CAPE-parsers 0.1.45__py3-none-any.whl → 0.1.46__py3-none-any.whl

cape_parsers/{CAPE/community → deprecated}/REvil.py

@@ -47,7 +47,7 @@ def decodeREvilConfig(config_key, config_data):
     ECX = EAX = ESI = 0
 
     for char in init255:
-        ESI = ((char & 0xFF) + (ord(key[EAX % len(key)]) + ESI)) & 0xFF
+        ESI = ((char & 0xFF) + (key[EAX % len(key)] + ESI)) & 0xFF
         init255[EAX] = init255[ESI] & 0xFF
         EAX += 1
         init255[ESI] = char & 0xFF
@@ -61,7 +61,7 @@ def decodeREvilConfig(config_key, config_data):
         ESI = (ESI + DL) & 0xFF
         init255[ECX] = init255[ESI]
         init255[ESI] = DL
-        decoded_config.append((init255[((init255[ECX] + DL) & 0xFF)]) ^ ord(char))
+        decoded_config.append((init255[((init255[ECX] + DL) & 0xFF)]) ^ char)
         EAX = LOCAL1
 
     return json.loads("".join(map(chr, decoded_config)))
@@ -74,12 +74,17 @@ def extract_config(data):
 
     if len(pe.sections) == 5:
         section_names = getSectionNames(pe.sections)
-        required_sections = (".text", ".rdata", ".data", ".reloc")
+        required_sections = (b".text", b".rdata", b".data", b".reloc")
 
-        # print section_names
         if all(sections in section_names for sections in required_sections):
             # print("all required section names found")
-            config_section_name = [resource for resource in section_names if resource not in required_sections][0]
+            section_names_set = set(section_names)
+            required_sections_set = set(required_sections)
+            config_section_names = section_names_set - required_sections_set
+            if len(config_section_names) == 1:
+                config_section_name = config_section_names.pop()
+            else:
+                return None # Or raise an exception, depending on desired behavior
             config_key, config_data = getREvilKeyAndConfig(pe.sections, config_section_name)
             if config_key and config_data:
                 return decodeREvilConfig(config_key, config_data)

cape_parsers/{CAPE/core → deprecated}/RedLeaf.py

@@ -16,9 +16,7 @@ DESCRIPTION = "RedLeaf configuration parser."
 AUTHOR = "kevoreilly"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """
@@ -90,21 +88,21 @@ def extract_config(filebuf):
     end_config = {}
     c2_address = tmp_config[8 : 8 + MAX_IP_STRING_SIZE]
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     c2_address = tmp_config[0x48 : 0x48 + MAX_IP_STRING_SIZE]
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     c2_address = tmp_config[0x88 : 0x88 + MAX_IP_STRING_SIZE]
     if c2_address:
-        end_config.setdefault("c2_address", []).append(c2_address)
+        end_config.setdefault("CNCs", []).append(c2_address)
     missionid = string_from_offset(tmp_config, 0x1EC)
     if missionid:
-        end_config["missionid"] = missionid
+        end_config.setdefault("raw", {})["missionid"] = missionid
     mutex = unicode_string_from_offset(tmp_config, 0x508)
     if mutex:
         end_config["mutex"] = mutex
     key = string_from_offset(tmp_config, 0x832)
     if key:
-        end_config["key"] = key
+        end_config["cryptokey"] = key
 
     return end_config

cape_parsers/{CAPE/community → deprecated}/Retefe.py

@@ -7,9 +7,7 @@ DESCRIPTION = "Retefe configuration parser."
 AUTHOR = "Tomasuh"
 
 import struct
-
 import pefile
-
 import yara
 
 rule_source = """

cape_parsers/{CAPE/community → deprecated}/Rozena.py

@@ -9,8 +9,5 @@ def extract_config(data: bytes):
     if matches:
         ip = "".join(".".join(f"{c}" for c in matches[0][0]))
         port = int.from_bytes(matches[0][1], byteorder="big")
-
-        config_dict["C2"] = ip
-        config_dict["Port"] = port
-
-    return config_dict
+        config_dict["CNCs"] = f"{ip}:{port}"
+    return {}

cape_parsers/{CAPE/community → deprecated}/SmallNet.py

@@ -96,8 +96,12 @@ def ver_5(data):
 
 
 def extract_config(data):
+    config = {}
     if "!!<3SAFIA<3!!" in data:
-        return ver_52(data)
+        config = ver_52(data)
 
     elif "!!ElMattadorDz!!" in data:
-        return ver_5(data)
+        config = ver_5(data)
+
+    if config:
+        return {"raw": config}

{cape_parsers-0.1.45.dist-info → cape_parsers-0.1.46.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.45
+Version: 0.1.46
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration
@@ -32,3 +32,22 @@ CAPE core and community parsers
 
 [![PyPI version](https://img.shields.io/pypi/v/CAPE-parsers)](https://pypi.org/project/CAPE-parsers/)
 
