CAPE-parsers 0.1.52__tar.gz → 0.1.53__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (117) hide show
  1. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/PKG-INFO +1 -1
  2. cape_parsers-0.1.53/cape_parsers/CAPE/core/Rhadamanthys.py +296 -0
  3. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/pyproject.toml +1 -1
  4. cape_parsers-0.1.52/cape_parsers/CAPE/core/Rhadamanthys.py +0 -190
  5. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/LICENSE +0 -0
  6. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/README.md +0 -0
  7. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/__init__.py +0 -0
  8. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/AgentTesla.py +0 -0
  9. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Amadey.py +0 -0
  10. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Arkei.py +0 -0
  11. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/AsyncRAT.py +0 -0
  12. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/AuroraStealer.py +0 -0
  13. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Carbanak.py +0 -0
  14. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py +0 -0
  15. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/CobaltStrikeStager.py +0 -0
  16. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/DCRat.py +0 -0
  17. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Fareit.py +0 -0
  18. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/KoiLoader.py +0 -0
  19. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/LokiBot.py +0 -0
  20. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Lumma.py +0 -0
  21. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/MonsterV2.py +0 -0
  22. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/MyKings.py +0 -0
  23. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/NanoCore.py +0 -0
  24. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Nighthawk.py +0 -0
  25. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Njrat.py +0 -0
  26. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/PhemedroneStealer.py +0 -0
  27. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/QuasarRAT.py +0 -0
  28. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/README.md +0 -0
  29. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Snake.py +0 -0
  30. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/SparkRAT.py +0 -0
  31. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/Stealc.py +0 -0
  32. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/VenomRAT.py +0 -0
  33. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/WinosStager.py +0 -0
  34. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/XWorm.py +0 -0
  35. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/XenoRAT.py +0 -0
  36. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/community/__init__.py +0 -0
  37. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/AdaptixBeacon.py +0 -0
  38. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/AuraStealer.py +0 -0
  39. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Azorult.py +0 -0
  40. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/BitPaymer.py +0 -0
  41. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/BlackDropper.py +0 -0
  42. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Blister.py +0 -0
  43. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/BruteRatel.py +0 -0
  44. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/BumbleBee.py +0 -0
  45. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/DarkGate.py +0 -0
  46. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/DoppelPaymer.py +0 -0
  47. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/DridexLoader.py +0 -0
  48. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Formbook.py +0 -0
  49. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/GuLoader.py +0 -0
  50. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/IcedID.py +0 -0
  51. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/IcedIDLoader.py +0 -0
  52. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Latrodectus.py +0 -0
  53. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Oyster.py +0 -0
  54. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/PikaBot.py +0 -0
  55. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/PlugX.py +0 -0
  56. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/QakBot.py +0 -0
  57. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Quickbind.py +0 -0
  58. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/README.md +0 -0
  59. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/RedLine.py +0 -0
  60. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Remcos.py +0 -0
  61. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/SmokeLoader.py +0 -0
  62. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Socks5Systemz.py +0 -0
  63. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/SquirrelWaffle.py +0 -0
  64. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Strrat.py +0 -0
  65. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/WarzoneRAT.py +0 -0
  66. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/Zloader.py +0 -0
  67. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/__init__.py +0 -0
  68. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/CAPE/core/test_cape.py +0 -0
  69. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/RATDecoders/README.md +0 -0
  70. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/RATDecoders/__init__.py +0 -0
  71. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/RATDecoders/test_rats.py +0 -0
