Define Protocol from Traffic (XenoRAT)
This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address and port number, simply by looking for traffic that behaves similarly to what it was trained on. We call this Port Independent Protocol Identification (PIPI). You don’t need to define every protocol this way, though, since CapLoader already detects hundreds of different protocols out of the box using PIPI.
The protocol identified in the video is the XenoRAT command-and-control (C2) protocol. The identification was based on a sandbox execution of XenoRATClientScript.js on ANY.RUN. The protocol model was then tested on a PCAP file from a XenoRAT execution on Triage.
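As an added illustration of the idea behind PIPI (not code from this post or from CapLoader), the toy Python below trains a behavioural profile from a few constructed example flows and then classifies other flows without ever looking at their addresses or ports. The `c2_message` framing, the training flows and the test traffic are all invented for the demo and are not XenoRAT's real protocol.

```python
"""Toy port-independent protocol identification (PIPI) from example flows.
Added example, not CapLoader's algorithm; the "C2" framing is constructed."""
import math
import struct
from collections import Counter

N_BYTES = 64  # only the start of each flow is examined, like a handshake

def features(payload: bytes) -> list:
    """Normalised 256-bin byte histogram of the first N_BYTES of a payload."""
    head = payload[:N_BYTES] or b"\x00"
    counts = Counter(head)
    return [counts.get(b, 0) / len(head) for b in range(256)]

def cosine(a: list, b: list) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

def train(examples: list) -> list:
    """Average the feature vectors of example flows into one protocol profile."""
    vecs = [features(p) for p in examples]
    return [sum(col) / len(vecs) for col in zip(*vecs)]

def identify(profile: list, payload: bytes, threshold: float = 0.9) -> bool:
    """True if the payload resembles the trained protocol. IPs and ports are
    deliberately not inputs: the verdict is purely behavioural."""
    return cosine(profile, features(payload)) >= threshold

def c2_message(seq: int, cmd: bytes) -> bytes:
    """Constructed binary framing: magic, length, seq number, padding, command."""
    body = b"\x00" * 8 + cmd.ljust(16, b"\x00")
    return struct.pack("<2sHI", b"C2", len(body), seq) + body

# Constructed training flows: the examples a user would mark as the protocol.
PROFILE = train([c2_message(1, b"ping"), c2_message(2, b"shell"), c2_message(3, b"sysinfo")])
# Constructed test traffic: (description, server port, first client payload).
TEST_FLOWS = [
    ("same framing, port 443", 443, c2_message(7, b"upload")),
    ("same framing, port 24727", 24727, c2_message(9, b"ls")),
    ("HTTP request, port 24727", 24727, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def classify_all() -> dict:
    return {desc: identify(PROFILE, payload) for desc, _port, payload in TEST_FLOWS}

if __name__ == "__main__":
    for desc, verdict in classify_all().items():
        print(f"{desc:26s} -> {'matches profile' if verdict else 'no match'}")
```

A single byte histogram is enough to separate this zero-padded binary framing from HTTP, but it would not tell two similar binary protocols apart, so a real implementation needs richer flow properties than this demo uses.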
IOC List
- Url: hxxps://raw.githubusercontent[.]com/NTCHuy/hack/refs/heads/main/Client.exe
- MD5: e0b465d3bd1ec5e95aee016951d55640
- MD5: 5ab23ac79ede02166d6f5013d89738f9
- C2: Huy1612-24727.portmap[.]io:24727
- C2: 193.161.193.99:24727
- C2: 147.185.221.30:54661
Posted by Erik Hjelmvik on Thursday, 21 August 2025 12:50:00 (UTC/GMT)