+### Configs structure
+```
+CNCs: []
+campaign: str
+botnet: str
+dga_seed: hex str
+version: str
+mutex: str
+user_agent: str
+build: str
+cryptokey: str
+cryptokey_type: str (algorithm). Ex: RC4, RSA public key. salsa20, (x)chacha20
+raw: {any other data goes here}
+```
+* All CNC entries should be in URL format. aka `<schema>://<hostname>:<port>/<uri>`
+    * Schema examples: `tcp://`, `ftp://`, `udp://`, `http(s)`, etc.
+    * Old CAPE configs still have lack of this structures as most of them are dead families.
+    * This CNC simplification make it easier to parse with tools like `tldextract` or `urlparse`
+

cape_parsers-0.1.46.dist-info/RECORD

@@ -0,0 +1,112 @@
+cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
+cape_parsers/CAPE/community/AgentTesla.py,sha256=rHhTmINQ0bGZEiJ5NhCKPhGobcifq3FDWZItgHTpBC8,3796
+cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
+cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
+cape_parsers/CAPE/community/AuroraStealer.py,sha256=C0j9SZDJRi107PbfYZ9G168MCyqYItrI-XK5k0Bp4tE,2632
+cape_parsers/CAPE/community/Carbanak.py,sha256=Smi_vTWDfWxYBQa661ZIy0624IYJA22LMHAJEQbstpk,5607
+cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=Z40uxQ_OExtky7dIC372golAiuW9bR-_5TDBMBqsCo0,19427
+cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=HLxROBjz453uHNq1bPz0VSAhtyWDfz79ZacTPdjuWmY,7535
+cape_parsers/CAPE/community/DCRat.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
+cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ5F0C1Iac,1875
+cape_parsers/CAPE/community/KoiLoader.py,sha256=F2gsgCvrVuwxY1bg8rlexsjCjikAP5HIGGOqU8zhT8E,4008
+cape_parsers/CAPE/community/LokiBot.py,sha256=YGYfQ7Wr8PA2QW37yfoyh5cFAz2zxgOmpHOHIvy9CsM,5657
+cape_parsers/CAPE/community/Lumma.py,sha256=Hz72U6i2apU6N5gj5IXnZ9HkbOqKDvW1EMnIge8sNQc,12167
+cape_parsers/CAPE/community/NanoCore.py,sha256=8QZnf1AcY9481kSfsf3SHQShwPLn97peGAf8_xEasQc,6230
+cape_parsers/CAPE/community/Nighthawk.py,sha256=8ss8yvslrwUt53zV6U0xuwGKU3hgYfOt13S5lkOVpNo,12105
+cape_parsers/CAPE/community/Njrat.py,sha256=GiwSENBB43RUqyJ7zT7ZPkPUYqo8Ew4kd5MJUj0jzdc,4702
+cape_parsers/CAPE/community/PhemedroneStealer.py,sha256=Z7_PdxC8bmd6P3AqOm7AHVRrbEVuREwMWbyLVHaAhK0,7095
+cape_parsers/CAPE/community/QuasarRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
+cape_parsers/CAPE/community/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
+cape_parsers/CAPE/community/Snake.py,sha256=-x3Bfhs2HAuxNakUnAX1mm-mgtarJkD9U_fucmVY3u4,6638
+cape_parsers/CAPE/community/SparkRAT.py,sha256=OVDty_1i9PTGuEumT0BHoDn0bD2UtdhHVNjThah80pg,2140
+cape_parsers/CAPE/community/Stealc.py,sha256=RddvMmFmq85J3pCqtpACT1n6k02P1_GsxXIidtveNa4,5102
+cape_parsers/CAPE/community/VenomRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
+cape_parsers/CAPE/community/XWorm.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
+cape_parsers/CAPE/community/XenoRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
+cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cape_parsers/CAPE/community/monsterv2.py,sha256=Y9DDN7OvC08QMGjN90sGA7E6A0fKG4tIKaQLiEcdjvQ,2995
+cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=40wMfrXt-7UG30WsLC5GxUtG6tSUaaP1OT-ntWzPZn0,2956
+cape_parsers/CAPE/core/Azorult.py,sha256=YkMIhC6zRTxEkLVMUdr2MMsbV9iAnZ8hUS8be9GZ5N4,2150
+cape_parsers/CAPE/core/BitPaymer.py,sha256=HQwoE0o7HMiXItxE08vBenf2ZWMxZp84-Hf_1eZ8QdE,3050
+cape_parsers/CAPE/core/BlackDropper.py,sha256=sCSu2T5oPvcFHlSAzSsLj_gCv2Tldl0UPguwy0MVg6A,3282
+cape_parsers/CAPE/core/Blister.py,sha256=wprcJMHixv4JHGqBjQeu26BJ6HgXeBMobh10Y-H6-Xg,18173
