markusg wrote:https://www.virustotal.com/file/42cc19b ... 348571320/Same as above. Difference in newly obfuscated dropper and rtk32 driver component. x64 backdoor the same.
Ring0 - the source of inspiration
A forum for reverse engineering, OS internals and malware analysis
markusg wrote:https://www.virustotal.com/file/42cc19b ... 348571320/This variant again :o
Code: Select all
00:57:44.0713 1980 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - copied to quarantine
00:57:45.0133 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\@ - copied to quarantine
00:57:45.0133 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\Desktop.ini - copied to quarantine
00:57:45.0133 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\L\00000004.@ - copied to quarantine
00:57:45.0164 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\L\uruzevfc - copied to quarantine
00:57:45.0164 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000004.@ - copied to quarantine
00:57:45.0164 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000008.@ - copied to quarantine
00:57:45.0164 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\000000cb.@ - copied to quarantine
00:57:45.0164 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000000.@ - copied to quarantine
00:57:45.0164 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000032.@ - copied to quarantine
00:57:45.0604 1980 Backup copy found, using it..
00:57:45.0624 1980 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\@ - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\Desktop.ini - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000004.@ - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000008.@ - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\000000cb.@ - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000000.@ - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000032.@ - will be deleted on reboot
00:57:45.0634 1980 C:\WINDOWS\$NtUninstallKB50933$\946081224 - will be deleted on reboot
00:57:45.0634 1980 MRxSmb ( Virus.Win32.ZAccess.aml ) - User select action: Cure 
Just in case if everyone interested. This is not new version as someone can decide. This is old 2nd generation ZeroAccess file infector rootkit with small changes. Removed AntiAV part (trap process/reg key), some stability improvements has been made, it now works more stable (at least on my test machines when previous version crash from time to time). This version adds new lower device to DRx object and driver object of this device points to rootkit code (even this is not new, some previous Sirefefs did the same). This makes it less defensive than previous variants that hooks mini port driver major function. Driver loading trick with asterisk is the same. To detect it manually you don't need any third party tools - this can be easily done with Windbg and small brain.dll Additionally this rootkit can be detected by WinObj. Look in GLOBAL?? directory. Usually there should be only SymbolicLink objects. But ZeroAccess puts its own device in this directory.
Code: Select all
lkd> !object \GLOBAL??
Object: e1005600 Type: (81fed5d0) Directory
ObjectHeader: e10055e8 (old version)
HandleCount: 1 PointerCount: 131
Directory Object: e1000298 Name: GLOBAL??
Hash Address Type Name
---- ------- ---- ----
81f18870 Device 0b765132Ring0 - the source of inspiration
SHA256:
4b3d55acca9920f12a149a823ea0b7ee0a8b415ca4be604c66826764091e7b50
File name:
Setup.exe
https://www.virustotal.com/file/4b3d55a ... 348658276/
4b3d55acca9920f12a149a823ea0b7ee0a8b415ca4be604c66826764091e7b50
File name:
Setup.exe
https://www.virustotal.com/file/4b3d55a ... 348658276/
Attachments
(153.21 KiB) Downloaded 83 times
SHA256:
370670b79aaae6abf9a392695f3a6e6ab0214acae8117e646f82011b1404e1ba
File name:
Setup.exe
https://www.virustotal.com/file/370670b ... 348763565/
370670b79aaae6abf9a392695f3a6e6ab0214acae8117e646f82011b1404e1ba
File name:
Setup.exe
https://www.virustotal.com/file/370670b ... 348763565/
Attachments
(154.31 KiB) Downloaded 62 times
anbody has this?? https://www.virustotal.com/file/6d32a06 ... 348810517/
dumb110 wrote:anbody has this?? https://www.virustotal.com/file/6d32a06 ... 348810517/SHA256: 6d32a06be42f9c9b09038279d5121c8f9edd3fc3d5c670f3691d20d92dcddbff
SHA1: 59eb5da32f0f977e49f9724d0a16d7224f028c9c
MD5: dc86b1d1abd08432db8b6903e38b4004
Attachments
pass:infected
(89.12 KiB) Downloaded 62 times
(89.12 KiB) Downloaded 62 times
SHA256:
9f5106cc5b59589d429cd2e45284465ce56553c8d87b47275e8c1cf36cf3e37b
File name:
Setup.exe
https://www.virustotal.com/file/9f5106c ... 348918880/
9f5106cc5b59589d429cd2e45284465ce56553c8d87b47275e8c1cf36cf3e37b
File name:
Setup.exe
https://www.virustotal.com/file/9f5106c ... 348918880/
Attachments
(153.67 KiB) Downloaded 57 times
SHA256:
fff87e480b0c4d1d58dcbbcf7b6543077a5f00d0a1b62d3a52b7d3eb43ce6917
File name:
Setup.exe
https://www.virustotal.com/file/fff87e4 ... 348945383/
fff87e480b0c4d1d58dcbbcf7b6543077a5f00d0a1b62d3a52b7d3eb43ce6917
File name:
Setup.exe
https://www.virustotal.com/file/fff87e4 ... 348945383/
Attachments
(153.84 KiB) Downloaded 65 times
SHA256:
18012d824747fddd6c7446822821248797b347871a400500f42d5ed114976b76
File name:
Setup.exe
https://www.virustotal.com/file/18012d8 ... 349120092/
18012d824747fddd6c7446822821248797b347871a400500f42d5ed114976b76
File name:
Setup.exe
https://www.virustotal.com/file/18012d8 ... 349120092/
Attachments
(156.39 KiB) Downloaded 83 times