ZeroAccess (alias MaxPlus, Sirefef) - Page 41

Re: ZeroAccess (alias MaxPlus, Sirefef)

#19395 by erikloman
Thu May 23, 2013 3:37 pm

We just released a Beta version of HitmanPro that cleans up the reparse points:
http://www.wilderssecurity.com/showpost ... count=5345

Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com

Username

erikloman

Posts

70

Joined

Sun Mar 14, 2010 8:53 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

#19461 by EP_X0FF
Wed May 29, 2013 9:17 am

Nearly two months after
http://blog.avast.com/2013/05/29/analys ... f-cryptor/

#slowpokes

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#19480 by EP_X0FF
Thu May 30, 2013 8:50 am

Multipart 3.x RAR archive attached. Pass: infected, 428 Win32/Sirefef, SHA1

Code: Select all

01011e2bc818685704a243d83f07ec9fb404d712
01c6f0f8965e2869fe1bb63ea6fd49738c1218f4
02befe8500c6d8b98a88990dedc6be2ffcde8028
032f2d573c88b7169005af753cbce38a410a7b2a
03487856a2d14e79a3abed7fba655a05e922a5e6
03d815ef1dca3a0be59e03e2e6ac2cb6eacf6131
03e9e7ac8591c88376d6bf2185c4cabbbdb0449d
05679c11e68c15ea9f434b92e4822930f6135220
05894254e2ac34f18ae6e745bc6cd4bd433dc047
05a10a43ea7eea9bbc8d0aefac8f8e157bd1dd7c
071d08296966976fcfa1f22886c19222b413f9af
07d14400543e14ade634c5e0504b6bcaf95417a9
0820cdae8e850f774cfa341a9db5e745049c035c
09372b1586a621c4b0252596417240768a4fa78b
09477741bfabececa80ac0362c4807220eef1af6
09bb7d6cbc5e7bd59aa55c8cb149e80ccb6f18fd
09d4e70112fd7ea851a2df3aca63ebff59d88b0b
09e7e70170ebfd8cbe48d4e5679586780d942914
0ababb46e57a233e3bab3312e9d15f3ee0b131b7
0b0e6f2dca323be8c2dcc282532c3625686ffeb9
0d6e20d8f80e3134f8651ba8736138085bda62a0
0de891ce347beefdb31b978b4b022be622bb08c5
0e03439b9672353b4a9f7eb42e65e0995c89d8a2
0f9a863ce5e625f8f00199e5ccc484e9181a2562
1153bf5909beeb1fcc0135c7e5eb7f71cc185ebc
1369310d8c0b1796f034c4674031f7423cffa848
1378adcccdfca3b6ae91ce7c30fd0fa416c9e56c
1418c31733490ac476a0b30e4d0e753324d8e69a
144f1a1cd695c75a20bbe023e143c48265e91664
14747129052e99c42819c7895182c99b150cce6b
153adeeb2e504d30243632f312cda635d9501dd4
155ab3e7ab687b3786016e5ab4b82d3272b88f36
16be12d38d8956cc63911cd7043eab12138c6e2c
16d6711265ec8bbcca979719a834d80ca8549949
16ea75c563b688c249b937d6d345bda0893a105a
16f76c97f74a0dc2538b30c81c0191f0f7778ff9
188bcb281dc1c98fa1054db761667a7031bc5324
18cbab3cc1ab126b6e7de762f3cb75cb1a9049f7
198efc29bfbce61b730d2a60f5902c97d04a2041
19dc66ca0f277cc738e6c5a403ed2762ee7af394
1a09da60496c85d289eb821c8a39dbfc715de921
1b5b4111294132ad467f3a6cec748cea35a45250
1bd96d87316ca6171e1c9ad2f541ab49c8b85a42
1bf54cf2dcb7973d5aa265497a88d4179fc29820
1c0f71a547a95dbdd07fb357d4f9a0523db65b3c
1e60541c9c4822c21e0f962eb0e28ab2ff39768d
1e8b90ded7f4d7dbef753a8bdb5b6f64fd04d438
1f5372d181c1b938f56527d328751c8ff0ab068b
21519b3876b77bdda76ee6a8fb99e78e0e9ca483
223b6df75834c66a309836f9b6b295c552b4ba08
22a4f5a9adf4e52c31cc2dfe5d3e97c61e227c51
22c943b3068640a7ce1ec31b79f7bb29bccda6bd
22cb21508de3bf6cdc201c9de03bba81391246be
233bd5388a950e8258a8c5159e428b8bfe73202a
23599c04b78c61e6f29dffd1b1cc5b6f4976615f
23890932a96a1cf2062f50b6df0b791a9bff6075
