Avoid Reconstructing C2List (#27)

CAPESandbox · Feb 19, 2025 · c787c23 · c787c23
1 parent 9902cce
commit c787c23
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/cape_parsers/CAPE/core/Emotet.py b/cape_parsers/CAPE/core/Emotet.py
@@ -298,10 +298,8 @@ def extract_config(filebuf):
         c2list_va_offset = first_match(yara_matches, "$snippet3")
         c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + 2 : c2list_va_offset + 6])[0]
         c2_list_rva = c2_list_va & 0xFFFF if c2_list_va - image_base > 0x20000 else c2_list_va - image_base
-        try:
+        with suppress(pefile.PEFormatError):
             c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
-        except pefile.PEFormatError:
-            pass
 
         while True:
             try:
@@ -320,10 +318,8 @@ def extract_config(filebuf):
         c2list_va_offset = first_match(yara_matches, "$snippet4")
         c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + 8 : c2list_va_offset + 12])[0]
         c2_list_rva = c2_list_va & 0xFFFF if c2_list_va - image_base > 0x20000 else c2_list_va - image_base
-        try:
+        with suppress(pefile.PEFormatError):
             c2_list_offset = pe.get_offset_from_rva(c2_list_rva)
-        except pefile.PEFormatError:
-            pass
         while True:
             try:
                 ip = struct.unpack("<I", filebuf[c2_list_offset : c2_list_offset + 4])[0]
@@ -532,7 +528,7 @@ def extract_config(filebuf):
         c2_funcs = c2_funcs_from_match(yara_matches, "$snippetY", filebuf)
     elif first_match(yara_matches, "$snippetZ"):
         c2_funcs = c2_funcs_from_match(yara_matches, "$snippetZ", filebuf)
-    if delta:
+    if delta and not conf_dict:
         if c2list_va_offset:
             c2_list_va = struct.unpack("I", filebuf[c2list_va_offset + delta : c2list_va_offset + delta + 4])[0]
             c2_list_rva = c2_list_va - image_base