Redguard Offensive Malware Executor

Web:
Delay milliseconds
E-Mail:
API Key
Sender Domain
Recipient
Delay milliseconds

# Directory holding the downloaded samples (<sha256>.<ext>) and the YAML log written below.
$path = "C:\Users\redguard\Downloads"
# Log file name; Write-Log appends one YAML list entry per checked sample to it.
$logfile = "checker_web.out.yaml"

# Stop before any work is done when the directory is missing: Add-Content would not be
# able to create the log file inside a non-existent directory.
$path_exists = Test-Path -Path $path -PathType Container
if (-not $path_exists) {
    Write-Output "[!] Working directory does not exist. Please make sure it exists and try again."
    exit
}

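function Write-Log($event) {
    <#
    .SYNOPSIS
    Appends one YAML list entry describing a checked sample to "$path\$logfile".

    .DESCRIPTION
    Reads dynamically scoped script variables set by the caller: $path and $logfile
    (log location), $orig_hash (expected SHA-256 taken from the file name) and $ext
    (extension taken from the file name). On the first write the file is created with
    the top-level "web:" key so the whole file parses as one YAML mapping with a list.
    Values are written unquoted to keep the existing format: $event is always a literal
    from the call sites; $ext comes from a file name and is assumed to be a plain token
    -- TODO confirm the server-side parser tolerates anything else.

    .PARAMETER event
    Event name to record (e.g. web_download_unchanged, web_download_changed).
    #>
    $log_path = Join-Path $path $logfile

    # -LiteralPath: the name is data, never a wildcard pattern.
    if (-not (Test-Path -LiteralPath $log_path)) {
        Add-Content -LiteralPath $log_path -Value "web:"
    }

    # Unix epoch seconds in UTC. Avoids Get-Date -UFormat %s, whose output differs between
    # Windows PowerShell 5.1 and PowerShell 7 (fractional string vs. integer).
    $timestamp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # A single Add-Content call writes each array element on its own line -- identical
    # layout to one call per line, but the entry is appended as a unit.
    Add-Content -LiteralPath $log_path -Value @(
        "  - id: $orig_hash",
        "    type: $ext",
        "    timestamp: $timestamp",
        "    event: $event",
        ""
    )
}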

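# Candidate samples: regular files named <sha256>.<ext>; the first dot-separated segment
# of a hex SHA-256 digest is exactly 64 characters long. -File skips directories, which
# Get-FileHash cannot hash. NOTE: a leftover <sha256>.<ext>.proof marker from the executor
# (same directory) also matches this filter and would be reported as "changed".
$files = Get-ChildItem -LiteralPath $path -File |
    Where-Object { $_.Name.Split(".")[0].Length -eq 64 } |
    Select-Object -ExpandProperty Name

foreach ($file in $files) {
  # Expected digest and extension are both encoded in the file name. Only the first
  # extension segment is kept, so "<hash>.tar.gz" is logged with type "tar".
  $orig_hash = $file.Split(".")[0]
  $ext = $file.Split(".")[1]

  # -LiteralPath: names from the directory listing may legally contain wildcard
  # characters such as "[" that -Path would try to expand.
  $sample_path = Join-Path $path $file
  $calc_hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $sample_path).Hash.ToLower()

  # -eq on strings is case-insensitive; lower-casing keeps the logged id canonical.
  if ($orig_hash -eq $calc_hash) {
    Write-Log("web_download_unchanged")
  } else {
    Write-Log("web_download_changed")
  }
}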

# Directory into which mail attachments are saved and where the YAML log is written.
$work_dir = "C:\Users\redguard\Desktop\rome"
# Log file name; Write-Log appends one YAML list entry per evaluated mail to it.
$logfile = "checker_mail.out.yaml"

# Abort early when the directory is missing: neither SaveAsFile nor Add-Content
# would be able to create it.
$work_dir_exists = Test-Path -Path $work_dir -PathType Container
if (-not $work_dir_exists) {
    Write-Output "[!] Working directory does not exist. Please make sure it exists and try again."
    exit
}

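function Write-Log($event) {
    <#
    .SYNOPSIS
    Appends one YAML list entry describing an evaluated mail to "$work_dir\$logfile".

    .DESCRIPTION
    Reads dynamically scoped script variables set by the caller: $work_dir and $logfile
    (log location), $OriginalFileHash (expected SHA-256 from the attachment name or the
    mail body) and $FileExtension (extension from the same source). On the first write
    the file is created with the top-level "mail:" key so the whole file parses as one
    YAML mapping with a list. Values are written unquoted to keep the existing format:
    $event is always a literal from the call sites; the id and type come from mail
    content and are assumed to be plain tokens -- TODO confirm the server-side parser
    tolerates anything else.

    .PARAMETER event
    Event name to record (mail_attachment_unchanged, mail_attachment_changed,
    mail_attachment_removed).
    #>
    $log_path = Join-Path $work_dir $logfile

    # -LiteralPath: the name is data, never a wildcard pattern.
    if (-not (Test-Path -LiteralPath $log_path)) {
        Add-Content -LiteralPath $log_path -Value "mail:"
    }

    # Unix epoch seconds in UTC. Avoids Get-Date -UFormat %s, whose output differs between
    # Windows PowerShell 5.1 and PowerShell 7 (fractional string vs. integer).
    $timestamp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # One call, one line per array element -- same layout as before, appended as a unit.
    Add-Content -LiteralPath $log_path -Value @(
        "  - id: $OriginalFileHash",
        "    type: $FileExtension",
        "    timestamp: $timestamp",
        "    event: $event",
        ""
    )
}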

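# Attach to Outlook through COM and open the default inbox of the MAPI profile.
$outlook = New-Object -ComObject Outlook.Application
$mapi = $outlook.GetNameSpace("MAPI")

# OlDefaultFolders.olFolderInbox
$olFolderInbox = 6
$inbox = $mapi.GetDefaultFolder($olFolderInbox)

# Absolute form of the working directory (with trailing backslash) for the containment
# check on attachment names below.
$work_dir_full = [System.IO.Path]::GetFullPath($work_dir).TrimEnd('\') + '\'

Write-Host "[*] Scanning inbox for ROME mails. This may take a while..."
$inbox.Items |
    Where-Object { $_.Subject -match "ROME Payload:" } |
    ForEach-Object {
        ## TODO: case when the proxy adds files is not covered yet (e.g. PF)
        $attachment_count = $_.Attachments.Count

        if ($attachment_count -eq 1) {
            # Mail contains the one expected attachment (COM collections are 1-based).
            $attachment = $_.Attachments[1]
            $attachmentPath = Join-Path $work_dir $attachment.FileName

            # The attachment name arrives with the mail, i.e. from outside this host.
            # Refuse any name whose resolved path leaves $work_dir (e.g. "..\" segments)
            # before anything is written to disk.
            $resolved = [System.IO.Path]::GetFullPath($attachmentPath)
            if (-not $resolved.StartsWith($work_dir_full, [System.StringComparison]::OrdinalIgnoreCase)) {
                Write-Host "[!] Skipping attachment whose name leaves the working directory: $($attachment.FileName)"
                return   # next mail
            }

            $attachment.SaveAsFile($attachmentPath)

            # Compare the delivered file against the SHA-256 encoded in its name.
            # Only the first extension segment is kept as the type.
            $CalculatedFileHash = Get-FileHash -Algorithm SHA256 -LiteralPath $attachmentPath
            $OriginalFileHash = $attachment.FileName.Split(".")[0]
            $FileExtension = $attachment.FileName.Split(".")[1]

            if ($CalculatedFileHash.Hash.ToLower() -eq $OriginalFileHash) {
                Write-Log('mail_attachment_unchanged')
            } else {
                Write-Log('mail_attachment_changed')
            }
        } elseif ($attachment_count -eq 0) {
            # No attachment left: it was stripped in transit. Id and type then have to come
            # from the body, which carries them between '*' markers (segments 1 and 3 after
            # splitting on '*'). A mail without those markers used to abort the pipeline
            # with a null-method error; it is now reported and skipped.
            $body_parts = ([string]$_.Body).Split("*")
            if ($body_parts.Count -lt 4) {
                Write-Host "[!] Mail without attachment carries no *id*/*type* markers, skipping: $($_.Subject)"
                return   # next mail
            }
            $OriginalFileHash = $body_parts[1]
            $FileExtension = $body_parts[3]
            Write-Log('mail_attachment_removed')
        } else {
            # More than one attachment: not evaluated (see TODO above), only reported.
            Write-Host "[!] Mail has $attachment_count attachments and is not evaluated: $($_.Subject)"
        }
    }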

# Directory holding the samples to open (<sha256>.<ext>) and, later, their proof markers.
$path = "C:\Users\redguard\Downloads"
# Log file name; Write-Log appends one YAML list entry per sample to it.
$logfile = "executor.out.yaml"

# Nothing can be opened or logged without the directory, so stop right here.
$path_exists = Test-Path -Path $path -PathType Container
if (-not $path_exists) {
    Write-Output "[!] Working directory does not exist. Please make sure it exists and try again."
    exit
}

# Extensions that are not opened automatically by this script; samples with one of
# these types are only logged as sample_manually_testable.
$manually_testable = @(
    "reg", "bgi", "lnk",
    "application", "appref-ms",
    "appx", "msix", "appxbundle",
    "eml",
    "xltm", "xlt",
    "MAM", "csproj", "one",
    "iso", "zip", "tar", "rar", "7z", "tgz", "tar.gz"
)

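function Write-Log($event) {
    <#
    .SYNOPSIS
    Appends one YAML list entry describing a sample to "$path\$logfile".

    .DESCRIPTION
    Reads dynamically scoped script variables set by the caller: $path and $logfile
    (log location), $orig_hash (SHA-256 taken from the file name) and $ext (extension
    taken from the file name). On the first write the file is created with the
    top-level "local:" key so the whole file parses as one YAML mapping with a list.
    Values are written unquoted to keep the existing format: $event is always a literal
    from the call sites; $ext comes from a file name and is assumed to be a plain token
    -- TODO confirm the server-side parser tolerates anything else.

    .PARAMETER event
    Event name to record (sample_manually_testable, sample_executed).
    #>
    $log_path = Join-Path $path $logfile

    # -LiteralPath: the name is data, never a wildcard pattern.
    if (-not (Test-Path -LiteralPath $log_path)) {
        Add-Content -LiteralPath $log_path -Value "local:"
    }

    # Unix epoch seconds in UTC. Avoids Get-Date -UFormat %s, whose output differs between
    # Windows PowerShell 5.1 and PowerShell 7 (fractional string vs. integer).
    $timestamp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # One call, one line per array element -- same layout as before, appended as a unit.
    Add-Content -LiteralPath $log_path -Value @(
        "  - id: $orig_hash",
        "    type: $ext",
        "    timestamp: $timestamp",
        "    event: $event",
        ""
    )
}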

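# Candidate samples: regular files named <sha256>.<ext>; the first dot-separated segment
# of a hex SHA-256 digest is exactly 64 characters long. -File keeps directories out of
# the list so they are never handed to Invoke-Item.
$files = Get-ChildItem -LiteralPath $path -File |
    Where-Object { $_.Name.Split(".")[0].Length -eq 64 } |
    Select-Object -ExpandProperty Name

foreach ($file in $files) {
  $orig_hash = $file.Split(".")[0]
  # Only the first extension segment is evaluated, so "<hash>.tar.gz" is treated as "tar".
  $ext = $file.Split(".")[1]

  # -contains matches case-insensitively, in line with Windows extension handling;
  # the array's .Contains() method is an ordinal match and would miss e.g. "mam" vs "MAM".
  if ($manually_testable -contains $ext) {
    Write-Host "[!] Found only manual testable extension for $orig_hash.$ext"
    Write-Log("sample_manually_testable")
  } else {
    # -LiteralPath so wildcard characters in a name are not expanded. -ErrorAction Stop
    # turns the cmdlet's non-terminating error (no registered handler, blocked file, ...)
    # into an exception so that a failed launch is not reported as executed.
    try {
      Invoke-Item -LiteralPath (Join-Path $path $file) -ErrorAction Stop
      Write-Host "[*] Executed sample $file"
    } catch {
      Write-Host "[!] Could not open sample ${file}: $($_.Exception.Message)"
    }
  }
}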

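# Grace period before looking for proof markers; a single place to adjust when samples
# need longer to be opened.
$proof_wait_seconds = 5
Start-Sleep -Seconds $proof_wait_seconds

# Proof markers: regular files named <sha256>.<ext>.proof in the sample directory.
$files = Get-ChildItem -LiteralPath $path -File |
    Where-Object { ($_.Name.Split(".")[0].Length -eq 64) -and ($_.Name.Split(".")[2] -eq "proof") } |
    Select-Object -ExpandProperty Name

foreach ($file in $files) {
  # Id and type are the first two segments of the marker's name.
  $orig_hash = $file.Split(".")[0]
  $ext = $file.Split(".")[1]

  Write-Host "[+] Found proof for $orig_hash.$ext"
  Write-Log("sample_executed")
}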

Upload the generated client-side YAML files to create a final report. The server-side logs are processed automatically.

Client-side Files (Upload)
Server-side Files (Informational)
web_logs.yaml
mail_logs.yaml

Logs

SHA256 Type Send Reporting

6e25136b16e8a288bcf27353b442b3d8ecaea6bab6d06f0fd3bb2d1c690c7c9b

appx

Download

6e25136b16e8a288bcf27353b442b3d8ecaea6bab6d06f0fd3bb2d1c690c7c9b

appxbundle

Download

300daff80f23a8a8af8c94e126fbc4581adeddc04d4aafa4dd2419866c5c5293

one

Download

b27e67b7f6365b94d4f8f863a76383946e7a3adda10f12843088f6d096152491

bgi

Download

3d4f91bcbfd59439c99ea5a85fd406775c5887dbd745f0054eda51916dd77624

tar

Download

a5f393890ffad591c8e223287677eed5e7085cecab38a679f64070d5d4a22aae

application

Download

3bfdd8d722be5c14b2f73fe34aa2871ff8a06adf2cac4348ffbbf46fd92ca495

xlt

Download

edb1c84980ad88af808a97d0a83a9d62cf81ce587df6b0a60fabdd0cb9621199

rar

Download

ea98f489d63755a1c4e14692c804232a3e41aff5628ea982457cf32260171238

csproj

Download

5500b00bdb7757966c651990f6f5bdc70990090f389181c4166432a78b92b4e9

encrypted.7z

Download

bba35e418cf1622198e1fda67307f6fd0fffed1f4f8eb4931072be80362b8145

zip

Download

a50bdd58a96d2eca3be4995f17e7109f184a7d213ef996980b24d0bfb589065c

tgz

Download

9bfeed320e3440e21a9e22a66d43336beda1519843549dd6b1bf11fdc2318acd

lnk

Download

83a0ff3ffc3666619971bc2c72579d301f9b78f0ee730aaa1e01aee3ec9aacc6

eml

Download

e1f89c6c5f795862663b30784fe0be228a3724b59c2264fdaf8d6168d0aa31b0

xltm

Download

6e25136b16e8a288bcf27353b442b3d8ecaea6bab6d06f0fd3bb2d1c690c7c9b

msix

Download

f2bd95c6fb79835a7ccbab25c71bb2688b87461196276c01a4cda84de46809fd

MAM

Download

ea2c1a2c6e8cc533cbcdbd32143097072a26b0ac75978f0bb31305eb3a2d247e

one

Download

a50bdd58a96d2eca3be4995f17e7109f184a7d213ef996980b24d0bfb589065c

tar.gz

Download

199605297c4034e04f5a6f7049c62effb1ecf8b84c254cdc5bab2f7411a06ab6

reg

Download

222edaddc722ffe188686d71cde86438648b93117707713a9cf143d6534dcf06

iso

Download

86df5cea9f99a69a7fc6b3e2d00de09b8b74d5c3258964e2184fa35d07f51a3f

encrypted.zip

Download

edb1c84980ad88af808a97d0a83a9d62cf81ce587df6b0a60fabdd0cb9621199

7z

Download

a5f393890ffad591c8e223287677eed5e7085cecab38a679f64070d5d4a22aae

appref-ms

Download

SHA256 Type Send Reporting

09393f677c99ab8efed5ec512383874142cdb91506b8ba4da96be9d1207143a1

docm

Download

0c1b49cf0300103a371c8f547f718139d1edd103b52cd6780394f1722c8cdb3a

wbk

Download

5d856bd37b3dea0bea6dadefecdf17bccb22d1b144e5c86b86964f765465b79f

exe

Download

177797b52ea69a68b84484326d37f1b040e01964bec66b36f78077134b903728

htm

Download

ce18e4a422422fba8e67ddaa32a45c8600c9b5fc1b1f415e9a05f46691acefa4

jse

Download

500c24c707989a1279c5473c0aa272e5a7c7052086570215b6123cb29f997d46

docm

Download

b31310bd2e0fdebb45795738024d02f5b513e5d252fb70281dfe283c508a334e

doc

Download

8dc01ac3af0d11184dbb4044147d41b2de1f218b902370a1538f524b0502880e

cmd

Download

5d856bd37b3dea0bea6dadefecdf17bccb22d1b144e5c86b86964f765465b79f

scr

Download

9ca485f14b0cf7e5eeeeb6822607172798bdb5cb1d827d2aeaf7c19d7ade059b

doc

Download

8dc01ac3af0d11184dbb4044147d41b2de1f218b902370a1538f524b0502880e

bat

Download

5e508432a479e8f21293c638b30fec782e16aef8d473dcdcb00c671672fbc8c3

xll

Download

c5ef9f19689873bb7148057b6f9ae0e63a612cec07714ad37adaaf43245ff828

accde

Download

5d856bd37b3dea0bea6dadefecdf17bccb22d1b144e5c86b86964f765465b79f

pif

Download

b85c281bfd2645e798be291d5efbce8c07650f06d7c9f703b7478519a095281d

accdb

Download

60bdf71fe43aec46a541c4976fbc1931fdc56e7a3c0d4af52194be48e3c452a9

vbe

Download

5e508432a479e8f21293c638b30fec782e16aef8d473dcdcb00c671672fbc8c3

cpl

Download

c6d36e3854eba57a9bcf4a494d482d5fb8987165a782126dfdacb3660cefbe03

xlsm

Download

3e8f5476074c2d39ed23828e8a02e09a5a5dcc7a35b4ca37dcf0ee453a6a5bed

SettingContent-ms

Download

3e534accb8bf94ebe9433866efe53015b2b7c8281fc5a15598fa224fe897a4a3

jar

Download

177797b52ea69a68b84484326d37f1b040e01964bec66b36f78077134b903728

html

Download

1d5e2413b0855940e0482806c6ffbe1bea32742da7ab4cd1d0f1f9588e22225f

xls

Download

0c1b49cf0300103a371c8f547f718139d1edd103b52cd6780394f1722c8cdb3a

doc

Download

9fdd744c2b33e36b4af842781428f02de8bba4a70e08b2e7d08b5f3644a8ffe6

msi

Download

1e7efbcf04b4058d411a247bf0c206b54ecbe01be03916e30bbe7639e4052d14

dot

Download

ce18e4a422422fba8e67ddaa32a45c8600c9b5fc1b1f415e9a05f46691acefa4

js

Download

c408897d6c77fd1236ad4126265b65d1ff480ab5d9cafa036f157b8963066420

wsf

Download

ed94be0e79c4816c9047228c326f90893e6e96c32222e69c753cba72166e350c

exe

Download

5d2c68e27cfa3b5642f9f01e5b1652d83904203aeba34dfe623026679d9410f1

pptm

Download

e09465dcd19db9fb3979586c8120dafc2ad83069d74b66829ee3e8ea452c14b1

docm

Download

0c1b49cf0300103a371c8f547f718139d1edd103b52cd6780394f1722c8cdb3a

asd

Download

b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9

txt

Download

90ae935c99a0d21e69cc56a1610b3a9be0c627be362e7e5d71aa645bbaabad05

dotm

Download

7dcfd0061722cc3ecbdf55cd6106429ae42c996d25e7ccccb3f22459d6ff65a9

ps1

Download

60bdf71fe43aec46a541c4976fbc1931fdc56e7a3c0d4af52194be48e3c452a9

vbs

Download

60aab8cf665110e07ae957150d12e5c542233ca8a5374fc5c237d8c139daed90

xlam

Download

e71de848d203f71f50445835eb745ce89bbd178aacd90d897986939fdf02ae3c

hta

Download

5d856bd37b3dea0bea6dadefecdf17bccb22d1b144e5c86b86964f765465b79f

com

Download

2ae4ffc7e81a64997e229bea32f3af7e3cdb7494dd362687357d6bfb5b4adae9

svg

Download

cc22e94cda680af56b42e39a3e842ee506f9c55958a6adc4b519e28322b369ab

svg

Download