CAPE-parsers 0.1.51__tar.gz → 0.1.52__tar.gz

Files changed (116)
  1. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/PKG-INFO +1 -1
  2. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/MonsterV2.py +6 -9
  3. cape_parsers-0.1.52/cape_parsers/CAPE/community/MyKings.py +52 -0
  4. cape_parsers-0.1.52/cape_parsers/CAPE/community/WinosStager.py +75 -0
  5. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/pyproject.toml +1 -1
  6. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/LICENSE +0 -0
  7. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/README.md +0 -0
  8. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/__init__.py +0 -0
  9. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/AgentTesla.py +0 -0
  10. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Amadey.py +0 -0
  11. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Arkei.py +0 -0
  12. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/AsyncRAT.py +0 -0
  13. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/AuroraStealer.py +0 -0
  14. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Carbanak.py +0 -0
  15. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py +0 -0
  16. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/CobaltStrikeStager.py +0 -0
  17. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/DCRat.py +0 -0
  18. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Fareit.py +0 -0
  19. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/KoiLoader.py +0 -0
  20. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/LokiBot.py +0 -0
  21. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Lumma.py +0 -0
  22. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/NanoCore.py +0 -0
  23. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Nighthawk.py +0 -0
  24. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Njrat.py +0 -0
  25. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/PhemedroneStealer.py +0 -0
  26. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/QuasarRAT.py +0 -0
  27. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/README.md +0 -0
  28. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Snake.py +0 -0
  29. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/SparkRAT.py +0 -0
  30. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/Stealc.py +0 -0
  31. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/VenomRAT.py +0 -0
  32. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/XWorm.py +0 -0
  33. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/XenoRAT.py +0 -0
  34. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/community/__init__.py +0 -0
  35. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/AdaptixBeacon.py +0 -0
  36. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/AuraStealer.py +0 -0
  37. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Azorult.py +0 -0
  38. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BitPaymer.py +0 -0
  39. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BlackDropper.py +0 -0
  40. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Blister.py +0 -0
  41. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BruteRatel.py +0 -0
  42. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/BumbleBee.py +0 -0
  43. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/DarkGate.py +0 -0
  44. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/DoppelPaymer.py +0 -0
  45. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/DridexLoader.py +0 -0
  46. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Formbook.py +0 -0
  47. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/GuLoader.py +0 -0
  48. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/IcedID.py +0 -0
  49. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/IcedIDLoader.py +0 -0
  50. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Latrodectus.py +0 -0
  51. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Oyster.py +0 -0
  52. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/PikaBot.py +0 -0
  53. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/PlugX.py +0 -0
  54. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/QakBot.py +0 -0
  55. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Quickbind.py +0 -0
  56. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/README.md +0 -0
  57. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/RedLine.py +0 -0
  58. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Remcos.py +0 -0
  59. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Rhadamanthys.py +0 -0
  60. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/SmokeLoader.py +0 -0
  61. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Socks5Systemz.py +0 -0
  62. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/SquirrelWaffle.py +0 -0
  63. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Strrat.py +0 -0
  64. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/WarzoneRAT.py +0 -0
  65. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/Zloader.py +0 -0
  66. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/__init__.py +0 -0
  67. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/CAPE/core/test_cape.py +0 -0
  68. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/RATDecoders/README.md +0 -0
  69. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/RATDecoders/__init__.py +0 -0
  70. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/RATDecoders/test_rats.py +0 -0
  71. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/__init__.py +0 -0
  72. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/BackOffLoader.py +0 -0
  73. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/BackOffPOS.py +0 -0
  74. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/BlackNix.py +0 -0
  75. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/BuerLoader.py +0 -0
  76. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/ChChes.py +0 -0
  77. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Emotet.py +0 -0
  78. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Enfal.py +0 -0
  79. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/EvilGrab.py +0 -0
  80. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Greame.py +0 -0
  81. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Hancitor.py +0 -0
  82. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/HttpBrowser.py +0 -0
  83. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/JavaDropper.py +0 -0
  84. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Nymaim.py +0 -0
  85. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Pandora.py +0 -0
  86. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/PoisonIvy.py +0 -0
  87. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/PredatorPain.py +0 -0
  88. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Punisher.py +0 -0
  89. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/RCSession.py +0 -0
  90. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/REvil.py +0 -0
  91. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/RedLeaf.py +0 -0
  92. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Retefe.py +0 -0
  93. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/Rozena.py +0 -0
  94. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/SmallNet.py +0 -0
  95. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/TSCookie.py +0 -0
  96. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/TrickBot.py +0 -0
  97. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/UrsnifV3.py +0 -0
  98. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/_ShadowTech.py +0 -0
  99. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/_VirusRat.py +0 -0
  100. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/_jRat.py +0 -0
  101. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/unrecom.py +0 -0
  102. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/deprecated/xRAT.py +0 -0
  103. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/malduck/LICENSE +0 -0
  104. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/malduck/README.md +0 -0
  105. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/malduck/__init__.py +0 -0
  106. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/malduck/test_malduck.py +0 -0
  107. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/mwcp/README.md +0 -0
  108. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/mwcp/__init__.py +0 -0
  109. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/mwcp/test_mwcp.py +0 -0
  110. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/__init__.py +0 -0
  111. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/aplib.py +0 -0
  112. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/blzpack.py +0 -0
  113. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/blzpack_lib.so +0 -0
  114. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/dotnet_utils.py +0 -0
  115. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/lznt1.py +0 -0
  116. {cape_parsers-0.1.51 → cape_parsers-0.1.52}/cape_parsers/utils/strings.py +0 -0
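--- a/cape_parsers-0.1.51/PKG-INFO
+++ b/cape_parsers-0.1.52/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.51
+Version: 0.1.52
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE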
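--- a/cape_parsers-0.1.51/cape_parsers/CAPE/community/MonsterV2.py
+++ b/cape_parsers-0.1.52/cape_parsers/CAPE/community/MonsterV2.py
@@ -14,15 +14,12 @@ RULE_SOURCE = """rule MonsterV2Config
 author = "doomedraven,YungBinary"
 strings:
 $chunk_1 = {
-41 B8 ?? ?? ?? ??
-48 8D 15 ?? ?? ?? ??
-48 8B CB
-E8 ?? ?? ?? ??
-48 8D 83 ?? ?? ?? ??
-48 89 44 24 ??
-48 89 6C 24 ??
-4C 8B C7
-48 8D 54 24 ??
+41 B8 0E 04 00 00
+48 8D 15 ?? ?? ?? 00
+48 8B C?
+E8 ?? ?? ?? ?? [3-17]
+4C 8B C?
+48 8D 54 24 28
 48 8B CE
 E8 ?? ?? ?? ??
 }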
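Review bot: The retuned `$chunk_1` pattern pins the immediate `0E 04 00 00` and bounds the post-call gap with `[3-17]`, but nothing records what 0x40E is or where the 3–17 byte limit was observed, which is exactly what the next retune will need. A comment on the first byte line, e.g. `41 B8 0E 04 00 00 // mov r8d, 0x40E — TODO: document what this value is`, and one on the `[3-17]` jump naming the gap range seen in samples would keep the signature maintainable (inside the hex string if the deployed YARA version accepts comments there, otherwise as a Python comment above `RULE_SOURCE`). The `RULE_SOURCE` string and the rule's condition continue outside the hunk.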
@@ -0,0 +1,52 @@
1
+ """
2
+ Description: MyKings AKA Smominru config parser
3
+ Author: x.com/YungBinary
4
+ """
5
+
6
+ from contextlib import suppress
7
+ import json
8
+ import re
9
+ import base64
10
+
11
+
12
+ def contains_non_printable(byte_array):
13
+ for byte in byte_array:
14
+ if not chr(byte).isprintable():
15
+ return True
16
+ return False
17
+
18
+
19
+ def extract_base64_strings(data: bytes, minchars: int, maxchars: int) -> list:
20
+ pattern = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00{4}"
21
+ strings = []
22
+ for string in re.findall(pattern, data):
23
+ decoded_string = base64_and_printable(string.decode())
24
+ if decoded_string:
25
+ strings.append(decoded_string)
26
+ return strings
27
+
28
+
29
+ def base64_and_printable(b64_string: str):
30
+ with suppress(Exception):
31
+ decoded_bytes = base64.b64decode(b64_string)
32
+ if not contains_non_printable(decoded_bytes):
33
+ return decoded_bytes.decode('ascii')
34
+
35
+
36
+ def extract_config(data: bytes) -> dict:
37
+ config_dict = {}
38
+ with suppress(Exception):
39
+ cncs = extract_base64_strings(data, 12, 60)
40
+ if cncs:
41
+ # as they don't have schema they going under raw
42
+ config_dict["raw"] = {"CNCs": cncs}
43
+ return config_dict
44
+
45
+ return {}
46
+
47
+
48
+ if __name__ == "__main__":
49
+ import sys
50
+
51
+ with open(sys.argv[1], "rb") as f:
52
+ print(json.dumps(extract_config(f.read()), indent=4))
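Review bot: `contains_non_printable` relies on `chr(byte).isprintable()`, which maps bytes 0x80–0xFF to Latin-1 characters that are mostly printable, so a decoded blob of high bytes passes the check and only fails later at `decode('ascii')`, where the `suppress(Exception)` in `base64_and_printable` hides it. Making the check explicit keeps the intent visible and stops depending on a swallowed exception: `return any(b < 0x20 or b > 0x7E for b in byte_array)`. The regex in `extract_base64_strings` accepts any 12–60 character base64-looking run followed by four NUL bytes, so unrelated decodable strings can end up under `raw.CNCs`; a minimal shape check on the decoded value before reporting it (and a short comment stating that the NUL-padding is the distinguishing feature) would reduce noise. `base64_and_printable` also returns `None` implicitly on every failure path and should be annotated `-> str | None`.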
@@ -0,0 +1,75 @@
1
+ """
2
+ Description: Winos 4.0 "OnlineModule" config parser
3
+ Author: x.com/YungBinary
4
+ """
5
+
6
+ from contextlib import suppress
7
+ import re
8
+
9
+
10
+ CONFIG_KEY_MAP = {
11
+ "dd": "execution_delay_seconds",
12
+ "cl": "communication_interval_seconds",
13
+ "bb": "version",
14
+ "bz": "comment",
15
+ "jp": "keylogger",
16
+ "bh": "end_bluescreen",
17
+ "ll": "anti_traffic_monitoring",
18
+ "dl": "entrypoint",
19
+ "sh": "process_daemon",
20
+ "kl": "process_hollowing"
21
+ }
22
+
23
+
24
+ def find_config(data):
25
+ start = ":db|".encode("utf-16le")
26
+ end = ":1p|".encode("utf-16le")
27
+ pattern = re.compile(re.escape(start) + b".*?" + re.escape(end), re.DOTALL)
28
+ match = pattern.search(data)
29
+ if match:
30
+ return match.group(0).decode("utf-16le")
31
+
32
+
33
+ def extract_config(data: bytes) -> dict:
34
+ config_dict = {}
35
+ final_config = {}
36
+
37
+ with suppress(Exception):
38
+ config = find_config(data)
39
+ if not config:
40
+ return config_dict
41
+
42
+ # Reverse the config string, which is delimited by '|'
43
+ config = config[::-1]
44
+ # Remove leading/trailing pipes and split into key/value pairs
45
+ elements = [element for element in config.strip('|').split('|') if ':' in element]
46
+ # Split each element for key : value in a dictionary
47
+ config_dict = dict(element.split(':', 1) for element in elements)
48
+ if config_dict:
49
+ # Handle extraction and formatting of CNCs
50
+ for i in range(1, 4):
51
+ p, o, t = config_dict.get(f"p{i}"), config_dict.get(f"o{i}"), config_dict.get(f"t{i}")
52
+ if p and p != "127.0.0.1" and o:
53
+ protocol = {"0": "udp", "1": "tcp"}.get(t)
54
+ if protocol:
55
+ cnc = f"{protocol}://{p}:{o}"
56
+ final_config.setdefault("CNCs", []).append(cnc)
57
+
58
+ if "CNCs" not in final_config:
59
+ return {}
60
+
61
+ final_config["CNCs"] = list(set(final_config["CNCs"]))
62
+ # Extract campaign ID
63
+ final_config["campaign_id"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
64
+
65
+ # Map keys, e.g. dd -> execution_delay_seconds
66
+ final_config["raw"] = {v: config_dict[k] for k, v in CONFIG_KEY_MAP.items() if k in config_dict}
67
+
68
+ return final_config
69
+
70
+
71
+ if __name__ == "__main__":
72
+ import sys
73
+
74
+ with open(sys.argv[1], "rb") as f:
75
+ print(extract_config(f.read()))
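Review bot: `config_dict["fz"]` in `extract_config` raises `KeyError` when the `fz` field is absent, and because the whole body sits inside `with suppress(Exception)` that exception is swallowed and execution falls through to `return final_config`, returning a dict that has `CNCs` but silently lacks `campaign_id` and `raw`. Use `.get` so a missing field yields `None` instead of truncating the result: `fz = config_dict.get("fz")` followed by `final_config["campaign_id"] = "default" if fz == "\u9ed8\u8ba4" else fz`. A comment noting that `"\u9ed8\u8ba4"` is 默认, the Chinese word for "default", would save the next reader a lookup, and `sorted(set(final_config["CNCs"]))` on the dedup line would give a deterministic CNC order for diffing extractor output across runs.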
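--- a/cape_parsers-0.1.51/pyproject.toml
+++ b/cape_parsers-0.1.52/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.51"
+version = "0.1.52"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"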