@usualsuspect
Created November 23, 2023 13:30
Revisions

  1. usualsuspect created this gist Nov 23, 2023.
    89 changes: 89 additions & 0 deletions config.txt
    @@ -0,0 +1,89 @@
    BeaconType - HTTPS
    Port - 443
    SleepTime - 45000
    MaxGetSize - 2801745
    Jitter - 37
    MaxDNS - Not Found
    PublicKey_MD5 - 6b11b512dcbf5063bafcc82a0e1c2bc1
    C2Server - www.tosoh.cloudns.ph,/jquery-3.3.1.min.js
    UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    HttpPostUri - /jquery-3.3.2.min.js
    Malleable_C2_Instructions - Remove 1522 bytes from the end
    Remove 84 bytes from the beginning
    Remove 3931 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
    HttpGet_Metadata - ConstHeaders
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: http://code.jquery.com/
    Accept-Encoding: gzip, deflate
    Metadata
    base64url
    prepend "__cfduid="
    header "Cookie"
    HttpPost_Metadata - ConstHeaders
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: http://code.jquery.com/
    Accept-Encoding: gzip, deflate
    SessionId
    mask
    base64url
    parameter "__cfduid"
    Output
    mask
    base64url
    print
    PipeName - Not Found
    DNS_Idle - Not Found
    DNS_Sleep - Not Found
    SSH_Host - Not Found
    SSH_Port - Not Found
    SSH_Username - Not Found
    SSH_Password_Plaintext - Not Found
    SSH_Password_Pubkey - Not Found
    SSH_Banner -
    HttpGet_Verb - GET
    HttpPost_Verb - POST
    HttpPostChunk - 0
    Spawnto_x86 - %windir%\syswow64\dllhost.exe
    Spawnto_x64 - %windir%\sysnative\dllhost.exe
    CryptoScheme - 0
    Proxy_Config - Not Found
    Proxy_User - Not Found
    Proxy_Password - Not Found
    Proxy_Behavior - Use IE settings
    Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg==
    Watermark - 987654321
    bStageCleanup - True
    bCFGCaution - False
    KillDate - 0
    bProcInject_StartRWX - False
    bProcInject_UseRWX - False
    bProcInject_MinAllocSize - 17500
    ProcInject_PrependAppend_x86 - b'\x90\x90'
    Empty
    ProcInject_PrependAppend_x64 - b'\x90\x90'
    Empty
    ProcInject_Execute - ntdll:RtlUserThreadStart
    CreateThread
    NtQueueApcThread-s
    CreateRemoteThread
    RtlCreateUserThread
    ProcInject_AllocationMethod - NtMapViewOfSection
    bUsesCookies - True
    HostHeader -
    headersToRemove - Not Found
    DNS_Beaconing - Not Found
    DNS_get_TypeA - Not Found
    DNS_get_TypeAAAA - Not Found
    DNS_get_TypeTXT - Not Found
    DNS_put_metadata - Not Found
    DNS_put_output - Not Found
    DNS_resolver - Not Found
    DNS_strategy - round-robin
    DNS_strategy_rotate_seconds - -1
    DNS_strategy_fail_x - -1
    DNS_strategy_fail_seconds - -1
    Retry_Max_Attempts - 0
    Retry_Increase_Attempts - 0
    Retry_Duration - 0
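Review bot: the multi-line fields in this dump (Malleable_C2_Instructions at the "Remove 1522 bytes from the end" line, the HttpGet_Metadata and HttpPost_Metadata blocks, and ProcInject_Execute with its CreateThread / NtQueueApcThread-s / CreateRemoteThread / RtlCreateUserThread continuations) write their continuation lines at the same indentation as top-level keys, so a reader or a simple "key - value" parser cannot tell where one field ends and the next begins; indenting or prefixing the continuation lines would make the file unambiguous and machine-readable. A short header naming the extractor that produced this output and the hash of the beacon it was pulled from would also let the indicator values here (C2Server, PublicKey_MD5, Watermark and Watermark_Hash) be correlated with the original sample and checked against other reports.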