PyPI - CAPE-parsers - Versions diffs - 0.1.57__tar.gz → 0.1.59__tar.gz - Mend

CAPE-parsers 0.1.57tar.gz → 0.1.59tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.57
+Version: 0.1.59
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Amatera.py RENAMED Viewed

@@ -3,11 +3,8 @@ import json
 import pefile
 import yara
 import struct
-import re
-import ipaddress
 from contextlib import suppress
 DESCRIPTION = "Amatera Stealer parser"
 AUTHOR = "YungBinary"
@@ -18,7 +15,7 @@ rule AmateraDecrypt
         author = "YungBinary"
         description = "Find Amatera XOR key"
     strings:
-        $decrypt = {
+        $decrypt_global = {
             A1 ?? ?? ?? ??                  // mov     eax, dword ptr ds:szXorKey ; "852149723"
             89 45 ??                        // mov     dword ptr [ebp+xor_key], eax
             8B 0D ?? ?? ?? ??               // mov     ecx, dword ptr ds:szXorKey+4 ; "49723"
@@ -29,12 +26,18 @@ rule AmateraDecrypt
             50                              // push    eax
             E8                              // call
         }
+        $decrypt_stack = {
+            83 EC 1C                        // sub     esp, 1Ch
+            56                              // push    esi
+            89 ?? ??                        // mov     [ebp+var], reg
+            C6 45 ?? ??                     // mov     [ebp+char_1], imm
+            C6 45 ?? ??                     // mov     [ebp+char_2], imm
+        }
     condition:
-        uint16(0) == 0x5A4D and $decrypt
+        uint16(0) == 0x5A4D and ($decrypt_global or $decrypt_stack)
 }
 """
 RULE_SOURCE_AES_KEY = """
 rule AmateraAESKey
 {
@@ -83,28 +86,18 @@ rule AmateraAESKey
 }
 """
-DOMAIN_REGEX = r'^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
+B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
 def yara_scan(raw_data: bytes, rule_source: str):
     yara_rules = yara.compile(source=rule_source)
     matches = yara_rules.match(data=raw_data)
     for match in matches:
         for block in match.strings:
             for instance in block.instances:
                 return instance.offset
-def extract_base64_strings(data: bytes, minchars: int, maxchars: int):
-    """
-    Generator that returns ASCII formatted base64 strings
-    """
-    apat = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
-    for s in re.findall(apat, data):
-        yield s.decode()
 def xor_data(data, key):
     decoded = bytearray()
     for i in range(len(data)):
@@ -112,68 +105,107 @@ def xor_data(data, key):
     return decoded
-def is_public_ip(ip):
-    try:
-        # This will raise a ValueError if the IP format is incorrect
-        ip_obj = ipaddress.ip_address(ip.decode())
-        if ip_obj.is_private:
-            return False
-        return True
-    except Exception:
-        return False
+def decode_and_decrypt(data_bytes, xor_key):
+    if not data_bytes:
+        return ""
+    clean_bytes = data_bytes.rstrip(b"\x00")
+    # Heuristic: Check if valid Base64
+    if any(b not in B64_CHARS for b in clean_bytes):
+        return clean_bytes.decode("utf-8", errors="ignore")
-def is_valid_domain(data):
     try:
-        if re.fullmatch(DOMAIN_REGEX, data.decode()):
-            return True
-        return False
+        decoded = base64.b64decode(clean_bytes, validate=True)
+        decrypted = xor_data(decoded, xor_key)
+        # Heuristic: Check if result is printable ASCII
+        if all(0x20 <= b <= 0x7E for b in decrypted if b != 0):
+            return decrypted.decode("utf-8", errors="ignore").rstrip("\x00")
     except Exception:
-        return False
+        pass
+    return clean_bytes.decode("utf-8", errors="ignore")
 def extract_config(data):
-    """
-    Extract Amatera malware configuration.
-    """
     config_dict = {}
     with suppress(Exception):
         pe = pefile.PE(data=data)
         image_base = pe.OPTIONAL_HEADER.ImageBase
-        # Identify XOR key decryption routine and extract key
         offset = yara_scan(data, RULE_SOURCE)
-        if not offset:
+        if offset is None:
             return config_dict
-        key_str_va = struct.unpack('i', data[offset + 1: offset + 5])[0]
-        key_str = pe.get_string_at_rva(key_str_va - image_base, max_length=20) + b'\x00'
-        # Extract AES 256 key
+        key_str = b""
+        if data[offset] == 0xA1:  # $decrypt_global
+            key_str_va = struct.unpack("i", data[offset + 1 : offset + 5])[0]
+            key_str = (
+                pe.get_string_at_rva(key_str_va - image_base, max_length=20) + b"\x00"
+            )
+        elif data[offset] == 0x83:  # $decrypt_stack
+            key_bytes = bytearray()
+            # Skip sub/push/mov reg (7 bytes)
+            current_idx = offset + 7
+            for _ in range(32):
+                if data[current_idx] != 0xC6 or data[current_idx + 1] != 0x45:
+                    break
+                val = data[current_idx + 3]
+                if val == 0x00:
+                    break
+                key_bytes.append(val)
+                current_idx += 4
+            key_str = key_bytes + b"\x00"
+        if key_str:
+            config_dict["xor_key"] = key_str.rstrip(b"\x00").decode(
+                "utf-8", errors="ignore"
+            )
         aes_key_offset = yara_scan(data, RULE_SOURCE_AES_KEY)
-        aes_key = bytearray()
         if aes_key_offset:
+            aes_key = bytearray()
             aes_block = data[aes_key_offset : aes_key_offset + 131]
             for i in range(0, len(aes_block) - 4, 4):
-                aes_key.append(aes_block[i+6])
-        # Handle each base64 string -> decode -> decrypt with XOR key
-        for b64_str in extract_base64_strings(data, 8, 20):
-            try:
-                decoded = base64.b64decode(b64_str, validate=True)
-                decrypted = xor_data(decoded, key_str)
-                if not is_public_ip(decrypted) and not is_valid_domain(decrypted):
-                    continue
-                config_dict["CNCs"] = [f"https://{decrypted.decode()}"]
-                if aes_key:
-                    config_dict["cryptokey"] = aes_key.hex()
-                    config_dict["cryptokey_type"] = "AES"
-                return config_dict
-            except Exception:
-                continue
+                aes_key.append(aes_block[i + 6])
+            config_dict["cryptokey"] = aes_key.hex()
+            config_dict["cryptokey_type"] = "AES"
+        data_section = next(
+            (
+                s
+                for s in pe.sections
+                if s.Name.decode().strip("\x00").lower() == ".data"
+            ),
+            None,
+        )
+        if data_section:
+            # First 16 bytes = 4 pointers
+            pointers_raw = pe.get_data(data_section.VirtualAddress, 16)
+            if len(pointers_raw) == 16:
+                ptrs = struct.unpack("4I", pointers_raw)
+                extracted = []
+                for ptr in ptrs:
+                    rva = ptr - image_base
+                    if 0 < rva < pe.OPTIONAL_HEADER.SizeOfImage:
+                        extracted.append(pe.get_string_at_rva(rva))
+                    else:
+                        extracted.append(b"")
+                if len(extracted) == 4:
+                    config_dict["payload_guid_1"] = decode_and_decrypt(
+                        extracted[0], key_str
+                    )
+                    config_dict["payload_guid_2"] = decode_and_decrypt(
+                        extracted[1], key_str
+                    )
+                    config_dict["fake_c2"] = decode_and_decrypt(extracted[2], key_str)
+                    real_c2 = decode_and_decrypt(extracted[3], key_str)
+                    config_dict["CNCs"] = [f"https://{real_c2}"]
     return config_dict
@@ -182,5 +214,4 @@ if __name__ == "__main__":
     import sys
     with open(sys.argv[1], "rb") as f:
-        config_json = json.dumps(extract_config(f.read()), indent=4)
-        print(config_json)
+        print(json.dumps(extract_config(f.read()), indent=4))

