{"id":18280371,"url":"https://github.com/ysfcndgr/malware-analysis","last_synced_at":"2026-01-21T19:36:42.354Z","repository":{"id":159726346,"uuid":"348700957","full_name":"ysfcndgr/Malware-Analysis","owner":"ysfcndgr","description":" An e-book of malware analysis applications","archived":false,"fork":false,"pushed_at":"2021-04-03T23:15:29.000Z","size":42303,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-09T05:17:16.595Z","etag":null,"topics":["darcomet","malware-analysis","rat","remoteaccesstrojan","reverse-engineering","stuxnet","stuxnet-memory-analysis","zeus-botnet"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ysfcndgr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-17T12:27:29.000Z","updated_at":"2025-03-03T12:19:34.000Z","dependencies_parsed_at":null,"dependency_job_id":"30e7054c-6fb2-4c29-abfe-253cefd546a5","html_url":"https://github.com/ysfcndgr/Malware-Analysis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ysfcndgr/Malware-Analysis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ysfcndgr%2FMalware-Analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ysfcndgr%2FMalware-Analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ysfcndgr%2FMalware-Analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/ysfcndgr%2FMalware-Analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ysfcndgr","download_url":"https://codeload.github.com/ysfcndgr/Malware-Analysis/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ysfcndgr%2FMalware-Analysis/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28641276,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T18:04:35.752Z","status":"ssl_error","status_checked_at":"2026-01-21T18:03:55.054Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["darcomet","malware-analysis","rat","remoteaccesstrojan","reverse-engineering","stuxnet","stuxnet-memory-analysis","zeus-botnet"],"created_at":"2024-11-05T12:36:32.743Z","updated_at":"2026-01-21T19:36:42.333Z","avatar_url":"https://github.com/ysfcndgr.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Malware Analysis\n\nAn e-book of malware analysis applications. You can download the programs used here from the applications folder.\n\nWill be constantly updated...\n\n# PAGES\n\n1-)\u003ca href=\"https://github.com/ysfcndgr/Malware-Analysis#zeus-botnet-memory-analysis\"\u003eZeus Botnet Memory Analysis\u003c/a\u003e\n\n2-)\u003ca
href=\"https://github.com/ysfcndgr/Malware-Analysis#stuxnet-memory-analysis\"\u003eStuxnet Memory Analysis\u003c/a\u003e\n\n3-)\u003ca href=\"https://github.com/ysfcndgr/Malware-Analysis#darcomet-rat\"\u003eDarcomet RAT Memory Analysis\u003c/a\u003e\n\n# Zeus Botnet Memory Analysis\n\nWe will analyze the memory dump with Volatility.\nWe run the following command to find out which system the image was taken from.\n\n\u003ccode\u003evol.exe -f zeus.vmem imageinfo\u003c/code\u003e\n\n![1](https://user-images.githubusercontent.com/32979760/111479163-c6087880-8741-11eb-9eac-0a1beae645ca.PNG)\n\nThe processes captured in the image are displayed with the following command.\n\n\u003ccode\u003evol.exe -f zeus.vmem pstree\u003c/code\u003e\n\n![2](https://user-images.githubusercontent.com/32979760/111479933-7fffe480-8742-11eb-8156-49bdc874b55c.PNG)\n\nNothing looks wrong in the running processes.\nWe will check whether the machine has any network connections and, if it does, find out from the PID which process opened them.\n\n\u003ccode\u003evol.exe -f zeus.vmem connscan\u003c/code\u003e\n\n![3](https://user-images.githubusercontent.com/32979760/111481066-a6724f80-8743-11eb-9ec0-9c92d5ed5f9e.PNG)\n\nIn the screenshot above we see that svchost.exe has a connection on port 80. This is not normal for svchost.exe.\n(For more information on svchost.exe, see here:
