IOCs for memory forensics
Never forget to configure the “advanced parameters” (check “String” and set the length to 4).
- ZeroAccess for kernel/user-mode variants
- Poison Ivy
- Zeus 2.x variants including Citadel
- SpyEye 1.3.x
IDAPython scripts
- Deobfuscating_SpyEye: deobfuscates 4-byte hash values and strings
- zeus_string_decoder: decodes strings in a ZeuS binary
- fix_junk_pony: modifies Pony’s junk code
Immunity Debugger scripts
- immbone_nx: break-on-execute script for a DEP-enabled environment (enable DEP, and in the debugger settings uncheck the option that ignores memory access violations)
- immbone: break-on-execute script for a non-DEP environment (disable DEP, and in the debugger settings uncheck the option that ignores single-step breaks)
- blackmanta: slightly modified version for Immunity Debugger v1.8
EnCase EnScripts
- CrashDumpAnalyzer: memory forensic EnScripts for Microsoft crash dumps
- RawImageAnalyzer: memory forensic EnScripts for raw memory dumps
- Timeline_Report_v1.8.1_CCI: NTFS $STANDARD_INFORMATION/$FILE_NAME (SI/FN) timeline EnScript, based on Geoff Black’s timeline EnScript
- PFDCforPE: parses, filters, detects and carves PE files