I reversed a Node.js malware and came upon the creator


The Devops Guy

To give a little context, I am a Discord admin on a small server about building, and we recently got a report from one of our users that somebody was trying to get him to download an EXE file.

The first thing I did was ask the reporter if he had opened the file, to which he answered that he had. He told me the program opened a console prompt for a few seconds and then exited. Usually, this is not a good sign when you have downloaded a file from an untrusted source…

So I grabbed my computer and downloaded the file (I downloaded it in a Linux VM so that if it gets infected in some way, I can delete the VM). Time to investigate.

My first idea was to look at what was in this executable. To do so, I used the strings command like this:

> strings file.exe

The strings command finds the printable strings in a binary file. It is useful to spot any strings like URLs or addresses embedded in a file.

This returned gibberish for most of the output, but at some point I saw NodeRuntime. We can now say it is a NodeJS bundled executable!

In that kind of executable, the sources are usually right at the end of the strings output. Let's take a look at those sources:

function a0_0x47b121(_0x44bb58,_0x4e9d60,_0x355d77,_0x4e9d34,_0x1a193e){return a0_0x1b80(_0x1a193e- -0x1e4,_0x44bb58);}

The code looks obfuscated and minified onto a really long line…

I applied the following method to understand the logic behind the obfuscated code.

I knew that this binary was distributed through Discord DMs, so I checked whether the code contained the word discord with grep. Bingo!

Several functions contain the word discord: listDiscords, startDiscord, killDiscord and pwnBetterDiscord. This last function looked promising.

I looked up pwnBetterDiscord on Google and GitHub and found the source of the tool: https://github.com/Stanley-GF/PirateStealer.

PirateStealer

We have found the source code that was used in the bundled app. Let's take a look at it.

It steals all the information it can get from the Discord client by first killing the Discord client and then patching it with a JavaScript payload that exfiltrates private information like Discord credentials and credit card details through a Discord webhook (a URL you can POST to in order to send a message to your Discord server).

The author claims that this tool is only for educational purposes, but he also sells premium features and support? That doesn't seem like a credible "educational purposes" claim…

The code is full of proxy functions that try to hide the access to the main string-obfuscation function. Because the code is not fully obfuscated, we can find webhook=a0_0x78da73(0x331,0x342,0x32c,0x2f1,0x324). Let's play a game and extract all the methods needed to decipher this code. For the sake of brevity, I will rename all the obfuscated functions to fn1, fn2 … and their parameters to p1, p2 …

a0_0x78da73 (let's call it fn1) takes 5 arguments, but it only cares about the first and the last one:

function fn1(p1,p2,p3,p4,p5){return fn2(p5 - 0x26a,p1);}

fn2 is more complex, with initialization vectors and convoluted rotations, but we can sidestep the complexity by calling this function directly. Let's do that!

I created a new file called find_webhook.js that copies the code needed to run fn2 and adds console.log(fn2(0x324 - 0x26a, 0x331)), and… we have it! The output is https://ptb.discord.com/api/webhooks/abcdefg/hijklmn (output censored for privacy reasons).
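The same trick, as an added example that is not code from the post or from PirateStealer: a constructed string table, a decoder in the role of fn2 and a five-argument proxy in the role of fn1, followed by a small resolver that rewrites every proxy call in a snippet into its decoded literal. The offsets, table contents and placeholder URL are all invented for the example.

```javascript
// Added example, not code from the original post or from PirateStealer.
// It rebuilds the pattern the post describes (a string table, a decoder that
// takes an index and a key, and a proxy wrapper that only uses its first and
// last arguments) on a constructed sample, then shows the analyst-side trick:
// copy the decoder, call it with the arguments found at the call site, and
// never execute the rest of the malware.

// Constructed string table. In this toy scheme every entry is stored reversed;
// real obfuscators use base64, RC4 or rotated arrays, but the workflow is the same.
const STRING_TABLE = [
  "koohbew",                                         // "webhook"
  "TSOP",                                            // "POST"
  "REDLOHECALP/skoohbew/ipa/dilavni.elpmaxe//:sptth" // placeholder URL, not a real webhook
];
const TABLE_OFFSET = 0x10;

// Stand-in for the post's fn2: index into the table after removing an offset.
// The key argument is unused here, as it is in several real obfuscator modes.
function decodeString(index, _key) {
  return STRING_TABLE[index - TABLE_OFFSET].split("").reverse().join("");
}

// Stand-in for the post's fn1: five arguments, only p5 (index) and p1 (key) matter.
function proxy(p1, p2, p3, p4, p5) {
  return decodeString(p5 - 0x26a, p1);
}

// Analyst helper: find every proxy(...) call in a code snippet, evaluate the
// arguments as numbers (hex literals included), and replace the call with the
// decoded string literal. No eval: only the two copied functions run.
function resolveProxyCalls(code) {
  return code.replace(/\bproxy\(([^()]*)\)/g, (_match, argList) => {
    const args = argList.split(",").map((a) => Number(a.trim()));
    return JSON.stringify(proxy(...args));
  });
}

// Constructed snippet in the shape of the line found in the bundle
// (webhook=a0_0x78da73(0x331,0x342,0x32c,0x2f1,0x324) in the post).
const SAMPLE_CODE =
  "const webhook=proxy(0x331,0x342,0x32c,0x2f1,0x27c);" +
  "const method=proxy(0x1,0x2,0x3,0x4,0x27b);";

console.log(resolveProxyCalls(SAMPLE_CODE));
```

On a real sample the same resolver works once the obfuscated names are substituted for proxy and the genuine decoder is pasted in place of decodeString.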

Finding the user of the script

I then used the webhook to send them messages telling them that I knew what they were doing and asking them to DM me with my Discord ID, hoping they would answer me. And they did!

Needless to say, the discussion was not very productive, but at least I could tell the other servers we had in common that the bad guy was also on their server.

I hope this post will help people be more careful when downloading executables from untrusted sources, and may also help others see how we can reverse NodeJS malware, which is increasingly common at the moment.

If you have any suggestions or comments, do not hesitate to post them in the comment section and I will try to answer them.

Also, don't forget to follow, as I will continue to post more advanced topics on this hack and Electron.


Written by Vanic
