Previous post: Cuckoo Submitting Malware
In this post we will learn how to install and use Volatility for memory analysis. Cuckoo can also take a memory dump of the analysis VM at the end of a run; we will load that dump into Volatility to look for hidden processes, network connections, and so on.
Here we will use a Sality virus variant. You can download it for testing from the link below.
The password for the zip file is “
Installing Volatility is straightforward. First download it from http://www.volatilityfoundation.org/#!24/c12wa.
Download the source archive in "tar.gz" format. Volatility 2.4 is written for Python 2, so build it with a Python 2 interpreter, and install it as root. After unpacking, change into the directory the archive created (volatility-2.4 for this release):
$ sudo -i
# tar xvfz volatility-2.4.tar.gz
# cd volatility-2.4
# python setup.py build
# python setup.py install
Check that Python can import the module. A correct install prints nothing; an ImportError means the package did not land on the interpreter's path.
# python -c "import volatility"
Cuckoo Memory Analysis with Volatility:
Now we are ready for analysis. To have Cuckoo take a memory dump of the guest at the end of the run, submit the sample with the "--memory" option. Here is an example command to submit sality:
# utils/submit.py --memory samples/sality.c.exe
Note: I will not repeat how to start Cuckoo and use the submit command here. You can check the details in the previous posts if needed.
After the analysis completes, go to the storage/analyses/<task id> folder for that task and you will see a memory.dmp file there.
Now let's start the Volatility analysis. I will show the basics; run Volatility's help for the full list of plugins and options. Before starting, open a terminal and change to the analysis directory that holds the memory file:
# cd /root/cuckoo/storage/analyses/12
Use this command to get help and options of Volatility.
# vol.py --help
The Memory File Info:
First check the image details. The important piece of information is the profile: Volatility needs to know the guest's Windows version, service pack and architecture to interpret the kernel structures, and imageinfo prints the profiles that match the dump.
# vol.py -f memory.dmp imageinfo
In my example the guest was Windows 7 64-bit without a service pack, so the profile is Win7SP0x64. Pass it to every plugin from here on with --profile.
Check the Connections:
Check the network artifacts in memory to see which processes own a socket, which ports are listening and whether there are established connections. On Windows Vista and later (including this Windows 7 guest) the plugin for this is netscan:
# vol.py --profile=Win7SP0x64 -f memory.dmp netscan
0x3df15be0 TCPv4 192.168.56.101:49167 192.168.56.1:2042 ESTABLISHED 2660 sality.c.exe
I did not include the full output as it is too long, but the line above is the interesting one. The columns are offset, protocol, local address, remote address, state, PID and owning process, and they show sality.c.exe (PID 2660) with an established connection to 192.168.56.1.
List the process tree to see if there are any suspicious processes (columns: name, PID, parent PID, threads, handles, start time):
# vol.py --profile=Win7SP0x64 -f memory.dmp pstree
0xfffffa8000dd5330:sality.c.exe 2660 1476 5 51 2014-11-19 10:21:46 UTC+0000
. 0xfffffa8000e19b30:sality.c.~01 3048 2660 0 ------ 2014-11-19 10:22:02 UTC+0000
Above you can see the processes related to sality: the child sality.c.~01 was started by PID 2660, and its zero thread count and missing handle count mean it had already exited when the dump was taken. pstree only walks the kernel's linked list of processes, so a process that has been unlinked from that list (the DKOM hiding technique used by rootkits) will not appear. To cross-check that list against other sources (pool-tag scanning, thread lists, the PspCid table, csrss and session data) use psxview; a process that shows False under pslist but True under psscan, and has no ExitTime, is hidden:
# vol.py -f memory.dmp --profile=Win7SP0x64 psxview
Dump the file of a process for further analysis:
You can also extract the executable image of a process from memory. In our example the process ID is 2660, and here is the command:
# vol.py --profile=Win7SP0x64 -f memory.dmp procdump -D ./ -p 2660
procdump writes the reconstructed PE to the output directory as executable.2660.exe. Note that this is the in-memory image, not the file on disk: a sample that unpacks or modifies itself at runtime will differ from the original, so the dump is useful for strings and static review but its hash will not match the submitted file.
You can also get the full list of file objects in memory with the command below. filescan finds FILE_OBJECT structures by scanning pool tags, so it also surfaces files that were closed or deleted before the dump was taken; grep the output for the sample name or for paths the sample touched.
# vol.py --profile=Win7SP0x64 -f memory.dmp filescan
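The steps above (pstree, psxview, netscan, procdump, filescan) are the same every time a Cuckoo task is triaged, so here they are wrapped in one script. This is an added example, not code from the original post or from the Volatility or Cuckoo projects. It assumes vol.py (Volatility 2.x) is on PATH, that the profile you pass matches the dump, and the Volatility 2.4 psxview column layout. The function names (triage_dump, hidden_procs, demo_hidden) are mine, and the psxview output at the bottom is constructed for the demonstration, not taken from the post's dump.

```shell
#!/bin/sh
# Added example (not from the original post, Volatility or Cuckoo).
# Assumes: vol.py on PATH, a matching --profile, and the Volatility 2.4
# psxview columns:
#   Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime

# Read psxview output on stdin and print "PID NAME" for each process that
# the pool-tag scan (psscan) found but the linked process list (pslist)
# did not, and that has no ExitTime. An unlinked row *with* an ExitTime is
# a process that simply exited (13 fields, the timestamp is 3 words); an
# unlinked row *without* one (exactly 10 fields) is the signature of a
# process hidden by unlinking its EPROCESS entry (DKOM). Assumes process
# names contain no spaces, since awk splits on whitespace.
hidden_procs() {
    awk '$4 == "False" && $5 == "True" && NF == 10 { print $3, $2 }'
}

# Run the plugins from the post against one Cuckoo analysis directory,
# keep each plugin's output, list active/listening sockets, flag hidden
# processes, and optionally dump one process image.
# Usage: triage_dump /root/cuckoo/storage/analyses/12 Win7SP0x64 [PID]
triage_dump() {
    td_dir="$1"; td_profile="$2"; td_pid="$3"
    td_dump="$td_dir/memory.dmp"
    td_out="$td_dir/volatility"
    mkdir -p "$td_out" || return 1
    for plugin in pstree psxview netscan filescan; do
        vol.py --profile="$td_profile" -f "$td_dump" "$plugin" \
            > "$td_out/$plugin.txt" 2> "$td_out/$plugin.err" || return 1
    done
    # Established connections and listeners only, with the owning PID/name.
    grep -E 'ESTABLISHED|LISTENING' "$td_out/netscan.txt" > "$td_out/netscan-active.txt"
    # Processes unlinked from the active list but still present in memory.
    hidden_procs < "$td_out/psxview.txt" > "$td_out/hidden.txt"
    if [ -n "$td_pid" ]; then
        # procdump writes executable.<PID>.exe into the output directory.
        vol.py --profile="$td_profile" -f "$td_dump" procdump -D "$td_out" -p "$td_pid"
    fi
}

# Constructed psxview output for the demonstration (not from the post's
# dump): one normal process, one hidden process, one that has exited.
SAMPLE_PSXVIEW='Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e25a030 sality.c.exe           2660 True   True   True     True   True  True    True
0x000000003df6a7c0 hidden.exe             1337 False  True   True     True   True  True    True
0x000000003e19b030 cmd.exe                2912 False  True   False    False  False False   False    2014-11-19 10:22:05 UTC+0000'

# Returns the hidden-process list for the constructed sample. A real run
# is: triage_dump /root/cuckoo/storage/analyses/12 Win7SP0x64 2660
demo_hidden() {
    printf '%s\n' "$SAMPLE_PSXVIEW" | hidden_procs
}

demo_hidden   # prints: 1337 hidden.exe
```

Only hidden.exe is reported: sality.c.exe is in both lists, and cmd.exe is unlinked but carries an ExitTime, so it is a terminated process rather than a hidden one. Treat the result as a lead, not a verdict; a process that genuinely exited a moment before the dump can also lack an ExitTime if its EPROCESS was already partially reused.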
For more detailed information check the Volatility Documentation Project.