Cuckoo Memory Analysis with Volatility


Previous post: Cuckoo Submitting Malware

In this post we will learn how to install and use Volatility for memory analysis. Cuckoo can also produce a memory dump of the analysis VM; we will feed that dump to Volatility to check for hidden processes, network connections, and so on.

Here we will use a Sality virus variant. You can download it for testing from the link below.

The password for the zip file is "infected".

Install Volatility:

Installation of Volatility is very easy. First download it from http://www.volatilityfoundation.org/#!24/c12wa.
You need the source archive in "tar.gz" format. Installation requires root rights.

$ sudo -i
# tar xvfz volatility-2.4.tar.gz
# cd volatility
# sudo python setup.py build
# sudo python setup.py install

Check that it is correctly installed for Python. If it is, the following command prints no error message:
# python -c "import volatility"

Cuckoo Memory Analysis with Volatility:

Now we are ready for analysis. To submit a sample and also get a memory dump, use the "--memory" option. Here is an example command to submit Sality:

# utils/submit.py --memory samples/sality.c.exe

Note: I will not repeat how to start Cuckoo and use the submit command; see the previous posts for details if needed.

After the analysis is complete, go to the storage/analyses folder of that analysis and you will see a memory.dmp file.


Now let's start the Volatility analysis. I will show the basics; check Volatility's help for more options. Before starting, open a terminal and go to the directory of the memory file:
# cd /root/cuckoo/storage/analyses/12

Volatility Help:
Use this command to get Volatility's help and options.
# vol.py --help

The Memory File Info:
Here we check the image details. One of the important pieces of information is the profile type.
# vol.py -f memory.dmp imageinfo

In my example I used Windows 7 64-bit without any service pack, so the profile is Win7SP0x64.


Check the Connections:
Check the network connections in the memory image to see which processes have a connection, which ports are listening, and whether there are any established connections.
# vol.py --profile=Win7SP0x64 -f memory.dmp netscan
...
0x3df15be0         TCPv4    192.168.56.101:49167           192.168.56.1:2042    ESTABLISHED      2660     sality.c.exe
...

I did not include all the output as it is too long, but there is one interesting line: as you can see above, sality.c.exe has an established connection.
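Reading netscan output by eye works for one line, but a dump usually has dozens of sockets. The following Python script is an added example (not part of the original post and not Volatility code): it parses the netscan text columns, groups sockets per process, and flags established connections whose peer lies outside the sandbox's host-only network (192.168.56.0/24 here, an assumption taken from the addresses in the post). The sample rows are constructed to match the netscan layout; only the sality.c.exe row mirrors the post, and the 198.51.100.7 peer is a made-up address.

```python
"""Triage Volatility 2 netscan output: which process owns which socket.

Added example, not from the original post or from Volatility itself.
"""
import ipaddress
import re
from collections import defaultdict

TCP_STATES = {"LISTENING", "ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "CLOSE_WAIT",
              "CLOSED", "CLOSING", "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK", "TIME_WAIT",
              "DELETE_TCB"}

# Constructed sample output. UDP rows have no State column, so the parser
# cannot rely on fixed field positions.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3df0a010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        676      svchost.exe
0x3df23a20         UDPv4    0.0.0.0:5355                   *:*                                   1012     svchost.exe    2014-11-19 10:20:31 UTC+0000
0x3df15be0         TCPv4    192.168.56.101:49167           192.168.56.1:2042    ESTABLISHED      2660     sality.c.exe
0x3df31c40         TCPv4    192.168.56.101:49170           198.51.100.7:80      ESTABLISHED      2660     sality.c.exe
"""

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_netscan(text):
    """Turn netscan rows into dicts; header, separator and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("0x"):
            continue
        offset, proto, local, foreign = fields[:4]
        rest = fields[4:]
        state = rest.pop(0) if rest[0] in TCP_STATES else ""  # blank for UDP
        pid = int(rest.pop(0))
        owner = ""
        if rest and not DATE_RE.match(rest[0]):  # Owner can be blank for orphaned sockets
            owner = rest.pop(0)
        records.append({"offset": offset, "proto": proto, "local": local,
                        "foreign": foreign, "state": state, "pid": pid,
                        "owner": owner, "created": " ".join(rest)})
    return records


def summarise_by_pid(records):
    """Group sockets per process: listening endpoints and established peers."""
    summary = defaultdict(lambda: {"owner": "", "listening": [], "established": []})
    for r in records:
        entry = summary[r["pid"]]
        entry["owner"] = entry["owner"] or r["owner"]
        if r["state"] == "LISTENING":
            entry["listening"].append(r["local"])
        elif r["state"] == "ESTABLISHED":
            entry["established"].append(r["foreign"])
    return dict(summary)


def host_of(endpoint):
    """'192.168.56.1:2042' -> '192.168.56.1' (strips the trailing :port)."""
    return endpoint.rsplit(":", 1)[0]


def left_sandbox(records, sandbox_net="192.168.56.0/24"):
    """Established connections whose peer is outside the host-only sandbox network."""
    net = ipaddress.ip_network(sandbox_net)
    hits = []
    for r in records:
        if r["state"] != "ESTABLISHED":
            continue
        try:
            peer = ipaddress.ip_address(host_of(r["foreign"]))
        except ValueError:
            continue  # '*:*' or otherwise malformed address
        if peer not in net:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_NETSCAN)
    for pid, info in sorted(summarise_by_pid(recs).items()):
        print(pid, info["owner"], "listening:", info["listening"],
              "established:", info["established"])
    for r in left_sandbox(recs):
        print("peer outside sandbox net:", r["pid"], r["owner"], "->", r["foreign"])
```

To run it against a real dump, replace SAMPLE_NETSCAN with the captured output of `vol.py --profile=Win7SP0x64 -f memory.dmp netscan`. In a Cuckoo setup the guest normally only talks to the host-only interface, so any established peer outside that network deserves a look regardless of the owning process name.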

Process Tree:
List the process tree to see if there are any suspicious processes.
# vol.py --profile=Win7SP0x64 -f memory.dmp pstree
...

0xfffffa8000dd5330:sality.c.exe 2660 1476 5 51 2014-11-19 10:21:46 UTC+0000
. 0xfffffa8000e19b30:sality.c.~01 3048 2660 0 ------ 2014-11-19 10:22:02 UTC+0000
...

Above you can see the processes related to Sality. There is also a possibility that a process is hidden. To check the list of processes including hidden ones, use:
# vol.py -f memory.dmp --profile=Win7SP0x64 psxview
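psxview prints one row per process with True/False for each source it cross-checks (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) and an ExitTime for processes that have terminated. The script below is an added example (not from the original post or from Volatility): it parses that table and reports the classic hidden-process pattern, a process that pslist does not see but other sources do and that has no ExitTime. The rows are constructed; the sality.c.exe and sality.c.~01 PIDs follow the post's pstree output, while hidden.exe (PID 2804) is an invented row used only to exercise the check. The KNOWN_FALSE set encodes the usual expectation that System, smss.exe and csrss.exe show False in the csrss/session/deskthrd columns; treat it as an assumption to adjust for your profile.

```python
"""Find processes hidden from pslist using Volatility 2 psxview output.

Added example, not from the original post or from Volatility itself.
"""
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Early-boot processes legitimately show False for csrss/session/deskthrd
# because they start before csrss.exe or never own a desktop (assumption).
KNOWN_FALSE = {"System", "smss.exe", "csrss.exe"}

# Constructed sample in psxview's column layout.
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e25d060 smss.exe                264 True   True   True     True   False False   False
0x000000003e2ec5e0 explorer.exe           1476 True   True   True     True   True  True    True
0x000000003df0a900 sality.c.exe           2660 True   True   True     True   True  True    True
0x000000003df1b8a0 sality.c.~01           3048 False  True   False    False  False False   False    2014-11-19 10:22:05 UTC+0000
0x000000003e0c4b30 hidden.exe             2804 False  True   True     True   True  True    True
"""


def parse_psxview(text):
    """Parse psxview rows; the header and the dashed separator line are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].startswith("0x"):
            continue
        # The first True/False token marks the start of the source columns;
        # everything between the offset and the PID is the process name.
        first_bool = next((i for i, f in enumerate(fields) if f in ("True", "False")), None)
        if first_bool is None or first_bool < 3:
            continue
        flags = fields[first_bool:first_bool + len(SOURCES)]
        records.append({
            "offset": fields[0],
            "name": " ".join(fields[1:first_bool - 1]),
            "pid": int(fields[first_bool - 1]),
            "seen": {src: flag == "True" for src, flag in zip(SOURCES, flags)},
            "exit_time": " ".join(fields[first_bool + len(SOURCES):]),
        })
    return records


def hidden_processes(records):
    """Processes absent from pslist but present in another source, and not merely exited."""
    hidden = []
    for r in records:
        seen = r["seen"]
        if seen["pslist"] or r["exit_time"]:
            continue
        if any(seen[src] for src in SOURCES if src != "pslist"):
            hidden.append(r)
    return hidden


def inconsistent_processes(records):
    """Live processes with any False column, ignoring the known early-boot exceptions."""
    out = []
    for r in records:
        if r["exit_time"] or r["name"] in KNOWN_FALSE:
            continue
        if not all(r["seen"].values()):
            out.append(r)
    return out


if __name__ == "__main__":
    recs = parse_psxview(SAMPLE_PSXVIEW)
    for r in hidden_processes(recs):
        print("hidden from pslist:", r["pid"], r["name"])
    for r in inconsistent_processes(recs):
        missing = [s for s, v in r["seen"].items() if not v]
        print("inconsistent:", r["pid"], r["name"], "missing from", missing)
```

Note that sality.c.~01 shows False almost everywhere but is not reported: it has an ExitTime, so pslist not listing it is expected (the post's pstree output shows it with zero threads for the same reason). A hidden process is one that is still running and yet missing from the linked process list.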

Dump the file of a process for further analysis:
It is also possible to extract the executable of a process from memory. In our example the process ID is 2660, and here is the command:
# vol.py --profile=Win7SP0x64 -f memory.dmp procdump -D ./ -p 2660
The command writes the extracted executable to the output directory (./ here).
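Before handing a procdump result to other tools, it is worth checking that its PE headers are intact and recording its hash. The script below is an added example (not from the original post or from Volatility): it parses the DOS header, the PE signature, the COFF header and the section table of a dumped file, and computes its SHA-256. Because no real procdump output is available here, build_sample_pe() constructs a minimal PE32+ image in memory; the machine type, section names and characteristics in it are made-up values. Expect the hash of a dumped image to differ from the hash of the submitted sample, since procdump rebuilds the file from the in-memory layout.

```python
"""Sanity-check an executable extracted with procdump before further analysis.

Added example, not from the original post or from Volatility itself.
"""
import hashlib
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
COFF_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def build_sample_pe(machine=0x8664, sections=(".text", ".data"), characteristics=0x22):
    """Construct a minimal, non-runnable PE32+ image (constructed test data)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0  # size of a PE32+ optional header
    coff = struct.pack(COFF_FMT, machine, len(sections), 0x546C6DDA, 0, 0, size_opt, characteristics)
    opt = struct.pack("<H", 0x20B) + bytes(size_opt - 2)  # magic only; rest zeroed
    table = b""
    for i, name in enumerate(sections):
        table += struct.pack(SECTION_FMT, name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


def inspect_pe(data):
    """Parse the headers of a dumped executable; raises ValueError if they are damaged."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header: not a PE image, or the dump is truncated")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, nsec, timestamp, _, _, size_opt, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if size_opt >= 2 else 0
    sec_off = opt_off + size_opt
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated after %d of %d sections" % (i, nsec))
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": timestamp,
        "sections": sections,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_valid_pe(data):
    """True if inspect_pe() accepts the data, False on any header problem."""
    try:
        inspect_pe(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # With a real dump: data = open("executable.<pid>.exe", "rb").read()
    info = inspect_pe(build_sample_pe())
    print(info["machine"], info["pe_format"], "dll" if info["is_dll"] else "exe")
    for s in info["sections"]:
        print("  %-8s vaddr=0x%x raw=0x%x" % (s["name"], s["vaddr"], s["raw_size"]))
    print("sha256:", info["sha256"])
```

A dump that fails the MZ or PE checks usually means the process image was partially paged out or the wrong PID was chosen; re-run procdump on the PIDs from pstree, or fall back to memdump for the raw address space.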

You can also get the full list of file objects in the memory image with the command below:
# vol.py --profile=Win7SP0x64 -f memory.dmp filescan

For more detailed information, check the Volatility Documentation Project.
