Demonslay335 · January 16, 2023 14:49
diff --git a/globeimposter_config.py b/globeimposter_config.py
 """
 Extract GlobeImposter 2.0 Ransomware Config
 Author: @demonslay335
 """

 import os
 import sys
 import binascii
 import re
 import hashlib
 import pefile
 import argparse

 # https://github.com/bozhu/RC4-Python
 # RC4 key scheduling
 def KSA(key):
    keylength = len(key)

    S = range(256)

    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % keylength]) % 256
        S[i], S[j] = S[j], S[i]  # swap

    return S

 # RC4 pseudo-random generator algorithm
 def PRGA(S):
    i = 0
    j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  # swap

        K = S[(S[i] + S[j]) % 256]
        yield K

 # Use RC4 algorithm
 def RC4(key):
    S = KSA(key)
    return PRGA(S)

 # Decrypt using RC4
 def DecryptRC4(cipher, key):
 	# Generate RC4 keystream
 	keystream = RC4(key)
 	
 	# Plaintext
 	plaintext = ''
 	
 	# Decrypt with RC4
 	for c in cipher:
 		if isinstance(c, basestring):
 			x = ord(c) ^ keystream.next()
 		else:
 			x = c ^ keystream.next()
 		plaintext += chr(x)
 	
 	return plaintext

 # Convert string to integers
 def convert(s):
 	return [ord(c) for c in s]

 # Check for non-ASCII in string
 def ascii_only(s):
 	return all(ord(char) < 128 for char in s)

 # Decrypt given config
 def decrypt_config(config, config2, note, note2Part1, note2Part2, extra, key, key2):
 	
 	# Convert key and cipher to byte arrays
 	key = convert(key)	
 	key2 = convert(key2)
 	cipher = convert(config)
 	
 	# Test decrypt
 	testPlaintext = DecryptRC4(config, key)
 	
 	if not ascii_only(testPlaintext):
 		# Try secondary RC4 key
 		key = key2
 		print "[!] Primary RC4 key failed, switching to secondary RC4 key..."

 	configPlaintext = DecryptRC4(config, key)
 	config2Plaintext = DecryptRC4(config2, key)
 	notePlaintext = DecryptRC4(note, key)
 	note2Part1Plaintext = DecryptRC4(note2Part1, key)
 	note2Part2Plaintext = DecryptRC4(note2Part2, key)
 	
 	extraPlaintext = ''
 	note2Plaintext = ''
 	
 	if extra is not '':
 		extraPlaintext = DecryptRC4(extra, key)
 	
 	# Check extra is valid
 	if not isinstance(extraPlaintext, str):
 		extraPlaintext = ''
 	
 	# Note from resources may need decoded from widechar
 	try:
 		note2Plaintext = note2Part1Plaintext.decode('utf-16')
 	except:
 		pass
 	
 	try:
 		note2Plaintext += note2Part2Plaintext.decode('utf-16')
 	except:
 		pass
 	
 	# Split up the configs
 	config = configPlaintext.split(chr(0))
 	config2 = config2Plaintext.split(chr(0))
 	
 	# Check for valid decryption
 	if len(config) == 1:
 		print "[-] Error decrypting config"
 		config = ['0', '0']
 	
 	# Check config is valid
 	if not isinstance(config[0], str) or not isinstance(config[1], str):
 		print "[-] Error decrypting config"
 		config = ['0', '0']

 	# Check note is valid
 	if notePlaintext.find('<h') != -1:
 		note = notePlaintext
 	elif note2Plaintext.find('<h') != -1:
 		note = note2Plaintext
 	else:
 		print "[-] Error decrypting note"
 		note = ''
 	
 	# Determine which config the filename is in
 	if config[1] is not '' and ascii_only(config[1]):
 		filename = config[1]
 	elif config2[0] is not '' and ascii_only(config2[0]):
 		filename = config2[0]
 	else:
 		print "[-] Error decoding filename"
 		filename = ''
 	
 	# Extract any email addresses from the decrypted note
 	emails = re.findall(r'[\w\.-]+@[\w\.-]+', note)
 	
 	# Extract any bitcoin addresses from the decrypted note
 	bitcoins = re.findall(r'\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b', note)
 	