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/SmokeLoader.py RENAMED Viewed

@@ -14,17 +14,14 @@ rule SmokeLoader
 {
     meta:
         author = "kevoreilly"
-        description = "SmokeLoader Payload"
-        cape_type = "SmokeLoader Payload"
+        description = "SmokeLoader Config Extraction"
     strings:
-        $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
-        $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
-        $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
+        $fetch_c2_64_1 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF) [6-10] 48 8D 05}
+        $fetch_c2_64_2 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF) 33 C9 E8}
         $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
     condition:
-        2  of them
+        any of them
 }
 """
 yara_rules = yara.compile(source=rule_source)
@@ -69,7 +66,7 @@ def extract_config(filebuf):
             continue
         for item in match.strings:
             for instance in item.instances:
-                if "$fetch_c2_64" in item.identifier:
+                if "$fetch_c2_64_1" in item.identifier:
                     match_offset = (int(instance.offset) & 0xFFFF) + instance.matched_length
                     try:
                         c2list_offset = (
@@ -78,6 +75,17 @@ def extract_config(filebuf):
                     except Exception:
                         break
                     delta = 8
+                if "$fetch_c2_64_2" in item.identifier:
+                    match_offset = (int(instance.offset) & 0xFFFF) + instance.matched_length
+                    try:
+                        func = (
+                            struct.unpack("<I", filebuf[match_offset : match_offset + 4])[0] + match_offset + 4
+                        ) & 0xFFFF
+                        c2list_pointer = struct.unpack("i", filebuf[func+11:func+15])[0]+func+15
+                        c2list_offset = struct.unpack("H", filebuf[c2list_pointer:c2list_pointer+2])[0]
+                    except Exception:
+                        break
+                    delta = 8
                 if "$fetch_c2_32" in item.identifier:
                     match_offset = (int(instance[0]) & 0xFFFF) + 12
                     try:

