Fake BSOD Delivered by Malicious Python Script
I found a Python script that implements a funny anti-analysis trick. The script has a low score on VT (4/59) (SHA256:d716c2edbcdb76c6a6d31b21f154fee7e0f8613617078b69da69c8f4867c9534)[1]. This sample attracted my attention because it uses the tkinter[2] library, Python's standard toolkit for graphical user interfaces (GUIs). It provides the building blocks for windows, dialogs, buttons, labels, text fields and other interactive elements, so developers can build desktop applications with a visual interface in Python. Most Python scripts are intended to be executed from a command line. That's why I consider the use of this library a good indicator of suspicious behavior (it does not mean that all Python scripts using this library are malicious!).
While reviewing the script, a variable contains an interesting piece of text:
info = "\nA problem has been detected and windows has been shut down to prevent damage\nto your computer ... (removed) ..."
The interesting piece of code is here:
import tkinter as tk

# "Example" is a class defined earlier in the script (not shown here); it draws the fake error text on the root window.
root = tk.Tk()
root.configure(background="dark blue")
ex = Example(root)
w, h = root.winfo_screenwidth(), root.winfo_screenheight()  # full screen resolution
root.overrideredirect(1)                                     # no window manager decorations (title bar, close/resize buttons)
root.geometry("%dx%d+0+0" % (w, h))                          # size the window to the whole screen, at the top-left corner
root.wm_attributes("-topmost", 1)                            # keep the window above all others
root.mainloop()
The attribute "-topmost" set to "1" or "TRUE" makes the window stay on top of all other windows. overrideredirect(1) asks the window manager not to decorate the window, so there is no title bar with close, minimize or resize controls, and the geometry call sizes the window to the full screen resolution returned by winfo_screenwidth() and winfo_screenheight(), positioned at the top-left corner ("+0+0"). The result is an undecorated, always-on-top window that covers the whole desktop. When the script is executed, you will get this screen:
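The combination described above (tkinter import, overrideredirect(1), a "-topmost" attribute, a geometry built from the screen size, and a BSOD-like string) is easy to hunt for statically, without ever running the script. The following triage helper is an added example and not code from the diary or from the malicious sample: it parses a script with Python's `ast` module and reports which of those indicators are present. The two embedded scripts are constructed test inputs; the `Example` class in the first one is a stand-in for the class the sample defines, whose body the diary does not show.

```python
"""Static triage of Python scripts for the full-screen "fake BSOD" tkinter pattern.

Added example (not the diary's code). It walks the AST of a script and flags:
  - an import of tkinter,
  - overrideredirect(1) / overrideredirect(True),
  - wm_attributes("-topmost", 1) or attributes("-topmost", 1),
  - a geometry() call in a script that also queries winfo_screenwidth()/winfo_screenheight(),
  - a string constant that looks like the Windows stop-error text.
"""
import ast
from typing import Dict, Tuple

# Fragments of the classic Windows stop-error message (compared case-insensitively).
BSOD_MARKERS = ("a problem has been detected", "windows has been shut down")


def _is_truthy_literal(node: ast.AST) -> bool:
    """True for literal arguments such as 1, True or "TRUE"."""
    if isinstance(node, ast.Constant):
        if isinstance(node.value, str):
            return node.value.strip().upper() in ("1", "TRUE", "YES")
        return bool(node.value)
    return False


def _method_name(call: ast.Call) -> str:
    """Return the attribute name of a method call like root.geometry(...), else ""."""
    return call.func.attr if isinstance(call.func, ast.Attribute) else ""


def find_fake_bsod_indicators(source: str) -> Dict[str, bool]:
    """Parse `source` and return a dict of indicator -> present."""
    tree = ast.parse(source)
    ind = {
        "tkinter_import": False,
        "overrideredirect": False,
        "topmost": False,
        "fullscreen_geometry": False,
        "bsod_text": False,
    }
    geometry_call = False
    uses_screen_size = False

    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [alias.name for alias in node.names]
            if isinstance(node, ast.ImportFrom):
                names.append(node.module or "")
            if any(n.split(".")[0] in ("tkinter", "Tkinter") for n in names):
                ind["tkinter_import"] = True
        elif isinstance(node, ast.Call):
            name = _method_name(node)
            if name == "overrideredirect" and node.args and _is_truthy_literal(node.args[0]):
                ind["overrideredirect"] = True
            elif name in ("wm_attributes", "attributes") and len(node.args) >= 2:
                first = node.args[0]
                if isinstance(first, ast.Constant) and first.value == "-topmost" \
                        and _is_truthy_literal(node.args[1]):
                    ind["topmost"] = True
            elif name in ("winfo_screenwidth", "winfo_screenheight"):
                uses_screen_size = True
            elif name == "geometry":
                geometry_call = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(m in node.value.lower() for m in BSOD_MARKERS):
                ind["bsod_text"] = True

    # ast.walk is breadth-first, so combine the two geometry-related flags after the walk.
    ind["fullscreen_geometry"] = geometry_call and uses_screen_size
    return ind


def triage(source: str) -> Tuple[int, Dict[str, bool]]:
    """Return (number of indicators present, indicator dict)."""
    ind = find_fake_bsod_indicators(source)
    return sum(ind.values()), ind


# Constructed test input modelled on the diary's snippet; the Example class body is a stand-in.
SAMPLE_FAKE_BSOD = r'''
import tkinter as tk

info = "\nA problem has been detected and windows has been shut down to prevent damage\nto your computer"

class Example(tk.Frame):
    def __init__(self, master):
        super().__init__(master)
        tk.Label(master, text=info, fg="white", bg="dark blue").pack()

root = tk.Tk()
root.configure(background="dark blue")
ex = Example(root)
w, h = root.winfo_screenwidth(), root.winfo_screenheight()
root.overrideredirect(1)
root.geometry("%dx%d+0+0" % (w, h))
root.wm_attributes("-topmost", 1)
root.mainloop()
'''

# Constructed benign tkinter script: a normal, closable window.
SAMPLE_BENIGN_GUI = r'''
import tkinter as tk
root = tk.Tk()
root.title("Notes")
root.geometry("400x300")
tk.Button(root, text="Quit", command=root.destroy).pack()
root.mainloop()
'''

if __name__ == "__main__":
    for label, src in (("fake BSOD", SAMPLE_FAKE_BSOD), ("benign GUI", SAMPLE_BENIGN_GUI)):
        score, ind = triage(src)
        print(f"{label}: {score}/5 indicators -> {ind}")
```

The constructed fake-BSOD script hits all five indicators, while the benign window scores only the tkinter import: a geometry() call on its own is normal GUI code, so it is only counted when the script also queries the screen size. Because this is purely static, it also works on scripts that refuse to run outside the victim's environment; obfuscated or dynamically built calls (getattr, exec) would of course need a different approach.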
To be honest, that's not the best BSOD ("Blue Screen of Death") that I saw... but it's a nice trick to annoy the victim or slow down (a bit) the analysis of the file. The window is purely cosmetic: terminating the Python process from another session or from the sandbox controller makes it disappear, and static analysis of the script is not affected at all.
[1] https://www.virustotal.com/gui/file/d716c2edbcdb76c6a6d31b21f154fee7e0f8613617078b69da69c8f4867c9534/detection
[2] https://docs.python.org/3/library/tkinter.html
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant