{"id":13775523,"url":"https://github.com/omriher/captipper","last_synced_at":"2025-05-11T07:32:50.645Z","repository":{"id":25744098,"uuid":"29181792","full_name":"omriher/CapTipper","owner":"omriher","description":"Malicious HTTP traffic explorer","archived":false,"fork":false,"pushed_at":"2023-03-16T02:20:12.000Z","size":741,"stargazers_count":711,"open_issues_count":15,"forks_count":159,"subscribers_count":63,"default_branch":"master","last_synced_at":"2024-11-17T10:39:59.399Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/omriher.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2015-01-13T09:05:17.000Z","updated_at":"2024-11-16T07:02:53.000Z","dependencies_parsed_at":"2024-01-03T04:02:30.816Z","dependency_job_id":null,"html_url":"https://github.com/omriher/CapTipper","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omriher%2FCapTipper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omriher%2FCapTipper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omriher%2FCapTipper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omriher%2FCapTipper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/omriher","download_url":"https://codeload.github.com/omriher/CapTipper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253534084,"owners_count":21923515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T17:01:40.265Z","updated_at":"2025-05-11T07:32:45.629Z","avatar_url":"https://github.com/omriher.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"eec238a1a2657b70f7bbbe68a4421249\"\u003e\u003c/a\u003e其他"],"sub_categories":["\u003ca id=\"b239f12aca7aa942b45836032cbef99a\"\u003e\u003c/a\u003e转换"],"readme":"## CapTipper v0.3\r\n\r\n[Logo]: http://4.bp.blogspot.com/-uuRE1KkS5Jo/Vb8j-cfEuHI/AAAAAAAAeY4/MltsTu7jG5E/s1600/CapTipper_logo.png\r\n![Logo]\r\n\r\nCapTipper v0.3: http://www.omriher.com/2015/08/captipper-v03-is-out.html  \r\nCapTipper v0.2: http://www.omriher.com/2015/03/captipper-02-released.html  \r\nCapTipper v0.1: http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html  \r\n\r\nCapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.  \r\nCapTipper sets up a web server that acts exactly as the server in the PCAP file,  \r\nand contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.\r\n\r\nThe tool provides the security researcher with easy access to the files and the understanding of the network flow,  \r\nand is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.\r\n\r\nFeeding CapTipper with a drive-by traffic capture (e.g of an exploit kit) displays the user with the requests URI's that were sent and responses meta-data.  \r\nThe user can at this point browse to http://127.0.0.1/[host]/[URI] and receive the response back to the browser.  \r\nIn addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...