[{"content":"","date":null,"permalink":"/tags/about/","section":"Tags","summary":"","title":"About"},{"content":" The not lame stuff # DEFCON SOC Goon DEFCON PHV volunteer DEFCON malware village presenter The lame stuff: # University student Rock climber ","date":"8 April 2026","permalink":"/about/","section":"DrGecko","summary":"Malware writeups, malware dev logs and other blogposts I deem cool","title":"About me"},{"content":"","date":null,"permalink":"/tags/blog/","section":"Tags","summary":"","title":"Blog"},{"content":"","date":null,"permalink":"/tags/drgecko/","section":"Tags","summary":"","title":"Drgecko"},{"content":"\nI cannot save you 15% or more on car insurance but I can cost you 100% of your cybersec budget.\n","date":null,"permalink":"/","section":"DrGecko","summary":"","title":"DrGecko"},{"content":"","date":null,"permalink":"/tags/me/","section":"Tags","summary":"","title":"Me"},{"content":"","date":null,"permalink":"/tags/personal/","section":"Tags","summary":"","title":"Personal"},{"content":"","date":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags"},{"content":"I write malware, reverse malware and do other weird things occasionally, here are my blogposts about it\n","date":null,"permalink":"/blog/","section":"Writeups, articles and blogs","summary":"Malware writeups, malware dev logs and other blogposts I deem cool","title":"Writeups, articles and blogs"},{"content":"","date":null,"permalink":"/tags/development/","section":"Tags","summary":"","title":"Development"},{"content":"","date":null,"permalink":"/tags/malware/","section":"Tags","summary":"","title":"Malware"},{"content":"","date":null,"permalink":"/tags/stardew/","section":"Tags","summary":"","title":"Stardew"},{"content":" What is Stardew Valley #Stardew Valley is a farming simulator in which you take over handling the farm from your deceased grandfather. 
The whole point of the game is to farm crops, upgrade your farm tools and buildings, and progress through the years.\nIntroduction #About six months ago, I had the idea of writing malware using only the Stardew Valley Modding API. I sat on that idea until a few weeks ago. That “one day project” turned into several weeks of writing malware, hours of testing, and documenting it in this article. This article will go through the malware and the process I took to write it.\nPlan & Goals #With my idea in mind, I wrote a test mod that pulled all environment variables on game startup and output them to the console. I then started up the game and it worked. Having proved the idea would work, I formed a plan: harvest credentials on startup and use the game as a C2 client.\nGoals:\nHarvest data\nExfiltrate data\nRun every time the game starts up\nConvert the mod into a C2\nThe Scythe #When planning what data I wanted to target, I decided to go for things I knew every Stardew player would have, such as browser, Steam, and basic system information. With my goals and targets set, I moved on to writing the Scythe and its methods.\nWriting the Scythe # Now that I had a plan and targets, I needed a place to exfiltrate data to. Keeping with the farming theme, I named the exfiltration folder Hayloft.\nI then wrote a method to exfiltrate data into the hayloft. The method checks whether a given path is an existing file or directory. If it’s a valid file, the Scythe copies it into the hayloft. If it’s a valid directory, the Scythe zips the directory and places the zip in the hayloft. Steam Harvesting #After making the hayloft, I moved on to harvesting Steam data. I wanted the authorization cookie and the user data folder. I used the Scythe_Harvest function I had just created to copy the user data folder and the cookies file. Browser Harvesting #Next, I made a method to harvest the browser data I wanted to target: history, cookies, and bookmarks. 
System Harvesting #Then, I made a method to harvest some basic system information, including internal IPs, MAC address, logged-in user, and OS version. After collecting all the information, the method combines it into one string and writes it to a file in the hayloft. Exfiltrating the Hayloft #Now that I had collected all the targeted data into the hayloft, I moved on to exfiltration. I wrote a function that compresses the hayloft into a zip file called haybale.zip in the temporary directory. The method then takes the haybale and uploads it to the collection endpoint.\nHooking into the event #Now that I had written all my methods, I needed a way to execute them without visually affecting gameplay. After looking through the Stardew Modding API reference for a while, I located the “GameLaunched” event. Hooking into this event allows me to execute all my Scythe methods on game launch without visually affecting gameplay. I wrote a method that runs all the methods I had just created, then used the Stardew Modding API to hook it into the GameLaunched event. With my methods created and my execution plan in place, this completes the Scythe, and I moved on to the CropControl.\nThe CropControl #While looking for an event to hook the Scythe into, I located the “OnTimeChange” event. I immediately knew I wanted to use that event to turn the game into a C2 client. After completing the Scythe, I got to work on the C2 client.\nThe Client #Before I could write the client, I had two problems I needed to work through. The first problem: how do I prevent a command from being run twice? My solution was to assign each command a unique token. The second problem: how do I send commands containing special characters and exfiltrate responses containing special characters? My solution was to Base64 encode and decode all commands and data. 
With those solutions in mind, I wrote two methods to Base64 encode and decode, and then I moved on to writing the method to execute commands.\nExecution of commands #I first wrote a method to execute a command and return its response. The method requires a command to run and the token associated with that command. The method first sets the “ctoken” environment variable to the new command token. It then Base64 decodes the command and executes it. Finally, the method captures the output and any errors and returns them as a single string.\nExfiltrating a response #With the command-execution method written, I needed a method to exfiltrate a response. I wrote a quick method that takes a string input and exfiltrates it to the C2 server.\nCombining and requesting new commands #Next, I wrote a final method to make a request to the C2 server, compare the tokens, and exfiltrate data. The method first makes a request to my C2 server, which responds with the current command and current token. The client checks whether the returned token is different from the current token stored in the environment variable. If they are different, the client moves on to execution. After execution, the client Base64 encodes the response and exfiltrates it. Hooking into the event #Finally, I hooked this method into the “OnTimeChange” event. I also updated the “OnGameLaunched” event to set the “ctoken” environment variable to “null” on startup.\nServer #With my client created, I needed a server it could talk to. I wrote four endpoints for the C2 and one endpoint to exfiltrate the hay bale from the Scythe. In my example, the server is a Python FastAPI web server.\nExfiltrating a hay bale #I first wrote the exfiltration endpoint for the collected hay bale. The endpoint takes the uploaded hay bale file and writes it to the pasture. The endpoint then logs that a hay bale was collected. 
Setting a command #Then I moved on to writing the endpoint to set a new C2 command. The endpoint takes a JSON POST request, reads the command key, and Base64 encodes it. The endpoint then assigns it a custom token, writes it to a file in the pasture to be accessed later, and logs that a new command was set. Reading a command #Next, I wrote the endpoint that serves the C2 command for the client to execute. The endpoint reads the file in the pasture, loads it into a JSON dictionary, logs that the client accessed the command, then returns the dictionary for the client to execute.\nExfiltrating a response #Finally, I wrote the endpoint to receive a command response. The endpoint takes a JSON body, Base64 decodes the data key, then prints the response. Conclusion #Starting with a dumb idea, this turned into a full project on learning how to write malware, how to write a C2, and how to disguise myself. It took weeks of testing, and if I never have to hear the Stardew music again, I will be at peace. I will slowly add some updates and bug fixes to the code and publish it on my GitHub if you would like to read through it.\n","date":"10 June 2024","permalink":"/blog/stardew_valley_c2/","section":"Writeups, articles and blogs","summary":"","title":"Stardew Valley C2"},{"content":"","date":null,"permalink":"/tags/writeup/","section":"Tags","summary":"","title":"Writeup"},{"content":"","date":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories"}]