PyPI - CAPE-parsers - Versions diffs - 0.1.44__py3-none-any.whl → 0.1.46__py3-none-any.whl - Mend

CAPE-parsers 0.1.44py3-none-any.whl → 0.1.46py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

cape_parsers/CAPE/community/AgentTesla.py +18 -9
cape_parsers/CAPE/community/Arkei.py +13 -15
cape_parsers/CAPE/community/AsyncRAT.py +4 -2
cape_parsers/CAPE/community/AuroraStealer.py +9 -6
cape_parsers/CAPE/community/Carbanak.py +7 -7
cape_parsers/CAPE/community/CobaltStrikeBeacon.py +2 -1
cape_parsers/CAPE/community/CobaltStrikeStager.py +4 -1
cape_parsers/CAPE/community/DCRat.py +4 -2
cape_parsers/CAPE/community/Fareit.py +8 -9
cape_parsers/CAPE/community/KoiLoader.py +3 -3
cape_parsers/CAPE/community/LokiBot.py +1 -1
cape_parsers/CAPE/community/Lumma.py +49 -36
cape_parsers/CAPE/community/NanoCore.py +9 -9
cape_parsers/CAPE/community/Nighthawk.py +1 -0
cape_parsers/CAPE/community/Njrat.py +4 -4
cape_parsers/CAPE/community/PhemedroneStealer.py +2 -0
cape_parsers/CAPE/community/Snake.py +29 -16
cape_parsers/CAPE/community/SparkRAT.py +3 -1
cape_parsers/CAPE/community/Stealc.py +86 -64
cape_parsers/CAPE/community/VenomRAT.py +4 -2
cape_parsers/CAPE/community/XWorm.py +4 -2
cape_parsers/CAPE/community/XenoRAT.py +4 -2
cape_parsers/CAPE/community/monsterv2.py +96 -0
cape_parsers/CAPE/core/AdaptixBeacon.py +7 -5
cape_parsers/CAPE/core/Azorult.py +5 -3
cape_parsers/CAPE/core/BitPaymer.py +5 -2
cape_parsers/CAPE/core/BlackDropper.py +10 -5
cape_parsers/CAPE/core/Blister.py +12 -10
cape_parsers/CAPE/core/BruteRatel.py +20 -7
cape_parsers/CAPE/core/BumbleBee.py +29 -17
cape_parsers/CAPE/core/DarkGate.py +3 -3
cape_parsers/CAPE/core/DoppelPaymer.py +4 -2
cape_parsers/CAPE/core/DridexLoader.py +4 -3
cape_parsers/CAPE/core/Formbook.py +2 -2
cape_parsers/CAPE/core/GuLoader.py +2 -5
cape_parsers/CAPE/core/IcedID.py +5 -5
cape_parsers/CAPE/core/IcedIDLoader.py +4 -4
cape_parsers/CAPE/core/Latrodectus.py +10 -7
cape_parsers/CAPE/core/Oyster.py +8 -6
cape_parsers/CAPE/core/PikaBot.py +6 -6
cape_parsers/CAPE/core/PlugX.py +3 -1
cape_parsers/CAPE/core/QakBot.py +2 -1
cape_parsers/CAPE/core/Quickbind.py +7 -11
cape_parsers/CAPE/core/RedLine.py +2 -2
cape_parsers/CAPE/core/Remcos.py +58 -50
cape_parsers/CAPE/core/Rhadamanthys.py +18 -8
cape_parsers/CAPE/core/SmokeLoader.py +2 -2
cape_parsers/CAPE/core/Socks5Systemz.py +5 -5
cape_parsers/CAPE/core/SquirrelWaffle.py +3 -3
cape_parsers/CAPE/core/Strrat.py +1 -1
cape_parsers/CAPE/core/WarzoneRAT.py +3 -2
cape_parsers/CAPE/core/Zloader.py +21 -15
cape_parsers/RATDecoders/test_rats.py +1 -0
cape_parsers/__init__.py +13 -4
cape_parsers/deprecated/BlackNix.py +59 -0
cape_parsers/{CAPE/core → deprecated}/BuerLoader.py +1 -1
cape_parsers/{CAPE/core → deprecated}/ChChes.py +3 -3
cape_parsers/{CAPE/core → deprecated}/Enfal.py +1 -1
cape_parsers/{CAPE/core → deprecated}/EvilGrab.py +5 -6
cape_parsers/{CAPE/community → deprecated}/Greame.py +3 -1
cape_parsers/{CAPE/core → deprecated}/HttpBrowser.py +7 -8
cape_parsers/{CAPE/community → deprecated}/Pandora.py +2 -0
cape_parsers/{CAPE/community → deprecated}/Punisher.py +2 -1
cape_parsers/{CAPE/core → deprecated}/RCSession.py +7 -9
cape_parsers/{CAPE/community → deprecated}/REvil.py +10 -5
cape_parsers/{CAPE/core → deprecated}/RedLeaf.py +5 -7
cape_parsers/{CAPE/community → deprecated}/Retefe.py +0 -2
cape_parsers/{CAPE/community → deprecated}/Rozena.py +2 -5
cape_parsers/{CAPE/community → deprecated}/SmallNet.py +6 -2
{cape_parsers-0.1.44.dist-info → cape_parsers-0.1.46.dist-info}/METADATA +20 -1
cape_parsers-0.1.46.dist-info/RECORD +112 -0
cape_parsers/CAPE/community/BlackNix.py +0 -57
cape_parsers/CAPE/core/Stealc.py +0 -21
cape_parsers-0.1.44.dist-info/RECORD +0 -112
/cape_parsers/{CAPE/community → deprecated}/BackOffLoader.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/BackOffPOS.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/Emotet.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/PoisonIvy.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TSCookie.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TrickBot.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/UrsnifV3.py +0 -0
{cape_parsers-0.1.44.dist-info → cape_parsers-0.1.46.dist-info}/LICENSE +0 -0
{cape_parsers-0.1.44.dist-info → cape_parsers-0.1.46.dist-info}/WHEEL +0 -0

