Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/vysecurity/morphhta
morphHTA - Morphing Cobalt Strike's evil.HTA
- Host: GitHub
- URL: https://github.com/vysecurity/morphhta
- Owner: vysecurity
- Created: 2017-02-24T11:27:00.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2023-04-14T19:15:57.000Z (almost 2 years ago)
- Last Synced: 2025-01-18T22:40:57.829Z (8 days ago)
- Topics: application, cobalt, evil, hta, html, malware, strike
- Language: Python
- Size: 1.95 MB
- Stars: 520
- Watchers: 26
- Forks: 128
- Open Issues: 3
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README
Disclaimer
==========
As usual, this code and tool should not be used for malicious purposes.

Written by Vincent Yiu of MDSec Consulting's ActiveBreach team. Modification of code is allowed with credits to author.
Explorer and SWBemLocator COM Moniker research is by @enigma0x3
morphHTA
========
Usage:
```
usage: morph-hta.py [-h] [--in ] [--out ]
                    [--maxstrlen ] [--maxvarlen ]
                    [--maxnumsplit ]

optional arguments:
  -h, --help      show this help message and exit
  --in            File to input Cobalt Strike PowerShell HTA
  --out           File to output the morphed HTA to
  --maxstrlen
                  Max length of randomly generated strings
  --maxvarlen
                  Max length of randomly generated variable names
  --maxnumsplit
                  Max number of times values should be split in chr
                  obfuscation
```
Examples:
=========
```
/morphHTA# python morph-hta.py
███╗ ███╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██╗ ██╗████████╗ █████╗
████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██║ ██║ ██║ ██║╚══██╔══╝██╔══██╗
██╔████╔██║██║ ██║██████╔╝██████╔╝███████║█████╗███████║ ██║ ███████║
██║╚██╔╝██║██║ ██║██╔══██╗██╔═══╝ ██╔══██║╚════╝██╔══██║ ██║ ██╔══██║
██║ ╚═╝ ██║╚██████╔╝██║ ██║██║ ██║ ██║ ██║ ██║ ██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝

Morphing Evil.HTA from Cobalt Strike
Author: Vincent Yiu (@vysec, @vysecurity)

[*] morphHTA initiated
[+] Writing payload to morph.hta
[+] Payload written
```
Reduce the maximum variable name length and the maximum randomly generated string length to shrink the overall size of the HTA output:
`/morphHTA# python morph-hta.py --maxstrlen 4 --maxvarlen 4`
Limit the maximum number of splits in the chr() obfuscation; this reduces the number of additions performed and so shortens the output:
`/morphHTA# python morph-hta.py --maxnumsplit 4`
Change the input and output files:
`/morphHTA# python morph-hta.py --in advert.hta --out advert-morph.hta`
Video how to
============
https://www.youtube.com/watch?v=X4S2aQ4o_jA

VirusTotal Example
==================
I suggest not uploading to VT:
Example of Obfuscated HTA content
=================================