CAPE-parsers 0.1.55__py3-none-any.whl → 0.1.56__py3-none-any.whl

cape_parsers/CAPE/community/Amatera.py

@@ -0,0 +1,186 @@
+import base64
+import json
+import pefile
+import yara
+import struct
+import re
+import ipaddress
+from contextlib import suppress
+
+
+DESCRIPTION = "Amatera Stealer parser"
+AUTHOR = "YungBinary"
+
+RULE_SOURCE = """
+rule AmateraDecrypt
+{
+    meta:
+        author = "YungBinary"
+        description = "Find Amatera XOR key"
+    strings:
+        $decrypt = {
+            A1 ?? ?? ?? ??                  // mov     eax, dword ptr ds:szXorKey ; "852149723"
+            89 45 ??                        // mov     dword ptr [ebp+xor_key], eax
+            8B 0D ?? ?? ?? ??               // mov     ecx, dword ptr ds:szXorKey+4 ; "49723"
+            89 4D ??                        // mov     dword ptr [ebp+xor_key+4], ecx
+            66 8B 15 ?? ?? ?? ??            // mov     dx, word ptr ds:szXorKey+8 ; "3"
+            66 89 55 ??                     // mov     word ptr [ebp+xor_key+8], dx
+            8D 45 ??                        // lea     eax, [ebp+xor_key]
+            50                              // push    eax
+            E8                              // call
+        }
+    condition:
+        uint16(0) == 0x5A4D and $decrypt
+}
+"""
+
+
+RULE_SOURCE_AES_KEY = """
+rule AmateraAESKey
+{
+    meta:
+        author = "YungBinary"
+        description = "Find Amatera AES key"
+    strings:
+        $aes_key_on_stack = {
+            83 EC 2C                        // sub     esp, 2Ch
+            C6 45 D4 ??                     // mov     byte ptr [ebp-2Ch], ??
+            C6 45 D5 ??                     // mov     byte ptr [ebp-2Bh], ??
+            C6 45 D6 ??                     // mov     byte ptr [ebp-2Ah], ??
+            C6 45 D7 ??                     // mov     byte ptr [ebp-29h], ??
+            C6 45 D8 ??                     // mov     byte ptr [ebp-28h], ??
+            C6 45 D9 ??                     // mov     byte ptr [ebp-27h], ??
+            C6 45 DA ??                     // mov     byte ptr [ebp-26h], ??
+            C6 45 DB ??                     // mov     byte ptr [ebp-25h], ??
+            C6 45 DC ??                     // mov     byte ptr [ebp-24h], ??
+            C6 45 DD ??                     // mov     byte ptr [ebp-23h], ??
+            C6 45 DE ??                     // mov     byte ptr [ebp-22h], ??
+            C6 45 DF ??                     // mov     byte ptr [ebp-21h], ??
+            C6 45 E0 ??                     // mov     byte ptr [ebp-20h], ??
+            C6 45 E1 ??                     // mov     byte ptr [ebp-1Fh], ??
+            C6 45 E2 ??                     // mov     byte ptr [ebp-1Eh], ??
+            C6 45 E3 ??                     // mov     byte ptr [ebp-1Dh], ??
+            C6 45 E4 ??                     // mov     byte ptr [ebp-1Ch], ??
+            C6 45 E5 ??                     // mov     byte ptr [ebp-1Bh], ??
+            C6 45 E6 ??                     // mov     byte ptr [ebp-1Ah], ??
+            C6 45 E7 ??                     // mov     byte ptr [ebp-19h], ??
+            C6 45 E8 ??                     // mov     byte ptr [ebp-18h], ??
+            C6 45 E9 ??                     // mov     byte ptr [ebp-17h], ??
+            C6 45 EA ??                     // mov     byte ptr [ebp-16h], ??
+            C6 45 EB ??                     // mov     byte ptr [ebp-15h], ??
+            C6 45 EC ??                     // mov     byte ptr [ebp-14h], ??
+            C6 45 ED ??                     // mov     byte ptr [ebp-13h], ??
