{"id":41,"date":"2016-10-29T09:33:14","date_gmt":"2016-10-29T09:33:14","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=41"},"modified":"2017-08-23T08:52:33","modified_gmt":"2017-08-23T08:52:33","slug":"zeus-analysis-in-volatility-2-0","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=41","title":{"rendered":"Zeus Analysis in Volatility\u00a02.0"},"content":{"rendered":"

<\/h2>\n
\n

Well I wanted to post another article about memory forensics with my favorite open source tool right now\u2026. Volatility<\/a>.\u00a0 Can\u2019t say enough great things about the documentation (very well written and expansive) and the community is very helpful in answering questions (even noobish ones).\u00a0 So after I read MHL\u2019s Stuxnet Analysis with Volatility 2.0<\/a> it inspired me to do my own sort of analysis with a different piece of malware to see how many artifacts I could come up with.\u00a0 I\u2019ll be referencing some in-depth deep dives to confirm the analysis.\u00a0 At the end of the article the links will be given to those reports in full.\u00a0 I\u2019m going to assume no prior knowledge is known about Zeus.\u00a0 We can use Volatility to start as well as confirm with multiple artifacts we are in fact infected with Zeus beyond any doubts.<\/p>\n

Luckily for us we don\u2019t have to infect a VM, take a memory dump and then analyze it (or have a friend ask for our help to cleanup their computer like here<\/a>).\u00a0 The folks at Volatility<\/a>have provided a sample image that\u2019s infected with Zeus<\/a> for you to practice on.\u00a0 They are in need of contribution with additional malware if you have any laying around that you\u2019d like to share.\u00a0 So download the image and follow along.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem imageinfo
\nVolatile Systems Volatility Framework 2.0
\nSuggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with Win
\nXPSP2x86)
\nAS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
\nAS Layer2 : FileAddressSpace (C:\\RE\\volatility2.0\\py\\volatility-2.0\\zeus.vmem)
\nPAE type : PAE
\nDTB : 0x319000
\nKDBG : 0x80544ce0L
\nKPCR : 0xffdff000L
\nKUSER_SHARED_DATA : 0xffdf0000L
\nImage date and time : 2010-08-15 19:17:56
\nImage local date and time : 2010-08-15 19:17:56
\nNumber of Processors : 1
\nImage Type : Service Pack 2
\n<\/code><\/p>\n

So we can tell this is a XP SP2 image, no big surprise here.\u00a0 Let\u2019s grab a process listing.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem pslist
\nVolatile Systems Volatility Framework 2.0
\nOffset(V)\u00a0 Name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PID\u00a0\u00a0\u00a0 PPID\u00a0\u00a0 Thds\u00a0\u00a0 Hnds\u00a0\u00a0 Time
\n---------- -------------------- ------ ------ ------ ------ -------------------
\n0x810b1660 System\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 58\u00a0\u00a0\u00a0 379 1970-01-01 00:00:00
\n0xff2ab020 smss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0\u00a0\u00a0 3\u00a0\u00a0\u00a0\u00a0 21 2010-08-11 06:06:21
\n0xff1ecda0 csrss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 608\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0 10\u00a0\u00a0\u00a0 410 2010-08-11 06:06:23
\n0xff1ec978 winlogon.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0 24\u00a0\u00a0\u00a0 536 2010-08-11 06:06:23
\n0xff247020 services.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0\u00a0 16\u00a0\u00a0\u00a0 288 2010-08-11 06:06:24
\n0xff255020 lsass.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 688\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0\u00a0 21\u00a0\u00a0\u00a0 405 2010-08-11 06:06:24
\n0xff218230 vmacthlp.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 844\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 37 2010-08-11 06:06:24
\n0x80ff88d8 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 856\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 29\u00a0\u00a0\u00a0 336 2010-08-11 06:06:24
\n0xff217560 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 936\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 11\u00a0\u00a0\u00a0 288 2010-08-11 06:06:24
\n0x80fbf910 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1028\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 88\u00a0\u00a0 1424 2010-08-11 06:06:24
\n0xff22d558 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1088\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 7\u00a0\u00a0\u00a0\u00a0 93 2010-08-11 06:06:25
\n0xff203b80 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1148\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 15\u00a0\u00a0\u00a0 217 2010-08-11 06:06:26
\n0xff1d7da0 spoolsv.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1432\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 14\u00a0\u00a0\u00a0 145 2010-08-11 06:06:26
\n0xff1b8b28 vmtoolsd.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1668\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 5\u00a0\u00a0\u00a0 225 2010-08-11 06:06:35
\n0xff1fdc88 VMUpgradeHelper\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1788\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 5\u00a0\u00a0\u00a0 112 2010-08-11 06:06:38
\n0xff143b28 TPAutoConnSvc.e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1968\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 5\u00a0\u00a0\u00a0 106 2010-08-11 06:06:39
\n0xff25a7e0 alg.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 216\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 8\u00a0\u00a0\u00a0 120 2010-08-11 06:06:39
\n0xff364310 wscntfy.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 888\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 40 2010-08-11 06:06:49
\n0xff38b5f8 TPAutoConnect.e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1084\u00a0\u00a0 1968\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 68 2010-08-11 06:06:52
\n0x80f60da0 wuauclt.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1732\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0\u00a0 7\u00a0\u00a0\u00a0 189 2010-08-11 06:07:44
\n0xff3865d0 explorer.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1724\u00a0\u00a0 1708\u00a0\u00a0\u00a0\u00a0 13\u00a0\u00a0\u00a0 326 2010-08-11 06:09:29
\n0xff3667e8 VMwareTray.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 432\u00a0\u00a0 1724\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 60 2010-08-11 06:09:31
\n0xff374980 VMwareUser.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 452\u00a0\u00a0 1724\u00a0\u00a0\u00a0\u00a0\u00a0 8\u00a0\u00a0\u00a0 207 2010-08-11 06:09:32
\n0x80f94588 wuauclt.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 468\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0 142 2010-08-11 06:09:37
\n0xff224020 cmd.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 124\u00a0\u00a0 1668\u00a0\u00a0\u00a0\u00a0\u00a0 0 ------ 2010-08-15 19:17:55
\n<\/code><\/p>\n

