Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.
dumb110
Posts: 111
Joined: Tue Jun 05, 2012 1:29 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by dumb110 » Wed Jul 03, 2013 12:03 pm

Microsoft_Office_2010_keygen_by_ViKiNG.exe
https://www.virustotal.com/en/file/fe8a ... 372852561/

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Sun Jul 07, 2013 12:49 pm

dumb110 wrote: Microsoft_Office_2010_keygen_by_ViKiNG.exe
https://www.virustotal.com/en/file/fe8a ... 372852561/
Rootkit version is equal to http://www.kernelmode.info/forum/viewto ... 857#p19857.
Posts moved.
Ring0 - the source of inspiration

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Post by Win32:Virut » Mon Jul 08, 2013 3:01 pm

3 samples

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Wed Apr 22, 2015 9:27 am

Old 2010 rootkit version with UAC bypass in the dropper (IFileOperation -> CRYPTSP.DLL/CRYPTBASE.DLL, sysprep.exe and runas in a loop). For historical purposes.

https://www.virustotal.com/en/file/d456 ... 429694621/

MD5 d303f53877b77330fe40d0e0bdef80a0
SHA1 3d3e7031c21d254cef0b8676719f1ac35857580b
SHA256 d4569c33414f06689fc3294a39ca3d98b1f577aec2c3374b5ab6b7c18afabb24
Ring0 - the source of inspiration

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Thu Jan 21, 2016 4:51 am

While looking for a fresh dropper I found this old (2013) rootkit (2012 variant) version, where you can find a combination of cabinet and aplib usage (this should be a version from April 2013). As you remember, Sirefef dropped cab usage at the end of 2013, moving to aplib for packing its internal components. In the attachment you will find the dropper (which uses self-debugging for decryption) and the final-stage dropper (MSCF inside).

MD5 13f332819853fea68751c27bcb3a3554
SHA1 c72781eb621a372e35ae0d5bf0e8eb9df288b94c
SHA256 a08584146f61cc32cf0107b32503df066fb17ed9e158f810aafaecf5dca20e66
https://www.virustotal.com/en/file/a085 ... /analysis/
Ring0 - the source of inspiration
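A triage helper for the "MSCF inside" final-stage dropper described in the post above. This is added example code, not from the post or the forum: it scans a byte string (a constructed sample here, a dropper image in practice) for embedded cabinet CFHEADER structures, validates the header fields so a stray "MSCF" string is not reported, and flags cabinets whose declared size runs past the end of the data.

```python
import struct

# CFHEADER layout from the MS-CAB specification: "MSCF", reserved1, cbCabinet,
# reserved2, coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles,
# flags, setID, iCabinet (36 bytes, little-endian).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")

def parse_cfheader(blob, offset):
    """Parse a CFHEADER at `offset`; return a dict, or None if it is not plausible."""
    if blob[offset:offset + 4] != b"MSCF" or len(blob) - offset < CFHEADER.size:
        return None
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, v_minor, v_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(blob, offset)
    # Sanity checks that separate a real embedded cabinet from a chance "MSCF" string:
    # cabinet format version is 1.3, and the CFFILE table must lie inside the cabinet.
    if (v_major, v_minor) != (1, 3) or c_files == 0 or coff_files >= cb_cabinet:
        return None
    return {"offset": offset, "cb_cabinet": cb_cabinet, "coff_files": coff_files,
            "folders": c_folders, "files": c_files, "flags": flags,
            "truncated": offset + cb_cabinet > len(blob)}

def find_embedded_cabs(blob):
    """Locate every plausible CFHEADER inside an arbitrary byte string."""
    found, pos = [], blob.find(b"MSCF")
    while pos != -1:
        hdr = parse_cfheader(blob, pos)
        if hdr:
            found.append(hdr)
        pos = blob.find(b"MSCF", pos + 1)
    return found

# Constructed sample (not a real dropper): 64 bytes of filler, then a minimal
# CFHEADER announcing a 120-byte cabinet with 1 folder and 2 files, padded so the
# cabinet body is present, followed by a stray "MSCF" that must be rejected.
_header = CFHEADER.pack(b"MSCF", 0, 120, 0, 44, 0, 3, 1, 1, 2, 0, 0x1234, 0)
SAMPLE = b"\x90" * 64 + _header + b"\x00" * (120 - CFHEADER.size) + b"MSCF\x00\x00"

if __name__ == "__main__":
    for cab in find_embedded_cabs(SAMPLE):
        print(cab)
```

Once a header is confirmed, the cabinet can be carved out with `blob[offset:offset + cb_cabinet]` and handed to a normal cab extractor for the next stage.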
