Volatility Memory Forensics | Basic Usage for Malware Analysis

Here is a real-world example of using Volatility and YARA. You can download this good old ZeuS image from the Malware Analyst’s Cookbook: zeus.vmem.zip [41.4 MB]

1.) Go into your Volatility directory

2.) If you don’t know what type of system your image came from, use the ‘imageinfo’ command to get the suggested profile.

$ python vol.py imageinfo -f /home/evild3ad/memory-samples/cookbook/zeus.vmem

[screenshot: imageinfo output]

3.) Use the command ‘pslist’ to display a list of all processes that were active when the snapshot was taken.

$ python vol.py pslist -f /home/evild3ad/memory-samples/cookbook/zeus.vmem

[screenshot: pslist output]

4.) The list of open TCP connections looks a lot more promising. Two active connections are listed to the IP address 193.104.41.75 on port 80. According to the process list, process ID 856 does not belong to a browser process.

$ python vol.py connscan -f /home/evild3ad/memory-samples/cookbook/zeus.vmem

[screenshot: connscan output]
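The cross-check made in steps 3 and 4 (which process owns each connection, and is it a browser?) can be automated on the plugins’ text output. This is an added example, not code from the post or from Volatility: the pslist/connscan text is constructed in the Volatility 2.x column layout, and the browser and web-port sets are assumptions to tune for your environment.

```python
import re
# Constructed sample output in the Volatility 2.x text layout (not the post's own screenshots).
PSLIST_OUTPUT = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x81d9b020 services.exe         676    632    21     431    2010-08-11 06:06:24
0x81e70020 svchost.exe          856    676    29     336    2010-08-11 06:06:24
0x81c4a020 firefox.exe          1308   1124   12     298    2010-08-11 06:08:01
"""
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.176.143:1054       193.104.41.75:80          856
0x023a8008 172.16.176.143:1056       193.104.41.75:80          856
0x023b0a10 172.16.176.143:1071       203.0.113.9:80            1308
0x023c1ff0 172.16.176.143:1090       203.0.113.44:443          2044
"""

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}  # assumption
WEB_PORTS = {80, 443, 8080}                                             # assumption
PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+\S+:\d+\s+(\S+):(\d+)\s+(\d+)\s*$")

def parse_pslist(text):
    """Return {pid: process name}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def parse_connscan(text):
    """Return [(remote_ip, remote_port, pid)] for each carved connection."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(CONN_RE.match, text.splitlines()) if m]

def suspicious_connections(pslist_text, connscan_text):
    """Flag web connections owned by non-browser processes or by PIDs absent from pslist."""
    procs = parse_pslist(pslist_text)
    findings = []
    for remote_ip, remote_port, pid in parse_connscan(connscan_text):
        name = procs.get(pid)
        if name is None:
            # connscan carves pool memory, so it also returns connections of
            # processes that have exited or are hidden from the pslist walk.
            findings.append((pid, "<not in pslist>", remote_ip, remote_port))
        elif remote_port in WEB_PORTS and name.lower() not in BROWSERS:
            findings.append((pid, name, remote_ip, remote_port))
    return findings
```

On the constructed input this flags the two svchost.exe (856) connections to 193.104.41.75:80 and the orphan PID 2044, while firefox.exe is passed over.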

5.) Let’s do a whois for the IP address 193.104.41.75 and see what comes back. You can also use Google to find more information about this IP address.

$ whois 193.104.41.75

[screenshot: whois output]

6.) The registry is spread across numerous files called ‘hives’. The current user’s branch, HKEY_CURRENT_USER (HKCU), lives in the hidden file NTUSER.DAT in the user’s profile directory under \Documents and Settings\. Two more important branches, HKEY_LOCAL_MACHINE (HKLM) and its software sub-branch, are stored under \Windows\system32\config. But first we need ‘hivelist’ to show us where Windows placed these files in memory.

$ python vol.py hivelist -f /home/evild3ad/memory-samples/cookbook/zeus.vmem

[screenshot: hivelist output]

7.) The ‘UserInit’ value specifies which program is launched right after a user logs into Windows. The default is C:\windows\system32\userinit.exe, the program that restores the profile, fonts, colors, etc. for the logged-on user. Further programs can be appended to this value, separated by commas, and they will be launched at every logon. It is a common persistence place for trojans. The -o argument of printkey below is the virtual offset of the SOFTWARE hive as reported by hivelist.

$ python vol.py printkey -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -o 0xe153ab60 -K 'Microsoft\Windows NT\CurrentVersion\Winlogon'

[screenshot: printkey output]

8.) To view the process listing in tree form, use the ‘pstree’ command. This plugin prints the process list as a tree so we can visualize the parent/child relationships.

$ python vol.py pstree -f /home/evild3ad/memory-samples/cookbook/zeus.vmem

[screenshot: pstree output]

We did notice that winlogon.exe launched sdra64.exe and that the system process svchost.exe (Pid 856) is connected to the internet. services.exe (PPid 676) looked to have some code injected into it.

9.) Let’s revisit our ‘printkey’ command so we can detect whether the Windows Firewall is enabled or disabled. Without -o, printkey searches all hives for the key.

$ python vol.py printkey -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -K 'ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

[screenshot: firewall settings in printkey output]

10.) Now it’s time for the Volatility plug-in malware.py. Simply place the plugin in the ‘plugins’ directory within the Volatility directory. Its ‘apihooks’ command looks at the svchost.exe process with PID 856 and finds two inline hooks.

$ python vol.py apihooks -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856

[screenshot: apihooks output]

11.) ‘malfind’ shows a typical PE file header in the injected region, including the characteristic string “This program cannot be run in DOS mode.” This is the smoking gun: it proves that a complete program image has indeed been injected into the svchost.exe process. With -D, the suspicious memory segments are dumped to the given directory for further analysis.

$ python vol.py malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -D /home/evild3ad/Volatility/dump-files

[screenshot: malfind output]

12.) Finally we’ll use YARA, which identifies malicious software based on characteristic strings and byte sequences. The official malware rules can be downloaded from the YARA project website; -Y passes the rules file to malfind so the dumped segments are scanned against it.

$ python vol.py malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -Y /home/evild3ad/yara-rules/MalwareRules.yara -D /home/evild3ad/Volatility/dump-files

[screenshot: malfind output with YARA matches]

Links:
CSI Internet – A trip into RAM by Frank Boldewin (English Version)
Tatort Internet – Eine Reise ins RAM by Frank Boldewin (Deutsche Version)
Volatility – CommandReference
Volatility – FeaturesByPlugin
Volatility Documentation Project (VDP) 2.0
Yara – A malware identification and classification tool
