I came across a program the other day that is very powerful when it comes to IR (Incident Response). Wanting to learn more about the platform, I dived right in and decided to create a plugin. What if you could automatically carve out a file from a memory image and submit said carving to an online virus scanning service? That would be awesome and make for quick work of triaging any memory dumps you may have lying around, assuming you can isolate the suspicious process. This idea was born out of a larger project in development called Avalanche. Its goal is to bring a lot of these tools together for quick analysis à la Mandiant Redline or HBGary Responder Pro, but built around Python.

For those who don't know what Volatility is: it's a great open source memory forensics framework written in Python. It's being actively developed by a great community (it even supports Windows 8 at the time of this writing). The tool operates on memory dumps, images of physical RAM that are much like a disk image but capture a snapshot of the machine's state at the moment of acquisition. Memory dumps have some advantages over full disk images, such as size and context: some information exists only in memory and is difficult or impossible to discern from a disk image (API hooking, process injection, listening sockets, current and recent IP connections, hidden processes). Memory dumps make these data points easily accessible.

Volatility has some practice images on its wiki that you can play with as well. Installing the plugin is pretty simple: download the file and unzip it into the plugins directory. If you want to use VirusTotal you will need to hardcode your API key into avsubmit.py and install simplejson (treat that key like a credential: it identifies your account, so don't commit the edited file anywhere public). AVsubmit is code that MHL shared in the Malware Analyst's Cookbook; all of the book's code snippets are freely available here. I've heard great things about the book and mine is in the mail.

Usage is pretty simple. Run this command:



python vol.py vscan -f target.img -p 100 -s Jotti
Volatile Systems Volatility Framework 2.0
************************************************************************
Dumping explorer.exe, pid: 1724 output: executable.1724.exe
[-] Uploading to a virus scan service. Results may be slow on queue
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=800d68a1e60bf4a8c7f3c3f0a0c983d0ab03c3d2
Initialized APC: 1b38781678971428acde9fe921396eecabecc8a2
Checking Jotti's databse for file with MD5: 7161D1047247D94471CBA21ACB8BAB9E
The file does not already exist on Jotti...
Attempting to upload the sample, please wait...
You can find the new analysis here:
http://virusscan.jotti.org/en/scanresult/eb435d81ffc22b032cbba262f52382b202b65b3a
Trying to get results for the next 600 seconds...
Try 0
Try 1
Try 2
Try 3
Try 4
Try 5
drweb => scan clean
fsecure => scan clean
cpsecure => scan clean
arcavir => scan clean
fprot => scan clean
avast => scan clean
vba32 => scan clean
clamav => scan clean
gdata => scan clean
kaspersky => scan clean
bitdefender => scan clean
panda => scan clean
sophos => scan clean
avira => scan clean
ikarus => scan clean
avg => scan clean
nod32 => scan clean
emsisoft => scan clean
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 4
Finished.



This dumps the target process's executable from the memory image and submits it to the service of your choosing. Be warned that if the process has had code injected into it, a clean result on the dumped executable can be a false negative: the host binary (winlogon.exe in the Zeus/Zbot case below) is legitimate, and the malicious code lives in other memory regions of the process. In this case I use the malfind plugin via MHL's malware.py scripts, and it will dump out process memory based on the VAD tree entries that it finds suspicious. After these items are dumped to disk you can still use the vscan plugin by passing the -F flag to specify a file that has already been dumped. Keep in mind that anything you upload is shared with the service and the AV vendors behind it, and a process dump can contain credentials and other data from the victim machine, so let the hash lookup run first and think before uploading from a sensitive case.



python vol.py -f zeus.vmem vscan -E c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp -S jotti
Volatile Systems Volatility Framework 2.0
[*] Submitting [c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp] to [jotti
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=7e90a75eb406c0f64ac3662a3a5e0ca325bc94f6
Initialized APC: 55521be59f3ec0b6385dfb43eb6a3a7885ded3c7
Checking Jotti's databse for file with MD5: B5CAE4218DC957F4419AEAA675C21B7F
You can find the existing analysis here:
http://virusscan.jotti.org/en/scanresult/7f8bccd75f6d538fda4bbec15c8e600c2cc2b337
Trying to get results for the next 600 seconds...
Try 0
drweb => Trojan.PWS.Panda.199
fsecure => Trojan.Spy.Zbot.EHO
cpsecure => scan clean
arcavir => scan clean
fprot => W32/Zbot.AF.gen!Eldorado
avast => Win32:Zbot-BCW
vba32 => scan clean
clamav => scan clean
gdata => Trojan.Spy.Zbot.EHO
kaspersky => scan clean
bitdefender => Trojan.Spy.Zbot.EHO
panda => scan clean
sophos => Sus/Behav-1010
avira => TR/Hijacker.Gen
ikarus => Trojan-Spy.Zbot
avg => Win32/Cryptor
nod32 => Win32/Kryptik.AY
emsisoft => Trojan-Spy.Zbot!IK
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 8
Finished.



You could also extend the plugin to do this automatically for every file that malfind.py dumps to disk. I hope you find the plugin useful, and perhaps it has inspired you to contribute something to this awesome project as well! Download the plugin here.
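As an added example (this is not code from the vscan plugin or from avsubmit.py), here is the workflow the two runs above walk through, whether the input is a whole-process dump or a malfind section dump: hash the file, ask the service whether it already has a report for that MD5, upload only if it doesn't, poll for results against a deadline, and turn the "engine => verdict" lines into a detection count. The network side is replaced by an injectable object so it runs offline; the lookup/upload/fetch interface, FakeScanner, the scanner.invalid URLs and the verdict lines in demo() are constructed for the example and are not Jotti's or VirusTotal's API.

```python
import hashlib
import os
import tempfile
import time

CLEAN = "scan clean"   # the verdict string printed in the plugin output above


def file_hashes(path):
    """MD5 (what the service is queried with) and SHA-256 (for your own notes), streamed."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest().upper(), sha256.hexdigest()


def parse_results(lines):
    """'engine => verdict' lines, the format shown in the output above, into a dict."""
    results = {}
    for line in lines:
        engine, sep, verdict = line.partition("=>")
        if sep and engine.strip():          # skip blank lines and anything not a verdict
            results[engine.strip()] = verdict.strip()
    return results


def summarize(results):
    """Detection ratio plus the names engines assigned; a clean scan has no names."""
    names = {e: v for e, v in results.items() if v.lower() != CLEAN}
    return {"engines": len(results), "detections": len(names), "names": names}


def poll_results(fetch, report, timeout=600, interval=10,
                 clock=time.monotonic, sleep=time.sleep):
    """Call fetch(report) until it returns verdict lines or the deadline passes.
    Returns (lines or None, tries); the report URL stays usable after a timeout."""
    deadline = clock() + timeout
    tries = 0
    while True:
        lines = fetch(report)
        tries += 1
        if lines is not None:
            return lines, tries
        if clock() + interval > deadline:
            return None, tries
        sleep(interval)


def submit_sample(path, service, **poll_kw):
    """One dumped file: hash, look up, upload only if unknown, poll, summarize."""
    md5, sha256 = file_hashes(path)
    report = service.lookup(md5)      # hash first: a sample the service knows never leaves the box
    uploaded = report is None
    if uploaded:
        report = service.upload(path)
    lines, tries = poll_results(service.fetch, report, **poll_kw)
    summary = summarize(parse_results(lines or []))
    # complete=False means "no verdict yet", which must not be read as "clean"
    summary.update(md5=md5, sha256=sha256, report=report, uploaded=uploaded,
                   complete=lines is not None, tries=tries)
    return summary


class FakeScanner:
    """Hypothetical stand-in for the scanning service (not Jotti's or VirusTotal's API):
    a fresh upload stays queued for `pending` polls, after which reports return `verdicts`."""
    def __init__(self, verdicts, pending=5):
        self.verdicts, self.pending = list(verdicts), pending
        self.known, self.queue, self.uploads = {}, {}, 0

    def lookup(self, md5):
        return self.known.get(md5)

    def upload(self, path):
        self.uploads += 1
        url = "http://scanner.invalid/scanresult/%d" % self.uploads
        self.known[file_hashes(path)[0]] = url
        self.queue[url] = self.pending
        return url

    def fetch(self, report):
        if self.queue.get(report, 0) > 0:
            self.queue[report] -= 1
            return None
        return self.verdicts


def fake_clock():
    """Simulated time so the 600 s poll loop finishes instantly: returns (now, sleep)."""
    t = [0.0]
    return (lambda: t[0]), (lambda s: t.__setitem__(0, t[0] + s))


def demo():
    """Submit one constructed 'dump' twice: upload and poll, then a hash hit with no upload."""
    verdicts = ["drweb => Trojan.PWS.Panda.199", "fsecure => Trojan.Spy.Zbot.EHO",
                "cpsecure => scan clean", "avast => Win32:Zbot-BCW", "kaspersky => scan clean"]
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as f:    # constructed bytes, not a real process dump
        f.write(b"MZ" + b"\x00" * 62 + b"constructed stand-in for a malfind section dump")
    try:
        svc, (now, sleep) = FakeScanner(verdicts), fake_clock()
        kw = dict(timeout=600, interval=10, clock=now, sleep=sleep)
        first = submit_sample(path, svc, **kw)
        second = submit_sample(path, svc, **kw)
    finally:
        os.unlink(path)
    return first, second, svc.uploads
```

Calling demo() submits the same constructed file twice: the first pass uploads and needs six fetches (the "Try 0" through "Try 5" pattern above), the second is answered by the hash lookup with no upload at all. Two design points carry over to a real plugin: the hash lookup happens before anything is sent, and a poll that runs out of time is reported as incomplete rather than as clean, so the caller can revisit the report URL instead of closing the case on a missing verdict.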


Posted in incident response, Malware

Tags: incident response, ir, malware, python, volatility, volatility plugin