https://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ )\n\nWe continue.\n\nWe check whether the address 193.104.41.75 is blacklisted via ipvoid.com.\n\n![4](https://user-images.githubusercontent.com/32979760/111482693-3369d880-8745-11eb-8d0f-5e9eab88b57b.PNG)\n\nWe see that the result is clean.\n\nWe check the IP address on the malwaredomain.com site.\n\n![5](https://user-images.githubusercontent.com/32979760/111530822-d2f28f80-8774-11eb-8c6a-bc025803b9da.PNG)\n\nThere the IP address is listed as distributing malicious files, with the description \"zeus botnet\".\n\nLet's see if the malicious file runs itself at startup.\n\n\u003ccode\u003evol.exe -f zeus.vmem printkey -K \"Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"\u003c/code\u003e\n\n![6](https://user-images.githubusercontent.com/32979760/111627005-ab94d480-87ff-11eb-82c5-07568f1521ce.PNG)\n\nAs seen in the screenshot, sdra64.exe is started automatically.\n\nWe now look for injected malicious code.\n\n\u003ccode\u003evol.exe -f zeus.vmem malfind -D dump\u003c/code\u003e\n\nI saved the output under the dump folder.\nWe see svchost.exe in the output.\n\n![7](https://user-images.githubusercontent.com/32979760/111628395-3aeeb780-8801-11eb-8e62-875012f8ab95.PNG)\n\nNow, using the PID, the injected code of that process is saved under the dump folder.\n\n\u003ccode\u003evol.exe -f zeus.vmem malfind -D dump/ -p 856\u003c/code\u003e\n\nThe output in the dump folder was scanned at virustotal.com,\nand once again we see that the malware is Zbot.\n\n![8](https://user-images.githubusercontent.com/32979760/111629784-b866f780-8802-11eb-884b-a994ccf8977b.PNG)\n\n# Stuxnet Memory Analysis\n\nWhat is Stuxnet?\n\nStuxnet is a worm used by the US and Israel to disrupt Iran's nuclear operations.
The worm, whose existence was revealed in June 2010, affected Iran's nuclear facilities in Bushehr and Natanz.\n\nWe look at the image information.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem imageinfo\u003c/code\u003e\n\n![9](https://user-images.githubusercontent.com/32979760/111703819-410b8500-884f-11eb-9be0-2a77d2d5ed05.PNG)\n\nThen we list the processes on the system.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem pslist\u003c/code\u003e\n\n![10](https://user-images.githubusercontent.com/32979760/111702483-60091780-884d-11eb-921e-0093ae01a330.PNG)\n![11](https://user-images.githubusercontent.com/32979760/111702486-60a1ae00-884d-11eb-8b05-c1be4f3f90b9.PNG)\n\nHaving three identical lsass.exe processes is suspicious.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem pstree\u003c/code\u003e\n\nWe view the start times of the processes.\n\n![12](https://user-images.githubusercontent.com/32979760/111703615-f853cc00-884e-11eb-9270-709e8a83c1b1.PNG)\n\nThe winlogon process must run in order to perform the login process in Windows.\nWe see that PID 680 and PID 624 start at the same time.\nThis appears normal, but the other lsass.exe processes (PIDs 868 and 1928) do not appear normal.\n\nLet's examine the network connections.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem connections\u003c/code\u003e\n\n![13](https://user-images.githubusercontent.com/32979760/111707479-2b995980-8855-11eb-8156-a06eda88b4e6.PNG)\n\nNo open network connections were seen.\nWe examine the network sockets.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem sockets\u003c/code\u003e\n\n![14](https://user-images.githubusercontent.com/32979760/111707755-b11d0980-8855-11eb-8fc6-84411aebf20a.PNG)\n\nIt is normal for the lsass.exe with PID 680 to have sockets open on ports 500 and 4500, but it is not normal that the other two lsass.exe processes open no ports.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem ldrmodules -p 1928 -v\u003c/code\u003e\n\nThe DLLs of the process with PID 1928 are
