A forum for reverse engineering, OS internals and malware analysis 

ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20568  by N3mes1s
 Thu Aug 22, 2013 9:47 pm
SHA256: f402260b175a3542a272f04e03124b2a207c604f68a77d62879d7ff676ae4f33
SHA1: 76a1d8d19236ec0d45546a70c74d7ab3614ee2c8
MD5: 5446dd8981582828a82361287e023312
File size: 204.0 KB ( 208896 bytes )
File name: java2
File type: Win32 EXE
Tags: peexe
Detection ratio: 7 / 46
Analysis date: 2013-08-22 20:20:44 UTC

https://www.virustotal.com/en/file/f402 ... /analysis/

https://malwr.com/analysis/OGFkYjM5MTMw ... e9a0a29d75
Attachments
password: infected
(118.48 KiB) Downloaded 89 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20583  by N3mes1s
 Fri Aug 23, 2013 5:12 pm
SHA256: 10ab2e2ec7793e086d66081c60347150e691a87f3b35a0990353992a84b27f39
SHA1: dfd2243d85e544dc0d02781ba1e51c8a055caa19
MD5: 7137e24d685772fdf0ab0fa6239465fe
File size: 249.0 KB ( 254976 bytes )
File name: 10ab2e2ec7793e086d66081c60347150e691a87f3b35a0990353992a84b27f39.bin
File type: Win32 EXE
Detection ratio: 3 / 43
Analysis date: 2013-08-23 16:30:15 UTC

TimeStamp 2013:08:23 07:28:07+01:00

https://www.virustotal.com/en/file/10ab ... 377275415/

https://malwr.com/analysis/ZmY3ZmFkYTY4 ... d77daf1f87

PCAP
pcap - password: infected
(376.68 KiB) Downloaded 55 times
Attachments
password: infected
(118.09 KiB) Downloaded 83 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20588  by Evilcry
 Sat Aug 24, 2013 6:49 am
SHA256: ebe55dc39519b1d26df7cf30fe9342dedc3f4b7c02346c6cc6421cb3171e71bd
SHA1: bc8ff8ee98b54e45386493d3dd7626d788faca3a
MD5: af445c4153e26888bb4a8db656a7cc1d
File size: 191.5 KB ( 196096 bytes )
File name: af445c4153e26888bb4a8db656a7cc1d_kaf0x0
Detection ratio: 5 / 46
Analysis date: 2013-08-24 04:51:31 UTC

Origin: Blackhole EK (more information here: http://pastebin.com/ztdz8yu8 )
Attachments
Password: infected
(114.71 KiB) Downloaded 91 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20590  by EP_X0FF
 Sat Aug 24, 2013 8:45 am
Evilcry wrote:SHA256: ebe55dc39519b1d26df7cf30fe9342dedc3f4b7c02346c6cc6421cb3171e71bd
SHA1: bc8ff8ee98b54e45386493d3dd7626d788faca3a
MD5: af445c4153e26888bb4a8db656a7cc1d
File size: 191.5 KB ( 196096 bytes )
File name: af445c4153e26888bb4a8db656a7cc1d_kaf0x0
Detection ratio: 5 / 46
Analysis date: 2013-08-24 04:51:31 UTC

Origin: Blackhole EK (more information here: http://pastebin.com/ztdz8yu8 )

Modules in attach. All build yesterday. Notice how small become p2p.32.dll with latest protocol changes and removal of dll obfuscator. And how relatively bad they all detected

https://www.virustotal.com/en/file/9ea2 ... /analysis/
https://www.virustotal.com/en/file/3073 ... /analysis/
https://www.virustotal.com/en/file/10f3 ... 377333628/
https://www.virustotal.com/en/file/e7d4 ... 377333629/
https://www.virustotal.com/en/file/5980 ... 377333631/

All plugins also updated, 16 Aug - 21 Aug.

https://www.virustotal.com/en/file/2b0e ... 377333822/
https://www.virustotal.com/en/file/9475 ... 377333822/
https://www.virustotal.com/en/file/8fd1 ... 377333823/
https://www.virustotal.com/en/file/0d37 ... 377333823/
https://www.virustotal.com/en/file/19e0 ... 377333825/

edit, z00clicker (16 Aug) from 800000cb plugin in attach

https://www.virustotal.com/en/file/2a78 ... 377334033/
https://www.virustotal.com/en/file/4aff ... 377334076/
Attachments
pass: malware
(32.35 KiB) Downloaded 78 times
pass: malware
(309.85 KiB) Downloaded 88 times
Sirefef components, pass: malware
(125.01 KiB) Downloaded 90 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20672  by Quads
 Sun Sep 01, 2013 11:39 pm
The ZA folder in the Quarantine does not want to remove itself from the Hard Drive, means the Quarantine folder cannot be deleted.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-09-2013
Ran by Phyllis Toshiba at 2013-09-01 18:21:12 Run:3
Running from C:\Users\Phyllis Toshiba\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
Folder: c:\frst\quarantine
DeleteQuarantine:
end

*****************


========================= Folder: c:\frst\quarantine ========================

2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}
2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙
2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙\Ⱒ☠⍨
2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛
2013-08-27 23:21 - 2013-08-30 08:56 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{17e16652-7966-197b-87f6-ca04a86e9b05}

====== End of Folder: ======

C:\FRST\Quarantine => Failed to delete.

==== End of Fixlog ====

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20674  by Quads
 Mon Sep 02, 2013 1:54 am
Thanks

I have had 4 users where once the Zeroaccess folder is moved to Quarantine (for FRST) even by FRST itself, in Normal and Recovery Modes FRST still fails to delete its quarantine.

I have a 75 year old user as the last one left.

One user, I had manually step by step shift the Zeroaccess folder back inside the Install folder so the FRST\quarantine folder would then delete as soon as the Zeroaccess folder is moved out.

The Zeroaccess folder is able to be moved around in Windows, but won't delete at times, for the parent folder it is inside to, Including _OTL hahahaha

Quads

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #20676  by Quads
 Mon Sep 02, 2013 6:19 am
I already have with 2 systems, with scripts of

Content of fixlist:
*****************
Start
Folder: c:\frst\quarantine
DeleteQuarantine:
end

Or just

Content of fixlist:
*****************
Start
DeleteQuarantine:
end

And it fails to delete, Example log below

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-09-2013
Ran by Phyllis Toshiba at 2013-09-01 18:21:12 Run:3
Running from C:\Users\Phyllis Toshiba\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
Folder: c:\frst\quarantine
DeleteQuarantine:
end

*****************


========================= Folder: c:\frst\quarantine ========================

2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}
2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙
2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙\Ⱒ☠⍨
2013-08-27 23:21 - 2013-08-27 23:21 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛
2013-08-27 23:21 - 2013-08-30 08:56 - 0000000 ____D () c:\frst\quarantine\{17e16652-7966-197b-87f6-ca04a86e9b05}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{17e16652-7966-197b-87f6-ca04a86e9b05}

====== End of Folder: ======

C:\FRST\Quarantine => Failed to delete.

==== End of Fixlog ====


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-08-2013
Ran by SYSTEM at 2013-09-01 16:22:54 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Start
DeleteQuarantine:
end

*****************

C:\FRST\Quarantine => Failed to delete.

==== End of Fixlog ====
  • 1
  • 43
  • 44
  • 45
  • 46
  • 47
  • 56
 Return to “Malware”