 	# Extract any bitmessage addresses from the decrypted note
 	bitmessages = re.findall(r'BM-[1-9a-km-zA-HJ-NP-Z]{32,34}', note)
 	
 	# Extract any Tor addresses from the decrypted note
 	tors = [t.replace('href="', '') for t in re.findall('(?:https?://)?(?:www)?(\S*?\.onion)', note, re.M | re.IGNORECASE)]
 	
 	# Return our config
 	return {
 		'extension': config[0],
 		'filename': filename,
 		'note': note,
 		'emails': set(emails),
 		'bitmessage': set(bitmessages),
 		'bitcoin': set(bitcoins),
 		'tor': set(tors),
 		'extra': extraPlaintext
 	}

 def load_file(path):
 	# Read the whole file
 	with open(path, 'rb') as f:
 		content = f.read()
 	return content

 def extract_config(path):
 	# Load file
 	exe = load_file(path)
 	
 	exeHex = binascii.hexlify(exe)
 	
 	# Extract key as string
 	m = re.search('([A-F0-9]){512}', exe)
 	
 	key = '0'
 	key2 = '0'
 	
 	# Check if we got a key this way
 	if m == None:
 		print "[-] Error extracting key"
 	else:
 		rsa = m.group(0)
 		# Only the first 0x14 bytes are used as the RC4 key
 		key = rsa[:0x14]
 		# Or a SHA256
 		key2 = hashlib.sha256(rsa).digest()
 		print "[+] Extracted RC4 key: %s" % key
 		print "[+] Extracted public RSA-%d key: %s" % (len(rsa) / 2 * 8, rsa)
 		print "[+] Secondary RC4 key: %s" % binascii.hexlify(key2).upper()

 	# Zero array used for filtering blank results
 	z = '0' * 68
 	
 	config = ''
 	
 	# Regex for known config patterns
 	config_patterns = [
 		'[0]{22}(([0-9a-f]{2}){34})([0]{28})',
 		'(([0-9a-f]{2}){74})([0]{12})'
 	]

 	# Iterate possible config patterns
 	for pattern in config_patterns:
 		
 		matches = re.finditer(pattern, exeHex)
 		
 		# Iterate matches
 		for m in matches:
 			# Ignore empty matches or mostly-zero matches
 			if m.group(1) != z and m.group(1).count('0') < 20:
 				config = m.group(1)
 				print "[+] Extracted encrypted config: %s" % config
 				break
 		
 		# Check for success with this pattern
 		if config is not '':
 			break
 	
 	# Check we got a config cipher at all
 	if config is '':
 		print "[-] Error extracting config"
 		return None

 	# Regex for known config2 patterns
 	config2_patterns = [
 		'[0]{14}(([0-9a-f]{2}){38})([0]{20})',
 		'[0]{4}(([0-9a-f]{2}){38})([0]{12})'
 	]

 	config2 = ''
 	
 	# Iterate possible config patterns
 	for pattern in config2_patterns:
 		
 		matches = re.finditer(pattern, exeHex)

 		# Iterate matches
 		for m in matches:
 			# Ignore empty matches or mostly-zero matches
 			if m.group(1) != z and m.group(1).count('0') < 20:
 				config2 = m.group(1)
 				print "[+] Extracted encrypted secondary config: %s" % config2
 				break
 		
 		# Check for success with this pattern
 		if config2 is not '':
 			break
 	
 	# Check we got a config2 cipher at all
 	if config2 is '':
 		print "[-] Error extracting secondary config"
 	
 	# Find potential ransom note cipher after the imports
 	offset = exe.find("CommandLineA")
 	
 	if offset == -1:
 		# Try again with another known import
 		offset = exe.find("RPCRT4.dll")
 		if offset == -1:
 			print "[-] Error extracting note"
 		else:
 			offset += len("RPCRT4.dll") + 2
 	else:
 		offset += len("CommandLineA") + 1
 	
 	endOffset = offset
 	
 	# Search for the end of the encrypted note
 	while not (ord(exe[endOffset]) == 0x00 and ord(exe[endOffset+1]) == 0x00 and ord(exe[endOffset+2]) == 0x00):
 		endOffset += 1
 	
 	note = exe[offset:endOffset+1]
 	
