CAPE-parsers 0.1.44__py3-none-any.whl → 0.1.46__py3-none-any.whl

cape_parsers/CAPE/core/Rhadamanthys.py

@@ -11,12 +11,15 @@ AUTHOR = "kevoreilly, YungBinary"
 def mask32(x):
     return x & 0xFFFFFFFF
 
+
 def add32(x, y):
     return mask32(x + y)
 
+
 def left_rotate(x, n):
     return mask32(x << n) | (x >> (32 - n))
 
+
 def quarter_round(block, a, b, c, d):
     block[a] = add32(block[a], block[b])
     block[d] ^= block[a]
@@ -31,6 +34,7 @@ def quarter_round(block, a, b, c, d):
     block[b] ^= block[c]
     block[b] = left_rotate(block[b], 7)
 
+
 def chacha20_permute(block):
     for doubleround in range(10):
         quarter_round(block, 0, 4, 8, 12)
@@ -42,6 +46,7 @@ def chacha20_permute(block):
         quarter_round(block, 2, 7, 8, 13)
         quarter_round(block, 3, 4, 9, 14)
 
+
 def words_from_bytes(b):
     assert len(b) % 4 == 0
     return [int.from_bytes(b[4 * i : 4 * i + 4], "little") for i in range(len(b) // 4)]
@@ -50,11 +55,12 @@ def words_from_bytes(b):
 def bytes_from_words(w):
     return b"".join(word.to_bytes(4, "little") for word in w)
 
+
 def chacha20_block(key, nonce, blocknum):
     # This implementation doesn't support 16-byte keys.
     assert len(key) == 32
     assert len(nonce) == 12
-    assert blocknum < 2 ** 32
+    assert blocknum < 2**32
     constant_words = words_from_bytes(b"expand 32-byte k")
     key_words = words_from_bytes(key)
     nonce_words = words_from_bytes(nonce)
@@ -72,6 +78,7 @@ def chacha20_block(key, nonce, blocknum):
         permuted_block[i] = add32(permuted_block[i], original_block[i])
     return bytes_from_words(permuted_block)
 
+
 def chacha20_stream(key, nonce, length, blocknum):
     output = bytearray()
     while length > 0:
@@ -82,6 +89,7 @@ def chacha20_stream(key, nonce, length, blocknum):
         blocknum += 1
     return output
 
+
 def decrypt_config(data):
     decrypted_config = b"\x21\x52\x48\x59"
     data_len = len(data)
@@ -98,6 +106,7 @@ def decrypt_config(data):
             v8 -= 1
             v3 += 1
 
+
 def chacha20_xor(custom_b64_decoded, key, nonce):
     message_len = len(custom_b64_decoded)
     key_stream = chacha20_stream(key, nonce, message_len, 0x80)
@@ -108,6 +117,7 @@ def chacha20_xor(custom_b64_decoded, key, nonce):
 
     return xor_key
 
+
 def extract_strings(data, minchars, maxchars):
     apat = b"([\x20-\x7e]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
     strings = [string.decode() for string in re.findall(apat, data)]
@@ -118,11 +128,13 @@ def extract_strings(data, minchars, maxchars):
     strings.extend(str(ws.decode("utf-16le")) for ws in re.findall(upat, data))
     return strings
 
+
 def extract_c2_url(data):
     pattern = b"(http[\x20-\x7e]+)\x00"
     match = re.search(pattern, data)
     return match.group(1).decode()
 
+
 def is_potential_custom_base64(string):
     custom_alphabet = "ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
     for c in string:
@@ -130,6 +142,7 @@ def is_potential_custom_base64(string):
             return False
     return True
 
+
 def custom_b64decode(data):
     """Decodes base64 data using a custom alphabet."""
     standard_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
@@ -138,11 +151,12 @@ def custom_b64decode(data):
     table = bytes.maketrans(custom_alphabet, standard_alphabet)
     return base64.b64decode(data.translate(table), validate=True)
 
+
 def extract_config(data):
     config_dict = {}
     magic = struct.unpack("I", data[:4])[0]
     if magic == 0x59485221:
-        config_dict["C2"] = data[24:].split(b"\0", 1)[0].decode()
+        config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
         return config_dict
     else:
         key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
@@ -157,15 +171,12 @@ def extract_config(data):
                 custom_b64_decoded = custom_b64decode(string)
                 xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
                 decrypted_config = decrypt_config(xor_key)
-                reexecution_delay = int.from_bytes(decrypted_config[5:7], byteorder='little')
+                reexecution_delay = int.from_bytes(decrypted_config[5:7], byteorder="little")
 
                 c2_url = extract_c2_url(decrypted_config)
                 if not c2_url:
                     continue
-                config_dict = {
-                    "Reexecution_delay": reexecution_delay,
-                    "C2": [c2_url]
-                }
+                config_dict = {"raw": {"Reexecution_delay": reexecution_delay}, "CNCs": [c2_url]}
                 return config_dict
             except Exception:
                 continue
@@ -177,4 +188,3 @@ if __name__ == "__main__":
     with open(sys.argv[1], "rb") as f:
         config_json = json.dumps(extract_config(f.read()), indent=4)
         print(config_json)
-

cape_parsers/CAPE/core/SmokeLoader.py

@@ -37,7 +37,7 @@ def rc4_decrypt(key, ciphertext):
 
 
 def swap32(x):
-    return int.from_bytes(x.to_bytes(4, byteorder='little'), byteorder='big', signed=False)
+    return int.from_bytes(x.to_bytes(4, byteorder="little"), byteorder="big", signed=False)
 
 
 def decode(buffer):
@@ -104,7 +104,7 @@ def extract_config(filebuf):
             break
         c2list_offset += delta
     if c2list != []:
-        cfg["C2s"] = sorted(list(set(c2list)))
+        cfg["CNCs"] = sorted(list(set(c2list)))
     return cfg
 
 

cape_parsers/CAPE/core/Socks5Systemz.py

@@ -11,15 +11,15 @@ def _is_ip(ip):
 
 
 def extract_config(data):
-    config_dict = {"C2s": []}
+    config_dict = {}
     with suppress(Exception):
         if data[:2] == b"MZ":
             return
         for line in data.decode().split("\n"):
-            if _is_ip(line) and line not in config_dict["C2s"]:
-                config_dict["C2s"].append(line)
+            if _is_ip(line) and line not in config_dict.get("CNCs", []):
+                config_dict["CNCs"].append(line)
             elif line and "\\" in line:
                 config_dict.setdefault("Timestamp path", []).append(line)
-            elif "." in line and "=" not in line and line not in config_dict["C2s"]:
-                config_dict.setdefault("Dummy domain", []).append(line)
+            elif "." in line and "=" not in line and line not in config_dict["CNCs"]:
+                config_dict.setdefault("raw", {}).setdefault("Dummy domain", []).append(line)
         return config_dict

cape_parsers/CAPE/core/SquirrelWaffle.py

@@ -68,9 +68,9 @@ def extract_config(data):
                 try:
                     decrypted = xor_data(line, chunks[i + 1]).decode()
                     if "\r\n" in decrypted and "|" not in decrypted:
-                        config["IP Blocklist"] = list(filter(None, decrypted.split("\r\n")))
+                        config.setdefault("raw", {})["IP Blocklist"] = list(filter(None, decrypted.split("\r\n")))
                     elif "|" in decrypted and "." in decrypted and "\r\n" not in decrypted:
-                        config["URLs"] = list(filter(None, decrypted.split("|")))
+                        config["CNCs"] = list(filter(None, decrypted.split("|")))
                 except Exception:
                     continue
         matches = yara_rules.match(data=data)
@@ -84,5 +84,5 @@ def extract_config(data):
                     c2key_offset = item.instances[0].offset
                     key_rva = struct.unpack("i", data[c2key_offset + 28 : c2key_offset + 32])[0] - pe.OPTIONAL_HEADER.ImageBase
                     key_offset = pe.get_offset_from_rva(key_rva)
-                    config["C2 key"] = string_from_offset(data, key_offset).decode()
+                    config["cryptokey"] = string_from_offset(data, key_offset).decode()
                     return config

cape_parsers/CAPE/core/Strrat.py

@@ -72,6 +72,6 @@ def extract_config(data):
     configdata = unzip_config(data)
 
     if configdata:
-        raw_config["config"] = decode(configdata)
+        raw_config["raw"] = decode(configdata)
 
     return raw_config

cape_parsers/CAPE/core/WarzoneRAT.py

@@ -92,7 +92,8 @@ def extract_config(data):
         c2_host = dtxt[offset : offset + c2_size].decode("utf-16")
         offset += c2_size
         c2_port = struct.unpack("H", dtxt[offset : offset + 2])[0]
-        cfg["C2"] = f"{c2_host}:{c2_port}"
+        # ToDo missed schema
+        cfg["CNCs"] = [f"{c2_host}:{c2_port}"]
         offset += 2
         # unk1 = dtxt[offset : offset + 7]
         offset += 7
@@ -104,7 +105,7 @@ def extract_config(data):
         offset += 2
         runkey_size = struct.unpack("i", dtxt[offset : offset + 4])[0]
         offset += 4
-        cfg["Run Key Name"] = dtxt[offset : offset + runkey_size].decode("utf-16")
+        cfg.setdefault("raw", {})["Run Key Name"] = dtxt[offset : offset + runkey_size].decode("utf-16")
     except struct.error:
         # there is a lot of failed data validation muting it
         return

cape_parsers/CAPE/core/Zloader.py

@@ -76,8 +76,8 @@ def string_from_offset(data, offset):
 
 def parse_config(data):
     parsed = {}
-    parsed["Botnet Id"] = data[4:].split(b"\x00", 1)[0].decode("utf-8")
-    parsed["Campaign Id"] = data[25:].split(b"\x00", 1)[0].decode("utf-8")
+    parsed["botnet"] = data[4:].split(b"\x00", 1)[0].decode("utf-8")
+    parsed["campaign"] = data[25:].split(b"\x00", 1)[0].decode("utf-8")
     c2s = []
     c2_data = data[46:686]
     for i in range(10):
@@ -85,16 +85,17 @@ def parse_config(data):
         chunk = chunk.rstrip(b"\x00")
         if chunk:
             c2s.append(chunk.decode("utf-8"))
-    parsed["C2s"] = c2s
-    parsed["Public Key"] = data[704:].split(b"\x00", 1)[0]
+    parsed["CNCs"] = c2s
+    parsed["cryptokey"] = data[704:].split(b"\x00", 1)[0]
+    parsed["cryptokey_type"] = "RSA Public Key"
     dns_data = data[1004:].split(b"\x00", 1)[0]
     parsed["TLS SNI"] = dns_data.split(b"~")[0].decode("utf-8").rstrip()
     parsed["DNS C2"] = dns_data.split(b"~")[1].decode("utf-8").strip()
     dns_ips = []
-    dns_ips.append(socket.inet_ntoa(data[1204:1208].split(b"\x00",1)[0]))
+    dns_ips.append(socket.inet_ntoa(data[1204:1208].split(b"\x00", 1)[0]))
     dns_ip_data = data[1208:1248]
     for i in range(10):
-        chunk = dns_ip_data[i * 4:(i + 1) * 4]
+        chunk = dns_ip_data[i * 4 : (i + 1) * 4]
         chunk = chunk.rstrip(b"\x00")
         if chunk:
             dns_ips.append(socket.inet_ntoa(chunk))
@@ -103,6 +104,7 @@ def parse_config(data):
 
