CAPE-parsers 0.1.49__py3-none-any.whl → 0.1.50__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- cape_parsers/CAPE/community/AuroraStealer.py +1 -1
- cape_parsers/CAPE/community/Stealc.py +1 -1
- cape_parsers/CAPE/core/AuraStealer.py +18 -11
- cape_parsers/CAPE/core/Latrodectus.py +4 -3
- {cape_parsers-0.1.49.dist-info → cape_parsers-0.1.50.dist-info}/METADATA +1 -1
- {cape_parsers-0.1.49.dist-info → cape_parsers-0.1.50.dist-info}/RECORD +8 -8
- {cape_parsers-0.1.49.dist-info → cape_parsers-0.1.50.dist-info}/LICENSE +0 -0
- {cape_parsers-0.1.49.dist-info → cape_parsers-0.1.50.dist-info}/WHEEL +0 -0
|
@@ -32,7 +32,7 @@ def extract_config(data):
|
|
|
32
32
|
key = item.split(":")[0].strip("{").strip('"')
|
|
33
33
|
value = item.split(":")[1].strip('"')
|
|
34
34
|
if key == "IP":
|
|
35
|
-
config_dict["CNCs"] = [value]
|
|
35
|
+
config_dict["CNCs"] = [f"tcp://{value}"]
|
|
36
36
|
elif key == "BuildID":
|
|
37
37
|
config_dict["build"] = value
|
|
38
38
|
else:
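Review bot: The new `tcp://` prefix is applied to a value that the context line `value = item.split(":")[1].strip('"')` has already cut at the second colon, so if an `IP` entry ever carries a port (`host:port`), the port is dropped and the URL the commit now builds is incomplete. Splitting once keeps it: `value = item.split(":", 1)[1].strip('"')`. Whether the sampled configs include a port is not visible here, so confirm against a real config string before changing it. The enclosing `extract_config` starts and ends outside this hunk.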
|
|
@@ -7,6 +7,14 @@ import pefile
|
|
|
7
7
|
from Cryptodome.Cipher import AES
|
|
8
8
|
from Cryptodome.Util.Padding import unpad
|
|
9
9
|
|
|
10
|
+
# Define the format for the fixed-size header part.
|
|
11
|
+
# < : little-endian
|
|
12
|
+
# 32s : 32-byte string (for aes_key)
|
|
13
|
+
# 16s : 16-byte string (for iv)
|
|
14
|
+
# I : 4-byte unsigned int (for dword1)
|
|
15
|
+
# I : 4-byte unsigned int (for dword2)
|
|
16
|
+
HEADER_FORMAT = "<32s16sII"
|
|
17
|
+
HEADER_SIZE = struct.calcsize(HEADER_FORMAT) # This will be 32 + 16 + 4 + 4 = 56 bytes
|
|
10
18
|
|
|
11
19
|
def parse_blob(data: bytes):
|
|
12
20
|
"""
|
|
@@ -16,15 +24,9 @@ def parse_blob(data: bytes):
|
|
|
16
24
|
- Next 2 DWORDs (8 bytes total) = XOR to get cipher data size
|
|
17
25
|
- Remaining bytes = cipher data of that size
|
|
18
26
|
"""
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
iv = data[offset:offset + 16]
|
|
23
|
-
offset += 16
|
|
24
|
-
dword1, dword2 = struct.unpack_from("<II", data, offset)
|
|
25
|
-
cipher_size = dword1 ^ dword2
|
|
26
|
-
offset += 8
|
|
27
|
-
cipher_data = data[offset:offset + cipher_size]
|
|
27
|
+
aes_key, iv, dword1, dword2 = struct.unpack_from(HEADER_FORMAT, data, 0)
|
|
28
|
+
ciphertext_size = dword1 ^ dword2
|
|
29
|
+
cipher_data = data[HEADER_SIZE : HEADER_SIZE + ciphertext_size]
|
|
28
30
|
return aes_key, iv, cipher_data
|
|
29
31
|
|
|
30
32
|
|
|
@@ -37,7 +39,8 @@ def decrypt(data: bytes) -> Tuple[bytes, bytes, bytes]:
|
|
|
37
39
|
|
|
38
40
|
def extract_config(data: bytes) -> Dict[str, Any]:
|
|
39
41
|
cfg: Dict[str, Any] = {}
|
|
40
|
-
plaintext = ""
|
|
42
|
+
plaintext = b""
|
|
43
|
+
|
|
41
44
|
pe = pefile.PE(data=data, fast_load=True)
|
|
42
45
|
try:
|
|
43
46
|
data_section = [s for s in pe.sections if s.Name.find(b".data") != -1][0]
|
|
@@ -63,7 +66,11 @@ def extract_config(data: bytes) -> Dict[str, Any]:
|
|
|
63
66
|
offset -= 1
|
|
64
67
|
|
|
65
68
|
if plaintext:
|
|
66
|
-
|
|
69
|
+
try:
|
|
70
|
+
parsed = json.loads(plaintext.decode("utf-8", errors="ignore").rstrip("\x00"))
|
|
71
|
+
except json.JSONDecodeError:
|
|
72
|
+
return cfg
|
|
73
|
+
|
|
67
74
|
conf = parsed.get("conf", {})
|
|
68
75
|
build = parsed.get("build", {})
|
|
69
76
|
if conf:
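Review bot: `ciphertext_size = dword1 ^ dword2` in the `parse_blob` hunk is taken straight from the sample and never compared with `len(data)`, so the slice `data[HEADER_SIZE : HEADER_SIZE + ciphertext_size]` can silently return fewer bytes than advertised and the mismatch only surfaces later in decryption. A guard right after the slice makes the failure explicit and attributable: `if len(cipher_data) != ciphertext_size: raise ValueError("truncated cipher data")` — check which exceptions the offset-stepping caller (`offset -= 1` in the last hunk) expects to catch before picking the type. In the `extract_config` hunk the new `try`/`except json.JSONDecodeError` guards parsing but not the shape of the result; a decoded document that is not an object makes `parsed.get("conf", {})` raise `AttributeError`, which `if not isinstance(parsed, dict): return cfg` after the `except` closes. Both `parse_blob` and `extract_config` continue outside their hunks.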
|
|
@@ -41,7 +41,7 @@ rule Latrodectus
|
|
|
41
41
|
$fnvhash2 = {8B 0C 24 33 C8 8B C1 89 04 24 69 04 24 93 01 00 01}
|
|
42
42
|
$procchk1 = {E8 [3] FF 85 C0 74 [2] FF FF FF FF E9 [4] E8 [4] 89 44 24 ?? E8 [4] 83 F8 4B 73 ?? 83 [3] 06}
|
|
43
43
|
$procchk2 = {72 [2] FF FF FF FF E9 [4] E8 [4] 83 F8 32 73 ?? 83 [3] 06}
|
|
44
|
-
$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
|
|
44
|
+
$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
|
|
45
45
|
condition:
|
|
46
46
|
all of them
|
|
47
47
|
}
|
|
@@ -59,7 +59,7 @@ rule Latrodectus_AES
|
|
|
59
59
|
$key = {C6 44 2? ?? ?? [150] C6 44 2? ?? ?? B8 02}
|
|
60
60
|
$aes_ctr_1 = {8B 44 24 ?? FF C8 89 44 24 ?? 83 7C 24 ?? 00 7C ?? 4? 63 44 24 ?? 4? 8B 4C 24 ?? 0F B6 84 01 F0 00 00 00 3D FF 00 00 00}
|
|
61
61
|
$aes_ctr_2 = {48 03 C8 48 8B C1 0F B6 ?? 48 63 4C 24 ?? 0F B6 4C 0C ?? 33 C1 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 03 D1 48 8B CA 88 01}
|
|
62
|
-
$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
|
|
62
|
+
$version = {C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 C7 44 2? ?? ?? 00 00 00 8B 05 [4] 89}
|
|
63
63
|
condition:
|
|
64
64
|
all of them
|
|
65
65
|
}
|
|
@@ -152,7 +152,8 @@ def extract_config(filebuf):
|
|
|
152
152
|
data = instance.matched_data[::-1]
|
|
153
153
|
major = int.from_bytes(data[10:11], byteorder="big")
|
|
154
154
|
minor = int.from_bytes(data[18:19], byteorder="big")
|
|
155
|
-
|
|
155
|
+
release = int.from_bytes(data[26:27], byteorder="big")
|
|
156
|
+
version = f"{major}.{minor}.{release}"
|
|
156
157
|
if "$key" in item.identifier:
|
|
157
158
|
key = instance.matched_data[4::5]
|
|
158
159
|
try:
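Review bot: The new `release = int.from_bytes(data[26:27], byteorder="big")` extends the reversed-match indexing without a comment tying the offsets to the updated `$version` pattern, and the mapping is easy to get backwards: assuming each `C7 44 2? ?? ?? 00 00 00` group is `mov dword [rsp+disp8], imm32`, reversing the match puts the 7-byte `8B 05 [4] 89` tail first, so `data[10]` is the low immediate byte of the *last* mov in the pattern, `data[18]` the middle one and `data[26]` the *first*. Please confirm against a sample that the binary stores the fields in that order before reading them as major/minor/release, and record it with a comment such as `# matched_data is reversed: indexes 10/18/26 are the imm8 of the 3rd/2nd/1st mov in $version`. The single-byte `int.from_bytes(..., byteorder="big")` calls are plain indexing in disguise, `major, minor, release = data[10], data[18], data[26]` reads more directly. The `$version` string is changed identically in the `Latrodectus` and `Latrodectus_AES` rules; `extract_config` starts and ends outside this hunk.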
|
|
@@ -3,7 +3,7 @@ cape_parsers/CAPE/community/AgentTesla.py,sha256=rHhTmINQ0bGZEiJ5NhCKPhGobcifq3F
|
|
|
3
3
|
cape_parsers/CAPE/community/Amadey.py,sha256=IUyt909q9IDQPPip6UW9uD16rJMD_gvkwvNZ8NHTW-k,5577
|
|
4
4
|
cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
|
|
5
5
|
cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
|
|
6
|
-
cape_parsers/CAPE/community/AuroraStealer.py,sha256=
|
|
6
|
+
cape_parsers/CAPE/community/AuroraStealer.py,sha256=LRu2QFBYkGhRGDJBw3GlcKub4E0_TBWmjdR2PnobDZM,2643
|
|
7
7
|
cape_parsers/CAPE/community/Carbanak.py,sha256=Smi_vTWDfWxYBQa661ZIy0624IYJA22LMHAJEQbstpk,5607
|
|
8
8
|
cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=U4Q0ObCrPRpiO5B5fBmkgr63jXdizujNth8v6kUPnEQ,19466
|
|
9
9
|
cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=HLxROBjz453uHNq1bPz0VSAhtyWDfz79ZacTPdjuWmY,7535
|
|
@@ -20,14 +20,14 @@ cape_parsers/CAPE/community/QuasarRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04N
|
|
|
20
20
|
cape_parsers/CAPE/community/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
|
|
21
21
|
cape_parsers/CAPE/community/Snake.py,sha256=v_MAPmg86ZdgGOkzc9GVHbi-lu4nLa1_0Lp90qiCg8s,6650
|
|
22
22
|
cape_parsers/CAPE/community/SparkRAT.py,sha256=OVDty_1i9PTGuEumT0BHoDn0bD2UtdhHVNjThah80pg,2140
|
|
23
|
-
cape_parsers/CAPE/community/Stealc.py,sha256=
|
|
23
|
+
cape_parsers/CAPE/community/Stealc.py,sha256=18EkQ-lMMAreKV5vA9xLBmOK5B4JtYcBwVqNfof4K2A,5321
|
|
24
24
|
cape_parsers/CAPE/community/VenomRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
|
|
25
25
|
cape_parsers/CAPE/community/XWorm.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
|
|
26
26
|
cape_parsers/CAPE/community/XenoRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
|
|
27
27
|
cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
28
28
|
cape_parsers/CAPE/community/monsterv2.py,sha256=eVEs4VIeS3PiZtRjNb69itmDq2Zkbrpn5k3M68GujiI,2995
|
|
29
29
|
cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=40wMfrXt-7UG30WsLC5GxUtG6tSUaaP1OT-ntWzPZn0,2956
|
|
30
|
-
cape_parsers/CAPE/core/AuraStealer.py,sha256=
|
|
30
|
+
cape_parsers/CAPE/core/AuraStealer.py,sha256=RSiclflsvcrcNLHpRokc_qF2cdQKXGBKg8Ti-Q-XmaM,3021
|
|
31
31
|
cape_parsers/CAPE/core/Azorult.py,sha256=YkMIhC6zRTxEkLVMUdr2MMsbV9iAnZ8hUS8be9GZ5N4,2150
|
|
32
32
|
cape_parsers/CAPE/core/BitPaymer.py,sha256=HQwoE0o7HMiXItxE08vBenf2ZWMxZp84-Hf_1eZ8QdE,3050
|
|
33
33
|
cape_parsers/CAPE/core/BlackDropper.py,sha256=sCSu2T5oPvcFHlSAzSsLj_gCv2Tldl0UPguwy0MVg6A,3282
|
|
@@ -41,7 +41,7 @@ cape_parsers/CAPE/core/Formbook.py,sha256=rvf0BRuRl_v8K9SJuSSfbVVMWLSTEemIgP3NtP
|
|
|
41
41
|
cape_parsers/CAPE/core/GuLoader.py,sha256=wH6t1e7rO60Bwe0ulqFdZq12-M087zT5WQtC_Wn2biU,354
|
|
42
42
|
cape_parsers/CAPE/core/IcedID.py,sha256=TEsvFq8qHz_D5kIURKWSC4lbvWaQbMriDZ3jQsVu2VA,4029
|
|
43
43
|
cape_parsers/CAPE/core/IcedIDLoader.py,sha256=YUOEILpTycO01KK4qqAxGSplsRVs2EzjscUw4T-DGWs,1602
|
|
44
|
-
cape_parsers/CAPE/core/Latrodectus.py,sha256=
|
|
44
|
+
cape_parsers/CAPE/core/Latrodectus.py,sha256=1K9yUUYtzRJ2c3unrYIUaA8nE--Zoqi5pjXY7t7t1qg,7751
|
|
45
45
|
cape_parsers/CAPE/core/Oyster.py,sha256=QStBScevJuLyd5d4Rw093SxTlbRG1LFkDwYgmjZx-EQ,4881
|
|
46
46
|
cape_parsers/CAPE/core/PikaBot.py,sha256=6Q8goXfMsSoU8UkdE9iuZY2KTxX_AmWhH1szke_HfWA,5280
|
|
47
47
|
cape_parsers/CAPE/core/PlugX.py,sha256=lGwr1T3mttG6CTbZCj_Cf5HnOad60A3LP264jlCsGsc,13192
|
|
@@ -108,7 +108,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
|
|
|
108
108
|
cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
|
|
109
109
|
cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
|
|
110
110
|
cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
|
|
111
|
-
cape_parsers-0.1.
|
|
112
|
-
cape_parsers-0.1.
|
|
113
|
-
cape_parsers-0.1.
|
|
114
|
-
cape_parsers-0.1.
|
|
111
|
+
cape_parsers-0.1.50.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
|
|
112
|
+
cape_parsers-0.1.50.dist-info/METADATA,sha256=YGNfid-gqksdDmXIK8SiFMi3lSJ-66va-mpHEUBA7uQ,1753
|
|
113
|
+
cape_parsers-0.1.50.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
|
|
114
|
+
cape_parsers-0.1.50.dist-info/RECORD,,
|
|