CAPE-parsers 0.1.42__py3-none-any.whl → 0.1.54__py3-none-any.whl

cape_parsers/CAPE/core/Zloader.py

@@ -76,8 +76,8 @@ def string_from_offset(data, offset):
 
 def parse_config(data):
     parsed = {}
-    parsed["Botnet Id"] = data[4:].split(b"\x00", 1)[0].decode("utf-8")
-    parsed["Campaign Id"] = data[25:].split(b"\x00", 1)[0].decode("utf-8")
+    parsed["botnet"] = data[4:].split(b"\x00", 1)[0].decode("utf-8")
+    parsed["campaign"] = data[25:].split(b"\x00", 1)[0].decode("utf-8")
     c2s = []
     c2_data = data[46:686]
     for i in range(10):
@@ -85,16 +85,17 @@ def parse_config(data):
         chunk = chunk.rstrip(b"\x00")
         if chunk:
             c2s.append(chunk.decode("utf-8"))
-    parsed["C2s"] = c2s
-    parsed["Public Key"] = data[704:].split(b"\x00", 1)[0]
+    parsed["CNCs"] = c2s
+    parsed["cryptokey"] = data[704:].split(b"\x00", 1)[0]
+    parsed["cryptokey_type"] = "RSA Public Key"
     dns_data = data[1004:].split(b"\x00", 1)[0]
     parsed["TLS SNI"] = dns_data.split(b"~")[0].decode("utf-8").rstrip()
     parsed["DNS C2"] = dns_data.split(b"~")[1].decode("utf-8").strip()
     dns_ips = []
-    dns_ips.append(socket.inet_ntoa(data[1204:1208].split(b"\x00",1)[0]))
+    dns_ips.append(socket.inet_ntoa(data[1204:1208].split(b"\x00", 1)[0]))
     dns_ip_data = data[1208:1248]
     for i in range(10):
-        chunk = dns_ip_data[i * 4:(i + 1) * 4]
+        chunk = dns_ip_data[i * 4 : (i + 1) * 4]
         chunk = chunk.rstrip(b"\x00")
         if chunk:
             dns_ips.append(socket.inet_ntoa(chunk))
@@ -103,6 +104,7 @@ def parse_config(data):
 
 
 def extract_config(filebuf):
+    config = {}
     end_config = {}
     pe = pefile.PE(data=filebuf, fast_load=False)
     image_base = pe.OPTIONAL_HEADER.ImageBase
@@ -167,14 +169,15 @@ def extract_config(filebuf):
         enc_data = filebuf[data_offset:].split(b"\0\0", 1)[0]
         raw = decrypt_rc4(key, enc_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
-        end_config["Botnet name"] = items[1].lstrip(b"\x00")
-        end_config["Campaign ID"] = items[2]
+        config["botnet"] = items[1].lstrip(b"\x00")
+        config["campaign"] = items[2]
         for item in items:
             item = item.lstrip(b"\x00")
             if item.startswith(b"http"):
-                end_config.setdefault("address", []).append(item)
+                config.setdefault("CNCs", []).append(item)
             elif len(item) == 16:
-                end_config["RC4 key"] = item
+                config["cryptokey"] = item
+                config["cryptokey_type"] = "RC4"
     elif conf_type == "2" and decrypt_key:
         conf_va = struct.unpack("I", filebuf[decrypt_conf + cva : decrypt_conf + cva + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + cva + 4)
@@ -186,14 +189,15 @@ def extract_config(filebuf):
         conf_data = filebuf[conf_offset : conf_offset + conf_size]
         raw = decrypt_rc4(key, conf_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
-        end_config["Botnet name"] = items[0].decode("utf-8")
-        end_config["Campaign ID"] = items[1].decode("utf-8")
+        config["botnet"] = items[0].decode("utf-8")
+        config["campaign"] = items[1].decode("utf-8")
         for item in items:
             item = item.lstrip(b"\x00")
             if item.startswith(b"http"):
-                end_config.setdefault("address", []).append(item.decode("utf-8"))
+                config.setdefault("CNCs", []).append(item.decode("utf-8"))
             elif b"PUBLIC KEY" in item:
-                end_config["Public key"] = item.decode("utf-8").replace("\n", "")
+                config["cryptokey"] = item.decode("utf-8").replace("\n", "")
+                config["cryptokey_type"] = "RSA Public key"
     elif conf_type == "3" and rc4_chunk1 and rc4_chunk2:
         conf_va = struct.unpack("I", filebuf[decrypt_conf : decrypt_conf + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + 4)
@@ -208,8 +212,10 @@ def extract_config(filebuf):
         conf = decrypt_rc4(decrypt_key, conf_data)
         end_config = parse_config(conf)
 
