A forum for reverse engineering, OS internals and malware analysis 

 #18862  by EP_X0FF
 Sun Apr 07, 2013 8:27 am
Two more fresh, very badly detected Sirefef droppers.

SHA256: 5692fc972b404a16f19c6005b84acdac346ffcf5d5c1d1a43078de6f23c17f6a
SHA1: e6439a29f68ce223260d88a9f35f6020d1f1c32b
MD5: 5086976a8eb0d5882f3b371cac63a32c

https://www.virustotal.com/en/file/5692 ... /analysis/


SHA256: 8f4f8ca94f683b4afe4f1003935933805ee6b35ea5aaf096724a58d37860952a
SHA1: 57277efd314feafb3ba7d201fe5621cc9f11a002
MD5: b58ba64a7da9ce7bb9a902fdd250dc7d

https://www.virustotal.com/en/file/8f4f ... /analysis/

Payload equal to http://www.kernelmode.info/forum/viewto ... 553#p18553

Currently distributed from sofitesnuvo.com and its alias funnysmallcats.com (both at IP address 63.90.228.28) as an exploit kit payload. The droppers' obfuscation update period is a few hours.
Attachments
pass: infected
 #18877  by Mosh
 Tue Apr 09, 2013 7:56 am
Hello

I found this today on kandlfashions.com IP: 69.167.158.129

MD5: d6705e1227be5e8b86284832d1354ec6
SHA256: b7eacc1f699634a86e898fec11f884240045ba7f83c84d605d1d4009802dbb49
SHA1: 9ea296afcd65c3c6bebcc9c3873e84e59b00b465

https://www.virustotal.com/en/file/b7ea ... /analysis/
Attachments
infected
 #18899  by EP_X0FF
 Thu Apr 11, 2013 3:19 am
4 fresh badly detected droppers + 2 updated payload DLLs.

SHA1 for droppers
00816b5827cdacbc10e389ad8269d34e63007caf
2584b04d94276d71f564dc15ec8741e13c1fde04
68749dace21d1ab94652183c0fe3d9af495c6432
8b2b09e9e43444b806ff46f05cd284e8064fafe7

80000032 (Compiled 2 April 2013)

SHA256: dc0a4e48381ffdb29df55bc5ec21c4ebab7e5eefd7ae30375f08fdc7174a8707
SHA1: e1ff5639c0999ceecb56762d1e6fe91aeff28deb
MD5: c5d155ca36300b4149160268334fa927

https://www.virustotal.com/en/file/dc0a ... /analysis/

80000064 (Compiled 2 April 2013)

SHA256: 69df077ecc0a8d788ad24addc8297fc6df842e3a3cfc019b174077166cbf615a
SHA1: 90b5be8eefc2d321a981ae71abb57a9d7140d666
MD5: f5cfa396bc18b5cd92b95cae77327add

https://www.virustotal.com/en/file/69df ... /analysis/
Attachments
pass: infected
 #18906  by EP_X0FF
 Fri Apr 12, 2013 4:54 am
Bitcoin miner (00000008.@) and updated 80000032.@ in the attachment.

Dropper that downloads this:

SHA256: db34bc69c73aa1abd2e8589113a8285642d51440b65a5e90baa566183e1bfbb2
SHA1: c46a04c1d1ecc92f4b3fd09b94c9bf2239614d24
MD5: f89d25a4e9eeff169056ec842323cb34

https://www.virustotal.com/en/file/db34 ... /analysis/

All in the attachment.
Attachments
pass: infected
 #18984  by EP_X0FF
 Wed Apr 17, 2013 4:16 pm
Attached updated 800000cb dll (build 15/04/2013)

SHA256: 210004115454ce52ea84f8b69a1541eb61e3f2f2e6ec98c9dff3a270db88365b
SHA1: 9cc50a16ecd12ec425a90cb2f26ef3d257a8fce1
MD5: 4730cf8bbaa1837597938ae220b5016e

https://www.virustotal.com/en/file/2100 ... /analysis/

and z00clicker v3 extracted from it (also 15/04/2013).

