CAPE-parsers 0.1.52__tar.gz → 0.1.54__tar.gz

{cape_parsers-0.1.52 → cape_parsers-0.1.54}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.52
+Version: 0.1.54
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.52 → cape_parsers-0.1.54}/cape_parsers/CAPE/community/Lumma.py

@@ -5,7 +5,7 @@ import struct
 from contextlib import suppress
 import pefile
 import yara
-
+from Cryptodome.Cipher import ChaCha20
 
 RULE_SOURCE_BUILD_ID = """rule LummaBuildId
 {
@@ -142,7 +142,7 @@ def contains_non_printable(byte_array):
             return True
     return False
 
-
+"""
 def mask32(x):
     return x & 0xFFFFFFFF
 
@@ -242,7 +242,7 @@ def chacha20_xor(message, key, nonce, counter):
         xor_key.append(message[i] ^ key_stream[i])
 
     return xor_key
-
+"""
 
 def extract_c2_domain(data):
     pattern = rb"([\w-]+\.[\w]+)\x00"
@@ -315,7 +315,9 @@ def extract_config(data):
             counter = 2
             for i in range(12):
                 encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
-                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
+                chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
+                chacha20_cipher.seek(counter)
+                decoded_c2 = chacha20_cipher.decrypt(encrypted_string).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
                 config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
@@ -348,7 +350,10 @@ def extract_config(data):
                     c2_encrypted = data[c2_dword_offset : c2_dword_offset + 0x80]
                     counters = [0, 2, 4, 6, 8, 10, 12, 14, 16]
                     for counter in counters:
-                        decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        # decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
+                        chacha20_cipher.seek(counter)
+                        decrypted = chacha20_cipher.decrypt(c2_encrypted).split(b"\x00", 1)[0]
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
                             config["CNCs"].append("https://" + c2.decode())

cape_parsers-0.1.54/cape_parsers/CAPE/core/NitroBunnyDownloader.py

@@ -0,0 +1,151 @@
+# Copyright (C) 2024 enzok
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+import struct
+
+import pefile
+import yara
+
+log = logging.getLogger(__name__)
+
+DESCRIPTION = "NitroBunnyDownloader configuration parser."
+AUTHOR = "enzok"
+
+yara_rule = """
+rule NitroBunnyDownloader
+{
+    meta:
+        author = "enzok"
+        description = "NitroBunnyDownloader Payload"
+        cape_type = "NitroBunnyDownloader Payload"
+        hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
+    strings:
+        $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $string1 = "X-Amz-User-Agent:" wide
+        $string2 = "Amz-Security-Flag:" wide
+        $string3 = "/cart" wide
+        $string4 = "Cookie: " wide
+        $string5 = "wishlist" wide
+    condition:
+        uint16(0) == 0x5A4D and $config and 2 of ($string*)
+}
+"""
+
+yara_rules = yara.compile(source=yara_rule)
+
+
+def yara_scan(raw_data):
+    try:
+        return yara_rules.match(data=raw_data)
+    except Exception as e:
+        print(e)
+        return None
+
+
+def read_dword(data, off):
+    if off + 4 > len(data):
+        raise ValueError(f"EOF reading dword at {off}")
+    val = struct.unpack_from("<I", data, off)[0]
+    return val, off + 4
+
+
+def read_qword(data, off):
+    """Read a 64-bit unsigned little-endian value."""
+    if off + 8 > len(data):
+        raise ValueError(f"EOF reading qword at {off}")
+    val = struct.unpack_from("<Q", data, off)[0]
+    return val, off + 8
+
+
+def read_utf16le_string(data, off, length):
+    if off + length > len(data):
+        raise ValueError(f"EOF reading string at {off} len={length}")
+    raw = data[off:off + length]
+    s = raw.decode("utf-16le", errors="replace").rstrip("\x00")
+    return s, off + length
+
+
+def read_string_list(data, off, count):
+    items = []
+    for i in range(count):
+        length_words, off = read_qword(data, off)
+        s, off = read_utf16le_string(data, off, length_words)
+        items.append(s)
+    return items, off
+
+
+def extract_config(filebuf):
+    yara_hit = yara_scan(filebuf)
+    if not yara_hit:
+        return None
+
+    cfg = {}
+    config_code_offset = None
+    for hit in yara_hit:
+        if hit.rule != "NitroBunnyDownloader":
+            continue
+
+        for item in hit.strings:
+            for instance in item.instances:
+                if "$config" in item.identifier:
+                    config_code_offset = instance.offset
+                    break
+
+    if config_code_offset is None:
+        return None
+
+    try:
+        pe = pefile.PE(data=filebuf, fast_load=True)
+        config_length = pe.get_dword_from_offset(config_code_offset + 7)
+        config_offset = pe.get_dword_from_offset(config_code_offset + 14)
+        rva = pe.get_rva_from_offset(config_code_offset + 18)
+        config_rva = rva + config_offset
+        data = pe.get_data(config_rva, config_length)
+        off = 0
+        raw = cfg["raw"] = {}
+        port, off = read_dword(data, off)
+        num, off = read_dword(data, off)
+        cncs, off = read_string_list(data, off, num)
+        num, off = read_qword(data, off)
+        raw["user_agent"], off = read_utf16le_string(data, off, num)
+        num, off = read_dword(data, off)
+        raw["http_header_items"], off = read_string_list(data, off, num)
+        num, off = read_dword(data, off)
+        raw["uri_list"], off = read_string_list(data, off, num)
+        raw["unknown_1"], off = read_dword(data, off)
+        raw["unknown_2"], off = read_dword(data, off)
+
+        if cncs:
+            cfg["CNCs"] = []
+            schema = {80: "http", 443: "https"}.get(port, "tcp")
+            for cnc in cncs:
+                cnc = f"{schema}://{cnc}"
+                if port not in (80, 443):
+                    cnc += f":{port}"
+
+                cfg["CNCs"].append(cnc)
+
+    except Exception as e:
+        log.error("Error: %s", e)
+        return None
+
+    return cfg
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

