Michael Hale Ligh
michael.hale at gmail.com
Tue Jan 28 09:47:47 CST 2014
Sure, if malfind identifies the injected code, but zeusscan2 doesn't dump
the RC4 keys, then you've just got a new Zeus variant (or not "new" per se,
but just one that we don't currently have a signature for).
To fix that, the injected Zeus code would need to be extracted and reversed
a bit to determine the proper instruction sequences which reference the RC4
Any chance you can still send the vadinfo output offlist, so I can look
into the memory consumption issue on the other process(es)?
On Tue, Jan 28, 2014 at 9:40 AM, <shorejsi2 at mmm.com> wrote:
> $ python vol.py --plugins=contrib/plugins/malware zeusscan2 -f
> ~/Images/CA005040-HP8460/CA005040-HP8460-RAM.dd4.001 --profile=Win7SP1x86
> -p 2928
> Volatility Foundation Volatility Framework 2.3.1
> [a05p8zz at W0147206 volatility-2.3.1]$
> Ends relatively quickly with no output.
> Looking at 'strings' for the malfind output relate to this process, I see
> all of the things I have come to know and love about Zeus:
> 00008A40 tellerplus
> 00008A58 bancline
> 00008A6C fidelity
> 00008A80 micrsolv
> 00008A94 bankman
> 00008AA4 vantiv
> 00008AB4 episys
> 00008AC4 jack henry
> 00008ADC cruisenet
> 00008AF0 gplusmain
> 00008B04 launchpadshell.exe
> 00008B2C dirclt32.exe
> 00008B48 wtng.exe
> 00008B5C prologue.exe
> 00008B78 silverlake
> 00008B90 pcsws.exe
> 00008BA4 v48d0250s1
> 00008BBC fdmaster.exe
> 00008BD8 fastdoc
> And our FireEye infrastructure is screaming Zeus as well.
> -=[ Steve ]=-
> >> Hi Steve,
> >> The plugin may have encountered a bad size field, causing it to read
> >> too much data into memory at once. Can you do the following for me, please:
> >> * Run zeusscan2 -p PID where PID is the process id for explorer.exe (we
> >> know Zeus injects explorer, so this will let us focus on just one process)
> >> * If you get the same memory-consumption behavior, run vadinfo -p PID
> >> and send me the output (offlist is fine)
> >> * If you don't see the same behavior on explorer.exe, please run
> >> vadinfo across all processes (just vol.py vadinfo > results.txt) and send
> >> me that instead.
> >> Thanks!
> >> Michael
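The failure mode Michael suspects above (a corrupt size field making the scanner pull far too much data into memory) is illustrated by this added example; it is not zeusscan2's or Volatility's code, and it assumes a hypothetical length-prefixed record layout (little-endian u32 size followed by that many payload bytes) and a constructed sample region.

```python
import struct
from typing import List, Tuple

# Assumed upper bound for a single record; anything larger is treated as
# a corrupt size field rather than something to read in one go.
HARD_CAP = 0x100000  # 1 MiB


def parse_records(region: bytes, hard_cap: int = HARD_CAP
                  ) -> Tuple[List[Tuple[int, bytes]], List[Tuple[int, int]]]:
    """Walk a region of [u32 size][payload] records.

    Returns (accepted records as (payload_offset, payload),
             rejected size fields as (field_offset, size)).
    A size is rejected when it is zero, exceeds hard_cap, or would run past
    the end of the region. In a real scanner the read would be something
    like address_space.read(addr, size); bounding `size` first is what
    stops a garbage field from turning into a multi-gigabyte read.
    """
    records: List[Tuple[int, bytes]] = []
    rejected: List[Tuple[int, int]] = []
    off = 0
    while off + 4 <= len(region):
        (size,) = struct.unpack_from("<I", region, off)
        if size == 0 or size > hard_cap or off + 4 + size > len(region):
            rejected.append((off, size))
            break  # no reliable way to resynchronise; stop the walk
        records.append((off + 4, region[off + 4:off + 4 + size]))
        off += 4 + size
    return records, rejected


def build_region(payloads: List[bytes], trailing_size: int = None) -> bytes:
    """Constructed test input: well-formed records, optionally followed by a
    bogus size field with no payload behind it."""
    out = b"".join(struct.pack("<I", len(p)) + p for p in payloads)
    if trailing_size is not None:
        out += struct.pack("<I", trailing_size)
    return out


if __name__ == "__main__":
    # Constructed sample using two of the strings seen in the malfind dump.
    sample = build_region([b"tellerplus", b"bancline"], trailing_size=0xFFFFFFFF)
    good, bad = parse_records(sample)
    for off, payload in good:
        print("%08X %s" % (off, payload.decode()))
    print("rejected size fields:", [(o, hex(s)) for o, s in bad])
```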