SHA256: 054284d56ee185381e04a145b6cb494af24ad92f4b1339f0f65beefbc87eeb01
SHA1: eb18ad19bfedfc4f8b13ea1d1c46c493eac98bf9
MD5: ba7099870cc7b5e7c807a6200ec7dc31

https://www.virustotal.com/en/file/0542 ... /analysis/

Version with cut-off loader shellcode:

https://www.virustotal.com/en/file/f55c ... 366215284/
Attachments
pass: infected
 #18985  by EP_X0FF
 Wed Apr 17, 2013 4:36 pm
215 Sirefef binaries, some fresh pulled from Blackhole, some 1-X weeks old. Pack covers almost all Sirefef affiliates.

Multipart archive, pass: infected

SHA1
a3957b8333d42c64ae7e69b5d23dd8eddc1a1855
cee674da59d48ad494655b72af42d9eecc192e12
43ed3e28cdd71572a26f399b0d58dafa30c1dbb7
26dfe80cf98c6a630f244b47e14ddc3342c18264
9151e2355442ff546445af927500fac4a5a7db00
9a6aaad8175f5ffd0101c7c8cba8bd0c39ca0343
4edb76c3d6551a6d9ccc3901917457a4dcb13506
8ca9a1ba0e84bede9a4f7444736f70df9b6cd5f3
7c72c470643ebbc84e003ada6efb256aa5d474c8
97834a6b4e4710aa58d452f1731ec31e99780d7c
c49baf2bbb62c66f9db22366a1244cb9148be158
f6934105bb507b25c905d139217fdf194b6accbf
266384c36ef25fa754d97b5552a94941b936d57a
2608ba3aaf4d0bca1ce595b1691d77f8a5987419
82dcf5b1421b4a1b3645e4e874542ff96d5bdbbb
9cfb9e50fb62a505417420b0229fa629b43a8c44
2a1543bedb46f4b81e8f40b94a9f2f2fab38c625
a5ead953c5f58cebf00f7ac8f7c3974f7480de5a
7cc54272c6381d3b41a17362a20400b02357aaaf
b643345d7aa0eb6ad398ac72fffb3f3d9c3a3189
3f4c110892d7ee128e51898906925d30b008381e
e1623715541c40e7f0993b5b1c81051b312205cb
514897654da68b56784212d311f389cfa8a68fd3
2b9e1f81ccf1cfd1ec64f9ba275a2bd929be5855
53e19de0ea7782636d340e64c2398d4a605f2691
90f62d274a12961ea499c35599d54093107cf157
1abf6006539b52fb383ef2240976c78cb05d8019
e10ed6461fd5dc2e549e84667428f5e851f5a8be
cde793d9ec17ddc3674d5de077809e1ee55f9ab6
bd074774fcf4afcfbb237731bd2777204c287abe
43b741f816b7bbbf6a1fc5153d07ab2def986c82
aa7799d5db65043a4d1e830bd5f6fbcafdb84a25
6f24468318a06f65b133a92e012516df8b1a6847
127063eedb5cb2d48eff0d6a50c57aa177ef08ac
39fec6ab99231064fe887f017f98af623711d8d2
d9ef2f14e27d1722bf808567f7973d17add53836
454579a460bc8f36a1ba8c943dcf207df5567806
3d40b0e4d6be6fd7644bb8142ae5276cc033fb9f
23ef8633f22806d1d2b2ec55dd880d4b2055e88a
2a482ad1ebbaf39a8eb55430716da04d226fcd81
4b15e198d72029ecb1067dfbb99bc0ebda1ac64f
89351fa43f866f26f87120abb67621b1446a9276
c6b75b3bdf9b2c6a053188926ed22dbf1a82f01d
3f1f2c798fd1530f985f99100cf95b9326580f96
dd7f6c156058f7c27c3d25cd7018286dd39ca501
3673e9bde373366f09dcfbc0e72b31c1255aaef2
0a8448b7937e57ba7570ec3e9b8e31c0949f6ec0
a13644983d5ae24a0fa3cf49be3ebaf1299d021b
c2e4d6935e82c0e852e39ee2c59311e55946a6ed
4370b1c34a13abedd17f773193caa09b9801381b
