Skip to content

Instantly share code, notes, and snippets.

View usualsuspect's full-sized avatar

usualsuspect

29 followers · 5 following
View GitHub Profile
@usualsuspect
usualsuspect / config.txt
Created October 1, 2024 12:28
Cobalt Strike config ns.nacta.in
BeaconType - Hybrid HTTP DNS
Port - 1
SleepTime - 258000
MaxGetSize - 1527201
Jitter - 70
MaxDNS - 255
PublicKey_MD5 - 111d7dcba67aa777ffbee816c78745e7
C2Server - ns.nacta.in,/watch/4827893
UserAgent - Not Found
HttpPostUri - Not Found
@usualsuspect
usualsuspect / hash64.py
Created March 8, 2024 15:13
Unknown 64bit hash used for API lookup
#
# Used in custom import table to lookup APIs via hash instead of name
#
def hash_str64(s):
h = 0x1111111111111111
for i in range(len(s)):
h = h*0xABFFF385ABFFF386
h &= 0xFFFFFFFFFFFFFFFF
h += s[i]
@usualsuspect
usualsuspect / pika_dns_cobaltstrike.txt
Created November 29, 2023 15:04
https://twitter.com/Threatlabz/status/1729571130581934547
BeaconType - Hybrid HTTP DNS
Port - 1
SleepTime - 5000
MaxGetSize - 2798028
Jitter - 45
MaxDNS - 247
PublicKey_MD5 - d94a9ed1b7edf342d1723b57a8485051
C2Server - dns.ionoslaba.com,/dev/coke/CQHL5IYQF
UserAgent - Not Found
HttpPostUri - Not Found
@usualsuspect
usualsuspect / config.txt
Created November 28, 2023 20:24
https://twitter.com/malwrhunterteam/status/1729559280292946394
BeaconType - Hybrid HTTP DNS
Port - 1
SleepTime - 3000
MaxGetSize - 1048576
Jitter - 20
MaxDNS - 255
PublicKey_MD5 - 34aa5e72eba144f50c75d5ad3bb11d43
C2Server - ns1.data.microsoftdata.site,/ga.js,ns2.data.microsoftdata.site,/visit.js,ns3.data.microsoftdata.site,/IE9CompatViewList.xml,ns4.data.microsoftdata.site,/dpixel
UserAgent - Not Found
HttpPostUri - Not Found
@usualsuspect
usualsuspect / config.txt
Created November 23, 2023 13:30
"BreakPoint Software Inc." signed Cobalt Strike config
BeaconType - HTTPS
Port - 443
SleepTime - 45000
MaxGetSize - 2801745
Jitter - 37
MaxDNS - Not Found
PublicKey_MD5 - 6b11b512dcbf5063bafcc82a0e1c2bc1
C2Server - www.tosoh.cloudns.ph,/jquery-3.3.1.min.js
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jquery-3.3.2.min.js
@usualsuspect
usualsuspect / exproler_config.txt
Created July 11, 2023 18:37
Pokemon Cobalt Strike Config
BeaconType - HTTPS
Port - 443
SleepTime - 10000
MaxGetSize - 1398322
Jitter - 20
MaxDNS - Not Found
PublicKey_MD5 - e516ca02d126b82ff30593ce45d9cba5
C2Server - 47.94.58.82,/api/v1/server/user/info
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
HttpPostUri - /api/v1/server/log
@usualsuspect
usualsuspect / decrypt.py
Created May 2, 2023 11:21
String decryption for unknown malware
#!/usr/bin/env python3
#
# String decryption for unknown malware
#
# Author: @jaydinbas (2023-05-02)
#
# Reference sample:
#
# https://www.virustotal.com/gui/file/88c10674bb6a53791bfe08497948699bf57ea9980a878a3a5fc1afb160d1d234
#
@usualsuspect
usualsuspect / config.txt
Created April 12, 2023 10:28
ShanghaiTrafficEngineeringSocietyCross-straitUrbanTransportationAcademicSeminar.zip
BeaconType - HTTPS
Port - 443
SleepTime - 3000
MaxGetSize - 2097167
Jitter - 7
MaxDNS - Not Found
PublicKey_MD5 - cb1063db5f2d3c4b16f03fcaa7bcc6cd
C2Server - service-iwp4bo93-1308858055.bj.apigw.tencentcs.com,/jquery/2.0.1/jquery
UserAgent - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
HttpPostUri - /jquery/2.0.2/jquery
@usualsuspect
usualsuspect / config.txt
Created March 15, 2023 10:08
Cobalt Strike in ms_KB5023921_x64_install.iso
BeaconType - HTTPS
Port - 443
SleepTime - 30000
MaxGetSize - 4194310
Jitter - 90
MaxDNS - Not Found
PublicKey_MD5 - bf11f0c194c8a14fad097015ca064e80
C2Server - fc01np5u7i.execute-api.us-east-1.amazonaws.com,/api/v2/json/cluster/tasks
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4501.0 Safari/537.36 Edg/91.0.866.0
HttpPostUri - /1295648064/storage/tabs
@usualsuspect
usualsuspect / config.txt
Created March 13, 2023 13:35
NY Times Cobalt Strike Config
BeaconType - HTTPS
Port - 443
SleepTime - 165000
MaxGetSize - 2097223
Jitter - 77
MaxDNS - Not Found
PublicKey_MD5 - 59c484f9028a06073eb133568ef23de1
C2Server - content.api.nytimes.com,/caa09abd7511/XNc549Rf1p3VXb6h2g8q9ey6pp,csp.nytimes.com,/caa09abd7511/eXlTjaR3heoufbSNC-H4EJbCnOqpn
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
HttpPostUri - /921d522938b2/GmFoRGmqwNIbBmPUEKtJE