 	# Check we got a valid note
 	if note is '':
 		print "[-] Error extracting note"
 	else:
 		print "[+] Extracted encrypted note (%d bytes)" % len(note)
 	
 	# Extract a secondary note that could be in the resources
 	pe = pefile.PE(path)
 	
 	note2Part1 = ''
 	note2Part2 = ''
 	plaintextExtension = ''
 	plaintextFilename = ''
 	extra = ''
 	
 	offset = 0x0
 	size = 0x0
 	
 	# Iterate resources
 	if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
 		for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
 			# Iterate resource entries
 			for entry in rsrc.directory.entries:
 				# Get offset and size of the resource
 				offset = entry.directory.entries[0].data.struct.OffsetToData
 				size = entry.directory.entries[0].data.struct.Size
 				# Check for entry 101, some random extra data possibly of interest
 				if entry.id == 101:
 					extra = pe.get_memory_mapped_image()[offset:offset+size]
 					print "[+] Extracted extra data from resources: %s" % binascii.hexlify(extra)
 				# Check for entry 104, part 1 of note
 				if entry.id == 104:
 					note2Part1 = pe.get_memory_mapped_image()[offset:offset+size]
 					print "[+] Extracted part 1 of encrypted note from resources (%d bytes)" % len(note2Part1)
 				# Check for entry 105, part 2 of note
 				elif entry.id == 105:
 					note2Part2 = pe.get_memory_mapped_image()[offset:offset+size]
 					print "[+] Extracted part 2 of encrypted note from resources (%d bytes)" % len(note2Part2)
 				# Check for entry 106, public RSA key and RC4 key
 				elif entry.id == 106:
 					rsa = pe.get_memory_mapped_image()[offset:offset+size]
 					key = rsa[:0x14]
 					print "[+] Extracted RC4 key from resources: %s" % key
 					print "[+] Extracted public RSA-%d key: %s" % (len(rsa) / 2 * 8, rsa)
 				# Check for entry 110, plaintext extension
 				elif entry.id == 110:
 					plaintextExtension = pe.get_memory_mapped_image()[offset:offset+size]
 					print "[+] Extracted plaintext extension from resources"
 				# Check for entry 111, plaintext ransom note filename
 				elif entry.id == 111:
 					plaintextFilename = pe.get_memory_mapped_image()[offset:offset+size]
 					print "[+] Extracted plaintext ransom note filename from resources"

 	# Decrypted config
 	decrypted = decrypt_config(config.decode('hex'), config2.decode('hex'), note, note2Part1, note2Part2, extra, key, key2)
 	
 	# Check for successful decryption
 	if decrypted is not None:
 		ret = decrypted.copy()
 		
 		# Check for plaintext extension (from resources)
 		if plaintextExtension is not '':
 			# Overwrite
 			ret.update({'extension': plaintextExtension})
 		
 		# Check for plaintext ransom note filename (from resources)
 		if plaintextFilename is not '':
 			# Overwrite
 			ret.update({'filename': plaintextFilename})
 	
 	else:
 		return None
 	
 	return ret

 # Setup argument parts
 parser = argparse.ArgumentParser(description='Extract configuration from GlobeImposter 2.0 ransomware.')
 parser.add_argument('file', help='executable path')
 parser.add_argument('-n, --note', dest='note', help='output ransom note contents', action='store_true')
 parser.add_argument('-s, --save_note', dest='save_note', help='save ransom note contents to file', action='store_true')

 # Parse arguments
 args = parser.parse_args()

 # Extract config for given binary
 config = extract_config(args.file)

 # Check for success
 if config == None:
 	print "\n[-] Error decrypting config"
 else:
 	# Output config data
 	print (
 		"\n[+] Extension: %s"
 		"\n[+] Ransom Note Filename: %s"
 		% (config['extension'], config['filename'])
 	)
 	
 	# Output extra data if applicable
 	if config['extra'] is not '':
 		print "[+] Extra data: %s" % config['extra']
 	
 	# Output emails, etc.
 	for e in config['emails']:
 		print "[+] Email Address: %s" % e
 	for b in config['bitmessage']:
 		print "[+] BitMessage: %s" % b
 	for b in config['bitcoin']:
 		print "[+] Bitcoin: %s" % b
 	for t in config['tor']:
 		print "[+] Tor: %s" % t
 	
 	# Check for saving the note
 	if args.save_note:
 		note_path = os.path.join(os.path.dirname(args.file), config['filename'] + ' - ' + os.path.basename(args.file))
 		with open(note_path, 'wb') as f:
 			f.write(config['note'])
 		print "[+] Wrote ransom note contents to: %s" % note_path
 	# Or outputting it
 	elif args.note:
 		print "[+] Note:\n%s" % config['note'].encode(sys.stdout.encoding, errors='replace')
	"""
	Extract GlobeImposter 2.0 Ransomware Config
	Author: @demonslay335
	"""

	import os
	import sys
	import binascii
	import re
	import hashlib
	import pefile
	import argparse

	# https://github.com/bozhu/RC4-Python
	# RC4 key scheduling
	def KSA(key):
	keylength = len(key)

	S = range(256)

	j = 0
	for i in range(256):
	j = (j + S[i] + key[i % keylength]) % 256
	S[i], S[j] = S[j], S[i] # swap

	return S

	# RC4 pseudo-random generator algorithm
	def PRGA(S):
	i = 0
	j = 0
	while True:
	i = (i + 1) % 256
	j = (j + S[i]) % 256
	S[i], S[j] = S[j], S[i] # swap

	K = S[(S[i] + S[j]) % 256]
	yield K

	# Use RC4 algorithm
	def RC4(key):
	S = KSA(key)
	return PRGA(S)

	# Decrypt using RC4
	def DecryptRC4(cipher, key):
	# Generate RC4 keystream
	keystream = RC4(key)

	# Plaintext
	plaintext = ''

	# Decrypt with RC4
	for c in cipher:
	if isinstance(c, basestring):
	x = ord(c) ^ keystream.next()
	else:
	x = c ^ keystream.next()
	plaintext += chr(x)

	return plaintext

	# Convert string to integers
	def convert(s):
	return [ord(c) for c in s]

	# Check for non-ASCII in string
	def ascii_only(s):
	return all(ord(char) < 128 for char in s)

	# Decrypt given config
	def decrypt_config(config, config2, note, note2Part1, note2Part2, extra, key, key2):

	# Convert key and cipher to byte arrays
	key = convert(key)
	key2 = convert(key2)
	cipher = convert(config)

	# Test decrypt
	testPlaintext = DecryptRC4(config, key)

	if not ascii_only(testPlaintext):
	# Try secondary RC4 key
	key = key2
	print "[!] Primary RC4 key failed, switching to secondary RC4 key..."

	configPlaintext = DecryptRC4(config, key)
	config2Plaintext = DecryptRC4(config2, key)
	notePlaintext = DecryptRC4(note, key)
	note2Part1Plaintext = DecryptRC4(note2Part1, key)
	note2Part2Plaintext = DecryptRC4(note2Part2, key)

	extraPlaintext = ''
	note2Plaintext = ''

	if extra is not '':
	extraPlaintext = DecryptRC4(extra, key)

	# Check extra is valid
	if not isinstance(extraPlaintext, str):
	extraPlaintext = ''

	# Note from resources may need decoded from widechar
	try:
	note2Plaintext = note2Part1Plaintext.decode('utf-16')
	except:
	pass

	try:
	note2Plaintext += note2Part2Plaintext.decode('utf-16')
	except:
	pass

	# Split up the configs
	config = configPlaintext.split(chr(0))
	config2 = config2Plaintext.split(chr(0))

	# Check for valid decryption
	if len(config) == 1:
	print "[-] Error decrypting config"
	config = ['0', '0']

	# Check config is valid
	if not isinstance(config[0], str) or not isinstance(config[1], str):
	print "[-] Error decrypting config"
	config = ['0', '0']

	# Check note is valid
	if notePlaintext.find('<h') != -1:
	note = notePlaintext
	elif note2Plaintext.find('<h') != -1:
	note = note2Plaintext
	else:
	print "[-] Error decrypting note"
	note = ''

	# Determine which config the filename is in
	if config[1] is not '' and ascii_only(config[1]):
	filename = config[1]
	elif config2[0] is not '' and ascii_only(config2[0]):
	filename = config2[0]
	else:
	print "[-] Error decoding filename"
	filename = ''

