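def request(self, flow: http.HTTPFlow):
    """Answer a simulated Azorult check-in with a crafted C2 configuration.

    The hook matches on the request's Content-Length (strictly between 100 and
    140 bytes) and on the XOR-decoded body looking URL-encoded; every other
    request is left untouched. A match is logged via ``simLogger`` and saved
    under ``sampleLogDir + "sim/"``, then ``flow.response`` is set so the
    request is never forwarded upstream.

    Args:
        flow: The mitmproxy flow whose request has been fully read.
    """
    # Look the header up on the Headers object itself (case-insensitive lookup)
    # instead of on a dict() copy, which would only match the exact spelling.
    try:
        contentLength = int(flow.request.headers["Content-Length"])  # sample sends 111 bytes
    except (KeyError, ValueError):
        # Missing or non-numeric Content-Length: not the check-in we emulate.
        return
    if not 100 < contentLength < 140:
        return

    # Log request
    self.simLogger.warning("---> Matching Request")
    httpReqStr = utils.createHttpRequestLogMsg(flow, 0)
    self.simLogger.warning(httpReqStr)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpReqStr, flow, 0, helpers.HttpPacketType.Request)
    self.simLogger.warning(f"Found Content-Length with: {contentLength}")

    # Per-sample XOR key; e.g. used by ecf6426f6ab647239675e5f9426c7eeee748b2e999b71824f394d521b61c5bb8
    keyBytes = bytes([0xfe, 0x29, 0x36])
    plainBytes = helpers.XOR(flow.request.raw_content, keyBytes)
    try:
        plaintext = plainBytes.decode("utf-8")
        self.simLogger.warning("Plaintext: " + plaintext)
        # The genuine check-in is URL-encoded, so it contains many '%' characters;
        # anything else inside the length window is treated as a false positive.
        if plaintext.count("%") > 5:
            # Create response: XOR-encrypted <c> part followed by the canned <n>/<d> parts.
            encodedConfig = "<c>KysrKysrKysrDQpJCTg5LjI0NS45NC4xNDpERQ0K</c><n>"
            encryptedConfig = helpers.XOR(encodedConfig.encode("utf-8"), keyBytes)
            # Paths are relative to the proxy's working directory; the context
            # managers close the handles even if a read fails part-way.
            with open("Azorult32_Parts/n_part.bin", "rb") as nPartFile:
                nPartBytes = nPartFile.read()
            with open("Azorult32_Parts/d_part.bin", "rb") as dPartFile:
                dPartBytes = dPartFile.read()
            responseBytes = b"".join((encryptedConfig, nPartBytes, b"</n><d>", dPartBytes, b"</d>"))
            flow.response = http.HTTPResponse.make(200, responseBytes, {"Content-Type": "text/plain; charset=utf-8"})

            # Log response
            self.simLogger.warning("---> Own Response")
            httpResStr = utils.createHttpResponseLogMsg(flow, 0)
            self.simLogger.warning(httpResStr)
            helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpResStr, flow, 0, helpers.HttpPacketType.Response)
    except Exception:
        # Best-effort hook: a decode or file error must not take the proxy down,
        # so only the traceback is recorded.
        self.simLogger.error("Exception: \n" + traceback.format_exc())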
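def request(self, flow: http.HTTPFlow):
    """Answer a simulated Azorult check-in with a crafted C2 configuration.

    The hook matches on the request's Content-Length (strictly between 90 and
    130 bytes) and on the XOR-decoded body looking URL-encoded; every other
    request is left untouched. A match is logged via ``simLogger`` and saved
    under ``sampleLogDir + "sim/"``, then ``flow.response`` is set so the
    request is never forwarded upstream.

    Args:
        flow: The mitmproxy flow whose request has been fully read.
    """
    # Look the header up on the Headers object itself (case-insensitive lookup)
    # instead of on a dict() copy, which would only match the exact spelling.
    try:
        contentLength = int(flow.request.headers["Content-Length"])  # sample sends 111 bytes
    except (KeyError, ValueError):
        # Missing or non-numeric Content-Length: not the check-in we emulate.
        return
    if not 90 < contentLength < 130:
        return

    # Log request
    self.simLogger.warning("---> Matching Request")
    httpReqStr = utils.createHttpRequestLogMsg(flow, 0)
    self.simLogger.warning(httpReqStr)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpReqStr, flow, 0, helpers.HttpPacketType.Request)
    self.simLogger.warning(f"Found Content-Length with: {contentLength}")

    # Per-sample XOR key; e.g. used by 2a3ff0ac89c072d3734a0a0d4bb7106d7854fca1a71eea3e48b20a9ada0d8cec
    keyBytes = bytes([0x0D, 0x0A, 0xC8])
    plainBytes = helpers.XOR(flow.request.raw_content, keyBytes)
    try:
        plaintext = plainBytes.decode("utf-8")
        self.simLogger.warning("Plaintext: " + plaintext)
        # The genuine check-in is URL-encoded, so it contains many '%' characters;
        # anything else inside the length window is treated as a false positive.
        if plaintext.count("%") > 5:
            # Create response: XOR-encrypted <c> part followed by the canned <n>/<d> parts.
            encodedConfig = "<c>KysrKy0rLSstKw0KRglERVNLCSVVU0VSUFJPRklMRSVcRGVza3RvcAkqLnR4dCwqLnBkZiwqLnBuZywqLmpwZywqLnJhciwqLnppcCwqLmRvYwkzMDAJKwktCQ0KTAkJLQkNCkkJODMuMTM1LjE5NC41OkRFDQo=</c><n>"
            encryptedConfig = helpers.XOR(encodedConfig.encode("utf-8"), keyBytes)
            # Paths are relative to the proxy's working directory; the context
            # managers close the handles even if a read fails part-way.
            with open("Azorult32_Parts/n_part.bin", "rb") as nPartFile:
                nPartBytes = nPartFile.read()
            with open("Azorult32_Parts/d_part.bin", "rb") as dPartFile:
                dPartBytes = dPartFile.read()
            responseBytes = b"".join((encryptedConfig, nPartBytes, b"</n><d>", dPartBytes, b"</d>"))
            flow.response = http.HTTPResponse.make(200, responseBytes, {"Content-Type": "text/plain; charset=utf-8"})

            # Log response
            self.simLogger.warning("---> Own Response")
            httpResStr = utils.createHttpResponseLogMsg(flow, 0)
            self.simLogger.warning(httpResStr)
            helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpResStr, flow, 0, helpers.HttpPacketType.Response)
    except Exception:
        # Best-effort hook: a decode or file error must not take the proxy down,
        # so only the traceback is recorded.
        self.simLogger.error("Exception: \n" + traceback.format_exc())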
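def request(self, flow: http.HTTPFlow):
    """Log each HTTP request under a running packet counter.

    Called by mitmproxy once the full request has been read. Requests for
    which ``utils.filterMicrosoftHttpTraffic`` returns a truthy value are
    skipped (presumably Windows/Microsoft background noise — confirm against
    that helper); everything else is written to ``httpLogger`` and saved under
    ``sampleLogDir + "http/"``.

    Args:
        flow: The mitmproxy flow whose request has been fully read.
    """
    try:
        if utils.filterMicrosoftHttpTraffic(flow):
            return
        # The counter is incremented only for requests that are actually logged,
        # so it numbers the saved packets consecutively.
        self.packetCounter += 1
        httpReqStr = utils.createHttpRequestLogMsg(flow, self.packetCounter)
        self.httpLogger.warning(httpReqStr)
        helpers.saveHttpInfos(self.sampleLogDir + "http/", httpReqStr, flow, self.packetCounter, helpers.HttpPacketType.Request)
    except Exception:
        # Logging must never break the proxy; record the traceback and carry on.
        self.httpLogger.error("Exception: \n" + traceback.format_exc())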
def request(self, flow: http.HTTPFlow):
    """Serve a canned gate.php configuration to matching check-in requests.

    Any request whose path contains "/gate.php" is answered locally with a
    fixed key/value configuration; both the request and the crafted response
    are logged through ``simLogger`` and stored under ``sampleLogDir + "sim/"``.
    Non-matching requests are left untouched.

    Args:
        flow: The mitmproxy flow whose request has been fully read.
    """
    if "/gate.php" not in flow.request.path:
        return
    # NOTE(review): the original comment says the remote host should be checked
    # not to be localhost, but no such check is implemented — every host whose
    # path contains /gate.php receives this response.

    # Log request
    requestLogMsg = utils.createHttpRequestLogMsg(flow, 0)
    self.simLogger.warning("---> Matching Request")
    self.simLogger.warning(requestLogMsg)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", requestLogMsg, flow, 0, helpers.HttpPacketType.Request)

    # Create response: one "KEY: value" entry per CRLF-terminated line.
    configLines = (
        "IS_G_PWDS: 1\r\n",
        "IS_G_DOUBLE: 1\r\n",
        "IS_G_BROWSERS: 1\r\n",
        "IS_G_COINS: 1\r\n",
        "IS_G_SKYPE: 1\r\n",
        "IS_G_STEAM: 1\r\n",
        "IS_G_DESKTOP: 1\r\n",
        "G_DESKTOP_EXTS: txt,doc\r\n",
        "G_DESKTOP_MAXSIZE: 200\r\n",
    )
    config = "".join(configLines)
    flow.response = http.HTTPResponse.make(200, config, {"Content-Type": "text/plain; charset=utf-8"})

    # Log response
    responseLogMsg = utils.createHttpResponseLogMsg(flow, 0)
    self.simLogger.warning("---> Own Response")
    self.simLogger.warning(responseLogMsg)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", responseLogMsg, flow, 0, helpers.HttpPacketType.Response)
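def request(self, flow: http.HTTPFlow):
    """Serve the canned Libs.zip archive to matching download requests.

    Any request whose path contains "Libs.zip" is answered locally with the
    contents of ``AcridRain_Parts/Libs.zip``; the request and the response are
    logged through ``simLogger`` and stored under ``sampleLogDir + "sim/"``.
    Non-matching requests are left untouched.

    Args:
        flow: The mitmproxy flow whose request has been fully read.
    """
    if "Libs.zip" not in flow.request.path:
        return

    # Log request
    self.simLogger.warning("---> Matching Request")
    httpReqStr = utils.createHttpRequestLogMsg(flow, 0)
    self.simLogger.warning(httpReqStr)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpReqStr, flow, 0, helpers.HttpPacketType.Request)

    # Path is relative to the proxy's working directory; the context manager
    # closes the handle even if building the response fails.
    with open("AcridRain_Parts/Libs.zip", "rb") as fLibs:
        responseBytes = fLibs.read()
    flow.response = http.HTTPResponse.make(200, responseBytes, {"Content-Type": "application/zip"})

    # Log response
    self.simLogger.warning("---> Own Response")
    httpResStr = utils.createHttpResponseLogMsg(flow, 0)
    self.simLogger.warning(httpResStr)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpResStr, flow, 0, helpers.HttpPacketType.Response)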
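def request(self, flow: http.HTTPFlow):
    """Log Kpot-related requests and answer config.php with a canned config.

    A request matches when its path contains "config.php" or its host is one
    of the hosts listed below. Every match is logged through ``simLogger`` and
    stored under ``sampleLogDir + "sim/"``; only the config.php requests are
    answered locally, with ``Kpot_Parts/config_kpot.bin``. A matching request
    to one of the listed hosts without config.php in its path sets no response
    here and is otherwise handled by the proxy as usual.

    Args:
        flow: The mitmproxy flow whose request has been fully read.
    """
    simulatedHosts = ("a-n-y.online", "jelouslaodnn.org", "seeyouonlineservice.com")
    wantsConfig = "config.php" in flow.request.path
    if not (wantsConfig or flow.request.pretty_host in simulatedHosts):
        return

    # Log request
    self.simLogger.warning("---> Matching Request")
    httpReqStr = utils.createHttpRequestLogMsg(flow, 0)
    self.simLogger.warning(httpReqStr)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpReqStr, flow, 0, helpers.HttpPacketType.Request)

    if not wantsConfig:
        return

    # Create response. Path is relative to the proxy's working directory; the
    # context manager closes the handle even if the read fails.
    with open("Kpot_Parts/config_kpot.bin", "rb") as fConfig:
        responseBytes = fConfig.read()
    flow.response = http.HTTPResponse.make(200, responseBytes, {"Content-Type": "text/plain; charset=utf-8"})

    # Log response
    self.simLogger.warning("---> Own Response")
    httpResStr = utils.createHttpResponseLogMsg(flow, 0)
    self.simLogger.warning(httpResStr)
    helpers.saveHttpInfos(self.sampleLogDir + "sim/", httpResStr, flow, 0, helpers.HttpPacketType.Response)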