CAPE-parsers 0.1.53__tar.gz → 0.1.54__tar.gz

{cape_parsers-0.1.53 → cape_parsers-0.1.54}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.53
+Version: 0.1.54
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.53 → cape_parsers-0.1.54}/cape_parsers/CAPE/community/Lumma.py

@@ -5,7 +5,7 @@ import struct
 from contextlib import suppress
 import pefile
 import yara
-
+from Cryptodome.Cipher import ChaCha20
 
 RULE_SOURCE_BUILD_ID = """rule LummaBuildId
 {
@@ -142,7 +142,7 @@ def contains_non_printable(byte_array):
             return True
     return False
 
-
+"""
 def mask32(x):
     return x & 0xFFFFFFFF
 
@@ -242,7 +242,7 @@ def chacha20_xor(message, key, nonce, counter):
         xor_key.append(message[i] ^ key_stream[i])
 
     return xor_key
-
+"""
 
 def extract_c2_domain(data):
     pattern = rb"([\w-]+\.[\w]+)\x00"
@@ -315,7 +315,9 @@ def extract_config(data):
             counter = 2
             for i in range(12):
                 encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
-                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
+                chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
+                chacha20_cipher.seek(counter)
+                decoded_c2 = chacha20_cipher.decrypt(encrypted_string).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
                 config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
@@ -348,7 +350,10 @@ def extract_config(data):
                     c2_encrypted = data[c2_dword_offset : c2_dword_offset + 0x80]
                     counters = [0, 2, 4, 6, 8, 10, 12, 14, 16]
                     for counter in counters:
-                        decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        # decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
+                        chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
+                        chacha20_cipher.seek(counter)
+                        decrypted = chacha20_cipher.decrypt(c2_encrypted).split(b"\x00", 1)[0]
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
                             config["CNCs"].append("https://" + c2.decode())

cape_parsers-0.1.54/cape_parsers/CAPE/core/NitroBunnyDownloader.py

@@ -0,0 +1,151 @@
+# Copyright (C) 2024 enzok
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+import struct
+
+import pefile
+import yara
+
+log = logging.getLogger(__name__)
+
+DESCRIPTION = "NitroBunnyDownloader configuration parser."
+AUTHOR = "enzok"
+
+yara_rule = """
+rule NitroBunnyDownloader
+{
+    meta:
+        author = "enzok"
+        description = "NitroBunnyDownloader Payload"
+        cape_type = "NitroBunnyDownloader Payload"
+        hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
+    strings:
+        $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $string1 = "X-Amz-User-Agent:" wide
+        $string2 = "Amz-Security-Flag:" wide
+        $string3 = "/cart" wide
+        $string4 = "Cookie: " wide
+        $string5 = "wishlist" wide
+    condition:
+        uint16(0) == 0x5A4D and $config and 2 of ($string*)
+}
+"""
+
+yara_rules = yara.compile(source=yara_rule)
+
+
+def yara_scan(raw_data):
+    try:
+        return yara_rules.match(data=raw_data)
+    except Exception as e:
+        print(e)
+        return None
+
+
+def read_dword(data, off):
+    if off + 4 > len(data):
+        raise ValueError(f"EOF reading dword at {off}")
+    val = struct.unpack_from("<I", data, off)[0]
+    return val, off + 4
+
+
+def read_qword(data, off):
+    """Read a 64-bit unsigned little-endian value."""
+    if off + 8 > len(data):
+        raise ValueError(f"EOF reading qword at {off}")
+    val = struct.unpack_from("<Q", data, off)[0]
+    return val, off + 8
+
+
+def read_utf16le_string(data, off, length):
+    if off + length > len(data):
+        raise ValueError(f"EOF reading string at {off} len={length}")
+    raw = data[off:off + length]
+    s = raw.decode("utf-16le", errors="replace").rstrip("\x00")
+    return s, off + length
+
+
+def read_string_list(data, off, count):
+    items = []
+    for i in range(count):
+        length_words, off = read_qword(data, off)
+        s, off = read_utf16le_string(data, off, length_words)
+        items.append(s)
+    return items, off
+
+
+def extract_config(filebuf):
+    yara_hit = yara_scan(filebuf)
+    if not yara_hit:
+        return None
+
+    cfg = {}
+    config_code_offset = None
+    for hit in yara_hit:
+        if hit.rule != "NitroBunnyDownloader":
+            continue
+
+        for item in hit.strings:
+            for instance in item.instances:
+                if "$config" in item.identifier:
+                    config_code_offset = instance.offset
+                    break
+
+    if config_code_offset is None:
+        return None
+
+    try:
+        pe = pefile.PE(data=filebuf, fast_load=True)
+        config_length = pe.get_dword_from_offset(config_code_offset + 7)
+        config_offset = pe.get_dword_from_offset(config_code_offset + 14)
+        rva = pe.get_rva_from_offset(config_code_offset + 18)
+        config_rva = rva + config_offset
+        data = pe.get_data(config_rva, config_length)
+        off = 0
+        raw = cfg["raw"] = {}
+        port, off = read_dword(data, off)
+        num, off = read_dword(data, off)
+        cncs, off = read_string_list(data, off, num)
+        num, off = read_qword(data, off)
+        raw["user_agent"], off = read_utf16le_string(data, off, num)
+        num, off = read_dword(data, off)
+        raw["http_header_items"], off = read_string_list(data, off, num)
+        num, off = read_dword(data, off)
+        raw["uri_list"], off = read_string_list(data, off, num)
+        raw["unknown_1"], off = read_dword(data, off)
+        raw["unknown_2"], off = read_dword(data, off)
+
+        if cncs:
+            cfg["CNCs"] = []
+            schema = {80: "http", 443: "https"}.get(port, "tcp")
+            for cnc in cncs:
+                cnc = f"{schema}://{cnc}"
+                if port not in (80, 443):
+                    cnc += f":{port}"
+
+                cfg["CNCs"].append(cnc)
+
+    except Exception as e:
+        log.error("Error: %s", e)
+        return None
+
+    return cfg
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        print(extract_config(f.read()))