24a39f6fc65fb6873bd6a9ca0c4f3f0f3105fe58
274a980e503b5747ef2ab8f9cc64c882f6548733
274d301c0bb74f8ec09136ebb0c98a056b22ed5b
276f6951832d8d79e5de42dc9d77a90679b6967b
2786bd9e4f3a74af8c7364c2cd60d8e833358de5
281aff5a00a44aa2a3720355d70bd8d9a848bb21
2823a32f8c568bc3ce70e23720228bc61c820f29
28eab590fa04cc8bbfb3ad77e0b7cfff49f7ccff
298e1e6cdc5b0e52bfa06b46aea22aa9eec91870
2b002c6244d517d4ef5588ba5d4bab1da349e5eb
2b23cb9090c25940f0577e407e1b241d50425dee
2b84daf955ec1d6cdbef8049b329db2437c1ed92
2c30ee13c795a4bd6eca16694a40598efe7678fe
2c39c9d13289c113e57a5b468dd8bc4326acbfee
2ca4035164d0654716e66099cec7a121cdd8aa71
2cf797506792050af4cac03fed007e8c076548a7
2e15c2d8c26ef0a9ec6dbf7f3f4e1fa13ec5a5dd
2ea16ac4dac0536bc174269e29d25968f6ba2485
30382572c2a5336fbe8c702f88d648d73ae0b5cb
304673dae5367ce5a09e670cf8bd5b52bf3a5144
307fe0fa515e90567f32b2359caeb4f09bb41deb
30cfd21a75505d0fa4be7e97e9a317aa01910f0a
31232ed99603cc1e9bc532f71e0e4d130bf8ff33
315975f2cb77021ac5e2958bc3392ae30d512eec
318e84c1e427e2918a58f411e60a3eaede208dab
327173be0c5c6d52fd473ff1345a80f8733cec01
329c41a4ecdd60a0825111816c94b16370aaed7c
32a8ebacafbbf47e5f14b30a84adaaa575455226
32d15b5905a0ddf2385195845db03224785eeb62
33f5061e09513616dd9fcd4a25bd254a84b098ab
3486e0e44f71cc79296e679241cb2f78208c2266
356c1a41e8585568e49fdd689b11768eaed69349
3570c8f5199453aa4c6993ed7c0c291c297b0a05
35ad3a051b6426f91e1132792a1f3149275442e3
35b34365bbf7de333c640a54b518a5d0f63b8598
398e7d5a1de09ff1145bc85dc94c82887900f6f7
3a371251a3b7c4e3c6db53dae6008dfc0ee63e95
3a4e9ff559d04dc854544ed57e54c679fde6cb99
3c7abaa1c5cd792a828d3418328d89b8f13dd3a7
3d8abff43375ff775b43049e0d5d1a08dcbeda55
3db38807ac07edef0f69d4e77810bda2b68155a9
3e01b21a605db5b15c994a1cd4d73784393020dd
3e2cc1db80aa5be5ce5faf63d527037974b58737
3f11dd0c159fc37894b5fe09b2ced8de7b69f55c
3f34d07459b01470ac4be76d66fdfe7b75d90b23
3f3758c00640fdb3c6640498f17bf71ffff753fd
3f5526241d5c6033e6cad5be1edb6a8e20d3dedd
3f6ebc3ff9a4c7b5b7316acb1f8b5c72150a5a75
3f9f17fff750036e0a4935992c7edd467bff1999
3fc8664c8be3b0877453c653c70db2fd7966a9dc
4051d144431c77feb8f36fd6174b338db7dcb842
418f2fe7161c25e2b6c68ecaf5bbf0084b3260b5
41cee0b13311094dda06cab4abe605a2e8267074
433a5c610b6f86d6335bdc15fb69b09f728a038e
436adfb39ba396a7e3197816ca2395526e52b3a8
4373aa40c0e802504a32b89566df26039121e8fd
437a6e3955cd9d6507e3f0706376a62c131c5e45
43a55bb792a5868aaed1066fbb087040ef01642a
45b72ba54503daa83e6fceff8b40b2a68b27a5a2
464ae354458614db20130e0f2451663a2d4ecea5
464df7678dd94f5fd29a66312f91ee642335b831
46bf253db052e11fbb2b8c68588adc987eee8a97
46ed977db4f101f91df61972f5079991b107e664
471cf7cd5e500420d7dc9f63a5b17738df02e053
47f0943fe6822de52f1caec8d22bf4077f8c4175
4904e4efd70cac4bf1422e1607f857191d3833c6
49ad50baf7e13f3c64a89fef0f23dec9082c621b
49d1b9c8a9581641974a27aa7d1114f1a6494fb3
4aa19224a3af23a4fa3704544bbfab481224e6c8
4bbf461064895af2f673252d156b9e88aa2098ab
4c5c09c1a34e1579de884809440b2108e56808c6
4d1159b6658c749b7eaafdd3533cf13ce3acaf84
4d9523c3e3b2004cc1a521ab80eaa6d25d6b7a62
4e081ae77a501255fd2921f08719941eb3516704
