Scarecrow not working with Mythic C2/atlas agent about scarecrow HOT 12 CLOSED

That is very very odd. I am not sure why it calls back once and then dies... I'll take a look but does the following happen on both binary and control loaders?
atlas + CLRvoyance + scarecrow = 1 callback then dead
atlas + confuserEx + donut + scarecrow = 1 callback then dead

from scarecrow.

It is odd.

Both are confirmed with both binary and control (just reconfirmed them moments ago just to be safe)

from scarecrow.

could you provide me a link to the confuserEx repo you are using I see a couple out there.

from scarecrow.

This is the repo I used for the testing:
https://github.com/mkaring/ConfuserEx

I downloaded the 1.5 release binary

from scarecrow.

I am looking into this will update the thread as soon as I have info on it.

from scarecrow.

Awesome. Thanks for all the work you do on this! Let me know if I can help in any way.

from scarecrow.

Sorry, I've been off a bit, Circling back to this could you do the following to test?
Can you run something like process hacker 2 and monitor the process, when you execute it, does the process terminate?
Can you use binary with -console mode and paste the terminal output?

from scarecrow.

Hey sorry for the late reply. The process terminates immediately after the console finishes running. Originally the console output showed no errors but now I'm seeing the following:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
Exception 0xc0000005 0x0 0x18 0x7ff9ec7811f0
PC=0x7ff9ec7811f0
signal arrived during external code execution

runtime.cgocall(0x7ff68783fd00, 0x7ff6879d6520)
        runtime/cgocall.go:156 +0x4a fp=0xc000133dc0 sp=0xc000133d88 pc=0x7ff6877e392a
syscall.Syscall(0xc000372000, 0x0, 0x0, 0x0, 0x0)
        runtime/syscall_windows.go:479 +0xf4 fp=0xc000133df8 sp=0xc000133dc0 pc=0x7ff68783aa54
syscall.Syscall(0x7ff6878e0050, 0xc00000e3c0, 0x5, 0x5, 0x0)
        <autogenerated>:1 +0x2b fp=0xc000133e48 sp=0xc000133df8 pc=0x7ff687840bab
main.main()
        BOQGcMfOIHZwwiD/OneDrive.go:613 +0x2677 fp=0xc000133f80 sp=0xc000133e48 pc=0x7ff6878a1857
runtime.main()
        runtime/proc.go:255 +0x217 fp=0xc000133fe0 sp=0xc000133f80 pc=0x7ff6878167d7
runtime.goexit()
        runtime/asm_amd64.s:1581 +0x1 fp=0xc000133fe8 sp=0xc000133fe0 pc=0x7ff68783e4c1
rax     0x1a6c73b0250
rbx     0x0
rcx     0x7ff98d316d8a
rdi     0x1a6c73b0250
rsi     0x1a6c738eb58
rbp     0x5021dfde10
rsp     0x5021dfdd90
r8      0x0
r9      0x1
r10     0x9
r11     0xa
r12     0x8
r13     0x48
r14     0x5021dfe4e0
r15     0x1
rip     0x7ff9ec7811f0
rflags  0x10206
cs      0x33
fs      0x53
gs      0x2b

This was using a binary loader and no confuserex (exported shellcode directly from mythic).

from scarecrow.

Okay, so that's different than it calling home once.

from scarecrow.

Just fyi, I run into the same issue with the latest scarecrow + atlas agent:

from scarecrow.

Bumping this thread is the shellcode in question staged or stageless?

from scarecrow.

Scarecrow 5.0 should address this.

from scarecrow.