Nothing immediately stands out to me as they all look like legitimate processes that are running on the box.\u00a0 Let\u2019s see if any of them are hiding with a new command fresh out of 2.0 which is psxview.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem psxview
\nVolatile Systems Volatility Framework 2.0
\nOffset\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Name\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Pid\u00a0\u00a0\u00a0\u00a0\u00a0 pslist\u00a0\u00a0\u00a0\u00a0 psscan\u00a0\u00a0\u00a0\u00a0 thrdproc\u00a0\u00a0 psp
\nid\u00a0\u00a0\u00a0\u00a0 csr_hnds\u00a0\u00a0 csr_list
\n0x80fbf910L\u00a0 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0x80ff88d8L\u00a0 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 856\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff1d7da0L\u00a0 spoolsv.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1432\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0x80f60da0L\u00a0 wuauclt.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1732\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff2ab020L\u00a0 smss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff3667e8L\u00a0 VMwareTray.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 432\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff247020L\u00a0 services.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff217560L\u00a0 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 936\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff143b28L\u00a0 TPAutoConnSvc.e\u00a0\u00a0\u00a0\u00a0\u00a0 1968\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff203b80L\u00a0 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1148\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff1b8b28L\u00a0 vmtoolsd.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1668\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff255020L\u00a0 lsass.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 688\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff3865d0L\u00a0 explorer.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1724\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff22d558L\u00a0 svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1088\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff374980L\u00a0 VMwareUser.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 452\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff1fdc88L\u00a0 VMUpgradeHelper\u00a0\u00a0\u00a0\u00a0\u00a0 1788\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff218230L\u00a0 vmacthlp.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 844\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff364310L\u00a0 wscntfy.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 888\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0x80f94588L\u00a0 wuauclt.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 468\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff25a7e0L\u00a0 alg.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 216\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff1ecda0L\u00a0 csrss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 608\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff38b5f8L\u00a0 TPAutoConnect.e\u00a0\u00a0\u00a0\u00a0\u00a0 1084\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff1ec978L\u00a0 winlogon.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0xff224020L\u00a0 cmd.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 124\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n0x810b1660L\u00a0 System\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1
\n0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0
\n<\/code><\/p>\n

