IlluminatiFish

## crypto_draining_eth_wallets.csv

          
            page_domain
            drainer_configuration_domain
            drainer_wallet_address
            drainer_file_url
            drainer_file_hash

            
              metagirls.icu
              beryeurverviug.shop
              0x252166461CBe83cbe69D7baF9344a74E64F5BC3F
              https://metagirls.icu/assets/web3-provider.js
              07d1084b129749718a1a4fde33f276a046e575d285d30bb313e88cce2150d656

            
              verify-collab.info
              airdrop-alert.net
              0xc45c2FC0Eae87263F4055c7838a93730eDabEBB6
              https://airdrop-alerts.net/assets/web3-provider.js
              8847744dfc114287eaa7edf4e28bc61d8472547e630d9ae1c719c5638c528e81

            
              crytdgroup.com
              register-sui.io
              0x000812de2241aB594aE154060028F70F39DAE000
              https://crytdgroup.com/assets/web3-provider.js
              23a7b90a5c7eb8a461ba2dd70f5796a38d84aafcd0c2f8892da312bbfe2dbe9c

            
              avaxloot.com
              network.berynaof.online
              0x9a9Cdb3747b2F280fd809f62A20AbC8256Ea650a
              https://avaxloot.com/assets/web3-provider.js
              0f104d024e9b4a3c815fa47662cc503027f086b0df6aafd8578af5e14c525f15

            
              thetipcoin.fun
              claims-service.net
              0x000099fe5C0867Ddd4344a44cE730d438B6f0000
              https://thetipcoin.fun/2aaf5c4a-a8f7-40da-aaf8-78e44425d676.js
              2bc284bfc884c9b4e5a1b682e

## crypto_draining_eth_wallets.json
{
    "0x753536e5AAE0254558d26F8B34b90cE39ECe07b2": "DRAINER_00001",
    "0xede26742364289d24a3c17d11b293b09ff63db1c": "DRAINER_00002",
    "0x121446e4E694199C809585b7ECf64cAC385e108F": "DRAINER_00003",
    "0x0c0fD96c0E058E89cd81DFfF454c98B920b24B6F": "DRAINER_00004",
    "0x42c99e69C77a3083da981130628B51E56638B447": "DRAINER_00005",
    "0x31089bD92c78374125C69B83365827108337F96A": "DRAINER_00006",
    "0xC7819d29c30B23b04d509A7D3B35aA1DbFCF3DE4": "DRAINER_00007",
    "0x68098977199926b11127ccE67136992b7961FFe1": "DRAINER_00008",
    "0x07cC89444DDf587D94cc9e0d12C92F87cFC4c771": "DRAINER_00009",

## tjx6_stealer_writeup.md

      
              1 file
            
          
              0 forks
            
          
              7 comments
            
          
              2 stars
            
          
                IlluminatiFish
                / tjx6_stealer_writeup.md
            
            
              Created
              August 9, 2022 02:02
            
              
                A small write up of what the tjx6 stealer is and what it does.
              
          
    Introduction

I was casually using my YouTube crawling bot (Kaelego) as I usually do to find new fake Hypixel Skyblock modifications
that are present in YouTube video descriptions, when I stumbled upon this peculiar sample (Video: https://www.youtube.com/watch?v=akZl0ZajV-Y).
The channel from which the video was uploaded, "Tutpeter", has another video, uploaded July 23. The video
shows a "duping mod", but the download links (MediaFire) showed that both files were uploaded from Germany
on July 24 at 8:51 AM. Both files are also exactly the same size (756.3 KB). It is possible that the link was changed in the first video to a fresh link, with a new sample of tjx6.
The JAR file was very weird from the get go as neither Java decompilation software such as Recaf

  
## YoutubeMalware.yara
rule MALWARE_VIDEO {
    strings:
        $password = /(PASS|PASSWORD)( )?(:|-)?( )?[0-9A-Za-z]{3,10}/i
        $download = /(http|https):\/\/(yt\.sv|shorturl\.at|clck\.ru|sites\.google\.com|bit\.ly|bit\.do|cutt\.ly|mega\.nz|(www\.)?mediafire\.com|gg\.gg|(www\.)?sendspace\.com|t\.ly|telegra\.ph|split\.to|actgames\.site|goo\.su|easyupload\.io)\/(.*)/i
        $keywords = /(crack|hack|cheat)/i
    condition:
        (all of them) or ($download and $keywords)
}

## JNDIPayloadDeobfuscator.py
import re

class DeobfuscatorException(Exception):
    """
    DeobfuscatorException class to be raised
    """
    pass

class JNDIPayloadDeobfuscator:

## blacklist.txt
[
  "2.56.59.7",
  "2.56.59.115",
  "2.56.59.242",
  "45.133.1.45",
  "45.138.72.93",
  "45.138.72.103",
  "45.138.72.104",
  "45.138.72.107",
  "45.138.72.110",

