Posts: 70 Threads: 0 Joined: N/A November 11, 2022 at 1:10 AM
Well, I have already done some RE of ransomwares, and I found their techniques are fun =)
- Different and customizable communication methods with C2, I guess (raw UDP, ICMP, HTTPS, DNS, etc.)
- Fast encryption of files by high-concurrency multithreading through asynchronous I/O operations (IOCP)
- Delete system shadow copies
ZOMBIE PROCESS:
1. Create a process using CreateProcess, passing in CREATE_SUSPENDED to create the target process in suspended mode
2. Call NtUnmapViewOfSection to unload the memory data of the target
3. Call VirtualAllocEx to request memory in the target process
4. Call WriteProcessMemory to write the shellcode to memory
5. Call GetThreadContext to get the CONTEXT of the target process
6. Call SetThreadContext to set the entry point
7. Call ResumeThread to resume the process and execute the shellcode
I am not sure whether you are already doing this; hope this can help anyway. CODE LIKE A WIND, bro.
(November 11, 2022, 01:02 AM)4br4x4s Wrote: I am unsure how useful this bit of information could be, but maybe try to stop people from popping up command lines to try to terminate your software. I like running FTP with Win + R and then using ! to execute commands on some corporate computers that I have the misfortune of having to use. (Let me play Tetris, dammit!) Considering few people in the general population are technically literate enough to pull this off, I do not know if this is worthwhile, but I guess it could be something useful for you to know?
Here are the different ways that people spawn CMD: https://www.howtogeek.com/235101/10-ways-to-open-the-command-prompt-in-windows-10/ Probably just stopping CMD from running altogether could work. Here is a source for different ways people can spawn shells in Windows: https://www.infosecmatter.com/19-ways-to-bypass-software-restrictions-and-spawn-a-shell/
If I am spewing out a bunch of nonsense, don't pay me any attention. I am still new in the field!
When users (victims) discover that their data has been encrypted, the CMD cannot help much actually; files are encrypted with AES or RSA, and nobody can decrypt them with only CMD and without the key, lol. Wait, talking about this, a ransomware called "Snatch" executes "bcdedit.exe /set {current} safeboot minimal" in order to boot into secure mode automatically. Then it registers itself as a service in secure mode, then encrypts, then ransoms. It's a really fun way because AVs can't be run under secure mode.
Posts: 56 Threads: 0 Joined: N/A November 11, 2022 at 7:25 AM
Advantage of your project vs other ransomwares?
Posts: 276 Threads: 0 Joined: N/A November 11, 2022 at 7:26 AM
(November 11, 2022, 07:25 AM)1neverending Wrote: Advantage of your project vs other ransomwares?
It's open source and fully customisable. It is not to replace but to act as a challenge for me. Something fun in the forum.
Posts: 56 Threads: 0 Joined: N/A November 11, 2022 at 7:30 AM
(November 11, 2022, 07:26 AM)IntelBroker Wrote: (November 11, 2022, 07:25 AM)1neverending Wrote: Advantage of your project vs other ransomwares? It's open source and fully customisable. It is not to replace but to act as a challenge for me. Something fun in the forum.
Nice. Good work, Sir. Can you brick the device? Such as more than files, the whole computer is locked unless payment is made?
Posts: 276 Threads: 0 Joined: N/A November 11, 2022 at 7:34 AM
(November 11, 2022, 07:30 AM)1neverending Wrote: (November 11, 2022, 07:26 AM)IntelBroker Wrote: (November 11, 2022, 07:25 AM)1neverending Wrote: Advantage of your project vs other ransomwares? It's open source and fully customisable. It is not to replace but to act as a challenge for me. Something fun in the forum.
Nice. Good work, Sir. Can you brick the device? Such as more than files, the whole computer is locked unless payment is made?
MBR destruction is working. Check the top of the thread to see what is done and not done.
Posts: 43 Threads: 0 Joined: N/A November 17, 2022 at 9:55 AM
(November 8, 2022, 01:07 AM)IntelBroker Wrote: Hello. I am looking to expand my service to the community and provide an effective method of generating money, as well as a learning experience for many. I am looking to start active development (on the side of my pre-existing project) on an open-source and fully customisable ransomware / wiper malware. If you have any wants and needs or suggestions for this, please comment below and the thread will be updated with the TODO. It will be developed in C++ and have documentation steps. The wiper is coded in C# for performance testing.
KEY: TO-DO
- implement MBR hijacking (customise destruction of MBR sector or n/a)
- setup check to see what sort of OS is being run
- implement web-interface for easy access and tracking of victims.
- implement customisable C&C server connections (retrieval of data for extortion)
- code initial wiper for standard wiping (currently it is separate program but in future i will make dropper for it)
- setup optional wiper dropper to prevent windows from restarting in safe-mode (add warning to readme.txt on victim device)
- implement AD AS network spreader (not important right now but will setup at later date)
- implement different architectures - x32 x64 x86_x64 (main distros - Linux, Windows XP - 11/10, mac (later))
- keep file size small
- easy file binding
- use AES-256 encryption over RSA 2048 encryption. (RSA 2048 has smaller bit security than AES-256)
- use invoke obfuscation by default
- forge software signature
- implement sandbox aware option (if in sandbox - run intended file-bound function e.g - pdf file etc)
- add whitelist and blacklist of "bad" and "good" programs to keep running (e.g - processhackers, wireshark, av software)
- setup optional feature "sleeper_agent" - waits set amount of time before activation - good for waiting for spread
- setup means of transportation of files / folders / data (TLS most likely because tor is slow)
- implemented worm feature (network spreader in progress but automatic mail spreader has been set up)
- disable internet when executed
- force UAC on execution
- create temp ransom note
- create GitHub page
For testing I recommend you use a VM. Sandbox-aware has not been set up yet, so test it out while you can! This will destroy your computer, so be careful. I have added a worm feature to the development stage to aid in spreading. It is limited to mail connections so far and will be expanded. HI SENTINEL LABS, MUTAHAR, AND ALL OTHERS!
Instead of making it destruction only, add in a ransom ability so that one can exfiltrate the data on the system, then wipe it, then restore it if the actor wants to. Also add a chatbox for communication between the victim and the hacker. Maybe add a custom message to be displayed.
Posts: 15 Threads: 0 Joined: N/A November 17, 2022 at 12:44 PM
(November 8, 2022, 01:07 AM)IntelBroker Wrote: Hello. I am looking to expand my service to the community and provide an effective method of generating money, as well as a learning experience for many. I am looking to start active development (on the side of my pre-existing project) on an open-source and fully customisable ransomware / wiper malware. If you have any wants and needs or suggestions for this, please comment below and the thread will be updated with the TODO. It will be developed in C++ and have documentation steps. The wiper is coded in C# for performance testing.
KEY: TO-DO
- implement MBR hijacking (customise destruction of MBR sector or n/a)
- setup check to see what sort of OS is being run
- implement web-interface for easy access and tracking of victims.
- implement customisable C&C server connections (retrieval of data for extortion)
- code initial wiper for standard wiping (currently it is separate program but in future i will make dropper for it)
- setup optional wiper dropper to prevent windows from restarting in safe-mode (add warning to readme.txt on victim device)
- implement AD AS network spreader (not important right now but will setup at later date)
- implement different architectures - x32 x64 x86_x64 (main distros - Linux, Windows XP - 11/10, mac (later))
- keep file size small
- easy file binding
- use AES-256 encryption over RSA 2048 encryption. (RSA 2048 has smaller bit security than AES-256)
- use invoke obfuscation by default
- forge software signature
- implement sandbox aware option (if in sandbox - run intended file-bound function e.g - pdf file etc)
- add whitelist and blacklist of "bad" and "good" programs to keep running (e.g - processhackers, wireshark, av software)
- setup optional feature "sleeper_agent" - waits set amount of time before activation - good for waiting for spread
- setup means of transportation of files / folders / data (TLS most likely because tor is slow)
- implemented worm feature (network spreader in progress but automatic mail spreader has been set up)
- disable internet when executed
- force UAC on execution
- create temp ransom note
- create GitHub page
For testing I recommend you use a VM. Sandbox-aware has not been set up yet, so test it out while you can! This will destroy your computer, so be careful. I have added a worm feature to the development stage to aid in spreading. It is limited to mail connections so far and will be expanded.
Anti-forensics & hypervisor detection
Posts: 13 Threads: 0 Joined: N/A November 18, 2022 at 1:04 AM
Great to see a thread about an actual development process in this section. Usually we only get hundreds of threads asking the same Stackoverflow-tier questions over and over again...
Posts: 22 Threads: 0 Joined: N/A November 18, 2022 at 3:27 AM
Thank you for also trying to document it, I can't read C++ well. Do you mind if I DM you questions on how to make malware in general? I'm trying to make my own but I'm a bit confused on some low-level terminologies.
Posts: 861 Threads: 0 Joined: N/A November 19, 2022 at 10:07 PM
MY RANSOMWARE IS BETTER BRO
I have quit due to abuse from mods. I will be back some day
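Two of the pre-encryption steps discussed in this thread, forcing a safe-mode boot with bcdedit (the Snatch behaviour quoted above) and deleting system shadow copies, leave distinctive process command lines. The following detector is an added example, not code from anyone in this thread: it runs two simple rules over constructed process-creation events and correlates both hits on the same host; the event field names, hostnames and timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed process-creation events (Sysmon EventID 1-like); field names and values are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2022-11-11T01:10:00+00:00", "host": "ws01", "user": "alice",
     "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"ts": "2022-11-11T01:10:02+00:00", "host": "ws01", "user": "alice",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-11-11T01:10:05+00:00", "host": "ws01", "user": "alice",
     "cmdline": "bcdedit /enum"},  # benign boot-config read, must not fire
    {"ts": "2022-11-11T01:10:07+00:00", "host": "ws02", "user": "bob",
     "cmdline": "notepad.exe readme.txt"},
]

RULES = [
    # Boot configuration switched to safe mode (the bcdedit trick quoted above).
    ("boot_config_safeboot", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    # Volume shadow copies removed, which takes away the easy local recovery path.
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

def match_event(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmdline"])]

def detect(events):
    """Run every rule over every event and return one alert dict per hit."""
    alerts = []
    for ev in events:
        for name in match_event(ev):
            alerts.append({"rule": name, "ts": ev["ts"], "host": ev["host"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts

def correlate(alerts, window_s=60):
    """Return hosts where both rules fired within window_s seconds: either command alone
    can be legitimate admin work, both in quick succession is the pre-encryption pattern."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = []
    for host, items in by_host.items():
        if {"boot_config_safeboot", "shadow_copy_deletion"} <= {a["rule"] for a in items}:
            times = [datetime.fromisoformat(a["ts"]) for a in items]
            if (max(times) - min(times)).total_seconds() <= window_s:
                flagged.append(host)
    return flagged
```

In a real pipeline the same rules would be fed from Windows 4688 or Sysmon process-creation telemetry, and the correlated host is the one to isolate and pull shadow-copy and boot-configuration state from first.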