CAPE-parsers 0.1.44__tar.gz → 0.1.46__tar.gz

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.44
+Version: 0.1.46
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration
@@ -32,3 +32,22 @@ CAPE core and community parsers
 
 [![PyPI version](https://img.shields.io/pypi/v/CAPE-parsers)](https://pypi.org/project/CAPE-parsers/)
 
+### Configs structure
+```
+CNCs: []
+campaign: str
+botnet: str
+dga_seed: hex str
+version: str
+mutex: str
+user_agent: str
+build: str
+cryptokey: str
+cryptokey_type: str (algorithm). Ex: RC4, RSA public key. salsa20, (x)chacha20
+raw: {any other data goes here}
+```
+* All CNC entries should be in URL format. aka `<schema>://<hostname>:<port>/<uri>`
+    * Schema examples: `tcp://`, `ftp://`, `udp://`, `http(s)`, etc.
+    * Old CAPE configs still have lack of this structures as most of them are dead families.
+    * This CNC simplification make it easier to parse with tools like `tldextract` or `urlparse`
+

cape_parsers-0.1.46/README.md

@@ -0,0 +1,23 @@
+# CAPE-parsers
+CAPE core and community parsers
+
+[![PyPI version](https://img.shields.io/pypi/v/CAPE-parsers)](https://pypi.org/project/CAPE-parsers/)
+
+### Configs structure
+```
+CNCs: []
+campaign: str
+botnet: str
+dga_seed: hex str
+version: str
+mutex: str
+user_agent: str
+build: str
+cryptokey: str
+cryptokey_type: str (algorithm). Ex: RC4, RSA public key. salsa20, (x)chacha20
+raw: {any other data goes here}
+```
+* All CNC entries should be in URL format. aka `<schema>://<hostname>:<port>/<uri>`
+    * Schema examples: `tcp://`, `ftp://`, `udp://`, `http(s)`, etc.
+    * Old CAPE configs still have lack of this structures as most of them are dead families.
+    * This CNC simplification make it easier to parse with tools like `tldextract` or `urlparse`

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/AgentTesla.py

@@ -6,7 +6,8 @@ except ImportError as e:
     print(f"Problem to import extract_strings: {e}")
 
 
-def extract_config(data):
+def extract_config(data: bytes):
+    config = {}
     config_dict = {}
     with suppress(Exception):
         if data[:2] == b"MZ":
@@ -22,20 +23,21 @@ def extract_config(data):
             # Data Exfiltration via Telegram
             if "api.telegram.org" in lines[base + x]:
                 config_dict["Protocol"] = "Telegram"
-                config_dict["C2"] = lines[base + x]
+                config["CNCs"] = lines[base + x]
                 config_dict["Password"] = lines[base + x + 1]
                 break
             # Data Exfiltration via Discord
             elif "discord" in lines[base + x]:
                 config_dict["Protocol"] = "Discord"
-                config_dict["C2"] = lines[base + x]
+                config["CNCs"] = [lines[base + x]]
                 break
             # Data Exfiltration via FTP
             elif "ftp:" in lines[base + x]:
                 config_dict["Protocol"] = "FTP"
-                config_dict["C2"] = lines[base + x]
-                config_dict["Username"] = lines[base + x + 1]
-                config_dict["Password"] = lines[base + x + 2]
+                hostname = lines[base + x]
+                username = lines[base + x + 1]
+                password = lines[base + x + 2]
+                config["CNCs"] = [f"ftp://{username}:{password}@{hostname}"]
                 break
             # Data Exfiltration via SMTP
             elif "@" in lines[base + x]:
@@ -45,7 +47,7 @@ def extract_config(data):
                     config_dict["Port"] = lines[base + x - 2]
                 elif lines[base + x - 2] in {"true", "false"} and lines[base + x - 3].isdigit() and len(lines[base + x - 3]) <= 5:
                     config_dict["Port"] = lines[base + x - 3]
-                config_dict["C2"] = lines[base + +x - 1]
+                config_dict["CNCs"] = [lines[base + +x - 1]]
                 config_dict["Username"] = lines[base + x]
                 config_dict["Password"] = lines[base + x + 1]
                 if "@" in lines[base + x + 2]:
@@ -72,6 +74,13 @@ def extract_config(data):
                     for x in range(1, 8):
                         if any(s in lines[base + index + x] for s in temp_match):
                             config_dict["Protocol"] = "HTTP(S)"
-                            config_dict["C2"] = lines[base + index + x]
+                            config["CNCs"] = lines[base + index + x]
                             break
-        return config_dict
+    if config or config_dict:
+        return config.setdefault("raw", config_dict)
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/Arkei.py