cape_parsers-0.1.54/cape_parsers/CAPE/core/Rhadamanthys.py

@@ -0,0 +1,319 @@
+import struct
+import base64
+import re
+import json
+
+
+DESCRIPTION = "Rhadamanthys parser"
+AUTHOR = "kevoreilly, YungBinary"
+
+
+def mask32(x):
+    return x & 0xFFFFFFFF
+
+
+def add32(x, y):
+    return mask32(x + y)
+
+
+def left_rotate(x, n):
+    return mask32(x << n) | (x >> (32 - n))
+
+
+def quarter_round(block, a, b, c, d):
+    block[a] = add32(block[a], block[b])
+    block[d] ^= block[a]
+    block[d] = left_rotate(block[d], 16)
+    block[c] = add32(block[c], block[d])
+    block[b] ^= block[c]
+    block[b] = left_rotate(block[b], 12)
+    block[a] = add32(block[a], block[b])
+    block[d] ^= block[a]
+    block[d] = left_rotate(block[d], 8)
+    block[c] = add32(block[c], block[d])
+    block[b] ^= block[c]
+    block[b] = left_rotate(block[b], 7)
+
+
+def chacha20_permute(block):
+    for doubleround in range(10):
+        quarter_round(block, 0, 4, 8, 12)
+        quarter_round(block, 1, 5, 9, 13)
+        quarter_round(block, 2, 6, 10, 14)
+        quarter_round(block, 3, 7, 11, 15)
+        quarter_round(block, 0, 5, 10, 15)
+        quarter_round(block, 1, 6, 11, 12)
+        quarter_round(block, 2, 7, 8, 13)
+        quarter_round(block, 3, 4, 9, 14)
+
+
+def words_from_bytes(b):
+    assert len(b) % 4 == 0
+    return [int.from_bytes(b[4 * i : 4 * i + 4], "little") for i in range(len(b) // 4)]
+
+
+def bytes_from_words(w):
+    return b"".join(word.to_bytes(4, "little") for word in w)
+
+
+def chacha20_block(key, nonce, blocknum):
+    # This implementation doesn't support 16-byte keys.
+    assert len(key) == 32
+    assert len(nonce) == 12
+    assert blocknum < 2**32
+    constant_words = words_from_bytes(b"expand 32-byte k")
+    key_words = words_from_bytes(key)
+    nonce_words = words_from_bytes(nonce)
+    # fmt: off
+    original_block = [
+        constant_words[0],  constant_words[1],  constant_words[2],  constant_words[3],
+        key_words[0],       key_words[1],       key_words[2],       key_words[3],
+        key_words[4],       key_words[5],       key_words[6],       key_words[7],
+        mask32(blocknum),   nonce_words[0],     nonce_words[1],     nonce_words[2],
+    ]
+    # fmt: on
+    permuted_block = list(original_block)
+    chacha20_permute(permuted_block)
+    for i in range(len(permuted_block)):
+        permuted_block[i] = add32(permuted_block[i], original_block[i])
+    return bytes_from_words(permuted_block)
+
+
+def chacha20_stream(key, nonce, length, blocknum):
+    output = bytearray()
+    while length > 0:
+        block = chacha20_block(key, nonce, blocknum)
+        take = min(length, len(block))
+        output.extend(block[:take])
+        length -= take
+        blocknum += 1
+    return output
+
+
+def decrypt_config(data):
+    decrypted_config = b""
+    data_len = len(data)
+    v3 = 0
+    while True:
+        v8 = 4
+        while v8:
+            if data_len <= (v3 + 4):
+                return decrypted_config
+            a = data[v3]
+            b = data[v3 + 4]
+            c = a ^ b
+            decrypted_config += bytes([c])
+            v8 -= 1
+            v3 += 1
+
+
+def chacha20_xor(custom_b64_decoded, key, nonce):
+    message_len = len(custom_b64_decoded)
+    key_stream = chacha20_stream(key, nonce, message_len, 0x80)
+
+    xor_key = bytearray()
+    for i in range(message_len):
+        xor_key.append(custom_b64_decoded[i] ^ key_stream[i])
+
+    return xor_key
+
+
+def extract_base64_strings(data, minchars, maxchars):
+    apat = b"([A-Za-z0-9-|]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
+    strings = [s.decode() for s in re.findall(apat, data)]
+    upat = b"((?:[A-Za-z0-9-|]\x00){" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00\x00"
