[Vol-users] zeusscan2

shorejsi2 at mmm.com shorejsi2 at mmm.com
Tue Jan 28 09:40:14 CST 2014


Michael;

 Interesting:

$ python vol.py --plugins=contrib/plugins/malware  zeusscan2 -f 
~/Images/CA005040-HP8460/CA005040-HP8460-RAM.dd4.001 --profile=Win7SP1x86 
-p 2928
Volatility Foundation Volatility Framework 2.3.1
[a05p8zz at W0147206 volatility-2.3.1]$

 Ends relatively quickly with no output.

 Looking at 'strings' for the malfind output related to this process, I see 
all of the things I have come to know and love about Zeus:

00008A40  tellerplus
00008A58  bancline
00008A6C  fidelity
00008A80  micrsolv
00008A94  bankman
00008AA4  vantiv
00008AB4  episys
00008AC4  jack henry
00008ADC  cruisenet
00008AF0  gplusmain
00008B04  launchpadshell.exe
00008B2C  dirclt32.exe
00008B48  wtng.exe
00008B5C  prologue.exe
00008B78  silverlake
00008B90  pcsws.exe
00008BA4  v48d0250s1
00008BBC  fdmaster.exe
00008BD8  fastdoc

 And our FireEye infrastructure is screaming Zeus as well. 

 Thoughts? 


                        -=[ Steve ]=-



>> Hi Steve,  

>> The plugin may have encountered a bad size field, causing it to read 
too much data into memory at once. Can you do the following for me, 
please:

>> * Run zeusscan2 -p PID where PID is the process id for explorer.exe (we 
know Zeus injects explorer, so this will let us focus on just one process 
first)

>> * If you get the same memory-consumption behavior, run vadinfo -p PID 
and send me the output (offlist is fine)

>> * If you don't see the same behavior on explorer.exe, please run 
vadinfo across all processes (just vol.py vadinfo > results.txt) and send 
me that instead. 

>> Thanks!
>> Michael