\r\n\r\nDocumentation: http://captipper.readthedocs.org\r\n\r\n**Update from 02-Oct-2020:**  \r\nCapTipper now supports Python3 and can be found in the following branch: https://github.com/omriher/CapTipper/tree/python3_support\r\n\r\n[ScreenShot]: http://3.bp.blogspot.com/-7XrSKP1BHzE/VLRGBR3cQ0I/AAAAAAAAZso/3FpWTRi8rYU/s1600/CapTipperScreenShot.png\r\n\r\n![ScreenShot]\r\n***\r\n### Analysis Example\r\n\r\n```sh\r\nUsage: ./CapTipper.py \u003cPCAP_file\u003e [-p] [web_server_port=80]\r\n```\r\nLet's analyze the following Nuclear EK drive-by infection PCAP [2014-11-06-Nuclear-EK-traffic.pcap](http://malware-traffic-analysis.net/2014/11/06/2014-11-06-Nuclear-EK-traffic.pcap.zip)\r\n```sh\r\nC:\\CapTipper\u003e CapTipper.py \"C:\\NuclearFiles\\2014-11-06-Nuclear-EK-traffic.pcap\"\r\n\r\nCapTipper v0.1 - Malicious HTTP traffic explorer tool\r\nCopyright 2015 Omri Herscovici \u003comriher@gmail.com\u003e\r\n\r\n[A] Analyzing PCAP: C:\\NuclearFiles\\2014-11-06-Nuclear-EK-traffic.pcap\r\n\r\n[+] Traffic Activity Time: Thu, 11/06/14 17:02:35\r\n[+] Conversations Found:\r\n\r\n0: / -\u003e text/html (0.html) [5509 B]\r\n1: /wp-includes/js/jquery/jquery.js?ver=1.7.2 -\u003e application/javascript (jquery.js) [39562 B]\r\n2: /seedadmin17.html -\u003e text/html (seedadmin17.html) [354 B]\r\n3: /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html -\u003e text/html (15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html) [113149 B]\r\n4: /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg -\u003e image/jpeg (MetroWest_COVER_Issue2_Feb2014.jpg) [350008 B]\r\n5: /images/footer/3000melbourne.png -\u003e image/png (3000melbourne.png) [2965 B]\r\n6: /images/footer/3207portmelbourne.png -\u003e image/png (3207portmelbourne.png) [3092 B]\r\n7: /wp-content/uploads/2012/09/background1.jpg -\u003e image/jpeg (background1.jpg) [33112 B]\r\n8: /00015d76d9b2rr9f/1415286120 -\u003e application/octet-stream (00015d76.swf) [31579 B]\r\n9: /00015d766423rr9f/1415286120 -\u003e application/pdf (XykpdWhZZ2.pdf) [9940 B]\r\n10: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 -\u003e application/octet-stream (5.exe) [139264 B]\r\n11: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 -\u003e application/octet-stream (5.exe) [139264 B]\r\n12: /00015d76rr9f/1415286120/7 -\u003e application/octet-stream (7.exe) [139264 B]\r\n13: /00015d761709rr9f/1415286120 -\u003e application/octet-stream (00015d76.swf) [8064 B]\r\n14: /00015d76rr9f/1415286120/8 -\u003e application/octet-stream (8.exe) [139264 B]\r\n\r\n\r\n[+] Started Web Server on http://localhost:80\r\n[+] Listening to requests...\r\n\r\nCapTipper Interpreter\r\nType 'open \u003cconversation id\u003e' to open address in browser\r\ntype 'hosts' to view traffic flow\r\nType 'help' for more options\r\n\r\nCT\u003e\r\n```\r\nThe Initialization outputs the conversations found between the client and the server in the following format:\r\n\r\n**[ID] : REQUEST URI -\u003e SERVER RESPONSE TYPE (FILENAME) [SIZE IN BYTES]**\r\n\r\n**ID**: An assigned Id to the specific conversation  \r\n**REQUEST URI**: The URI that was sent to the server in the GET request  \r\n**SERVER RESPONSE TYPE**: The content-type returned in the server response header  \r\n**FILENAME**: The filename can be a few things:  \r\n  1. Filename attribute given in the response header\r\n  2. Derived from the URI\r\n  3. Assigned by CapTipper if couldn't find any of the above\r\n  \r\n**SIZE IN BYTES**: Response body size\r\n\r\nAfter Initalization, 2 things occur:  \r\n  1. CapTipper creates a pseudo-web server that behaves like the web server in the pcap\r\n  2. An Interpreter is launched\r\n  \r\nThe interpreter contains internal tools for further investigation of the objects in the pcap.