The Volatility Framework
contrib.plugins.malware.zeusscan.CitadelScan1345 Class Reference

Locate and Decrypt Citadel 1.3.4.5 Configs.

Inheritance diagram for contrib.plugins.malware.zeusscan.CitadelScan1345:
contrib.plugins.malware.zeusscan.ZeusScan2

Public Member Functions

def rc4 (self, key, encoded, login_key)
 Perform a basic RC4 operation.
 
def decode_magic (self, config_key)
 Decode the magic buffer using RC4 and the LOGIN_KEY.
 
def check_matches (self, task_space, vad, matches, last_sec_data)
 Check the Yara matches and derive the encoded/decoded config objects and magic structures.
 
def render_extra (self, outfd, task, vad, params)
 Show Citadel specific fields.
 
- Public Member Functions inherited from contrib.plugins.malware.zeusscan.ZeusScan2
def rc4 (self, key, encoded)
 Perform a basic RC4 operation.
 
def rc4_init (self, data)
 Initialize the RC4 keystate.
 
def decode_config (self, encoded_config, last_sec_data)
 Decode the config with data from the last PE section.
 
def check_matches (self, task_space, vad, matches, last_sec_data)
 Check the Yara matches and derive the encoded/decoded config objects and magic structures.
 
def decode_magic (self, config_key)
 Decode the magic structure using the configuration key.
 
def scan_key (self, task_space)
 Find the offset of the RC4 key and use it to decode the magic buffer.
 
def calculate (self)
 
def render_extra (self, outfd, task, vad, params)
 Show any Zeus specific fields.
 
def render_text (self, outfd, data)
 Render the plugin's default text output.
 

Static Public Attributes

dictionary signatures
 
string magic_struct = '_CITADEL1345_CONFIG'
 
- Static Public Attributes inherited from contrib.plugins.malware.zeusscan.ZeusScan2
dictionary signatures
 
string magic_struct = '_ZEUS2_CONFIG'
 
tuple params
 

Additional Inherited Members

- Static Public Member Functions inherited from contrib.plugins.malware.zeusscan.ZeusScan2
def is_valid_profile (profile)
 

Detailed Description

Locate and Decrypt Citadel 1.3.4.5 Configs.

Member Function Documentation

def contrib.plugins.malware.zeusscan.CitadelScan1345.check_matches (self, task_space, vad, matches, last_sec_data)

Check the Yara matches and derive the encoded/decoded config objects and magic structures.

Parameters
  task_space     the process AS
  vad            the containing MMVAD
  matches        list of YARA hits
  last_sec_data  buffer of the last PE section's data

def contrib.plugins.malware.zeusscan.CitadelScan1345.decode_magic (self, config_key)

Decode the magic buffer using RC4 and the LOGIN_KEY.

def contrib.plugins.malware.zeusscan.CitadelScan1345.rc4 (self, key, encoded, login_key)

Perform a basic RC4 operation.

Same as Zeus, but with incorporation of a LOGIN_KEY value.
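As an added, stand-alone illustration of the rc4 and decode_magic entries above (example code written for this page, not the plugin's own implementation), the block below reproduces a Citadel-style RC4 that an analyst can run on a carved buffer outside Volatility. It assumes the LOGIN_KEY is folded in by XORing each keystream byte with the next byte of the login key, which is the commonly documented Citadel 1.3.4.5 change; this page itself does not spell out the mechanism, and the key, login key and config bytes are constructed sample values.

```python
# Added example (not the plugin's own code): a stand-alone Python 3 version of the
# RC4 variant that CitadelScan1345.rc4 applies, so an analyst can decode a carved
# config buffer outside Volatility. Assumption: the LOGIN_KEY is folded in by
# XORing each keystream byte with the next byte of the login key (the commonly
# documented Citadel 1.3.4.5 change); this page does not spell out the mechanism.

def rc4_init(key: bytes) -> list:
    """Standard RC4 key scheduling: build the 256-byte permutation S."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def citadel_rc4(key: bytes, data: bytes, login_key: bytes) -> bytes:
    """RC4 with the Citadel LOGIN_KEY twist. XOR is symmetric, so the same call
    encrypts and decrypts; a login_key of b'\\x00' reduces it to plain RC4."""
    s = rc4_init(key)
    x = y = z = 0
    out = bytearray()
    for c in data:
        x = (x + 1) & 0xFF
        y = (y + s[x]) & 0xFF
        s[x], s[y] = s[y], s[x]
        keystream = s[(s[x] + s[y]) & 0xFF]
        out.append(c ^ keystream ^ login_key[z])  # the Citadel-specific extra XOR
        z = (z + 1) % len(login_key)               # walk the login key cyclically
    return bytes(out)


# Constructed sample values (not real bot material): an RC4 key, a 32-character
# login key and a small config-like buffer, all made up for this example.
SAMPLE_KEY = bytes(range(256))
SAMPLE_LOGIN_KEY = b"0123456789abcdef0123456789abcdef"
SAMPLE_CONFIG = b"url_config=http://example.invalid/cfg.bin;timer=60\x00"


def roundtrip(config: bytes = SAMPLE_CONFIG) -> bytes:
    """Encode, then decode with the same key material; returns the decoded bytes."""
    encoded = citadel_rc4(SAMPLE_KEY, config, SAMPLE_LOGIN_KEY)
    return citadel_rc4(SAMPLE_KEY, encoded, SAMPLE_LOGIN_KEY)


def plain_rc4_matches_known_vector() -> bool:
    """Core check: with a zero login key this is textbook RC4, so the public
    test vector (key 'Key', plaintext 'Plaintext') must come out as expected."""
    return citadel_rc4(b"Key", b"Plaintext", b"\x00") == bytes.fromhex("bbf316e8d940af0ad3")
```

Feeding a real carved config through citadel_rc4 with the wrong login key yields bytes that differ from the plain-RC4 result, which is why the Zeus-only decoder cannot be reused for Citadel samples.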

Member Data Documentation

dictionary contrib.plugins.malware.zeusscan.CitadelScan1345.signatures (static)

Initial value:
signatures = {
    'namespace1':'rule z1 {strings: $a = {8B EC 83 EC 0C 8A 82 ?? ?? ?? ?? 88 45 FE 8A 82 01 01 00 00 88 45 FD 8A 82 02 01 00 00 B9 ?? ?? ?? ?? 88 45 FF E8 ?? ?? ?? ??} condition: $a}',
    'namespace2':'rule z2 {strings: $a = {56 BA ?? ?? 00 00 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 03 0D ?? ?? ?? ?? 8B F2 2B C8} condition: $a}',
    'namespace3':'rule z3 {strings: $a = {68 ?? ?? 00 00 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? B8 ?? ?? 00 00 50 68 ?? ?? ?? ??} condition: $a}'
}

The documentation for this class was generated from the following file: