'Demo' video made by QunneD to present the product:
The builder is custom-packed, coded in Delphi, and has a size of 2,64 Mb.
Splash screen and license check of Winlock Builder v1.30:
serial.p acts as both a license file and an ini file. The Timer3OnTimer function is the core component of the license check: it checks and parses the file, and enables or disables features depending on the license data.
How the winlock works now:
The idea here is in the same style as the old 'homoblocker ransomware'.
build.exe (97,5 Kb without upx) is a ransom loader.
It calls the gate
Drops the payload 'MineFile' stored in a resource
Creates a .bat file to reboot the computer (also from a resource)
Copies the payload to:
C:\Documents and Settings\Administrateur\Local Settings\Application Data\WL Pro\swap32.exe
Creates a startup regkey for the payload:
Launches the reboot procedure
The payload, swap32.exe (51,5 Kb), is more basic: it just checks for newly created processes, and if "taskmgr.exe" or "explorer.exe" is detected, it kills them.
It calls the gate again if the serial is good, but this time to say it's clean now.
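The loader and payload behaviour described above leaves observable traces: an executable dropped under the user profile, a startup value pointing at it, and taskmgr.exe/explorer.exe processes that die right after starting. The Python sketch below is an added example, not part of the original analysis; the event schema, the sample events, the Run key used as the startup location and the thresholds are all assumptions.

```python
# Added detection sketch. The event schema and sample events are constructed,
# not captured from an infected host.
from collections import Counter

WATCHED = {"taskmgr.exe", "explorer.exe"}            # processes the payload kills
USER_DIRS = ("\\application data\\", "\\appdata\\")  # user-writable drop locations

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def persisted_drops(events):
    """Executables written under a user profile, then set as an autorun value."""
    dropped, hits = set(), []
    for e in events:
        path = e.get("path", "").lower()
        if (e["type"] == "file_create" and path.endswith(".exe")
                and any(d in path for d in USER_DIRS)):
            dropped.add(path)
        elif e["type"] == "registry_set" and e["data"].strip('"').lower() in dropped:
            hits.append((e["key"], e["data"]))
    return hits

def short_lived_shell(events, max_life=2.0, min_hits=3):
    """Watched processes that repeatedly exit within max_life seconds of starting."""
    started, killed = {}, Counter()
    for e in events:
        if e["type"] == "process_create" and basename(e["image"]) in WATCHED:
            started[e["pid"]] = (basename(e["image"]), e["ts"])
        elif e["type"] == "process_exit" and e["pid"] in started:
            name, t0 = started.pop(e["pid"])
            if e["ts"] - t0 <= max_life:
                killed[name] += 1
    return {n: c for n, c in killed.items() if c >= min_hits}

# Drop path as given in the analysis; everything else below is constructed.
DROP = (r"C:\Documents and Settings\Administrateur\Local Settings"
        r"\Application Data\WL Pro\swap32.exe")
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\swap32"  # assumed key
SAMPLE = [
    {"type": "file_create", "ts": 0.0, "path": DROP},
    {"type": "registry_set", "ts": 0.4, "key": RUN_VALUE, "data": DROP},
    {"type": "process_create", "ts": 90.0, "pid": 950,
     "image": r"C:\WINDOWS\system32\taskmgr.exe"},
    {"type": "process_exit", "ts": 90.2, "pid": 950},
]
for i in range(3):  # explorer.exe started three times, gone within 0.3 s each time
    SAMPLE.append({"type": "process_create", "ts": 60.0 + 5 * i, "pid": 900 + i,
                   "image": r"C:\WINDOWS\explorer.exe"})
    SAMPLE.append({"type": "process_exit", "ts": 60.3 + 5 * i, "pid": 900 + i})
```

Either signal alone is noisy (installers write autorun values, shells crash); correlating both on the same host within a short window is what makes the pattern distinctive.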
Infected computer monitoring (this winlock is interesting for that)