Imaginaryc2 - Tool Which Aims To Aid In The Behavioral (Network) Analysis Of Malware
Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware.
Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
By using this tool, an analyst can feed the malware consistent network responses (e.g. C&C instructions for the malware to execute). Additionally, the analyst can capture and inspect HTTP requests towards a domain/IP which is off-line at the time of the analysis.
Replay packet captures
Imaginary C2 provides 2 scripts to convert packet captures (PCAPs) or Fiddler Session Archives into request definitions which can be parsed by Imaginary C2. Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request.
requirements: Imaginary C2 requires Python 2.7 and Windows.
modules: Currently, Imaginary C2 contains 3 modules and 2 configuration files:
| Filename | Function |
|---|---|
| 1. imaginary_c2.py | Hosts python's simple HTTP server. Main module. |
| 2. redirect_to_imaginary_c2.py | Alters Windows' hosts file and Windows' (IP) Routing Table. |
| 3. unpack_fiddler_archive.py & unpack_pcap.py | Extracts HTTP responses from packet captures. Adds the corresponding HTTP request domains and URLs to the configuration files. |
| 4. redirect_config.txt | Contains domains and IPs which need to be redirected to localhost (to the python HTTP server). |
| 5. requests_config.txt | Contains URL path definitions with the corresponding data sources. |
Parameter 1: HTTP request URL path (a.k.a. urlType)
| Value | Meaning |
|---|---|
| fixed | Define the URL path as a literal string |
| regex | Define a regex pattern to be matched on the URL path |

| Value | Meaning |
|---|---|
| data | Imaginary C2 will respond with the contents of a file on disk |
| python | Imaginary C2 will run a python script. The output of the python script defines the HTTP response. |
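The following is an added illustration, not Imaginary C2's own code, of how the two `urlType` values (fixed, regex) and the two data-source kinds (data, python) described above can drive a request router: an incoming URL path is matched against the definitions in order, a `data` source is answered with a file's bytes, a `python` source is answered with the stdout of a script, and anything unmatched gets a default reply. The tuple layout of a definition, the function names, the sample file contents and the use of Python 3 (the tool itself targets Python 2.7) are all assumptions of this example.

```python
"""Request router modelled on Imaginary C2's request definitions.

Added example (not the project's code). The definition shape
(urlType, rule, source kind, source path) is an assumption, as are the
constructed sample files written into a temporary directory below.
"""
import re
import subprocess
import sys
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

DEFAULT_RESPONSE = b"Default imaginary C2 server response"

# Constructed sample "served payloads": a data file and a python script,
# standing in for files an analyst would place on disk.
WORKDIR = Path(tempfile.mkdtemp(prefix="imaginary_c2_"))
(WORKDIR / "config.txt").write_bytes(b"<servconf><expir>1</expir></servconf>")
(WORKDIR / "beacon.py").write_text(
    "import sys\n"
    "# hypothetical script: echo the requested path back as the response body\n"
    "sys.stdout.write('ack ' + sys.argv[1])\n"
)

# Assumed definition layout: (urlType, url path or pattern, source kind, source)
REQUEST_DEFINITIONS = [
    ("fixed", "/group_tag/config.txt", "data", WORKDIR / "config.txt"),
    ("regex", r"^/updates/\w+\.bin$", "python", WORKDIR / "beacon.py"),
]


def match_definition(path, definitions=REQUEST_DEFINITIONS):
    """Return the first definition whose urlType rule matches the URL path."""
    for url_type, rule, kind, source in definitions:
        if url_type == "fixed" and path == rule:
            return (url_type, rule, kind, source)
        if url_type == "regex" and re.search(rule, path):
            return (url_type, rule, kind, source)
    return None


def render_response(definition, path):
    """Produce the response body (bytes) for a matched definition."""
    _, _, kind, source = definition
    if kind == "data":
        return Path(source).read_bytes()
    if kind == "python":
        # The script's stdout becomes the HTTP response body; the requested
        # path is handed to the script so it can vary its answer.
        proc = subprocess.run([sys.executable, str(source), path],
                              capture_output=True, check=True)
        return proc.stdout
    raise ValueError("unknown data source kind: %r" % kind)


def build_response(path, definitions=REQUEST_DEFINITIONS):
    """Status code and body for a URL path; unmatched paths get the default."""
    definition = match_definition(path, definitions)
    if definition is None:
        return 200, DEFAULT_RESPONSE
    return 200, render_response(definition, path)


class ImaginaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = build_response(self.path)
        # Log every request so the analyst can see what the sample asked for.
        self.log_message("%s %s -> %d bytes", self.command, self.path, len(body))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the redirect step sends the sample's traffic here.
    HTTPServer(("127.0.0.1", 8080), ImaginaryHandler).serve_forever()
```

Because a `python` data source executes whatever script sits at the configured path, the server belongs inside the isolated analysis VM, bound to localhost as above, rather than on a shared host; the request log is the part an analyst keeps, since it records the paths and parameters the sample sends even when the real C2 is offline.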
Demo use case: Simulating TrickBot servers
Imaginary C2 can be used to mimic the hosting of TrickBot components and configuration files. Additionally, it can also be used to mimic TrickBot's web injection servers.
How it works:
Upon execution, the TrickBot downloader connects to a set of hardcoded IPs to fetch a few configuration files. One of these configuration files contains the locations (IP addresses) of the TrickBot plugin servers. The TrickBot downloader downloads the plugins (modules) from these servers and decrypts them. The decrypted modules are then injected into a svchost.exe instance.
One of TrickBot's plugins is called injectdll, a plugin which is responsible for TrickBot's webinjects. The injectdll plugin regularly fetches an updated set of webinject configurations. For each targeted (banking) website in the configuration, the address of a webfake server is defined. When a victim browses to a (banking) website which is targeted by TrickBot, his browser secretly gets redirected to the webfake server. The webfake server hosts a replica of the targeted website. This replica website is commonly used in a social-engineering attack to defraud the victim.
Imaginary C2 in action:
The below video shows the TrickBot downloader running inside svchost.exe and connecting to Imaginary C2 to download 2 modules. Each downloaded module gets injected into a newly spawned svchost.exe instance. The webinject module tries to steal the browser's saved passwords and exfiltrates the stolen passwords to the TrickBot server. Upon visiting a targeted banking website, TrickBot redirects the browser to the webfake server. In the demo, the webfake server hosts the message: "Default imaginary C2 server response" (full video).