Description: In this video I will show you how to analyse the Zeus malware using the Volatility Framework on BackTrack 5.
First you need to download the Zeus sample (the zeus.vmem memory image used here) and follow along with this video. The memory image is infected with Zeus; I will dump some of the processes to .exe files and scan them with VirusTotal. There are many more processes to examine, so try it yourself. If you also dump the DLLs you will get a lot more information.
Commands : -
./vol.py imageinfo -f zeus.vmem (Suggested profiles and image information)
./vol.py --profile=WinXPSP2x86 pslist -f zeus.vmem (Process list)
./vol.py --profile=WinXPSP2x86 connections -f zeus.vmem (Active connections at capture time)
./vol.py --profile=WinXPSP2x86 connscan -f zeus.vmem (Connection scan, including closed/unlinked connections)
./vol.py --profile=WinXPSP2x86 -f zeus.vmem malfind -p 172 (Automatic malware finder plugin: injected code and hidden sections in PID 172)
./vol.py --profile=WinXPSP2x86 -f zeus.vmem -p 856 procexedump --dump-dir /root/Desktop (Dump the process executable to a directory for a virus scan. Change the PID and dump the other processes too; analysing them will turn up more infected files.)
./vol.py --profile=WinXPSP2x86 -f zeus.vmem printkey -o 0xe153ab60 -K "Microsoft\Windows NT\CurrentVersion\Winlogon" (Proof that this memory image is Zeus-infected: the Winlogon key references sdra64.exe)
./vol.py --profile=WinXPSP2x86 -f zeus.vmem threads (List threads)
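The "dump every process" step above is tedious by hand, so here is an added helper script (not part of the video) that parses Volatility 2 pslist output for PIDs, runs procexedump for each one and hashes the results so they can be looked up on VirusTotal by hash before anything is uploaded. It assumes vol.py, zeus.vmem, the WinXPSP2x86 profile and the procexedump plugin exactly as in the commands above, and that sha256sum is installed; the pslist output embedded below is constructed sample data.

```shell
#!/bin/sh
# Constructed sample of Volatility 2 pslist output (PID is the third column).
SAMPLE_PSLIST='Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x810b1660 System                    4      0     58      379 ------      0
0xff2ab020 smss.exe                544      4      3       21 ------      0 2010-08-11 06:06:53 UTC+0000
0xff1ec978 winlogon.exe            608    544     23      519      0      0 2010-08-11 06:06:53 UTC+0000
0x80ff88d8 svchost.exe             856    676     29      336      0      0 2010-08-11 06:06:54 UTC+0000
0xff1b8b28 explorer.exe           1724   1636     14      345      0      0 2010-08-11 06:09:29 UTC+0000'

# pids_from_pslist: read pslist output on stdin and print one PID per line,
# skipping the header, the separator row and the kernel System process (PID 4),
# which has no user-mode executable to dump.
pids_from_pslist() {
  awk 'NR > 2 && $3 ~ /^[0-9]+$/ && $3 != 4 { print $3 }'
}

# dump_all IMAGE OUTDIR: dump the executable of every listed process into
# OUTDIR with procexedump (files are named executable.<pid>.exe), then print
# SHA-256 hashes for VirusTotal hash lookups.
dump_all() {
  image="$1"; outdir="$2"
  mkdir -p "$outdir"
  ./vol.py --profile=WinXPSP2x86 -f "$image" pslist | pids_from_pslist |
  while read -r pid; do
    ./vol.py --profile=WinXPSP2x86 -f "$image" -p "$pid" procexedump --dump-dir "$outdir"
  done
  sha256sum "$outdir"/*.exe
}

# Usage from the Volatility directory on BackTrack 5:
#   dump_all zeus.vmem /root/Desktop/dumps
```

Dumped executables are rebuilt from memory, so their hashes will not match the on-disk sample; use the hashes to deduplicate dumps and check prior VirusTotal results, and upload only the ones that are unknown.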
Reference : -
http://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
Other Links : -
http://www.symantec.com/connect/blogs/brief-look-zeuszbot-20
http://www.eptuners.com/forensics/contents/examination.htm
http://www.sans.org/reading_room/whitepapers/malicious/clash-titans-zeus-spyeye_33393
http://www.fortiguard.com/analysis/zeusanalysis.html
Tags: zeus, malware, framework, analysis
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors are the same without verifying.
The videos are great, man. But please buy a mic :)
Do I need to disable the network during the demo?