
Lab 4: Memory Analysis

Scenario:
In this lab we will analyze the memory image of a Windows XP system that
was infected with the Zeus malware.

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of
Microsoft Windows. While it can be used to carry out many malicious and
criminal tasks, it is often used to steal banking information by man-in-the-browser
keystroke logging and form grabbing. It is also used to install the CryptoLocker
ransomware. Zeus is spread mainly through drive-by downloads and phishing
schemes. First identified in July 2007 when it was used to steal information from
the United States Department of Transportation. It became more widespread in
March 2009. In June 2009 security company Prevx discovered that Zeus had
compromised over 74,000 FTP accounts on websites of such companies as the
Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon,
and BusinessWeek.
Make sure that the "Volatility" utility is installed on Kali Linux and that
you have a memory image file of a Windows XP system infected by Zeus. The
memory image file can be downloaded from the following link.

STEP 1: Installing Volatility


Volatility is most probably installed by default in Kali Linux, but if it is not,
you can install it with the command below. Otherwise skip this step.

# apt-get install volatility

STEP 2: Getting image information

# volatility -f /root/zeus.vmem imageinfo

STEP 3: Scanning the image for running processes

# volatility -f /root/zeus.vmem --profile=WinXPSP2x86 psscan

STEP 4: Running connscan to look for suspicious open connections

# volatility -f /root/zeus.vmem --profile=WinXPSP2x86 connscan

If the output of this command shows a suspicious IP address, you can check
that address at http://www.malwareurl.com/listing-urls.php to see whether it
has been reported as malicious.
STEP 5: Checking the registry keys "Run" and "Winlogon" for suspicious
activity

# volatility -f /root/zeus.vmem --profile=WinXPSP2x86 printkey -K "Microsoft\Windows\CurrentVersion\Run"

# volatility -f /root/zeus.vmem --profile=WinXPSP2x86 printkey -K "Microsoft NT\CurrentVersion\Winlogon"

In the output of these commands look for any suspicious executable, then check
it online to find out whether it is linked to known malware.

STEP 6: Using "malfind" to show hidden code or injected processes

Create the directory /root/dump first; the -D option writes each suspicious
memory section of the process to a .dmp file in that directory.

# volatility -f /root/zeus.vmem --profile=WinXPSP2x86 malfind --pid=856 -D /root/dump

In the output of this command you will see "MZ", the first two bytes of the
DOS header of an executable file, which means that an executable has been
injected into the svchost.exe process.

STEP 7: Generating the MD5 hash of the injected code

# cd /root/dump
# md5sum process....b70000.dmp

The output is the MD5 hash of the dumped section. Copy the hash and check it
online on VirusTotal to see whether it is associated with Zeus.
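As an added example (not part of the lab handout), the following Python script checks the .dmp files that malfind writes for the MZ and PE headers described in steps 6 and 7 and computes the MD5 and SHA-256 hashes used for the online lookup; the dump directory path and the constructed sample header are assumptions.

```python
import hashlib
import os
import struct

def inspect_dump(data: bytes) -> dict:
    """Check a malfind dump for a PE header and hash it for lookup.

    The "MZ" magic at offset 0 and the "PE\\0\\0" signature at the offset
    stored in e_lfanew (DOS header offset 0x3C) together indicate that
    the injected region holds a whole executable, not just shellcode.
    """
    result = {
        "mz": False, "pe": False, "e_lfanew": None,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if len(data) >= 0x40 and data[:2] == b"MZ":
        result["mz"] = True
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        result["e_lfanew"] = e_lfanew
        # A slice past the end of data is short and simply fails to match.
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            result["pe"] = True
    return result

def scan_dump_dir(dump_dir: str) -> list:
    """Run inspect_dump over every .dmp file malfind wrote to dump_dir."""
    findings = []
    for name in sorted(os.listdir(dump_dir)):
        if name.endswith(".dmp"):
            with open(os.path.join(dump_dir, name), "rb") as fh:
                findings.append((name, inspect_dump(fh.read())))
    return findings

def build_sample_pe() -> bytes:
    """Constructed minimal PE-like header (not real malware) for testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew -> 0x80
    hdr += b"\0" * (0x80 - len(hdr))           # DOS stub padding
    hdr += b"PE\0\0" + b"\0" * 20              # PE signature + COFF header
    return bytes(hdr)

if __name__ == "__main__":
    # Assumed directory from step 6; falls back to the constructed sample.
    if os.path.isdir("/root/dump"):
        findings = scan_dump_dir("/root/dump")
    else:
        findings = [("sample.dmp", inspect_dump(build_sample_pe()))]
    for name, r in findings:
        print(name, "MZ" if r["mz"] else "--", "PE" if r["pe"] else "--", r["md5"])
```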

STEP 8: Using the "userassist" plugin to pull the UserAssist keys from the registry

# volatility -f /root/zeus.vmem --profile=WinXPSP2x86 userassist

In the output you will see that an executable was run from the Administrator's
desktop.
