CAPE-parsers 0.1.45__py3-none-any.whl → 0.1.47__py3-none-any.whl

cape_parsers/CAPE/community/Stealc.py

@@ -1,31 +1,35 @@
 import struct
 import pefile
 import yara
+from contextlib import suppress
 
 
-# Hash = 619751f5ed0a9716318092998f2e4561f27f7f429fe6103406ecf16e33837470
+# V1 hash = 619751f5ed0a9716318092998f2e4561f27f7f429fe6103406ecf16e33837470
+# V2 hash = 2f42dcf05dd87e6352491ff9d4ea3dc3f854df53d548a8da0c323be42df797b6 (32-bit payload)
+# V2 hash = 8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387 (64-bit payload)
 
-RULE_SOURCE = """rule StealC
+RULE_SOURCE = """
+rule StealC
 {
     meta:
         author = "Yung Binary"
     strings:
-        $decode_1 = {
-            6A ??
-            68 ?? ?? ?? ??
-            68 ?? ?? ?? ??
-            E8 ?? ?? ?? ??
-        }
-        $decode_2 = {
-            6A ??
-            68 ?? ?? ?? ??
-            68 ?? ?? ?? ??
-            [0-5]
-            E8 ?? ?? ?? ??
-        }
+        $decode_1 = {6A ?? 68 [4] 68 [4] E8}
+        $decode_2 = {6A ?? 68 [4] 68 [4] [0-5] E8}
     condition:
         any of them
-}"""
+}
+rule StealcV2
+{
+    meta:
+        author = "kevoreilly"
+    strings:
+        $botnet32 = {AB AB AB AB 89 4B ?? C7 43 ?? 0F 00 00 00 88 0B A0 [4] EB 12 3C 20 74 0B 0F B6 06 8B CB 50 E8}
+        $botnet64 = {0F 11 01 48 C7 41 ?? 00 00 00 00 48 8B D9 48 C7 41 ?? 0F 00 00 00 C6 01 00 8A 05 [4] EB ?? 3C 20 74 ?? 48 8B 4B ?? 44 8A 0F}
+    condition:
+        any of them
+}
+"""
 
 
 def yara_scan(raw_data):
@@ -45,78 +49,96 @@ def xor_data(data, key):
     return decoded
 
 
-def extract_config(data):
-    config_dict = {}
+def extract_ascii_string(data: bytes, offset: int, max_length=4096) -> str:
+    if offset >= len(data):
+        raise ValueError("Offset beyond data bounds")
+    end = data.find(b'\x00', offset, offset + max_length)
+    if end == -1:
+        end = offset + max_length
+    return data[offset:end].decode('ascii', errors='replace')
 
