EvilZone

Hacking and Security => Reverse Engineering => : Deque January 25, 2016, 01:27:16 PM

: [Beginner Challenge] Screen Locker
: Deque January 25, 2016, 01:27:16 PM
The following file is a Reveton sample. If you ever wanted to know what it is like to have your screen locked, try this in your malware lab.

Your task: Run the sample and disable the screen locking. Report back here (in this thread) how you were able to do that. Several solutions are possible.

This archive contains live malware!

Download: reveton.zip (http://upload.evilzone.org?page=download&file=BD7ktNaFbqINRITuimFlxAtRWLYM9PMHdjM3ysUTzASfiPzgap)
The password is "infected" (without quotes).
: Re: [Beginner Challenge] Screen Locker
: Trap_lord February 07, 2016, 04:44:39 AM
When infected with this malware, do the following:

1. Close virtual machine

2. Start vm again

3. If that doesn't work reload using a snapshot or start from scratch

Is there an actual way to unlock the screen?
If so can you post solutions/answers, I'm new to malware analysis and reverse-engineering.
: Re: [Beginner Challenge] Screen Locker
: Deque February 07, 2016, 10:35:46 AM
When infected with this malware, do the following:

1. Close virtual machine

2. Start vm again

3. If that doesn't work reload using a snapshot or start from scratch

Is there an actual way to unlock the screen?
If so can you post solutions/answers, I'm new to malware analysis and reverse-engineering.

Restart does not help here (did you try?). Loading a new snapshot is not a solution. Unless you use remote monitoring, you cannot analyse the sample properly whilst the screen is locked. So how would you analyse the sample dynamically without the use of remote monitoring?

Or imagine a friend got infected by this screen locker on his or her actual machine (not VM). How would you help your friend to get rid of it (without reformatting)?

There are several solutions to unlock the screen, because this screen locker is not perfect and does not consider all eventualities that the user might incorporate.

Note: In the first scenario (sample analysis) you have more possibilities to solve this, because you can prepare your analysis machine before you run the sample.

Feel free to get ideas from this thread: https://evilzone.org/high-quality-tutorials/malware-analysis-by-example-part-5/msg114017/#msg114017
Read the comments below the tutorial and you will find some ideas.
: Re: [Beginner Challenge] Screen Locker
: Trevor February 08, 2016, 08:11:00 PM
Dynamic Analysis
The malware sample is distributed in the form of a DLL. To run it in our analysis environment we can use the Rundll32 (http://www.walkernews.net/2007/06/06/quick-start-to-rundll32-syntax-and-example/) utility.

The malware locks the screen by displaying a form that covers the entire screen. For this, it obtains the size of the screen through the GetSystemMetrics (https://msdn.microsoft.com/en-us/library/windows/desktop/ms724385(v=vs.85).aspx) function which is then used to set the size of the form.

(http://s7.postimg.org/vu0xvryaj/image.png)

To restrict the screen locking to a small area, we can modify the return value of this function call, such that the form only covers a small part of the screen as in the following image.

(http://s15.postimg.org/bw5z4qt3f/image.png)

In addition to the above method, we can also use the desktops utility from Sysinternals to create a new desktop which is unaffected by the screen locker.

Disabling the screen lock

The best and ideal way to disable the screen lock is to enter a secret pin code. The screen locker would automatically close itself if the secret pin is entered. Unfortunately, this pin is almost impossible to find as we only know its md5 hash (EB65306635FECC6ADC4AFC5752C2B20A), which is infeasible to reverse. In the following image, we can see that it compares the md5 hash of the entered pin to the hardcoded value and terminates itself if they match.

(http://s14.postimg.org/qf0pna23l/image.png)

These pin codes are actually cash voucher codes from ucash or paysafecard. An example of such a ucash code is 6337180015919250100. After we use the code, the malware tries to communicate with its C&C and checks for verification. Since at this time the C&C is down, I have not done further analysis.

PS:
Thanks to deque for your contribution in this field. Hats off. :)
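The "shrink the locker form" approach from the post above, as an added Frida script (not Trevor's code or the thread's): it hooks user32!GetSystemMetrics in the lab VM and clamps the two screen-size metrics so the form only covers a corner of the display. Assumed: the sample was loaded with rundll32 and Frida is attached to that process; the 300 px cap is a constructed value.

```javascript
// Added example, not from the thread. Run with Frida attached to the rundll32
// process hosting the locker DLL, e.g.  frida -n rundll32.exe -l shrink_locker.js
// SM_* constants are the Win32 values; CAP_PX is a constructed lab setting.
const SM_CXSCREEN = 0;   // width of the primary display
const SM_CYSCREEN = 1;   // height of the primary display
const CAP_PX = 300;      // constructed: largest width/height the locker gets to see

// Decision logic kept pure so it can be tested outside Frida: only the two
// screen-size metrics are clamped; every other metric passes through unchanged,
// so the rest of the sample's UI code behaves as it normally would.
function spoofMetric(index, realValue) {
  if (index === SM_CXSCREEN || index === SM_CYSCREEN) {
    return Math.min(realValue, CAP_PX);
  }
  return realValue;
}

// Frida-only part: rewrite the return value of GetSystemMetrics before the
// locker uses it to size its full-screen form.
if (typeof Interceptor !== 'undefined') {
  const user32 = Process.getModuleByName('user32.dll');
  Interceptor.attach(user32.getExportByName('GetSystemMetrics'), {
    onEnter(args) {
      this.index = args[0].toInt32();          // nIndex argument
    },
    onLeave(retval) {
      const real = retval.toInt32();
      const spoofed = spoofMetric(this.index, real);
      if (spoofed !== real) {
        console.log(`GetSystemMetrics(${this.index}): ${real} -> ${spoofed}`);
        retval.replace(spoofed);
      }
    },
  });
}
```

Because the form is sized once when it is created, the hook has to be in place before the DLL's export runs, so spawn the rundll32 process suspended under Frida rather than attaching to an already locked screen.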
: Re: [Beginner Challenge] Screen Locker
: Deque February 09, 2016, 09:14:20 AM
Thanks Trevor. Great analysis. What I love about your posts is that you often use an entirely different approach than me. I can learn from your posts as well by just seeing more possibilities to go about it; like in this case restricting the screen locking area. Great idea. ;D

Edit @everyone else: Feel free to try and find more approaches for disabling the screen locking.