4fa7a6b8322d4c343244c8e197d33998c454886e
50aaabffb694edea54b5618544c2196984ea7f16
514452bea8caed674d18699d41841d3eec080db3
51ae60f4881c07ab4ae62e561b7c68dc252d76a1
527a5665069e9b0f1e49d936312795db8d0cb4fa
535b3e553c89fb31ca9bab44cf2f5a56c9ba17e4
53e58144d3fafbe4e835acb24f107c7488c9ed68
53f7483fada1d6de23d6dac1b2ca89c2bc9499ea
545704155247207cf4f5bc59cb4fcb6ce045fe9b
5460c2ff217b7ada7bc8b4cb78c1e70ac1ef2a9b
552dd29b0a10cac45b6664188fa002b361a650b4
55509614dce89c8fa9562c061a7303f48c578f5a
557df84c68a48b25344663c22e860c749637df70
5612d49d7d236aa1617644615a0157e9219f405f
5652082054f6dd34ca9d256c8fd6d43926216482
5675332844d7d8ed8c952bde7d90755476e81062
5793b087d0f0f18287f709f8012b6b9ddc861e1b
58441adf25cc1a2f2ecf61633f26a8bd36c4597d
58865edbf3b242d55bc90b3a6a790bd5fd676597
5a060105f1c7de618a452ca57f0fd5bdf88636ac
5a1e49576e1357c34906ceede6e80eccdb60726f
5a6b26b98d60311b28226791bed2046b7adc2b62
5a8ef72d72f700177d1545db32fa6dc7d51193ce
5b1ffa70d41442d8d9322e052057afdf091bc5b9
5b24d9aeb893c957ff17730c761455ebe9acc92b
5b8d97ffb570c758cea2565f8ae2d6d8801de206
5c19b99251a28ff018147e8b5e65af1962c32cfb
5c9825bc8b4f7697191be86afae413b69b114d71
5d98cb6d05421936b74ee3cf6170e54a741bbc57
5ed518a434ccda4c51da0ca3d2c440622e199c08
5ee5b65a1873bdf4b7d26ec4c9dc19b7f3d425be
5f6abefb4ac4fb7b6c6eb89b5bc6dd8fc5065090
5fed8b40ff406a40e8622d1d0d5f9c1a2b50723c
60465bf750cc0c943ec03f59a957da0e9fa2b5a7
60716e42a443cd082e29ee14d56468a054c96be4
62da7e82efd25af228d216cd37d06aca7d40e706
644a36d162c5332a4f5a456b30c2df0ecc5d60c1
64575b461cea9c4b8ce55f7fc095e5590ee42928
64822d571aea6426be3e5d3717651133ac124c90
6494abe7618113aec92b64d83b9af6f09e66e05f
64d485f1bdc03c5861fb8d347bc323525784d3df
64f8f29cf3463dda860df4f74c41ff0421e24a6a
66372a34bf5481e964f42baf5b13aa53bdfec87b
663b04b619c2854d3edb1419e9ffdff61a98891e
66cac053254eebf4603d66a4de3ab0642e063f28
66f587d0209f1e14fd42647b7df18113a23ebb15
6787dbdd018b22ab3d265c5e4fe2e9532dd29776
6882321fee59aad4bb75f184e243c48bf8a3593c
69ed4deb9fb6b67192337074bdb481f160349675
6a30abbb60420df0e163d93102459800ec696242
6be02ac199be94b98c7bf52108665787006c8f5f
6d2f7611d9e0d2bf890337f77a9cddc1a3b60e22
6d66000af6e796915dd045c663e71d5af70bdff1
6e7211cb2afae8877e86f82c8a56588ce86aba88
6f49a0a09f5800b990487e2e523edcd18a0714f0
6f675ece84e186a5d413ce0e4fcaccab40cc7eb2
6f71e51cef3d253c3e5b2979d5683dd89644b754
6fa9a8262fe76acb352f237260cd387ae088a317
709b7ed046655aa39009bb79bcfb4a600f5eb28e
70ba6d07376169d073427576b5c92124c6555470
720ddd9185923eb0d58930d1d4973019baf243d9
73d348f613228fcb61d816387ce7ea558c53c6b9
742d22428cba758d9d7d696de1063217cde19cf0
751b7f9f019b116648ccf26c7f0fe83bdfa7cb13
754e561f3d70de2bfb6d6e5c1020abbd70b7af80
7594d299b39d8c57b54ccb4677929aaa739f28b7
75b234997c96d0b69d9ecd7f585935529a8f9f28
761845d03066768f6cc9b6f5eac86d7ffaa18267
7629ff3ded02f08401914d3eebb285038262126e
775d6383997d32ecae4d7751ec19ef03f644652c
77a6cc327bc9b74dae6b975903af340cc7aad98d
77e64614aea0333dd169200bcd1d3fe3fed957f5
77ee734b517f48a79fd8159928d937a3c9b6e188
77f6bbd314fec460d696fffae2d56dc80a1f0584
77fcc69e5e3b173f1d1adb4dcd34fb1bd9a4517e
7814f21d15fcdeabe0c8f6911c4408c9eec22bc5
7a2e864fe6a3b34eb191a022be9307de50010c93
7da78b3927362510fa62bdc1f7a48edd17363512
7da8a77cf60f56673834660f4c3fa1c8e7c8b52d
7dd97a372d568385c64ce1801f968cfb0b6818f7
7e1194a35dd82ca57b32ecd9227b00a97fd9599d
7effa2c03a443acd054dbf1297627abf0d812b94
7f2d72a6fd695562ca5a4cdbb3ca0ac547768ec6
7f53912d4ff6f49ab041bdfa9674098cb9c67600
7f7c6905bdb0e6c97be57b47ff4a8e95c47cd530
8034af408355bfc4803e4b757576c6264b06befa
8123f470119f7a1ee9308a386daa7943b969196c
833af5ece9fb676280cb99c8b05ebb804f770274
8450ab1be731c0f92bb470911f9079b6316d5fcb
85219bde7e9ecdf778db43f06cca70a31c83e708
85997721a2c6732bbaa84740465a9109642b659a
864caa08ca8a2ac458c8eb81c79be3a5f45ba0ab
869a106459ddd87c647e1830dc0271e3d93ea662
86c660ecde65a4720acd571853d8f3b762d84eb9
86e9d6266d4761c83eb5113f745b4b6fe7beb411
8854a50a448b3dede5f57f7a6fccccebe3fb8447
8971d6faa5f326bbf356c228f18df1156dd8babc
89f8dda5d30d9f0d0952ebbe808d70c999e5e790
8ab9ad4708d8cbe9e4c51f1b428fff2fa9921f00
8b38eadff944be24d7f9daeb7eef85831e5702f9
8b4dffeb32f2456b6ecd5800b46d9ac2faac022b
8b78bc4c7502e7a1ec5881b010850bf3c963df50
8bffbd5ec1cc2dc2dcb5f4a46e53a4ae20532525
8ccf02610b559bff57c15933df74e0a95b38a0f0
8cd1c094ef76a46ce10af1bfc4c55c05ede25152
8cfab473e28725358e4e768f289ba86c35d08dd2
8d37df148c9ec8487fbac2e90e78d6953a2f6125
8f27eea3fc6778a652298a0d52a31baf89e80645
8f822a94b3895efd0fa781eccbd33b66f31e61e1
90813598a60625de6a2a751b89bcafe8454c8587
90931cc7eecf6598150ad1a47f56a17ded8ee870
90c999fade8fca077397b55a19b886b142580cd3
90ea78f67e970d4dab5791150e6655b36f01716b
91024f220a8ece377f54595a236f2e7251aa7393
914e67ea8b5332206030809e9c38e1fbfe91cf8d
91b5fe0de34cbce87976b74c28b3a57692669b58
92aac1dd26b21c4f54c8712b3c1dc0aed9935e9c
92ef69ca565a9ecf19ffa2dbf39155971de81645
937e9d93f4b93aa6cdeaaf5446515b0fb62eff5c
939e76ada669b08517026aed0cbafc01f3398e08
95a59ce03e775362544f4c87a1c4f91d01a5ae3a
966aa500d3356991db0b4490a19e486c356efa62
968703363c4b5abe8d6ff9c2268520a251a3e877
96a26d2844659ae610b1c6e8792f46b354126b8c
97282eba6fe4a1d9b0c3df78b12cf7617ed4f1c8
97b57ad833691274e49dea077985581f401de0b3
97dd947b8e975857ef37ea9194b04c19a623cef5
9801e5e9deafad1c749e1382506bd821bc7e1fd5
98b4625d9f1d33e2b44a1fb769fb8dd2b6062fa8
98d92c0cb3044a1400277129b3ae96acdcc8c4eb
98e3c7592f106829938e10430e4abf84e6754831
99a979e2d89a557c4b6e4570f2ceeb132bd954c6
9a04debac47c441b2f9531cd8e2ff97aae182c75
9a12e3fa757639f58980e2ea76dfbecae963a49d
9af4c85f761b09fab398fec14a3096e4e93b27b9
9bd16857f6bdebaf97de4d658b26c25a2c289465
9d78ab1b274894b91387bc152c427b027282a3f4
9e0e8648bc72a71a1bfa7d80f5fbbb6c6dcee527
9e12f46ea563783774e039f977323141b9e1e04b
9ec401801a6cf5db54485723a58969f733a919f4
9f1c14e53961e351b3468f804a1966d0de16eab1
9f3a2664792eee0c5772a45b727ee9d85ba51ab2
9f45202a0d67e9132eb0f800d7aa0206d0cd9960
a07638297102caf5a79a79a086034f982b3b352d
a199149a7f036f8df1b22b9e68d88ec2d8f8e34b
a1a18920ecc62347a1decbe4edc2bfda0dba6ada
a1bde859cf420bf5fa3c745c2ed7b3174acb0645
a1cfdf0bb23a075d8ee75e1f1492830c6089683b
a1fb37e3bf8266efc5efd1ad6fc832024a154647
