CAPE-parsers 0.1.55__py3-none-any.whl → 0.1.57__py3-none-any.whl

cape_parsers/CAPE/community/AgentTesla.py

@@ -83,7 +83,13 @@ def extract_config(data: bytes):
                             config["CNCs"] = lines[base + index + x]
                             break
     if config or config_dict:
-        return config.setdefault("raw", config_dict)
+        config.setdefault("raw", config_dict)
+
+        # If the data exfiltration is done through SMTP, then patch the extracted CNCs to include SMTP credentials
+        if config_dict.get("Protocol") == "SMTP":
+            config['CNCs'] = [f"smtp://{config_dict.get('Username')}:{config_dict.get('Password')}@{domain}:{config_dict.get('Port','587')}" for domain in config_dict.get('CNCs', [])]
+
+        return config
 
 if __name__ == "__main__":
     import sys

cape_parsers/CAPE/community/Amatera.py

@@ -0,0 +1,186 @@
+import base64
+import json
+import pefile
+import yara
+import struct
+import re
+import ipaddress
+from contextlib import suppress
+
+
+DESCRIPTION = "Amatera Stealer parser"
+AUTHOR = "YungBinary"
+
+RULE_SOURCE = """
+rule AmateraDecrypt
+{
+    meta:
+        author = "YungBinary"
+        description = "Find Amatera XOR key"
+    strings:
+        $decrypt = {
+            A1 ?? ?? ?? ??                  // mov     eax, dword ptr ds:szXorKey ; "852149723"
+            89 45 ??                        // mov     dword ptr [ebp+xor_key], eax
+            8B 0D ?? ?? ?? ??               // mov     ecx, dword ptr ds:szXorKey+4 ; "49723"
+            89 4D ??                        // mov     dword ptr [ebp+xor_key+4], ecx
+            66 8B 15 ?? ?? ?? ??            // mov     dx, word ptr ds:szXorKey+8 ; "3"
+            66 89 55 ??                     // mov     word ptr [ebp+xor_key+8], dx
+            8D 45 ??                        // lea     eax, [ebp+xor_key]
+            50                              // push    eax
+            E8                              // call
+        }
+    condition:
+        uint16(0) == 0x5A4D and $decrypt
+}
+"""
+
+
+RULE_SOURCE_AES_KEY = """
+rule AmateraAESKey
+{
+    meta:
+        author = "YungBinary"
+        description = "Find Amatera AES key"
+    strings:
+        $aes_key_on_stack = {
+            83 EC 2C                        // sub     esp, 2Ch
+            C6 45 D4 ??                     // mov     byte ptr [ebp-2Ch], ??
+            C6 45 D5 ??                     // mov     byte ptr [ebp-2Bh], ??
+            C6 45 D6 ??                     // mov     byte ptr [ebp-2Ah], ??
+            C6 45 D7 ??                     // mov     byte ptr [ebp-29h], ??
+            C6 45 D8 ??                     // mov     byte ptr [ebp-28h], ??
+            C6 45 D9 ??                     // mov     byte ptr [ebp-27h], ??
+            C6 45 DA ??                     // mov     byte ptr [ebp-26h], ??
+            C6 45 DB ??                     // mov     byte ptr [ebp-25h], ??
+            C6 45 DC ??                     // mov     byte ptr [ebp-24h], ??
+            C6 45 DD ??                     // mov     byte ptr [ebp-23h], ??
+            C6 45 DE ??                     // mov     byte ptr [ebp-22h], ??
+            C6 45 DF ??                     // mov     byte ptr [ebp-21h], ??
+            C6 45 E0 ??                     // mov     byte ptr [ebp-20h], ??
+            C6 45 E1 ??                     // mov     byte ptr [ebp-1Fh], ??
+            C6 45 E2 ??                     // mov     byte ptr [ebp-1Eh], ??
+            C6 45 E3 ??                     // mov     byte ptr [ebp-1Dh], ??
+            C6 45 E4 ??                     // mov     byte ptr [ebp-1Ch], ??
+            C6 45 E5 ??                     // mov     byte ptr [ebp-1Bh], ??
+            C6 45 E6 ??                     // mov     byte ptr [ebp-1Ah], ??
+            C6 45 E7 ??                     // mov     byte ptr [ebp-19h], ??
+            C6 45 E8 ??                     // mov     byte ptr [ebp-18h], ??
+            C6 45 E9 ??                     // mov     byte ptr [ebp-17h], ??
+            C6 45 EA ??                     // mov     byte ptr [ebp-16h], ??
+            C6 45 EB ??                     // mov     byte ptr [ebp-15h], ??
+            C6 45 EC ??                     // mov     byte ptr [ebp-14h], ??
+            C6 45 ED ??                     // mov     byte ptr [ebp-13h], ??
+            C6 45 EE ??                     // mov     byte ptr [ebp-12h], ??
+            C6 45 EF ??                     // mov     byte ptr [ebp-11h], ??
+            C6 45 F0 ??                     // mov     byte ptr [ebp-10h], ??
+            C6 45 F1 ??                     // mov     byte ptr [ebp-0Fh], ??
+            C6 45 F2 ??                     // mov     byte ptr [ebp-0Eh], ??
+            C6 45 F3 ??                     // mov     byte ptr [ebp-0Dh], ??
+            C7 45 F4 10 00 00 00            // mov     dword ptr [ebp-0Ch], 10h
+        }
+    condition:
+        uint16(0) == 0x5A4D and $aes_key_on_stack
+}
+"""
+
+DOMAIN_REGEX = r'^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
+
+
+def yara_scan(raw_data: bytes, rule_source: str):
+    yara_rules = yara.compile(source=rule_source)
+    matches = yara_rules.match(data=raw_data)
+
+    for match in matches:
+        for block in match.strings:
+            for instance in block.instances:
+                return instance.offset
+
+
+def extract_base64_strings(data: bytes, minchars: int, maxchars: int):
+    """
+    Generator that returns ASCII formatted base64 strings
+    """
+    apat = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
+    for s in re.findall(apat, data):
+        yield s.decode()
+
+
+def xor_data(data, key):
+    decoded = bytearray()
+    for i in range(len(data)):
+        decoded.append(key[i % len(key)] ^ data[i])
+    return decoded
+
+
+def is_public_ip(ip):
+    try:
+        # This will raise a ValueError if the IP format is incorrect
+        ip_obj = ipaddress.ip_address(ip.decode())
+        if ip_obj.is_private:
+            return False
+        return True
+    except Exception:
+        return False
+
+
+def is_valid_domain(data):
+    try:
+        if re.fullmatch(DOMAIN_REGEX, data.decode()):
+            return True
+        return False
+    except Exception:
+        return False
+
+
+def extract_config(data):
+    """
+    Extract Amatera malware configuration.
+    """
+    config_dict = {}
+
+    with suppress(Exception):
+        pe = pefile.PE(data=data)
+        image_base = pe.OPTIONAL_HEADER.ImageBase
+
+        # Identify XOR key decryption routine and extract key
+        offset = yara_scan(data, RULE_SOURCE)
+        if not offset:
+            return config_dict
+        key_str_va = struct.unpack('i', data[offset + 1: offset + 5])[0]
+        key_str = pe.get_string_at_rva(key_str_va - image_base, max_length=20) + b'\x00'
+
+        # Extract AES 256 key
+        aes_key_offset = yara_scan(data, RULE_SOURCE_AES_KEY)
+        aes_key = bytearray()
+        if aes_key_offset:
+            aes_block = data[aes_key_offset : aes_key_offset + 131]
+            for i in range(0, len(aes_block) - 4, 4):
+                aes_key.append(aes_block[i+6])
+
+        # Handle each base64 string -> decode -> decrypt with XOR key
+        for b64_str in extract_base64_strings(data, 8, 20):
+            try:
+                decoded = base64.b64decode(b64_str, validate=True)
+                decrypted = xor_data(decoded, key_str)
+                if not is_public_ip(decrypted) and not is_valid_domain(decrypted):
+                    continue
+
+                config_dict["CNCs"] = [f"https://{decrypted.decode()}"]
+
+                if aes_key:
+                    config_dict["cryptokey"] = aes_key.hex()
+                    config_dict["cryptokey_type"] = "AES"
+
+                return config_dict
+            except Exception:
+                continue
+
+    return config_dict
+
+
+if __name__ == "__main__":
+    import sys
+
+    with open(sys.argv[1], "rb") as f:
+        config_json = json.dumps(extract_config(f.read()), indent=4)
+        print(config_json)

