The Volatility Framework
contrib.plugins.malware.zeusscan.ZeusScan2 Class Reference

Locate and Decrypt Zeus >= 2.0 Configs.

Inheritance diagram for contrib.plugins.malware.zeusscan.ZeusScan2:
contrib.plugins.malware.zeusscan.CitadelScan1345

Public Member Functions

def rc4 (self, key, encoded)
 Perform a basic RC4 operation.
 
def rc4_init (self, data)
 Initialize the RC4 keystate.
 
def decode_config (self, encoded_config, last_sec_data)
 Decode the config with data from the last PE section.
 
def check_matches (self, task_space, vad, matches, last_sec_data)
 Check the YARA matches and derive the encoded/decoded config objects and magic structures.
 
def decode_magic (self, config_key)
 Decode the magic structure using the configuration key.
 
def scan_key (self, task_space)
 Find the offset of the RC4 key and use it to decode the magic buffer.
 
def calculate (self)
 
def render_extra (self, outfd, task, vad, params)
 Show any Zeus specific fields.
 
def render_text (self, outfd, data)
 Render the plugin's default text output.
 

Static Public Member Functions

def is_valid_profile (profile)
 

Static Public Attributes

dictionary signatures
 
string magic_struct = '_ZEUS2_CONFIG'
 
tuple params
 

Detailed Description

Locate and Decrypt Zeus >= 2.0 Configs.

Member Function Documentation

def contrib.plugins.malware.zeusscan.ZeusScan2.check_matches(self, task_space, vad, matches, last_sec_data)

Check the YARA matches and derive the encoded/decoded config objects and magic structures.

Parameters
task_space: the process AS
vad: the containing MMVAD
matches: list of YARA hits
last_sec_data: buffer of the last PE section's data

def contrib.plugins.malware.zeusscan.ZeusScan2.decode_config(self, encoded_config, last_sec_data)

Decode the config with data from the last PE section.

Parameters
encoded_config: the encoded configuration
last_sec_data: last PE section data

def contrib.plugins.malware.zeusscan.ZeusScan2.decode_magic(self, config_key)

Decode the magic structure using the configuration key.

Parameters
config_key: the config RC4 key

def contrib.plugins.malware.zeusscan.ZeusScan2.scan_key(self, task_space)

Find the offset of the RC4 key and use it to decode the magic buffer.

Parameters
task_space: the process AS
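
The rc4_init/rc4 pair documented above is the primitive every decode step here relies on. The following is an added example, not the plugin's own code: it assumes rc4_init returns the 256-byte permutation ("keystate") and that rc4 takes that keystate rather than the raw key, so one key schedule can be reused across the config and magic buffers; the key and config bytes are constructed for illustration.

```python
def rc4_init(data):
    """Key scheduling: build the 256-entry S-box from the key bytes.
    Assumption (not from the plugin page): the S-box itself is the keystate."""
    key = bytes(data)
    if not key:
        raise ValueError("RC4 key must be at least one byte")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytes(s)


def rc4(key, encoded):
    """PRGA: XOR the buffer with the keystream generated from a keystate.
    `key` is the 256-byte keystate produced by rc4_init, copied so the
    caller can reuse it for further buffers."""
    if len(key) != 256:
        raise ValueError("expected a 256-byte RC4 keystate")
    s = list(key)
    i = j = 0
    out = bytearray()
    for byte in bytes(encoded):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_config_example():
    """Round trip over a constructed config-like blob: encode with one
    keystate, then decode with the same keystate (RC4 is symmetric)."""
    config_key = b"constructed-example-key"          # constructed, not a real key
    plaintext = b"url_config=http://c2.example.invalid/cfg.bin\x00"  # constructed
    keystate = rc4_init(config_key)
    encoded_config = rc4(keystate, plaintext)
    return rc4(keystate, encoded_config)


if __name__ == "__main__":
    # Standard RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(rc4_init(b"Key"), b"Plaintext").hex())  # bbf316e8d940af0ad3
    print(decode_config_example())
```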

Member Data Documentation

tuple contrib.plugins.malware.zeusscan.ZeusScan2.params
static
Initial value:
= dict(
    # This contains the C2 URL, RC4 key for decoding
    # local.ds and the magic buffer
    decoded_config = None,
    # This contains the hardware lock info, the user.ds
    # RC4 key, and XOR key
    encoded_magic = None,
    # The decoded version of the magic structure
    decoded_magic = None,
    # The key for decoding the configuration
    config_key = None,
    # The login key (citadel only)
    login_key = None,
    # The AES key (citadel only)
    aes_key = None,
    )

dictionary contrib.plugins.malware.zeusscan.ZeusScan2.signatures
static
Initial value:
= {
    'namespace1':'rule z1 {strings: $a = {56 BA ?? ?? 00 00 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B 0D ?? ?? ?? ??} condition: $a}',
    'namespace5':'rule z5 {strings: $a = {56 BA ?? ?? 00 00 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 03 0D ?? ?? ?? ??} condition: $a}',
    'namespace2':'rule z2 {strings: $a = {55 8B EC 51 A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 56 8D 34 01 A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ??} condition: $a}',
    'namespace3':'rule z3 {strings: $a = {68 02 01 00 00 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? 50 E8 ?? ?? ?? ?? B8 E6 01 00 00 50 68 ?? ?? ?? ??} condition: $a}',
    'namespace4':'rule z4 {strings: $a = {68 02 01 00 00 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? B8 E6 01 00 00 50 68 ?? ?? ?? ??} condition: $a}'
    }
