README

This is only for Educational purposes.

The purpose of this particular development is to demonstrate in my review paper about the file-less malware approach using JavaScript.
Link to the paper: https://www.linkedin.com/pulse/survey-file-less-malware-approach-using-javascript-ruwan-geeganage

3rd party libraries used
- RSA encryption library
- Base 64 decoding library
- Command line execution mechanism of the Poweliks.

This uses the RSA 1024-bit public key for encryption.
This is a POC for a file-less malware approach with JavaScript.

This a Ransomware.
This ransomware will encrypt the first 23400 characters in PDF, TXT, DOC, DOCX, XLS inside the Document folder.
eg: C:\Users\Victim\Documents\

Registry entry creation:

Encryption Module => HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\e
FileReader Module => HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\f
Decoder Module => HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\d
Public Key => HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\pk
Triggering point => HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fileLessRw

The encryption and File Reader module is stored in Base 64 Encoded format.
Execution module
Commands in the triggering point entry will read the decoder module and execute it.
The decoder reads the File Reader module and decodes it then executes it.
The file reader module will read the encryption module and execute against all the files that satisfy the selection criteria.sd
The encryption module reads the Public key and uses it for encryption.
The encryption module adds a header to each file to identify any file which already been encrypted to avoid encryption again.
PAYLOAD.JS contains all the code. Other than that, there are no files involved or created by the malware.