 
 def extract_config(filebuf):
+    config = {}
     end_config = {}
     pe = pefile.PE(data=filebuf, fast_load=False)
     image_base = pe.OPTIONAL_HEADER.ImageBase
@@ -167,14 +169,15 @@ def extract_config(filebuf):
         enc_data = filebuf[data_offset:].split(b"\0\0", 1)[0]
         raw = decrypt_rc4(key, enc_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
-        end_config["Botnet name"] = items[1].lstrip(b"\x00")
-        end_config["Campaign ID"] = items[2]
+        config["botnet"] = items[1].lstrip(b"\x00")
+        config["campaign"] = items[2]
         for item in items:
             item = item.lstrip(b"\x00")
             if item.startswith(b"http"):
-                end_config.setdefault("address", []).append(item)
+                config.setdefault("CNCs", []).append(item)
             elif len(item) == 16:
-                end_config["RC4 key"] = item
+                config["cryptokey"] = item
+                config["cryptokey_type"] = "RC4"
     elif conf_type == "2" and decrypt_key:
         conf_va = struct.unpack("I", filebuf[decrypt_conf + cva : decrypt_conf + cva + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + cva + 4)
@@ -186,14 +189,15 @@ def extract_config(filebuf):
         conf_data = filebuf[conf_offset : conf_offset + conf_size]
         raw = decrypt_rc4(key, conf_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
-        end_config["Botnet name"] = items[0].decode("utf-8")
-        end_config["Campaign ID"] = items[1].decode("utf-8")
+        config["botnet"] = items[0].decode("utf-8")
+        config["campaign"] = items[1].decode("utf-8")
         for item in items:
             item = item.lstrip(b"\x00")
             if item.startswith(b"http"):
-                end_config.setdefault("address", []).append(item.decode("utf-8"))
+                config.setdefault("CNCs", []).append(item.decode("utf-8"))
             elif b"PUBLIC KEY" in item:
-                end_config["Public key"] = item.decode("utf-8").replace("\n", "")
+                config["cryptokey"] = item.decode("utf-8").replace("\n", "")
+                config["cryptokey_type"] = "RSA Public key"
     elif conf_type == "3" and rc4_chunk1 and rc4_chunk2:
         conf_va = struct.unpack("I", filebuf[decrypt_conf : decrypt_conf + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + 4)
@@ -208,8 +212,10 @@ def extract_config(filebuf):
         conf = decrypt_rc4(decrypt_key, conf_data)
         end_config = parse_config(conf)
 
-    return end_config
+    if config and end_config:
+        config = config.update({"raw": end_config})
 
+    return config
 
 if __name__ == "__main__":
     import sys

cape_parsers/RATDecoders/test_rats.py

@@ -5,6 +5,7 @@ HAVE_MLW_CONFIGS = False
 with suppress(ImportError):
     # We do not install this by default as is outdated now, but if installed will be imported
     from malwareconfig.common import Decoder
+
     HAVE_MLW_CONFIGS = True
 
 

cape_parsers/__init__.py

@@ -12,10 +12,11 @@ from typing import Dict, Tuple
 PARSERS_ROOT = Path(__file__).absolute().parent
 log = logging.getLogger()
 
-def load_cape_parsers(load: str="all", exclude_parsers: list = []):
+
+def load_cape_parsers(load: str = "all", exclude_parsers: list = []):
     """
-        load: all, core, community
-        exclude_parsers: [names of parsers that will be ignored]
+    load: all, core, community
+    exclude_parsers: [names of parsers that will be ignored]
     """
     versions = {
         "cape": "core",
@@ -25,7 +26,9 @@ def load_cape_parsers(load: str="all", exclude_parsers: list = []):
     cape_parsers = {}
     CAPE_DECODERS = {
         "cape": [os.path.basename(decoder)[:-3] for decoder in glob.glob(os.path.join(PARSERS_ROOT, "CAPE", "core", "[!_]*.py"))],
-        "community": [os.path.basename(decoder)[:-3] for decoder in glob.glob(os.path.join(PARSERS_ROOT, "CAPE", "community", "[!_]*.py"))],
+        "community": [
+            os.path.basename(decoder)[:-3] for decoder in glob.glob(os.path.join(PARSERS_ROOT, "CAPE", "community", "[!_]*.py"))
+        ],
     }
 
