PyPI - CAPE-parsers - Versions diffs - 0.1.44__py3-none-any.whl → 0.1.46__py3-none-any.whl - Mend

CAPE-parsers 0.1.44py3-none-any.whl → 0.1.46py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

cape_parsers/CAPE/community/AgentTesla.py +18 -9
cape_parsers/CAPE/community/Arkei.py +13 -15
cape_parsers/CAPE/community/AsyncRAT.py +4 -2
cape_parsers/CAPE/community/AuroraStealer.py +9 -6
cape_parsers/CAPE/community/Carbanak.py +7 -7
cape_parsers/CAPE/community/CobaltStrikeBeacon.py +2 -1
cape_parsers/CAPE/community/CobaltStrikeStager.py +4 -1
cape_parsers/CAPE/community/DCRat.py +4 -2
cape_parsers/CAPE/community/Fareit.py +8 -9
cape_parsers/CAPE/community/KoiLoader.py +3 -3
cape_parsers/CAPE/community/LokiBot.py +1 -1
cape_parsers/CAPE/community/Lumma.py +49 -36
cape_parsers/CAPE/community/NanoCore.py +9 -9
cape_parsers/CAPE/community/Nighthawk.py +1 -0
cape_parsers/CAPE/community/Njrat.py +4 -4
cape_parsers/CAPE/community/PhemedroneStealer.py +2 -0
cape_parsers/CAPE/community/Snake.py +29 -16
cape_parsers/CAPE/community/SparkRAT.py +3 -1
cape_parsers/CAPE/community/Stealc.py +86 -64
cape_parsers/CAPE/community/VenomRAT.py +4 -2
cape_parsers/CAPE/community/XWorm.py +4 -2
cape_parsers/CAPE/community/XenoRAT.py +4 -2
cape_parsers/CAPE/community/monsterv2.py +96 -0
cape_parsers/CAPE/core/AdaptixBeacon.py +7 -5
cape_parsers/CAPE/core/Azorult.py +5 -3
cape_parsers/CAPE/core/BitPaymer.py +5 -2
cape_parsers/CAPE/core/BlackDropper.py +10 -5
cape_parsers/CAPE/core/Blister.py +12 -10
cape_parsers/CAPE/core/BruteRatel.py +20 -7
cape_parsers/CAPE/core/BumbleBee.py +29 -17
cape_parsers/CAPE/core/DarkGate.py +3 -3
cape_parsers/CAPE/core/DoppelPaymer.py +4 -2
cape_parsers/CAPE/core/DridexLoader.py +4 -3
cape_parsers/CAPE/core/Formbook.py +2 -2
cape_parsers/CAPE/core/GuLoader.py +2 -5
cape_parsers/CAPE/core/IcedID.py +5 -5
cape_parsers/CAPE/core/IcedIDLoader.py +4 -4
cape_parsers/CAPE/core/Latrodectus.py +10 -7
cape_parsers/CAPE/core/Oyster.py +8 -6
cape_parsers/CAPE/core/PikaBot.py +6 -6
cape_parsers/CAPE/core/PlugX.py +3 -1
cape_parsers/CAPE/core/QakBot.py +2 -1
cape_parsers/CAPE/core/Quickbind.py +7 -11
cape_parsers/CAPE/core/RedLine.py +2 -2
cape_parsers/CAPE/core/Remcos.py +58 -50
cape_parsers/CAPE/core/Rhadamanthys.py +18 -8
cape_parsers/CAPE/core/SmokeLoader.py +2 -2
cape_parsers/CAPE/core/Socks5Systemz.py +5 -5
cape_parsers/CAPE/core/SquirrelWaffle.py +3 -3
cape_parsers/CAPE/core/Strrat.py +1 -1
cape_parsers/CAPE/core/WarzoneRAT.py +3 -2
cape_parsers/CAPE/core/Zloader.py +21 -15
cape_parsers/RATDecoders/test_rats.py +1 -0
cape_parsers/__init__.py +13 -4
cape_parsers/deprecated/BlackNix.py +59 -0
cape_parsers/{CAPE/core → deprecated}/BuerLoader.py +1 -1
cape_parsers/{CAPE/core → deprecated}/ChChes.py +3 -3
cape_parsers/{CAPE/core → deprecated}/Enfal.py +1 -1
cape_parsers/{CAPE/core → deprecated}/EvilGrab.py +5 -6
cape_parsers/{CAPE/community → deprecated}/Greame.py +3 -1
cape_parsers/{CAPE/core → deprecated}/HttpBrowser.py +7 -8
cape_parsers/{CAPE/community → deprecated}/Pandora.py +2 -0
cape_parsers/{CAPE/community → deprecated}/Punisher.py +2 -1
cape_parsers/{CAPE/core → deprecated}/RCSession.py +7 -9
cape_parsers/{CAPE/community → deprecated}/REvil.py +10 -5
cape_parsers/{CAPE/core → deprecated}/RedLeaf.py +5 -7
cape_parsers/{CAPE/community → deprecated}/Retefe.py +0 -2
cape_parsers/{CAPE/community → deprecated}/Rozena.py +2 -5
cape_parsers/{CAPE/community → deprecated}/SmallNet.py +6 -2
{cape_parsers-0.1.44.dist-info → cape_parsers-0.1.46.dist-info}/METADATA +20 -1
cape_parsers-0.1.46.dist-info/RECORD +112 -0
cape_parsers/CAPE/community/BlackNix.py +0 -57
cape_parsers/CAPE/core/Stealc.py +0 -21
cape_parsers-0.1.44.dist-info/RECORD +0 -112
/cape_parsers/{CAPE/community → deprecated}/BackOffLoader.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/BackOffPOS.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/Emotet.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/PoisonIvy.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TSCookie.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TrickBot.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/UrsnifV3.py +0 -0
{cape_parsers-0.1.44.dist-info → cape_parsers-0.1.46.dist-info}/LICENSE +0 -0
{cape_parsers-0.1.44.dist-info → cape_parsers-0.1.46.dist-info}/WHEEL +0 -0

