Rootkit ZeroAccess (alias MaxPlus, Sirefef) - Page 16

Re: Rootkit ZeroAccess (aka MAX++)

#9379 by rough_spear
Sun Oct 23, 2011 6:49 pm

Hi All,
ZAccess Dropper. :twisted:

File name - X
VT link - http://www.virustotal.com/file-scan/rep ... 1319244459
MD5 : a381c34ae0ce20140e0abf84398f87e2
SHA1 : 604a30bce63cfe812465edc8544985ed5d39e248
SHA256: 5d927bb725a3fcfb5a9c04813b3d4b41b587f206d555eedaf260216bca99d2ea
ssdeep: 1536:vDG/kmsGmVpiQ1RZxGHi2CM32kRctzb6K:6e7ui2CM32kG
File size : 59392 bytes

Regards,

rough_spear. ;)

Attachments

ZAccess-21-Oct-2011.7z

password - malware.
(46.82 KiB) Downloaded 96 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India

Re: Rootkit ZeroAccess (aka MAX++)

#9380 by p4r4n0id
Sun Oct 23, 2011 7:49 pm

ZeroAccess’s trick - A wolf in sheep’s clothing

http://blogs.avg.com/news-threats/zeroa ... -clothing/

p4r4n0id

Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/

Username

p4r4n0id

Posts

126

Joined

Thu Sep 22, 2011 11:36 am

Location

Israel

Contact

Re: Rootkit ZeroAccess (aka MAX++)

#9448 by markusg
Sat Oct 29, 2011 2:32 pm

GeoStar.3D.GeometrieBaukasten.keygen.exe
MD5 : a94f8cccea9b9dbc923ac128053fb0cc
https://www.virustotal.com/file-scan/re ... 1319897872

Attachments

GeoStar.3D.GeometrieBaukasten.keygen.rar

(219.43 KiB) Downloaded 85 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Rootkit ZeroAccess (aka MAX++)

#9449 by rkhunter
Sat Oct 29, 2011 2:58 pm

markusg wrote:GeoStar.3D.GeometrieBaukasten.keygen.exe
MD5 : a94f8cccea9b9dbc923ac128053fb0cc
https://www.virustotal.com/file-scan/re ... 1319897872

http://www.threatexpert.com/report.aspx ... 28053fb0cc
http://camas.comodo.com/cgi-bin/submit? ... bf69322983
Registers in winlogon->shell, create fake service, using $NtUninstallKB23832$\816222785.

Attachments

traffic.zip

(892 Bytes) Downloaded 64 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#9551 by rough_spear
Sat Nov 05, 2011 7:46 pm

Hi, :D
ZAccess files and plugins from ZAccess infected systems.

File name - X
VT link - http://www.virustotal.com/file-scan/rep ... 1320132829

File name - 800000cb.@
VT link - http://www.virustotal.com/file-scan/rep ... 1320320210

File name - 80000000.@ (comparatively low detection)
VT link - http://www.virustotal.com/file-scan/rep ... 1320514888

File name - ad4.tmp.exe (I don't know what it is, i tried running it in sandbox and vm but yields no result, malware or innocent file) :?:
VT link - http://www.virustotal.com/file-scan/rep ... 1320495081

Regards,

rough_spear. ;)

Attachments

ZAccess.7z

password - malware.
(206.5 KiB) Downloaded 65 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#9555 by Quads
Sat Nov 05, 2011 11:53 pm

I ran the .tmp.exe files on my system (not in VM or Sandbox) and they don't run.

Quads

Username

Quads

Posts

148

Joined

Thu May 06, 2010 10:19 pm

Location

New Zealand

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#9557 by EP_X0FF
Sun Nov 06, 2011 4:40 am

rough_spear wrote:File name - ad4.tmp.exe (I don't know what it is, i tried running it in sandbox and vm but yields no result, malware or innocent file) :?:

This is small console application that checks files in windows directory for suspicious ads and logs results into C:\AlternateDataStreams.log

Code: Select all

sprintf(&Buffer, "%-12s %s", "Status", "ADS File Path");
WriteToDebugLog(&chDebugLogFileName, &Buffer);
WriteToDebugLog(&chDebugLogFileName, "===============================================================");
sprintf(&Buffer, "%-12s %s", "Infected", &chFileName);
WriteToDebugLog(&chDebugLogFileName, &Buffer);
printf("\n%s", "===============================================================");
printf(" \nADS Found !!!");
printf("\n%s", "===============================================================");

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#9576 by NarfBang
Mon Nov 07, 2011 4:12 pm

What do you mean by "suspicious"? What's it looking for? AV? VM? Or other malware?

Username

NarfBang

Posts

17

Joined

Thu Jun 30, 2011 4:29 pm

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#9608 by cjbi
Wed Nov 09, 2011 3:24 pm

kmddsp.tsp wrote:z00clicker3

Interesting...

Attachments

ZeroAccess.zip

pw: malware
(462.86 KiB) Downloaded 60 times

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

#9711 by rough_spear
Tue Nov 15, 2011 6:29 pm

Hi All, :D
One more ZAccess rootkit sample. :evil:

Web link -
hxxp://hotpic.cc/anurag+9+pro+rar.exe
hxxp://hotpic.cc/atm.breakout.catcher.exe

VT link -http://www.virustotal.com/file-scan/rep ... 1321265328

MD5 : 0413641a36d16b40d3a39a4423d9f49f
SHA1 : 8b84fc0a374a84f97003cdc0885e939081e61ad9
SHA256: 594602dcfca8322af28a6d312e5fccb0d07901916b385ff0c3f0fdd67157e95a
ssdeep: 6144:2QMBL1mXDin/MqgTrLj7IL9pKpVQTvS0RhS/Xa6e2Ah2vrn:XMLmX2/MLnvYIqvS+hAKp2
AMvz
File size : 340480 bytes

File name - X
VT link - http://www.virustotal.com/file-scan/rep ... 1321230520
MD5 : b74577535fa7046e1951ebf208287ae9
SHA1 : 26da3c198c55dbb5cff1f361435ae7199b484db4
SHA256: f6cfb3680a14d78684dd52068c8c68eea3c4404e8e0add11acc442f4646421e6
ssdeep: 1536:oU5D7/Ot6d1srOYbBdYGK5xVU+hkBjHs:oa34WsnXYP5jU+OBI
File size : 60416 bytes

Regards,

rough_spear. ;)

Attachments

14-11-2011-ZAccess.7z

password - malware.
(350.31 KiB) Downloaded 67 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India