CAPE-parsers 0.1.54__py3-none-any.whl → 0.1.55__py3-none-any.whl

cape_parsers/CAPE/community/KoiLoader.py

@@ -118,8 +118,9 @@ def extract_config(data):
 
         encoded_payload = remove_nulls(encoded_payload, encoded_payload_size)
         decoded_payload = xor_data(encoded_payload, xor_key)
-
-        config["CNCs"] = find_c2(decoded_payload)
+        cncs = find_c2(decoded_payload)
+        if cncs and list(filter(cncs, None)):
+            config["CNCs"] = cncs
 
     return config
 

cape_parsers/CAPE/community/Lumma.py

@@ -5,7 +5,7 @@ import struct
 from contextlib import suppress
 import pefile
 import yara
-from Cryptodome.Cipher import ChaCha20
+
 
 RULE_SOURCE_BUILD_ID = """rule LummaBuildId
 {
@@ -142,7 +142,7 @@ def contains_non_printable(byte_array):
             return True
     return False
 
-"""
+
 def mask32(x):
     return x & 0xFFFFFFFF
 
@@ -242,7 +242,7 @@ def chacha20_xor(message, key, nonce, counter):
         xor_key.append(message[i] ^ key_stream[i])
 
     return xor_key
-"""
+
 
 def extract_c2_domain(data):
     pattern = rb"([\w-]+\.[\w]+)\x00"
@@ -315,9 +315,7 @@ def extract_config(data):
             counter = 2
             for i in range(12):
                 encrypted_string = data[encrypted_strings_offset : encrypted_strings_offset + 40]
-                chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
-                chacha20_cipher.seek(counter)
-                decoded_c2 = chacha20_cipher.decrypt(encrypted_string).split(b"\x00", 1)[0]
+                decoded_c2 = chacha20_xor(encrypted_string, key, nonce, counter).split(b"\x00", 1)[0]
                 if contains_non_printable(decoded_c2):
                     break
                 config.setdefault("CNCs", []).append("https://" + decoded_c2.decode())
@@ -350,10 +348,7 @@ def extract_config(data):
                     c2_encrypted = data[c2_dword_offset : c2_dword_offset + 0x80]
                     counters = [0, 2, 4, 6, 8, 10, 12, 14, 16]
                     for counter in counters:
-                        # decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
-                        chacha20_cipher = ChaCha20.new(key=key, nonce=nonce)
-                        chacha20_cipher.seek(counter)
-                        decrypted = chacha20_cipher.decrypt(c2_encrypted).split(b"\x00", 1)[0]
+                        decrypted = chacha20_xor(c2_encrypted, key, nonce, counter)
                         c2 = extract_c2_domain(decrypted)
                         if c2 is not None and len(c2) > 10:
                             config["CNCs"].append("https://" + c2.decode())

cape_parsers/CAPE/core/NitroBunnyDownloader.py

@@ -32,14 +32,15 @@ rule NitroBunnyDownloader
         cape_type = "NitroBunnyDownloader Payload"
         hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
     strings:
-        $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}        
         $string1 = "X-Amz-User-Agent:" wide
         $string2 = "Amz-Security-Flag:" wide
         $string3 = "/cart" wide
         $string4 = "Cookie: " wide
         $string5 = "wishlist" wide
     condition:
-        uint16(0) == 0x5A4D and $config and 2 of ($string*)
+        uint16(0) == 0x5A4D and 1 of ($config*) and 2 of ($string*)
 }
 """
 
@@ -93,25 +94,41 @@ def extract_config(filebuf):
 
     cfg = {}
     config_code_offset = None
+    config_size_offset = None
+    config_offset = None
+    rva_offset = None
+
     for hit in yara_hit:
         if hit.rule != "NitroBunnyDownloader":
             continue
 
         for item in hit.strings:
             for instance in item.instances:
-                if "$config" in item.identifier:
+                if item.identifier == "$config1":
+                    config_code_offset = instance.offset
+                    config_size_offset = 7
+                    config_offset= 14
+                    rva_offset = 18
+                    break
+                elif item.identifier == "$config2":
                     config_code_offset = instance.offset
+                    config_size_offset = 14
+                    config_offset= 8
+                    rva_offset = 12
                     break
 
