Having a look at a version that plays an MP3 file.
Now let's start the boring part (reversing)
First it calls the time service, retrieves the date and checks it against 29 Oct.
(I've skipped some parts of the code)
It's a protection inside Silence Winlocker: the bad guys have 7 days to f*ck ppl with their bin; after that the bin will not work and they should buy a new one.
Kill process:
Add a startup key:
Load an MP3 file from the resources:
And among the resources there is even one picture:
Call the C&C:
Remove some entry in registry:
Kill taskmgr if found:
Play the MP3 file:
md5: 819be88d910d97bb06e02bc255977999
Call the C&C for picture:
And here we go
The C&C looks like this:
Main:
Number of connections:
Payment:
You have 72 hours to pay the fine!
Trying with a 'working' MoneyPak code:
Wait! Your request is processed within 24 hours.
Code appeared on the panel:
DA:
Files:
The latest version of Silent Winlocker (5.0) has not changed a lot; they replaced the FBI sound with a webcam feature, and after that... it's still the same crap doing the same things.
thread:
kill proc:
Startup:
Call the gate:
lol'd:
Landing fail:
It should look like this:
Main:
Number of connections:
Ukash/PSC/MoneyPak Payment:
Picture:
Panel files:
picture.php:
CameraExample.swf:
Also got the Citadel HID calculator
I lol'd at the guys who cry 'Citadel leak is fake'.
ppl don't know that the protection message is 'CORRUPTED EXE SHIT'.
Nice work xyli :)
Looking forward to more of your articles.
Can I ask how you find panels for certain software you infiltrate?
Do you get some bins from the wild? Where? Torrents?
I'd like to start doing some analysis like you do, it's exciting.
I know you crack their login with Brutus.
Thanks for your answer.
Exploit kit / malware tracker is useful.
I guess this domain got reported personally:
Same domain:
http://www.hackforums.net/showthread.php?tid=2972763
He gets them by contacting the hosting provider. And they can't deny xyli because he is a police agent.
:)
Very nice reverse eng on that.
WTF IS Citadel HID?
HID = Hardware ID
How can I get this locker?