beacon pivots
Pivot from the beacon config published at https://twitter.com/VK_Intel/status/1260296104672886790. The three Cobalt Strike configs below were found by pivoting on the fields that stay constant across samples rather than on the C2 address, which differs in each one: PIPENAME `\\%s\pipe\msagent_%x`, SPAWNTO_X64/SPAWNTO_X86 pointing at `rundll32.exe`, SUBMITURI `/submit.php`, and the `MSIE 9.0 ... MAAU; NP08` User-Agent string. Caveats: these values look like stock profile defaults, so on their own they are a weak pivot and will also match beacons from unrelated operators; the PUBKEY differs in every sample, which suggests each beacon is staged from a separate team server; and the md5/sha1/sha256 and PE/section/string hashes identify these specific builds only, since regenerating a beacon changes them while the profile strings above do not. For detection, the DOMAINS:PORT pairs (37.252.15.241:80, 47.106.204.157:9000, 103.86.86.71:443) and the `msagent_` named-pipe pattern are the directly actionable indicators.
{ | |
C2_CHUNK_POST: 0 | |
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))] | |
C2_RECOVER: | |
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))] | |
C2_VERB_GET: GET | |
C2_VERB_POST: POST | |
CRYPTO_sCHEME: 1 | |
DNS_IDLE: 0 | |
DNS_SLEEP: 0 | |
DOMAINS: 37.252.15.241,/visit.js | |
ITTER: 0 | |
KILLDATE_DAY: 0 | |
KILLDATE_MONTH: 0 | |
KILLDATE_YEAR: 0 | |
MAXDNS: 255 | |
MAXGET: 1048576 | |
PIPENAME: \\%s\pipe\msagent_%x | |
PORT: 80 | |
PROTOCOL: 0 | |
PUBKEY: 30819f300d06092a864886f70d010101050003818d0030818902818100e6c96e9ba9ebe3596e8367afb772ecf1c5705efc838ee52ca6957be5f6bc2cf0f93378c2f2cf0989d8971c366dd9d5a38231e3a786ddc0e605db448f865fb5325d647192588639d05f456ece6b44390860319b2d9fd56cdb6dbbc4036f67cfe11f2250c59abd21f1d7f2cab0a7b2b863b4ba4470663d1de10da6983554d74b930203010001 | |
SLEEPTIME: 60000 | |
SPAWNTO_X64: %windir%\sysnative\rundll32.exe | |
SPAWNTO_X86: %windir%\syswow64\rundll32.exe | |
SUBMITURI: /submit.php | |
USERAGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08) | |
dos_stub_hash: | |
mal_type: mal_configs | |
md5: 2588add337ae787071d3796d39636133 | |
overlay_hash: | |
pe_header_hash: b5d31274da56847386a43f9cca674dc2 | |
pe_start_data_hash: 1cdf62336a780a4680fdfa2a04d2ea5e | |
rich_hdr_data: 9a3da20ede5ccc5dde5ccc5dde5ccc5d40fc0b5ddf5ccc5d2f9a035df45ccc5d2f9a025d585ccc5d2f9a015dd45ccc5db8b21e5d465ccc5dd7245f5dd15ccc5dde5ccd5d0d5ccc5db8b2025dfc5ccc5db8b2065ddf5ccc5db8b2055ddf5ccc5db8b2005ddf5ccc5d52696368de5ccc5d | |
rich_hdr_hash: ea1776604db4068abb31a44ad26da7fb | |
section_name_hash: 3bee9f62d5857e3ae29319c4526f337e | |
sha1: 29898a8111f18895158c5d306fbe8bc14861883b | |
sha256: ae0cbcddf935d11065074d0a30c57a6e7d790742365d6dff49ede387f9e37c34 | |
str_hash_10: fb2763f88585f3c3675363065eb8cb8a | |
str_hash_3: 6553ec150f913c996d8c25e729232fef | |
str_hash_4: a4e8d00cdd4447416b9c67a1e79a3844 | |
str_hash_5: b14e3e6523b1bed5b1bab4cedbf8ffef | |
str_hash_6: f21dab46581c014bd43c465f03046c1f | |
str_hash_7: 95de61cb97728907d0ae21c2e3234afb | |
str_hash_8: 11491a352375205315c7ccd5492e2eab | |
str_hash_9: ba558dc6a823848c5e56072c11890e4c | |
type: cobaltstrike | |
} | |
{ | |
C2_CHUNK_POST: 0 | |
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))] | |
C2_RECOVER: | |
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))] | |
C2_VERB_GET: GET | |
C2_VERB_POST: POST | |
CRYPTO_sCHEME: 1 | |
DNS_IDLE: 0 | |
DNS_SLEEP: 0 | |
DOMAINS: 47.106.204.157,/g.pixel | |
ITTER: 0 | |
MAXDNS: 255 | |
MAXGET: 1048576 | |
PIPENAME: \\%s\pipe\msagent_%x | |
PORT: 9000 | |
PROTOCOL: 0 | |
PROXY_BEHAVIOR: 2 | |
PUBKEY: 30819f300d06092a864886f70d010101050003818d003081890281810081af738becf4a3be8fa2e7b26d1a24ef1ef241c5693a5e790478e1a3ec4151a9ec80a20fcd197afd34a114fcee5587e7fedea6584a3af03f9d80d93443b788f79e9bae2f4d65c557d3e8e26d21f65b3580d21550b82232ae1fb8776b6c3558c43c527ababa9af254ed6fda8b1ca20a660f45b74af5e6e7b968077fd729fd205b0203010001 | |
