diff --git a/modules/processing/parsers/CAPE/Njrat.py b/modules/processing/parsers/CAPE/Njrat.py index 630d08395f1..d280b05175a 100644 --- a/modules/processing/parsers/CAPE/Njrat.py +++ b/modules/processing/parsers/CAPE/Njrat.py @@ -12,7 +12,7 @@ def __init__(self, data: bytes): # ex: 72 9F 00 00 70 ldstr foo, the index is what comes after 0x72 opcode -> 0x9F def get_user_string_from_index(self, index): - return self.dotnet_file.net.user_strings.get_us(index).value + return self.dotnet_file.net.user_strings.get(index).value # in little-endian token is: 12 00 00 04 (0x40000012), where 0x04 is field table index, and 0x12 is the field index def get_field_name_from_index(self, index): diff --git a/modules/processing/parsers/CAPE/PhemedroneStealer.py b/modules/processing/parsers/CAPE/PhemedroneStealer.py index d854c10bf14..19018b83536 100644 --- a/modules/processing/parsers/CAPE/PhemedroneStealer.py +++ b/modules/processing/parsers/CAPE/PhemedroneStealer.py @@ -54,7 +54,7 @@ class DnfileParse: def read_dotnet_user_string(pe, token): """read user string from #US stream""" try: - user_string = pe.net.user_strings.get_us(token.rid) + user_string = pe.net.user_strings.get(token.rid) except UnicodeDecodeError: return InvalidToken(token.value) diff --git a/modules/processing/parsers/CAPE/RedLine.py b/modules/processing/parsers/CAPE/RedLine.py index 1115be71c9f..2110cbbdeec 100644 --- a/modules/processing/parsers/CAPE/RedLine.py +++ b/modules/processing/parsers/CAPE/RedLine.py @@ -146,7 +146,7 @@ def extract_config(data): extracted = [] for match in p.findall(data): for item in match: - user_string = dn.net.user_strings.get_us(int.from_bytes(item, "little")).value + user_string = dn.net.user_strings.get(int.from_bytes(item, "little")).value if user_string: extracted.append(user_string) if extracted: diff --git a/modules/processing/parsers/CAPE/XWorm.py b/modules/processing/parsers/CAPE/XWorm.py index d46a9bed322..dd774ab6f05 100644 
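Review bot: In the Njrat hunk, `get_user_string_from_index` dereferences `.value` directly on whatever `user_strings.get(index)` returns, and the index comes from bytes of the sample under analysis. If `get` can return `None` for an out-of-range or malformed #US offset (worth confirming against the pinned dnfile version), a malformed sample ends config extraction with an `AttributeError` instead of a clean "no config" result. A guard such as `us = self.dotnet_file.net.user_strings.get(index)` followed by `return us.value if us is not None else None` would keep the parser running, provided callers tolerate `None`. The same unchecked `.value` access is in the RedLine hunk and on every changed line of the XWorm hunks.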
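Review bot: In the PhemedroneStealer hunk, the `except UnicodeDecodeError` around the renamed call in `read_dotnet_user_string` was written for `get_us`, and nothing visible here shows that `get` reports a bad #US entry the same way. If the new method returns `None` or raises a different exception for an invalid `token.rid`, the `InvalidToken(token.value)` fallback is never reached and the failure surfaces later. Consider an explicit check after the `try` block, `if user_string is None: return InvalidToken(token.value)`. The function body continues outside the hunk.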
--- a/modules/processing/parsers/CAPE/XWorm.py +++ b/modules/processing/parsers/CAPE/XWorm.py @@ -84,14 +84,14 @@ def extract_config(data): for pattern in mutexPatterns: mutexMatched = pattern.findall(data) if mutexMatched: - mutex = dn.net.user_strings.get_us(int.from_bytes(mutexMatched[0], "little")).value + mutex = dn.net.user_strings.get(int.from_bytes(mutexMatched[0], "little")).value AESKey = deriveAESKey(mutex) break else: return for match in confPattern.findall(data): - er_string = dn.net.user_strings.get_us(int.from_bytes(match, "little")).value + er_string = dn.net.user_strings.get(int.from_bytes(match, "little")).value extracted.append(er_string) for i in range(5): @@ -116,10 +116,10 @@ def extract_config(data): installDirMatch = installDirPattern.findall(data) if installDirMatch: - installDir = dn.net.user_strings.get_us(int.from_bytes(installDirMatch[0], "little")).value + installDir = dn.net.user_strings.get(int.from_bytes(installDirMatch[0], "little")).value config_dict["InstallDir"] = decryptAES(AESKey, installDir, AES.MODE_ECB) if installBinMatch: - installBinName = dn.net.user_strings.get_us(int.from_bytes(installBinMatch[0], "little")).value + installBinName = dn.net.user_strings.get(int.from_bytes(installBinMatch[0], "little")).value config_dict["InstallBinName"] = decryptAES(AESKey, installBinName, AES.MODE_ECB) else: lines = data.decode().split("\n")
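Review bot: The expression `dn.net.user_strings.get(int.from_bytes(x, "little")).value` is repeated four times across the two XWorm hunks (mutex, er_string, installDir, installBinName), which is why this API rename had to touch each line separately. A small module-level helper, `def _user_string(dn, raw): return dn.net.user_strings.get(int.from_bytes(raw, "little")).value`, would give the lookup one place to change. It would also give one place to validate the result before `deriveAESKey` and `decryptAES` use it. `extract_config` starts and ends outside both hunks.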