-    # Attempt to extract via old method
-    try:
-        domain = ""
-        uri = ""
+
+def parse_text(data):
+    global domain, uri
+    with suppress(Exception):
         lines = data.decode().split("\n")
+        if not lines:
+            return
         for line in lines:
             if line.startswith("http") and "://" in line:
                 domain = line
             if line.startswith("/") and line[-4] == ".":
                 uri = line
-        if domain and uri:
-            config_dict.setdefault("C2", []).append(f"{domain}{uri}")
-            return config_dict
-    except Exception:
-        pass
-
-    # Try with new method
-
-    #config_dict["Strings"] = []
-    pe = pefile.PE(data=data, fast_load=True)
-    image_base = pe.OPTIONAL_HEADER.ImageBase
-    domain = ""
-    uri = ""
-    botnet_id = ""
+
+
+def parse_pe(data):
+    global domain, uri, botnet_id
+    pe = None
+    image_base = 0
     last_str = ""
+    with suppress(Exception):
+        pe = pefile.PE(data=data, fast_load=True)
+        if not pe:
+            return
+        image_base = pe.OPTIONAL_HEADER.ImageBase
+        if not image_base:
+            return
     for match in yara_scan(data):
         try:
             rule_str_name, str_decode_offset = match
+            if rule_str_name.startswith("$botnet"):
+                botnet_var = struct.unpack("I", data[str_decode_offset - 4 : str_decode_offset])[0]
+                if hasattr(pe, 'OPTIONAL_HEADER'):
+                    magic = pe.OPTIONAL_HEADER.Magic
+                    if magic == 0x10b: # 32-bit
+                        botnet_offset = pe.get_offset_from_rva(botnet_var - image_base)
+                    elif magic == 0x20b: # 64-bit
+                        botnet_offset = pe.get_offset_from_rva(pe.get_rva_from_offset(str_decode_offset) + botnet_var)
+                    if botnet_offset:
+                        botnet_id = extract_ascii_string(data, botnet_offset)
             str_size = int(data[str_decode_offset + 1])
             # Ignore size 0 strings
             if not str_size:
                 continue
-
             if rule_str_name.startswith("$decode"):
                 key_rva = data[str_decode_offset + 3 : str_decode_offset + 7]
                 encoded_str_rva = data[str_decode_offset + 8 : str_decode_offset + 12]
-                #dword_rva = data[str_decode_offset + 21 : str_decode_offset + 25]
-
-            key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
-            encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
-            #dword_offset = struct.unpack("i", dword_rva)[0]
-            #dword_name = f"dword_{hex(dword_offset)[2:]}"
-
-            key = data[key_offset : key_offset + str_size]
-            encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
-            decoded_str = xor_data(encoded_str, key).decode()
-            #config_dict["Strings"].append({dword_name : decoded_str})
-
-            if last_str in ("http://", "https://"):
-                domain += decoded_str
-            elif decoded_str in ("http://", "https://"):
-                domain = decoded_str
-            elif "http" in decoded_str and "://" in decoded_str:
-                domain = decoded_str
-            elif uri == "" and decoded_str.startswith("/") and decoded_str[-4] == ".":
-                uri = decoded_str
-            elif last_str[0] == '/' and last_str[-1] == '/':
-                botnet_id = decoded_str
-
-            last_str = decoded_str
-
+                key_offset = pe.get_offset_from_rva(struct.unpack("i", key_rva)[0] - image_base)
+                encoded_str_offset = pe.get_offset_from_rva(struct.unpack("i", encoded_str_rva)[0] - image_base)
+                key = data[key_offset : key_offset + str_size]
+                encoded_str = data[encoded_str_offset : encoded_str_offset + str_size]
+                decoded_str = xor_data(encoded_str, key).decode()
+                if last_str in ("http://", "https://"):
+                    domain += decoded_str
+                elif decoded_str in ("http://", "https://"):
+                    domain = decoded_str
+                elif "http" in decoded_str and "://" in decoded_str:
+                    domain = decoded_str
+                elif uri is None and decoded_str.startswith("/") and decoded_str[-4] == ".":
+                    uri = decoded_str
+                elif last_str[0] == "/" and last_str[-1] == "/":
+                    botnet_id = decoded_str
+                last_str = decoded_str
         except Exception:
             continue
+    return
+
+
+def extract_config(data):
+    global domain, uri, botnet_id
+    domain = uri = botnet_id = None
+    config_dict = {}
+
+    if data[:2] == b'MZ':
+        parse_pe(data)
+    else:
+        parse_text(data)
 
     if domain and uri:
-        config_dict.setdefault("C2", []).append(f"{domain}{uri}")
+        config_dict.setdefault("CNCs", []).append(f"{domain}{uri}")
 
     if botnet_id:
-        config_dict.setdefault("Botnet ID", botnet_id)
+        config_dict.setdefault("botnet", botnet_id)
 
     return config_dict
 

cape_parsers/CAPE/community/VenomRAT.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/XWorm.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/XenoRAT.py