\r\n\r\nOpening a URI in the browser is simply by typing 'open' along with the object id\r\n```sh\r\nCT\u003e open 0\r\nCT\u003e log\r\n[2015-01-09T18:01:28.878000] 127.0.0.1 : GET / HTTP/1.1\r\n```\r\n* None of the commands (Except 'open') actually requires the server to be running. You can turn off the server by typing 'server off' or by adding -s when calling CapTipper.  \r\n\r\nLet's see what can we find out without using the browser.  \r\nFirst, we'll take a bird's-eye view on the traffic by using the command 'hosts'\r\n```sh\r\nCT\u003e hosts\r\nFound Hosts:\r\n\r\n www.magmedia.com.au\r\n ├-- /   [0]\r\n ├-- /wp-includes/js/jquery/jquery.js?ver=1.7.2   [1]\r\n ├-- /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg   [4]\r\n ├-- /images/footer/3000melbourne.png   [5]\r\n ├-- /images/footer/3207portmelbourne.png   [6]\r\n └-- /wp-content/uploads/2012/09/background1.jpg   [7]\r\n\r\n\r\n pixeltouchstudios.tk\r\n └-- /seedadmin17.html   [2]\r\n\r\n\r\n grannityrektonaver.co.vu\r\n ├-- /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html   [3]\r\n ├-- /00015d76d9b2rr9f/1415286120   [8]\r\n ├-- /00015d766423rr9f/1415286120   [9]\r\n ├-- /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6   [10]\r\n ├-- /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1   [11]\r\n ├-- /00015d76rr9f/1415286120/7   [12]\r\n ├-- /00015d761709rr9f/1415286120   [13]\r\n └-- /00015d76rr9f/1415286120/8   [14]\r\n```\r\nIt seems that **www.magmedia.com.au** is the compromised site.\r\n\r\nBy crossing this information and the file types we got in the conversations list, it looks like **grannityrektonaver.co.vu** is the infecting host.\r\n\r\nThen what is **pixeltouchstudios.tk** ?\r\n\r\nWell, knowing how exploit-kits usually work, this is probably the TDS (Traffic Distribution System) server.  \r\nLet's take a closer look.\r\n\r\nWe can print the header and the body of the page by typing 'head' and 'body':\r\n```sh\r\nCT\u003e head 2\r\nDisplaying header of object 2 (seedadmin17.html):\r\n\r\nHTTP/1.1 302 Found\r\nServer: nginx\r\nDate: Thu, 06 Nov 2014 15:02:38 GMT\r\nContent-Type: text/html; charset=iso-8859-1\r\nContent-Length: 354\r\nConnection: keep-alive\r\nSet-Cookie: ehihm=_YocADE3AAIAAgCvjVtU__.vjVtUQAABAAAAr41bVAA-; expires=Fri, 06-Nov-2015 15:03:11 GMT; path=/; domain=pixeltouchstudios.tk\r\nLocation: http://grannityrektonaver.co.vu/15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html\r\n\r\nCT\u003e body 2\r\nDisplaying body of object 2 (seedadmin17.html) [256 bytes]:\r\n\r\n\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\r\n\u003chtml\u003e\u003chead\u003e\r\n\u003ctitle\u003e302 Found\u003c/title\u003e\r\n\u003c/head\u003e\u003cbody\u003e\r\n\u003ch1\u003eFound\u003c/h1\u003e\r\n\u003cp\u003eThe document has moved \u003ca href=\"http://grannityrektonaver.co.vu/15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\r\n\u003chr\r\n```\r\n* By deafult, the body command returns the first 256 byte, you can change it by typing body 2 1000 - this will print the first 1000 bytes\r\n\r\nWe see that object 2, returns a *302 redirection* to the infecting host.  \r\nSo our hypothesis was probably true.