     for version, names in CAPE_DECODERS.items():
@@ -54,6 +57,7 @@ def load_mwcp_parsers() -> Tuple[Dict[str, str], ModuleType]:
     with suppress(ImportError):
         # We do not install this by default
         import mwcp
+
         HAVE_MWCP = True
 
     if not HAVE_MWCP:
@@ -66,6 +70,7 @@ def load_mwcp_parsers() -> Tuple[Dict[str, str], ModuleType]:
         return {}, mwcp
     return _malware_parsers, mwcp
 
+
 def _malduck_load_decoders():
 
     malduck_modules = {}
@@ -80,6 +85,7 @@ def _malduck_load_decoders():
 
     return malduck_modules
 
+
 """
 def load_malduck_parsers():
     HAVE_MALDUCK = False
@@ -108,6 +114,7 @@ def load_malduck_parsers():
     return malduck_modules
 """
 
+
 def load_malwareconfig_parsers() -> Tuple[bool, dict, ModuleType]:
     try:
         from malwareconfig import fileparser
@@ -125,12 +132,14 @@ def load_malwareconfig_parsers() -> Tuple[bool, dict, ModuleType]:
         log.error(e, exc_info=True)
     return False, False, False
 
+
 def load_ratdecoders_parsers():
     dec_modules = {}
     HAVE_MLW_CONFIGS = False
     with suppress(ImportError):
         # We do not install this by default as is outdated now, but if installed will be imported
         from malwareconfig.common import Decoder
+
         HAVE_MLW_CONFIGS = True
 
     if not HAVE_MLW_CONFIGS:

cape_parsers/deprecated/BlackNix.py

@@ -0,0 +1,59 @@
+import pefile
+
+
+def extract_raw_config(raw_data):
+    try:
+        pe = pefile.PE(data=raw_data)
+        rt_string_idx = [entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE["RT_RCDATA"])
+        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
+        for entry in rt_string_directory.directory.entries:
+            if str(entry.name) == "SETTINGS":
+                data_rva = entry.directory.entries[0].data.struct.OffsetToData
+                size = entry.directory.entries[0].data.struct.Size
+                data = pe.get_memory_mapped_image()[data_rva : data_rva + size]
+                return data.split("}")
+    except Exception:
+        return None
+
+
+def decode(line):
+    return "".join(chr(ord(char) - 1) for char in line)
+
+
+def domain_parse(config):
+    return [domain.split(":", 1)[0] for domain in config["Domains"].split(";")]
+
+
+def extract_config(data):
+    try:
+        config_raw = extract_raw_config(data)
+        if config_raw:
+            return {
+                "mutex": decode(config_raw[1])[::-1],
+                "raw": {
+                    "Anti Sandboxie": decode(config_raw[2])[::-1],
+                    "Max Folder Size": decode(config_raw[3])[::-1],
+                    "Delay Time": decode(config_raw[4])[::-1],
+                    "Password": decode(config_raw[5])[::-1],
+                    "Kernel Mode Unhooking": decode(config_raw[6])[::-1],
+                    "User More Unhooking": decode(config_raw[7])[::-1],
+                    "Melt Server": decode(config_raw[8])[::-1],
+                    "Offline Screen Capture": decode(config_raw[9])[::-1],
+                    "Offline Keylogger": decode(config_raw[10])[::-1],
+                    "Copy To ADS": decode(config_raw[11])[::-1],
+                    "Domain": decode(config_raw[12])[::-1],
+                    "Persistence Thread": decode(config_raw[13])[::-1],
+                    "Active X Key": decode(config_raw[14])[::-1],
+                    "Registry Key": decode(config_raw[15])[::-1],
+                    "Active X Run": decode(config_raw[16])[::-1],
+                    "Registry Run": decode(config_raw[17])[::-1],
+                    "Safe Mode Startup": decode(config_raw[18])[::-1],
+                    "Inject winlogon.exe": decode(config_raw[19])[::-1],
+                    "Install Name": decode(config_raw[20])[::-1],
+                    "Install Path": decode(config_raw[21])[::-1],
+                    "Campaign Name": decode(config_raw[22])[::-1],
+                    "Campaign Group": decode(config_raw[23])[::-1],
+                }
+            }
+    except Exception:
+        return None