SLEEPTIME: 60000 | |
SPAWNTO_X64: %windir%\sysnative\rundll32.exe | |
SPAWNTO_X86: %windir%\syswow64\rundll32.exe | |
SUBMITURI: /submit.php | |
UNKNOWN38: 30 | |
UNKNOWN39: 30 | |
UNKNOWN40: 0 | |
UNKNOWN41: 0 | |
UNKNOWN43: 3634 | |
UNKNOWN44: 3634 | |
UNKNOWN45: 0 | |
UNKNOWN46: | |
UNKNOWN47: | |
UNKNOWN48: 35 | |
USERAGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08) | |
WATERMARK: 0 | |
dos_stub_hash: | |
mal_type: mal_configs | |
md5: 1605ece7685faea45079fd86787ad069 | |
overlay_hash: | |
pe_header_hash: b6020d629a4abe024912f14d8bdefa53 | |
pe_start_data_hash: 6760ed79d0ef1b66177ef5b5112bd366 | |
rich_hdr_data: d7fd5e35939c3066939c3066939c30662ed3a666929c30668dceb466bb9c30668dcea566809c30668dceb366119c3066b45a4b669c9c3066939c3166729c30668dceb9662f9c30668dcea266929c30668dcea166929c306652696368939c3066 | |
rich_hdr_hash: c1252a3a14c2b314ae3d300218e38c57 | |
section_name_hash: 7b1af1699e23046300e1cd097dee731b | |
sha1: cb928ad7fd80726b4edc062374bc7016f837b95a | |
sha256: 89dd5b039fca14713fddd3fdb5ba9426eb3b0c07d4acfa8836bf5145343593b5 | |
str_hash_10: e366f32591fd1ff9b626c3b48bc179bb | |
str_hash_3: 5a434326bdf0960654f4df303d15b607 | |
str_hash_4: ff332a9215115e72f8cbec03d08ef340 | |
str_hash_5: 501d1421d081e3a2632e1ee5e7378ec4 | |
str_hash_6: 1e092fa193e6fe5d4774a8c9480ff1d2 | |
str_hash_7: 0effa190e99ebd76214bc80ed3953749 | |
str_hash_8: 31a94f4db83d26418748ecefcf401ac6 | |
str_hash_9: e2c5c600245d4a035520a425feeecf95 | |
type: cobaltstrike | |
} | |
{ | |
C2_CHUNK_POST: 0 | |
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))] | |
C2_RECOVER: | |
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))] | |
C2_VERB_GET: GET | |
C2_VERB_POST: POST | |
CRYPTO_sCHEME: 1 | |
DNS_IDLE: 0 | |
DNS_SLEEP: 0 | |
DOMAINS: 103.86.86.71,/dot.gif | |
INJECT_OPTIONS: 1 | |
ITTER: 0 | |
KILLDATE_DAY: 0 | |
KILLDATE_MONTH: 0 | |
KILLDATE_YEAR: 0 | |
MAXDNS: 255 | |
MAXGET: 1048576 | |
PIPENAME: \\%s\pipe\msagent_%x | |
PORT: 443 | |
PROTOCOL: 8 | |
PROXY_BEHAVIOR: 2 | |
PUBKEY: 30819f300d06092a864886f70d010101050003818d00308189028181008ad075b9a232d45cf856f2901ea3e78b4f223c05139db648df79b9f17072512db69d396bf1ba58a160c55d37de2b7b707e57c50526ca123a6ef45b5b1e99a1e7c009aa40487e1c97ef1d4b19c30b3c2b2e8ea94c937f0c52d31c892e730845c1661301b4b34253c53d02d3d4a3f567706c9741180c9aac3f2373ac89a79bacad0203010001 | |
SLEEPTIME: 60000 | |
SPAWNTO_X64: %windir%\sysnative\rundll32.exe | |
SPAWNTO_X86: %windir%\syswow64\rundll32.exe | |
SUBMITURI: /submit.php | |
USERAGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP08; MAAU; NP08) | |
dos_stub_hash: 44d88612fea8a8f36de82e1278abb02f | |
mal_type: mal_configs | |
md5: df9f26ee74ee5883b717c77bc2e8c6a9 | |
overlay_hash: 44d88612fea8a8f36de82e1278abb02f | |
pe_header_hash: 15bbc192e0d2300066ce08561fa03e6d | |
pe_start_data_hash: b5ef8563010a7f9c8ecd92abed9e9441 | |
rich_hdr_data: 9fd21c16dbb37245dbb37245dbb3724566fce445dab37245c5e1f645f2b37245c5e1e745c8b37245c5e1f1455ab37245fc750945d4b37245dbb3734506b37245c5e1fb4562b37245c5e1e045dab37245c5e1e345dab3724552696368dbb37245 | |
rich_hdr_hash: fbaf77a64eafa5f5c68da888bd097323 | |
section_name_hash: 40a71983f0a3bba083f701530540dc35 | |
sha1: d48a73f44b4177c0f80a7e781d6d0b50ab0a1fb5 | |
sha256: cc218b5afd1a7a6ca5da19eff3bddd01185d92de12a88341184064469f8684ae | |
str_hash_10: 700a87bf27fb6f4c5a5fad349dc6ed84 | |
str_hash_3: f4cb724f4d32e8ae7152fc7f70a0767c | |
str_hash_4: a76bb354534a79a40f090d17794dc5b9 | |
str_hash_5: 1cb78c260e7ba9c256777067cf920ed5 | |
str_hash_6: 8815ac60632d931aff6482f0d7eee7eb | |
str_hash_7: 059ae037dd5084e2153622160fb7e425 | |
str_hash_8: 564cfdbf396a4cdf7a18cba3178e38bc | |
str_hash_9: 1501e2b9913b1bd24c0fde900ee7eabb | |
type: cobaltstrike | |
} |