-    return end_config
+    if config and end_config:
+        config = config.update({"raw": end_config})
 
+    return config
 
 if __name__ == "__main__":
     import sys

cape_parsers/RATDecoders/test_rats.py

@@ -5,6 +5,7 @@ HAVE_MLW_CONFIGS = False
 with suppress(ImportError):
     # We do not install this by default as is outdated now, but if installed will be imported
     from malwareconfig.common import Decoder
+
     HAVE_MLW_CONFIGS = True
 
 

cape_parsers/__init__.py

@@ -12,10 +12,11 @@ from typing import Dict, Tuple
 PARSERS_ROOT = Path(__file__).absolute().parent
 log = logging.getLogger()
 
-def load_cape_parsers(load: str="all", exclude_parsers: list = []):
+
+def load_cape_parsers(load: str = "all", exclude_parsers: list = []):
     """
-        load: all, core, community
-        exclude_parsers: [names of parsers that will be ignored]
+    load: all, core, community
+    exclude_parsers: [names of parsers that will be ignored]
     """
     versions = {
         "cape": "core",
@@ -25,7 +26,9 @@ def load_cape_parsers(load: str="all", exclude_parsers: list = []):
     cape_parsers = {}
     CAPE_DECODERS = {
         "cape": [os.path.basename(decoder)[:-3] for decoder in glob.glob(os.path.join(PARSERS_ROOT, "CAPE", "core", "[!_]*.py"))],
-        "community": [os.path.basename(decoder)[:-3] for decoder in glob.glob(os.path.join(PARSERS_ROOT, "CAPE", "community", "[!_]*.py"))],
+        "community": [
+            os.path.basename(decoder)[:-3] for decoder in glob.glob(os.path.join(PARSERS_ROOT, "CAPE", "community", "[!_]*.py"))
+        ],
     }
 
     for version, names in CAPE_DECODERS.items():
@@ -54,6 +57,7 @@ def load_mwcp_parsers() -> Tuple[Dict[str, str], ModuleType]:
     with suppress(ImportError):
         # We do not install this by default
         import mwcp
+
         HAVE_MWCP = True
 
     if not HAVE_MWCP:
@@ -66,6 +70,7 @@ def load_mwcp_parsers() -> Tuple[Dict[str, str], ModuleType]:
         return {}, mwcp
     return _malware_parsers, mwcp
 
+
 def _malduck_load_decoders():
 
     malduck_modules = {}
@@ -80,6 +85,7 @@ def _malduck_load_decoders():
 
     return malduck_modules
 
+
 """
 def load_malduck_parsers():
     HAVE_MALDUCK = False
@@ -108,6 +114,7 @@ def load_malduck_parsers():
     return malduck_modules
 """
 
+
 def load_malwareconfig_parsers() -> Tuple[bool, dict, ModuleType]:
     try:
         from malwareconfig import fileparser
@@ -122,15 +129,17 @@ def load_malwareconfig_parsers() -> Tuple[bool, dict, ModuleType]:
     except ImportError:
         log.info("Missed RATDecoders -> poetry run pip install malwareconfig")
     except Exception as e:
-        log.error(e, exc_info=True)
+        log.exception(e)
     return False, False, False
 
