# Zeus Malware - Volatility Memory Analysis
Zeus, also known as Zbot, is a type of malware designed to steal confidential information from infected computers. It is usually distributed through phishing emails and malicious websites, and it is able to install itself silently on the victim's computer.
Once installed, Zeus can capture sensitive information such as banking passwords, credit card data and other login credentials. It can also spread to other computers on the same network and execute remote commands, making the machine part of a botnet.
Zeus was once considered one of the most dangerous and hardest-to-detect malware families, because its developers update it constantly to evade antivirus detection. Keeping antivirus software and the operating system up to date, and avoiding clicking on links or downloading files from untrusted sources, are the basic protections against Zeus and other malware.
### Analyzing RAM infected by the Zeus malware:
1. Determining the memory profile:
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:03:45]
└─[0] <> vol.py -f zeus.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/mac/Desktop/zeus.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80544ce0L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2010-08-15 19:17:56 UTC+0000
Image local date and time : 2010-08-15 15:17:56 -0400
```
2. Checking processes:
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:10:10]
└─[0] <> vol.py -f zeus.vmem pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System 4 0 58 379 ------ 0
0xff2ab020 smss.exe 544 4 3 21 ------ 0 2010-08-11 06:06:21 UTC+0000
0xff1ecda0 csrss.exe 608 544 10 410 0 0 2010-08-11 06:06:23 UTC+0000
0xff1ec978 winlogon.exe 632 544 24 536 0 0 2010-08-11 06:06:23 UTC+0000
0xff247020 services.exe 676 632 16 288 0 0 2010-08-11 06:06:24 UTC+0000
0xff255020 lsass.exe 688 632 21 405 0 0 2010-08-11 06:06:24 UTC+0000
0xff218230 vmacthlp.exe 844 676 1 37 0 0 2010-08-11 06:06:24 UTC+0000
0x80ff88d8 svchost.exe 856 676 29 336 0 0 2010-08-11 06:06:24 UTC+0000
0xff217560 svchost.exe 936 676 11 288 0 0 2010-08-11 06:06:24 UTC+0000
0x80fbf910 svchost.exe 1028 676 88 1424 0 0 2010-08-11 06:06:24 UTC+0000
0xff22d558 svchost.exe 1088 676 7 93 0 0 2010-08-11 06:06:25 UTC+0000
0xff203b80 svchost.exe 1148 676 15 217 0 0 2010-08-11 06:06:26 UTC+0000
0xff1d7da0 spoolsv.exe 1432 676 14 145 0 0 2010-08-11 06:06:26 UTC+0000
0xff1b8b28 vmtoolsd.exe 1668 676 5 225 0 0 2010-08-11 06:06:35 UTC+0000
0xff1fdc88 VMUpgradeHelper 1788 676 5 112 0 0 2010-08-11 06:06:38 UTC+0000
0xff143b28 TPAutoConnSvc.e 1968 676 5 106 0 0 2010-08-11 06:06:39 UTC+0000
0xff25a7e0 alg.exe 216 676 8 120 0 0 2010-08-11 06:06:39 UTC+0000
0xff364310 wscntfy.exe 888 1028 1 40 0 0 2010-08-11 06:06:49 UTC+0000
0xff38b5f8 TPAutoConnect.e 1084 1968 1 68 0 0 2010-08-11 06:06:52 UTC+0000
0x80f60da0 wuauclt.exe 1732 1028 7 189 0 0 2010-08-11 06:07:44 UTC+0000
0xff3865d0 explorer.exe 1724 1708 13 326 0 0 2010-08-11 06:09:29 UTC+0000
0xff3667e8 VMwareTray.exe 432 1724 1 60 0 0 2010-08-11 06:09:31 UTC+0000
0xff374980 VMwareUser.exe 452 1724 8 207 0 0 2010-08-11 06:09:32 UTC+0000
0x80f94588 wuauclt.exe 468 1028 4 142 0 0 2010-08-11 06:09:37 UTC+0000
0xff224020 cmd.exe 124 1668 0 -------- 0 0 2010-08-15 19:17:55 UTC+0000 2010-08-15 19:17:56 UTC+0000
```
3. Analyzing network connections: *** Connection to IP 193.104.41.75 through process 856
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:11:27]
└─[0] <> vol.py -f zeus.vmem connscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054 193.104.41.75:80 856
0x06015ab0 0.0.0.0:1056 193.104.41.75:80 856
```
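The connscan output only gives a PID, so the analyst has to look the PID up in pslist by hand (856 is svchost.exe, child of services.exe 676). The following Python, an added example that is not part of the original write-up, automates that join over the two outputs: it parses a subset of the pslist and connscan text shown above, attaches process and parent names to each connection, and reports the unique remote hosts that need WHOIS/threat-intel enrichment. Because connscan carves connection objects from physical memory, it can also return connections whose process is no longer in pslist; the constructed row for PID 2048 / 10.9.8.7 (not from the image) shows how such orphans are flagged.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the pslist and connscan output shown above,
# plus one made-up connscan row (PID 2048 -> 10.9.8.7) to exercise the
# "process no longer in pslist" case.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -----
0x810b1660 System                    4      0     58      379 ------      0
0xff247020 services.exe            676    632     16      288      0      0 2010-08-11 06:06:24 UTC+0000
0x80ff88d8 svchost.exe             856    676     29      336      0      0 2010-08-11 06:06:24 UTC+0000
0xff3865d0 explorer.exe           1724   1708     13      326      0      0 2010-08-11 06:09:29 UTC+0000
"""

CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       193.104.41.75:80          856
0x06015ab0 0.0.0.0:1056              193.104.41.75:80          856
0x0ab0c0de 172.16.176.143:1099       10.9.8.7:443              2048
"""

Proc = namedtuple("Proc", "offset name pid ppid")
Conn = namedtuple("Conn", "local remote pid")


def parse_pslist(text):
    """Map PID -> Proc from pslist text; only the first four columns are needed."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b", line)
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = Proc(offset, name, int(pid), int(ppid))
    return procs


def parse_connscan(text):
    """List Conn records from connscan text."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+:\d+)\s+(\S+:\d+)\s+(\d+)\s*$", line)
        if m:
            local, remote, pid = m.groups()
            conns.append(Conn(local, remote, int(pid)))
    return conns


def correlate(pslist_text, connscan_text):
    """Attach process and parent names to every connection.

    connscan carves connection structures out of physical memory, so it can
    return connections whose owning process is gone from pslist (exited or
    unlinked); those come back with process None and orphaned=True.
    """
    procs = parse_pslist(pslist_text)
    rows = []
    for c in parse_connscan(connscan_text):
        proc = procs.get(c.pid)
        parent = procs.get(proc.ppid) if proc else None
        rows.append({
            "pid": c.pid,
            "process": proc.name if proc else None,
            "parent": f"{parent.name} ({parent.pid})" if parent else None,
            "local": c.local,
            "remote": c.remote,
            "orphaned": proc is None,
        })
    return rows


def remote_hosts(rows):
    """Unique remote IPs: the list to enrich with WHOIS / threat intel."""
    return sorted({r["remote"].rsplit(":", 1)[0] for r in rows})


if __name__ == "__main__":
    rows = correlate(PSLIST_SAMPLE, CONNSCAN_SAMPLE)
    for row in rows:
        print(row)
    print("remote hosts to enrich:", remote_hosts(rows))
```

On the real image the svchost.exe row is not suspicious by itself (svchost hosts Windows Update and BITS, which do talk HTTP); what makes it a lead is the remote address, which is why the unique-host list feeds the WHOIS step that follows.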
4. Checking WHOIS for IP 193.104.41.75 (note that the command below was typed with 192.104.41.75, so the record returned describes that /24 and not the 193.104.41.75 host seen in connscan; the lookup has to be repeated with the correct address):
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:12:32]
└─[0] <> whois 192.104.41.75
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer: whois.arin.net
inetnum: 192.0.0.0 - 192.255.255.255
organisation: Administered by ARIN
status: LEGACY
whois: whois.arin.net
changed: 1993-05
source: IANA
# whois.arin.net
NetRange: 192.104.41.0 - 192.104.41.255
CIDR: 192.104.41.0/24
NetName: RIPE-ERX-192-104-41-0
NetHandle: NET-192-104-41-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Early Registrations, Transferred to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2005-02-28
Updated: 2005-02-28
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
Ref: https://rdap.arin.net/registry/ip/192.104.41.0
ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE
ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN
# whois.ripe.net
inetnum: 192.104.41.0 - 192.104.41.255
netname: TICINOCOM-ASGN1
descr: Ticinocom SA
country: CH
admin-c: TCOM-RIPE
tech-c: TCOM-RIPE
status: LEGACY
mnt-by: CH-MIC-NET-MNT
mnt-by: TICINOCOM-MNT
mnt-routes: TICINOCOM-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2019-12-04T13:03:41Z
source: RIPE
role: Ticinocom SA
address: Ticinocom SA
address: Via Stazione 5
address: CH-6600 Muralto
address: Switzerland
org: ORG-IL3-RIPE
phone: +41 91 22 00 000
fax-no: +41 91 22 00 010
abuse-mailbox: abuse@ticino.com
remarks: ========================================================
remarks: Spam and abuse issues : abuse@ticino.com
remarks: ========================================================
admin-c: KHF2-RIPE
tech-c: KHF2-RIPE
nic-hdl: TCOM-RIPE
mnt-by: TICINOCOM-MNT
created: 2011-05-04T07:58:52Z
last-modified: 2014-02-24T09:14:50Z
source: RIPE # Filtered
% Information related to '192.104.41.0/24AS12620'
route: 192.104.41.0/24
descr: MIC-NET
descr: Provider: Ticinocom SA
origin: AS12620
mnt-by: TICINOCOM-MNT
created: 2008-10-22T07:24:07Z
last-modified: 2011-05-26T12:48:39Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.106 (SHETLAND)
```
5. Checking for anomalies at system startup, i.e. whether there are suspicious registry entries: *** SUSPICIOUS **C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe**
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:14:43]
└─[0] <> vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-15 19:17:23 UTC+0000
Subkeys:
(S) GPExtensions
(S) Notify
(S) SpecialAccounts
(V) Credentials
Values:
REG_DWORD AutoRestartShell : (S) 1
REG_SZ DefaultDomainName : (S) BILLY-DB5B96DD3
REG_SZ DefaultUserName : (S) Administrator
REG_SZ LegalNoticeCaption : (S)
REG_SZ LegalNoticeText : (S)
REG_SZ PowerdownAfterShutdown : (S) 0
REG_SZ ReportBootOk : (S) 1
REG_SZ Shell : (S) Explorer.exe
REG_SZ ShutdownWithoutLogon : (S) 0
REG_SZ System : (S)
REG_SZ Userinit : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ VmApplet : (S) rundll32 shell32,Control_RunDLL "sysdm.cpl"
REG_DWORD SfcQuota : (S) 4294967295
REG_SZ allocatecdroms : (S) 0
REG_SZ allocatedasd : (S) 0
REG_SZ allocatefloppies : (S) 0
REG_SZ cachedlogonscount : (S) 10
REG_DWORD forceunlocklogon : (S) 0
REG_DWORD passwordexpirywarning : (S) 14
REG_SZ scremoveoption : (S) 0
REG_DWORD AllowMultipleTSSessions : (S) 1
REG_EXPAND_SZ UIHost : (S) logonui.exe
REG_DWORD LogonType : (S) 1
REG_SZ Background : (S) 0 0 0
REG_SZ AutoAdminLogon : (S) 0
REG_SZ DebugServerCommand : (S) no
REG_DWORD SFCDisable : (S) 0
REG_SZ WinStationsDisabled : (S) 0
REG_DWORD HibernationPreviouslyEnabled : (S) 1
REG_DWORD ShowLogonOptions : (S) 0
REG_SZ AltDefaultUserName : (S) Administrator
REG_SZ AltDefaultDomainName : (S) BILLY-DB5B96DD3
```
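The Userinit finding above comes from comparing the value against what a clean Windows XP install has (`userinit.exe` alone, with its trailing comma). The following Python is an added example, not part of the original write-up: it parses the `Values:` lines of the printkey output (a constructed subset of the output above) and reports every Winlogon value that carries entries beyond the clean defaults. The `EXPECTED` table is the editor's list of XP defaults for the three Winlogon values most often hijacked (Shell, Userinit, UIHost); extend it for other Windows versions.

```python
import re

# Constructed sample: the relevant lines of the Winlogon printkey output above.
WINLOGON_SAMPLE = r"""
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_EXPAND_SZ UIHost          : (S) logonui.exe
REG_SZ        AutoAdminLogon  : (S) 0
"""

# Clean Windows XP defaults for the Winlogon values malware most often hijacks
# (lower-cased; Windows compares these paths case-insensitively).
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
    "UIHost": {"logonui.exe"},
}

# printkey value line: <type> <name> : (S|V) <data>
VALUE_RE = re.compile(r"^\s*(REG_\w+)\s+(\S+)\s*:\s*\([SV]\)\s*(.*)$")


def parse_printkey_values(text):
    """Return {value name: data} from the 'Values:' section of printkey output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            _vtype, name, data = m.groups()
            values[name] = data.strip()
    return values


def split_entries(data):
    # Winlogon values are comma-separated lists; a trailing comma is normal on XP,
    # so empty entries are dropped rather than reported.
    return [e.strip().lower() for e in data.split(",") if e.strip()]


def check_winlogon(text):
    """List (value name, extra entries) for every Winlogon value with data
    outside the clean defaults; an empty list means nothing was added."""
    findings = []
    values = parse_printkey_values(text)
    for name, expected in EXPECTED.items():
        if name in values:
            extra = [e for e in split_entries(values[name]) if e not in expected]
            if extra:
                findings.append((name, extra))
    return findings


if __name__ == "__main__":
    for name, extra in check_winlogon(WINLOGON_SAMPLE):
        print(f"SUSPICIOUS {name}: extra entries {extra}")
```

Userinit is attractive to malware because winlogon.exe runs every entry in the list at each interactive logon, so `sdra64.exe` starts before the user even sees the desktop; the same check applied to Shell and UIHost catches the other two common variants of this trick.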
6. Searching for sdra64.exe on Google:

7. malfind can be used to find hidden executable code in system memory: memory regions whose protection and contents (for example a private, executable-writable region holding a PE header) suggest code that malware has placed there to stay persistent on the machine. It also helps identify malicious processes that are trying to hide, or code that has been injected into legitimate system processes.
```
vol.py -f zeus.vmem malfind --dump-dir evidencias/
```
8. Grepping for process 856 and checking the extracted address:
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:24:31]
└─[0] <> vol.py -f zeus.vmem malfind -p 856
Volatility Foundation Volatility Framework 2.6.1
Process: svchost.exe Pid: 856 Address: 0xb70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00b70000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00b70010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00b70020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00b70030 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 ................
```
9. Taking the MD5 hash of the extracted process and submitting it to VirusTotal:
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:30:57]
└─[0] <> vol.py -f zeus.vmem malfind --dump-dir evidencias | grep 856
Volatility Foundation Volatility Framework 2.6.1
Process: svchost.exe Pid: 856 Address: 0xb70000
Process: svchost.exe Pid: 856 Address: 0xcb0000
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:31:18]
└─[0] <> md5 evidencias/process.0x80ff88d8.0xb70000.dmp
MD5 (evidencias/process.0x80ff88d8.0xb70000.dmp) = 59f1993ae96c0108f0fa224609f51a2f
```
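Steps 7 to 9 read the malfind output by eye: the `PAGE_EXECUTE_READWRITE` protection, the `MZ` bytes at the start of the region, and then the hash of the dumped file. The following Python is an added example, not part of the original write-up or of Volatility: it parses the text output of `malfind` (a constructed copy of the PID 856 region above), rebuilds the displayed bytes from the hex dump, and checks the two signs of an injected PE image, an `MZ` signature and a plausible `e_lfanew` at offset 0x3c (here 0xd0, the offset of the PE header). The MD5 it computes covers only the 64 bytes malfind prints; the hash of the full artefact is the one taken on the `.dmp` file as in step 9.

```python
import hashlib
import re
import struct

# Constructed sample: the malfind output for PID 856 shown above.
MALFIND_SAMPLE = """\
Process: svchost.exe Pid: 856 Address: 0xb70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00b70000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00b70010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00b70020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00b70030 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 ................
"""

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection:\s+(PAGE_\w+)")
# 16 hex bytes, each followed by whitespace; the ASCII column after them is ignored.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s){16})")


def parse_malfind(text):
    """Split malfind text into regions: process, pid, address, protection, bytes."""
    regions = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": None, "data": b""}
            regions.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Vad Tag"):
            m = PROT_RE.search(line)
            if m:
                cur["protection"] = m.group(1)
            continue
        m = HEX_RE.match(line)
        if m:
            cur["data"] += bytes.fromhex(m.group(1))  # fromhex skips the spaces
    return regions


def triage(region):
    """Score one region: RWX protection plus an MZ/e_lfanew pair means a PE image
    living in private memory, which is what injected code looks like."""
    data = region["data"]
    is_mz = data[:2] == b"MZ"
    e_lfanew = None
    if is_mz and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return {
        "pid": region["pid"],
        "process": region["process"],
        "address": hex(region["address"]),
        "rwx": region["protection"] == "PAGE_EXECUTE_READWRITE",
        "looks_like_pe": is_mz and e_lfanew is not None and e_lfanew < 0x1000,
        "e_lfanew": e_lfanew,
        "md5_of_shown_bytes": hashlib.md5(data).hexdigest(),
    }


def triage_malfind(text):
    return [triage(r) for r in parse_malfind(text)]


if __name__ == "__main__":
    for row in triage_malfind(MALFIND_SAMPLE):
        print(row)
```

A region that is RWX but has no MZ header is not cleared by this check; shellcode and unpacked stubs have no PE header at all, so such regions still need a look at the disassembly before they are dismissed.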
10. Submitted to VirusTotal:

11. Searching for MUTEXes:
The mutantscan plugin is a useful tool for memory analysis of compromised systems, especially for identifying suspicious behaviour patterns in malicious processes. It helps show how mutants (mutexes) are used on a system and single out the unusual ones, which can indicate a malware infection.
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:35:37]
└─[2] <> vol.py -f zeus.vmem mutantscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) #Ptr #Hnd Signal Thread CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x00000000000962c0 1 1 1 0x00000000
0x00000000007c0840 1 1 1 0x00000000
0x00000000009d86e0 1 1 1 0x00000000
0x00000000009d90d8 1 1 1 0x00000000
0x0000000000eda878 1 1 1 0x00000000
0x0000000000edae88 1 1 1 0x00000000
0x000000000105a278 1 1 1 0x00000000
0x000000000105a2e8 1 1 1 0x00000000
0x000000000105aa38 7 6 1 0x00000000 _!MSFTHISTORY!_
0x000000000105acf0 2 1 0 0xff3ba880 888:912 wscntfy_mtx
0x000000000105e900 1 1 1 0x00000000
0x0000000001061fe0 2 1 1 0x00000000 542B5ABE01CB391B000003A82
0x00000000010633b8 2 1 1 0x00000000 msgina: InteractiveLogonRequestMutex
0x0000000001066480 2 1 1 0x00000000 PerfOS_Perf_Library_Lock_PID_684
0x00000000010669d0 2 1 1 0x00000000 winlogon: Logon UserProfileMapping Mutex
0x0000000001066bd0 2 1 1 0x00000000 PerfProc_Perf_Library_Lock_PID_684
0x00000000010676d8 2 1 1 0x00000000 RemoteAccess_Perf_Library_Lock_PID_684
0x0000000001067d60 1 1 1 0x00000000
0x0000000001069fa8 2 1 1 0x00000000 WmiApRpl_Perf_Library_Lock_PID_684
0x000000000106fb60 3 2 1 0x00000000 WininetProxyRegistryMutex
0x0000000001070380 2 1 1 0x00000000 Spooler_Perf_Library_Lock_PID_684
0x00000000010719b0 2 1 1 0x00000000 ContentFilter_Perf_Library_Lock_PID_684
0x0000000001071e40 1 1 1 0x00000000
0x000000000107a2b0 2 1 1 0x00000000 54D23F5A01CB391B0000047C2
0x000000000107b290 2 1 1 0x00000000 c:!windows!system32!config!systemprofile!cookies!
0x000000000107c200 1 1 1 0x00000000
0x000000000108af60 1 1 1 0x00000000
0x0000000001093568 1 1 1 0x00000000
0x0000000001093c10 1 1 1 0x00000000
0x0000000001093c90 4 3 1 0x00000000 ZonesLockedCacheCounterMutex
0x00000000010af880 1 1 1 0x00000000
0x00000000010b7f68 1 1 1 0x00000000
0x00000000010bb748 1 1 1 0x00000000
0x00000000010bb7b8 1 1 1 0x00000000
0x00000000010bbf10 2 1 1 0x00000000 Tcpip_Perf_Library_Lock_PID_684
0x00000000010bc140 2 1 1 0x00000000 MSDTC_Perf_Library_Lock_PID_684
0x00000000010bc550 2 1 1 0x00000000 PerfDisk_Perf_Library_Lock_PID_684
0x00000000010bc750 2 1 1 0x00000000 PerfNet_Perf_Library_Lock_PID_684
0x00000000010bc7f8 1 1 1 0x00000000
0x00000000010bcc38 2 1 1 0x00000000 TapiSrv_Perf_Library_Lock_PID_684
0x00000000010bed60 2 1 1 0x00000000 TermService_Perf_Library_Lock_PID_684
0x00000000010c2c60 1 1 1 0x00000000
0x00000000010c2cd0 1 1 1 0x00000000
0x00000000010c46f0 1 1 1 0x00000000
0x00000000010c7cf0 1 1 1 0x00000000
0x00000000010c9898 4 3 1 0x00000000 ZonesCounterMutex
0x00000000010d4030 2 1 1 0x00000000 ISAPISearch_Perf_Library_Lock_PID_684
0x00000000010d61e8 2 1 1 0x00000000 userenv: User Registry policy mutex
0x00000000010d7de8 1 1 1 0x00000000
0x00000000010d9a50 2 1 1 0x00000000 53AF607601CB391B000002A42
0x00000000010dd398 2 1 1 0x00000000 ContentIndex_Perf_Library_Lock_PID_684
0x000000000110c530 1 1 1 0x00000000
0x0000000001113cc8 1 1 1 0x00000000
0x0000000001116218 1 1 1 0x00000000
0x0000000001119730 2 1 1 0x00000000 RAS_MO_02
0x000000000111bfe0 1 1 1 0x00000000
0x000000000111eb40 2 1 1 0x00000000 c:!windows!system32!config!systemprofile!local settings!history!history.ie5!
0x00000000011211a8 4 3 1 0x00000000 ZonesCacheCounterMutex
0x000000000112cad0 1 1 1 0x00000000
0x000000000112d0e0 1 1 1 0x00000000
0x000000000112da78 2 1 1 0x00000000 5C9DCF9C01CB391B000007B02
0x000000000112f388 3 2 1 0x00000000 SRDataStore
0x000000000112f688 2 1 1 0x00000000 55319D6A01CB391B000005982
0x0000000001130ef8 3 2 1 0x00000000 c:!documents and settings!administrator!cookies!
0x0000000001133f48 1 1 1 0x00000000
0x000000000113f1b8 2 1 1 0x00000000 c:!windows!system32!config!systemprofile!local settings!temporary internet files!content.ie5!
0x000000000113fd28 1 1 1 0x00000000
0x00000000011465c8 3 2 1 0x00000000 c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
0x000000000114e9c0 2 1 1 0x00000000 userenv: Machine Registry policy mutex
0x0000000001152150 1 1 1 0x00000000
0x0000000001159760 1 1 1 0x00000000
0x000000000115e988 1 1 1 0x00000000
0x000000000115ed38 2 1 1 0x00000000 SingleSesMutex
0x000000000115f628 2 1 0 0xff398638 1732:680 Instance0: ESENT Performance Data Schema Version 40
0x00000000011627c8 1 1 1 0x00000000
0x00000000011633c0 2 1 1 0x00000000 839553D201CB391B000006C42
0x0000000001163898 2 1 1 0x00000000 C1EA8C7801CB391B000006BC2
0x0000000001166e20 1 1 1 0x00000000
0x00000000011875d8 1 1 1 0x00000000
0x000000000118b330 1 1 1 0x00000000
0x000000000118c228 1 1 1 0x00000000
0x000000000118d2d0 1 1 1 0x00000000
0x000000000118d640 1 1 1 0x00000000
0x0000000001190288 1 1 1 0x00000000
0x000000000211a230 5 4 1 0x00000000 TpVcW32ListMutex
0x00000000024c9ef8 2 1 1 0x00000000 PSched_Perf_Library_Lock_PID_684
0x0000000002ae49b0 1 1 1 0x00000000
0x0000000002e2c4b0 1 1 1 0x00000000
0x00000000043d21b8 2 1 1 0x00000000 53EAFB4001CB391B0000034C2
0x00000000043d62a0 2 1 1 0x00000000 0CADFD67AF62496dB34264F000F5624A
0x00000000043d6e18 1 1 1 0x00000000
0x000000000441a380 2 1 1 0x00000000 C3CCBBD401CB391B000001C42
0x000000000445c2c8 1 1 1 0x00000000
0x000000000445cec8 1 1 1 0x00000000
0x000000000485e548 1 1 1 0x00000000
0x0000000004861550 1 1 1 0x00000000
0x0000000004866dc8 2 1 1 0x00000000 c:!documents and settings!networkservice!local settings!history!history.ie5!
0x000000000486b0f8 1 1 1 0x00000000
0x00000000048f8fb0 2 1 1 0x00000000 543E6D8E01CB391B000004402
0x000000000493faa8 1 1 1 0x00000000
0x0000000004a064f8 9 8 1 0x00000000 ShimCacheMutex
0x0000000004a06c00 2 1 1 0x00000000 5A50EAC601CB391B000006842
0x0000000004a4ad70 2 1 1 0x00000000 647C72AE01CB391B0000043C2
0x0000000004a50740 1 1 1 0x00000000
0x0000000004a97110 1 1 1 0x00000000
0x0000000004b58900 2 1 1 0x00000000 6303BF2201CB391B000003782
0x0000000004b5c608 1 1 1 0x00000000
0x0000000004b5c668 2 1 1 0x00000000 HGFSMUTEX00000000000242b4
0x0000000004be2778 1 1 1 0x00000000
0x0000000004be4410 2 1 1 0x00000000 userenv: user policy mutex
0x0000000004c2d6b8 2 1 1 0x00000000 5C2B5EBC01CB391B000006FC2
0x00000000052af290 1 1 1 0x00000000
0x00000000052af2d0 1 1 1 0x00000000
0x00000000054707e0 2 1 1 0x00000000 238FAD3109D3473aB4764B20B3731840
0x00000000054714b0 3 2 1 0x00000000 c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
0x00000000054716f8 2 1 1 0x00000000 4FCC0DEFE22C4f138FB9D5AF25FD9398
0x00000000054b2a48 1 1 1 0x00000000
0x00000000054b2ab8 1 1 1 0x00000000
0x00000000054f30c0 1 1 1 0x00000000
0x0000000005534f48 1 1 1 0x00000000
0x00000000055379d8 2 1 1 0x00000000 WPA_LICSTORE_MUTEX
0x0000000005537a28 2 1 1 0x00000000 WPA_HWID_MUTEX
0x0000000005537a78 2 1 1 0x00000000 WPA_LT_MUTEX
0x0000000005537ac8 2 1 1 0x00000000 WPA_RT_MUTEX
0x00000000055fe480 2 1 1 0x00000000 WPA_PR_MUTEX
0x00000000055fe538 1 1 1 0x00000000
0x00000000058020d0 1 1 1 0x00000000
0x00000000058021f0 1 1 1 0x00000000
0x00000000058022d0 1 1 1 0x00000000
0x00000000058024f0 1 1 1 0x00000000
0x0000000005802868 1 1 1 0x00000000
0x0000000005b949a0 1 1 1 0x00000000
0x0000000005c16378 2 1 1 0x00000000 c:!documents and settings!networkservice!cookies!
0x0000000005c18f08 3 2 1 0x00000000 MidiMapper_modLongMessage_RefCnt
0x0000000005c9f978 2 1 1 0x00000000 C70DD0D201CB391B000001D42
0x0000000005c9fb30 2 1 1 0x00000000 5CE2F3CE01CB391B000000D82
0x0000000005ca17e8 2 1 1 0x00000000 _AVIRA_2108
0x0000000005ce3e60 2 1 1 0x00000000 C39837F001CB391B000001B02
0x0000000005ce5dd0 2 1 1 0x00000000 _SHuassist.mtx
0x0000000005d281f0 2 1 1 0x00000000 746bbf3569adEncrypt
0x0000000005d2a258 1 1 1 0x00000000
0x0000000005d2a440 1 1 1 0x00000000
0x0000000005e32020 1 1 1 0x00000000
0x0000000005e320f0 1 1 1 0x00000000
0x0000000005e36c08 1 1 1 0x00000000
0x0000000005e7ffe0 3 2 1 0x00000000 MidiMapper_Configure
0x0000000005f01c68 2 1 1 0x00000000 ExplorerIsShellMutex
0x0000000005f02378 1 1 1 0x00000000
0x0000000005f024d8 2 1 1 0x00000000 RAS_MO_01
0x0000000005f45148 7 6 1 0x00000000 SHIMLIB_LOG_MUTEX
0x0000000005f45528 1 1 1 0x00000000
0x0000000005f45908 1 1 1 0x00000000
0x0000000005f45e48 2 1 1 0x00000000 msgina: InteractiveLogonMutex
0x0000000005f48ba8 2 1 1 0x00000000 DBWinMutex
0x0000000005f8aec8 1 1 1 0x00000000
0x0000000005fd0b38 3 2 1 0x00000000 c:!documents and settings!localservice!cookies!
0x0000000005fd4eb0 3 2 1 0x00000000 c:!documents and settings!administrator!local settings!history!history.ie5!
0x00000000060152d8 1 1 1 0x00000000
0x0000000006016b88 2 1 1 0x00000000 VMwareGuestCopyPasteMutex
0x0000000006017ee8 3 2 1 0x00000000 ThinPrint-L
0x0000000006017fe0 2 1 1 0x00000000 c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
0x000000000605ff40 1 1 1 0x00000000
0x0000000006124810 1 1 1 0x00000000
0x0000000006126908 1 1 1 0x00000000
0x00000000061682e8 1 1 1 0x00000000
0x000000000616ad30 1 1 1 0x00000000
0x00000000061ab388 1 1 1 0x00000000
0x00000000061ad0e0 1 1 1 0x00000000
0x00000000061ee258 2 1 1 0x00000000 PnP_Init_Mutex
0x00000000061efc38 1 1 1 0x00000000
0x0000000006231bd0 1 1 1 0x00000000
0x0000000006231e28 1 1 1 0x00000000
0x0000000006233a98 1 1 1 0x00000000
0x0000000006234b58 2 1 1 0x00000000 5434E42601CB391B000004042
0x0000000006234bc8 1 1 1 0x00000000
0x0000000006234ec0 1 1 1 0x00000000
0x00000000062354d8 2 1 1 0x00000000 VMToolsHookQueueLock
0x00000000062363a0 2 1 1 0x00000000 53B1C2D001CB391B000002B02
0x0000000006238c38 1 1 1 0x00000000
0x00000000062392e8 1 1 1 0x00000000
0x000000000627e0e0 1 1 1 0x00000000
0x000000000627f960 1 1 1 0x00000000
0x0000000006381678 1 1 1 0x00000000
0x0000000006381aa0 1 1 1 0x00000000
0x0000000006381de8 1 1 1 0x00000000
0x0000000006383150 2 1 1 0x00000000 userenv: machine policy mutex
0x00000000063c6678 1 1 1 0x00000000
0x00000000063c6aa0 1 1 1 0x00000000
0x00000000063c7908 1 1 1 0x00000000
0x0000000006408950 1 1 1 0x00000000
0x00000000064093e8 1 1 1 0x00000000
0x0000000006409c38 1 1 1 0x00000000
0x000000000640aa70 1 1 1 0x00000000
0x000000000640aec0 1 1 1 0x00000000
0x000000000644c7e8 1 1 1 0x00000000
0x000000000644e898 3 2 1 0x00000000 c:!documents and settings!localservice!local settings!history!history.ie5!
0x000000000644eeb0 5 4 1 0x00000000 WindowsUpdateTracingMutex
0x0000000006453bc8 1 1 1 0x00000000
0x0000000006453c38 1 1 1 0x00000000
0x0000000006453e48 1 1 1 0x00000000
0x00000000064951d0 3 2 1 0x00000000 WininetStartupMutex
0x00000000064995c0 1 1 1 0x00000000
0x000000000651a720 1 1 1 0x00000000
0x0000000006560db0 1 1 1 0x00000000
0x0000000006560e20 1 1 1 0x00000000
0x00000000065c05a8 1 1 1 0x00000000
0x00000000065e6810 1 1 1 0x00000000
0x00000000066290f8 1 1 1 0x00000000
0x000000000666c678 1 1 1 0x00000000
0x00000000066ad9a8 1 1 1 0x00000000
0x00000000066add28 1 1 1 0x00000000
0x00000000066f68b0 5 4 1 0x00000000 RasPbFile
0x00000000066f6cd0 1 1 1 0x00000000
0x00000000067358a8 2 1 1 0x00000000 RSVP_Perf_Library_Lock_PID_684
0x0000000006735dc0 2 1 1 0x00000000 _AVIRA_2109
0x00000000067790f8 1 1 1 0x00000000
0x0000000006779d48 1 1 1 0x00000000
0x000000000687f0f8 1 1 1 0x00000000
0x0000000006901208 1 1 1 0x00000000
0x0000000006944ba0 1 1 1 0x00000000
0x0000000006945830 1 1 1 0x00000000
0x0000000006945a30 1 1 1 0x00000000
0x0000000006946678 1 1 1 0x00000000
0x0000000006b1a460 2 1 1 0x00000000 VMwareGuestDnDDataMutex
0x0000000006b400f8 1 1 1 0x00000000
```
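Most of the 200-odd rows above are either unnamed or created by Windows itself, so the practical problem is reducing the list to the handful of names worth searching (step 12). The following Python is an added example and not part of the original write-up: it parses a constructed subset of the mutantscan rows shown above and sorts the names into three classes. The `KNOWN_PATTERNS` list is the editor's allow-list of names that Windows XP, Internet Explorer and VMware Tools create themselves; treating the 25-character hex names (which all share the `01CB391B` run, a timestamp-like value) as system-generated noise is an assumption to be verified, which is why they are kept in their own bucket rather than discarded.

```python
import re

# Constructed sample: a subset of the mutantscan rows shown above.
MUTANTSCAN_SAMPLE = """\
Offset(P)          #Ptr     #Hnd     Signal Thread     CID       Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000000105aa38        7        6      1 0x00000000           _!MSFTHISTORY!_
0x000000000105acf0        2        1      0 0xff3ba880 888:912   wscntfy_mtx
0x0000000001061fe0        2        1      1 0x00000000           542B5ABE01CB391B000003A82
0x0000000001066480        2        1      1 0x00000000           PerfOS_Perf_Library_Lock_PID_684
0x0000000001067d60        1        1      1 0x00000000
0x000000000107b290        2        1      1 0x00000000           c:!windows!system32!config!systemprofile!cookies!
0x00000000055379d8        2        1      1 0x00000000           WPA_LICSTORE_MUTEX
0x0000000005ca17e8        2        1      1 0x00000000           _AVIRA_2108
0x0000000005d281f0        2        1      1 0x00000000           746bbf3569adEncrypt
0x0000000006735dc0        2        1      1 0x00000000           _AVIRA_2109
"""

# offset, #Ptr, #Hnd, Signal, Thread, optional CID (pid:tid), optional name
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s*(?:(\d+:\d+)\s+)?(.*)$"
)

# Editor's allow-list (assumption): names Windows XP, Internet Explorer and
# VMware Tools create on their own. Anything not matched stays for review.
KNOWN_PATTERNS = [
    r"_Perf_Library_Lock_PID_\d+$",       # performance counter libraries
    r"^c:!",                              # WinInet cache/cookie/history folders
    r"^(userenv|msgina|winlogon):",
    r"^WPA_\w+_MUTEX$",                   # Windows Product Activation
    r"^_!MSFTHISTORY!_$",
    r"^(wscntfy_mtx|ShimCacheMutex|SHIMLIB_LOG_MUTEX|DBWinMutex|ExplorerIsShellMutex)$",
    r"^(VMware|VMTools|HGFSMUTEX|ThinPrint)",
]
# 24-32 hex characters and nothing else: assumed system-generated, kept apart.
OPAQUE_HEX = re.compile(r"^[0-9A-Fa-f]{24,32}$")


def parse_mutantscan(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offset, _ptr, hnd, _signal, _thread, cid, name = m.groups()
            rows.append({"offset": offset, "handles": int(hnd),
                         "cid": cid, "name": name.strip()})
    return rows


def classify(name):
    if not name:
        return "unnamed"
    if any(re.search(p, name) for p in KNOWN_PATTERNS):
        return "known"
    if OPAQUE_HEX.match(name):
        return "opaque-hex"
    return "review"


def triage_mutants(text):
    """Group mutant names by class; 'review' is what goes to search / threat intel."""
    groups = {"known": [], "opaque-hex": [], "review": [], "unnamed": 0}
    for row in parse_mutantscan(text):
        cls = classify(row["name"])
        if cls == "unnamed":
            groups["unnamed"] += 1
        else:
            groups[cls].append(row["name"])
    return groups


if __name__ == "__main__":
    for cls, names in triage_mutants(MUTANTSCAN_SAMPLE).items():
        print(cls, names)
```

Run over the full output, the `review` bucket is what step 12 searches for; an allow-list like this is only as good as the baseline it was built from, so a clean image of the same Windows build is the right source for extending it.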
12. Searching the MUTEX on Google:

13. Extracting a pcap file from memory with the bulk_extractor tool:
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:35:44]
└─[0] <> bulk_extractor -x all -e net -o evidencias zeus.vmem
bulk_extractor version: 1.5.5
Hostname: iMac-de-Mac.local
Input file: zeus.vmem
Output directory: evidencias
Disk Size: 134217728
Threads: 4
Attempt to open zeus.vmem
17:42:17 Offset 67MB (50.00%) Done in 0:00:01 at 17:42:18
All data are read; waiting for threads to finish...
Time elapsed waiting for 4 threads to finish:
(timeout in 60 min.)
All Threads Finished!
Producer time spent waiting: 1.50352 sec.
Average consumer time spent waiting: 0.107559 sec.
MD5 of Disk Image: b6e4817d7c1aea69bbd8b19b42075681
Phase 2. Shutting down scanners
Phase 3. Creating Histograms
Elapsed time: 2.96458 sec.
Total MB processed: 134
Overall performance: 45.2737 MBytes/sec (11.3184 MBytes/sec/thread)
```
14. Analyzing the pcap file extracted from memory with Wireshark:

15. Using strings to search for domains:
```
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:42:19]
└─[0] <> strings zeus.vmem | grep http
--- lines omitted
http://193.104.41.75/cbd/75.bro
--- lines omitted
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 05:59:00]
└─[0] <> strings zeus.vmem | grep 75.bro
://193.104.41.75/cbd/75.bro
://193.104.41.75/cbd/75.bro
/cbd/75.bro HTTP/1.1
93.104.41.75/cbd/75.bro
/75.bro
http://193.104.41.75/cbd/75.bro
/cbd/75.bro
┌─[mac@iMac-de-Mac] - [~/Desktop] - [2023-04-16 06:06:11]
└─[0] <> strings zeus.vmem | grep bank
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
```
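`strings zeus.vmem | grep http` finds the C2 URL and the `bankofamerica.com` entries, but it only sees ASCII strings (`strings -el` is needed for the UTF-16LE strings Windows code uses internally), and it does not distinguish a URL the host actually contacted from a URL pattern carried in the Zeus configuration. The following Python is an added example, not part of the original write-up: it scans a constructed memory buffer (modelled on the fragments shown above, with the C2 URL embedded both in ASCII and in UTF-16LE, plus NUL and 0xFF padding) for URLs in both encodings, and classifies any URL containing the `#` or `*` wildcards seen in the `onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome` string as an injection-target pattern from the configuration rather than as a contacted site.

```python
import re

# Constructed sample memory: fragments modelled on the strings output above
# (a request for /cbd/75.bro, the C2 URL in ASCII and in UTF-16LE, and one
# Zeus injection-target pattern), padded with NUL and 0xFF bytes.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"GET /cbd/75.bro HTTP/1.1\r\nHost: 193.104.41.75\r\n\r\n"
    + b"\x00" * 8
    + b"\x41https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome\x00"
    + b"http://193.104.41.75/cbd/75.bro\x00"
    + "http://193.104.41.75/cbd/75.bro".encode("utf-16le") + b"\x00\x00"
    + b"\xff" * 8
)

ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Printable char followed by NUL, eight or more times: the UTF-16LE strings that
# `strings` reports only with -el, and that `strings | grep http` misses.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
TEXT_URL = re.compile(r"https?://[\x21-\x7e]+")


def extract_urls(buf):
    """Return {'ascii': [...], 'utf16le': [...]} of unique URLs found in buf."""
    found = {"ascii": set(), "utf16le": set()}
    for m in ASCII_URL.finditer(buf):
        found["ascii"].add(m.group().decode("ascii"))
    for run in WIDE_RUN.finditer(buf):
        # The run is whole (char, NUL) pairs, so it is always even-length.
        for m in TEXT_URL.finditer(run.group().decode("utf-16le")):
            found["utf16le"].add(m.group())
    return {k: sorted(v) for k, v in found.items()}


def classify(url):
    # Zeus config entries use '#' and '*' as wildcards in the URLs they hook;
    # such a string is a target pattern from the config, not a site the host
    # contacted, so it must not go onto a block list as-is.
    if "#" in url or "*" in url:
        return "injection-target-pattern"
    return "contacted-url"


def report(buf):
    """(url, encoding, class) rows for every URL in the buffer."""
    rows = []
    for enc, urls in extract_urls(buf).items():
        for u in urls:
            rows.append((u, enc, classify(u)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_MEMORY):
        print(row)
```

On the real image the same scan would be run over the whole `zeus.vmem` file (read it in binary mode and pass the bytes to `report`); the UTF-16LE pass is what the page's `strings | grep` pipeline lacks, and the classification keeps the bank URL patterns out of the indicator list, where they would otherwise be mistaken for C2 traffic.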
Conclusion:
Based on the analysis performed, it can be concluded that the file "zeus.vmem" contains evidence of infection by the Zbot malware. Zbot is a type of malware designed to steal personal information, such as passwords and banking data, from compromised computers. It is a variant of the Zeus malware, which has been responsible for numerous phishing and data-theft campaigns over the years.
The presence of Zbot in the "zeus.vmem" file is a clear indication that the computer in question was compromised by a malicious attack. Immediate steps should be taken to remove the malware from the system and ensure it cannot cause further damage or compromise more sensitive data.
In general, users and companies are advised to keep their operating systems and security software up to date, run regular malware scans, and follow good security practices such as not clicking on suspicious links and not providing personal information to unknown websites or emails.