CAPE-parsers 0.1.42__tar.gz → 0.1.45__tar.gz

{cape_parsers-0.1.42 → cape_parsers-0.1.45}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.42
+Version: 0.1.45
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration
@@ -23,7 +23,7 @@ Requires-Dist: pefile
 Requires-Dist: pycryptodomex (>=3.20.0)
 Requires-Dist: rat-king-parser (>=4.1.0)
 Requires-Dist: ruff (>=0.7.2)
-Requires-Dist: unicorn (==2.1.1)
+Requires-Dist: unicorn (>=2.1.1)
 Requires-Dist: yara-python (>=4.5.1)
 Description-Content-Type: text/markdown
 

{cape_parsers-0.1.42 → cape_parsers-0.1.45}/cape_parsers/CAPE/community/Lumma.py

@@ -75,7 +75,6 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
 }"""
 
 
-
 def yara_scan_generator(raw_data, rule_source):
     yara_rules = yara.compile(source=rule_source)
     matches = yara_rules.match(data=raw_data)
@@ -198,10 +197,22 @@ def chacha20_block(key, nonce, blocknum):
     nonce_words = words_from_bytes(nonce)
 
     original_block = [
-        constant_words[0],  constant_words[1],  constant_words[2],  constant_words[3],
-        key_words[0],       key_words[1],       key_words[2],       key_words[3],
-        key_words[4],       key_words[5],       key_words[6],       key_words[7],
-        mask32(blocknum),   nonce_words[0],     nonce_words[1],     nonce_words[2],
+        constant_words[0],
+        constant_words[1],
+        constant_words[2],
+        constant_words[3],
+        key_words[0],
+        key_words[1],
+        key_words[2],
+        key_words[3],
+        key_words[4],
+        key_words[5],
+        key_words[6],
+        key_words[7],
+        mask32(blocknum),
+        nonce_words[0],
+        nonce_words[1],
+        nonce_words[2],
     ]
 
     permuted_block = list(original_block)
@@ -241,7 +252,7 @@ def extract_c2_domain(data):
 
 
 def find_encrypted_c2_blocks(data):
-    pattern = rb'(.{128})\x00'
+    pattern = rb"(.{128})\x00"
     for match in re.findall(pattern, data, re.DOTALL):
         yield match
 
@@ -251,9 +262,9 @@ def get_build_id(pe, data):
     image_base = pe.OPTIONAL_HEADER.ImageBase
     for offset in yara_scan_generator(data, RULE_SOURCE_BUILD_ID):
         try:
-            build_id_data_rva = struct.unpack('i', data[offset + 2 : offset + 6])[0]
+            build_id_data_rva = struct.unpack("i", data[offset + 2 : offset + 6])[0]
             build_id_dword_offset = pe.get_offset_from_rva(build_id_data_rva - image_base)
-            build_id_dword_rva = struct.unpack('i', data[build_id_dword_offset : build_id_dword_offset + 4])[0]
+            build_id_dword_rva = struct.unpack("i", data[build_id_dword_offset : build_id_dword_offset + 4])[0]
             build_id_offset = pe.get_offset_from_rva(build_id_dword_rva - image_base)
             build_id = pe.get_string_from_data(build_id_offset, data)
             if not contains_non_printable(build_id):
@@ -263,18 +274,20 @@ def get_build_id(pe, data):
             continue
     return build_id
 
+
 def get_build_id_new(data):
     build_id = ""
-    pattern = b'123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00'
+    pattern = b"123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00"
     offset = data.find(pattern)
     if offset != -1:
-        build_id = data[offset + len(pattern):].split(b'\x00', 1)[0]
+        build_id = data[offset + len(pattern) :].split(b"\x00", 1)[0]
         build_id = build_id.decode()
 
     return build_id
 
+
 def extract_config(data):
-    config_dict = {"C2": []}
+    config_dict = {}
 
     # try to load as a PE
     pe = None
@@ -287,37 +300,36 @@ def extract_config(data):
     key = None
     nonce = None
     for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_KEYS):
-        key_rva = struct.unpack('i', data[offset + 1 : offset + 5])[0]
+        key_rva = struct.unpack("i", data[offset + 1 : offset + 5])[0]
         key_offset = pe.get_offset_from_rva(key_rva - image_base)
         key = data[key_offset : key_offset + 32]
-        nonce_rva = struct.unpack('i', data[offset + 20 : offset + 24])[0]
+        nonce_rva = struct.unpack("i", data[offset + 20 : offset + 24])[0]
         nonce_offset = pe.get_offset_from_rva(nonce_rva - image_base)
-        nonce = b'\x00\x00\x00\x00' + data[nonce_offset : nonce_offset + 8]
+        nonce = b"\x00\x00\x00\x00" + data[nonce_offset : nonce_offset + 8]
 
     if key and nonce:
         for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2):
-            encrypted_strings_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
+            encrypted_strings_rva = struct.unpack("i", data[offset + 5 : offset + 9])[0]
             encrypted_strings_offset = pe.get_offset_from_rva(encrypted_strings_rva - image_base)
             step_size = 0x80
             counter = 2
             for i in range(12):
-                encrypted_string = data[encrypted_strings_offset:encrypted_strings_offset+40]
-                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b'\x00', 1)[0]
+                encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
+                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config_dict["C2"].append(decoded_c2.decode())
+                config_dict.setdefault("C2", []).append(decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
 
-        if config_dict["C2"]:
+        if config_dict.get("C2"):
             # If found C2 servers try to find build ID
             build_id = get_build_id_new(data)
             if build_id:
                 config_dict["Build ID"] = build_id
 
-
     # If no C2s try with the version after Jan 21, 2025
-    if not config_dict["C2"]:
+    if "C2" not in config_dict:
         offset = yara_scan(data, RULE_SOURCE_LUMMA)
         if offset:
             key = data[offset + 16 : offset + 48]
@@ -327,7 +339,7 @@ def extract_config(data):
                 try:
                     start_offset = offset + 56 + (i * 4)
                     end_offset = start_offset + 4
-                    c2_dword_rva = struct.unpack('i', data[start_offset : end_offset])[0]
+                    c2_dword_rva = struct.unpack("i", data[start_offset:end_offset])[0]
                     if pe:
                         c2_dword_offset = pe.get_offset_from_rva(c2_dword_rva - image_base)
                     else:
@@ -345,16 +357,14 @@ def extract_config(data):
                 except Exception:
                     continue
 
-        if config_dict["C2"] and pe is not None:
+        if "C2" in config_dict and config_dict["C2"] and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
                 config_dict["Build ID"] = build_id
 
-
     # If no C2s try with version prior to Jan 21, 2025
-    if not config_dict["C2"]:
-
+    if "C2" not in config_dict:
         try:
             if pe is not None:
                 rdata = get_rdata(pe, data)
@@ -374,20 +384,19 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
 
                     if not contains_non_printable(decoded_c2):
-                        config_dict["C2"].append(decoded_c2.decode())
+                        config_dict.setdefault("C2", []).append(decoded_c2.decode())
                 except Exception:
                     continue
 
         except Exception:
             return
 
-        if config_dict["C2"] and pe is not None:
+        if "C2" in config_dict and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
                 config_dict["Build ID"] = build_id
 
-
     return config_dict
 
 

{cape_parsers-0.1.42 → cape_parsers-0.1.45}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.42"
+version = "0.1.45"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"
@@ -23,7 +23,7 @@ maco = "1.1.8"
 yara-python = ">=4.5.1"
 dnfile = ">=0.15.1"
 dncil = ">=1.0.2"
-unicorn = "2.1.1"
+unicorn = ">=2.1.1"
 rat-king-parser = ">=4.1.0"
 
 ruff = ">=0.7.2"

cape_parsers-0.1.42/cape_parsers/CAPE/community/Amadey.py

@@ -1,43 +0,0 @@
-import base64
-import re
-
-str_hash_data = 'd6052c4fe86a6346964a6bbbe2423e20'
-str_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '
-
-def is_ascii(s):
-    return all(c < 128 or c == 0 for c in s)
-
-def decrypt(str_data, str_hash_data, str_alphabet):
-    str_hash = ''
-
-    for i in range(len(str_data)):
-        str_hash += str_hash_data[i % len(str_hash_data)]
-
-    out = ''
-
-    for i in range(len(str_data)):
-        if str_data[i] not in str_alphabet:
-            out += str_data[i]
-            continue
-        alphabet_count = str_alphabet.find(str_data[i])
-        hash_count = str_alphabet.find(str_hash[i])
-        index_calc = (alphabet_count + len(str_alphabet) - hash_count) % len(str_alphabet)
-        out += str_alphabet[index_calc]
-
-    return base64.b64decode(out)
-
-file_data = open('/tmp/amadey.bin','rb').read()
-
-strings = []
-for m in re.finditer(rb'[a-zA-Z =0-9]{4,}',file_data):
-    strings.append(m.group().decode('utf-8'))
-
-for s in strings:
-    try:
-        temp = decrypt(s, str_hash_data, str_alphabet)
-        if is_ascii(temp) and len(temp) > 3:
-            print(temp.decode('utf-8'))
-    except:
-        continue
-
-decrypt('1RydQIOr3Zcp6emn RYv8IGzgUKS6r5ThSdqDVBERAP2Ir 0JQ1=', str_hash_data, str_alphabet)