This trojan, like many other Winlock samples, comes with a few interesting features.
An unlock screen with pornographic images appears, asking the user to type the unlock code.
Let's check it with Resource Hacker. The lock screen image is stored in the resource section :-)
We can also see the number to which the victim is asked to send an SMS.
Let's try to recover the unlock code at the code level with OllyDbg.
Code responsible for dropping a copy of the sample, and for the Userinit entry.
Code responsible for creating the startup entry (the dropped copy is added to the Winlogon entry).
Code responsible for querying the system metrics used to size the unlock screen.
The return values stored in EAX are used later.
When listing all referenced strings, the screen hung and would not let me save the strings.
In the screenshot above, the message box covers a couple of strings.
The following is the complete string list:
Text strings referenced in BDEF4FD2:.text
Address Disassembly Text string
0040100B PUSH BDEF4FD2.00404520 ASCII "C:\Documents and Settings\Administrator\Desktop\BDEF4FD21F963939567DE6C757C3C098.exe"
00401017 PUSH BDEF4FD2.00404180 ASCII "Shell32"
00401026 PUSH BDEF4FD2.00404188 ASCII "ShellExecuteA"
0040103D PUSH BDEF4FD2.004041F1 ASCII "cfg"
00401088 PUSH BDEF4FD2.00404220 ASCII "8-963-724-50-49"
004010BA PUSH BDEF4FD2.00404420 ASCII "336985"
004011E1 PUSH BDEF4FD2.00404220 ASCII "8-963-724-50-49"
0040125D PUSH BDEF4FD2.004041DC ASCII "Console"
00401289 PUSH BDEF4FD2.00404144 ASCII "ConsoleSelfCount"
004012DE PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
004012E3 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
004012ED PUSH BDEF4FD2.0040408C ASCII "userinit.exe,"
004012F2 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
0040132B PUSH BDEF4FD2.00404008 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040133A PUSH BDEF4FD2.004040B8 ASCII "explorer"
00401376 PUSH BDEF4FD2.00404048 ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
00401385 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
00401393 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
0040139C PUSH BDEF4FD2.00404080 ASCII "Userinit"
004013CB PUSH BDEF4FD2.00404008 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
004013DA PUSH BDEF4FD2.004040B8 ASCII "explorer"
004013FF PUSH BDEF4FD2.00404196 ASCII "ComSpec"
00401409 PUSH BDEF4FD2.0040419E ASCII "/c del ""
00401418 PUSH BDEF4FD2.00404520 ASCII "C:\Documents and Settings\Administrator\Desktop\BDEF4FD21F963939567DE6C757C3C098.exe"
00401427 PUSH BDEF4FD2.004041A7 ASCII "" >> NUL"
0040149A PUSH BDEF4FD2.004041C8 ASCII "BUTTON"
004014CF PUSH BDEF4FD2.00404179 ASCII "Tahoma"
004014D4 PUSH BDEF4FD2.00409771 ASCII "Tahoma"
00401512 PUSH BDEF4FD2.00404179 ASCII "Tahoma"
00401517 PUSH BDEF4FD2.004097AD ASCII "Tahoma"
00401672 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
00401685 PUSH BDEF4FD2.00404162 ASCII "#32770"
0040168A PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
004017AE PUSH BDEF4FD2.00404008 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
004017BD PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
004017CB PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
004017D4 PUSH BDEF4FD2.004040B8 ASCII "explorer"
00401812 PUSH BDEF4FD2.00404048 ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
00401821 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
0040182F PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
00401838 PUSH BDEF4FD2.00404080 ASCII "Userinit"
00401869 PUSH BDEF4FD2.00404008 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00401878 PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401886 PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
0040188F PUSH BDEF4FD2.004040B8 ASCII "explorer"
004018E0 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
004018F5 PUSH BDEF4FD2.00404420 ASCII "336985"
004018FA PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
004019CC PUSH BDEF4FD2.004041DC ASCII "Console"
004019F7 PUSH BDEF4FD2.00404144 ASCII "ConsoleSelfCount"
00401A69 PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401A73 PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401A7D ADD EAX,BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401A8E PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401A98 PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401A9D PUSH BDEF4FD2.00407128 ASCII "C:\WINDOWS\system32\"
00401AA7 PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401AAC PUSH BDEF4FD2.00409644 ASCII "C:\WINDOWS\system32\\usrinit.exe"
00401AB6 PUSH BDEF4FD2.00404038 ASCII "\usrinit.exe"
00401AC1 PUSH BDEF4FD2.00409644 ASCII "C:\WINDOWS\system32\\usrinit.exe"
00401AC6 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe, \temp_sys.exe"
00401AD5 PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401ADA PUSH BDEF4FD2.0040413C ASCII "sss"
00401AE4 PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401AEE ADD EAX,BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401AFF PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401B09 PUSH BDEF4FD2.004041B0 ASCII "temp_sys.exe"
00401B0E PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401B1A PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401B1F PUSH BDEF4FD2.00404520 ASCII "C:\Documents and Settings\Administrator\Desktop\BDEF4FD21F963939567DE6C757C3C098.exe"
00401B29 PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
00401B2E PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
00401B38 PUSH BDEF4FD2.0040408C ASCII "userinit.exe,"
00401B43 PUSH BDEF4FD2.00408028 ASCII "\temp_sys.exe"
00401B53 PUSH BDEF4FD2.00404520 ASCII "C:\Documents and Settings\Administrator\Desktop\BDEF4FD21F963939567DE6C757C3C098.exe"
00401B5E PUSH BDEF4FD2.004041B0 ASCII "temp_sys.exe"
00401BA3 MOV DWORD PTR SS:[EBP-8],BDEF4FD2.004041 ASCII "ddd"
00401C31 PUSH BDEF4FD2.0040415A ASCII "Trololo"
00401C36 PUSH BDEF4FD2.00404140 ASCII "ddd"
00401C57 PUSH DWORD PTR DS:[409530] (Initial CPU selection)
00401CB6 PUSH BDEF4FD2.004041CF ASCII "EDIT"
00401CD6 PUSH BDEF4FD2.00404200 ASCII "IMAGE"
The most important details are the number to which the SMS is to be sent and the unlock code:
00401088 PUSH BDEF4FD2.00404220 ASCII "8-963-724-50-49"
004010BA PUSH BDEF4FD2.00404420 ASCII "336985"
004011E1 PUSH BDEF4FD2.00404220 ASCII "8-963-724-50-49"
"336985" is the unlock code for this sample. It is a plain, hardcoded string in the binary, so other builds of the same family may ship a different code.
The other details that can be inferred from the strings are the usual ones: the trojan deletes itself from the directory it was run from (via %ComSpec% with /c del "<path>" >> NUL) and creates startup entries for the dropped copy (the Run key and the Winlogon Userinit value, where \temp_sys.exe is appended after userinit.exe).
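As an added example (not from the original post), the following Python script parses an OllyDbg "Text strings referenced" listing like the one above and flags the indicators this analysis relied on: the two persistence registry keys, a Userinit value carrying anything besides the legitimate userinit.exe, the cmd.exe /c del self-deletion pattern, the phone-number-like SMS target, and short all-digit strings that are candidate unlock codes. The sample input is a constructed excerpt of the listing above; the heuristics (phone and code regexes, the expected Userinit path) are assumptions made for this example, not something the sample's code defines.

```python
import re

# Constructed excerpt of the OllyDbg "Text strings referenced" listing above
# (sample input for this example; only a handful of rows are reproduced).
OLLY_STRINGS = r'''
Text strings referenced in BDEF4FD2:.text
Address Disassembly Text string
00401088 PUSH BDEF4FD2.00404220 ASCII "8-963-724-50-49"
004010BA PUSH BDEF4FD2.00404420 ASCII "336985"
004012DE PUSH BDEF4FD2.00409028 ASCII "C:\WINDOWS\system32\"
004012F2 PUSH BDEF4FD2.00409544 ASCII "C:\WINDOWS\system32\userinit.exe,\temp_sys.exe"
0040132B PUSH BDEF4FD2.00404008 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00401376 PUSH BDEF4FD2.00404048 ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
0040139C PUSH BDEF4FD2.00404080 ASCII "Userinit"
004013FF PUSH BDEF4FD2.00404196 ASCII "ComSpec"
00401409 PUSH BDEF4FD2.0040419E ASCII "/c del ""
00401427 PUSH BDEF4FD2.004041A7 ASCII "" >> NUL"
004014CF PUSH BDEF4FD2.00404179 ASCII "Tahoma"
00401C57 PUSH DWORD PTR DS:[409530] (Initial CPU selection)
'''

# One listing row: 8-hex-digit address, disassembly, then ASCII "<string>".
# The last quote on the line closes the string, so embedded quotes survive.
LINE_RE = re.compile(r'^([0-9A-Fa-f]{8})\s+\S.*?\s+ASCII "(.*)"$')

# Registry paths (lower-cased) that commonly carry autostart entries.
PERSISTENCE_KEYS = {
    r"software\microsoft\windows\currentversion\run": "Run key autostart",
    r"software\microsoft\windows nt\currentversion\winlogon": "Winlogon key (Userinit hijack)",
}

# Heuristics assumed for this example: a dash-separated phone number such as
# 8-963-724-50-49, and a short all-digit string such as 336985.
PHONE_RE = re.compile(r"^\d{1,3}(?:-\d{2,4}){2,5}$")
CODE_RE = re.compile(r"^\d{4,8}$")

# The only entry a clean Userinit value should contain (assumed path).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_olly_strings(dump):
    r"""Return (address, string) pairs for every row that references an ASCII string."""
    rows = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def userinit_extras(value):
    r"""Split a Winlogon\Userinit value on commas and return every entry that is
    not the legitimate userinit.exe. A clean value is
    "C:\WINDOWS\system32\userinit.exe," (trailing comma), so it yields []."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != EXPECTED_USERINIT]


def triage(dump):
    r"""Classify referenced strings into (address, indicator, detail) findings."""
    findings = []
    for addr, s in parse_olly_strings(dump):
        low = s.lower()
        if low in PERSISTENCE_KEYS:
            findings.append((addr, "persistence-key", PERSISTENCE_KEYS[low]))
        elif "userinit.exe," in low:
            extras = userinit_extras(s)
            if extras:
                findings.append((addr, "userinit-hijack", ", ".join(extras)))
        elif low.startswith("/c del"):
            findings.append((addr, "self-delete", s))
        elif PHONE_RE.match(s):
            findings.append((addr, "sms-number", s))
        elif CODE_RE.match(s):
            findings.append((addr, "possible-unlock-code", s))
    return findings


if __name__ == "__main__":
    for addr, kind, detail in triage(OLLY_STRINGS):
        print(f"{addr}  {kind:22} {detail}")
```

Run against the excerpt, it reports the SMS number, the candidate code 336985, the Run and Winlogon keys, the /c del self-deletion fragment and the extra \temp_sys.exe entry in Userinit, while font names and other UI strings are ignored. The Userinit check tolerates the empty entry produced by the trailing comma of a clean value, so it can be pointed at a live registry export as well as at a debugger string dump.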