This repository includes a Windows client application to send commands and work with the PIPEDANCE malware. PIPEDANCE is a named pipe malware that works in a point-to-point fashion with capabilities such as:
Testing Advice
This project should NOT be used in a production environment. This is for testing and performing research that interacts directly with malware. Any activity related to this project should be conducted inside an isolated network.
Each PIPEDANCE sample comes with a hardcoded string that serves as the pipe name and RC4 key for encryption/decryption. For our testing, we used the existing hard-coded string found in our sample.
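Because the hardcoded string is both the pipe name and the RC4 key, an analyst who has pulled that string from a sample can decrypt pipe traffic captured in the lab (from a pipe monitor or carved from a memory dump). The helper below is an added example written for this README, not code from the client or from the malware; it implements textbook RC4 and assumes the key bytes are the string's UTF-8/ANSI encoding, since the README does not state how the sample turns the string into key material. `PIPE_NAME_PLACEHOLDER` is a constructed stand-in for the real string.

```python
"""RC4 helper for decrypting captured PIPEDANCE pipe traffic.

Added example, not code from the PIPEDANCE client repository. It relies only
on what the README states: each sample's hardcoded string is both the pipe
name and the RC4 key. The byte encoding of that string (ANSI/UTF-8 versus
UTF-16LE) is not stated, so UTF-8 is assumed here; pipe_key() is the one
place to change if decryption yields garbage.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: XOR each input byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pipe_key(pipe_name: str) -> bytes:
    """Derive RC4 key bytes from the sample's hardcoded string (UTF-8 assumed)."""
    return pipe_name.encode("utf-8")


def decrypt_pipe_buffer(pipe_name: str, buf: bytes) -> bytes:
    """Decrypt one buffer read from the pipe or carved from memory."""
    return rc4(pipe_key(pipe_name), buf)


def encrypt_pipe_buffer(pipe_name: str, plaintext: bytes) -> bytes:
    """Inverse of decrypt_pipe_buffer; RC4 is symmetric, so it is the same call."""
    return rc4(pipe_key(pipe_name), plaintext)


# Constructed placeholder: substitute the hardcoded string from the sample under analysis.
PIPE_NAME_PLACEHOLDER = "EXAMPLE_PIPE_NAME"

if __name__ == "__main__":
    # Constructed demo buffer, not a capture from the real sample.
    captured = encrypt_pipe_buffer(PIPE_NAME_PLACEHOLDER, b"demo payload")
    print(captured.hex(), "->", decrypt_pipe_buffer(PIPE_NAME_PLACEHOLDER, captured))
```

The RC4 core is checked against the public test vector `rc4("Key", "Plaintext") = bbf316e8d940af0ad3`, so a wrong decryption points at the key encoding or at the captured bytes, not at the cipher.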
Build the files included in this repository with the provided CMakeLists.txt. The build produces the PIPEDANCE client, which is used to interact with the PIPEDANCE malware running on a separate machine.
On one endpoint (Endpoint A), run the provided PIPEDANCE malware sample from this link. Note that this is malware recovered from a real campaign; do not execute it outside a testing environment.
On the second endpoint (Endpoint B), run the client compiled in Step 1, passing the IP address or hostname of the machine running the PIPEDANCE malware (Endpoint A):
pipedance_client.exe 192.168.47.130
Follow the command prompts to use each function with its respective parameters. The table below lists the commands available in the PIPEDANCE client application and the arguments each one requires.
Command ID | Description | Arguments |
---|---|---|
0 | Stop PIPEDANCE client | |
1 | Terminate process by PID | PID (ex. 9867) |
2 | Run shell command and print output | Command (ex. ipconfig) |
4 | List files in current working directory | |
6 | Write file to disk | Filename (full path), file content |
7 | Get current working directory | |
8 | Change current working directory | Folder path |
9 | List running processes | |
23 | Create random process with hijacked token from provided PID and inject shellcode (32-bit) | PID (token hijack), shellcode |
24 | Create random process with hijacked token from provided PID and inject shellcode (64-bit) | PID (token hijack), shellcode |
25 | Open process from provided PID and inject shellcode (32-bit) | PID (thread hijack), shellcode |
26 | Open process from provided PID and inject shellcode (64-bit) | PID (thread hijack), shellcode |
71 | HTTP connectivity check | Domain (ex. google.com) |
72 | DNS connectivity check with provided DNS server IP | DNS server IP |
73 | ICMP connectivity check | ICMP server IP |
74 | TCP connectivity check | IP, port |
75 | DNS connectivity check without DNS server | |
99 | Disconnect pipe / exit thread | |
100 | Terminate PIPEDANCE process / disconnect pipe / exit thread | |
Hunting Query:
process.name:("makecab.exe" or "typeperf.exe" or "w32tm.exe" or "bootcfg.exe" or "diskperf.exe" or "esentutl.exe") and event.dataset: endpoint.events.network
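To check what this query catches before deploying it, the logic can be reproduced offline against exported endpoint events. The code below is an added example for this README, not part of the PIPEDANCE client: it evaluates the two clauses of the KQL query (process name in the listed set, dataset equal to `endpoint.events.network`) over ECS-style documents in either nested or flattened form. The sample events are constructed, not real telemetry; the `destination.*` fields are illustrative and are not used by the query.

```python
"""Evaluate the README's hunting query against endpoint events.

Added example for this README, not code from the PIPEDANCE client. It
reimplements the KQL hunting query in Python so the matching logic can be
exercised offline; field names are the ECS names used in the query and the
sample events below are constructed.
"""
from typing import Any, Dict, Iterable, List

# Process names from the hunting query above.
HUNT_PROCESS_NAMES = {
    "makecab.exe", "typeperf.exe", "w32tm.exe",
    "bootcfg.exe", "diskperf.exe", "esentutl.exe",
}
NETWORK_DATASET = "endpoint.events.network"


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Read an ECS field from a flattened ({'process.name': ...}) or
    nested ({'process': {'name': ...}}) document; None when absent."""
    if dotted in event:
        return event[dotted]
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_hunt(event: Dict[str, Any]) -> bool:
    """True when the event satisfies both clauses of the query."""
    name = get_field(event, "process.name")
    dataset = get_field(event, "event.dataset")
    return (
        isinstance(name, str)
        and name.lower() in HUNT_PROCESS_NAMES
        and dataset == NETWORK_DATASET
    )


def hunt(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events the hunting query would surface."""
    return [e for e in events if matches_hunt(e)]


# Constructed sample events (not real telemetry). Two should match: the
# network events from w32tm.exe and esentutl.exe. The makecab.exe event is
# a process event, not a network event, and chrome.exe is not in the list.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"process": {"name": "w32tm.exe", "pid": 4120},
     "event": {"dataset": "endpoint.events.network"},
     "destination": {"ip": "192.168.47.130", "port": 445}},
    {"process.name": "esentutl.exe", "process.pid": 5088,
     "event.dataset": "endpoint.events.network",
     "destination.ip": "192.168.47.130", "destination.port": 53},
    {"process.name": "makecab.exe", "process.pid": 3311,
     "event.dataset": "endpoint.events.process"},
    {"process.name": "chrome.exe", "process.pid": 7002,
     "event.dataset": "endpoint.events.network"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(get_field(hit, "process.name"), get_field(hit, "process.pid"))
```

The comparison lowercases `process.name` so that exported data with mixed casing is still matched; the KQL on the page compares the literal strings, so tighten the check if an exact reproduction of the query semantics is needed.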