From a6c6b26b698decb810665f9a37783e1a1ee4fcc0 Mon Sep 17 00:00:00 2001 
From: GitHub Actions
Date: Tue, 5 Nov 2024 13:05:26 +0000
Subject: [PATCH] style: Automatic code formatting
---
 modules/parsers/MACO/AgentTesla.py | 13 ++++-------
 modules/parsers/MACO/AsyncRAT.py | 7 +++---
 modules/parsers/MACO/AuroraStealer.py | 3 ++-
 modules/parsers/MACO/Azorult.py | 3 ++-
 modules/parsers/MACO/BackOffLoader.py | 7 +++---
 modules/parsers/MACO/BackOffPOS.py | 7 +++---
 modules/parsers/MACO/BitPaymer.py | 7 +++---
 modules/parsers/MACO/BlackDropper.py | 7 +++---
 modules/parsers/MACO/BlackNix.py | 3 ++-
 modules/parsers/MACO/Blister.py | 8 +++---
 modules/parsers/MACO/BruteRatel.py | 4 ++--
 modules/parsers/MACO/BuerLoader.py | 4 ++--
 modules/parsers/MACO/BumbleBee.py | 8 +++---
 modules/parsers/MACO/Carbanak.py | 7 +++---
 modules/parsers/MACO/ChChes.py | 3 ++-
 modules/parsers/MACO/CobaltStrikeBeacon.py | 16 ++++----------
 modules/parsers/MACO/CobaltStrikeStager.py | 4 ++--
 modules/parsers/MACO/DCRat.py | 4 ++--
 modules/parsers/MACO/DarkGate.py | 3 ++-
 modules/parsers/MACO/DoppelPaymer.py | 9 +++-----
 modules/parsers/MACO/DridexLoader.py | 7 +++---
 modules/parsers/MACO/Emotet.py | 17 +++++---------
 modules/parsers/MACO/Enfal.py | 3 ++-
 modules/parsers/MACO/EvilGrab.py | 3 ++-
 modules/parsers/MACO/Fareit.py | 4 ++--
 modules/parsers/MACO/Formbook.py | 4 ++--
 modules/parsers/MACO/Greame.py | 3 ++-
 modules/parsers/MACO/GuLoader.py | 3 ++-
 .../parsers/MACO/Hancitor.py_deprecated.py | 4 ++--
 modules/parsers/MACO/HttpBrowser.py | 7 +++---
 modules/parsers/MACO/IcedID.py | 4 ++--
 modules/parsers/MACO/IcedIDLoader.py | 4 ++--
 modules/parsers/MACO/KoiLoader.py | 3 ++-
 modules/parsers/MACO/Latrodectus.py | 8 +++---
 modules/parsers/MACO/LokiBot.py | 4 ++--
 modules/parsers/MACO/Lumma.py | 4 ++--
 modules/parsers/MACO/NanoCore.py | 9 +++-----
 modules/parsers/MACO/Nighthawk.py | 4 ++--
 modules/parsers/MACO/Njrat.py | 3 ++-
 modules/parsers/MACO/Oyster.py | 4 ++--
 modules/parsers/MACO/Pandora.py | 11 ++++------
 modules/parsers/MACO/PhemedroneStealer.py | 3 ++-
 modules/parsers/MACO/PikaBot.py | 22 +++++--------------
 modules/parsers/MACO/PlugX.py | 3 ++-
 modules/parsers/MACO/PoisonIvy.py | 3 ++-
 modules/parsers/MACO/Punisher.py | 11 +++-------
 modules/parsers/MACO/QakBot.py | 3 ++-
 modules/parsers/MACO/QuasarRAT.py | 4 ++--
 modules/parsers/MACO/Quickbind.py | 8 +++---
 modules/parsers/MACO/RCSession.py | 7 +++---
 modules/parsers/MACO/REvil.py | 3 ++-
 modules/parsers/MACO/RedLeaf.py | 3 ++-
 modules/parsers/MACO/RedLine.py | 3 ++-
 modules/parsers/MACO/Remcos.py | 4 ++--
 modules/parsers/MACO/Retefe.py | 3 ++-
 modules/parsers/MACO/Rhadamanthys.py | 4 ++--
 modules/parsers/MACO/Rozena.py | 8 +++---
 modules/parsers/MACO/SmallNet.py | 3 ++-
 modules/parsers/MACO/SmokeLoader.py | 3 ++-
 modules/parsers/MACO/Socks5Systemz.py | 13 ++++-------
 modules/parsers/MACO/SparkRAT.py | 4 ++--
 modules/parsers/MACO/SquirrelWaffle.py | 3 ++-
 modules/parsers/MACO/Stealc.py | 3 ++-
 modules/parsers/MACO/Strrat.py | 3 ++-
 modules/parsers/MACO/TSCookie.py | 4 ++--
 modules/parsers/MACO/TrickBot.py | 3 ++-
 modules/parsers/MACO/UrsnifV3.py | 4 ++--
 modules/parsers/MACO/VenomRat.py | 3 ++-
 modules/parsers/MACO/WarzoneRAT.py | 3 ++-
 modules/parsers/MACO/XWorm.py | 4 ++--
 modules/parsers/MACO/XenoRAT.py | 4 ++--
 modules/parsers/MACO/Zloader.py | 7 +++---
 modules/parsers/utils.py | 10 ++++++---
 73 files changed, 184 insertions(+), 222 deletions(-)
diff --git a/modules/parsers/MACO/AgentTesla.py b/modules/parsers/MACO/AgentTesla.py
index f77d5b2d..72de7988 100644
--- a/modules/parsers/MACO/AgentTesla.py
+++ b/modules/parsers/MACO/AgentTesla.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.AgentTesla import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.AgentTesla import extract_config
+
 from modules.parsers.utils import get_YARA_rule
@@ -14,11 +15,7 @@ def convert_to_MACO(raw_config: dict) -> MACOModel: parsed_result = MACOModel(family="AgentTesla", other=raw_config) if protocol == "Telegram": - parsed_result.http.append( - MACOModel.Http( - uri=raw_config["C2"], password=raw_config["Password"], usage="c2" - ) - ) + parsed_result.http.append(MACOModel.Http(uri=raw_config["C2"], password=raw_config["Password"], usage="c2")) elif protocol in ["HTTP(S)", "Discord"]: parsed_result.http.append(MACOModel.Http(uri=raw_config["C2"], usage="c2")) @@ -46,9 +43,7 @@ def convert_to_MACO(raw_config: dict) -> MACOModel: parsed_result.smtp.append(MACOModel.SMTP(**smtp)) if "Persistence_Filename" in raw_config: - parsed_result.paths.append( - MACOModel.Path(path=raw_config["Persistence_Filename"], usage="storage") - ) + parsed_result.paths.append(MACOModel.Path(path=raw_config["Persistence_Filename"], usage="storage")) if "ExternalIPCheckServices" in raw_config: for service in raw_config["ExternalIPCheckServices"]: diff --git a/modules/parsers/MACO/AsyncRAT.py b/modules/parsers/MACO/AsyncRAT.py index 6459c8e2..afc2ee7b 100644 --- a/modules/parsers/MACO/AsyncRAT.py +++ b/modules/parsers/MACO/AsyncRAT.py @@ -1,8 +1,9 @@ import os +from cape_parsers.CAPE.community.AsyncRAT import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.AsyncRAT import extract_config + from modules.parsers.utils import get_YARA_rule @@ -46,9 +47,7 @@ def convert_to_MACO(raw_config: dict) -> MACOModel: if raw_config.get("Pastebin") not in ["null", None]: # TODO: Is it used to download the C2 information if not embedded? # Ref: https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader - parsed_result.http.append( - MACOModel.Http(uri=raw_config["Pastebin"], usage="download") - ) + parsed_result.http.append(MACOModel.Http(uri=raw_config["Pastebin"], usage="download")) return parsed_result 
diff --git a/modules/parsers/MACO/AuroraStealer.py b/modules/parsers/MACO/AuroraStealer.py index 06677c0b..e6c51226 100644 --- a/modules/parsers/MACO/AuroraStealer.py +++ b/modules/parsers/MACO/AuroraStealer.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.community.AuroraStealer import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.AuroraStealer import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/Azorult.py b/modules/parsers/MACO/Azorult.py index 62868d9c..21e5ad7e 100644 --- a/modules/parsers/MACO/Azorult.py +++ b/modules/parsers/MACO/Azorult.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.Azorult import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.Azorult import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/BackOffLoader.py b/modules/parsers/MACO/BackOffLoader.py index cdc3954a..f3cf38ce 100644 --- a/modules/parsers/MACO/BackOffLoader.py +++ b/modules/parsers/MACO/BackOffLoader.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.community.BackOffLoader import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.BackOffLoader import extract_config + from modules.parsers.utils import get_YARA_rule @@ -15,9 +16,7 @@ def convert_to_MACO(raw_config: dict): # Encryption details parsed_result.encryption.append( - MACOModel.Encryption( - algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"] - ) + MACOModel.Encryption(algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"]) ) for url in raw_config["URLs"]: parsed_result.http.append(MACOModel.Http(url=url)) 
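Review bot: `parsed_result.http.append(MACOModel.Http(url=url))` at the end of the BackOffLoader hunk passes a `url=` keyword, while every other parser touched by this commit constructs `MACOModel.Http` with `uri=`; if `Http` has no `url` field this either raises a validation error or silently drops the C2 address, so it should presumably read `MACOModel.Http(uri=url, usage="c2")` unless the model really accepts both — worth confirming against maco.model. The identical line appears in the BackOffPOS hunk that follows, so the same fix applies there. The Encryption record above it and the `raw_config["URLs"]` loop index the config unguarded, unlike the `.get()`/`in` checks the sibling parsers use, so a config missing any of `EncryptionKey`, `RC4Seed` or `URLs` raises KeyError instead of yielding a partial result. convert_to_MACO starts outside this hunk.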
diff --git a/modules/parsers/MACO/BackOffPOS.py b/modules/parsers/MACO/BackOffPOS.py index 620985ff..c82efd65 100644 --- a/modules/parsers/MACO/BackOffPOS.py +++ b/modules/parsers/MACO/BackOffPOS.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.community.BackOffPOS import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.BackOffPOS import extract_config + from modules.parsers.utils import get_YARA_rule @@ -15,9 +16,7 @@ def convert_to_MACO(raw_config: dict): # Encryption details parsed_result.encryption.append( - MACOModel.Encryption( - algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"] - ) + MACOModel.Encryption(algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"]) ) for url in raw_config["URLs"]: parsed_result.http.append(MACOModel.Http(url=url)) diff --git a/modules/parsers/MACO/BitPaymer.py b/modules/parsers/MACO/BitPaymer.py index 4849612c..6fb53326 100644 --- a/modules/parsers/MACO/BitPaymer.py +++ b/modules/parsers/MACO/BitPaymer.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.BitPaymer import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.BitPaymer import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule @@ -14,9 +15,7 @@ def convert_to_MACO(raw_config: dict): parsed_result.decoded_strings = raw_config["strings"] # Encryption details - parsed_result.encryption.append( - MACOModel.Encryption(algorithm="rsa", public_key=raw_config["RSA public key"]) - ) + parsed_result.encryption.append(MACOModel.Encryption(algorithm="rsa", public_key=raw_config["RSA public key"])) return parsed_result diff --git a/modules/parsers/MACO/BlackDropper.py b/modules/parsers/MACO/BlackDropper.py index f0e8a7bd..888f03d4 100644 --- a/modules/parsers/MACO/BlackDropper.py +++ b/modules/parsers/MACO/BlackDropper.py 
@@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.BlackDropper import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.BlackDropper import extract_config + from modules.parsers.utils import get_YARA_rule @@ -8,9 +9,7 @@ def convert_to_MACO(raw_config: dict): if not raw_config: return None - parsed_result = MACOModel( - family="BlackDropper", campaign_id=[raw_config["campaign"]], other=raw_config - ) + parsed_result = MACOModel(family="BlackDropper", campaign_id=[raw_config["campaign"]], other=raw_config) for dir in raw_config.get("directories", []): parsed_result.paths.append(MACOModel.Path(path=dir)) diff --git a/modules/parsers/MACO/BlackNix.py b/modules/parsers/MACO/BlackNix.py index f3fd6332..d8ed7041 100644 --- a/modules/parsers/MACO/BlackNix.py +++ b/modules/parsers/MACO/BlackNix.py @@ -1,8 +1,9 @@ import os +from cape_parsers.CAPE.community.BlackNix import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.BlackNix import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/Blister.py b/modules/parsers/MACO/Blister.py index 0aea544a..a9f20d0f 100644 --- a/modules/parsers/MACO/Blister.py +++ b/modules/parsers/MACO/Blister.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.Blister import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.Blister import extract_config + from modules.parsers.utils import get_YARA_rule @@ -19,9 +19,7 @@ def convert_to_MACO(raw_config: dict): # Rabbit encryption parsed_result.encryption.append( - MACOModel.Encryption( - algorithm="rabbit", key=raw_config["Rabbit key"], iv=raw_config["Rabbit IV"] - ) + MACOModel.Encryption(algorithm="rabbit", key=raw_config["Rabbit key"], iv=raw_config["Rabbit IV"]) ) return parsed_result 
diff --git a/modules/parsers/MACO/BruteRatel.py b/modules/parsers/MACO/BruteRatel.py index 617dd8d8..a07326d5 100644 --- a/modules/parsers/MACO/BruteRatel.py +++ b/modules/parsers/MACO/BruteRatel.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.BruteRatel import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.BruteRatel import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/BuerLoader.py b/modules/parsers/MACO/BuerLoader.py index 2dc5925a..b033bf04 100644 --- a/modules/parsers/MACO/BuerLoader.py +++ b/modules/parsers/MACO/BuerLoader.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.BuerLoader import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.BuerLoader import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/BumbleBee.py b/modules/parsers/MACO/BumbleBee.py index 187ede14..9e1a1608 100644 --- a/modules/parsers/MACO/BumbleBee.py +++ b/modules/parsers/MACO/BumbleBee.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.BumbleBee import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.BumbleBee import extract_config + from modules.parsers.utils import get_YARA_rule @@ -29,9 +29,7 @@ def convert_to_MACO(raw_config: dict): # RC4 Key if raw_config.get("RC4 Key"): - parsed_result.encryption.append( - MACOModel.Encryption(algorithm="rc4", key=raw_config["RC4 Key"]) - ) + parsed_result.encryption.append(MACOModel.Encryption(algorithm="rc4", key=raw_config["RC4 Key"])) return parsed_result diff --git a/modules/parsers/MACO/Carbanak.py b/modules/parsers/MACO/Carbanak.py index 34ac9705..a805e196 100644 --- a/modules/parsers/MACO/Carbanak.py +++ b/modules/parsers/MACO/Carbanak.py 
@@ -1,6 +1,7 @@ +from cape_parsers.CAPE.community.Carbanak import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.Carbanak import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule @@ -22,9 +23,7 @@ def convert_to_MACO(raw_config: dict): # C2 if raw_config.get("C2"): if isinstance(raw_config["C2"], str): - parsed_result.http.append( - MACOModel.Http(hostname=raw_config["C2"], usage="c2") - ) + parsed_result.http.append(MACOModel.Http(hostname=raw_config["C2"], usage="c2")) else: for c2 in raw_config["C2"]: parsed_result.http.append(MACOModel.Http(hostname=c2, usage="c2")) diff --git a/modules/parsers/MACO/ChChes.py b/modules/parsers/MACO/ChChes.py index 987cb964..21291d93 100644 --- a/modules/parsers/MACO/ChChes.py +++ b/modules/parsers/MACO/ChChes.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.ChChes import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.ChChes import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/CobaltStrikeBeacon.py b/modules/parsers/MACO/CobaltStrikeBeacon.py index 35dd02c8..76a56600 100644 --- a/modules/parsers/MACO/CobaltStrikeBeacon.py +++ b/modules/parsers/MACO/CobaltStrikeBeacon.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.community.CobaltStrikeBeacon import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.CobaltStrikeBeacon import extract_config + from modules.parsers.utils import get_YARA_rule 
@@ -12,11 +12,7 @@ def convert_to_MACO(raw_config: dict): parsed_result = MACOModel(family="CobaltStrikeBeacon", other=raw_config) clean_config = {k: v for k, v in raw_config.items() if v != "Not Found"} - capabilities = { - k[1:]: clean_config.pop(k) - for k in list(clean_config.keys()) - if clean_config[k] in ["True", "False"] - } + capabilities = {k[1:]: clean_config.pop(k) for k in list(clean_config.keys()) if clean_config[k] in ["True", "False"]} for capability, enabled in capabilities.items(): if enabled.lower() == "true": @@ -27,11 +23,7 @@ def convert_to_MACO(raw_config: dict): if "C2Server" in clean_config: host, get_path = clean_config.pop("C2Server").split(",") port = clean_config.pop("Port") - parsed_result.http.append( - MACOModel.Http( - hostname=host, port=port, method="GET", path=get_path, usage="c2" - ) - ) + parsed_result.http.append(MACOModel.Http(hostname=host, port=port, method="GET", path=get_path, usage="c2")) parsed_result.http.append( MACOModel.Http( hostname=host, diff --git a/modules/parsers/MACO/CobaltStrikeStager.py b/modules/parsers/MACO/CobaltStrikeStager.py index 51eeb432..37cbfd18 100644 --- a/modules/parsers/MACO/CobaltStrikeStager.py +++ b/modules/parsers/MACO/CobaltStrikeStager.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.community.CobaltStrikeStager import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.CobaltStrikeStager import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/DCRat.py b/modules/parsers/MACO/DCRat.py index f9f3f165..44a71818 100644 --- a/modules/parsers/MACO/DCRat.py +++ b/modules/parsers/MACO/DCRat.py 
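Review bot: `host, get_path = clean_config.pop("C2Server").split(",")` in the second CobaltStrikeBeacon hunk unpacks an unbounded split, so a C2Server value whose path contains a comma raises ValueError and the whole configuration is lost; `clean_config.pop("C2Server").split(",", 1)` bounds it to two parts. The branch guards only on `"C2Server" in clean_config`, while `clean_config.pop("Port")` on the next line is unguarded, so a config without Port raises KeyError rather than producing a host-only entry — presumably the extractor always emits both, but `clean_config.pop("Port", None)` would make that assumption explicit if `Http` accepts a missing port. The second hunk ends mid-call and convert_to_MACO starts outside the first hunk.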
@@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.community.DCRat import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.DCRat import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/DarkGate.py b/modules/parsers/MACO/DarkGate.py index b4e7efb7..8e75b231 100644 --- a/modules/parsers/MACO/DarkGate.py +++ b/modules/parsers/MACO/DarkGate.py @@ -1,8 +1,9 @@ from copy import deepcopy +from cape_parsers.CAPE.core.DarkGate import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.DarkGate import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/DoppelPaymer.py b/modules/parsers/MACO/DoppelPaymer.py index d3350b34..19adace7 100644 --- a/modules/parsers/MACO/DoppelPaymer.py +++ b/modules/parsers/MACO/DoppelPaymer.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.DoppelPaymer import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.DoppelPaymer import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule @@ -14,11 +15,7 @@ def convert_to_MACO(raw_config: dict): parsed_result.decoded_strings = raw_config["strings"] if "RSA public key" in raw_config: - parsed_result.encryption.append( - MACOModel.Encryption( - algorithm="RSA", public_key=raw_config["RSA public key"] - ) - ) + parsed_result.encryption.append(MACOModel.Encryption(algorithm="RSA", public_key=raw_config["RSA public key"])) return parsed_result diff --git a/modules/parsers/MACO/DridexLoader.py b/modules/parsers/MACO/DridexLoader.py index 6c436c60..dc193b9a 100644 --- a/modules/parsers/MACO/DridexLoader.py +++ b/modules/parsers/MACO/DridexLoader.py 
@@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.DridexLoader import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.DridexLoader import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule @@ -14,9 +15,7 @@ def convert_to_MACO(raw_config: dict): parsed_result.http.append(MACOModel.Http(uri=c2_address, usage="c2")) if "RC4 key" in raw_config: - parsed_result.encryption.append( - MACOModel.Encryption(algorithm="RC4", key=raw_config["RC4 key"]) - ) + parsed_result.encryption.append(MACOModel.Encryption(algorithm="RC4", key=raw_config["RC4 key"])) if "Botnet ID" in raw_config: parsed_result.identifier.append(raw_config["Botnet ID"]) diff --git a/modules/parsers/MACO/Emotet.py b/modules/parsers/MACO/Emotet.py index 0b96f889..04ac53fe 100644 --- a/modules/parsers/MACO/Emotet.py +++ b/modules/parsers/MACO/Emotet.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.core.Emotet import extract_config, rule_source from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.Emotet import extract_config, rule_source + from modules.parsers.utils import get_YARA_rule @@ -14,17 +15,9 @@ def convert_to_MACO(raw_config: dict): parsed_result.http.append(MACOModel.Http(uri=c2_address, usage="c2")) if "RC4 public key" in raw_config: - parsed_result.encryption.append( - MACOModel.Encryption( - algorithm="RC4", public_key=raw_config["RSA public key"] - ) - ) - - parsed_result.other = { - k: raw_config[k] - for k in raw_config.keys() - if k not in ["address", "RSA public key"] - } + parsed_result.encryption.append(MACOModel.Encryption(algorithm="RC4", public_key=raw_config["RSA public key"])) + + parsed_result.other = {k: raw_config[k] for k in raw_config.keys() if k not in ["address", "RSA public key"]} return parsed_result 
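Review bot: The guard and the lookup in the Emotet encryption branch disagree: the new line tests `if "RC4 public key" in raw_config:` but reads `raw_config["RSA public key"]`, and the `other` comprehension two lines lower also filters on `"RSA public key"`, so whichever key the upstream extractor actually emits, the branch is either dead or raises KeyError. The record is also labelled `algorithm="RC4"` while carrying a `public_key`, which is inconsistent with the BitPaymer and DoppelPaymer hunks in this same commit that record the same field as RSA. Suggested lines: `if "RSA public key" in raw_config:` and `MACOModel.Encryption(algorithm="RSA", public_key=raw_config["RSA public key"])`, assuming the extractor's key name is "RSA public key" as the filter implies — worth confirming against cape_parsers.CAPE.core.Emotet. convert_to_MACO starts outside this hunk.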
diff --git a/modules/parsers/MACO/Enfal.py b/modules/parsers/MACO/Enfal.py
index 3b3a3656..72c343be 100644
--- a/modules/parsers/MACO/Enfal.py
+++ b/modules/parsers/MACO/Enfal.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.Enfal import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Enfal import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/EvilGrab.py b/modules/parsers/MACO/EvilGrab.py
index 3d5e047d..75a61ef4 100644
--- a/modules/parsers/MACO/EvilGrab.py
+++ b/modules/parsers/MACO/EvilGrab.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.EvilGrab import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.EvilGrab import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Fareit.py b/modules/parsers/MACO/Fareit.py
index 3715d76b..ffb0a89f 100644
--- a/modules/parsers/MACO/Fareit.py
+++ b/modules/parsers/MACO/Fareit.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.Fareit import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Fareit import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Formbook.py b/modules/parsers/MACO/Formbook.py
index e1b2de86..db596562 100644
--- a/modules/parsers/MACO/Formbook.py
+++ b/modules/parsers/MACO/Formbook.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.Formbook import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Formbook import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Greame.py b/modules/parsers/MACO/Greame.py
index b4e8a350..3c2a3467 100644
--- a/modules/parsers/MACO/Greame.py
+++ b/modules/parsers/MACO/Greame.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.Greame import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Greame import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/GuLoader.py b/modules/parsers/MACO/GuLoader.py
index 061ec7ca..31c08cf4 100644
--- a/modules/parsers/MACO/GuLoader.py
+++ b/modules/parsers/MACO/GuLoader.py
@@ -1,8 +1,9 @@
 import os
+from cape_parsers.CAPE.core.GuLoader import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.GuLoader import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Hancitor.py_deprecated.py b/modules/parsers/MACO/Hancitor.py_deprecated.py
index 83323526..f82287fa 100644
--- a/modules/parsers/MACO/Hancitor.py_deprecated.py
+++ b/modules/parsers/MACO/Hancitor.py_deprecated.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.Hancitor import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.Hancitor import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/HttpBrowser.py b/modules/parsers/MACO/HttpBrowser.py
index a9e08f04..4372f1c9 100644
--- a/modules/parsers/MACO/HttpBrowser.py
+++ b/modules/parsers/MACO/HttpBrowser.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.HttpBrowser import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.HttpBrowser import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
@@ -13,9 +14,7 @@ def convert_to_MACO(raw_config: dict): port = raw_config["port"][0] if "port" in raw_config else None if "c2_address" in raw_config: - parsed_result.http.append( - MACOModel.Http(uri=raw_config["c2_address"], port=port, usage="c2") - ) + parsed_result.http.append(MACOModel.Http(uri=raw_config["c2_address"], port=port, usage="c2")) if "filepath" in raw_config: parsed_result.paths.append(MACOModel.Path(path=raw_config["filepath"])) diff --git a/modules/parsers/MACO/IcedID.py b/modules/parsers/MACO/IcedID.py index 40a85937..60d6edbf 100644 --- a/modules/parsers/MACO/IcedID.py +++ b/modules/parsers/MACO/IcedID.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.IcedID import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.IcedID import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/IcedIDLoader.py b/modules/parsers/MACO/IcedIDLoader.py index 496225d5..cc9f1e5c 100644 --- a/modules/parsers/MACO/IcedIDLoader.py +++ b/modules/parsers/MACO/IcedIDLoader.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.IcedIDLoader import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.IcedIDLoader import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/KoiLoader.py b/modules/parsers/MACO/KoiLoader.py index 9e8df88d..e989fd3b 100644 --- a/modules/parsers/MACO/KoiLoader.py +++ b/modules/parsers/MACO/KoiLoader.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.community.KoiLoader import RULE_SOURCE, extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.KoiLoader import RULE_SOURCE, extract_config + from modules.parsers.utils import get_YARA_rule 
diff --git a/modules/parsers/MACO/Latrodectus.py b/modules/parsers/MACO/Latrodectus.py index a338d2af..d3762ec3 100644 --- a/modules/parsers/MACO/Latrodectus.py +++ b/modules/parsers/MACO/Latrodectus.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.core.Latrodectus import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.core.Latrodectus import extract_config + from modules.parsers.utils import get_YARA_rule @@ -24,9 +24,7 @@ def convert_to_MACO(raw_config: dict): parsed_result.version = raw_config["Version"] if "RC4 key" in raw_config: - parsed_result.encryption.append( - MACOModel.Encryption(algorithm="RC4", key=raw_config["RC4 key"]) - ) + parsed_result.encryption.append(MACOModel.Encryption(algorithm="RC4", key=raw_config["RC4 key"])) if "Strings" in raw_config: parsed_result.decoded_strings = raw_config["Strings"] diff --git a/modules/parsers/MACO/LokiBot.py b/modules/parsers/MACO/LokiBot.py index 4c0c94b7..1a3d8880 100644 --- a/modules/parsers/MACO/LokiBot.py +++ b/modules/parsers/MACO/LokiBot.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.community.LokiBot import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.LokiBot import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/Lumma.py b/modules/parsers/MACO/Lumma.py index 152035a9..ee232faa 100644 --- a/modules/parsers/MACO/Lumma.py +++ b/modules/parsers/MACO/Lumma.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.community.Lumma import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.Lumma import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/NanoCore.py b/modules/parsers/MACO/NanoCore.py index d5b24e65..fb2761c6 100644 --- a/modules/parsers/MACO/NanoCore.py 
+++ b/modules/parsers/MACO/NanoCore.py @@ -1,8 +1,9 @@ from copy import deepcopy +from cape_parsers.CAPE.community.NanoCore import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.NanoCore import extract_config + from modules.parsers.utils import get_YARA_rule @@ -13,11 +14,7 @@ def convert_to_MACO(raw_config: dict): parsed_result = MACOModel(family="NanoCore", other=raw_config) config_copy = deepcopy(raw_config) - capabilities = { - k: config_copy.pop(k) - for k in list(config_copy.keys()) - if config_copy[k] in ["True", "False"] - } + capabilities = {k: config_copy.pop(k) for k in list(config_copy.keys()) if config_copy[k] in ["True", "False"]} if "Version" in config_copy: parsed_result.version = config_copy.pop("Version") diff --git a/modules/parsers/MACO/Nighthawk.py b/modules/parsers/MACO/Nighthawk.py index 616aa6fd..b7dce90a 100644 --- a/modules/parsers/MACO/Nighthawk.py +++ b/modules/parsers/MACO/Nighthawk.py @@ -1,7 +1,7 @@ - +from cape_parsers.CAPE.community.Nighthawk import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.Nighthawk import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/Njrat.py b/modules/parsers/MACO/Njrat.py index 4a8ab60d..93012657 100644 --- a/modules/parsers/MACO/Njrat.py +++ b/modules/parsers/MACO/Njrat.py @@ -1,6 +1,7 @@ +from cape_parsers.CAPE.community.Njrat import extract_config from maco.extractor import Extractor from maco.model import ExtractorModel as MACOModel -from cape_parsers.CAPE.community.Njrat import extract_config + from modules.parsers.utils import get_YARA_rule diff --git a/modules/parsers/MACO/Oyster.py b/modules/parsers/MACO/Oyster.py index 8c012da9..4ad8e108 100644 --- a/modules/parsers/MACO/Oyster.py +++ b/modules/parsers/MACO/Oyster.py 
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.Oyster import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Oyster import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Pandora.py b/modules/parsers/MACO/Pandora.py
index 84c815f3..5a831637 100644
--- a/modules/parsers/MACO/Pandora.py
+++ b/modules/parsers/MACO/Pandora.py
@@ -1,9 +1,10 @@
 import os
 from copy import deepcopy
+from cape_parsers.CAPE.community.Pandora import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Pandora import extract_config
+
 from modules.parsers.utils import get_YARA_rule
@@ -29,17 +30,13 @@ def convert_to_MACO(raw_config: dict):
 parsed_result.paths.append(
 MACOModel.Path(
- path=os.path.join(
- config_copy.pop("Install Path"), config_copy.pop("Install Name")
- ),
+ path=os.path.join(config_copy.pop("Install Path"), config_copy.pop("Install Name")),
 usage="install",
 )
 )
 parsed_result.registry.append(MACOModel.Registry(key=config_copy.pop("HKCU Key")))
- parsed_result.registry.append(
- MACOModel.Registry(key=config_copy.pop("ActiveX Key"))
- )
+ parsed_result.registry.append(MACOModel.Registry(key=config_copy.pop("ActiveX Key")))
 for field in list(config_copy.keys()):
 # TODO: Unsure what's the value of the remaining fields
diff --git a/modules/parsers/MACO/PhemedroneStealer.py b/modules/parsers/MACO/PhemedroneStealer.py
index f865b0f9..31fa662b 100644
--- a/modules/parsers/MACO/PhemedroneStealer.py
+++ b/modules/parsers/MACO/PhemedroneStealer.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.PhemedroneStealer import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.PhemedroneStealer import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/PikaBot.py b/modules/parsers/MACO/PikaBot.py
index 4b54c0fe..1c8855a7 100644
--- a/modules/parsers/MACO/PikaBot.py
+++ b/modules/parsers/MACO/PikaBot.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.PikaBot import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.PikaBot import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
@@ -11,26 +12,15 @@ def convert_to_MACO(raw_config: dict):
 parsed_result = MACOModel(family="PikaBot", other=raw_config)
 if "C2" in raw_config:
- [
- parsed_result.http.append(MACOModel.Http(uri=c2, usage="c2"))
- for c2 in raw_config["C2"]
- ]
- parsed_result.binaries.append(
- MACOModel.Binary(datatype="payload", data=raw_config["Powershell"])
- )
+ [parsed_result.http.append(MACOModel.Http(uri=c2, usage="c2")) for c2 in raw_config["C2"]]
+ parsed_result.binaries.append(MACOModel.Binary(datatype="payload", data=raw_config["Powershell"]))
 elif "C2s" in raw_config:
 parsed_result.version = raw_config["Version"]
 parsed_result.campaign_id.append(raw_config["Campaign Name"])
- parsed_result.registry.append(
- MACOModel.Registry(key=raw_config["Registry Key"])
- )
+ parsed_result.registry.append(MACOModel.Registry(key=raw_config["Registry Key"]))
 for c2 in raw_config["C2s"]:
 host, port = c2.split(":")
- parsed_result.http.append(
- MACOModel.Http(
- hostname=host, port=port, user_agent=raw_config["User Agent"]
- )
- )
+ parsed_result.http.append(MACOModel.Http(hostname=host, port=port, user_agent=raw_config["User Agent"]))
 return parsed_result
diff --git a/modules/parsers/MACO/PlugX.py b/modules/parsers/MACO/PlugX.py
index f6ba61d4..00da9e8a 100644
--- a/modules/parsers/MACO/PlugX.py
+++ b/modules/parsers/MACO/PlugX.py
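Review bot: `host, port = c2.split(":")` in the `C2s` branch raises ValueError for any entry that is not exactly `host:port` (no colon, or an IPv6 literal carrying several), and that one malformed value aborts the whole conversion rather than skipping the entry; `host, sep, port = c2.rpartition(":")` followed by `if not sep: continue` keeps the remaining C2s. The `[parsed_result.http.append(MACOModel.Http(uri=c2, usage="c2")) for c2 in raw_config["C2"]]` line builds a throwaway list of `None` purely for its side effect — a plain `for` loop says what is meant. `raw_config["Powershell"]` is read under the `"C2"` guard only, so if a config can carry `C2` without `Powershell` (not visible here) this raises KeyError; `raw_config.get("Powershell")` would be the tolerant form. convert_to_MACO starts above the hunk.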
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.PlugX import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.PlugX import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/PoisonIvy.py b/modules/parsers/MACO/PoisonIvy.py
index 602e5d64..ff352651 100644
--- a/modules/parsers/MACO/PoisonIvy.py
+++ b/modules/parsers/MACO/PoisonIvy.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.PoisonIvy import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.PoisonIvy import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Punisher.py b/modules/parsers/MACO/Punisher.py
index d6f11c21..4ec01601 100644
--- a/modules/parsers/MACO/Punisher.py
+++ b/modules/parsers/MACO/Punisher.py
@@ -1,9 +1,10 @@
 import os
 from copy import deepcopy
+from cape_parsers.CAPE.community.Punisher import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Punisher import extract_config
+
 from modules.parsers.utils import get_YARA_rule
@@ -17,13 +18,7 @@ def convert_to_MACO(raw_config: dict):
 campaign_id=config_copy["Campaign Name"],
 password=[config_copy["Password"]],
 registry=[MACOModel.Registry(key=config_copy["Registry Key"])],
- paths=[
- MACOModel.Path(
- path=os.path.join(
- config_copy["Install Path"], config_copy["Install Name"]
- )
- )
- ],
+ paths=[MACOModel.Path(path=os.path.join(config_copy["Install Path"], config_copy["Install Name"]))],
 http=[MACOModel.Http(hostname=config_copy["Domain"], port=config_copy["Port"])],
 other=raw_config,
 )
diff --git a/modules/parsers/MACO/QakBot.py b/modules/parsers/MACO/QakBot.py
index 02fe6af4..4ab876f6 100644
--- a/modules/parsers/MACO/QakBot.py
+++ b/modules/parsers/MACO/QakBot.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.QakBot import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.QakBot import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/QuasarRAT.py b/modules/parsers/MACO/QuasarRAT.py
index 628d8a9d..3097a83b 100644
--- a/modules/parsers/MACO/QuasarRAT.py
+++ b/modules/parsers/MACO/QuasarRAT.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.QuasarRAT import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.QuasarRAT import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Quickbind.py b/modules/parsers/MACO/Quickbind.py
index 4ada459c..d4366957 100644
--- a/modules/parsers/MACO/Quickbind.py
+++ b/modules/parsers/MACO/Quickbind.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.Quickbind import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Quickbind import extract_config
+
 from modules.parsers.utils import get_YARA_rule
@@ -18,9 +18,7 @@ def convert_to_MACO(raw_config: dict):
 parsed_result.http.append(MACOModel.Http(hostname=c2, usage="c2"))
 if "Encryption Key" in raw_config:
- parsed_result.encryption.append(
- MACOModel.Encryption(key=raw_config["Encryption Key"])
- )
+ parsed_result.encryption.append(MACOModel.Encryption(key=raw_config["Encryption Key"]))
 return parsed_result
diff --git a/modules/parsers/MACO/RCSession.py b/modules/parsers/MACO/RCSession.py
index 657abd2e..25aae160 100644
--- a/modules/parsers/MACO/RCSession.py
+++ b/modules/parsers/MACO/RCSession.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.RCSession import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.RCSession import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
@@ -14,9 +15,7 @@ def convert_to_MACO(raw_config: dict):
 parsed_result.http.append(MACOModel.Http(hostname=address, usage="c2"))
 if "directory" in raw_config:
- parsed_result.paths.append(
- MACOModel.Path(path=raw_config["directory"], usage="install")
- )
+ parsed_result.paths.append(MACOModel.Path(path=raw_config["directory"], usage="install"))
 service = {}
diff --git a/modules/parsers/MACO/REvil.py b/modules/parsers/MACO/REvil.py
index a2527f39..b0db3948 100644
--- a/modules/parsers/MACO/REvil.py
+++ b/modules/parsers/MACO/REvil.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.REvil import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.REvil import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/RedLeaf.py b/modules/parsers/MACO/RedLeaf.py
index c356f20c..3a8f65ea 100644
--- a/modules/parsers/MACO/RedLeaf.py
+++ b/modules/parsers/MACO/RedLeaf.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.RedLeaf import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.RedLeaf import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/RedLine.py b/modules/parsers/MACO/RedLine.py
index ef48073b..b7edb4ab 100644
--- a/modules/parsers/MACO/RedLine.py
+++ b/modules/parsers/MACO/RedLine.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.RedLine import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.RedLine import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Remcos.py b/modules/parsers/MACO/Remcos.py
index aa1829e9..a4cd42e0 100644
--- a/modules/parsers/MACO/Remcos.py
+++ b/modules/parsers/MACO/Remcos.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.Remcos import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Remcos import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Retefe.py b/modules/parsers/MACO/Retefe.py
index 76b5abb7..ac2542dd 100644
--- a/modules/parsers/MACO/Retefe.py
+++ b/modules/parsers/MACO/Retefe.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.Retefe import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Retefe import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Rhadamanthys.py b/modules/parsers/MACO/Rhadamanthys.py
index 991da443..0bd98a7a 100644
--- a/modules/parsers/MACO/Rhadamanthys.py
+++ b/modules/parsers/MACO/Rhadamanthys.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.Rhadamanthys import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Rhadamanthys import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Rozena.py b/modules/parsers/MACO/Rozena.py
index 7f41a2c7..79d25d10 100644
--- a/modules/parsers/MACO/Rozena.py
+++ b/modules/parsers/MACO/Rozena.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.Rozena import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Rozena import extract_config
+
 from modules.parsers.utils import get_YARA_rule
@@ -10,9 +10,7 @@ def convert_to_MACO(raw_config: dict):
 return None
 parsed_result = MACOModel(family="Rozena", other=raw_config)
- parsed_result.http = [
- MACOModel.Http(hostname=raw_config["C2"], port=raw_config["Port"], usage="c2")
- ]
+ parsed_result.http = [MACOModel.Http(hostname=raw_config["C2"], port=raw_config["Port"], usage="c2")]
 return parsed_result
diff --git a/modules/parsers/MACO/SmallNet.py b/modules/parsers/MACO/SmallNet.py
index c9e932e5..f0293cea 100644
--- a/modules/parsers/MACO/SmallNet.py
+++ b/modules/parsers/MACO/SmallNet.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.SmallNet import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.SmallNet import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/SmokeLoader.py b/modules/parsers/MACO/SmokeLoader.py
index 8023697c..9025c2a7 100644
--- a/modules/parsers/MACO/SmokeLoader.py
+++ b/modules/parsers/MACO/SmokeLoader.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.SmokeLoader import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.SmokeLoader import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Socks5Systemz.py b/modules/parsers/MACO/Socks5Systemz.py
index e750ac71..6fdb5e4c 100644
--- a/modules/parsers/MACO/Socks5Systemz.py
+++ b/modules/parsers/MACO/Socks5Systemz.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.Socks5Systemz import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Socks5Systemz import extract_config
+
 from modules.parsers.utils import get_YARA_rule
@@ -12,13 +12,8 @@ def convert_to_MACO(raw_config: dict):
 parsed_result = MACOModel(
 family="Socks5Systemz",
 other=raw_config,
- http=[
- MACOModel.Http(hostname=c2, usage="c2") for c2 in raw_config.get("C2s", [])
- ]
- + [
- MACOModel.Http(hostname=decoy, usage="decoy")
- for decoy in raw_config.get("Dummy domain", [])
- ],
+ http=[MACOModel.Http(hostname=c2, usage="c2") for c2 in raw_config.get("C2s", [])]
+ + [MACOModel.Http(hostname=decoy, usage="decoy") for decoy in raw_config.get("Dummy domain", [])],
 )
 return parsed_result
diff --git a/modules/parsers/MACO/SparkRAT.py b/modules/parsers/MACO/SparkRAT.py
index de76cd1d..d8529f8d 100644
--- a/modules/parsers/MACO/SparkRAT.py
+++ b/modules/parsers/MACO/SparkRAT.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.SparkRAT import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.SparkRAT import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/SquirrelWaffle.py b/modules/parsers/MACO/SquirrelWaffle.py
index 2e047349..aee48d28 100644
--- a/modules/parsers/MACO/SquirrelWaffle.py
+++ b/modules/parsers/MACO/SquirrelWaffle.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.SquirrelWaffle import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.SquirrelWaffle import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Stealc.py b/modules/parsers/MACO/Stealc.py
index a31d87d9..bb0e8c0f 100644
--- a/modules/parsers/MACO/Stealc.py
+++ b/modules/parsers/MACO/Stealc.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.Stealc import RULE_SOURCE, extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.Stealc import RULE_SOURCE, extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Strrat.py b/modules/parsers/MACO/Strrat.py
index 9e315c93..712d3b8d 100644
--- a/modules/parsers/MACO/Strrat.py
+++ b/modules/parsers/MACO/Strrat.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.Strrat import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Strrat import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/TSCookie.py b/modules/parsers/MACO/TSCookie.py
index 099e2a50..494bc380 100644
--- a/modules/parsers/MACO/TSCookie.py
+++ b/modules/parsers/MACO/TSCookie.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.TSCookie import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.TSCookie import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/TrickBot.py b/modules/parsers/MACO/TrickBot.py
index 230a6b3a..2d277d2d 100644
--- a/modules/parsers/MACO/TrickBot.py
+++ b/modules/parsers/MACO/TrickBot.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.TrickBot import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.TrickBot import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/UrsnifV3.py b/modules/parsers/MACO/UrsnifV3.py
index e677ed76..b2b9df80 100644
--- a/modules/parsers/MACO/UrsnifV3.py
+++ b/modules/parsers/MACO/UrsnifV3.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.core.UrsnifV3 import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.UrsnifV3 import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/VenomRat.py b/modules/parsers/MACO/VenomRat.py
index ebbc6f01..21dd65f9 100644
--- a/modules/parsers/MACO/VenomRat.py
+++ b/modules/parsers/MACO/VenomRat.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.community.VenomRAT import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.VenomRAT import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/WarzoneRAT.py b/modules/parsers/MACO/WarzoneRAT.py
index fc6b99cb..415bf904 100644
--- a/modules/parsers/MACO/WarzoneRAT.py
+++ b/modules/parsers/MACO/WarzoneRAT.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.WarzoneRAT import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.WarzoneRAT import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/XWorm.py b/modules/parsers/MACO/XWorm.py
index ffd18c2d..b6c83d0c 100644
--- a/modules/parsers/MACO/XWorm.py
+++ b/modules/parsers/MACO/XWorm.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.XWorm import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.XWorm import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/XenoRAT.py b/modules/parsers/MACO/XenoRAT.py
index 48a9f988..edb84481 100644
--- a/modules/parsers/MACO/XenoRAT.py
+++ b/modules/parsers/MACO/XenoRAT.py
@@ -1,7 +1,7 @@
-
+from cape_parsers.CAPE.community.XenoRAT import extract_config
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.community.XenoRAT import extract_config
+
 from modules.parsers.utils import get_YARA_rule
diff --git a/modules/parsers/MACO/Zloader.py b/modules/parsers/MACO/Zloader.py
index a3641c93..0db17d77 100644
--- a/modules/parsers/MACO/Zloader.py
+++ b/modules/parsers/MACO/Zloader.py
@@ -1,6 +1,7 @@
+from cape_parsers.CAPE.core.Zloader import extract_config, rule_source
 from maco.extractor import Extractor
 from maco.model import ExtractorModel as MACOModel
-from cape_parsers.CAPE.core.Zloader import extract_config, rule_source
+
 from modules.parsers.utils import get_YARA_rule
@@ -14,9 +15,7 @@ def convert_to_MACO(raw_config: dict):
 parsed_result.campaign_id = [raw_config["Campaign ID"]]
 if "RC4 key" in raw_config:
- parsed_result.encryption = [
- MACOModel.Encryption(algorithm="RC4", key=raw_config[:"RC4 key"])
- ]
+ parsed_result.encryption = [MACOModel.Encryption(algorithm="RC4", key=raw_config[:"RC4 key"])]
 for address in raw_config.get("address", []):
 parsed_result.http.append(MACOModel.Http(uri=address))
diff --git a/modules/parsers/utils.py b/modules/parsers/utils.py
index 8a330119..b9b6eaa8 100644
--- a/modules/parsers/utils.py
+++ b/modules/parsers/utils.py
@@ -1,9 +1,13 @@
 import os
+
 import requests
 # Raw file download template (default to Github-based raw download URL)
-CAPE_RAW_DOWNLOAD_TEMPLATE=os.environ.get("CAPE_RAW_DOWNLOAD_TEMPLATE",
- "https://raw.githubusercontent.com/kevoreilly/CAPEv2/refs/heads/master/data/yara/CAPE/{family}.yar")
+CAPE_RAW_DOWNLOAD_TEMPLATE = os.environ.get(
+ "CAPE_RAW_DOWNLOAD_TEMPLATE",
+ "https://raw.githubusercontent.com/kevoreilly/CAPEv2/refs/heads/master/data/yara/CAPE/{family}.yar",
+)
+
 def get_YARA_rule(family: str) -> str | None:
 root = os.path.join(os.path.dirname(__file__))
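Review bot: `key=raw_config[:"RC4 key"]` in the reformatted Zloader encryption line is a slice expression applied to a dict, so whenever the `"RC4 key"` guard just above it is true this raises `TypeError: unhashable type: 'slice'` and the whole conversion fails instead of recording the key; the intended line is `parsed_result.encryption = [MACOModel.Encryption(algorithm="RC4", key=raw_config["RC4 key"])]`. The formatter carried the stray colon over unchanged, and the Latrodectus hunk earlier in this patch shows the correct indexing for the same field. convert_to_MACO starts above the hunk.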
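Review bot: The comment above `CAPE_RAW_DOWNLOAD_TEMPLATE` in utils.py should state the trust boundary it creates: whatever URL the environment variable supplies is fetched, cached to disk and returned as a YARA rule by the code in the following hunk, and `{family}` is interpolated into that URL with no validation visible in this patch. Suggested wording: `# Raw file download template (defaults to the upstream CAPEv2 GitHub raw URL). Overridable via CAPE_RAW_DOWNLOAD_TEMPLATE; the fetched text is cached and used as a rule as-is and {family} is inserted unescaped, so only pass known family names.` get_YARA_rule continues below this hunk.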
@@ -32,7 +36,7 @@ def get_YARA_rule(family: str) -> str | None:
 resp = requests.get(CAPE_RAW_DOWNLOAD_TEMPLATE.format(family=family), timeout=10)
 if resp.ok:
 # Cache the rule on disk
- with open(maco_yara_path, 'w') as f:
+ with open(maco_yara_path, "w") as f:
 f.write(resp.text)
 return resp.text
 except Exception as e:
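Review bot: `with open(maco_yara_path, "w") as f:` writes `resp.text` with the platform default encoding, so a rule containing non-ASCII text can raise UnicodeEncodeError on a non-UTF-8 locale or be cached in a different encoding than it is later read with; use `with open(maco_yara_path, "w", encoding="utf-8") as f:`. `resp.ok` only checks the status code, so any 2xx body — including an HTML error or redirect page served for that URL — is cached to disk and returned as if it were a rule; a minimal sanity check on `resp.text` before the write (for example that it contains a `rule ` block) would keep junk out of the on-disk cache. The body of the `except Exception as e:` handler is outside the hunk, so whether failures are logged cannot be seen here.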