@usualsuspect
Created April 12, 2023 10:28
ShanghaiTrafficEngineeringSocietyCross-straitUrbanTransportationAcademicSeminar.zip
BeaconType - HTTPS
Port - 443
SleepTime - 3000
MaxGetSize - 2097167
Jitter - 7
MaxDNS - Not Found
PublicKey_MD5 - cb1063db5f2d3c4b16f03fcaa7bcc6cd
C2Server - service-iwp4bo93-1308858055.bj.apigw.tencentcs.com,/jquery/2.0.1/jquery
UserAgent - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
HttpPostUri - /jquery/2.0.2/jquery
Malleable_C2_Instructions - Remove 2 bytes from the end
                            Remove 5 bytes from the beginning
                            NetBIOS decode 'a'
                            XOR mask w/ random key
HttpGet_Metadata - Metadata
                   base64url
                   prepend "SESSIONID="
                   header "Cookie"
HttpPost_Metadata - SessionId
                    mask
                    netbiosu
                    prepend "user="
                    append "%%"
                    header "User"
                    Output
                    mask
                    base64url
                    prepend "data="
                    append "%%"
                    print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - c:\windows\syswow64\rundll32.exe
Spawnto_x64 - c:\windows\system32\rundll32.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark_Hash - BeudtKgqnlm0Ruvf+VYxuw==
Watermark - 100000
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - True
bProcInject_UseRWX - True
bProcInject_MinAllocSize - 0
ProcInject_PrependAppend_x86 - Empty
ProcInject_PrependAppend_x64 - Empty
ProcInject_Execute - CreateThread
                     SetThreadContext
                     CreateRemoteThread
                     RtlCreateUserThread
ProcInject_AllocationMethod - VirtualAllocEx
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - round-robin
DNS_strategy_rotate_seconds - -1
DNS_strategy_fail_x - -1
DNS_strategy_fail_seconds - -1
Retry_Max_Attempts - 0
Retry_Increase_Attempts - 0
Retry_Duration - 0