{cape_parsers-0.1.53 → cape_parsers-0.1.54}/cape_parsers/CAPE/core/Rhadamanthys.py

@@ -150,6 +150,8 @@ def lzo_noheader_decompress(data: bytes, decompressed_size: int):
         ctrl = data[src]
         src += 1
 
+        # Special short match
+        # Copies exactly 3 bytes from dst starting match_len + 1 bytes back.
         if ctrl == 0x20:
             match_len = data[src]
             src += 1
@@ -159,21 +161,28 @@ def lzo_noheader_decompress(data: bytes, decompressed_size: int):
             dst.extend(dst[start:end])
 
         elif ctrl >= 0xE0 or ctrl == 0x40:
-            x = ((ctrl >> 5) - 1) + 3
-            if ctrl >= 0xE0:
-                copy_len = data[src] + x
-            elif ctrl == 0x40:
-                copy_len = x
-            start = data[src + 1]
-            if ctrl == 0x40:
-                start = data[src]
+            # Compute base copy length from the upper bits of ctrl
+            base_len = ((ctrl >> 5) - 1) + 3
+
             if ctrl >= 0xE0:
+                # Long copy: extra length byte follows
+                copy_len = base_len + data[src]
+                # Offset is byte after
+                start = data[src + 1]
                 src += 2
             elif ctrl == 0x40:
+                # Short copy: offset byte after control code
+                copy_len = base_len
+                start = data[src]
                 src += 1
+
+            # Calculate offset in output buffer
             offset = len(dst) - start - 1
+
             #print(f"Control code: {hex(ctrl)}, Offset backtrack length: {hex(start)}, Current offset: {hex(len(dst))}, New offset: {hex(len(dst) - start)}, Length to copy: {hex(copy_len)}")
-            dst.extend(dst[offset:offset+copy_len])
+
+            # Copy from previously decompressed data
+            dst.extend(dst[offset:offset + copy_len])
 
         else:
             # Literal run
@@ -243,11 +252,12 @@ def extract_config(data):
 
         custom_alphabets = [
             b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|",
-            b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a"
+            b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a", # 0.9.2
+            b"3Fijkbc|l4NOPQRSTUVWXY567DdewxEqrstuvyz-ABC1fghop2mnGHIJKLMZ089a", # 0.9.3
         ]
 
         # Extract base64 strings
-        extracted_strings = extract_base64_strings(data, 140, 256)
+        extracted_strings = extract_base64_strings(data, 100, 256)
         if not extracted_strings:
             return config_dict
 
@@ -267,7 +277,7 @@ def extract_config(data):
                     return config_dict
                 else:
                     # Handle new variants that compress the Command and Control server(s)
-                    custom_b64_decoded = custom_b64decode(string, custom_alphabets[1])
+                    custom_b64_decoded = custom_b64decode(string, custom_alphabets[2])
                     xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
                     config = decrypt_config(xor_key)
 
@@ -277,6 +287,19 @@ def extract_config(data):
 
                     decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
 
+                    # Try old alphabet for 0.9.2
+                    if not decompressed:
+                        custom_b64_decoded = custom_b64decode(string, custom_alphabets[1])
+                        xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
+                        config = decrypt_config(xor_key)
+
+                        parsed = parse_compression_header(config)
+                        if not parsed:
+                            return config_dict
+
+                        decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
+
+
                     cncs = [f"https://{chunk.decode()}" for chunk in pattern.split(decompressed) if chunk]
                     if cncs:
                         config_dict = {"CNCs": cncs}

{cape_parsers-0.1.53 → cape_parsers-0.1.54}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.53"
+version = "0.1.54"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"