CAPE-parsers 0.1.50__tar.gz → 0.1.52__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/PKG-INFO +4 -2
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/AgentTesla.py +7 -1
- cape_parsers-0.1.50/cape_parsers/CAPE/community/monsterv2.py → cape_parsers-0.1.52/cape_parsers/CAPE/community/MonsterV2.py +6 -9
- cape_parsers-0.1.52/cape_parsers/CAPE/community/MyKings.py +52 -0
- cape_parsers-0.1.52/cape_parsers/CAPE/community/WinosStager.py +75 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/pyproject.toml +1 -1
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/LICENSE +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/README.md +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Amadey.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Arkei.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/AsyncRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/AuroraStealer.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Carbanak.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/CobaltStrikeStager.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/DCRat.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Fareit.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/KoiLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/LokiBot.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Lumma.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/NanoCore.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Nighthawk.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Njrat.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/PhemedroneStealer.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/QuasarRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/README.md +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Snake.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/SparkRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Stealc.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/VenomRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/XWorm.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/XenoRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/AdaptixBeacon.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/AuraStealer.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Azorult.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BitPaymer.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BlackDropper.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Blister.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BruteRatel.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BumbleBee.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/DarkGate.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/DoppelPaymer.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/DridexLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Formbook.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/GuLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/IcedID.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/IcedIDLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Latrodectus.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Oyster.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/PikaBot.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/PlugX.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/QakBot.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Quickbind.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/README.md +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/RedLine.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Remcos.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Rhadamanthys.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/SmokeLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Socks5Systemz.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/SquirrelWaffle.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Strrat.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/WarzoneRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Zloader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/test_cape.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/RATDecoders/README.md +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/RATDecoders/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/RATDecoders/test_rats.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/BackOffLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/BackOffPOS.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/BlackNix.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/BuerLoader.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/ChChes.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Emotet.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Enfal.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/EvilGrab.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Greame.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Hancitor.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/HttpBrowser.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/JavaDropper.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Nymaim.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Pandora.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/PoisonIvy.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/PredatorPain.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Punisher.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/RCSession.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/REvil.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/RedLeaf.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Retefe.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/Rozena.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/SmallNet.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/TSCookie.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/TrickBot.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/UrsnifV3.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/_ShadowTech.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/_VirusRat.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/_jRat.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/unrecom.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/deprecated/xRAT.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/malduck/LICENSE +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/malduck/README.md +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/malduck/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/malduck/test_malduck.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/mwcp/README.md +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/mwcp/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/mwcp/test_mwcp.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/__init__.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/aplib.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/blzpack.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/blzpack_lib.so +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/dotnet_utils.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/lznt1.py +0 -0
- {cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/utils/strings.py +0 -0
|
@@ -1,8 +1,9 @@
|
|
|
1
|
-
Metadata-Version: 2.
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
2
|
Name: CAPE-parsers
|
|
3
|
-
Version: 0.1.
|
|
3
|
+
Version: 0.1.52
|
|
4
4
|
Summary: CAPE: Malware Configuration Extraction
|
|
5
5
|
License: MIT
|
|
6
|
+
License-File: LICENSE
|
|
6
7
|
Keywords: cape,parsers,malware,configuration
|
|
7
8
|
Author: Kevin O'Reilly
|
|
8
9
|
Author-email: kev@capesandbox.com
|
|
@@ -13,6 +14,7 @@ Classifier: Programming Language :: Python :: 3.10
|
|
|
13
14
|
Classifier: Programming Language :: Python :: 3.11
|
|
14
15
|
Classifier: Programming Language :: Python :: 3.12
|
|
15
16
|
Classifier: Programming Language :: Python :: 3.13
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.14
|
|
16
18
|
Provides-Extra: maco
|
|
17
19
|
Requires-Dist: capstone (>=4.0.2)
|
|
18
20
|
Requires-Dist: dncil (>=1.0.2)
|
|
@@ -9,6 +9,7 @@ except ImportError as e:
|
|
|
9
9
|
def extract_config(data: bytes):
|
|
10
10
|
config = {}
|
|
11
11
|
config_dict = {}
|
|
12
|
+
is_c2_found = False
|
|
12
13
|
with suppress(Exception):
|
|
13
14
|
if data[:2] == b"MZ":
|
|
14
15
|
lines = extract_strings(data=data, on_demand=True, minchars=3)
|
|
@@ -25,11 +26,13 @@ def extract_config(data: bytes):
|
|
|
25
26
|
config_dict["Protocol"] = "Telegram"
|
|
26
27
|
config["CNCs"] = lines[base + x]
|
|
27
28
|
config_dict["Password"] = lines[base + x + 1]
|
|
29
|
+
is_c2_found = True
|
|
28
30
|
break
|
|
29
31
|
# Data Exfiltration via Discord
|
|
30
32
|
elif "discord" in lines[base + x]:
|
|
31
33
|
config_dict["Protocol"] = "Discord"
|
|
32
34
|
config["CNCs"] = [lines[base + x]]
|
|
35
|
+
is_c2_found = True
|
|
33
36
|
break
|
|
34
37
|
# Data Exfiltration via FTP
|
|
35
38
|
elif "ftp:" in lines[base + x]:
|
|
@@ -38,6 +41,7 @@ def extract_config(data: bytes):
|
|
|
38
41
|
username = lines[base + x + 1]
|
|
39
42
|
password = lines[base + x + 2]
|
|
40
43
|
config["CNCs"] = [f"ftp://{username}:{password}@{hostname}"]
|
|
44
|
+
is_c2_found = True
|
|
41
45
|
break
|
|
42
46
|
# Data Exfiltration via SMTP
|
|
43
47
|
elif "@" in lines[base + x]:
|
|
@@ -52,10 +56,12 @@ def extract_config(data: bytes):
|
|
|
52
56
|
config_dict["Password"] = lines[base + x + 1]
|
|
53
57
|
if "@" in lines[base + x + 2]:
|
|
54
58
|
config_dict["EmailTo"] = lines[base + x + 2]
|
|
59
|
+
is_c2_found = True
|
|
55
60
|
break
|
|
56
61
|
# Get Persistence Payload Filename
|
|
57
62
|
for x in range(2, 22):
|
|
58
|
-
|
|
63
|
+
# Only extract Persistence Filename when a C2 is detected.
|
|
64
|
+
if ".exe" in lines[base + x] and is_c2_found:
|
|
59
65
|
config_dict["Persistence_Filename"] = lines[base + x]
|
|
60
66
|
break
|
|
61
67
|
# Get External IP Check Services
|
|
@@ -14,15 +14,12 @@ RULE_SOURCE = """rule MonsterV2Config
|
|
|
14
14
|
author = "doomedraven,YungBinary"
|
|
15
15
|
strings:
|
|
16
16
|
$chunk_1 = {
|
|
17
|
-
41 B8
|
|
18
|
-
48 8D 15 ?? ?? ??
|
|
19
|
-
48 8B
|
|
20
|
-
E8 ?? ?? ?? ??
|
|
21
|
-
|
|
22
|
-
48
|
|
23
|
-
48 89 6C 24 ??
|
|
24
|
-
4C 8B C7
|
|
25
|
-
48 8D 54 24 ??
|
|
17
|
+
41 B8 0E 04 00 00
|
|
18
|
+
48 8D 15 ?? ?? ?? 00
|
|
19
|
+
48 8B C?
|
|
20
|
+
E8 ?? ?? ?? ?? [3-17]
|
|
21
|
+
4C 8B C?
|
|
22
|
+
48 8D 54 24 28
|
|
26
23
|
48 8B CE
|
|
27
24
|
E8 ?? ?? ?? ??
|
|
28
25
|
}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
"""
|
|
2
|
+
Description: MyKings AKA Smominru config parser
|
|
3
|
+
Author: x.com/YungBinary
|
|
4
|
+
"""
|
|
5
|
+
|
|
6
|
+
from contextlib import suppress
|
|
7
|
+
import json
|
|
8
|
+
import re
|
|
9
|
+
import base64
|
|
10
|
+
|
|
11
|
+
|
|
12
|
+
def contains_non_printable(byte_array):
|
|
13
|
+
for byte in byte_array:
|
|
14
|
+
if not chr(byte).isprintable():
|
|
15
|
+
return True
|
|
16
|
+
return False
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
def extract_base64_strings(data: bytes, minchars: int, maxchars: int) -> list:
|
|
20
|
+
pattern = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00{4}"
|
|
21
|
+
strings = []
|
|
22
|
+
for string in re.findall(pattern, data):
|
|
23
|
+
decoded_string = base64_and_printable(string.decode())
|
|
24
|
+
if decoded_string:
|
|
25
|
+
strings.append(decoded_string)
|
|
26
|
+
return strings
|
|
27
|
+
|
|
28
|
+
|
|
29
|
+
def base64_and_printable(b64_string: str):
|
|
30
|
+
with suppress(Exception):
|
|
31
|
+
decoded_bytes = base64.b64decode(b64_string)
|
|
32
|
+
if not contains_non_printable(decoded_bytes):
|
|
33
|
+
return decoded_bytes.decode('ascii')
|
|
34
|
+
|
|
35
|
+
|
|
36
|
+
def extract_config(data: bytes) -> dict:
|
|
37
|
+
config_dict = {}
|
|
38
|
+
with suppress(Exception):
|
|
39
|
+
cncs = extract_base64_strings(data, 12, 60)
|
|
40
|
+
if cncs:
|
|
41
|
+
# as they don't have schema they going under raw
|
|
42
|
+
config_dict["raw"] = {"CNCs": cncs}
|
|
43
|
+
return config_dict
|
|
44
|
+
|
|
45
|
+
return {}
|
|
46
|
+
|
|
47
|
+
|
|
48
|
+
if __name__ == "__main__":
|
|
49
|
+
import sys
|
|
50
|
+
|
|
51
|
+
with open(sys.argv[1], "rb") as f:
|
|
52
|
+
print(json.dumps(extract_config(f.read()), indent=4))
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
"""
|
|
2
|
+
Description: Winos 4.0 "OnlineModule" config parser
|
|
3
|
+
Author: x.com/YungBinary
|
|
4
|
+
"""
|
|
5
|
+
|
|
6
|
+
from contextlib import suppress
|
|
7
|
+
import re
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
CONFIG_KEY_MAP = {
|
|
11
|
+
"dd": "execution_delay_seconds",
|
|
12
|
+
"cl": "communication_interval_seconds",
|
|
13
|
+
"bb": "version",
|
|
14
|
+
"bz": "comment",
|
|
15
|
+
"jp": "keylogger",
|
|
16
|
+
"bh": "end_bluescreen",
|
|
17
|
+
"ll": "anti_traffic_monitoring",
|
|
18
|
+
"dl": "entrypoint",
|
|
19
|
+
"sh": "process_daemon",
|
|
20
|
+
"kl": "process_hollowing"
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
|
|
24
|
+
def find_config(data):
|
|
25
|
+
start = ":db|".encode("utf-16le")
|
|
26
|
+
end = ":1p|".encode("utf-16le")
|
|
27
|
+
pattern = re.compile(re.escape(start) + b".*?" + re.escape(end), re.DOTALL)
|
|
28
|
+
match = pattern.search(data)
|
|
29
|
+
if match:
|
|
30
|
+
return match.group(0).decode("utf-16le")
|
|
31
|
+
|
|
32
|
+
|
|
33
|
+
def extract_config(data: bytes) -> dict:
|
|
34
|
+
config_dict = {}
|
|
35
|
+
final_config = {}
|
|
36
|
+
|
|
37
|
+
with suppress(Exception):
|
|
38
|
+
config = find_config(data)
|
|
39
|
+
if not config:
|
|
40
|
+
return config_dict
|
|
41
|
+
|
|
42
|
+
# Reverse the config string, which is delimited by '|'
|
|
43
|
+
config = config[::-1]
|
|
44
|
+
# Remove leading/trailing pipes and split into key/value pairs
|
|
45
|
+
elements = [element for element in config.strip('|').split('|') if ':' in element]
|
|
46
|
+
# Split each element for key : value in a dictionary
|
|
47
|
+
config_dict = dict(element.split(':', 1) for element in elements)
|
|
48
|
+
if config_dict:
|
|
49
|
+
# Handle extraction and formatting of CNCs
|
|
50
|
+
for i in range(1, 4):
|
|
51
|
+
p, o, t = config_dict.get(f"p{i}"), config_dict.get(f"o{i}"), config_dict.get(f"t{i}")
|
|
52
|
+
if p and p != "127.0.0.1" and o:
|
|
53
|
+
protocol = {"0": "udp", "1": "tcp"}.get(t)
|
|
54
|
+
if protocol:
|
|
55
|
+
cnc = f"{protocol}://{p}:{o}"
|
|
56
|
+
final_config.setdefault("CNCs", []).append(cnc)
|
|
57
|
+
|
|
58
|
+
if "CNCs" not in final_config:
|
|
59
|
+
return {}
|
|
60
|
+
|
|
61
|
+
final_config["CNCs"] = list(set(final_config["CNCs"]))
|
|
62
|
+
# Extract campaign ID
|
|
63
|
+
final_config["campaign_id"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
|
|
64
|
+
|
|
65
|
+
# Map keys, e.g. dd -> execution_delay_seconds
|
|
66
|
+
final_config["raw"] = {v: config_dict[k] for k, v in CONFIG_KEY_MAP.items() if k in config_dict}
|
|
67
|
+
|
|
68
|
+
return final_config
|
|
69
|
+
|
|
70
|
+
|
|
71
|
+
if __name__ == "__main__":
|
|
72
|
+
import sys
|
|
73
|
+
|
|
74
|
+
with open(sys.argv[1], "rb") as f:
|
|
75
|
+
print(extract_config(f.read()))
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py
RENAMED
|
File without changes
|
{cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/CobaltStrikeStager.py
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{cape_parsers-0.1.50 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/PhemedroneStealer.py
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|