Configurable windows malware with persistence, infostealing, keylogging and screenshots features

percept-denigrate/windows-malware

Warning

This is a class project for demonstration purposes; don't use it for anything illegal.

How it works

The repo contains two Cargo projects: one for the payload, which contains the features, and one for the injector (meant to pass as an ordinary file), which downloads the payload and makes it persistent on the machine. If you want to make the malware single-use, just use the payload and discard the injector.

The malware exfiltrates data to a Discord webhook that acts as its C2 server. To set it up, create a webhook in a Discord server you own and put its URL in payload/src/constants.rs. If you use the screenshots feature, you can use a second webhook to receive the screenshots in another channel.
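Because the C2 channel is a plain Discord webhook, the defender-side signal is an outbound POST to a URL of the form https://discord.com/api/webhooks/<id>/<token> from a process that has no business talking to Discord. The script below is an added example, not code from this repository: it scans egress-proxy style log lines for such POSTs, reports the numeric webhook id while deliberately withholding the token, and groups repeated posts so a tight, regular cadence (the screenshot thread posts every few seconds) stands out. The log format, the sample lines and the process allow-list are constructed for the example.

```python
"""Detect Discord-webhook exfiltration in egress logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Discord webhooks live under /api/webhooks/<numeric id>/<token>, optionally
# behind an API version segment; discord.com and discordapp.com both serve them.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)*discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)",
    re.IGNORECASE,
)

# Processes expected to reach Discord's API (constructed allow-list; tune per fleet).
EXPECTED_PROCESSES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    ts: int          # epoch seconds from the log line
    host: str
    process: str
    webhook_id: str  # the numeric id is safe to report; the token is not
    size: int        # request body bytes


def parse_line(line):
    """Parse the constructed format: '<epoch> <host> <process> <method> <url> <bytes>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, process, method, url, size = parts
    try:
        return {"ts": int(ts), "host": host, "process": process,
                "method": method.upper(), "url": url, "size": int(size)}
    except ValueError:
        return None


def find_webhook_posts(lines, expected=EXPECTED_PROCESSES):
    """Return a Finding for each POST to a Discord webhook by an unexpected process."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        m = WEBHOOK_RE.search(rec["url"])
        if m is None or rec["process"].lower() in expected:
            continue
        # group(2) is the webhook token: never log it, it grants write access.
        findings.append(Finding(rec["ts"], rec["host"], rec["process"], m.group(1), rec["size"]))
    return findings


def regular_posters(findings, min_posts=3, max_gap=10):
    """Group findings by (host, process, webhook) and keep groups whose posts are
    frequent and evenly spaced: at least min_posts, every gap <= max_gap seconds."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.host, f.process, f.webhook_id)].append(f.ts)
    out = {}
    for key, stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_posts:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if all(g <= max_gap for g in gaps):
            out[key] = len(stamps)
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1700000000 ws01 discord.exe POST https://discord.com/api/v9/webhooks/111111111111111111/client-tok 512",
    "1700000001 ws01 chrome.exe GET https://discord.com/api/v9/users/@me 300",
    "1700000005 ws02 svchost.exe POST https://example.com/api/webhooks/4/nope 100",
    "1700000010 ws03 updater.exe POST https://discord.com/api/webhooks/222222222222222222/AbC-123 40960",
    "1700000015 ws03 updater.exe POST https://discord.com/api/webhooks/222222222222222222/AbC-123 41210",
    "1700000020 ws03 updater.exe POST https://discordapp.com/api/webhooks/222222222222222222/AbC-123 39877",
    "1700000030 ws04 helper.exe POST https://discord.com/api/webhooks/333333333333333333/zz_zz 2048",
    "malformed line",
]

if __name__ == "__main__":
    hits = find_webhook_posts(SAMPLE_LOG)
    for h in hits:
        print(f"{h.host} {h.process} -> webhook {h.webhook_id} ({h.size} bytes)")
    for (host, proc, wid), n in regular_posters(hits).items():
        print(f"regular cadence: {host} {proc} -> webhook {wid}, {n} posts")
```

On the sample data the two unlisted processes (updater.exe and helper.exe) are reported, the Discord client and the unrelated example.com webhook are not, and only ws03's updater.exe, posting every 5 seconds, is flagged as a regular poster. The allow-list is the weak point of this check: a payload injected into or named after a browser process will pass it, so in practice pair it with the size of the POST bodies and the fact that legitimate clients almost never POST to a webhook endpoint at all.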

Building

  • Build the payload, preferably in the release profile to reduce binary size
  • Upload the payload to a file-hosting website, or as a Discord attachment
  • Put the URL of the uploaded payload in injector/src/constants.rs
  • Build the injector

Crosscompiling

To compile for Windows on Linux, install mingw-w64 and run cargo build --target x86_64-pc-windows-gnu --release in the payload and injector directories.

The release-mode payload binary will be at payload/target/x86_64-pc-windows-gnu/release/payload.exe; the injector's is at the same path with injector in place of payload.

You can share the directory with a Windows VM for testing.

Features

The malware has multiple features that can be toggled in payload/constants.rs and injector/constants.rs.

Browser cookies and passwords stealing

Cookies (including authentication tokens) and saved passwords from Chromium-based browsers are collected and sent when the payload is executed.

Keylogging

The payload starts a thread that records keystrokes together with the window they were typed in, and sends the log at each payload execution (requires persistence).

Screenshots

The payload starts a thread that takes screenshots every 5 seconds and sends them on the spot.

Anti-analysis

The injector and the payload use the antilysis crate to stop execution if they are run in an analysis environment.

To do

  • firefox-based browsers cookies and passwords
  • authentication token selection
  • telegram, steam, discord tokens
  • clipper
  • recall data
  • packing
  • obfuscation
  • data encryption

Inspirations

https://github.com/Abdulrhmanbk/discoon-malware/

https://github.com/doenerium69/doenerium