This uses multiple methods for looking at processes artifacts in memory.\u00a0 If you see any that are 0\u2019s for psscan, pslist and thrdproc it\u2019s an attempt to hide the process by DKOM (Direct Kernel Object Manipulation).\u00a0 Nothing interesting here so let\u2019s see about some network connections.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem connections
\nVolatile Systems Volatility Framework 2.0
\nOffset(V)\u00a0 Local Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Remote Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Pid
\n---------- ------------------------- ------------------------- ------
\n<\/code><\/p>\n

Well that\u2019s disappointing.\u00a0 No active connections at the time the memory dump was taken.\u00a0 Let\u2019s go a little deeper and scan for connections that may have been previously closed with connscan.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem connscan
\nVolatile Systems Volatility Framework 2.0
\nOffset\u00a0\u00a0\u00a0\u00a0 Local Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Remote Address\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Pid
\n---------- ------------------------- ------------------------- ------
\n0x02214988 172.16.176.143:1054\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 193.104.41.75:80\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 856
\n0x06015ab0 0.0.0.0:1056\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 193.104.41.75:80\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 856
\n<\/code><\/p>\n

Bingo!\u00a0 We have 2 connections here that look to be listed to PID 856.\u00a0 That\u2019s SVChost which is odd.\u00a0 Let\u2019s see where these connections are located.\u00a0 A whois report reveals that the IP is located in Moldova.<\/p>\n\n\n\n\n\n\n\n\n
IP Address<\/td>\n193.104.41.75<\/a><\/td>\n<\/tr>\n
Host<\/td>\n193.104.41.75<\/td>\n<\/tr>\n
Location<\/td>\n\"MD\" MD, Moldova, Republic of<\/td>\n<\/tr>\n
City<\/td>\n-, \u2013 \u2013<\/td>\n<\/tr>\n
Organization<\/td>\nPE Voronov Evgen Sergiyovich<\/td>\n<\/tr>\n
ISP<\/td>\nPE Voronov Evgen Sergiyovich<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

It\u2019s well known that a lot of malware calls Eastern Europe and Asia home.\u00a0 So this is pretty suspicious but since it looks like all our processes appear legitimate we might be facing some malware that utilizes code injection.\u00a0 To detect these types of processes MHL has released a great plugin here that utilizes malfind.\u00a0 It will detect injected processes so let\u2019s run that on our target image.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem malfind --dump-dir c:\\re\\zeus_demo
\nVMwareTray.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 432\u00a0\u00a0\u00a0 0x00d70000 0xd95fff00 VadS\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 PAGE_EXECUTE_R
\nEADWRITE
\nDumped to: c:\\re\\zeus_demo\\VMwareTray.exe.4be97e8.00d70000-00d95fff.dmp
\n0x00d70000\u00a0\u00a0 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00\u00a0\u00a0\u00a0 MZ..............<\/code><\/p>\n

0x00d70010\u00a0\u00a0 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\u00a0\u00a0\u00a0 ……..@…….<\/p>\n

0x00d70020\u00a0\u00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\u00a0\u00a0\u00a0 …………….<\/p>\n

0x00d70030\u00a0\u00a0 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00\u00a0\u00a0\u00a0 …………….<\/p>\n

0x00d70040\u00a0\u00a0 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68\u00a0\u00a0\u00a0 ……..!..L.!Th<\/p>\n

0x00d70050\u00a0\u00a0 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f\u00a0\u00a0\u00a0 is program canno<\/p>\n

0x00d70060\u00a0\u00a0 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20\u00a0\u00a0\u00a0 t be run in DOS<\/p>\n

0x00d70070\u00a0\u00a0 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00\u00a0\u00a0\u00a0 mode….$…….<\/p>\n

VMwareTray.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 432\u00a0\u00a0\u00a0 0x00e30000 0xe30fff00 VadS\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 PAGE_EXECUTE_R
\nEADWRITE
\nDumped to: c:\\re\\zeus_demo\\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp
\n0x00e30000\u00a0\u00a0 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9\u00a0\u00a0\u00a0 .5…….{……<\/p>\n

0x00e30010\u00a0\u00a0 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff\u00a0\u00a0\u00a0 O..{..U…..>v..<\/p>\n

0x00e30020\u00a0\u00a0 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53\u00a0\u00a0\u00a0 U….v9v..U….S<\/p>\n

0x00e30030\u00a0\u00a0 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b\u00a0\u00a0\u00a0 :v..U…..>v..U.<\/p>\n

0x00e30040\u00a0\u00a0 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76\u00a0\u00a0\u00a0 ….9v..U…O~<v<\/p>\n

