def start(self, path): iexplore = self.get_path("Internet Explorer") # pass the URL instead of a filename in this case self.execute(iexplore, '"about:blank"', "about:blank") args = self.options.get("arguments") appdata = self.options.get("appdata") runasx86 = self.options.get("runasx86") # If the file doesn't have an extension, add .exe # See CWinApp::SetCurrentHandles(), it will throw # an exception that will crash the app if it does # not find an extension on the main exe's filename path = check_file_extension(path, ".exe") if appdata: # run the executable from the APPDATA directory, required for some malware basepath = os.getenv("APPDATA") newpath = os.path.join(basepath, os.path.basename(path)) shutil.copy(path, newpath) path = newpath if runasx86: # ignore the return value, user must have CorFlags.exe installed in the guest VM call(["CorFlags.exe", path, "/32bit+"]) return self.execute(path, args, path)
def start(self, path): rundll32 = self.get_path("rundll32.exe") function = self.options.get("function", "#1") arguments = self.options.get("arguments", "") dllloader = self.options.get("dllloader") # If the file doesn't have the proper .dll extension force it # and rename it. This is needed for rundll32 to execute correctly. # See ticket #354 for details. path = check_file_extension(path, ".dll") if dllloader: newname = os.path.join(os.path.dirname(rundll32), dllloader) shutil.copy(rundll32, newname) rundll32 = newname try: start, end = (int(_.lstrip("#")) for _ in function.replace("..", "-").split("-", 1)) assert start < end args = '/c for /l %i in ({start},1,{end}) do @{rundll32} "{path}",#%i {arguments}'.format( **locals()) # if there are multiple functions launch them by their ordinal number in a for loop via cmd.exe calling rundll32.exe return self.execute("C:\\Windows\\System32\\cmd.exe", args.strip(), path) except (ValueError, AssertionError): pass args = f'"{path}",{function}' if arguments: args += f" {arguments}" return self.execute(rundll32, args, path)
def start(self, path): try: servicename = self.options.get("servicename", "CAPEService") servicedesc = self.options.get("servicedesc", "CAPE Service") arguments = self.options.get("arguments") path = check_file_extension(path, ".exe") binPath = f'"{path}"' if arguments: binPath += f" {arguments}" scm_handle = ADVAPI32.OpenSCManagerA(None, None, SC_MANAGER_ALL_ACCESS) if scm_handle == 0: log.info("Failed to open SCManager") log.info(ctypes.FormatError()) return service_handle = ADVAPI32.CreateServiceA( scm_handle, servicename, servicedesc, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, binPath, None, None, None, None, None, ) if service_handle == 0: log.info("Failed to create service") log.info(ctypes.FormatError()) return log.info("Created service (handle: 0x%x)", service_handle) servproc = Process(options=self.options, config=self.config, pid=self.config.services_pid, suspended=False) filepath = servproc.get_filepath() servproc.inject(injectmode=INJECT_QUEUEUSERAPC, interest=filepath, nosleepskip=True) servproc.close() KERNEL32.Sleep(500) service_launched = ADVAPI32.StartServiceA(service_handle, 0, None) if service_launched: log.info("Successfully started service") else: log.info(ctypes.FormatError()) log.info("Failed to start service") ADVAPI32.CloseServiceHandle(service_handle) ADVAPI32.CloseServiceHandle(scm_handle) return except Exception as e: log.info(sys.exc_info()[0]) log.info(e) log.info(e.__dict__) log.info(e.__class__) log.exception(e)
def start(self, path): arguments = self.options.get("arguments") # If the file doesn't have an extension, add .exe # See CWinApp::SetCurrentHandles(), it will throw # an exception that will crash the app if it does # not find an extension on the main exe's filename path = check_file_extension(path, ".exe") return self.execute(path, arguments, path)