cape_parsers/CAPE/community/Carbanak.py

@@ -18,7 +18,6 @@ import re
 from contextlib import suppress
 
 import pefile
-
 import yara
 
 log = logging.getLogger(__name__)
@@ -169,7 +168,13 @@ def extract_config(filebuf):
         c2_dec = decode_string(items[10], sbox).decode("utf8")
         if "|" in c2_dec:
             c2_dec = c2_dec.split("|")
-        cfg["CNCs"] = c2_dec
+        for c2 in c2_dec:
+            # Assign the proper scheme based on the port
+            if c2.endswith(':443'):
+                c2 = f"https://{c2}"
+            else:
+                c2 = f"http://{c2}"
+            cfg.setdefault("CNCs", []).append(c2)
         if float(cfg["version"]) < 1.7:
             cfg["campaign"] = decode_string(items[276], sbox).decode("utf8")
         else:

cape_parsers/CAPE/community/Fareit.py

@@ -55,11 +55,11 @@ def extract_config(memdump_path, read=False):
                 if gate_url.match(url):
                     config.setdefault("CNCs", []).append(url.decode())
                 elif exe_url.match(url) or dll_url.match(url):
-                    artifacts_raw["downloads"].append(url.decode())
+                    artifacts_raw.setdefault("downloads", []).append(url.decode())
         except Exception as e:
             print(e, sys.exc_info(), "PONY")
-    config["CNCs"] = list(set(config["controllers"]))
-    config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
+    if "downloads" in artifacts_raw:
+        config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
     return config
 
 

cape_parsers/CAPE/community/KoiLoader.py

@@ -119,7 +119,7 @@ def extract_config(data):
         encoded_payload = remove_nulls(encoded_payload, encoded_payload_size)
         decoded_payload = xor_data(encoded_payload, xor_key)
         cncs = find_c2(decoded_payload)
-        if cncs and list(filter(cncs, None)):
+        if cncs:
             config["CNCs"] = cncs
 
     return config

cape_parsers/CAPE/community/NanoCore.py

@@ -188,7 +188,17 @@ def extract_config(filebuf):
         cncs.append(config_dict["raw"]["BackupConnectionHost"])
     if config_dict.get("raw", {}).get("ConnectionPort") and cncs:
         port = config_dict["raw"]["ConnectionPort"]
-        config_dict["CNCs"] = [f"{cnc}:{port}" for cnc in cncs]
+        config_dict["CNCs"] = [f"tcp://{cnc}:{port}" for cnc in cncs]
+
+    if "Mutex" in config_dict.get("raw", {}):
+        config_dict["mutex"] = config_dict["raw"]["Mutex"]
+
+    if "Version" in config_dict.get("raw", {}):
+        config_dict["version"] = config_dict["raw"]["Version"]
+
+    if "DefaultGroup" in config_dict.get("raw", {}):
+        config_dict["campaign"] = config_dict["raw"]["DefaultGroup"]
+
     return config_dict
 