0x00e30050\u00a0\u00a0 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9\u00a0\u00a0\u00a0 ..U….2:v..U…<\/p>\n

0x00e30060\u00a0\u00a0 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76\u00a0\u00a0\u00a0 }a9vj,h…w…9v<\/p>\n

0x00e30070\u00a0\u00a0 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9\u00a0\u00a0\u00a0 ..U……p..U…<\/p>\n

Disassembly:
\n00e30000: b835000000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MOV EAX, 0x35
\n00e30005: e9cdd7ad7b\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 JMP 0x7c90d7d7
\n00e3000a: b891000000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MOV EAX, 0x91
\n00e3000f: e94fdfad7b\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 JMP 0x7c90df63
\n00e30014: 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MOV EDI, EDI
\n00e30016: 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PUSH EBP
\n00e30017: 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MOV EBP, ESP
\n00e30019: e9ef173e76\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 JMP 0x7721180d
\n00e3001e: 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MOV EDI, EDI
\n00e30020: 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PUSH EBP
\n[snip]
\n<\/code>
\nWell we have a lot of output so looks like a lot of our processes are injected with malcode.\u00a0 The reason this plugin can find it is due to the fact of looking for kernel memory structures that work very closely with VirtualAlloc.\u00a0 These memory structures are in a VAD tree and work closely with memory management aspects of the kernel.\u00a0\u00a0\u00a0 There\u2019s a lot more detailed explanation in the references section if you care to read further on the subject.\u00a0 The plugin outputs hexdumps as well as assembly code at the base location of where the injected code was detected.\u00a0 You can also pipe this output to a text file if it won\u2019t fit in your console.<\/p>\n

With all this output from our plugin let\u2019s revisit our pstree command so we can get a hierarchical view on how the code injection may have cascaded.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem pstree
\nVolatile Systems Volatility Framework 2.0
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Pid\u00a0\u00a0\u00a0 PPid\u00a0\u00a0 Thds\u00a0\u00a0 Hnds\u00a0\u00a0 Time
\n0x810B1660:System\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0 58\u00a0\u00a0\u00a0 379 1970-01-
\n01 00:00:00
\n. 0xFF2AB020:smss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0\u00a0\u00a0 3\u00a0\u00a0\u00a0\u00a0 21 2010-08-
\n11 06:06:21
\n.. 0xFF1EC978:winlogon.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0 24\u00a0\u00a0\u00a0 536 2010-08-
\n11 06:06:23
\n... 0xFF255020:lsass.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 688\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0\u00a0 21\u00a0\u00a0\u00a0 405 2010-08-
\n11 06:06:24
\n... 0xFF247020:services.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0 632\u00a0\u00a0\u00a0\u00a0 16\u00a0\u00a0\u00a0 288 2010-08-
\n11 06:06:24
\n.... 0xFF1B8B28:vmtoolsd.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1668\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 5\u00a0\u00a0\u00a0 225 2010-08-
\n11 06:06:35
\n..... 0xFF224020:cmd.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 124\u00a0\u00a0 1668\u00a0\u00a0\u00a0\u00a0\u00a0 0 ------ 2010-08-
\n15 19:17:55
\n.... 0x80FF88D8:svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 856\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 29\u00a0\u00a0\u00a0 336 2010-08-
\n11 06:06:24
\n.... 0xFF1D7DA0:spoolsv.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1432\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 14\u00a0\u00a0\u00a0 145 2010-08-
\n11 06:06:26
\n.... 0x80FBF910:svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1028\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 88\u00a0\u00a0 1424 2010-08-
\n11 06:06:24
\n..... 0x80F60DA0:wuauclt.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1732\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0\u00a0 7\u00a0\u00a0\u00a0 189 2010-08-
\n11 06:07:44
\n..... 0x80F94588:wuauclt.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 468\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0 142 2010-08-
\n11 06:09:37
\n..... 0xFF364310:wscntfy.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 888\u00a0\u00a0 1028\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 40 2010-08-
\n11 06:06:49
\n.... 0xFF217560:svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 936\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 11\u00a0\u00a0\u00a0 288 2010-08-
\n11 06:06:24
\n.... 0xFF143B28:TPAutoConnSvc.e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1968\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 5\u00a0\u00a0\u00a0 106 2010-08-
\n11 06:06:39
\n..... 0xFF38B5F8:TPAutoConnect.e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1084\u00a0\u00a0 1968\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 68 2010-08-
\n11 06:06:52
\n.... 0xFF22D558:svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1088\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 7\u00a0\u00a0\u00a0\u00a0 93 2010-08-
\n11 06:06:25
\n.... 0xFF218230:vmacthlp.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 844\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 37 2010-08-
\n11 06:06:24
\n.... 0xFF25A7E0:alg.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 216\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 8\u00a0\u00a0\u00a0 120 2010-08-
\n11 06:06:39
\n.... 0xFF203B80:svchost.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1148\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0 15\u00a0\u00a0\u00a0 217 2010-08-
\n11 06:06:26
\n.... 0xFF1FDC88:VMUpgradeHelper\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1788\u00a0\u00a0\u00a0 676\u00a0\u00a0\u00a0\u00a0\u00a0 5\u00a0\u00a0\u00a0 112 2010-08-
\n11 06:06:38
\n.. 0xFF1ECDA0:csrss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 608\u00a0\u00a0\u00a0 544\u00a0\u00a0\u00a0\u00a0 10\u00a0\u00a0\u00a0 410 2010-08-
\n11 06:06:23
\n0xFF3865D0:explorer.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1724\u00a0\u00a0 1708\u00a0\u00a0\u00a0\u00a0 13\u00a0\u00a0\u00a0 326 2010-08-
\n11 06:09:29
\n. 0xFF374980:VMwareUser.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 452\u00a0\u00a0 1724\u00a0\u00a0\u00a0\u00a0\u00a0 8\u00a0\u00a0\u00a0 207 2010-08-
\n11 06:09:32
\n. 0xFF3667E8:VMwareTray.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 432\u00a0\u00a0 1724\u00a0\u00a0\u00a0\u00a0\u00a0 1\u00a0\u00a0\u00a0\u00a0 60 2010-08-
\n11 06:09:31
\n<\/code><\/p>\n

