Author Topic: [Beginner Challenge] Screen Locker  (Read 1169 times)

0 Members and 2 Guests are viewing this topic.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
[Beginner Challenge] Screen Locker
« on: January 25, 2016, 01:27:16 pm »
The following file is a Reveton sample. If you ever wanted to know what it is like to have your screen locked, try this in your malware lab.

Your task: Run the sample and disable the screen locking. Report back here (in this thread) how you were able to do that. Several solutions are possible.

This archive contains live malware!

Download: reveton.zip
The password is "infected" (without quotes).
« Last Edit: January 25, 2016, 01:29:22 pm by Deque »

Offline Trap_lord

  • /dev/null
  • *
  • Posts: 19
  • Cookies: -20
    • View Profile
Re: [Beginner Challenge] Screen Locker
« Reply #1 on: February 07, 2016, 04:44:39 am »
When infected with this malware, do the following:

1. Close virtual machine

2. Start vm again

3. If that doesn't work reload using a snapshot or start from scratch

Is there an actual way to unlock the screen.
If so can you post solutions/answers, I'm new to malware analysis and reverse-engineering.
This is your life and it's ending one minute at a time - Fight Club(1999)

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Beginner Challenge] Screen Locker
« Reply #2 on: February 07, 2016, 10:35:46 am »
When infected with this malware, do the following:

1. Close virtual machine

2. Start vm again

3. If that doesn't work reload using a snapshot or start from scratch

Is there an actual way to unlock the screen.
If so can you post solutions/answers, I'm new to malware analysis and reverse-engineering.

Restart does not help here (did you try?). Loading a new snapshot is not a solution. Unless you use remote monitoring, you cannot analyse the sample properly whilst the screen is locked. So how would you analyse the sample dynamically without the use of remote monitoring?

Or imagine a friend got infected by this screen locker on his or her actual machine (not VM). How would you help your friend to get rid of it (without reformatting)?

There are several solutions to unlock the screen, because this screen locker is not perfect and does not consider all  eventualities that the user might incorporate.

Note: In the first scenario (sample analysis) you have more possibilities to solve this, because you can prepare your analysis machine before you run the sample.
Quote
If so can you post solutions/answers, I'm new to malware analysis and reverse-engineering.

Feel free to get ideas from this thread: https://evilzone.org/high-quality-tutorials/malware-analysis-by-example-part-5/msg114017/#msg114017
Read the comments below the tutorial and you will find some ideas.
« Last Edit: February 07, 2016, 10:42:43 am by Deque »

Offline Trevor

  • Serf
  • *
  • Posts: 39
  • Cookies: 18
  • Coder, Reverser
    • View Profile
Re: [Beginner Challenge] Screen Locker
« Reply #3 on: February 08, 2016, 08:11:00 pm »
Dynamic Analysis
The malware sample is distributed in the form of a DLL. To run it in our analysis environment we can use the Rundll32 utility.

The malware locks the screen by displaying a form that covers the entire screen. For this, it obtains the size of the screen through the GetSystemMetrics function which is then used to set the size of the form.



To restrict the screen locking to a small area, we can modify the return value of this function call, such that the form only covers a small part of the screen as in the following image.



In addition to the above method, we can also use the desktops utility from Sysinternals to create a new desktop which is unaffected by  the screen locker.

Disabling the screen lock

The best and ideal way to disable the screen lock is to enter a secret pin code. The screen locker would automatically close itself if the secret pin is entered.  Unfortunately, this pin is almost impossible to find as we only know the md5 hash it(EB65306635FECC6ADC4AFC5752C2B20A), which is infeasible to reverse. In the following image, we can see that it compares the md5 hash of the entered pin to the hardcoded value and terminates itself if they match.



These pin codes are actually cash voucher codes from ucash or  paysafecard. An example of such ucash  code is 6337180015919250100. After we use the code, the malware tries to communicates with its C&C, and checks for verification. Since at this time, the C&C is down, I have not done further analysis.

PS:
Thanks to deque for your contribution in this field. Hats off. :)

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Beginner Challenge] Screen Locker
« Reply #4 on: February 09, 2016, 09:14:20 am »
Thanks Trevor. Great analysis. What I love about your posts is that you often use an entirely different approach than me. I can learn from your posts as well by just seeing more possibilities to go about it; like in this case restricting the screen locking area. Great idea.  ;D

Edit @everyone else: Feel free to try and find more approaches for disabling the screen locking.
« Last Edit: February 09, 2016, 09:16:17 am by Deque »