2e48bbda361d0439087d4449a7f227241d66830c
099ad4326c05f74bf0c393399d6e5b6b421bc0cb
bc82ff801050138c486f3caaa25366997739ccf8
21c616757f0d8fbaf02762713570ad4c7a77e8b1
bf214176ebe2afdd31e00a93aeedc72f0fc90255
bc4f4d665f7b42797c2fca37676c5f90385df642
03c9d1a204dc1e11ff19927118b739abbefe1a5d
97e03eda387ec9fc6c3770d8b28f60d46d337be2
c496b99f9983280bdbdaf6edb43c09cead349a45
3b3a4da1f89617587442bd50d211e29da1a1a737
fa306ea49681d01ba583265f61a20c5eb05d683e
5bedc4d6280644048c05a2712af6a0c7926ec5a1
681bb16ad922c9ededd1161afdefe8660e81900c
5d9d3784952bafd2b983bdf0c881b5a583a2c0b7
a6a9cb243779886a44355bdfd72f99f65646e8f4
59a080fbdbcb01b1e5b9e44e95d16839219894bb
f7fee5bb0c86439143938c530305c695a7f43505
6925bd0d9ff529232652ef78a5ccdc2725a3b06b
1b71b8a6efd7d26bc1acb1f6549051feafb145b4
47c76fb976c1b8d9520a2065e8805952cf02f497
4ceed39afc72e9df98d3f9252feb52bf75ae7ba0
362178113f6e95362c1627e639c3ca7f000b1e02
bd7e6b5d2758982a0a368ea965072627de4e717e
a6176e5ba453631e7500feb7b15ee44da93245c4
87b3894668b8f0c7c79bb8c517177d600dc43581
85591069889cd69be8b98105675079b89139729f
c80fc29fa77319299c620466d1dd310fb704fa04
50bf58bb2a468acaf47d1c218550fe953c6fad21
bd6fbd64168d517a56925e880f8d1b7fcc3a4118
8b7b6490c45783e01bfa6601231753ac7a189d53
53f4378ab42abf14927754af23771aadc5a630d5
c6f7fdb544348564f3ee5c567d8dbe07157c973f
a27a41b1c7c029983a32b727c341b6333c66dedf
75e8d1b48b5aa51b3b97f7d1a339898d86f25a4f
e25fd0269195485325483cdba140df9d8c896efc
0ea4dc45e4789901591280f19fd1179b9ead6f88
341ab64adb41d039ea435565e52daee87a59eed3
256aa183b33533c6559b8416ceb4023698f58e04
93d6b86b1d21ca2c05e6662ee9b887af1a2b2bb4
53dc222b384d950c96932733dcf57f9bfb660edb
2498a33243f1ddcc14626c40c8a6f2f42cb19744
232efbf2e13866fbeaf702d39845ad837dd9994a
6c02398845c7c9a4b3e2f5a4be936012df38f1f3
b1df7752750c70993011be4c21d51da5b5366d19
9320c8084096f08b4481624131454ccf0763fa7b
b436d8f0ebe9a1e048ee2ed1b2bd0f83504615d0
ad5fff53907c8b23de71d7a534b0c903b926c01b
ef0ff78eb9bb6afcfe505af72e39609721b83628
ff56e6b3efa3894bf9c05f76d9c213d12536a6c1
0494412fd9bb69028d4dd6249fbc375b75bc6053
f6f57341c496860c853307e2f78a082bb9d1e41e
963bb081d6b5c2fd415ff71d7a06638c127a8196
9ad5eb0e42a3f73530703be5c70e7596cb84666f
8aea6a60f6fdaec77946e1d690f902a62983a8cf
6d0654eca5bd20cad5973b6c32424e5c6deb99c3
537f28ad8362da17f6ffcfa2d8cd8e845f39feb7
ae6c9ed45fd99e7e29125d9856acab538a6cf11c
be1f3c15cebe751a3b9d4466869efa019a8160ac
84bdce402f8765d7dd13d5e930fb722ec387535a
61440b8c69155d46a08721d7b35106e05cfbba29
92721e42e9ac6467b6ed72dab05e415cfdcada7a
c3e5f89dde12805596e5a64215a962d8ffd2056b
