#🐞 SANDY

image.png

SANDY.zip

Extract the zip to get to the .exe.

image.png

script.au3

A large, obfuscated script.

image.png

image.png

Step 1

Decode the Base64 chunks from the script.
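# Step 1: Populate the Base64 chunks from the original script.
# Paste every chunk from script.au3 here, in order, one quoted string per
# line. The single entry below is a truncated placeholder ("...") and will
# not decode until it is replaced. Do not leave a trailing comma after the
# last entry: Windows PowerShell reports "Missing expression after ','".
$base64Chunks = @(
    "JABlAG4AYwBvAGQAZQBkAFMAYwByAGkAcAB0ACAAPQAgACIA..."
)

# Decodes a Base64 string whose payload is UTF-16LE text (the encoding that
# [System.Text.Encoding]::Unicode implements) and returns that text.
# Throws (FormatException from FromBase64String) when the input is not
# valid Base64 -- which is what the placeholder above produces.
function ConvertFrom-UnicodeBase64 {
    param(
        [string] $Base64
    )
    $bytes = [System.Convert]::FromBase64String($Base64)
    return [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Step 2: Join the chunks into a single string.
$fullBase64String = $base64Chunks -join ''

# Step 3: Decode the string to reveal the PowerShell script.
# The original script uses Unicode (UTF-16LE) encoding.
$decodedPowerShellScript = $null
try {
    $decodedPowerShellScript = ConvertFrom-UnicodeBase64 -Base64 $fullBase64String
}
catch {
    # Most likely cause: the chunk list still holds the truncated placeholder.
    Write-Error "Could not decode the joined chunks as Base64: $($_.Exception.Message)"
}

# Step 4: Display the hidden script. Write-Output only prints the recovered
# text; nothing here invokes it, so the sample stays inert during analysis.
if ($null -ne $decodedPowerShellScript) {
    Write-Output $decodedPowerShellScript
}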

Step 2

Take the JSON output and Base64-decode it.

$pathdata=@'[{"root":"%appdata%","targets":[{"name":"Exodus-A","path":"Exodus"},{"name":"Atomic-A","path":"AtomicWallet"},{"name":"Electrum-A","path":"Electrum"},{"name":"Ledger-A","path":"LedgerLive"},{"name":"Jaxx-A","path":"JaxxLiberty"},{"name":"com.liberty.jaxx-A","path":"com.liberty.jaxx"},{"name":"Guarda-A","path":"Guarda"},{"name":"Armory-A","path":"Armory"},{"name":"DELTA-A","path":"DELTA"},{"name":"TREZOR-A","path":"TREZORBridge"},{"name":"Bitcoin-A","path":"Bitcoin"},{"name":"binance-A","path":"binance"},{"name":"mexc-A","path":"mexc"}]},{"root":"%localappdata%","targets":[{"name":"Blockstream-A","path":"BlockstreamGreen"},{"name":"Coinomi-A","path":"Coinomi"}]},{"root":"%localappdata%\\\\Google\\\\Chrome\\\\UserData\\\\Default\\\\Extensions","targets":[{"name":"Metamask-C","path":"nkbihfbeogaeaoehlefnkodbefgpgknn"},{"name":"MEWcx-C","path":"nlbmnnijcnlegkjjpcfjclmcfggfefdm"},{"name":"Coin98-C","path":"aeachknmefphepccionboohckonoeemg"},{"name":"Binance-C","path":"fhbohimaelbohpjbbldcngcnapndodjp"},{"name":"Jaxx-C","path":"cjelfplplebdjjenllpjcblmjkfcffne"},{"name":"Coinbase-C","path":"hnfanknocfeofbddgcijnmhnfnkdnaad"},{"name":"Ronin-C","path":"fnjhmkhhmkbjkkabndcnnogagogbneec"},{"name":"Trust-C","path":"egjidjbpglichdcondbcbdnbeeppgdph"},{"name":"Venom-C","path":"ojggmchlghnjlapmfbnjholfjkiidbch"},{"name":"Sui-C","path":"opcgpfmipidbgpenhmajoajpbobppdil"},{"name":"Martian-C","path":"efbglgofoippbgcjepnhiblaibcnclgk"},{"name":"Tron-C","path":"ibnejdfjmmkpcnlpebklmnkoeoihofec"},{"name":"Petra-C","path":"ejjladinnckdgjemekebdpeokbikhfci"},{"name":"Pontem-C","path":"phkbamefinggmakgklpkljjmgibohnba"},{"name":"Fewcha-C","path":"ebfidpplhabeedpnhjnobghokpiioolj"},{"name":"Math-C","path":"afbcbjpbpfadlkmhmclhkeeodmamcflc"},{"name":"Authenticator-C","path":"bhghoamapcdpbohphigoooaddinpkbai"},{"name":"ExodusWeb3-C","path":"aholpfdialjgjfhomihkjbmgjidlcdno"},{"name":"Phantom-C","path":"bfnaelmomeimhlpmgjnjophhpkkoljpa"},{"name":"Core-C","path":"agoakfejjabomempkj
lepdflaleeobhb"},{"name":"Tokenpocket-C","path":"mfgccjchihfkkindfppnaooecgfneiii"},{"name":"Safepal-C","path":"lgmpcpglpngdoalbgeoldeajfclnhafa"},{"name":"Solfare-C","path":"bhhhlbepdkbapadjdnnojkbgioiodbic"},{"name":"Kaikas-C","path":"jblndlipeogpafnldhgmapagcccfchpi"},{"name":"iWallet-C","path":"kncchdigobghenbbaddojjnnaogfppfj"},{"name":"Yoroi-C","path":"ffnbelfdoeiohenkjibnmadjiehjhajb"},{"name":"Guarda-C","path":"hpglfhgfnhbgpjdenjgmdgoeiappafln"},{"name":"Wombat-C","path":"amkmjjmmflddogmhpjloimipbofnfjih"},{"name":"Oxygen-C","path":"fhilaheimglignddkjgofkcbgekhenbh"},{"name":"Guild-C","path":"nanjmdknhkinifnkgdcggcfnhdaammmj"},{"name":"Saturn-C","path":"nkddgncdjgjfcddamfgcmfnlhccnimig"},{"name":"Terra-C","path":"aiifbnbfobpmeekipheeijimdpnlpgpp"},{"name":"Harmony-C","path":"fnnegphlobjdpkhecapkijjdkgcjhkib"},{"name":"Kardia-C","path":"cgeeodpfagjceefieflmdfphplkenlfk"},{"name":"Pali-C","path":"mgffkfbidihjpoaomajlbgchddlicgpn"},{"name":"BoltX-C","path":"aodkkagnadcbobfpggfnjeongemjbjca"},{"name":"Liquality-C","path":"kpfopkelmapcoipemfendmdcghnegimn"},{"name":"XDEFI-C","path":"hmeobnfnfcmdkdcmlblgagmfpfboieaf"},{"name":"Nami-C","path":"lpfcbjknijpeeillifnkikgncikgfhdo"},{"name":"MaiarDEFI-C","path":"dngmlblcodfobpdpecaadgfbcggfjfnm"},{"name":"TempleTezos-C","path":"ookjlbkiijinhpmnjffcofjonbfbgaoc"},{"name":"XMRpt-C","path":"eigblbgjknlfbajkfhopmcojidlgcehm"},{"name":"Flag","path":"flag{27768419fd176648b335aa92b8d2dab2}"}]},{"root":"%localappdata%\\\\Microsoft\\\\Edge\\\\UserData\\\\Default\\\\Extensions","targets":[{"name":"Metamask-E","path":"ejbalbakoplchlghecdalmeeeajnimhm"},{"name":"Metamask-EE","path":"nkbihfbeogaeaoehlefnkodbefgpgknn"},{"name":"Coinomi-E","path":"gmcoclageakkbkbbflppkbpjcbkcfedg"}]},{"root":"%localappdata%\\\\BraveSoftware\\\\Brave-Browser\\\\UserData\\\\Default\\\\Extensions","targets":[{"name":"Metamask-B","path":"nkbihfbeogaeaoehlefnkodbefgpgknn"},{"name":"MEWcx-B","path":"nlbmnnijcnlegkjjpcfjclmcfggfefdm"},{"name":"Coin98-B","pat
h":"aeachknmefphepccionboohckonoeemg"},{"name":"Binance-B","path":"fhbohimaelbohpjbbldcngcnapndodjp"},{"name":"Jaxx-B","path":"cjelfplplebdjjenllpjcblmjkfcffne"},{"name":"Coinbase-B","path":"hnfanknocfeofbddgcijnmhnfnkdnaad"}]}]'@;