PyPI - CAPE-parsers - Versions diffs - 0.1.58__py3-none-any.whl → 0.1.60__py3-none-any.whl - Mend

CAPE-parsers 0.1.58py3-none-any.whl → 0.1.60py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

cape_parsers/CAPE/community/Amadey.py CHANGED Viewed

@@ -28,6 +28,34 @@ rule Amadey_Key_String
 }
 """
+RULE_SOURCE_KEY_X64 = """
+rule Amadey_Key_String_X64
+{
+    meta:
+        author = "Matthieu Gras"
+        description = "Find decryption key in Amadey (64bit)."
+    strings:
+        $opcodes = {
+            /* sub rsp, imm8  */
+            48 83 EC ??
+            /* mov r8d, imm32 */
+            41 B8 ?? ?? ?? ??
+            /* lea rdx, [rip+disp32] */
+            48 8D 15 ?? ?? ?? ??
+            /* lea rcx, [rip+disp32] */
+            48 8D 0D ?? ?? ?? ??
+            /* call rel32 */
+            E8 ?? ?? ?? ??
+        }
+    condition:
+        $opcodes
+}
+"""
 RULE_SOURCE_ENCODED_STRINGS = """
 rule Amadey_Encoded_Strings
 {
@@ -50,6 +78,43 @@ rule Amadey_Encoded_Strings
 }
 """
+RULE_SOURCE_ENCODED_STRINGS_X64 = """
+rule Amadey_Encoded_Strings_X64
+{
+    meta:
+        author = "Matthieu Gras"
+        description = "Find encoded strings in Amadey (64bit)."
+    strings:
+        $opcodes = {
+            /* sub rsp, imm8 */
+            48 83 EC ??
+            /* mov r8d, imm32 */
+            41 B8 ?? ?? ?? ??
+            /* lea rdx, [rip+disp32] */
+            48 8D 15 ?? ?? ?? ??
+            /* lea rcx, [rip+disp32] */
+            48 8D 0D ?? ?? ?? ??
+            /* call rel32  */
+            E8 ?? ?? ?? ??
+            /* lea rcx, [rip+disp32] */
+            48 8D 0D ?? ?? ?? ??
+            /* add rsp, imm8 */
+            48 83 C4 ??
+            /* jmp rel32 */
+            E9 ?? ?? ?? ??
+        }
+    condition:
+        $opcodes
+}
+"""
 def contains_non_printable(byte_array):
     for byte in byte_array:
@@ -68,14 +133,14 @@ def yara_scan_generator(raw_data, rule_source):
                 yield instance.offset, block.identifier
-def get_keys(pe, data):
-    image_base = pe.OPTIONAL_HEADER.ImageBase
+def get_keys(pe, data, is_64bit=False):
     keys = []
-    for offset, _ in yara_scan_generator(data, RULE_SOURCE_KEY):
+    rule_source = RULE_SOURCE_KEY_X64 if is_64bit else RULE_SOURCE_KEY
+    for offset, _ in yara_scan_generator(data, rule_source):
         try:
-            key_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
-            key_string_dword_offset = pe.get_offset_from_rva(key_string_rva - image_base)
-            key_string = pe.get_string_from_data(key_string_dword_offset, data)
