ZeroAccess[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

ZeroAccess.zip
Size

165KB
MD5

25b0dfbf8d762ddf965d62760af11895
SHA1

591cbc4108d91b6a53e26dab2202cef9bc8fadeb
SHA256

769f6ab4c26caa66c0d1c43f7b1ab28e51bdbec94e473da04e59517c741aaf8c
SHA512

837e06a229a36f643eb40cf38fd10f4a54dc0b8e0abca7fe21a8634af4f95749a937bf3d485551d7fc50547c2a9df97570b90b8ca3f5962126d95e1b12743f6e
SSDEEP

3072:G/CiK3TU9bOCAbQDJWWL4nPXiFdJ7pGDwKcYiBTiguvFpGHKclmzEzJ:G/CJ3qb9AbQQBPSLGDwKMDU2KMzJ

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/ZeroAccess_xxx-porn-movie.avi.exe_
unpack001/dumped.dll

Files

ZeroAccess.zip
.zip .ps1 polyglot

Password: infected
ZeroAccess_xxx-porn-movie.avi.exe_
.exe windows:4 windows x86 arch:x86

Password: infected

f779ba733fe09bbc41ec56db49c53fa3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

CreateErrorInfo
DispGetIDsOfNames
BstrFromVector
OleLoadPictureEx
GetErrorInfo

kernel32

GetVersionExW
GlobalLock
GlobalAlloc
GlobalReAlloc
GetModuleHandleW
GlobalSize
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
LocalAlloc
LocalFree
CreateFileA
lstrcmpA
GetFileAttributesA
GetProcAddress
GetModuleFileNameA
GetTempPathA
DeleteFileA
CloseHandle
GetCurrentDirectoryA
GetLocalTime
FindClose
FindNextFileA
FindFirstFileA
EnumResourceLanguagesA
WideCharToMultiByte
ReadFile
WriteFile
SetFilePointer
GlobalHandle
IsDBCSLeadByte
GetModuleHandleA
VirtualProtect
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetProcessHeap
CreateProcessA
GetTempFileNameA
HeapFree
HeapAlloc
LoadLibraryW
InterlockedExchange
Sleep
InterlockedCompareExchange
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetLastError
GlobalFree
GlobalUnlock
GetCurrentThread
lstrlenA
MulDiv
MultiByteToWideChar
FreeLibrary
RaiseException
LoadLibraryA
FormatMessageA
GetSystemDirectoryW

setupapi

CM_Get_DevNode_Status
SetupDiGetDeviceRegistryPropertyW
CMP_WaitNoPendingInstallEvents

user32

SetWindowLongA
SetWindowTextA
SendMessageA
GetDlgItem
wsprintfA
WaitForInputIdle
CharUpperA
MessageBoxA

Sections

.text
Size: 147KB - Virtual size: 147KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 250B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
dumped.dll
.dll windows:5 windows x86 arch:x86

Password: infected

48543a709489a7fb0ada5149ac24a97b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

RtlInterlockedPopEntrySList
RtlInterlockedPushEntrySList
memset
ZwSetLowEventPair
ZwWaitHighEventPair
ZwSetHighWaitLowEventPair
ZwCreateEventPair
LdrFindEntryForAddress
ZwCreateEvent
ZwQueryInformationToken
ZwOpenProcessToken
RtlConvertSidToUnicodeString
RtlAppendUnicodeToString
memcpy
RtlNtStatusToDosError
ZwOpenEvent
ZwWriteFile
ZwClose
ZwReadFile
RtlInitUnicodeString
ZwOpenFile
wcscat
wcscpy
wcsrchr
LdrGetProcedureAddress
swprintf
wcslen
RtlExitUserThread
LdrProcessRelocationBlock
RtlImageDirectoryEntryToData
RtlImageNtHeader
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
RtlComputeCrc32
RtlAddressInSectionTable
ZwSetInformationFile
ZwSetEaFile
ZwCreateFile
ZwDeleteFile
wcstoul
ZwQueryDirectoryFile
ZwQueryEaFile
qsort
ZwQueryVolumeInformationFile
RtlTimeToSecondsSince1980
RtlUnwind
NtQueryVirtualMemory

kernel32

LeaveCriticalSection
GetSystemTimeAsFileTime
GetLastError
BindIoCompletionCallback
LocalFree
LocalAlloc
DeleteTimerQueueTimer
CreateTimerQueueTimer
CreateThread
DisableThreadLibraryCalls
GetProcAddress
DeleteCriticalSection
InitializeCriticalSection
SleepEx
Sleep
FreeLibrary
LoadLibraryW
VirtualFree
EnterCriticalSection
LoadLibraryA
VirtualAlloc

advapi32

CryptDestroyKey
CryptDestroyHash
CryptVerifySignatureW
CryptSetHashParam
CryptCreateHash
CryptReleaseContext
MD5Init
CryptGenRandom
CryptImportKey
CryptAcquireContextW
MD5Final
MD5Update

mswsock

AcceptEx

ws2_32

setsockopt
WSASend
WSARecv
WSAIoctl
listen
WSASendTo
closesocket
WSAGetLastError
WSASocketW
WSACleanup
WSAStartup
bind
WSARecvFrom

Exports

Exports

DllGetClassObject

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

f779ba733fe09bbc41ec56db49c53fa3

Headers

File Characteristics

Imports

oleaut32

kernel32

setupapi

user32

Sections

.text Size: 147KB - Virtual size: 147KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 8KB - Virtual size: 8KB

.reloc Size: 512B - Virtual size: 250B

Password: infected

48543a709489a7fb0ada5149ac24a97b

Headers

File Characteristics

Imports

ntdll

kernel32

advapi32

mswsock

ws2_32

Exports

Exports

Sections

.text Size: 12KB - Virtual size: 12KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 6KB - Virtual size: 6KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 147KB - Virtual size: 147KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 8KB - Virtual size: 8KB

.reloc
Size: 512B - Virtual size: 250B

.text
Size: 12KB - Virtual size: 12KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 6KB - Virtual size: 6KB

.reloc
Size: 1KB - Virtual size: 1KB