PyPI - CAPE-parsers - Versions diffs - 0.1.56__tar.gz → 0.1.58__tar.gz - Mend

CAPE-parsers 0.1.56tar.gz → 0.1.58tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.56
+Version: 0.1.58
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/AgentTesla.py RENAMED Viewed

@@ -83,7 +83,13 @@ def extract_config(data: bytes):
                             config["CNCs"] = lines[base + index + x]
                             break
     if config or config_dict:
-        return config.setdefault("raw", config_dict)
+        config.setdefault("raw", config_dict)
+        # If the data exfiltration is done through SMTP, then patch the extracted CNCs to include SMTP credentials
+        if config_dict.get("Protocol") == "SMTP":
+            config['CNCs'] = [f"smtp://{config_dict.get('Username')}:{config_dict.get('Password')}@{domain}:{config_dict.get('Port','587')}" for domain in config_dict.get('CNCs', [])]
+        return config
 if __name__ == "__main__":
     import sys

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/Carbanak.py RENAMED Viewed

@@ -18,7 +18,6 @@ import re
 from contextlib import suppress
 import pefile
 import yara
 log = logging.getLogger(__name__)
@@ -169,7 +168,13 @@ def extract_config(filebuf):
         c2_dec = decode_string(items[10], sbox).decode("utf8")
         if "|" in c2_dec:
             c2_dec = c2_dec.split("|")
-        cfg["CNCs"] = c2_dec
+        for c2 in c2_dec:
+            # Assign the proper scheme based on the port
+            if c2.endswith(':443'):
+                c2 = f"https://{c2}"
+            else:
+                c2 = f"http://{c2}"
+            cfg.setdefault("CNCs", []).append(c2)
         if float(cfg["version"]) < 1.7:
             cfg["campaign"] = decode_string(items[276], sbox).decode("utf8")
         else:

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/Fareit.py RENAMED Viewed

@@ -55,11 +55,11 @@ def extract_config(memdump_path, read=False):
                 if gate_url.match(url):
                     config.setdefault("CNCs", []).append(url.decode())
                 elif exe_url.match(url) or dll_url.match(url):
-                    artifacts_raw["downloads"].append(url.decode())
+                    artifacts_raw.setdefault("downloads", []).append(url.decode())
         except Exception as e:
             print(e, sys.exc_info(), "PONY")
-    config["CNCs"] = list(set(config["controllers"]))
-    config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
+    if "downloads" in artifacts_raw:
+        config.setdefault("raw", {})["downloads"] = list(set(artifacts_raw["downloads"]))
     return config

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/NanoCore.py RENAMED Viewed

@@ -188,7 +188,17 @@ def extract_config(filebuf):
         cncs.append(config_dict["raw"]["BackupConnectionHost"])
     if config_dict.get("raw", {}).get("ConnectionPort") and cncs:
         port = config_dict["raw"]["ConnectionPort"]
-        config_dict["CNCs"] = [f"{cnc}:{port}" for cnc in cncs]
+        config_dict["CNCs"] = [f"tcp://{cnc}:{port}" for cnc in cncs]
+    if "Mutex" in config_dict.get("raw", {}):
+        config_dict["mutex"] = config_dict["raw"]["Mutex"]
+    if "Version" in config_dict.get("raw", {}):
+        config_dict["version"] = config_dict["raw"]["Version"]
+    if "DefaultGroup" in config_dict.get("raw", {}):
+        config_dict["campaign"] = config_dict["raw"]["DefaultGroup"]
     return config_dict

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/Njrat.py RENAMED Viewed

@@ -176,7 +176,7 @@ def extract_config(data):
     config = get_clean_config(config_dict)
     if config:
         if config.get("domain") and config.get("port"):
-            conf["CNCs"] = [f"{config['domain']}:{config['port']}"]
+            conf["CNCs"] = [f"tcp://{config['domain']}:{config['port']}"]
         if config.get("campaign_id"):
             conf["campaign"] = config["campaign_id"]

