
vysecurity / Morphhta

morphHTA - Morphing Cobalt Strike's evil.HTA

Programming Languages

python

Projects that are alternatives of or similar to Morphhta

Awesome Cybersecurity Datasets
A curated list of amazingly awesome Cybersecurity datasets
Stars: ✭ 380 (-13.24%)
Mutual labels:  malware
Freek.dev
The sourcecode of freek.dev
Stars: ✭ 407 (-7.08%)
Mutual labels:  application
Emp3r0r
linux post-exploitation framework made by linux user
Stars: ✭ 419 (-4.34%)
Mutual labels:  malware
Spectro
🎶 Real-time audio spectrogram generator for the web
Stars: ✭ 383 (-12.56%)
Mutual labels:  application
Dex Oracle
A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis
Stars: ✭ 398 (-9.13%)
Mutual labels:  malware
Maltrail
Malicious traffic detection system
Stars: ✭ 4,296 (+880.82%)
Mutual labels:  malware
Virii
Collection of ancient computer virus source codes
Stars: ✭ 378 (-13.7%)
Mutual labels:  malware
Gobot2
Second Version of The GoBot Botnet, But more advanced.
Stars: ✭ 431 (-1.6%)
Mutual labels:  malware
Binee
Binee: binary emulation environment
Stars: ✭ 408 (-6.85%)
Mutual labels:  malware
Domain generation algorithms
Some results of my DGA reversing efforts
Stars: ✭ 417 (-4.79%)
Mutual labels:  malware
Engine
Droidefense: Advance Android Malware Analysis Framework
Stars: ✭ 386 (-11.87%)
Mutual labels:  malware
Xeexe Topantivirusevasion
Undetectable & Xor encrypting with custom KEY (FUD Metasploit Rat) bypass Top Antivirus like BitDefender,Malwarebytes,Avast,ESET-NOD32,AVG,... & Automatically Add ICON and MANIFEST to excitable
Stars: ✭ 387 (-11.64%)
Mutual labels:  malware
Malware analysis
Various snippets created during malware analysis
Stars: ✭ 413 (-5.71%)
Mutual labels:  malware
Drakvuf Sandbox
DRAKVUF Sandbox - automated hypervisor-level malware analysis system
Stars: ✭ 384 (-12.33%)
Mutual labels:  malware
Trojancockroach
A Stealthy Trojan Spyware
Stars: ✭ 424 (-3.2%)
Mutual labels:  malware
Wtf
Real-time WTF status
Stars: ✭ 379 (-13.47%)
Mutual labels:  application
Fcl
FCL (Fileless Command Lines) - Known command lines of fileless malicious executions
Stars: ✭ 409 (-6.62%)
Mutual labels:  malware
Fireelf
fireELF - Fileless Linux Malware Framework
Stars: ✭ 435 (-0.68%)
Mutual labels:  malware
Wahh extras
The Web Application Hacker's Handbook - Extra Content
Stars: ✭ 428 (-2.28%)
Mutual labels:  application
Getdown
Download, Install, Update
Stars: ✭ 416 (-5.02%)
Mutual labels:  application

Disclaimer

As usual, this code and tool should not be used for malicious purposes.

Written by Vincent Yiu of MDSec Consulting's ActiveBreach team. Modification of code is allowed with credits to author.

Explorer and SWBemLocator COM Moniker research is by @enigma0x3

morphHTA

Usage:

usage: morph-hta.py [-h] [--in <input_file>] [--out <output_file>]
                    [--maxstrlen <default: 1000>] [--maxvarlen <default: 40>]
                    [--maxnumsplit <default: 10>]

optional arguments:
  -h, --help            show this help message and exit
  --in <input_file>     File to input Cobalt Strike PowerShell HTA
  --out <output_file>   File to output the morphed HTA to
  --maxstrlen <default: 1000>
                        Max length of randomly generated strings
  --maxvarlen <default: 40>
                        Max length of randomly generated variable names
  --maxnumsplit <default: 10>
                        Max number of times values should be split in chr
                        obfuscation

Examples:

/morphHTA# python morph-hta.py
███╗   ███╗ ██████╗ ██████╗ ██████╗ ██╗  ██╗      ██╗  ██╗████████╗ █████╗
████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██║  ██║      ██║  ██║╚══██╔══╝██╔══██╗
██╔████╔██║██║   ██║██████╔╝██████╔╝███████║█████╗███████║   ██║   ███████║
██║╚██╔╝██║██║   ██║██╔══██╗██╔═══╝ ██╔══██║╚════╝██╔══██║   ██║   ██╔══██║
██║ ╚═╝ ██║╚██████╔╝██║  ██║██║     ██║  ██║      ██║  ██║   ██║   ██║  ██║
╚═╝     ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝     ╚═╝  ╚═╝      ╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═╝

Morphing Evil.HTA from Cobalt Strike
Author: Vincent Yiu (@vysec, @vysecurity)


[*] morphHTA initiated
[+] Writing payload to morph.hta
[+] Payload written

Reduce the maximum variable-name length and the maximum randomly generated string length to shrink the overall size of the HTA output:

/morphHTA# python morph-hta.py --maxstrlen 4 --maxvarlen 4

Limit the maximum number of splits used in the chr() obfuscation; this reduces the number of string concatenations and therefore the output length:

/morphHTA# python morph-hta.py --maxnumsplit 4

Change the input and output files:

/morphHTA# python morph-hta.py --in advert.hta --out advert-morph.hta

Video how to

https://www.youtube.com/watch?v=X4S2aQ4o_jA

VirusTotal Example

I suggest not uploading to VT:

Example of Obfuscated HTA content