listed.\n\n![15](https://user-images.githubusercontent.com/32979760/111778187-5622fb00-88c5-11eb-9ad7-67c306a7f9c0.PNG)\n\nAs seen in the screenshot, the kernel calls made are related to Stuxnet. We now look for injected malicious code.\n\n\u003ccode\u003evol.exe -f stuxnet.vmem malfind -p 1928 -D dump\u003c/code\u003e\n\n![16](https://user-images.githubusercontent.com/32979760/111778563-e4977c80-88c5-11eb-8e29-57d2e6847905.PNG)\n\nWe go to virustotal.com and scan the results.\n\n![17](https://user-images.githubusercontent.com/32979760/111779204-e3b31a80-88c6-11eb-9ac3-1a385ec4b37c.PNG)\n\n# Darcomet RAT\n\nDownload image: https://drive.google.com/file/d/0B-pKvSR-QbsHdDRzeG8xNVNnbEU/edit\n\nAs always, we first look at the image information.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw imageinfo\u003c/code\u003e\n\n![18](https://user-images.githubusercontent.com/32979760/111905356-45f15400-8a5c-11eb-8f4c-3e0e9a582194.PNG)\n\nWe see that the image was taken from a Windows 7 system.\nThen the psxview plugin is run to see the process list.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 psxview\u003c/code\u003e\n\n![20](https://user-images.githubusercontent.com/32979760/111905605-8c937e00-8a5d-11eb-9a23-a7800f740c9c.PNG)\n\nLooking carefully at the screenshot, a process that should be rundll32.exe is shown as runddl32.exe. This process is suspicious.\nWe need to examine the DLL files that the process uses.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 dlllist -p 1524\u003c/code\u003e\n\n![1](https://user-images.githubusercontent.com/32979760/113492486-48ce5900-94e0-11eb-8c96-8f7f55e25206.PNG)\n\nWhen we look at the file path the process was started from, we can see that it lives under AppData.\nWe dig deeper.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 dumpfiles -r runddl32 -D .\u003c/code\u003e\n\n![2](https://user-images.githubusercontent.com/32979760/113493031-b5e3ed80-94e4-11eb-91a5-0bc4c07ce150.PNG)\n\nThese files are kept for review with the strings utility.\nNext we check whether runddl32.exe starts other processes.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 pstree\u003c/code\u003e\n\n![3](https://user-images.githubusercontent.com/32979760/113493106-43274200-94e5-11eb-865f-538a474b06c6.PNG)\n\nAfter two cmd processes were run separately, notepad.exe and runddl32.exe were seen running.\nWe use the malfind plugin on notepad.exe.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 -p 1896 malfind\u003c/code\u003e\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 memdump -p 1896 -D dumpfiles\u003c/code\u003e\n\nWe use the mutantscan plugin to find mutex objects in memory.\n\n![4](https://user-images.githubusercontent.com/32979760/113493239-4111b300-94e6-11eb-894b-5864186c6e80.PNG)\n\nWe see that the malware's mutex is dc_mutex_khnew006.\n\nNow we continue by dumping runddl32.exe.\n\nLet's analyze the dump file with the strings tool.\n\n![5](https://user-images.githubusercontent.com/32979760/113493709-98198700-94ea-11eb-8271-84da1cad1b5d.png)\n\nAs you can see, everything is clearly visible.
;)\n\nLet's look at the startup entries.\n\n\u003ccode\u003evol.exe -f WIN-TTUMF6EI3O3-20140203-123134.raw --profile=Win7SP1x86 printkey -K \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\u003c/code\u003e\n\n![6](https://user-images.githubusercontent.com/32979760/113493822-8684af00-94eb-11eb-8904-27aad3b59c52.PNG)\n\nThe malware has been shown to run itself at startup, and the analysis is complete.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fysfcndgr%2Fmalware-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fysfcndgr%2Fmalware-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fysfcndgr%2Fmalware-analysis/lists"}