PyPI - CAPE-parsers - Versions diffs - 0.1.45__py3-none-any.whl → 0.1.46__py3-none-any.whl - Mend

CAPE-parsers 0.1.45py3-none-any.whl → 0.1.46py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

cape_parsers/CAPE/community/AgentTesla.py +18 -9
cape_parsers/CAPE/community/Arkei.py +13 -15
cape_parsers/CAPE/community/AsyncRAT.py +4 -2
cape_parsers/CAPE/community/AuroraStealer.py +9 -6
cape_parsers/CAPE/community/Carbanak.py +7 -7
cape_parsers/CAPE/community/CobaltStrikeBeacon.py +2 -1
cape_parsers/CAPE/community/CobaltStrikeStager.py +4 -1
cape_parsers/CAPE/community/DCRat.py +4 -2
cape_parsers/CAPE/community/Fareit.py +8 -9
cape_parsers/CAPE/community/KoiLoader.py +3 -3
cape_parsers/CAPE/community/LokiBot.py +1 -1
cape_parsers/CAPE/community/Lumma.py +19 -15
cape_parsers/CAPE/community/NanoCore.py +9 -9
cape_parsers/CAPE/community/Nighthawk.py +1 -0
cape_parsers/CAPE/community/Njrat.py +4 -4
cape_parsers/CAPE/community/PhemedroneStealer.py +2 -0
cape_parsers/CAPE/community/Snake.py +29 -16
cape_parsers/CAPE/community/SparkRAT.py +3 -1
cape_parsers/CAPE/community/Stealc.py +86 -64
cape_parsers/CAPE/community/VenomRAT.py +4 -2
cape_parsers/CAPE/community/XWorm.py +4 -2
cape_parsers/CAPE/community/XenoRAT.py +4 -2
cape_parsers/CAPE/community/monsterv2.py +96 -0
cape_parsers/CAPE/core/AdaptixBeacon.py +7 -5
cape_parsers/CAPE/core/Azorult.py +5 -3
cape_parsers/CAPE/core/BitPaymer.py +5 -2
cape_parsers/CAPE/core/BlackDropper.py +10 -5
cape_parsers/CAPE/core/Blister.py +12 -10
cape_parsers/CAPE/core/BruteRatel.py +20 -7
cape_parsers/CAPE/core/BumbleBee.py +29 -17
cape_parsers/CAPE/core/DarkGate.py +3 -3
cape_parsers/CAPE/core/DoppelPaymer.py +4 -2
cape_parsers/CAPE/core/DridexLoader.py +4 -3
cape_parsers/CAPE/core/Formbook.py +2 -2
cape_parsers/CAPE/core/GuLoader.py +2 -5
cape_parsers/CAPE/core/IcedID.py +5 -5
cape_parsers/CAPE/core/IcedIDLoader.py +4 -4
cape_parsers/CAPE/core/Latrodectus.py +10 -7
cape_parsers/CAPE/core/Oyster.py +8 -6
cape_parsers/CAPE/core/PikaBot.py +6 -6
cape_parsers/CAPE/core/PlugX.py +3 -1
cape_parsers/CAPE/core/QakBot.py +2 -1
cape_parsers/CAPE/core/Quickbind.py +7 -11
cape_parsers/CAPE/core/RedLine.py +2 -2
cape_parsers/CAPE/core/Remcos.py +58 -50
cape_parsers/CAPE/core/Rhadamanthys.py +18 -8
cape_parsers/CAPE/core/SmokeLoader.py +2 -2
cape_parsers/CAPE/core/Socks5Systemz.py +5 -5
cape_parsers/CAPE/core/SquirrelWaffle.py +3 -3
cape_parsers/CAPE/core/Strrat.py +1 -1
cape_parsers/CAPE/core/WarzoneRAT.py +3 -2
cape_parsers/CAPE/core/Zloader.py +21 -15
cape_parsers/RATDecoders/test_rats.py +1 -0
cape_parsers/__init__.py +13 -4
cape_parsers/deprecated/BlackNix.py +59 -0
cape_parsers/{CAPE/core → deprecated}/BuerLoader.py +1 -1
cape_parsers/{CAPE/core → deprecated}/ChChes.py +3 -3
cape_parsers/{CAPE/core → deprecated}/Enfal.py +1 -1
cape_parsers/{CAPE/core → deprecated}/EvilGrab.py +5 -6
cape_parsers/{CAPE/community → deprecated}/Greame.py +3 -1
cape_parsers/{CAPE/core → deprecated}/HttpBrowser.py +7 -8
cape_parsers/{CAPE/community → deprecated}/Pandora.py +2 -0
cape_parsers/{CAPE/community → deprecated}/Punisher.py +2 -1
cape_parsers/{CAPE/core → deprecated}/RCSession.py +7 -9
cape_parsers/{CAPE/community → deprecated}/REvil.py +10 -5
cape_parsers/{CAPE/core → deprecated}/RedLeaf.py +5 -7
cape_parsers/{CAPE/community → deprecated}/Retefe.py +0 -2
cape_parsers/{CAPE/community → deprecated}/Rozena.py +2 -5
cape_parsers/{CAPE/community → deprecated}/SmallNet.py +6 -2
{cape_parsers-0.1.45.dist-info → cape_parsers-0.1.46.dist-info}/METADATA +20 -1
cape_parsers-0.1.46.dist-info/RECORD +112 -0
cape_parsers/CAPE/community/BlackNix.py +0 -57
cape_parsers/CAPE/core/Stealc.py +0 -21
cape_parsers-0.1.45.dist-info/RECORD +0 -112
/cape_parsers/{CAPE/community → deprecated}/BackOffLoader.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/BackOffPOS.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/Emotet.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/PoisonIvy.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TSCookie.py +0 -0
/cape_parsers/{CAPE/community → deprecated}/TrickBot.py +0 -0
/cape_parsers/{CAPE/core → deprecated}/UrsnifV3.py +0 -0
{cape_parsers-0.1.45.dist-info → cape_parsers-0.1.46.dist-info}/LICENSE +0 -0
{cape_parsers-0.1.45.dist-info → cape_parsers-0.1.46.dist-info}/WHEEL +0 -0

