
Vulpes

Vulpes is a Command & Control Framework with a Python Backend, and a C++ Implant. The Implant is designed to be as evasive as possible, whilst providing as much utility as possible.

Table of Contents

Key Features

Demo

TBC.

Command List

| # | Name | Description |
|---|------|-------------|
| 1 | cat | Using stdlib, read the contents of the file and return the data (or the exception). |
| 2 | download | The stdlib will be used to read the bytes from disk. |
| 3 | executeassembly | Host a .NET CLR in the current process, execute the assembly, and then cleanly exit. |
| 4 | getdrivers | Enumerate all the system drivers. |
| 5 | getenv | Parse the environment variables from the PEB structure. |
| 6 | getexports | Enumerate all the exports in a given DLL. |
| 7 | gethandles | Enumerate all the handles for a process. |
| 8 | getmodules | Using the WINAPI, list the modules loaded by a process. If a PID is passed, the data is filtered. |
| 9 | getregions | Enumerate all the memory regions in a process. |
| 10 | getsystem | Pass in a PID of a SYSTEM process. The access token is cloned and set on the executing thread. |
| 11 | getthreads | Using the WINAPI, list the threads used by a process. If a PID is passed, the data is filtered. |
| 12 | hostname | Return GetComputerName(). |
| 13 | huntrwx | Using the NtQueryVirtualMemory syscall, identify RWX regions. |
| 14 | inject | Using the configured method, inject a stageless implant into the target process. |
| 15 | injectbin | Using the configured method, inject the specified shellcode into the target process. |
| 16 | injectrdll | Inject a reflective DLL into a process. Setting the PID to 0 will self-inject. The injection is done via the method configured in the server configuration file. |
| 17 | loaddll | Using LoadLibraryA, load a DLL from disk. |
| 18 | ls | Use FindFirstFile and FindNextFile to cycle through either a user-specified directory or the current directory. |
| 19 | modulegrep | Using the WINAPI, list the processes on the host and enumerate their loaded modules. |
| 20 | procgrep | Using the WINAPI, list the processes on the host and filter by name. |
| 21 | ps | Using the WINAPI, list the processes on the host. If a PID is passed, the data is filtered. |
| 22 | pwd | Extract the current path from the PEB. |
| 23 | setpriv | Using the WINAPI, set or remove a privilege. |
| 24 | spawn | Using the configured method, inject a stageless implant into a newly created process. |
| 25 | upload | The stdlib will be used to write the bytes to disk. |
| 26 | whoami | Return GetComputerName()\GetUsername() (e.g. CONTOSO\Administrator). |