cape_parsers/CAPE/community/Snake.py CHANGED Viewed

@@ -38,7 +38,7 @@ def handle_plain(dotnet_file, c2_type, user_strings):
     if c2_type == "Telegram":
         token = dotnet_file.net.user_strings.get(user_strings_list[15]).value.__str__()
         chat_id = dotnet_file.net.user_strings.get(user_strings_list[16]).value.__str__()
-        return {"Type": "Telegram", "C2": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+        return {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
     elif c2_type == "SMTP":
         smtp_from = dotnet_file.net.user_strings.get(user_strings_list[7]).value.__str__()
         smtp_password = dotnet_file.net.user_strings.get(user_strings_list[8]).value.__str__()
@@ -46,18 +46,26 @@ def handle_plain(dotnet_file, c2_type, user_strings):
         smtp_to = dotnet_file.net.user_strings.get(user_strings_list[10]).value.__str__()
         smtp_port = dotnet_file.net.user_strings.get(user_strings_list[11]).value.__str__()
         return {
-            "Type": "SMTP",
-            "Host": smtp_host,
-            "Port": smtp_port,
-            "From Address": smtp_from,
-            "To Address": smtp_to,
-            "Password": smtp_password,
+            "raw": {
+                "Type": "SMTP",
+                "Host": smtp_host,
+                "Port": smtp_port,
+                "From Address": smtp_from,
+                "To Address": smtp_to,
+                "Password": smtp_password,
+            },
+            "CNCs": [f"smtp://{smtp_host}:{smtp_port}"]
         }
     elif c2_type == "FTP":
         ftp_username = dotnet_file.net.user_strings.get(user_strings_list[12]).value.__str__()
         ftp_password = dotnet_file.net.user_strings.get(user_strings_list[13]).value.__str__()
         ftp_host = dotnet_file.net.user_strings.get(user_strings_list[14]).value.__str__()
-        return {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password}
+        return {
+            "raw": {
+                "Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password},
+            "CNCs": [f"ftp://{ftp_username}:{ftp_password}@{ftp_host}"]
+        }
 def handle_encrypted(dotnet_file, data, c2_type, user_strings):
@@ -98,20 +106,25 @@ def handle_encrypted(dotnet_file, data, c2_type, user_strings):
     if decrypted_strings:
         if c2_type == "Telegram":
             token, chat_id = decrypted_strings
-            config_dict = {"Type": "Telegram", "C2": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
         elif c2_type == "SMTP":
             smtp_from, smtp_password, smtp_host, smtp_to, smtp_port = decrypted_strings
             config_dict = {
-                "Type": "SMTP",
-                "Host": smtp_host,
-                "Port": smtp_port,
-                "From Address": smtp_from,
-                "To Address": smtp_to,
-                "Password": smtp_password,
+                "raw": {
+                    "Type": "SMTP",
+                    "Host": smtp_host,
+                    "Port": smtp_port,
+                    "From Address": smtp_from,
+                    "To Address": smtp_to,
+                    "Password": smtp_password,
+                }
             }
         elif c2_type == "FTP":
             ftp_username, ftp_password, ftp_host = decrypted_strings
-            config_dict = {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password}
+            config_dict = {
+                "raw": {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password},
+                "CNCs": [f"ftp://{ftp_username}:{ftp_password}@{ftp_host}"]
+            }
     return config_dict