+
 def load_ratdecoders_parsers():
     dec_modules = {}
     HAVE_MLW_CONFIGS = False
     with suppress(ImportError):
         # We do not install this by default as is outdated now, but if installed will be imported
         from malwareconfig.common import Decoder
+
         HAVE_MLW_CONFIGS = True
 
     if not HAVE_MLW_CONFIGS:

cape_parsers/deprecated/BlackNix.py

@@ -0,0 +1,59 @@
+import pefile
+
+
+def extract_raw_config(raw_data):
+    try:
+        pe = pefile.PE(data=raw_data)
+        rt_string_idx = [entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE["RT_RCDATA"])
+        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
+        for entry in rt_string_directory.directory.entries:
+            if str(entry.name) == "SETTINGS":
+                data_rva = entry.directory.entries[0].data.struct.OffsetToData
+                size = entry.directory.entries[0].data.struct.Size
+                data = pe.get_memory_mapped_image()[data_rva : data_rva + size]
+                return data.split("}")
+    except Exception:
+        return None
+
+
+def decode(line):
+    return "".join(chr(ord(char) - 1) for char in line)
+
+
+def domain_parse(config):
+    return [domain.split(":", 1)[0] for domain in config["Domains"].split(";")]
+
+
+def extract_config(data):
+    try:
+        config_raw = extract_raw_config(data)
+        if config_raw:
+            return {
+                "mutex": decode(config_raw[1])[::-1],
+                "raw": {
+                    "Anti Sandboxie": decode(config_raw[2])[::-1],
+                    "Max Folder Size": decode(config_raw[3])[::-1],
+                    "Delay Time": decode(config_raw[4])[::-1],
+                    "Password": decode(config_raw[5])[::-1],
+                    "Kernel Mode Unhooking": decode(config_raw[6])[::-1],
+                    "User More Unhooking": decode(config_raw[7])[::-1],
+                    "Melt Server": decode(config_raw[8])[::-1],
+                    "Offline Screen Capture": decode(config_raw[9])[::-1],
+                    "Offline Keylogger": decode(config_raw[10])[::-1],
+                    "Copy To ADS": decode(config_raw[11])[::-1],
+                    "Domain": decode(config_raw[12])[::-1],
+                    "Persistence Thread": decode(config_raw[13])[::-1],
+                    "Active X Key": decode(config_raw[14])[::-1],
+                    "Registry Key": decode(config_raw[15])[::-1],
+                    "Active X Run": decode(config_raw[16])[::-1],
+                    "Registry Run": decode(config_raw[17])[::-1],
+                    "Safe Mode Startup": decode(config_raw[18])[::-1],
+                    "Inject winlogon.exe": decode(config_raw[19])[::-1],
+                    "Install Name": decode(config_raw[20])[::-1],
+                    "Install Path": decode(config_raw[21])[::-1],
+                    "Campaign Name": decode(config_raw[22])[::-1],
+                    "Campaign Group": decode(config_raw[23])[::-1],
+                }
+            }
+    except Exception:
+        return None

cape_parsers/{CAPE/core → deprecated}/BuerLoader.py

@@ -35,5 +35,5 @@ def extract_config(filebuf):
         with suppress(Exception):
             dec = decrypt_string(item.lstrip(b"\x00").rstrip(b"\x00").decode())
         if "dll" not in dec and " " not in dec and ";" not in dec and "." in dec:
-            cfg.setdefault("address", []).append(dec)
+            cfg.setdefault("CNCs", []).append(dec)
         return cfg

cape_parsers/{CAPE/core → deprecated}/ChChes.py

@@ -55,7 +55,7 @@ def string_from_offset(data, offset):
 
 
 def extract_config(filebuf):
-    tmp_config = {}
+    config = {}
     yara_matches = yara_scan(filebuf)
 
     c2_offsets = []
@@ -70,6 +70,6 @@ def extract_config(filebuf):
     for c2_offset in c2_offsets:
         c2_url = string_from_offset(filebuf, c2_offset)
         if c2_url:
-            tmp_config.setdefault("c2_url", []).append(c2_url)
+            config.setdefault("CNCs", []).append(c2_url)
 
