A forum for reverse engineering, OS internals and malware analysis 
 #22897  by EP_X0FF
 Sun May 18, 2014 3:26 am
thisisu wrote:
AronPX wrote: Does anyone have a new sample of ZA?
Have a PC now with ZA that contains *etadpug service. Is that still the newest variant?
If you mean the "Google"/Desktop service version, I haven't noticed any new ZA droppers. They pushed a click-fraud module in 2014 and nothing more, ZA is still half-dead.
 #23047  by EP_X0FF
 Thu Jun 05, 2014 6:22 am
One of the last available Sirefef droppers just before its takedown. Google/etadplug variant.

MD5 46f004fb9cdd93167dc0ac339d436286
SHA1 d38deb27b0da125881af78b258434ee752a7b5dd
SHA256 8c575bd3c91b7679995e485166606f96b3e51357006344f6b75646afa65aa068
https://www.virustotal.com/en/file/8c57 ... /analysis/

TimeDateStamp of dropper body (after crypter) 04/12/2013 23:16:14

Dropper, decrypted and extracted modules in attach.
pass: infected
 #23576  by EP_X0FF
 Mon Aug 11, 2014 10:36 am
kmd wrote: ZeroAccess Botnet: Is It Preparing Its Next Attack?
http://www.zonealarm.com/blog/2014/06/z ... xt-attack/
Marketing bullshit. Nothing changed since December. It is dying.

The key point of this article:
Being vigilant about what you do online, as well as equipping your PC with updated [url]security software[/url], will help you stay safe online.
where url is hxxp://www.zonealarm.com/security/en-us/computer-security.htm
very fun.
 #27513  by R136a1
 Sun Jan 03, 2016 11:46 am
Hi folks,

I have found a new year present from the ZeroAccess author(s). This fresh variant comes in the form of a dropper which contains the encrypted payload inside a .png file in the resource section.
-> see Zeroaccess_2016 (attached)

Last year around the same time an earlier (unencrypted) sample of this variant appeared in the wild which used a new UAC bypass method. This method was later adopted by H1N1 loader: https://github.com/hfiref0x/UACME/blob/ ... /hybrids.c
-> see Zeroaccess_2014 (attached)

Details will follow soon...
PW: infected
 #27515  by EP_X0FF
 Sun Jan 03, 2016 12:12 pm
No WHITEFLAG :) In attach: lowest level dropper and resources from it (classical Cabinet used instead of Aplib).

Uses NTFS junction and "." in the folder name to protect against removal. Deeper level dropper based on "Google" variant from 2013. Investigation continues :)
pass: infected
 #27517  by EP_X0FF
 Sun Jan 03, 2016 12:47 pm
Components from 944e4fd798a8d74379c5794ee0a9090547bf2da60fa629d458b2247a82d6bedb (dated back December 2014).

Payload (both x64-x86), data files.
pass: infected
 #27520  by EP_X0FF
 Sun Jan 03, 2016 2:49 pm
Brief analysis summary:

1) This variant dates back to 2014. One year after the shutdown, Sirefef already had a new version.
2) Dropper is complicated and multi-staged, as in previous variants.
3) Dropper uses an effective UAC bypass (UACME #14). It doesn't work, however, under Windows 10 TH2 and Redstone builds.
4) No KnownDlls injection - instead it starts itself as a service and injects the kernel dll (k32/k64) into svchost and later into processes with network access (explorer.exe for example).
5) It uses new self-protection methods - hiding its files in a junction-protected folder which is not accessible via the Win32 API.
6) Kernel dlls are masqueraded as comres.dll (Windows Ldr entry hijack) in affected applications.
7) The embedded Windows 8/10 Windows Defender is capable of detecting this malware at runtime and removing it, but I think it is only because this particular sample lacks obfuscation.
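A small detector for the self-protection trick in point 5 (a folder name ending in "." that Win32 path normalisation cannot reach, guarded by an NTFS junction), added here as an example and not code from the thread or from the sample; the listing format (parent, name, attributes, reparse tag) and the entry names are constructed assumptions, while the attribute and reparse-tag constants are the real Windows values.

```python
# Added example, not code from the thread. Flags directory entries that use the
# self-protection tricks described above: a folder whose name ends in "." or " "
# (Win32 path normalisation strips trailing dots and spaces, so ordinary Win32
# calls never reach the real NT name) and NTFS junction reparse points.
# Listing format (parent, name, attributes, reparse_tag) is an assumption.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400         # real Win32 attribute bit
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003     # real reparse tag used by junctions

REASON_TRAILING_DOT = "name ends with '.' or ' ' (unreachable without \\\\?\\ prefix)"
REASON_JUNCTION = "NTFS junction (mount point reparse tag)"


def win32_normalize_component(name: str) -> str:
    """Mimic the relevant part of Win32 path normalisation: trailing dots and
    spaces of a path component are discarded before the filesystem sees it."""
    return name.rstrip(". ")


def is_win32_unreachable(name: str) -> bool:
    r"""True when the raw NT name differs from what Win32 would pass on, i.e.
    the entry is only reachable through the \\?\ prefix or native NT calls."""
    if name in (".", ".."):
        return False
    return win32_normalize_component(name) != name


def is_junction(attributes: int, reparse_tag: int) -> bool:
    return bool(attributes & FILE_ATTRIBUTE_REPARSE_POINT) and reparse_tag == IO_REPARSE_TAG_MOUNT_POINT


def flag_entries(entries):
    r"""Return [(raw_path, [reasons])] for every entry worth a closer look.
    raw_path carries the \\?\ prefix so it can be opened exactly as given."""
    findings = []
    for parent, name, attributes, reparse_tag in entries:
        reasons = []
        if is_win32_unreachable(name):
            reasons.append(REASON_TRAILING_DOT)
        if is_junction(attributes, reparse_tag):
            reasons.append(REASON_JUNCTION)
        if reasons:
            findings.append(("\\\\?\\" + parent + "\\" + name, reasons))
    return findings


# Constructed sample listing (not real indicators): (parent, name, attrs, tag)
SAMPLE_ENTRIES = [
    ("C:\\Windows", "System32", 0x10, 0),
    ("C:\\ProgramData", "hidden.", 0x10, 0),
    ("C:\\ProgramData\\hidden.", "link", 0x410, IO_REPARSE_TAG_MOUNT_POINT),
    ("C:\\Users\\Public", "Documents", 0x10, 0),
]
```

Run `flag_entries(SAMPLE_ENTRIES)` to see the two constructed entries flagged; on a live host the listing would have to come from an API that reports raw names, since a plain Win32 enumeration already hides the difference.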
 #27521  by rinn
 Sun Jan 03, 2016 4:00 pm
NtOpenFile( ... GENERIC_ALL ... ), NtSetInformationFile( ... FileRenameInformation ... ); NtClose; - Shift+Del :) Also closing its handles inside svchost.exe results in a delayed reboot.

Best Regards,