 

cape_parsers/CAPE/community/Njrat.py

@@ -176,7 +176,7 @@ def extract_config(data):
     config = get_clean_config(config_dict)
     if config:
         if config.get("domain") and config.get("port"):
-            conf["CNCs"] = [f"{config['domain']}:{config['port']}"]
+            conf["CNCs"] = [f"tcp://{config['domain']}:{config['port']}"]
 
         if config.get("campaign_id"):
             conf["campaign"] = config["campaign_id"]

cape_parsers/CAPE/community/Snake.py

@@ -38,7 +38,7 @@ def handle_plain(dotnet_file, c2_type, user_strings):
     if c2_type == "Telegram":
         token = dotnet_file.net.user_strings.get(user_strings_list[15]).value.__str__()
         chat_id = dotnet_file.net.user_strings.get(user_strings_list[16]).value.__str__()
-        return {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+        return {"raw": {"Type": "Telegram"}, "CNCs": [f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"]}
     elif c2_type == "SMTP":
         smtp_from = dotnet_file.net.user_strings.get(user_strings_list[7]).value.__str__()
         smtp_password = dotnet_file.net.user_strings.get(user_strings_list[8]).value.__str__()
@@ -106,7 +106,7 @@ def handle_encrypted(dotnet_file, data, c2_type, user_strings):
     if decrypted_strings:
         if c2_type == "Telegram":
             token, chat_id = decrypted_strings
-            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": [f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"]}
         elif c2_type == "SMTP":
             smtp_from, smtp_password, smtp_host, smtp_to, smtp_port = decrypted_strings
             config_dict = {

cape_parsers/CAPE/community/SparkRAT.py

@@ -61,7 +61,11 @@ def extract_config(data):
             enc_data = f.read(data_len - 32)
             config = decrypt_config(enc_data, key, iv)
             if config:
-                return {"raw": config}
+                output = {"raw": config}
+                output["CNCs"] = [
+                    f"{'http' if not config['secure'] else 'https'}://{config['host']}:{config['port']}{config['path']}"
+                ]
+                return output
     except Exception as e:
         log.error("Configuration decryption failed: %s", e)
         return {}

cape_parsers/CAPE/community/WinosStager.py

@@ -3,9 +3,8 @@ Description: Winos 4.0 "OnlineModule" config parser
 Author: x.com/YungBinary
 """
 
-from contextlib import suppress
 import re
-
+from contextlib import suppress
 
 CONFIG_KEY_MAP = {
     "dd": "execution_delay_seconds",
@@ -60,7 +59,11 @@ def extract_config(data: bytes) -> dict:
 
             final_config["CNCs"] = list(set(final_config["CNCs"]))
             # Extract campaign ID
-            final_config["campaign_id"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
+            final_config["campaign"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
+
+            # Check if the version has been extracted
+            if "bb" in config_dict:
+                final_config["version"] = config_dict["bb"]
 
             # Map keys, e.g. dd -> execution_delay_seconds
             final_config["raw"] = {v: config_dict[k] for k, v in CONFIG_KEY_MAP.items() if k in config_dict}

cape_parsers/CAPE/core/AdaptixBeacon.py

@@ -59,7 +59,19 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
     config["sleep_delay"] = read("<I")
     config["jitter_delay"] = read("<I")
 
-    return {"raw": config}
+    output = {"raw": config}
+
+    # Map some fields to CAPE's output format, where possible
+    output['cryptokey'] = config['cryptokey']
+    output['cryptokey_type'] = config['cryptokey_type']
+    output['user_agent'] = config['user_agent']
+    output['CNCs'] = [f"{'https' if config['use_ssl'] else 'http'}://{server}:{ports[i]}{config['uri']}"
+                      for i, server in enumerate(servers)]
+
+    # TODO: Does agent_type map to version or build?
+    # output['version'] = output['raw']['agent_type']
+
+    return output
 
 
 def extract_config(filebuf: bytes) -> dict:

cape_parsers/CAPE/core/Blister.py

@@ -15,8 +15,8 @@ from pathlib import Path
 from struct import pack, unpack
 
 import pefile
-
 import yara
+
 from cape_parsers.utils.lznt1 import lznt1
 
 log = logging.getLogger(__name__)
@@ -556,4 +556,7 @@ def extract_config(data):
         }
     }
 
+    config["cryptokey"] = config["raw"]["Rabbit key"]
+    config["cryptokey_type"] = "Rabbit"
+
     return config

cape_parsers/CAPE/core/DarkGate.py

@@ -92,11 +92,14 @@ def decode(data):
 
 
 def extract_config(data):
+    config_extracted = False
     with suppress(pefile.PEFormatError):
         pe = pefile.PE(data=data, fast_load=True)
         for section in pe.sections:
             if b"CODE" in section.Name:
-                return decode(section.get_data())
+                config = decode(section.get_data())
+                config_extracted = True
+                break
 
     if b"1=Yes" in data or b"1=No" in data:
         config = {}
@@ -105,6 +108,32 @@ def extract_config(data):
                 config["CNCs"] = [x for x in item[2:].decode("utf-8").split("|") if x.strip() != ""]
             else:
                 config.update(parse_config(item, config_map_2))
+        config_extracted = True
+
+    if config_extracted:
+        # Map information to CAPE's format, if possible
+        if "c2_port" in config["raw"] and "CNCs" in config:
+            # We're making the assumpton the same port is used for all CNCs
+            config["CNCs"] = [f"{url}:{config['raw']['c2_port']}" for url in config["CNCs"]]
+
+        if "internal_mutex" in config["raw"]:
+            # Bring mutex to top level
+            config["mutex"] = config["raw"]["internal_mutex"]
+
+        if "crypto_key" in config["raw"]:
+            # Bring crypto_key to top level
+            config["cryptokey"] = config["raw"]["crypto_key"]
+
+        if "campaign_id" in config["raw"]:
+            # Bring campaign_id to top level
+            config["campaign"] = config["raw"]["campaign_id"]
+
+        if "xor_key" in config["raw"]:
+            # Bring xor_key to top level
+            config["cryptokey"] = config["raw"]["xor_key"]
+            config["cruptokey_type"] = "XOR"
+
+
         return config
 
     return ""

cape_parsers/CAPE/core/IcedIDLoader.py

@@ -35,7 +35,8 @@ def extract_config(filebuf):
                 if n > 32:
                     break
             campaign, c2 = struct.unpack("I30s", bytes(dec))
-            config["CNCs"] = c2.split(b"\00", 1)[0].decode()
+            c2 = c2.split(b"\00", 1)[0].decode()
+            config["CNCs"] = f"http://{c2}"
             config["campaign"] = campaign
             return config
 

cape_parsers/CAPE/core/Latrodectus.py

@@ -154,6 +154,7 @@ def extract_config(filebuf):
                         minor = int.from_bytes(data[18:19], byteorder="big")
                         release = int.from_bytes(data[26:27], byteorder="big")
                         version = f"{major}.{minor}.{release}"
+
                     if "$key" in item.identifier:
                         key = instance.matched_data[4::5]
             try:
@@ -161,6 +162,7 @@ def extract_config(filebuf):
                 data_sections = [s for s in pe.sections if s.Name.find(b".data") != -1]
                 if not data_sections:
                     return
+
                 data = data_sections[0].get_data()
                 str_vals = []
                 c2 = []

cape_parsers/CAPE/core/NitroBunnyDownloader.py

@@ -14,6 +14,7 @@
 
 import logging
 import struct
+from typing import List
 
 import pefile
 import yara
@@ -32,8 +33,8 @@ rule NitroBunnyDownloader
         cape_type = "NitroBunnyDownloader Payload"
         hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
     strings:
-        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
-        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}        
+        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 4? 89 ?? E8 [3] 00}
+        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 4? 89 ?? E8 [3] 00}
         $string1 = "X-Amz-User-Agent:" wide
         $string2 = "Amz-Security-Flag:" wide
         $string3 = "/cart" wide
@@ -87,6 +88,20 @@ def read_string_list(data, off, count):
     return items, off
 
 
+def make_endpoints(cncs: List[str], port: int, uris: List[str]) -> List[str]:
+    endpoints = []
+    schema = {80: "http", 443: "https"}.get(port, "tcp")
+    for cnc in cncs:
+        base_url = f"{schema}://{cnc}"
+        if port not in (80, 443):
+            base_url += f":{port}"
+
+        for uri in uris:
+            endpoints.append(f"{base_url}/{uri.lstrip('/')}")
+
+    return endpoints
+
+
 def extract_config(filebuf):
     yara_hit = yara_scan(filebuf)
     if not yara_hit:
@@ -98,24 +113,20 @@ def extract_config(filebuf):
     config_offset = None
     rva_offset = None
 
+    CONFIG_OFFSETS = {
+        "$config1": (7, 14, 18),
+        "$config2": (14, 8, 12),
+    }
+
     for hit in yara_hit:
         if hit.rule != "NitroBunnyDownloader":
             continue
 
         for item in hit.strings:
-            for instance in item.instances:
-                if item.identifier == "$config1":
-                    config_code_offset = instance.offset
-                    config_size_offset = 7
-                    config_offset= 14
-                    rva_offset = 18
-                    break
-                elif item.identifier == "$config2":
-                    config_code_offset = instance.offset
-                    config_size_offset = 14
-                    config_offset= 8
-                    rva_offset = 12
-                    break
+            if item.identifier in CONFIG_OFFSETS and item.instances:
+                config_code_offset = item.instances[0].offset
+                config_size_offset, config_offset, rva_offset = CONFIG_OFFSETS[item.identifier]
+                break
 
             if config_code_offset:
                 break
@@ -126,33 +137,26 @@ def extract_config(filebuf):
     try:
         pe = pefile.PE(data=filebuf, fast_load=True)
         config_length = pe.get_dword_from_offset(config_code_offset + config_size_offset)
-        config = pe.get_dword_from_offset(config_code_offset + config_offset)
+        config_data_offset = pe.get_dword_from_offset(config_code_offset + config_offset)
         rva = pe.get_rva_from_offset(config_code_offset + rva_offset)
-        config_rva = rva + config
+        config_rva = rva + config_data_offset
         data = pe.get_data(config_rva, config_length)
         off = 0
-        raw = cfg["raw"] = {}
+        cfg["CNCs"] = []
         port, off = read_dword(data, off)
         num, off = read_dword(data, off)
         cncs, off = read_string_list(data, off, num)
         num, off = read_qword(data, off)
-        raw["user_agent"], off = read_utf16le_string(data, off, num)
+        cfg["user_agent"], off = read_utf16le_string(data, off, num)
         num, off = read_dword(data, off)
+        raw = cfg["raw"] = {}
         raw["http_header_items"], off = read_string_list(data, off, num)
         num, off = read_dword(data, off)
-        raw["uri_list"], off = read_string_list(data, off, num)
+        uris, off = read_string_list(data, off, num)
         raw["unknown_1"], off = read_dword(data, off)
         raw["unknown_2"], off = read_dword(data, off)
-
         if cncs:
-            cfg["CNCs"] = []
-            schema = {80: "http", 443: "https"}.get(port, "tcp")
-            for cnc in cncs:
-                cnc = f"{schema}://{cnc}"
-                if port not in (80, 443):
-                    cnc += f":{port}"
-
-                cfg["CNCs"].append(cnc)
+            cfg["CNCs"] = make_endpoints(cncs, port, uris)
 