-    return tmp_config
+    return config

cape_parsers/{CAPE/core → deprecated}/Enfal.py

@@ -64,7 +64,7 @@ def extract_config(filebuf):
 
         c2_address = string_from_offset(filebuf, yara_offset + 0x2E8)
         if c2_address:
-            return_conf["c2_address"] = c2_address
+            return_conf["CNCs"] = c2_address
 
         c2_url = string_from_offset(filebuf, yara_offset + 0xE8)
         if c2_url:

cape_parsers/{CAPE/core → deprecated}/EvilGrab.py

@@ -16,9 +16,7 @@ DESCRIPTION = "EvilGrab configuration parser."
 AUTHOR = "kevoreilly"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -88,21 +86,22 @@ def extract_config(filebuf):
 
         yara_offset = int(yara_matches[key])
 
+        # ToDo missed schema
         c2_address = string_from_va(pe, yara_offset + values[0])
         if c2_address:
-            end_config["c2_address"] = c2_address
+            end_config["CNCs"] = c2_address
         port = str(struct.unpack("h", filebuf[yara_offset + values[1] : yara_offset + values[1] + 2])[0])
         if port:
-            end_config["port"] = [port, "tcp"]
+            end_config.setdefault("raw", {})["port"] = [port, "tcp"]
         missionid = string_from_va(pe, yara_offset + values[3])
         if missionid:
-            end_config["missionid"] = missionid
+            end_config.setdefault("raw", {})["missionid"] = missionid
         version = string_from_va(pe, yara_offset + values[4])
         if version:
             end_config["version"] = version
         injectionprocess = string_from_va(pe, yara_offset + values[5])
         if injectionprocess:
-            end_config["injectionprocess"] = injectionprocess
+            end_config.setdefault("raw", {})["injectionprocess"] = injectionprocess
         if key != "$configure3":
             mutex = string_from_va(pe, yara_offset - values[6])
             if mutex:

cape_parsers/{CAPE/community → deprecated}/Greame.py

@@ -87,4 +87,6 @@ def parse_config(raw_config):
 def extract_config(data):
     raw_config = get_config(data)
     if raw_config:
-        return parse_config(raw_config)
+        config =  parse_config(raw_config)
+        if config:
+            return {"raw": config}

cape_parsers/{CAPE/core → deprecated}/HttpBrowser.py

@@ -17,9 +17,7 @@ AUTHOR = "kevoreilly"
 
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -91,6 +89,7 @@ def extract_config(filebuf):
     # image_base = pe.OPTIONAL_HEADER.ImageBase
 
     yara_matches = yara_scan(filebuf)
+    config = {}
     tmp_config = {}
     for key, values in match_map.keys():
         if yara_matches.get(key):
@@ -103,23 +102,23 @@ def extract_config(filebuf):
 
                 c2_address = unicode_from_va(pe, yara_offset + values[1])
                 if c2_address:
-                    tmp_config.setdefault("c2_address", []).append(c2_address)
+                    config.setdefault("CNCs", []).append(c2_address)
 
                 if key == "$connect_3":
                     c2_address = unicode_from_va(pe, yara_offset + values[2])
                     if c2_address:
-                        tmp_config.setdefault("c2_address", []).append(c2_address)
+                        config.setdefault("CNCs", []).append(c2_address)
             else:
                 c2_address = unicode_from_va(pe, yara_offset + values[0])
                 if c2_address:
-                    tmp_config["c2_address"] = c2_address
+                    config["CNCs"] = [c2_address]
 
                 filepath = unicode_from_va(pe, yara_offset + values[1])
                 if filepath:
-                    tmp_config["filepath"] = filepath
+                    config["filepath"] = filepath
 
                 injectionprocess = unicode_from_va(pe, yara_offset - values[2])
                 if injectionprocess:
-                    tmp_config["injectionprocess"] = injectionprocess
+                    config["injectionprocess"] = injectionprocess
 
