up

petikvx · Jan 8, 2024 · a3e0e1e · a3e0e1e
1 parent ab8be67
commit a3e0e1e
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 1 deletion.
diff --git a/_posts/Malware Analyze/2024-01-15-unpacking-hydracrypt.md b/_posts/Malware Analyze/2024-01-15-unpacking-hydracrypt.md
@@ -159,4 +159,68 @@ private static void Run()
     }
 }
 
-```
+```
+
+### Password creation
+
+The malware will generate a 50-character password.
+
+```csharp
+private static string CreatePassword(int length)
+{
+    StringBuilder stringBuilder = new StringBuilder();
+    Random random = new Random();
+    while (0 < Math.Max(Interlocked.Decrement(ref length), length + 1))
+    {
+        stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/".Length)]);
+    }
+    return stringBuilder.ToString();
+}
+```
+
+### ID Creation
+
+The HWID() method generates a Hardware Identifier (HWID) using certain system information such as the current thread's ID, the username, the machine's name, the operating system version, and the system page size. This method returns the HWID as a string.
+
+The GetHash(string strToHash) method takes an input string, converts it into a 10-character MD5 hash using UTF-8 encoding, and then returns the result in uppercase without dashes.
+
+```csharp
+internal class Hwid
+{
+    public static string HWID()
+    {
+        string result;
+        try
+        {
+            result = Hwid.GetHash(string.Concat(new object[]
+            {
+                Environment.CurrentManagedThreadId,
+                Environment.UserName,
+                Environment.MachineName,
+                Environment.OSVersion.VersionString,
+                Environment.SystemPageSize
+            }));
+        }
+        catch
+        {
+            result = "Error HWID";
+        }
+        return result;
+    }
+
+    public static string GetHash(string strToHash)
+    {
+        string result;
+        using (MD5 md = MD5.Create())
+        {
+            byte[] bytes = Encoding.UTF8.GetBytes(strToHash);
+            result = BitConverter.ToString(md.ComputeHash(bytes), 0, 10).Replace("-", "").ToUpper();
+        }
+        return result;
+    }
+}
+```
+
+The result will be displayed in the ransomware note.
+
+![your-id](/images/hydracrypt/your-id.png)
diff --git a/images/hydracrypt/your-id.png b/images/hydracrypt/your-id.png