ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax

All times are UTC




PostPosted: Mon Dec 27, 2021 6:34 pm 

Joined: Tue Sep 14, 2021 12:25 am
Posts: 34
There is an app called MAKS; it locks your computer and you cannot use it until someone puts a flash disk into your computer. These flash disks are programmed before installing the locker; there is no way to re-program the flash disks. How can I bypass this app? Thanks in advance, I'm sending the files here. BTW, be careful, you may lock your computer while doing that. Consider using a virtual computer.

https://we.tl/t-sSyWzrlrGZ


PostPosted: Wed Dec 29, 2021 1:33 am 

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 241
I wouldn't recommend anyone download this or even bother looking. It's basically malware. Regardless of whether the application is legit, it comes with several additional files that literally infect your system to make sure it continues to run, replicates, and is always present. It will attempt to recreate itself in a lot of locations to ensure it does not get wiped easily.

To give a rundown of what this zip includes:

applist.fatih:
- Base64 encoded and encrypted file.

ayar.reg: Registry settings file.
- Disables UAC allowing for running anything without permission.
- Disables UAC LUA.
- Disables Windows from asking if you want to end tasks when shutting down, forcing restarts/shutdowns to happen immediately.

e:
- Renamed .NET application that is really named 'userinit'.
- On start, it will immediately hide the main window of itself.
- Tries to start program: C:\ProgramData\mtaku\etkontrol.exe
- Tries to start program: C:\Windows\winload.exe
- After trying to start those processes, it will kill itself.

f:
- Renamed .NET application that is really named 'winload'.
- Uses a mutex to try and only allow one instance to start/run.
- On start, it will do the same thing as 'ayar.reg' and try to disable UAC and allow running things as admin.
- On start, it will immediately hide the main window of itself.
- On start, it will disable Task Manager via the registry.
- On start, it will add 'userinit.exe' to the system's auto-execution list when a user logs in.
- On start, it will try to start program: C:\ProgramData\mtaku\etkontrol.exe
- Starts a few timers that constantly run to check various things.
- Timer1: Will constantly look for instances of 'etkontrol' and ensure only 1 is running and that it is responding.
- Timer1: Will ensure that the C:\ProgramData\mtaku\ folder exists.
- Timer1: Will ensure that the file: C:\Windows\winstart.exe exists, if not copies from C:\Windows\akc\strsdf to C:\Windows\winstart.exe
- Timer1: Will immediately start C:\Windows\winstart.exe if it did not previously exist, after copying it over.
- Timer1: Will ensure the following files exist:
- C:\ProgramData\mtaku\applist.fatih -- If not, copies it from: C:\Windows\akc\dendshiougdsgljsdbgkhsdgk
- C:\ProgramData\mtaku\etkontrol.exe -- If not, copies it from: C:\Windows\akc\deffnlakgnalkjdnglknd
- C:\ProgramData\mtaku\MessagingToolkit.QRCode.dll -- If not, copies it from: C:\Windows\akc\aylgifakhfgsdysg
- C:\ProgramData\mtaku\tanim.fatih -- If not, copies it from: C:\Windows\akc\tfflkdsjglksdnglsdn
- C:\ProgramData\mtaku\weblist.fatih -- If not, copies it from: C:\Windows\akc\derkhgkdshgksdhgksdh
- Timer1: Will start the process: C:\ProgramData\mtaku\etkontrol.exe
- Timer2: Will constantly ensure UAC is disabled.

- Timer2: Will constantly check the current active window and look for specific programs to immediately kill.
- Kullanici Hesabi - User Account window for Windows in Turkish.
- Kullanici Hesabi Denetim - User Account Control window for Windows in Turkish.
- ismets - Turkish but unsure what this is for. Looks for any window with it in its name.
- akc - Looks for window with this in its name.
- tanim.fatih - Looks for window with this in its name.
- mtaku - Looks for window with this in its name.
- cmd.exe - Looks for processes with this name.
- regedit.exe - Looks for processes with this name.
- mmc.exe - Looks for processes with this name.
- Taskmgr.exe - Looks for processes with this name.
- If found running, also tries to enforce that Task Manager is disabled via the registry.

- Timer3: Looks for and reads the file: C:\ProgramData\mtaku\kontrol.txt
- Tries to read a date/timestamp from this file.
- If the date matches a certain range, then the application will try to reinfect the system.
- Runs C:\ProgramData\mtaku\etkontrol.exe if the date matches the expected value.

i:
- Renamed .NET application that is really named 'winstart'.
- On start, it will immediately hide the main window of itself.
- On start, it will try to start program: C:\Windows\winload.exe
- On start, it will try to copy C:\Windows\akc\strsdf to C:\Windows\winload.exe and start it.
- On start, it will try to copy C:\Windows\akc\deffnlakgnalkjdnglknd to C:\ProgramData\mtaku\etkontrol.exe and start it.
- On start, it will add itself to the auto-start program list for Windows.

icon.ico:
- Application icon.
- Has the same icon embedded at the end of it as a .png file.

MAKS_1_kasim.apk:

MAKS_anahtarolustur.exe:
- Obfuscated .NET executable. (Obfuscated with .NET Reactor.)
- Original name is: etk_anahtraolustur
- Has various encryption routines.
- Makes use of API such as: RegisterDeviceNotification

MAKS_kurulum.exe:
- Obfuscated .NET executable. (Obfuscated with .NET Reactor.)
- Original name is: etkontrol_kurulum
- Shows the true name of the software: MAKS (MERSİN AKILLI KİLİT SİSTEMİ)
- Appears to be the configuration application to set things up and prepare the system.
- On start, will check to make sure all the expected files included in the zip are present.
- On start, checks if C:\ProgramData\mtaku\etkontrol.exe already exists.
- On start, reads the file: tanim.fatih (Removes the last 2 bytes from the string after reading.)
- On start, reads the file: C:\ProgramData\mtaku\tanim.fatih (Removes the last 2 bytes from the string after reading.)
- Compares the results of the two read files to see if they match. (These are used as passwords.)
- Has various functions to write things to the registry.
- When the user attempts to install, the application does a lot of things to prepare the system for 'infection'.
- Writes to registry: HKEY_CURRENT_USER\tereg - arkaplan - a (Depending on settings.)
- Writes to registry: HKEY_CURRENT_USER\tereg - arkaplan - b (Depending on settings.)
- Ensures folder is created: C:\Windows\akc\
- Tries to start process: cacls.exe with params: C:\\Windows\\akc / t /e /c /p everyone:f
- Copies file: applist.fatih to C:\Windows\akc\dendshiougdsgljsdbgkhsdgk
- Copies file: t to C:\Windows\akc\deffnlakgnalkjdnglknd (If Windows 10 is used.)
- Copies file: tt to C:\Windows\akc\deffnlakgnalkjdnglknd (If Windows 10 is not used.)
- Copies file: MessagingToolkit.QRCode.dll to C:\Windows\akc\aylgifakhfgsdysg
- Copies file: tanim.fatih to C:\Windows\akc\tfflkdsjglksdnglsdn
- Copies file: weblist.fatih to C:\Windows\akc\derkhgkdshgksdhgksdh
- Copies file: f to C:\Windows\akc\strsdf
- Copies file: f to C:\Windows\winload.exe
- Copies file: e to C:\Windows\userinit.exe
- Copies file: i to C:\Windows\winstart.exe
- Copies file: i to C:\Windows\akc\strsdf
- Ensures folder is created: C:\ProgramData\mtaku\
- Tries to start process: cacls.exe with params: C:\\ProgramData\\mtaku / t /e /c /p everyone:f
- Copies file: applist.fatih to C:\ProgramData\mtaku\applist.fatih
- Copies file: t to C:\ProgramData\mtaku\etkontrol.exe (If Windows 10 is used.)
- Copies file: tt to C:\ProgramData\mtaku\etkontrol.exe (If Windows 10 is not used.)
- Copies file: MessagingToolkit.QRCode.dll to C:\ProgramData\mtaku\MessagingToolkit.QRCode.dll
- Copies file: tanim.fatih to C:\ProgramData\mtaku\tanim.fatih
- Copies file: weblist.fatih to C:\ProgramData\mtaku\weblist.fatih
- Writes to registry: HKEY_CURRENT_USER\defne - deniz - deniz
- Creates a .NET executable configuration file: C:\ProgramData\mtaku\etkontrol.exe.config with the following:

Code:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="mersinSoap" closeTimeout="15:01:00" openTimeout="15:02:00" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" receiveTimeout="15:10:00" sendTimeout="15:02:00" />
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://silifke.meb.gov.tr/infografik/mersin.asmx"
                      binding="basicHttpBinding" bindingConfiguration="mersinSoap"
                      contract="webservis.mersinSoap" name="mersinSoap" />
        </client>
    </system.serviceModel>
</configuration>


- Tries to start process: cacls.exe with params: C:\\ProgramData\\mtaku\\ / t /e /c /p everyone:f
- Writes to registry: HKEY_CURRENT_USER\tereg - player - evet
- Writes to registry: HKEY_CURRENT_USER\tereg - player - hayir
- Tries to start process: regedit.exe with params: ayar.reg
- Tries to start process: C:\Windows\winstart.exe

MessagingToolkit.QRCode.dll:
- Appears to be the legit Twit88 MessagingToolkit module, used to read/scan QR codes.

t:
- Renamed .NET application that is really named 'etkontrol'.
- Obfuscated .NET executable. (Obfuscated with .NET Reactor.)
- Used for Windows 10 systems.

tanim.fatih:
- Base64 encoded and encrypted file.
- Appears to be used for a password.

tt:
- Renamed .NET application that is really named 'etkontrol'.
- Obfuscated .NET executable. (Obfuscated with .NET Reactor.)
- Used for Windows 7/8 systems.

weblist.fatih:
- Base64 encoded and encrypted file.


Each of the obfuscated exes does too much to want to list it all out. Basic gist is they are basically the same garbage as malware.

The included password that is held inside of tanim.fatih is: mrsnfth4233

As for bypassing it, basically just having that file and being able to decrypt it will get you the password. Otherwise, just undo all the garbage it self-installs by using the disk in another machine and removing all the junk, since it's just dropping files into publicly accessible folders if the disk is on another machine. (You can also live boot into a Linux distro and just remove the files as needed to disable the 'protection'.)

This overall acts like malware though and also opens the system up to being exploitable very easily. It disables UAC, allows ANYTHING to run as admin, and also listens for web requests to execute things.

This is not a safe piece of software I'd recommend anyone use/touch.

_________________
My personal site: http://atom0s.com
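One way to do the offline cleanup atom0s describes (mount the disk in another machine, or live-boot Linux, and delete what the installer dropped), as an added example that is not from the thread: a Python triage script that looks for the file paths listed in the post under a mounted volume root, reports them, and only deletes on request. The sample volume it builds is constructed for demonstration; the registry values the post mentions are not on disk and are out of scope here.

```python
import tempfile
from pathlib import Path

# Files the installer and its helpers drop, as listed in the post, relative to the
# Windows volume root. The winload.exe/userinit.exe copies sit directly in Windows\,
# not in System32 where the legitimate binaries live, so only those paths are checked.
DROPPED_FILES = (
    [f"Windows/{n}" for n in ("winload.exe", "userinit.exe", "winstart.exe")]
    + [f"Windows/akc/{n}" for n in (
        "strsdf", "dendshiougdsgljsdbgkhsdgk", "deffnlakgnalkjdnglknd",
        "aylgifakhfgsdysg", "tfflkdsjglksdnglsdn", "derkhgkdshgksdhgksdh")]
    + [f"ProgramData/mtaku/{n}" for n in (
        "etkontrol.exe", "etkontrol.exe.config", "applist.fatih", "tanim.fatih",
        "weblist.fatih", "kontrol.txt", "MessagingToolkit.QRCode.dll")]
)
DROPPED_DIRS = ("Windows/akc", "ProgramData/mtaku")

def _resolve(root, rel):
    """Case-insensitive lookup of rel under root (an NTFS volume mounted on Linux keeps case)."""
    cur = Path(root)
    for part in rel.split("/"):
        children = cur.iterdir() if cur is not None and cur.is_dir() else ()
        cur = next((c for c in children if c.name.lower() == part.lower()), None)
    return cur

def find_artifacts(root):
    """Dropped files (relative paths) present under the mounted volume root."""
    return sorted(rel for rel in DROPPED_FILES if _resolve(root, rel) is not None)

def remove_artifacts(root, dry_run=True):
    """Delete the found files, then the dropper folders if empty; returns what was removed.
    Registry persistence (HKCU\\tereg, HKCU\\defne, the Run entries) needs separate cleanup."""
    removed = find_artifacts(root)
    if not dry_run:
        for rel in removed:
            _resolve(root, rel).unlink()
        for d in DROPPED_DIRS:
            p = _resolve(root, d)
            if p is not None and p.is_dir() and not any(p.iterdir()):
                p.rmdir()
    return removed

def build_sample_volume():
    """Constructed sample: three dropped files plus the legitimate System32\\winload.exe,
    which must be left untouched. Contents are placeholders, not the real binaries."""
    root = Path(tempfile.mkdtemp())
    for rel in ("Windows/winload.exe", "Windows/akc/strsdf",
                "ProgramData/mtaku/etkontrol.exe", "Windows/System32/winload.exe"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"MZ")
    return root
```

Run `remove_artifacts(mount_root)` first in its default dry-run mode to review the list before passing `dry_run=False`.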


PostPosted: Wed Dec 29, 2021 7:34 am 

Joined: Fri Aug 08, 2014 6:24 am
Posts: 22
Very nice job analyzing this, atom0s.


PostPosted: Wed Dec 29, 2021 12:40 pm 

Joined: Tue Sep 14, 2021 12:25 am
Posts: 34
atom0s wrote:
Each of the obfuscated exes does too much to want to list it all out. Basic gist is they are basically the same garbage as malware.

The included password that is held inside of tanim.fatih is: mrsnfth4233

As for bypassing it, basically just having that file and being able to decrypt it will get you the password. Otherwise, just undo all the garbage it self-installs by using the disk in another machine and removing all the junk, since it's just dropping files into publicly accessible folders if the disk is on another machine. (You can also live boot into a Linux distro and just remove the files as needed to disable the 'protection'.)

This overall acts like malware though and also opens the system up to being exploitable very easily. It disables UAC, allows ANYTHING to run as admin, and also listens for web requests to execute things.

This is not a safe piece of software I'd recommend anyone use/touch.


Thanks for the info!

