#coding:utf-8
import time | |
import argparse | |
import subprocess | |
import commands | |
# Static network settings pushed into the guest before the sample is fetched.
# The 10.0.0.0/24 addresses are presumably the isolated analysis network —
# confirm and adjust for the local lab before use.
ip_addr = "10.0.0.2"
netmask = "255.255.255.0"
gateway = "10.0.0.1"
dns_addr = "10.0.0.1"
# HTTP location of the sample on the lab host; the guest downloads it from here.
malware_path = "http://10.0.0.1/exe/Petya.A.exe"
# Host-side command that resolves a Xen domain name to its numeric domid.
dname_to_id = "xl domid %s"
# Command line injected into the guest: sets a static IP and DNS server on the
# "Ethernet" adapter, waits a few seconds (ping -n 5 to localhost), then uses
# PowerShell's WebClient to save the sample to the desktop as test.exe.
# The escaping is exact because the string passes through the host shell and
# then the guest's cmd.exe — do not reflow or re-quote it.
download = "cmd.exe /c \\\"netsh interface ip set address name=\\\"Ethernet\\\" static %s %s %s && netsh interface ip set dns name=\\\"Ethernet\\\" static %s validate=no && ping -n 5 127.0.0.1 && powershell (new-object System.Net.WebClient).Downloadfile(\'%s\', \'C:\\\\Users\\\\windows\\\\Desktop\\\\test.exe\')\\\""
# Guest-side path of the downloaded sample, handed to drakvuf via -e.
execute = "C:\\\\Users\\\\windows\\\\Desktop\\\\test.exe"
# Injector template: <rekall profile> <domid> <pid> "<command to run in guest>".
injector = "injector %s %s %s \"%s\""
# Earlier variant that also passed a tcpip profile with -T; kept for reference.
#drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -T \"%s\" -t %s -o csv"
# DRAKVUF template: -r rekall profile, -d domid, -i pid, -e program to start,
# -t timeout; CSV output goes to stdout and is captured as the log.
drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -t %s -o csv"
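def write_log(output, filepath):
    """Append *output* to the file at *filepath*, creating it if needed.

    The ``with`` statement closes the file when the block exits (also on an
    exception), so no explicit ``close()`` is required.
    """
    with open(filepath, 'a') as f:
        f.write(output)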
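def get_lines(cmd):
    """Run *cmd* through the shell and yield its output one line at a time.

    stderr is merged into stdout so the caller sees a single stream in the
    order the tool produced it. Lines keep their trailing newline. When the
    stream reaches EOF the pipe is closed and the child is reaped, so no file
    descriptor or zombie process is left behind.

    NOTE: ``shell=True`` is needed because the injector/drakvuf command lines
    carry nested quoting the shell must parse; *cmd* must be built only from
    operator-supplied values, never from untrusted input.
    """
    proc = subprocess.Popen(cmd, shell=True,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    try:
        # readline() returns an empty string only at EOF, so this cannot spin
        # while the child is still running (the old poll loop could).
        for line in iter(proc.stdout.readline, b''):
            yield line
    finally:
        proc.stdout.close()
    # Reached only after EOF; collects the exit status so the child is reaped.
    proc.wait()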
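if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="Inject a download command into a Xen guest, then trace "
                    "the downloaded sample with DRAKVUF and save its CSV output.")
    # These options are all interpolated into command lines below, so an
    # omitted one would otherwise silently become the literal string "None".
    parser.add_argument("--dname", required=True, help="set domain name")
    parser.add_argument("--pid", required=True, help="set process id")
    parser.add_argument("--filepath", required=True, help="set filepath")
    parser.add_argument("--rekall", required=True, help="set rekall profile path")
    # Only consumed by the commented-out -T drakvuf variant; kept optional.
    parser.add_argument("--tcpip", help="set tcpip.json path")
    parser.add_argument("--timeout", required=True, help="set execution time")
    args = parser.parse_args()

    dname = args.dname
    pid = args.pid
    file_path = args.filepath
    rekall_path = args.rekall
    tcpip_path = args.tcpip
    timeout = args.timeout

    # `xl domid` prints an error message instead of a number for an unknown
    # domain; check the exit status so that message is not passed on as a domid.
    status, did = commands.getstatusoutput(dname_to_id % dname)
    did = did.strip()
    if status != 0 or not did.isdigit():
        parser.error("cannot resolve domid for domain %r: %s" % (dname, did))

    # Fill in the guest-side download command, then wrap it in the injector call.
    download_cmd = download % (ip_addr, netmask, gateway, dns_addr, malware_path)
    download_inject = injector % (rekall_path, did, pid, download_cmd)
    print(download_inject)
    for line in get_lines(cmd=download_inject):
        print(line.split("\n")[0])

    # Give the guest time to apply the network settings and finish the download.
    time.sleep(20)

    drakvuf_exec = drakvuf % (rekall_path, did, pid, execute, timeout)
    print(drakvuf_exec)
    # Collect lines in a list (joined once) and flush them in `finally`, so a
    # partial trace still reaches disk if the run is interrupted.
    log_lines = []
    try:
        for line in get_lines(cmd=drakvuf_exec):
            print(line.split("\n")[0])
            log_lines.append(line)
    finally:
        write_log("".join(log_lines), file_path)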