Zeus Malware Analysis- Any.Run

I decided to run the Zeus Malware through an automated analysis tool and compare to what I saw using dynamic analysis with Remnux.  I’m using the malware analysis tool at app.any.run

The free version only supports Windows 7 executables, which Zeus targets. After uploading the file, app.any.run displays a windows UI and what the malware looks like being executed.

When Zeus runs, we see it calls out to download Adobe Flash Player, and continues with the install prompts.

I click done once the installer finished:

After install flash, everything seems to return back to normal for the end user. I did not notice any performance and visual indications the machine was compromised. Based on my research of Zeus, this is exactly what it wants. It’s collecting and exporting data including hardware/software specs, keystrokes, web cookies and more. So lets take a closer look at what Any.app.run says about the file.

App.any.run gives us general meta data about the Zeus file executed:

There’s also a process tree display what was created and interacted with during execution. This is simliar to what I saw in Remnux. Invoice_x_x.pdf.exe injects itself into explorer.exe, downloads installflashplayer.exe and  runs the FlashPlayerUpdateService.exe executable. I wasn’t able to get this far in my lab example. I’m assume because I was using Windows 10. App.Any.Run shows us the command issued to delete the InstallFLashPlayer.exe file. I also saw during dynamic analysis.

If we look at installflashplayer.exe, we see it’s being flagged as malicious for a number of reason: creating files, running hidden apps, injecting code, etc.

It also shows us the http requests made to download the “installflashplayer.exe” payload:

An initial DNS request to google resolves additional requests to the same IP address we saw in dynamic analysis, 85[dot]114[dot]128[dot]127

DNS requests resolve to fpdownload[dot]macromedia.com, and an additional requested site, j[dot]maxmind[dot]com

App.any.run also lists the files modified by the executable. We saw the same msimg32.dll in our dynamic analysis, but also additional flashUtil32.dll and activex.vch files.

Still not seeing any indication of the CnC server Zeus would be connecting. Not sure what this sample is attempting, but based on dynamic analysis, it was at least attempting to create persistent access with a browser update.

Regardless, this has been a nice exercise in validating my dynamic analysis findings with an automated tool. I think I’ll use a Windows 7 machine for future malware analysis, as it may be more compatible with older malware. 

Leave a Reply

Your email address will not be published. Required fields are marked *