Thursday, May 23, 2013

ZAccess/Sirefef.P Artifacts

I wanted to share a few interesting artifacts from two ZAccess/Sirefef.P compromises I recently had to deal with. In both infections, malicious files were written to hidden sub directories located in the User and System accounts $Recycle.Bin's. Much like other variants of this Trojan, these files were injected into legitimate processes including explorer.exe and services.exe. At first I thought the infection had mucked with the permissions of the hidden sub directories within the Recycle.Bin but then noticed the S-1-5-18 SID, indicating the use of the SYSTEM account.





The first compromise went a step further and overwrote the Wdf01000.sys driver under \SystemRoot\System32\Drivers. I would have missed this if I had not dumped the NTFS Master File Table and used the $SI Entry Date when creating my timeline. By overwriting the existing file, it would appear the other NTFS timestamps were preserved due to File System Tunneling (ref: KB172190 and WIR Blog). A very interesting artifact indeed.


The first variant loaded some typical Fake Antivirus into the C:\ProgramData folder. Nothing new there but with the second variant, I noted the creation of a lot of Internet cache files under \SystemRoot\System32\Config\Systemprofile\AppData in what appeared to be the presence of click fraud.


Overall, a couple of interesting variants that I enjoyed playing with. Here's the hashes for reference.
[root]\$Recycle.Bin\S-1-5-18\$a032773db1be215125d280696ec7b357\n
MD5: 3aaac8a9352dde4e2073a7814514bd9d
SHA1: 321132983c3fc25448e19ae63e65cb127f28c5b7 

[root]\$Recycle.Bin\S-1-5-18\$f58c247e192203c97063e19c12229833\n
MD5: cfaddbb43ba973f8d15d7d2e50c63476
SHA1: 34206a971fe3cbb1acf2ce8bb9f145bfd78e256e 
Happy Hunting!