+cape_parsers/CAPE/core/BruteRatel.py,sha256=_hFAYLbOsHdekWPOMXRmIYNXTNeNQSs3LZqh7xAVI2U,1147
+cape_parsers/CAPE/core/BumbleBee.py,sha256=qyfvRw1pkc3lPsSrwg8y2W6_ciW3sluijdYcHe27iHY,10062
+cape_parsers/CAPE/core/DarkGate.py,sha256=ppSRDfw-u2NltzQlrVvRwqxGaprShuv5CrwbNbnSvaw,3477
+cape_parsers/CAPE/core/DoppelPaymer.py,sha256=LPAQ-7imcAWFciAd7Qb_r6js2PdIsTt9fRdYKoEkFMg,2537
+cape_parsers/CAPE/core/DridexLoader.py,sha256=8NKppvGz7tVXnNTGEgS7R3LGn5vtW4xslQYbo38wQUg,7087
+cape_parsers/CAPE/core/Formbook.py,sha256=rvf0BRuRl_v8K9SJuSSfbVVMWLSTEemIgP3NtPp2vFM,550
+cape_parsers/CAPE/core/GuLoader.py,sha256=wH6t1e7rO60Bwe0ulqFdZq12-M087zT5WQtC_Wn2biU,354
+cape_parsers/CAPE/core/IcedID.py,sha256=TEsvFq8qHz_D5kIURKWSC4lbvWaQbMriDZ3jQsVu2VA,4029
+cape_parsers/CAPE/core/IcedIDLoader.py,sha256=YUOEILpTycO01KK4qqAxGSplsRVs2EzjscUw4T-DGWs,1602
+cape_parsers/CAPE/core/Latrodectus.py,sha256=j7qq_R2fB9ls3jnm1zwWe-md29QONZN71I2MAQ0T0h4,7614
+cape_parsers/CAPE/core/Oyster.py,sha256=QStBScevJuLyd5d4Rw093SxTlbRG1LFkDwYgmjZx-EQ,4881
+cape_parsers/CAPE/core/PikaBot.py,sha256=6Q8goXfMsSoU8UkdE9iuZY2KTxX_AmWhH1szke_HfWA,5280
+cape_parsers/CAPE/core/PlugX.py,sha256=lGwr1T3mttG6CTbZCj_Cf5HnOad60A3LP264jlCsGsc,13192
+cape_parsers/CAPE/core/QakBot.py,sha256=SmXRuwOiaDLL7uN9RwCiQP62P3ctxGJ6y54zJG9yuyM,18230
+cape_parsers/CAPE/core/Quickbind.py,sha256=5A077RFQQOL8dtr2Q9vmlTKsWk96JkRWuHGseApyTmU,3675
+cape_parsers/CAPE/core/README.md,sha256=Zd84WEUj9NzKzGnVZV1jx6gMiEOtz01m32B7xEuS91k,17
+cape_parsers/CAPE/core/RedLine.py,sha256=bZeKLvxaS6HDpWY4RDXtSEBt93qTNzZG5iE6FNS0dOY,5734
+cape_parsers/CAPE/core/Remcos.py,sha256=nKn_4lwjX7xGkLGFmt3WAG1HEgmKCncIbkv7Je7W6vM,9477
+cape_parsers/CAPE/core/Rhadamanthys.py,sha256=mx7kEF1e8LJZbwh2uUwU56ZKgrpLqZvYVDoqm-Dvl9w,6075
+cape_parsers/CAPE/core/SmokeLoader.py,sha256=ruQ_GDiZvqtGxUTbN2N6fajUYWkIylFTvMXijgZ8L20,3890
+cape_parsers/CAPE/core/Socks5Systemz.py,sha256=jSt6QejL5K99dIB3qdItvUHL28w6N60xuwc8EQHM5Mk,783
+cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=UMha7l60fL64VPHxueFUnCEGaO-CXau5ftEyK-Wv__o,3308
+cape_parsers/CAPE/core/Strrat.py,sha256=PAKTzGZCdblXr4pNKsOpNOPhvcaAfRCiE9BtKAeOp0M,2240
+cape_parsers/CAPE/core/WarzoneRAT.py,sha256=aHB6n-EX4uMZA93_R4yiFzRsvoqxfh7sdbtlAA-Ia2E,3780
+cape_parsers/CAPE/core/Zloader.py,sha256=Etjowu5fZOW7fFykPNOTDhLWjTcdvtPZUy3s6R8ln8M,9598
+cape_parsers/CAPE/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cape_parsers/CAPE/core/test_cape.py,sha256=CrmghlO43hpnTLv0X8Dw4hTcrVHuJ0X20dPXcFpeWYo,31
+cape_parsers/RATDecoders/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
+cape_parsers/RATDecoders/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
+cape_parsers/RATDecoders/test_rats.py,sha256=swkWvbnCd6_2aUP6MnIF4hyPL8zsdhtjlsBfx5Phgk4,610
+cape_parsers/__init__.py,sha256=1xtenBXY23B8jf2x1fQ103qYFy0lBW12SN3HFJL7YfE,6243
+cape_parsers/deprecated/BackOffLoader.py,sha256=gIwNDsWm1xGR9whKEEj1eTBB1-KTLY0_yNE50xVScKo,1402
+cape_parsers/deprecated/BackOffPOS.py,sha256=lG7a_bXD3Exaoy-_lHpa90yiv_DesICFqClhqS_d8nk,1486
+cape_parsers/deprecated/BlackNix.py,sha256=NPqXiHWt_UtLm35gi58UriEJRt_L_UWGfS8jvblAECM,2667
+cape_parsers/deprecated/BuerLoader.py,sha256=ZA3IBl5JClHhgGxEVOS4DcihpZkX9FWPEituZcK6p58,1460
+cape_parsers/deprecated/ChChes.py,sha256=RhuY8RnpUWVIZUNSCSComeyi4nHC9CyTwJdNVvhMxzg,2891
+cape_parsers/deprecated/Emotet.py,sha256=aeQ0vwYvZXE8zZ0cgO7Funqsg53ogZow27LA7WeAFGM,41226
+cape_parsers/deprecated/Enfal.py,sha256=J66KDwl3VBaEBt_zhAZ-ZYc_LVsE97armEOzCS0urz0,3902
