Update Oyster yara and parsing (#2149)

* Update Oyster yara and parsing * small fix
kevoreilly · May 30, 2024 · 2b49dcb · 2b49dcb
1 parent 37c7bec
commit 2b49dcb
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/data/yara/CAPE/Oyster.yar b/data/yara/CAPE/Oyster.yar
@@ -6,7 +6,7 @@ rule Oyster
         cape_type = "Oyster Payload"
         hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650"
     strings:
-		$start_exit = {05 00 00 00 2E 96 1E A6}
+		$start_exit = {(05 | 00) 00 00 00 2E 96 1E A6}
 		$content_type = {F6 CE 56 F4 76 F6 96 2E 86 C6 96 36 0E 0E 86 04 5C A6 0E 9E 2A B4 2E 76 A6 2E 76 F6 C2}
         $domain = {44 5C 44 76 96 86 B6 F6 26 44 34 44}
         $id = {44 5C 44 64 96 44 DE}

diff --git a/modules/processing/parsers/CAPE/Oyster.py b/modules/processing/parsers/CAPE/Oyster.py
@@ -88,6 +88,8 @@ def extract_config(filebuf):
                 c2 = []
                 dll_version = ""
 
+                c2_pattern = r"\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*\.(?!txt\b|dll\b|exe\b)[a-zA-Z]{2,}"
+
                 for item in hex_strings:
                     with suppress(Exception):
                         decoded = transform(bytearray(item), bytearray(lookup_table)).decode("utf-8")
@@ -102,6 +104,11 @@ def extract_config(filebuf):
                         dll_version = decoded.split('":"')[-1]
                     elif "api" in decoded or "Content-Type" in decoded:
                         str_vals.append(decoded)
+                    else:
+                        c2_matches = re.findall(c2_pattern, decoded)
+                        if c2_matches:
+                            c2.extend(c2_matches)
+
                 cfg = {
                     "C2": c2,
                     "Dll Version": dll_version,