     except Exception as e:
         log.error("Error: %s", e)

cape_parsers/CAPE/core/Oyster.py

@@ -12,21 +12,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-
+import ipaddress
 import logging
 import re
 import struct
 from contextlib import suppress
+from typing import List
 
-import yara
 import pefile
+import yara
 
 log = logging.getLogger(__name__)
 
 DESCRIPTION = "Oyster configuration parser."
 AUTHOR = "enzok"
-yara_rules = yara.compile(
-    source="""rule Oyster
+yara_rules = yara.compile(source="""rule Oyster
 {
     meta:
         author = "enzok"
@@ -45,8 +45,9 @@ yara_rules = yara.compile(
     condition:
         4 of them
 }
-"""
-)
+""")
+
+MIN_CHARS = 6
 
 
 def transform(src, lookup_table):
@@ -63,37 +64,137 @@ def transform(src, lookup_table):
             result = lookup_table[n]
             src[pVal] = result
             pVal -= 1
+
     return src
 
 
 def yara_scan(raw_data):
     try:
         return yara_rules.match(data=raw_data)
-    except Exception as e:
-        print(e)
+    except yara.Error as e:
+        log.error("Yara scan failed: %s", e)
+        return []
+
+
+def extract_utf16le(data, min_chars=MIN_CHARS):
+    results = []
+    n = len(data)
+    i = 0
+    while i < n - 1:
+        if 32 <= data[i] <= 126 and data[i + 1] == 0x00:
+            start = i
+            chars = []
+            while i < n - 1 and 32 <= data[i] <= 126 and data[i + 1] == 0x00:
+                chars.append(chr(data[i]))
+                i += 2
+
+            if len(chars) >= min_chars:
+                results.append((start, ''.join(chars)))
+        else:
+            i += 1
+
+    return results
+
+
+def is_uri(s: str) -> bool:
+    return s.lower().lstrip().startswith(("api/", "/api"))
+
+
+def is_c2(s: str) -> bool:
+    DOMAIN_RE = re.compile(r'^[a-zA-Z0-9.-]+\.(?:com|net)$', re.IGNORECASE)
+    IP_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
+
+    s = s.strip()
+    if DOMAIN_RE.match(s):
+        return True
+
+    if IP_RE.match(s):
+        try:
+            ip = ipaddress.IPv4Address(s)
+            if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
+                return False
+
+            return True
+        except ipaddress.AddressValueError:
+            return False
+
+    return False
+
+
+def is_useragent(s: str) -> bool:
+    return "mozilla" in s.lower()
+
+
+def is_mutex(s: str) -> bool:
+    if s.count('-') < 2:
+        return False
+
+    parts = [p.strip() for p in s.split('-') if p.strip()]
+    if len(parts) < 3:
+        return False
+
+    has_digit = any(any(ch.isdigit() for ch in part) for part in parts)
+    long_enough = all(len(part) > 1 for part in parts)
+    return has_digit and long_enough
+
+
+def extract_types(data: bytes):
+    uris = []
+    c2s = []
+    user_agent = None
+    mutexes = []
+
+    for off, s in extract_utf16le(data):
+        s_str = s.strip()
+        if is_uri(s_str) and s_str not in uris:
+            uris.append(s_str)
+
+        if is_c2(s_str) and s_str not in c2s:
+            c2s.append(s_str)
+
+        if user_agent is None and is_useragent(s_str):
+            user_agent = s_str
+
+        if is_mutex(s_str) and s_str not in mutexes:
+            mutexes.append(s_str)
+
+    return uris, c2s, user_agent, mutexes
+
+
+def make_endpoints(c2s: List[str], uris: List[str]) -> List[str]:
+    endpoints = []
+    for c2 in c2s:
+        for uri in uris:
+            endpoints.append(f"https://{c2}/{uri.lstrip('/')}")
+
+    return endpoints
 
 
 def extract_config(filebuf):
-    yara_hit = yara_scan(filebuf)
+    yara_hits = yara_scan(filebuf)
     config = {}
 
-    for hit in yara_hit:
+    for hit in yara_hits:
         if hit.rule == "Oyster":
             start_offset = ""
             lookup_va = ""
+
             for item in hit.strings:
                 if "$start_exit" == item.identifier:
                     start_offset = item.instances[0].offset
+
                 if "$decode" == item.identifier:
                     decode_offset = item.instances[0].offset
-                    lookup_va = filebuf[decode_offset + 12 : decode_offset + 16]
+                    lookup_va = filebuf[decode_offset + 12: decode_offset + 16]
+
             if not (start_offset and lookup_va):
-                return
+                continue
+
             try:
                 pe = pefile.PE(data=filebuf, fast_load=True)
                 lookup_offset = pe.get_offset_from_rva(struct.unpack("I", lookup_va)[0] - pe.OPTIONAL_HEADER.ImageBase)
-                lookup_table = filebuf[lookup_offset : lookup_offset + 256]
-                data = filebuf[start_offset + 4 : start_offset + 8092]
+                lookup_table = filebuf[lookup_offset: lookup_offset + 256]
+                data = filebuf[start_offset + 4: start_offset + 8092]
                 hex_strings = re.split(rb"\x00+", data)
                 hex_strings = [s for s in hex_strings if s]
                 str_vals = []
@@ -105,8 +206,10 @@ def extract_config(filebuf):
                 for item in hex_strings:
                     with suppress(Exception):
                         decoded = transform(bytearray(item), bytearray(lookup_table)).decode("utf-8")
+
                     if not decoded:
                         continue
+
                     if "http" in decoded:
                         if "\r\n" in decoded:
                             c2.extend(list(filter(None, decoded.split("\r\n"))))
@@ -121,15 +224,19 @@ def extract_config(filebuf):
                         if c2_matches:
                             c2.extend(c2_matches)
 
-                config = {
-                    "CNCs": c2,
-                    'version': dll_version,
-                    "raw": {
-                        "Strings": str_vals,
-                    },
-                }
+                config = {"CNCs": c2, 'version': dll_version, "raw": {"Strings": str_vals, }, }
+                return config
             except Exception as e:
                 log.error("Error: %s", e)
+
+    if not config:
+        urls = []
+        uris, c2s, useragent, mutexes = extract_types(filebuf)
+        if uris and c2s:
+            urls = make_endpoints(c2s, uris)
+
+        config = {"CNCs": urls, "user_agent": useragent, "mutex": mutexes, }
+
     return config
 
 

cape_parsers/CAPE/core/PikaBot.py

@@ -6,7 +6,6 @@ from contextlib import suppress
 from io import BytesIO
 
 import pefile
-
 import yara
 
 rule_source = """
@@ -83,7 +82,7 @@ def get_c2s(data, count):
         c2_size = struct.unpack("I", data.read(4))[0]
         c2 = get_wchar_string(data, c2_size)
         port, val1, val2 = struct.unpack("III", data.read(12))
-        c2_list.append(f"{c2}:{port}")
+        c2_list.append(f"http://{c2}:{port}")
     return c2_list
 
 

cape_parsers/CAPE/core/QakBot.py

@@ -5,22 +5,21 @@
 DESCRIPTION = "Qakbot configuration parser."
 AUTHOR = "threathive, r1n9w0rm"
 
-import sys
 import datetime
 import hashlib
 import ipaddress
 import logging
 import socket
 import struct
+import sys
 from contextlib import suppress
 
 import pefile
+import yara
 from Cryptodome.Cipher import AES, ARC4
 from Cryptodome.Hash import SHA256
 from Cryptodome.Util.Padding import unpad
 
-import yara
-
 try:
     HAVE_BLZPACK = True
     from cape_parsers.utils import blzpack
@@ -494,7 +493,11 @@ def extract_config(filebuf):
         for k, v in config.items():
             end_config.setdefault(k, v)
     if end_config:
-        return {"raw": end_config}
+        output = {"raw": end_config}
+        if "C2s" in end_config:
+            # Prefix with tcp://
+            output["CNCs"] = [f"http://{c2}" for c2 in end_config["C2s"]]
+        return output
 
 
 if __name__ == "__main__":

cape_parsers/CAPE/core/Quickbind.py

@@ -118,10 +118,11 @@ def extract_config(filebuf):
             cfg["campaign"] = campaign
 
         if c2s:
-            cfg["CNCs"] = c2s
+            cfg["CNCs"] = [f"http://{c2}" for c2 in c2s]
 
         if mutexes:
-            cfg["mutex"] = list(set(mutexes))
+            mutexes = list(set(mutexes))
+            cfg["mutex"] = mutexes[0] if len(mutexes) == 1 else mutexes
 
     return cfg
 

{cape_parsers-0.1.55.dist-info → cape_parsers-0.1.57.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.55
+Version: 0.1.57
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.55.dist-info → cape_parsers-0.1.57.dist-info}/RECORD

