ZeuS v2 Malware Analysis - Part II
(Publication)
| ZeuS v2 Malware Analysis - Part II | |
|---|---|
| Botnet | |
| Malware | Zbot |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 |
| Editor/Conference | System Forensics |
| Link | http://www.sysforensics.org/2012/04/zeus-v2-malware-analysis-part-ii.html (archive copy) |
| Author | Patrick Olsen |
| Type | Publication |
Abstract
“ZeuS v2 Malware Analysis - Part II
Welcome back for Part II. I am going to be taking a look at memory forensics by way of Volatility.
Memory Forensics
Let's kick this section off by running the volatility command, "imageinfo". The imageinfo command does just that. It provides us the image information required so we can specify what profile to pass to volatility when we start running more commands against our image.
In our case this is what the results looked like:
So now we know that we are running Windows 7 Service Pack 1 on an x86 platform, which is correct. So when we run future commands we will specify --profile=Win7SP1x86.
When I am running volatility I will typically run pslist first. Let's do that and see what we can find.”
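The two steps the excerpt describes (read the suggested profile out of `imageinfo`, then pass it as `--profile` to `pslist`) are easy to script around. The following is an added example, not code from the article or from Volatility itself: it parses Volatility 2 text output, builds the follow-on command line, and does the first triage a practitioner does on a process list, which is reconstructing the parent/child tree and listing processes whose parent is no longer present. The `imageinfo` and `pslist` outputs embedded below are constructed for the example (the image path `/cases/zeus/memory.raw`, PIDs and timestamps are invented), not captures from the article's image.

```python
"""Helpers around Volatility 2 'imageinfo' and 'pslist' text output.

Added example, not code from the article. The sample outputs are
constructed to look like Volatility 2.x output; nothing here is a
capture from the article's memory image.
"""
import re

# Constructed imageinfo output (assumption, not from the article).
IMAGEINFO_OUTPUT = """\
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP1x86, Win7SP0x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/zeus/memory.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82970be8L
"""

# Constructed pslist output (assumption, not from the article). Columns are
# whitespace separated except the Start/Exit timestamps, which contain spaces.
PSLIST_OUTPUT = """\
 Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84db5940 System                    4      0     83      523 ------      0 2012-04-07 17:12:00 UTC+0000
0x8635e3f8 smss.exe                260      4      2       29 ------      0 2012-04-07 17:12:00 UTC+0000
0x86c1d030 csrss.exe               340    332      9      426      0      0 2012-04-07 17:12:01 UTC+0000
0x86c2a5a8 wininit.exe             380    332      3       76      0      0 2012-04-07 17:12:01 UTC+0000
0x86d3b920 explorer.exe           1456   1412     28      718      1      0 2012-04-07 17:12:20 UTC+0000
0x86e40d40 cmd.exe                1900   1456      1       21      1      0 2012-04-07 17:15:02 UTC+0000 2012-04-07 17:15:40 UTC+0000
"""


def suggested_profiles(imageinfo_text):
    """Return the profiles imageinfo suggests, in the order it lists them."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    if not m:
        raise ValueError("no 'Suggested Profile(s)' line in imageinfo output")
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def volatility_command(image_path, profile, plugin):
    """argv for a follow-on plugin run, e.g. pslist with --profile=Win7SP1x86."""
    return ["vol.py", "-f", image_path, "--profile=" + profile, plugin]


def _int_or_none(field):
    # pslist prints "------" for fields it cannot fill (e.g. Sess for System).
    return None if field.startswith("-") else int(field)


def parse_pslist(pslist_text):
    """Parse a pslist table into {pid: record}; header and separator are skipped."""
    procs = {}
    for line in pslist_text.splitlines():
        if not line.startswith("0x"):
            continue
        parts = line.split(None, 8)
        offset, name, pid, ppid, thds, hnds, sess, wow64 = parts[:8]
        # Each timestamp is three tokens: date, time, timezone. Exit is optional.
        tokens = parts[8].split() if len(parts) > 8 else []
        start = " ".join(tokens[:3]) if len(tokens) >= 3 else None
        exit_ = " ".join(tokens[3:6]) if len(tokens) >= 6 else None
        procs[int(pid)] = {
            "offset": int(offset, 16), "name": name,
            "pid": int(pid), "ppid": int(ppid),
            "threads": _int_or_none(thds), "handles": _int_or_none(hnds),
            "session": _int_or_none(sess), "wow64": wow64 == "1",
            "start": start, "exit": exit_,
        }
    return procs


def orphaned_processes(procs):
    """PIDs whose parent is absent from the listing (PID 0 parent excluded).

    On Windows 7 csrss.exe, wininit.exe and explorer.exe show up here
    legitimately because their parents exit after spawning them; anything
    else on this list deserves a closer look.
    """
    return sorted(p["pid"] for p in procs.values()
                  if p["ppid"] != 0 and p["ppid"] not in procs)


def children_of(procs, pid):
    """Direct children of a PID, for walking the process tree by hand."""
    return sorted(p["pid"] for p in procs.values() if p["ppid"] == pid)


if __name__ == "__main__":
    profile = suggested_profiles(IMAGEINFO_OUTPUT)[0]
    print(" ".join(volatility_command("/cases/zeus/memory.raw", profile, "pslist")))
    procs = parse_pslist(PSLIST_OUTPUT)
    for pid in orphaned_processes(procs):
        print("orphan: %-14s pid=%d ppid=%d" % (procs[pid]["name"], pid, procs[pid]["ppid"]))
    for pid in children_of(procs, 1456):
        print("child of explorer.exe: %s (exit=%s)" % (procs[pid]["name"], procs[pid]["exit"]))
```

The parser keys on lines beginning with `0x`, so it is unaffected by the banner and header text Volatility prints, and it keeps exited processes (those with an `Exit` time), which `pslist` still shows because it walks the active process list rather than scanning pool memory.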
Bibtex
@misc{2012BFR984,
  editor = {System Forensics},
  author = {Patrick Olsen},
  title = {ZeuS v2 Malware Analysis - Part II},
  date = {01},
  month = May,
  year = {2012},
  howpublished = {\url{http://www.sysforensics.org/2012/04/zeus-v2-malware-analysis-part-ii.html}},
}