a23738e87719a6f2ab3cdad1bf75448b2517445d
a264395d42a82c338b193ee08bfaa62241b137ba
a26b4f2c6429067dafb5d586bcd747b0aec1a96f
a2a0f4698c028d6ed7ab124fb3c97f883f40fd56
a3f619d7a26c6c9661a4e89254fd548d1446f1c6
a47709432e89365644d0e0291fd5d586257581eb
a563a5fbe4028958d1bc7a6ebf1b3783ec19e5e2
a5f0d7587fd8fc1c8d237f0d02c3b50223dd7f16
a617f9921d65e1ca48e8402f98796fedb0a60d79
a619141ebddc7c4c6e22e60a18ba8776702961c7
a7f90c45c754c90ff2e608e6504644b641b5568c
a8d6d15d2675fc511dabdd0380cbc8b248c75688
a93d68635583d9256994e57659cc9e3e6072f5c0
a942fd913cd1394d2abb3bf4108084b0f1b36bb6
a954c526818461ba7f5ec5c07cf58a7f628435aa
a962251a8dd0ee9545dd1e61a2cb707db120dd3a
aa0e857684aad520afdb0ee82b588fe42b5bc4c1
abd759eba64b675b5d3ef3d1e2bd067a81692438
acdc4159a3adbadf419418c68623f7a96ecf2928
ad13199c1170cac5bdbc2e0bf6f243ef1bb6eeb1
add45fb0a4ca23a81e5042e1409b5c629f61ac24
ae6084bc10b37766b9205b590d2eb4bc587d951b
ae779f32bc1a036e2901f62e4bae5dc0ed1de8fc
aeb26a6650e715e854fe7bb1fca194bebc479ede
aff713fecfe982b0ccced85c86ad5dcae8c4187a
b050463c0a436444b09848b899b4f2df56536570
b0b150686aa081d8c873b379329eae5864794b8c
b1606301e2b56949163e728f59461e4e5156307d
b1753b4001bde97c62db1414f6fcc8f59896f9d2
b1d8115a329fe0bb231211ce90105b55c82d47a9
b1e7c583b7fb9a23daa85db4b6e344af100c2ad6
b346c5bf3b557183bfdc60eeecd0859d151a238b
b36a4ed8e3fc0ca2bdaa88d20ad4543a36b83e0c
b43f1926d0d512c3635db1ffa68f2c2ecd6e5383
b47c5454da1883961f1fda631a017ceb189b74b3
b530251dfb691fe27213664d3d41cea91f7e1a39
b53555841b7afdc34053fc5cdf43e631dbad9423
b5a0409b150b7861d8e9c3ec4bd7d5fa7d3aec44
b5b6cbf2889f31e3a4f8ca66fbc5e0e6c6fbbcfd
b6979674e2ee333fe1e1b69e52bd974fcf736e4c
b778bb885bc5dcbeefff37a6cdf112e0edea0eeb
b82bae2aec920196c0832817e4a4a6cbd4372ce6
b906d6a8cd4d77c66ab3ae7242715fa6866dbc7d
b9bd19490b4841c01a679e9877f9724bb0e4b5ed
b9db225aab6cd0fbec3c127749bce1ccdcf5dd41
bafd266d12e7d1f20bbafbcd4a0a41d7abb14ae3
bcbba9ce77e5f542d277a1cb63fdb768a043bc4b
bcfa54549ecbf9794f3205cf1a90d9b0f10668f4
bde42e49ca913c3b0ad97a52dc2b09dc2ffb1116
bdec5cf5cff865aedb1f44f1ba2b641a645c1625
be81399e2871a88264de1a1d1d809f346a0ce32a
bef3ed9c7d244241787036f8515877d9e95ac4be
bf6dd39177f7c57f8904a4dcc2d1cbc4577bf9a2
bf7eebbfe21d89878c82521bfdf15101f297e13e
bfa21825faa64c25aa4c421b095d1ce81ae6d2bc
c10ef7f28c5de6aef5a9deb86aa09cee601681e7
c27d40ce0d54a651b9dbf0a82efc43859d5e1d50
c2fd0086f7140f4cd57648576ff39055141eb097
c3661de63f153f5c257ebe27d59d1edf10018396
c39deb764b5e89c7598a7d4646d20bc551c20920
c410b7e4653cf89be7e04922b2d664c6590f2cc5
c4c44dd10dac52230e0423a260c5ccd567f1db71
c51f98389da69bd2d9d7ca1203ca260da18e0bb8
c529679101b7297d8117d62c04afbf882e7535f2
c5743090f72197b76525159628ebd160e39fdec1
c609c99619279441ec542c953dfe7afff4046105
c703a935ea3cebcab3731cf52ddc0c04d067d65b
c82984fa19563a4c6676ce448bf57bdbd6478e0d
c8bbb628372c9e2aeace8882579ff2a3297a7118
c8cdd15c92345bfbe24514ff40c050e67210f87a
c92b1257cba20533d78fdc7da7df3ac790beee04
c92bb88923e552c9b1842f73da108b7b1713d227
c95711e6bbd6e6584df51a36bc7ecb84d8e7b9c4
c97ff1cd0b9ad77b6038a3e1d35095db699e523f
ca014fb3ef5383cd1fa79fefe14caf5606ae362d
