Comments on Active Security: Ramnit, Zeus and the BAT! Part 3

Anonymous, 2014-03-04 15:52 +00:00:
Hello, I'm trying to build myself an IOC for Zeus V2 and I'm getting stuck trying to formalize the Ring 3 hooks established from explorer.exe to USER32.dll and CRYPT32.dll. How can I do that?

Also I would like to know if there is any kind of cheat sheet for IOC indicators.

Thanks for all.

cbentle2, 2012-01-23 19:36 +00:00:
Harlan, again you are correct regarding the misspelled service.

The Display Name shows the misspelled service and the Image Path points to the rootkit driver which is loaded.

I also agree they are pretty good IOCs, although the malware can easily be recompiled to create a service with a different Display Name and also a different Image Path value. Hopefully the other indicators would still be triggered.

H. Carvey, 2012-01-20 13:47 +00:00:
Again, I'm confused... you say "misspelled service", but what you showed (i.e., the misspelled "Micorsoft") doesn't appear to be what would be present in the ImagePath value... rather, it appears that it would be what appears in the DisplayName value.

Now, if this is what appears in the ImagePath value, I would consider that to be a very significant IOC...

cbentle2, 2012-01-19 20:48 +00:00:
Harlan, thanks for reading the post.
You are correct: when you review the Image Path Registry entry (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Micorsoft Windows Service\Image Path) for the service, it corresponds to the rootkit driver.

Sorry for the confusion.

H. Carvey, 2012-01-19 13:30 +00:00:
> I'm going to start with the driver (imjvxcsr.sys) associated with the misspelled service: Micorsoft Windows Service.

By this, do you mean a driver with a misspelled Windows service Display Name?