Edit

Modules

  • See below for each modules documentation

  • To get to modules right click a call back and you will see the following options

Surveillance

Remote Shell

Remote Screen

Remote Camera

Remote Regedit

File Manager

Process Manager

Netstat

Record

Program Notifications (Start | Stop)

Remote Shell

  • Exactly what it sounds like

  • Click on the module wait for below to appear

Microsoft Windows [Version 10.0.20348.1787]
(c) Microsoft Corporation. All rights reserved.

  • This is a cmd.exe prompt not a powershell prompt!

  • Use the white bar at the bottom to execute commands

Remote Screen

  • Also exactly what it sounds like

  • View the remote screen of the remote system

  • It can take a second to load, please be patient.

  • Screen sharing can be controlled (off/on) with the Start button at the top left

  • Option to View only or control the remote machine via your mouse and keyboard

  • To turn either on press the respective button at the top

  • Can also take auto screenshots with the Camera button also at the top

    • By default it will capture the screen every ~3 seconds

    • IMO that is far too fast, I am working on tuning it to roughly every 30 seconds to drop the amount of network traffic that is required with the screenshots.

Remote Camera

  • View the remote systems webcam

  • Requires loading RemoteCamera.dll into memory which will happen automatically

  • If no camera if found the pop up will exit automatically

Remote Regedit

  • Remotely view the registry in addition to creation of new keys or modification of existing keys

  • To create a new key click on Edit at the top and follow the prompts

  • It is nearly identical to the normal Regedit program on Windows

File Manager

  • File manager for remote upload, download, compressing and general file manager options

  • Just point and click

  • To move up a directory after traversing down the file system ensure you Right Click --> Back

    • That took me longer to figure out than I care to admit pubically

  • When you download a file a ClientsFolder will get created, you can find your exfil'ed file there

DcRat\Binaries\Debug\ClientsFolder\1427F5A9B444217138E1 #String is client id

Process Manager

  • Exactly like it sounds

  • View running process

  • Right Click to Refresh or Kill a specific process

  • Refreshes pulls a up to date process list

  • It is better opsec to not constantly upload as that can greatly increate the amount of network traffic

Netstat

  • Exactly like it sounds

  • View network connection on the remote host

  • Right Click and select Refresh or Kill

  • Selecting Kill attempts to kill the process creating that network connection

Record

  • Record the audio off the remote systems microphone

  • If the remote system has no microphone you will get an error in the logs

  • Requires the Audio.dll file to be automatically loaded onto the remote systems memory

Program Notification

  • Alert the operator when a specific remote process is launched on the system

  • Defaults to Uplay,QQ,Chrome,Edge,Word,Excel,PowerPoint,Epic,Steam

  • Currently changed to:

Chrome,Edge,Firefox,Word,Excel,PowerPoint,Task Manager
Control

Send File -->

From URL

Send File to Disk

Send File to Memory

Run Shellcode

Message Box

Chat

Visit Website

Change Wallpaper

Keylogger

File Search

Send File

Run Shellcode

MessageBox

Chat

Visit Website

Change Wallpaper

Keylogger

File Search

Malware

DDOS

Ransomware -->

Encrypt

Decrypt

Disable WD

Password Recovery

Disable UAC

DDOS

Ransomware

Disable WD

Password Recovery

Disable UAC

-- All modules not currently listed yet

PreviousDcratNextBuilder

Last updated