cape_parsers/CAPE/core/BruteRatel.py CHANGED Viewed

@@ -2,22 +2,35 @@ from contextlib import suppress
 def extract_config(data):
-    config_dict = {}
+    config = {}
     with suppress(Exception):
         i = 0
         lines = data.decode().split("\n")
         for line in lines:
             if line.startswith("Mozilla"):
-                config_dict["User Agent"] = line
-                config_dict["C2"] = list(set(lines[i - 2].split(",")))
-                config_dict["Port"] = lines[i - 1]
-                config_dict["URI"] = lines[i + 3].split(",")
-                config_dict["Keys"] = [lines[i + 1], lines[i + 2]]
+                cncs = list(set(lines[i - 2].split(",")))
+                port = lines[i - 1]
+                uris = lines[i + 3].split(",")
+                keys = [lines[i + 1], lines[i + 2]]
+                for cnc in cncs:
+                    # ToDo need to verify if we have schema and uri has slash
+                    for uri in uris:
+                        config.setdefault("CNCs", []).append(f"{cnc}:{port}{uri}")
+                config["raw"] = {
+                    "User Agent": line,
+                    "C2": cncs,
+                    "Port": port,
+                    "URI": uri,
+                    # ToDo move to proper field
+                    "Keys": keys,
+                }
                 break
             i += 1
-    return config_dict
+    return config
 if __name__ == "__main__":

