List of Figures
Figure 1: Drovorub components ............................................................................................................................... 1
Figure 2: Example Drovorub-server configuration file ..................................................................................... 3
Figure 3: Example of the initial Drovorub-client configuration file ............................................................... 4
Figure 4: Example of the Drovorub-client's configuration file with hidden artifacts listed .................. 4
Figure 5: Example initial Drovorub-agent configuration file ........................................................................... 5
Figure 6: Drovorub-agent configuration file after registration with a Drovorub-server ........................ 5
Figure 7: Basic Drovorub JSON payload structure ........................................................................................... 6
Figure 8: WebSocket message structure .............................................................................................................. 7
Figure 9: Initial WebSocket connection and Drovorub authentication session ...................................... 7
Figure 10: HTTP Upgrade request .......................................................................................................................... 8
Figure 11: HTTP 101 Switching Protocols ........................................................................................................... 8
Figure 12: C2 commands for authentication ........................................................................................................ 8
Figure 13: Client "auth.hello" authentication request to Drovorub-server ................................................ 9
Figure 14: Drovorub-server "auth.hello" response to client authentication request............................. 9
Figure 15: Client "auth.login" ("signin" mode) ................................................................................................... 10
Figure 16: Manual generation of passphrase and AES-256 key and IV for "signin" process ........ 10
Figure 17: Manual generation of the “clientid” value ...................................................................................... 10
Figure 18: Manual generation of the HMAC "token" value (“signin” process)...................................... 11
Figure 19: Drovorub-server "auth.pending" response ................................................................................... 11
Figure 20: Client "auth.commit" message........................................................................................................... 12
Figure 21: Drovorub-server "auth.passed" response ..................................................................................... 12
Figure 22: Client "auth.login" - "login" request .................................................................................................. 12
Figure 23: Manual generation of the HMAC “token” value (“login” process) ........................................ 13
Figure 24: Server "auth.passed" response ........................................................................................................ 13
Figure 25: Basic structure of Drovorub communications .............................................................................. 14
Figure 26: Drovorub-server "ping" request ......................................................................................................... 14
Figure 27: Drovorub-client or Drovorub-agent "pong" response ............................................................... 14
Figure 28: File download sequence ...................................................................................................................... 17
Figure 29: File upload sequence ............................................................................................................................ 17
Figure 30: “transfer_request” ................................................................................................................................... 18
Figure 31: “open” .......................................................................................................................................................... 18
Figure 32: “open_success” ....................................................................................................................................... 18
Figure 33: “read” ........................................................................................................................................................... 18
Figure 34: “read_data” ................................................................................................................................................ 19
Figure 35: “close” .......................................................................................................................................................... 19
Figure 36: "file_add_request" .................................................................................................................................. 21
Figure 37: Drovorub-client "net_list_request" sent to Drovorub-server .................................................. 21
Figure 38: Drovorub-server “net_list_reply” sent to Drovorub-client ........................................................ 21
Figure 39: Drovorub-server sends an "open" action to start a command-line shell on a Drovorub-client ..................... 22
Figure 40: Drovorub-client reports successful opening of command-line shell ................................... 23
Figure 41: Drovorub-server sends a shell command ..................................................................................... 23
Figure 42: Drovorub-client responds with results of the shell command ............................................... 23
Figure 43: Drovorub-server sends a "close" action to terminate the shell ............................................. 23
Figure 44: Example “tunnel” setup ........................................................................................................................ 25
Figure 45: "addtun" action ......................................................................................................................................... 26
Figure 46: "open" action ............................................................................................................................................. 26