cape_parsers/{CAPE/core → deprecated}/BuerLoader.py

@@ -35,5 +35,5 @@ def extract_config(filebuf):
         with suppress(Exception):
             dec = decrypt_string(item.lstrip(b"\x00").rstrip(b"\x00").decode())
         if "dll" not in dec and " " not in dec and ";" not in dec and "." in dec:
-            cfg.setdefault("address", []).append(dec)
+            cfg.setdefault("CNCs", []).append(dec)
         return cfg

cape_parsers/{CAPE/core → deprecated}/ChChes.py

@@ -55,7 +55,7 @@ def string_from_offset(data, offset):
 
 
 def extract_config(filebuf):
-    tmp_config = {}
+    config = {}
     yara_matches = yara_scan(filebuf)
 
     c2_offsets = []
@@ -70,6 +70,6 @@ def extract_config(filebuf):
     for c2_offset in c2_offsets:
         c2_url = string_from_offset(filebuf, c2_offset)
         if c2_url:
-            tmp_config.setdefault("c2_url", []).append(c2_url)
+            config.setdefault("CNCs", []).append(c2_url)
 
-    return tmp_config
+    return config

cape_parsers/{CAPE/core → deprecated}/Enfal.py

@@ -64,7 +64,7 @@ def extract_config(filebuf):
 
         c2_address = string_from_offset(filebuf, yara_offset + 0x2E8)
         if c2_address:
-            return_conf["c2_address"] = c2_address
+            return_conf["CNCs"] = c2_address
 
         c2_url = string_from_offset(filebuf, yara_offset + 0xE8)
         if c2_url:

cape_parsers/{CAPE/core → deprecated}/EvilGrab.py

@@ -16,9 +16,7 @@ DESCRIPTION = "EvilGrab configuration parser."
 AUTHOR = "kevoreilly"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -88,21 +86,22 @@ def extract_config(filebuf):
 
         yara_offset = int(yara_matches[key])
 
+        # ToDo missed schema
         c2_address = string_from_va(pe, yara_offset + values[0])
         if c2_address:
-            end_config["c2_address"] = c2_address
+            end_config["CNCs"] = c2_address
         port = str(struct.unpack("h", filebuf[yara_offset + values[1] : yara_offset + values[1] + 2])[0])
         if port:
-            end_config["port"] = [port, "tcp"]
+            end_config.setdefault("raw", {})["port"] = [port, "tcp"]
         missionid = string_from_va(pe, yara_offset + values[3])
         if missionid:
-            end_config["missionid"] = missionid
+            end_config.setdefault("raw", {})["missionid"] = missionid
         version = string_from_va(pe, yara_offset + values[4])
         if version:
             end_config["version"] = version
         injectionprocess = string_from_va(pe, yara_offset + values[5])
         if injectionprocess:
-            end_config["injectionprocess"] = injectionprocess
+            end_config.setdefault("raw", {})["injectionprocess"] = injectionprocess
         if key != "$configure3":
             mutex = string_from_va(pe, yara_offset - values[6])
             if mutex:

cape_parsers/{CAPE/community → deprecated}/Greame.py

@@ -87,4 +87,6 @@ def parse_config(raw_config):
 def extract_config(data):
     raw_config = get_config(data)
     if raw_config:
-        return parse_config(raw_config)
+        config =  parse_config(raw_config)
+        if config:
+            return {"raw": config}

cape_parsers/{CAPE/core → deprecated}/HttpBrowser.py

@@ -17,9 +17,7 @@ AUTHOR = "kevoreilly"
 