@@ -1,7 +1,7 @@
 import struct
 import pefile
 import yara
-
+from contextlib import suppress
 
 # Hash = 69ba4e2995d6b11bb319d7373d150560ea295c02773fe5aa9c729bfd2c334e1e
 
@@ -46,10 +46,10 @@ def xor_data(data, key):
 
 
 def extract_config(data):
-    config_dict = {}
+    config = {}
 
     # Attempt to extract via old method
-    try:
+    with suppress(Exception):
         domain = ""
         uri = ""
         lines = data.decode().split("\n")
@@ -59,14 +59,12 @@ def extract_config(data):
             if line.startswith("/") and line[-4] == ".":
                 uri = line
         if domain and uri:
-            config_dict.setdefault("C2", []).append(f"{domain}{uri}")
-            return config_dict
-    except Exception:
-        pass
+            config.setdefault("CNCs", []).append(f"{domain}{uri}")
+            return config
 
     # Try with new method
 
-    #config_dict["Strings"] = []
+    # config_dict["Strings"] = []
     pe = pefile.PE(data=data, fast_load=True)
     image_base = pe.OPTIONAL_HEADER.ImageBase
     domain = ""
@@ -84,17 +82,17 @@ def extract_config(data):
             if rule_str_name.startswith("$decode"):
                 key_rva = data[str_decode_offset + 3 : str_decode_offset + 7]
                 encoded_str_rva = data[str_decode_offset + 8 : str_decode_offset + 12]
-                #dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
+                # dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
 
             key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
             encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
-            #dword_offset = struct.unpack("i", dword_rva)[0]
-            #dword_name = f"dword_{hex(dword_offset)[2:]}"
+            # dword_offset = struct.unpack("i", dword_rva)[0]
+            # dword_name = f"dword_{hex(dword_offset)[2:]}"
 
             key = data[key_offset : key_offset + str_size]
             encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
             decoded_str = xor_data(encoded_str, key).decode()
-            #config_dict["Strings"].append({dword_name : decoded_str})
+            # config_dict["Strings"].append({dword_name : decoded_str})
 
             if last_str in ("http://", "https://"):
                 domain += decoded_str
@@ -114,12 +112,12 @@ def extract_config(data):
             continue
 
     if domain and uri:
-        config_dict.setdefault("C2", []).append(f"{domain}{uri}")
+        config.setdefault("CNCs", []).append(f"{domain}{uri}")
 
     if botnet_id:
-        config_dict.setdefault("Botnet ID", botnet_id)
+        config.setdefault("botnet", botnet_id)
 
-    return config_dict
+    return config
 
 
 if __name__ == "__main__":

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/AsyncRAT.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/AuroraStealer.py

@@ -32,9 +32,12 @@ def extract_config(data):
             key = item.split(":")[0].strip("{").strip('"')
             value = item.split(":")[1].strip('"')
             if key == "IP":
-                key = "C2"
-            if value:
-                config_dict[key] = value
+                config_dict["CNCs"] = [value]
+            elif key == "BuildID":
+                config_dict["build"] = value
+            else:
+                if value:
+                    config_dict.setdefault("raw", {})[key] = value
 
     grabber_found = False
 
@@ -47,13 +50,13 @@ def extract_config(data):
             data_dict = json.loads(decoded_str)
             for elem in data_dict:
                 if elem["Method"] == "DW":
-                    config_dict["Loader module"] = elem
+                    config_dict.setdefault("raw", {})["Loader module"] = elem
 
         if b"PS" in decoded_str:
             data_dict = json.loads(decoded_str)
             for elem in data_dict:
                 if elem["Method"] == "PS":
-                    config_dict["PowerShell module"] = elem
+                    config_dict.setdefault("raw", {})["PowerShell module"] = elem
 
         if b"Path" in decoded_str:
             grabber_found = True
@@ -68,6 +71,6 @@ def extract_config(data):
 
                 if not grabber_found:
                     grabber_found = True
-                    config_dict["Grabber"] = cleanup_str
+                    config_dict.setdefault("raw", {})["Grabber"] = cleanup_str
 
     return config_dict

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/Carbanak.py

@@ -158,22 +158,22 @@ def extract_config(filebuf):
                 if dec:
                     ver = re.findall(r"^(\d+\.\d+)$", dec)
                     if ver:
-                        cfg["Version"] = ver[0]
+                        cfg["version"] = ver[0]
 