cc11bf5603a443f8cebb318365222e61dc2aee24
2e047b9648047e9f687293e36dbf04ddc553e9a4
5f71f6a6f9a194e92f68940fc0976cc3998eed45
5100ee3c7d4de0865d67c2f742d59781cb97a799
f0040be4b22c9eb64b0ccb3712de1d0dff79b3e1
a74f282c36272efc42b5429dc104d24fba9b31ef
043d39c4dddbc75e10987b7550674cf68d85b2f8
24282a6c2ae361a4e96f2e9cbaadb84f465b7c50
2651ed08b1433a8cd5d16853809f0cbf1115c224
76c07ab57193dc522d30a8d1597441c88d9ccc33
1647f93e13f9d3005a48a0e3afb80056f3f75f2e
9fb95a869273bbec71a32274098846ed6a8be6d0
16283451d6b101074f6cc7a775caee6774634af2
5c3788cdb6b8c961bcf99697f5bc17d318317a95
91a904511231f42976a790e4a1c8a4325c2e86b6
a9f32fb13aa8f409b99f731ffe52584bba81546a
08d85623500d2c83981e3cea5c11f11abea036ab
e6f7b37cead98eb5c87084c5a2216c39008368be
d5eaecfe294c02b891d6f6565c603a797bb91b39
3be5f48f393ed32d3e4a21d1324dea6ecad01d85
2f7f9f5bdca603a2c67eeda4fa724306e9422ebe
bfafa3276c530f8bf142399b429ab2a504a88542
db3330b5579a0b03504a315a7860efd7c8c0b18d
38ccade1191fcf7594e40e8a03a461d148c9aaef
88cd28ce4865065f56b75337a05171f2ffe81d00
966ebe3b29ad48b88f08356fd68389b08bd15795
63ad26c3f608ab602b6a6c3616f3abbdd9aad9b7
2c43bef324cdbfb8f4b4f7f71b949a8fbb94e9b9
165519a4a210332e0c231f333dead26603c7a822
bff857660d72ce86457f01824a696f805bed74d4
24f1daaed1f7796f6345d15b6d3d6dbd328864ec
a88a9240d74bb059bcf03d6031e2fbee772eac5e
f0cbdfbf7904d63bd28d6d91962e3b7c23d046c8
29ad30ee21191500f992a58e6395e8fcd7c2c29d
904e0edd1cc118ca6230de364fe8894f12828400
123c650a6c2c2107b42c8980e2beec19c3b3c78d
4b62cd6cd8cd4455be29c65b3495cfdd8aae1edb
b3386e072721ccabf39366e0f05791af8cda6b14
ad4fe1b2b93d22c23a34252316aa2750a6cc0d5b
56504fcc639181c36b538b0dcee0b0c7ffc9ef90
971d0b5403a0c1d96b68dccac926a517175b478f
3a45708bb0b4673f0870db6ba72d71e0e1a0012b
22c8dd7a621b6fb3985296f8389dc0bc4646859d
e02486ded539ed7b3f98456f1b55cd61ff46d439
5f4d09ed5a64ad7d5ef243eba38ad28e8e1ee859
7468fabe1fac5f144cb548e8bdb635e9ecfd3571
7edc1ce981058bd382db927196815f42f4d6ad70
2129a04a471b17f57173d8acb1efeee63a22c2f7
a7506d5d005638d92faf1f48cb4a10c2c356c652
3591eee00331e6d7beb8fb4430de68ebcb9e8333
69c45e14426ad255c19676562c11cc71aa3b19d4
a1ad4f7101f66666eb5b6e109078dbfe72682581
6d4176878d714518448225a1fb61eb3e9a7750e6
9a3ba3b7ccc276ad79135441ef70c8dda69862bc
32a4d51eb85203d346130f8193360d334a7b3dc7
0abab96274935b74ddd7c95165125dae395d31e6
5340c611d7351fd6b911162714b8a03ec1d3aefd
32e0fdbd240497dba716f23a9c39192ba3f075be
471883eec7f188667e731473b3c12b2491698cd8
51956ae6ccdc6f9458f0e152cbe9e876bce474f6
10c207290044c0e3896d4c11ecd5f3812d896b65
2d73887d34106c1a093d55c4f81f97b7f919747e
5223234271da39329083215cadfcf9e0b34f8e55