cape_parsers/CAPE/community/AgentTesla.py CHANGED Viewed

@@ -6,7 +6,8 @@ except ImportError as e:
     print(f"Problem to import extract_strings: {e}")
-def extract_config(data):
+def extract_config(data: bytes):
+    config = {}
     config_dict = {}
     with suppress(Exception):
         if data[:2] == b"MZ":
@@ -22,20 +23,21 @@ def extract_config(data):
             # Data Exfiltration via Telegram
             if "api.telegram.org" in lines[base + x]:
                 config_dict["Protocol"] = "Telegram"
-                config_dict["C2"] = lines[base + x]
+                config["CNCs"] = lines[base + x]
                 config_dict["Password"] = lines[base + x + 1]
                 break
             # Data Exfiltration via Discord
             elif "discord" in lines[base + x]:
                 config_dict["Protocol"] = "Discord"
-                config_dict["C2"] = lines[base + x]
+                config["CNCs"] = [lines[base + x]]
                 break
             # Data Exfiltration via FTP
             elif "ftp:" in lines[base + x]:
                 config_dict["Protocol"] = "FTP"
-                config_dict["C2"] = lines[base + x]
-                config_dict["Username"] = lines[base + x + 1]
-                config_dict["Password"] = lines[base + x + 2]
+                hostname = lines[base + x]
+                username = lines[base + x + 1]
+                password = lines[base + x + 2]
+                config["CNCs"] = [f"ftp://{username}:{password}@{hostname}"]
                 break
             # Data Exfiltration via SMTP
             elif "@" in lines[base + x]:
@@ -45,7 +47,7 @@ def extract_config(data):
                     config_dict["Port"] = lines[base + x - 2]
                 elif lines[base + x - 2] in {"true", "false"} and lines[base + x - 3].isdigit() and len(lines[base + x - 3]) <= 5:
                     config_dict["Port"] = lines[base + x - 3]
-                config_dict["C2"] = lines[base + +x - 1]
+                config_dict["CNCs"] = [lines[base + +x - 1]]
                 config_dict["Username"] = lines[base + x]
                 config_dict["Password"] = lines[base + x + 1]
                 if "@" in lines[base + x + 2]:
@@ -72,6 +74,13 @@ def extract_config(data):
                     for x in range(1, 8):
                         if any(s in lines[base + index + x] for s in temp_match):
                             config_dict["Protocol"] = "HTTP(S)"
-                            config_dict["C2"] = lines[base + index + x]
+                            config["CNCs"] = lines[base + index + x]
                             break
-        return config_dict
+    if config or config_dict:
+        return config.setdefault("raw", config_dict)
+if __name__ == "__main__":
+    import sys
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/community/Arkei.py CHANGED Viewed

@@ -1,7 +1,7 @@
 import struct
 import pefile
 import yara
+from contextlib import suppress
 # Hash = 69ba4e2995d6b11bb319d7373d150560ea295c02773fe5aa9c729bfd2c334e1e
@@ -46,10 +46,10 @@ def xor_data(data, key):
 def extract_config(data):
-    config_dict = {}
+    config = {}
     # Attempt to extract via old method
-    try:
+    with suppress(Exception):
         domain = ""
         uri = ""
         lines = data.decode().split("\n")
@@ -59,14 +59,12 @@ def extract_config(data):
             if line.startswith("/") and line[-4] == ".":
                 uri = line
         if domain and uri:
-            config_dict.setdefault("C2", []).append(f"{domain}{uri}")
-            return config_dict
-    except Exception:
-        pass
+            config.setdefault("CNCs", []).append(f"{domain}{uri}")
+            return config
     # Try with new method
-    #config_dict["Strings"] = []
+    # config_dict["Strings"] = []
     pe = pefile.PE(data=data, fast_load=True)
     image_base = pe.OPTIONAL_HEADER.ImageBase
     domain = ""
@@ -84,17 +82,17 @@ def extract_config(data):
             if rule_str_name.startswith("$decode"):
                 key_rva = data[str_decode_offset + 3 : str_decode_offset + 7]
                 encoded_str_rva = data[str_decode_offset + 8 : str_decode_offset + 12]
-                #dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
+                # dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
             key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
             encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
-            #dword_offset = struct.unpack("i", dword_rva)[0]
-            #dword_name = f"dword_{hex(dword_offset)[2:]}"
+            # dword_offset = struct.unpack("i", dword_rva)[0]
+            # dword_name = f"dword_{hex(dword_offset)[2:]}"
             key = data[key_offset : key_offset + str_size]
             encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
             decoded_str = xor_data(encoded_str, key).decode()
-            #config_dict["Strings"].append({dword_name : decoded_str})
+            # config_dict["Strings"].append({dword_name : decoded_str})
             if last_str in ("http://", "https://"):
                 domain += decoded_str
@@ -114,12 +112,12 @@ def extract_config(data):
             continue
     if domain and uri:
-        config_dict.setdefault("C2", []).append(f"{domain}{uri}")
+        config.setdefault("CNCs", []).append(f"{domain}{uri}")
     if botnet_id:
-        config_dict.setdefault("Botnet ID", botnet_id)
+        config.setdefault("botnet", botnet_id)
-    return config_dict
+    return config
 if __name__ == "__main__":

cape_parsers/CAPE/community/AsyncRAT.py CHANGED Viewed

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
     return config
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/AuroraStealer.py CHANGED Viewed