     data = data_sections[0].get_data()
     items = data.split(b"\x00")
 
     with suppress(IndexError, UnicodeDecodeError, ValueError):
-        cfg["Unknown 1"] = decode_string(items[0], sbox).decode("utf8")
-        cfg["Unknown 2"] = decode_string(items[8], sbox).decode("utf8")
+        cfg.setdefault("raw", {})["Unknown 1"] = decode_string(items[0], sbox).decode("utf8")
+        cfg.setdefault("raw", {})["Unknown 2"] = decode_string(items[8], sbox).decode("utf8")
         c2_dec = decode_string(items[10], sbox).decode("utf8")
         if "|" in c2_dec:
             c2_dec = c2_dec.split("|")
-        cfg["C2"] = c2_dec
-        if float(cfg["Version"]) < 1.7:
-            cfg["Campaign Id"] = decode_string(items[276], sbox).decode("utf8")
+        cfg["CNCs"] = c2_dec
+        if float(cfg["version"]) < 1.7:
+            cfg["campaign"] = decode_string(items[276], sbox).decode("utf8")
         else:
-            cfg["Campaign Id"] = decode_string(items[25], sbox).decode("utf8")
+            cfg["campaign"] = decode_string(items[25], sbox).decode("utf8")
 
     return cfg
 

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py

@@ -460,4 +460,5 @@ def extract_config(data):
     output = cobaltstrikeConfig(data).parse_config(as_json=True)
     if output is None:
         output = cobaltstrikeConfig(data).parse_encrypted_config(as_json=True)
-    return output
+    if output:
+        return {"raw": output}

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/CobaltStrikeStager.py

@@ -187,4 +187,7 @@ class StagerConfig:
 
 def extract_config(data):
     """Config extraction function for CapeV2"""
-    return StagerConfig(data).get_config()
+    config = StagerConfig(data).get_config()
+    if config:
+        return {"raw": config}
+    return {}

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/DCRat.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/Fareit.py

@@ -35,10 +35,8 @@ def extract_config(memdump_path, read=False):
     if buf and len(buf[0]) > 200:
         cData = buf[0][200:]
     """
-    artifacts_raw = {
-        "controllers": [],
-        "downloads": [],
-    }
+    config = {}
+    artifacts_raw = {}
 
     start = F.find(b"YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0")
     if start:
@@ -53,15 +51,16 @@ def extract_config(memdump_path, read=False):
                 # url = self._check_valid_url(url)
                 if url is None:
                     continue
+                url = url.lower()
                 if gate_url.match(url):
-                    artifacts_raw["controllers"].append(url.lower().decode())
+                    config.setdefault("CNCs", []).append(url.decode())
                 elif exe_url.match(url) or dll_url.match(url):
-                    artifacts_raw["downloads"].append(url.lower().decode())
+                    artifacts_raw["downloads"].append(url.decode())
         except Exception as e:
             print(e, sys.exc_info(), "PONY")
-    artifacts_raw["controllers"] = list(set(artifacts_raw["controllers"]))
-    artifacts_raw["downloads"] = list(set(artifacts_raw["downloads"]))
-    return artifacts_raw if len(artifacts_raw["controllers"]) != 0 or len(artifacts_raw["downloads"]) != 0 else False
+    config["CNCs"] = list(set(config["controllers"]))
+    config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
+    return config
 
 
 if __name__ == "__main__":

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/KoiLoader.py

@@ -89,7 +89,7 @@ def xor_data(data, key):
 
 
 def extract_config(data):
-    config_dict = {"C2": []}
+    config = {}
 
     xor_key = b""
     encoded_payload = b""
@@ -119,9 +119,9 @@ def extract_config(data):
         encoded_payload = remove_nulls(encoded_payload, encoded_payload_size)
         decoded_payload = xor_data(encoded_payload, xor_key)
 
-        config_dict["C2"] = find_c2(decoded_payload)
+        config["CNCs"] = find_c2(decoded_payload)
 
-    return config_dict
+    return config
 
 
 if __name__ == "__main__":

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/LokiBot.py

@@ -158,7 +158,7 @@ def decoder(data):
 def extract_config(filebuf):
 
     urls = decoder(filebuf)
-    return {"address": [url.decode() for url in urls]}
+    return {"CNCs": [url.decode() for url in urls]}
 
 
 if __name__ == "__main__":