cape_parsers/CAPE/community/SparkRAT.py CHANGED Viewed

@@ -59,7 +59,9 @@ def extract_config(data):
             key = f.read(16)
             iv = f.read(16)
             enc_data = f.read(data_len - 32)
-        return decrypt_config(enc_data, key, iv)
+            config = decrypt_config(enc_data, key, iv)
+            if config:
+                return {"raw": config}
     except Exception as e:
         log.error("Configuration decryption failed: %s", e)
         return {}

cape_parsers/CAPE/community/Stealc.py CHANGED Viewed

@@ -1,31 +1,35 @@
 import struct
 import pefile
 import yara
+from contextlib import suppress
-# Hash = 619751f5ed0a9716318092998f2e4561f27f7f429fe6103406ecf16e33837470
+# V1 hash = 619751f5ed0a9716318092998f2e4561f27f7f429fe6103406ecf16e33837470
+# V2 hash = 2f42dcf05dd87e6352491ff9d4ea3dc3f854df53d548a8da0c323be42df797b6 (32-bit payload)
+# V2 hash = 8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387 (64-bit payload)
-RULE_SOURCE = """rule StealC
+RULE_SOURCE = """
+rule StealC
 {
     meta:
         author = "Yung Binary"
     strings:
-        $decode_1 = {
-            6A ??
-            68 ?? ?? ?? ??
-            68 ?? ?? ?? ??
-            E8 ?? ?? ?? ??
-        }
-        $decode_2 = {
-            6A ??
-            68 ?? ?? ?? ??
-            68 ?? ?? ?? ??
-            [0-5]
-            E8 ?? ?? ?? ??
-        }
+        $decode_1 = {6A ?? 68 [4] 68 [4] E8}
+        $decode_2 = {6A ?? 68 [4] 68 [4] [0-5] E8}
     condition:
         any of them
-}"""
+}
+rule StealcV2
+{
+    meta:
+        author = "kevoreilly"
+    strings:
+        $botnet32 = {AB AB AB AB 89 4B ?? C7 43 ?? 0F 00 00 00 88 0B A0 [4] EB 12 3C 20 74 0B 0F B6 06 8B CB 50 E8}
+        $botnet64 = {0F 11 01 48 C7 41 ?? 00 00 00 00 48 8B D9 48 C7 41 ?? 0F 00 00 00 C6 01 00 8A 05 [4] EB ?? 3C 20 74 ?? 48 8B 4B ?? 44 8A 0F}
+    condition:
+        any of them
+}
+"""
 def yara_scan(raw_data):
@@ -45,78 +49,96 @@ def xor_data(data, key):
     return decoded
-def extract_config(data):
-    config_dict = {}
+def extract_ascii_string(data: bytes, offset: int, max_length=4096) -> str:
+    if offset >= len(data):
+        raise ValueError("Offset beyond data bounds")
+    end = data.find(b'\x00', offset, offset + max_length)
+    if end == -1:
+        end = offset + max_length
+    return data[offset:end].decode('ascii', errors='replace')
-    # Attempt to extract via old method
-    try:
-        domain = ""
-        uri = ""
+def parse_text(data):
+    global domain, uri
+    with suppress(Exception):
         lines = data.decode().split("\n")
+        if not lines:
+            return
         for line in lines:
             if line.startswith("http") and "://" in line:
                 domain = line
             if line.startswith("/") and line[-4] == ".":
                 uri = line
-        if domain and uri:
-            config_dict.setdefault("C2", []).append(f"{domain}{uri}")
-            return config_dict
-    except Exception:
-        pass
-    # Try with new method
-    #config_dict["Strings"] = []
-    pe = pefile.PE(data=data, fast_load=True)
-    image_base = pe.OPTIONAL_HEADER.ImageBase
-    domain = ""
-    uri = ""
-    botnet_id = ""
+def parse_pe(data):
+    global domain, uri, botnet_id
+    pe = None
+    image_base = 0
     last_str = ""
+    with suppress(Exception):
+        pe = pefile.PE(data=data, fast_load=True)
+        if not pe:
+            return
+        image_base = pe.OPTIONAL_HEADER.ImageBase
+        if not image_base:
+            return
     for match in yara_scan(data):
         try:
             rule_str_name, str_decode_offset = match
+            if rule_str_name.startswith("$botnet"):