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/Snake.py RENAMED Viewed

@@ -38,7 +38,7 @@ def handle_plain(dotnet_file, c2_type, user_strings):
     if c2_type == "Telegram":
         token = dotnet_file.net.user_strings.get(user_strings_list[15]).value.__str__()
         chat_id = dotnet_file.net.user_strings.get(user_strings_list[16]).value.__str__()
-        return {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+        return {"raw": {"Type": "Telegram"}, "CNCs": [f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"]}
     elif c2_type == "SMTP":
         smtp_from = dotnet_file.net.user_strings.get(user_strings_list[7]).value.__str__()
         smtp_password = dotnet_file.net.user_strings.get(user_strings_list[8]).value.__str__()
@@ -106,7 +106,7 @@ def handle_encrypted(dotnet_file, data, c2_type, user_strings):
     if decrypted_strings:
         if c2_type == "Telegram":
             token, chat_id = decrypted_strings
-            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"}
+            config_dict = {"raw": {"Type": "Telegram"}, "CNCs": [f"https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}"]}
         elif c2_type == "SMTP":
             smtp_from, smtp_password, smtp_host, smtp_to, smtp_port = decrypted_strings
             config_dict = {

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/SparkRAT.py RENAMED Viewed

@@ -61,7 +61,11 @@ def extract_config(data):
             enc_data = f.read(data_len - 32)
             config = decrypt_config(enc_data, key, iv)
             if config:
-                return {"raw": config}
+                output = {"raw": config}
+                output["CNCs"] = [
+                    f"{'http' if not config['secure'] else 'https'}://{config['host']}:{config['port']}{config['path']}"
+                ]
+                return output
     except Exception as e:
         log.error("Configuration decryption failed: %s", e)
         return {}

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/community/WinosStager.py RENAMED Viewed

@@ -3,9 +3,8 @@ Description: Winos 4.0 "OnlineModule" config parser
 Author: x.com/YungBinary
 """
-from contextlib import suppress
 import re
+from contextlib import suppress
 CONFIG_KEY_MAP = {
     "dd": "execution_delay_seconds",
@@ -60,7 +59,11 @@ def extract_config(data: bytes) -> dict:
             final_config["CNCs"] = list(set(final_config["CNCs"]))
             # Extract campaign ID
-            final_config["campaign_id"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
+            final_config["campaign"] = "default" if config_dict["fz"] == "\u9ed8\u8ba4" else config_dict["fz"]
+            # Check if the version has been extracted
+            if "bb" in config_dict:
+                final_config["version"] = config_dict["bb"]
             # Map keys, e.g. dd -> execution_delay_seconds
             final_config["raw"] = {v: config_dict[k] for k, v in CONFIG_KEY_MAP.items() if k in config_dict}

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/AdaptixBeacon.py RENAMED Viewed

@@ -59,7 +59,19 @@ def parse_http_config(rc4_key: bytes, data: bytes) -> dict:
     config["sleep_delay"] = read("<I")
     config["jitter_delay"] = read("<I")
-    return {"raw": config}
+    output = {"raw": config}
+    # Map some fields to CAPE's output format, where possible
+    output['cryptokey'] = config['cryptokey']
+    output['cryptokey_type'] = config['cryptokey_type']
+    output['user_agent'] = config['user_agent']
+    output['CNCs'] = [f"{'https' if config['use_ssl'] else 'http'}://{server}:{ports[i]}{config['uri']}"
+                      for i, server in enumerate(servers)]
+    # TODO: Does agent_type map to version or build?
+    # output['version'] = output['raw']['agent_type']
+    return output
 def extract_config(filebuf: bytes) -> dict:

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/Blister.py RENAMED Viewed

@@ -15,8 +15,8 @@ from pathlib import Path
 from struct import pack, unpack
 import pefile
 import yara
 from cape_parsers.utils.lznt1 import lznt1
 log = logging.getLogger(__name__)
@@ -556,4 +556,7 @@ def extract_config(data):
         }
     }
+    config["cryptokey"] = config["raw"]["Rabbit key"]
+    config["cryptokey_type"] = "Rabbit"
     return config

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/DarkGate.py RENAMED Viewed

@@ -92,11 +92,14 @@ def decode(data):
 def extract_config(data):
+    config_extracted = False
     with suppress(pefile.PEFormatError):
         pe = pefile.PE(data=data, fast_load=True)
         for section in pe.sections:
             if b"CODE" in section.Name:
-                return decode(section.get_data())
+                config = decode(section.get_data())
+                config_extracted = True
+                break
     if b"1=Yes" in data or b"1=No" in data:
         config = {}
@@ -105,6 +108,32 @@ def extract_config(data):
                 config["CNCs"] = [x for x in item[2:].decode("utf-8").split("|") if x.strip() != ""]
             else:
                 config.update(parse_config(item, config_map_2))
+        config_extracted = True
+    if config_extracted:
+        # Map information to CAPE's format, if possible
+        if "c2_port" in config["raw"] and "CNCs" in config:
+            # We're making the assumpton the same port is used for all CNCs
+            config["CNCs"] = [f"{url}:{config['raw']['c2_port']}" for url in config["CNCs"]]
+        if "internal_mutex" in config["raw"]:
+            # Bring mutex to top level
+            config["mutex"] = config["raw"]["internal_mutex"]
+        if "crypto_key" in config["raw"]:
+            # Bring crypto_key to top level
+            config["cryptokey"] = config["raw"]["crypto_key"]
+        if "campaign_id" in config["raw"]:
+            # Bring campaign_id to top level
+            config["campaign"] = config["raw"]["campaign_id"]
+        if "xor_key" in config["raw"]:
+            # Bring xor_key to top level
+            config["cryptokey"] = config["raw"]["xor_key"]
+            config["cruptokey_type"] = "XOR"
         return config
     return ""

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/IcedIDLoader.py RENAMED Viewed

@@ -35,7 +35,8 @@ def extract_config(filebuf):
                 if n > 32:
                     break
             campaign, c2 = struct.unpack("I30s", bytes(dec))
-            config["CNCs"] = c2.split(b"\00", 1)[0].decode()
+            c2 = c2.split(b"\00", 1)[0].decode()
+            config["CNCs"] = f"http://{c2}"
             config["campaign"] = campaign
             return config

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/Latrodectus.py RENAMED Viewed

@@ -154,6 +154,7 @@ def extract_config(filebuf):
                         minor = int.from_bytes(data[18:19], byteorder="big")
                         release = int.from_bytes(data[26:27], byteorder="big")
                         version = f"{major}.{minor}.{release}"
                     if "$key" in item.identifier:
                         key = instance.matched_data[4::5]
             try:
@@ -161,6 +162,7 @@ def extract_config(filebuf):
                 data_sections = [s for s in pe.sections if s.Name.find(b".data") != -1]
                 if not data_sections:
                     return
                 data = data_sections[0].get_data()
                 str_vals = []
                 c2 = []

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/NitroBunnyDownloader.py RENAMED Viewed

@@ -14,6 +14,7 @@
 import logging
 import struct
+from typing import List
 import pefile
 import yara
@@ -32,8 +33,8 @@ rule NitroBunnyDownloader
         cape_type = "NitroBunnyDownloader Payload"
         hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
     strings:
-        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
-        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 4? 89 ?? E8 [3] 00}
+        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 4? 89 ?? E8 [3] 00}
         $string1 = "X-Amz-User-Agent:" wide
         $string2 = "Amz-Security-Flag:" wide
         $string3 = "/cart" wide
@@ -87,6 +88,20 @@ def read_string_list(data, off, count):
     return items, off
+def make_endpoints(cncs: List[str], port: int, uris: List[str]) -> List[str]:
+    endpoints = []
+    schema = {80: "http", 443: "https"}.get(port, "tcp")
+    for cnc in cncs:
+        base_url = f"{schema}://{cnc}"
+        if port not in (80, 443):
+            base_url += f":{port}"
+        for uri in uris:
+            endpoints.append(f"{base_url}/{uri.lstrip('/')}")
+    return endpoints
 def extract_config(filebuf):
     yara_hit = yara_scan(filebuf)
     if not yara_hit:
@@ -98,24 +113,20 @@ def extract_config(filebuf):
     config_offset = None
     rva_offset = None
+    CONFIG_OFFSETS = {
+        "$config1": (7, 14, 18),
+        "$config2": (14, 8, 12),
+    }
     for hit in yara_hit:
         if hit.rule != "NitroBunnyDownloader":
             continue
         for item in hit.strings:
-            for instance in item.instances:
-                if item.identifier == "$config1":
-                    config_code_offset = instance.offset
-                    config_size_offset = 7
-                    config_offset= 14
-                    rva_offset = 18
-                    break
-                elif item.identifier == "$config2":
-                    config_code_offset = instance.offset
-                    config_size_offset = 14
-                    config_offset= 8
-                    rva_offset = 12
-                    break
+            if item.identifier in CONFIG_OFFSETS and item.instances:
+                config_code_offset = item.instances[0].offset
+                config_size_offset, config_offset, rva_offset = CONFIG_OFFSETS[item.identifier]
+                break
             if config_code_offset:
                 break
@@ -126,33 +137,26 @@ def extract_config(filebuf):
     try:
         pe = pefile.PE(data=filebuf, fast_load=True)
         config_length = pe.get_dword_from_offset(config_code_offset + config_size_offset)
-        config = pe.get_dword_from_offset(config_code_offset + config_offset)
+        config_data_offset = pe.get_dword_from_offset(config_code_offset + config_offset)
         rva = pe.get_rva_from_offset(config_code_offset + rva_offset)
-        config_rva = rva + config
+        config_rva = rva + config_data_offset
         data = pe.get_data(config_rva, config_length)
         off = 0
-        raw = cfg["raw"] = {}
+        cfg["CNCs"] = []
         port, off = read_dword(data, off)
         num, off = read_dword(data, off)
         cncs, off = read_string_list(data, off, num)
         num, off = read_qword(data, off)
-        raw["user_agent"], off = read_utf16le_string(data, off, num)
+        cfg["user_agent"], off = read_utf16le_string(data, off, num)
         num, off = read_dword(data, off)
+        raw = cfg["raw"] = {}
         raw["http_header_items"], off = read_string_list(data, off, num)
         num, off = read_dword(data, off)
-        raw["uri_list"], off = read_string_list(data, off, num)
+        uris, off = read_string_list(data, off, num)
         raw["unknown_1"], off = read_dword(data, off)
         raw["unknown_2"], off = read_dword(data, off)
         if cncs:
-            cfg["CNCs"] = []
-            schema = {80: "http", 443: "https"}.get(port, "tcp")
-            for cnc in cncs:
-                cnc = f"{schema}://{cnc}"
-                if port not in (80, 443):
-                    cnc += f":{port}"
-                cfg["CNCs"].append(cnc)
+            cfg["CNCs"] = make_endpoints(cncs, port, uris)
     except Exception as e:
         log.error("Error: %s", e)

