group(1).decode()
 
-def is_potential_custom_base64(string):
-    custom_alphabet = "ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
-    for c in string:
-        if c not in custom_alphabet:
-            return False
-    return True
 
-def custom_b64decode(data):
+def custom_b64decode(data: bytes, custom_alphabet: bytes):
     """Decodes base64 data using a custom alphabet."""
     standard_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
-    custom_alphabet = b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
     # Translate the data back to the standard alphabet before decoding
     table = bytes.maketrans(custom_alphabet, standard_alphabet)
     return base64.b64decode(data.translate(table), validate=True)
 
+
+def lzo_noheader_decompress(data: bytes, decompressed_size: int):
+    src = 0
+    dst = bytearray()
+    length = len(data)
+
+    while src < length:
+        ctrl = data[src]
+        src += 1
+
+        # Special short match
+        # Copies exactly 3 bytes from dst starting match_len + 1 bytes back.
+        if ctrl == 0x20:
+            match_len = data[src]
+            src += 1
+            start = len(dst) - match_len - 1
+            end = start + 3
+            #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(match_len)}, Current offset: {hex(len(dst))}, New offset: {hex(start)}")
+            dst.extend(dst[start:end])
+
+        elif ctrl >= 0xE0 or ctrl == 0x40:
+            # Compute base copy length from the upper bits of ctrl
+            base_len = ((ctrl >> 5) - 1) + 3
+
+            if ctrl >= 0xE0:
+                # Long copy: extra length byte follows
+                copy_len = base_len + data[src]
+                # Offset is byte after
+                start = data[src + 1]
+                src += 2
+            elif ctrl == 0x40:
+                # Short copy: offset byte after control code
+                copy_len = base_len
+                start = data[src]
+                src += 1
+
+            # Calculate offset in output buffer
+            offset = len(dst) - start - 1
+
+            #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(start)}, Current offset: {hex(len(dst))}, New offset: {hex(len(dst) - start)}, Length to copy: {hex(copy_len)}")
+
+            # Copy from previously decompressed data
+            dst.extend(dst[offset:offset + copy_len])
+
+        else:
+            # Literal run
+            literal_len = (ctrl & 0x1F) + 1
+            #print(f"Control code: {hex(ctrl)}, Literal length: {hex(literal_len)}")
+            dst.extend(data[src:src+literal_len])
+            src += literal_len
+
+        if len(dst) == decompressed_size:
+            return bytes(dst)
+
+
+def parse_compression_header(config: bytes):
+    """Parse compressed size, decompressed size, and data offset from config"""
+
+    # 0x2A when looking at the config in memory
+    base_offset = 0x26
+
+    # Compressed data offset field, for calculating the offset to the compressed buffer
+    comp_offset_field = config[base_offset]
+    # Number of bytes the field spans
+    comp_offset_size_len = (comp_offset_field & 3) + 1
+    for i in range(1, comp_offset_size_len):
+        comp_offset_field |= config[base_offset + i] << (8 * i)
+
+    comp_size_offset = comp_offset_field >> 2
+
+    # Compressed size field, for finding the size of the compressed buffer
+    comp_offset = base_offset + comp_offset_size_len
+    comp_size_field = config[comp_offset]
+    # Number of bytes the field spans
+    comp_size_len = (comp_size_field & 3) + 1
+    for i in range(1, comp_size_len):
+        comp_size_field |= config[comp_offset + i] << (8 * i)
+
+    # Decompressed size field
+    decomp_field_offset = base_offset + comp_offset_size_len + comp_size_len
+    decomp_size_field = config[decomp_field_offset]
+    # Number of bytes the field spans
+    decomp_field_len = (decomp_size_field & 3) + 1
+    for i in range(1, decomp_field_len):
+        decomp_size_field |= config[decomp_field_offset + i] << (8 * i)
+
+    # Calculate return values
+    decompressed_size = decomp_size_field >> 2
+    compressed_data_offset = decomp_field_offset + decomp_field_len + comp_size_offset
+    compressed_size_key = config[0x28] << 8
+    compressed_size = (compressed_size_key | comp_size_field) >> 2
+    compressed_data = config[compressed_data_offset : compressed_data_offset + compressed_size]
+
+    return {
+        "compressed_size": compressed_size,
+        "decompressed_size": decompressed_size,
+        "compressed_data": compressed_data
+    }
+
+
 def extract_config(data):
     config_dict = {}
     magic = struct.unpack("I", data[:4])[0]
     if magic == 0x59485221:
-        config_dict["C2"] = data[24:].split(b"\0", 1)[0].decode()
+        config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
         return config_dict
     else:
         key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
         nonce = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
 
