Mini Challenge 5

Scenario:
A large company is concerned that some of their computers may have been infected with a variant of the Zeus malware toolkit and could be communicating with a malicious command and control (C2) server. They have captured the memory of one of the systems and would like you to determine the IP of the C2. That way they can check their network logs to determine what machines were communicating with it.

Your Goal:
Analyze the “Malware – Zeus” memory dump from the below site to determine the IP of the C2. We would also like to know the country the IP is located in.
https://code.google.com/p/volatility/wiki/SampleMemoryImages

Solution:
We will post the solution to Mini-Challenge 5 on 7/5 for you to see how you did. Mini Challenge 5 solutions are available below.

What to Look For:
The C2’s IP followed by the two-letter country code it originates from. Submissions must be in the following format:
<IP excluding the periods><Capitalized Country Code>
For example, if the IP was “192.168.1.1” and the country code was “JQ”, your submission would be:
19216811JQ

Solution
ANSWER:
1931044175MD

DETAILS:
This challenge could be solved a variety of different ways. One way would be to use the tool “Volatility,” conveniently found on the same
site from which the memory dump was downloaded.

To search for active connections on the machine you could use the “connections” plugin. However, as this will only find active connections,
it won’t help in this case. The “connscan” plugin, on the other hand, will find some terminated connections as well, and provides the
answer we are looking for. Once you have determined the IP, a quick “whois” will reveal the country as well.

Commands to execute (note: yours may differ depending on how you installed Volatility):
vol.py -f zeus.vmem connscan
whois 193[.]104[.]41[.]75 (without the brackets)
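
When connscan returns more than a couple of rows, triage can be scripted. The following is an added example, not part of the original write-up or of Volatility: it parses connscan text, keeps only public remote endpoints, and builds the submission string. The column layout is assumed to be the one Volatility 2.x prints, the sample rows (local addresses, PIDs, the junk row) are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the assumed Volatility 2.x connscan layout.
# Local addresses and PIDs are made up; the remote IP is the one from the write-up.
SAMPLE_CONNSCAN = """\
 Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x02214988 10.0.0.5:1054             193.104.41.75:80          1234
0x06015ab0 0.0.0.0:1056              193.104.41.75:80          1234
0x0a1b2c30 10.0.0.5:1060             10.0.0.1:445              4
0x0badf00d 3.0.48.2:17985            240.1.2.3:0               4294967295
"""

# offset, local ip:port, remote ip:port, pid
ROW = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\S+:\d+\s+(\S+):(\d+)\s+(\d+)\s*$")

def parse_connscan(text):
    """Yield (remote_ip, remote_port, pid) for every well-formed data row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # remote field is not an IP address
        yield ip, int(m.group(2)), int(m.group(3))

def external_endpoints(text):
    """Count rows per public remote endpoint, keyed by (ip, port, pid)."""
    hits = Counter()
    for ip, port, pid in parse_connscan(text):
        # connscan recovers freed objects too, so partly overwritten rows
        # (reserved addresses, port 0) are expected and dropped here.
        if ip.is_global and 0 < port < 65536:
            hits[(str(ip), port, pid)] += 1
    return hits

def submission(ip, country_code):
    """Format '<IP excluding the periods><Capitalized Country Code>'."""
    return ip.replace(".", "") + country_code.upper()

if __name__ == "__main__":
    for (ip, port, pid), n in external_endpoints(SAMPLE_CONNSCAN).most_common():
        print(f"{ip}:{port} pid={pid} rows={n}")
```

Feed it the real plugin output by redirecting connscan to a file and passing the file's contents to external_endpoints(); the country code still comes from the whois lookup.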

NOTES
If you are interested in researching this malware further, a complete tutorial on analyzing it using Volatility can be found at:
http://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/

You can also find some more details on Zeus as well as additional Zeus indicators here:
http://www.fortiguard.com/legacy/analysis/zeusanalysis.html