A forum for reverse engineering, OS internals and malware analysis 

ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15022  by EP_X0FF
 Mon Aug 06, 2012 1:37 am
Captain Obvious to the rescue? It would be so cool if it wasn't so obvious from the thread.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15094  by EP_X0FF
 Fri Aug 10, 2012 12:55 pm
Offtopic removed.

Further offtop of same kind in this thread will lead to:

1) User warning
2) User banning, including whole IP range

If you have any questions or you disagree with something feel free to PM me. All public posts will be classified as offtop. If you still disagree - feel free to go away.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15100  by Tigzy
 Fri Aug 10, 2012 4:36 pm
It's me or they have removed every easy findable signature (ZwQueryFileEa)?
In the last dropper, I only see ASLR bit switched and a code part:
Attachments
Capture.PNG
Capture.PNG (49.07 KiB) Viewed 366 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15102  by Win32:Virut
 Fri Aug 10, 2012 4:58 pm
This is ZeroAccess?

AFFBA411A853948FEACB50E75EA18DC4 - https://www.virustotal.com/file/a54fd0d ... /analysis/
DC68B058868FC998D775A4922D8CD44C - https://www.virustotal.com/file/1d16b57 ... /analysis/
EF2F92E2E543F57EE40A1DB37C111D73 - https://www.virustotal.com/file/5d71358 ... /analysis/
Attachments
(151.82 KiB) Downloaded 78 times
(152.03 KiB) Downloaded 68 times
(151.97 KiB) Downloaded 69 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15108  by EP_X0FF
 Sat Aug 11, 2012 12:39 am
Tigzy wrote:It's me or they have removed every easy findable signature (ZwQueryFileEa)?
In the last dropper, I only see ASLR bit switched and a code part:
There are 2 variants of Sirefef 2012 infector. Both with different infection methods and different shellcode

Old: TLS + shellcode in .reloc with hardcoded routine names
New: Deep patch with finding routines in runtime by their hashes

both need dynamic base flag removal.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15109  by EP_X0FF
 Sat Aug 11, 2012 12:49 am
ReviewsAntivirus wrote:This is ZeroAccess?

DC68B058868FC998D775A4922D8CD44C - https://www.virustotal.com/file/1d16b57 ... /analysis/
EF2F92E2E543F57EE40A1DB37C111D73 - https://www.virustotal.com/file/5d71358 ... /analysis/
Yes all Sirefef. All modules in attach.
Attachments
pass: malware
(178.91 KiB) Downloaded 83 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #15160  by rkhunter
 Mon Aug 13, 2012 9:14 am
SHA256: a445cceb352b62423fe4fdc5ebb987eef6f0613c08667cd08a378de4e448a7bb
SHA1: 688f2b3237a64c68793264cb4a9586c865b20f1a
MD5: bc9553901867b9bac268f0a2dca32ddb

[7 / 42] https://www.virustotal.com/file/a445cce ... /analysis/
Attachments
pass:infected
(168.6 KiB) Downloaded 86 times
  • 1
  • 25
  • 26
  • 27
  • 28
  • 29
  • 56
 Return to “Malware”