kevoreilly · doomedraven · Jun 17, 2024 · Jun 17, 2024 · Jun 17, 2024
diff --git a/modules/processing/parsers/CAPE/Njrat.py b/modules/processing/parsers/CAPE/Njrat.py
@@ -12,7 +12,7 @@ def __init__(self, data: bytes):
 
     # ex: 72 9F 00 00 70 ldstr foo, the index is what comes after 0x72 opcode -> 0x9F
     def get_user_string_from_index(self, index):
-        return self.dotnet_file.net.user_strings.get_us(index).value
+        return self.dotnet_file.net.user_strings.get(index).value
 
     # in little-endian token is: 12 00 00 04 (0x40000012), where 0x04 is field table index, and 0x12 is the field index
     def get_field_name_from_index(self, index):

diff --git a/modules/processing/parsers/CAPE/PhemedroneStealer.py b/modules/processing/parsers/CAPE/PhemedroneStealer.py
@@ -54,7 +54,7 @@ class DnfileParse:
     def read_dotnet_user_string(pe, token):
         """read user string from #US stream"""
         try:
-            user_string = pe.net.user_strings.get_us(token.rid)
+            user_string = pe.net.user_strings.get(token.rid)
         except UnicodeDecodeError:
             return InvalidToken(token.value)
 

diff --git a/modules/processing/parsers/CAPE/RedLine.py b/modules/processing/parsers/CAPE/RedLine.py
@@ -146,7 +146,7 @@ def extract_config(data):
                 extracted = []
                 for match in p.findall(data):
                     for item in match:
-                        user_string = dn.net.user_strings.get_us(int.from_bytes(item, "little")).value
+                        user_string = dn.net.user_strings.get(int.from_bytes(item, "little")).value
                         if user_string:
                             extracted.append(user_string)
                 if extracted:

diff --git a/modules/processing/parsers/CAPE/XWorm.py b/modules/processing/parsers/CAPE/XWorm.py
@@ -84,14 +84,14 @@ def extract_config(data):
             for pattern in mutexPatterns:
                 mutexMatched = pattern.findall(data)
                 if mutexMatched:
-                    mutex = dn.net.user_strings.get_us(int.from_bytes(mutexMatched[0], "little")).value
+                    mutex = dn.net.user_strings.get(int.from_bytes(mutexMatched[0], "little")).value
                     AESKey = deriveAESKey(mutex)
                     break
                 else:
                     return
 
             for match in confPattern.findall(data):
-                er_string = dn.net.user_strings.get_us(int.from_bytes(match, "little")).value
+                er_string = dn.net.user_strings.get(int.from_bytes(match, "little")).value
                 extracted.append(er_string)
 
             for i in range(5):
@@ -116,10 +116,10 @@ def extract_config(data):
             installDirMatch = installDirPattern.findall(data)
 
             if installDirMatch:
-                installDir = dn.net.user_strings.get_us(int.from_bytes(installDirMatch[0], "little")).value
+                installDir = dn.net.user_strings.get(int.from_bytes(installDirMatch[0], "little")).value
                 config_dict["InstallDir"] = decryptAES(AESKey, installDir, AES.MODE_ECB)
             if installBinMatch:
-                installBinName = dn.net.user_strings.get_us(int.from_bytes(installBinMatch[0], "little")).value
+                installBinName = dn.net.user_strings.get(int.from_bytes(installBinMatch[0], "little")).value
                 config_dict["InstallBinName"] = decryptAES(AESKey, installBinName, AES.MODE_ECB)
         else:
             lines = data.decode().split("\n")