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Zloader.py RENAMED Viewed

@@ -15,14 +15,15 @@
 DESCRIPTION = "Zloader configuration parser"
 AUTHOR = "kevoreilly"
+import json
 import logging
+import re
 import socket
 import struct
 import pefile
-from Cryptodome.Cipher import ARC4
 import yara
+from Cryptodome.Cipher import ARC4
 log = logging.getLogger(__name__)
@@ -59,6 +60,20 @@ rule Zloader2024
     condition:
         uint16(0) == 0x5A4D and $conf_1 and 2 of ($confkey_*)
 }
+rule Zloader2025
+{
+    meta:
+        author = "enzok"
+        description = "Zloader Payload"
+        cape_type = "Zloader Payload"
+    strings:
+        $conf = {4? 01 ?? [4] E8 [4] 4? 8D 15 [4] 4? 89 ?? 4? 89 ?? E8 [4] C7 46 30 00 00 00 00 8B 7E 34}
+        $confkey_1 = {4? 01 ?? [2] E8 [4] 4? 8D 15 [4] 4? 89 ?? 4? 89 ?? E8 [4] C7 46 34 00 00 00 00 8B 46 38}
+        $confkey_2 = {4? 01 ?? [2] E8 [4] 4? 8D 15 [4] 4? 89 ?? 4? 89 ?? E8 [4] C7 46 38 00 00 00 00 48 83 C4 28}
+    condition:
+        uint16(0) == 0x5A4D and $conf and all of ($confkey_*)
+}
 """
 MAX_STRING_SIZE = 32
@@ -71,41 +86,73 @@ def decrypt_rc4(key, data):
 def string_from_offset(data, offset):
-    return data[offset : offset + MAX_STRING_SIZE].split(b"\0", 1)[0]
+    return data[offset: offset + MAX_STRING_SIZE].split(b"\0", 1)[0]
+def parse_config(data, version=None):
+    for i in range(len(data) - 3, -1, -1):
+        if data[i : i + 3] == b"\x00\x00\x00":
+            data = data[:i]
+            break
-def parse_config(data):
     parsed = {}
-    parsed["botnet"] = data[4:].split(b"\x00", 1)[0].decode("utf-8")
-    parsed["campaign"] = data[25:].split(b"\x00", 1)[0].decode("utf-8")
+    net_params = []
+    dns_ips = []
+    tls_sni = ""
+    cryptokey = ""
+    fields = [part.strip() for part in data.split(b'\x00') if part and part.strip()]
+    parsed["botnet"] = fields[0].decode("utf-8") if len(fields) > 0 else ""
+    parsed["campaign"] = fields[1].decode("utf-8") if len(fields) > 1 else ""
     c2s = []
-    c2_data = data[46:686]
-    for i in range(10):
-        chunk = c2_data[i * 64 : (i + 1) * 64]
-        chunk = chunk.rstrip(b"\x00")
-        if chunk:
-            c2s.append(chunk.decode("utf-8"))
+    for f in fields:
+        if f.startswith(b"http"):
+            f = f.decode("utf-8")
+            if "~" in f:
+                tls_sni, f = map(str.strip, f.split("~", 1))
+            if f:
+                c2s.append(f)
+        elif b"PUBLIC KEY" in f:
+            cryptokey = f.decode("utf-8").replace("\n", "")
+        elif version == 3 and b"\x08\x08" in f and len(f) % 4 == 0:
+            idx = 0
+            for i in range(len(f) // 4):
+                dns_ips.append(socket.inet_ntoa(f[idx: idx + 4]))
+                idx += 4
+        elif version == 4 and f.startswith(b"[") and f.endswith(b"]"):
+            try:
+                params = json.loads(f)
+                for param in params:
+                    proto = param.get("proto", "unknown")
+                    ip = param.get("ip", "")
+                    port = param.get("port", 0)
+                    qps = param.get("qps", "")
+                    net_params.append(f"{proto}, {ip}:{port}, qps={qps}".strip())
+            except json.JSONDecodeError:
+                params = None
     parsed["CNCs"] = c2s
-    parsed["cryptokey"] = data[704:].split(b"\x00", 1)[0]
+    parsed["cryptokey"] = cryptokey
     parsed["cryptokey_type"] = "RSA Public Key"
-    dns_data = data[1004:].split(b"\x00", 1)[0]
-    parsed["TLS SNI"] = dns_data.split(b"~")[0].decode("utf-8").rstrip()
-    parsed["DNS C2"] = dns_data.split(b"~")[1].decode("utf-8").strip()
-    dns_ips = []
-    dns_ips.append(socket.inet_ntoa(data[1204:1208].split(b"\x00", 1)[0]))
-    dns_ip_data = data[1208:1248]
-    for i in range(10):
-        chunk = dns_ip_data[i * 4 : (i + 1) * 4]
-        chunk = chunk.rstrip(b"\x00")
-        if chunk:
-            dns_ips.append(socket.inet_ntoa(chunk))
-    parsed["DNS Servers"] = dns_ips
+    raw = parsed["raw"] = {}
+    if tls_sni:
+        raw["tls sni"] = tls_sni
+    if net_params:
+        raw["dns config"] = net_params