cacf8005c1bf5ddd978b48cf79a6b31c56254d8e
cb4ba655ebf6a5dc9e2e98af6bb42c31b2b06f7c
cb97b1fae28c5ce45f3292060465f55f731df9cd
cc853c4b8ecba4f2ef2d70edbfcbd475e707f7fe
ce08d0232d3d7004a39bf4e1997d8f492fb1f6cd
ce506f3525d6d1b0ee75cc04613959d92d054805
cf35c250df0796fc09f20d1fedfe2e9a98cb9fcc
cf49873b7972d0dfb1f78c2af8b6bd6e9ff16d3b
cfa6f6c7aacd4e28a3101fb63ac75ef1091d92eb
cfd6a00aa5663e6a26af027a4cfa8dc672fb070b
d06c98b750aa6318496624adf4cce463855d4e19
d170a104e09b8953ac7d395958bef4781653a70a
d19e6a657dd84bb203389a2135815da13ed33204
d25e7134f8b2a6200e5bd4a3f64052554fd00101
d318f27db7803fa45931acf7462c2bd2b4561fee
d498d2a3693818417b07df1bd36c07cd1a94e67d
d625df85985e68f8323d4374dfcb206dc85b0243
d6751daab9a81c459197ee24a8477b90b7c1e7aa
d6ac691c73c238c1d77d0e6b096c9d28bbac64f4
d6cf39af545cfc6110595dfc81babfa1da8d231f
d77af64526d82456b6a0885661064d044ab9173a
d7950823b2b74e3de7d2d3579379dd15c4e094ef
d797e2ce606b04b68932dd5bce0ab1c71b4be64c
d7e0d593e2561e1a8c8e814bcf5e1a8b56beca98
d84d154c05e5263a353950e4de47840dcfee68f5
d875daf69e3d259596394fdbdc6be20143f98633
d89201b280ae7137c6ba917484ccfaa2b2f106e7
da26a330bee516e3de8559b89b7d58e456f6105c
dc63c0e7cf013b9769ed9c3d28599437f9fae85a
dcdec4922c923b461b3f07bcc6614dd0a712916d
dce8f9b5a69737a0fe111d77765f931b7f4d4918
dd745ac8dd502c86d2284094e0e04945dae67e94
dd7c25dc15a0624d78700e8f688b52189dca5bb3
dd886af178d83d8e8657f74796bcf7fa5e4f7106
dda98224db8533a703cb2c017ff781eeae1fc422
de29265c6d636f5ff5646cacd7a9304708233a36
de780edfd789e1b1661d715bb7bb68ce743031b7
de8b2ad053e818e6988feacfe87c82aaf93012b3
de93b204aff76f8945e066ffcb467d423dd7570f
decc2224e99d94f76300a1dd44483b8e822328b1
deda6b8bd910856105cbd785fa5cb5ca0538b7b4
df84b8dd79e8f9facf0417635c410606ca01eb58
df9928a6532229bd5dd2faec5b4a8c81ffa96160
e0140ee6c9432ce68a5f3144af8c8d8a4f9bdf4b
e19d14c67ec651fa8e03869e89ff5474abb2459c
e23c4bca7f09f2a8685ff5c28ba9a61caa8aa2c8
e2cabd5a3b77e5d6e027183e7bfc0a745bb9dbce
e5828da3bf6ec6a1efece8ddcf5415c00b131938
e6a7acb61526210d625e1c72e16cf61aeefb8231
e7a8cf01f22293c08a02484ccc4bff2fe3484a80
e8611f4b30c8c2caafa55e65073c6ae413e08ffe
e8668923544d57a1369363b93e31423f7a3fbb3e
e9f3ed4ddc694dc4226923663e8f907398d8c81a
ea7789ce493a0a4be0be1f6d9dc95311073a2b74
eaadc6f45863f8feb15860fd074e2bfc4e9494ed
eca6ce987221fbb21d5deaa35e8861e2c398468f
eceb27cf61e7399922f2eb78a3b850a146bd1aaf
eebfccdbb5b153c3083e98ce06615a00767ea2fd
efe676c1f6ebf48633942b2ef715b2c9a2658be6
effdb62e4d43908cce078bda49bef5036e9ef127
f13a58fd38ff7fd9084b7f90a469c5a4bd2cb1ff
f3132a0ca5c8f6868f56c9f78a9b7ec47c74dc34
f32fe77693914c4afb90193d37496a8b43d7dc23
f44374bd1dda8ff40f78c3780c9bb8e7188e39ca
f474a1dd18a257c9a43436b8448f2488d4a30708
f61eb794513338459e9e1c7a7bae95d3858f6887
f8c291f64b62365507206b8a95c8b06cf563e791
f8cb5a44ae8165a82d1f85be35f959ff1a1e2495
fb1054b206384c2d2a3b79a287af84846b7f6496
fc44f37d264fe7ff6d48a9902f62a342d84012cf
fc8013a46410b67e2492ea97501dbbee55fa6a07
fe4312e9cab7454886b9ee0c3fe61fa3436bae76
fea9cd9d8650431ecbccb46bda315c1fe3eb2bd5
febcc690aff9f5f3bfe0edf806bdd1c84229041e

Attachments

ready.part08.rar

(981.28 KiB) Downloaded 101 times

ready.part07.rar

(9 MiB) Downloaded 108 times

ready.part06.rar

(9 MiB) Downloaded 108 times

ready.part05.rar

(9 MiB) Downloaded 108 times

ready.part04.rar

(9 MiB) Downloaded 111 times

ready.part03.rar

(9 MiB) Downloaded 126 times

ready.part02.rar

(9 MiB) Downloaded 115 times

ready.part01.rar

(9 MiB) Downloaded 113 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#19628 by EP_X0FF
Thu Jun 13, 2013 4:46 pm

ZeroAccess downloaded by ransomware as one of the payloads.

dropper, sample courtesy of markusg
https://www.virustotal.com/en/file/5949 ... /analysis/

2 stage deobfuscated dropper
https://www.virustotal.com/en/file/495e ... /analysis/

3 stage aplib unpacked dropper (perform MSE/WinDefender blocking)
https://www.virustotal.com/en/file/858e ... /analysis/

p2p.32.dll ("n")
https://www.virustotal.com/en/file/e3f2 ... /analysis/

p2p.32.dll deobfuscated
https://www.virustotal.com/en/file/8431 ... /analysis/

p2p.64.dll unchanged since Oct 2012.

Sirefef payload already uploaded somewhere in this thread, it is unchanged.

Mentioned components and dropper in attach.

Attachments

Malware.rar

pass: infected
(372.8 KiB) Downloaded 122 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#19767 by x9090
Mon Jun 24, 2013 2:29 pm

EP_X0FF wrote:Fresh Sirefef plugins.

all built 23/04/2013

Group aid_1 , x64 botnet

00000008

80000032

80000064

SHA256: ef8766efc0ddc7a56a71dbcc65200537988163512c70f9ce8cd44398943de5ad
SHA1: b13bd8868b583578c5146afb237dc55b85512158
MD5: 0c3d0bf1eba67f7bc674698e5f5063d2

https://www.virustotal.com/en/file/ef87 ... /analysis/

SHA256: dbdaea813662144d3d37323ddab9c9dc63501fb09e9da3c70325be5ca816c92b
SHA1: 48c3e4403b2099d7ce9bbb89ff0f0ccbf77981f4
MD5: ec42457ade8c59c6479b44f8a6636f6f

https://www.virustotal.com/en/file/dbda ... /analysis/

SHA256: 740cb7e8b404081db03b500fda84b8baf94d2cfd5294638287aec848065ac1d5
SHA1: a065922e48e274f827bc8a04091a44632d498373
MD5: 2350278451ed723fde51380fcbece2e2

https://www.virustotal.com/en/file/740c ... /analysis/

Group aid_1, x86 botnet

all built 23/04/2013

00000008

80000032

SHA256: 05682aae61f3489f7320f384bb58915be85b42d30db4f4ed0a8d659cf2df1e29
SHA1: 0175c1ee2d3e3210cfbfdd52f2c65febb547515e
MD5: 36616e8f309b35f8e090068690272239

https://www.virustotal.com/en/file/0568 ... /analysis/

SHA256: 0a4ff7b562e94f1aae912473c65e23551f26025bba80b065bfd51d908f2f0b42
SHA1: 2587b2a16644839cbf08f2943fa21cc0c8dd6e5d
MD5: 8d8ae5a1c57c3b441fabdb83586c7d0e

https://www.virustotal.com/en/file/0a4f ... /analysis/

Starting with these builds, the bitcoin mining payloads have been removed.

00000008 has been stripped without UPX packed Ufasoft bitcoin miner.
80000032 bitcoin mining thread routine has been removed from the code.

Anyone has any idea could these bitcoin payloads probably stored in other files?

It is kinda weird that with the current exchange rate of BTC, the botnet operators gave up mining bitcoins in the botnets.

