Sample: 9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04

VirusTotal: 2/55 (at the time of analysis)
McAfee-GW-Edition, BehavesLike.Win32.Ransom.mm, 23.01.2016, 132
Qihoo-360, HEUR/QVM20.1.Malware.Gen, 23.01.2016, 132

Compilation Timestamp: 0x5680253A (Sun Dec 27 12:51:54 2015 as displayed by the analysis tool; the raw value decodes to 2015-12-27 17:51:54 UTC, so the display is in UTC-5)

Here are the imported libraries:

Here are the imported blacklisted calls:

Here are the indicators of the PNG dropper: the calls imported from gdiplus.dll (GDI+, which enables applications to use graphics and formatted text on both the video display and the printer).

Red Flags:
YARA Signature: ZeroAccess v3 Dropper

```yara
global private rule gen_characteristics
{
    condition:
        ( uint16(0) == 0x5a4d or uint16(0) == 0x0000 ) and filesize < 85KB
}

rule zeroaccess_9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04
{
    meta:
        description = "sample_9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04"
        author = "Vitali Kremez"
        reference = "Detects the ZeroAccess v3 Dropper"
        date = "2016-06-03"
        hash = "9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04"
    strings:
        $s0 = "<requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>" fullword ascii
        $op0 = { 83 c4 0c 8b fd 8d 44 24 40 50 ff 74 24 18 ff 15 } /* Opcode */
        $op1 = { 8d 44 24 38 89 5c 24 3c 50 ff 74 24 18 89 5c 24 } /* Opcode */
        $op2 = { 8d 44 24 14 50 56 ff 15 14 20 40 00 85 c0 0f 85 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 85KB and all of them
}
```
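To make the rule's requirements explicit, here is an added example (not the author's tooling, and not the real sample) that re-implements the YARA logic above in plain Python and decodes the compile timestamp. It evaluates the global rule and the sample rule separately, reports which string hit or missed, and runs against constructed bytes that carry the MZ header, the manifest string and the three opcode runs. The `fullword` modifier on `$s0` is not modeled, and the names `build_sample`, `gen_characteristics` and `zeroaccess_v3_dropper` are this example's own.

```python
"""Plain-Python re-implementation of the page's YARA logic, so the rule's
requirements can be checked without yara-python. Added example, not the
author's tooling; build_sample() produces constructed bytes, not the dropper."""
import struct
from datetime import datetime, timezone

# Strings copied from the page's rule. $op2 ends in "ff 15 14 20 40 00", a
# `call dword ptr [0x00402014]`: an absolute IAT slot of this build (image
# base 0x400000), which is why the pattern is tied to this exact binary.
MANIFEST_STRING = b"<requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>"
OPCODES = {
    "$op0": bytes.fromhex("83 c4 0c 8b fd 8d 44 24 40 50 ff 74 24 18 ff 15"),
    "$op1": bytes.fromhex("8d 44 24 38 89 5c 24 3c 50 ff 74 24 18 89 5c 24"),
    "$op2": bytes.fromhex("8d 44 24 14 50 56 ff 15 14 20 40 00 85 c0 0f 85"),
}
MAX_SIZE = 85 * 1024  # YARA's "85KB" is 85 * 1024 bytes


def pe_timestamp_utc(stamp):
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC) as UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def _uint16_at_0(data):
    """YARA's uint16(0) is little-endian, so 0x5a4d is the bytes b'MZ'."""
    return struct.unpack_from("<H", data)[0] if len(data) >= 2 else None


def gen_characteristics(data):
    """The page's global rule; a global rule's condition is ANDed into every other rule."""
    return _uint16_at_0(data) in (0x5a4d, 0x0000) and len(data) < MAX_SIZE


def zeroaccess_v3_dropper(data):
    """Evaluate the sample rule and report each string's hit so a miss can be explained.
    Simplification: the `fullword` modifier on $s0 is not modeled."""
    hits = {"$s0": MANIFEST_STRING in data}
    hits.update({name: pat in data for name, pat in OPCODES.items()})
    own_condition = (
        _uint16_at_0(data) == 0x5a4d and len(data) < MAX_SIZE and all(hits.values())
    )
    return {"strings": hits, "matched": gen_characteristics(data) and own_condition}


def build_sample(drop=None, pad_to=0x4000):
    """Constructed bytes for demonstration, NOT the real dropper: an 'MZ' header, the
    manifest string and the three opcode runs separated by filler. `drop` omits one
    string; `pad_to` sets the final size (87040 or more crosses the 85KB limit)."""
    parts = [b"MZ" + b"\x90" * 0x3e]
    for name, blob in [("$s0", MANIFEST_STRING), *OPCODES.items()]:
        if name != drop:
            parts.append(blob)
        parts.append(b"\x00" * 0x40)
    return b"".join(parts).ljust(pad_to, b"\xcc")


if __name__ == "__main__":
    print("compile time:", pe_timestamp_utc(0x5680253A).isoformat())
    for label, blob in [("full", build_sample()),
                        ("no $op2", build_sample(drop="$op2")),
                        ("90KB", build_sample(pad_to=90 * 1024))]:
        print(label, zeroaccess_v3_dropper(blob))
```

Two things worth noting from running this. The absolute address inside `$op2` means the rule matches this build and little else; a rebuilt or relocated dropper with the same code would miss on that one string and, because the condition is `all of them`, fail the whole rule. And the global rule's `uint16(0) == 0x0000` clause admits files that start with two NUL bytes, but the sample rule's own `uint16(0) == 0x5a4d` overrides it, so for this rule the clause is redundant rather than harmful.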
Author: Vitali Kremez