This is a slightly more detailed version of Part 2 of Analyzing the ZeuS bot with Volatility. – https://twitter.com/ro0ted/
So by now you should know how to use vbox with REMnux.
Last tutorial: https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-remnux-volatility-framework/
Okay start up REMnux and sign in as root.
We start with the command like in the previous tutorial:
type: volatility -f 'zeus.vmem' imageinfo
Now type: volatility -f 'zeus.vmem' callbacks
Now we check for connections to the remote server.
type: volatility -f 'zeus.vmem' connscan
We see here that the remote IP of the server, aka the botnet, is 220.127.116.11,
and we also see the PID is 856. Write the PID down.
Now, to make sure this is indeed the botnet IP, Google it, as most of the time it is indexed as malicious:
Now remember the PID? Look out for it in the following processes.
Type: volatility -f 'zeus.vmem' psscan
Now show which process handles are held by that PID (handles of type Process):
type: volatility -f 'zeus.vmem' handles -p 856 -t Process
Now type: volatility -f 'zeus.vmem' apihooks -p 856
JMPs to an unknown location:
Now we can dump the embedded exe.
The vaddump plugin dumps the embedded exe from svchost.exe:
type: volatility -f zeus.vmem vaddump -p 856 -D /home/
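As an added example (not part of the original tutorial), here is a bash script that chains the steps above so the suspect PID is pulled out of the connscan output automatically instead of being read off a screenshot. It assumes Volatility 2 is installed as `volatility` (as on REMnux) and takes the image path, the remote IP and the dump directory as arguments; the connscan rows in `SAMPLE_CONNSCAN` are constructed sample values used only to check the parser offline.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: chain imageinfo -> connscan ->
# handles/apihooks -> vaddump for the process talking to a given remote IP.
# Assumes Volatility 2 is installed as `volatility` (as on REMnux).
set -eu

# Print the PID owning a connection to the given remote IP, parsed from connscan output.
# connscan rows look like:  <offset> <local ip:port> <remote ip:port> <pid>
pid_for_remote_ip() {
    awk -v ip="$1" '
        $4 ~ /^[0-9]+$/ && index($3, ip ":") == 1 { print $4; exit }
    '
}

# Pick the first profile that imageinfo suggests, so later plugins need not re-scan.
profile_from_imageinfo() {
    awk '/Suggested Profile/ { sub(/^.*: */, ""); split($0, a, /[ ,]/); print a[1]; exit }'
}

# Constructed connscan output (sample values, not from a real capture) used for offline checks.
SAMPLE_CONNSCAN='Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.237.128:1054       220.127.116.11:80         856
0x06015ab0 0.0.0.0:1056              203.0.113.5:80            1752'

# Full chain against a real image: $1 = memory image, $2 = remote IP, $3 = dump directory.
triage() {
    image="$1"; remote_ip="$2"; outdir="${3:-/home/}"
    profile=$(volatility -f "$image" imageinfo | profile_from_imageinfo)
    [ -n "$profile" ] || { echo "imageinfo suggested no profile" >&2; return 1; }
    pid=$(volatility -f "$image" --profile="$profile" connscan | pid_for_remote_ip "$remote_ip")
    [ -n "$pid" ] || { echo "no connection to $remote_ip in connscan output" >&2; return 1; }
    echo "profile=$profile suspect pid=$pid"
    volatility -f "$image" --profile="$profile" handles -p "$pid" -t Process
    volatility -f "$image" --profile="$profile" apihooks -p "$pid"
    mkdir -p "$outdir"
    volatility -f "$image" --profile="$profile" vaddump -p "$pid" -D "$outdir"
}

# Usage: ./zeus_triage.sh zeus.vmem 220.127.116.11 /home/
if [ "$#" -ge 2 ]; then triage "$@"; fi
```

The dumped VAD regions land in the given directory, where the one that holds the injected exe can then be picked out by its PE header.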
That's about it for this tutorial.
Volatility Analyzing the ZeuS Bot Part 2