+            C6 45 EE ??                     // mov     byte ptr [ebp-12h], ??
+            C6 45 EF ??                     // mov     byte ptr [ebp-11h], ??
+            C6 45 F0 ??                     // mov     byte ptr [ebp-10h], ??
+            C6 45 F1 ??                     // mov     byte ptr [ebp-0Fh], ??
+            C6 45 F2 ??                     // mov     byte ptr [ebp-0Eh], ??
+            C6 45 F3 ??                     // mov     byte ptr [ebp-0Dh], ??
+            C7 45 F4 10 00 00 00            // mov     dword ptr [ebp-0Ch], 10h
+        }
+    condition:
+        uint16(0) == 0x5A4D and $aes_key_on_stack
+}
+"""
+
+DOMAIN_REGEX = r'^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
+
+
+def yara_scan(raw_data: bytes, rule_source: str):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                return instance.offset
+
+
+def extract_base64_strings(data: bytes, minchars: int, maxchars: int):
+    """
+    Generator that returns ASCII formatted base64 strings
+    """
+    apat = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
+    for s in re.findall(apat, data):
+        yield s.decode()
+
+
+def xor_data(data, key):
+    decoded = bytearray()
+    for i in range(len(data)):
+        decoded.append(key[i % len(key)] ^ data[i])
+    return decoded
+
+
+def is_public_ip(ip):
+    try:
+        # This will raise a ValueError if the IP format is incorrect
+        ip_obj = ipaddress.ip_address(ip.decode())
+        if ip_obj.is_private:
+            return False
+        return True
+    except Exception:
+        return False
+
+
+def is_valid_domain(data):
+    try:
+        if re.fullmatch(DOMAIN_REGEX, data.decode()):
+            return True
+        return False
+    except Exception:
+        return False
+
+
+def extract_config(data):
+    """
+    Extract Amatera malware configuration.
+    """
+    config_dict = {}
+
+    with suppress(Exception):
+        pe = pefile.PE(data=data)
+        image_base = pe.OPTIONAL_HEADER.ImageBase
+
+        # Identify XOR key decryption routine and extract key
+        offset = yara_scan(data, RULE_SOURCE)
+        if not offset:
+            return config_dict
+        key_str_va = struct.unpack('i', data[offset + 1: offset + 5])[0]
+        key_str = pe.get_string_at_rva(key_str_va - image_base, max_length=20) + b'\x00'
+
+        # Extract AES 256 key
+        aes_key_offset = yara_scan(data, RULE_SOURCE_AES_KEY)
+        aes_key = bytearray()
+        if aes_key_offset:
+            aes_block = data[aes_key_offset : aes_key_offset + 131]
+            for i in range(0, len(aes_block) - 4, 4):
+                aes_key.append(aes_block[i+6])
+
+        # Handle each base64 string -> decode -> decrypt with XOR key
+        for b64_str in extract_base64_strings(data, 8, 20):
+            try:
+                decoded = base64.b64decode(b64_str, validate=True)
+                decrypted = xor_data(decoded, key_str)
+                if not is_public_ip(decrypted) and not is_valid_domain(decrypted):
+                    continue
+
+                config_dict["CNCs"] = [f"https://{decrypted.decode()}"]
+
+                if aes_key:
+                    config_dict["cryptokey"] = aes_key.hex()
+                    config_dict["cryptokey_type"] = "AES"
+
+                return config_dict
+            except Exception:
+                continue
+
+    return config_dict
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        config_json = json.dumps(extract_config(f.read()), indent=4)
+        print(config_json)

cape_parsers/CAPE/community/KoiLoader.py

@@ -119,7 +119,7 @@ def extract_config(data):
         encoded_payload = remove_nulls(encoded_payload, encoded_payload_size)
         decoded_payload = xor_data(encoded_payload, xor_key)
         cncs = find_c2(decoded_payload)
-        if cncs and list(filter(cncs, None)):
+        if cncs:
             config["CNCs"] = cncs
 
     return config

cape_parsers/CAPE/core/NitroBunnyDownloader.py

@@ -33,7 +33,7 @@ rule NitroBunnyDownloader
         hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
     strings:
         $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
-        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}        
+        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}
         $string1 = "X-Amz-User-Agent:" wide
         $string2 = "Amz-Security-Flag:" wide
         $string3 = "/cart" wide

{cape_parsers-0.1.55.dist-info → cape_parsers-0.1.56.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.55
+Version: 0.1.56
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.55.dist-info → cape_parsers-0.1.56.dist-info}/RECORD

@@ -1,6 +1,7 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/CAPE/community/AgentTesla.py,sha256=ln5MqFXkTb7WrlDrUHNTnMWBYRHDSqyK4VHeq0ZldtA,4047
 cape_parsers/CAPE/community/Amadey.py,sha256=IUyt909q9IDQPPip6UW9uD16rJMD_gvkwvNZ8NHTW-k,5577
+cape_parsers/CAPE/community/Amatera.py,sha256=8s94SW58r04bs2KuIdJJ5-dm4WfoOrwINEqdSuFJKHk,7096
 cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
 cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=LRu2QFBYkGhRGDJBw3GlcKub4E0_TBWmjdR2PnobDZM,2643
@@ -9,7 +10,7 @@ cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=U4Q0ObCrPRpiO5B5fBmkgr6
 cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=HLxROBjz453uHNq1bPz0VSAhtyWDfz79ZacTPdjuWmY,7535
 cape_parsers/CAPE/community/DCRat.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ5F0C1Iac,1875
-cape_parsers/CAPE/community/KoiLoader.py,sha256=cWV3TcVz5Qg7kkmMYYtuh5cXhAKohGAk6d6aXuId0lc,4077
+cape_parsers/CAPE/community/KoiLoader.py,sha256=tCl22pzNnuzC9dvlh13oa_KEBlMwchrEhy5KjipfyiM,4048
 cape_parsers/CAPE/community/LokiBot.py,sha256=355kqLx0LNMr8XcGfPL7cxG8QZalcmE7ttVBqoWtTWE,5754
 cape_parsers/CAPE/community/Lumma.py,sha256=Iqd9yvt3g0FeV_bYRmL1RKp4C1H92qeGg4fXivVDSxw,12206
 cape_parsers/CAPE/community/MonsterV2.py,sha256=cFxhYxo7FruTMmFY3OtBO-E0hDyxfsC3zWX3BlcB-qI,2915
@@ -44,7 +45,7 @@ cape_parsers/CAPE/core/GuLoader.py,sha256=wH6t1e7rO60Bwe0ulqFdZq12-M087zT5WQtC_W
 cape_parsers/CAPE/core/IcedID.py,sha256=TEsvFq8qHz_D5kIURKWSC4lbvWaQbMriDZ3jQsVu2VA,4029
 cape_parsers/CAPE/core/IcedIDLoader.py,sha256=YUOEILpTycO01KK4qqAxGSplsRVs2EzjscUw4T-DGWs,1602
 cape_parsers/CAPE/core/Latrodectus.py,sha256=1K9yUUYtzRJ2c3unrYIUaA8nE--Zoqi5pjXY7t7t1qg,7751
-cape_parsers/CAPE/core/NitroBunnyDownloader.py,sha256=nxySGP7t5yv7-YL31-IiMxzkKCYKrDQgzWfMXadha2g,5265
+cape_parsers/CAPE/core/NitroBunnyDownloader.py,sha256=EbQbfwGQXiOv2_cOK1-lcwbpKYo9t2cqHBv0FAw3keI,5257
 cape_parsers/CAPE/core/Oyster.py,sha256=QStBScevJuLyd5d4Rw093SxTlbRG1LFkDwYgmjZx-EQ,4881
 cape_parsers/CAPE/core/PikaBot.py,sha256=6Q8goXfMsSoU8UkdE9iuZY2KTxX_AmWhH1szke_HfWA,5280
 cape_parsers/CAPE/core/PlugX.py,sha256=lGwr1T3mttG6CTbZCj_Cf5HnOad60A3LP264jlCsGsc,13192
@@ -111,7 +112,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.55.dist-info/METADATA,sha256=eQvSMB-kC-_Hrdc78Sv-uxnNrVywaTqlLf_cjIG-gy8,1826
-cape_parsers-0.1.55.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cape_parsers-0.1.55.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.55.dist-info/RECORD,,
+cape_parsers-0.1.56.dist-info/METADATA,sha256=ZF16inhJ6lLHbtRig0HNpioM6cBkYIeCILPFpcxfQbA,1826
+cape_parsers-0.1.56.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cape_parsers-0.1.56.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.56.dist-info/RECORD,,