@Steven Winderlich
You have a sample of the latest ZeroAccess variant there, you know.
And are you guys interested in my analysis?
This variant of malware creates the following processes:
C:\Windows\SysWOW64\shell.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe
C:\Windows\tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\winlogon.exe

The malware uses more than one loading point:
I have not written the full registry paths; whoever knows how to work with regedit will also know how to find the full paths in the registry for the mentioned keys.

Under the 32-bit Winlogon key, in the Userinit and Shell values, the malware uses the legitimate userinit.exe and Explorer.exe for loading the malicious file C:\Windows\system32\IExplorer.exe.
Under the HKCU\...\Run key the malware sets a tiwi value, and the loaded file is tiwi.exe in the Windows directory.

Under the HKCU\...\Run key the malware sets an MSMSGS value, and the loaded file is winlogon.exe in the C:\Users\Magna\Local Settings\Application Data\WINDOWS directory.

Under the 32-bit HKLM\...\Run key it creates a Logon<username> value pointing to the malicious file C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe to load.

Under the same key as above it creates a System Monitoring value pointing to the malicious file C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe.

And in the AlternateShell value it creates the key for running C:\Windows\tiwi.exe. This, I think, allows the malware to load in safe mode.
The malware sets the following policies (in the registry) on the system in order to protect itself from being detected:
disableregistrytools
DisableTaskMgr
NoDispSettingsPage
NoFolderOptions
NoTrayContextMenu
NoFind
NoSetFolders
NoRun

The malware creates the following files:
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 __RSH C:\Windows\tiwi.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 __RSH C:\tiwi.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 ____N C:\Windows\SysWOW64\tiwi.scr
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 ____N C:\Windows\SysWOW64\IExplorer.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00000729 ____N C:\present.txt
2013-12-10 17:34 - 2013-12-10 17:37 - 00000000 _RSHD C:\Users\Magna\AppData\Local\WINDOWS
2013-12-10 17:34 - 2013-12-10 17:36 - 00087040 ____N C:\Windows\SysWOW64\shell.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00087040 ____N C:\Tiwi_Cute.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00087040 ____N C:\Data_Rahasia Magna.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00000000 ____D C:\Users\Magna\Desktop\Brontok&Samples
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\winlogon.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\tiwi.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\smss.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\imoet.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\IExplorer.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\cute.exe
2013-12-10 17:37 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\Registration
2013-12-10 17:36 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
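An audit script for the loading points and policy values described in the post above, added here as an example; it is not part of the post or of the sample's own behaviour. It assumes PowerShell on Windows 7 or later with Windows installed at C:\Windows; the value names (tiwi, MSMSGS, Logon<username>, System Monitoring, the policies) are taken from the post, and the stock Userinit, Shell and AlternateShell defaults are standard Windows values.

```powershell
# Added audit script, not from the original post: it reads the autostart
# locations and policy values the post lists and reports deviations.
# Assumes a default %windir% of C:\Windows; value names come from the post.
$findings = @()

# Winlogon Userinit / Shell, in both the native and the 32-bit (Wow6432Node) view
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    # Stock Userinit is "C:\Windows\system32\userinit.exe," with nothing appended
    if ($p.Userinit -and $p.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
        $findings += "Userinit modified in $k -> $($p.Userinit)"
    }
    if ($p.Shell -and $p.Shell -ne 'explorer.exe') {
        $findings += "Shell modified in $k -> $($p.Shell)"
    }
}

# Run keys: value names the post attributes to the sample
$runChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'             = '^(tiwi|MSMSGS)$'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'             = '^(Logon.*|System Monitoring)$'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' = '^(Logon.*|System Monitoring)$'
}
foreach ($k in $runChecks.Keys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in (Get-Item $k).GetValueNames()) {
        if ($name -match $runChecks[$k]) { $findings += "Run value '$name' in $k -> $($props.$name)" }
    }
}

# SafeBoot AlternateShell: the stock value is cmd.exe; anything else is started in safe mode
$sb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' -ErrorAction SilentlyContinue
if ($sb.AlternateShell -and $sb.AlternateShell -ne 'cmd.exe') {
    $findings += "AlternateShell -> $($sb.AlternateShell)"
}

# Policy values from the post, checked under both Policies\System and Policies\Explorer
$policyNames = 'DisableRegistryTools','DisableTaskMgr','NoDispSettingsPage','NoFolderOptions',
               'NoTrayContextMenu','NoFind','NoSetFolders','NoRun'
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    foreach ($n in $policyNames) { if ($p.$n -eq 1) { $findings += "Policy $n = 1 in $k" } }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No indicators from the post found.' }
```

Run it from an elevated PowerShell prompt on the suspect machine (or against a mounted offline hive after adjusting the paths); each warning names the key and the value that deviates so it can be compared with the file listing above.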