Imaginaryc2 - Tool Which Aims To Aid In The Behavioral (Network) Analysis Of Malware
Monday, September 23, 2019
Link address: https://mederc.blogspot.com/2019/09/imaginaryc2-tool-which-aims-to-aid.html
Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware.
Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
By using this tool, an analyst can feed the malware consistent network responses (e.g. C&C instructions for the malware to execute). Additionally, the analyst can capture and inspect HTTP requests towards a domain/IP which is off-line at the time of the analysis.
Replay packet captures
Imaginary C2 provides 2 scripts to convert packet captures (PCAPs) or Fiddler Session Archives into request definitions which can be parsed by imaginary C2. Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request.
Technical details
requirements: Imaginary C2 requires Python 2.7 and Windows.
modules: Currently, Imaginary C2 contains 3 modules and 2 configuration files:

| Filename | Function |
|---|---|
| 1. imaginary_c2.py | Hosts python's simple HTTP server. Main module. |
| 2. redirect_to_imaginary_c2.py | Alters Windows' hosts file and Windows' (IP) Routing Table. |
| 3. unpack_fiddler_archive.py & unpack_pcap.py | Extracts HTTP responses from packet captures. Adds corresponding HTTP request domains and URLs to the configuration files. |
| 4. redirect_config.txt | Contains domains and IPs which need to be redirected to localhost (to the python HTTP server). |
| 5. requests_config.txt | Contains URL path definitions with the corresponding data sources. |
request definitions: Each (HTTP) request defined in the request configuration consists of 2 parameters:

Parameter 1: HTTP request URL path (a.k.a. urlType)

| Value | Meaning |
|---|---|
| fixed | Define the URL path as a literal string |
| regex | Define a regex pattern to be matched on the URL path |

Parameter 2: HTTP response source (a.k.a. sourceType)

| Value | Meaning |
|---|---|
| data | Imaginary C2 will respond with the contents of a file on disk |
| python | Imaginary C2 will run a python script. The output of the python script defines the HTTP response. |
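As an added example (not imaginaryC2's own code), the following Python 3 script shows how request definitions built from the two parameters above can be matched against an incoming URL path and dispatched to a `data` or `python` source. The `urlType | url | sourceType | source` line syntax, the sample paths, and the in-memory stand-ins for files on disk and for scripts are assumptions for this example; the real tool targets Python 2.7 and its requests_config.txt format may differ.

```python
import re
# The default body quoted in the article; everything else here is constructed.
DEFAULT_RESPONSE = b"Default imaginary C2 server response"

# Constructed sample config. The "urlType | url | sourceType | source" line
# syntax is an assumption for this example, not the tool's real file format.
SAMPLE_CONFIG = r"""
# urlType | url                       | sourceType | source
fixed     | /config/settings.bin      | data       | settings.bin
regex     | ^/modules/[a-z0-9]+\.dll$ | python     | serve_module.py
"""
# In-memory stand-ins for files on disk and for python scripts run by the tool.
SAMPLE_FILES = {"settings.bin": b"<srv>10.0.0.5:443</srv>"}
SAMPLE_SCRIPTS = {"serve_module.py": lambda p: b"MODULE:" + p.rsplit("/", 1)[-1].encode()}

def parse_definitions(text):
    """Parse definition lines into (urlType, url, sourceType, source) tuples."""
    defs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]  # a '|' inside a regex would need escaping in this toy format
        if len(fields) != 4:
            raise ValueError("expected 4 fields: %r" % raw)
        url_type, url, source_type, source = fields
        if url_type not in ("fixed", "regex") or source_type not in ("data", "python"):
            raise ValueError("unknown urlType/sourceType: %r" % raw)
        defs.append((url_type, url, source_type, source))
    return defs

def match_definition(defs, path):
    """Return (sourceType, source) of the first definition whose urlType matches."""
    for url_type, url, source_type, source in defs:
        if (url_type == "fixed" and path == url) or (url_type == "regex" and re.search(url, path)):
            return source_type, source
    return None

def build_response(defs, path, files=SAMPLE_FILES, scripts=SAMPLE_SCRIPTS):
    """Resolve a request path to the body the HTTP server would send back."""
    hit = match_definition(defs, path)
    if hit is None:
        return DEFAULT_RESPONSE   # unmatched path: fall back to the default text
    source_type, source = hit
    if source_type == "data":     # data: serve a file's contents
        return files.get(source, DEFAULT_RESPONSE)
    return scripts[source](path)  # python: the script's output is the body

DEFS = parse_definitions(SAMPLE_CONFIG)
```

Note that `fixed` entries match only the exact path, while `regex` entries are applied with `re.search`, so an unanchored pattern would also match longer paths.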
Demo use case: Simulating TrickBot servers
Imaginary C2 can be used to mimic the hosting of TrickBot components and configuration files. Additionally, it can also be used to mimic TrickBot's web injection servers.
How it works:
Upon execution, the TrickBot downloader connects to a set of hardcoded IPs to fetch a few configuration files. One of these configuration files contains the locations (IP addresses) of the TrickBot plugin servers. The TrickBot downloader downloads the plugins (modules) from these servers and decrypts them. The decrypted modules are then injected into a svchost.exe instance.
One of TrickBot's plugins is called injectdll, a plugin which is responsible for TrickBot's webinjects. The injectdll plugin regularly fetches an updated set of webinject configurations. For each targeted (banking) website in the configuration, the address of a webfake server is defined. When a victim browses to a (banking) website which is targeted by TrickBot, his browser secretly gets redirected to the webfake server. The webfake server hosts a replica of the targeted website. This replica website is commonly used in a social-engineering attack to defraud the victim.
Imaginary C2 in action:
The video below shows the TrickBot downloader running within svchost.exe and connecting to imaginary C2 to download 2 modules. Each downloaded module gets injected into a newly spawned svchost.exe instance. The webinject module tries to steal the browser's saved passwords and exfiltrates the stolen passwords to the TrickBot server. Upon visiting a targeted banking website, TrickBot redirects the browser to the webfake server. In the demo, the webfake server hosts the message: "Default imaginary C2 server response" (full video).