CAPE-parsers 0.1.47__tar.gz → 0.1.49__tar.gz

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: CAPE-parsers
-Version: 0.1.47
+Version: 0.1.49
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 Keywords: cape,parsers,malware,configuration

cape_parsers-0.1.49/cape_parsers/CAPE/community/Amadey.py

@@ -0,0 +1,213 @@
+import base64
+import yara
+import pefile
+import json
+import struct
+import re
+
+
+RULE_SOURCE_KEY = """
+rule Amadey_Key_String
+{
+    meta:
+        author = "YungBinary"
+        description = "Find decryption key in Amadey."
+    strings:
+        $chunk_1 = {
+            6A 20
+            68 ?? ?? ?? ??
+            B9 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            68 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            59
+            C3
+        }
+    condition:
+        $chunk_1
+}
+"""
+
+RULE_SOURCE_ENCODED_STRINGS = """
+rule Amadey_Encoded_Strings
+{
+    meta:
+        author = "YungBinary"
+        description = "Find encoded strings in Amadey."
+    strings:
+        $chunk_1 = {
+            6A ??
+            68 ?? ?? ?? ??
+            B9 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            68 ?? ?? ?? ??
+            E8 ?? ?? ?? ??
+            59
+            C3
+        }
+    condition:
+        $chunk_1
+}
+"""
+
+
+def contains_non_printable(byte_array):
+    for byte in byte_array:
+        if not chr(byte).isprintable():
+            return True
+    return False
+
+
+def yara_scan_generator(raw_data, rule_source):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                yield instance.offset, block.identifier
+
+
+def get_keys(pe, data):
+    image_base = pe.OPTIONAL_HEADER.ImageBase
+    keys = []
+    for offset, _ in yara_scan_generator(data, RULE_SOURCE_KEY):
+        try:
+            key_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+            key_string_dword_offset = pe.get_offset_from_rva(key_string_rva - image_base)
+            key_string = pe.get_string_from_data(key_string_dword_offset, data)
+
+            if b"=" not in key_string:
+                keys.append(key_string.decode())
+
+            if len(keys) == 2:
+                return keys
+
+        except Exception:
+            continue
+
+    return []
+
+
+def get_encoded_strings(pe, data):
+    encoded_strings = []
+    image_base = pe.OPTIONAL_HEADER.ImageBase
+    for offset, _ in yara_scan_generator(data, RULE_SOURCE_ENCODED_STRINGS):
+
+        try:
+            encoded_string_size = data[offset + 1]
+            encoded_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+            encoded_string_dword_offset = pe.get_offset_from_rva(encoded_string_rva - image_base)
+            encoded_string = pe.get_string_from_data(encoded_string_dword_offset, data)
+
+            # Make sure the string matches length from operand
+            if encoded_string_size != len(encoded_string):
+                continue
+
+            encoded_strings.append(encoded_string.decode())
+
+        except Exception:
+            continue
+
+    return encoded_strings
+
+
+def decode_amadey_string(key: str, encoded_str: str) -> bytes:
+    """
+    Decode Amadey encoded strings that look like base64
+    """
+    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
+
+    decoded = ""
+    for i in range(len(encoded_str)):
+        if encoded_str[i] == "=":
+            decoded += "="
+            continue
+
+        index_1 = alphabet.index(encoded_str[i % len(encoded_str)])
+        index_2 = alphabet.index(key[i % len(key)])
+
+        index_result = (index_1 + (0x3F - index_2) + 0x3F) % 0x3F
+
+        decoded += alphabet[index_result]
+
+    decoded = base64.b64decode(decoded)
+
+    return decoded
+
+
+def find_campaign_id(data):
+    pattern = br'\x00\x00\x00([0-9a-f]{6})\x00\x00'
+    matches = re.findall(pattern, data)
+    if matches:
+        return matches[0]
+
+
+def extract_config(data):
+    pe = pefile.PE(data=data, fast_load=True)
+    # image_base = pe.OPTIONAL_HEADER.ImageBase
+
+    keys = get_keys(pe, data)
+    if not keys:
+        return {}
+
+    decode_key = keys[0]
+    rc4_key = keys[1]
+    encoded_strings = get_encoded_strings(pe, data)
+
+    decoded_strings = []
+    for encoded_string in encoded_strings:
+        try:
+            decoded_string = decode_amadey_string(decode_key, encoded_string)
+            if not decoded_string or contains_non_printable(decoded_string):
+                continue
+            decoded_strings.append(decoded_string.decode())
+        except Exception:
+            continue
+
+    if not decoded_strings:
+        return {}
+
+    decoded_strings = decoded_strings[:10]
+    final_config = {}
+    version = ""
+    install_dir = ""
+    install_file = ""
+    version_pattern = r"^\d+\.\d{1,2}$"
+    install_dir_pattern = r"^[0-9a-f]{10}$"
+
+    for i in range(len(decoded_strings)):
+        s = decoded_strings[i]
+        if s.endswith(".php"):
+            c2 = decoded_strings[i-1]
+            final_config.setdefault("CNCs", []).append(f"http://{c2}{s}")
+        elif re.match(version_pattern, s):
+            version = s
+        elif re.match(install_dir_pattern, s):
+            install_dir = s
+        elif s.endswith(".exe"):
+            install_file = s
+
+    if version:
+        final_config["version"] = version
+    if install_dir:
+        final_config.setdefault("raw", {})["install_dir"] = install_dir
+    if install_file:
+        final_config.setdefault("raw", {})["install_file"] = install_file
+
+    final_config["cryptokey"] = rc4_key
+    final_config["cryptokey_type"] = "RC4"
+
+    campaign_id = find_campaign_id(data)
+    if campaign_id:
+        final_config["campaign_id"] = campaign_id.decode()
+
+    return final_config
+
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(json.dumps(extract_config(f.read()), indent=4))

