Michael;
Interesting:
$ python vol.py --plugins=contrib/plugins/malware zeusscan2 -f ~/Images/CA005040-HP8460/CA005040-HP8460-RAM.dd4.001 --profile=Win7SP1x86 -p 2928
Volatility Foundation Volatility Framework 2.3.1
[a05p8zz@W0147206 volatility-2.3.1]$
Ends relatively quickly with no output.
Looking at 'strings' for the malfind output related to this process, I see
all of the things I have come to know and love about Zeus:
00008A40 tellerplus
00008A58 bancline
00008A6C fidelity
00008A80 micrsolv
00008A94 bankman
00008AA4 vantiv
00008AB4 episys
00008AC4 jack henry
00008ADC cruisenet
00008AF0 gplusmain
00008B04 launchpadshell.exe
00008B2C dirclt32.exe
00008B48 wtng.exe
00008B5C prologue.exe
00008B78 silverlake
00008B90 pcsws.exe
00008BA4 v48d0250s1
00008BBC fdmaster.exe
00008BD8 fastdoc
And our FireEye infrastructure is screaming Zeus as well.
Thoughts?
-=[ Steve ]=-
> Hi Steve,
>
> The plugin may have encountered a bad size field, causing it to read
> too much data into memory at once. Can you do the following for me,
> please:
>
> * Run zeusscan2 -p PID where PID is the process id for explorer.exe (we
>   know Zeus injects explorer, so this will let us focus on just one
>   process first)
> * If you get the same memory-consumption behavior, run vadinfo -p PID
>   and send me the output (offlist is fine)
> * If you don't see the same behavior on explorer.exe, please run
>   vadinfo across all processes (just vol.py vadinfo > results.txt) and
>   send me that instead.
>
> Thanks!
> Michael
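The check Steve describes above, running strings over a malfind dump and eyeballing it for the Zeus target list, as an added example that is not code from this thread or from the Volatility project. It extracts printable ASCII and UTF-16LE runs with their offsets (the way `strings -t x` does), matches them case-insensitively against the target names quoted in the mail, and reports how many of the list a region carries, so one dump file can be told apart from a benign region that merely mentions a bank. The `build_sample_region` bytes are constructed for the demo and are not data from the image; the `report`/`score` helper names are this example's own.

```python
import re
import sys

# Target-application strings quoted in Steve's strings output above; a Zeus
# config carries such a list of banking/teller software to watch for.
ZEUS_TARGETS = [
    "tellerplus", "bancline", "fidelity", "micrsolv", "bankman", "vantiv",
    "episys", "jack henry", "cruisenet", "gplusmain", "launchpadshell.exe",
    "dirclt32.exe", "wtng.exe", "prologue.exe", "silverlake", "pcsws.exe",
    "v48d0250s1", "fdmaster.exe", "fastdoc",
]

MIN_LEN = 4
# Printable ASCII runs, and the same runs encoded as UTF-16LE (char, NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run in `data`,
    the way `strings -t x -e s` and `strings -t x -e l` would."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_targets(data, targets=ZEUS_TARGETS):
    """Return sorted (offset, encoding, target) tuples for each extracted
    string that contains one of the target names (case-insensitive)."""
    hits = []
    for off, enc, text in extract_strings(data):
        low = text.lower()
        hits.extend((off, enc, t) for t in targets if t in low)
    return sorted(hits)


def score(data, targets=ZEUS_TARGETS):
    """(distinct targets seen, targets in list): a crude way to tell a region
    carrying a Zeus target list from one that merely mentions a bank name."""
    seen = {t for _, _, t in find_targets(data, targets)}
    return len(seen), len(targets)


def build_sample_region():
    """Constructed stand-in for a malfind dump; not data from the thread."""
    buf = bytearray(b"\x00" * 0x40)
    buf += b"MZ\x90\x00" + b"\x00" * 0x2c                 # fake header, 0x30 bytes
    buf += b"bankman\x00"                                 # ASCII target at 0x70
    buf += b"\x00" * 8
    buf += "launchpadshell.exe".encode("utf-16-le") + b"\x00\x00"  # UTF-16 at 0x80
    buf += b"\x00" * 10
    buf += b"notepad.exe\x00"                             # benign string at 0xb0
    buf += b"\x00" * 0x44
    return bytes(buf)


def report(data):
    """Format hits like the strings output in the mail: offset, then text."""
    return [f"{off:08X} {enc:8} {t}" for off, enc, t in find_targets(data)]


if __name__ == "__main__":
    # Pass one or more files written by malfind's dump-dir option; with no
    # arguments the constructed sample region is scanned instead.
    paths = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in paths] or [("<sample>", build_sample_region())]
    for name, blob in blobs:
        n, total = score(blob)
        print(f"{name}: {n}/{total} Zeus targets")
        for line in report(blob):
            print("  " + line)
```

Point it at the files malfind writes with --dump-dir for PID 2928 (or for explorer.exe, per Michael's suggestion). The UTF-16LE pass matters because Zeus keeps some of its process and window names as wide strings, which a plain ASCII `strings` run silently drops; substring matching is deliberate so that "jack henry" still hits inside a longer window title.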