+    strings.extend(ws.decode("utf-16le") for ws in re.findall(upat, data))
+    return strings
+
+
+def extract_c2_url(data):
+    pattern = b"(http[\x20-\x7e]+)\x00"
+    match = re.search(pattern, data)
+    if match:
+        return match.group(1).decode()
+
+
+def custom_b64decode(data: bytes, custom_alphabet: bytes):
+    """Decodes base64 data using a custom alphabet."""
+    standard_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
+    # Translate the data back to the standard alphabet before decoding
+    table = bytes.maketrans(custom_alphabet, standard_alphabet)
+    return base64.b64decode(data.translate(table), validate=True)
+
+
+def lzo_noheader_decompress(data: bytes, decompressed_size: int):
+    src = 0
+    dst = bytearray()
+    length = len(data)
+
+    while src < length:
+        ctrl = data[src]
+        src += 1
+
+        # Special short match
+        # Copies exactly 3 bytes from dst starting match_len + 1 bytes back.
+        if ctrl == 0x20:
+            match_len = data[src]
+            src += 1
+            start = len(dst) - match_len - 1
+            end = start + 3
+            #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(match_len)}, Current offset: {hex(len(dst))}, New offset: {hex(start)}")
+            dst.extend(dst[start:end])
+
+        elif ctrl >= 0xE0 or ctrl == 0x40:
+            # Compute base copy length from the upper bits of ctrl
+            base_len = ((ctrl >> 5) - 1) + 3
+
+            if ctrl >= 0xE0:
+                # Long copy: extra length byte follows
+                copy_len = base_len + data[src]
+                # Offset is byte after
+                start = data[src + 1]
+                src += 2
+            elif ctrl == 0x40:
+                # Short copy: offset byte after control code
+                copy_len = base_len
+                start = data[src]
+                src += 1
+
+            # Calculate offset in output buffer
+            offset = len(dst) - start - 1
+
+            #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(start)}, Current offset: {hex(len(dst))}, New offset: {hex(len(dst) - start)}, Length to copy: {hex(copy_len)}")
+
+            # Copy from previously decompressed data
+            dst.extend(dst[offset:offset + copy_len])
+
+        else:
+            # Literal run
+            literal_len = (ctrl & 0x1F) + 1
+            #print(f"Control code: {hex(ctrl)}, Literal length: {hex(literal_len)}")
+            dst.extend(data[src:src+literal_len])
+            src += literal_len
+
+        if len(dst) == decompressed_size:
+            return bytes(dst)
+
+
+def parse_compression_header(config: bytes):
+    """Parse compressed size, decompressed size, and data offset from config"""
+
+    # 0x2A when looking at the config in memory
+    base_offset = 0x26
+
+    # Compressed data offset field, for calculating the offset to the compressed buffer
+    comp_offset_field = config[base_offset]
+    # Number of bytes the field spans
+    comp_offset_size_len = (comp_offset_field & 3) + 1
+    for i in range(1, comp_offset_size_len):
+        comp_offset_field |= config[base_offset + i] << (8 * i)
+
+    comp_size_offset = comp_offset_field >> 2
+
+    # Compressed size field, for finding the size of the compressed buffer
+    comp_offset = base_offset + comp_offset_size_len
+    comp_size_field = config[comp_offset]
+    # Number of bytes the field spans
+    comp_size_len = (comp_size_field & 3) + 1
+    for i in range(1, comp_size_len):
+        comp_size_field |= config[comp_offset + i] << (8 * i)
+
+    # Decompressed size field
+    decomp_field_offset = base_offset + comp_offset_size_len + comp_size_len
+    decomp_size_field = config[decomp_field_offset]
+    # Number of bytes the field spans
