ImaginaryC2 is a python tool which aims to help in the behavioral (network) analysis of malware. It hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs.
Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
By using this tool, an analyst can feed the malware consistent network responses. Additionally, the analyst can capture and inspect HTTP requests towards a domain/IP which is off-line at the time of the analysis.
Imaginary C2 provides two scripts to convert packet captures (PCAPs) or Fiddler Session Archives into request definitions which can be parsed by imaginary C2.
Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request.
Requirements: Imaginary C2 requires Python 2.7 and Windows.
Modules: Currently, Imaginary C2 contains three modules and two configuration files:
| Filename | Function |
|---|---|
| 1. imaginary_c2.py | Hosts python’s simple HTTP server. Main module. |
| 2. redirect_to_imaginary_c2.py | Alters Windows’ host file and Windows’ (IP) Routing Table. |
| 3. unpack_fiddler_archive.py & unpack_pcap.py | Extracts HTTP responses from packet captures. Adds corresponding HTTP request domains and URLs to the configuration files. |
| 4. redirect_config.txt | Contains domains and IPs which needs to be redirected to localhost (to the python HTTP server). |
| 5. requests_config.txt | Contains URL path definitions with the corresponding data sources. |
Request definitions: Each (HTTP) request defined in the request configuration consists of two parameters:
Parameter 1: HTTP request URL path (a.k.a. urlType)
| Value | Meaning |
|---|---|
| fixed | Define the URL path as a literal string |
| regex | Define a regex pattern to be matched on the URL path |
Parameter 2: HTTP response source (a.k.a. sourceType)
| Value | Meaning |
|---|---|
| data | Imaginary C2 will respond with the contents of a file on disk |
| python | Imaginary C2 will run a python script. The output of the python script defines the HTTP response. |
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…