@@ -5,10 +5,10 @@ import os
 from rat_king_parser.rkp import RATConfigParser
 
 HAVE_ASYNCRAT_COMMON = False
-module_file_path = '/opt/CAPEv2/data/asyncrat_common.py'
+module_file_path = "/opt/CAPEv2/data/asyncrat_common.py"
 if os.path.exists(module_file_path):
     try:
-        module_name = os.path.basename(module_file_path).replace('.py', '')
+        module_name = os.path.basename(module_file_path).replace(".py", "")
         spec = importlib.util.spec_from_file_location(module_name, module_file_path)
         asyncrat_common = importlib.util.module_from_spec(spec)
         sys.modules[module_name] = asyncrat_common
@@ -17,6 +17,7 @@ if os.path.exists(module_file_path):
     except Exception as e:
         print("Error loading asyncrat_common.py", e)
 
+
 def extract_config(data: bytes):
     config = RATConfigParser(data=data, remap_config=True).report.get("config", {})
     if config and HAVE_ASYNCRAT_COMMON:
@@ -24,6 +25,7 @@ def extract_config(data: bytes):
 
     return config
 
+
 if __name__ == "__main__":
     data = open(sys.argv[1], "rb").read()
     print(extract_config(data))

cape_parsers/CAPE/community/monsterv2.py

@@ -0,0 +1,96 @@
+import hashlib
+from Crypto.Cipher import ChaCha20_Poly1305
+from contextlib import suppress
+import zlib
+import struct
+import json
+import yara
+import pefile
+
+
+RULE_SOURCE = """rule MonsterV2Config
+{
+    meta:
+        author = "doomedraven,YungBinary"
+    strings:
+        $chunk_1 = {
+            41 B8 ?? ?? ?? ??
+            48 8D 15 ?? ?? ?? ??
+            48 8B CB
+            E8 ?? ?? ?? ??
+            48 8D 83 ?? ?? ?? ??
+            48 89 44 24 ??
+            48 89 6C 24 ??
+            4C 8B C7
+            48 8D 54 24 ??
+            48 8B CE
+            E8 ?? ?? ?? ??
+        }
+    condition:
+        $chunk_1
+}"""
+
+
+def derive_chacha_key_nonce_blake2b(seed: bytes):  # -> tuple[bytes, bytes]:
+    """
+    Derives a 32-byte ChaCha20 key and a 24-byte ChaCha20 nonce
+    using BLAKE2b from a given seed.
+    """
+    output_length = 56  # 32 bytes for key + 24 bytes for nonce
+    h = hashlib.blake2b(digest_size=output_length)
+    h.update(seed)
+    derived_material = h.digest()
+    chacha20_key = derived_material[0:32]
+    chacha20_nonce = derived_material[32:56]
+    return chacha20_key, chacha20_nonce
+
+
+def yara_scan(raw_data, rule_source):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                return instance.offset
+
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    with suppress(Exception):
+        pe = pefile.PE(data=data)
+        offset = yara_scan(data, RULE_SOURCE)
+
+        # image_base = pe.OPTIONAL_HEADER.ImageBase
+        disp_offset = data[offset + 9 : offset + 13]
+        disp_offset = struct.unpack('i', disp_offset)[0]
+        instruction_pointer_va = pe.get_rva_from_offset(offset + 13)
+        config_offset_va = instruction_pointer_va + disp_offset
+        config_offset = pe.get_offset_from_rva(config_offset_va)
+
+
+        blake_seed = data[config_offset : config_offset + 32]
+        chacha20_key, chacha20_nonce = derive_chacha_key_nonce_blake2b(blake_seed)
+        cipher_len = int.from_bytes(data[config_offset + 32 : config_offset + 40], byteorder="big")
+        cipher_text = data[config_offset + 40 : config_offset + 40 + cipher_len]
+
+        cipher = ChaCha20_Poly1305.new(key=chacha20_key, nonce=chacha20_nonce)
+        decrypted_zlib_data = cipher.decrypt(cipher_text)
+        decompressed_data = zlib.decompress(decrypted_zlib_data)
+        config_dict = json.loads(decompressed_data)
+
+    if config_dict:
+        final_config = {"raw": config_dict}
+        if "ip" in config_dict and "port" in config_dict:
+            final_config["CNCs"] = [f"tcp://{config_dict['ip']}:{config_dict['port']}"]
+        if "build_name" in config_dict:
+            final_config["build"] = config_dict["build_name"]
+        return final_config
+
+    return {}
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers/CAPE/core/AdaptixBeacon.py