	# Extract any email addresses from the decrypted note
	emails = re.findall(r'[\w\.-]+@[\w\.-]+', note)

	# Extract any bitcoin addresses from the decrypted note
	bitcoins = re.findall(r'\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b', note)

	# Extract any bitmessage addresses from the decrypted note
	bitmessages = re.findall(r'BM-[1-9a-km-zA-HJ-NP-Z]{32,34}', note)

	# Extract any Tor addresses from the decrypted note
	tors = [t.replace('href="', '') for t in re.findall('(?:https?://)?(?:www)?(\S*?\.onion)', note, re.M \| re.IGNORECASE)]

	# Return our config
	return {
	'extension': config[0],
	'filename': filename,
	'note': note,
	'emails': set(emails),
	'bitmessage': set(bitmessages),
	'bitcoin': set(bitcoins),
	'tor': set(tors),
	'extra': extraPlaintext
	}

	def load_file(path):
	# Read the whole file
	with open(path, 'rb') as f:
	content = f.read()
	return content

	def extract_config(path):
	# Load file
	exe = load_file(path)

	exeHex = binascii.hexlify(exe)

	# Extract key as string
	m = re.search('([A-F0-9]){512}', exe)

	key = '0'
	key2 = '0'

	# Check if we got a key this way
	if m == None:
	print "[-] Error extracting key"
	else:
	rsa = m.group(0)
	# Only the first 0x14 bytes are used as the RC4 key
	key = rsa[:0x14]
	# Or a SHA256
	key2 = hashlib.sha256(rsa).digest()
	print "[+] Extracted RC4 key: %s" % key
	print "[+] Extracted public RSA-%d key: %s" % (len(rsa) / 2 * 8, rsa)
	print "[+] Secondary RC4 key: %s" % binascii.hexlify(key2).upper()

	# Zero array used for filtering blank results
	z = '0' * 68

	config = ''

	# Regex for known config patterns
	config_patterns = [
	'[0]{22}(([0-9a-f]{2}){34})([0]{28})',
	'(([0-9a-f]{2}){74})([0]{12})'
	]

	# Iterate possible config patterns
	for pattern in config_patterns:

	matches = re.finditer(pattern, exeHex)

	# Iterate matches
	for m in matches:
	# Ignore empty matches or mostly-zero matches
	if m.group(1) != z and m.group(1).count('0') < 20:
	config = m.group(1)
	print "[+] Extracted encrypted config: %s" % config
	break

	# Check for success with this pattern
	if config is not '':
	break

	# Check we got a config cipher at all
	if config is '':
	print "[-] Error extracting config"
	return None

	# Regex for known config2 patterns
	config2_patterns = [
	'[0]{14}(([0-9a-f]{2}){38})([0]{20})',
	'[0]{4}(([0-9a-f]{2}){38})([0]{12})'
	]

	config2 = ''

	# Iterate possible config patterns
	for pattern in config2_patterns:

	matches = re.finditer(pattern, exeHex)

	# Iterate matches
	for m in matches:
	# Ignore empty matches or mostly-zero matches
	if m.group(1) != z and m.group(1).count('0') < 20:
	config2 = m.group(1)
	print "[+] Extracted encrypted secondary config: %s" % config2
	break

	# Check for success with this pattern
	if config2 is not '':
	break

	# Check we got a config2 cipher at all
	if config2 is '':
	print "[-] Error extracting secondary config"

	# Find potential ransom note cipher after the imports
	offset = exe.find("CommandLineA")

	if offset == -1:
	# Try again with another known import
	offset = exe.find("RPCRT4.dll")
	if offset == -1:
	print "[-] Error extracting note"
	else:
	offset += len("RPCRT4.dll") + 2
	else:
	offset += len("CommandLineA") + 1

	endOffset = offset

	# Search for the end of the encrypted note
	while not (ord(exe[endOffset]) == 0x00 and ord(exe[endOffset+1]) == 0x00 and ord(exe[endOffset+2]) == 0x00):
	endOffset += 1

	note = exe[offset:endOffset+1]

	# Check we got a valid note
	if note is '':
	print "[-] Error extracting note"
	else:
	print "[+] Extracted encrypted note (%d bytes)" % len(note)

