def start(self, path):
iexplore = self.get_path("Internet Explorer")
# pass the URL instead of a filename in this case
self.execute(iexplore, '"about:blank"', "about:blank")
args = self.options.get("arguments")
appdata = self.options.get("appdata")
runasx86 = self.options.get("runasx86")
# If the file doesn't have an extension, add .exe
# See CWinApp::SetCurrentHandles(), it will throw
# an exception that will crash the app if it does
# not find an extension on the main exe's filename
path = check_file_extension(path, ".exe")
if appdata:
# run the executable from the APPDATA directory, required for some malware
basepath = os.getenv("APPDATA")
newpath = os.path.join(basepath, os.path.basename(path))
shutil.copy(path, newpath)
path = newpath
if runasx86:
# ignore the return value, user must have CorFlags.exe installed in the guest VM
call(["CorFlags.exe", path, "/32bit+"])
return self.execute(path, args, path)
def start(self, path):
rundll32 = self.get_path("rundll32.exe")
function = self.options.get("function", "#1")
arguments = self.options.get("arguments", "")
dllloader = self.options.get("dllloader")
# If the file doesn't have the proper .dll extension force it
# and rename it. This is needed for rundll32 to execute correctly.
# See ticket #354 for details.
path = check_file_extension(path, ".dll")
if dllloader:
newname = os.path.join(os.path.dirname(rundll32), dllloader)
shutil.copy(rundll32, newname)
rundll32 = newname
try:
start, end = (int(_.lstrip("#"))
for _ in function.replace("..", "-").split("-", 1))
assert start < end
args = '/c for /l %i in ({start},1,{end}) do @{rundll32} "{path}",#%i {arguments}'.format(
**locals())
# if there are multiple functions launch them by their ordinal number in a for loop via cmd.exe calling rundll32.exe
return self.execute("C:\\Windows\\System32\\cmd.exe", args.strip(),
path)
except (ValueError, AssertionError):
pass
args = f'"{path}",{function}'
if arguments:
args += f" {arguments}"
return self.execute(rundll32, args, path)
def start(self, path):
try:
servicename = self.options.get("servicename", "CAPEService")
servicedesc = self.options.get("servicedesc", "CAPE Service")
arguments = self.options.get("arguments")
path = check_file_extension(path, ".exe")
binPath = f'"{path}"'
if arguments:
binPath += f" {arguments}"
scm_handle = ADVAPI32.OpenSCManagerA(None, None,
SC_MANAGER_ALL_ACCESS)
if scm_handle == 0:
log.info("Failed to open SCManager")
log.info(ctypes.FormatError())
return
service_handle = ADVAPI32.CreateServiceA(
scm_handle,
servicename,
servicedesc,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
binPath,
None,
None,
None,
None,
None,
)
if service_handle == 0:
log.info("Failed to create service")
log.info(ctypes.FormatError())
return
log.info("Created service (handle: 0x%x)", service_handle)
servproc = Process(options=self.options,
config=self.config,
pid=self.config.services_pid,
suspended=False)
filepath = servproc.get_filepath()
servproc.inject(injectmode=INJECT_QUEUEUSERAPC,
interest=filepath,
nosleepskip=True)
servproc.close()
KERNEL32.Sleep(500)
service_launched = ADVAPI32.StartServiceA(service_handle, 0, None)
if service_launched:
log.info("Successfully started service")
else:
log.info(ctypes.FormatError())
log.info("Failed to start service")
ADVAPI32.CloseServiceHandle(service_handle)
ADVAPI32.CloseServiceHandle(scm_handle)
return
except Exception as e:
log.info(sys.exc_info()[0])
log.info(e)
log.info(e.__dict__)
log.info(e.__class__)
log.exception(e)
def start(self, path):
arguments = self.options.get("arguments")
# If the file doesn't have an extension, add .exe
# See CWinApp::SetCurrentHandles(), it will throw
# an exception that will crash the app if it does
# not find an extension on the main exe's filename
path = check_file_extension(path, ".exe")
return self.execute(path, arguments, path)
def start(self, path):
password = self.options.get("password", "")
appdata = self.options.get("appdata")
root = os.environ["APPDATA"] if appdata else os.environ["TEMP"]
exe_regex = re.compile(r"(\.exe|\.dll|\.scr|\.msi|\.bat|\.lnk|\.js|\.jse|\.vbs|\.vbe|\.wsf)$", flags=re.IGNORECASE)
zipinfos = self.get_infos(path)
self.extract_zip(path, root, password, 0)
file_name = self.options.get("file")