-    return tmp_config
+    return {"raw": tmp_config}.update(config)

cape_parsers/{CAPE/community → deprecated}/Pandora.py

@@ -74,4 +74,6 @@ def extract_config(data):
             clean_config = version_21(raw_config)
         elif len(raw_config) == 20:
             clean_config = version_22(raw_config)
+        if clean_config:
+            clean_config = {"raw": clean_config}
         return clean_config

cape_parsers/{CAPE/community → deprecated}/Punisher.py

@@ -32,4 +32,5 @@ def extract_config(data):
         config_dict["Install Path"] = "TEMP"
     if config_parts[19] == "True":
         config_dict["Install Path"] = "Documents"
-    return config_dict
+    if config_dict:
+        return {"raw": config_dict}

cape_parsers/{CAPE/core → deprecated}/RCSession.py

@@ -16,9 +16,7 @@ DESCRIPTION = "RCSession configuration parser."
 AUTHOR = "kevoreilly"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -99,24 +97,24 @@ def extract_config(filebuf):
 
     c2_address = str(tmp_config[156 : 156 + MAX_IP_STRING_SIZE])
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     c2_address = str(tmp_config[224 : 224 + MAX_IP_STRING_SIZE])
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     installdir = unicode_string_from_offset(bytes(tmp_config), 0x2A8, 128)
     if installdir:
-        end_config["directory"] = installdir
+        end_config.setdefault("raw", {})["directory"] = installdir
     executable = unicode_string_from_offset(tmp_config, 0x4B0, 128)
     if executable:
-        end_config["filename"] = executable
+        end_config.setdefault("raw", {})["filename"] = executable
     servicename = unicode_string_from_offset(tmp_config, 0x530, 128)
     if servicename:
-        end_config["servicename"] = servicename
+        end_config.setdefault("raw", {})["servicename"] = servicename
     displayname = unicode_string_from_offset(tmp_config, 0x738, 128)
     if displayname:
-        end_config["servicedisplayname"] = displayname
+        end_config.setdefault("raw", {})["servicedisplayname"] = displayname
     description = unicode_string_from_offset(tmp_config, 0x940, 512)
     if description:
-        end_config["servicedescription"] = description
+        end_config.setdefault("raw", {})["servicedescription"] = description
 
     return end_config

cape_parsers/{CAPE/community → deprecated}/REvil.py

@@ -47,7 +47,7 @@ def decodeREvilConfig(config_key, config_data):
     ECX = EAX = ESI = 0
 
     for char in init255:
-        ESI = ((char & 0xFF) + (ord(key[EAX % len(key)]) + ESI)) & 0xFF
+        ESI = ((char & 0xFF) + (key[EAX % len(key)] + ESI)) & 0xFF
         init255[EAX] = init255[ESI] & 0xFF
         EAX += 1
         init255[ESI] = char & 0xFF
@@ -61,7 +61,7 @@ def decodeREvilConfig(config_key, config_data):
         ESI = (ESI + DL) & 0xFF
         init255[ECX] = init255[ESI]
         init255[ESI] = DL
-        decoded_config.append((init255[((init255[ECX] + DL) & 0xFF)]) ^ ord(char))
+        decoded_config.append((init255[((init255[ECX] + DL) & 0xFF)]) ^ char)
         EAX = LOCAL1
 
     return json.loads("".join(map(chr, decoded_config)))
@@ -74,12 +74,17 @@ def extract_config(data):
 
     if len(pe.sections) == 5:
         section_names = getSectionNames(pe.sections)
-        required_sections = (".text", ".rdata", ".data", ".reloc")
+        required_sections = (b".text", b".rdata", b".data", b".reloc")
 
-        # print section_names
         if all(sections in section_names for sections in required_sections):
             # print("all required section names found")
-            config_section_name = [resource for resource in section_names if resource not in required_sections][0]
+            section_names_set = set(section_names)
+            required_sections_set = set(required_sections)
+            config_section_names = section_names_set - required_sections_set
+            if len(config_section_names) == 1:
+                config_section_name = config_section_names.pop()
+            else:
+                return None # Or raise an exception, depending on desired behavior
             config_key, config_data = getREvilKeyAndConfig(pe.sections, config_section_name)
             if config_key and config_data:
                 return decodeREvilConfig(config_key, config_data)