	# Extract a secondary note that could be in the resources
	pe = pefile.PE(path)

	note2Part1 = ''
	note2Part2 = ''
	plaintextExtension = ''
	plaintextFilename = ''
	extra = ''

	offset = 0x0
	size = 0x0

	# Iterate resources
	if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
	for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
	# Iterate resource entries
	for entry in rsrc.directory.entries:
	# Get offset and size of the resource
	offset = entry.directory.entries[0].data.struct.OffsetToData
	size = entry.directory.entries[0].data.struct.Size
	# Check for entry 101, some random extra data possibly of interest
	if entry.id == 101:
	extra = pe.get_memory_mapped_image()[offset:offset+size]
	print "[+] Extracted extra data from resources: %s" % binascii.hexlify(extra)
	# Check for entry 104, part 1 of note
	if entry.id == 104:
	note2Part1 = pe.get_memory_mapped_image()[offset:offset+size]
	print "[+] Extracted part 1 of encrypted note from resources (%d bytes)" % len(note2Part1)
	# Check for entry 105, part 2 of note
	elif entry.id == 105:
	note2Part2 = pe.get_memory_mapped_image()[offset:offset+size]
	print "[+] Extracted part 2 of encrypted note from resources (%d bytes)" % len(note2Part2)
	# Check for entry 106, public RSA key and RC4 key
	elif entry.id == 106:
	rsa = pe.get_memory_mapped_image()[offset:offset+size]
	key = rsa[:0x14]
	print "[+] Extracted RC4 key from resources: %s" % key
	print "[+] Extracted public RSA-%d key: %s" % (len(rsa) / 2 * 8, rsa)
	# Check for entry 110, plaintext extension
	elif entry.id == 110:
	plaintextExtension = pe.get_memory_mapped_image()[offset:offset+size]
	print "[+] Extracted plaintext extension from resources"
	# Check for entry 111, plaintext ransom note filename
	elif entry.id == 111:
	plaintextFilename = pe.get_memory_mapped_image()[offset:offset+size]
	print "[+] Extracted plaintext ransom note filename from resources"

	# Decrypted config
	decrypted = decrypt_config(config.decode('hex'), config2.decode('hex'), note, note2Part1, note2Part2, extra, key, key2)

	# Check for successful decryption
	if decrypted is not None:
	ret = decrypted.copy()

	# Check for plaintext extension (from resources)
	if plaintextExtension is not '':
	# Overwrite
	ret.update({'extension': plaintextExtension})

	# Check for plaintext ransom note filename (from resources)
	if plaintextFilename is not '':
	# Overwrite
	ret.update({'filename': plaintextFilename})

	else:
	return None

	return ret

	# Setup argument parts
	parser = argparse.ArgumentParser(description='Extract configuration from GlobeImposter 2.0 ransomware.')
	parser.add_argument('file', help='executable path')
	parser.add_argument('-n, --note', dest='note', help='output ransom note contents', action='store_true')
	parser.add_argument('-s, --save_note', dest='save_note', help='save ransom note contents to file', action='store_true')

	# Parse arguments
	args = parser.parse_args()

	# Extract config for given binary
	config = extract_config(args.file)

	# Check for success
	if config == None:
	print "\n[-] Error decrypting config"
	else:
	# Output config data
	print (
	"\n[+] Extension: %s"
	"\n[+] Ransom Note Filename: %s"
	% (config['extension'], config['filename'])
	)

	# Output extra data if applicable
	if config['extra'] is not '':
	print "[+] Extra data: %s" % config['extra']

	# Output emails, etc.
	for e in config['emails']:
	print "[+] Email Address: %s" % e
	for b in config['bitmessage']:
	print "[+] BitMessage: %s" % b
	for b in config['bitcoin']:
	print "[+] Bitcoin: %s" % b
	for t in config['tor']:
	print "[+] Tor: %s" % t

	# Check for saving the note
	if args.save_note:
	note_path = os.path.join(os.path.dirname(args.file), config['filename'] + ' - ' + os.path.basename(args.file))
	with open(note_path, 'wb') as f:
	f.write(config['note'])
	print "[+] Wrote ransom note contents to: %s" % note_path
	# Or outputting it
	elif args.note:
	print "[+] Note:\n%s" % config['note'].encode(sys.stdout.encoding, errors='replace')