A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21094  by Mosh
 Mon Oct 07, 2013 2:30 am
SHA256: 9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937
SHA1: d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
MD5: 8df1f6f7cf864df50f02cbab508564b0
Tamaño: 207.0 KB ( 211968 bytes )
Nombre: m.exe
Tipo: Win32 EXE
Etiquetas: peexe
Detecciones: 29 / 45

https://www.virustotal.com/es/file/9dcb ... 380779236/
Attachments
infected
(137.78 KiB) Downloaded 108 times
 #21145  by EP_X0FF
 Thu Oct 10, 2013 12:29 pm
Mosh wrote:SHA256: 9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937
SHA1: d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
MD5: 8df1f6f7cf864df50f02cbab508564b0
Tamaño: 207.0 KB ( 211968 bytes )
Nombre: m.exe
Tipo: Win32 EXE
Etiquetas: peexe
Detecciones: 29 / 45

https://www.virustotal.com/es/file/9dcb ... 380779236/

unixfreaxjp has a lot of info about it.

http://malwaremustdie.blogspot.jp/2013/ ... -dead.html


Extracted components + two updated plugins in attach. Notice that p2p dll's continue to update.
Attachments
pass: infected
(91.21 KiB) Downloaded 85 times
 #21146  by unixfreaxjp
 Thu Oct 10, 2013 1:07 pm
Greetings good friends. Terribly sorry for the late share and post.
Sample of this post: http://malwaremustdie.blogspot.jp/2013/ ... -dead.html
Is attached with the password, I changed all pwd into this one.
Just done last checks, ZA is not even close to reduce in peers quantity, infection vectors, nor domains in distributions..
Symantec should allocate their budget more to real ZA research than promotion of electricity energy. Hence, no hash.
But it has interesting vector that we can use to shut this down, we are start working on it. Pls support!
Be free to join in next botnet OP.
Attachments
password is infectedinfected
(824.23 KiB) Downloaded 111 times
 #21155  by EP_X0FF
 Fri Oct 11, 2013 2:36 am
zs.exe and SpringSvc.exe has nothing to do with ZeroAccess itself. Seems they are 3rd party components here. Both written in CodeGear RAD studio in Delphi language and zs.exe is primitive downloader packed with AsPack, SpringSvc.exe is using TWebBrowser component. All *.tmp files are copies of SpringSvc (must be temporary files created by zs.exe downloader).

unpacked results for both

https://www.virustotal.com/en/file/51b0 ... 381458340/
https://www.virustotal.com/en/file/62f4 ... 381458760/
 #21180  by unixfreaxjp
 Wed Oct 16, 2013 2:42 pm
zs.exe and SpringSvc.exe has nothing to do with ZeroAccess itself
Thank you for the clarification, as per mentioned in bog, Accompanied Trojan A und Trojan B.
The point is the botnet is active on campaign is PoC'ed
With my best respect and regards
  • 1
  • 46
  • 47
  • 48
  • 49
  • 50
  • 56