+                botnet_var = struct.unpack("I", data[str_decode_offset - 4 : str_decode_offset])[0]
+                if hasattr(pe, 'OPTIONAL_HEADER'):
+                    magic = pe.OPTIONAL_HEADER.Magic
+                    if magic == 0x10b: # 32-bit
+                        botnet_offset = pe.get_offset_from_rva(botnet_var - image_base)
+                    elif magic == 0x20b: # 64-bit
+                        botnet_offset = pe.get_offset_from_rva(pe.get_rva_from_offset(str_decode_offset) + botnet_var)
+                    if botnet_offset:
+                        botnet_id = extract_ascii_string(data, botnet_offset)
             str_size = int(data[str_decode_offset + 1])
             # Ignore size 0 strings
             if not str_size:
                 continue
             if rule_str_name.startswith("$decode"):
                 key_rva = data[str_decode_offset + 3 : str_decode_offset + 7]
                 encoded_str_rva = data[str_decode_offset + 8 : str_decode_offset + 12]
-                #dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
-            key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
-            encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
-            #dword_offset = struct.unpack("i", dword_rva)[0]
-            #dword_name = f"dword_{hex(dword_offset)[2:]}"
-            key = data[key_offset : key_offset + str_size]
-            encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
-            decoded_str = xor_data(encoded_str, key).decode()
-            #config_dict["Strings"].append({dword_name : decoded_str})
-            if last_str in ("http://", "https://"):
-                domain += decoded_str
-            elif decoded_str in ("http://", "https://"):
-                domain = decoded_str
-            elif "http" in decoded_str and "://" in decoded_str:
-                domain = decoded_str
-            elif uri == "" and decoded_str.startswith("/") and decoded_str[-4] == ".":
-                uri = decoded_str
-            elif last_str[0] == '/' and last_str[-1] == '/':
-                botnet_id = decoded_str
-            last_str = decoded_str
+                key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
+                encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
+                key = data[key_offset : key_offset + str_size]
+                encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
+                decoded_str = xor_data(encoded_str, key).decode()
+                if last_str in ("http://", "https://"):
+                    domain += decoded_str
+                elif decoded_str in ("http://", "https://"):
+                    domain = decoded_str
+                elif "http" in decoded_str and "://" in decoded_str:
+                    domain = decoded_str
+                elif uri is None and decoded_str.startswith("/") and decoded_str[-4] == ".":
+                    uri = decoded_str
+                elif last_str[0] == "/" and last_str[-1] == "/":
+                    botnet_id = decoded_str
+                last_str = decoded_str
         except Exception:
             continue
+    return
+def extract_config(data):
+    global domain, uri, botnet_id
+    domain = uri = botnet_id = None
+    config_dict = {}
+    if data[:2] == b'MZ':
+        parse_pe(data)
+    else:
+        parse_text(data)
     if domain and uri:
-        config_dict.setdefault("C2", []).append(f"{domain}{uri}")
+        config_dict.setdefault("CNCs", []).append(f"{domain}{uri}")
     if botnet_id:
-        config_dict.setdefault("Botnet ID", botnet_id)
+        config_dict.setdefault("botnet", botnet_id)
     return config_dict