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -91,6 +89,7 @@ def extract_config(filebuf):
     # image_base = pe.OPTIONAL_HEADER.ImageBase
 
     yara_matches = yara_scan(filebuf)
+    config = {}
     tmp_config = {}
     for key, values in match_map.keys():
         if yara_matches.get(key):
@@ -103,23 +102,23 @@ def extract_config(filebuf):
 
                 c2_address = unicode_from_va(pe, yara_offset + values[1])
                 if c2_address:
-                    tmp_config.setdefault("c2_address", []).append(c2_address)
+                    config.setdefault("CNCs", []).append(c2_address)
 
                 if key == "$connect_3":
                     c2_address = unicode_from_va(pe, yara_offset + values[2])
                     if c2_address:
-                        tmp_config.setdefault("c2_address", []).append(c2_address)
+                        config.setdefault("CNCs", []).append(c2_address)
             else:
                 c2_address = unicode_from_va(pe, yara_offset + values[0])
                 if c2_address:
-                    tmp_config["c2_address"] = c2_address
+                    config["CNCs"] = [c2_address]
 
                 filepath = unicode_from_va(pe, yara_offset + values[1])
                 if filepath:
-                    tmp_config["filepath"] = filepath
+                    config["filepath"] = filepath
 
                 injectionprocess = unicode_from_va(pe, yara_offset - values[2])
                 if injectionprocess:
-                    tmp_config["injectionprocess"] = injectionprocess
+                    config["injectionprocess"] = injectionprocess
 
-    return tmp_config
+    return {"raw": tmp_config}.update(config)

cape_parsers/{CAPE/community → deprecated}/Pandora.py

@@ -74,4 +74,6 @@ def extract_config(data):
             clean_config = version_21(raw_config)
         elif len(raw_config) == 20:
             clean_config = version_22(raw_config)
+        if clean_config:
+            clean_config = {"raw": clean_config}
         return clean_config

cape_parsers/{CAPE/community → deprecated}/Punisher.py

@@ -32,4 +32,5 @@ def extract_config(data):
         config_dict["Install Path"] = "TEMP"
     if config_parts[19] == "True":
         config_dict["Install Path"] = "Documents"
-    return config_dict
+    if config_dict:
+        return {"raw": config_dict}

cape_parsers/{CAPE/core → deprecated}/RCSession.py

@@ -16,9 +16,7 @@ DESCRIPTION = "RCSession configuration parser."
 AUTHOR = "kevoreilly"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -99,24 +97,24 @@ def extract_config(filebuf):
 
     c2_address = str(tmp_config[156 : 156 + MAX_IP_STRING_SIZE])
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     c2_address = str(tmp_config[224 : 224 + MAX_IP_STRING_SIZE])
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     installdir = unicode_string_from_offset(bytes(tmp_config), 0x2A8, 128)
     if installdir:
-        end_config["directory"] = installdir
+        end_config.setdefault("raw", {})["directory"] = installdir
     executable = unicode_string_from_offset(tmp_config, 0x4B0, 128)
     if executable:
-        end_config["filename"] = executable
+        end_config.setdefault("raw", {})["filename"] = executable
     servicename = unicode_string_from_offset(tmp_config, 0x530, 128)
     if servicename:
-        end_config["servicename"] = servicename
+        end_config.setdefault("raw", {})["servicename"] = servicename
     displayname = unicode_string_from_offset(tmp_config, 0x738, 128)
     if displayname:
-        end_config["servicedisplayname"] = displayname
+        end_config.setdefault("raw", {})["servicedisplayname"] = displayname
     description = unicode_string_from_offset(tmp_config, 0x940, 512)
     if description:
-        end_config["servicedescription"] = description
+        end_config.setdefault("raw", {})["servicedescription"] = description
 
     return end_config