:::success
# CCF Lab 3: Memory analysis
### Name: Daniil Sinelnik
This is part of the lab; everything else will follow by the end of the week.
:::
## Prerequisites:
:::warning
You have a memory image taken from a laptop that is suspected of being involved in
a serious e-banking incident. It is to be assumed that some malware could be on it. You
suspect it could be either Zeus or Gozi, as these two malware families were active in
the country at the time.
:::
## Task 1
:::info
Make yourself familiar with the malware families and what characteristics they have and how they can potentially be recognized. You can use files in
Desktop/Exercises/Documents.
:::
Zeus (also written ZeuS or Zbot) is a well-known banking trojan first seen in `2007`. Its purpose is to intercept credentials for online banking and `payment systems`; the stolen credentials are then used to transfer money out of the victims' accounts.
There is not a lot of general information about the Gozi family, but here is something that I have found.
It was developed by Russian malware authors. Its purpose was to find new ways to steal and profit from data that used to be considered safe from thieves because it was protected by SSL/TLS: Gozi hooks the browser's networking functions and reads form data before it is encrypted, so the protection of the transport layer does not help. The analysis that originally documented it set out to explain those theft mechanisms, but turned into an investigation of the growing trend of malware being sold not as a product but as a service; it eventually led to an alarming find and resulted in an active law-enforcement investigation.
**Zeus characteristics:**
- Zeus is a highly capable banking trojan aimed at financial institutions and their online-banking customers.
- Its distinguishing feature is credential theft: it logs keystrokes, takes screenshots, grabs submitted form data, and performs man-in-the-browser web injects that add fields to the bank's own login page and capture whatever the user types into them.
- It is usually delivered through phishing e-mails, trojanised downloads, or compromised websites (drive-by downloads).
- It is hard to spot: its command-and-control traffic and configuration file are encrypted, it injects itself into legitimate processes (for example `winlogon.exe`, `svchost.exe` or `explorer.exe`), and it persists through the usual Winlogon/Run registry keys while hiding its own files from the user.
- Many variants exist, especially since the source code leaked in 2011, but they have one thing in common: they exist to commit financial fraud and steal data.
**Gozi characteristics:**
- Gozi is a sophisticated banking trojan that steals sensitive data from banks and their customers.
- It uses polymorphic packing, so the code of each sample differs, rootkit capabilities to hide its components, and several tricks to evade security software.
- Its most dangerous feature is tampering with web traffic: it injects malicious content into legitimate banking pages and captures form data such as usernames, passwords and credit-card numbers before the browser encrypts it with SSL/TLS.
- It usually spreads through malicious links, phishing e-mails, or drive-by downloads hosted on compromised websites.
- It is not a one-trick pony: different Gozi versions add a backdoor for remote control of the machine and the ability to download further payloads onto it.
To recognise Zeus- or Gozi-like infections, analysts usually look at the following things:
- Suspicious network activity: connections to unknown domains or IP addresses that act as command-and-control servers, periodic beaconing, and configuration downloads.
- Abnormal behaviour on the host: the system becomes slower, unexpected command lines or processes are started, or programs access sensitive data (browser stores, credential files) they have no business with.
- Unknown files or processes with random names, processes with the wrong parent, or legitimate process names running from the wrong path; in a memory image, injected code and API hooks inside browser and system processes.
- Antivirus alerts.
## Task 2
:::info
Find out what could have happened: analyze the memory image and the registry
that was dumped too and is also available for investigation. Files are located in
Desktop/Exercises/images.
:::
## Task 3
:::info
Make a log of all your actions and put it into the report as an Investigator. In the
conclusion try to recreate a timeline about how the system was infected, describe the
malicious activity that was running on it, and identify suspects or other involved parties.
:::
## Task 4
:::info
Imagine a situation in which there was an incident on a PC (Windows) but this
suspected PC (Windows) is locked. What can you do to be able to produce live
forensics? What challenges do you have?
:::
1. Live forensics needs two kinds of tools: something that acquires volatile data from the running machine, such as `FTK Imager` or `EnCase`, and something that analyses the acquired memory image afterwards, such as `Volatility`. Run the acquisition tools from your own removable media, never from the suspect's disk, and hash every image as soon as it is written.
2. Boot from `USB`. Put a forensic OS such as `CAINE` or `Kali Linux` on a USB stick and boot the locked PC from it. This lets you image and examine the disk without writing to it, but it is no longer live forensics: rebooting discards the contents of RAM (running malware, network connections, encryption keys), and if the disk uses full-disk encryption the offline image is useless without the key. It also requires physical access and a firmware that allows booting from USB (Secure Boot or a firmware password may block it), so do it only after the volatile data has been collected.
3. With physical access you can try to get around the lock screen without rebooting: log in with another account that has local or domain administrator rights, or, if the machine has FireWire/Thunderbolt/PCIe ports and DMA protection is not enabled, read physical memory directly over DMA. Any attempt to bypass the authorization changes the system state and must be documented in the investigator log.
4. RAM acquisition and analysis. Keep the machine powered on (plug in the charger, do not let it sleep or hibernate), capture physical memory as early as possible, and then look at running processes, injected code, network connections and loaded drivers in the image.
* **Challenge 1:** If the suspect is a professional, the data may be encrypted and you have to find the key. Full-disk encryption keys are usually present in RAM while the machine is running, so capturing memory before powering off is the best chance to recover them.
* **Challenge 2:** The PC is locked, so the normal authorization has to be bypassed somehow. The most realistic option is to acquire RAM as described above, either through DMA or from another account, and analyse it; guessing the password is both unreliable and changes the system.
* **Challenge 3:** Data can be lost or altered while doing live forensics on the locked system, because every action (connecting a device, starting a tool) changes the memory you are trying to preserve. Follow the order of volatility, make as few changes as possible, use trusted tools from your own media, and record every step with a timestamp.
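As an added example for the "log of all your actions" required in Task 3 and the acquisition steps above (not part of the original report), the following Python script keeps an investigator log: every step is appended as one JSON line with a UTC timestamp, the host it was performed on and the SHA-256 and size of any artifact it produced, and the hashes can be re-verified later to prove the memory image was not altered. The investigator name, file names and the "memory image" built by `demo()` are assumptions and constructed data so the script runs offline.

```python
"""Investigator action log with evidence hashing for a live acquisition.
The artifact written by demo() is constructed test data, not a real memory image."""
import hashlib
import json
import os
import platform
import tempfile
import time


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; real memory images are several GB."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def log_action(log_path, investigator, action, artifact=None):
    """Append one action; the artifact (if any) is hashed at the moment it is logged."""
    entry = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "investigator": investigator,
        "host": platform.node(),   # the analysis workstation, recorded for the report
        "action": action,
    }
    if artifact is not None:
        entry["artifact"] = os.path.abspath(artifact)
        entry["size"] = os.path.getsize(artifact)
        entry["sha256"] = sha256_file(artifact)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def read_log(log_path):
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def verify_artifacts(log_path):
    """Recompute the hash of every logged artifact; returns {path: True/False}."""
    result = {}
    for entry in read_log(log_path):
        if "sha256" in entry:
            path = entry["artifact"]
            result[path] = os.path.exists(path) and sha256_file(path) == entry["sha256"]
    return result


def demo():
    """Run the workflow on a constructed image in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="ccf_lab3_")
    log_path = os.path.join(workdir, "investigator_log.jsonl")
    image = os.path.abspath(os.path.join(workdir, "memory.raw"))
    investigator = "Daniil Sinelnik"   # assumption: the report author
    log_action(log_path, investigator, "Connected own USB stick with acquisition tools")
    with open(image, "wb") as f:                      # constructed data, not a real dump
        f.write(b"constructed memory image, not real data\n" * 1024)
    first = log_action(log_path, investigator, "Acquired physical memory to memory.raw", image)
    ok_before = verify_artifacts(log_path)[image]
    with open(image, "ab") as f:                      # simulate later tampering
        f.write(b"tampered\n")
    ok_after = verify_artifacts(log_path)[image]
    return {"entries": len(read_log(log_path)), "hash": first["sha256"],
            "size": first["size"], "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log file is append-only JSON lines, so it can be pasted into the report as the action log and used as the source of the timeline; the hash recorded at acquisition time is what you compare against before every later analysis step (for example before loading the image into `Volatility`).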