CAPE-parsers 0.1.50__py3-none-any.whl → 0.1.51__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -9,6 +9,7 @@ except ImportError as e:
9
9
  def extract_config(data: bytes):
10
10
  config = {}
11
11
  config_dict = {}
12
+ is_c2_found = False
12
13
  with suppress(Exception):
13
14
  if data[:2] == b"MZ":
14
15
  lines = extract_strings(data=data, on_demand=True, minchars=3)
@@ -25,11 +26,13 @@ def extract_config(data: bytes):
25
26
  config_dict["Protocol"] = "Telegram"
26
27
  config["CNCs"] = lines[base + x]
27
28
  config_dict["Password"] = lines[base + x + 1]
29
+ is_c2_found = True
28
30
  break
29
31
  # Data Exfiltration via Discord
30
32
  elif "discord" in lines[base + x]:
31
33
  config_dict["Protocol"] = "Discord"
32
34
  config["CNCs"] = [lines[base + x]]
35
+ is_c2_found = True
33
36
  break
34
37
  # Data Exfiltration via FTP
35
38
  elif "ftp:" in lines[base + x]:
@@ -38,6 +41,7 @@ def extract_config(data: bytes):
38
41
  username = lines[base + x + 1]
39
42
  password = lines[base + x + 2]
40
43
  config["CNCs"] = [f"ftp://{username}:{password}@{hostname}"]
44
+ is_c2_found = True
41
45
  break
42
46
  # Data Exfiltration via SMTP
43
47
  elif "@" in lines[base + x]:
@@ -52,10 +56,12 @@ def extract_config(data: bytes):
52
56
  config_dict["Password"] = lines[base + x + 1]
53
57
  if "@" in lines[base + x + 2]:
54
58
  config_dict["EmailTo"] = lines[base + x + 2]
59
+ is_c2_found = True
55
60
  break
56
61
  # Get Persistence Payload Filename
57
62
  for x in range(2, 22):
58
- if ".exe" in lines[base + x]:
63
+ # Only extract Persistence Filename when a C2 is detected.
64
+ if ".exe" in lines[base + x] and is_c2_found:
59
65
  config_dict["Persistence_Filename"] = lines[base + x]
60
66
  break
61
67
  # Get External IP Check Services
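Review bot: The new guard `if ".exe" in lines[base + x] and is_c2_found:` tests a loop-invariant flag on each of the twenty iterations of `for x in range(2, 22)`, so for a sample with no C2 the persistence loop still walks and indexes `lines[base + x]` for nothing; hoisting the flag, `if is_c2_found:` around `for x in range(2, 22):` / `if ".exe" in lines[base + x]:`, makes the intent explicit and avoids a needless IndexError, which the enclosing `with suppress(Exception):` would swallow along with any extraction steps that follow. If the loop is kept as is, at least put the cheap check first: `if is_c2_found and ".exe" in lines[base + x]:`. Indentation is not preserved on this page, so whether the SMTP branch's `is_c2_found = True` sits inside `if "@" in lines[base + x + 2]:` or after it cannot be confirmed here; if it is outside, a sample with a password but no recipient would still unlock the persistence filename, which is worth checking in the source. extract_config continues past the end of this hunk.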
@@ -1,8 +1,9 @@
1
- Metadata-Version: 2.3
1
+ Metadata-Version: 2.4
2
2
  Name: CAPE-parsers
3
- Version: 0.1.50
3
+ Version: 0.1.51
4
4
  Summary: CAPE: Malware Configuration Extraction
5
5
  License: MIT
6
+ License-File: LICENSE
6
7
  Keywords: cape,parsers,malware,configuration
7
8
  Author: Kevin O'Reilly
8
9
  Author-email: kev@capesandbox.com
@@ -13,6 +14,7 @@ Classifier: Programming Language :: Python :: 3.10
13
14
  Classifier: Programming Language :: Python :: 3.11
14
15
  Classifier: Programming Language :: Python :: 3.12
15
16
  Classifier: Programming Language :: Python :: 3.13
17
+ Classifier: Programming Language :: Python :: 3.14
16
18
  Provides-Extra: maco
17
19
  Requires-Dist: capstone (>=4.0.2)
18
20
  Requires-Dist: dncil (>=1.0.2)
@@ -1,5 +1,5 @@
1
1
  cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
2
- cape_parsers/CAPE/community/AgentTesla.py,sha256=rHhTmINQ0bGZEiJ5NhCKPhGobcifq3FDWZItgHTpBC8,3796
2
+ cape_parsers/CAPE/community/AgentTesla.py,sha256=ln5MqFXkTb7WrlDrUHNTnMWBYRHDSqyK4VHeq0ZldtA,4047
3
3
  cape_parsers/CAPE/community/Amadey.py,sha256=IUyt909q9IDQPPip6UW9uD16rJMD_gvkwvNZ8NHTW-k,5577
4
4
  cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
5
5
  cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
@@ -12,6 +12,7 @@ cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ
12
12
  cape_parsers/CAPE/community/KoiLoader.py,sha256=F2gsgCvrVuwxY1bg8rlexsjCjikAP5HIGGOqU8zhT8E,4008
13
13
  cape_parsers/CAPE/community/LokiBot.py,sha256=355kqLx0LNMr8XcGfPL7cxG8QZalcmE7ttVBqoWtTWE,5754
14
14
  cape_parsers/CAPE/community/Lumma.py,sha256=Iqd9yvt3g0FeV_bYRmL1RKp4C1H92qeGg4fXivVDSxw,12206
15
+ cape_parsers/CAPE/community/MonsterV2.py,sha256=eVEs4VIeS3PiZtRjNb69itmDq2Zkbrpn5k3M68GujiI,2995
15
16
  cape_parsers/CAPE/community/NanoCore.py,sha256=8QZnf1AcY9481kSfsf3SHQShwPLn97peGAf8_xEasQc,6230
16
17
  cape_parsers/CAPE/community/Nighthawk.py,sha256=8ss8yvslrwUt53zV6U0xuwGKU3hgYfOt13S5lkOVpNo,12105
17
18
  cape_parsers/CAPE/community/Njrat.py,sha256=GiwSENBB43RUqyJ7zT7ZPkPUYqo8Ew4kd5MJUj0jzdc,4702
@@ -25,7 +26,6 @@ cape_parsers/CAPE/community/VenomRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6Q
25
26
  cape_parsers/CAPE/community/XWorm.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
26
27
  cape_parsers/CAPE/community/XenoRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
27
28
  cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
28
- cape_parsers/CAPE/community/monsterv2.py,sha256=eVEs4VIeS3PiZtRjNb69itmDq2Zkbrpn5k3M68GujiI,2995
29
29
  cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=40wMfrXt-7UG30WsLC5GxUtG6tSUaaP1OT-ntWzPZn0,2956
30
30
  cape_parsers/CAPE/core/AuraStealer.py,sha256=RSiclflsvcrcNLHpRokc_qF2cdQKXGBKg8Ti-Q-XmaM,3021
31
31
  cape_parsers/CAPE/core/Azorult.py,sha256=YkMIhC6zRTxEkLVMUdr2MMsbV9iAnZ8hUS8be9GZ5N4,2150
@@ -108,7 +108,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
108
108
  cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
109
109
  cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
110
110
  cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
111
- cape_parsers-0.1.50.dist-info/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
112
- cape_parsers-0.1.50.dist-info/METADATA,sha256=YGNfid-gqksdDmXIK8SiFMi3lSJ-66va-mpHEUBA7uQ,1753
113
- cape_parsers-0.1.50.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
114
- cape_parsers-0.1.50.dist-info/RECORD,,
111
+ cape_parsers-0.1.51.dist-info/METADATA,sha256=vSKRRgEfohGbql5yBH3B_8mkBBWfhBNutBqb1xQ_jaE,1826
112
+ cape_parsers-0.1.51.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
113
+ cape_parsers-0.1.51.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
114
+ cape_parsers-0.1.51.dist-info/RECORD,,
@@ -1,4 +1,4 @@
1
1
  Wheel-Version: 1.0
2
- Generator: poetry-core 2.1.3
2
+ Generator: poetry-core 2.2.1
3
3
  Root-Is-Purelib: true
4
4
  Tag: py3-none-any