+    decomp_field_len = (decomp_size_field & 3) + 1
+    for i in range(1, decomp_field_len):
+        decomp_size_field |= config[decomp_field_offset + i] << (8 * i)
+
+    # Calculate return values
+    decompressed_size = decomp_size_field >> 2
+    compressed_data_offset = decomp_field_offset + decomp_field_len + comp_size_offset
+    compressed_size_key = config[0x28] << 8
+    compressed_size = (compressed_size_key | comp_size_field) >> 2
+    compressed_data = config[compressed_data_offset : compressed_data_offset + compressed_size]
+
+    return {
+        "compressed_size": compressed_size,
+        "decompressed_size": decompressed_size,
+        "compressed_data": compressed_data
+    }
+
+
+def extract_config(data):
+    config_dict = {}
+    magic = struct.unpack("I", data[:4])[0]
+    if magic == 0x59485221:
+        config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
+        return config_dict
+    else:
+        key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
+        nonce = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
+
+        custom_alphabets = [
+            b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|",
+            b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a", # 0.9.2
+            b"3Fijkbc|l4NOPQRSTUVWXY567DdewxEqrstuvyz-ABC1fghop2mnGHIJKLMZ089a", # 0.9.3
+        ]
+
+        # Extract base64 strings
+        extracted_strings = extract_base64_strings(data, 100, 256)
+        if not extracted_strings:
+            return config_dict
+
+        pattern = re.compile(b'.\x80')
+        for string in extracted_strings:
+            try:
+                custom_b64_decoded = custom_b64decode(string, custom_alphabets[0])
+
+                xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
+
+                # Decrypted, but may still be the compressed malware configuration
+                config = decrypt_config(xor_key)
+                # Attempt to extract C2 url, only works in version prior to 0.9.2
+                c2_url = extract_c2_url(config)
+                if c2_url:
+                    config_dict = {"CNCs": [c2_url]}
+                    return config_dict
+                else:
+                    # Handle new variants that compress the Command and Control server(s)
+                    custom_b64_decoded = custom_b64decode(string, custom_alphabets[2])
+                    xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
+                    config = decrypt_config(xor_key)
+
+                    parsed = parse_compression_header(config)
+                    if not parsed:
+                        return config_dict
+
+                    decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
+
+                    # Try old alphabet for 0.9.2
+                    if not decompressed:
+                        custom_b64_decoded = custom_b64decode(string, custom_alphabets[1])
+                        xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
+                        config = decrypt_config(xor_key)
+
+                        parsed = parse_compression_header(config)
+                        if not parsed:
+                            return config_dict
+
+                        decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
+
+
+                    cncs = [f"https://{chunk.decode()}" for chunk in pattern.split(decompressed) if chunk]
+                    if cncs:
+                        config_dict = {"CNCs": cncs}
+                        return config_dict
+
+            except Exception:
+                continue
+
+        return config_dict
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        config_json = json.dumps(extract_config(f.read()), indent=4)
+        print(config_json)

{cape_parsers-0.1.52 → cape_parsers-0.1.54}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.52"
+version = "0.1.54"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"

cape_parsers-0.1.52/cape_parsers/CAPE/core/Rhadamanthys.py

@@ -1,190 +0,0 @@
-import struct
-import base64
-import re
-import json
-
-
-DESCRIPTION = "Rhadamanthys parser"
-AUTHOR = "kevoreilly, YungBinary"
-
-
-def mask32(x):
-    return x & 0xFFFFFFFF
-
-
-def add32(x, y):
-    return mask32(x + y)
-
-
-def left_rotate(x, n):
-    return mask32(x << n) | (x >> (32 - n))
-
-
-def quarter_round(block, a, b, c, d):
-    block[a] = add32(block[a], block[b])
-    block[d] ^= block[a]
-    block[d] = left_rotate(block[d], 16)
-    block[c] = add32(block[c], block[d])
-    block[b] ^= block[c]
-    block[b] = left_rotate(block[b], 12)
-    block[a] = add32(block[a], block[b])
-    block[d] ^= block[a]
-    block[d] = left_rotate(block[d], 8)
-    block[c] = add32(block[c], block[d])
-    block[b] ^= block[c]
-    block[b] = left_rotate(block[b], 7)
-
-
-def chacha20_permute(block):
-    for doubleround in range(10):
-        quarter_round(block, 0, 4, 8, 12)
-        quarter_round(block, 1, 5, 9, 13)
-        quarter_round(block, 2, 6, 10, 14)
-        quarter_round(block, 3, 7, 11, 15)
-        quarter_round(block, 0, 5, 10, 15)
-        quarter_round(block, 1, 6, 11, 12)
-        quarter_round(block, 2, 7, 8, 13)
-        quarter_round(block, 3, 4, 9, 14)
-
-
-def words_from_bytes(b):
-    assert len(b) % 4 == 0
-    return [int.from_bytes(b[4 * i : 4 * i + 4], "little") for i in range(len(b) // 4)]
-
-
-def bytes_from_words(w):
-    return b"".join(word.to_bytes(4, "little") for word in w)
-
-
-def chacha20_block(key, nonce, blocknum):
-    # This implementation doesn't support 16-byte keys.
-    assert len(key) == 32
-    assert len(nonce) == 12
-    assert blocknum < 2**32
-    constant_words = words_from_bytes(b"expand 32-byte k")
-    key_words = words_from_bytes(key)
-    nonce_words = words_from_bytes(nonce)
-    # fmt: off
-    original_block = [
-        constant_words[0],  constant_words[1],  constant_words[2],  constant_words[3],
-        key_words[0],       key_words[1],       key_words[2],       key_words[3],
-        key_words[4],       key_words[5],       key_words[6],       key_words[7],
-        mask32(blocknum),   nonce_words[0],     nonce_words[1],     nonce_words[2],
-    ]
-    # fmt: on
-    permuted_block = list(original_block)
-    chacha20_permute(permuted_block)
-    for i in range(len(permuted_block)):
-        permuted_block[i] = add32(permuted_block[i], original_block[i])
-    return bytes_from_words(permuted_block)
-
-
-def chacha20_stream(key, nonce, length, blocknum):
-    output = bytearray()
-    while length > 0:
-        block = chacha20_block(key, nonce, blocknum)
-        take = min(length, len(block))
-        output.extend(block[:take])
-        length -= take
-        blocknum += 1
-    return output
-
-
-def decrypt_config(data):
-    decrypted_config = b"\x21\x52\x48\x59"
-    data_len = len(data)
-    v3 = 0
-    while True:
-        v8 = 4
-        while v8:
-            if data_len <= (v3 + 4):
-                return decrypted_config
-            a = data[v3]
-            b = data[v3 + 4]
-            c = a ^ b
-            decrypted_config += bytes([c])
-            v8 -= 1
-            v3 += 1
-
-
-def chacha20_xor(custom_b64_decoded, key, nonce):
-    message_len = len(custom_b64_decoded)
-    key_stream = chacha20_stream(key, nonce, message_len, 0x80)
-
-    xor_key = bytearray()
-    for i in range(message_len):
-        xor_key.append(custom_b64_decoded[i] ^ key_stream[i])
-
-    return xor_key
-
-
-def extract_strings(data, minchars, maxchars):
-    apat = b"([\x20-\x7e]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
-    strings = [string.decode() for string in re.findall(apat, data)]
-    match = re.search(apat, data)
-    if not match:
-        return None
-    upat = b"((?:[\x20-\x7e][\x00]){" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00\x00"
-    strings.extend(str(ws.decode("utf-16le")) for ws in re.findall(upat, data))
-    return strings
-
-
-def extract_c2_url(data):
-    pattern = b"(http[\x20-\x7e]+)\x00"
-    match = re.search(pattern, data)
-    return match.group(1).decode()
-
-
-def is_potential_custom_base64(string):
-    custom_alphabet = "ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
-    for c in string:
-        if c not in custom_alphabet:
-            return False
-    return True
-
-
-def custom_b64decode(data):
-    """Decodes base64 data using a custom alphabet."""
-    standard_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
-    custom_alphabet = b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|"
-    # Translate the data back to the standard alphabet before decoding
-    table = bytes.maketrans(custom_alphabet, standard_alphabet)
-    return base64.b64decode(data.translate(table), validate=True)
-
-
-def extract_config(data):
-    config_dict = {}
-    magic = struct.unpack("I", data[:4])[0]
-    if magic == 0x59485221:
-        config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
-        return config_dict
-    else:
-        key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
-        nonce = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
-
-        extracted_strings = extract_strings(data, 0x100, 0x100)
-        for string in extracted_strings:
-            try:
-                if not is_potential_custom_base64(string):
-                    continue
-
-                custom_b64_decoded = custom_b64decode(string)
-                xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
-                decrypted_config = decrypt_config(xor_key)
-                reexecution_delay = int.from_bytes(decrypted_config[5:7], byteorder="little")
-
-                c2_url = extract_c2_url(decrypted_config)
-                if not c2_url:
-                    continue
-                config_dict = {"raw": {"Reexecution_delay": reexecution_delay}, "CNCs": [c2_url]}
-                return config_dict
-            except Exception:
-                continue
-
-
-if __name__ == "__main__":
-    import sys
-
-    with open(sys.argv[1], "rb") as f:
-        config_json = json.dumps(extract_config(f.read()), indent=4)
-        print(config_json)