[thisisu]

@thisisu

Can you please share the source of your Sirefef droppers? If possible PM me.

Sent you a PM :)
___

MD5: a504d4e47975d58dd72c6ce9799df0ea
https://www.virustotal.com/file/6f2ed90 ... /analysis/
Oak Technology Inc. .DLLs

[EP_X0FF]

MD5: a504d4e47975d58dd72c6ce9799df0ea
https://www.virustotal.com/file/6f2ed90 ... /analysis/
Oak Technology Inc. .DLLs

Blackhole which hosts this dropper was generous. There are actually few Sirefef droppers, one from it pretty fresh (see attach). https://www.virustotal.com/file/9fe5b66 ... /analysis/

Same multistage installation + infection of system driver (seems infection code has been updated).

Complete list of malware from BH EK


6354578DE170FA554068BE9E521F83688316BF1E
ACAF9645770895719D38E97AA3DE214F743E6A6A
1453C26567D47FA2E4CED92D1DC5C20DCDC7368A
0E04A3B23C4EFC04A9E0AE49B96BFD3ED6308D99
408EFA8E16CF9F11B283AC685D4DB5A0C94A5B0D
53B2B484D2B11630FCACF1453DC350415404CFCA
96BD740F883123E67825D5F7C8D4A55D06FF38FA

They are Sirefef and Fake AV's. Probably daily basis update.

[thisisu]

MD5: bab55b0769e4189b5637c5fe50605968
https://www.virustotal.com/file/279e461 ... 334885685/
Oak Technology Inc. .DLLs

[thisisu]

MD5: 5cc3bf6dff6aef5951c85ab0169d0f51
https://www.virustotal.com/file/41393c5 ... /analysis/
Oak Technology Inc. .DLLs

[int0]

MD5: 5cc3bf6dff6aef5951c85ab0169d0f51
https://www.virustotal.com/file/41393c5 ... /analysis/
Oak Technology Inc. .DLLs

Thnx for the sample, there are new features in this sample. VFS folder $NtUninstall%u$ is not reparse point anymore and its redirected to \SystemRoot\System32\config so user actually sees fake content also it now logs your search history into file named "oemid" in VFS folder. Definitely useful sample thnx!

[thisisu]

Guys, detailed ZeroAccess/Sirefef research by Sophos - http://sophosnews.files.wordpress.com/2 ... access.pdf.

Dead link now

Found copy here: http://www.sophos.com/medialibrary/PDFs ... Access.pdf

Thnx for the sample, there are new features in this sample

I'm glad you enjoyed :)

[thisisu]

http://www.malekal.com/2012/04/26/zeroa ... rus-sacem/ - Good article IMO.

[thisisu]

MD5: e09ed785b315df552c7e2acc296d8ba9
https://www.virustotal.com/file/6a29270 ... /analysis/
Oak Technology Inc. DLLs

[EP_X0FF]

Sirefef dumps of BHEK from the last 7 days. Daily basis obfuscation updates.

https://www.virustotal.com/file/5412182 ... /analysis/
https://www.virustotal.com/file/1835ae6 ... /analysis/
https://www.virustotal.com/file/7ba507c ... /analysis/
https://www.virustotal.com/file/5ffc903 ... /analysis/
https://www.virustotal.com/file/7a845e0 ... /analysis/
https://www.virustotal.com/file/ac9c18c ... /analysis/
https://www.virustotal.com/file/d81ea8a ... /analysis/
https://www.virustotal.com/file/5a53b23 ... /analysis/
https://www.virustotal.com/file/41393c5 ... /analysis/
https://www.virustotal.com/file/257edcc ... /analysis/
https://www.virustotal.com/file/a3d808f ... /analysis/
https://www.virustotal.com/file/965bb03 ... /analysis/
https://www.virustotal.com/file/852b5a5 ... /analysis/
https://www.virustotal.com/file/5a5cf15 ... /analysis/
https://www.virustotal.com/file/f47ff25 ... /analysis/
https://www.virustotal.com/file/b57f37c ... /analysis/
https://www.virustotal.com/file/a540cae ... /analysis/
https://www.virustotal.com/file/52c9128 ... /analysis/
https://www.virustotal.com/file/1f1153c ... /analysis/
https://www.virustotal.com/file/bef7870 ... /analysis/

[thisisu]

MD5: b5340bcc77be63a5b5b3238083b63566
https://www.virustotal.com/file/97a0501 ... /analysis/
Oak Technology Inc. .DLLs