Michael Gillespie Demonslay335

## QueryQNAPUpdate-PS2.ps1
# Ignore self-certs
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
$certCallback = @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    public class ServerCertificateValidationCallback
    {

## Sosemanuk.cs
// Adapted from https://www.seanet.com/~bugbee/crypto/sosemanuk/
public class Sosemanuk
{
  public Sosemanuk(byte[] key, byte[] iv)
  {
    BuildAlphas();
    SetKey(key);
    SetIV(iv);
  }

## gen_id.py
import zlib, sys

def get_id(mac):
	mac = int(mac, 16).to_bytes(6, 'big')
	return checksum(mac, True)

def checksum(input, compression=False):

	v3 = zlib.crc32(input, 0xDEADBEEF)
	v4 = zlib.crc32(input, v3)

## aplib.cs
using System.Collections.Generic;
using System.IO;

// https://github.com/snemes/aplib/blob/master/aplib.py
public class APLib
{
    protected uint Tag;
    protected int BitCount;

    protected uint GetBit(Stream source)

## FixProfile.bat
@ECHO OFF
SETLOCAL EnableDelayedExpansion

FOR /F "tokens=1,2 delims=#" %%A IN ('"prompt #$H#$E# & ECHO ON & FOR %%B IN (1) DO REM"') DO SET "DEL=%%A"

:: Elevation does not work in XP
VER | FIND /I "XP" > NUL
IF ERRORLEVEL 1 CALL :CHECK-ELEVATE

:: Process arguments

## blackmatter_checksum.py
import sys, struct, base64, argparse

def gen_id_from_guid(guid: str) -> str:
	checksum = checksum_string(guid + '\0')
	b64 = base64.b64encode(checksum.to_bytes(8, 'little'))[0:9]
	return b64.decode('utf-8').replace('+', 'x').replace('/', 'i').replace('=', 'z')

def gen_checksum_from_bytes(blob: str) -> str:
	blob = bytearray.fromhex(blob)
	return checksum(blob, len(blob))

## globeimposter_config.py
"""
Extract GlobeImposter 2.0 Ransomware Config
Author: @demonslay335
"""

import os
import sys
import binascii
import re
import hashlib

## dump.py
import os
import sys
import time
import winappdbg
import traceback


class MyEventHandler(winappdbg.EventHandler):

    last_alloc_memory = 0
	# Ignore self-certs
	if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
	{
	$certCallback = @"
	using System;
	using System.Net;
	using System.Net.Security;
	using System.Security.Cryptography.X509Certificates;
	public class ServerCertificateValidationCallback
	{
	// Adapted from https://www.seanet.com/~bugbee/crypto/sosemanuk/
	public class Sosemanuk
	{
	public Sosemanuk(byte[] key, byte[] iv)
	{
	BuildAlphas();
	SetKey(key);
	SetIV(iv);
	}
	import zlib, sys

	def get_id(mac):
	mac = int(mac, 16).to_bytes(6, 'big')
	return checksum(mac, True)

	def checksum(input, compression=False):

	v3 = zlib.crc32(input, 0xDEADBEEF)
	v4 = zlib.crc32(input, v3)
	using System.Collections.Generic;
	using System.IO;

	// https://github.com/snemes/aplib/blob/master/aplib.py
	public class APLib
	{
	protected uint Tag;
	protected int BitCount;

	protected uint GetBit(Stream source)
	@ECHO OFF
	SETLOCAL EnableDelayedExpansion

	FOR /F "tokens=1,2 delims=#" %%A IN ('"prompt #$H#$E# & ECHO ON & FOR %%B IN (1) DO REM"') DO SET "DEL=%%A"

	:: Elevation does not work in XP
	VER \| FIND /I "XP" > NUL
	IF ERRORLEVEL 1 CALL :CHECK-ELEVATE

	:: Process arguments
	import sys, struct, base64, argparse

	def gen_id_from_guid(guid: str) -> str:
	checksum = checksum_string(guid + '\0')
	b64 = base64.b64encode(checksum.to_bytes(8, 'little'))[0:9]
	return b64.decode('utf-8').replace('+', 'x').replace('/', 'i').replace('=', 'z')

	def gen_checksum_from_bytes(blob: str) -> str:
	blob = bytearray.fromhex(blob)
	return checksum(blob, len(blob))
	"""
	Extract GlobeImposter 2.0 Ransomware Config
	Author: @demonslay335
	"""

	import os
	import sys
	import binascii
	import re
	import hashlib
	import os
	import sys
	import time
	import winappdbg
	import traceback


	class MyEventHandler(winappdbg.EventHandler):

	last_alloc_memory = 0