@@ -32,9 +32,12 @@ def extract_config(data):
             key = item.split(":")[0].strip("{").strip('"')
             value = item.split(":")[1].strip('"')
             if key == "IP":
-                key = "C2"
-            if value:
-                config_dict[key] = value
+                config_dict["CNCs"] = [value]
+            elif key == "BuildID":
+                config_dict["build"] = value
+            else:
+                if value:
+                    config_dict.setdefault("raw", {})[key] = value
     grabber_found = False
@@ -47,13 +50,13 @@ def extract_config(data):
             data_dict = json.loads(decoded_str)
             for elem in data_dict:
                 if elem["Method"] == "DW":
-                    config_dict["Loader module"] = elem
+                    config_dict.setdefault("raw", {})["Loader module"] = elem
         if b"PS" in decoded_str:
             data_dict = json.loads(decoded_str)
             for elem in data_dict:
                 if elem["Method"] == "PS":
-                    config_dict["PowerShell module"] = elem
+                    config_dict.setdefault("raw", {})["PowerShell module"] = elem
         if b"Path" in decoded_str:
             grabber_found = True
@@ -68,6 +71,6 @@ def extract_config(data):
                 if not grabber_found:
                     grabber_found = True
-                    config_dict["Grabber"] = cleanup_str
+                    config_dict.setdefault("raw", {})["Grabber"] = cleanup_str
     return config_dict

cape_parsers/CAPE/community/Carbanak.py CHANGED Viewed

@@ -158,22 +158,22 @@ def extract_config(filebuf):
                 if dec:
                     ver = re.findall(r"^(\d+\.\d+)$", dec)
                     if ver:
-                        cfg["Version"] = ver[0]
+                        cfg["version"] = ver[0]
     data = data_sections[0].get_data()
     items = data.split(b"\x00")
     with suppress(IndexError, UnicodeDecodeError, ValueError):
-        cfg["Unknown 1"] = decode_string(items[0], sbox).decode("utf8")
-        cfg["Unknown 2"] = decode_string(items[8], sbox).decode("utf8")
+        cfg.setdefault("raw", {})["Unknown 1"] = decode_string(items[0], sbox).decode("utf8")
+        cfg.setdefault("raw", {})["Unknown 2"] = decode_string(items[8], sbox).decode("utf8")
         c2_dec = decode_string(items[10], sbox).decode("utf8")
         if "|" in c2_dec:
             c2_dec = c2_dec.split("|")
-        cfg["C2"] = c2_dec
-        if float(cfg["Version"]) < 1.7:
-            cfg["Campaign Id"] = decode_string(items[276], sbox).decode("utf8")
+        cfg["CNCs"] = c2_dec
+        if float(cfg["version"]) < 1.7:
+            cfg["campaign"] = decode_string(items[276], sbox).decode("utf8")
         else:
-            cfg["Campaign Id"] = decode_string(items[25], sbox).decode("utf8")
+            cfg["campaign"] = decode_string(items[25], sbox).decode("utf8")
     return cfg

cape_parsers/CAPE/community/CobaltStrikeBeacon.py CHANGED Viewed

@@ -460,4 +460,5 @@ def extract_config(data):
     output = cobaltstrikeConfig(data).parse_config(as_json=True)
     if output is None:
         output = cobaltstrikeConfig(data).parse_encrypted_config(as_json=True)
-    return output
+    if output:
+        return {"raw": output}

cape_parsers/CAPE/community/CobaltStrikeStager.py CHANGED Viewed

@@ -187,4 +187,7 @@ class StagerConfig:
 def extract_config(data):
     """Config extraction function for CapeV2"""
-    return StagerConfig(data).get_config()
+    config = StagerConfig(data).get_config()
+    if config:
+        return {"raw": config}
+    return {}

cape_parsers/CAPE/community/DCRat.py CHANGED Viewed

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
     return config
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/Fareit.py CHANGED Viewed

