![]() ![]() Http_conn_id ( str | None) – Http connection ID with host as “ ” andĭefault webhook endpoint in the extra field in the form of You can override these defaults in this operator. Theĭefault endpoint can be overridden using the webhook_endpoint parameterĮach Discord webhook can be pre-configured to use a specific username andĪvatar_url. Takes a Discord connection ID with a default relative webhook endpoint. DiscordWebhookOperator ( *, http_conn_id = None, webhook_endpoint = None, message = '', username = None, avatar_url = None, tts = False, proxy = None, ** kwargs ) ¶īases: .http.SimpleHttpOperator This also gives you unlimited access to Medium.This operator allows you to post messages to Discord using incoming webhooks.Ĭlass .discord_webhook. This kind of article takes a long time to prepare (almost a week alongside my day job), so if you want to support me, you can subscribe to Medium membership here. If you enjoyed this article, please consider leaving a reaction. If you have any suggestions or comments, do not hesitate to post them in the comment section and I will try to answer them.Īlso, don’t forget to follow as I will continue to publish more advanced topics on this hack and Electron. I hope this post will encourage people to be more considerate when downloading executables from untrusted sources and will help some others to see how we can reverse NodeJS malwares, which are more and more used nowadays. And they did!įrom that, no more to say, the discussion was not very productive but at least I could tell other servers we had in common that the bad guy was also on their server. I then used the webhook to send them messages telling them that I knew what they were doing and telling them to DM me with my discord ID, hoping they will answer me. I created a new file called find_webhook.js that copies the needed code to run fn2 and console.log(fn2(0x324 - 0x26a, 0x331)), and… we have it! The output is (output censored for privacy reasons). Let’s take a look at those sources : function a0_0x47b121(_0x44bb58,_0x4e9d60,_0x355d77,_0x4e9d34,_0x1a193e)įn2 is more complicated, with initialization vectors and complex rotations, but we can bypass the complexity by calling this function directly. In that kind of executables, the sources are always present at the end of the strings output. We can now say it is a NodeJS bundled executable! This returned gibberish for most of the result, but at some point, I saw NodeRuntime. It is helpful to see any strings like URLs or addresses embedded in a file. ![]() The strings command finds the printable strings in a binary file. To do so, I used the strings command like this : > strings file.exe My first idea was to look up what was in this executable. ![]() So I grabbed my computer and downloaded the file (I downloaded it in a Linux VM so if it gets infected in some ways, I can delete the VM). Most of the time, this isn’t good when you have downloaded a file from an untrusted source… He told me the program opened a console prompt for a few seconds and then exited. The first thing I did was ask the reporter if he opened the file, to which he answered he did. ![]() To give a bit of context, I am a Discord admin on a small server about development, and we recently got a report from one of our users that someone was trying to get him to download an EXE file. How I reversed a NodeJS malware and found the author ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |