CAPE-parsers 0.1.57__py3-none-any.whl → 0.1.58__py3-none-any.whl

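--- a/cape_parsers/CAPE/core/SmokeLoader.py
+++ b/cape_parsers/CAPE/core/SmokeLoader.py
@@ -14,17 +14,14 @@ rule SmokeLoader
  {
  meta:
  author = "kevoreilly"
- description = "SmokeLoader Payload"
- cape_type = "SmokeLoader Payload"
+ description = "SmokeLoader Config Extraction"
  strings:
- $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
- $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
- $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
+ $fetch_c2_64_1 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF) [6-10] 48 8D 05}
+ $fetch_c2_64_2 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF) 33 C9 E8}
  $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
  condition:
- 2 of them
+ any of them
  }
-
  """
 
  yara_rules = yara.compile(source=rule_source)
@@ -69,7 +66,7 @@ def extract_config(filebuf):
  continue
  for item in match.strings:
  for instance in item.instances:
- if "$fetch_c2_64" in item.identifier:
+ if "$fetch_c2_64_1" in item.identifier:
  match_offset = (int(instance.offset) & 0xFFFF) + instance.matched_length
  try:
  c2list_offset = (
@@ -78,6 +75,17 @@ def extract_config(filebuf):
  except Exception:
  break
  delta = 8
+ if "$fetch_c2_64_2" in item.identifier:
+ match_offset = (int(instance.offset) & 0xFFFF) + instance.matched_length
+ try:
+ func = (
+ struct.unpack("<I", filebuf[match_offset : match_offset + 4])[0] + match_offset + 4
+ ) & 0xFFFF
+ c2list_pointer = struct.unpack("i", filebuf[func+11:func+15])[0]+func+15
+ c2list_offset = struct.unpack("H", filebuf[c2list_pointer:c2list_pointer+2])[0]
+ except Exception:
+ break
+ delta = 8
  if "$fetch_c2_32" in item.identifier:
  match_offset = (int(instance[0]) & 0xFFFF) + 12
  try: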
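Review bot: The two new `struct.unpack` calls that derive `c2list_pointer` and `c2list_offset` in the `$fetch_c2_64_2` branch use native byte order and alignment (`"i"`, `"H"`) while the `func` computation directly above uses `"<I"`; on a big-endian host the same sample would decode differently, so they should read `struct.unpack("<i", filebuf[func + 11 : func + 15])[0] + func + 15` and `struct.unpack("<H", filebuf[c2list_pointer : c2list_pointer + 2])[0]`. The rel32 read at `func+11` is signed, so `c2list_pointer` can go negative, and a negative slice start silently reads from the end of `filebuf` instead of raising into the `except Exception: break`; a guard such as `if not 0 <= c2list_pointer <= len(filebuf) - 2: break` before the second unpack keeps a false-positive match from yielding a bogus offset. The constants `11` and `15` presumably encode the instruction layout of the called function, which nothing on the page documents; a one-line comment naming the instruction being skipped would help whoever next adjusts these patterns. The branch is otherwise a near-copy of the `$fetch_c2_64_1` block above it, so a small private helper taking the two extra displacements would remove the duplicated try/except and `delta = 8`. extract_config starts before this hunk and continues after it.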
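--- a/cape_parsers-0.1.57.dist-info/METADATA
+++ b/cape_parsers-0.1.58.dist-info/METADATA
@@ -1,6 +1,6 @@
  Metadata-Version: 2.4
  Name: CAPE-parsers
- Version: 0.1.57
+ Version: 0.1.58
  Summary: CAPE: Malware Configuration Extraction
  License: MIT
  License-File: LICENSE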
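--- a/cape_parsers-0.1.57.dist-info/RECORD
+++ b/cape_parsers-0.1.58.dist-info/RECORD
@@ -55,7 +55,7 @@ cape_parsers/CAPE/core/README.md,sha256=Zd84WEUj9NzKzGnVZV1jx6gMiEOtz01m32B7xEuS
  cape_parsers/CAPE/core/RedLine.py,sha256=bZeKLvxaS6HDpWY4RDXtSEBt93qTNzZG5iE6FNS0dOY,5734
  cape_parsers/CAPE/core/Remcos.py,sha256=MIpO2FwehBGIhO7hS0TT2hdDsgvxlI5ps4rAwyFwdTY,9483
  cape_parsers/CAPE/core/Rhadamanthys.py,sha256=0vj3M1IC4oPISj1R7ELl9JZm1Uha9DTdbNJraJGdbh0,10725
- cape_parsers/CAPE/core/SmokeLoader.py,sha256=ruQ_GDiZvqtGxUTbN2N6fajUYWkIylFTvMXijgZ8L20,3890
+ cape_parsers/CAPE/core/SmokeLoader.py,sha256=NHNQ4LzV27vfmddfsvIBoW2PFiyfG2bufGC9iqKzTvE,4262
  cape_parsers/CAPE/core/Socks5Systemz.py,sha256=jSt6QejL5K99dIB3qdItvUHL28w6N60xuwc8EQHM5Mk,783
  cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=UMha7l60fL64VPHxueFUnCEGaO-CXau5ftEyK-Wv__o,3308
  cape_parsers/CAPE/core/Strrat.py,sha256=PAKTzGZCdblXr4pNKsOpNOPhvcaAfRCiE9BtKAeOp0M,2240
@@ -112,7 +112,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
  cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
  cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
  cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
- cape_parsers-0.1.57.dist-info/METADATA,sha256=tKJbd4dpuBIznH1pffa7cSURQUmWCrhaJRHOa-YFAxs,1826
- cape_parsers-0.1.57.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
- cape_parsers-0.1.57.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
- cape_parsers-0.1.57.dist-info/RECORD,,
+ cape_parsers-0.1.58.dist-info/METADATA,sha256=yK13F0B9baYnbtifb3kwzoFCaCcTHct7SbVFHBlixeU,1826
+ cape_parsers-0.1.58.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+ cape_parsers-0.1.58.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+ cape_parsers-0.1.58.dist-info/RECORD,,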