@@ -35,10 +35,8 @@ def extract_config(memdump_path, read=False):
     if buf and len(buf[0]) > 200:
         cData = buf[0][200:]
     """
-    artifacts_raw = {
-        "controllers": [],
-        "downloads": [],
-    }
+    config = {}
+    artifacts_raw = {}
     start = F.find(b"YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0")
     if start:
@@ -53,15 +51,16 @@ def extract_config(memdump_path, read=False):
                 # url = self._check_valid_url(url)
                 if url is None:
                     continue
+                url = url.lower()
                 if gate_url.match(url):
-                    artifacts_raw["controllers"].append(url.lower().decode())
+                    config.setdefault("CNCs", []).append(url.decode())
                 elif exe_url.match(url) or dll_url.match(url):
-                    artifacts_raw["downloads"].append(url.lower().decode())
+                    artifacts_raw["downloads"].append(url.decode())
         except Exception as e:
             print(e, sys.exc_info(), "PONY")
-    artifacts_raw["controllers"] = list(set(artifacts_raw["controllers"]))
-    artifacts_raw["downloads"] = list(set(artifacts_raw["downloads"]))
-    return artifacts_raw if len(artifacts_raw["controllers"]) != 0 or len(artifacts_raw["downloads"]) != 0 else False
+    config["CNCs"] = list(set(config["controllers"]))
+    config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
+    return config
 if __name__ == "__main__":

cape_parsers/CAPE/community/KoiLoader.py CHANGED Viewed

@@ -89,7 +89,7 @@ def xor_data(data, key):
 def extract_config(data):
-    config_dict = {"C2": []}
+    config = {}
     xor_key = b""
     encoded_payload = b""
@@ -119,9 +119,9 @@ def extract_config(data):
         encoded_payload = remove_nulls(encoded_payload, encoded_payload_size)
         decoded_payload = xor_data(encoded_payload, xor_key)
-        config_dict["C2"] = find_c2(decoded_payload)
+        config["CNCs"] = find_c2(decoded_payload)
-    return config_dict
+    return config
 if __name__ == "__main__":

cape_parsers/CAPE/community/LokiBot.py CHANGED Viewed

@@ -158,7 +158,7 @@ def decoder(data):
 def extract_config(filebuf):
     urls = decoder(filebuf)
-    return {"address": [url.decode() for url in urls]}
+    return {"CNCs": [url.decode() for url in urls]}
 if __name__ == "__main__":

cape_parsers/CAPE/community/Lumma.py CHANGED Viewed

@@ -287,7 +287,7 @@ def get_build_id_new(data):
 def extract_config(data):
-    config_dict = {}
+    config = {}
     # try to load as a PE
     pe = None
@@ -318,18 +318,18 @@ def extract_config(data):
                 decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config_dict.setdefault("C2", []).append(decoded_c2.decode())
+                config.setdefault("CNCs", []).append(decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
-        if config_dict.get("C2"):
+        if config.get("CNCs"):
             # If found C2 servers try to find build ID
             build_id = get_build_id_new(data)
             if build_id:
-                config_dict["Build ID"] = build_id
+                config["build"] = build_id
     # If no C2s try with the version after Jan 21, 2025
-    if "C2" not in config_dict:
+    if "CNCs" not in config:
         offset = yara_scan(data, RULE_SOURCE_LUMMA)
         if offset:
             key = data[offset + 16 : offset + 48]
@@ -351,20 +351,20 @@ def extract_config(data):
                         decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
-                            config_dict["C2"].append(c2.decode())
+                            config["CNCs"].append(c2.decode())
                             break
                 except Exception:
                     continue
-        if "C2" in config_dict and config_dict["C2"] and pe is not None:
+        if "CNCs" in config and config["CNCs"] and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
-                config_dict["Build ID"] = build_id
+                config["build"] = build_id
     # If no C2s try with version prior to Jan 21, 2025
-    if "C2" not in config_dict:
+    if "CNCs" not in config:
         try:
             if pe is not None:
                 rdata = get_rdata(pe, data)
@@ -384,20 +384,24 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
                     if not contains_non_printable(decoded_c2):
-                        config_dict.setdefault("C2", []).append(decoded_c2.decode())
-                except Exception:
+                        config.setdefault("CNCs", []).append(decoded_c2.decode())
+                except Exception as e:
+                    print(e)
                     continue
-        except Exception:
+        except Exception as e:
+            print(e)
             return
-        if "C2" in config_dict and pe is not None:
+        if "CNCs" in config and pe is not None:
             # If found C2 servers try to find build ID
             build_id = get_build_id(pe, data)
             if build_id:
-                config_dict["Build ID"] = build_id
+                config["build"] = build_id
-    return config_dict
+    print(config)
+    if config:
+        return config
 if __name__ == "__main__":

