A forum for reverse engineering, OS internals and malware analysis 

Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

 #25714  by EP_X0FF
 Wed Apr 22, 2015 9:27 am
Old 2010 year rootkit version with UAC bypass in dropper (IFileOperation -> CRYPTSP.DLL/CRYPTBASE.DLL, sysprep.exe and runas in the loop). For historical purposes.

https://www.virustotal.com/en/file/d456 ... 429694621/

MD5 d303f53877b77330fe40d0e0bdef80a0
SHA1 3d3e7031c21d254cef0b8676719f1ac35857580b
SHA256 d4569c33414f06689fc3294a39ca3d98b1f577aec2c3374b5ab6b7c18afabb24
Attachments
pass: infected
(236.64 KiB) Downloaded 69 times

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

 #27706  by EP_X0FF
 Thu Jan 21, 2016 4:51 am
While looking for fresh dropper I found this old(2013) rootkit(2012 variant) version, where you can find combination of cabinet and aplib usage (this should version from April 2013). As you remember sirefef dropped cab usage in the end of 2013 moving to aplib for packing it internal components. In attach you will find dropper (which uses self debugging for decryption), final stage dropper (MSCF inside)

MD5 13f332819853fea68751c27bcb3a3554
SHA1 c72781eb621a372e35ae0d5bf0e8eb9df288b94c
SHA256 a08584146f61cc32cf0107b32503df066fb17ed9e158f810aafaecf5dca20e66
https://www.virustotal.com/en/file/a085 ... /analysis/
Attachments
pass: infected
(469.66 KiB) Downloaded 74 times
  • 1
  • 34
  • 35
  • 36
  • 37
  • 38
 Return to “Malware”