def start(self, path): password = self.options.get("password", "") appdata = self.options.get("appdata") root = os.environ["APPDATA"] if appdata else os.environ["TEMP"] exe_regex = re.compile(r"(\.exe|\.dll|\.scr|\.msi|\.bat|\.lnk|\.js|\.jse|\.vbs|\.vbe|\.wsf)$", flags=re.IGNORECASE) zipinfos = self.get_infos(path) self.extract_zip(path, root, password, 0) file_name = self.options.get("file") # If no file name is provided via option, take the first file. if file_name is None: # No name provided try to find a better name. if not len(zipinfos): raise CuckooPackageError("Empty ZIP archive") # Attempt to find a valid exe extension in the archive for f in zipinfos: if exe_regex.search(f.filename): file_name = f.filename break # Default to the first one if none found file_name = file_name or zipinfos[0].filename log.debug("Missing file option, auto executing: %s", file_name) file_path = os.path.join(root, file_name) log.debug('file_name: "%s"', file_name) if file_name.lower().endswith(".lnk"): cmd_path = self.get_path("cmd.exe") cmd_args = f'/c start /wait "" "{file_path}"' return self.execute(cmd_path, cmd_args, file_path) elif file_name.lower().endswith(".msi"): msi_path = self.get_path("msiexec.exe") msi_args = f'/I "{file_path}"' return self.execute(msi_path, msi_args, file_path) elif file_name.lower().endswith((".js", ".jse", ".vbs", ".vbe", ".wsf")): wscript = self.get_path_app_in_path("wscript.exe") wscript_args = f'"{file_path}"' return self.execute(wscript, wscript_args, file_path) elif file_name.lower().endswith(".dll"): rundll32 = self.get_path_app_in_path("rundll32.exe") function = self.options.get("function", "#1") arguments = self.options.get("arguments") dllloader = self.options.get("dllloader") dll_args = f'"{file_path}",{function}' if arguments: dll_args += f" {arguments}" if dllloader: newname = os.path.join(os.path.dirname(rundll32), dllloader) shutil.copy(rundll32, newname) rundll32 = newname return self.execute(rundll32, dll_args, file_path) elif file_name.lower().endswith(".ps1"): powershell = self.get_path_app_in_path("powershell.exe") args = f'-NoProfile -ExecutionPolicy bypass -File "{path}"' return self.execute(powershell, args, file_path) else: path = check_file_extension(path, ".exe") return self.execute(file_path, self.options.get("arguments"), file_path)
def start(self, path): iexplore = self.get_path("browser") # Travelling inside malware universe you should bring a towel with you. # If a file detected as HTML is submitted without a proper extension, # or without an extension at all (are you used to name samples with hash?), # IE is going to open it as a text file, so your precious sample will not # be executed. # We help you sample to execute renaming it with a proper extension. path = check_file_extension(path, ".mht") return self.execute(iexplore, f'"{path}"', path)
def start(self, path): arguments = self.options.get("arguments") appdata = self.options.get("appdata") path = check_file_extension(path, ".exe") if appdata: # run the executable from the APPDATA directory, required for some malware basepath = os.getenv("APPDATA") newpath = os.path.join(basepath, os.path.basename(path)) shutil.copy(path, newpath) path = newpath return self.execute(path, arguments, path)
def start(self, path): regsvr32 = self.get_path("regsvr32.exe") arguments = self.options.get("arguments") # If the file doesn't have the proper .dll extension force it # and rename it. This is needed for rundll32 to execute correctly. # See ticket #354 for details. path = check_file_extension(path, ".dll") args = path if arguments: args += f" {arguments}" return self.execute(regsvr32, args, path)
def start(self, path): rundll32 = self.get_path("rundll32.exe") function = self.options.get("function", "#1") arguments = self.options.get("arguments") dllloader = self.options.get("dllloader") path = check_file_extension(path, ".dll") args = f"{path},{function}" if arguments: args += f" {arguments}" if dllloader: newname = os.path.join(os.path.dirname(rundll32), dllloader) shutil.copy(rundll32, newname) rundll32 = newname return self.execute(rundll32, args, path)
def start(self, path): rundll32 = self.get_path("rundll32.exe") function = self.options.get("function", "#1") arguments = self.options.get("arguments") dllloader = self.options.get("dllloader") # If the file doesn't have the proper .dll extension force it # and rename it. This is needed for rundll32 to execute correctly. # See ticket #354 for details. path = check_file_extension(path, ".dll") args = f"{path},{function}" if arguments: args += f" {arguments}" if dllloader: newname = os.path.join(os.path.dirname(rundll32), dllloader) shutil.copy(rundll32, newname) rundll32 = newname return self.execute(rundll32, args, path)
