A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13933  by Blaze
 Tue Jun 12, 2012 2:14 pm
EP_X0FF wrote:Not everything with ZeroAccess string is ZeroAccess malware and not every ZeroAccess malware has ZeroAccess string inside.
True, but the certificate was back to normal after formatting the machine .... Thanks for your input, as always.
 #13942  by Tigzy
 Wed Jun 13, 2012 12:06 pm
3. If everything fine it additional memory pages in Explorer.exe memory and maps another shellcode here, causing "n" to be loaded inside Explorer.exe. "n" includes "desktop.ini" component inside as raw data.
You mean "services.exe" instead, right?
 #13944  by EP_X0FF
 Wed Jun 13, 2012 12:43 pm
Tigzy wrote:
3. If everything fine it additional memory pages in Explorer.exe memory and maps another shellcode here, causing "n" to be loaded inside Explorer.exe. "n" includes "desktop.ini" component inside as raw data.
You mean "services.exe" instead, right?
No I mean shellcode with LdrLoadDll AFAIR in the context of Explorer.exe

Take decrypted sirefef dropper and try yourself. Set breakpoints on NtAllocateVirtualMemory, NtWriteVirtualMemory.
Attachments
pass: malware
(117.69 KiB) Downloaded 67 times
 #13957  by EP_X0FF
 Thu Jun 14, 2012 2:42 am
Quads wrote:Here is the 3rd services.exe MD5 I know of attached

Quads

The x86 version of services.exe, this means infection is cross-platform. Infection hash values for NativeAPI are the same.
 #13959  by EP_X0FF
 Thu Jun 14, 2012 5:03 am
thisisu wrote:MD5: c6e73a75284507a41da8bef0db342400
https://www.virustotal.com/file/be00ef4 ... /analysis/
Unpacked container in attach. Notice few additional modules (e32, e64, w32, w64)
Attachments
pass: malware
(112.91 KiB) Downloaded 68 times
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
  • 56