+    if dns_ips:
+        raw["dns ips"] = dns_ips
     return parsed
 def extract_config(filebuf):
     config = {}
-    end_config = {}
     pe = pefile.PE(data=filebuf, fast_load=False)
     image_base = pe.OPTIONAL_HEADER.ImageBase
     matches = yara_rules.match(data=filebuf)
@@ -113,7 +160,7 @@ def extract_config(filebuf):
         return
     conf_type = ""
     decrypt_key = ""
-    conf_size = 1020
+    conf_size = None
     for match in matches:
         if match.rule == "Zloader":
             for item in match.strings:
@@ -137,17 +184,23 @@ def extract_config(filebuf):
                 elif "$decrypt_key_3" == item.identifier:
                     decrypt_key = item.instances[0].offset
                     kva_s = 3
+            break
         elif match.rule == "Zloader2024":
-            conf_size = 1264
+            conf_size = None
             rc4_chunk1 = None
             rc4_chunk2 = None
             numchunks = 0
             for item in match.strings:
-                if "$conf_1" == item.identifier:
+                item_id = item.identifier
+                if item_id == "$conf_1":
                     decrypt_conf = item.instances[0].offset + 6
                     conf_size = item.instances[0].offset + 12
+                    if conf_size > 2048:
+                        conf_size = 2048
                     conf_type = "3"
-                elif item.identifier.startswith("$confkey_") and numchunks < 2:
+                elif item_id.startswith("$confkey_") and numchunks < 2:
                     matched_data = item.instances[0].matched_data[:2]
                     if matched_data == b"\x48\x8D":
                         offset = 3
@@ -161,11 +214,32 @@ def extract_config(filebuf):
                         rc4_chunk2 = chunk_offset
                     numchunks += 1
+            break
+        elif match.rule == "Zloader2025":
+            conf_size = None
+            rc4_chunk1 = None
+            rc4_chunk2 = None
+            for item in match.strings:
+                item_id = item.identifier
+                if item_id == "$conf":
+                    decrypt_conf = item.instances[0].offset + 15
+                    size_base_offset = item.instances[0].offset + 5
+                    call_func_offset = item.instances[0].offset + 7
+                    call_func_size_offset = call_func_offset + 1
+                    conf_type = "4"
+                elif item_id == "$confkey_1":
+                    rc4_chunk1 = item.instances[0].offset + 13
+                elif item_id == "$confkey_2":
+                    rc4_chunk2 = item.instances[0].offset + 13
+            break
     if conf_type == "1":
-        va = struct.unpack("I", filebuf[decrypt_conf : decrypt_conf + 4])[0]
+        va = struct.unpack("I", filebuf[decrypt_conf: decrypt_conf + 4])[0]
         key = string_from_offset(filebuf, pe.get_offset_from_rva(va - image_base))
-        data_offset = pe.get_offset_from_rva(struct.unpack("I", filebuf[decrypt_conf + 5 : decrypt_conf + 9])[0] - image_base)
+        data_offset = pe.get_offset_from_rva(struct.unpack("I", filebuf[decrypt_conf + 5: decrypt_conf + 9])[0] - image_base)
         enc_data = filebuf[data_offset:].split(b"\0\0", 1)[0]
         raw = decrypt_rc4(key, enc_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
@@ -178,15 +252,17 @@ def extract_config(filebuf):
             elif len(item) == 16:
                 config["cryptokey"] = item
                 config["cryptokey_type"] = "RC4"
     elif conf_type == "2" and decrypt_key:
-        conf_va = struct.unpack("I", filebuf[decrypt_conf + cva : decrypt_conf + cva + 4])[0]
+        conf_size = 1020
+        conf_va = struct.unpack("I", filebuf[decrypt_conf + cva: decrypt_conf + cva + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + cva + 4)
         # if not conf_size:
         # conf_size = struct.unpack("I", filebuf[decrypt_key + size_s : decrypt_key + size_s + 4])[0]
-        key_va = struct.unpack("I", filebuf[decrypt_key + kva_s : decrypt_key + kva_s + 4])[0]
+        key_va = struct.unpack("I", filebuf[decrypt_key + kva_s: decrypt_key + kva_s + 4])[0]