+cape_parsers/deprecated/EvilGrab.py,sha256=atGMTIpXSoCIZNR0WdKzHtL9Fhr_G7WRB4phyp74xfY,3996
+cape_parsers/deprecated/Greame.py,sha256=pNxxyZzWuquZhZPmmkVhJvs_0444l_buqmsi8uOWILg,3690
+cape_parsers/deprecated/Hancitor.py,sha256=onjSmfNGdw9fR96mTjwvJHFCxT6b7d-7fjP2PUsJP1g,2313
+cape_parsers/deprecated/HttpBrowser.py,sha256=Ao0ZhMg6H7jGX6j86G7swF483TaIlvLppuHuhI025Ug,4541
+cape_parsers/deprecated/JavaDropper.py,sha256=lbnvziAskmfeSs3un3uCujmQRTzV9cDDZKFSSXOJIYU,2716
+cape_parsers/deprecated/Nymaim.py,sha256=OOHI1VlHZzCZW4SqiILUZVeQESpsMFxpCRYg_mksM04,8368
+cape_parsers/deprecated/Pandora.py,sha256=LtGdlqU2rwDrEU3R2VzRNF5b-Mpry0w0bx9hc8WY4dI,2596
+cape_parsers/deprecated/PoisonIvy.py,sha256=EFO-E91gkv5Byny8He81d7Wy-9yKPkM1ndWFhQrQ1pQ,4150
+cape_parsers/deprecated/PredatorPain.py,sha256=CNG6zeak34_zGdeSaqFA5NNlvSWcVrjxpkUgqIsqjFs,6318
+cape_parsers/deprecated/Punisher.py,sha256=vnvcOkAiv-LW_x0vxpb-uWP5MGcXhP9dZ13hOFt_Nbg,1354
+cape_parsers/deprecated/RCSession.py,sha256=B6fuouLJQLOaPV9EPdnOByJjL9Nj0VPncW5M9nXlP1k,4397
+cape_parsers/deprecated/REvil.py,sha256=8xxryaTlEtGnUTFQ1LMULVKOj09hBiPapaX4G7dbpW0,3055
+cape_parsers/deprecated/RedLeaf.py,sha256=ID8R1hl4l83cZCnapkdDxCA9FVXWiSkJpYAuxUSjTXI,3947
+cape_parsers/deprecated/Retefe.py,sha256=l2PcGcBDZFUhhOy1ACPREeykabt63dNtDZOnwREnqeU,5180
+cape_parsers/deprecated/Rozena.py,sha256=z31LEQ8rwr-bkKlOrX3Hm1DmDg8HR-UwydWFDgy44G8,382
+cape_parsers/deprecated/SmallNet.py,sha256=wKwDLBp1zTLrPOJkWX07mEPTp9izFLWCyd0r1fGt0_s,3948
+cape_parsers/deprecated/TSCookie.py,sha256=f4b4HCnn6v3YkMrrmonR5WMdGO0vEiNe-ENhYHqfctk,5632
+cape_parsers/deprecated/TrickBot.py,sha256=EdKOQtKlU0gLkWFiibpBmTIueRVYSqwYo0WCHmaRgGA,6967
+cape_parsers/deprecated/UrsnifV3.py,sha256=Nu4X2l_zwlVMjvEa5gQRaR9SgYKL-C-C9onSmd2DtuU,5510
+cape_parsers/deprecated/_ShadowTech.py,sha256=aMLJSVagsrg5Eb9LJyAZCUm78AtCHtRQOFAlWBQ_E10,3890
+cape_parsers/deprecated/_VirusRat.py,sha256=ricU_b_7bEOqWoT3Z9u47YkHzTJ2o65P_8jZfsFH-ms,2697
+cape_parsers/deprecated/_jRat.py,sha256=kZfrCaeLaiUKK_BXOWwqq3-xYPsiSDCQv1fs9zL5IzE,6575
+cape_parsers/deprecated/unrecom.py,sha256=UxLwpW6w-aGsV6yUx8z35Qxj1v-5Z0pyCND894XXbgU,2076
+cape_parsers/deprecated/xRAT.py,sha256=dey-MyJtnJOFsymC96xD_zlVyIwL0_Q7Lx2BgUu7494,4166
+cape_parsers/malduck/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+cape_parsers/malduck/README.md,sha256=AnQYFz7opU0BriSbmNXP23lXYVo5a3s0MOsZRrKIUqI,1186
+cape_parsers/malduck/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cape_parsers/malduck/test_malduck.py,sha256=fiX-NXhgAFKN17bDQXVnTKQlMtCXIOSy-DZczrQ-_tE,243
+cape_parsers/mwcp/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
+cape_parsers/mwcp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cape_parsers/mwcp/test_mwcp.py,sha256=ZORPEQxIJeH68aKT_guI7EZqcwFrg4br5GgmsOvlbzo,191
+cape_parsers/utils/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
+cape_parsers/utils/aplib.py,sha256=U8m9p_IorZtcqk057eelaediLiyaIBdwqgP9JbIGcQY,5059
+cape_parsers/utils/blzpack.py,sha256=y-myrTTkpY9qtM5WhyPxLeq-lQRaVZ5tLycwhjWWyAE,3042
+cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvEYmUc,33368
+cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
+cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
+cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
+cape_parsers-0.1.46.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.46.dist-info/METADATA,sha256=Kth4z4ynvX9pPUos60-6ZkId0-qpwLRegMArC-S5y-8,1753
+cape_parsers-0.1.46.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+cape_parsers-0.1.46.dist-info/RECORD,,