+            key_string_offset = get_rip_relative_address(pe, data, offset, is_64bit)
+            key_string = pe.get_string_from_data(key_string_offset, data)
             if b"=" not in key_string:
                 keys.append(key_string.decode())
@@ -88,19 +153,34 @@ def get_keys(pe, data):
     return []
+def get_rip_relative_address(pe, data, offset, is_64bit):
+    if is_64bit:
+        offset += 10
+        disp = struct.unpack('<i', data[offset + 3 : offset + 7])[0]
+        rip_rva = pe.get_rva_from_offset(offset + 7)
+        target_rva = rip_rva + disp
+        target_offset = pe.get_offset_from_rva(target_rva)
+    else:
+        rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
+        target_offset = pe.get_offset_from_rva(rva - pe.OPTIONAL_HEADER.ImageBase)
-def get_encoded_strings(pe, data):
+    return target_offset
+def get_encoded_strings(pe, data, is_64bit=False):
     encoded_strings = []
-    image_base = pe.OPTIONAL_HEADER.ImageBase
-    for offset, _ in yara_scan_generator(data, RULE_SOURCE_ENCODED_STRINGS):
+    rule_source = RULE_SOURCE_ENCODED_STRINGS_X64 if is_64bit else RULE_SOURCE_ENCODED_STRINGS
+    for offset, _ in yara_scan_generator(data, rule_source):
         try:
-            encoded_string_size = data[offset + 1]
-            encoded_string_rva = struct.unpack('i', data[offset + 3 : offset + 7])[0]
-            encoded_string_dword_offset = pe.get_offset_from_rva(encoded_string_rva - image_base)
-            encoded_string = pe.get_string_from_data(encoded_string_dword_offset, data)
+            if is_64bit:
+                encoded_string_size = struct.unpack('<I', data[offset + 6 : offset + 10])[0]
+            else:
+                encoded_string_size = data[offset + 1]
+            encoded_string_offset = get_rip_relative_address(pe, data, offset, is_64bit)
+            encoded_string = pe.get_string_from_data(encoded_string_offset, data)
-            # Make sure the string matches length from operand
             if encoded_string_size != len(encoded_string):
                 continue
@@ -147,13 +227,15 @@ def extract_config(data):
     pe = pefile.PE(data=data, fast_load=True)
     # image_base = pe.OPTIONAL_HEADER.ImageBase
-    keys = get_keys(pe, data)
+    is_64bit = pe.OPTIONAL_HEADER.Magic == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS
+    keys = get_keys(pe, data, is_64bit)
     if not keys:
         return {}
     decode_key = keys[0]
     rc4_key = keys[1]
-    encoded_strings = get_encoded_strings(pe, data)
+    encoded_strings = get_encoded_strings(pe, data, is_64bit)
     decoded_strings = []
     for encoded_string in encoded_strings:

