CAPE-parsers 0.1.51__py3-none-any.whl → 0.1.52__py3-none-any.whl

cape_parsers/CAPE/community/MonsterV2.py

@@ -14,15 +14,12 @@ RULE_SOURCE = """rule MonsterV2Config
         author = "doomedraven,YungBinary"
     strings:
         $chunk_1 = {
-            41 B8 ?? ?? ?? ??
-            48 8D 15 ?? ?? ?? ??
-            48 8B CB
-            E8 ?? ?? ?? ??
-            48 8D 83 ?? ?? ?? ??
-            48 89 44 24 ??
-            48 89 6C 24 ??
-            4C 8B C7
-            48 8D 54 24 ??
+            41 B8 0E 04 00 00
+            48 8D 15 ?? ?? ?? 00
+            48 8B C?
+            E8 ?? ?? ?? ?? [3-17]
+            4C 8B C?
+            48 8D 54 24 28
             48 8B CE
             E8 ?? ?? ?? ??
         }

cape_parsers/CAPE/community/MyKings.py

@@ -0,0 +1,52 @@
+"""
+Description: MyKings AKA Smominru config parser
+Author: x.com/YungBinary
+"""
+
+from contextlib import suppress
+import json
+import re
+import base64
+
+
+def contains_non_printable(byte_array):
+    for byte in byte_array:
+        if not chr(byte).isprintable():
+            return True
+    return False
+
+
+def extract_base64_strings(data: bytes, minchars: int, maxchars: int) -> list:
+    pattern = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00{4}"
+    strings = []
+    for string in re.findall(pattern, data):
+        decoded_string = base64_and_printable(string.decode())
+        if decoded_string:
+            strings.append(decoded_string)
+    return strings
+
+
+def base64_and_printable(b64_string: str):
+    with suppress(Exception):
+        decoded_bytes = base64.b64decode(b64_string)
+        if not contains_non_printable(decoded_bytes):
+            return decoded_bytes.decode('ascii')
+
+
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    with suppress(Exception):
+        cncs = extract_base64_strings(data, 12, 60)
+        if cncs:
+            # as they don't have schema they going under raw
+            config_dict["raw"] = {"CNCs": cncs}
+            return config_dict
+
+    return {}
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(json.dumps(extract_config(f.read()), indent=4))

cape_parsers/CAPE/community/WinosStager.py

@@ -0,0 +1,75 @@
+"""
+Description: Winos 4.0 "OnlineModule" config parser
+Author: x.com/YungBinary
+"""
+
+from contextlib import suppress
+import re
+
+
+CONFIG_KEY_MAP = {
+    "dd": "execution_delay_seconds",
+    "cl": "communication_interval_seconds",
+    "bb": "version",
+    "bz": "comment",
+    "jp": "keylogger",
+    "bh": "end_bluescreen",
+    "ll": "anti_traffic_monitoring",
+    "dl": "entrypoint",
+    "sh": "process_daemon",
+    "kl": "process_hollowing"
+}
+
+
+def find_config(data):
+    start = ":db|".encode("utf-16le")
+    end = ":1p|".encode("utf-16le")
+    pattern = re.compile(re.escape(start) + b".*?" + re.escape(end), re.DOTALL)
+    match = pattern.search(data)
+    if match:
+        return match.group(0).decode("utf-16le")
+
+
+def extract_config(data: bytes) -> dict:
+    config_dict = {}
+    final_config = {}
+
+    with suppress(Exception):
+        config = find_config(data)
+        if not config:
+            return config_dict
+
+        # Reverse the config string, which is delimited by '|'
+        config = config[::-1]
+        # Remove leading/trailing pipes and split into key/value pairs
+        elements = [element for element in config.strip('|').split('|') if ':' in element]
+        # Split each element for key : value in a dictionary
+        config_dict = dict(element.split(':', 1) for element in elements)
+        if config_dict:
+            # Handle extraction and formatting of CNCs
+            for i in range(1, 4):
+                p, o, t = config_dict.get(f"p{i}"), config_dict.get(f"o{i}"), config_dict.get(f"t{i}")
+                if p and p != "127.0.0.1" and o:
+                    protocol = {"0": "udp", "1": "tcp"}.get(t)
+                    if protocol:
+                        cnc = f"{protocol}://{p}:{o}"
+                        final_config.setdefault("CNCs", []).append(cnc)
+
+            if "CNCs" not in final_config:
+                return {}
+
+            final_config["CNCs"] = list(set(final_config["CNCs"]))
+            # Extract campaign ID
+            final_config["campaign_id"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
+
+            # Map keys, e.g. dd -> execution_delay_seconds
+            final_config["raw"] = {v: config_dict[k] for k, v in CONFIG_KEY_MAP.items() if k in config_dict}
+
+    return final_config
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

