I first saw it in a post on kernelmode; I only had a quick look at the panel...
Dashboard:
Edit a file:
Rename:
More recently, a friend gave me this link via IRC: androidauthorization.com/bin/disk.exe
Oh... it's more RunPE crap:
When unpacked, only 15 AVs detect it: https://www.virustotal.com/file/978a996ddf98f7a093fd4b8d693622a3e32486e6d6a93c3b4d672693a7d49cb8/analysis/1353868360/
As a winlock?! Let's have a look.
A routine decodes the config strings inside:
Then it retrieves the addresses of the functions it needs:
And starts the work, hiding the file:
Adds registry persistence in \Run and deletes \SafeBoot:
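As an added example (not from the original post and not part of the kit), here is a PowerShell check a responder could run on a host suspected of carrying this sample: it lists the Run/RunOnce autostart entries and verifies that the SafeBoot\Minimal and SafeBoot\Network keys still exist, since deleting them is what breaks Safe Mode. The registry paths are the standard Windows ones; the value name the sample writes is not shown on the page, so instead of matching a specific name the script flags any entry whose command points into a user-writable location, where droppers usually land.

```powershell
# Added example: check the two registry areas this winlock touches.
# 1) Run/RunOnce keys for persistence, 2) SafeBoot keys whose deletion breaks Safe Mode.
# Paths are standard Windows paths; the sample's own value name is unknown (assumption:
# it lands somewhere user-writable), so every entry is listed and suspicious ones flagged.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip them
            if ($p.Name -like 'PS*') { continue }
            # Commands living in AppData, Temp, ProgramData or Users\Public deserve a closer look
            $suspicious = [bool]($p.Value -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\')
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Suspicious = $suspicious
            }
        }
    }
}

function Test-SafeBoot {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($sub in 'Minimal', 'Network') {
        $path = Join-Path $base $sub
        if (-not (Test-Path $path)) {
            # A missing key means Safe Mode will not boot: the classic winlock trick
            [pscustomobject]@{ Key = $path; Status = 'MISSING - Safe Mode broken' }
            continue
        }
        # A healthy install has dozens of driver/service subkeys here
        $count = (Get-ChildItem -Path $path).Count
        [pscustomobject]@{ Key = $path; Status = "present, $count entries" }
    }
}

Get-RunEntries | Format-Table -AutoSize
Test-SafeBoot  | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; if SafeBoot\Minimal or SafeBoot\Network comes back MISSING, the keys have to be restored from a clean machine of the same Windows version before Safe Mode can be used for cleanup.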
Creates windows:
If Program Manager is found, terminates it:
Sets the windows topmost:
Tests internet connectivity:
Prepares the landing:
Then I pressed F9...
Lame landing:
It also calls the gate to find out whether to kill the process or not:
Multi Locker landing editor for this sample:
getunlock.php:
tds.php:
Oh... well, another winlock kit ripped from another winlock kit. I'm not amused to find a sales thread and shit; this kit is designed to fail. My net is slow as fuck for the moment, so I will post the rest of the pictures from the C&C later.
Dashboard:
Analytics botnet:
Billing:
Landing:
Manual:
Support:
Change password: