Monday, 26 February 2018

Zeus botnet simple analysis

A little analysis of Zeus botnet.

It was done for someone to see how it works and I share it with you.

bot.exe
  • OEP: 0040DCA0
  • COMPILER: Borland Delphi 6.0 – 7.0
  • MD5: 8a849d20c0a954f45566cec53acc9263
  • SHA-1: 764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01

  • Injects into remote processes: observed injected into “explorer.exe”

Drops files:

giep.exe
  • MD5: 769919e56bd4e9e1e906559c1c36bdf6
  • SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
  • Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: “C:\Users\Insider\AppData\Roaming\Qioho\giep.exe”
  • https://www.virustotal.com/#/file/5069bc991ff37817bb05e6bb453c9c44d22ef2719bb0d4f72a3ca30c544f040c/detection
  • Same attributes as bot.exe

Some of the operations observed while bot.exe runs:

  • CreateFile
  • RegOpenKey
  • RegisterClass
  • CoCreate
  • CreateThread
  • RegCreateKey
  • RegSetValue
  • ProcessStarted

Network traffic:

It sends the stolen data with HTTP POST requests when the victim visits a bank account, PayPal, etc.

Botnet host directory and login page:

H**p://xxx.xxx/adminpanel/admin.php

Removal is easy. You just have to follow the paths to find the dropped executables and delete the registry entries that were created.
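As an added example (not part of the original post), a small Python 3 helper a responder could use to check for the persistence and dropped files described above: it flags Run values whose name is a GUID and whose target is an executable in a random folder under AppData\Roaming, matches a file's MD5 against the two hashes listed, and, on Windows only, walks the Run key of every loaded user hive under HKU. Function names and the benign sample values in the comments are assumptions made for this example.

```python
import hashlib
import re
try:
    import winreg  # Windows only; the live registry scan is skipped elsewhere
except ImportError:
    winreg = None

# MD5 of the two samples listed in the analysis above
KNOWN_MD5 = {"8a849d20c0a954f45566cec53acc9263": "bot.exe",
             "769919e56bd4e9e1e906559c1c36bdf6": "giep.exe"}
# Persistence pattern seen above: a GUID-named Run value that launches an
# executable from a random folder directly under AppData\Roaming
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
RUN_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"

def command_path(data):
    """Executable path from a Run value's data, without quotes or arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]

def is_suspicious_run_entry(name, data):
    """True when both the value name and the target path match the dropper's pattern."""
    return bool(GUID_NAME.match(name)) and bool(ROAMING_EXE.search(command_path(data)))

def identify_sample(blob):
    """Sample name when the MD5 of blob is one listed above, else None."""
    return KNOWN_MD5.get(hashlib.md5(blob).hexdigest())

def scan_run_keys():
    """Matching Run values under every loaded user hive (HKU); [] off Windows."""
    hits = []
    if winreg is None:
        return hits
    hku = winreg.HKEY_USERS
    for i in range(winreg.QueryInfoKey(hku)[0]):
        sid = winreg.EnumKey(hku, i)
        try:
            with winreg.OpenKey(hku, sid + RUN_SUBKEY) as run:
                for j in range(winreg.QueryInfoKey(run)[1]):
                    name, data, _ = winreg.EnumValue(run, j)
                    if isinstance(data, str) and is_suspicious_run_entry(name, data):
                        hits.append((sid, name, command_path(data)))
        except OSError:  # hive without a Run key, e.g. .DEFAULT or *_Classes
            continue
    return hits
```

Each hit gives the SID, value name and executable path, which is exactly what has to be deleted; feed the file at that path to `identify_sample` before removing it to confirm it is one of the listed samples.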