@@ -26,11 +26,12 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
 
     def read_str(length: int):
         nonlocal offset
-        value = data[offset:offset + length].decode("utf-8", errors="replace")
+        value = data[offset : offset + length].decode("utf-8", errors="replace")
         offset += length
         return value
 
-    config["config_rc4_key"] = rc4_key.hex()
+    config["cryptokey"] = rc4_key.hex()
+    config["cryptokey_type"] = "RC4"
     config["agent_type"] = f"{read('<I'):8X}"
     config["use_ssl"] = read("<B")
     host_count = read("<I")
@@ -58,7 +59,8 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
     config["sleep_delay"] = read("<I")
     config["jitter_delay"] = read("<I")
 
-    return config
+    return {"raw": config}
+
 
 def extract_config(filebuf: bytes) -> dict:
     pe = pefile.PE(data=filebuf, fast_load=True)
@@ -78,9 +80,9 @@ def extract_config(filebuf: bytes) -> dict:
             pos = start_offset + 1
             continue
 
-        encrypted_data = data[pos:pos + key_offset]
+        encrypted_data = data[pos : pos + key_offset]
         pos += key_offset
-        rc4_key = data[pos:pos + 16]
+        rc4_key = data[pos : pos + 16]
 
         if key_offset == 787:
             pass

cape_parsers/CAPE/core/Azorult.py

@@ -30,7 +30,7 @@ rule Azorult
         cape_type = "Azorult Payload"
     strings:
         $ref_c2 = {6A 00 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? FF 55 F0 8B D8 C7 47 10 ?? ?? ?? ?? 90 C7 45 B0 C0 C6 2D 00 6A 04 8D 45 B0 50 6A 06 53 FF 55 D4}
-   condition:
+    condition:
         uint16(0) == 0x5A4D and all of them
 }
 """
@@ -48,16 +48,18 @@ def extract_config(filebuf):
             for instance in block.instances:
                 try:
                     cnc_offset = struct.unpack("i", instance.matched_data[21:25])[0]
-                    cnc = pe.get_data(cnc_offset-image_base, 32).split(b"\x00")[0]
+                    cnc = pe.get_data(cnc_offset - image_base, 32).split(b"\x00")[0]
                     if cnc:
                         if not cnc.startswith(b"http"):
                             cnc = b"http://" + cnc
-                        return {"cncs": [cnc.decode()]}
+                        return {"CNCs": [cnc.decode()]}
                 except Exception as e:
                     log.error("Error parsing Azorult config: %s", e)
     return {}
 
+
 if __name__ == "__main__":
     import sys
+
     with open(sys.argv[1], "rb") as f:
         print(extract_config(f.read()))

cape_parsers/CAPE/core/BitPaymer.py

@@ -86,7 +86,10 @@ def extract_config(file_data):
         for item in raw.split(b"\x00"):
             data = "".join(convert_char(c) for c in item)
             if len(data) == 760:
-                config["RSA public key"] = data
+                config.setdefault("cryptokey", data)
+                # ToDO proper naming here
+                config.setdefault("raw", {})["cryptokey_type"] = "RSA public key"
+
             elif len(data) > 1 and "\\x" not in data:
-                config["strings"] = data
+                config.setdefault("raw", {})["strings"] = data
     return config

cape_parsers/CAPE/core/BlackDropper.py

@@ -55,7 +55,7 @@ def extract_config(data: bytes) -> dict:
         return {}
 
     rdata_data = rdata_section.get_data()
-    patterns = [br"Builder\.dll\x00", br"Builder\.exe\x00"]
+    patterns = [rb"Builder\.dll\x00", rb"Builder\.exe\x00"]
     matches = []
     for pattern in patterns:
         matches.extend(re.finditer(pattern, rdata_data))
@@ -66,7 +66,7 @@ def extract_config(data: bytes) -> dict:
         end = min(len(rdata_data), match.end() + 1024)
         found_strings.update(re.findall(b"[\x20-\x7E]{4,}?\x00", rdata_data[start:end]))
 
