An in-depth look at a PyRation-family malware variant analyzed by StratosphereIPS, focusing on a Windows Python-based client–bot architecture and capabilities such as screen capture, keylogging, AV detection, anonymous browsing, and remote command execution. The study reconstructs the BotClient, server, and Botmaster components and details how data and commands flow through this three-part C2 setup, including decompilation of Python scripts into readable code. #PyRation #StratosphereIPS #BotClient #Botmaster #Windows #macOS
Key points
- The malware analyzed is a Python-based Windows PE variant of the PyRation family, with MD5 and SHA-256 hashes provided and the sample delivered in a ZIP archive.
- The authors reconstruct a three-part architecture: BotClient (on the target), a central Server (Command & Control), and a Botmaster to issue commands.
- Core capabilities include automated screenshot capture (every 10 minutes), a keylogger, antivirus software detection, anonymous browsing via proxy, remote command execution, and file management (download/write).
- Communication relies on Socket.IO for low-latency, bidirectional exchanges between client and server, and decompilation steps (pyinstxtractor, decompyle3) reveal the client’s Python scripts (e.g., main.py).
- AV detection relies on a Windows-only library that can detect 18 antivirus products; macOS adaptations check the OS and adjust behavior accordingly.
- The malware can use the host as a proxy for anonymous browsing and supports commands such as pulling files, saving new files, and executing command lines remotely.
- All discussed artifacts and code are publicly available in the StratosphereIPS GitHub repo (Malware-CC-Recovery), illustrating how the researchers reconstructed the BotClient, server, and Botmaster.
MITRE Techniques
- [T1113] Screen Capture – The malware takes and transmits screenshots from the client to the server. “One of the program’s three ‘core’ functions is to take and send screenshots from the client to the server.”
- [T1056.001] Input Capture – Keylogging via the pynput Listener object. “The last ‘core’ function of the malware involves the capability to record key presses… relies on the implementation of the pynput library’s Listener object.”
- [T1090] Proxy – Anonymous browsing by using the infected host to perform external requests. “The server sends parameters, including URL, method, headers, and payload, prompting the malware to execute the request from the infected system.”
- [T1059] Command and Scripting Interpreter – Remote command execution by receiving and executing command line commands. “The specific command is given by the server and then executed.”
- [T1105] Ingress Tool Transfer – File download and file creation/assembly from server commands (pull_file_http and save_file_from_socket). “First, the server sends the command ‘pull_file_http’… then the server sends the file to the malware” and “The server sends the message ‘save_file_from_socket’… then the bot saves the file on disk.”
- [T1518] Software Discovery – Antivirus detection in Windows environments (detects 18 antivirus products). “detects 18 different types of antiviruses.”
- [T1082] System Information Discovery – OS checks to determine Windows vs. macOS. “It checks that the OS is Windows (Figure 5).” and related OS checks for macOS adaptation.
Indicators of Compromise
- [Hash] MD5 – 67e77dcdbf046a0fd91a0bbb3e807831 – MD5 hash of the malware sample described in the article.
- [Hash] SHA256 – bba407734a2567c7e22e443ee5cc1b3a5780c9dd44c79b4a94d514449b0fd39a – SHA-256 hash of the malware sample described in the article.
- [File] original-malware.zip – ZIP container that was analyzed to obtain the sample.
- [File] bba407734 – extracted file recovered from the ZIP archive.
- [Directory] bba407734a_extracted – folder resulting from the extraction process.
- [URL] https://github.com/stratosphereips/Malware-CC-Recovery – public GitHub repository containing the discussed files.