ImaginaryC2:Python Tool Help In Network Behavioral Analysis Of Malware

ImaginaryC2 is a python tool which aims to help in the behavioral (network) analysis of malware. It hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs.

Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.

By using this tool, an analyst can feed the malware consistent network responses. Additionally, the analyst can capture and inspect HTTP requests towards a domain/IP which is off-line at the time of the analysis.

Replay Packet Captures

Imaginary C2 provides two scripts to convert packet captures (PCAPs) or Fiddler Session Archives into request definitions which can be parsed by imaginary C2.

Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request.

Technical Details ImaginaryC2

Requirements: Imaginary C2 requires Python 2.7 and Windows.
Modules: Currently, Imaginary C2 contains three modules and two configuration files:

FilenameFunction
1. imaginary_c2.pyHosts python’s simple HTTP server. Main module.
2. redirect_to_imaginary_c2.pyAlters Windows’ host file and Windows’ (IP) Routing Table.
3. unpack_fiddler_archive.py & unpack_pcap.pyExtracts HTTP responses from packet captures. Adds corresponding HTTP request domains and URLs to the configuration files.
4. redirect_config.txtContains domains and IPs which needs to be redirected to localhost (to the python HTTP server).
5. requests_config.txtContains URL path definitions with the corresponding data sources.

Request definitions: Each (HTTP) request defined in the request configuration consists of two parameters:

Parameter 1: HTTP request URL path (a.k.a. urlType)

ValueMeaning
fixedDefine the URL path as a literal string
regexDefine a regex pattern to be matched on the URL path

Parameter 2: HTTP response source (a.k.a. sourceType)

ValueMeaning
dataImaginary C2 will respond with the contents of a file on disk
pythonImaginary C2 will run a python script. The output of the python script defines the HTTP response.

Sample

R K

Recent Posts

Command-Line Techniques for Listing Linux Users

Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…

50 minutes ago

Exploring User Management in Linux Systems

User management is a critical aspect of Linux administration. Each user in a Linux system…

1 hour ago

How to List Users in Linux

Managing users is an essential part of Linux system administration. Knowing how to list all…

1 hour ago

Nmap cheat sheet for beginners

Nmap (Network Mapper) is a free tool that helps you find devices on a network,…

2 days ago

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

1 week ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 week ago