1b5476e1e7e014a5566cac3b3827120359303490
2d4f28d5711cd2093a02a9709203aca91cde669c
6e71ae4830bb97d2a5ca7719b051991c6ce37b6d
e6b2390c0a3547fec563801b6c9ef95f6e90b57d
d525601c066b1c1eeb0694fd0719b8c307cb46a7
3b6d1db558dc51bb6105e38a0314673725681382
a6174dfcccc26fd88684d5fcb4afdc7ae201f317
353f8ea26e4e08b22fb56df9cb57b86d372cc084
40f884a86079f728a301d2bbf98371aea12b14fd
a6028529dced9a8e7e3250583fe444ef24cb5a0c
54c2fe770a0f88e331837be854ebc2918077bb7f
7f5128fda0f83e3a1b55ab1cf24dadae800b1701
b9bf79db90c54671c103c4be482847e375034b31
2ecdefe504d7d3e12605f1427e9feec90dc09a8c
0758f2e36fb567bc831451529216507835c6a73e
23420fb2a36bf22a2d25a691a9baba98b793acb8
8ab55bda51d66d5bde8b74ec4dd26ed5fc8c9fcb
0d608a5ef336d5bd40732c5d2d680c636fd0d33a
32a3f3e3f01b6a72d93189affa6fc07896ad6384
3c62ccbf09044b404d3eb0206cede81884f90762
4ed508a4bc5a277e58daaa371c3eec6d671e2c2e
94974ae1e627e6a8429971120c4ab31c4cca7351
2710ade41198853592d1f7f0cadd7e05eaba0689
14891346293b3f706aaad78f0a07a8f1986452ca
4f9f1a4e753872524b308ce208bc4e4769d85329
3e9815e02af6f2b7a836767dfa559daeb1d64b18
229a321b23e3d136da651e34d3f38b664159fad1
9509f96051cac88225b06cb00b3eaba45c1e38a1
04ca936ba9d5c5000c6114a4893ed62933397a04
591ab85d4a292c6671a10af4ff7ccba61b20259e
23aa88ec7fe57747e64af54f730f67e725443e76
79efb8130cafc72f95479decdce1b6132aa4fe0b
48bfd1a4fa7ee88516bf6b12158ac57f1dd7435c
1a44eec7a1dce0eb7cd350d56038ad07a823d024
16d2b6e35b3e5b000f453dcc0aa42dbbefee09b0
7630a4e63a0bb4638d6bf8cb545d6856bff8254f
643c19c90d2cfda4bacf997f1f938ce26b75d641
148bb9ce9a57497536f63969056d85e35d5f1fc1
34d526e9ecb45b853d6947a00f32131873cd70ad
4e1a9794d542f733adaefd73428d9659bd1b84d3
Attachments
 #19006  by 0x16/7ton
 Fri Apr 19, 2013 8:43 am
Fresh Sirefef binaries (17.04.2013)
SHA-1
0e676a45a283328ed5a64a09ddd4917545c4480d
11d72307fc07fd7d80ac246857aff578115eb022
3f7f30894e8d5ecc992e1f7324b07de021ccc2e6
7a84b9cfb23c20183f63fac6af6c44459388b75a
87f715cd0734b7b39f42c8024285cf80d1ea5c8c
9b2fb24ae5a0f79bf8163fb9c61d598c75dc984a
b818ad353e5ecf97155b6295345875ce0cd7ea45
ba1f82ab8faf407a56cb35f2714b4e886748a339
c4f512ec0769fc8527ce161d314311a2e69b5a51
d54bae88a28e51bae43ea011e874c855137c81e9
e9de9c7708386bceb8494080ae60bf4c8288381b
f09635e822ae79de007e04609bb979388988dfd2
ff31996ad8219c860ea37bbb21d11f640e1d28ae
Attachments
pass: infected
 #19010  by EP_X0FF
 Fri Apr 19, 2013 9:35 am
As we already discussed with 0x16/7ton, this is a redesigned dropper which uses multistage decryption, including self-debugging, aplib unpacking and the usual CAB in the final stage.
 #19032  by EP_X0FF
 Sun Apr 21, 2013 3:41 pm
44 Sirefef.

SHA1
099f7a4d981057741796ee4ab9840ab617ca4d1b
0d3d88f31481e481fb54086911b3f30258ae16cb
2a7292b031a899d3f71aedd313ff650ff2134898
2b310c1d868dee04c54f021de858fda24d4c9390
2d14251ac738db38f07081a97c4c5bcf45c9d8e1
30f33baa2d3392bb695ec20d0130672f408be4a9
3aa9ab2c6eb546dccbe376290ee7e7470eb25c9d
3eac9832cd985323e031172cd47c1c5f345adea1
3fa9b2e0fc97e344f260b9baf1d7d7a57490b1c7
40e37ed457083a5aaa313b68ccc67e827b335e17
4557b4b8beeb2ef8ff90d6e7d69154ed2350162f
4b433746854bd749be0998da490eb83b82035221
4e6b5deef909888a931654ea26392cbf20134d99
4e79101b4d5c9cb40d688c9243490c15b1b699bd
502981343def27030728b586d8ead6c769906564
52ba7f13ba74161e39c178d08172c52db3529cd6
6b1251dddba36170027721d438f6ecc1862605b8
6d6cf2136825779cc72df3909167e987fbbbdda9
6ecc8c67e3f3c32712b8110c5b26ec80d22eb0cc
73f3156c78565498f0847cce867402e46f8d6100
767b3cb752eec2d055810a1480828014b3cbe3b1
788dd84b66449eeb183b823746b40f3f89b11b01
79edf67e10975be339000166621cdcf497b4d565
7bc66299e984661b70bc8775a08c99065d7e74b5
839cf8a3b9ae41ebaa56b915d0ccdc775e077e38
868b6686922184c7e5bc3f6873f491e138525aa1
8d83b1213996abf43d7ad13e6a9760acf359adb1
9521a741ed90aa991bec42c2da258d72b01bec98
9dc9d35c8c32ab58b05e3fe27ccc62cfa701f402
a20ea8a24bea48de9221a19dc81b43ef5f05d21d
a279353115d886c8b50bce12d8d33838e6e7f227
ac129dac07df84eacf6c6ed9a0884dcf83ab952f
ac75cd600bcf365f10ac02708af35c79893d3437
ae925f040d7ed7149d09b7699f103fb04bf32261
b0ece35eaa735efba1dbca992d6829bdc42a1874
b4435fe8757f00d40a09c3d7be2f5365381d61cf
b46f14ac7fb432a43e0c10c3bc4c994e87f6c7b4
c99035d30543efd036c74d13da38fe22bf550cde
ce008c50fbaefb7e9204b043e3b57269fe84c5ff
d199beb540a16a770d53b3f259e95a5079ff63eb
d9410d9fd1d53100a8807c8a14f37929620d72e9
da0af445ca9fca5a433405e09a8b473a64570466
e7a5035daa589255b1eccc78624666815c09c5eb
f46fdb0812cf37150dc0b57ec35a472efd399fff
Attachments
pass: infected