Repository containing code from my YouTube malware course.

wrvthlss/malware-course-code

Fakey — Malware Behavior Simulation

Fakey is a benign Rust-based malware simulation designed to help defenders understand, observe, and practice detection of realistic attacker behavior in a controlled lab environment. Fakey simulates common offensive patterns such as file enumeration, privilege-target probing, and periodic command-and-control (C2) beaconing, while leaving minimal disk artifacts.

Fakey is not malware. It is a pedagogical tool for building defensive intuition and for practicing auditing techniques, host and network telemetry correlation, and threat response.

Project Overview

Modern malware blends into host environments, probes for valuable targets, and communicates with remote controllers in brief, low-volume bursts. Fakey reflects these patterns by:

  • Enumerating a configurable set of high-value targets
  • Logging attempts locally
  • Sending structured telemetry to a mock C2 server
  • Running in a loop with periodic beaconing

This project supports labs on Linux that teach:

  • File system misconceptions (hidden dotfiles)
  • Kernel vs userland visibility (/proc, auditd)
  • Network observation and beaconing detection
  • Capability-based detection (find -perm /111)
  • Limitations of signature tools (e.g., ClamAV)

Key Features

  • Simulated C2 beaconing over HTTP
  • Structured telemetry reporting (JSON)
  • High-value path enumeration
  • Feature-gated behaviors (via Cargo features)
  • Minimal disk artifacts, realistic beacon timing
  • Hooks for auditd rule correlation

Prerequisites

Make sure you have the following installed on your lab system:

  • Rust toolchain (rustc, cargo)
  • Mock C2 server (simple Python HTTP listener)
  • auditd for host syscall logging
  • ClamAV for signature scan experimentation
  • Typical Linux utilities: ls, ss, tcpdump, etc.

Installation & Build

Build the project using Cargo with feature flags:

# Build the “fake escalation” variant
cargo build --release --features "fake_escalation"

This produces a single optimized binary in:

target/release/malware-course-code

Deployment & Execution

Here’s a typical sequence for the lab:

mkdir -p ~/.config/.cache
mv target/release/malware-course-code ~/.config/.cache/.systemd-update
chmod +x ~/.config/.cache/.systemd-update
~/.config/.cache/.systemd-update &
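A defender-side companion to the deployment sequence above, added here as an example and not part of the Fakey repository: it applies the capability-based check the labs teach (find -perm /111) to locate executables hidden beneath dot-prefixed directories, the exact artifact pattern the sequence creates. It assumes GNU find on Linux; the function names and the constructed lab tree are mine.

```shell
#!/bin/sh
# Added example (not part of the Fakey repository). Hunts for executable files
# that live under hidden (dot-prefixed) paths, such as
# ~/.config/.cache/.systemd-update left behind by the lab deployment steps.
# -perm /111 matches any file with at least one execute bit set, whatever its
# name, which is why signature and name-based checks miss what this catches.

# Print every regular file with an execute bit whose path contains a hidden
# component. $1 is the directory tree to search (for the lab, $HOME).
find_hidden_executables() {
    root="$1"
    # -path '*/.*' matches any path component that begins with a dot.
    find "$root" -type f -perm /111 -path '*/.*' 2>/dev/null | sort
}

# Build a constructed lab tree in a temporary directory so the check can be
# exercised offline: one hidden executable (the Fakey deployment artifact),
# one hidden non-executable file, and one visible executable as controls.
make_lab_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/.config/.cache" "$tree/bin"
    printf '#!/bin/sh\n' > "$tree/.config/.cache/.systemd-update"
    chmod +x "$tree/.config/.cache/.systemd-update"
    printf 'name=lab\n' > "$tree/.config/.cache/settings"   # hidden, not executable
    printf '#!/bin/sh\n' > "$tree/bin/tool"                  # executable, not hidden
    chmod +x "$tree/bin/tool"
    echo "$tree"
}

# Lab usage: find_hidden_executables "$HOME"
# Only the hidden executable should be reported for the constructed tree.
```

Pair the output with an auditd watch on the reported paths and an ss or tcpdump capture to correlate the on-disk artifact with its periodic beacon traffic.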