-        extracted_strings = extract_strings(data, 0x100, 0x100)
+        custom_alphabets = [
+            b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|",
+            b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a", # 0.9.2
+            b"3Fijkbc|l4NOPQRSTUVWXY567DdewxEqrstuvyz-ABC1fghop2mnGHIJKLMZ089a", # 0.9.3
+        ]
+
+        # Extract base64 strings
+        extracted_strings = extract_base64_strings(data, 100, 256)
+        if not extracted_strings:
+            return config_dict
+
+        pattern = re.compile(b'.\x80')
         for string in extracted_strings:
             try:
-                if not is_potential_custom_base64(string):
-                    continue
+                custom_b64_decoded = custom_b64decode(string, custom_alphabets[0])
 
-                custom_b64_decoded = custom_b64decode(string)
                 xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
-                decrypted_config = decrypt_config(xor_key)
-                reexecution_delay = int.from_bytes(decrypted_config[5:7], byteorder='little')
-
-                c2_url = extract_c2_url(decrypted_config)
-                if not c2_url:
-                    continue
-                config_dict = {
-                    "Reexecution_delay": reexecution_delay,
-                    "C2": [c2_url]
-                }
-                return config_dict
+
+                # Decrypted, but may still be the compressed malware configuration
+                config = decrypt_config(xor_key)
+                # Attempt to extract C2 url, only works in version prior to 0.9.2
+                c2_url = extract_c2_url(config)
+                if c2_url:
+                    config_dict = {"CNCs": [c2_url]}
+                    return config_dict
+                else:
+                    # Handle new variants that compress the Command and Control server(s)
+                    custom_b64_decoded = custom_b64decode(string, custom_alphabets[2])
+                    xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
+                    config = decrypt_config(xor_key)
+
+                    parsed = parse_compression_header(config)
+                    if not parsed:
+                        return config_dict
+
+                    decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
+
+                    # Try old alphabet for 0.9.2
+                    if not decompressed:
+                        custom_b64_decoded = custom_b64decode(string, custom_alphabets[1])
+                        xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
+                        config = decrypt_config(xor_key)
+
+                        parsed = parse_compression_header(config)
+                        if not parsed:
+                            return config_dict
+
+                        decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
+
+
+                    cncs = [f"https://{chunk.decode()}" for chunk in pattern.split(decompressed) if chunk]
+                    if cncs:
+                        config_dict = {"CNCs": cncs}
+                        return config_dict
+
             except Exception:
                 continue
 
+        return config_dict
+
 
 if __name__ == "__main__":
     import sys
@@ -177,4 +317,3 @@ if __name__ == "__main__":
     with open(sys.argv[1], "rb") as f:
         config_json = json.dumps(extract_config(f.read()), indent=4)
         print(config_json)
-

cape_parsers/CAPE/core/SmokeLoader.py

@@ -37,7 +37,7 @@ def rc4_decrypt(key, ciphertext):
 
 
 def swap32(x):
-    return int.from_bytes(x.to_bytes(4, byteorder='little'), byteorder='big', signed=False)
+    return int.from_bytes(x.to_bytes(4, byteorder="little"), byteorder="big", signed=False)
 
 
 def decode(buffer):
@@ -104,7 +104,7 @@ def extract_config(filebuf):
             break
         c2list_offset += delta
     if c2list != []:
-        cfg["C2s"] = sorted(list(set(c2list)))
+        cfg["CNCs"] = sorted(list(set(c2list)))
     return cfg
 
