hammadx05/windows-keylogger-c2-simulation

🧪 Malware Analysis Project (Keylogger + C2 Simulation)

⚠️ Disclaimer

This project is strictly for educational purposes only as part of the Fundamentals of Malware Analysis course.

It was developed and tested in a controlled lab environment (VM setup) to understand malware behavior, not for any real-world or malicious use.


📌 Overview

This project is a simple malware analysis simulation that includes:

  • Windows-based keylogger (victim machine)
  • Python-based C2 server (attacker machine - Kali Linux)
  • Trigger-based execution system
  • Persistence mechanism using Windows Registry
  • Keystroke logging + data exfiltration simulation

The idea is to understand how real malware behaves from both sides:

  • infected system (Windows VM)
  • attacker system (Kali Linux)

🧠 Project Architecture

🪟 Victim Side (Windows VM)

  • keylogger.exe
    • Captures keystrokes using Windows API hooks
    • Runs in stealth mode
    • Waits for a trigger before activation
    • Stores logs locally
    • Sends data to the C2 server after activation
    • Adds persistence via a registry Run key

🐧 Attacker Side (Kali Linux)

  • c2_server.py
    • HTTP-based command & control server
    • Receives keystrokes from the victim machine
    • Stores logs in:
      • .log file (human readable)
      • .json file (structured format)
    • Displays incoming data in real time


⚙️ Features

🔹 Keylogger (Windows)

  • Stealth execution (hidden window)
  • Windows API keyboard hooking
  • Trigger-based activation:
    • USB insertion
    • Calculator process detection
    • Ctrl + Alt + Esc hotkey
  • Registry persistence (Run key)
  • Buffered keystroke logging
  • HTTP communication to the C2 server


🔹 C2 Server (Kali Linux)

  • Simple HTTP server using Python
  • Receives POST requests from the victim
  • Stores data in two formats:
    • keystrokes.log
    • keystrokes.json
  • Web interface for viewing logs
  • Real-time terminal logging


🛠️ Setup Instructions

🐧 Step 1: Start C2 Server (Kali Linux)

Run the server:

python3 c2_server.py

The server listens on all interfaces:

http://0.0.0.0:8080

You can view:

  • Logs: http://localhost:8080/logs
  • JSON: http://localhost:8080/json

🪟 Step 2: Run Keylogger (Windows VM)

Compile command:

g++ -static -mwindows -std=c++11 -O2 keylogger.cpp -o keylogger.exe -luser32 -lgdi32 -lwininet -lpthread -ladvapi32

Run:

keylogger.exe

🔁 How It Works (Full Flow)

1. Idle State

  • The keylogger starts in dormant mode
  • No logging happens initially
  • It only monitors system activity for a trigger

2. Trigger Activation

Keylogger activates when ANY of these happen:

  • USB drive inserted
  • Calculator opened
  • Ctrl + Alt + Esc pressed

Once triggered:

  • Keyboard hook becomes active
  • Logging starts

3. Keylogging Phase

  • Captures all keystrokes
  • Stores them in a buffer
  • Writes them to: C:\Windows\Temp\system_log.dat

4. C2 Communication

After activation:

  • Logs are sent to the Kali server
  • The server receives POST requests at: http://<kali-ip>:8080/log
  • Data is stored in:
    • keystrokes.log
    • keystrokes.json

5. Persistence

  • Adds an entry to the Windows registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Ensures the program runs automatically at startup

📡 C2 Server Details (c2_server.py)

This script runs on Kali Linux and acts as the attacker control panel.

What it does:

  • Accepts incoming HTTP POST data
  • Extracts keystrokes
  • Saves logs with timestamps
  • Provides simple web UI to view logs

Endpoints:

  • / → Status page
  • /logs → Plain text logs
  • /json → Structured JSON logs
  • /log → Receives data from victim

🧪 Key Learning Outcomes

This project helps understand:

  • Windows API hooking
  • Malware persistence techniques
  • Trigger-based execution logic
  • Data exfiltration concepts
  • Basic command & control architecture
  • Victim vs attacker communication flow

🛡️ Defensive View

From a security perspective, this behavior can be detected via:

  • Suspicious registry Run entries (for example, commands pointing into a temp directory)
  • Keyboard hook detection
  • Hidden process execution
  • Unusual HTTP POST traffic (repeated posts to the same endpoint)
  • Log file creation in the temp directory
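As an added defensive example (not part of the project's code), the following Python script runs two of those checks over constructed sample data: Run-key values whose command points into a temp directory, and HTTP log lines showing one host repeatedly POSTing to the same /log endpoint on port 8080. The log line format, host addresses, paths and value names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample data standing in for what a defender would collect:
# (1) HKCU Run-key values exported from the Windows VM,
# (2) web-proxy log lines: "<timestamp> <src-ip> <method> <url> <status>".
RUN_KEY_VALUES = {
    "OneDrive": r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SystemUpdate": r"C:\Windows\Temp\svc_host.exe",   # constructed suspicious entry
}
HTTP_LOG = """\
2024-05-01T10:00:00Z 192.168.56.101 POST http://192.168.56.102:8080/log 200
2024-05-01T10:00:30Z 192.168.56.101 POST http://192.168.56.102:8080/log 200
2024-05-01T10:01:00Z 192.168.56.101 POST http://192.168.56.102:8080/log 200
2024-05-01T10:01:05Z 192.168.56.101 GET http://example.com/index.html 200
"""

# Directories a legitimate autostart entry rarely lives in (compared lowercase).
SUSPICIOUS_DIRS = (r"\windows\temp", r"\appdata\local\temp")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def suspicious_run_entries(values):
    """Return the names of Run-key values whose command lives in a temp directory."""
    hits = []
    for name, cmd in values.items():
        if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
            hits.append(name)
    return hits


def beaconing_posts(log_text, min_count=3):
    """Return (src_ip, url) pairs that POSTed to the same URL at least min_count times."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST":
            counts[(m.group(2), m.group(4))] += 1
    return [pair for pair, n in counts.items() if n >= min_count]


if __name__ == "__main__":
    print("Suspicious Run entries:", suspicious_run_entries(RUN_KEY_VALUES))
    print("Repeated POST destinations:", beaconing_posts(HTTP_LOG))
```

In a real investigation the same two functions would be fed the output of a registry export and the proxy or firewall log rather than the embedded samples.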

👨‍💻 Developer

  • Hammad

About

Windows keylogger built for malware analysis study, demonstrating keyboard hooking, persistence, trigger-based execution, and basic C2 communication in a controlled lab environment.