We did notice that services.exe<\/span> looked to have some code injected into it.\u00a0 Let\u2019s take the parent process (winlogon.dmp<\/span> that was dumped by malfind) and submit it to virustotal as PID 676 seems to be where the code injection is originating from in a hierarchical sense.<\/p>\n

http:\/\/www.virustotal.com\/file-scan\/report.html?id=75a45694e30eecdb63d173fe18f2a6642113244e7049524d5331054c5ba07960-1316219032<\/a><\/p>\n

Sure enough 26\/44 say it\u2019s malicious.\u00a0 Seems most of the scans detect it as Zbot.\u00a0\u00a0 So let\u2019s Google around find some reports and see if we can verify it\u2019s presence elsewhere.\u00a0 Now that we\u2019re armed with some reports let\u2019s verify some other artifacts on the system just to make sure this is Zbot.<\/p>\n

\u201cThe install function searches for the \u201cwinlogon.exe<\/span>\u201d process, allocates some memory within it and decrypts itself into the process.\u201d
\n<\/em><\/p>\n

Well what do you know it looks like Zbot\/Zeus injects it\u2019s code into winlogon.exe<\/span> This was apparent after we did our malfind as it detected injected code into other processes. If you would use procexedump through volatility it would be fine if you submitted to an avscan as it uses the pe header to dump the memory image. The new code sections that were allocated and later written to will not be reflected in the original pe header that was loaded into memory. This is the exact reason why we had to use malfind (Thanks again MHL!) above and couldn\u2019t just procdump based on pid.<\/p>\n

\u201cThe bot executable is written to the hard drive as \u201cC:\\WINDOWS\\system32\\sdra64.exe\u201d.\u201d<\/em><\/p>\n

Volatility has a useful plugin here that allows us to identify file handles that are still hanging around in memory filescan.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem filescan
\nVolatile Systems Volatility Framework 2.0
\nOffset(V) Obj Type #Ptr #Hnd Access Name
\n0x01090778 0x8109d560 1 0 R--r-d '\\\\WINDOWS\\\\system32\\\\winrnr.dll'
\n0x010915b0 0x8109d560 1 0 R--rwd '\\\\WINDOWS\\\\system32\\\\oleaut32.dll'
\n0x01091648 0x8109d560 1 0 R--rwd '\\\\WINDOWS\\\\system32\\\\rpcrt4.dll'
\n0x01091810 0x8109d560 1 0 R--rwd '\\\\WINDOWS\\\\system32\\\\csrss.exe'
\n0x01092270 0x8109d560 1 1 RW-rw- '\\\\WINDOWS\\\\WindowsUpdate.log'
\n[snip]
\n0x029d9b28 0x8109d560 1 1 R----- '\\\\WINDOWS\\\\system32\\\\sdra64.exe'
\n0x029d9cd8 0x8109d560 1 0 -WD--- '\\\\WINDOWS\\\\system32\\\\sdra64.exe'
\n[snip]
\n<\/code><\/p>\n

