https://github.com/rpgeeganage/file-less-ransomware-demo
Demonstrate about file-less malware approach using JavaScript
- Host: GitHub
- URL: https://github.com/rpgeeganage/file-less-ransomware-demo
- Owner: rpgeeganage
- Created: 2015-06-03T15:08:51.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2017-06-14T09:15:18.000Z (over 8 years ago)
- Last Synced: 2025-02-28T23:21:16.837Z (8 months ago)
- Topics: file-less, javascript, malware, ransom-worm, ransomware, ransomware-resources
- Language: JavaScript
- Homepage:
- Size: 44.9 KB
- Stars: 55
- Watchers: 4
- Forks: 24
- Open Issues: 0
Metadata Files:
- Readme: README.MD
README
# This is for educational purposes only.
## The purpose of this project is to demonstrate, for my review paper, a file-less malware approach using JavaScript.
### Link to the paper: [https://www.linkedin.com/pulse/survey-file-less-malware-approach-using-javascript-ruwan-geeganage](https://www.linkedin.com/pulse/survey-file-less-malware-approach-using-javascript-ruwan-geeganage)
### Third-party libraries used
1. RSA encryption library
2. Base64 decoding library
3. The command-line execution mechanism of Poweliks, used to launch the script from a registry value rather than from a file on disk.

## Encryption uses a 1024-bit RSA public key. (1024-bit RSA is well below the 2048-bit minimum recommended today; it is acceptable here only because this is a demonstration.)
### This is a PoC for a file-less malware approach with JavaScript.
#### It is ransomware.
##### The ransomware encrypts the first 23400 characters of every PDF, TXT, DOC, DOCX and XLS file inside the victim's Documents folder,
e.g. `C:\Users\Victim\Documents\`
### Registry entries created
- `Encryption Module` => `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\e`
- `FileReader Module` => `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\f`
- `Decoder Module` => `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\d`
- `Public Key` => `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\pk`
- `Triggering point` => `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fileLessRw`
##### The Encryption and File Reader modules are stored Base64-encoded.
### Execution flow
1. The commands in the triggering-point entry (the `Run` value) read the Decoder module from the registry and execute it.
2. The Decoder reads the File Reader module, decodes it and executes it.
3. The File Reader module reads the Encryption module and executes it against every file that satisfies the selection criteria.
4. The Encryption module reads the public key and uses it for encryption.
5. The Encryption module adds a header to each file so that an already-encrypted file is recognised and not encrypted again.

# `PAYLOAD.JS` contains all the code. Apart from that, no files are involved in or created by the malware.
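The persistence and storage pattern described in the registry-entry list and the execution flow above (a `Run` value that launches script straight from the registry, plus script modules and a key kept as values under `CurrentVersion`) is also what a defender hunts for. The following is an added example, not code from this repository or from the paper: a Node.js script that parses `reg query` output and flags (a) `Run` values whose command launches script from the command line or pulls a next stage out of the registry with `RegRead`, and (b) long opaque `REG_SZ` values under `CurrentVersion` such as the `e`, `f`, `d` and `pk` entries listed above. The `reg query` output is constructed so the script runs offline; the `fileLessRw` command in it is a hypothetical Poweliks-style launcher (the README does not show the PoC's actual command), and the `e`/`f`/`d`/`pk` data are stand-ins, not the project's modules or key. The terse-value-name check is specific to this PoC; the launcher-pattern and base64-blob checks are the general ones.

```javascript
// Added hunting example (not code from file-less-ransomware-demo).
// Parses `reg query` output and flags the README's persistence/storage pattern.
// Run: node hunt.js  (the sample input below is constructed, so it runs offline)

const RUN_KEY = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run';
const CV_KEY = 'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion';

// Base64-encode a string, the form the README says the Encryption and File Reader modules take.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Constructed `reg query HKCU\...\Run` output. The fileLessRw command is a hypothetical
// Poweliks-style launcher (rundll32 javascript: + RegRead); the PoC's real one is not in the README.
const SAMPLE_RUN = [
  RUN_KEY,
  '    OneDrive    REG_SZ    "C:\\Users\\Victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
  '    fileLessRw    REG_SZ    rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";' +
    'eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\d"))',
].join('\n');

// Constructed `reg query HKCU\...\CurrentVersion` output: two ordinary values that must not be
// flagged, plus stand-ins for the e / f / d / pk values (not the project's real modules or key).
const SAMPLE_CV = [
  CV_KEY,
  '    ProgramFilesDir    REG_SZ    C:\\Program Files',
  '    CommonFilesDir    REG_SZ    C:\\Program Files\\Common Files',
  '    e    REG_SZ    ' + b64('/* stand-in encryption module */ function enc(buf, pk) { return buf; } '.repeat(3)),
  '    f    REG_SZ    ' + b64('/* stand-in file reader */ var fso = new ActiveXObject("Scripting.FileSystemObject"); '.repeat(2)),
  '    d    REG_SZ    ' + '/* stand-in decoder, stored as plain script */ function decode(s) { return s; } '.repeat(2),
  '    pk    REG_SZ    ' + b64('stand-in for the 1024-bit RSA public key, not real key material '.repeat(3)),
].join('\n');

// Parse `reg query` text into {key, name, type, data} records. Key lines start at column 0;
// value lines are indented and separate name / type / data with runs of spaces.
function parseRegQuery(text) {
  const values = [];
  let key = null;
  for (const raw of text.split(/\r?\n/)) {
    if (!raw.trim()) continue;
    if (!/^\s/.test(raw)) { key = raw.trim(); continue; }
    const m = raw.trim().match(/^(\S+(?: \S+)*?)\s{2,}(REG_\w+)\s{2,}(.*)$/);
    if (m) values.push({ key, name: m[1], type: m[2], data: m[3] });
  }
  return values;
}

// Command-line shapes typical of script that is launched without a script file on disk.
const LAUNCHER_PATTERNS = [
  [/rundll32(\.exe)?\s+javascript:/i, 'rundll32 javascript: launcher'],
  [/mshtml,\s*RunHTMLApplication/i, 'Poweliks-style RunHTMLApplication'],
  [/mshta(\.exe)?\s+(javascript|vbscript):/i, 'mshta inline script'],
  [/\bRegRead\s*\(/i, 'next stage read back from the registry'],
  [/\beval\s*\(/i, 'dynamic eval of fetched code'],
];

// Flag Run values whose command matches any launcher pattern; returns [{key, name, reasons}].
function flagRunEntries(values) {
  const hits = [];
  for (const v of values) {
    const reasons = LAUNCHER_PATTERNS.filter(([re]) => re.test(v.data)).map(([, why]) => why);
    if (reasons.length) hits.push({ key: v.key, name: v.name, reasons });
  }
  return hits;
}

const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Flag long REG_SZ values that look like stored script modules: base64 blobs or raw script
// source. The terse-name check (e, f, d, pk) is specific to this PoC; the others are general.
function flagStoredModules(values) {
  const hits = [];
  for (const v of values) {
    if (v.type !== 'REG_SZ' || v.data.length < 128) continue; // ordinary path-style values are short
    const reasons = [];
    if (v.name.length <= 2) reasons.push('terse value name holding long data');
    if (B64_RE.test(v.data)) reasons.push('base64 blob');
    if (/\bfunction\b|ActiveXObject|WScript/.test(v.data)) reasons.push('script source in registry');
    if (reasons.length) hits.push({ key: v.key, name: v.name, length: v.data.length, reasons });
  }
  return hits;
}

// Run both checks over the two `reg query` dumps and return the findings.
function hunt(runText, cvText) {
  return {
    launchers: flagRunEntries(parseRegQuery(runText)),
    modules: flagStoredModules(parseRegQuery(cvText)),
  };
}

console.log(JSON.stringify(hunt(SAMPLE_RUN, SAMPLE_CV), null, 2));
```

On a live host, replace the constructed samples with the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion`; the launcher patterns are the part worth carrying into a detection rule, since the value names and paths of any real sample will differ from this PoC.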