{cape_parsers-0.1.51.dist-info → cape_parsers-0.1.52.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.51
+Version: 0.1.52
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.51.dist-info → cape_parsers-0.1.52.dist-info}/RECORD

@@ -12,7 +12,8 @@ cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ
 cape_parsers/CAPE/community/KoiLoader.py,sha256=F2gsgCvrVuwxY1bg8rlexsjCjikAP5HIGGOqU8zhT8E,4008
 cape_parsers/CAPE/community/LokiBot.py,sha256=355kqLx0LNMr8XcGfPL7cxG8QZalcmE7ttVBqoWtTWE,5754
 cape_parsers/CAPE/community/Lumma.py,sha256=Iqd9yvt3g0FeV_bYRmL1RKp4C1H92qeGg4fXivVDSxw,12206
-cape_parsers/CAPE/community/MonsterV2.py,sha256=eVEs4VIeS3PiZtRjNb69itmDq2Zkbrpn5k3M68GujiI,2995
+cape_parsers/CAPE/community/MonsterV2.py,sha256=cFxhYxo7FruTMmFY3OtBO-E0hDyxfsC3zWX3BlcB-qI,2915
+cape_parsers/CAPE/community/MyKings.py,sha256=bcypBMJf6Jeg0yrHZ-J-XjnhHvFbb-lpDF_zwW63gOk,1397
 cape_parsers/CAPE/community/NanoCore.py,sha256=8QZnf1AcY9481kSfsf3SHQShwPLn97peGAf8_xEasQc,6230
 cape_parsers/CAPE/community/Nighthawk.py,sha256=8ss8yvslrwUt53zV6U0xuwGKU3hgYfOt13S5lkOVpNo,12105
 cape_parsers/CAPE/community/Njrat.py,sha256=GiwSENBB43RUqyJ7zT7ZPkPUYqo8Ew4kd5MJUj0jzdc,4702
@@ -23,6 +24,7 @@ cape_parsers/CAPE/community/Snake.py,sha256=v_MAPmg86ZdgGOkzc9GVHbi-lu4nLa1_0Lp9
 cape_parsers/CAPE/community/SparkRAT.py,sha256=OVDty_1i9PTGuEumT0BHoDn0bD2UtdhHVNjThah80pg,2140
 cape_parsers/CAPE/community/Stealc.py,sha256=18EkQ-lMMAreKV5vA9xLBmOK5B4JtYcBwVqNfof4K2A,5321
 cape_parsers/CAPE/community/VenomRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
+cape_parsers/CAPE/community/WinosStager.py,sha256=6jkfTJiVdz6oyyqTjh3I4qunYgXbD4qXS_bd-uogwGA,2407
 cape_parsers/CAPE/community/XWorm.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/XenoRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -108,7 +110,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.51.dist-info/METADATA,sha256=vSKRRgEfohGbql5yBH3B_8mkBBWfhBNutBqb1xQ_jaE,1826
-cape_parsers-0.1.51.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cape_parsers-0.1.51.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.51.dist-info/RECORD,,
+cape_parsers-0.1.52.dist-info/METADATA,sha256=c354f-gNdv6cYW0XkKCvLw0tjVbE8flYpLsW1TrS7zw,1826
+cape_parsers-0.1.52.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cape_parsers-0.1.52.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.52.dist-info/RECORD,,