\r\n\r\nLet's get more information on object 2 by typing 'info':\r\n```sh\r\nCT\u003e info 2\r\nInfo of conversation 2:\r\n\r\n SERVER IP   : 108.61.196.84:80\r\n HOST        : pixeltouchstudios.tk\r\n URI         : /seedadmin17.html\r\n REFERER     : http://www.magmedia.com.au/\r\n RESULT NUM  : 302 Found\r\n RESULT TYPE : text/html\r\n FILE NAME   : seedadmin17.html\r\n LENGTH      : 354 B\r\n```\r\nThe referrer to that page was of course **magmedia.co.au**, but what exactly redirected us?\r\n\r\nBy looking at the conversations it was probably either the index page or the javascript file.  \r\nLet's have a quick peek at the javascript file (object 1)\r\n```sh\r\nCT\u003e body 1 \r\nDisplaying body of object 1 (jquery.js) [256 bytes]:\r\n\r\n▼     ♦♥─╜i{#╟ס╢√}~♣X╓t♥═\"HJצg♀░→o½%Y▓╡ם║m┘CR║\r\n@a!▒P ╪כ        ╬o?≈‼╣TJ≥£≈\\g╞jó╢\\\"#cן╚πg ÷ry≤~5↔O6םµ╦Vπ├ףף h|╛*ך╞½σh≤6_§ם╧ק╖כa╛ש.↨iπ╦┼á▌רl67¥ππ╤z╘^«╞╟ ÷∞°▀F╖כב▐hלכ═╦σ≥zZ4≤╓▌¢|╒Φg├σαv^,6φב=h╧≤═`╥\\¶o\r\n←▀↨π╧▐▌4ףf»≤π╢█h%חy{U▄╠≥A╤\u003cn₧_┤?Φ=█▐▌_4/Z↨τ↨ק↨↨↨╟↨ח?^╢מ╟irq±┴i\r\n```\r\nHmm... What's going on? Let's look at the header\r\n```sh\r\nCT\u003e head 1\r\nDisplaying header of object 1 (jquery.js):\r\n\r\nHTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nVary: Accept-Encoding\r\nDate: Thu, 06 Nov 2014 15:03:41 GMT\r\nServer: LiteSpeed\r\nAccept-Ranges: bytes\r\nConnection: Keep-Alive\r\nKeep-Alive: timeout=5, max=100\r\nLast-Modified: Mon, 10 Feb 2014 12:34:10 GMT\r\nContent-Type: application/javascript\r\nContent-Length: 39562\r\nCache-Control: public, max-age=604800\r\nExpires: Thu, 13 Nov 2014 15:03:41 GMT\r\n```\r\nThe response is gzipped.  \r\nLet's ungzip it:\r\n```sh\r\nCT\u003e ungzip 1\r\n GZIP Decompression of object 1 (jquery.js) successful!\r\n New object created: 15\r\n```\r\nGreat. a new object was created (15).  \r\nLet's look at it.\r\n```sh\r\nCT\u003e body 15\r\nDisplaying body of object 15 (ungzip-jquery.js) [256 bytes]:\r\n\r\n/*\r\nCopyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/\r\n*/\r\nfunction getCookie(a){var b=document.cookie.match(new RegExp(\"(?:^|; )\"+a.replace(/([\\.$?*|{}\\(\\)\\[\\]\\\\\\/\\+^])/g,\"\\\\$1\")+\"=([^;]*)\"));return b?decodeU\r\nRIComponent(b[1]):undefined}(funct\r\n```\r\nSo this is the ungzipped version of the JS file.  \r\nRemember, we want to find out what redirected us to the TDS,  \r\nSafe to assume it was an iframe, so let's search for iframes in the new object using the command 'iframes'\r\n```sh\r\nCT\u003e iframes 15\r\nSearching for iframes in object 15 (ungzip-jquery.js)...\r\n 1 Iframe(s) Found!\r\n\r\n [I] 1 : http://pixeltouchstudios.tk/seedadmin17.html\r\n```\r\nThere you go, the attacker planted/altered this javascript and made it send the users to the TDS.\r\n\r\nNow let's take a look at the files from the infecting server.  \r\ntyping 'convs' again will display the conversations:\r\n```sh\r\nCT\u003e convs\r\nConversations Found:\r\n\r\n0: / -\u003e text/html (0.html) [5509 B]\r\n1: /wp-includes/js/jquery/jquery.js?ver=1.7.2 -\u003e application/javascript (jquery.js) [39562 B]\r\n2: /seedadmin17.html -\u003e text/html (seedadmin17.html) [354 B]\r\n3: /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html -\u003e text/html (15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html) [113149 B]\r\n4: /wp-content/uploads/2014/01/MetroWest_COVER_Issue2_Feb2014.jpg -\u003e image/jpeg (MetroWest_COVER_Issue2_Feb2014.jpg) [350008 B]\r\n5: /images/footer/3000melbourne.png -\u003e image/png (3000melbourne.png) [2965 B]\r\n6: /images/footer/3207portmelbourne.png -\u003e image/png (3207portmelbourne.png) [3092 B]\r\n7: /wp-content/uploads/2012/09/background1.jpg -\u003e image/jpeg (background1.jpg) [33112 B]\r\n8: /00015d76d9b2rr9f/1415286120 -\u003e application/octet-stream (00015d76.swf) [31579 B]\r\n9: /00015d766423rr9f/1415286120 -\u003e application/pdf (XykpdWhZZ2.pdf) [9940 B]\r\n10: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6 -\u003e application/octet-stream (5.exe) [139264 B]\r\n11: /00015d76rr9f/1415286120/5/x00809070554515d565b010b03510053535c0505;1;6;1 -\u003e application/octet-stream (5.exe) [139264 B]\r\n12: /00015d76rr9f/1415286120/7 -\u003e application/octet-stream (7.exe) [139264 B]\r\n13: /00015d761709rr9f/1415286120 -\u003e application/octet-stream (00015d76.swf) [8064 B]\r\n14: /00015d76rr9f/1415286120/8 -\u003e application/octet-stream (8.exe) [139264 B]\r\n```\r\nSo what do we have here...  \r\nlooks like we have 1 PDF file, 2 SWF files, and 4 EXE files that were probably downloaded by the shellcode.\r\n\r\nWe can dump all the files to a folder for deeper inspection using the 'dump' function, we can add '-e' to refrain from dumping the EXE files, so we won't accidentally launch them.\r\n```sh\r\nCT\u003e dump all c:\\NuclearFiles -e\r\n Object 0 written to c:\\NuclearFiles\\0-0.html\r\n Object 1 written to c:\\NuclearFiles\\1-jquery.js\r\n Object 2 written to c:\\NuclearFiles\\2-seedadmin17.html\r\n Object 3 written to c:\\NuclearFiles\\3-15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html\r\n Object 4 written to c:\\NuclearFiles\\4-MetroWest_COVER_Issue2_Feb2014.jpg\r\n Object 5 written to c:\\NuclearFiles\\5-3000melbourne.png\r\n Object 6 written to c:\\NuclearFiles\\6-3207portmelbourne.png\r\n Object 7 written to c:\\NuclearFiles\\7-background1.jpg\r\n Object 8 written to c:\\NuclearFiles\\8-00015d76.swf\r\n Object 9 written to c:\\NuclearFiles\\9-XykpdWhZZ2.pdf\r\n Object 13 written to c:\\NuclearFiles\\13-00015d76.swf\r\n Object 15 written to c:\\NuclearFiles\\15-ungzip-jquery.js\r\n```\r\nAs you can see, it also dumps the newly created ungzipped javascript file.\r\n\r\nWe can also examing the files using CapTipper.  \r\nLet's take a look at the first SWF file using 'hexdump'.\r\n```sh\r\nCT\u003e hexdump 8\r\nDisplaying hexdump of object 8 (00015d76.swf) body [256 bytes]:\r\n\r\n0000   5A 57 53 17 E4 1B 01 01 4A 7B 00 00 5D 00 00 00    ZWS.....J{..]...\r\n0010   01 00 3B FF FC 8E 19 FA DF E7 66 08 A0 3D 3E 85    ..;.......f..=\u003e.\r\n0020   F5 75 6F D2 74 6B 7F 7F 31 2C 92 04 FD 10 0A EE    .uo.tk..1,......\r\n0030   E2 C5 C2 C9 4C 83 91 74 AE C8 7C 80 F6 31 A6 CE    ....L..t..|..1..\r\n0040   C0 15 CB 62 8D 76 42 8B 28 96 D3 83 FE 20 DE 57    ...b.vB.(.... .W\r\n0050   7B E4 D2 F1 D8 BC E6 45 CF DC 7B 79 38 41 60 1F    {......E..{y8A`.\r\n0060   0A E9 E4 10 8B F8 DA 0D A6 32 CF E1 E6 E9 78 AB    .........2....x.\r\n0070   8B A7 8A C5 62 8F 0B 31 84 41 10 75 B1 33 35 9D    ....b..1.A.u.35.\r\n0080   6E BA 30 B8 AE EB 78 33 31 67 36 42 01 36 4A A3    n.0...x31g6B.6J.\r\n0090   C8 CB 29 B5 36 6E BF A7 D2 3B 9F 5C 6B A8 4A 9F    ..).6n...;.