
Malware Analysis (Internet Banking Fraud)

Here are my usual steps:

1. Create a forensic image (.e01) of suspect media (System Hard Disk).

2. Objectives of the analysis:
– Identification of the involved banking trojan
– Detection of the trojan files on the infected computer
– Discovery of the method of infection
– Analysis of the functionality of the malware (especially banking behaviour)
– Detection of the C&C server and dropzone(s)
– Cleaning up the infected computer

3. Record the basic information

3.1 Bank
– Affected bank
– URL of the online banking portal
– All details of the disputed online transaction(s) (date, time, amount, beneficiary account)
– If available: the bank's log files (IP addresses, user agent strings, click paths)

3.2 Banking session
– User account used
– Web browser used
– What exactly happened?

How many indexed transaction numbers (iTANs) were requested and entered? When was the victim prompted for them: immediately after a successful login, or later in the session? What did the prompt look like? What pretext was given? Note the exact wording; it is what you will later look for in the trojan's decoded configuration.

3.3 System
– Operating System
– Service Pack
– Computer Name
– User accounts (with privileges; was the victim's account an administrator?)
– Installed web browsers
– Internet Service Provider

3.4 Essential Security Settings
– Windows Firewall (on/off, configured exceptions)
– Windows Update settings (automatic updates on/off, date of the last successful update)
– Anti-virus software (product, version, signature date, real-time protection on/off)
– Adobe Reader version
– Adobe Flash Player version
– Sun Java version
The last three are the plugins most often hit by drive-by exploit kits; an outdated version is a strong hint at the method of infection.

Feel free to create a timeline table (banking session events, system events, scan results) for a better overview.
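As an added example (editor's code, not part of the original write-up): a small Python script that turns the bank's session log from 3.1 and the victim's answers from 3.2/3.3 into the timeline table suggested above. The log line format, the IP addresses, user agents and amounts are constructed for the example. The origin classification is an analyst heuristic stated as an assumption: a disputed transfer coming from the victim's own IP address and browser is consistent with a man-in-the-browser background transaction, while one coming from a different client points to stolen login data and TANs being replayed from elsewhere.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed bank-side session log for the disputed account (not real data).
# Hypothetical line format: <ISO timestamp> <client IP> "<user agent>" <event> [key=value ...]
BANK_LOG = """\
2010-03-02T08:41:03 203.0.113.17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" LOGIN_OK account=12345678
2010-03-02T08:41:09 203.0.113.17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" ITAN_PROMPT index=57
2010-03-02T08:42:31 203.0.113.17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" TRANSFER amount=4850.00 beneficiary=mule1
2010-03-02T08:43:02 203.0.113.17 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" LOGOUT
2010-03-02T21:17:45 198.51.100.8 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.6" LOGIN_OK account=12345678
2010-03-02T21:18:20 198.51.100.8 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.6" TRANSFER amount=2300.00 beneficiary=mule2
"""

# What the victim reported in 3.2/3.3 (constructed): ISP address at the time
# of the fraud and the browser they normally bank with.
VICTIM_IP = "203.0.113.17"
VICTIM_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)(?: (.*))?$')


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    ua: str
    kind: str
    detail: str
    origin: str


def classify(ip, ua, victim_ip=VICTIM_IP, victim_ua=VICTIM_UA):
    """Analyst heuristic (an assumption, not a rule): where did the session run?"""
    if ip == victim_ip and ua == victim_ua:
        # Same address and browser as the victim: the session ran on the infected
        # PC, which is how a man-in-the-browser background transaction looks
        # from the bank's side.
        return "victim host"
    if ip == victim_ip:
        # Same line, different client (second browser, or traffic tunnelled
        # through the infected machine): needs a closer look.
        return "victim IP, other client"
    # Different address: stolen login data and TAN(s) replayed from elsewhere.
    return "foreign client"


def parse_log(text):
    """Parse the log lines and return the events sorted by time, each tagged with its origin."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable log line: {line!r}")
        ts, ip, ua, kind, detail = m.groups()
        events.append(Event(datetime.fromisoformat(ts), ip, ua, kind, detail or "", classify(ip, ua)))
    return sorted(events, key=lambda e: e.ts)


def seconds_login_to_tan_prompt(events):
    """Delay in seconds between each successful login and the next iTAN prompt,
    i.e. the answer to 'was the victim asked for TANs immediately after login?'."""
    delays, last_login = [], None
    for e in events:
        if e.kind == "LOGIN_OK":
            last_login = e
        elif e.kind == "ITAN_PROMPT" and last_login is not None:
            delays.append((e.ts - last_login.ts).total_seconds())
            last_login = None
    return delays


def foreign_transfers(events):
    """Transfers that did not come from the victim's own host."""
    return [e for e in events if e.kind == "TRANSFER" and e.origin != "victim host"]


def timeline_table(events):
    """One fixed-width row per event, ready to paste into the case notes."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}  {e.ip:<15} {e.origin:<24} {e.kind:<12} {e.detail}" for e in events]


if __name__ == "__main__":
    evs = parse_log(BANK_LOG)
    print("\n".join(timeline_table(evs)))
    print("login -> iTAN prompt delay (s):", seconds_login_to_tan_prompt(evs))
    print("transfers from foreign clients:", [e.detail for e in foreign_transfers(evs)])
```

In the constructed log the first transfer is made six seconds after an iTAN prompt from the victim's own machine, while the second comes from a different address and browser the same evening: two different attack patterns that call for different questions in step 6.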

4. System Scans
Run a full system scan with Malwarebytes' Anti-Malware and collect a HijackThis log.
Also check the log files of the installed anti-virus software. This is important because victims usually run system scans after realizing the fraud, so the AV log may already record (and may have quarantined or deleted) the trojan files you are looking for.

Note: I do all my investigations on the infected computer. The changes on the computer are negligible.

5. Suspicious files and URLs
Use online multi-AV scanners such as VirusTotal and Jotti.
Use automated threat analysis systems (sandboxes) such as Joe Security, ThreatExpert and Anubis.
Keep in mind that uploading a sample hands it to a third party; where that is a concern, look up the file's hash first instead of submitting the file itself.

Note: I also use the free version of Gadwin PrintScreen to document my steps. Gadwin PrintScreen can capture the entire Windows screen, the active window, or a specified area.

6. Banking Trojan
– Banking trojan (e.g. ZeuS version 2.x)
– Synonyms (e.g. Zbot, Wsnpoem, Infostealer.Banker.C)
– Overview
– Infection
– Initialization
– Functionality
– Analysis of the decoded configuration files (C&C and dropzone URLs, targeted banking URLs, webinjects)
– Phishing attack variant (iTAN stealer; real-time attacks such as background transactions and real-time manipulation of the banking session)
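As an added example (editor's code, not the author's tooling and not part of the original page): a Python parser for the webinjects file that a decoded ZeuS 2.x configuration contains. It lists which banking URLs are targeted, which entries only log submitted form data and which inject HTML, and pulls out the injected text that asks for (i)TANs, which is the pretext whose exact wording was recorded in 3.2. The sample webinjects, the bank domain and the injected HTML are constructed for the example. Assumptions stated here and in the code: the flags are read as G (GET), P (POST) and L (log only, no injection), other flags are kept verbatim without interpretation, and URL masks follow the ZeuS convention of `*` for any run of characters and `#` for a single character.

```python
import re
from dataclasses import dataclass


# Constructed sample in the ZeuS 2.x webinjects.txt format (not taken from a
# real configuration). The first entry injects an iTAN prompt into the
# post-login overview page; the second is "log only" (L): it records the
# submitted login form data for the dropzone and injects nothing.
SAMPLE_WEBINJECTS = """\
set_url https://www.bank.example/banking/overview* GP
data_before
<div id="content">
data_end
data_inject
<div class="notice">Aus Sicherheitsgründen geben Sie bitte die iTAN Nr. 57 ein:
<input type="text" name="itan57"></div>
data_end
data_after
data_end

set_url https://www.bank.example/banking/login.do* PL
data_before
data_end
data_inject
data_end
data_after
data_end
"""

TAN_RE = re.compile(r"\bi?TAN\b", re.IGNORECASE)


@dataclass
class WebInject:
    url_mask: str
    flags: str
    before: str = ""
    inject: str = ""
    after: str = ""

    def matches(self, url):
        """Does this entry fire for the given URL? Assumed ZeuS mask convention:
        '*' matches any run of characters, '#' a single character."""
        pattern = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c) for c in self.url_mask)
        return re.fullmatch(pattern, url, re.IGNORECASE) is not None

    def methods(self):
        """HTTP methods the entry applies to (G = GET, P = POST)."""
        return [name for name, flag in (("GET", "G"), ("POST", "P")) if flag in self.flags]

    def is_log_only(self):
        """L flag: record the matched data for the dropzone instead of injecting."""
        return "L" in self.flags


def parse_webinjects(text):
    """Parse webinjects.txt: 'set_url <mask> [flags]' followed by data_before /
    data_inject / data_after blocks, each closed by data_end."""
    entries, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if section is not None:                      # inside a data_* block
            if line.strip() == "data_end":
                setattr(current, section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(line)
            continue
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("set_url"):
            parts = stripped.split()
            if len(parts) < 2:
                raise ValueError(f"set_url without a URL mask: {line!r}")
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            entries.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError("data block before any set_url")
            section = stripped[len("data_"):]         # "before" / "inject" / "after"
        else:
            raise ValueError(f"unexpected line outside a data block: {line!r}")
    if section is not None:
        raise ValueError("unterminated data block (missing data_end)")
    return entries


def injects_for(entries, url):
    """All entries that would fire for a URL: tells you which bank pages are targeted."""
    return [e for e in entries if e.matches(url)]


def tan_prompts(entries):
    """Entries whose injected HTML asks for (i)TANs: the phishing pretext to quote in the report."""
    return [e for e in entries if TAN_RE.search(e.inject)]


if __name__ == "__main__":
    entries = parse_webinjects(SAMPLE_WEBINJECTS)
    for e in entries:
        print(e.url_mask, e.methods(), "log-only" if e.is_log_only() else "inject")
    for e in tan_prompts(entries):
        print("TAN pretext:", e.inject)
```

Running `injects_for` with the URLs from the bank's click-path log (3.1) shows directly which of the victim's page views were manipulated; comparing the text returned by `tan_prompts` with the wording the victim remembers (3.2) confirms that this configuration was the one active during the fraud.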

7. Cleaning up the infected computer
Treat the integrity of the system as compromised: data may have been maliciously modified, altered or destroyed, and the trojan had access to every credential used on the machine. Change all account passwords from a clean system. I highly recommend formatting the disk and reinstalling Windows (after a backup of the user data). It is also important to overwrite the master boot record (for example with fixmbr from the Windows XP Recovery Console, or bootrec /fixmbr from the Vista/7 recovery environment), because formatting a partition leaves the MBR untouched and a bootkit component would survive there.