 

cape_parsers/CAPE/core/Socks5Systemz.py

@@ -11,15 +11,15 @@ def _is_ip(ip):
 
 
 def extract_config(data):
-    config_dict = {"C2s": []}
+    config_dict = {}
     with suppress(Exception):
         if data[:2] == b"MZ":
             return
         for line in data.decode().split("\n"):
-            if _is_ip(line) and line not in config_dict["C2s"]:
-                config_dict["C2s"].append(line)
+            if _is_ip(line) and line not in config_dict.get("CNCs", []):
+                config_dict["CNCs"].append(line)
             elif line and "\\" in line:
                 config_dict.setdefault("Timestamp path", []).append(line)
-            elif "." in line and "=" not in line and line not in config_dict["C2s"]:
-                config_dict.setdefault("Dummy domain", []).append(line)
+            elif "." in line and "=" not in line and line not in config_dict["CNCs"]:
+                config_dict.setdefault("raw", {}).setdefault("Dummy domain", []).append(line)
         return config_dict

cape_parsers/CAPE/core/SquirrelWaffle.py

@@ -68,9 +68,9 @@ def extract_config(data):
                 try:
                     decrypted = xor_data(line, chunks[i + 1]).decode()
                     if "\r\n" in decrypted and "|" not in decrypted:
-                        config["IP Blocklist"] = list(filter(None, decrypted.split("\r\n")))
+                        config.setdefault("raw", {})["IP Blocklist"] = list(filter(None, decrypted.split("\r\n")))
                     elif "|" in decrypted and "." in decrypted and "\r\n" not in decrypted:
-                        config["URLs"] = list(filter(None, decrypted.split("|")))
+                        config["CNCs"] = list(filter(None, decrypted.split("|")))
                 except Exception:
                     continue
         matches = yara_rules.match(data=data)
@@ -84,5 +84,5 @@ def extract_config(data):
                     c2key_offset = item.instances[0].offset
                     key_rva = struct.unpack("i", data[c2key_offset + 28 : c2key_offset + 32])[0] - pe.OPTIONAL_HEADER.ImageBase
                     key_offset = pe.get_offset_from_rva(key_rva)
-                    config["C2 key"] = string_from_offset(data, key_offset).decode()
+                    config["cryptokey"] = string_from_offset(data, key_offset).decode()
                     return config

cape_parsers/CAPE/core/Strrat.py

@@ -72,6 +72,6 @@ def extract_config(data):
     configdata = unzip_config(data)
 
     if configdata:
-        raw_config["config"] = decode(configdata)
+        raw_config["raw"] = decode(configdata)
 
     return raw_config

cape_parsers/CAPE/core/WarzoneRAT.py

@@ -92,7 +92,8 @@ def extract_config(data):
         c2_host = dtxt[offset : offset + c2_size].decode("utf-16")
         offset += c2_size
         c2_port = struct.unpack("H", dtxt[offset : offset + 2])[0]
-        cfg["C2"] = f"{c2_host}:{c2_port}"
+        # ToDo missed schema
+        cfg["CNCs"] = [f"{c2_host}:{c2_port}"]
         offset += 2
         # unk1 = dtxt[offset : offset + 7]
         offset += 7
@@ -104,7 +105,7 @@ def extract_config(data):
         offset += 2
         runkey_size = struct.unpack("i", dtxt[offset : offset + 4])[0]
         offset += 4
-        cfg["Run Key Name"] = dtxt[offset : offset + runkey_size].decode("utf-16")
+        cfg.setdefault("raw", {})["Run Key Name"] = dtxt[offset : offset + runkey_size].decode("utf-16")
     except struct.error:
         # there is a lot of failed data validation muting it
         return