cape_parsers/CAPE/core/BumbleBee.py CHANGED Viewed

@@ -6,6 +6,7 @@ import traceback
 from contextlib import suppress
 import pefile
 # import regex as re
 # test
 import re
@@ -106,7 +107,7 @@ def extract_config_data(data, pe, config_match):
 def extract_2024(pe, filebuf):
-    cfg = {}
+    config = {}
     rc4key_init_offset = 0
     botid_init_offset = 0
     port_init_offset = 0
@@ -142,45 +143,55 @@ def extract_2024(pe, filebuf):
     key_offset = pe.get_dword_from_offset(rc4key_init_offset + 57)
     key_rva = pe.get_rva_from_offset(rc4key_init_offset + 61) + key_offset
     key = pe.get_string_at_rva(key_rva)
-    cfg["RC4 key"] = key.decode()
+    botid = ""
     botid_offset = pe.get_dword_from_offset(botid_init_offset + 51)
     botid_rva = pe.get_rva_from_offset(botid_init_offset + 55) + botid_offset
     botid_len_offset = pe.get_dword_from_offset(botidlgt_init_offset + 31)
     botid_data = pe.get_data(botid_rva)[:botid_len_offset]
     with suppress(Exception):
         botid = ARC4.new(key).decrypt(botid_data).split(b"\x00")[0].decode()
-        cfg["Botid"] = botid
+    port = ""
     port_offset = pe.get_dword_from_offset(port_init_offset + 23)
     port_rva = pe.get_rva_from_offset(port_init_offset + 27) + port_offset
     port_len_offset = pe.get_dword_from_offset(botidlgt_init_offset + 4)
     port_data = pe.get_data(port_rva)[:port_len_offset]
     with suppress(Exception):
         port = ARC4.new(key).decrypt(port_data).split(b"\x00")[0].decode()
-        cfg["Port"] = port
     dgaseed_offset = pe.get_dword_from_offset(dga1_init_offset + 15)
     dgaseed_rva = pe.get_rva_from_offset(dga1_init_offset + 19) + dgaseed_offset
     dgaseed_data = pe.get_qword_at_rva(dgaseed_rva)
-    cfg["DGA seed"] = str(int(dgaseed_data))
     numdga_offset = pe.get_dword_from_offset(dga1_init_offset + 22)
     numdga_rva = pe.get_rva_from_offset(dga1_init_offset + 26) + numdga_offset
     numdga_data = pe.get_string_at_rva(numdga_rva)
-    cfg["Number DGA domains"] = numdga_data.decode()
     domainlen_offset = pe.get_dword_from_offset(dga2_init_offset + 3)
     domainlen_rva = pe.get_rva_from_offset(dga2_init_offset + 7) + domainlen_offset
     domainlen_data = pe.get_string_at_rva(domainlen_rva)
-    cfg["Domain length"] = domainlen_data.decode()
     tld_offset = pe.get_dword_from_offset(dga2_init_offset + 37)
     tld_rva = pe.get_rva_from_offset(dga2_init_offset + 41) + tld_offset
     tld_data = pe.get_string_at_rva(tld_rva).decode()
-    cfg["TLD"] = tld_data
-    return cfg
+    config = {
+        "dga_seed": str(int(dgaseed_data)),
+        "cryptokey": key.decode(),
+        "cryptokey_type": "RC4",
+        "raw": {
+            "TLD": tld_data,
+            "Domain length": domainlen_data.decode(),
+            "Number DGA domains": numdga_data.decode(),
+        },
+    }
+    if port:
+        config["raw"]["port"] = port
+    if botid:
+        config["botnet"] = botid
+    return config
 def extract_config(data):
@@ -209,27 +220,28 @@ def extract_config(data):
                 if not key:
                     continue
                 if index == 0:
-                    cfg["Botnet ID"] = key.decode()
+                    cfg["botnet"] = key.decode()
                 elif index == 1:
-                    cfg["Campaign ID"] = key.decode()
+                    cfg["campaign"] = key.decode()
                 elif index == 2:
-                    cfg["Data"] = key.decode("latin-1")
+                    cfg.setdefault("raw", {})["Data"] = key.decode("latin-1")
                 elif index == 3:
-                    cfg["C2s"] = list(key.decode().split(","))
+                    cfg["CNCs"] = list(key.decode().split(","))
         elif len(key_match) == 1:
             key = extract_key_data(data, pe, key_match[0])
             if not key:
                 return cfg
-            cfg["RC4 Key"] = key.decode()
+            cfg["cryptokey"] = key.decode()
+            cfg["cryptokey_type"] = "RC4"
         # Extract config ciphertext
         config_match = regex.search(data)
         campaign_id, botnet_id, c2s = extract_config_data(data, pe, config_match)
         if campaign_id:
-            cfg["Campaign ID"] = ARC4.new(key).decrypt(campaign_id).split(b"\x00")[0].decode()
+            cfg["campaign"] = ARC4.new(key).decrypt(campaign_id).split(b"\x00")[0].decode()
         if botnet_id:
-            cfg["Botnet ID"] = ARC4.new(key).decrypt(botnet_id).split(b"\x00")[0].decode()
+            cfg["botnet"] = ARC4.new(key).decrypt(botnet_id).split(b"\x00")[0].decode()
         if c2s:
-            cfg["C2s"] = list(ARC4.new(key).decrypt(c2s).split(b"\x00")[0].decode().split(","))
+            cfg["CNCs"] = list(ARC4.new(key).decrypt(c2s).split(b"\x00")[0].decode().split(","))
     except Exception as e:
         log.error("This is broken: %s", str(e), exc_info=True)

