API tools faq
paste
Advertisement
FlyFar

EmoCrash.ps1

FlyFar
Jun 16th, 2023
1,211
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 2.07 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #UPDATE 2021 DEC 16TH. LOWERED TO TLP:WHITE
  2. #Thanks to @cryptolaemus
  3. https://twitter.com/Cryptolaemus1 and the various contributors of the Emotet Task Force/Working Group
  4. #Emotet Innoculation Script [Quinnoculation]
  5. # *** Must be run as Admin ****
  6. # Purpose: Emotet V5 Loader generates a value in SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ that it uses as an infection marker.
  7. # This value is set to the Victim's Volume Serial ID, and contains the dropped filename of V5's new filename generation algorithm.
  8. # Emotet looks for this key at startup. If it doesn't exist, it recreates it. If it does exist, Emotet reads that key into a buffer after decrypting it. There are not proper protections in place for the buffer.
  9. # This script overwrites that key with a new key that overflows the buffer, crashing the malware. It also generates an eventID.
  10. # Authors: James Quinn, Binary Defense
  11. # Grabs the VolumeSerialNumbers and sets a registry key in Explorer with type= REG_BINARY and a value too large for Emotet to handle, overwriting the destination buffer,
  12. #Which crashes emotet.
  13.  
  14.  
  15. function GenerateData{
  16. [byte[]]$string
  17. for ($i = 1;$i -lt 0x340;$i++){
  18. $hexNumber = $i % 10
  19.  
  20. $string += [byte[]]$hexNumber
  21. }
  22. $string += [byte[]](0x51,0x75,0x69,0x6e,0x6e,0x75,0x6e,0x69,0x7a,0x65,0x64)
  23. return $string
  24. }
  25. if (([IntPtr]::Size) -eq 8){
  26. $Akey = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer"
  27. $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"
  28. }
  29. else{
  30. $Akey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"
  31. $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"
  32.  
  33. }
  34.  
  35. $volumeSerialNumbers = Get-WmiObject Win32_logicaldisk | select-object -ExpandProperty volumeserialnumber
  36. foreach ($x in $volumeSerialNumbers){
  37.  
  38.  
  39.  
  40. Remove-ItemProperty -Path $AKey -Name $x
  41. Remove-ItemProperty -Path $key -Name $x
  42.  
  43. $data = GenerateData
  44. # Write-Output $data
  45. New-ItemProperty -Path $AKey -Name $x -Value ([byte[]]($data)) -PropertyType Binary
  46. New-ItemProperty -Path $key -Name $x -Value ([byte[]]($data)) -PropertyType Binary
  47.  
  48.  
  49. }
Tags: powershell
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!