+            if config_code_offset:
+                break
+
     if config_code_offset is None:
         return None
 
     try:
         pe = pefile.PE(data=filebuf, fast_load=True)
-        config_length = pe.get_dword_from_offset(config_code_offset + 7)
-        config_offset = pe.get_dword_from_offset(config_code_offset + 14)
-        rva = pe.get_rva_from_offset(config_code_offset + 18)
-        config_rva = rva + config_offset
+        config_length = pe.get_dword_from_offset(config_code_offset + config_size_offset)
+        config = pe.get_dword_from_offset(config_code_offset + config_offset)
+        rva = pe.get_rva_from_offset(config_code_offset + rva_offset)
+        config_rva = rva + config
         data = pe.get_data(config_rva, config_length)
         off = 0
         raw = cfg["raw"] = {}

cape_parsers/CAPE/core/Rhadamanthys.py

@@ -7,6 +7,15 @@ import json
 DESCRIPTION = "Rhadamanthys parser"
 AUTHOR = "kevoreilly, YungBinary"
 
+CUSTOM_ALPHABETS = [
+    b"3Fijkbc|l4NOPQRSTUVWXY567DdewxEqrstuvyz-ABC1fghop2mnGHIJKLMZ089a", # 0.9.3
+    b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a", # 0.9.2
+    b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|", # 0.9.X
+]
+
+CHACHA_KEY = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
+CHACHA_NONCE = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
+
 
 def mask32(x):
     return x & 0xFFFFFFFF
@@ -240,76 +249,71 @@ def parse_compression_header(config: bytes):
     }
 
 
+def handle_encrypted_string(encrypted_string: str) -> list:
+    """
+    Args:
+        encrypted_string: a str representing
+    Returns:
+        Command and Control server list, may be empty
+    """
+
+    for alphabet in CUSTOM_ALPHABETS:
+        try:
+            custom_b64_decoded = custom_b64decode(encrypted_string, alphabet)
+            xor_key = chacha20_xor(custom_b64_decoded, CHACHA_KEY, CHACHA_NONCE)
+            # Decrypted, may still be the compressed malware configuration
+            config = decrypt_config(xor_key)
+
+            # First byte should be 0xFF
+            if config[0] != 0xFF:
+                continue
+
+            # Attempt to extract C2 url, only works in version prior to 0.9.2
+            c2_url = extract_c2_url(config)
+            if c2_url:
+                return [c2_url]
+
+            # Parse header
+            parsed = parse_compression_header(config)
+            if not parsed:
+                continue
+
+            # Decompress LZO-like compression
+            decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
+            pattern = re.compile(b'.' + bytes([decompressed[1]]))
+
+            cncs = [f"https://{chunk.decode()}" for chunk in pattern.split(decompressed) if chunk]
+            return cncs
+        except Exception:
+            continue
+
+    return []
+
+
 def extract_config(data):
+    """
+    Extract Rhadamanthys malware configuration.
+    """
     config_dict = {}
+    # Extract very old variant
     magic = struct.unpack("I", data[:4])[0]
     if magic == 0x59485221:
         config_dict["CNCs"] = [data[24:].split(b"\0", 1)[0].decode()]
         return config_dict
-    else:
-        key = b"\x52\xAB\xDF\x06\xB6\xB1\x3A\xC0\xDA\x2D\x22\xDC\x6C\xD2\xBE\x6C\x20\x17\x69\xE0\x12\xB5\xE6\xEC\x0E\xAB\x4C\x14\x73\x4A\xED\x51"
-        nonce = b"\x5F\x14\xD7\x9C\xFC\xFC\x43\x9E\xC3\x40\x6B\xBA"
-
-        custom_alphabets = [
-            b"ABC1fghijklmnop234NOPQRSTUVWXY567DEFGHIJKLMZ089abcdeqrstuvwxyz-|",
-            b"4NOPQRSTUVWXY567DdeEqrstuvwxyz-ABC1fghop23Fijkbc|lmnGHIJKLMZ089a", # 0.9.2
-            b"3Fijkbc|l4NOPQRSTUVWXY567DdewxEqrstuvyz-ABC1fghop2mnGHIJKLMZ089a", # 0.9.3
-        ]
-
-        # Extract base64 strings
-        extracted_strings = extract_base64_strings(data, 100, 256)
-        if not extracted_strings:
-            return config_dict
-
-        pattern = re.compile(b'.\x80')
-        for string in extracted_strings:
-            try:
-                custom_b64_decoded = custom_b64decode(string, custom_alphabets[0])
-
-                xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
-
-                # Decrypted, but may still be the compressed malware configuration
-                config = decrypt_config(xor_key)
-                # Attempt to extract C2 url, only works in version prior to 0.9.2
-                c2_url = extract_c2_url(config)
-                if c2_url:
-                    config_dict = {"CNCs": [c2_url]}
-                    return config_dict
-                else:
-                    # Handle new variants that compress the Command and Control server(s)
-                    custom_b64_decoded = custom_b64decode(string, custom_alphabets[2])
-                    xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
-                    config = decrypt_config(xor_key)
-
-                    parsed = parse_compression_header(config)
-                    if not parsed:
-                        return config_dict
-
-                    decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
-
-                    # Try old alphabet for 0.9.2
-                    if not decompressed:
-                        custom_b64_decoded = custom_b64decode(string, custom_alphabets[1])
-                        xor_key = chacha20_xor(custom_b64_decoded, key, nonce)
-                        config = decrypt_config(xor_key)
-
-                        parsed = parse_compression_header(config)
-                        if not parsed:
-                            return config_dict
-
-                        decompressed = lzo_noheader_decompress(parsed['compressed_data'], parsed['decompressed_size'])
-
-
-                    cncs = [f"https://{chunk.decode()}" for chunk in pattern.split(decompressed) if chunk]
-                    if cncs:
-                        config_dict = {"CNCs": cncs}
-                        return config_dict
-
-            except Exception:
-                continue
 
+    # New variants, extract base64 strings
+    extracted_strings = extract_base64_strings(data, 100, 256)
+    if not extracted_strings:
         return config_dict
 
+    # Handle each encrypted string
+    for string in extracted_strings:
+        cncs = handle_encrypted_string(string)
+        if cncs:
+            return {"CNCs": cncs}
+
+    return config_dict
+
 
 if __name__ == "__main__":
     import sys

{cape_parsers-0.1.54.dist-info → cape_parsers-0.1.55.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.54
+Version: 0.1.55
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.54.dist-info → cape_parsers-0.1.55.dist-info}/RECORD

@@ -9,9 +9,9 @@ cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=U4Q0ObCrPRpiO5B5fBmkgr6
 cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=HLxROBjz453uHNq1bPz0VSAhtyWDfz79ZacTPdjuWmY,7535
 cape_parsers/CAPE/community/DCRat.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ5F0C1Iac,1875
-cape_parsers/CAPE/community/KoiLoader.py,sha256=F2gsgCvrVuwxY1bg8rlexsjCjikAP5HIGGOqU8zhT8E,4008
+cape_parsers/CAPE/community/KoiLoader.py,sha256=cWV3TcVz5Qg7kkmMYYtuh5cXhAKohGAk6d6aXuId0lc,4077
 cape_parsers/CAPE/community/LokiBot.py,sha256=355kqLx0LNMr8XcGfPL7cxG8QZalcmE7ttVBqoWtTWE,5754
-cape_parsers/CAPE/community/Lumma.py,sha256=0xwX6kOWR3ezrHxN1y1A5RD2-n8XRKx5hj3ynQjgRKU,12583
+cape_parsers/CAPE/community/Lumma.py,sha256=Iqd9yvt3g0FeV_bYRmL1RKp4C1H92qeGg4fXivVDSxw,12206
 cape_parsers/CAPE/community/MonsterV2.py,sha256=cFxhYxo7FruTMmFY3OtBO-E0hDyxfsC3zWX3BlcB-qI,2915
 cape_parsers/CAPE/community/MyKings.py,sha256=bcypBMJf6Jeg0yrHZ-J-XjnhHvFbb-lpDF_zwW63gOk,1397
 cape_parsers/CAPE/community/NanoCore.py,sha256=8QZnf1AcY9481kSfsf3SHQShwPLn97peGAf8_xEasQc,6230
@@ -44,7 +44,7 @@ cape_parsers/CAPE/core/GuLoader.py,sha256=wH6t1e7rO60Bwe0ulqFdZq12-M087zT5WQtC_W
 cape_parsers/CAPE/core/IcedID.py,sha256=TEsvFq8qHz_D5kIURKWSC4lbvWaQbMriDZ3jQsVu2VA,4029
 cape_parsers/CAPE/core/IcedIDLoader.py,sha256=YUOEILpTycO01KK4qqAxGSplsRVs2EzjscUw4T-DGWs,1602
 cape_parsers/CAPE/core/Latrodectus.py,sha256=1K9yUUYtzRJ2c3unrYIUaA8nE--Zoqi5pjXY7t7t1qg,7751
-cape_parsers/CAPE/core/NitroBunnyDownloader.py,sha256=2HD7UOqZ8gtVxwR84OMCB4NSv0VqPAEMONuDSEgtDqk,4627
+cape_parsers/CAPE/core/NitroBunnyDownloader.py,sha256=nxySGP7t5yv7-YL31-IiMxzkKCYKrDQgzWfMXadha2g,5265
 cape_parsers/CAPE/core/Oyster.py,sha256=QStBScevJuLyd5d4Rw093SxTlbRG1LFkDwYgmjZx-EQ,4881
 cape_parsers/CAPE/core/PikaBot.py,sha256=6Q8goXfMsSoU8UkdE9iuZY2KTxX_AmWhH1szke_HfWA,5280
 cape_parsers/CAPE/core/PlugX.py,sha256=lGwr1T3mttG6CTbZCj_Cf5HnOad60A3LP264jlCsGsc,13192
@@ -53,7 +53,7 @@ cape_parsers/CAPE/core/Quickbind.py,sha256=5A077RFQQOL8dtr2Q9vmlTKsWk96JkRWuHGse
 cape_parsers/CAPE/core/README.md,sha256=Zd84WEUj9NzKzGnVZV1jx6gMiEOtz01m32B7xEuS91k,17
 cape_parsers/CAPE/core/RedLine.py,sha256=bZeKLvxaS6HDpWY4RDXtSEBt93qTNzZG5iE6FNS0dOY,5734
 cape_parsers/CAPE/core/Remcos.py,sha256=MIpO2FwehBGIhO7hS0TT2hdDsgvxlI5ps4rAwyFwdTY,9483
-cape_parsers/CAPE/core/Rhadamanthys.py,sha256=kvkNj_Ydv_ewjctBNyBvJk31nRnXLl6pU18Ihq9bTXE,11259
+cape_parsers/CAPE/core/Rhadamanthys.py,sha256=0vj3M1IC4oPISj1R7ELl9JZm1Uha9DTdbNJraJGdbh0,10725
 cape_parsers/CAPE/core/SmokeLoader.py,sha256=ruQ_GDiZvqtGxUTbN2N6fajUYWkIylFTvMXijgZ8L20,3890
 cape_parsers/CAPE/core/Socks5Systemz.py,sha256=jSt6QejL5K99dIB3qdItvUHL28w6N60xuwc8EQHM5Mk,783
 cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=UMha7l60fL64VPHxueFUnCEGaO-CXau5ftEyK-Wv__o,3308
@@ -111,7 +111,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.54.dist-info/METADATA,sha256=LH-LzvpGEEy_jgRIxzLAAvpmyqZAbL6f934-B4aEkGI,1826
-cape_parsers-0.1.54.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cape_parsers-0.1.54.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.54.dist-info/RECORD,,
+cape_parsers-0.1.55.dist-info/METADATA,sha256=eQvSMB-kC-_Hrdc78Sv-uxnNrVywaTqlLf_cjIG-gy8,1826
+cape_parsers-0.1.55.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cape_parsers-0.1.55.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.55.dist-info/RECORD,,