cape_parsers/CAPE/core/DarkGate.py CHANGED Viewed

@@ -70,7 +70,7 @@ def parse_config(data, conf_map):
         except KeyError:
             config[f"unknown_{k}"] = v
-    return config
+    return {"raw": config}
 def decode(data):
@@ -81,7 +81,7 @@ def decode(data):
             strval = translate_string(strval.decode("utf-8"))
             decoded_str = base64.b64decode(strval)
             if decoded_str.startswith(b"http"):
-                config["C2"] = [x for x in decoded_str.decode("utf-8").split("|") if x.strip() != ""]
+                config["CNCs"] = [x for x in decoded_str.decode("utf-8").split("|") if x.strip() != ""]
             elif b"1=Yes" in decoded_str or b"1=No" in decoded_str:
                 config.update(parse_config(decoded_str, config_map_1))
             else:
@@ -102,7 +102,7 @@ def extract_config(data):
         config = {}
         for item in data.split(b"\r\n")[:-1]:
             if item.startswith(b"0="):
-                config["C2"] = [x for x in item[2:].decode("utf-8").split("|") if x.strip() != ""]
+                config["CNCs"] = [x for x in item[2:].decode("utf-8").split("|") if x.strip() != ""]
             else:
                 config.update(parse_config(item, config_map_2))
         return config

cape_parsers/CAPE/core/DoppelPaymer.py CHANGED Viewed

@@ -72,7 +72,9 @@ def extract_config(filebuf):
         for item in raw.split(b"\x00"):
             data = "".join(convert_char(c) for c in item)
             if len(data) == 406:
-                config["RSA public key"] = data
+                config.setdefault("cryptokey", data)
+                # ToDO proper naming here
+                config.setdefault("raw", {})["cryptokey_type"] = "RSA public key"
             elif len(data) > 1 and "\\x" not in data:
-                config["strings"] = data
+                config.setdefault("raw", {})["strings"] = data
     return config

cape_parsers/CAPE/core/DridexLoader.py CHANGED Viewed

@@ -132,7 +132,7 @@ def extract_config(filebuf):
         port = str(struct.unpack("H", filebuf[c2_offset + 4 : c2_offset + 6])[0])
         if c2_address and port:
-            cfg.setdefault("address", []).append(f"{c2_address}:{port}")
+            cfg.setdefault("CNCs", []).append(f"{c2_address}:{port}")
         c2_offset += 6 + delta
@@ -155,7 +155,8 @@ def extract_config(filebuf):
                 )
             for item in raw.split(b"\x00"):
                 if len(item) == LEN_BLOB_KEY - 1:
-                    cfg["RC4 key"] = item.split(b";", 1)[0].decode()
+                    cfg["cryptokey"] = item.split(b";", 1)[0].decode()
+                    cfg["cryptokey_type"] = "RC4"
     if botnet_code:
         botnet_rva = struct.unpack("i", filebuf[botnet_code + 23 : botnet_code + 27])[0] - image_base
@@ -163,7 +164,7 @@ def extract_config(filebuf):
         with suppress(struct.error):
             botnet_offset = pe.get_offset_from_rva(botnet_rva)
             botnet_id = struct.unpack("H", filebuf[botnet_offset : botnet_offset + 2])[0]
-            cfg["Botnet ID"] = str(botnet_id)
+            cfg["botnet"] = str(botnet_id)
     return cfg

cape_parsers/CAPE/core/Formbook.py CHANGED Viewed

@@ -12,11 +12,11 @@ def extract_config(data):
             i += 1
     elif "www." not in lines[0]:
         return
-    config_dict["C2"] = lines[i]
+    config_dict["CNCs"] = lines[i]
     decoys = []
     i += 1
     while len(lines[i]) > 0:
         decoys.append(lines[i])
         i += 1
-    config_dict["Decoys"] = decoys
+    config_dict.setdefault("raw", {})["Decoys"] = decoys
     return config_dict

cape_parsers/CAPE/core/GuLoader.py CHANGED Viewed

@@ -1,7 +1,4 @@
-try:
-    import re2 as re
-except ImportError:
-    import re
+import re
 url_regex = re.compile(rb"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+")
@@ -10,7 +7,7 @@ def extract_config(data):
     try:
         urls = [url.lower().decode() for url in url_regex.findall(data)]
         if urls:
-            return {"URLs": urls}
+            return {"CNCs": urls}
     except Exception as e:
         print(e)