  72. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/__init__.py +0 -0
  73. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/BackOffLoader.py +0 -0
  74. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/BackOffPOS.py +0 -0
  75. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/BlackNix.py +0 -0
  76. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/BuerLoader.py +0 -0
  77. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/ChChes.py +0 -0
  78. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Emotet.py +0 -0
  79. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Enfal.py +0 -0
  80. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/EvilGrab.py +0 -0
  81. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Greame.py +0 -0
  82. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Hancitor.py +0 -0
  83. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/HttpBrowser.py +0 -0
  84. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/JavaDropper.py +0 -0
  85. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Nymaim.py +0 -0
  86. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Pandora.py +0 -0
  87. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/PoisonIvy.py +0 -0
  88. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/PredatorPain.py +0 -0
  89. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Punisher.py +0 -0
  90. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/RCSession.py +0 -0
  91. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/REvil.py +0 -0
  92. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/RedLeaf.py +0 -0
  93. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Retefe.py +0 -0
  94. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/Rozena.py +0 -0
  95. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/SmallNet.py +0 -0
  96. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/TSCookie.py +0 -0
  97. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/TrickBot.py +0 -0
  98. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/UrsnifV3.py +0 -0
  99. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/_ShadowTech.py +0 -0
  100. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/_VirusRat.py +0 -0
  101. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/_jRat.py +0 -0
  102. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/unrecom.py +0 -0
  103. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/deprecated/xRAT.py +0 -0
  104. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/malduck/LICENSE +0 -0
  105. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/malduck/README.md +0 -0
  106. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/malduck/__init__.py +0 -0
  107. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/malduck/test_malduck.py +0 -0
  108. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/mwcp/README.md +0 -0
  109. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/mwcp/__init__.py +0 -0
  110. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/mwcp/test_mwcp.py +0 -0
  111. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/__init__.py +0 -0
  112. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/aplib.py +0 -0
  113. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/blzpack.py +0 -0
  114. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/blzpack_lib.so +0 -0
  115. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/dotnet_utils.py +0 -0
  116. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/lznt1.py +0 -0
  117. {cape_parsers-0.1.52 → cape_parsers-0.1.53}/cape_parsers/utils/strings.py +0 -0
{cape_parsers-0.1.52 → cape_parsers-0.1.53}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: CAPE-parsers
3
- Version: 0.1.52
3
+ Version: 0.1.53
4
4
  Summary: CAPE: Malware Configuration Extraction
5
5
  License: MIT
6
6
  License-File: LICENSE
cape_parsers-0.1.53/cape_parsers/CAPE/core/Rhadamanthys.py ADDED
@@ -0,0 +1,296 @@
1
+ import struct
2
+ import base64
3
+ import re
4
+ import json
5
+
6
+
7
+ DESCRIPTION = "Rhadamanthys parser"
8
+ AUTHOR = "kevoreilly, YungBinary"
9
+
10
+
11
+ def mask32(x):
12
+ return x & 0xFFFFFFFF
13
+
14
+
15
+ def add32(x, y):
16
+ return mask32(x + y)
17
+
18
+
19
+ def left_rotate(x, n):
20
+ return mask32(x << n) | (x >> (32 - n))
21
+
22
+
23
+ def quarter_round(block, a, b, c, d):
24
+ block[a] = add32(block[a], block[b])
25
+ block[d] ^= block[a]
26
+ block[d] = left_rotate(block[d], 16)
27
+ block[c] = add32(block[c], block[d])
28
+ block[b] ^= block[c]
29
+ block[b] = left_rotate(block[b], 12)
30
+ block[a] = add32(block[a], block[b])
31
+ block[d] ^= block[a]
32
+ block[d] = left_rotate(block[d], 8)
33
+ block[c] = add32(block[c], block[d])
34
+ block[b] ^= block[c]
35
+ block[b] = left_rotate(block[b], 7)
36
+
37
+
38
+ def chacha20_permute(block):
39
+ for doubleround in range(10):
40
+ quarter_round(block, 0, 4, 8, 12)
41
+ quarter_round(block, 1, 5, 9, 13)
42
+ quarter_round(block, 2, 6, 10, 14)
43
+ quarter_round(block, 3, 7, 11, 15)
44
+ quarter_round(block, 0, 5, 10, 15)
45
+ quarter_round(block, 1, 6, 11, 12)
46
+ quarter_round(block, 2, 7, 8, 13)
47
+ quarter_round(block, 3, 4, 9, 14)
48
+
49
+
50
+ def words_from_bytes(b):
51
+ assert len(b) % 4 == 0
52
+ return [int.from_bytes(b[4 * i : 4 * i + 4], "little") for i in range(len(b) // 4)]
53
+
54
+
55
+ def bytes_from_words(w):
56
+ return b"".join(word.to_bytes(4, "little") for word in w)
57
+
58
+
59
+ def chacha20_block(key, nonce, blocknum):
60
+ # This implementation doesn't support 16-byte keys.