cape_parsers/CAPE/community/VenomRAT.py CHANGED Viewed

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
     return config
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/XWorm.py CHANGED Viewed

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
     return config
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/XenoRAT.py CHANGED Viewed

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
     return config
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/monsterv2.py ADDED Viewed

@@ -0,0 +1,96 @@
+import hashlib
+from Crypto.Cipher import ChaCha20_Poly1305
+from contextlib import suppress
+import zlib
+import struct
+import json
+import yara
+import pefile
+RULE_SOURCE = """rule MonsterV2Config
+{
+    meta:
+        author = "doomedraven,YungBinary"
+    strings:
+        $chunk_1 = {
+            41 B8 0E 04 00 00
+            48 8D 15 ?? ?? ?? 00
+            48 8B CB
+            E8 ?? ?? ?? ??
+            48 8D 83 0E 04 00 00
+            48 89 44 24 30
+            48 89 6C 24 70
+            4C 8B C7
+            48 8D 54 24 28
+            48 8B CE
+            E8 ?? ?? ?? ??
+        }
+    condition:
+        $chunk_1
+}"""
+def derive_chacha_key_nonce_blake2b(seed: bytes):  # -> tuple[bytes, bytes]:
+    """
+    Derives a 32-byte ChaCha20 key and a 24-byte ChaCha20 nonce
+    using BLAKE2b from a given seed.
+    """
+    output_length = 56  # 32 bytes for key + 24 bytes for nonce
+    h = hashlib.blake2b(digest_size=output_length)
+    h.update(seed)
+    derived_material = h.digest()
+    chacha20_key = derived_material[0:32]
+    chacha20_nonce = derived_material[32:56]
+    return chacha20_key, chacha20_nonce
+def yara_scan(raw_data, rule_source):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                return instance.offset
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    with suppress(Exception):
+        pe = pefile.PE(data=data)
+        offset = yara_scan(data, RULE_SOURCE)
+        # image_base = pe.OPTIONAL_HEADER.ImageBase
+        disp_offset = data[offset + 9 : offset + 13]
+        disp_offset = struct.unpack('i', disp_offset)[0]
+        instruction_pointer_va = pe.get_rva_from_offset(offset + 13)
+        config_offset_va = instruction_pointer_va + disp_offset
+        config_offset = pe.get_offset_from_rva(config_offset_va)
+        blake_seed = data[config_offset : config_offset + 32]
+        chacha20_key, chacha20_nonce = derive_chacha_key_nonce_blake2b(blake_seed)
+        cipher_len = int.from_bytes(data[config_offset + 32 : config_offset + 40], byteorder="big")
+        cipher_text = data[config_offset + 40 : config_offset + 40 + cipher_len]
+        cipher = ChaCha20_Poly1305.new(key=chacha20_key, nonce=chacha20_nonce)
+        decrypted_zlib_data = cipher.decrypt(cipher_text)
+        decompressed_data = zlib.decompress(decrypted_zlib_data)
+        config_dict = json.loads(decompressed_data)
+    if config_dict:
+        final_config = {"raw": config_dict}
+        if "ip" in config_dict and "port" in config_dict:
+            final_config["CNCs"] = [f"tcp://{config_dict['ip']}:{config_dict['port']}"]
+        if "build_name" in config_dict:
+            final_config["build"] = config_dict["build_name"]
+        return final_config
+    return {}
+if __name__ == "__main__":
+    import sys
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/core/AdaptixBeacon.py CHANGED Viewed

@@ -26,11 +26,12 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
     def read_str(length: int):
         nonlocal offset
-        value = data[offset:offset + length].decode("utf-8", errors="replace")
+        value = data[offset : offset + length].decode("utf-8", errors="replace")
         offset += length
         return value
-    config["config_rc4_key"] = rc4_key.hex()
+    config["cryptokey"] = rc4_key.hex()
+    config["cryptokey_type"] = "RC4"
     config["agent_type"] = f"{read('<I'):8X}"
     config["use_ssl"] = read("<B")
     host_count = read("<I")
@@ -58,7 +59,8 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
     config["sleep_delay"] = read("<I")
     config["jitter_delay"] = read("<I")
-    return config
+    return {"raw": config}
 def extract_config(filebuf: bytes) -> dict:
     pe = pefile.PE(data=filebuf, fast_load=True)
@@ -78,9 +80,9 @@ def extract_config(filebuf: bytes) -> dict:
             pos = start_offset + 1
             continue
-        encrypted_data = data[pos:pos + key_offset]
+        encrypted_data = data[pos : pos + key_offset]
         pos += key_offset
-        rc4_key = data[pos:pos + 16]
+        rc4_key = data[pos : pos + 16]
         if key_offset == 787:
             pass

cape_parsers/CAPE/core/Azorult.py CHANGED Viewed

@@ -30,7 +30,7 @@ rule Azorult
         cape_type = "Azorult Payload"
     strings:
         $ref_c2 = {6A 00 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? FF 55 F0 8B D8 C7 47 10 ?? ?? ?? ?? 90 C7 45 B0 C0 C6 2D 00 6A 04 8D 45 B0 50 6A 06 53 FF 55 D4}
-   condition:
+    condition:
         uint16(0) == 0x5A4D and all of them
 }
 """
@@ -48,16 +48,18 @@ def extract_config(filebuf):
             for instance in block.instances:
                 try:
                     cnc_offset = struct.unpack("i", instance.matched_data[21:25])[0]
-                    cnc = pe.get_data(cnc_offset-image_base, 32).split(b"\x00")[0]
+                    cnc = pe.get_data(cnc_offset - image_base, 32).split(b"\x00")[0]
                     if cnc:
                         if not cnc.startswith(b"http"):
                             cnc = b"http://" + cnc
-                        return {"cncs": [cnc.decode()]}
+                        return {"CNCs": [cnc.decode()]}
                 except Exception as e:
                     log.error("Error parsing Azorult config: %s", e)
     return {}
 if __name__ == "__main__":
     import sys
     with open(sys.argv[1], "rb") as f:
         print(extract_config(f.read()))