\u201cThe directory \u201cC:\\WINDOWS\\system32\\lowsec\\\u201d is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:<\/em><\/p>\n

local.ds<\/span>: Contains the most recently downloaded DynamicConfig file.
\nuser.ds<\/span>: Contains logged information.
\nuser.ds.lll<\/span>: Temporarily created if transmission of logs to the drop server fails.
\n\u201d<\/p>\n

These artifacts can also be found in the above file scan to further bolster the case that this is definitely Zeus.<\/p>\n

\u201cThe Winlogon (\u201cHKLM\/SOFTWARE\/Microsoft\/WindowsNT\/CurrentVersion\/Winlogon\u201d) registry key\u2019s value is appended with the path of the bot executable: C:\/WINDOWS\/system32\/sdra64.exe. This will cause the bot to execute when the computer restarts.\u201d<\/em><\/p>\n

Volatility sure enough has a feature to allow us to investigate registry entries. Namely the printkey command. So let\u2019s check the reg key from our Zbot analysis to see that this is here too.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem printkey -K \"Mi
\ncrosoft\\Windows NT\\CurrentVersion\\Winlogon\"
\nVolatile Systems Volatility Framework 2.0
\nLegend: (S) = Stable (V) = Volatile
\n----------------------------
\nRegistry: \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
\nKey name: Winlogon (S)
\nLast updated: 2010-08-15 19:17:23
\nSubkeys:
\n(S) GPExtensions
\n(S) Notify
\n(S) SpecialAccounts
\n(V) Credentials<\/code><\/p>\n

Values:
\nREG_DWORD AutoRestartShell : (S) 1
\nREG_SZ DefaultDomainName : (S) BILLY-DB5B96DD3
\nREG_SZ DefaultUserName : (S) Administrator
\nREG_SZ LegalNoticeCaption : (S)
\nREG_SZ LegalNoticeText : (S)
\nREG_SZ PowerdownAfterShutdown : (S) 0
\nREG_SZ ReportBootOk : (S) 1
\nREG_SZ Shell : (S) Explorer.exe<\/span>
\nREG_SZ ShutdownWithoutLogon : (S) 0
\nREG_SZ System : (S)
\nREG_SZ Userinit : (S) C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS<\/span>\\
\nsystem32\\sdra64.exe,
\nREG_SZ VmApplet : (S) rundll32 shell32,Control_RunDLL \u201csysdm.cpl<\/span>\u201d<\/p>\n

REG_DWORD SfcQuota : (S) 4294967295
\nREG_SZ allocatecdroms : (S) 0
\nREG_SZ allocatedasd : (S) 0
\nREG_SZ allocatefloppies : (S) 0
\nREG_SZ cachedlogonscount : (S) 10
\nREG_DWORD forceunlocklogon : (S) 0
\nREG_DWORD passwordexpirywarning : (S) 14
\nREG_SZ scremoveoption : (S) 0
\nREG_DWORD AllowMultipleTSSessions : (S) 1
\nREG_EXPAND_SZ UIHost : (S) logonui.exe<\/span>
\nREG_DWORD LogonType : (S) 1
\nREG_SZ Background : (S) 0 0 0
\nREG_SZ AutoAdminLogon : (S) 0
\nREG_SZ DebugServerCommand : (S) no
\nREG_DWORD SFCDisable : (S) 0
\nREG_SZ WinStationsDisabled : (S) 0
\nREG_DWORD HibernationPreviouslyEnabled : (S) 1
\nREG_DWORD ShowLogonOptions : (S) 0
\nREG_SZ AltDefaultUserName : (S) Administrator
\nREG_SZ AltDefaultDomainName : (S) BILLY-DB5B96DD3<\/p>\n