         key_offset = pe.get_offset_from_rva(key_va + pe.get_rva_from_offset(decrypt_key) + kva_s + 4)
         key = string_from_offset(filebuf, key_offset)
-        conf_data = filebuf[conf_offset : conf_offset + conf_size]
+        conf_data = filebuf[conf_offset: conf_offset + conf_size]
         raw = decrypt_rc4(key, conf_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
         config["botnet"] = items[0].decode("utf-8")
@@ -198,25 +274,56 @@ def extract_config(filebuf):
             elif b"PUBLIC KEY" in item:
                 config["cryptokey"] = item.decode("utf-8").replace("\n", "")
                 config["cryptokey_type"] = "RSA Public key"
     elif conf_type == "3" and rc4_chunk1 and rc4_chunk2:
-        conf_va = struct.unpack("I", filebuf[decrypt_conf : decrypt_conf + 4])[0]
+        conf_va = struct.unpack("I", filebuf[decrypt_conf: decrypt_conf + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + 4)
-        conf_data = filebuf[conf_offset : conf_offset + conf_size]
-        keychunk1_va = struct.unpack("I", filebuf[rc4_chunk1 : rc4_chunk1 + 4])[0]
+        conf_data = filebuf[conf_offset: conf_offset + conf_size]
+        keychunk1_va = struct.unpack("I", filebuf[rc4_chunk1: rc4_chunk1 + 4])[0]
         keychunk1_offset = pe.get_offset_from_rva(keychunk1_va + pe.get_rva_from_offset(rc4_chunk1) + 4)
-        keychunk1 = filebuf[keychunk1_offset : keychunk1_offset + 16]
-        keychunk2_va = struct.unpack("I", filebuf[rc4_chunk2 : rc4_chunk2 + 4])[0]
+        keychunk1 = filebuf[keychunk1_offset: keychunk1_offset + 16]
+        keychunk2_va = struct.unpack("I", filebuf[rc4_chunk2: rc4_chunk2 + 4])[0]
         keychunk2_offset = pe.get_offset_from_rva(keychunk2_va + pe.get_rva_from_offset(rc4_chunk2) + 4)
-        keychunk2 = filebuf[keychunk2_offset : keychunk2_offset + 16]
+        keychunk2 = filebuf[keychunk2_offset: keychunk2_offset + 16]
         decrypt_key = bytes(a ^ b for a, b in zip(keychunk1, keychunk2))
         conf = decrypt_rc4(decrypt_key, conf_data)
-        end_config = parse_config(conf)
+        config = parse_config(conf, 3)
+    elif conf_type == "4" and rc4_chunk1 and rc4_chunk2:
+        conf_va = struct.unpack("I", filebuf[decrypt_conf: decrypt_conf + 4])[0]
+        conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + 4)
+        call_rva = pe.get_rva_from_offset(call_func_offset)
+        call_target_rva = call_rva + 5 + struct.unpack("i", filebuf[call_func_size_offset: call_func_size_offset + 4])[0]
+        call_target_offset = pe.get_offset_from_rva(call_target_rva)
+        function_tail = b"\x5F\x5E\xC3"
+        index = filebuf.find(function_tail, call_target_offset)
+        if index != -1:
+            index += 256
+        function_end_offset = index + len(function_tail)
+        function_data = filebuf[call_target_offset: function_end_offset]
+        pattern = re.compile(b"\x66\x81\xF1..\x66\x89\x4D.", re.DOTALL)
+        key = 0
+        for match in pattern.finditer(function_data):
+            off = match.start()
+            key = struct.unpack_from("<H", function_data, off + 3)[0]
-    if config and end_config:
-        config = config.update({"raw": end_config})
+        size_base = struct.unpack_from("<H", filebuf[size_base_offset: size_base_offset + 2])[0]
+        conf_size = size_base ^ key & 0xFFFF
+        conf_data = filebuf[conf_offset: conf_offset + conf_size]
+        keychunk1_va = struct.unpack("I", filebuf[rc4_chunk1: rc4_chunk1 + 4])[0]
+        keychunk1_offset = pe.get_offset_from_rva(keychunk1_va + pe.get_rva_from_offset(rc4_chunk1) + 4)
+        keychunk1 = filebuf[keychunk1_offset: keychunk1_offset + 16]
+        keychunk2_va = struct.unpack("I", filebuf[rc4_chunk2: rc4_chunk2 + 4])[0]
+        keychunk2_offset = pe.get_offset_from_rva(keychunk2_va + pe.get_rva_from_offset(rc4_chunk2) + 4)
+        keychunk2 = filebuf[keychunk2_offset: keychunk2_offset + 16]
+        decrypt_key = bytes(a ^ b for a, b in zip(keychunk1, keychunk2))
+        conf = decrypt_rc4(decrypt_key, conf_data)
+        config = parse_config(conf, 4)
     return config
 if __name__ == "__main__":
     import sys
     from pathlib import Path