61
+ assert len(key) == 32
62
+ assert len(nonce) == 12
63
+ assert blocknum < 2**32
64
+ constant_words = words_from_bytes(b"expand 32-byte k")
65
+ key_words = words_from_bytes(key)
66
+ nonce_words = words_from_bytes(nonce)
67
+ # fmt: off
68
+ original_block = [
69
+ constant_words[0], constant_words[1], constant_words[2], constant_words[3],
70
+ key_words[0], key_words[1], key_words[2], key_words[3],
71
+ key_words[4], key_words[5], key_words[6], key_words[7],
72
+ mask32(blocknum), nonce_words[0], nonce_words[1], nonce_words[2],
73
+ ]
74
+ # fmt: on
75
+ permuted_block = list(original_block)
76
+ chacha20_permute(permuted_block)
77
+ for i in range(len(permuted_block)):
78
+ permuted_block[i] = add32(permuted_block[i], original_block[i])
79
+ return bytes_from_words(permuted_block)
80
+
81
+
82
+ def chacha20_stream(key, nonce, length, blocknum):
83
+ output = bytearray()
84
+ while length > 0:
85
+ block = chacha20_block(key, nonce, blocknum)
86
+ take = min(length, len(block))
87
+ output.extend(block[:take])
88
+ length -= take
89
+ blocknum += 1
90
+ return output
91
+
92
+
93
+ def decrypt_config(data):
94
+ decrypted_config = b""
95
+ data_len = len(data)
96
+ v3 = 0
97
+ while True:
98
+ v8 = 4
99
+ while v8:
100
+ if data_len <= (v3 + 4):
101
+ return decrypted_config
102
+ a = data[v3]
103
+ b = data[v3 + 4]
104
+ c = a ^ b
105
+ decrypted_config += bytes([c])
106
+ v8 -= 1
107
+ v3 += 1
108
+
109
+
110
+ def chacha20_xor(custom_b64_decoded, key, nonce):
111
+ message_len = len(custom_b64_decoded)
112
+ key_stream = chacha20_stream(key, nonce, message_len, 0x80)
113
+
114
+ xor_key = bytearray()
115
+ for i in range(message_len):
116
+ xor_key.append(custom_b64_decoded[i] ^ key_stream[i])
117
+
118
+ return xor_key
119
+
120
+
121
+ def extract_base64_strings(data, minchars, maxchars):
122
+ apat = b"([A-Za-z0-9-|]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
123
+ strings = [s.decode() for s in re.findall(apat, data)]
124
+ upat = b"((?:[A-Za-z0-9-|]\x00){" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00\x00"
125
+ strings.extend(ws.decode("utf-16le") for ws in re.findall(upat, data))
126
+ return strings
127
+
128
+
129
+ def extract_c2_url(data):
130
+ pattern = b"(http[\x20-\x7e]+)\x00"
131
+ match = re.search(pattern, data)
132
+ if match:
133
+ return match.group(1).decode()
134
+
135
+
136
+ def custom_b64decode(data: bytes, custom_alphabet: bytes):
137
+ """Decodes base64 data using a custom alphabet."""
