optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

When attempting to use CS beacon64.bin as input for HTA output only JSfile() output is in file #21

Closed ghost closed 3 years ago

ghost commented 3 years ago

Input: ./ScareCrow -I /root/tools/b64.bin -Loader wscript -O loader.hta -domain microsoft.com

Output: (screenshot attachment "Capture", not included on this page)

Thoughts: Tested 3 times. The file output only appears to show code from Structs.go JSfile(); the code from HTA() does not appear in the file. I could be using it wrong or something, but I think the expected output would use some of the HTA() code (at least for the HTML). Might help solve issue #19.

Interesting output found during testing (file extension left blank): (screenshot attachment "Capture2", not included on this page)

Tylous commented 3 years ago

So the -O flag specifies the file to write the loader to. Because you defined the -Loader to be wscript, it's going to treat the output file name as a jscript file. If you put no file extension it will still treat it as a jscript file but provide an additional message about the extension. For it to generate the HTA() code you need to specify the -delivery hta command-line argument with the -url of where you are going to host it. With that delivery flag set to hta it will generate the HTA() code.

ghost commented 3 years ago

Gotcha, makes sense. Thank you.