cape_parsers/CAPE/community/BlackNix.py

@@ -1,57 +0,0 @@
-import pefile
-
-
-def extract_raw_config(raw_data):
-    try:
-        pe = pefile.PE(data=raw_data)
-        rt_string_idx = [entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE["RT_RCDATA"])
-        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
-        for entry in rt_string_directory.directory.entries:
-            if str(entry.name) == "SETTINGS":
-                data_rva = entry.directory.entries[0].data.struct.OffsetToData
-                size = entry.directory.entries[0].data.struct.Size
-                data = pe.get_memory_mapped_image()[data_rva : data_rva + size]
-                return data.split("}")
-    except Exception:
-        return None
-
-
-def decode(line):
-    return "".join(chr(ord(char) - 1) for char in line)
-
-
-def domain_parse(config):
-    return [domain.split(":", 1)[0] for domain in config["Domains"].split(";")]
-
-
-def extract_config(data):
-    try:
-        config_raw = extract_raw_config(data)
-        if config_raw:
-            return {
-                "Mutex": decode(config_raw[1])[::-1],
-                "Anti Sandboxie": decode(config_raw[2])[::-1],
-                "Max Folder Size": decode(config_raw[3])[::-1],
-                "Delay Time": decode(config_raw[4])[::-1],
-                "Password": decode(config_raw[5])[::-1],
-                "Kernel Mode Unhooking": decode(config_raw[6])[::-1],
-                "User More Unhooking": decode(config_raw[7])[::-1],
-                "Melt Server": decode(config_raw[8])[::-1],
-                "Offline Screen Capture": decode(config_raw[9])[::-1],
-                "Offline Keylogger": decode(config_raw[10])[::-1],
-                "Copy To ADS": decode(config_raw[11])[::-1],
-                "Domain": decode(config_raw[12])[::-1],
-                "Persistence Thread": decode(config_raw[13])[::-1],
-                "Active X Key": decode(config_raw[14])[::-1],
-                "Registry Key": decode(config_raw[15])[::-1],
-                "Active X Run": decode(config_raw[16])[::-1],
-                "Registry Run": decode(config_raw[17])[::-1],
-                "Safe Mode Startup": decode(config_raw[18])[::-1],
-                "Inject winlogon.exe": decode(config_raw[19])[::-1],
-                "Install Name": decode(config_raw[20])[::-1],
-                "Install Path": decode(config_raw[21])[::-1],
-                "Campaign Name": decode(config_raw[22])[::-1],
-                "Campaign Group": decode(config_raw[23])[::-1],
-            }
-    except Exception:
-        return None

cape_parsers/CAPE/core/Stealc.py

@@ -1,21 +0,0 @@
-import socket
-from contextlib import suppress
-
-
-def _is_ip(ip):
-    try:
-        socket.inet_aton(ip)
-        return True
-    except Exception:
-        return False
-
-
-def extract_config(data):
-    config_dict = {"C2s": []}
-    with suppress(Exception):
-        if data[:2] == b"MZ":
-            return
-        for line in data.decode().split("\n"):
-            if _is_ip(line) and line not in config_dict["C2s"]:
-                config_dict["C2s"].append(line)
-        return config_dict