-    result = {}
+    config = {}
     urls = []
     directories = []
     campaign = ""
@@ -74,7 +74,7 @@ def extract_config(data: bytes) -> dict:
     if found_strings:
         key = get_year(pe)
         if not key:
-            return result
+            return {}
         for string in found_strings:
             with suppress(UnicodeDecodeError):
                 decoded_string = string.decode("utf-8").rstrip("\x00")
@@ -88,9 +88,14 @@ def extract_config(data: bytes) -> dict:
             elif re.match(r"^(?![A-Z]{6,}$)[a-zA-Z0-9\-=]{6,}$", decoded_string):
                 campaign = decoded_string
 
-        result = {"urls": sorted(urls), "directories": directories, "campaign": campaign}
+        if urls:
+            config["CNCs"] = sorted(urls)
+        if campaign:
+            config["campaign"] = campaign
+        if directories:
+            config["raw"] = {"directories": directories}
 
-    return result
+    return config
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/core/Blister.py

@@ -542,16 +542,18 @@ def extract_config(data):
             injection_method = "Process hollowing IE or Werfault"
 
     config = {
-        "Flag": hex(flag),
-        "Payload export hash": hex(u32(payload_export_hash)),
-        "Payload filename": w_payload_filename_and_cmdline,
-        "Compressed data size": hex(u32(compressed_data_size)),
-        "Uncompressed data size": hex(u32(uncompressed_data_size)),
-        "Rabbit key": binascii.hexlify(key).decode(),
-        "Rabbit IV": binascii.hexlify(iv).decode(),
-        "Persistence": persistance,
-        "Sleep after injection": sleep_after_injection,
-        "Injection method": injection_method,
+        "raw": {
+            "Flag": hex(flag),
+            "Payload export hash": hex(u32(payload_export_hash)),
+            "Payload filename": w_payload_filename_and_cmdline,
+            "Compressed data size": hex(u32(compressed_data_size)),
+            "Uncompressed data size": hex(u32(uncompressed_data_size)),
+            "Rabbit key": binascii.hexlify(key).decode(),
+            "Rabbit IV": binascii.hexlify(iv).decode(),
+            "Persistence": persistance,
+            "Sleep after injection": sleep_after_injection,
+            "Injection method": injection_method,
+        }
     }
 
     return config

cape_parsers/CAPE/core/BruteRatel.py

@@ -2,22 +2,35 @@ from contextlib import suppress
 
 
 def extract_config(data):
-    config_dict = {}
+    config = {}
 
     with suppress(Exception):
         i = 0
         lines = data.decode().split("\n")
         for line in lines:
             if line.startswith("Mozilla"):
-                config_dict["User Agent"] = line
-                config_dict["C2"] = list(set(lines[i - 2].split(",")))
-                config_dict["Port"] = lines[i - 1]
-                config_dict["URI"] = lines[i + 3].split(",")
-                config_dict["Keys"] = [lines[i + 1], lines[i + 2]]
+                cncs = list(set(lines[i - 2].split(",")))
+                port = lines[i - 1]
+                uris = lines[i + 3].split(",")
+                keys = [lines[i + 1], lines[i + 2]]
+
+                for cnc in cncs:
+                    # ToDo need to verify if we have schema and uri has slash
+                    for uri in uris:
+                        config.setdefault("CNCs", []).append(f"{cnc}:{port}{uri}")
+
+                config["raw"] = {
+                    "User Agent": line,
+                    "C2": cncs,
+                    "Port": port,
+                    "URI": uri,
+                    # ToDo move to proper field
+                    "Keys": keys,
+                }
                 break
             i += 1
 
-    return config_dict
+    return config
 
 
 if __name__ == "__main__":