---
tags: forced-execution
---
# Types of Malware:
### 1: Packer
1. Execute payloads
a. Regular loaders executed via `exec` - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/0aedd5bbd3e77bb573ffb90ef3703c1c2083023c.py)
b. Uses ctypes casting to execute - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1f888ce0e423dc5be0389e69f8909fa28480341a.py)
c. Download payload and allocate directly in memory to execute - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/0f4ea2bdcf27cb31b36816f739631f737a6a143d.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/6e5b569b31cdf9df313913eff1b841508f6c7a0c.py)
d. Executes PowerShell commands - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/2cd9e3d313d383def641a3bba07579fa350057b6.py)
e. `exec` with virtual allocation - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/8e36a1f9da8a82fa4025c8ca6fdf48f7ce63c998.py)
f. `exec` in separate thread - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/25b0918dd0f5c5a9ca826b041ca916fba483326f.py)
g. Download executable and execute - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/925d4f8f1b4e4333563cf5f78b4f706dc6b6ee1f.py)
h. Shellcode execution - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/4830b60fbd83e6d475ae67f262ac1f8da2776ff4.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/7980cb41be8ea7b533c41d114cf828a819ec21be.py)
i. Generates python libraries after execution - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/a479fbc9621985c3b07815a13dd6945668f1095b.py)
### 2: Remote shell
1. PowerShell command generation (class for generating commands) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/0b8a8a367d258ad06ffeacf3b0e91e5282260593.py)
5. Remote shell - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/00f30c367477d5a4b23ab3e681f20aa079499986.py)
7. Server to send exploit (HTML remote shell) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1be77f084fb8a0a6ee99b49f9c1bd883dcfb2cb7.py)
22. Complex:
~~a. [information stealer; link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/6022cf391e74543e9f5369503d5471cb47ebce41.py)~~
b. [(looks like a remote shell) link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/e1733d57f13a12355af31d11b8c99ebf74689272.py)
### 3: Keylogger
1. Keylogger (listeners for keyboard input) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/0cc77a4ad4015972b6c0cf0872070255e2a99881.py)
17. Recording script via shell - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/67c2056d4a2d57482197237e40c064ed32776096.py)
18. Record mouse position - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/82debcd7c869cf12b337eb572bf7f0c19b120697.py)
### 4: Malware Toolkit
1. Lazagne:
a. Inherited classes for stealing tokens - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/0dce67205be06652b2a770a3d3a3363c83c3e772.py)
b. Stealing passwords (functions) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1ab497b1cf619673b210bbca5d76b65585209b99.py)
c. Exec uses lazagne - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/c48899a78536168aeae311d31b5439d98bcf7c21.py)
d. Tool uses lazagne - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/f06aa8ae77de64ee4e7da2276963700b5cb5104e.py)
8. Functions not invoked and incomplete exploits:
a. Uploads and downloads files - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1eb864e79a9ef749df60fbd9e9f91dc8af1b9fb4.py)
b. Extract data - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1f179c41ac7788e89fd043f3e2dbb6bbbc1be5d7.py)
c. Execute CVE - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/8a7cfa96d6f682f38a2c9552a65a93996d27f59d.py)
d. Data and functions (Can we infer about this?) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/261ce3791ece22da6e0291e1d0a1ccc830383b56.py)
e. Webshell [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/635c856ad986e9fbf749abcff78f7296908d4724.py)
f. Thread builder [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/4409bdd3dbda0946315da26b442812969c577916.py)
13. Meterpreter - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/4cfd026d0583acb6c621c0c360566f012ba281f5.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/70dc91bbfff5fe2548ca136e1e65e271714e8b30.py)
20. Unicorn exploit - [github source](https://github.com/trustedsec/unicorn) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/94dc46c73890703e3acbde0a7944d494ec174e97.py)
### 5: Known Exploits
1. Android devices exploit (uses eval and others) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1fbadae53b00ac6ba89338577102a667fda3dcf5.py)
16. Exploit for CVEs
a. CVE-2009-0927 (pdf exploit) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/59f56e19777bed3fb05131fbdc2d1fc27cef6b7f.py)
b. CVE-unknown (dlink exploit) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/84a7a12500d56a78b73047c6d2cfa6e4e5c29892.py)
c. checkm8 exploit (ROP attacks) - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/a946eca0e7c04c45c37fbe7824bbf428f9269ace.py)
* When executing a pyc (binary), can we access the variable names? How does the decompiler obtain variable names?
24. Server vulnerability test - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/b21a9709dafbc6b6d0671cdd0676abce33473188.py)
### 6: Evasive Tactics
1. Cloudflare bypass with threads - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/2f440ec8e697d7792ab56ab69de6121caacf125a.py)
* This uses `list[rand()]` to select an element from the list randomly (forced execution should explore all elements -- diverse data)
### 7: Information Exfiltrate
1. Traverse directories to find discord tokens - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/3af14f70534f6371124ab1b4911efc187cfb6be3.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/6a12e3f1e5efd8b1ecf73918595c51c363cdec56.py)
14. Extract system information - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/8cb5c1756e2c688a389b59b26a17a678f8062074.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/98cea6fc42c8fa3a2666b225268c0f9ba7d15d5f.py)
15. Stealing system data - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/9d11a0c313dbf0b9135838d88f0cda85ac9d5787.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/6267e7ee2199208585f2a5a909162bfe388da521.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/0045442f29ded66089a6f1a4511d13b62b0d1676.py)
* Getting hints from the DB select query?
```python
# from the first link
cursor.execute('SELECT origin_url, username_value, password_value from logins;')
for log in cursor.fetchall():
    password = Win32CryptUnprotectData(log[2])
    if password is not False:
        var_with_logs += 'URL: ' + log[0].encode('utf-8') + '\n'
        var_with_logs += '\tLogin : ' + log[1].encode('utf-8') + '\n'
        var_with_logs += '\tPassword : ' + password.encode('utf-8') + '\n\n'
```
4. Multiple threads with Google Drive and Twitter - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/91b96dbfa37bfa1fd85ec5d2f40e2512146052fb.py)
21. Steal Chrome passwords - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/98cbc5823dc912b3cf0746a33475f06658f913c4.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/688bee60724da3478f9f7408044ac2260029ab96.py)
22. Complex:
a. [information stealer; link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/6022cf391e74543e9f5369503d5471cb47ebce41.py)
~~b. [(looks like a remote shell) link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/e1733d57f13a12355af31d11b8c99ebf74689272.py)~~
### 8: Ransomware
1. Ransomware - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/be82a4406338352a60c86169fd19ec97233b696e.py) [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/d94437d6aa2b74d56626e1cb31230949e21c4f48.py)
### 9: Persistence
1. Windows service to run program - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/ae3dac25d9c4a78a34744b88894207454b6ac9a1.py)
2. Update Windows registry - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/ccfc74970a67db56a867e115bf0a0c4f134bee17.py)
### 10: Others (Unclassified; etc)
1. GUI:
a. Standard output - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/1a6f037f592325a8022afb7393609d0031ac05b2.py)
b. Overwrite stdout/stderr - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/67e61ac7bd80f248b3bd636d7c842e2ca6a4d4a3.py)
c. Counter Ransomware - [link](https://github.com/roguedream/py-mal-sample/blob/main/malware_samples_2/decompiled_refactored_py3/d2413d2d0f8a9a1e250d3a1b17df07da12df42c0.py)