# If no file name is provided via option, take the first file.
if file_name is None:
# No name provided try to find a better name.
if not len(zipinfos):
raise CuckooPackageError("Empty ZIP archive")
# Attempt to find a valid exe extension in the archive
for f in zipinfos:
if exe_regex.search(f.filename):
file_name = f.filename
break
# Default to the first one if none found
file_name = file_name or zipinfos[0].filename
log.debug("Missing file option, auto executing: %s", file_name)
file_path = os.path.join(root, file_name)
log.debug('file_name: "%s"', file_name)
if file_name.lower().endswith(".lnk"):
cmd_path = self.get_path("cmd.exe")
cmd_args = f'/c start /wait "" "{file_path}"'
return self.execute(cmd_path, cmd_args, file_path)
elif file_name.lower().endswith(".msi"):
msi_path = self.get_path("msiexec.exe")
msi_args = f'/I "{file_path}"'
return self.execute(msi_path, msi_args, file_path)
elif file_name.lower().endswith((".js", ".jse", ".vbs", ".vbe", ".wsf")):
wscript = self.get_path_app_in_path("wscript.exe")
wscript_args = f'"{file_path}"'
return self.execute(wscript, wscript_args, file_path)
elif file_name.lower().endswith(".dll"):
rundll32 = self.get_path_app_in_path("rundll32.exe")
function = self.options.get("function", "#1")
arguments = self.options.get("arguments")
dllloader = self.options.get("dllloader")
dll_args = f'"{file_path}",{function}'
if arguments:
dll_args += f" {arguments}"
if dllloader:
newname = os.path.join(os.path.dirname(rundll32), dllloader)
shutil.copy(rundll32, newname)
rundll32 = newname
return self.execute(rundll32, dll_args, file_path)
elif file_name.lower().endswith(".ps1"):
powershell = self.get_path_app_in_path("powershell.exe")
args = f'-NoProfile -ExecutionPolicy bypass -File "{path}"'
return self.execute(powershell, args, file_path)
else:
path = check_file_extension(path, ".exe")
return self.execute(file_path, self.options.get("arguments"), file_path)
def start(self, path):
iexplore = self.get_path("browser")
# Travelling inside malware universe you should bring a towel with you.
# If a file detected as HTML is submitted without a proper extension,
# or without an extension at all (are you used to name samples with hash?),
# IE is going to open it as a text file, so your precious sample will not
# be executed.
# We help you sample to execute renaming it with a proper extension.
path = check_file_extension(path, ".mht")
return self.execute(iexplore, f'"{path}"', path)
def start(self, path):
arguments = self.options.get("arguments")
appdata = self.options.get("appdata")
path = check_file_extension(path, ".exe")
if appdata:
# run the executable from the APPDATA directory, required for some malware
basepath = os.getenv("APPDATA")
newpath = os.path.join(basepath, os.path.basename(path))
shutil.copy(path, newpath)
path = newpath
return self.execute(path, arguments, path)
def start(self, path):
regsvr32 = self.get_path("regsvr32.exe")
arguments = self.options.get("arguments")
# If the file doesn't have the proper .dll extension force it
# and rename it. This is needed for rundll32 to execute correctly.
# See ticket #354 for details.
path = check_file_extension(path, ".dll")
args = path
if arguments:
args += f" {arguments}"
return self.execute(regsvr32, args, path)
def start(self, path):
rundll32 = self.get_path("rundll32.exe")
function = self.options.get("function", "#1")
arguments = self.options.get("arguments")
dllloader = self.options.get("dllloader")
path = check_file_extension(path, ".dll")
args = f"{path},{function}"
if arguments:
args += f" {arguments}"
if dllloader:
newname = os.path.join(os.path.dirname(rundll32), dllloader)
shutil.copy(rundll32, newname)
rundll32 = newname
return self.execute(rundll32, args, path)
def start(self, path):
rundll32 = self.get_path("rundll32.exe")
function = self.options.get("function", "#1")
arguments = self.options.get("arguments")
dllloader = self.options.get("dllloader")
