OP 23 March, 2024 - 03:39 PM
(This post was last modified: 25 April, 2024 - 03:11 AM by angelbanker. Edited 2 times in total.)
Roosevelt Clipper is the most advanced project for intercepting cryptocurrency transactions by replacing the cryptocurrency address in the clipboard, using regex (regular expression) comparison of wallet patterns.
Roosevelt Clipper has innovative binder functions to combine your files (all extensions).
Functions of binder:
Implementation paths
1) Temp
2) AppData
3) UserProfile
4) AllUserprofile
5) Public
6) ProgramData
7) LocalAppdata
8) WinDir
9) System32
10) Current
11) Desktop
12) Startup
13) ProgramFiles
You can also use custom injection into any folder using the UAC bypass functions.
Kill bots (malware from the list by code; kills by PID or by mutex).
Skip virtual environments: VMware, VirtualBox, Hyper-V, sandboxes, etc.
Cryptocurrencies that can be intercepted by Roosevelt Clipper:
Bitcoin Wallet
Ethereum Wallet
USDT TRC20 Wallet
Dogecoin Wallet
Litecoin Wallet
Dashcoin Wallet
XMR Monero Wallet
TRX Tron Wallet
Polygon Wallet
Tezos Wallet
Algorand Wallet
Bloktopia Wallet
Tether USD Wallet
Zcash Wallet
Cardano Wallet
Ripple Wallet
Telegram notification:
The Telegram logging code sets certain parameters on ServicePointManager; these parameters control the behavior of network requests.
In the clipper code you will see that this parameter controls the 100-continue header.
Next, the code uses WebClient to make HTTP requests to external servers (ip.com and the Telegram API). ip.com is needed for logging: it shows the IP of the infected device in the logs.
Finally, the code uses the Telegram Bot API to send the logs.
UAC Bypass:
BinaryPath - a string variable containing the path to the executable file.
CMSTP.exe - a Windows system file.
The Code method returns a string representing the contents of the INF configuration file. This file is used to set certain parameters on the system.
SetInfFile(pp) is an external method that generates the INF file settings string based on the input parameter pp of the CMSTP.exe bypass manipulator.
The code uses variables such as flag.
The flag variable is set to True if the cmstp.exe file does not exist in the specified path (BinaryPath). This is checked with File.Exists(BinaryPath).
If flag and flag2 are both True, then False is returned.
This means that if the cmstp.exe file does not exist, the program terminates execution and returns False.
HM headers that return TRUE after running cmstp.exe with certain permissions help to bypass UAC.
Handle list (Type, Name, Handle):
ALPC Port, \RPC Control\OLE31ACF9C482CE75BB159742E48E36, 0x410
Desktop, \Default, 0x12c
Directory, \KnownDlls, 0x34
Directory, \Sessions\2\BaseNamedObjects, 0x50
Event, \KernelObjects\LowMemoryCondition, 0x1ec
Event, \BaseNamedObjects\CPFATE_13284_v4.0.30319, 0x2cc
Event, \KernelObjects\MaximumCommitCondition, 0x3a0
File, C:\Users\i-s00n\Desktop, 0x40
File, \Device\KsecDD, 0xbc
File, \Device\CNG, 0x294
File, \Device\KsecDD, 0x318
File, C:\Windows\System32\en-US\propsys.dll.mui, 0x3c8
File, C:\Windows\Fonts\StaticCache.dat, 0x3e8
File, \Device\DeviceApi, 0x408
Key, HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions, 0x68
Key, HKCU, 0xe0
Key, HKLM\SYSTEM\ControlSet001\Control\Session Manager, 0x10c
Key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, 0x110
Key, HKLM\SOFTWARE\Microsoft\.NETFramework, 0x138
Key, HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids, 0x214
Key, HKLM, 0x218
Key, HKLM\SOFTWARE\Microsoft\Ole, 0x21c
Key, HKCU\Software\Classes\Local Settings\Software\Microsoft, 0x224
Key, HKCU\Software\Classes\Local Settings, 0x228
Key, HKLM\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default, 0x2e8
Key, HKLM, 0x308
Key, HKCU\Software\Classes, 0x390
Key, HKCU\Software\Classes, 0x398
Key, HKCU\Software\Classes, 0x3b0
Key, HKCU\Software\Classes, 0x3b4
Key, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, 0x3d0
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag, 0x3d4
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag, 0x3d8
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag, 0x3e4
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag, 0x3f0
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag, 0x3f4
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag, 0x3f8
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PropertyBag, 0x414
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PropertyBag, 0x424
Key, HKLM\SOFTWARE\Microsoft\WindowsRuntime, 0x430
Key, HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId, 0x44c
Key, HKLM\SOFTWARE\Microsoft\WindowsRuntime\Server, 0x454
Key, HKCU\SOFTWARE\Microsoft\Internet Explorer\Main, 0x494
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, 0x498
Key, HKCU\SOFTWARE\Microsoft\Internet Explorer\Security, 0x49c
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\Security, 0x4a0
Key, HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, 0x4a4
Key, HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, 0x4a8
Key, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, 0x4ac
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, 0x4b0
Key, HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl, 0x4b4
Key, HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl, 0x4b8
Key, HKLM\SOFTWARE\Policies, 0x4bc
Key, HKCU\SOFTWARE\Policies, 0x4c0
Key, HKCU\SOFTWARE, 0x4c4
Key, HKLM\SOFTWARE, 0x4c8
Key, HKLM\SOFTWARE\WOW6432Node, 0x4cc
Key, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, 0x4d0
Key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, 0x4d4
Key, HKU, 0x530
Key, HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion, 0x534
Mutant, \Sessions\2\BaseNamedObjects\SM0:13284:304:WilStaging_02, 0x48
Mutant, \Sessions\2\BaseNamedObjects\WCYm5Lu17el9Khdg9, 0x2f4
Mutant, \Sessions\2\BaseNamedObjects\SM0:13284:120:WilError_03, 0x350
Mutant, \Sessions\2\BaseNamedObjects\ZonesCacheCounterMutex, 0x4f0
Mutant, \Sessions\2\BaseNamedObjects\ZonesLockedCacheCounterMutex, 0x4f4
Section, \BaseNamedObjects\Cor_Private_IPCBlock_v4_13284, 0x15c
Section, \...\Cor_SxSPublic_IPCBlock, 0x164
Section, \Sessions\2\BaseNamedObjects\windows_shell_global_counters, 0x35c
Section, \BaseNamedObjects\__ComCatalogCache__, 0x394
Section, \BaseNamedObjects\__ComCatalogCache__, 0x3a4
Section, \Sessions\2\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro, 0x3b8
Section, \Sessions\2\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db, 0x3bc
Section, \Sessions\2\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro, 0x3c0
Section, \Sessions\2\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db, 0x3c4
Section, \BaseNamedObjects\windows_shell_global_counters, 0x3dc
Section, C:\Windows\Fonts\StaticCache.dat, 0x3ec
Section, \Sessions\2\BaseNamedObjects\UrlZonesSM_i-s00n, 0x4e8
Section, \Windows\Theme1019497007, 0x538
Section, \Sessions\2\Windows\Theme2501936404, 0x554
Semaphore, \Sessions\2\BaseNamedObjects\SM0:13284:304:WilStaging_02_p0, 0x54
Semaphore, \Sessions\2\BaseNamedObjects\SM0:13284:304:WilStaging_02_p0h, 0x58
Semaphore, \Sessions\2\BaseNamedObjects\SM0:13284:120:WilError_03_p0, 0x354
Semaphore, \Sessions\2\BaseNamedObjects\SM0:13284:120:WilError_03_p0h, 0x358
Thread, 2.exe (13284): 6628, 0x188
Thread, 2.exe (13284): 4868, 0x18c
Thread, 2.exe (13284): 15888, 0x210
Thread, 2.exe (13284): 15888, 0x2ac
Thread, 2.exe (13284): 6628, 0x2f0
Thread, 2.exe (13284): 8684, 0x43c
Thread, 2.exe (13284): 6628, 0x558
Thread, 2.exe (13284): 3292, 0x5a8
(msgbox: UAC bypassed)
WindowStation, \Sessions\2\Windows\WindowStations\WinSta0, 0x128
WindowStation, \Sessions\2\Windows\WindowStations\WinSta0, 0x130
An abandoned thread that will no longer be updated: https://cracked.io/Thread-1-Roosevelt-Cl...ce-code-VB
Download link: https://mega.nz/file/UKNWhZbT
Mega key: UP4naYvrrLUtHrcSx14KghhVBsmsJJrHWtDEegfnf94
Password for 7z: RooseveltRow
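The post above describes three behaviours a defender can key on: cmstp.exe being handed an INF file from a user-writable location (the UAC bypass), the binder dropping its payload into the Startup folder, and an arbitrary process talking to the Telegram Bot API for logging. The following is an added detection example written for this page; it is not code from the post or from the clipper itself. The events are constructed, and the simplified Sysmon-like field names (image, cmdline, parent, dest_host) are an assumption of the example rather than a real log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry in a simplified Sysmon-like shape (field names
# are an assumption for this example). Events 1, 3 and 4 model the behaviour
# described in the post; events 2 and 5 are benign look-alikes that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /au C:\Users\alice\AppData\Local\Temp\tmp3F1.inf",
     "parent": r"C:\Users\alice\Downloads\invoice.exe"},
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s /ni C:\Program Files\Corp VPN\corpvpn.inf",
     "parent": r"C:\Program Files\Corp VPN\setup.exe"},
    {"event": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
     "cmdline": "svchost.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "NetworkConnect",
     "image": r"C:\Users\Public\update.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
    {"event": "NetworkConnect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
]

# Directories an unprivileged user can write to. A legitimate cmstp.exe
# profile install reads its INF from a vendor directory, not from one of these.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.I)
# The per-user Startup folder, one of the drop locations listed in the post.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Processes for which a connection to the Telegram API is expected (assumed allowlist).
TELEGRAM_OK = re.compile(r"\\(Telegram\.exe|firefox\.exe|chrome\.exe|msedge\.exe)$", re.I)


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def check_process(ev: Dict[str, str]) -> Optional[Alert]:
    """Rules for process-creation events."""
    image, cmdline = ev["image"], ev.get("cmdline", "")
    # cmstp.exe loading an INF from a user-writable path: the INF-driven
    # auto-elevation pattern the post calls its UAC bypass.
    if (image.lower().endswith("\\cmstp.exe") and ".inf" in cmdline.lower()
            and USER_WRITABLE.search(cmdline)):
        return Alert("cmstp_inf_user_writable", image,
                     f"INF from user-writable path, parent={ev.get('parent')}: {cmdline}")
    # Anything executing out of the Startup folder deserves a look.
    if STARTUP_DIR.search(image):
        return Alert("exec_from_startup_folder", image,
                     "binary launched from the Startup folder")
    return None


def check_network(ev: Dict[str, str]) -> Optional[Alert]:
    """Rules for network-connection events."""
    host = ev.get("dest_host", "").lower()
    if host.endswith("telegram.org") and not TELEGRAM_OK.search(ev["image"]):
        return Alert("telegram_api_from_unexpected_process", ev["image"],
                     f"connection to {host}:{ev.get('dest_port')}")
    return None


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every rule over the event stream and collect the hits in order."""
    alerts: List[Alert] = []
    for ev in events:
        hit = None
        if ev["event"] == "ProcessCreate":
            hit = check_process(ev)
        elif ev["event"] == "NetworkConnect":
            hit = check_network(ev)
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.detail}")
```

On a real host the same rules map onto Sysmon Event ID 1 (Image, CommandLine, ParentImage) and Event ID 3 (Image, DestinationHostname); the allowlist for the Telegram rule should be tuned to whatever clients are actually deployed, and the cmstp rule is deliberately narrow so that vendor VPN profile installs from Program Files do not fire.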