I first saw it in a post on kernelmode, and at the time I only took a quick look at the panel...
Edit a file:
More recently, a friend gave me this link via IRC: androidauthorization.com/bin/disk.exe
Oh... it's more RunPE crap:
Once unpacked, only 15 AVs detect it: https://www.virustotal.com/file/978a996ddf98f7a093fd4b8d693622a3e32486e6d6a93c3b4d672693a7d49cb8/analysis/1353868360/
As winlock?! Let's have a look.
A routine decodes the config strings embedded inside:
Then it resolves the addresses of the functions it needs:
It adds registry persistence under \Run and deletes \SafeBoot (so Safe Mode can't be used to get around the lock):
If the Program Manager window (explorer's desktop) is found, it terminates the process:
It sets its window topmost:
Prepare the landing:
It also calls the gate to find out whether or not it should kill the process:
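A quick triage script for a box hit by this kind of locker, as an added example that is not part of the original post and not code from the kit: it lists every Run-key entry, flags the ones that point into user-writable folders or at an executable that no longer exists on disk, and checks that the SafeBoot\Minimal and SafeBoot\Network keys the sample wipes are still present. It assumes an elevated PowerShell session on the live (or mounted) Windows system; the registry paths are the standard Windows ones, and the "suspicious path" patterns are my own heuristic.

```powershell
# Added triage script (not from the original post or the locker kit).
# Assumes: elevated PowerShell on a live Windows host. The registry
# locations below are the standard ones; the path heuristics are an assumption.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

Write-Host '== Run key entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... noise; skip those
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        $flag  = ''

        # Heuristic 1: launched from a user-writable folder (droppers love these)
        if ($value -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $flag += '  <-- user-writable location'
        }

        # Heuristic 2: the target .exe no longer exists (quarantined / deleted
        # but the persistence entry is still there). Strips surrounding quotes
        # or trailing arguments; unquoted paths containing spaces will not
        # resolve and are reported as missing, so treat that as a hint, not proof.
        $exe = $value -replace '^"([^"]+)".*$', '$1'
        if ($exe -eq $value) { $exe = $value -replace '^(\S+\.exe).*$', '$1' }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $flag += '  <-- target missing'
        }

        Write-Host ('{0}\{1} = {2}{3}' -f $key, $p.Name, $value, $flag)
    }
}

Write-Host '== SafeBoot keys =='
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($sub in 'Minimal', 'Network') {
    $path = Join-Path $safeBoot $sub
    if (Test-Path $path) {
        $n = (Get-ChildItem -Path $path).Count
        Write-Host ('{0}: present ({1} entries)' -f $sub, $n)
    } else {
        # This is exactly what the sample does; without these keys Safe Mode
        # fails to boot, which is the point. Restore them from a clean host's
        # registry export of the same Windows version.
        Write-Host ('{0}: MISSING - Safe Mode will not boot, restore from a clean export' -f $sub)
    }
}
```

Run it from an elevated prompt; if the box is locked, run it from WinRE or against the offline hive with `reg load` and adjust the `HKLM:` paths. The SafeBoot check is the important one: if both subkeys are gone you cannot rely on Safe Mode to clean up, and you need a registry export from a clean machine of the same Windows build to put them back.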
Multi Locker landing editor for this sample:
Oh well, another winlock kit ripped from another winlock kit. I'm not amused to find sale threads and the like; this kit is designed to fail. My connection is painfully slow at the moment, so I'll post the rest of the pictures from the C&C later.