Kaseya Community

Basic Combofix Malware Script

  • wget.zip
    With all the javascript PDF exploits hitting the net right now, I thought I would share my basic combofix.exe script. It's not as polished as most but it works well. Client interaction is necessary to complete this script since the EULA for combofix must be accepted. NOTE: Combofix is a serious program and can smoke your windows installation. Use with caution or RTFM Smile
    Script Name: S8 - Execute Combofix.exe
    Script Description: Deploys WGET.exe to the agentdir\combofix folder. Script executes WGET to download the newest version of combofix.exe from the bleepingcomputer site. Next, the shell command executes combofix.exe. Client interaction is necessary to agree to license terms of combofix.

    IF True
    THEN
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : machid
    OS Type : 0
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : temp
    OS Type : 0
    Write File
    Parameter 1 : #temp#\combofix\wget.exe
    Parameter 2 : VSASharedFiles\wget.exe
    OS Type : 0
    Execute Shell Command
    Parameter 1 : del "#temp#\combofix\combofix.*"
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#temp#\combofix\wget.exe" http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : start #temp#\combofix\combofix.exe
    Parameter 2 : 0
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Combofix has ran on #machid#
    OS Type : 0
    ELSE

    Legacy Forum Name: Basic Combofix Malware Script,
    Legacy Posted By Username: Mac
  • Some quick tips here for your script.

    You can use Get URL in place of downloading and using wget. You can also skip the get temp variable and use a built-in view to download it straight to the agent temp directory.

    Example:
    IF True
    THEN
    Get URL
    Parameter 1 : http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Parameter 2 : #vAgentConfiguration.agentTempDir#\Combofix.exe
    Parameter 3 : 2
    OS Type : 0
    ELSE
    Also, I would rename combofix.exe to something else like CMBFX.exe BEFORE running it as some malware out there will prevent anything named combofix.exe from even starting.

    You can see all the database views in the help file here. All sorts of neato things are in there, including the machine ID (skip step 1).

    -----

    For everyone else: don't schedule a combofix script to run without you watching it. It will seriously confuse any user on the other end. At this time, the only way to automate the whole thing would be to use something like AutoIT to click the buttons for you and then close the log after the reboot. If someone scripts up an AutoIT script for it, you can make this script much more advanced (grabbing the log and uploading it to the kserver, parsing the log for alerts, etc.)

    Smile

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: CeruleanBlue
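    A stand-alone PowerShell rendering of the procedure from both posts (download straight into the agent temp directory, rename the binary before it runs, refuse to run unattended, write a log entry), added here as an example; it is not from either post and not Kaseya's own procedure format. The temp directory, the machine ID source, the renamed file name CMBFX.exe and the log file name are assumptions.

```powershell
# Added example (not from the thread or from Kaseya): PowerShell rendering of the
# Combofix procedure discussed above, with the thread's tips folded in.
# Assumptions: $AgentTempDir stands in for #vAgentConfiguration.agentTempDir#,
# $MachineId for #machid#, and 'CMBFX.exe' is the renamed copy suggested above.
param(
    [string]$AgentTempDir = (Join-Path $env:TEMP 'combofix'),
    [string]$MachineId    = $env:COMPUTERNAME
)
$ErrorActionPreference = 'Stop'

$Url  = 'http://download.bleepingcomputer.com/sUBs/ComboFix.exe'
$Dest = Join-Path $AgentTempDir 'CMBFX.exe'          # renamed before it ever runs
$Log  = Join-Path $AgentTempDir 'combofix-runs.log'  # stands in for the script log entry

# Combofix needs someone at the console to accept the EULA and watch the run,
# so refuse to proceed in a non-interactive session rather than confuse the user.
if (-not [Environment]::UserInteractive) {
    throw 'Combofix must be run in an interactive session with an operator watching.'
}

New-Item -ItemType Directory -Path $AgentTempDir -Force | Out-Null

# Same intent as the "del combofix.*" step: clear any stale copy under either name.
Get-ChildItem -Path (Join-Path $AgentTempDir '*') -Include 'combofix.*', 'CMBFX.exe' -ErrorAction SilentlyContinue |
    Remove-Item -Force

# Same as the Get URL / wget step, but written straight to the renamed file.
Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing

# Record exactly which build was fetched so the run can be reconstructed later.
$Sha256 = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash

# Same as "start ...combofix.exe": launch and return; Combofix handles its own reboot.
Start-Process -FilePath $Dest

$Entry = '{0:u} Combofix launched on {1} as {2} (SHA256 {3})' -f (Get-Date), $MachineId, $Dest, $Sha256
Add-Content -Path $Log -Value $Entry
Write-Output $Entry
```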
  • Far more elegant using the database view. I totally agree about not using combofix unattended. It needs a skilled hand to correct anything that might go wrong during the cleaning process. I have seen malware kill older versions of combofix so renaming the file might be a good thing. Older versions of combofix would not run if you changed the name, but I tested the latest version and you could change it to anything and it will still work. Thanks CeruleanBlue for cleaning that up for me. I wrote it out of necessity and with great haste.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Mac