Malware analysis using Memory Forensics (Zeus Botnet)


                                                      MEMORY FORENSICS

Memory forensics is the forensic analysis of a computer's memory dump. Its primary application is
the investigation of advanced attacks that are stealthy enough to avoid leaving data on the
hard drive; in that case the contents of RAM must be captured and analysed for evidence.

                                                     Why Memory Forensics

• Processes and threads
• Malware (including rootkit technologies)
• Network sockets, URLs, IP addresses, events and IOCs (indicators of compromise)
• Open files, network shares
• User generated content
• Passwords, caches, clipboards
• Encryption keys, applications
• Hardware and software configuration
• Windows registry keys and event logs

                                                 Memory Analysis Advantages
  •  Best place to identify malicious software activity
  •  Study the running system configuration
  •  Identify inconsistencies in the system (for example a process that is linked from one structure but missing from another)
  •  Bypass packers, binary obfuscators, rootkits (including kernel mode) and other hiding tools, because code must be unpacked to execute
  •  Analyze and track recent activity on the system
  •  Profile user or attacker activities
  •  Collect evidence that cannot be found anywhere else:
  •  Memory-only malware
  •  Chat threads
  •  Internet activities
                                              Virtual Machine Memory Acquisition

VMware (Fusion/Workstation/Server/Player) : .vmem file = raw memory image (suspend or snapshot the VM to get a consistent file)
Microsoft Hyper-V                         : .bin file  = raw memory image
Parallels                                 : .mem file  = raw memory image
VirtualBox                                : .sav file  = partial memory image

                                                  TOOLS TO CAPTURE RAM

• LIVE system (RAM acquisition)
  win32dd.exe / win64dd.exe (MoonSols Windows Memory Toolkit)
  Belkasoft RAM Capturer
  Acquire as early as possible: every tool run on the live system overwrites some of the evidence it is collecting.
• DEAD system
  Hibernation file (hiberfil.sys)
  Contains a compressed RAM image that must be decompressed before analysis


                                                        Zeus / Zbot Overview

• Persistent banking trojan designed to steal credentials
• Many variants. A popular one does the following:
• Copies itself to %system32%\sdra64.exe
• Injects code into winlogon.exe or explorer.exe
• Further injects code into every process except csrss.exe and smss.exe
• Auto-start path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit value
• Creates local.ds and user.ds in %system32%\lowsec\
• Retrieves files (including its configuration) from the command and control server
• Mutant: _AVIRA_ followed by a numeric suffix
• Hooks over 50 system APIs

                                                                       IMAGE INFO
The imageinfo command identifies the operating system, service pack and hardware architecture (32 or 64 bit) of the sample, and also reports other useful information such as the DTB address and the time the sample was collected. The suggested profile it returns is what every later command is run with (--profile=...).


The connscan command finds artifacts from previous connections that have since been terminated, in addition to the active ones, by scanning physical memory for connection objects. A connection attributed to a PID that no longer appears in the process list is therefore possible and should be noted rather than discarded.


The pslist command lists the processes of the system and shows, for each one, the offset, process name, process ID, parent process ID, number of threads, number of handles, and the date/time when the process started and exited.

Here svchost.exe, rather than a web browser, is the process that owns the outbound connections, which is the first sign that code has been injected into it.


The malfind command finds hidden or injected code/DLLs in user-mode memory, based on characteristics such as the VAD tag and page permissions; with -D (--dump-dir) it writes each suspicious region to disk as process.<offset>.<address>.dmp.

                                                            HASHING THE DUMP

The two regions written out by malfind are hashed so they can be checked against known-bad hash sets and sandbox reports:
md5sum process.0x80ff88d8.0xb70000.dmp process.0x80ff88d8.0xcb0000.dmp 
59f1993ae96c0108f0fa224609f51a2f  process.0x80ff88d8.0xb70000.dmp
da295c2ce7c8741c2f16ff8d0f76efd3  process.0x80ff88d8.0xcb0000.dmp


To display the subkeys, values, data, and data types contained within a specified registry key, use the printkey command. By default, printkey searches all hives and prints the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key is printed for each hive that contains it.

You can see that "sdra64.exe" has been appended to the Userinit value after userinit.exe, so it is launched at every user logon.


This provides a lot of information about the user's activity.


To scan physical memory for KMUTANT objects with pool tag scanning, use the mutantscan command. By default, it displays all objects, but you can pass -s or --silent to only show named mutexes. The CID column contains the process ID and thread ID of the mutex owner if one exists.

Here we notice the named mutexes _AVIRA_2018 and _AVIRA_2019, which match the Zeus indicator listed in the overview above.
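The checks made by eye above (a non-browser process owning the connections, the extra entry in Userinit, the _AVIRA_ mutex, hashing of the dumped regions) can be scripted over the saved text output of the Volatility commands, which pays off when the same indicators from the Zeus overview have to be checked across many images. The following is an added example written for this page; it is not code from the article or from Volatility. The pslist, connscan and mutantscan samples it embeds are constructed, and every PID, offset and address in them is an assumption rather than a value from the author's image; the BROWSERS set and the hypothetical "<not in pslist>" label are also this example's own choices.

```python
# Added example, not code from the article or from Volatility: it re-creates, over
# captured Volatility 2 text output, the checks the walkthrough above makes by eye
# (connection owner vs. process list, the Userinit value, the _AVIRA_ mutex, hashing
# of dumped regions). Every value in the constructed samples below (PIDs, offsets,
# addresses) is an assumption, not taken from the author's memory image.
import hashlib
import re

# Constructed `vol.py pslist` output, trimmed to the columns that matter here.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x81a2b3c8 svchost.exe             856    676     29      336      0      0 2012-07-22 02:42:32
0x81b4c5d0 winlogon.exe            632    368     24      533      0      0 2012-07-22 02:42:31
0x81c6d7e8 explorer.exe           1724   1708     13      326      0      0 2012-07-22 02:42:36
0x81d8e9f0 iexplore.exe           2136   1724     11      295      0      0 2012-07-22 02:44:01
"""

# Constructed `vol.py connscan` output; PID 4444 has no pslist entry, which connscan
# can legitimately return because it also recovers terminated connections.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 10.0.0.5:1038             198.51.100.10:8080        856
0x023a8008 10.0.0.5:1037             203.0.113.7:8080          856
0x023d3890 10.0.0.5:1040             192.0.2.80:80             2136
0x0241a118 10.0.0.5:1041             198.51.100.10:8080        4444
"""

# Constructed names as `mutantscan -s` would list them.
MUTANT_NAMES = ["ShimCacheMutex", "_AVIRA_2018", "_AVIRA_2019", "_!MSFTHISTORY!_"]

# Constructed Winlogon\Userinit value with the Zeus entry appended after userinit.exe.
USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"

# Processes that are expected to own outbound HTTP connections (assumed list).
BROWSERS = frozenset({"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"})


def parse_pslist(text):
    """Map PID -> (name, PPID); header and separator lines do not start with 0x."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def parse_connscan(text):
    """List of (local, remote, pid) tuples from connscan output."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            conns.append((m.group(1), m.group(2), int(m.group(3))))
    return conns


def non_browser_connections(pslist_text, connscan_text, browsers=BROWSERS):
    """Connections owned by anything other than a browser, in connscan order.
    A PID missing from pslist is reported rather than dropped: the process may
    have exited (connscan still recovers its connections) or be hidden."""
    procs = parse_pslist(pslist_text)
    hits = []
    for local, remote, pid in parse_connscan(connscan_text):
        name = procs.get(pid, ("<not in pslist: exited or hidden>", None))[0]
        if name.lower() not in browsers:
            hits.append((pid, name, remote))
    return hits


def userinit_extra_entries(value):
    """Entries of the comma-separated Userinit value other than userinit.exe.
    The value normally holds only userinit.exe; Zeus appends its own copy."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def zeus_mutexes(names):
    """Named mutexes matching the _AVIRA_<digits> pattern from the overview."""
    pat = re.compile(r"^_AVIRA_\d+$")
    return sorted(n for n in names if pat.match(n))


def hash_dump(data):
    """Hashes of one dumped region plus whether it starts with a PE (MZ) header,
    which is what makes a malfind hit worth looking up in a known-bad hash set."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe_header": data[:2] == b"MZ",
    }


if __name__ == "__main__":
    for pid, name, remote in non_browser_connections(PSLIST, CONNSCAN):
        print(f"connection to {remote} owned by {name} (PID {pid})")
    print("Userinit extras:", userinit_extra_entries(USERINIT))
    print("Zeus mutexes:", zeus_mutexes(MUTANT_NAMES))
    print("dump hashes:", hash_dump(b"MZ\x90\x00" + b"\x00" * 60))
```

On a real case the three text constants are replaced by the files the commands were redirected into (for example vol.py ... pslist > pslist.txt), and hash_dump is applied to the bytes of each process.*.dmp file that malfind wrote. The PID-not-in-pslist branch is deliberate: because connscan also returns terminated connections, a missing owner is expected for old sockets but is worth a second look when the remote address is the same C2 that a live process is talking to.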


V Dhanunjaya

IT Security and Cyber Forensic Analyst