morphHTA - Morphing Cobalt Strike PowerShell Evil HTA Generator
![morphHTA banner](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTmX6tg2hodFvX30lzJ3ynCVUb9D_Au7mhQQHQeDnOfb98YUVaLDuTPuVyAn050bNUMeAgBgXnenVSOfe3wFWg8vjKNuOzOZyaUShQowmsYSveFy6F65lHul3aU9Fcu5q6HCyQ5sDkCN_V/s1600/morphHTA.png)
morphHTA is a Morphing Cobalt Strike PowerShell Evil HTA Generator
Usage:
```text
usage: morph-hta.py [-h] [--in <input_file>] [--out <output_file>]
                    [--maxstrlen <default: 1000>] [--maxvarlen <default: 40>]
                    [--maxnumsplit <default: 10>]

optional arguments:
  -h, --help            show this help message and exit
  --in <input_file>     File to input Cobalt Strike PowerShell HTA
  --out <output_file>   File to output the morphed HTA to
  --maxstrlen <default: 1000>
                        Max length of randomly generated strings
  --maxvarlen <default: 40>
                        Max length of randomly generated variable names
  --maxnumsplit <default: 10>
                        Max number of times values should be split in chr
                        obfuscation
```
Examples:
```text
/morphHTA# python morph-hta.py
███╗ ███╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██╗ ██╗████████╗ █████╗
████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██║ ██║ ██║ ██║╚══██╔══╝██╔══██╗
██╔████╔██║██║ ██║██████╔╝██████╔╝███████║█████╗███████║ ██║ ███████║
██║╚██╔╝██║██║ ██║██╔══██╗██╔═══╝ ██╔══██║╚════╝██╔══██║ ██║ ██╔══██║
██║ ╚═╝ ██║╚██████╔╝██║ ██║██║ ██║ ██║ ██║ ██║ ██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝
Morphing Evil.HTA from Cobalt Strike
Author: Vincent Yiu (@vysec, @vysecurity)
[*] morphHTA initiated
[+] Writing payload to morph.hta
[+] Payload written
```
Reducing the maximum variable-name length and the maximum random string length shrinks the overall size of the HTA output:

```text
/morphHTA# python morph-hta.py --maxstrlen 4 --maxvarlen 4
```
Limiting the number of splits in the chr() obfuscation reduces the number of additions emitted and therefore the output length:

```text
/morphHTA# python morph-hta.py --maxnumsplit 4
```
Change the input and output files:

```text
/morphHTA# python morph-hta.py --in advert.hta --out advert-morph.hta
```
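Defensive counterpart, added here and not part of morphHTA: a small Python checker that unwinds the chr()-with-additions chains this kind of output relies on and measures the random identifier length, so an analyst can triage an HTA statically instead of running it. The `SAMPLE` snippet is constructed in the tool's style (it is not real morphHTA output) and the thresholds in `is_suspicious` are assumptions.

```python
import re

# A single chr() call whose argument may be split into a sum, e.g. chr(50+27+32).
CHR_ARG = re.compile(r"chr\(\s*([\d+\s]+?)\s*\)", re.IGNORECASE)
# A run of such calls joined by VBScript concatenation (+ or &).
_CALL = r"chr\(\s*[\d+\s]+?\s*\)"
CHR_CHAIN = re.compile(_CALL + r"(?:\s*[+&]\s*" + _CALL + r")*", re.IGNORECASE)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

# Constructed sample in the style of the tool's output (not real morphHTA output).
SAMPLE = """<script language="VBScript">
Dim qXvTlpMnzRwKsdEyUaBfGhJcLoPiQr
qXvTlpMnzRwKsdEyUaBfGhJcLoPiQr = chr(50+27+32) + chr(40+71) + chr(114) + chr(10+40+62) + chr(104) + chr(30+42) + chr(84) + chr(60+5)
</script>"""


def decode_chr_chain(chain: str) -> str:
    """Evaluate every chr(a+b+...) in a chain and join the resulting characters."""
    out = []
    for arg in CHR_ARG.findall(chain):
        out.append(chr(sum(int(n) for n in arg.split("+"))))
    return "".join(out)


def deobfuscate(text: str) -> str:
    """Replace each chr() chain with the VBScript string literal it builds."""
    return CHR_CHAIN.sub(
        lambda m: '"' + decode_chr_chain(m.group(0)).replace('"', '""') + '"', text)


def obfuscation_stats(text: str) -> dict:
    """Count chr() calls, the deepest split per call, and the longest identifier."""
    args = CHR_ARG.findall(text)
    return {
        "chr_calls": len(args),
        "max_addends": max((a.count("+") + 1 for a in args), default=0),
        "longest_identifier": max((len(t) for t in IDENT.findall(text)), default=0),
    }


def is_suspicious(stats: dict) -> bool:
    # Thresholds are assumptions: ordinary HTAs rarely sum integers inside chr()
    # or declare 30-character identifiers; tune them against your own corpus.
    return (stats["max_addends"] > 1 or stats["chr_calls"] >= 20
            or stats["longest_identifier"] >= 30)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(obfuscation_stats(SAMPLE), is_suspicious(obfuscation_stats(SAMPLE)))
```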
VirusTotal example (I suggest not uploading to VT):

![morphHTA VirusTotal result](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0D03tQsPk2zbGnL4y4kbbe3vhIrRmrsGaTxF01AX8F0hb1Kw9jLN3Mf-5KOTK9l8RbJXwRxv1Aopux1k43ZJU7txgexnRsTv55PMpJvuGPcOgKaAQCZbXXeK8IQ2kKk6jNPK7JcrlMi4/s640/morphHTA_2.png)
Example of obfuscated HTA content:

![Example of obfuscated HTA content](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOcEI9Asqz97ykjGtfRoj4veSrDgilpYf8DXoaFX4Xmf7O_7LH3Xma1aKRqjutA8AJON8F0MYeOK5afPbkWSDSbJ1640Ua9R6Xyai_9R7dnOAdLIR0HxMubP3xknpSRMTuOZ556sxfkPQ/s640/morphHTA_3.png)