A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13887  by EP_X0FF
 Mon Jun 11, 2012 11:55 am
Preliminary results indicate file structure modification (DYNAMICBASE flag removed from header characteristics - ASLR bypassing) + some additional code injected inside with a jump to it from services.exe!ScRegisterTCPEndpoint. Overall 9 injected procedures, 7 of them call one big one with a dexoring loop.


edit:
Watching in dynamic now.


Okay, starting from shellcode init @0000000100014154 it is looking for the ntdll base through the PEB by hardcoded asm to get the required routines by hashes. Classic :)

In call order (hash at left)

6B1E40B3 = RtlDosPathNameToNtPathName_U
CB33FC15 = ZwOpenFile, and then it opens itself with the full Native decorated path
160C03BE = RtlFreeUnicodeString :D
D1B7D57A = ZwAllocateVirtualMemory
5845BBAF = ZwQueryEaFile
B969CD53 = ZwFreeVirtualMemory

the last one is obviously ZwClose

@00000001000140B4 = _hpGetAddressByHash

more coming soon

P.S.
Particularly we are now interested in the dropper which guarantees the same behaviour for x64 systems.
 #13890  by EP_X0FF
 Mon Jun 11, 2012 12:52 pm
We need an ADS dump of this file from an infected machine. The code injected by ZeroAccess seems to be working this way:

Opens services.exe as a file (FILE_READ_EA | FILE_WRITE_EA | SYNCHRONIZE), allocates an ERW buffer of size 0x10000, then calls ZwQueryEaFile for the acquired handle and then checks the returned length; if everything is fine it executes the buffer @00000001000142EB. So if we have not failed somewhere in the injected code analysis, we assume services.exe contains a specially named malware ADS lol

If anyone is interested - please confirm :)
 #13891  by rkhunter
 Mon Jun 11, 2012 1:36 pm
EP_X0FF wrote: We need an ADS dump of this file from an infected machine. The code injected by ZeroAccess seems to be working this way:

Opens services.exe as a file (FILE_READ_EA | FILE_WRITE_EA | SYNCHRONIZE), allocates an ERW buffer of size 0x10000, then calls ZwQueryEaFile for the acquired handle and then checks the returned length; if everything is fine it executes the buffer @00000001000142EB. So if we have not failed somewhere in the injected code analysis, we assume services.exe contains a specially named malware ADS lol

If anyone is interested - please confirm :)
What version of ZAccess does your research belong to?
 #13892  by EP_X0FF
 Mon Jun 11, 2012 2:13 pm
Correction - ZeroAccess starts the payload from the ADS; offset 0xC corresponds to the ADS data itself and offset 0x6 is the size of the data. No lulz here, just good old ADS. I assume the ADS also contains something like shellcode. The overall infection scheme reminds me of Bamital and makes us think that the TDL authors have moved to ZA.
rkhunter wrote: What version of ZAccess does your research belong to?
This is research based on the FUD infected services.exe posted above.
 #13893  by Tigzy
 Mon Jun 11, 2012 2:25 pm
BTW, EP_X0FF, do you think the "services.exe" and the CLSID variant are the same?

What I have done so far is basic analysis:

I have seen the HKCR/CLSID key to load the COM object. Also I saw there was the corresponding dll injected into services.exe (named "n").
There's also a desktop.ini (PE) in the GAC. What for?

I'm not able to explain the infection mechanisms :/
The key is here for reboot survival, but what does the GAC PE stand for?
 #13895  by EP_X0FF
 Mon Jun 11, 2012 2:28 pm
One more thing. The value(s) associated with each entry follow the EaName array. That is, an EA's value is located at EaName + (EaNameLength + 1). So presumably, according to the shellcode analysis, the ZeroAccess extended attribute name is 3 symbols long (3 + NULL), something like services.exe:hui, and the size must be < 65 Kb :D That's all we can say from this infected file. The dropper is required for more info.
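The FILE_FULL_EA_INFORMATION walk described in the two posts above (value at EaName + EaNameLength + 1, buffer bounded by 0x10000), written up as a small defender-side parser. This is an added example, not code from the thread or from ZeroAccess; the EA names and payload bytes in SAMPLE are constructed, and the "short name carrying a blob" rule is only the heuristic the analysis suggests, not a confirmed signature.

```python
import struct

# Layout of FILE_FULL_EA_INFORMATION, the record ZwQueryEaFile writes into the
# caller's buffer: ULONG NextEntryOffset, UCHAR Flags, UCHAR EaNameLength,
# USHORT EaValueLength, then EaName (NUL-terminated) followed by the value.
_EA_HDR = struct.Struct("<IBBH")

def parse_ea_buffer(buf):
    """Walk a FILE_FULL_EA_INFORMATION chain; return (name, flags, value) tuples."""
    entries = []
    off = 0
    while off + _EA_HDR.size <= len(buf):
        next_off, flags, name_len, value_len = _EA_HDR.unpack_from(buf, off)
        name_start = off + _EA_HDR.size
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        # The value sits directly after the name and its terminating NUL.
        value_start = name_start + name_len + 1
        value = buf[value_start:value_start + value_len]
        entries.append((name, flags, value))
        if next_off == 0:          # NextEntryOffset == 0 marks the last record
            break
        off += next_off
    return entries

def suspicious_eas(entries, max_size=0x10000):
    """Heuristic from the thread: a three-letter (or shorter) EA name holding a
    non-empty blob below the 0x10000 buffer limit on an executable is worth a look."""
    return [n for n, _, v in entries if len(n) <= 3 and 0 < len(v) < max_size]

def build_ea_buffer(items):
    """Build a buffer in the same layout; used here only to produce sample data."""
    out = bytearray()
    for i, (name, value) in enumerate(items):
        body = _EA_HDR.size + len(name) + 1 + len(value)
        padded = (body + 3) & ~3                       # records are ULONG-aligned
        next_off = 0 if i == len(items) - 1 else padded
        out += _EA_HDR.pack(next_off, 0, len(name), len(value))
        out += name.encode("ascii") + b"\x00" + value
        out += b"\x00" * (padded - body)
    return bytes(out)

# Constructed sample: one ordinary-looking EA and one with a three-letter name
# holding an opaque blob, the shape the analysed shellcode expects to find.
SAMPLE = build_ea_buffer([
    ("example.ea", b"\x01" * 16),                        # constructed benign entry
    ("abc", b"\xe8\x00\x00\x00\x00" + b"\x90" * 59),     # constructed payload bytes
])
```

Running parse_ea_buffer on a real dump taken with NtQueryEaFile (or a forensic image's EA records) lists every attribute name and size, so the services.exe case can be confirmed or ruled out without executing anything.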
 #13897  by rkhunter
 Mon Jun 11, 2012 3:21 pm
Tigzy wrote: ..."services.exe" and the CLSID variant are the same?
I'm not able to explain the infection mechanisms :/
The key is here for reboot survival, but what does the GAC PE stand for?
The usual Trojan:Win32/Sirefef.P does not perform services.exe infection, as I remember.
The GAC PE was read from disk in the context of the infected process, so a malicious thread performs this. Remove the keys, block the parent key, reboot, and you will retrieve a clean system.