malware-cc-recovery

A project to recover a specific malware and make it work.

https://github.com/stratosphereips/malware-cc-recovery

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.7%) to scientific vocabulary
Last synced: 8 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: stratosphereips
  • License: gpl-2.0
  • Language: Python
  • Default Branch: main
  • Size: 17.2 MB
Statistics
  • Stars: 3
  • Watchers: 3
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created about 2 years ago · Last pushed about 2 years ago
Metadata Files
README.md

Malware CC Recovery of PyRation variant Malware

The Malware CC Recovery is a project done by Tomy-Niepo as part of his internship in the Stratosphere Laboratory to analyze real malware and understand how it works.

This repository has the recovered code of the original malware, plus a new implementation of a Command and Control (CC) server and a new implementation of a botmaster bot.

The blog with the description can be found here online, or a PDF copy is in here. The slides of a presentation on all the work are here.

Analysis of the Original Malware

The original malware is a member of the PyRation variant family. It is a Windows PE file with MD5 hash 67e77dcdbf046a0fd91a0bbb3e807831 and SHA256 hash bba407734a2567c7e22e443ee5cc1b3a5780c9dd44c79b4a94d514449b0fd39a (VirusTotal). The original file can be found here.

Previous analyses of this malware were only partial; see, for example, here.

The original malware was written to run on Windows. My adaptation runs well on macOS and maybe on Linux (testing was not finished).

CC Server

Since the malware is only the bot part for Windows, there is no Command and Control server available to run and observe how it works. This is why I designed and built the CC server, which can accept multiple bots and give them orders.

BotMaster

The CC server is the middle layer that communicates with the Bots (infected computers), but the orders need to come from somewhere. My solution was to create a new type of client that acts as the botmaster and gives orders to the Bots through the CC server.

Part of the server was based on the ideas from https://github.com/yuv-c/serverclientwebsocket_chat.

How to run

  • Install the libraries

```bash
python3 -m venv myenv
source myenv/bin/activate
pip install -r requirements.txt
```

  • Start the CC server

```bash
python ccserver.py
```

  • Start the bots

In another console or computer, start a bot (repeat this for as many bots as you want):

```bash
python malware_client.py
```

If running on macOS, you will need to grant permissions to the application from which you run the bot. It can be iTerm2, the Terminal, or another terminal application. You need to give that terminal permission to take screenshots of your computer as well as permission to listen to your keyboard. This is done in Settings: go to 'Privacy and Security', then 'Input Monitoring', and enable, for example, iTerm2. Then, also under 'Privacy and Security', go to 'Screen Recording & System Audio' and enable, for example, iTerm2.

  • Start the Botmaster

```bash
python botmaster.py
```

How to use

As soon as you execute the Botmaster, you can manage all the bots from its console.

Executing Actions

From the menu, select the a option to execute actions.

Action 'write a file from /static/downloads into computer'

This action sends a file from the CC server to all the bots. Be sure the file exists before sending.

The transfer is also recorded in the server log file, server.log.

Action 'send file name and file contents to write in computer'

This action sends a file from the Bot to the CC server.

Action 'make a remote request from computer'

This action asks the Bot to visit a web site and send back the results. It does not work yet.

Executing commands

The Botmaster can execute commands on all the Bots by sending them with the c option.

This can be verified in the CC server file commands_results.txt, which in this case contains one line per bot:

```
Darwin Conter.local 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:34 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T8103 x86_64
Darwin Conter.local 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:34 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T8103 x86_64
```

Automatic functions

The Bot continually performs three functions:

Screenshot capture

Every 5 minutes, it captures a screenshot of the main window (desktop) and sends it to the server as a 600x600 image. The images are stored in the Documents folder.

Keylogger

The bot captures all keystrokes in all open applications on the system. Keys are sent to the CC server every 1 minute.

The keys are sent to the server and stored in a file called keylogs.txt. An example log is:

```
2024-02-22 14:56:04.792776: |shift_r|
2024-02-22 14:56:20.442531: |shift_r|
2024-02-22 14:56:23.221389: |shift_r|
2024-02-22 14:56:23.392227: |shift_r|
2024-02-22 14:56:24.624446: |shift_r|
2024-02-22 14:56:26.855297: |shift_r|
2024-02-22 14:56:29.968832: |shift_r|
2024-02-22 14:56:33.448805: |shift_r|
2024-02-22 14:56:34.547535: |shift_r|
2024-02-22 14:56:39.680636: |cmd|
2024-02-22 14:56:42.754119: |ctrl|
```
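An added example for analysts who need to go through a recovered keylogs.txt; this is not code from the project. It parses the entry layout shown above and produces the counts and time span an incident responder usually wants first. It assumes one `timestamp: key` entry per line with special keys written as |name|, and that printable keys are logged as the character itself; the second point is an assumption, since the README only shows special keys. The sample log is constructed.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample in the keylogs.txt layout shown in the README:
# one "timestamp: key" entry per line, special keys as |name|.
SAMPLE_KEYLOG = """\
2024-02-22 14:56:04.792776: |shift_r|
2024-02-22 14:56:20.442531: |shift_r|
2024-02-22 14:56:39.680636: |cmd|
2024-02-22 14:56:42.754119: |ctrl|
"""

# Timestamp with microseconds, then ": ", then the key text.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}): (.*)$")


class KeyEvent(NamedTuple):
    ts: datetime
    key: str
    special: bool  # True for |name| entries such as shift_r or cmd


def parse_keylog(text):
    """Parse keylogs.txt content into KeyEvent records, in file order.

    Raises ValueError on a line that does not match the expected layout so
    that a truncated or tampered file is noticed rather than silently skipped.
    """
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unexpected format: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        raw = m.group(2)
        # Assumption: printable keys are logged as the bare character, so a
        # lone "|" is a typed pipe, not an empty special-key name.
        if len(raw) >= 2 and raw.startswith("|") and raw.endswith("|"):
            events.append(KeyEvent(ts, raw[1:-1], True))
        else:
            events.append(KeyEvent(ts, raw, False))
    return events


def summarize(events):
    """Return total count, per-key counts and the seconds between first and last entry."""
    per_key = {}
    for e in events:
        per_key[e.key] = per_key.get(e.key, 0) + 1
    if not events:
        return {"count": 0, "per_key": per_key, "span_seconds": 0.0}
    span = (events[-1].ts - events[0].ts).total_seconds()
    return {"count": len(events), "per_key": per_key, "span_seconds": span}


if __name__ == "__main__":
    evs = parse_keylog(SAMPLE_KEYLOG)
    for e in evs:
        print(e.ts.isoformat(), "special" if e.special else "char", e.key)
    print(summarize(evs))
```

The strict parser is deliberate: when a file retrieved from a CC server stops matching the layout, the analyst wants to know at which line, because that is often where corruption or a different bot version begins.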

Find installed AntiVirus

Only once, when the bot connects to the CC server, it searches for all installed antivirus products on macOS and sends the list to the CC server.

Update configuration

Only once, when the bot connects to the CC server, it asks for a configuration file. In this file it is possible to change the IP of the CC server and the timing settings for the screenshot capture and the keylogger sending.

Diagram of operation

[Diagram: Analysis of the Malware Code]

Owner

  • Name: Stratosphere IPS
  • Login: stratosphereips
  • Kind: organization
  • Location: Prague

Cybersecurity Research Laboratory at the Czech Technical University in Prague. Creators of Slips, a free software machine learning-based behavioral IDS/IPS.

Citation (CITATION.cff)

cff-version: 1.2.0
message: "If you use this software, please cite it as below."
authors:
- family-names: "YOUR_NAME_HERE"
  given-names: "YOUR_NAME_HERE"
  email: youremailhere
  affiliation: >-
      Stratosphere Laboratory, AIC, FEL, Czech
      Technical University in Prague
  orcid: "https://orcid.org/0000-0000-0000-0000"
- family-names: "Lisa"
  given-names: "Mona"
  email: youremailhere
  affiliation: >-
      Stratosphere Laboratory, AIC, FEL, Czech
      Technical University in Prague
  orcid: "https://orcid.org/0000-0000-0000-0000"
title: "repository-template"
version: 1.0.0
doi: 10.5281/zenodo.1234
date-released: 2022-07-13
url: "https://github.com/stratosphereips/repository-template"

Dependencies

.github/workflows/autotag.yml actions
  • actions/checkout v2 composite
  • anothrNick/github-tag-action 1.36.0 composite
requirements.txt pypi
  • flask_socketio *
  • numpy *
  • pillow ==10.1.0
  • pynput ==1.7.6
  • python-socketio ==5.11.1
  • requests ==2.31.0