The stager requires an agent id; its message to the server is encrypted with RC4 under the shared server key.
The server decrypts the message, compiles and sends the agent, and generates and sends the KEY and IV to be used for AES encryption of all future communications; this message is also encrypted with RC4.
The stager decrypts the message and loads the agent via Assembly.Load.
The agent sends a check-in message to the server; from here on the messages are encrypted with AES.
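Both stager-phase messages above travel under the same shared RC4 server key, and RC4 has no nonce: unless the implementation adds some per-message variation, every message under that key is XORed with the identical keystream. The following is an added example, not code from the project described here; it models that property with a textbook RC4 and constructed sample values (the real key, the agent id format and the reply layout are assumptions), to show why a reviewer would want a per-message salt or a fresh key on this channel.

```python
# Added example (not the project's code): what a passive observer learns when
# two messages share one static RC4 key. Textbook RC4 (KSA + PRGA) below.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the overlapping prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values; the real key and message layouts are not on the page.
SERVER_KEY = b"constructed-shared-serverkey"
stager_request = b"agent-id=4f2a9c1e"              # stager -> server, RC4 under SERVER_KEY
server_reply = b"KEY=...,IV=...;<agent bytes>"      # server -> stager, RC4 under the same key

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """With a reused keystream, c1 XOR c2 == m1 XOR m2: the key cancels out,
    so the relation between the two plaintexts is visible without the key."""
    return xor(rc4(key, m1), rc4(key, m2))

def recover_other_plaintext(c_known: bytes, known_pt: bytes, c_other: bytes) -> bytes:
    """Known plaintext for one message (e.g. a predictable agent-id layout)
    yields the keystream prefix, and with it the overlapping prefix of the
    other message (here: the start of the KEY/IV reply), still without the key."""
    keystream = xor(c_known, known_pt)
    return xor(c_other, keystream)

if __name__ == "__main__":
    c1, c2 = rc4(SERVER_KEY, stager_request), rc4(SERVER_KEY, server_reply)
    print(keystream_reuse_leak(SERVER_KEY, stager_request, server_reply) == xor(stager_request, server_reply))
    print(recover_other_plaintext(c1, stager_request, c2))
```

The same reasoning applies to any two messages under the key, not only this pair; a random per-message prefix fed into the key, or a fresh key per session, removes the shared keystream.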
Profiles
The C2 profile configuration file, which contains the following:
General
  Delay (delay between requests)
  ContentUri (URL of dynamic content, e.g. dll, hta, etc.)
  UserAgent
  Spawn (the process to create to perform critical tasks)
  HtmlCovered (enable the HTML covert channel)
  TargetClass (class to search for when recovering the image)
Http Get
  ApiPath (comma-separated list of URLs, e.g. /news-list.jsp,/antani.php, etc.)
  Server
    Prepend
    Append
    Headers (name/value pairs for HTTP headers)
  Client
    Headers
Http Post
  ApiPath (comma-separated list of URLs, e.g. /news-list.jsp,/antani.php, etc.)
  Param (the name of the POST request payload parameter)
  Mask (format for interpreting the key/value pair, e.g. {0}={1}) (needs more work...)