cape_parsers/CAPE/community/Amatera.py CHANGED Viewed

@@ -3,11 +3,8 @@ import json
 import pefile
 import yara
 import struct
-import re
-import ipaddress
 from contextlib import suppress
 DESCRIPTION = "Amatera Stealer parser"
 AUTHOR = "YungBinary"
@@ -18,7 +15,7 @@ rule AmateraDecrypt
         author = "YungBinary"
         description = "Find Amatera XOR key"
     strings:
-        $decrypt = {
+        $decrypt_global = {
             A1 ?? ?? ?? ??                  // mov     eax, dword ptr ds:szXorKey ; "852149723"
             89 45 ??                        // mov     dword ptr [ebp+xor_key], eax
             8B 0D ?? ?? ?? ??               // mov     ecx, dword ptr ds:szXorKey+4 ; "49723"
@@ -29,12 +26,18 @@ rule AmateraDecrypt
             50                              // push    eax
             E8                              // call
         }
+        $decrypt_stack = {
+            83 EC 1C                        // sub     esp, 1Ch
+            56                              // push    esi
+            89 ?? ??                        // mov     [ebp+var], reg
+            C6 45 ?? ??                     // mov     [ebp+char_1], imm
+            C6 45 ?? ??                     // mov     [ebp+char_2], imm
+        }
     condition:
-        uint16(0) == 0x5A4D and $decrypt
+        uint16(0) == 0x5A4D and ($decrypt_global or $decrypt_stack)
 }
 """
 RULE_SOURCE_AES_KEY = """
 rule AmateraAESKey
 {
@@ -83,28 +86,18 @@ rule AmateraAESKey
 }
 """
-DOMAIN_REGEX = r'^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
+B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
 def yara_scan(raw_data: bytes, rule_source: str):
     yara_rules = yara.compile(source=rule_source)
     matches = yara_rules.match(data=raw_data)
     for match in matches:
         for block in match.strings:
             for instance in block.instances:
                 return instance.offset
-def extract_base64_strings(data: bytes, minchars: int, maxchars: int):
-    """
-    Generator that returns ASCII formatted base64 strings
-    """
-    apat = b"([A-Za-z0-9+/=]{" + str(minchars).encode() + b"," + str(maxchars).encode() + b"})\x00"
-    for s in re.findall(apat, data):
-        yield s.decode()
 def xor_data(data, key):
     decoded = bytearray()
     for i in range(len(data)):
@@ -112,68 +105,107 @@ def xor_data(data, key):
     return decoded
-def is_public_ip(ip):
-    try:
-        # This will raise a ValueError if the IP format is incorrect
-        ip_obj = ipaddress.ip_address(ip.decode())
-        if ip_obj.is_private:
-            return False
-        return True
-    except Exception:
-        return False
+def decode_and_decrypt(data_bytes, xor_key):
+    if not data_bytes:
+        return ""
+    clean_bytes = data_bytes.rstrip(b"\x00")
+    # Heuristic: Check if valid Base64
+    if any(b not in B64_CHARS for b in clean_bytes):
+        return clean_bytes.decode("utf-8", errors="ignore")
-def is_valid_domain(data):
     try:
-        if re.fullmatch(DOMAIN_REGEX, data.decode()):
-            return True
-        return False
+        decoded = base64.b64decode(clean_bytes, validate=True)
+        decrypted = xor_data(decoded, xor_key)
+        # Heuristic: Check if result is printable ASCII
+        if all(0x20 <= b <= 0x7E for b in decrypted if b != 0):
+            return decrypted.decode("utf-8", errors="ignore").rstrip("\x00")
     except Exception:
-        return False
+        pass
+    return clean_bytes.decode("utf-8", errors="ignore")
 def extract_config(data):
-    """
-    Extract Amatera malware configuration.
-    """
     config_dict = {}
     with suppress(Exception):
         pe = pefile.PE(data=data)
         image_base = pe.OPTIONAL_HEADER.ImageBase
-        # Identify XOR key decryption routine and extract key
         offset = yara_scan(data, RULE_SOURCE)
-        if not offset:
+        if offset is None:
             return config_dict