138
+ standard_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
139
+ # Translate the data back to the standard alphabet before decoding
140
+ table = bytes.maketrans(custom_alphabet, standard_alphabet)
141
+ return base64.b64decode(data.translate(table), validate=True)
142
+
143
+
144
+ def lzo_noheader_decompress(data: bytes, decompressed_size: int):
145
+ src = 0
146
+ dst = bytearray()
147
+ length = len(data)
148
+
149
+ while src < length:
150
+ ctrl = data[src]
151
+ src += 1
152
+
153
+ if ctrl == 0x20:
154
+ match_len = data[src]
155
+ src += 1
156
+ start = len(dst) - match_len - 1
157
+ end = start + 3
158
+ #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(match_len)}, Current offset: {hex(len(dst))}, New offset: {hex(start)}")
159
+ dst.extend(dst[start:end])
160
+
161
+ elif ctrl >= 0xE0 or ctrl == 0x40:
162
+ x = ((ctrl >> 5) - 1) + 3
163
+ if ctrl >= 0xE0:
164
+ copy_len = data[src] + x
165
+ elif ctrl == 0x40:
166
+ copy_len = x
167
+ start = data[src + 1]
168
+ if ctrl == 0x40:
169
+ start = data[src]
170
+ if ctrl >= 0xE0:
171
+ src += 2
172
+ elif ctrl == 0x40:
173
+ src += 1
174
+ offset = len(dst) - start - 1
175
+ #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(start)}, Current offset: {hex(len(dst))}, New offset: {hex(len(dst) - start)}, Length to copy: {hex(copy_len)}")
176
+ dst.extend(dst[offset:offset+copy_len])
177
+
178
+ else:
179
+ # Literal run
180
+ literal_len = (ctrl & 0x1F) + 1
181
+ #print(f"Control code: {hex(ctrl)}, Literal length: {hex(literal_len)}")
182
+ dst.extend(data[src:src+literal_len])
183
+ src += literal_len
184
+
185
+ if len(dst) == decompressed_size:
186
+ return bytes(dst)
187
+
188
+
189
+ def parse_compression_header(config: bytes):
190
+ """Parse compressed size, decompressed size, and data offset from config"""
191
+
192
+ # 0x2A when looking at the config in memory
193
+ base_offset = 0x26
194
+
195
+ # Compressed data offset field, for calculating the offset to the compressed buffer
196
+ comp_offset_field = config[base_offset]
197
+ # Number of bytes the field spans
198
+ comp_offset_size_len = (comp_offset_field & 3) + 1
199
+ for i in range(1, comp_offset_size_len):
200
+ comp_offset_field |= config[base_offset + i] << (8 * i)
201
+
202
+ comp_size_offset = comp_offset_field >> 2
203
+
204
+ # Compressed size field, for finding the size of the compressed buffer
205
+ comp_offset = base_offset + comp_offset_size_len
206
+ comp_size_field = config[comp_offset]
207
+ # Number of bytes the field spans
208
+ comp_size_len = (comp_size_field & 3) + 1
209
+ for i in range(1, comp_size_len):
210
+ comp_size_field |= config[comp_offset + i] << (8 * i)
211
+
212
+ # Decompressed size field
213
+ decomp_field_offset = base_offset + comp_offset_size_len + comp_size_len
214
+ decomp_size_field = config[decomp_field_offset]
215
+ # Number of bytes the field spans
216
+ decomp_field_len = (decomp_size_field & 3) + 1
217
+ for i in range(1, decomp_field_len):
218
+ decomp_size_field |= config[decomp_field_offset + i] << (8 * i)
219
+
220
+ # Calculate return values
221
+ decompressed_size = decomp_size_field >> 2
222
+ compressed_data_offset = decomp_field_offset + decomp_field_len + comp_size_offset
223
+ compressed_size_key = config[0x28] << 8
224
+ compressed_size = (compressed_size_key | comp_size_field) >> 2
225
+ compressed_data = config[compressed_data_offset : compressed_data_offset + compressed_size]
226
+
227
+ return {
228
+ "compressed_size": compressed_size,
229
+ "decompressed_size": decompressed_size,
230
+ "compressed_data": compressed_data
231
+ }
232
+
233
+
234
+ def extract_config(data):
235
+ config_dict = {}
236
+ magic = struct.unpack("I", data[:4])[0]
237
+ if magic == 0x59485221:
238
+ config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
239
+ return config_dict
240
+ else:
241
