-3
_ = lambda __ : __import__('base64').b64decode(__[::-1]);exec((_)(b'=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'))
cabesuon
Ashrafi Abir

2 Answers

2

If you run:

import base64

# Reverse the bytes, base64-decode one layer, and show the result as text.
print(base64.b64decode(b'=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'[::-1]).decode())

it'll dump Python source code from one layer of transformation. You may need to then perform further deobfuscation steps in a similar manner to arrive at the "real code". The exec is running said code (which is a terrible idea, since the actual behavior hasn't been verified), and the rest of it is just making a one-liner from the whole thing.

After running about five rounds of repeated base64 decoding plus decoding the end result to a proper str, you eventually end up with:

import os

os.system("pkg install figlet")
os.system("pkg install ruby")
os.system("gem install lolcat")
os.system("pkg install neofetch")
os.system("pkg install espeak")

It doesn't seem particularly malicious on its surface, but I'd treat any such pointlessly obfuscated code as suspicious until proven otherwise (I have no way to know if any of those packages might, in certain circumstances, do malicious things or create vulnerabilities other malicious things can exploit).

ShadowRanger
1

The obfuscation is quite simple but also interesting. Note especially the ; which breaks this up into two separate statements:

_ = lambda __ : __import__('base64').b64decode(__[::-1]);  # decoder: reverse the bytes, then base64-decode
exec((_)(b'=kS...hXZ'))                                       # run whatever the decoder produces

It creates a lambda function called _ which itself has a parameter called __. The lambda then imports base64 and calls its method b64decode. What does it pass? __[::-1], the parameter __ reversed. It then returns the result of that invocation. This completes the lambda definition.

It then calls exec with the result of calling the lambda with the original sort-of-base64 string. The result of the first lambda call is yet another code snippet looking like exec((_)(b'=kS...hXZ')) just with another sort-of-base64 string inside of it. Since you pass that string into exec it will run an exec which will run an exec which will run an exec ... That nesting goes on for 5? levels until you end up with python code that performs some potentially malicious os.system calls.

luk2302
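Both answers above describe the same peeling procedure: reverse the bytes literal, base64-decode it, and look at what comes out instead of letting exec run it. The script below is an added example (not code from either answer) that automates that procedure statically. It builds its own constructed five-layer sample in the page's exact exec((_)(b'...')) shape, then unwraps it with the ast module so that no layer is ever executed, and finally lists the os.system command strings found in the innermost source. It assumes every layer follows that shape; a layer that changes the encoding scheme would stop the loop, leaving the last decoded text for manual inspection.

```python
import ast
import base64

# Innocuous final script hidden inside the sample (constructed for this example).
SAMPLE_FINAL = 'import os\n\nos.system("pkg install figlet")\nos.system("pkg install neofetch")\n'

LAMBDA_PREFIX = "_ = lambda __ : __import__('base64').b64decode(__[::-1]);"


def wrap_once(src, with_lambda=False):
    """Apply one layer of the page's scheme: base64-encode, reverse the bytes,
    embed as exec((_)(b'...')). Used only to build the sample input."""
    payload = base64.b64encode(src.encode())[::-1]
    stmt = "exec((_)(%r))" % payload
    return (LAMBDA_PREFIX + stmt) if with_lambda else stmt


def build_sample(final_src, layers):
    """Nest final_src `layers` deep; only the outermost layer defines `_`."""
    src = final_src
    for i in range(layers):
        src = wrap_once(src, with_lambda=(i == layers - 1))
    return src


def _find_payload(src):
    """Locate the bytes literal in exec((_)(b'...')) by parsing, never executing."""
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and len(node.args) == 1
                and isinstance(node.args[0], ast.Call)):
            continue
        inner = node.args[0]
        if (isinstance(inner.func, ast.Name) and inner.func.id == "_"
                and len(inner.args) == 1 and isinstance(inner.args[0], ast.Constant)
                and isinstance(inner.args[0].value, bytes)):
            return inner.args[0].value
    return None


def peel_layer(src):
    """Undo one layer (reverse, then base64-decode); None if the shape is absent."""
    payload = _find_payload(src)
    if payload is None:
        return None
    return base64.b64decode(payload[::-1]).decode("utf-8")


def unwrap(src, max_layers=50):
    """Peel layers until no exec((_)(b'...')) remains. Returns (source, layer_count)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_layer(src)
        if nxt is None:
            return src, layers
        src, layers = nxt, layers + 1
    raise ValueError("more than %d layers; refusing to continue" % max_layers)


def shell_commands(src):
    """Collect string arguments of os.system(...) calls for review, without running them."""
    cmds = []
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "system" and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "os" and node.args
                and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str)):
            cmds.append(node.args[0].value)
    return cmds


if __name__ == "__main__":
    sample = build_sample(SAMPLE_FINAL, 5)
    final, depth = unwrap(sample)
    print("layers peeled:", depth)
    print("shell commands found:", shell_commands(final))
```

Swapping the constructed sample for a real one-liner copied into a file is the intended use; because every step goes through ast.parse and base64 only, a payload whose innermost layer does something harmful is still only displayed, not run.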