hxxp://"c[:]\program files\python35\python[.]exe" -c "#! /usr/bin/env python\u000a# encoding[:] utf-8\u000a# WARNING! Do not edit! hxxps://waf[.]io/book/index[.]html#_obtaining_the_waf_file\u000a\u000aimport os,sys,traceback,base64,signal\u000atry[:]\u000a\u0009import cPickle\u000aexcept ImportError[:]\u000a\u0009import pickle as cPickle\u000atry[:]\u000a\u0009import subprocess32 as subprocess\u000aexcept ImportError[:]\u000a\u0009import subprocess\u000atry[:]\u000a\u0009TimeoutExpired=subprocess[.]TimeoutExpired\u000aexcept AttributeError[:]\u000a\u0009class TimeoutExpired(Exception)[:]\u000a\u0009\u0009pass\u000adef run()[:]\u000a\u0009txt=sys[.]stdin[.]readline()[.]strip()\u000a\u0009if not txt[:]\u000a\u0009\u0009sys[.]exit(1)\u000a\u0009[cmd,kwargs,cargs]=cPickle[.]loads(base64[.]b64decode(txt))\u000a\u0009cargs=cargs or{}\u000a\u0009if not'close_fds'in kwargs[:]\u000a\u0009\u0009kwargs['close_fds']=False\u000a\u0009ret=1\u000a\u0009out,err,ex,trace=(None,None,None,None)\u000a\u0009try[:]\u000a\u0009\u0009proc=subprocess[.]Popen(cmd,**kwargs)\u000a\u0009\u0009try[:]\u000a\u0009\u0009\u0009out,err=proc[.]communicate(**cargs)\u000a\u0009\u0009except TimeoutExpired[:]\u000a\u0009\u0009\u0009if kwargs[.]get('start_new_session')and hasattr(os,'killpg')[:]\u000a\u0009\u0009\u0009\u0009os[.]killpg(proc[.]pid,signal[.]SIGKILL)\u000a\u0009\u0009\u0009else[:]\u000a\u0009\u0009\u0009\u0009proc[.]kill()\u000a\u0009\u0009\u0009out,err=proc[.]communicate()\u000a\u0009\u0009\u0009exc=TimeoutExpired(proc[.]args,timeout=cargs['timeout'],output=out)\u000a\u0009\u0009\u0009exc[.]stderr=err\u000a\u0009\u0009\u0009raise exc\u000a\u0009\u0009ret=proc[.]returncode\u000a\u0009except Exception as e[:]\u000a\u0009\u0009exc_type,exc_value,tb=sys[.]exc_info()\u000a\u0009\u0009exc_lines=traceback[.]format_exception(exc_type,exc_value,tb)\u000a\u0009\u0009trace=str(cmd)+'\n'+''[.]join(exc_lines)\u000a\u0009\u0009ex=e[.]__class__[.]__name__\u000a\u0009tmp=[ret,out,err,ex,trace]\u000a\u0009obj=base64[.]b64encode(cPickle[.]dumps(tmp))\u000a\u0009sys[.]stdout[.]write(obj[.]decode())\u000a\u0009sys[.]stdout[.]write('\n')\u000a\u0009sys[.]stdout[.]flush()\u000awhile 1[:]\u000a\u0009try[:]\u000a\u0009\u0009run()\u000a\u0009except KeyboardInterrupt[:]\u000a\u0009\u0009break\u000a"