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "CAPE-parsers"
-version = "0.1.57"
+version = "0.1.59"
 description = "CAPE: Malware Configuration Extraction"
 authors = ["Kevin O'Reilly <kev@capesandbox.com>", "doomedraven <doomedraven@capesandbox.com>"]
 license = "MIT"

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/LICENSE RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/README.md RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/AgentTesla.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Amadey.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Arkei.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/AsyncRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/AuroraStealer.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Carbanak.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/CobaltStrikeBeacon.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/CobaltStrikeStager.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/DCRat.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Fareit.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/KoiLoader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/LokiBot.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Lumma.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/MonsterV2.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/MyKings.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/NanoCore.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Nighthawk.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Njrat.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/PhemedroneStealer.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/QuasarRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/README.md RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Snake.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/SparkRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/Stealc.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/VenomRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/WinosStager.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/XWorm.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/XenoRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/community/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/AdaptixBeacon.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/AuraStealer.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Azorult.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/BitPaymer.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/BlackDropper.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Blister.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/BruteRatel.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/BumbleBee.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/DarkGate.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/DoppelPaymer.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/DridexLoader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Formbook.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/GuLoader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/IcedID.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/IcedIDLoader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Latrodectus.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/NitroBunnyDownloader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Oyster.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/PikaBot.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/PlugX.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/QakBot.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Quickbind.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/README.md RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/RedLine.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Remcos.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Rhadamanthys.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Socks5Systemz.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/SquirrelWaffle.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/Strrat.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/WarzoneRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/CAPE/core/test_cape.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/RATDecoders/README.md RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/RATDecoders/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/RATDecoders/test_rats.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/BackOffLoader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/BackOffPOS.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/BlackNix.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/BuerLoader.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/ChChes.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Emotet.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Enfal.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/EvilGrab.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Greame.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Hancitor.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/HttpBrowser.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/JavaDropper.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Nymaim.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Pandora.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/PoisonIvy.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/PredatorPain.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Punisher.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/RCSession.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/REvil.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/RedLeaf.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Retefe.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/Rozena.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/SmallNet.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/TSCookie.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/TrickBot.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/UrsnifV3.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/_ShadowTech.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/_VirusRat.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/_jRat.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/unrecom.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/deprecated/xRAT.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/malduck/LICENSE RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/malduck/README.md RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/malduck/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/malduck/test_malduck.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/mwcp/README.md RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/mwcp/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/mwcp/test_mwcp.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/__init__.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/aplib.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/blzpack.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/blzpack_lib.so RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/dotnet_utils.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/lznt1.py RENAMED Viewed

File without changes

{cape_parsers-0.1.57 → cape_parsers-0.1.59}/cape_parsers/utils/strings.py RENAMED Viewed

File without changes

CAPE-parsers 0.1.57__tar.gz → 0.1.59__tar.gz

CAPE-parsers 0.1.57tar.gz → 0.1.59tar.gz