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py

@@ -360,11 +360,11 @@ class cobaltstrikeConfig:
             if parsed_setting == "Not Found" and quiet:
                 continue
             if not isinstance(parsed_setting, list):
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting)) # noqa: G001
             elif parsed_setting == []:
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val="Empty"))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val="Empty")) # noqa: G001
             else:
-                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting[0]))
+                log.debug("{: <{width}} - {val}".format(conf_name, width=COLUMN_WIDTH - 3, val=parsed_setting[0])) # noqa: G001
                 for val in parsed_setting[1:]:
                     log.debug(" " * COLUMN_WIDTH, end="")
                     print(val)

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/community/LokiBot.py

@@ -23,7 +23,7 @@
 import re
 import struct
 import sys
-
+from contextlib import suppress
 import pefile
 from Cryptodome.Cipher import DES3
 from Cryptodome.Util.Padding import unpad
@@ -128,7 +128,8 @@ def decoder(data):
     else:
         x = bytearray(img)
 
-    url_re = rb"https?:\/\/[a-zA-Z0-9\/\.:?\-_]+"
+    # ToDo add \.php
+    url_re = rb"https?:\/\/[a-zA-Z0-9\/\.:?\-_]+\.php"
     urls = re.findall(url_re, x)
     if not urls:
         for i in range(len(x)):
@@ -144,21 +145,23 @@ def decoder(data):
     confs = find_conf(img)
     if iv and iv not in (b"", -1) and confs != []:
         for conf in confs:
-            try:
+            with suppress(ValueError):
                 dec = DES3.new(key, DES3.MODE_CBC, iv)
                 temp = dec.decrypt(conf)
                 temp = unpad(temp, 8)
-                urls.append(b"http://" + temp)
-            except ValueError:
-                # wrong padding
-                pass
+                if not temp.endswith(b".php"):
+                    continue
+                urls.append("http://" + temp.decod())
     return urls
 
 
 def extract_config(filebuf):
 
     urls = decoder(filebuf)
-    return {"CNCs": [url.decode() for url in urls]}
+    if urls:
+        return {"CNCs": urls}
+    else:
+        return {}
 
 
 if __name__ == "__main__":

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/community/Lumma.py

@@ -318,7 +318,7 @@ def extract_config(data):
                 decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
-                config.setdefault("CNCs", []).append(decoded_c2.decode())
+                config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
                 encrypted_strings_offset = encrypted_strings_offset + step_size
                 counter += 2
 
@@ -351,7 +351,7 @@ def extract_config(data):
                         decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
-                            config["CNCs"].append(c2.decode())
+                            config["CNCs"].append("https://" + c2.decode())
                             break
 
                 except Exception:
@@ -384,7 +384,7 @@ def extract_config(data):
                     decoded_c2 = xor_data(encoded_c2, xor_key)
 
                     if not contains_non_printable(decoded_c2):
-                        config.setdefault("CNCs", []).append(decoded_c2.decode())
+                        config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
                 except Exception as e:
                     print(e)
                     continue

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/community/Snake.py

@@ -133,7 +133,7 @@ def extract_config(data):
     try:
         dotnet_file = dnfile.dnPE(data=data)
     except Exception as e:
-        log.debug(f"Exception when attempting to parse .NET file: {e}")
+        log.debug("Exception when attempting to parse .NET file: %s", str(e))
         log.debug(traceback.format_exc())
 
     # ldstr, stsfld
@@ -165,7 +165,7 @@ def extract_config(data):
             else:
                 user_strings[field_name] = string_index
         except Exception as e:
-            log.debug(f"There was an exception parsing user strings: {e}")
+            log.debug("There was an exception parsing user strings: %s", str(e))
             log.debug(traceback.format_exc())
 
     if c2_type is None:

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/community/Stealc.py

@@ -1,6 +1,7 @@
 import struct
 import pefile
 import yara
+import ipaddress
 from contextlib import suppress
 
 
@@ -42,6 +43,13 @@ def yara_scan(raw_data):
                 yield block.identifier, instance.offset
 
 
+def _is_ip(ip):
+    try:
+        ipaddress.ip_address(ip)
+        return True
+    except Exception:
+        return False
+
 def xor_data(data, key):
     decoded = bytearray()
     for i in range(len(data)):
@@ -67,6 +75,8 @@ def parse_text(data):
         for line in lines:
             if line.startswith("http") and "://" in line:
                 domain = line
+            elif _is_ip(line):
+                domain = line
             if line.startswith("/") and line[-4] == ".":
                 uri = line
 

cape_parsers-0.1.49/cape_parsers/CAPE/core/AuraStealer.py

@@ -0,0 +1,93 @@
+import json
+import struct
+from contextlib import suppress
+from typing import Any, Dict, Tuple
+
+import pefile
+from Cryptodome.Cipher import AES
+from Cryptodome.Util.Padding import unpad
+
+
+def parse_blob(data: bytes):
+    """
+    Parse the blob according to the scheme:
+      - 32 bytes = AES key
+      - Next 16 bytes = IV
+      - Next 2 DWORDs (8 bytes total) = XOR to get cipher data size
+      - Remaining bytes = cipher data of that size
+    """
+    offset = 0
+    aes_key = data[offset:offset + 32]
+    offset += 32
+    iv = data[offset:offset + 16]
+    offset += 16
+    dword1, dword2 = struct.unpack_from("<II", data, offset)
+    cipher_size = dword1 ^ dword2
+    offset += 8
+    cipher_data = data[offset:offset + cipher_size]
+    return aes_key, iv, cipher_data
+
+
+def decrypt(data: bytes) -> Tuple[bytes, bytes, bytes]:
+    aes_key, iv, cipher_data = parse_blob(data)
+    cipher = AES.new(aes_key, AES.MODE_CBC, iv)
+    plaintext_padded = cipher.decrypt(cipher_data)
+    return aes_key, iv, unpad(plaintext_padded, AES.block_size)
+
+
+def extract_config(data: bytes) -> Dict[str, Any]:
+    cfg: Dict[str, Any] = {}
+    plaintext = ""
+    pe = pefile.PE(data=data, fast_load=True)
+    try:
+        data_section = [s for s in pe.sections if s.Name.find(b".data") != -1][0]
+    except IndexError:
+        return cfg
+
+    if not data_section:
+        return cfg
+
+    data = data_section.get_data()
+    block_size = 4096
+    zeros = b"\x00" * block_size
+    offset = data.find(zeros)
+    if offset == -1:
+        return cfg
+
+    while offset > 0:
+        with suppress(Exception):
+            aes_key, iv, plaintext = decrypt(data[offset : offset + block_size])
+            if plaintext and b"conf" in plaintext:
+                break
+
+        offset -= 1
+
+    if plaintext:
+        parsed = json.loads(plaintext.decode("utf-8", errors="ignore").rstrip("\x00"))
+        conf = parsed.get("conf", {})
+        build = parsed.get("build", {})
+        if conf:
+            cfg = {
+                "CNCs": conf.get("hosts"),
+                "user_agent": conf.get("useragents"),
+                "version": build.get("ver"),
+                "build": build.get("build_id"),
+                "cryptokey": aes_key.hex(),
+                "cryptokey_type": "AES",
+                "raw": {
+                    "iv": iv.hex(),
+                    "anti_vm": conf.get("anti_vm"),
+                    "anti_dbg": conf.get("anti_dbg"),
+                    "self_del": conf.get("self_del"),
+                    "run_delay": conf.get("run_delay"),
+                }
+            }
+
+    return cfg
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/core/BumbleBee.py

@@ -50,7 +50,7 @@ def extract_key_data(data, pe, key_match):
         # Read arbitrary number of byes from key offset and split on null bytes to extract key
         key = data[key_offset : key_offset + 0x40].split(b"\x00")[0]
     except Exception as e:
-        log.debug(f"There was an exception extracting the key: {e}")
+        log.debug("There was an exception extracting the key: %s", str(e))
         log.debug(traceback.format_exc())
         return False
     return key
@@ -70,7 +70,7 @@ def extract_config_data(data, pe, config_match):
         )
         campaign_id_ct = data[campaign_id_offset : campaign_id_offset + 0x10]
     except Exception as e:
-        log.debug(f"There was an exception extracting the campaign id: {e}")
+        log.debug("There was an exception extracting the campaign id: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -84,7 +84,7 @@ def extract_config_data(data, pe, config_match):
         )
         botnet_id_ct = data[botnet_id_offset : botnet_id_offset + 0x10]
     except Exception as e:
-        log.debug(f"There was an exception extracting the botnet id: {e}")
+        log.debug("There was an exception extracting the botnet id: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -99,7 +99,7 @@ def extract_config_data(data, pe, config_match):
         c2s_offset = pe.get_offset_from_rva(c2s_rva + int.from_bytes(config_match.group("c2s"), byteorder="little"))
         c2s_ct = data[c2s_offset : c2s_offset + 0x400]
     except Exception as e:
-        log.debug(f"There was an exception extracting the C2s: {e}")
+        log.debug("There was an exception extracting the C2s: %s", str(e))
         log.debug(traceback.format_exc())
         return False, False, False
 
@@ -243,7 +243,7 @@ def extract_config(data):
         if c2s:
             cfg["CNCs"] = list(ARC4.new(key).decrypt(c2s).split(b"\x00")[0].decode().split(","))
     except Exception as e:
-        log.error("This is broken: %s", str(e), exc_info=True)
+        log.exception("This is broken: %s", str(e))
 
     if not cfg:
         cfg = extract_2024(pe, data)

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/CAPE/core/Remcos.py

@@ -211,7 +211,7 @@ def extract_config(filebuf):
                 config.setdefault("raw", {})[k] = v
 
     except Exception as e:
-        logger.error(f"Caught an exception: {e}")
+        logger.error("Caught an exception: %s", str(e))
 
     return config
 

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/cape_parsers/__init__.py

@@ -129,7 +129,7 @@ def load_malwareconfig_parsers() -> Tuple[bool, dict, ModuleType]:
     except ImportError:
         log.info("Missed RATDecoders -> poetry run pip install malwareconfig")
     except Exception as e:
-        log.error(e, exc_info=True)
+        log.exception(e)
     return False, False, False
 
 

{cape_parsers-0.1.47 → cape_parsers-0.1.49}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.47"
+version = "0.1.49"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"
@@ -27,7 +27,6 @@ unicorn = ">=2.1.1"
 rat-king-parser = ">=4.1.0"
 
 ruff = ">=0.7.2"
-# isort = ">=5.13.2"
 
 [tool.distutils.bdist_wheel]
 universal = false
@@ -36,8 +35,6 @@ universal = false
 maco = ["maco"]
 
 [tool.poetry.group.dev.dependencies]
-black = "^24.3.0"
-isort = "^5.10.1"
 pytest = "7.2.2"
 pytest-pretty = "1.1.0"
 pytest-cov = "3.0.0"
@@ -51,37 +48,11 @@ httpretty = "^1.1.4"
 func-timeout = "^4.3.5"
 pre-commit = "^2.19.0"
 
-# Doesnt work on github CI
-# [tool.poetry.requires-plugins]
-# poetry-plugin-export = ">=1.8"
-
-[tool.ruff]
-exclude = [
-    "./analyzer/linux/dbus_next",
-]
-
-[tool.black]
-line-length = 132
-include = "\\.py(_disabled)?$"
-
-[tool.isort]
-profile = "black"
-no_lines_before = ["FUTURE", "STDLIB"]
-line_length = 132
-supported_extensions = ["py", "py_disabled"]
-
-[tool.flake8]
-max-line-length = 132
-exclude = ".git,__pycache__,.cache,.venv"
-
 [tool.pytest.ini_options]
 pythonpath = ["."]
 testpaths = ["tests"]
 norecursedirs = "tests/zip_compound"
-
-[lint]
-select = ["E", "F"]
-ignore = ["E402","E501"]
+asyncio_mode = "auto"
 
 [tool.poetry-dynamic-versioning]
 enable = false # Master switch to enable the plugin
@@ -89,3 +60,40 @@ enable = false # Master switch to enable the plugin
 [build-system]
 requires = ["poetry-core>=1.0.0", "poetry-dynamic-versioning"]
 build-backend = "poetry.core.masonry.api"
+
+[tool.ruff]
+line-length = 132
+
+[tool.ruff.lint]
+select = [
+	"F",       # pyflakes
+	"E",       # pycodestyle errors
+	"W",       # pycodestyle warnings
+	# "I",       # isort
+	# "N",       # pep8-naming
+	"G",       # flake8-logging-format
+]
+
+ignore = [
+    "E501",    # ignore due to conflict with formatter
+    "N818",    # exceptions don't need the Error suffix
+    "E741",    # allow ambiguous variable names
+    "E402",
+    "W605",    # ToDo to fix - Invalid escape sequence
+]
+
+fixable = ["ALL"]
+
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+skip-magic-trailing-comma = false
+line-ending = "auto"
+
+[tool.ruff.lint.isort]
+known-first-party = ["libqtile", "test"]
+default-section = "third-party"
+
+[tool.mypy]
+warn_unused_configs = true