A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27748  by MalwareTech
 Tue Jan 26, 2016 4:52 pm
R136a1 wrote:
MalwareTech wrote:I'm trying to figure out if it's spreading at all, there does seem to be a very slow growth in number of online bots per day but that could be just all the crawlers using EP_X0FFs source :P
I am also trying to figure out the infection vector itself for some time, but it remains unknown to me. I have found only one encrypted dropper sample which gives a clue about the spreading method.

This dropper was uploaded to VT two times as "Setup.exe" inside ZIP archives with the following names:
sof-andreevna-tolsta-povarenna-kniga.zip
vaz-2107-ploho-nagrevaets-dvigatel.zip

If anyone has more information, please share. Thanks.
Can you share hash? I've run out of VT searches for this month.
 #27756  by EP_X0FF
 Wed Jan 27, 2016 7:30 am
It still belongs to the same botnet. Original upload filename suggest it was kind of attachment.
 #27785  by Insid3Code
 Sat Jan 30, 2016 6:56 pm
EP_X0FF wrote:https://github.com/hfiref0x/ZeroAccess
Hi,
Nothing important, just forgot to change this:
--------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
<assemblyIdentity
type="win32"
name="WinObjEx64" --> belong to WinObjEx64 project.
version="1.0.0.0"
processorArchitecture="*"
/>
<description> ZeroAccess </description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
--------------------

BTW, I noticed, in your "release" does not contain debug directory...
there is an option in MSVC U1 to disable it or you remove it manually?

I Already posted here:
http://www.kernelmode.info/forum/viewto ... 376#p26376

Best regards.
 #28445  by pwnslinger
 Mon May 02, 2016 7:47 pm
EP_X0FF wrote:3 weeks later. This is all you need to know about modern AV "industry" of fake-AV's and "security" companies investigating "state sponsored" APT script-kiddie shit and bin-diffing MS patches.

Even in static scan they failed. Note nothing is crypted here.

Callback address plugin - as downloaded (despite the fact they are resource only dlls they still part of ZeroAccess)
https://www.virustotal.com/en/file/0491 ... 453792440/ (2/53) ZERO correct names
https://www.virustotal.com/en/file/2e6a ... 453792458/ (2/53) ZERO correct names

Callback address plugin - as loaded in memory
https://www.virustotal.com/en/file/1df9 ... /analysis/ (0/44) Nothing
https://www.virustotal.com/en/file/0ea4 ... 453792638/ (0/54) Nothing

Tracker plugin - as downloaded
https://www.virustotal.com/en/file/f8ad ... 453792463/ (2/54) 1 correct names
https://www.virustotal.com/en/file/7f1d ... 453792469/ (1/53) ZERO correct names

Tracker plugin - as loaded in memory and executed
https://www.virustotal.com/en/file/b56e ... 453792647/ (6/54) 2 correct names
https://www.virustotal.com/en/file/0f7c ... /analysis/ (3/53) 1 correct detection

UAC bypass dll - as loaded and executed in memory
https://www.virustotal.com/en/file/2e27 ... 453792497/ (5/54) 2 correct names

P2P dlls - more correct detections just because these modules share > 50% of code with previous version of ZeroAcceess

https://www.virustotal.com/en/file/949d ... 453792487/ (30/53) 10 correct names
https://www.virustotal.com/en/file/3700 ... 453792513/ (29/53) 10 correct names

Dropper itself (again more detection because it share most of the code with previous ZeroAccess version)
https://www.virustotal.com/en/file/7bab ... 453792475/ (43/53) 15 correct names

Dropper as it executed
https://www.virustotal.com/en/file/6a62 ... 453792480/ (33/46) 6 correct names

Remembering these autists from Phallus Group who investigated Delphi Rombertik for a few months it is clearly that: when malware is litte bit complicated than usual dotnet or zeus crap and what is most important - can be used for company marketing purposes - then it is called APT. When it more complicated than average AV "analyst" can understand - then it is not malware, so dgaf about it.
when using zwqueueapcthread i used \xeb\xfe technique to catch shellcode execution. but when i reach when i step into ollydbg give me running.
page protection is RWE.
after zwcontinuethread i attached odbg and f9 f12 , fixed s patched bytes...
Attachments
prob_1.JPG
prob_1.JPG (51.26 KiB) Viewed 538 times
  • 1
  • 52
  • 53
  • 54
  • 55
  • 56