cape_parsers/CAPE/core/IcedID.py CHANGED Viewed

@@ -77,12 +77,12 @@ def extract_config(filebuf):
                         decrypted_data = ARC4.new(key).decrypt(enc_config)
                         config = list(filter(None, decrypted_data.split(b"\x00")))
                         return {
-                            "family": "IcedID",
                             "version": str(struct.unpack("I", decrypted_data[4:8])[0]),
-                            "paths": [{"path": config[1].decode(), "usage": "other"}],
-                            "http": [{"uri": controller[1:].decode()} for controller in config[2:]],
-                            "other": {
-                                "Bot ID": str(struct.unpack("I", decrypted_data[:4])[0]),
+                            "botnet": str(struct.unpack("I", decrypted_data[:4])[0]),
+                            "raw": {
+                                "family": "IcedID",
+                                "paths": [{"path": config[1].decode(), "usage": "other"}],
+                                "http": [{"uri": controller[1:].decode()} for controller in config[2:]],
                             },
                         }
             except Exception as e:

cape_parsers/CAPE/core/IcedIDLoader.py CHANGED Viewed

@@ -19,7 +19,7 @@ import pefile
 def extract_config(filebuf):
-    cfg = {}
+    config = {}
     pe = None
     with suppress(Exception):
         pe = pefile.PE(data=filebuf, fast_load=False)
@@ -35,9 +35,9 @@ def extract_config(filebuf):
                 if n > 32:
                     break
             campaign, c2 = struct.unpack("I30s", bytes(dec))
-            cfg["C2"] = c2.split(b"\00", 1)[0].decode()
-            cfg["Campaign"] = campaign
-            return cfg
+            config["CNCs"] = c2.split(b"\00", 1)[0].decode()
+            config["campaign"] = campaign
+            return config
 if __name__ == "__main__":

cape_parsers/CAPE/core/Latrodectus.py CHANGED Viewed

@@ -197,17 +197,20 @@ def extract_config(filebuf):
                     str_vals.remove(item)
                 cfg = {
-                    "C2": c2,
-                    "Group name": campaign,
-                    "Campaign ID": fnv_hash(campaign.encode()),
-                    "Version": version,
-                    "RC4 key": rc4_key,
-                    "Strings": str_vals,
+                    "CNCs": c2,
+                    "campaign": fnv_hash(campaign.encode()),
+                    "version": version,
+                    "cryptokey": rc4_key,
+                    "cryptokey_type": "RC4",
+                    "raw": {
+                        "Strings": str_vals,
+                        "Group name": campaign,
+                    },
                 }
             except Exception as e:
                 log.error("Error: %s", e)
-        if not cfg.get("C2", False) and not cfg.get("Group name", False):
+        if not cfg.get("C2", False) and not cfg.get("raw", {}).get("Group name", False):
             cfg = None
     return cfg

cape_parsers/CAPE/core/Oyster.py CHANGED Viewed

@@ -75,7 +75,7 @@ def yara_scan(raw_data):
 def extract_config(filebuf):
     yara_hit = yara_scan(filebuf)
-    cfg = {}
+    config = {}
     for hit in yara_hit:
         if hit.rule == "Oyster":
@@ -121,14 +121,16 @@ def extract_config(filebuf):
                         if c2_matches:
                             c2.extend(c2_matches)
-                cfg = {
-                    "C2": c2,
-                    "Dll Version": dll_version,
-                    "Strings": str_vals,
+                config = {
+                    "CNCs": c2,
+                    'version': dll_version,
+                    "raw": {
+                        "Strings": str_vals,
+                    },
                 }
             except Exception as e:
                 log.error("Error: %s", e)
-    return cfg
+    return config
 if __name__ == "__main__":

cape_parsers/CAPE/core/PikaBot.py CHANGED Viewed

@@ -105,13 +105,13 @@ def get_config(input_data):
     c2s = get_c2s(data, number_of_c2s)
     return {
-        "Version": version,
-        "Campaign Name": campaign_name,
-        "Registry Key": registry_key,
-        "User Agent": user_agent,
+        "version": version,
+        "campaign": campaign_name,
+        "raw": {"Registry Key": registry_key},
+        "user_agent": user_agent,
         # "request_headers": request_headers,
         # "api_cmds": api_cmds,
-        "C2s": c2s,
+        "CNCs": c2s,
     }
@@ -152,7 +152,7 @@ def extract_config(filebuf):
                     out = wide_finder(test_out_ptxt).decode("utf-16le")
         if out:
             url = get_url(out)
-            return {"C2": [url], "PowerShell": out}
+            return {"CNCs": [url], "raw": {"PowerShell": out}}
     if data:
         yara_hit = yara_scan(filebuf)

cape_parsers/CAPE/core/PlugX.py CHANGED Viewed

@@ -322,4 +322,6 @@ def extract_config(cfg_blob):
                 reg_list.append(reg_name)
         if reg_list:
             config_output.update({"Registry black list": reg_list})
-    return config_output
+    if config_output:
+        return {"raw": config_output}

cape_parsers/CAPE/core/QakBot.py CHANGED Viewed

@@ -493,7 +493,8 @@ def extract_config(filebuf):
         config = parse_config(filebuf[: len(filebuf) - 20])
         for k, v in config.items():
             end_config.setdefault(k, v)
-    return end_config
+    if end_config:
+        return {"raw": end_config}
 if __name__ == "__main__":

cape_parsers/CAPE/core/Quickbind.py CHANGED Viewed

@@ -57,12 +57,7 @@ def extract_config(filebuf):
             encrypted_string = struct.unpack_from(data_format, data, offset)[0]
             with suppress(IndexError, UnicodeDecodeError, ValueError):
-                decrypted_result = (
-                    ARC4.new(key)
-                    .decrypt(encrypted_string)
-                    .replace(b"\x00", b"")
-                    .decode("utf-8")
-                )
+                decrypted_result = ARC4.new(key).decrypt(encrypted_string).replace(b"\x00", b"").decode("utf-8")
             if decrypted_result and all(32 <= ord(char) <= 127 for char in decrypted_result):
                 if len(decrypted_result) > 2:
@@ -105,12 +100,13 @@ def extract_config(filebuf):
                     campaign_found = True
             elif is_hex(item):
-                cfg["RC4 Key"] = item
+                cfg["cryptokey"] = item
+                cfg["cryptokey_type"] = "RC4"
                 if i == 1:
                     campaign_found = True
             elif "Mozilla" in item:
-                cfg["User-agent"] = item
+                cfg["user_agent"] = item
                 if i == 1:
                     campaign_found = True
@@ -119,13 +115,13 @@ def extract_config(filebuf):
                 campaign_found = True
         if campaign_found:
-            cfg["Campaign"] = campaign
+            cfg["campaign"] = campaign
         if c2s:
-            cfg["C2"] = c2s
+            cfg["CNCs"] = c2s
         if mutexes:
-            cfg["Mutex"] = list(set(mutexes))
+            cfg["mutex"] = list(set(mutexes))
     return cfg

cape_parsers/CAPE/core/RedLine.py CHANGED Viewed

@@ -167,11 +167,11 @@ def extract_config(data):
     if not c2 or "." not in c2:
         return
-    config_dict = {"C2": c2, "Botnet": botnet, "Key": key}
+    config_dict = {"CNCs": c2, "botnet": botnet, "cryptokey": key}
     if "Authorization" in user_strings:
         base_location = user_strings.index("Authorization")
         if base_location:
-            config_dict["Authorization"] = user_strings[base_location - 1]
+            config_dict.setdefault("raw", {})["Authorization"] = user_strings[base_location - 1]
     return config_dict

cape_parsers/CAPE/core/Remcos.py CHANGED Viewed

@@ -25,34 +25,34 @@ FLAG = {b"\x00": "Disable", b"\x01": "Enable"}
 # From JPCERT and Elastic Security Labs
 idx_list = {
-    0: "Host:Port:Password", # String containing "domain:port:enable_tls" separated by the "\x1e" characte
-    1: "Botnet", # Name of the botnet
-    2: "Connect interval", # Interval in second between connection attempt to C2
-    3: "Install flag", # Install REMCOS on the machine host
-    4: "Setup HKCU\\Run", # Enable setup of the persistence in the registry
-    5: "Setup HKLM\\Run", # Enable setup of the persistence in the registry
+    0: "Host:Port:Password",  # String containing "domain:port:enable_tls" separated by the "\x1e" characte
+    1: "Botnet",  # Name of the botnet
+    2: "Connect interval",  # Interval in second between connection attempt to C2
+    3: "Install flag",  # Install REMCOS on the machine host
+    4: "Setup HKCU\\Run",  # Enable setup of the persistence in the registry
+    5: "Setup HKLM\\Run",  # Enable setup of the persistence in the registry
     6: "Setup HKLM\\Explorer\\Run",
-    7: "Keylog file max size", # Maximum size of the keylogging data before rotation
-    8: "Setup HKLM\\Explorer\\Run", # Enable setup of the persistence in the registry
-    9: "Install parent directory", # Parent directory of the install folder. Integer mapped to an hardcoded path
-    10: "Install filename", # Name of the REMCOS binary once installed
+    7: "Keylog file max size",  # Maximum size of the keylogging data before rotation
+    8: "Setup HKLM\\Explorer\\Run",  # Enable setup of the persistence in the registry
+    9: "Install parent directory",  # Parent directory of the install folder. Integer mapped to an hardcoded path
+    10: "Install filename",  # Name of the REMCOS binary once installed
     11: "Startup value",
-    12: "Hide file", # Enable super hiding the install directory and binary as well as setting them to read only
-    13: "Process injection flag", # 	Enable running the malware injected in another process
-    14: "Mutex", # String used as the malware mutex and registry key
-    15: "Keylogger mode", # Set keylogging capability. Keylogging mode, 0 = disabled, 1 = keylogging everything, 2 = keylogging specific window(s)
-    16: "Keylogger parent directory", # Parent directory of the keylogging folder. Integer mapped to an hardcoded path
-    17: "Keylogger filename", # Filename of the keylogged data
-    18: "Keylog crypt", # Enable encryption RC4 of the keylogger data file
-    19: "Hide keylog file", # Enable super hiding of the keylogger data file
-    20: "Screenshot flag", # Enable screen recording capability
-    21: "Screenshot time", # The time interval in minute for capturing each screenshot
-    22: "Take Screenshot option", # Enable screen recording for specific window names
-    23: "Take screenshot title", # String containing window names separated by the ";” character
-    24: "Take screenshot time", #s The time interval in second for capturing each screenshot when a specific window name is found in the current foreground window title
-    25: "Screenshot parent directory", # Parent directory of the screenshot folder. Integer mapped to an hardcoded path
-    26: "Screenshot folder", # Name of the screenshot folder
-    27: "Screenshot crypt flag", # Enable encryption of screenshots
+    12: "Hide file",  # Enable super hiding the install directory and binary as well as setting them to read only
+    13: "Process injection flag",  # 	Enable running the malware injected in another process
+    14: "Mutex",  # String used as the malware mutex and registry key
+    15: "Keylogger mode",  # Set keylogging capability. Keylogging mode, 0 = disabled, 1 = keylogging everything, 2 = keylogging specific window(s)
+    16: "Keylogger parent directory",  # Parent directory of the keylogging folder. Integer mapped to an hardcoded path
+    17: "Keylogger filename",  # Filename of the keylogged data
+    18: "Keylog crypt",  # Enable encryption RC4 of the keylogger data file
+    19: "Hide keylog file",  # Enable super hiding of the keylogger data file
+    20: "Screenshot flag",  # Enable screen recording capability
+    21: "Screenshot time",  # The time interval in minute for capturing each screenshot
+    22: "Take Screenshot option",  # Enable screen recording for specific window names
+    23: "Take screenshot title",  # String containing window names separated by the ";" character
+    24: "Take screenshot time",  # s The time interval in second for capturing each screenshot when a specific window name is found in the current foreground window title
+    25: "Screenshot parent directory",  # Parent directory of the screenshot folder. Integer mapped to an hardcoded path
+    26: "Screenshot folder",  # Name of the screenshot folder
+    27: "Screenshot crypt flag",  # Enable encryption of screenshots
     28: "Mouse option",
     29: "Unknown29",
     30: "Delete file",
@@ -60,28 +60,28 @@ idx_list = {
     32: "Unknown32",
     33: "Unknown33",
     34: "Unknown34",
-    35: "Audio recording flag", # Enable audio recording capability
-    36: "Audio record time", # Duration in second of each audio recording
-    37: "Audio parent directory", # Parent directory of the audio recording folder. Integer mapped to an hardcoded path
-    38: "Audio folder", # Name of the audio recording folder
-    39: "Disable UAC flage", # Disable UAC in the registry
-    40: "Logging mode", # Set logging mode: 0 = disabled, 1 = minimized in tray, 2 = console logging
-    41: "Connect delay", # Delay in second before the first connection attempt to the C2
-    42: "Keylogger specific window names", # String containing window names separated by the ";” character
-    43: "Browser cleaning on startup flag", # Enable cleaning web browsers’ cookies and logins on REMCOS startup
-    44: "Browser cleaning only for the first run flag", # Enable web browsers cleaning only on the first run of Remcos
-    45: "Browser cleaning sleep time in minutes", # Sleep time in minute before cleaning the web browsers
-    46: "UAC bypass flag", # Enable UAC bypass capability
+    35: "Audio recording flag",  # Enable audio recording capability
+    36: "Audio record time",  # Duration in second of each audio recording
+    37: "Audio parent directory",  # Parent directory of the audio recording folder. Integer mapped to an hardcoded path
+    38: "Audio folder",  # Name of the audio recording folder
+    39: "Disable UAC flage",  # Disable UAC in the registry
+    40: "Logging mode",  # Set logging mode: 0 = disabled, 1 = minimized in tray, 2 = console logging
+    41: "Connect delay",  # Delay in second before the first connection attempt to the C2
+    42: "Keylogger specific window names",  # String containing window names separated by the ";"" character
+    43: "Browser cleaning on startup flag",  # Enable cleaning web browsers cookies and logins on REMCOS startup
+    44: "Browser cleaning only for the first run flag",  # Enable web browsers cleaning only on the first run of Remcos
+    45: "Browser cleaning sleep time in minutes",  # Sleep time in minute before cleaning the web browsers
+    46: "UAC bypass flag",  # Enable UAC bypass capability
     47: "Unkown47",
-    48: "Install directory", # Name of the install directory
-    49: "Keylogger root directory", # Name of the keylogger directory
-    50: "Watchdog flag", # Enable watchdog capability
+    48: "Install directory",  # Name of the install directory
+    49: "Keylogger root directory",  # Name of the keylogger directory
+    50: "Watchdog flag",  # Enable watchdog capability
     51: "Unknown51",
-    52: "License", # License serial
-    53: "Screenshot mouse drawing flag", # Enable drawing the mouse on each screenshot
-    54: "TLS raw certificate (base64)", # Certificate in raw format used with tls enabled C2 communication
-    55: "TLS key (base64)", # Key of the certificate
-    56: "TLS raw peer certificate (base64)", # C2 public certificate in raw format
+    52: "License",  # License serial
+    53: "Screenshot mouse drawing flag",  # Enable drawing the mouse on each screenshot
+    54: "TLS raw certificate (base64)",  # Certificate in raw format used with tls enabled C2 communication
+    55: "TLS key (base64)",  # Key of the certificate
+    56: "TLS raw peer certificate (base64)",  # C2 public certificate in raw format
     57: "TLS client private key (base64)",
     58: "TLS server certificate (base64)",
     59: "Unknown59",
@@ -107,7 +107,15 @@ setup_list = {
     8: "%ProgramData%",
 }
-utf_16_string_list = ["Keylogger specific window names", "Install filename", "Install directory", "Startup value", "Keylogger filename", "Take screenshot title", "Keylogger root directory"]
+utf_16_string_list = [
+    "Keylogger specific window names",
+    "Install filename",
+    "Install directory",
+    "Startup value",
+    "Keylogger filename",
+    "Take screenshot title",
+    "Keylogger root directory",
+]
 logger = logging.getLogger(__name__)
@@ -170,7 +178,7 @@ def extract_config(filebuf):
             key = blob[1 : keylen + 1]
             decrypted_data = ARC4.new(key).decrypt(blob[keylen + 1 :])
             p_data = OrderedDict()
-            p_data["Version"] = check_version(filebuf)
+            config["version"] = check_version(filebuf)
             configs = re.split(rb"\|\x1e\x1e\x1f\|", decrypted_data)
@@ -189,7 +197,7 @@ def extract_config(filebuf):
                     # various separators have been observed
                     separator = next((x for x in (b"|", b"\x1e", b"\xff\xff\xff\xff") if x in cont))
                     host, port, password = cont.split(separator, 1)[0].split(b":")
-                    p_data["Control"] = f"tcp://{host.decode()}:{port.decode()}"
+                    config["CNCs"] = [f"tcp://{host.decode()}:{port.decode()}"]
                     p_data["Password"] = password.decode()
                 else:
                     p_data[idx_list[i]] = cont
@@ -200,7 +208,7 @@ def extract_config(filebuf):
                 if isinstance(v, bytes):
                     with suppress(Exception):
                         v = v.decoed()
-                config[k] = v
+                config.setdefault("raw", {})[k] = v
     except Exception as e:
         logger.error(f"Caught an exception: {e}")

CAPE-parsers 0.1.44__py3-none-any.whl → 0.1.46__py3-none-any.whl

CAPE-parsers 0.1.44py3-none-any.whl → 0.1.46py3-none-any.whl