fixed ramnit

BC-SECURITY · Jun 11, 2023 · 69f1c8f · 69f1c8f
1 parent 5d12580
commit 69f1c8f
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 16 deletions.
diff --git a/Crimeware/ramnit.profile b/Crimeware/ramnit.profile
@@ -49,7 +49,7 @@ http-get {
             prepend "105";
             prepend "<html><head><link rel=\"icon\" type=\"image/gif\" href=\"data:image/gif;base64,";
 
-            append "\"/><meta http-equiv=\"refresh\" content=\"0;URL='http://xn-b1aanbboc3ad8jee4bff.xn--p1ai/gav4.php'\" /></head><body></body></html>";
+            append "\"/><meta http-equiv=\"refresh\" content=\"0;URL=\'http://xn-b1aanbboc3ad8jee4bff.xn--p1ai/gav4.php\'\" /></head><body></body></html>";
 
             print;
         }
@@ -69,18 +69,15 @@ http-post {
 	header "Accept-Language" "en-US";
 	header "Host" "xn--b1aanbboc3ad8jee4bff.xn--p1ai";
 #	header "Connection" "Keep-Alive";
-
-        output {
-            netbios;
-	        print;
 
-        }
-
-
         id {
             netbios;
 	        prepend "http://........../redirect.php?acsc=";
-
+	        header "Referrer";
+        }
+        output {
+            netbios;
+	        print;
         }
     }
 

diff --git a/Crimeware/saefko.profile b/Crimeware/saefko.profile
@@ -89,7 +89,7 @@ http-post {
 	        prepend "\nHTTP/1.1 100 Continue\n\n";
 
         #checked to make sure the misspells were misspelled, uh, correctly?
-            append "irc_channel\":\"null\",\"irc_nickname\":\"jI87fg\",\"irc_password\":\"K8gtr$4\",\"irc_port\":\"6669\",\"irc_server\":\"Setting+up+IRC+service.\",\"machine_active_time\":\"12\",\"machine_artct\":\"x86\",\"machine_bitcoin_value\":\"0\",\"machine_business_value\":\"0\",\"machine_calls_activity\":\"0\",\"machine_camera_activity\":\"8\",\"machine_country_iso_code\":\"8864\",\"machine_creadit_card_posiblty\":\"0\",\"machine_current_time\":\"10:32:45\",\"machine_facebook_activity\":\"0\",\"machine_gaming_value\":\"0\",\"machine_gmail_avtivity\":\"0\",\"machine_googlepluse_activity\":\"0\",\"machine_instgram_activity\":\"0\",\"machine_ip\":\"10.1.23.146\",\"machine_lat\":\"0\",\"machine_lng\":\"eng\",\"machine_os_type\":\"win\",\"machine_register_date\":\"0222\",\"machine_screenshot\":\"1";
+            append "\"irc_channel\":\"null\",\"irc_nickname\":\"jI87fg\",\"irc_password\":\"K8gtr$4\",\"irc_port\":\"6669\",\"irc_server\":\"Setting+up+IRC+service.\",\"machine_active_time\":\"12\",\"machine_artct\":\"x86\",\"machine_bitcoin_value\":\"0\",\"machine_business_value\":\"0\",\"machine_calls_activity\":\"0\",\"machine_camera_activity\":\"8\",\"machine_country_iso_code\":\"8864\",\"machine_creadit_card_posiblty\":\"0\",\"machine_current_time\":\"10:32:45\",\"machine_facebook_activity\":\"0\",\"machine_gaming_value\":\"0\",\"machine_gmail_avtivity\":\"0\",\"machine_googlepluse_activity\":\"0\",\"machine_instgram_activity\":\"0\",\"machine_ip\":\"10.1.23.146\",\"machine_lat\":\"0\",\"machine_lng\":\"eng\",\"machine_os_type\":\"win\",\"machine_register_date\":\"0222\",\"machine_screenshot\":\"1\"";
             print;
         }
     }

diff --git a/Crimeware/trickbot.profile b/Crimeware/trickbot.profile
@@ -49,8 +49,8 @@ http-get {
             prepend "<hr><center>nginx</center>";
             prepend "</body>";
             prepend "</html>";
-            prepend "<!CDATA['=";
-            append "']>";
+            prepend "<!CDATA[\'=";
+            append "\']>";
             append "</html>";
             print;
         }
@@ -78,7 +78,7 @@ http-post {
 
         id {
             base64url;
-	    header "Cookie";
+	        header "Cookie";
 
         }
     }
@@ -103,7 +103,7 @@ http-stager {
         header "Server" "nginx";
         header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
         header "Content-Type" "text/html; charset=utf-8";        
-	header "Connection" "keep-alive";
+	    header "Connection" "keep-alive";
 
     }
 

diff --git a/Normal/slack.profile b/Normal/slack.profile
@@ -92,8 +92,8 @@ http-get {
             append "</div>";
             append "<div id=\"notifications_dismiss_banner\" class=\"banner seafoam_green_bg hidden\">";
             append "We strongly recommend enabling desktop notifications if you’ll be using Slack on this computer.<span class=\"inline_block no_wrap\">";
-            append "<button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close(); TS.ui.banner.growlsPermissionPrompt();\">Enable notifications</button> •";
-            append "<button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close()\">Ask me next time</button> •";
+            append "<button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close(); TS.ui.banner.growlsPermissionPrompt();\">Enable notifications</button>";
+            append "<button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close()\">Ask me next time</button>";
             append "<button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.closeNagAndSetCookie()\">Never ask again on this computer</button>";
             append "</span>";
             append "</div>";