cape_parsers/CAPE/core/BitPaymer.py CHANGED Viewed

@@ -86,7 +86,10 @@ def extract_config(file_data):
         for item in raw.split(b"\x00"):
             data = "".join(convert_char(c) for c in item)
             if len(data) == 760:
-                config["RSA public key"] = data
+                config.setdefault("cryptokey", data)
+                # ToDO proper naming here
+                config.setdefault("raw", {})["cryptokey_type"] = "RSA public key"
             elif len(data) > 1 and "\\x" not in data:
-                config["strings"] = data
+                config.setdefault("raw", {})["strings"] = data
     return config

cape_parsers/CAPE/core/BlackDropper.py CHANGED Viewed

@@ -55,7 +55,7 @@ def extract_config(data: bytes) -> dict:
         return {}
     rdata_data = rdata_section.get_data()
-    patterns = [br"Builder\.dll\x00", br"Builder\.exe\x00"]
+    patterns = [rb"Builder\.dll\x00", rb"Builder\.exe\x00"]
     matches = []
     for pattern in patterns:
         matches.extend(re.finditer(pattern, rdata_data))
@@ -66,7 +66,7 @@ def extract_config(data: bytes) -> dict:
         end = min(len(rdata_data), match.end() + 1024)
         found_strings.update(re.findall(b"[\x20-\x7E]{4,}?\x00", rdata_data[start:end]))
-    result = {}
+    config = {}
     urls = []
     directories = []
     campaign = ""
@@ -74,7 +74,7 @@ def extract_config(data: bytes) -> dict:
     if found_strings:
         key = get_year(pe)
         if not key:
-            return result
+            return {}
         for string in found_strings:
             with suppress(UnicodeDecodeError):
                 decoded_string = string.decode("utf-8").rstrip("\x00")
@@ -88,9 +88,14 @@ def extract_config(data: bytes) -> dict:
             elif re.match(r"^(?![A-Z]{6,}$)[a-zA-Z0-9\-=]{6,}$", decoded_string):
                 campaign = decoded_string
-        result = {"urls": sorted(urls), "directories": directories, "campaign": campaign}
+        if urls:
+            config["CNCs"] = sorted(urls)
+        if campaign:
+            config["campaign"] = campaign
+        if directories:
+            config["raw"] = {"directories": directories}
-    return result
+    return config
 if __name__ == "__main__":

cape_parsers/CAPE/core/Blister.py CHANGED Viewed

@@ -542,16 +542,18 @@ def extract_config(data):
             injection_method = "Process hollowing IE or Werfault"
     config = {
-        "Flag": hex(flag),
-        "Payload export hash": hex(u32(payload_export_hash)),
-        "Payload filename": w_payload_filename_and_cmdline,
-        "Compressed data size": hex(u32(compressed_data_size)),
-        "Uncompressed data size": hex(u32(uncompressed_data_size)),
-        "Rabbit key": binascii.hexlify(key).decode(),
-        "Rabbit IV": binascii.hexlify(iv).decode(),
-        "Persistence": persistance,
-        "Sleep after injection": sleep_after_injection,
-        "Injection method": injection_method,
+        "raw": {
+            "Flag": hex(flag),
+            "Payload export hash": hex(u32(payload_export_hash)),
+            "Payload filename": w_payload_filename_and_cmdline,
+            "Compressed data size": hex(u32(compressed_data_size)),
+            "Uncompressed data size": hex(u32(uncompressed_data_size)),
+            "Rabbit key": binascii.hexlify(key).decode(),
+            "Rabbit IV": binascii.hexlify(iv).decode(),
+            "Persistence": persistance,
+            "Sleep after injection": sleep_after_injection,
+            "Injection method": injection_method,
+        }
     }
     return config

CAPE-parsers 0.1.44__py3-none-any.whl → 0.1.46__py3-none-any.whl

CAPE-parsers 0.1.44py3-none-any.whl → 0.1.46py3-none-any.whl