Vitali Kremez
ZeroAccess V3 Dropper: Malware Analysis

6/5/2016

Sample: 9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04

VirusTotal: 2/55
  • McAfee-GW-Edition: BehavesLike.Win32.Ransom.mm (23.01.2016, 132)
  • Qihoo-360: HEUR/QVM20.1.Malware.Gen (23.01.2016, 132)

Compilation Timestamp: 0x5680253A (Sun Dec 27 12:51:54 2015)
Here are the imported libraries (load type, number of imported symbols, description):
  • ntdll.dll (blacklisted): implicit, 21 imports, NT Layer DLL
  • kernel32.dll: implicit, 3 imports, Windows NT BASE API Client DLL
  • shlwapi.dll: implicit, 3 imports, Shell Light-weight Utility Library
  • gdiplus.dll: implicit, 24 imports, Microsoft GDI+

Here are the imported blacklisted calls:
  • LdrFindResource_U (ntdll.dll)
  • ZwAllocateVirtualMemory (ntdll.dll)
  • LdrUnloadDll (ntdll.dll)
  • LdrAccessResource (ntdll.dll)
  • LdrGetProcedureAddress (ntdll.dll)
  • ZwFreeVirtualMemory (ntdll.dll)
  • memcpy (ntdll.dll)
  • ExitProcess (kernel32.dll)

Here are indicators of the PNG dropper calls from gdiplus.dll (enables applications to use graphics and formatted text on both the video display and the printer):
Red Flags:
  • The file contains 10 blacklisted strings.
  • The symbol GdipBitmapLockBits is imported several (8) times.
  • The file references the Windows Native API.
  • The file opts in to Address Space Layout Randomization (ASLR).
  • The file ignores Structured Exception Handling (SEH).
  • The file has no version resource.
  • The file does not contain a digital certificate.
  • The file checksum (0x00000000) is invalid.
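Added example, not code from the original post: a small Python parser that reads the COFF and optional headers of a PE image and reports the header-level red flags listed above (ASLR opt-in, NO_SEH, zero checksum, missing Authenticode certificate) plus the raw compile timestamp. The header bytes it runs on are constructed inline for testing, not taken from the sample.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification values)
DYNAMIC_BASE = 0x0040   # image opts in to ASLR
NO_SEH = 0x0400         # image declares that it uses no structured exception handlers
SECURITY_DIR = 4        # data-directory index of the Authenticode certificate table

def pe_red_flags(data: bytes) -> dict:
    """Evaluate header-level red flags from a raw PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]   # TimeDateStamp
    opt = coff + 20                                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B = PE32, 0x20B = PE32+
    checksum = struct.unpack_from("<I", data, opt + 64)[0]     # CheckSum (same offset in both formats)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]      # DllCharacteristics
    dirs = opt + (96 if magic == 0x10B else 112)               # first data-directory entry
    cert_size = struct.unpack_from("<I", data, dirs + SECURITY_DIR * 8 + 4)[0]
    return {
        "timestamp": timestamp,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "ignores_seh": bool(dllchar & NO_SEH),
        "checksum_invalid": checksum == 0,
        "no_certificate": cert_size == 0,
    }

def build_sample(dllchar: int, checksum: int, timestamp: int) -> bytes:
    """Constructed minimal PE32 header (no sections) used only for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                                    # Magic = PE32
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    return dos + coff + bytes(opt)

# Constructed header that mirrors the post's findings: ASLR on, NO_SEH set, zero checksum, no certificate
SAMPLE = build_sample(DYNAMIC_BASE | NO_SEH, 0, 0x5680253A)

if __name__ == "__main__":
    for name, value in pe_red_flags(SAMPLE).items():
        print(f"{name}: {value:#x}" if name == "timestamp" else f"{name}: {value}")
```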
Yara Signature: ZeroAccess v3 Dropper

global private rule gen_characteristics {
    condition:
        ( uint16(0) == 0x5a4d or uint16(0) == 0x0000 ) and filesize < 85KB
}

rule zeroaccess_9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04 {
    meta:
        description = "sample_9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04"
        author = "Vitali Kremez"
        reference = "Detects the ZeroAccess v3 Dropper"
        date = "2016-06-03"
        hash = "9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04"
    strings:
        $s0 = "<requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>" fullword ascii

        $op0 = { 83 c4 0c 8b fd 8d 44 24 40 50 ff 74 24 18 ff 15 } /* Opcode */
        $op1 = { 8d 44 24 38 89 5c 24 3c 50 ff 74 24 18 89 5c 24 } /* Opcode */
        $op2 = { 8d 44 24 14 50 56 ff 15 14 20 40 00 85 c0 0f 85 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 85KB and all of them
}

Author: Vitali Kremez