+ key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
242
+ nonce = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
243
+
244
+ custom_alphabets = [
245
+ b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|",
246
+ b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a"
247
+ ]
248
+
249
+ # Extract base64 strings
250
+ extracted_strings = extract_base64_strings(data, 140, 256)
251
+ if not extracted_strings:
252
+ return config_dict
253
+
254
+ pattern = re.compile(b'.\x80')
255
+ for string in extracted_strings:
256
+ try:
257
+ custom_b64_decoded = custom_b64decode(string, custom_alphabets[0])
258
+
259
+ xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
260
+
261
+ # Decrypted, but may still be the compressed malware configuration
262
+ config = decrypt_config(xor_key)
263
+ # Attempt to extract C2 url, only works in version prior to 0.9.2
264
+ c2_url = extract_c2_url(config)
265
+ if c2_url:
266
+ config_dict = {"CNCs": [c2_url]}
267
+ return config_dict
268
+ else:
269
+ # Handle new variants that compress the Command and Control server(s)
270
+ custom_b64_decoded = custom_b64decode(string, custom_alphabets[1])
271
+ xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
272
+ config = decrypt_config(xor_key)
273
+
274
+ parsed = parse_compression_header(config)
275
+ if not parsed:
276
+ return config_dict
277
+
278
+ decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
279
+
280
+ cncs = [f"https://{chunk.decode()}" for chunk in pattern.split(decompressed) if chunk]
281
+ if cncs:
282
+ config_dict = {"CNCs": cncs}
283
+ return config_dict
284
+
285
+ except Exception:
286
+ continue
287
+
288
+ return config_dict
289
+
290
+
291
+ if __name__ == "__main__":
292
+ import sys
293
+
294
+ with open(sys.argv[1], "rb") as f:
295
+ config_json = json.dumps(extract_config(f.read()), indent=4)
296
+ print(config_json)
{cape_parsers-0.1.52 → cape_parsers-0.1.53}/pyproject.toml RENAMED
@@ -1,6 +1,6 @@
1
1
  [tool.poetry]
2
2
  name = "CAPE-parsers"
3
- version = "0.1.52"
3
+ version = "0.1.53"
4
4
  description = "CAPE: Malware Configuration Extraction"
5
5
  authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
6
6
  license = "MIT"
cape_parsers-0.1.52/cape_parsers/CAPE/core/Rhadamanthys.py DELETED
@@ -1,190 +0,0 @@
1
- import struct
2
- import base64
3
- import re
4
- import json
5
-
6
-
7
- DESCRIPTION = "Rhadamanthys parser"
8
- AUTHOR = "kevoreilly, YungBinary"
9
-
10
-
11
- def mask32(x):
12
- return x & 0xFFFFFFFF
13
-
14
-
15
- def add32(x, y):
16
- return mask32(x + y)
17
-
18
-
19
- def left_rotate(x, n):
20
- return mask32(x << n) | (x >> (32 - n))
21
-
22
-
23
- def quarter_round(block, a, b, c, d):
24
- block[a] = add32(block[a], block[b])
25
- block[d] ^= block[a]
26
- block[d] = left_rotate(block[d], 16)
27
- block[c] = add32(block[c], block[d])
28
- block[b] ^= block[c]
29
- block[b] = left_rotate(block[b], 12)
30
- block[a] = add32(block[a], block[b])
31
- block[d] ^= block[a]
32
- block[d] = left_rotate(block[d], 8)
33
- block[c] = add32(block[c], block[d])
34
- block[b] ^= block[c]
35
- block[b] = left_rotate(block[b], 7)
36
-
37
-
38
- def chacha20_permute(block):
39
- for doubleround in range(10):
40
- quarter_round(block, 0, 4, 8, 12)
41
- quarter_round(block, 1, 5, 9, 13)
42
- quarter_round(block, 2, 6, 10, 14)
43
- quarter_round(block, 3, 7, 11, 15)
44
- quarter_round(block, 0, 5, 10, 15)
45
- quarter_round(block, 1, 6, 11, 12)
46
- quarter_round(block, 2, 7, 8, 13)
47
- quarter_round(block, 3, 4, 9, 14)
48
-
49
-
50
- def words_from_bytes(b):
51
- assert len(b) % 4 == 0
52
- return [int.from_bytes(b[4 * i : 4 * i + 4], "little") for i in range(len(b) // 4)]
53
-
54
-
55
- def bytes_from_words(w):
56
- return b"".join(word.to_bytes(4, "little") for word in w)
57
-
58
-
59
- def chacha20_block(key, nonce, blocknum):
60
- # This implementation doesn't support 16-byte keys.
61
- assert len(key) == 32
62
- assert len(nonce) == 12
63
- assert blocknum < 2**32
64
- constant_words = words_from_bytes(b"expand 32-byte k")
65
- key_words = words_from_bytes(key)
66
- nonce_words = words_from_bytes(nonce)
67
- # fmt: off
68
- original_block = [
69
- constant_words[0], constant_words[1], constant_words[2], constant_words[3],
70
- key_words[0], key_words[1], key_words[2], key_words[3],
71
- key_words[4], key_words[5], key_words[6], key_words[7],
72
- mask32(blocknum), nonce_words[0], nonce_words[1], nonce_words[2],
73
- ]
74
- # fmt: on
75
- permuted_block = list(original_block)
76
- chacha20_permute(permuted_block)
77
- for i in range(len(permuted_block)):
78
- permuted_block[i] = add32(permuted_block[i], original_block[i])
79
- return bytes_from_words(permuted_block)
80
-
81
-
82
- def chacha20_stream(key, nonce, length, blocknum):
83
- output = bytearray()
84
- while length > 0:
85
- block = chacha20_block(key, nonce, blocknum)
86
- take = min(length, len(block))
87
- output.extend(block[:take])
88
- length -= take
89
- blocknum += 1
90
- return output
91
-
92
-
93
- def decrypt_config(data):
94
- decrypted_config = b"\x21\x52\x48\x59"
95
- data_len = len(data)
96
- v3 = 0
97
- while True:
98
- v8 = 4
99
- while v8:
100
- if data_len <= (v3 + 4):
101
- return decrypted_config
102
- a = data[v3]
103
- b = data[v3 + 4]
104
- c = a ^ b
105
- decrypted_config += bytes([c])
106
- v8 -= 1
107
- v3 += 1
108
-
109
-
110
- def chacha20_xor(custom_b64_decoded, key, nonce):
111
- message_len = len(custom_b64_decoded)
112
- key_stream = chacha20_stream(key, nonce, message_len, 0x80)
113
-
114
- xor_key = bytearray()
115
- for i in range(message_len):
116
- xor_key.append(custom_b64_decoded[i] ^ key_stream[i])
117
-
118
- return xor_key
119
-
120
-
121
- def extract_strings(data, minchars, maxchars):
122
- apat = b"([\x20-\x7e]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
123
- strings = [string.decode() for string in re.findall(apat, data)]
124
- match = re.search(apat, data)
125
- if not match:
126
- return None
127
- upat = b"((?:[\x20-\x7e][\x00]){" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00\x00"
128
- strings.extend(str(ws.decode("utf-16le")) for ws in re.findall(upat, data))
129
- return strings
130
-
131
-
132
- def extract_c2_url(data):
133
- pattern = b"(http[\x20-\x7e]+)\x00"
134
- match = re.search(pattern, data)
135
- return match.group(1).decode()
136
-
137
-
138
- def is_potential_custom_base64(string):
139
- custom_alphabet = "ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
140
- for c in string:
141
- if c not in custom_alphabet:
142
- return False
143
- return True
144
-
145
-
146
- def custom_b64decode(data):
147
- """Decodes base64 data using a custom alphabet."""
148
- standard_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
149
- custom_alphabet = b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
150
- # Translate the data back to the standard alphabet before decoding
151
- table = bytes.maketrans(custom_alphabet, standard_alphabet)
152
- return base64.b64decode(data.translate(table), validate=True)
153
-
154
-
155
- def extract_config(data):
156
- config_dict = {}
157
- magic = struct.unpack("I", data[:4])[0]
158
- if magic == 0x59485221:
159
- config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
160
- return config_dict
161
- else:
162
- key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
163
- nonce = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
164
-
165
- extracted_strings = extract_strings(data, 0x100, 0x100)
166
- for string in extracted_strings:
167
- try:
168
- if not is_potential_custom_base64(string):
169
- continue
170
-
171
- custom_b64_decoded = custom_b64decode(string)
172
- xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
173
- decrypted_config = decrypt_config(xor_key)
174
- reexecution_delay = int.from_bytes(decrypted_config[5:7], byteorder="little")
175
-
176
- c2_url = extract_c2_url(decrypted_config)
177
- if not c2_url:
178
- continue
179
- config_dict = {"raw": {"Reexecution_delay": reexecution_delay}, "CNCs": [c2_url]}
180
- return config_dict
181
- except Exception:
182
- continue
183
-
184
-
185
- if __name__ == "__main__":
186
- import sys
187
-
188
- with open(sys.argv[1], "rb") as f:
189
- config_json = json.dumps(extract_config(f.read()), indent=4)
190
- print(config_json)
{cape_parsers-0.1.52 → cape_parsers-0.1.53}/LICENSE RENAMED
File without changes
{cape_parsers-0.1.52 → cape_parsers-0.1.53}/README.md RENAMED
File without changes