Lab3 Memory Analysis
Scenario:
In this lab we are going to analyze the memory image of a Windows XP system that
was infected by the Zeus malware.
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of
Microsoft Windows. While it can be used to carry out many malicious and
criminal tasks, it is often used to steal banking information by man-in-the-browser
keystroke logging and form grabbing. It is also used to install the CryptoLocker
ransomware. Zeus is spread mainly through drive-by downloads and phishing
schemes. It was first identified in July 2007, when it was used to steal information
from the United States Department of Transportation, and it became more widespread
in March 2009. In June 2009 the security company Prevx discovered that Zeus had
compromised over 74,000 FTP accounts on the websites of companies such as
Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon,
and BusinessWeek.
You have to make sure that the utility “Volatility” is installed on Kali Linux, and
you should have a memory image file of a Windows XP system infected by Zeus. The
memory image file can be downloaded from the following link.
If the output of this command shows any suspicious IP address, you can look up
that IP address at http://www.malwareurl.com/listing-urls.php to see whether it has
been reported as suspicious.
STEP 5: Checking the registry keys “Run” and “Winlogon” for some
suspicious activity
In the output of these commands, look for any suspicious executable and then
check online whether it is linked to known malware.
In the output of this command you will see “MZ”, the file header (signature) of a
Windows executable, which means that an executable has been injected into svchost.
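The check described above can be reproduced on a dumped memory region: a real injected image has an “MZ” stub whose e_lfanew field points at a valid “PE\0\0” signature, whereas a stray “MZ” pair in data does not. The script below is an added example and is not part of the lab or of Volatility; the three-page region it scans is a constructed sample, and the scan reads from a file path if one is given on the command line.

```python
import struct
import sys

PAGE_SIZE = 0x1000          # injected images land on page boundaries


def find_pe_headers(buf, page_size=PAGE_SIZE):
    """Return (offset, machine, number_of_sections) for each page-aligned
    location in buf that carries a well-formed MZ/PE header.  A bare 'MZ'
    is not enough: e_lfanew must point inside the buffer and the PE
    signature must be present, which filters out false positives."""
    hits = []
    for off in range(0, len(buf) - 0x40 + 1, page_size):
        if buf[off:off + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        pe = off + e_lfanew
        # need the 4-byte signature plus the 20-byte COFF file header
        if e_lfanew < 0x40 or pe + 24 > len(buf):
            continue
        if buf[pe:pe + 4] != b"PE\x00\x00":
            continue
        machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
        hits.append((off, machine, nsections))
    return hits


def build_sample_region():
    """Constructed sample: page 0 holds a decoy 'MZ' with no PE signature,
    page 1 holds a minimal injected 32-bit PE header, page 2 is plain data."""
    decoy = b"MZ" + b"\x00" * (PAGE_SIZE - 2)        # e_lfanew == 0 -> rejected
    hdr = bytearray(PAGE_SIZE)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HH", hdr, 0x84, 0x014C, 3)    # IMAGE_FILE_MACHINE_I386, 3 sections
    data = b"\x41" * PAGE_SIZE
    return decoy + bytes(hdr) + data


if __name__ == "__main__":
    region = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_region()
    for off, machine, nsec in find_pe_headers(region):
        print("PE header at 0x%08x machine=0x%04x sections=%d" % (off, machine, nsec))
```

Running it on a region dumped from the suspect svchost process reports only offsets that carry a complete executable header, not every “MZ” byte pair.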
STEP 8: Using the “userassist” option to pull the UserAssist keys out of the registry
# volatility -f /root/zues.vmem --profile=WinXPSP2x86 userassist
In the output you will see that an executable was run from the Administrator's
desktop.