Skip to content

Latest commit

 

History

History
193 lines (112 loc) · 5.71 KB

modules.md

File metadata and controls

193 lines (112 loc) · 5.71 KB

Modules

  • See below for each modules documentation
  • To get to modules right click a call back and you will see the following options
Surveillance
Remote Shell
Remote Screen
Remote Camera
Remote Regedit
File Manager
Process Manager
Netstat
Record
Program Notifications (Start | Stop)

Remote Shell

  • Exactly what it sounds like
  • Click on the module wait for below to appear
Microsoft Windows [Version 10.0.20348.1787]
(c) Microsoft Corporation. All rights reserved.
  • This is a cmd.exe prompt not a powershell prompt!
  • Use the white bar at the bottom to execute commands

Remote Screen

  • Also exactly what it sounds like

  • View the remote screen of the remote system

  • It can take a second to load, please be patient.

  • Screen sharing can be controlled (off/on) with the Start button at the top left

  • Option to View only or control the remote machine via your mouse and keyboard

  • To turn either on press the respective button at the top

  • Can also take auto screenshots with the Camera button also at the top

    • By default it will capture the screen every ~3 seconds
    • IMO that is far too fast, I am working on tuning it to roughly every 30 seconds to drop the amount of network traffic that is required with the screenshots.

Remote Camera

  • View the remote systems webcam
  • Requires loading RemoteCamera.dll into memory which will happen automatically
  • If no camera if found the pop up will exit automatically

Remote Regedit

  • Remotely view the registry in addition to creation of new keys or modification of existing keys

  • To create a new key click on Edit at the top and follow the prompts
  • It is nearly identical to the normal Regedit program on Windows

File Manager

  • File manager for remote upload, download, compressing and general file manager options
  • Just point and click
  • To move up a directory after traversing down the file system ensure you Right Click --> Back
    • That took me longer to figure out than I care to admit pubically

  • When you download a file a ClientsFolder will get created, you can find your exfil'ed file there
DcRat\Binaries\Debug\ClientsFolder\1427F5A9B444217138E1 #String is client id

Process Manager

  • Exactly like it sounds
  • View running process
  • Right Click to Refresh or Kill a specific process
  • Refreshes pulls a up to date process list
  • It is better opsec to not constantly upload as that can greatly increate the amount of network traffic

Netstat

  • Exactly like it sounds
  • View network connection on the remote host
  • Right Click and select Refresh or Kill
  • Selecting Kill attempts to kill the process creating that network connection

Record

  • Record the audio off the remote systems microphone

  • If the remote system has no microphone you will get an error in the logs

  • Requires the Audio.dll file to be automatically loaded onto the remote systems memory

Program Notification

  • Alert the operator when a specific remote process is launched on the system
  • Defaults to Uplay,QQ,Chrome,Edge,Word,Excel,PowerPoint,Epic,Steam
  • Currently changed to:
Chrome,Edge,Firefox,Word,Excel,PowerPoint,Task Manager

Control
Send File --> From URL Send File to Disk Send File to Memory
Run Shellcode
Message Box
Chat
Visit Website
Change Wallpaper
Keylogger
File Search

Send File

Run Shellcode

MessageBox

Chat

Visit Website

Change Wallpaper

Keylogger

File Search

Malware
DDOS
Ransomware --> Encrypt Decrypt
Disable WD
Password Recovery
Disable UAC

DDOS

Ransomware

Disable WD

Password Recovery

Disable UAC

-- All modules not currently listed yet