Sharing

Behavioral task

behavioral1

Sample

http://"c:\program files\python35\python.exe" -c "#! /usr/bin/env python\u000a# encoding: utf-8\u000a# WARNING! Do not edit! https://waf.io/book/index.html#_obtaining_the_waf_file\u000a\u000aimport os,sys,traceback,base64,signal\u000atry:\u000a\u0009import cPickle\u000aexcept ImportError:\u000a\u0009import pickle as cPickle\u000atry:\u000a\u0009import subprocess32 as subprocess\u000aexcept ImportError:\u000a\u0009import subprocess\u000atry:\u000a\u0009TimeoutExpired=subprocess.TimeoutExpired\u000aexcept AttributeError:\u000a\u0009class TimeoutExpired(Exception):\u000a\u0009\u0009pass\u000adef run():\u000a\u0009txt=sys.stdin.readline().strip()\u000a\u0009if not txt:\u000a\u0009\u0009sys.exit(1)\u000a\u0009[cmd,kwargs,cargs]=cPickle.loads(base64.b64decode(txt))\u000a\u0009cargs=cargs or{}\u000a\u0009if not'close_fds'in kwargs:\u000a\u0009\u0009kwargs['close_fds']=False\u000a\u0009ret=1\u000a\u0009out,err,ex,trace=(None,None,None,None)\u000a\u0009try:\u000a\u0009\u0009proc=subprocess.Popen(cmd,**kwargs)\u000a\u0009\u0009try:\u000a\u0009\u0009\u0009out,err=proc.communicate(**cargs)\u000a\u0009\u0009except TimeoutExpired:\u000a\u0009\u0009\u0009if kwargs.get('start_new_session')and hasattr(os,'killpg'):\u000a\u0009\u0009\u0009\u0009os.killpg(proc.pid,signal.SIGKILL)\u000a\u0009\u0009\u0009else:\u000a\u0009\u0009\u0009\u0009proc.kill()\u000a\u0009\u0009\u0009out,err=proc.communicate()\u000a\u0009\u0009\u0009exc=TimeoutExpired(proc.args,timeout=cargs['timeout'],output=out)\u000a\u0009\u0009\u0009exc.stderr=err\u000a\u0009\u0009\u0009raise exc\u000a\u0009\u0009ret=proc.returncode\u000a\u0009except Exception as e:\u000a\u0009\u0009exc_type,exc_value,tb=sys.exc_info()\u000a\u0009\u0009exc_lines=traceback.format_exception(exc_type,exc_value,tb)\u000a\u0009\u0009trace=str(cmd)+'\n'+''.join(exc_lines)\u000a\u0009\u0009ex=e.__class__.__name__\u000a\u0009tmp=[ret,out,err,ex,trace]\u000a\u0009obj=base64.b64encode(cPickle.dumps(tmp))\u000a\u0009sys.stdout.write(obj.decode())\u000a\u0009sys.stdout.write('\n')\u000a\u0009sys.stdout.flush()\u000awhile 1:\u000a\u0009try:\u000a\u0009\u0009run()\u000a\u0009except KeyboardInterrupt:\u000a\u0009\u0009break\u000a"

Resource

win10v2004-20230915-en

windows10-2004-x64

6 signatures

150 seconds

General

Target

http://"c:\program files\python35\python.exe" -c "#! /usr/bin/env python\u000a# encoding: utf-8\u000a# WARNING! Do not edit! https://waf.io/book/index.html#_obtaining_the_waf_file\u000a\u000aimport os,sys,traceback,base64,signal\u000atry:\u000a\u0009import cPickle\u000aexcept ImportError:\u000a\u0009import pickle as cPickle\u000atry:\u000a\u0009import subprocess32 as subprocess\u000aexcept ImportError:\u000a\u0009import subprocess\u000atry:\u000a\u0009TimeoutExpired=subprocess.TimeoutExpired\u000aexcept AttributeError:\u000a\u0009class TimeoutExpired(Exception):\u000a\u0009\u0009pass\u000adef run():\u000a\u0009txt=sys.stdin.readline().strip()\u000a\u0009if not txt:\u000a\u0009\u0009sys.exit(1)\u000a\u0009[cmd,kwargs,cargs]=cPickle.loads(base64.b64decode(txt))\u000a\u0009cargs=cargs or{}\u000a\u0009if not'close_fds'in kwargs:\u000a\u0009\u0009kwargs['close_fds']=False\u000a\u0009ret=1\u000a\u0009out,err,ex,trace=(None,None,None,None)\u000a\u0009try:\u000a\u0009\u0009proc=subprocess.Popen(cmd,**kwargs)\u000a\u0009\u0009try:\u000a\u0009\u0009\u0009out,err=proc.communicate(**cargs)\u000a\u0009\u0009except TimeoutExpired:\u000a\u0009\u0009\u0009if kwargs.get('start_new_session')and hasattr(os,'killpg'):\u000a\u0009\u0009\u0009\u0009os.killpg(proc.pid,signal.SIGKILL)\u000a\u0009\u0009\u0009else:\u000a\u0009\u0009\u0009\u0009proc.kill()\u000a\u0009\u0009\u0009out,err=proc.communicate()\u000a\u0009\u0009\u0009exc=TimeoutExpired(proc.args,timeout=cargs['timeout'],output=out)\u000a\u0009\u0009\u0009exc.stderr=err\u000a\u0009\u0009\u0009raise exc\u000a\u0009\u0009ret=proc.returncode\u000a\u0009except Exception as e:\u000a\u0009\u0009exc_type,exc_value,tb=sys.exc_info()\u000a\u0009\u0009exc_lines=traceback.format_exception(exc_type,exc_value,tb)\u000a\u0009\u0009trace=str(cmd)+'\n'+''.join(exc_lines)\u000a\u0009\u0009ex=e.__class__.__name__\u000a\u0009tmp=[ret,out,err,ex,trace]\u000a\u0009obj=base64.b64encode(cPickle.dumps(tmp))\u000a\u0009sys.stdout.write(obj.decode())\u000a\u0009sys.stdout.write('\n')\u000a\u0009sys.stdout.flush()\u000awhile 1:\u000a\u0009try:\u000a\u0009\u0009run()\u000a\u0009except KeyboardInterrupt:\u000a\u0009\u0009break\u000a"

Sharing

General

Malware Config

Signatures

Files