Octopus - Features & informations

Introduction

Octopus is mainly an executable file crypter, although it offers many other functions. It is coded in C++ (stub) and Delphi (builder). First version, 1.0, was completed in september 2009 and since then many updates have been done to the program. While 1.x series were written in Visual Basic 6, I decided to rewrite from scratch the new version, to be able to code and use more advanced techniques which are not possible to do in VB6.

Octopus stubs are sold Fully UnDetected by antiviruses ( 0/33 on scan4you.net). Both stub and builder are programmed to be independent and stand-alone. They are able to run on Windows XP, Windows Vista and Windows 7, on both 32 and 64 bit systems, without requiring any dependencies (except of course the ones which come with a basic Windows installation).

Octopus features:

-Crypter:

On the contrary of most (if not all) crypters sold, not only the input files and whole settings are differently encrypted on each build, but also a big part of the stub itself. In fact, the actual stub in Octopus 2.0 consists in a .exe file and a .dll file. The DLL, which gets encrypted togheter with the other input data, contains the core crypter functions (RunPE, binder, spreader, downloader etc.) and Anti-Viruses are unable to analyze it, since it stays crypted like your files, which on the disk are never decrypted or dropped.

The only thing AVs can analyze is the .exe file, which is nothing more than a decrypter and memory-loader for the encrypted DLL code.

This technique makes detection harder for AVs and reduces generic detections.

Each stub.exe you buy is unique, each time undetected by me with a C++ code obfuscator I programmed to do the job.

Stub.dll is 8 kb big, while stub.exe can vary around 50-60 kb, due to the big amount of obfuscation.

The builder will crypt input files and settings with RC4 algorithm using a random-bytes, random-lenght encryption key. You have also the option to enter your own encryption password.

-Binder:

-Unlimited file number support: Join together how many files you want.

-Working with all file types: .exe, .doc, .jpg, etc.

-Direct memory execution: If you choose this option, your executable file will be executed directly in memory, without being dropped to hard disk.

Warning: memory execution works only with executable files (.exe, .scr ...)! For other file types, you must use the drop and execute option!

Warning: if you use the drop option, file will be decrypted before being dropped (scantime crypt only)! If you want the dropped file to still be crypted/undetectable, then crypt it using memory execution, save it, then bind it using dropping option.

-How to make malware / server always run at startup but not binded file

Why is this needed? Because when you install for example a RAT server, installed file will be a copy of file which has been run (so if you binded more files, they will be run also on startup)

This is good technique to avoid this (for all binders and crypters):

1. Crypt single server (memory run);

2. Clear binder list;
3. Bind crypted server with legit file/s (drop and execute).

-Spreader:

Drives/USB spread:

the program will spread itself to all drives (Removable hard drives, USB drives, memory cards etc.) connected to the computer. An autorun.ini file is created to execute the server automatically when the drive is opened. If you check the “Hide files” option, then the spreaded file and the Autorun.ini file will be hidden as a hidden, system file with readonly attributes. You can also choose a different name for the copied file.

-General features:

No external dependencies needed: Neither the stub nor the builder need any external dependency (except standard Windows system dlls) and are programmed to run under Windows XP, Vista and 7.

Shell parameters support: Octopus is compatible with programs that need to be executed with command line parameters.

EOF Data support: This crypter is compatible with applications which store data/settings at End Of File (for example Bifrost). By the way some applications have got EOF data but they don't need it to store settings, so EOF preserve option can be disabled without corrupting the application.

Icon / Informations cloner: Clones icon, informations, or both, on your choice, from desided input file to output file.

Online authentication mechanism: Octopus will check online if the licence is authorized. This is a read-only operation and no information is transmitted remotely, except licence name and code. In case of suspicious chargebacks or scams, Builder will be locked and stub distributed to AVs.

-Downloader:

Unlimited file number support (multidownloader)

Every file type supported.

The downloader will download chosen files from the specified URL to the specified directory. Then you can choose if it must also execute file or not. You can download and execute any file type (executables but also pictures etc.)

Downloader can be useful if you want Octopus to execute files, without adding much size to stub.

-Message Box:

On program run, a message box with specified features will be displayed. This is the only action the server does before the time delay (if there is).

Tested and working with:

• DarkComet (including version 4)
• Spy-Net
• Poison Ivy
• Bifrost
• Zeus
• Viotto Keylogger
• Ap0calypse 1.4.4
• BlackShades.NET
• SS-Rat 1.0
• CyberGate
• Bandook V1.9 Private Edition
• ...More and more

By the way Octopus should be compatible with any common file. Obviously it will not work with some specific files such as protected files which do a CRC check to see if the file code on disk has been altered before executing.

Example of Virus-Scan:

Unencrypted DarkComet backdoor:

DarkComet crypted with Octopus:

Disclaimer:

I will not be held responsible for the use you make of this program (Octopus). You (the purchaser) are the only one responsible for your actions, not me (the seller)!