-        key_str_va = struct.unpack('i', data[offset + 1: offset + 5])[0]
-        key_str = pe.get_string_at_rva(key_str_va - image_base, max_length=20) + b'\x00'
-        # Extract AES 256 key
+        key_str = b""
+        if data[offset] == 0xA1:  # $decrypt_global
+            key_str_va = struct.unpack("i", data[offset + 1 : offset + 5])[0]
+            key_str = (
+                pe.get_string_at_rva(key_str_va - image_base, max_length=20) + b"\x00"
+            )
+        elif data[offset] == 0x83:  # $decrypt_stack
+            key_bytes = bytearray()
+            # Skip sub/push/mov reg (7 bytes)
+            current_idx = offset + 7
+            for _ in range(32):
+                if data[current_idx] != 0xC6 or data[current_idx + 1] != 0x45:
+                    break
+                val = data[current_idx + 3]
+                if val == 0x00:
+                    break
+                key_bytes.append(val)
+                current_idx += 4
+            key_str = key_bytes + b"\x00"
+        if key_str:
+            config_dict["xor_key"] = key_str.rstrip(b"\x00").decode(
+                "utf-8", errors="ignore"
+            )
         aes_key_offset = yara_scan(data, RULE_SOURCE_AES_KEY)
-        aes_key = bytearray()
         if aes_key_offset:
+            aes_key = bytearray()
             aes_block = data[aes_key_offset : aes_key_offset + 131]
             for i in range(0, len(aes_block) - 4, 4):
-                aes_key.append(aes_block[i+6])
-        # Handle each base64 string -> decode -> decrypt with XOR key
-        for b64_str in extract_base64_strings(data, 8, 20):
-            try:
-                decoded = base64.b64decode(b64_str, validate=True)
-                decrypted = xor_data(decoded, key_str)
-                if not is_public_ip(decrypted) and not is_valid_domain(decrypted):
-                    continue
-                config_dict["CNCs"] = [f"https://{decrypted.decode()}"]
-                if aes_key:
-                    config_dict["cryptokey"] = aes_key.hex()
-                    config_dict["cryptokey_type"] = "AES"
-                return config_dict
-            except Exception:
-                continue
+                aes_key.append(aes_block[i + 6])
+            config_dict["cryptokey"] = aes_key.hex()
+            config_dict["cryptokey_type"] = "AES"
+        data_section = next(
+            (
+                s
+                for s in pe.sections
+                if s.Name.decode().strip("\x00").lower() == ".data"
+            ),
+            None,
+        )
+        if data_section:
+            # First 16 bytes = 4 pointers
+            pointers_raw = pe.get_data(data_section.VirtualAddress, 16)
+            if len(pointers_raw) == 16:
+                ptrs = struct.unpack("4I", pointers_raw)
+                extracted = []
+                for ptr in ptrs:
+                    rva = ptr - image_base
+                    if 0 < rva < pe.OPTIONAL_HEADER.SizeOfImage:
+                        extracted.append(pe.get_string_at_rva(rva))
+                    else:
+                        extracted.append(b"")
+                if len(extracted) == 4:
+                    config_dict["payload_guid_1"] = decode_and_decrypt(
+                        extracted[0], key_str
+                    )
+                    config_dict["payload_guid_2"] = decode_and_decrypt(
+                        extracted[1], key_str
+                    )
+                    config_dict["fake_c2"] = decode_and_decrypt(extracted[2], key_str)
+                    real_c2 = decode_and_decrypt(extracted[3], key_str)
+                    config_dict["CNCs"] = [f"https://{real_c2}"]
     return config_dict
@@ -182,5 +214,4 @@ if __name__ == "__main__":
     import sys
     with open(sys.argv[1], "rb") as f:
-        config_json = json.dumps(extract_config(f.read()), indent=4)
-        print(config_json)
+        print(json.dumps(extract_config(f.read()), indent=4))

