|
| 1 | +{ |
| 2 | + "build_identifiers": { |
| 3 | + "watermark": "2300af0c", |
| 4 | + "watermark_hash": "dc7875617e2f4f78b90bb2f6b27ecae1", |
| 5 | + "releasenotes_hash": "5eea44650e8c6b09c2839bd2fb673b61", |
| 6 | + "teamserverimage_hash": "6eebe6e473d3503233aa56f2ce51f5b1" |
| 7 | + }, |
| 8 | + "cfg_caution": false, |
| 9 | + "cleanup": true, |
| 10 | + "crypto_keys": [ |
| 11 | + { |
| 12 | + "key": { |
| 13 | + "e": 65537, |
| 14 | + "n": 116070618613680827767543007135707086679960478161352437237398889210213619957650799256139724346821779955221771018497787437350851212943073252580917521449674952949908997112288951124769476143283501499439094762411645677212939739616717219863204333755606196965328606895969072410712436213717026194008309062925958376343, |
| 15 | + "mode": "PUBLIC", |
| 16 | + "input_format": "DER" |
| 17 | + }, |
| 18 | + "key_relation": "communication", |
| 19 | + "key_type": "RSA" |
| 20 | + } |
| 21 | + ], |
| 22 | + "domain_strategy": "round_robin", |
| 23 | + "exit_funk": 0, |
| 24 | + "http": { |
| 25 | + "get": { |
| 26 | + "verb": "GET", |
| 27 | + "client": { |
| 28 | + "metadata": { |
| 29 | + "step": "5", |
| 30 | + "transforms": [ |
| 31 | + "mask", |
| 32 | + "base64url", |
| 33 | + "prepend \"auth_token2LZS=\"", |
| 34 | + "header \"Cookie\"" |
| 35 | + ] |
| 36 | + }, |
| 37 | + "constants": { |
| 38 | + "header": { |
| 39 | + "1": "x-authorization: HzqAG84mxP3Zwsb", |
| 40 | + "2": "Accept: application/xhtml+xml, application/json, text/html", |
| 41 | + "3": "Accept-Language: nb", |
| 42 | + "4": "Accept-Encoding: compress, *" |
| 43 | + } |
| 44 | + } |
| 45 | + }, |
| 46 | + "server": [ |
| 47 | + "print", |
| 48 | + "append \"929 characters\"", |
| 49 | + "prepend \"910 characters\"", |
| 50 | + "base64url", |
| 51 | + "mask" |
| 52 | + ] |
| 53 | + }, |
| 54 | + "post": { |
| 55 | + "uri": "/Retrieve/v3.85/ZSRNTX1OUI", |
| 56 | + "verb": "POST", |
| 57 | + "chunk": 0, |
| 58 | + "client": { |
| 59 | + "id": { |
| 60 | + "step": "5", |
| 61 | + "transforms": [ |
| 62 | + "mask", |
| 63 | + "netbiosu", |
| 64 | + "parameter \"_CJEUTLWB\"" |
| 65 | + ] |
| 66 | + }, |
| 67 | + "output": { |
| 68 | + "step": "6", |
| 69 | + "transforms": [ |
| 70 | + "mask", |
| 71 | + "netbios", |
| 72 | + "print" |
| 73 | + ] |
| 74 | + }, |
| 75 | + "constants": { |
| 76 | + "header": { |
| 77 | + "1": "x-authorization: HzqAG84mxP3Zwsb", |
| 78 | + "2": "Accept: application/json, application/xhtml+xml, text/html", |
| 79 | + "3": "Accept-Language: ar-ma", |
| 80 | + "4": "Accept-Encoding: gzip, *" |
| 81 | + } |
| 82 | + } |
| 83 | + } |
| 84 | + }, |
| 85 | + "proxy": { |
| 86 | + "behavior": "preconfig" |
| 87 | + }, |
| 88 | + "user_agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36", |
| 89 | + "host_header": "", |
| 90 | + "http_no_cookies": true |
| 91 | + }, |
| 92 | + "is_trial": false, |
| 93 | + "jitter": 35, |
| 94 | + "kill_date_month": 0, |
| 95 | + "max_index": 74, |
| 96 | + "max_retry_strategy": "", |
| 97 | + "maxget": 2798047, |
| 98 | + "obfuscate_sections": [ |
| 99 | + { |
| 100 | + "end": "000289b5", |
| 101 | + "start": "00001000" |
| 102 | + }, |
| 103 | + { |
| 104 | + "end": "00032c11", |
| 105 | + "start": "00029000" |
| 106 | + }, |
| 107 | + { |
| 108 | + "end": "00042020", |
| 109 | + "start": "00033000" |
| 110 | + }, |
| 111 | + { |
| 112 | + "end": "00045060", |
| 113 | + "start": "00043000" |
| 114 | + } |
| 115 | + ], |
| 116 | + "post_ex": { |
| 117 | + "spawn_to_x64": "%windir%\\sysnative\\getmac.exe /V", |
| 118 | + "spawn_to_x86": "%windir%\\syswow64\\getmac.exe /V" |
| 119 | + }, |
| 120 | + "process_inject": { |
| 121 | + "userwx": false, |
| 122 | + "execute": [ |
| 123 | + "CreateThread \"ntdll!RtlUserThreadStart+0x805\"", |
| 124 | + "CreateThread", |
| 125 | + "NtQueueApcThread_s", |
| 126 | + "CreateRemoteThread", |
| 127 | + "RtlCreateUserThread" |
| 128 | + ], |
| 129 | + "startrwx": true, |
| 130 | + "allocator": "NtMapViewOfSection", |
| 131 | + "min_alloc": 11282, |
| 132 | + "bof_allocator": "VirtualAlloc", |
| 133 | + "transform_x64": { |
| 134 | + "append": "660f1f840000000000660f1f840000000000660f1f440000660f1f8400000000000f1f440000", |
| 135 | + "prepend": "0f1f000f1f840000000000660f1f4400000f1f80000000000f1f4000660f1f8400000000000f1f8400000000000f1f8400000000000f1f800000000066900f1f80000000000f1f440000" |
| 136 | + }, |
| 137 | + "transform_x86": { |
| 138 | + "append": "5058660f1f840000000000660f1f4400000f1f8400000000000f1f8000000000669066900f1f4400000f1f4000660f1f4400000f1f8400000000000f1f00", |
| 139 | + "prepend": "660f1f44000050580f1f00660f1f4400000f1f00660f1f84000000000066900f1f000f1f0090" |
| 140 | + }, |
| 141 | + "bof_reuse_memory": true |
| 142 | + }, |
| 143 | + "protocol": "https", |
| 144 | + "sleep_time": 5000, |
| 145 | + "smb_frame_header": "79c154b67db4749eb0e1dd98c265818f8ecc75b985e400000000", |
| 146 | + "tcp_frame_header": "91e46db6ccaa8fe100000000", |
| 147 | + "text_section_end": 1, |
| 148 | + "urls": [ |
| 149 | + { |
| 150 | + "url": "https://nutiensel.com/Dequeue/odbc/1VXDSW2OHJOE", |
| 151 | + "url_type": "cnc" |
| 152 | + }, |
| 153 | + { |
| 154 | + "url": "https://nutiensel.com/Retrieve/v3.85/ZSRNTX1OUI", |
| 155 | + "url_type": "cnc" |
| 156 | + } |
| 157 | + ] |
| 158 | +} |