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/Oyster.py RENAMED Viewed

@@ -12,21 +12,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import ipaddress
 import logging
 import re
 import struct
 from contextlib import suppress
+from typing import List
-import yara
 import pefile
+import yara
 log = logging.getLogger(__name__)
 DESCRIPTION = "Oyster configuration parser."
 AUTHOR = "enzok"
-yara_rules = yara.compile(
-    source="""rule Oyster
+yara_rules = yara.compile(source="""rule Oyster
 {
     meta:
         author = "enzok"
@@ -45,8 +45,9 @@ yara_rules = yara.compile(
     condition:
         4 of them
 }
-"""
-)
+""")
+MIN_CHARS = 6
 def transform(src, lookup_table):
@@ -63,37 +64,137 @@ def transform(src, lookup_table):
             result = lookup_table[n]
             src[pVal] = result
             pVal -= 1
     return src
 def yara_scan(raw_data):
     try:
         return yara_rules.match(data=raw_data)
-    except Exception as e:
-        print(e)
+    except yara.Error as e:
+        log.error("Yara scan failed: %s", e)
+        return []
+def extract_utf16le(data, min_chars=MIN_CHARS):
+    results = []
+    n = len(data)
+    i = 0
+    while i < n - 1:
+        if 32 <= data[i] <= 126 and data[i + 1] == 0x00:
+            start = i
+            chars = []
+            while i < n - 1 and 32 <= data[i] <= 126 and data[i + 1] == 0x00:
+                chars.append(chr(data[i]))
+                i += 2
+            if len(chars) >= min_chars:
+                results.append((start, ''.join(chars)))
+        else:
+            i += 1
+    return results
+def is_uri(s: str) -> bool:
+    return s.lower().lstrip().startswith(("api/", "/api"))
+def is_c2(s: str) -> bool:
+    DOMAIN_RE = re.compile(r'^[a-zA-Z0-9.-]+\.(?:com|net)$', re.IGNORECASE)
+    IP_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
+    s = s.strip()
+    if DOMAIN_RE.match(s):
+        return True
+    if IP_RE.match(s):
+        try:
+            ip = ipaddress.IPv4Address(s)
+            if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
+                return False
+            return True
+        except ipaddress.AddressValueError:
+            return False
+    return False
+def is_useragent(s: str) -> bool:
+    return "mozilla" in s.lower()
+def is_mutex(s: str) -> bool:
+    if s.count('-') < 2:
+        return False
+    parts = [p.strip() for p in s.split('-') if p.strip()]
+    if len(parts) < 3:
+        return False
+    has_digit = any(any(ch.isdigit() for ch in part) for part in parts)
+    long_enough = all(len(part) > 1 for part in parts)
+    return has_digit and long_enough
+def extract_types(data: bytes):
+    uris = []
+    c2s = []
+    user_agent = None
+    mutexes = []
+    for off, s in extract_utf16le(data):
+        s_str = s.strip()
+        if is_uri(s_str) and s_str not in uris:
+            uris.append(s_str)
+        if is_c2(s_str) and s_str not in c2s:
+            c2s.append(s_str)
+        if user_agent is None and is_useragent(s_str):
+            user_agent = s_str
+        if is_mutex(s_str) and s_str not in mutexes:
+            mutexes.append(s_str)
+    return uris, c2s, user_agent, mutexes
+def make_endpoints(c2s: List[str], uris: List[str]) -> List[str]:
+    endpoints = []
+    for c2 in c2s:
+        for uri in uris:
+            endpoints.append(f"https://{c2}/{uri.lstrip('/')}")
+    return endpoints
 def extract_config(filebuf):
-    yara_hit = yara_scan(filebuf)
+    yara_hits = yara_scan(filebuf)
     config = {}
-    for hit in yara_hit:
+    for hit in yara_hits:
         if hit.rule == "Oyster":
             start_offset = ""
             lookup_va = ""
             for item in hit.strings:
                 if "$start_exit" == item.identifier:
                     start_offset = item.instances[0].offset
                 if "$decode" == item.identifier:
                     decode_offset = item.instances[0].offset
-                    lookup_va = filebuf[decode_offset + 12 : decode_offset + 16]
+                    lookup_va = filebuf[decode_offset + 12: decode_offset + 16]
             if not (start_offset and lookup_va):
-                return
+                continue
             try:
                 pe = pefile.PE(data=filebuf, fast_load=True)
                 lookup_offset = pe.get_offset_from_rva(struct.unpack("I", lookup_va)[0] - pe.OPTIONAL_HEADER.ImageBase)
-                lookup_table = filebuf[lookup_offset : lookup_offset + 256]
-                data = filebuf[start_offset + 4 : start_offset + 8092]
+                lookup_table = filebuf[lookup_offset: lookup_offset + 256]
+                data = filebuf[start_offset + 4: start_offset + 8092]
                 hex_strings = re.split(rb"\x00+", data)
                 hex_strings = [s for s in hex_strings if s]
                 str_vals = []
@@ -105,8 +206,10 @@ def extract_config(filebuf):
                 for item in hex_strings:
                     with suppress(Exception):
                         decoded = transform(bytearray(item), bytearray(lookup_table)).decode("utf-8")
                     if not decoded:
                         continue
                     if "http" in decoded:
                         if "\r\n" in decoded:
                             c2.extend(list(filter(None, decoded.split("\r\n"))))
@@ -121,15 +224,19 @@ def extract_config(filebuf):
                         if c2_matches:
                             c2.extend(c2_matches)
-                config = {
-                    "CNCs": c2,
-                    'version': dll_version,
-                    "raw": {
-                        "Strings": str_vals,
-                    },
-                }
+                config = {"CNCs": c2, 'version': dll_version, "raw": {"Strings": str_vals, }, }
+                return config
             except Exception as e:
                 log.error("Error: %s", e)
+    if not config:
+        urls = []
+        uris, c2s, useragent, mutexes = extract_types(filebuf)
+        if uris and c2s:
+            urls = make_endpoints(c2s, uris)
+        config = {"CNCs": urls, "user_agent": useragent, "mutex": mutexes, }
     return config

