By ro0ted | May 4, 2015 - 13:22 | Posted in /b/ | 8 Comments
#ro0ted #OpNewblood What the blackhats dont want you to know: Analyzing the ZeuS bot Part 2

This is a slightly more detailed Part 2 of Analyzing the ZeuS bot with Volatility. – https://twitter.com/ro0ted/

 

By now you should know how to run REMnux in VirtualBox.
Last tutorial: https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-remnux-volatility-framework/

Start up REMnux and sign in as root.
We begin with the same command as in the previous tutorial, which identifies the OS the dump came from:
type: volatility -f zeus.vmem imageinfo
Note the suggested profile in the output. This image is a Windows XP SP2 dump, which is also Volatility 2's default profile, so the commands below work without one; for any other dump add --profile=<suggested profile> to every command, otherwise Volatility parses the image with the wrong structure layouts and the results are garbage.


Now type: volatility -f zeus.vmem callbacks
callbacks lists kernel-mode callback routines (process, thread and image-load notifications, registry and bugcheck callbacks, and so on). It is a rootkit check: if the malware had dropped a driver, its notify routines would normally show up here. ZeuS runs in user mode, so this step rules out a kernel component before we move on to network artifacts.


Now we check for connections to a remote server.
type: volatility -f zeus.vmem connscan
connscan carves _TCPT_OBJECT structures out of physical memory, so it also recovers connections that were already closed when the dump was taken. It only applies to XP/2003 images; on Vista and later use netscan instead.


Here the remote IP of the server, i.e. the command-and-control end of the botnet, is 193.104.41.75, and the process that owns the connection has PID 856. Write the PID down; everything that follows pivots on it.
To corroborate that this is indeed the botnet address, look the IP up: a web search on it usually shows it indexed as malicious, and it turns up in blocklist and threat-intelligence sources. Treat a hit as corroboration, not proof, and a miss as meaningless: C2 addresses rotate and get reassigned, and it is the memory evidence in the following steps that ties the address to this infection.


Now remember the PID? Look for it in the process listing.
Type: volatility -f zeus.vmem psscan
psscan scans physical memory for _EPROCESS objects instead of walking the kernel's linked process list, so it also shows processes that were unlinked (hidden) or have already exited. PID 856 is an svchost.exe instance: the bot does not run as its own process, it lives inside a legitimate service host.


Now list the Process-type handles PID 856 holds, i.e. the other processes it has opened:
type: volatility -f zeus.vmem handles -p 856 -t Process
A service host has no business holding handles to unrelated processes. A handle obtained with OpenProcess is the prerequisite for writing into another process's memory, so this output tells you where else the bot has reached.


Now type: volatility -f zeus.vmem apihooks -p 856
apihooks checks the import/export tables and function prologues of every module loaded in PID 856 and reports inline hooks: the first instruction of an API has been overwritten with a JMP whose target is not inside any loaded module (Volatility prints this as Hooking module: <unknown>). Those JMPs lead into the injected, file-less memory region, which is what we dump next.


Now we can dump the embedded executable.
vaddump writes every memory region in the process's VAD tree to its own file, so the injected PE ends up among the dumps taken from svchost.exe:
type: volatility -f zeus.vmem vaddump -p 856 -D /home/
The -D directory must already exist. Each output file is named after the process and the address range of the region it holds.


Now go to the output directory and inspect the dumped regions. Most of them are heaps, stacks and mapped DLLs; the ones that start with an MZ header and a valid PE signature are executables (the file utility reports them as PE32), and the one that does not correspond to any legitimately mapped module is the injected bot, ready for static analysis with the tools from earlier in the series.
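To make the pivot above repeatable instead of a matter of reading screenshots, here is an added example that is not from the original post and not part of Volatility: it post-processes the three artifacts this tutorial produces, the connscan table, the apihooks report and the vaddump output directory. The connscan rows, the apihooks records and the .dmp files below are constructed sample data; only 193.104.41.75 and PID 856 come from the tutorial. The MZ/PE check is the same test the file utility applies, so the last part also works as a stand-alone triage for any vaddump or procdump output.

```python
"""Added triage helpers for this tutorial's Volatility 2 workflow (not part of
Volatility or the original post): parse what connscan and apihooks print and
what vaddump writes, so the pivot PID -> C2 -> hooks -> injected PE is scripted."""
import ipaddress
import os
import re
import struct
import tempfile

# connscan (XP/2003 images) prints one row per carved _TCPT_OBJECT:
#   Offset(P)  Local Address  Remote Address  Pid
CONNSCAN_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+(\d+)\s*$")

def parse_connscan(text):
    """Return (pid, local_ip, remote_ip, remote_port) for every data row."""
    rows = []
    for line in text.splitlines():
        m = CONNSCAN_ROW.match(line.strip())
        if m:
            lip, _lport, rip, rport, pid = m.groups()
            rows.append((int(pid), lip, rip, int(rport)))
    return rows

def external_peers(text):
    """Rows whose remote end is globally routable: the C2 candidates to pivot on."""
    return [(pid, rip, rport) for pid, _lip, rip, rport in parse_connscan(text)
            if ipaddress.ip_address(rip).is_global]

def unknown_module_hooks(text):
    """(function, hook address) for apihooks records whose JMP target is backed
    by no loaded module ('Hooking module: <unknown>'), i.e. injected memory."""
    hits = []
    for rec in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        func = re.search(r"^Function:\s+(\S+)", rec, re.M)
        addr = re.search(r"^Hook address:\s+(0x[0-9a-fA-F]+)", rec, re.M)
        mod = re.search(r"^Hooking module:\s+(.+?)\s*$", rec, re.M)
        if func and addr and mod and mod.group(1) == "<unknown>":
            hits.append((func.group(1), addr.group(1)))
    return hits

def looks_like_pe(path):
    """True if the file starts with an MZ header whose e_lfanew lands on 'PE\\0\\0'."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"

def pe_regions(dump_dir):
    """Names of vaddump outputs (*.dmp) carrying a PE image at offset 0."""
    return sorted(n for n in os.listdir(dump_dir)
                  if n.endswith(".dmp") and looks_like_pe(os.path.join(dump_dir, n)))

def write_sample_dumps(dump_dir):
    """Constructed stand-ins for vaddump output: a bare PE header and a zeroed page."""
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew -> signature at 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    files = {"svchost.exe.1e4b7a8.00400000-0040ffff.dmp": bytes(pe),
             "svchost.exe.1e4b7a8.00080000-0008ffff.dmp": bytes(0x200)}
    for name, data in files.items():
        with open(os.path.join(dump_dir, name), "wb") as f:
            f.write(data)

def demo_pe_regions():
    """Write the constructed dumps to a temp dir and return the PE-bearing names."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_dumps(d)
        return pe_regions(d)

# Constructed sample output; only 193.104.41.75 and PID 856 come from the tutorial.
SAMPLE_CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       193.104.41.75:80          856
0x06015ab0 127.0.0.1:1036            127.0.0.1:1037            4
"""
SAMPLE_APIHOOKS = """\
************************************************************************
Hook type: Inline/Trampoline
Process: 856 (svchost.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!LdrLoadDll at 0x7c9163a3
Hook address: 0xb1d2a7
Hooking module: <unknown>
************************************************************************
Hook type: Inline/Trampoline
Process: 856 (svchost.exe)
Victim module: kernel32.dll (0x7c800000 - 0x7c8f6000)
Function: kernel32.dll!CreateProcessW at 0x7c802332
Hook address: 0x7c80ac28
Hooking module: kernel32.dll
"""

if __name__ == "__main__":
    for pid, rip, rport in external_peers(SAMPLE_CONNSCAN):
        print(f"pivot on PID {pid}: talks to {rip}:{rport}")
    for func, addr in unknown_module_hooks(SAMPLE_APIHOOKS):
        print(f"inline hook {func} -> {addr} (target backed by no module)")
    print("PE-bearing regions:", demo_pe_regions())
```

Run it as-is to see the demo on the constructed data; on a real case, feed it the saved stdout of connscan and apihooks and the vaddump -D directory. The is_global filter is a heuristic: a C2 relay on a neighbouring internal host would be dropped by it, so review the full parse_connscan list whenever external_peers comes back empty.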

That's about it for this tutorial.

In this tutorial we analyzed the bot alone. The next one will reveal the whole botnet via the connection to the infected machine.
Preview: [screenshot]

ro0ted


 

 

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics

Volatility Analyzing the ZeuS Bot Part 2

 

 




8 Responses to #ro0ted #OpNewblood What the blackhats dont want you to know: Analyzing the ZeuS bot Part 2

  1. Pingback: What the blackhats dont want you to know: Analy...

    […] We see here the remote ip of the server aka botnet is 193.104.41.75 and we also see the Pid…

  2. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewbl...

    […]   […]

  3. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Infected Machine? Create a memory dump

    […] Start up your REMnux VM and follow my previous tutorial to analyze your memory dump to see what you…

  4. Is Part 3 of the ZeuS bot analysis out?

  5. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood You have pictures of your face on the internet right?

    […] Volatility Framework ~ Memory Forensics Volatility Analyzing the ZeuS Bot Part 2 Infected Machine? Create a memory dump What…

  6. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

    […] Volatility Framework ~ Memory Forensics Volatility Analyzing the ZeuS Bot Part 2 Infected Machine? Create a memory dump What…

  7. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want u to know: Memory Cloning + BE in Linux

    […] Volatility Framework ~ Memory Forensics Volatility Analyzing the ZeuS Bot Part 2 Infected Machine? Create a memory dump What…

  8. Pingback: Tutoriales sobre ingeniería inversa | Cyberhades

    […] Volatility Analyzing the ZeuS Bot Part 2 […]