[Overall]
# Options ENV, OTP
Encryption_Type = ENV
# Template output: GO, Python, OR PowerShell
output_type = powershell
# Number of bytes subtracted from the reconstructed payload that will be the
# sha512 checksum used when checking the file before executing the payload.
minus_bytes = 1
# type of file being fed (payload) - also determines execution
# Python: EXE, DLL_x86, DLL_x64 are written to disk
# GO: Nothing is written to disk
# OPTIONS for GO: EXE, DLL_x86, DLL_x64, SHELLCODE
# OPTIONS for PYTHON: EXE, SHELLCODE, CODE, FILE_DROP
# OPTIONS for PowerShell: CODE, DLL_x86, DLL_x64, EXE, FILE_DROP
payload_type = shellcode
# key_iterations is for otp_type = key and for symmetric_settings_win
# It is the number of times that the key hash is iterated via sha512 before being used
# as the encryption key. NOT available to otp_type = full
key_iterations = 10000
# Clean the resulting loaders from comments and print statements
# This will make the runs faster and not display status information on the victim host
# Most useful once payloads have been tested and are ready for deployment
# Values Bool: True or False
clean_output = False
[otp_settings]
# otp is simple, provide one time pad, type, and starting search location
# type is full otp to reconstruct the malware in memory, or an offset in the file for a symmetric key
otp_type = key # OPTIONS: full, key
# File for use with otp
pad = 'cmd.exe'
# Max pad size: Decide the largest pad size to use.
# The maximum supported value is 256 ** 3 - 1 (16777215 or 0xffffff)
# Too small might be a bad idea...
pad_max = 0xffffff
# starting location in the path to start looking if walking the path
scan_dir = 'c:\windows\sysnative'#'%APPDATA%'
# For use with FULL OTP:
# Number of max bytes for matching the payload against the OTP
# -- larger byte width equals possible smaller lookup table but longer build times
byte_width = 9
[symmetric_settings_win]
# AES-CFB-256 key derived from a combination of any of the following settings.
# Any of the following can be used, the more specific to your target the better.
# set the value to '' if you do not want to use that value
# This is not a permanent list. Any env variable can be added below.
# If you want the env variable to be used, give it a value.
# These are case insensitive.
[[ENV_VAR]]
username = 'admin'
computername = ''
homepath = ''
homedrive = ''
Number_of_processors = ''
processor_identifier = ''
processor_revision = ''
userdomain = 'DESKTOP-E1D6G0A'
systemdrive = ''
userprofile = ''
path = ''
temp = ''
[[PATH]]
# Check if a path exists on the workstation
# Only one path can be used. This is immutable. To use, give it a value and a start location.
# This is the path that will be used as part of the key
path = ''
# You can provide Env Variables that are associated with a path for the start_loc,
# such as %TEMP%, %APPDATA%, %PROGRAMFILES%
# You Must use the %ENV VAR% when using env vars for paths!
# Examples: C:\Windows, C:\Program Files, %APPDATA%
start_loc = '%HOMEPATH%'
[[IP_RANGES]]
# Network mask for external enumeration 22.23.0.0
# IP mask should not be used alone; on its own it is simpler to brute force.
# Support for only 24 16 8 masks or exact ip
# 12.12.0.0 or 12.12.12.12 or 12.12.0.0 or 12.0.0.0
external_ip_mask = ''
[[SYSTEM_TIME]]
# Time Range with BEGIN and END in EPOCH
# Should be used with another variable
# This is a mask: 20161001 or 20161000 or 20160000
# YEAR, MONTH, DAY
Time_Range = ''