BETA C2 server that uses the legitimate FIN7 Griffon JScript as its implant.
The JScript implant and the source of deobfuscation can be found in the implant folder
The teamserver was written for Linux based operating systems. It may work on windows with some tweaks.
The teamserver can be built from the Dockerfile in the root directory. To run the container, use:
docker run -it griffon
Requires: python3
pip install -r requirements.txt
HumbleGriffon supports sending commands completely obfuscated. A modified version of the javascript-obfuscator can be found at my github or created via docker commands in the obfuscator folder.
It will automatically get built if you use the HumbleGriffon Dockerfile
After compiling the obfuscator, please place it in the same directory as teamserver.py and make sure it is named obfuscator Any custom obfuscator can be used as long as it takes in base64 JScript commands via CLI and outputs runnable JScript code to stdout
python3 is required for HumbleGriffon
python teamserver.py [OPTIONS]
| Usage | Description |
|---|---|
| --ip TEXT | The IP to listen on |
| --port INTEGER | The port for C2 callbacks |
| --apiport INTEGER | The port for API listener/Client connections |
| --obfuscate | Obfuscate all commands to server if enabled |
| --help | Show this message and exit. |
| Usage | Description |
|---|---|
| delete all the things | Removes all agents - Does not terminate them |
| exit | Exits the C2 server gracefully |
| help | display this message |
| interact [agent id] | interact with an existing agent |
| kill [agent id] | terminates the agent gracefully |
| list | lists every agent |
| quit | Exits the C2 server gracefully |
| remove [agent id] | Removes agent from list of active agents |
| showall | prints information about every agent |
| Usage | Description |
|---|---|
| back | Leave the interact menu |
| cd [path] | Changes the working directory to the specified path |
| clear | Removes all pending commands |
| exit | Terminates the agent gracefully |
| help | display this message |
| ls [directory] | Prints current directory or specified directory |
| pwd | Prints the current working directory |
| shell [command] | Run a command using cmd /c |
| sleep [time in seconds] [jitter % - optional] See Below | Changes how often the agent checks in |
Since this command isn't part of the legitimate griffon payload, it is unimplemented on the provided JScript implant. It can easily be implemented by adding a global variable called sleepy and jitter to the JScript implant and if those values are set, use these instead of random_knock.
This tool is for threat emulation. The author is not responsible for any misuse of this public tool.