## Terminator.py
import requests, pprint, json, base64, magic


class Nuker:

    def __init__(self, webhook_url):
        chunks = webhook_url.split("/")

        self.webhook_id = chunks[5]
        self.webhook_token = chunks[6]

## Centauri.py
#
# This program is a utility used by myself that I have released
# to the public under the GPLv3 license
#
# Copyright (c) 2021 IlluminatiFish.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3.
#

## YAMLNodePreloader.py
#
# This program is a utility used by myself that I have released
# to the public under the GPLv3 license
#
# Copyright (c) 2021 IlluminatiFish.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3.
#

## EntropyAnalyzer.py
#
# This program is a utility used by myself that I have released
# to the public under the GPLv3 license
#
# Copyright (c) 2021 IlluminatiFish.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3.
#
page_domain	drainer_configuration_domain	drainer_wallet_address	drainer_file_url	drainer_file_hash
metagirls.icu	beryeurverviug.shop	0x252166461CBe83cbe69D7baF9344a74E64F5BC3F	https://metagirls.icu/assets/web3-provider.js	07d1084b129749718a1a4fde33f276a046e575d285d30bb313e88cce2150d656
verify-collab.info	airdrop-alert.net	0xc45c2FC0Eae87263F4055c7838a93730eDabEBB6	https://airdrop-alerts.net/assets/web3-provider.js	8847744dfc114287eaa7edf4e28bc61d8472547e630d9ae1c719c5638c528e81
crytdgroup.com	register-sui.io	0x000812de2241aB594aE154060028F70F39DAE000	https://crytdgroup.com/assets/web3-provider.js	23a7b90a5c7eb8a461ba2dd70f5796a38d84aafcd0c2f8892da312bbfe2dbe9c
avaxloot.com	network.berynaof.online	0x9a9Cdb3747b2F280fd809f62A20AbC8256Ea650a	https://avaxloot.com/assets/web3-provider.js	0f104d024e9b4a3c815fa47662cc503027f086b0df6aafd8578af5e14c525f15
thetipcoin.fun	claims-service.net	0x000099fe5C0867Ddd4344a44cE730d438B6f0000	https://thetipcoin.fun/2aaf5c4a-a8f7-40da-aaf8-78e44425d676.js	2bc284bfc884c9b4e5a1b682e
	{
	"0x753536e5AAE0254558d26F8B34b90cE39ECe07b2": "DRAINER_00001",
	"0xede26742364289d24a3c17d11b293b09ff63db1c": "DRAINER_00002",
	"0x121446e4E694199C809585b7ECf64cAC385e108F": "DRAINER_00003",
	"0x0c0fD96c0E058E89cd81DFfF454c98B920b24B6F": "DRAINER_00004",
	"0x42c99e69C77a3083da981130628B51E56638B447": "DRAINER_00005",
	"0x31089bD92c78374125C69B83365827108337F96A": "DRAINER_00006",
	"0xC7819d29c30B23b04d509A7D3B35aA1DbFCF3DE4": "DRAINER_00007",
	"0x68098977199926b11127ccE67136992b7961FFe1": "DRAINER_00008",
	"0x07cC89444DDf587D94cc9e0d12C92F87cFC4c771": "DRAINER_00009",
	rule MALWARE_VIDEO {
	strings:
	$password = /(PASS\|PASSWORD)( )?(:\|-)?( )?[0-9A-Za-z]{3,10}/i
	$download = /(http\|https):\/\/(yt\.sv\|shorturl\.at\|clck\.ru\|sites\.google\.com\|bit\.ly\|bit\.do\|cutt\.ly\|mega\.nz\|(www\.)?mediafire\.com\|gg\.gg\|(www\.)?sendspace\.com\|t\.ly\|telegra\.ph\|split\.to\|actgames\.site\|goo\.su\|easyupload\.io)\/(.*)/i
	$keywords = /(crack\|hack\|cheat)/i
	condition:
	(all of them) or ($download and $keywords)
	}
	import re

	class DeobfuscatorException(Exception):
	"""
	DeobfuscatorException class to be raised
	"""
	pass

	class JNDIPayloadDeobfuscator:
	[
	"2.56.59.7",
	"2.56.59.115",
	"2.56.59.242",
	"45.133.1.45",
	"45.138.72.93",
	"45.138.72.103",
	"45.138.72.104",
	"45.138.72.107",
	"45.138.72.110",
	import requests, pprint, json, base64, magic


	class Nuker:

	def __init__(self, webhook_url):
	chunks = webhook_url.split("/")

	self.webhook_id = chunks[5]
	self.webhook_token = chunks[6]
	#
	# This program is a utility used by myself that I have released
	# to the public under the GPLv3 license
	#
	# Copyright (c) 2021 IlluminatiFish.
	#
	# This program is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, version 3.
	#