Decrypting traffic from twex.exe (a variant of Zeus Crimeware Suite)
I am working on a case where the client machine was infected with a variant of the following:
We traced it back to the Zeus crimeware suite:
We are trying to ascertain what data was stolen, which can be gleaned from network traffic, malware storage files (local.ds, user.ds, and user.ds.lll), and system restore files created from previous instances of local.ds, user.ds, and user.ds.lll, if only we could identify the encryption key.
Here are the hash values of the malware that we found, which I uploaded to this site:
We have looked into decryption methods of previous instances of this, but they do not work on this version. Has anyone had any luck with this?
Thanks in advance,