cape_parsers/CAPE/community/NanoCore.py CHANGED Viewed

@@ -174,21 +174,21 @@ def extract_config(filebuf):
                     pass
                 elif DataType.DATETIME == param["type"]:
                     dt = param["value"]
-                    config_dict[item_name] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")
+                    config_dict.setdefault("raw", {})[item_name] = dt.strftime("%Y-%m-%d %H:%M:%S.%f")
                 else:
-                    config_dict[item_name] = str(param["value"])
+                    config_dict.setdefault("raw", {})[item_name] = str(param["value"])
     except Exception as e:
         log.error("nanocore error: %s", e)
     cncs = []
-    if config_dict.get("PrimaryConnectionHost"):
-        cncs.append(config_dict["PrimaryConnectionHost"])
-    if config_dict.get("PrimaryConnectionHost"):
-        cncs.append(config_dict["BackupConnectionHost"])
-    if config_dict.get("ConnectionPort") and cncs:
-        port = config_dict["ConnectionPort"]
-        config_dict["cncs"] = [f"{cnc}:{port}" for cnc in cncs]
+    if config_dict.get("raw", {}).get("PrimaryConnectionHost"):
+        cncs.append(config_dict["raw"]["PrimaryConnectionHost"])
+    if config_dict.get("raw", {}).get("PrimaryConnectionHost"):
+        cncs.append(config_dict["raw"]["BackupConnectionHost"])
+    if config_dict.get("raw", {}).get("ConnectionPort") and cncs:
+        port = config_dict["raw"]["ConnectionPort"]
+        config_dict["CNCs"] = [f"{cnc}:{port}" for cnc in cncs]
     return config_dict

cape_parsers/CAPE/community/Nighthawk.py CHANGED Viewed

@@ -4,6 +4,7 @@ import json
 import struct
 import pefile
 # import regex as re
 import re
 from Cryptodome.Cipher import AES

cape_parsers/CAPE/community/Njrat.py CHANGED Viewed

@@ -176,11 +176,11 @@ def extract_config(data):
     config = get_clean_config(config_dict)
     if config:
         if config.get("domain") and config.get("port"):
-            conf["cncs"] = [f"{config['domain']}:{config['port']}"]
+            conf["CNCs"] = [f"{config['domain']}:{config['port']}"]
         if config.get("campaign_id"):
-            conf["campaign id"] = config["campaign_id"]
+            conf["campaign"] = config["campaign_id"]
         if config.get("version"):
             conf["version"] = config["version"]

cape_parsers/CAPE/community/PhemedroneStealer.py CHANGED Viewed

@@ -188,4 +188,6 @@ def extract_config(data):
                             value_data = inst_.split(".")[-1].strip()
                             config_field_name, str_list = check_next_inst(pe, body, DnfileParse, index)
                             config_dict[config_field_name] = value_data
+    if config_dict:
+        config_dict = {"raw": config_dict}
     return config_dict

cape_parsers/CAPE/community/Snake.py CHANGED Viewed

@@ -38,7 +38,7 @@ def handle_plain(dotnet_file, c2_type, user_strings):
     if c2_type == "Telegram":
         token = dotnet_file.net.user_strings.get(user_strings_list[15]).value.__str__()
         chat_id = dotnet_file.net.user_strings.get(user_strings_list[16]).value.__str__()
-        return {"Type": "Telegram", "C2": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+        return {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
     elif c2_type == "SMTP":
         smtp_from = dotnet_file.net.user_strings.get(user_strings_list[7]).value.__str__()
         smtp_password = dotnet_file.net.user_strings.get(user_strings_list[8]).value.__str__()
@@ -46,18 +46,26 @@ def handle_plain(dotnet_file, c2_type, user_strings):
         smtp_to = dotnet_file.net.user_strings.get(user_strings_list[10]).value.__str__()
         smtp_port = dotnet_file.net.user_strings.get(user_strings_list[11]).value.__str__()
         return {
-            "Type": "SMTP",
-            "Host": smtp_host,
-            "Port": smtp_port,
-            "From Address": smtp_from,
-            "To Address": smtp_to,
-            "Password": smtp_password,
+            "raw": {
+                "Type": "SMTP",
+                "Host": smtp_host,
+                "Port": smtp_port,
+                "From Address": smtp_from,
+                "To Address": smtp_to,
+                "Password": smtp_password,
+            },
+            "CNCs": [f"smtp://{smtp_host}:{smtp_port}"]
         }
     elif c2_type == "FTP":
         ftp_username = dotnet_file.net.user_strings.get(user_strings_list[12]).value.__str__()
         ftp_password = dotnet_file.net.user_strings.get(user_strings_list[13]).value.__str__()
         ftp_host = dotnet_file.net.user_strings.get(user_strings_list[14]).value.__str__()
-        return {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password}
+        return {
+            "raw": {
+                "Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password},
+            "CNCs": [f"ftp://{ftp_username}:{ftp_password}@{ftp_host}"]
+        }
 def handle_encrypted(dotnet_file, data, c2_type, user_strings):
@@ -98,20 +106,25 @@ def handle_encrypted(dotnet_file, data, c2_type, user_strings):
     if decrypted_strings:
         if c2_type == "Telegram":
             token, chat_id = decrypted_strings
-            config_dict = {"Type": "Telegram", "C2": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
         elif c2_type == "SMTP":
             smtp_from, smtp_password, smtp_host, smtp_to, smtp_port = decrypted_strings
             config_dict = {
-                "Type": "SMTP",
-                "Host": smtp_host,
-                "Port": smtp_port,
-                "From Address": smtp_from,
-                "To Address": smtp_to,
-                "Password": smtp_password,
+                "raw": {
+                    "Type": "SMTP",
+                    "Host": smtp_host,
+                    "Port": smtp_port,
+                    "From Address": smtp_from,
+                    "To Address": smtp_to,
+                    "Password": smtp_password,
+                }
             }
         elif c2_type == "FTP":
             ftp_username, ftp_password, ftp_host = decrypted_strings
-            config_dict = {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password}
+            config_dict = {
+                "raw": {"Type": "FTP", "Host": ftp_host, "Username": ftp_username, "Password": ftp_password},
+                "CNCs": [f"ftp://{ftp_username}:{ftp_password}@{ftp_host}"]
+            }
     return config_dict

cape_parsers/CAPE/community/SparkRAT.py CHANGED Viewed

@@ -59,7 +59,9 @@ def extract_config(data):
             key = f.read(16)
             iv = f.read(16)
             enc_data = f.read(data_len - 32)
-        return decrypt_config(enc_data, key, iv)
+            config = decrypt_config(enc_data, key, iv)
+            if config:
+                return {"raw": config}
     except Exception as e:
         log.error("Configuration decryption failed: %s", e)
         return {}

CAPE-parsers 0.1.45__py3-none-any.whl → 0.1.46__py3-none-any.whl

CAPE-parsers 0.1.45py3-none-any.whl → 0.1.46py3-none-any.whl