cape_parsers-0.1.45.dist-info/RECORD

@@ -1,112 +0,0 @@
-cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
-cape_parsers/CAPE/community/AgentTesla.py,sha256=T1gUd28eoCGA5by3ylAAK1naenF0fE3jgYx7UBkCRDk,3559
-cape_parsers/CAPE/community/Arkei.py,sha256=kXn949PC2CksavsL1BgvKgiAUDcq2NQUirosCTQcDF0,3790
-cape_parsers/CAPE/community/AsyncRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
-cape_parsers/CAPE/community/AuroraStealer.py,sha256=UUoxgJtDan3fE1r8aDEKweC_URkV97QHBp1Hq_n7ShI,2419
-cape_parsers/CAPE/community/BackOffLoader.py,sha256=gIwNDsWm1xGR9whKEEj1eTBB1-KTLY0_yNE50xVScKo,1402
-cape_parsers/CAPE/community/BackOffPOS.py,sha256=lG7a_bXD3Exaoy-_lHpa90yiv_DesICFqClhqS_d8nk,1486
-cape_parsers/CAPE/community/BlackNix.py,sha256=ToI6roQfjwJWb_a7mzwub8gqJnoUXmz-gLk_VPdH55o,2536
-cape_parsers/CAPE/community/Carbanak.py,sha256=G-v2wb1Zs5NTkFFfpnvlNaX_YZzDEAE2_sB5_blWxtM,5567
-cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=zZqvrK1TNLFsiQgTxo_0EN4sNIpM_WzyH7RGyk5oOnY,19399
-cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=fdT3gPfCtjqtohwYD5Z7bRWQgKqwbM_e4LuuaZxvl7g,7473
-cape_parsers/CAPE/community/DCRat.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
-cape_parsers/CAPE/community/Fareit.py,sha256=NYkcF7Ddf7SqaSJwGesGTumTJ2p8AT9qBE4tNpiS9Ao,2003
-cape_parsers/CAPE/community/Greame.py,sha256=99W1aUoSNAQ9KMO85liel5rAN0Wutzo-m176iwfOzds,3633
-cape_parsers/CAPE/community/KoiLoader.py,sha256=ZTDm7tGGNFyW8N9l35_ta7ucBuE5AL9YprNR36kfid8,4029
-cape_parsers/CAPE/community/LokiBot.py,sha256=whdVVLqu760ai90Ep-_Ghc_Z1yaty9fMSOcnY5IajXc,5660
-cape_parsers/CAPE/community/Lumma.py,sha256=0SxjHg61qvhXnqADEW3uS3aD_qbtPZUDKGhGsbNdQXE,12131
-cape_parsers/CAPE/community/NanoCore.py,sha256=0dqhCoAyDJaYgAlbXIwCa1esfEuQSk5AtH1Rl4bj1l8,6120
-cape_parsers/CAPE/community/Nighthawk.py,sha256=eXnDqwabnrlRROg503oXYLEgotMW4hKeYwLas8SrkTc,12104
-cape_parsers/CAPE/community/Njrat.py,sha256=_noQM5058BYwTMcYCpcTD9gIxw4ANI35tUSLMAlN97Q,4713
-cape_parsers/CAPE/community/Pandora.py,sha256=d6R3AsDr5WOfKKyA6HI0yQ5Eo7_Eif5LspW0cm2wM5M,2522
-cape_parsers/CAPE/community/PhemedroneStealer.py,sha256=T6jMW73htNCRTqlEqeec9Y3p7BKuSmit3RvWFfd8IJ8,7032
-cape_parsers/CAPE/community/PoisonIvy.py,sha256=EFO-E91gkv5Byny8He81d7Wy-9yKPkM1ndWFhQrQ1pQ,4150
-cape_parsers/CAPE/community/Punisher.py,sha256=1CRo8Bg6O_S6k0aql7sSWH0bwU3Y5Ti_Rh6FRyeWYm0,1321
-cape_parsers/CAPE/community/QuasarRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
-cape_parsers/CAPE/community/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
-cape_parsers/CAPE/community/REvil.py,sha256=tTbcJPN0wdNeSZjD3egZ8_FKjLgf5IVOzUE1p-hPUdw,2806
-cape_parsers/CAPE/community/Retefe.py,sha256=belXWSqYPS5ApaepergVMF6I9iAI7k-mmPjQVEDRsS4,5182
-cape_parsers/CAPE/community/Rozena.py,sha256=NpU3GtNwrFivRNqMbjEqLueZCl76WP6RNuV0KDEpwuE,414
-cape_parsers/CAPE/community/SmallNet.py,sha256=Xg9jschAue_LnXZCUk1KUFj_CkKCdN7fHp6KWPROi_o,3881
-cape_parsers/CAPE/community/Snake.py,sha256=mpUSZmVyxvJA9rdlWV5J7nshT4zKYIucCddvFxnR4BI,6195
-cape_parsers/CAPE/community/SparkRAT.py,sha256=Fh7VPgIuTAiIzDbd-OS7WukQdgBfXIvVcT1Sx9OfxkA,2070
-cape_parsers/CAPE/community/Stealc.py,sha256=UyAcdt47Tgo-dSncW9J62egnqMa2vKVlFW6Zxd7hUGA,3763
-cape_parsers/CAPE/community/TSCookie.py,sha256=f4b4HCnn6v3YkMrrmonR5WMdGO0vEiNe-ENhYHqfctk,5632
-cape_parsers/CAPE/community/TrickBot.py,sha256=EdKOQtKlU0gLkWFiibpBmTIueRVYSqwYo0WCHmaRgGA,6967
-cape_parsers/CAPE/community/VenomRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
-cape_parsers/CAPE/community/XWorm.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
-cape_parsers/CAPE/community/XenoRAT.py,sha256=0nGLNnwnO93SPbCTgoIMvkh6_smuzQxDcYtL77afGx8,1001
-cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=vjb2tK_Wpx4h71bImTJWyPJjrmr_4d6Z9_P827w_-48,2908
-cape_parsers/CAPE/core/Azorult.py,sha256=7AWPeOWhji7n13qTjq-XNPA8LDKcCOOUy8nbT0TUU_I,2145
-cape_parsers/CAPE/core/BitPaymer.py,sha256=N3Ssi_zNliKn1vt2Z1UndMGZg4CIOjf75XDdpCx2ITc,2898
-cape_parsers/CAPE/core/BlackDropper.py,sha256=OyplMDY4GFcBgqoZqbpCRIusNHhcxK2qZuH8bQu8qlw,3173
-cape_parsers/CAPE/core/Blister.py,sha256=JAh_lmWNGLjgMH53SDmN73J_x6RW2yrRsUKHGZ-U9ug,18106
-cape_parsers/CAPE/core/BruteRatel.py,sha256=8FhDHhVGB7qBEjKSujHHTgMeV1LlTXiljqb_yK6BS7U,758
-cape_parsers/CAPE/core/BuerLoader.py,sha256=X1PwdDypVyvOTEF7I44rED68uCQGBFQrcNOuJ9p60ic,1463
-cape_parsers/CAPE/core/BumbleBee.py,sha256=spDp7mAr6cAXvHFkVJqLdMwcDRonTLk2_EoTTrOiVVM,9837
-cape_parsers/CAPE/core/ChChes.py,sha256=h230wjgdLaAFYPWybHnz6Lve2OKPkzprxW5szBcK9hE,2905
-cape_parsers/CAPE/core/DarkGate.py,sha256=QGz6od5OGwdHHkmeU5OyXcevT7SapkNa8luu9WtNfKM,3464
-cape_parsers/CAPE/core/DoppelPaymer.py,sha256=jND9-9iqpAirrg0N9kCTgdiz6cvdKUx4k_1TC2DHIf0,2386
-cape_parsers/CAPE/core/DridexLoader.py,sha256=iABJTcq7Al6sdMrWfvi0BPj0znUyL-VQTffU1F4EpxA,7041
-cape_parsers/CAPE/core/Emotet.py,sha256=aeQ0vwYvZXE8zZ0cgO7Funqsg53ogZow27LA7WeAFGM,41226
-cape_parsers/CAPE/core/Enfal.py,sha256=4t2ccKq2MqQkPwnsiZBe2C00DutollcozCpNFNTsOT8,3908
-cape_parsers/CAPE/core/EvilGrab.py,sha256=gaxmG65ntiE8Y_MRKMtELICbBym1tvKpolpk1WMgN4I,3909
-cape_parsers/CAPE/core/Formbook.py,sha256=EMnrc-vNr2rfuQGkMiwKjodhsJV_qM5wQRvos1VHD3g,526
-cape_parsers/CAPE/core/GuLoader.py,sha256=2DgE2hMkkNO2KVdtF8B4PmuCDnkK64u7xPMHD--UZ8U,407
-cape_parsers/CAPE/core/HttpBrowser.py,sha256=rlJhbv06m3XkPb_oIN3dGrfl_uNxwR1tDv0M4ctstx8,4539
-cape_parsers/CAPE/core/IcedID.py,sha256=lKJZoRWQa-q0TNaylLCmm2hoj1h0wNP6eUmp-uI94pQ,4023
-cape_parsers/CAPE/core/IcedIDLoader.py,sha256=SQ3cqAnQ4elTiOrDQb5hMkFG-ymzek97yRNZd1967pA,1588
-cape_parsers/CAPE/core/Latrodectus.py,sha256=19bQUZBjPJ7sxz6OMpNVvsboq8LHO5z-fGGj9qC-lfA,7493
-cape_parsers/CAPE/core/Oyster.py,sha256=WVUimz6M3DxSnM6pnUI2s6hbLIQKiwhVs4KNwxEbJhE,4818
-cape_parsers/CAPE/core/PikaBot.py,sha256=s3jJL--NNwsvy9FkAADutbmqndlCZP6-ZI3W11p4QjE,5264
-cape_parsers/CAPE/core/PlugX.py,sha256=NiXAqkE5fFBioyRYALX8azaIo9pvfFfPP6xiLzO3TRQ,13156
-cape_parsers/CAPE/core/QakBot.py,sha256=SfYl6I78pSptAldoljdALJYFDyahCw9zfC26knPC69c,18198
-cape_parsers/CAPE/core/Quickbind.py,sha256=g5HQ7_yHROCy2Nv5o741GI7dH5mo8kD_beluc7NCY54,3728
-cape_parsers/CAPE/core/RCSession.py,sha256=U8O7fDI-uU1gJ_BLRjosF80FuNqhIgSV0RQXfQ9XXSg,4301
-cape_parsers/CAPE/core/README.md,sha256=Zd84WEUj9NzKzGnVZV1jx6gMiEOtz01m32B7xEuS91k,17
-cape_parsers/CAPE/core/RedLeaf.py,sha256=Eo49AKDSNmaIOnoRq1nVVhsxGEniejNkTiOXop8c_fw,3939
-cape_parsers/CAPE/core/RedLine.py,sha256=4veoGo4X1pApCn9dAFmFamfDsS-BROh_PuwiWcIwY8E,5704
-cape_parsers/CAPE/core/Remcos.py,sha256=WusmTiu5hwIeLCO75xmtrDFhIvaYefUJv79nSVhBdX4,9384
-cape_parsers/CAPE/core/Rhadamanthys.py,sha256=TuhWqOssRiTOEuCk_UXBd3SPz-V71pOCYLwpSaZXX2I,6107
