ZeroAccess (alias MaxPlus, Sirefef) - Page 34

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#16119 by markusg
Thu Oct 18, 2012 6:36 pm

https://www.virustotal.com/file/74a7d50 ... 350585070/

Attachments

contacts[1].rar

(146.97 KiB) Downloaded 115 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#16392 by EP_X0FF
Sat Nov 03, 2012 8:58 am

markusg wrote:https://www.virustotal.com/file/74a7d50 ... 350585070/

This is backdoor CLSID variant without autoruner and without file infection part. In attach decrypted dropper, extract payload cab manually.
Posts moved.

Attachments

contacts_dropper.rar

pass: malware
(108.81 KiB) Downloaded 100 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#17142 by N3mes1s
Wed Dec 12, 2012 11:55 am

Interesting Paper on extraction info from NTFS Extended Attributes

http://journeyintoir.blogspot.it/2012/1 ... -ntfs.html

Username

N3mes1s

Posts

42

Joined

Wed Mar 09, 2011 5:17 pm

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#17424 by R136a1
Fri Dec 28, 2012 4:40 pm

User-mode only sample:

https://www.virustotal.com/file/b3e8772 ... 356712717/

Attachments

88bec96bcc176f0e9b0e91ebb0c27028.zip

pass: infected
(143.21 KiB) Downloaded 85 times

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Re: ZeroAccess (alias MaxPlus, Sirefef)

#17660 by markusg
Tue Jan 08, 2013 3:41 pm

SHA256:
f30d55120d31f1e75f618e6c8b272c6475a87815f2ca12fa9e890805c78ecd9f
File name:
setup (2).exe
Detection ratio:
3 / 46
https://www.virustotal.com/file/f30d551 ... /analysis/

Attachments

setup.rar

(145.86 KiB) Downloaded 104 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

#17669 by EP_X0FF
Wed Jan 09, 2013 12:38 am

markusg wrote:SHA256:
f30d55120d31f1e75f618e6c8b272c6475a87815f2ca12fa9e890805c78ecd9f
File name:
setup (2).exe
Detection ratio:
3 / 46
https://www.virustotal.com/file/f30d551 ... /analysis/

Decrypted dropper, n32, n64, s32, s64 attached.

Attachments

Malware.rar

pass: malware
(164.99 KiB) Downloaded 118 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#17776 by thisisu
Sun Jan 20, 2013 1:50 pm

Recycler variant.

https://www.virustotal.com/file/ef70cda ... 358689862/

Attachments

6c99ae8c2662f5b9133cb66dd2b63d3f.zip

pass: infected
(145.49 KiB) Downloaded 99 times

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#17883 by rough_spear
Sun Jan 27, 2013 11:22 am

Hi All,

One more recycler variant.

https://www.virustotal.com/file/ced7132 ... /analysis/

Regards,

rough_spear. ;)

Attachments

Zaccess.7z

password - infected.
(152.77 KiB) Downloaded 82 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India

Re: ZeroAccess (alias MaxPlus, Sirefef)

#17932 by rough_spear
Wed Jan 30, 2013 7:34 pm

Hi All,

Recycler variant.

VT link - https://www.virustotal.com/file/ecbbd74 ... /analysis/

MD5 - 05a698a5f1c865619538fdc4e6e53852

Regards,

rough_spear. ;)

Attachments

zaccess.7z

password - infected.
(129.86 KiB) Downloaded 77 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India

ZeroAccess Recycle CLSID variant

#18044 by unixfreaxjp
Wed Feb 06, 2013 5:58 am

First of all, I tried to find whether this malware is already in the thread but could't find it so allow me to open this topic. Pls forgive if I open the wrong ones.
I encountered interesting payload dropped by Blackhole Exploit Kit "/closest/" version, with the infector details as below:

Landing page: http://33sdfguuh.mywww.biz/closest/209t ... kjskga.php
PluginDetect0.7.9 used: http://pastebin.com/raw.php?i=HSPfPzF1
Following the infector logic to fetching below samples:

(If you interested to see more details in BHEK overall infection that serving this, please see different post here, not a promotion pls, a share.)

The contacts.exe is ZeroAccess, this case's topic.
I attached the sample with the unpack version (made by Horgh) in this post,
And for the memory string dumps can be viewed here

I run it and debugged it at the same time.

It looks loading dlls by these methods:

Code: Select all

LdrLoadDll
LdrGetDllHandle

It brutes the dlls to load like below catch-record...

Code: Select all

dtdlb.dll
etdlc.dll
ftdld.dll
gtdle.dll
htdlf.dll
itdlg.dll
jtdlh.dll
ktdli.dll
ltdlj.dll
mtdlk.dll
fd43u.dll
^tdl\.dll
_tdl].dll
`tdl^.dll
atdl_.dll
btdl`.dll
ctdla.dll

You can see it the details of loading these dll in the contacts.exe process full session I captured here
↑PS:There are also rsgistry access & file access records↑

This malware was detected below software/program/service.. suspected registry token keys.

Code: Select all

Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
(etc)

The reason is for deletion purpose, I found many stuffs deleted in registry like:

Code: Select all

..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security

In memory this deletion trace was clearly exposed:

Code: Select all

InprocServer32
{fbeb8a05-beee-4442-804e-409d6c4515e9}
\registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32

And so does the result in registry also:

Code: Select all

HKLM\Software\Classes\ClsId\{...some ID....}\InprocServer32\
   --→"C:\WINDOWS\system32\wbem\fastprox.dll"/"C:\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\n."

Looks it used RECYCLER for some deletion..

It requests & saved/used infected machine'S GeoIP:

Code: Select all

GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
  :
geoip_country_code

PoC:

Requesting counter...

Code: Select all

GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
Host: bigfatcounters.com
User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
Connection: close

PoC:

↑These access:

If you run it with the network you'll get the DNS request in not only to google (8.8.8.8:53) but to below remote DNS (which I didnt even register it in my system)

Code: Select all

194.165.17.3:53  ADM-SERVICE-NET (Monaco)
66.85.130.234:53 TechEVE Ltd TE-SAFESUGAR (UK)

And requesting UDP/16464

Code: Select all

92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
1.172.141.253:16464
122.110.95.253:16464
85.86.69.253:16464
90.230.2.2:16464
115.31.23.2:16464
174.101.87.249:16464
187.74.74.249:16464
61.86.42.249:16464
194.165.17.3:123
91.242.217.247:123
94.183.234.248:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
126.13.87.248:16464
89.215.205.2:16464
222.109.23.4:16464
203.171.244.4:16464
109.90.149.240:16464
173.217.73.3:16464
98.26.183.2:16464
84.55.11.24:16464
116.73.35.4:16464
86.126.1.74:16464
121.242.162.55:16464
175.181.230.42:16464
190.208.75.36:16464
150.214.68.251:16464
188.6.88.61:16464
206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464

↑These access looks like:

In details:

So based on the UDP works and the RECYCLER method, I suspected is a ZeroAccess Recycle(r) variant.
The problem is detection ratio is poor = (6/46)
VT: https://www.virustotal.com/file/1861555 ... 360070307/
By all means overall detection atio is too low...

Please help to register this infection sample. Please feel free in adding/correcting/directing this post into the better goals. Rgds.

Attachments

packed-unpacked.zip

The packed and unpacked version of contacts.exe
(248.95 KiB) Downloaded 68 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm