Here is a real-world example of using Volatility and YARA. You can download this good old ZeuS image from the Malware Analyst’s Cookbook: zeus.vmem.zip [41,4 MB]
1.) Go into your Volatility directory
2.) If you don’t know what type of system your image came from, use the ‘imageinfo’ command.
$ python vol.py imageinfo -f /home/evild3ad/memory-samples/cookbook/zeus.vmem
3.) Use the command ‘pslist’ to display a list of all processes that were active when the snapshot was taken.
$ python vol.py pslist -f /home/evild3ad/memory-samples/cookbook/zeus.vmem
4.) The list of open TCP connections looks a lot more promising. Two active connections are listed to the IP address 188.8.131.52 on port 80. According to the process list, the process ID 856 does not belong to a browser process.
$ python vol.py connscan -f /home/evild3ad/memory-samples/cookbook/zeus.vmem
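The check behind step 4 (which process owns each connection, and is that process a browser?) can be automated once the plugin output is saved to text files. The following is an added example, not code from the original post or from the Volatility project; the pslist and connscan sample lines are constructed in the shape of Volatility 2 output (with documentation IP addresses), not the real output of zeus.vmem, and the browser allowlist is an assumption you would tune to the environment. It also handles the case connscan is known for: a carved connection whose process has already exited and is therefore missing from pslist.

```python
import re

# Constructed sample in the shape of 'pslist' output (not the real output of zeus.vmem).
PSLIST_SAMPLE = """\
Offset(V)  Name                 PID  PPID Thds Hnds Start
---------- -------------------- ---- ---- ---- ---- -------------------
0x810b1660 System                  4    0   58  379 1970-01-01 00:00:00
0x81e55a38 winlogon.exe          624    4   19  570 2010-08-11 06:06:22
0x81e38b28 services.exe          676  624   21  431 2010-08-11 06:06:23
0x81d4f458 svchost.exe           856  676   29  336 2010-08-11 06:06:24
0x81a1a620 firefox.exe          1752 1464    9  210 2010-08-11 06:10:45
"""

# Constructed sample in the shape of 'connscan' output; 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, not the addresses seen in the real image.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.176.143:1054       192.0.2.10:80             856
0x0208a9f0 172.16.176.143:1061       192.0.2.10:80             856
0x020b1ad8 172.16.176.143:1070       198.51.100.7:443          1752
0x020c4e40 172.16.176.143:1080       198.51.100.7:80           2044
"""

# Only the leading columns matter; header and separator lines do not start with 0x.
PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
CONNSCAN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)", re.M)

# Assumed allowlist: processes for which outbound HTTP/HTTPS is expected.
BROWSERS = frozenset({"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"})


def parse_pslist(text):
    """Map PID -> (process name, PPID) from pslist text."""
    return {int(pid): (name, int(ppid)) for name, pid, ppid in PSLIST_RE.findall(text)}


def parse_connscan(text):
    """List of (local, remote, pid) tuples from connscan text."""
    return [(local, remote, int(pid)) for local, remote, pid in CONNSCAN_RE.findall(text)]


def suspicious_connections(pslist_text, connscan_text, browsers=BROWSERS):
    """Return connections owned by a non-browser process.

    connscan carves _TCPT_OBJECT structures from physical memory, so it can also
    return connections of processes that have already exited; those are flagged
    too, with the process name '<not in pslist>'.
    """
    procs = parse_pslist(pslist_text)
    flagged = []
    for local, remote, pid in parse_connscan(connscan_text):
        name = procs.get(pid, ("<not in pslist>", None))[0]
        if name.lower() not in browsers:
            flagged.append({"pid": pid, "process": name, "local": local, "remote": remote})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_connections(PSLIST_SAMPLE, CONNSCAN_SAMPLE):
        print("PID {pid:>5} {process:<18} {local} -> {remote}".format(**hit))
```

In a real run you would redirect `vol.py pslist` and `vol.py connscan` to files and pass their contents to `suspicious_connections`; the two port-80 connections of PID 856 (svchost.exe) come out flagged, while the browser's connection does not.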
5.) Let’s do a whois for the IP address 184.108.40.206 and see what comes back. You can also use Google to find more information about this IP address.
$ whois 220.127.116.11
6.) The registry is spread across numerous files called ‘hives’. The current user’s registry branch, HKEY Current User (HKCU), is located in the hidden file NTUSER.DAT of the home directory under \Documents and Settings\. There are two more important branches: HKEY Local Machine (HKLM) and the sub-branch for software in \Windows\system32\config. But first, we need ‘hivelist’ to display where Windows has placed these files in memory.
$ python vol.py hivelist -f /home/evild3ad/memory-samples/cookbook/zeus.vmem
7.) The key ‘UserInit’ specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc. for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma. It is a common place for trojans.
$ python vol.py printkey -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -o 0xe153ab60 -K 'Microsoft\Windows NT\CurrentVersion\Winlogon'
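The comma rule from step 7 is easy to check mechanically: anything in the Userinit value besides the stock userinit.exe is worth a look. Below is an added example, not code from the original post or from Volatility. The printkey sample block is constructed in the shape of a Volatility 2 ‘printkey’ Values listing (the sdra64.exe entry mirrors what this walkthrough finds, the other values are made up), and the default path is the one the post names. The splitter deals with two details that trip up naive string comparison: the trailing comma that leaves an empty entry, and quoted or differently cased paths.

```python
import re

# Default value named in the post; comparison below is case-insensitive.
DEFAULT_USERINIT = r"C:\windows\system32\userinit.exe"

# Constructed sample in the shape of a 'printkey' Values block (not the real zeus.vmem output).
PRINTKEY_SAMPLE = r"""
Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_DWORD     AutoRestartShell: (S) 1
"""

# REG_SZ <name> : (S) <data>; (S) marks a stable key in printkey output.
USERINIT_RE = re.compile(r"^REG_SZ\s+Userinit\s*:\s*\(S\)\s*(.*)$", re.M)


def extract_userinit(printkey_text):
    """Pull the raw Userinit data out of printkey output, or None if the value is absent."""
    m = USERINIT_RE.search(printkey_text)
    return m.group(1).strip() if m else None


def split_userinit(value):
    """Split the comma-separated Userinit value into program entries.

    A trailing comma (the normal form of the value) yields an empty last entry,
    which is dropped; surrounding whitespace and double quotes are stripped.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"').strip()
        if item:
            entries.append(item)
    return entries


def extra_userinit_programs(value, default=DEFAULT_USERINIT):
    """Entries other than the default userinit.exe (case-insensitive full-path comparison,
    so C:\\evil\\userinit.exe is still reported)."""
    return [e for e in split_userinit(value) if e.lower() != default.lower()]


if __name__ == "__main__":
    value = extract_userinit(PRINTKEY_SAMPLE)
    print("Userinit =", value)
    for prog in extra_userinit_programs(value):
        print("extra program launched at logon:", prog)
```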
8.) To view the process listing in tree form, use the ‘pstree’ command. This plugin prints the process list as a tree so we can visualize the parent/child relationships.
$ python vol.py pstree -f /home/evild3ad/memory-samples/cookbook/zeus.vmem
We did notice that winlogon.exe launched sdra64.exe and that the system process svchost.exe (Pid 856) is connected to the internet; services.exe (PPid 676) looked to have some code injected into it.
9.) Let’s revisit our ‘printkey’ command so we can detect if the windows firewall is enabled or disabled.
$ python vol.py printkey -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -K 'ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
10.) Now, it’s time for the Volatility plug-in malware.py. Simply place the plugin in the ‘plugins’ directory within the Volatility directory. The function ‘apihooks’ looks at the svchost.exe process with the PID 856 and finds two in-line hooks.
$ python vol.py apihooks -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856
11.) There is a typical PE file header including the characteristic “This program cannot be run in DOS mode.” This is the smoking gun; it proves that a complete program image has indeed been injected into the svchost.exe process.
$ python vol.py malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -D /home/evild3ad/Volatility/dump-files
12.) Finally we’ll use YARA, which identifies malicious software based on characteristic strings and byte sequences. You can download the official malware rules from the YARA project website.
$ python vol.py malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -Y /home/evild3ad/yara-rules/MalwareRules.yara -D /home/evild3ad/Volatility/dump-files
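Steps 11 and 12 rest on two ideas: a dumped region that begins with a valid MZ/PE header is a whole program image rather than a stray shellcode stub, and YARA classifies such dumps by matching named strings and byte patterns under a condition. The block below is an added example, not code from the original post, from Volatility or from YARA. It inspects a dumped region the way you would read the malfind evidence by hand (MZ header, e_lfanew, “PE\0\0”, IMAGE_FILE_HEADER fields) and applies a deliberately minimal YARA-style matcher (‘all of them’ / ‘any of them’). The PE-shaped blob and the rule are constructed for the example; nothing here is taken from the zeus.vmem image, and the sdra64.exe string is reused from this walkthrough only as a sample pattern.

```python
import struct

# The MS-DOS stub message malfind shows as the smoking gun; present in almost every PE.
DOS_STUB_STRING = b"This program cannot be run in DOS mode."


def inspect_dumped_region(data):
    """Inspect one dumped region (a file written by 'malfind -D') for a complete PE image.

    'pe_signature' is True only when the region starts with an MZ header whose
    e_lfanew points at a valid 'PE\\0\\0' signature, i.e. a whole image, not just code.
    """
    findings = {
        "mz_header": False,
        "dos_stub_string": DOS_STUB_STRING in data,
        "pe_signature": False,
        "machine": None,
        "number_of_sections": None,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return findings                       # raw shellcode or data, not an image
    findings["mz_header"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit in the region
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings                       # MZ without a usable PE header
    findings["pe_signature"] = True
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    findings["machine"] = machine             # 0x14C = IMAGE_FILE_MACHINE_I386
    findings["number_of_sections"] = nsections
    return findings


def rule_matches(data, strings, require_all=True):
    """Minimal YARA-style rule: 'strings' maps an identifier to a byte pattern; the
    condition is 'all of them' (default) or 'any of them'. Returns the matching ids."""
    hits = [name for name, pattern in strings.items() if pattern in data]
    if require_all and len(hits) != len(strings):
        return []
    return hits


def build_sample_region():
    """Constructed: a minimal PE-shaped blob, NOT bytes dumped from zeus.vmem."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_STRING + b"\r\r\n$")   # classic DOS stub code + message
    buf[0x40:0x40 + len(stub)] = stub
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 3)   # i386, 3 sections
    buf[0x100:0x100 + 10] = b"sdra64.exe"     # constructed string for the sample rule
    return bytes(buf)


# Constructed rule: the DOS stub message plus the dropper name seen in step 8.
SAMPLE_RULE = {
    "$dos_stub": DOS_STUB_STRING,
    "$dropper_name": b"sdra64.exe",
}


if __name__ == "__main__":
    region = build_sample_region()
    print(inspect_dumped_region(region))
    print("rule hits:", rule_matches(region, SAMPLE_RULE))
```

To run this against a real dump, read one of the files malfind wrote to the `-D` directory with `open(path, "rb").read()` and pass the bytes to both functions; a region that reports `mz_header` but not `pe_signature` is either truncated or has a damaged header and deserves a manual look rather than an automatic verdict.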
CSI Internet – A trip into RAM by Frank Boldewin (English Version)
Tatort Internet – Eine Reise ins RAM by Frank Boldewin (Deutsche Version)
Volatility – CommandReference
Volatility – FeaturesByPlugin
Volatility Documentation Project (VDP) 2.0
Yara – A malware identification and classification tool