def start(self, path): if not HAS_RARFILE: raise CuckooPackageError( "rarfile Python module not installed in guest") # Check file extension. path = check_file_extension(path, ".rar") root = os.environ["TEMP"] password = self.options.get("password") exe_regex = re.compile(r"(\.exe|\.scr|\.msi|\.bat|\.lnk)$", flags=re.IGNORECASE) rarinfos = self.get_infos(path) self.extract_rar(path, root, password) file_name = self.options.get("file") # If no file name is provided via option, take the first file. if file_name is None: # No name provided try to find a better name. if len(rarinfos): # Attempt to find a valid exe extension in the archive for f in rarinfos: if exe_regex.search(f.filename): file_name = f.filename break # Default to the first one if none found file_name = file_name or rarinfos[0].filename log.debug("Missing file option, auto executing: %s", file_name) else: raise CuckooPackageError("Empty RAR archive") file_path = os.path.join(root, file_name) if file_name.lower().endswith(".lnk"): cmd_path = self.get_path("cmd.exe") cmd_args = f'/c start /wait "" "{file_path}"' return self.execute(cmd_path, cmd_args, file_path) else: return self.execute(file_path, self.options.get("arguments"), file_path)
def start(self, path): word = self.get_path_glob("Microsoft Office Word") path = check_file_extension(path, ".doc") return self.execute(word, f'"{path}" /q', path)
def start(self, path): path = check_file_extension(path, ".lnk") cmd_path = self.get_path("cmd.exe") cmd_args = f'/c start /wait "" "{path}"' return self.execute(cmd_path, cmd_args, path)
def start(self, path): path = check_file_extension(path, ".xls") excel = self.get_path_glob("Microsoft Office Excel") return self.execute(excel, f'"{path}" /dde', path)
def start(self, path): powershell = self.get_path_glob("PowerShell") path = check_file_extension(path, ".ps1") args = f'-NoProfile -ExecutionPolicy bypass -File "{path}"' return self.execute(powershell, args, path)
def start(self, path): wmic = self.get_path("wmic.exe") path = check_file_extension(path, ".xsl") return self.execute(wmic, f'process LIST /FORMAT:"{path}"', path)
def start(self, path): mshta = self.get_path("mshta.exe") path = check_file_extension(path, ".hta") return self.execute(mshta, f'"{path}"', path)
def start(self, path): inp = self.get_path("Inpage.exe") # Rename file to file.inp so it can open properly. path = check_file_extension(path, ".inp") return self.execute(inp, f'"{path}"', path)
def start(self, path): wscript = self.get_path("WScript") # Enforce the .wsf file extension as is required by wscript. path = check_file_extension(path, ".wsf") return self.execute(wscript, f'"{path}"', path)
def start(self, path): hh = self.get_path_glob("hh.exe") path = check_file_extension(path, ".chm") return self.execute(hh, f'"{path}"', path)
def start(self, path): self.set_keys() publisher = self.get_path_glob("Microsoft Office Publisher") path = check_file_extension(path, ".pub") return self.execute(publisher, f'"{path}"', path)
def start(self, path): access = self.get_path_glob("Microsoft Office Access") path = check_file_extension(path, ".accdr") return self.execute(access, f'"{path}"', path)
def start(self, path): ichitaro = self.get_path("TAROVIEW.EXE") # Rename file to file.jtd so it can open properly. path = check_file_extension(path, ".jtd") return self.execute(ichitaro, f'"{path}"', path)
