A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8639  by rough_spear
 Mon Sep 19, 2011 6:07 pm
Hi,
Today's fresh samples. Again animal sxx and dog. Definitely the ZeroAccess author likes Doggi $tyle. Ha Ha Ha. ;)

File name - dog-fuck-girl.avi.exe and dogsex_005.avi.exe
File size - 244 KB.
web link -
hxxp://updatexporn8.tk/new/dog-fuck-girl.avi.exe
hxxp://updatexporn8.tk/new/dogsex_005.avi.exe
hxxp://updatexporn7.tk/new/dogsex_005.avi.exe
hxxp://updatexporn7.tk/new/dog-fuck-girl.avi.exe

VT link - http://www.virustotal.com/file-scan/rep ... 1316398489

Signatures -
MD5 : ddf3e4c97f00f55b1911eb86552fcaa8
SHA1 : 549fbe9dcfe109c7ff281ceb62ff576138c25843
SHA256: 46a5322d8eec2a9942ae3600e519bb24234b62515c5e21f0e5df6604c207ccf5
ssdeep: 6144:EHV/CIvKENj9aZKx0GEMYGpeaQzJ/Jl+La1sbS7iq6td:mvlNR0fLbJl+L7H

Packed with UPX 2.90

The above files are archived in ZAccess-19-09-2011.7z
password - malware.

File name - animal-porn-movie.avi.exe, dog-doing-girl.avi.exe and xxx-porn-movie.avi.exe
File size - 230 KB.

Web Link -
hxxp://ns2.magicxtube.in/new/animal-porn-movie.avi.exe
hxxp://ns2.magicxtube.in/new/dog-doing-girl.avi.exe
hxxp://ns2.magicxtube.in/new/xxx-porn-movie.avi.exe

VT link - http://www.virustotal.com/file-scan/rep ... 1316454925

Signatures -
MD5 : aeb2b5ab12a621845f8f28ef635ea717
SHA1 : 4f5803c7018abf80895fefefb85be54634547028
SHA256: 9a1bfd743c49b536d27a57b5176b2f66e8cd89878695766bdad0508543e9e840

Packed with UPX 2.90

The above files are archived in ZAccess-19-09-2011-part02.7z
password - malware.

Regards,


rough_spear. :D
Attachments
File name - ZAccess-19-09-2011-part02.7z (224.25 KiB)
password - malware.
File name - ZAccess-19-09-2011.7z (236.95 KiB)
password - malware.
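The listings in this thread all follow one shape: defanged hxxp:// URLs, then MD5/SHA1/SHA256/ssdeep lines, sometimes a "Packed with UPX" note. The script below is an added example, not code from the thread or from rough_spear: it parses a post in that format into structured indicators, refangs the URLs, drops hashes of the wrong length (a truncated or mistyped digest otherwise silently never matches), and checks a file's bytes against the parsed hash sets. The embedded sample text is constructed from the first post's own URL and hashes; the bytes hashed in the demo are a placeholder, not the sample. ssdeep values are parsed but not computed, since that needs the ssdeep library (assumed not installed), and the UPX check is a crude byte-marker heuristic rather than a PE parse.

```python
"""Structured handling of the indicator listings posted in this thread.

Added example, not from the forum or the poster. Parses a post in the
format used above (hxxp URLs, MD5/SHA1/SHA256/ssdeep lines), refangs
URLs, validates hash lengths and verifies file bytes against the sets.
"""
import hashlib
import re

# Constructed sample text in the thread's format; URL and hashes copied
# from the first post. The bytes checked in the demo are NOT the sample.
SAMPLE_POST = """\
web link -
hxxp://updatexporn8.tk/new/dog-fuck-girl.avi.exe
hxxp://updatexporn7.tk/new/dogsex_005.avi.exe
MD5 : ddf3e4c97f00f55b1911eb86552fcaa8
SHA1 : 549fbe9dcfe109c7ff281ceb62ff576138c25843
SHA256: 46a5322d8eec2a9942ae3600e519bb24234b62515c5e21f0e5df6604c207ccf5
ssdeep: 6144:EHV/CIvKENj9aZKx0GEMYGpeaQzJ/Jl+La1sbS7iq6td:mvlNR0fLbJl+L7H
Packed with UPX 2.90
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
URL_RE = re.compile(r"\bhxxps?://\S+", re.IGNORECASE)
HASH_RE = re.compile(r"^\s*(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$", re.IGNORECASE)
# ssdeep is blocksize:chunk:double-chunk; the chunks may contain '/' and '+'
SSDEEP_RE = re.compile(r"^\s*ssdeep\s*:\s*(\d+:[^:\s]+:[^:\s]+)\s*$", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a real scheme."""
    return re.sub(r"^hxxp", "http", url, count=1, flags=re.IGNORECASE)


def parse_indicators(text):
    """Extract URLs and hash sets from post text; malformed hashes are dropped."""
    ind = {"urls": [], "md5": set(), "sha1": set(), "sha256": set(), "ssdeep": set()}
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            ind["urls"].append(refang(url))
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == HASH_LEN[algo]:  # reject truncated or mistyped digests
                ind[algo].add(digest)
            continue
        m = SSDEEP_RE.match(line)
        if m:
            ind["ssdeep"].add(m.group(1))
    return ind


def hash_bytes(data):
    """MD5/SHA1/SHA256 hex digests of a file's bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LEN}


def verify(data, ind):
    """Per algorithm: True only if the file's digest is in the listed set."""
    digests = hash_bytes(data)
    return {algo: digests[algo] in ind[algo] for algo in HASH_LEN}


def has_upx_markers(data):
    """Quick heuristic for the 'Packed with UPX' note: UPX section names or magic.
    Not a PE parse; a repacked or renamed-section sample will evade it."""
    return any(marker in data for marker in (b"UPX0", b"UPX1", b"UPX!"))


if __name__ == "__main__":
    indicators = parse_indicators(SAMPLE_POST)
    print(indicators["urls"])
    placeholder = b"constructed bytes, not the real sample"
    print(verify(placeholder, indicators), has_upx_markers(placeholder))
```

A listed hash that is absent from the post (no SHA1 line, say) reports False rather than raising, so a partial listing like the ones later in the thread still verifies on whatever digests it does carry.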
 #8643  by Quads
 Tue Sep 20, 2011 12:35 am
This fake site changes its download link from yesterday's link to the one that downloads today (different file(s)).

hxxp://download-upload2.com/index.php?key=anti%20virus%20trojan

Yesterday's link for download: hxxp://download-upload2.com/2_setup.exe

Today's link for download: hxxp://www.adsame.com/adsamer2/eaglepro/system ... setup.rar

Both downloads, though, are ZeroAccess.

Quads
 #8677  by rough_spear
 Wed Sep 21, 2011 4:30 pm
Again ZAccess!!! :evil:

Web Links:
hxxp://updatexporn30.tk/new/dog-fuck-girl.avi.exe
hxxp://updatexporn30.tk/new/dogsex_005.avi.exe
Size: 229 KB

MD5 : 9eeba1be2b1ac055fccda3bc8c47c91b
SHA1 : 2bb122ea839e07c334ed47535fa49468fe595673
SHA256: 919ee1c45cb3504705caf32048cc9e634540718fc295ee2f4253a5ac505fc4b1
ssdeep: 6144:FCC8YvOR+HT7UbS4bBdGyBqqaGjhXXYtn/kE:FCVYvEr+4rGyAjEXXEn


hxxp://updatexporn127.tk/new/animal-xxx-movie.avi.exe
hxxp://updatexporn127.tk/new/xxxvideo.avi.exe
Size: 242 KB

MD5 : 9669d883bae8fffb0ab09ef97ff88cc4
SHA1 : 03eb0a4ea4dfbc45f0e461cf90cba4951b79164c
SHA256: d5d007c67d1f69ce5f800fbbfda97164d669eaa6597cbb2ceee0d4b989dac749
ssdeep: 6144:zBVpRi/yEch0ybI6o7PFJVxjBaRmhEJetbYD2PJMw:lIcrI6o7PjjBgmhEMbO2xMw



hxxp://updatexporn25.tk/new/animal-porn-movie.avi.exe

File size: 252 KB

MD5 : 9269b62d99ff62cf20d09fc066ab1906
SHA1 : ba8d96e65af6562326e8c62e99caba6b8e3cfcf1
SHA256: 604c754cf874970dc618aa0720d8651a96c43566a6c265038ecb471561e1b6e7
ssdeep: 6144:eTnXTsryh6Y8IUw5tOFIhDvdDbo0AI1vHEj6F:eTnXTsI8Fw5YFEDtNLfM6F


hxxp://updatexporn45.tk/new/dog-fuck-girl.avi.exe

File size: 233 KB

MD5 : 141ac6086d1dfd5b3282cc9112642eeb
SHA1 : 61f35b10c6963d01892358de10a7ed23238b7926
SHA256: 06f48aeb9ed858caa023b9ea49906d4a4bd520c69d37e076fe9eb00e7e63874b
ssdeep: 6144:Hk06/WeX8FCW322bwyUedT4p4g+EwbX6yy:E0heXmn0eZ4oEm

password is malware.

Regards,


rough_spear. :evil:
Attachments
password - malware (226.86 KiB)
password - malware (245.6 KiB)
password - malware (457.33 KiB)
 #8729  by rough_spear
 Sat Sep 24, 2011 7:14 pm
Hi All,
I'm back with more ZeroAccess droppers. :D

Date - 22-09-2011
web link - hxxp://updatexporn80.tk/new/animal-porn-movie.avi.exe
size - 203 KB
MD5 : 9e65e8dc1bb7e83b61cef5076acb5ffd
SHA1 : 044325652f9f44d8bf1db5c5d151cbd22d91bbc3
SHA256: d4e0905d0a69d05b98b5f2c8fd196589e41fa58ed4cb13c63882fa575cb1b0b8
ssdeep: 3072:cFggf/vHTPgUHhaa5o4iUIoz8prsOUkozcXldR+Qvn+0jLIfnXAlkxgCTtD1uoAO:cFdfWJ4iUIo8p4vX6leQG0QfqCpDcm

VT link - http://www.virustotal.com/file-scan/rep ... 1316788721

Date - 23-09-2011
Web link - hxxp://todaysextube3.tk/xxx/animal-porn-movie.avi.exe

MD5 : 96be7f02a6319bb5ee33725007c96c0e
SHA1 : 6c453b0445f13a5e76c8ad80e3c2a7fb315a6f3b
SHA256: 89f416df5eba013c6da7193331720df2052b028dc449875164f6c1bca3111c28
ssdeep: 6144:MoSvGqvgGvdFLe+UErfVPKTYyvl7a/Mf:tWvgGry+trfVyTYyvl73f

File size : 214 KB

VT Link - http://www.virustotal.com/file-scan/rep ... 1316790844

Date - 24-09-2011

Web Link - hxxp://todaysextube16.tk/xxx/xxx-HD-movie.avi.exe
hxxp://todaysextube16.tk/xxx/xxxvideo.avi.exe

MD5 : 9ed99fc2195505bec40b56c7989dc110
SHA1 : a6bf18efa9aef0e3c98edd6457dd25b0505216da
SHA256: 506b635de5ab26034256a87d64f40d48020d132c0353fe8c2c0b1c1f076895bc
ssdeep: 6144:SsYzVCyuasshciAURsqqRGU7Wu4I0Z/xb:SsGCygsCURsqqL30Z/l

VT Link - http://www.virustotal.com/file-scan/rep ... 1316875181


Regards,


rough_spear. 8-)
Attachments
password - malware (210.32 KiB)
password - malware (208.88 KiB)
password - malware (200.11 KiB)
 #8752  by rkhunter
 Mon Sep 26, 2011 1:59 pm
I was really surprised at the accuracy with which Microsoft recognized droppers of ZeroAccess/Sirefef and Tdss/Tidserv in its malware thread. I have experienced this many times, and the result is almost always right. I think no single vendor can boast such accuracy on these droppers (Alureon and Sirefef).
 #8755  by rkhunter
 Mon Sep 26, 2011 5:13 pm
Even if you take the last VT links published by rough_spear, you will see this result:

96be7f02a6319bb5ee33725007c96c0e -> TrojanDropper:Win32/Sirefef.B, 2011-09-23
9e65e8dc1bb7e83b61cef5076acb5ffd -> TrojanDropper:Win32/Sirefef.B, 2011-09-23
ddf3e4c97f00f55b1911eb86552fcaa8 -> no detection
9ed99fc2195505bec40b56c7989dc110 -> TrojanDropper:Win32/Sirefef.B, 2011-09-24

Detection by other vendors in this case is "generic". By the date (addition rate) I think that it is a robot working.
EDIT: date info
 #8869  by rough_spear
 Fri Sep 30, 2011 5:54 pm
Hi All,
One more ZeroAccess rootkit sample. :D

Web Link - hxxp://yederteremap.osa.pl/prmdva/0d5839149e44ff010e5ba37dbab27e9f/d6.php?f=tr
File Size - 188 KB.
VT Link - http://www.virustotal.com/file-scan/rep ... 1317403833

MD5 : ecd216e4f917f60c844aa74c528e8e10
SHA1 : 620a75b194fa9d9720186eb342109dcdf9d0ca7b
SHA256: 4e24d1ec4217445bad5568f2e832e33f7a87489da8cb5e1ec91be4fc2ec15f5a
ssdeep: 6144:cMx0JoUdNBoDQfCTUCt62ZU9uhJY1T8twoHx7qQMm:cZJ9diQE3xhe1T83Y0

Regards,


rough_spear. ;)
Attachments
password - malware. (182.18 KiB)
 #9013  by USForce
 Fri Oct 07, 2011 11:15 am
They totally changed the kernel-mode packer. Not new actually; they changed it a couple of weeks ago.