IlluminatiFish

page_domain	drainer_configuration_domain	drainer_wallet_address	drainer_file_url	drainer_file_hash
metagirls.icu	beryeurverviug.shop	0x252166461CBe83cbe69D7baF9344a74E64F5BC3F	https://metagirls.icu/assets/web3-provider.js	07d1084b129749718a1a4fde33f276a046e575d285d30bb313e88cce2150d656
verify-collab.info	airdrop-alert.net	0xc45c2FC0Eae87263F4055c7838a93730eDabEBB6	https://airdrop-alerts.net/assets/web3-provider.js	8847744dfc114287eaa7edf4e28bc61d8472547e630d9ae1c719c5638c528e81
crytdgroup.com	register-sui.io	0x000812de2241aB594aE154060028F70F39DAE000	https://crytdgroup.com/assets/web3-provider.js	23a7b90a5c7eb8a461ba2dd70f5796a38d84aafcd0c2f8892da312bbfe2dbe9c
avaxloot.com	network.berynaof.online	0x9a9Cdb3747b2F280fd809f62A20AbC8256Ea650a	https://avaxloot.com/assets/web3-provider.js	0f104d024e9b4a3c815fa47662cc503027f086b0df6aafd8578af5e14c525f15
thetipcoin.fun	claims-service.net	0x000099fe5C0867Ddd4344a44cE730d438B6f0000	https://thetipcoin.fun/2aaf5c4a-a8f7-40da-aaf8-78e44425d676.js	2bc284bfc884c9b4e5a1b682e

Introduction

I was casually using my YouTube crawling bot (Kaelego) as I usually do to find new fake Hypixel Skyblock modifications that are present in YouTube video descriptions, when I stumbled upon this peculiar sample (Video: https://www.youtube.com/watch?v=akZl0ZajV-Y).

The channel from which the video was uploaded, "Tutpeter", has another video, uploaded July 23. The video shows a "duping mod", but the download links (MediaFire) showed that both files were uploaded from Germany on July 24 at 8:51 AM. Both files are also exactly the same size (756.3 KB). It is possible that the link was changed in the first video to a fresh link, with a new sample of tjx6.

The JAR file was very weird from the get go as neither Java decompilation software such as Recaf

	{
	"0x753536e5AAE0254558d26F8B34b90cE39ECe07b2": "DRAINER_00001",
	"0xede26742364289d24a3c17d11b293b09ff63db1c": "DRAINER_00002",
	"0x121446e4E694199C809585b7ECf64cAC385e108F": "DRAINER_00003",
	"0x0c0fD96c0E058E89cd81DFfF454c98B920b24B6F": "DRAINER_00004",
	"0x42c99e69C77a3083da981130628B51E56638B447": "DRAINER_00005",
	"0x31089bD92c78374125C69B83365827108337F96A": "DRAINER_00006",
	"0xC7819d29c30B23b04d509A7D3B35aA1DbFCF3DE4": "DRAINER_00007",
	"0x68098977199926b11127ccE67136992b7961FFe1": "DRAINER_00008",
	"0x07cC89444DDf587D94cc9e0d12C92F87cFC4c771": "DRAINER_00009",

	rule MALWARE_VIDEO {
	strings:
	$password = /(PASS\|PASSWORD)( )?(:\|-)?( )?[0-9A-Za-z]{3,10}/i
	$download = /(http\|https):\/\/(yt\.sv\|shorturl\.at\|clck\.ru\|sites\.google\.com\|bit\.ly\|bit\.do\|cutt\.ly\|mega\.nz\|(www\.)?mediafire\.com\|gg\.gg\|(www\.)?sendspace\.com\|t\.ly\|telegra\.ph\|split\.to\|actgames\.site\|goo\.su\|easyupload\.io)\/(.*)/i
	$keywords = /(crack\|hack\|cheat)/i
	condition:
	(all of them) or ($download and $keywords)
	}

	import re

	class DeobfuscatorException(Exception):
	"""
	DeobfuscatorException class to be raised
	"""
	pass

	class JNDIPayloadDeobfuscator:

	[
	"2.56.59.7",
	"2.56.59.115",
	"2.56.59.242",
	"45.133.1.45",
	"45.138.72.93",
	"45.138.72.103",
	"45.138.72.104",
	"45.138.72.107",
	"45.138.72.110",

	import requests, pprint, json, base64, magic


	class Nuker:

	def __init__(self, webhook_url):
	chunks = webhook_url.split("/")

	self.webhook_id = chunks[5]
	self.webhook_token = chunks[6]

	#
	# This program is a utility used by myself that I have released
	# to the public under the GPLv3 license
	#
	# Copyright (c) 2021 IlluminatiFish.
	#
	# This program is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, version 3.
	#