cape_parsers/{CAPE/core → deprecated}/RedLeaf.py

@@ -16,9 +16,7 @@ DESCRIPTION = "RedLeaf configuration parser."
 AUTHOR = "kevoreilly"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -90,21 +88,21 @@ def extract_config(filebuf):
     end_config = {}
     c2_address = tmp_config[8 : 8 + MAX_IP_STRING_SIZE]
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     c2_address = tmp_config[0x48 : 0x48 + MAX_IP_STRING_SIZE]
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     c2_address = tmp_config[0x88 : 0x88 + MAX_IP_STRING_SIZE]
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     missionid = string_from_offset(tmp_config, 0x1EC)
     if missionid:
-        end_config["missionid"] = missionid
+        end_config.setdefault("raw", {})["missionid"] = missionid
     mutex = unicode_string_from_offset(tmp_config, 0x508)
     if mutex:
         end_config["mutex"] = mutex
     key = string_from_offset(tmp_config, 0x832)
     if key:
-        end_config["key"] = key
+        end_config["cryptokey"] = key
 
     return end_config

cape_parsers/{CAPE/community → deprecated}/Retefe.py

@@ -7,9 +7,7 @@ DESCRIPTION = "Retefe configuration parser."
 AUTHOR = "Tomasuh"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """

cape_parsers/{CAPE/community → deprecated}/Rozena.py

@@ -9,8 +9,5 @@ def extract_config(data: bytes):
     if matches:
         ip = "".join(".".join(f"{c}" for c in matches[0][0]))
         port = int.from_bytes(matches[0][1], byteorder="big")
-
-        config_dict["C2"] = ip
-        config_dict["Port"] = port
-
-    return config_dict
+        config_dict["CNCs"] = f"{ip}:{port}"
+    return {}

cape_parsers/{CAPE/community → deprecated}/SmallNet.py

@@ -96,8 +96,12 @@ def ver_5(data):
 
 
 def extract_config(data):
+    config = {}
     if "!!<3SAFIA<3!!" in data:
-        return ver_52(data)
+        config = ver_52(data)
 
     elif "!!ElMattadorDz!!" in data:
-        return ver_5(data)
+        config = ver_5(data)
+
+    if config:
+        return {"raw": config}

{cape_parsers-0.1.42.dist-info → cape_parsers-0.1.54.dist-info}/METADATA

@@ -1,8 +1,9 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.42
+Version: 0.1.54
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
+License-File: LICENSE
 Keywords: cape,parsers,malware,configuration
 Author: Kevin O'Reilly
 Author-email: kev@capesandbox.com
@@ -13,6 +14,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Provides-Extra: maco
 Requires-Dist: capstone (>=4.0.2)
 Requires-Dist: dncil (>=1.0.2)
@@ -23,7 +25,7 @@ Requires-Dist: pefile
 Requires-Dist: pycryptodomex (>=3.20.0)
 Requires-Dist: rat-king-parser (>=4.1.0)
 Requires-Dist: ruff (>=0.7.2)
-Requires-Dist: unicorn (==2.1.1)
+Requires-Dist: unicorn (>=2.1.1)
 Requires-Dist: yara-python (>=4.5.1)
 Description-Content-Type: text/markdown
 
@@ -32,3 +34,22 @@ CAPE core and community parsers
 
 [![PyPI version](https://img.shields.io/pypi/v/CAPE-parsers)](https://pypi.org/project/CAPE-parsers/)
 
+### Configs structure
+```
+CNCs: []
+campaign: str
+botnet: str
+dga_seed: hex str
+version: str
+mutex: str
+user_agent: str
+build: str
+cryptokey: str
+cryptokey_type: str (algorithm). Ex: RC4, RSA public key. salsa20, (x)chacha20
+raw: {any other data goes here}
+```
+* All CNC entries should be in URL format. aka `<schema>://<hostname>:<port>/<uri>`
+    * Schema examples: `tcp://`, `ftp://`, `udp://`, `http(s)`, etc.
+    * Old CAPE configs still have lack of this structures as most of them are dead families.
+    * This CNC simplification make it easier to parse with tools like `tldextract` or `urlparse`
+