Memory dump analysis. Volatility.
15 Aug 2015
In the last article we reviewed how to obtain a memory dump from a remote host using winpmem. Now let's look at the Volatility utility to see how we can analyze that dump.
Consider a real case: an Intrusion Detection System has detected a connection from an internal host to an external Internet host with a low reputation (MALWARE_IP).
First of all we need to obtain a memory dump from the potentially infected host. Then we will use Volatility (the Linux version) to analyze it.
1. Getting the system profile.
We will use the "imageinfo" plugin to get the system profile. The other Volatility plugins need it in order to work correctly.
$ python volatility-2.4/vol.py -f physical_memory.raw imageinfo
The result shows that the memory dump was taken from a host running Windows 7 SP1 (x64).
2. Analysis of network connections.
We will use the "netscan" plugin to list network connections. We also have to specify the system profile.
$ python volatility-2.4/vol.py -f physical_memory.raw --profile=Win7SP1x64 netscan | grep MALWARE_IP
The result shows that the process *****.exe connected to the malicious host detected by the IDS. Since the available information says this is a legitimate process, we need to find out which DLLs were injected into it.
3. Export of injected DLLs.
We will use the "malfind" plugin to dump the DLLs that were injected into the process with PID 4476.
$ python volatility-2.4/vol.py -f physical_memory.raw --profile=Win7SP1x64 malfind -p 4476 -D malware
As a result we get the DLL dumps in the folder "malware".
Let's check these files on VirusTotal.
4. Analysis of DLL dumps on VirusTotal.
Malware is detected. It is a trojan.
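As an added example that is not part of the original article: a small Python helper that parses netscan output from step 2 (a constructed sample, with 203.0.113.5 standing in for MALWARE_IP and hostproc.exe for the redacted process name) to find the PIDs that talked to the suspicious address, and hashes the dumps malfind wrote in step 3 so they can be searched on VirusTotal by SHA-256 before deciding whether to upload anything.

```python
import hashlib
import re
from pathlib import Path

# One data row of Volatility 2.x "netscan" output (Win7 x64 layout).
# The State column is blank for UDP rows, so it is optional here.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>-?\d+)\s+(?P<owner>\S+)"
)

# Constructed sample of netscan output (not real capture data).
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e0f0a50         TCPv4    192.168.1.10:49231             203.0.113.5:443      ESTABLISHED      4476     hostproc.exe   2015-08-15 10:12:01 UTC+0000
0x7e1a3b10         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        712      svchost.exe    2015-08-15 08:00:03 UTC+0000
0x7e22c9f0         UDPv4    0.0.0.0:5355                   *:*                                   1080     svchost.exe    2015-08-15 08:00:05 UTC+0000
0x7e3d7e20         TCPv4    192.168.1.10:49302             203.0.113.5:80       CLOSE_WAIT       4476     hostproc.exe   2015-08-15 10:13:40 UTC+0000
"""


def parse_netscan(output):
    """Turn raw netscan text into a list of dicts, skipping header and blank lines."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def pids_talking_to(rows, ip):
    """Return {pid: owner} for every connection whose foreign address is ip."""
    hits = {}
    for row in rows:
        host, _, _port = row["foreign"].rpartition(":")
        if host == ip:
            hits[row["pid"]] = row["owner"]
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_dumps(directory):
    """SHA-256 of each file malfind wrote with -D, for a VirusTotal hash search.
    Searching by hash first avoids uploading process memory that may contain credentials."""
    return {p.name: sha256_hex(p.read_bytes()) for p in sorted(Path(directory).iterdir()) if p.is_file()}


if __name__ == "__main__":
    for pid, owner in pids_talking_to(parse_netscan(SAMPLE_NETSCAN), "203.0.113.5").items():
        print(f"PID {pid} ({owner}) talked to MALWARE_IP; next: malfind -p {pid} -D malware")
```

A hash search on VirusTotal only returns a verdict if that exact file has been seen before, so an unknown hash is not evidence that the dump is clean.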