Well that key is certainly apparent and this is our persistence mechanism. So the Zeus\/Zbot injector process is called at start-up to insert it\u2019s hooks and malicious code in our legitimate looking processes to evade detection. This would be something you\u2019d want to clean up if you were re-mediating the system as well.<\/p>\n

\u201cThe Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.\u201d<\/em><\/p>\n

It looks like Zeus\/Zbot also takes care of disabling the Windows Firewall so your not annoyed with any popups while it\u2019s pilfering through your banking data. Googling around there are some registry forensics blogs that keep track of the location for windows firewall settings. Using our command printkey we can detect if this is enabled or disabled in this specific image.<\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem printkey -K \"Co
\nntrolSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\"
\nVolatile Systems Volatility Framework 2.0
\nLegend: (S) = Stable (V) = Volatile
\n----------------------------
\nRegistry: \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
\nKey name: StandardProfile (S)
\nLast updated: 2010-08-15 19:17:24<\/code><\/p>\n

Subkeys:
\n(S) AuthorizedApplications<\/p>\n

Values:
\nREG_DWORD EnableFirewall : (S) 0<\/p>\n

So the firewall is currently disabled and if you notice the timestamp on the key as well. It looks like this was last updated at 2010-8-15 at 19:17:24. This is tidbit of information that you could use in a timeline analysis if you had to document to this level of detail. The specific Zeus\/Zbot may not modify this key every time but check if its set according to it\u2019s specifications. I\u2019m not sure as I don\u2019t have the file but it would be a reasonable assumption. Also the EnableFirewall key was not in the DomainProfile but only the StandardProfile for you registry pros out there.<\/p>\n

\u201cA closer look at its binary file reveals that the spyware was designed to monitor known ZBOT mutexes, _AVIRA_ and __SYSTEM__.\u201d<\/em><\/p>\n


\nC:\\RE\\volatility2.0\\py\\volatility-2.0>python vol.py -f zeus.vmem mutantscan
\nVolatile Systems Volatility Framework 2.0
\n[snip]
\n0x05ca17e8 0x810ae5e0 2 1 1 0x00000000 '_AVIRA_2108'
\n[snip]
\n<\/code><\/p>\n

Well there is certainly a mutex that has been recent in memory for AVIRA which ironically enough is the name of an antivirus engine. It was sent to poke fun at the anti-virus companies by the programmer\u2019s of Zeus. It also looks from the above mutex that we have a 1.x version of Zeus\/Zbot as in 2.x versions they use randomly generated GUID\u2019s over mutexes to communicate.<\/p>\n

So there we have it using Volatility we can get a look at a Zeus\/Zbot infection and determine steps here for possible remediation just based on a memory dump. We\u2019d have more resources if we were able to have access to the system as well so we could study the injector process to see if it has any other persistence mechanisms. It\u2019s doubtful since this matches so closely to the typical Zeus\/Zbot signature. I hope you enjoyed reading this article!<\/p>\n

Edit<\/strong>: Looks like another Zeus article was written and is linked here<\/a> to give you another viewpoint on this piece of malware.<\/p>\n

References:<\/p>\n

[1] \u2013 http:\/\/www.fortiguard.com\/analysis\/zeusanalysis.html<\/a><\/p>\n

[2] \u2013 http:\/\/www.dfrws.org\/2007\/proceedings\/p62-dolan-gavitt.pdf<\/a><\/p>\n

[3] \u2013 http:\/\/www.eptuners.com\/forensics\/contents\/examination.htm<\/a><\/p>\n

[4] \u2013 http:\/\/www.sans.org\/reading_room\/whitepapers\/malicious\/clash-titans-zeus-spyeye_33393<\/a><\/p>\n

[5] \u2013 http:\/\/www.symantec.com\/connect\/blogs\/brief-look-zeuszbot-20<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Well I wanted to post another article about memory forensics with my favorite open source tool right now\u2026. Volatility.\u00a0 Can\u2019t say enough great things about the documentation (very well written and expansive) and the community is very helpful in answering questions (even noobish ones).\u00a0 So after I read MHL\u2019s Stuxnet Analysis with Volatility 2.0 it … Continue reading Zeus Analysis in Volatility\u00a02.0<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,2],"tags":[17,4],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/41"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41"}],"version-history":[{"count":2,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/41\/revisions"}],"predecessor-version":[{"id":58,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/41\/revisions\/58"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}