Username

x9090

Posts

1

Joined

Sun Aug 29, 2010 6:24 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

#19794 by EP_X0FF
Tue Jun 25, 2013 7:21 am

Bitcoin mining on CPU and GPU is out of date. Perhaps they just waiting for Bitfury ASIC, I really doubt botnet mining will be comparable with specialized ASIC devices (3-5 Gh/s from only 1 chip). Or.. who knows?

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#20254 by rough_spear
Sun Jul 28, 2013 2:33 pm

Hi All,

Three sirefef files from infected pc.

VT links -
https://www.virustotal.com/en/file/2324 ... /analysis/

https://www.virustotal.com/en/file/a258 ... /analysis/

https://www.virustotal.com/en/file/1ca8 ... /analysis/

Regards,

rough_spear.

Attachments

Sirefef.7z

password - infected.
(62.98 KiB) Downloaded 71 times

Username

rough_spear

Posts

163

Joined

Mon Oct 18, 2010 4:46 pm

Location

India

Re: ZeroAccess (alias MaxPlus, Sirefef)

#20257 by bao
Mon Jul 29, 2013 9:10 am

https://www.virustotal.com/ru/file/228e ... 375089004/

Attachments

Win64Sirefef.rar

(481.78 KiB) Downloaded 69 times

Username

bao

Posts

20

Joined

Sat Sep 22, 2012 9:27 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

#20259 by EP_X0FF
Mon Jul 29, 2013 2:07 pm

bao wrote:https://www.virustotal.com/ru/file/228e ... 375089004/

All data in attach.
Notice new p2p.32.dll/p2p.64.dll (32 bit version even without obfuscation) and updated 80000032.@ plugin.

Attachments

sirefef.rar

pass: infected
(361.92 KiB) Downloaded 80 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: ZeroAccess (alias MaxPlus, Sirefef)

#20269 by unixfreaxjp
Mon Jul 29, 2013 8:39 pm

ZeroAccess distributed in Japan, via Glazunov Exploit Kit.
The EK infected site was practically hacked, without IE & some conditions it blinds me..

But after the conditions met:

Noted: this is the injection code made by server site. No such trace of redirection code found in original site's data. Mustbe a hacked of either .htaccess, php.ini, default.php etc, or even there's a deeper risk than that, please be concerned to your server security if you got hit by this EK infection.

redirected access was spotted to various URLs, same IP:

Code: Select all

hxxp://212.124.115.197-static.reverse.softlayer.com:8080/3167716386/733
hxxp://212.124.115.197-static.reverse.softlayer.com:8080/3167716386/5504.zip
hxxp://212.124.115.197-static.reverse.softlayer.com:8080/17371

This redirection caused by injection code in the top page:

or

with help of @kafeine we whacked the sample in one session only:

The ZeroAccess is using below Crypto:

Code: Select all

Microsoft Base Cryptographic Provider v1.0

Faking Google Update:

Code: Select all

GoogleUpdate.exe
Google Update Service (gupdate)
Keeps your Google software up to date. If this service is disabled or stopped,
your Google software will not be kept up to date, meaning security vulnerabilities
that may arise cannot be fixed and features may not work. This service uninstalls
itself when there is no Google software using it.

The actual DLL used:

Code: Select all

GDI32.dll  
USER32.dll 
IMM32.DLL  
ntdll.dll  
kernel32.dll
Secur32.dll 　←注意（確認・チェック・DEP）
RPCRT4.dll 
ADVAPI32.dll
USP10.dll  
LPK.DLL    
msvcrt.dll 
WS2HELP.dll
WS2_32.dll  ←注意（結構マルウェア使われています）
SHLWAPI.dll
SHELL32.dll
comctl32.dll
mswsock.dll  ←注意（ネットワーク）
hnetcfg.dll 　←注意（ネットワーク）
wshtcpip.dll　　←注意（ネットワーク）
rsaenh.dll  ←注意（エンコーディング）
crypt32.dll　←注意（エンコーディング）
Apphelp.dll
VERSION.dll

Forget it if you want to run sample in Cuckoo or sandbox:

GeoIP as usual:

ZeroAccess Botnet:

All leads to this one IP only, suspected CnC used for initiation the bot:

Encrypted comm via "malformed" UDP aka ZeroAccess botnet crypted protocol:

Samples, PCAP, PluginDetect 0.8.1 used, Jar with CVE-2013-1493 as per below pic is shared below, hope this help researchersand antivirus industry!

Sample:
JAR: https://www.virustotal.com/en/file/02f4 ... 375117024/
Payload: https://www.virustotal.com/en/file/3f8b ... 375108446/

More details is here (I am sorry is in Japanese! Please use google translate, but I strongly suggest you see as per it is for the better format codes)

Attachments

Glazukov-ZeroAccessJP.7z

(162.98 KiB) Downloaded 103 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm