https://github.com/navytitanium/eitest-trigger


# EITest-trigger
**The domain stat-dns.com used in EITest's DGA [has been sinkholed](https://www.proofpoint.com/us/threat-insight/post/eitest-sinkholing-oldest-infection-chain). As a result, the EITest campaign has been shut down since 2018-03-15.**

Trigger content injection on demand from the EITest C2.

This PHP script is based on the original malicious script, but deobfuscated and heavily modified. It fakes a client browsing a website and asks the EITest malware C2 for the content to inject.

It can be used to track malicious campaigns with the bash script provided. See [the latest version here](https://github.com/NavyTitanium/EITest-trigger/tree/master/automated).

## Usage
```
[root@localhost]# php eitest.php "User Agent string"
```
## Output
Faking a Chrome browser:
```
[root@localhost]# php eitest.php "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
injected:
if (!!window.chrome && .....<output omitted>.....setTimeout(dy0,1000);}
```
Faking an IE browser:
```
[root@localhost]# php eitest.php "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
injected:
function GetWindowHeight(){.....<output omitted>.....;initPu();
```