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/Lumma.py

@@ -75,7 +75,6 @@ RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2 = """rule LummaConfigNewEncryptedStrings
 }"""
 
 
-
 def yara_scan_generator(raw_data, rule_source):
     yara_rules = yara.compile(source=rule_source)
     matches = yara_rules.match(data=raw_data)
@@ -198,10 +197,22 @@ def chacha20_block(key, nonce, blocknum):
     nonce_words = words_from_bytes(nonce)
 
     original_block = [
-        constant_words[0],  constant_words[1],  constant_words[2],  constant_words[3],
-        key_words[0],       key_words[1],       key_words[2],       key_words[3],
-        key_words[4],       key_words[5],       key_words[6],       key_words[7],
-        mask32(blocknum),   nonce_words[0],     nonce_words[1],     nonce_words[2],
+        constant_words[0],
+        constant_words[1],
+        constant_words[2],
+        constant_words[3],
+        key_words[0],
+        key_words[1],
+        key_words[2],
+        key_words[3],
+        key_words[4],
+        key_words[5],
+        key_words[6],
+        key_words[7],
+        mask32(blocknum),
+        nonce_words[0],
+        nonce_words[1],
+        nonce_words[2],
     ]
 
     permuted_block = list(original_block)
@@ -241,7 +252,7 @@ def extract_c2_domain(data):
 
 
 def find_encrypted_c2_blocks(data):
-    pattern = rb'(.{128})\x00'
+    pattern = rb"(.{128})\x00"
     for match in re.findall(pattern, data, re.DOTALL):
         yield match
 
@@ -251,9 +262,9 @@ def get_build_id(pe, data):
     image_base = pe.OPTIONAL_HEADER.ImageBase
     for offset in yara_scan_generator(data, RULE_SOURCE_BUILD_ID):
         try:
-            build_id_data_rva = struct.unpack('i', data[offset + 2 : offset + 6])[0]
+            build_id_data_rva = struct.unpack("i", data[offset + 2 : offset + 6])[0]
             build_id_dword_offset = pe.get_offset_from_rva(build_id_data_rva - image_base)
-            build_id_dword_rva = struct.unpack('i', data[build_id_dword_offset : build_id_dword_offset + 4])[0]
+            build_id_dword_rva = struct.unpack("i", data[build_id_dword_offset : build_id_dword_offset + 4])[0]
             build_id_offset = pe.get_offset_from_rva(build_id_dword_rva - image_base)
             build_id = pe.get_string_from_data(build_id_offset, data)
             if not contains_non_printable(build_id):
@@ -263,18 +274,20 @@ def get_build_id(pe, data):
             continue
     return build_id
 
+
 def get_build_id_new(data):
     build_id = ""
-    pattern = b'123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00'
+    pattern = b"123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00"
     offset = data.find(pattern)
     if offset != -1:
-        build_id = data[offset + len(pattern):].split(b'\x00', 1)[0]
+        build_id = data[offset + len(pattern) :].split(b"\x00", 1)[0]
         build_id = build_id.decode()
 
     return build_id
 
+
 def extract_config(data):
-    config_dict = {"C2": []}
+    config = {}
 
     # try to load as a PE
     pe = None
@@ -287,37 +300,36 @@ def extract_config(data):
     key = None
     nonce = None
     for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_KEYS):
-        key_rva = struct.unpack('i', data[offset + 1 : offset + 5])[0]
+        key_rva = struct.unpack("i", data[offset + 1 : offset + 5])[0]
         key_offset = pe.get_offset_from_rva(key_rva - image_base)
         key = data[key_offset : key_offset + 32]
-        nonce_rva = struct.unpack('i', data[offset + 20 : offset + 24])[0]
+        nonce_rva = struct.unpack("i", data[offset + 20 : offset + 24])[0]
         nonce_offset = pe.get_offset_from_rva(nonce_rva - image_base)
-        nonce = b'\x00\x00\x00\x00' + data[nonce_offset : nonce_offset + 8]
+        nonce = b"\x00\x00\x00\x00" + data[nonce_offset : nonce_offset + 8]
 
     if key and nonce:
         for offset in yara_scan_generator(data, RULE_SOURCE_LUMMA_NEW_ENCRYPTED_C2):
-            encrypted_strings_rva = struct.unpack('i', data[offset + 5 : offset + 9])[0]
+            encrypted_strings_rva = struct.unpack("i", data[offset + 5 : offset + 9])[0]
             encrypted_strings_offset = pe.get_offset_from_rva(encrypted_strings_rva - image_base)
             step_size = 0x80
             counter = 2
             for i in range(12):
-                encrypted_string = data[encrypted_strings_offset:encrypted_strings_offset+40]
-                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b'\x00', 1)[0]
+                encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
+                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config_dict["C2"].append(decoded_c2.decode())
+                config.setdefault("CNCs", []).append(decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
 