\\k.J.\r\n00A0   A5 59 5F 7F 43 98 39 43 E8 90 69 C7 9D 84 3A 9C    .Y_.C.9C..i...:.\r\n00B0   36 1D E6 12 F8 EB 03 EA F4 59 2A FD 71 9F 15 DB    6........Y*.q...\r\n00C0   4B F3 C3 C4 4C 70 11 A1 19 25 C8 79 6E 4A 5E 4C    K...Lp...%.ynJ^L\r\n00D0   10 F5 A2 F9 1A E0 18 42 9D 87 9D 39 12 39 57 89    .......B...9.9W.\r\n00E0   CF EF 41 78 2E 57 88 C9 A5 BA F2 0E FC E0 5E B5    ..Ax.W........^.\r\n00F0   66 0C B4 7E A2 0B C4 D7 65 F8 12 57 98 58 16 16    f..~....e..W.X..\r\n```\r\nNow let's take a look at the second one:\r\n```sh\r\nCT\u003e hexdump 13\r\nDisplaying hexdump of object 13 (00015d76.swf) body [256 bytes]:\r\n\r\n0000   50 4B 03 04 14 00 00 08 08 00 81 7A 5D 45 6F 8B    PK.........z]Eo.\r\n0010   BE 6C D2 00 00 00 6B 01 00 00 10 00 00 00 41 70    .l....k.......Ap\r\n0020   70 4D 61 6E 69 66 65 73 74 2E 78 61 6D 6C 85 8F    pManifest.xaml..\r\n0030   C1 4A 03 31 10 86 EF 42 DF 21 E4 01 92 50 6A 95    .J.1...B.!...Pj.\r\n0040   C5 2D 14 F4 2A A5 8A F7 98 9D DA 60 66 12 32 69    .-..*......`f.2i\r\n0050   9B 7D 36 0F 3E 92 AF E0 D6 A2 EC 61 C1 EB 37 FF    .}6.\u003e......a..7.\r\n0060   C7 C7 7C 7D 7C DE DD 43 0A B1 47 A0 22 2A 06 E2    ..|}|..C..G.\"*..\r\n0070   56 EE 4B 49 8D D6 EC F6 80 96 15 7A 97 23 C7 5D    V.KI.......z.#.]\r\n0080   51 2E A2 76 C1 0F 53 3D 37 E6 46 77 7F AA BC B8    Q..v..S=7.Fw....\r\n0090   4D FD C7 3E 79 DA D5 B3 BC D4 D5 62 90 E2 81 4A    M..\u003ey......b...J\r\n00A0   EE 37 D1 53 59 33 03 BE 86 BE 95 15 F2 D1 A2 25    .7.SY3.........%\r\n00B0   48 B0 00 7A F7 E3 D5 73 9F A0 95 96 BB 37 EE D4    H..z...s.....7..\r\n00C0   3A 25 29 B6 07 2A 1E E1 05 32 FB 48 AD 5C 28 A3    :%)..*...2.H.\\(.\r\n00D0   AE CD ED 7C A9 8C 5C CD AE 84 18 7D A8 36 36 17    ...|..\\....}.66.\r\n00E0   FE A1 03 FF 2D 9E A1 A8 CD A3 45 98 8A 3F C5 43    ....-.....E..?.C\r\n00F0   76 13 17 D5 85 E1 01 7D 69 E8 89 C8 18 AE BE 01    v......}i.......\r\n```\r\nInteresting... This file starts with the 'PK' magic bytes, meaning it's actually a zip file, which can be a few things.\r\n\r\nLet's take a look at the files inside the zip using the command 'ziplist'\r\n```sh\r\nCT\u003e ziplist 13\r\n 2 Files found in zip object 13 (00015d76.swf):\r\n\r\n [Z] 1 : AppManifest.xaml\r\n [Z] 2 : xervamanepe4enki.dll\r\n```\r\nWell it seems that this is actually a Silverlight exploit.  \r\nNow we can dump it with it's real extension:\r\n```sh\r\nCT\u003e dump 13 c:\\NuclearFiles\\Silver_exp.xap\r\n Object 13 written to c:\\NuclearFiles\\Silver_exp.xap\r\n```\r\nWe can also send the file's md5 hash to VirusTotal to see if it is recognized by any of the Anti-Virus providers, using the command 'vt'.  \r\nThese requires a VirusTotal public API key.  \r\n(The file itself isn't sent to VT, only the hash of the file is sent!)\r\n```sh\r\nCT\u003e vt 13\r\n VirusTotal result for object 13 (00015d76.swf):\r\n\r\n Detection: 37/56\r\n Last Analysis Date: 2014-12-11 13:15:33\r\n Report Link: https://www.virustotal.com/file/5bcb20f506ce854eb3191ca87a14c5777cdcb0f96ffec0b6...\r\n\r\n Scan Result:\r\n        MicroWorld-eScan        Trojan.GenericKD.1962112        12.0.250.0      20141211\r\n        nProtect        Trojan.GenericKD.1962112        2014-12-11.01   20141211\r\n        CAT-QuickHeal   Trojan.Generic.r3       14.00   20141210\r\n        McAfee  RDN/Generic Exploit!1ns 6.0.5.614       20141211\r\n        Malwarebytes    Trojan.Agent    1.75.0.1        20141211\r\n        VIPRE   Trojan.Win32.Generic!BT 35624   20141211\r\n        K7AntiVirus     Exploit ( 004b06661 )   9.186.14309     20141211\r\n        K7GW    Exploit ( 004b06661 )   9.186.14308     20141211\r\n        Agnitum Exploit.CVE-2013-0074!  5.5.1.3 20141210\r\n        F-Prot  W32/CVE130074.I 4.7.1.166       20141211\r\n        Symantec        Trojan.Gen.2    20141.1.0.330   20141211\r\n        Norman  CVE-2013-0074.D 7.04.04 20141211\r\n        TotalDefense    Win32/Tnega.DPSQOR      37.0.11324      20141211\r\n        TrendMicro-HouseCall    Suspicious_GEN.F47V1112 9.700.0.1001    20141211\r\n        Avast   Win32:Malware-gen       8.0.1489.320    20141211\r\n        ClamAV  SILVERLIGHT.Exploit.Nuclear     0.98.5.0        20141211\r\n        BitDefender     Trojan.GenericKD.1962112        7.2     20141211\r\n        NANO-Antivirus  Exploit.Win32.CVE20130074.dikfyh        0.28.6.63850    20141211\r\n        Ad-Aware        Trojan.GenericKD.1962112        12.0.163.0      20141211\r\n        Sophos  Mal/Generic-S   4.98.0  20141211\r\n        Comodo  UnclassifiedMalware     20333   20141211\r\n        F-Secure        Trojan.GenericKD.1962112        11.0.19100.45   20141211\r\n        DrWeb   Exploit.CVE2013-0074.36 7.0.10.8210     20141211\r\n        McAfee-GW-Edition       RDN/Generic Exploit!1ns v2014.2 20141211\r\n        Emsisoft        Trojan.GenericKD.1962112 (B)    3.0.0.600       20141211\r\n        Cyren   W32/CVE130074.MCZQ-2806 5.4.1.7 20141211\r\n        Avira   EXP/Silverlight.Gen2    7.11.194.74     20141211\r\n        Antiy-AVL       Trojan/Win32.SGeneric   1.0.0.1 20141211\r\n        Microsoft       Exploit:MSIL/CVE-2013-0074.F    1.11202 20141211\r\n        GData   Trojan.GenericKD.1962112        24      20141211\r\n        ALYac   Exploit.CVE-2013-0074   1.0.1.4 20141211\r\n        AVware  Trojan.Win32.Generic!BT 1.5.0.21        20141211\r\n        Panda   Exploit/CVE-2013-0074   4.6.4.2 20141211\r\n        ESET-NOD32      a variant of Win32/Exploit.CVE-2013-0074.BZ     10861   20141211\r\n        Ikarus  Exploit.CVE-2013-0074   T3.1.8.5.0      20141211\r\n        AVG     Exploit_c.ABKR  15.0.0.4235     20141211\r\n        Baidu-International     Trojan.Win32.CVE-2013-0074.bBZ  3.5.1.41473     20141211\r\n```\r\nWe notice that most of the Anti-Viruses detected this file as malicious, while some even provided the exploit CVE (2013-0074).  \r\n* If you don't have a VirusTotal public API key, you can use the command 'hashes', and manually send the hash to VirusTotal.\r\n\r\n***\r\n### Info\r\n\r\nWritten By Omri Herscovici\r\n\r\nPlease open an issue for bugs.  \r\nI would be happy to accept suggestions and feedback to my mail :)  \r\n\r\nCapTipper: http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html  \r\nEmail: omriher [at] gmail.com  \r\nTwitter: [@omriher](https://twitter.com/omriher)\r\n\r\n\r\n\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomriher%2Fcaptipper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fomriher%2Fcaptipper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomriher%2Fcaptipper/lists"}