telemetry.bat is the original code; it can be wrapped into setup.msi for covert execution. Currently startup.bat is harmless, but in principle it could be used to launch external code (e.g. by updating the telemetry code).
- Writes "spike.ps1" to the user's Startup directory.
- Calls "spike.ps1" to download "startup.bat" from the internet.
- Deletes "spike.ps1".
- startup.bat then executes at every user boot (items in the Startup folder run when the user logs on).
- Currently, startup.bat is harmless and only displays a loading animation.
- To poison this code, modify telemetry.bat to point at a different location that hosts malicious code.
- Wrap telemetry.bat into setup.exe or setup.msi and distribute it to the end user.
- Uses a simple Windows API call to create a batch file.
- The newly downloaded batch file is treated like user-created code, so the computer allows it to execute without resistance.
- Delete startup.bat from the Startup folder at "%LocalAppData%/../Roaming/Microsoft/Windows/Start Menu/Programs/Startup".
- Delete the .rat folder from "%temp%". This is a sample library folder for storing future executables; the script calls into it directly as "./%temp%/.rat/application.exe".
- Set the PowerShell execution policy to Restricted.
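The removal steps above as a defender-side PowerShell check, added here as an example and not part of this project: it lists scripts in the per-user Startup folder (the same location as the path given above, resolved via the Startup special folder), checks for the .rat staging folder (assumed to be %TEMP%\.rat), reports the execution policy, and only deletes when run with -Remove.

```powershell
# Added example: report (and optionally remove) the artifacts named in this README.
# Assumptions: the staging folder is %TEMP%\.rat and the dropped names are
# spike.ps1 / startup.bat. Without -Remove the script is read-only.
param(
    [switch]$Remove
)

# Same folder as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
$startupDir = [Environment]::GetFolderPath('Startup')
$ratDir     = Join-Path $env:TEMP '.rat'
$findings   = @()

# Anything in the Startup folder runs at every logon, so list every script
# there and mark the two names this README uses.
$startupItems = Get-ChildItem -Path $startupDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd', '.ps1', '.vbs', '.js' }
foreach ($item in $startupItems) {
    $reason = 'script in Startup folder'
    if ($item.Name -in 'spike.ps1', 'startup.bat') { $reason = 'README artifact' }
    $findings += [pscustomobject]@{ Path = $item.FullName; Reason = $reason }
}

if (Test-Path -LiteralPath $ratDir) {
    $findings += [pscustomobject]@{ Path = $ratDir; Reason = 'staging folder (.rat)' }
}

# The README's last step sets this to Restricted; show the current value.
$policy = Get-ExecutionPolicy -Scope CurrentUser
Write-Host "CurrentUser execution policy: $policy"

if ($findings.Count -eq 0) {
    Write-Host 'No matching artifacts found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # -Recurse is required for the .rat directory and harmless for files.
        Remove-Item -LiteralPath $f.Path -Recurse -Force
        Write-Host "Removed $($f.Path)"
    }
    if ($policy -ne 'Restricted') {
        Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Restricted -Force
    }
}
```

Run it once without -Remove to confirm the listed paths are really the dropped files before deleting anything.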