def start(self, path): rundll32 = self.get_path("rundll32.exe") arguments = self.options.get("arguments", "") dllloader = self.options.get("dllloader") # If the file doesn't have the proper .dll extension force it # and rename it. This is needed for rundll32 to execute correctly. # See ticket #354 for details. path = check_file_extension(path, ".dll") if dllloader: newname = os.path.join(os.path.dirname(rundll32), dllloader) shutil.copy(rundll32, newname) rundll32 = newname # If user has requested we use something (function, functions, ordinal, ordinal range) function = self.options.get("function") # Does the user want us to run multiple exports that are available? enable_multi = self.options.get("enable_multi", "") if enable_multi.lower() in ["on", "yes", "true"]: enable_multi = True else: enable_multi = False # Does the user want us to run multiple exports by name? use_export_name = self.options.get("use_export_name", "") if use_export_name.lower() in ["on", "yes", "true"]: use_export_name = True else: use_export_name = False run_ordinal_range = False run_multiple_functions = False if function: # If user has requested we use functions (by name or by ordinal number), separated by commas if enable_multi and "," in function: function = function.split(",") run_multiple_functions = True # If user has requested we use an ordinal range, separated by a hyphen or by .. elif enable_multi and ("-" in function or ".." in function): run_ordinal_range = True # If the user has not enabled multi, but requested multiple functions, log it and default to #1 elif not enable_multi and ("," in function or "-" in function or ".." in function): log.warning("You need to enable the `enable_multi` option if you want to run multiple functions.") # Setting function to the first ordinal number since the user does not want use to run multiple functions. function = "#1" # If user has not requested that we use a function(s), we should default to running main export entry or # all available exports, up to a limit, if enabled else: # If the user does not want us to run multiple exports that are available, set function to default if not enable_multi: if not use_export_name: function = "#1" else: function = "DllMain" # The user does want us to run multiple functions if we can find them else: available_exports = list(filter(None, self.config.exports.split(","))) # If there are no available exports, default if not available_exports: if use_export_name: function = ["DllMain", "DllRegisterServer"] run_multiple_functions = True else: function = "#1" # If there are available exports, set limit and determine if we are to use name or number else: max_dll_exports = int(self.options.get("max_dll_exports", MAX_DLL_EXPORTS_DEFAULT)) if max_dll_exports <= 0: max_dll_exports = MAX_DLL_EXPORTS_DEFAULT dll_exports_num = min(len(available_exports), max_dll_exports) if use_export_name: function = available_exports[:dll_exports_num] run_multiple_functions = True else: function = f"#1-{dll_exports_num}" run_ordinal_range = True # To get to this stage, the user has enabled `enable_multi`, and has either specified an ordinal # range or requested that we use available exports by ordinal number, up to a limit if run_ordinal_range: with contextlib.suppress(ValueError, AssertionError): start, end = (int(_.lstrip("#")) for _ in function.replace("..", "-").split("-", 1)) assert start < end args = '/c for /l %i in ({start},1,{end}) do @{rundll32} "{path}",#%i {arguments}'.format(**locals()) # if there are multiple functions launch them by their ordinal number in a for loop via cmd.exe calling rundll32.exe return self.execute("C:\\Windows\\System32\\cmd.exe", args.strip(), path) # To get to this stage, the user has enabled `enable_multi`, and has either specified a list of function names # or requested that we use available exports by name, up to a limit elif run_multiple_functions: ret_list = [] for function_name in function: args = f'"{path}"' if dllloader == "regsvcs.exe" else f'"{path}",{function_name}' if arguments: args += f" {arguments}" ret_list.append(self.execute(rundll32, args, path)) return ret_list # To get to this stage, the user has either: # - enabled `enable_multi`, did not provide a function, and does not want to use export names (default to #1) # - specified a single function, either by name or by ordinal number # - specified multiple functions, but did not enable `enable_multi` else: args = f'"{path}"' if dllloader == "regsvcs.exe" else f'"{path}",{function}' if arguments: args += f" {arguments}" return self.execute(rundll32, args, path)