-cape_parsers/CAPE/core/SmokeLoader.py,sha256=y3PGuAhGkvRSlbi1-PViv66LW4N8AA2Rc5UzxV_nRvw,3889
-cape_parsers/CAPE/core/Socks5Systemz.py,sha256=k5AdoNKl32m6g1MlOWw4EXvfqMJOFuyw5I0VkQicjRs,759
-cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=ErCT5eeo5xiQTBzhpaS22PQ8pp-u-G4cjJ4bapjKT2U,3283
-cape_parsers/CAPE/core/Stealc.py,sha256=LJivSCnho9KrSp5Lbw5oRa8vdKm3y7cNxXaev4tdl-8,488
-cape_parsers/CAPE/core/Strrat.py,sha256=StKPm9Qx8iIIjWb-2P7Naow6sMSJ9tclXJcUQ8JUcWc,2243
-cape_parsers/CAPE/core/UrsnifV3.py,sha256=Nu4X2l_zwlVMjvEa5gQRaR9SgYKL-C-C9onSmd2DtuU,5510
-cape_parsers/CAPE/core/WarzoneRAT.py,sha256=Gk0eZVCNGgscNlpsbB123v4P5rvCeyf8avcTHRAd4aA,3725
-cape_parsers/CAPE/core/Zloader.py,sha256=OQI2zM_L98QiElOK1l26QGV0253sXbPoUfYLR2M2uHQ,9403
-cape_parsers/CAPE/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cape_parsers/CAPE/core/test_cape.py,sha256=CrmghlO43hpnTLv0X8Dw4hTcrVHuJ0X20dPXcFpeWYo,31
-cape_parsers/RATDecoders/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
-cape_parsers/RATDecoders/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
-cape_parsers/RATDecoders/test_rats.py,sha256=84bha95FLKXiLDzP_yAn6E9BJlfBPPE77KWSa4OzS4k,609
-cape_parsers/__init__.py,sha256=KeYDB482ZnBsNNXYGZNjFFdFJkSIOjmgGnAGlTRgCek,6220
-cape_parsers/deprecated/Hancitor.py,sha256=onjSmfNGdw9fR96mTjwvJHFCxT6b7d-7fjP2PUsJP1g,2313
-cape_parsers/deprecated/JavaDropper.py,sha256=lbnvziAskmfeSs3un3uCujmQRTzV9cDDZKFSSXOJIYU,2716
-cape_parsers/deprecated/Nymaim.py,sha256=OOHI1VlHZzCZW4SqiILUZVeQESpsMFxpCRYg_mksM04,8368
-cape_parsers/deprecated/PredatorPain.py,sha256=CNG6zeak34_zGdeSaqFA5NNlvSWcVrjxpkUgqIsqjFs,6318
-cape_parsers/deprecated/_ShadowTech.py,sha256=aMLJSVagsrg5Eb9LJyAZCUm78AtCHtRQOFAlWBQ_E10,3890
-cape_parsers/deprecated/_VirusRat.py,sha256=ricU_b_7bEOqWoT3Z9u47YkHzTJ2o65P_8jZfsFH-ms,2697
-cape_parsers/deprecated/_jRat.py,sha256=kZfrCaeLaiUKK_BXOWwqq3-xYPsiSDCQv1fs9zL5IzE,6575
-cape_parsers/deprecated/unrecom.py,sha256=UxLwpW6w-aGsV6yUx8z35Qxj1v-5Z0pyCND894XXbgU,2076
-cape_parsers/deprecated/xRAT.py,sha256=dey-MyJtnJOFsymC96xD_zlVyIwL0_Q7Lx2BgUu7494,4166
-cape_parsers/malduck/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-cape_parsers/malduck/README.md,sha256=AnQYFz7opU0BriSbmNXP23lXYVo5a3s0MOsZRrKIUqI,1186
-cape_parsers/malduck/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cape_parsers/malduck/test_malduck.py,sha256=fiX-NXhgAFKN17bDQXVnTKQlMtCXIOSy-DZczrQ-_tE,243
-cape_parsers/mwcp/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
-cape_parsers/mwcp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cape_parsers/mwcp/test_mwcp.py,sha256=ZORPEQxIJeH68aKT_guI7EZqcwFrg4br5GgmsOvlbzo,191
-cape_parsers/utils/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
-cape_parsers/utils/aplib.py,sha256=U8m9p_IorZtcqk057eelaediLiyaIBdwqgP9JbIGcQY,5059
-cape_parsers/utils/blzpack.py,sha256=y-myrTTkpY9qtM5WhyPxLeq-lQRaVZ5tLycwhjWWyAE,3042
-cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvEYmUc,33368
-cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
-cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
-cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.45.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.45.dist-info/METADATA,sha256=pWGudbNe69KiEDcgrBiRneTOsE-pIWMCLdqa7Umj_pw,1149
-cape_parsers-0.1.45.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-cape_parsers-0.1.45.dist-info/RECORD,,