#coding:utf-8
import time
import argparse
import subprocess
import commands
# Static network settings pushed into the Windows guest by the injected
# `netsh` commands (see the `download` template below). The gateway and the
# DNS server are the same host that also serves the sample over HTTP.
ip_addr = "10.0.0.2"
netmask = "255.255.255.0"
gateway = "10.0.0.1"
dns_addr = "10.0.0.1"
# URL the guest fetches the sample from; it lives on the gateway host above,
# i.e. inside the analysis network, not on the Internet.
malware_path = "http://10.0.0.1/exe/Petya.A.exe"
# `xl domid <name>` resolves a Xen domain name to its numeric domain id;
# the result is interpolated into the injector/drakvuf command lines.
dname_to_id = "xl domid %s"
# cmd.exe command line to be injected into the guest. In order it: sets a
# static IPv4 address/netmask/gateway, sets the DNS server, pings localhost
# five times (a crude delay), then downloads the sample to test.exe on the
# desktop via PowerShell. Format slots: ip_addr, netmask, gateway, dns_addr,
# malware_path. The backslash-escaped quotes appear to be layered for the
# host shell, the injector argument and cmd.exe itself — edit with care.
download = "cmd.exe /c \\\"netsh interface ip set address name=\\\"Ethernet\\\" static %s %s %s && netsh interface ip set dns name=\\\"Ethernet\\\" static %s validate=no && ping -n 5 127.0.0.1 && powershell (new-object System.Net.WebClient).Downloadfile(\'%s\', \'C:\\\\Users\\\\windows\\\\Desktop\\\\test.exe\')\\\""
# Guest-side path of the downloaded sample; handed to drakvuf via `-e`.
execute = "C:\\\\Users\\\\windows\\\\Desktop\\\\test.exe"
# injector command template: rekall profile, domid, pid, quoted command line.
injector = "injector %s %s %s \"%s\""
# Variant with `-T <tcpip.json>`; kept for reference, currently unused.
#drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -T \"%s\" -t %s -o csv"
# drakvuf command template: rekall profile, domid, pid, executable, timeout;
# CSV output is what gets captured into the log file.
drakvuf = "drakvuf -r %s -d %s -i %s -e \"%s\" -t %s -o csv"
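def write_log(output, filepath):
    """Append *output* to the file at *filepath*, creating the file if needed.

    Args:
        output: text to append; written verbatim, no newline is added.
        filepath: path of the log file. It is opened in append mode, so
            repeated calls accumulate rather than overwrite.

    Raises:
        IOError / OSError if the file cannot be opened for writing.
    """
    # The with-block closes the file on exit (also on error); no explicit
    # close() is needed.
    with open(filepath, 'a') as f:
        f.write(output)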
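def get_lines(cmd):
    """Run *cmd* through the shell and yield its combined output line by line.

    Args:
        cmd: a complete shell command line. It is handed to the shell
            unmodified (shell=True), because the command templates in this
            file rely on shell quoting to nest the injected cmd.exe command
            line. It must therefore be built only from the operator's own
            arguments, never from untrusted input.

    Yields:
        Each line of stdout+stderr exactly as readline() returns it (bytes on
        Python 3, str on Python 2), trailing newline included.

    Raises:
        OSError if the shell itself cannot be started.
    """
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    try:
        # readline() returns an empty string only at EOF, so this stops once
        # the child has closed its end of the pipe instead of spinning on
        # empty reads while the process is still running.
        for line in iter(proc.stdout.readline, b""):
            yield line
    finally:
        # Close our end of the pipe even if the consumer stops early, so the
        # descriptor does not leak for the lifetime of the generator.
        proc.stdout.close()
    # Reap the child on normal completion to avoid leaving a zombie behind.
    proc.wait()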
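if __name__ == '__main__':
    # Drive one analysis run: inject the download command into the guest,
    # wait, then trace the dropped executable with drakvuf and save its CSV
    # output to --filepath.
    parser = argparse.ArgumentParser()
    parser.add_argument("--dname", help="set domain name")
    parser.add_argument("--pid", help="set process id")
    parser.add_argument("--filepath", help="set filepath")
    parser.add_argument("--rekall", help="set rekall profile path")
    parser.add_argument("--tcpip", help="set tcpip.json path")
    parser.add_argument("--timeout", help="set execution time")
    args = parser.parse_args()

    dname = args.dname
    pid = args.pid
    file_path = args.filepath
    rekall_path = args.rekall
    # Parsed but not used: the drakvuf template that takes `-T` is commented
    # out above, so the tcpip.json path never reaches the command line.
    tcpip_path = args.tcpip
    timeout = args.timeout

    # Resolve the domain name to its numeric id. If `xl` fails it prints an
    # error message instead of a number, which would otherwise be spliced
    # verbatim into the injector and drakvuf command lines; stop early.
    # (Assumes `xl domid` prints a bare integer on success.)
    did = commands.getoutput(dname_to_id % dname).strip()
    if not did.isdigit():
        raise SystemExit("could not resolve domid for %r: %s" % (dname, did))

    # Fill the guest-side command and wrap it in an injector invocation.
    # A local name is used so the module-level template is not rebound.
    download_cmd = download % (ip_addr, netmask, gateway, dns_addr, malware_path)
    download_inject = injector % (rekall_path, did, pid, download_cmd)
    print(download_inject)
    for line in get_lines(cmd=download_inject):
        print(line.split("\n")[0])

    # Give the injected cmd.exe time to reconfigure the guest network and
    # fetch the sample; there is no completion signal, so this is a fixed
    # delay (presumably tuned by hand).
    time.sleep(20)

    drakvuf_exec = drakvuf % (rekall_path, did, pid, execute, timeout)
    print(drakvuf_exec)
    # Collect lines in a list and join once instead of quadratic string
    # concatenation; the trace output can be large.
    log_lines = []
    for line in get_lines(cmd=drakvuf_exec):
        print(line.split("\n")[0])
        log_lines.append(line)
    write_log("".join(log_lines), file_path)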