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/PikaBot.py RENAMED Viewed

@@ -6,7 +6,6 @@ from contextlib import suppress
 from io import BytesIO
 import pefile
 import yara
 rule_source = """
@@ -83,7 +82,7 @@ def get_c2s(data, count):
         c2_size = struct.unpack("I", data.read(4))[0]
         c2 = get_wchar_string(data, c2_size)
         port, val1, val2 = struct.unpack("III", data.read(12))
-        c2_list.append(f"{c2}:{port}")
+        c2_list.append(f"http://{c2}:{port}")
     return c2_list

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/QakBot.py RENAMED Viewed

@@ -5,22 +5,21 @@
 DESCRIPTION = "Qakbot configuration parser."
 AUTHOR = "threathive, r1n9w0rm"
-import sys
 import datetime
 import hashlib
 import ipaddress
 import logging
 import socket
 import struct
+import sys
 from contextlib import suppress
 import pefile
+import yara
 from Cryptodome.Cipher import AES, ARC4
 from Cryptodome.Hash import SHA256
 from Cryptodome.Util.Padding import unpad
-import yara
 try:
     HAVE_BLZPACK = True
     from cape_parsers.utils import blzpack
@@ -494,7 +493,11 @@ def extract_config(filebuf):
         for k, v in config.items():
             end_config.setdefault(k, v)
     if end_config:
-        return {"raw": end_config}
+        output = {"raw": end_config}
+        if "C2s" in end_config:
+            # Prefix with tcp://
+            output["CNCs"] = [f"http://{c2}" for c2 in end_config["C2s"]]
+        return output
 if __name__ == "__main__":

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/Quickbind.py RENAMED Viewed

@@ -118,10 +118,11 @@ def extract_config(filebuf):
             cfg["campaign"] = campaign
         if c2s:
-            cfg["CNCs"] = c2s
+            cfg["CNCs"] = [f"http://{c2}" for c2 in c2s]
         if mutexes:
-            cfg["mutex"] = list(set(mutexes))
+            mutexes = list(set(mutexes))
+            cfg["mutex"] = mutexes[0] if len(mutexes) == 1 else mutexes
     return cfg

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/cape_parsers/CAPE/core/SmokeLoader.py RENAMED Viewed

@@ -14,17 +14,14 @@ rule SmokeLoader
 {
     meta:
         author = "kevoreilly"
-        description = "SmokeLoader Payload"
-        cape_type = "SmokeLoader Payload"
+        description = "SmokeLoader Config Extraction"
     strings:
-        $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
-        $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
-        $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
+        $fetch_c2_64_1 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF) [6-10] 48 8D 05}
+        $fetch_c2_64_2 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF) 33 C9 E8}
         $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
     condition:
-        2  of them
+        any of them
 }
 """
 yara_rules = yara.compile(source=rule_source)
@@ -69,7 +66,7 @@ def extract_config(filebuf):
             continue
         for item in match.strings:
             for instance in item.instances:
-                if "$fetch_c2_64" in item.identifier:
+                if "$fetch_c2_64_1" in item.identifier:
                     match_offset = (int(instance.offset) & 0xFFFF) + instance.matched_length
                     try:
                         c2list_offset = (
@@ -78,6 +75,17 @@ def extract_config(filebuf):
                     except Exception:
                         break
                     delta = 8
+                if "$fetch_c2_64_2" in item.identifier:
+                    match_offset = (int(instance.offset) & 0xFFFF) + instance.matched_length
+                    try:
+                        func = (
+                            struct.unpack("<I", filebuf[match_offset : match_offset + 4])[0] + match_offset + 4
+                        ) & 0xFFFF
+                        c2list_pointer = struct.unpack("i", filebuf[func+11:func+15])[0]+func+15
+                        c2list_offset = struct.unpack("H", filebuf[c2list_pointer:c2list_pointer+2])[0]
+                    except Exception:
+                        break
+                    delta = 8
                 if "$fetch_c2_32" in item.identifier:
                     match_offset = (int(instance[0]) & 0xFFFF) + 12
                     try:

{cape_parsers-0.1.56 → cape_parsers-0.1.58}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.56"
+version = "0.1.58"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"