-        if config_dict["C2"]:
+        if config.get("CNCs"):
             # If found C2 servers try to find build ID
             build_id = get_build_id_new(data)
             if build_id:
-                config_dict["Build ID"] = build_id
-
+                config["build"] = build_id
 
     # If no C2s try with the version after Jan 21, 2025
-    if not config_dict["C2"]:
+    if "CNCs" not in config:
         offset = yara_scan(data, RULE_SOURCE_LUMMA)
         if offset:
             key = data[offset + 16 : offset + 48]
@@ -327,7 +339,7 @@ def extract_config(data):
                 try:
                     start_offset = offset + 56 + (i * 4)
                     end_offset = start_offset + 4
-                    c2_dword_rva = struct.unpack('i', data[start_offset : end_offset])[0]
+                    c2_dword_rva = struct.unpack("i", data[start_offset:end_offset])[0]
                     if pe:
                         c2_dword_offset = pe.get_offset_from_rva(c2_dword_rva - image_base)
                     else:
@@ -339,22 +351,20 @@ def extract_config(data):
                         decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
-                            config_dict["C2"].append(c2.decode())
+                            config["CNCs"].append(c2.decode())
                             break
 
                 except Exception:
                     continue
 
-        if config_dict["C2"] and pe is not None:
+        if "CNCs" in config and config["CNCs"] and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
-                config_dict["Build ID"] = build_id
-
+                config["build"] = build_id
 
     # If no C2s try with version prior to Jan 21, 2025
-    if not config_dict["C2"]:
-
+    if "CNCs" not in config:
         try:
             if pe is not None:
                 rdata = get_rdata(pe, data)
@@ -374,21 +384,24 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
 
                     if not contains_non_printable(decoded_c2):
-                        config_dict["C2"].append(decoded_c2.decode())
-                except Exception:
+                        config.setdefault("CNCs", []).append(decoded_c2.decode())
+                except Exception as e:
+                    print(e)
                     continue
 
-        except Exception:
+        except Exception as e:
+            print(e)
             return
 
-        if config_dict["C2"] and pe is not None:
+        if "CNCs" in config and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
-                config_dict["Build ID"] = build_id
-
+                config["build"] = build_id
 
-    return config_dict
+    print(config)
+    if config:
+        return config
 
 
 if __name__ == "__main__":

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/NanoCore.py

@@ -174,21 +174,21 @@ def extract_config(filebuf):
                     pass
                 elif DataType.DATETIME == param["type"]:
                     dt = param["value"]
-                    config_dict[item_name] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")
+                    config_dict.setdefault("raw", {})[item_name] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")
                 else:
-                    config_dict[item_name] = str(param["value"])
+                    config_dict.setdefault("raw", {})[item_name] = str(param["value"])
     except Exception as e:
         log.error("nanocore error: %s", e)
 
     cncs = []
 
-    if config_dict.get("PrimaryConnectionHost"):
-        cncs.append(config_dict["PrimaryConnectionHost"])
-    if config_dict.get("PrimaryConnectionHost"):
-        cncs.append(config_dict["BackupConnectionHost"])
-    if config_dict.get("ConnectionPort") and cncs:
-        port = config_dict["ConnectionPort"]
-        config_dict["cncs"] = [f"{cnc}:{port}" for cnc in cncs]
+    if config_dict.get("raw", {}).get("PrimaryConnectionHost"):
+        cncs.append(config_dict["raw"]["PrimaryConnectionHost"])
+    if config_dict.get("raw", {}).get("PrimaryConnectionHost"):
+        cncs.append(config_dict["raw"]["BackupConnectionHost"])
+    if config_dict.get("raw", {}).get("ConnectionPort") and cncs:
+        port = config_dict["raw"]["ConnectionPort"]
+        config_dict["CNCs"] = [f"{cnc}:{port}" for cnc in cncs]
     return config_dict
 
 

{cape_parsers-0.1.44 → cape_parsers-0.1.46}/cape_parsers/CAPE/community/Nighthawk.py

@@ -4,6 +4,7 @@ import json
 import struct
 
 import pefile
+
 # import regex as re
 import re
 from Cryptodome.Cipher import AES