Pupy is yet another open-source RAT/C2 framework.
Pupy is a cross-platform, multi-function RAT and post-exploitation tool mainly written in Python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote Python code, Python packages and Python C-extensions from memory.
https://github.com/n1nj4sec/pupy
I have encountered this used at attack/defend CTFs. This rule finds these implants.
rule pupy
{
    meta:
        description = "https://github.com/n1nj4sec/pupy"
    strings:
        $a = "pupy.error"
        $b = "get_pupy_config"
    condition:
        all of them
}
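Added example, not part of the original post or the Pupy project: since Pupy runs in memory, the rule's two strings are worth checking in process memory as well as in files. The Python below applies the same "all of them" condition to any byte stream and to a live process. The function names are hypothetical, and `scan_pid` assumes Linux `/proc` and enough privilege to read the target's memory.

```python
import re

# The two strings from the rule above; "all of them" means both must be present.
RULE_STRINGS = (b"pupy.error", b"get_pupy_config")
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ")

def find_strings(stream, limit=None, chunk_size=1 << 20):
    """Return the set of rule strings seen in up to `limit` bytes of stream."""
    overlap = max(map(len, RULE_STRINGS)) - 1  # keeps matches that straddle chunks
    found, tail, remaining = set(), b"", limit
    while remaining is None or remaining > 0:
        n = chunk_size if remaining is None else min(chunk_size, remaining)
        chunk = stream.read(n)
        if not chunk:
            break
        if remaining is not None:
            remaining -= len(chunk)
        window = tail + chunk
        found.update(s for s in RULE_STRINGS if s in window)
        tail = window[-overlap:]
    return found

def rule_matches(found):
    """Same condition as the YARA rule: every string was found."""
    return set(RULE_STRINGS) <= set(found)

def scan_pid(pid):
    """Assumes Linux: scan readable mappings of a process via /proc/<pid>/mem."""
    found = set()
    with open(f"/proc/{pid}/maps") as maps, \
         open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for line in maps:
            m = MAPS_LINE.match(line)
            if not m or not m.group(3).startswith("r"):
                continue
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            try:
                mem.seek(start)
                found |= find_strings(mem, limit=end - start)
            except (OSError, ValueError, OverflowError):
                continue  # region not readable, e.g. [vvar] or [vsyscall]
    return rule_matches(found)
```

Do not point `scan_pid` at the scanner's own process: `RULE_STRINGS` sits in its memory and will match.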