@@ -1,55 +1,56 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
-cape_parsers/CAPE/community/AgentTesla.py,sha256=ln5MqFXkTb7WrlDrUHNTnMWBYRHDSqyK4VHeq0ZldtA,4047
+cape_parsers/CAPE/community/AgentTesla.py,sha256=NmKIZRAea2aEJOszKyHDyiwljFAGIe4oe6aOXiyIb6Q,4413
 cape_parsers/CAPE/community/Amadey.py,sha256=IUyt909q9IDQPPip6UW9uD16rJMD_gvkwvNZ8NHTW-k,5577
+cape_parsers/CAPE/community/Amatera.py,sha256=8s94SW58r04bs2KuIdJJ5-dm4WfoOrwINEqdSuFJKHk,7096
 cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
 cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=LRu2QFBYkGhRGDJBw3GlcKub4E0_TBWmjdR2PnobDZM,2643
-cape_parsers/CAPE/community/Carbanak.py,sha256=Smi_vTWDfWxYBQa661ZIy0624IYJA22LMHAJEQbstpk,5607
+cape_parsers/CAPE/community/Carbanak.py,sha256=K8wPh-geoeNOT2NPQJb9fJhsuo2dCgC-2A9-fV_3Dkc,5837
 cape_parsers/CAPE/community/CobaltStrikeBeacon.py,sha256=U4Q0ObCrPRpiO5B5fBmkgr63jXdizujNth8v6kUPnEQ,19466
 cape_parsers/CAPE/community/CobaltStrikeStager.py,sha256=HLxROBjz453uHNq1bPz0VSAhtyWDfz79ZacTPdjuWmY,7535
 cape_parsers/CAPE/community/DCRat.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
-cape_parsers/CAPE/community/Fareit.py,sha256=OyKeZdcvyAhjxZgJqkDPJHP4Npv1ArvTHJZ5F0C1Iac,1875
-cape_parsers/CAPE/community/KoiLoader.py,sha256=cWV3TcVz5Qg7kkmMYYtuh5cXhAKohGAk6d6aXuId0lc,4077
+cape_parsers/CAPE/community/Fareit.py,sha256=8LFQSgC12onQ8Fp0VNTWPjhMD07BnGQ6zySrbDeMHQM,1877
+cape_parsers/CAPE/community/KoiLoader.py,sha256=tCl22pzNnuzC9dvlh13oa_KEBlMwchrEhy5KjipfyiM,4048
 cape_parsers/CAPE/community/LokiBot.py,sha256=355kqLx0LNMr8XcGfPL7cxG8QZalcmE7ttVBqoWtTWE,5754
 cape_parsers/CAPE/community/Lumma.py,sha256=Iqd9yvt3g0FeV_bYRmL1RKp4C1H92qeGg4fXivVDSxw,12206
 cape_parsers/CAPE/community/MonsterV2.py,sha256=cFxhYxo7FruTMmFY3OtBO-E0hDyxfsC3zWX3BlcB-qI,2915
 cape_parsers/CAPE/community/MyKings.py,sha256=bcypBMJf6Jeg0yrHZ-J-XjnhHvFbb-lpDF_zwW63gOk,1397
-cape_parsers/CAPE/community/NanoCore.py,sha256=8QZnf1AcY9481kSfsf3SHQShwPLn97peGAf8_xEasQc,6230
+cape_parsers/CAPE/community/NanoCore.py,sha256=bfrzyKG6nvK9psuax2vxHDZvAnGfHKoC0sXe_G7TnYU,6588
 cape_parsers/CAPE/community/Nighthawk.py,sha256=8ss8yvslrwUt53zV6U0xuwGKU3hgYfOt13S5lkOVpNo,12105
-cape_parsers/CAPE/community/Njrat.py,sha256=GiwSENBB43RUqyJ7zT7ZPkPUYqo8Ew4kd5MJUj0jzdc,4702
+cape_parsers/CAPE/community/Njrat.py,sha256=nA9nsbHTg8LlwIHprTjvySKIkKyPgckwYG3y8ymx6IQ,4708
 cape_parsers/CAPE/community/PhemedroneStealer.py,sha256=Z7_PdxC8bmd6P3AqOm7AHVRrbEVuREwMWbyLVHaAhK0,7095
 cape_parsers/CAPE/community/QuasarRAT.py,sha256=dzVInOc-BPVRdArk92oEY4PKq1AEW04NUToL8UV-UGk,146
 cape_parsers/CAPE/community/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
-cape_parsers/CAPE/community/Snake.py,sha256=v_MAPmg86ZdgGOkzc9GVHbi-lu4nLa1_0Lp90qiCg8s,6650
-cape_parsers/CAPE/community/SparkRAT.py,sha256=OVDty_1i9PTGuEumT0BHoDn0bD2UtdhHVNjThah80pg,2140
+cape_parsers/CAPE/community/Snake.py,sha256=_ft5VJup4x7LuNGPCo95M-cNwoyH4t0yffqHLVEmy84,6654
+cape_parsers/CAPE/community/SparkRAT.py,sha256=Ef37A3ZXxBkBYcARQ8h0BxnrEQL7EOP9cneP-u2rV5Y,2350
 cape_parsers/CAPE/community/Stealc.py,sha256=18EkQ-lMMAreKV5vA9xLBmOK5B4JtYcBwVqNfof4K2A,5321
 cape_parsers/CAPE/community/VenomRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
-cape_parsers/CAPE/community/WinosStager.py,sha256=6jkfTJiVdz6oyyqTjh3I4qunYgXbD4qXS_bd-uogwGA,2407
+cape_parsers/CAPE/community/WinosStager.py,sha256=PVOGM1Cj-WSO3Vq-Yti9TS9XlNbrHG6ZhaE4Tm2VuOM,2554
 cape_parsers/CAPE/community/XWorm.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/XenoRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=40wMfrXt-7UG30WsLC5GxUtG6tSUaaP1OT-ntWzPZn0,2956
+cape_parsers/CAPE/core/AdaptixBeacon.py,sha256=j1PN5yYQG9smdzU8lHtIy7wXYZRYPC2doegwNuTb7E4,3462