cape_parsers/CAPE/core/Zloader.py CHANGED Viewed

@@ -15,14 +15,15 @@
 DESCRIPTION = "Zloader configuration parser"
 AUTHOR = "kevoreilly"
+import json
 import logging
+import re
 import socket
 import struct
 import pefile
-from Cryptodome.Cipher import ARC4
 import yara
+from Cryptodome.Cipher import ARC4
 log = logging.getLogger(__name__)
@@ -59,6 +60,20 @@ rule Zloader2024
     condition:
         uint16(0) == 0x5A4D and $conf_1 and 2 of ($confkey_*)
 }
+rule Zloader2025
+{
+    meta:
+        author = "enzok"
+        description = "Zloader Payload"
+        cape_type = "Zloader Payload"
+    strings:
+        $conf = {4? 01 ?? [4] E8 [4] 4? 8D 15 [4] 4? 89 ?? 4? 89 ?? E8 [4] C7 46 30 00 00 00 00 8B 7E 34}
+        $confkey_1 = {4? 01 ?? [2] E8 [4] 4? 8D 15 [4] 4? 89 ?? 4? 89 ?? E8 [4] C7 46 34 00 00 00 00 8B 46 38}
+        $confkey_2 = {4? 01 ?? [2] E8 [4] 4? 8D 15 [4] 4? 89 ?? 4? 89 ?? E8 [4] C7 46 38 00 00 00 00 48 83 C4 28}
+    condition:
+        uint16(0) == 0x5A4D and $conf and all of ($confkey_*)
+}
 """
 MAX_STRING_SIZE = 32
@@ -71,41 +86,73 @@ def decrypt_rc4(key, data):
 def string_from_offset(data, offset):
-    return data[offset : offset + MAX_STRING_SIZE].split(b"\0", 1)[0]
+    return data[offset: offset + MAX_STRING_SIZE].split(b"\0", 1)[0]
+def parse_config(data, version=None):
+    for i in range(len(data) - 3, -1, -1):
+        if data[i : i + 3] == b"\x00\x00\x00":
+            data = data[:i]
+            break
-def parse_config(data):
     parsed = {}
-    parsed["botnet"] = data[4:].split(b"\x00", 1)[0].decode("utf-8")
-    parsed["campaign"] = data[25:].split(b"\x00", 1)[0].decode("utf-8")
+    net_params = []
+    dns_ips = []
+    tls_sni = ""
+    cryptokey = ""
+    fields = [part.strip() for part in data.split(b'\x00') if part and part.strip()]
+    parsed["botnet"] = fields[0].decode("utf-8") if len(fields) > 0 else ""
+    parsed["campaign"] = fields[1].decode("utf-8") if len(fields) > 1 else ""
     c2s = []
-    c2_data = data[46:686]
-    for i in range(10):
-        chunk = c2_data[i * 64 : (i + 1) * 64]
-        chunk = chunk.rstrip(b"\x00")
-        if chunk:
-            c2s.append(chunk.decode("utf-8"))
+    for f in fields:
+        if f.startswith(b"http"):
+            f = f.decode("utf-8")
+            if "~" in f:
+                tls_sni, f = map(str.strip, f.split("~", 1))
+            if f:
+                c2s.append(f)
+        elif b"PUBLIC KEY" in f:
+            cryptokey = f.decode("utf-8").replace("\n", "")
+        elif version == 3 and b"\x08\x08" in f and len(f) % 4 == 0:
+            idx = 0
+            for i in range(len(f) // 4):
+                dns_ips.append(socket.inet_ntoa(f[idx: idx + 4]))
+                idx += 4
+        elif version == 4 and f.startswith(b"[") and f.endswith(b"]"):
+            try:
+                params = json.loads(f)
+                for param in params:
+                    proto = param.get("proto", "unknown")
+                    ip = param.get("ip", "")
+                    port = param.get("port", 0)
+                    qps = param.get("qps", "")
+                    net_params.append(f"{proto}, {ip}:{port}, qps={qps}".strip())
+            except json.JSONDecodeError:
+                params = None
     parsed["CNCs"] = c2s
-    parsed["cryptokey"] = data[704:].split(b"\x00", 1)[0]
+    parsed["cryptokey"] = cryptokey
     parsed["cryptokey_type"] = "RSA Public Key"
-    dns_data = data[1004:].split(b"\x00", 1)[0]
-    parsed["TLS SNI"] = dns_data.split(b"~")[0].decode("utf-8").rstrip()
-    parsed["DNS C2"] = dns_data.split(b"~")[1].decode("utf-8").strip()
-    dns_ips = []
-    dns_ips.append(socket.inet_ntoa(data[1204:1208].split(b"\x00", 1)[0]))
-    dns_ip_data = data[1208:1248]
-    for i in range(10):
-        chunk = dns_ip_data[i * 4 : (i + 1) * 4]
-        chunk = chunk.rstrip(b"\x00")
-        if chunk:
-            dns_ips.append(socket.inet_ntoa(chunk))
-    parsed["DNS Servers"] = dns_ips
+    raw = parsed["raw"] = {}
+    if tls_sni:
+        raw["tls sni"] = tls_sni
+    if net_params:
+        raw["dns config"] = net_params
+    if dns_ips:
+        raw["dns ips"] = dns_ips
     return parsed
 def extract_config(filebuf):
     config = {}
-    end_config = {}
     pe = pefile.PE(data=filebuf, fast_load=False)
     image_base = pe.OPTIONAL_HEADER.ImageBase
     matches = yara_rules.match(data=filebuf)
@@ -113,7 +160,7 @@ def extract_config(filebuf):
         return
     conf_type = ""
     decrypt_key = ""
-    conf_size = 1020
+    conf_size = None
     for match in matches:
         if match.rule == "Zloader":
             for item in match.strings:
@@ -137,17 +184,23 @@ def extract_config(filebuf):
                 elif "$decrypt_key_3" == item.identifier:
                     decrypt_key = item.instances[0].offset
                     kva_s = 3
+            break
         elif match.rule == "Zloader2024":
-            conf_size = 1264
+            conf_size = None
             rc4_chunk1 = None
             rc4_chunk2 = None
             numchunks = 0
             for item in match.strings:
-                if "$conf_1" == item.identifier:
+                item_id = item.identifier
+                if item_id == "$conf_1":
                     decrypt_conf = item.instances[0].offset + 6
                     conf_size = item.instances[0].offset + 12
+                    if conf_size > 2048:
+                        conf_size = 2048
                     conf_type = "3"
-                elif item.identifier.startswith("$confkey_") and numchunks < 2:
+                elif item_id.startswith("$confkey_") and numchunks < 2:
                     matched_data = item.instances[0].matched_data[:2]
                     if matched_data == b"\x48\x8D":
                         offset = 3
@@ -161,11 +214,32 @@ def extract_config(filebuf):
                         rc4_chunk2 = chunk_offset
                     numchunks += 1
+            break
+        elif match.rule == "Zloader2025":
+            conf_size = None
+            rc4_chunk1 = None
+            rc4_chunk2 = None
+            for item in match.strings:
+                item_id = item.identifier
+                if item_id == "$conf":
+                    decrypt_conf = item.instances[0].offset + 15
+                    size_base_offset = item.instances[0].offset + 5
+                    call_func_offset = item.instances[0].offset + 7
+                    call_func_size_offset = call_func_offset + 1
+                    conf_type = "4"
+                elif item_id == "$confkey_1":
+                    rc4_chunk1 = item.instances[0].offset + 13
+                elif item_id == "$confkey_2":
+                    rc4_chunk2 = item.instances[0].offset + 13
+            break
     if conf_type == "1":
-        va = struct.unpack("I", filebuf[decrypt_conf : decrypt_conf + 4])[0]
+        va = struct.unpack("I", filebuf[decrypt_conf: decrypt_conf + 4])[0]
         key = string_from_offset(filebuf, pe.get_offset_from_rva(va - image_base))
-        data_offset = pe.get_offset_from_rva(struct.unpack("I", filebuf[decrypt_conf + 5 : decrypt_conf + 9])[0] - image_base)
+        data_offset = pe.get_offset_from_rva(struct.unpack("I", filebuf[decrypt_conf + 5: decrypt_conf + 9])[0] - image_base)
         enc_data = filebuf[data_offset:].split(b"\0\0", 1)[0]
         raw = decrypt_rc4(key, enc_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
@@ -178,15 +252,17 @@ def extract_config(filebuf):
             elif len(item) == 16:
                 config["cryptokey"] = item
                 config["cryptokey_type"] = "RC4"
     elif conf_type == "2" and decrypt_key:
-        conf_va = struct.unpack("I", filebuf[decrypt_conf + cva : decrypt_conf + cva + 4])[0]
+        conf_size = 1020
+        conf_va = struct.unpack("I", filebuf[decrypt_conf + cva: decrypt_conf + cva + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + cva + 4)
         # if not conf_size:
         # conf_size = struct.unpack("I", filebuf[decrypt_key + size_s : decrypt_key + size_s + 4])[0]
-        key_va = struct.unpack("I", filebuf[decrypt_key + kva_s : decrypt_key + kva_s + 4])[0]
+        key_va = struct.unpack("I", filebuf[decrypt_key + kva_s: decrypt_key + kva_s + 4])[0]
         key_offset = pe.get_offset_from_rva(key_va + pe.get_rva_from_offset(decrypt_key) + kva_s + 4)
         key = string_from_offset(filebuf, key_offset)
-        conf_data = filebuf[conf_offset : conf_offset + conf_size]
+        conf_data = filebuf[conf_offset: conf_offset + conf_size]
         raw = decrypt_rc4(key, conf_data)
         items = list(filter(None, raw.split(b"\x00\x00")))
         config["botnet"] = items[0].decode("utf-8")
@@ -198,25 +274,56 @@ def extract_config(filebuf):
             elif b"PUBLIC KEY" in item:
                 config["cryptokey"] = item.decode("utf-8").replace("\n", "")
                 config["cryptokey_type"] = "RSA Public key"
     elif conf_type == "3" and rc4_chunk1 and rc4_chunk2:
-        conf_va = struct.unpack("I", filebuf[decrypt_conf : decrypt_conf + 4])[0]
+        conf_va = struct.unpack("I", filebuf[decrypt_conf: decrypt_conf + 4])[0]
         conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + 4)
-        conf_data = filebuf[conf_offset : conf_offset + conf_size]
-        keychunk1_va = struct.unpack("I", filebuf[rc4_chunk1 : rc4_chunk1 + 4])[0]
+        conf_data = filebuf[conf_offset: conf_offset + conf_size]
+        keychunk1_va = struct.unpack("I", filebuf[rc4_chunk1: rc4_chunk1 + 4])[0]
         keychunk1_offset = pe.get_offset_from_rva(keychunk1_va + pe.get_rva_from_offset(rc4_chunk1) + 4)
-        keychunk1 = filebuf[keychunk1_offset : keychunk1_offset + 16]
-        keychunk2_va = struct.unpack("I", filebuf[rc4_chunk2 : rc4_chunk2 + 4])[0]
+        keychunk1 = filebuf[keychunk1_offset: keychunk1_offset + 16]
+        keychunk2_va = struct.unpack("I", filebuf[rc4_chunk2: rc4_chunk2 + 4])[0]
         keychunk2_offset = pe.get_offset_from_rva(keychunk2_va + pe.get_rva_from_offset(rc4_chunk2) + 4)
-        keychunk2 = filebuf[keychunk2_offset : keychunk2_offset + 16]
+        keychunk2 = filebuf[keychunk2_offset: keychunk2_offset + 16]
         decrypt_key = bytes(a ^ b for a, b in zip(keychunk1, keychunk2))
         conf = decrypt_rc4(decrypt_key, conf_data)
-        end_config = parse_config(conf)
+        config = parse_config(conf, 3)
+    elif conf_type == "4" and rc4_chunk1 and rc4_chunk2:
+        conf_va = struct.unpack("I", filebuf[decrypt_conf: decrypt_conf + 4])[0]
+        conf_offset = pe.get_offset_from_rva(conf_va + pe.get_rva_from_offset(decrypt_conf) + 4)
+        call_rva = pe.get_rva_from_offset(call_func_offset)
+        call_target_rva = call_rva + 5 + struct.unpack("i", filebuf[call_func_size_offset: call_func_size_offset + 4])[0]
+        call_target_offset = pe.get_offset_from_rva(call_target_rva)
+        function_tail = b"\x5F\x5E\xC3"
+        index = filebuf.find(function_tail, call_target_offset)
+        if index != -1:
+            index += 256
+        function_end_offset = index + len(function_tail)
+        function_data = filebuf[call_target_offset: function_end_offset]
+        pattern = re.compile(b"\x66\x81\xF1..\x66\x89\x4D.", re.DOTALL)
+        key = 0
+        for match in pattern.finditer(function_data):
+            off = match.start()
+            key = struct.unpack_from("<H", function_data, off + 3)[0]
-    if config and end_config:
-        config = config.update({"raw": end_config})
+        size_base = struct.unpack_from("<H", filebuf[size_base_offset: size_base_offset + 2])[0]
+        conf_size = size_base ^ key & 0xFFFF
+        conf_data = filebuf[conf_offset: conf_offset + conf_size]
+        keychunk1_va = struct.unpack("I", filebuf[rc4_chunk1: rc4_chunk1 + 4])[0]
+        keychunk1_offset = pe.get_offset_from_rva(keychunk1_va + pe.get_rva_from_offset(rc4_chunk1) + 4)
+        keychunk1 = filebuf[keychunk1_offset: keychunk1_offset + 16]
+        keychunk2_va = struct.unpack("I", filebuf[rc4_chunk2: rc4_chunk2 + 4])[0]
+        keychunk2_offset = pe.get_offset_from_rva(keychunk2_va + pe.get_rva_from_offset(rc4_chunk2) + 4)
+        keychunk2 = filebuf[keychunk2_offset: keychunk2_offset + 16]
+        decrypt_key = bytes(a ^ b for a, b in zip(keychunk1, keychunk2))
+        conf = decrypt_rc4(decrypt_key, conf_data)
+        config = parse_config(conf, 4)
     return config
 if __name__ == "__main__":
     import sys
     from pathlib import Path

