The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable(.exe) archive.

The sfx archive when executed it will run both files (our payload and the legit appl at the same time).

To make the archive less suspicious to target at execution time, trojanizer will try to replace the default icon(.ico) of the sfx file with a user-selected one, and supress all SFX archive sandbox msgs (Silent=1 | Overwrite=1).

Trojanizer will not build trojans, but from target perspective, it replicates the trojan behavior (execute the payload in background, while the legit application executes in foreground).

DEPENDENCIES (backend applications)

Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine)

“Trojanizer.sh will download/install all dependencies as they are needed”

It is recommended to edit and config the option: SYSTEM_ARCH=[ your_sys_arch ] in the ‘settings’ file before attempting to run the tool for the first time.

Trojanize Your Payload

PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1 “All payloads that windows/SFX can auto-extract-execute”

HINT: If sellected ‘SINGLE_EXEC=ON’ in the settings file, then trojanizer will accept any kind of extension to be inputed.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc .. “All applications that windows/SFX can auto-extract-execute”

ADVANCED SETTINGS

Trojanizer ‘advanced options’ are only accessible in the ‘settings’ file, and they can only be configured before running the main tool (Trojanizer.sh)

Presetup advanced option

Trojanizer can be configured to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allow users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs in target system. If active, trojanizer will asks (zenity sandbox) for the command to be executed

Trojanize Your Payload

— single_file_execution
Lets look at the follow scenario: You have a dll payload to input that you need to execute upon extraction, but sfx archives can not execute directly dll files, This setting allow users to input one batch script(.bat) that its going to be used to execute the dll payload. All that Trojanizer needs to Do its to instruct the SFX archive to extract both files and them execute the script.bat

Trojanize Your Payload

single_file_execution switch default behavior its to compress the two files inputed by user but only execute one of them at extraction time (the 2º file inputed will be executed) …

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries. Windows oneliners to download remote payload and execute arbitrary code

The follow exercise describes how to use trojanizer ‘single_file_execution’ and ‘Presetup’ advanced switchs to drop (remote download) and execute any payload using ‘certutil’ or ‘powershell’ appl_whitelisting_bypass oneliners …

1 – Use metasploit to build our payload

2 – Copy payload.exe to apache2 webroot and start service

3 – Edit Trojanizer ‘settings’ file and activate:

4 – Running trojanizer tool

5 – Start a listener, and send the sfx archive to target using social engineering

When the sfx archive its executed, it will download payload.exe from our apache2 webserver to target and execute it before extract ‘screenshot.png’ and ‘AngryBirds.exe’ (last one will be executed to serve as decoy)

The follow oneliner uses ‘powershell(Downloadfile+start)’ method to achieve the same as previous ‘certutil’ exercise ..

The follow oneliner uses ‘powershell(IEX+downloadstring)’ method to achieve allmost the same (payload.ps1 does not touch disk)

DOWNLOAD/INSTALL

Framework Screenshots

xsf.conf – execute both files upon extraction (trojan behavior)

xsf.conf – single_file_execution + Presetup (advanced options)

Trojanize Your Payload

xsf.conf – single_file_execution + Presetup + appl_whitelisting_bypass (certutil)

xsf.conf – single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)

Final sfx archive with icon changed

Inside the sfx archive (open with winrar) – trojan behavior

Trojanize Your Payload

Inside the sfx archive (open with winrar) – single_file_execution

Download Trojanizer