 cape_parsers/CAPE/core/AuraStealer.py,sha256=RSiclflsvcrcNLHpRokc_qF2cdQKXGBKg8Ti-Q-XmaM,3021
 cape_parsers/CAPE/core/Azorult.py,sha256=YkMIhC6zRTxEkLVMUdr2MMsbV9iAnZ8hUS8be9GZ5N4,2150
 cape_parsers/CAPE/core/BitPaymer.py,sha256=HQwoE0o7HMiXItxE08vBenf2ZWMxZp84-Hf_1eZ8QdE,3050
 cape_parsers/CAPE/core/BlackDropper.py,sha256=sCSu2T5oPvcFHlSAzSsLj_gCv2Tldl0UPguwy0MVg6A,3282
-cape_parsers/CAPE/core/Blister.py,sha256=wprcJMHixv4JHGqBjQeu26BJ6HgXeBMobh10Y-H6-Xg,18173
+cape_parsers/CAPE/core/Blister.py,sha256=3lZamTW4aWcpsv1AGykhdrrhiGoWOY_EhXUeB2QUbvs,18268
 cape_parsers/CAPE/core/BruteRatel.py,sha256=_hFAYLbOsHdekWPOMXRmIYNXTNeNQSs3LZqh7xAVI2U,1147
 cape_parsers/CAPE/core/BumbleBee.py,sha256=8a15OLAoNKs377ehdgx8R6kCAsJeG-_itt8xc_EMQes,10075
-cape_parsers/CAPE/core/DarkGate.py,sha256=ppSRDfw-u2NltzQlrVvRwqxGaprShuv5CrwbNbnSvaw,3477
+cape_parsers/CAPE/core/DarkGate.py,sha256=SH_lCQBCzayUw48uuX_Pn70unW8Dt2P-LqQYOdu1Ca4,4548
 cape_parsers/CAPE/core/DoppelPaymer.py,sha256=LPAQ-7imcAWFciAd7Qb_r6js2PdIsTt9fRdYKoEkFMg,2537
 cape_parsers/CAPE/core/DridexLoader.py,sha256=8NKppvGz7tVXnNTGEgS7R3LGn5vtW4xslQYbo38wQUg,7087
 cape_parsers/CAPE/core/Formbook.py,sha256=rvf0BRuRl_v8K9SJuSSfbVVMWLSTEemIgP3NtPp2vFM,550
 cape_parsers/CAPE/core/GuLoader.py,sha256=wH6t1e7rO60Bwe0ulqFdZq12-M087zT5WQtC_Wn2biU,354
 cape_parsers/CAPE/core/IcedID.py,sha256=TEsvFq8qHz_D5kIURKWSC4lbvWaQbMriDZ3jQsVu2VA,4029
-cape_parsers/CAPE/core/IcedIDLoader.py,sha256=YUOEILpTycO01KK4qqAxGSplsRVs2EzjscUw4T-DGWs,1602
-cape_parsers/CAPE/core/Latrodectus.py,sha256=1K9yUUYtzRJ2c3unrYIUaA8nE--Zoqi5pjXY7t7t1qg,7751
-cape_parsers/CAPE/core/NitroBunnyDownloader.py,sha256=nxySGP7t5yv7-YL31-IiMxzkKCYKrDQgzWfMXadha2g,5265
-cape_parsers/CAPE/core/Oyster.py,sha256=QStBScevJuLyd5d4Rw093SxTlbRG1LFkDwYgmjZx-EQ,4881
-cape_parsers/CAPE/core/PikaBot.py,sha256=6Q8goXfMsSoU8UkdE9iuZY2KTxX_AmWhH1szke_HfWA,5280
+cape_parsers/CAPE/core/IcedIDLoader.py,sha256=RM7DgpAD_EzQZKn9LdmdophJpkjJHassgd9bT7NSClA,1634
+cape_parsers/CAPE/core/Latrodectus.py,sha256=5QQKB93IldxnGv78mlozBgsu9NSHypA-qmJrJ1ufD0c,7753
+cape_parsers/CAPE/core/NitroBunnyDownloader.py,sha256=A1mFjRP_yLPEKfsAttiOOmSiEBHTiSSzcmUZ6duDE3A,5285
+cape_parsers/CAPE/core/Oyster.py,sha256=7h7panvLV1Tt1pAynk32-m-AMeGiPAKqSD4FGTHOY7I,7490
+cape_parsers/CAPE/core/PikaBot.py,sha256=t2_TXC8fK7kVFJP6kmNFw0agRepO3R92T0e4eSxG2AU,5286
 cape_parsers/CAPE/core/PlugX.py,sha256=lGwr1T3mttG6CTbZCj_Cf5HnOad60A3LP264jlCsGsc,13192
-cape_parsers/CAPE/core/QakBot.py,sha256=SmXRuwOiaDLL7uN9RwCiQP62P3ctxGJ6y54zJG9yuyM,18230
-cape_parsers/CAPE/core/Quickbind.py,sha256=5A077RFQQOL8dtr2Q9vmlTKsWk96JkRWuHGseApyTmU,3675
+cape_parsers/CAPE/core/QakBot.py,sha256=iIbe_aE9mlip8esp10FAEjNsiaOfTtXnygu8E3JJQKI,18392
+cape_parsers/CAPE/core/Quickbind.py,sha256=0nyUatmDf79tWhjR3IM2pDFV98cmly9SfpULHdJL6JQ,3769
 cape_parsers/CAPE/core/README.md,sha256=Zd84WEUj9NzKzGnVZV1jx6gMiEOtz01m32B7xEuS91k,17
 cape_parsers/CAPE/core/RedLine.py,sha256=bZeKLvxaS6HDpWY4RDXtSEBt93qTNzZG5iE6FNS0dOY,5734
 cape_parsers/CAPE/core/Remcos.py,sha256=MIpO2FwehBGIhO7hS0TT2hdDsgvxlI5ps4rAwyFwdTY,9483
@@ -111,7 +112,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.55.dist-info/METADATA,sha256=eQvSMB-kC-_Hrdc78Sv-uxnNrVywaTqlLf_cjIG-gy8,1826
-cape_parsers-0.1.55.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cape_parsers-0.1.55.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.55.dist-info/RECORD,,
+cape_parsers-0.1.57.dist-info/METADATA,sha256=tKJbd4dpuBIznH1pffa7cSURQUmWCrhaJRHOa-YFAxs,1826
+cape_parsers-0.1.57.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cape_parsers-0.1.57.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.57.dist-info/RECORD,,