From 2b49dcbd98e374e169266c040936223d968e6763 Mon Sep 17 00:00:00 2001
From: enzo <7831008+enzok@users.noreply.github.com>
Date: Thu, 30 May 2024 15:57:01 -0400
Subject: [PATCH] Update Oyster yara and parsing (#2149)

* Update Oyster yara and parsing

* small fix
---
 data/yara/CAPE/Oyster.yar | 2 +-
 modules/processing/parsers/CAPE/Oyster.py | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/data/yara/CAPE/Oyster.yar b/data/yara/CAPE/Oyster.yar
index b83c00500d8..0bf27f00242 100644
--- a/data/yara/CAPE/Oyster.yar
+++ b/data/yara/CAPE/Oyster.yar
@@ -6,7 +6,7 @@ rule Oyster
 cape_type = "Oyster Payload"
 hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650"
 strings:
- $start_exit = {05 00 00 00 2E 96 1E A6}
+ $start_exit = {(05 | 00) 00 00 00 2E 96 1E A6}
 $content_type = {F6 CE 56 F4 76 F6 96 2E 86 C6 96 36 0E 0E 86 04 5C A6 0E 9E 2A B4 2E 76 A6 2E 76 F6 C2}
 $domain = {44 5C 44 76 96 86 B6 F6 26 44 34 44}
 $id = {44 5C 44 64 96 44 DE}
diff --git a/modules/processing/parsers/CAPE/Oyster.py b/modules/processing/parsers/CAPE/Oyster.py
index b5c7b3ce3f1..4d328529852 100644
--- a/modules/processing/parsers/CAPE/Oyster.py
+++ b/modules/processing/parsers/CAPE/Oyster.py
@@ -88,6 +88,8 @@ def extract_config(filebuf):
 c2 = []
 dll_version = ""
 
+ c2_pattern = r"\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*\.(?!txt\b|dll\b|exe\b)[a-zA-Z]{2,}"
+
 for item in hex_strings:
 with suppress(Exception):
 decoded = transform(bytearray(item), bytearray(lookup_table)).decode("utf-8")
@@ -102,6 +104,11 @@ def extract_config(filebuf):
 dll_version = decoded.split('":"')[-1]
 elif "api" in decoded or "Content-Type" in decoded:
 str_vals.append(decoded)
+ else:
+ c2_matches = re.findall(c2_pattern, decoded)
+ if c2_matches:
+ c2.extend(c2_matches)
+
 cfg = {
 "C2": c2,
 "Dll Version": dll_version,
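Review bot: The widened `$start_exit` string `{(05 | 00) 00 00 00 2E 96 1E A6}` carries no explanation, and the rule's `hash` meta still lists only the original sample, so a later reader cannot tell which sample motivated the `00` variant or re-test the rule against it. Record the triggering sample in the meta, e.g. `hash2 = "<sha256 of the sample matched by the 00 variant>"`, and put a short comment on the string line such as `// leading byte observed as 05 or 00 across samples`. The `00` alternative makes the anchor a run of four null bytes followed by `2E 96 1E A6`, which is weaker than the original eight-byte sequence; whether the rule's condition still requires the other strings as well should be confirmed, since the condition lies outside this hunk. The rule body continues past the end of the hunk.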
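Review bot: The negative lookahead `(?!txt\b|dll\b|exe\b)` in the new `c2_pattern` is case-sensitive while the surrounding character classes accept upper case, so a decoded string such as `KERNEL32.DLL` or `Update.EXE` passes the filter and is reported as a C2. Either prefix the pattern with an inline flag, `c2_pattern = r"(?i)\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*\.(?!txt\b|dll\b|exe\b)[a-zA-Z]{2,}"`, or pass `re.IGNORECASE` to the `re.findall` call in the second hunk of this file, which has the same issue. The pattern also accepts any dotted identifier whose last label is alphabetic (for example `System.Net`), so a comment above the assignment stating that matches are only candidate hostnames and may need validation downstream would help the next maintainer. `extract_config` starts and ends outside this hunk.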
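Review bot: `c2.extend(c2_matches)` in the new `else` branch appends every match as-is, so a hostname decoded from several strings is repeated in `cfg["C2"]`; the `if c2_matches:` guard is also redundant, because extending with an empty list is a no-op. One line covers both points: `c2.extend(m for m in re.findall(c2_pattern, decoded) if m not in c2)`. This branch depends on `re` being imported at the top of the file; the import block is outside the hunk, so that could not be confirmed here. `extract_config` starts before this hunk.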