# If the file doesn't have the proper .dll extension force it
# and rename it. This is needed for rundll32 to execute correctly.
# See ticket #354 for details.
path = check_file_extension(path, ".dll")
args = f"{path},{function}"
if arguments:
args += f" {arguments}"
if dllloader:
newname = os.path.join(os.path.dirname(rundll32), dllloader)
shutil.copy(rundll32, newname)
rundll32 = newname
return self.execute(rundll32, args, path)
def start(self, path):
if not HAS_RARFILE:
raise CuckooPackageError(
"rarfile Python module not installed in guest")
# Check file extension.
path = check_file_extension(path, ".rar")
root = os.environ["TEMP"]
password = self.options.get("password")
exe_regex = re.compile(r"(\.exe|\.scr|\.msi|\.bat|\.lnk)$",
flags=re.IGNORECASE)
rarinfos = self.get_infos(path)
self.extract_rar(path, root, password)
file_name = self.options.get("file")
# If no file name is provided via option, take the first file.
if file_name is None:
# No name provided try to find a better name.
if len(rarinfos):
# Attempt to find a valid exe extension in the archive
for f in rarinfos:
if exe_regex.search(f.filename):
file_name = f.filename
break
# Default to the first one if none found
file_name = file_name or rarinfos[0].filename
log.debug("Missing file option, auto executing: %s", file_name)
else:
raise CuckooPackageError("Empty RAR archive")
file_path = os.path.join(root, file_name)
if file_name.lower().endswith(".lnk"):
cmd_path = self.get_path("cmd.exe")
cmd_args = f'/c start /wait "" "{file_path}"'
return self.execute(cmd_path, cmd_args, file_path)
else:
return self.execute(file_path, self.options.get("arguments"),
file_path)
def start(self, path):
word = self.get_path_glob("Microsoft Office Word")
path = check_file_extension(path, ".doc")
return self.execute(word, f'"{path}" /q', path)
def start(self, path):
path = check_file_extension(path, ".lnk")
cmd_path = self.get_path("cmd.exe")
cmd_args = f'/c start /wait "" "{path}"'
return self.execute(cmd_path, cmd_args, path)
def start(self, path):
path = check_file_extension(path, ".xls")
excel = self.get_path_glob("Microsoft Office Excel")
return self.execute(excel, f'"{path}" /dde', path)
def start(self, path):
powershell = self.get_path_glob("PowerShell")
path = check_file_extension(path, ".ps1")
args = f'-NoProfile -ExecutionPolicy bypass -File "{path}"'
return self.execute(powershell, args, path)
def start(self, path):
wmic = self.get_path("wmic.exe")
path = check_file_extension(path, ".xsl")
return self.execute(wmic, f'process LIST /FORMAT:"{path}"', path)
def start(self, path):
mshta = self.get_path("mshta.exe")
path = check_file_extension(path, ".hta")
return self.execute(mshta, f'"{path}"', path)
def start(self, path):
inp = self.get_path("Inpage.exe")
# Rename file to file.inp so it can open properly.
path = check_file_extension(path, ".inp")
return self.execute(inp, f'"{path}"', path)
def start(self, path):
wscript = self.get_path("WScript")
# Enforce the .wsf file extension as is required by wscript.
path = check_file_extension(path, ".wsf")
return self.execute(wscript, f'"{path}"', path)
def start(self, path):
hh = self.get_path_glob("hh.exe")
path = check_file_extension(path, ".chm")
return self.execute(hh, f'"{path}"', path)
def start(self, path):
self.set_keys()
publisher = self.get_path_glob("Microsoft Office Publisher")
path = check_file_extension(path, ".pub")
return self.execute(publisher, f'"{path}"', path)
def start(self, path):
access = self.get_path_glob("Microsoft Office Access")
path = check_file_extension(path, ".accdr")
return self.execute(access, f'"{path}"', path)
def start(self, path):
ichitaro = self.get_path("TAROVIEW.EXE")
# Rename file to file.jtd so it can open properly.
path = check_file_extension(path, ".jtd")
return self.execute(ichitaro, f'"{path}"', path)
def start(self, path):
rundll32 = self.get_path("rundll32.exe")
arguments = self.options.get("arguments", "")
dllloader = self.options.get("dllloader")