{cape_parsers-0.1.58.dist-info → cape_parsers-0.1.60.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: CAPE-parsers
-Version: 0.1.58
+Version: 0.1.60
 Summary: CAPE: Malware Configuration Extraction
 License: MIT
 License-File: LICENSE

{cape_parsers-0.1.58.dist-info → cape_parsers-0.1.60.dist-info}/RECORD RENAMED Viewed

@@ -1,7 +1,7 @@
 cape_parsers/CAPE/__init__.py,sha256=JcY8WPKzUFYgexwV1eyKIuT1JyNZzMJjBynlPSzxY_I,7
 cape_parsers/CAPE/community/AgentTesla.py,sha256=NmKIZRAea2aEJOszKyHDyiwljFAGIe4oe6aOXiyIb6Q,4413
-cape_parsers/CAPE/community/Amadey.py,sha256=IUyt909q9IDQPPip6UW9uD16rJMD_gvkwvNZ8NHTW-k,5577
-cape_parsers/CAPE/community/Amatera.py,sha256=8s94SW58r04bs2KuIdJJ5-dm4WfoOrwINEqdSuFJKHk,7096
+cape_parsers/CAPE/community/Amadey.py,sha256=7a-meFa8-yKmz3SAhU7v-ZSl3rMwS7uODTorMn5NQHk,7494
+cape_parsers/CAPE/community/Amatera.py,sha256=giu37eRWaHpVnKPyggp5S70NwT3UwYrsT9oEm6NmDpw,8738
 cape_parsers/CAPE/community/Arkei.py,sha256=k36qHxdo5yPa9V1cg7EImSWP06kMog0rBda4KXqLKCY,3783
 cape_parsers/CAPE/community/AsyncRAT.py,sha256=0-FRT3d2x63KQ_cs1xmKFj7x0JRf7ID6QDc_DvBa0PM,1003
 cape_parsers/CAPE/community/AuroraStealer.py,sha256=LRu2QFBYkGhRGDJBw3GlcKub4E0_TBWmjdR2PnobDZM,2643
@@ -60,7 +60,7 @@ cape_parsers/CAPE/core/Socks5Systemz.py,sha256=jSt6QejL5K99dIB3qdItvUHL28w6N60xu
 cape_parsers/CAPE/core/SquirrelWaffle.py,sha256=UMha7l60fL64VPHxueFUnCEGaO-CXau5ftEyK-Wv__o,3308
 cape_parsers/CAPE/core/Strrat.py,sha256=PAKTzGZCdblXr4pNKsOpNOPhvcaAfRCiE9BtKAeOp0M,2240
 cape_parsers/CAPE/core/WarzoneRAT.py,sha256=aHB6n-EX4uMZA93_R4yiFzRsvoqxfh7sdbtlAA-Ia2E,3780
-cape_parsers/CAPE/core/Zloader.py,sha256=Etjowu5fZOW7fFykPNOTDhLWjTcdvtPZUy3s6R8ln8M,9598
+cape_parsers/CAPE/core/Zloader.py,sha256=h0G1FaU1z8iKy248yfYsrNxpRaDKde7DGn1k-DvxJKk,13734
 cape_parsers/CAPE/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cape_parsers/CAPE/core/test_cape.py,sha256=CrmghlO43hpnTLv0X8Dw4hTcrVHuJ0X20dPXcFpeWYo,31
 cape_parsers/RATDecoders/README.md,sha256=SHgVQraCdp033IQjM4Cm6t70U4kULn1MfSwTq3rsZv8,22
@@ -112,7 +112,7 @@ cape_parsers/utils/blzpack_lib.so,sha256=5PJtnggw8fV5q4DlhwMJk4ZadvC3fFTsVTNZKvE
 cape_parsers/utils/dotnet_utils.py,sha256=pzQGbCqccz7DRv8T_i1JURlrKDIlDT2axxViiFF9hsU,1672
 cape_parsers/utils/lznt1.py,sha256=X-BmJtP6AwYSl0ORg5dfSt-NIuXbHrtCO5kUaaJI2C8,4066
 cape_parsers/utils/strings.py,sha256=a-nbvP9jYST7b6t_H37Ype-fK2jEmQr-wMF5a4i04e4,3062
-cape_parsers-0.1.58.dist-info/METADATA,sha256=yK13F0B9baYnbtifb3kwzoFCaCcTHct7SbVFHBlixeU,1826
-cape_parsers-0.1.58.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cape_parsers-0.1.58.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
-cape_parsers-0.1.58.dist-info/RECORD,,
+cape_parsers-0.1.60.dist-info/METADATA,sha256=uC0gVg_hKpZuVrHSLzKie3I0QsGgFOahOkC-TOk8BMQ,1826
+cape_parsers-0.1.60.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cape_parsers-0.1.60.dist-info/licenses/LICENSE,sha256=88c01_HLG8WPj7R7aU_b-O-UoF38vrrifvcko4KDxcE,1069
+cape_parsers-0.1.60.dist-info/RECORD,,

{cape_parsers-0.1.58.dist-info → cape_parsers-0.1.60.dist-info}/WHEEL RENAMED Viewed

File without changes

{cape_parsers-0.1.58.dist-info → cape_parsers-0.1.60.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

CAPE-parsers 0.1.58__py3-none-any.whl → 0.1.60__py3-none-any.whl

CAPE-parsers 0.1.58py3-none-any.whl → 0.1.60py3-none-any.whl