# If the file doesn't have the proper .dll extension force it
# and rename it. This is needed for rundll32 to execute correctly.
# See ticket #354 for details.
path = check_file_extension(path, ".dll")
if dllloader:
newname = os.path.join(os.path.dirname(rundll32), dllloader)
shutil.copy(rundll32, newname)
rundll32 = newname
# If user has requested we use something (function, functions, ordinal, ordinal range)
function = self.options.get("function")
# Does the user want us to run multiple exports that are available?
enable_multi = self.options.get("enable_multi", "")
if enable_multi.lower() in ["on", "yes", "true"]:
enable_multi = True
else:
enable_multi = False
# Does the user want us to run multiple exports by name?
use_export_name = self.options.get("use_export_name", "")
if use_export_name.lower() in ["on", "yes", "true"]:
use_export_name = True
else:
use_export_name = False
run_ordinal_range = False
run_multiple_functions = False
if function:
# If user has requested we use functions (by name or by ordinal number), separated by commas
if enable_multi and "," in function:
function = function.split(",")
run_multiple_functions = True
# If user has requested we use an ordinal range, separated by a hyphen or by ..
elif enable_multi and ("-" in function or ".." in function):
run_ordinal_range = True
# If the user has not enabled multi, but requested multiple functions, log it and default to #1
elif not enable_multi and ("," in function or "-" in function or ".." in function):
log.warning("You need to enable the `enable_multi` option if you want to run multiple functions.")
# Setting function to the first ordinal number since the user does not want use to run multiple functions.
function = "#1"
# If user has not requested that we use a function(s), we should default to running main export entry or
# all available exports, up to a limit, if enabled
else:
# If the user does not want us to run multiple exports that are available, set function to default
if not enable_multi:
if not use_export_name:
function = "#1"
else:
function = "DllMain"
# The user does want us to run multiple functions if we can find them
else:
available_exports = list(filter(None, self.config.exports.split(",")))
# If there are no available exports, default
if not available_exports:
if use_export_name:
function = ["DllMain", "DllRegisterServer"]
run_multiple_functions = True
else:
function = "#1"
# If there are available exports, set limit and determine if we are to use name or number
else:
max_dll_exports = int(self.options.get("max_dll_exports", MAX_DLL_EXPORTS_DEFAULT))
if max_dll_exports <= 0:
max_dll_exports = MAX_DLL_EXPORTS_DEFAULT
dll_exports_num = min(len(available_exports), max_dll_exports)
if use_export_name:
function = available_exports[:dll_exports_num]
run_multiple_functions = True
else:
function = f"#1-{dll_exports_num}"
run_ordinal_range = True
# To get to this stage, the user has enabled `enable_multi`, and has either specified an ordinal
# range or requested that we use available exports by ordinal number, up to a limit
if run_ordinal_range:
with contextlib.suppress(ValueError, AssertionError):
start, end = (int(_.lstrip("#")) for _ in function.replace("..", "-").split("-", 1))
assert start < end
args = '/c for /l %i in ({start},1,{end}) do @{rundll32} "{path}",#%i {arguments}'.format(**locals())
# if there are multiple functions launch them by their ordinal number in a for loop via cmd.exe calling rundll32.exe
return self.execute("C:\\Windows\\System32\\cmd.exe", args.strip(), path)
# To get to this stage, the user has enabled `enable_multi`, and has either specified a list of function names
# or requested that we use available exports by name, up to a limit
elif run_multiple_functions:
ret_list = []
for function_name in function:
args = f'"{path}"' if dllloader == "regsvcs.exe" else f'"{path}",{function_name}'
if arguments:
args += f" {arguments}"
ret_list.append(self.execute(rundll32, args, path))
return ret_list
# To get to this stage, the user has either:
# - enabled `enable_multi`, did not provide a function, and does not want to use export names (default to #1)
# - specified a single function, either by name or by ordinal number
# - specified multiple functions, but did not enable `enable_multi`
else:
args = f'"{path}"' if dllloader == "regsvcs.exe" else f'"{path}",{function}'
if arguments:
args += f" {arguments}"
return self.execute(rundll32, args, path)
