Finding malware on memory dumps using Volatility and Yara rules

I've previously written a lot about Volatility, and I've also published some articles about YARA.

Today I'd like to share a brief and simple workflow, useful for a first high-level analysis of a memory dump to check for the presence of generic malware.

The result of this workflow is useful as a pivot point for further analysis focused on a specific threat.


The YARA rules repository

In the GitHub repository of Yara Rules Project, a big set of precompiled rules is available:

This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.

Yara is becoming increasingly used, but knowledge about the tool and its usage is dispersed across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering together a ruleset as complete as possible thusly providing users a quick way to get Yara ready for usage.

The repository contains rules for a large number of threats, and a section specific to malware.

During the first phase of a memory dump analysis, it can be useful to check the dump for artifacts related to the best-known malware families; to do that, the image has to be scanned with all the rules in the "malware" section of the repository.

To speed up this process, I've developed a simple Python script (based on this project) that automatically downloads the rules from the git repository and merges them into a single file:

The script has no special requirements and its usage is pretty simple: just run it in the console:

[email protected]:~/tmp/volsample$ ./malware_yara_rules.py
Cloning into 'rules'...
remote: Counting objects: 6166, done.
remote: Total 6166 (delta 0), reused 0 (delta 0), pack-reused 6166
Ricezione degli oggetti: 100% (6166/6166), 3.77 MiB | 2.15 MiB/s, done.
Risoluzione dei delta: 100% (3806/3806), done.
Processing ./rules/malware
Processing ./rules/malware/Operation_Blockbuster
Processing ./rules/malware/000_common_rules.yar
Processing ./rules/malware/APT_APT1.yar
Processing ./rules/malware/APT_APT10.yar
Processing ./rules/malware/APT_APT15.yar
Processing ./rules/malware/APT_APT17.yar
Processing ./rules/malware/APT_APT29_Grizzly_Steppe.yar
Processing ./rules/malware/APT_APT3102.yar
Processing ./rules/malware/APT_APT9002.yar
Processing ./rules/malware/APT_Backspace.yar
Processing ./rules/malware/APT_Bestia.yar
Processing ./rules/malware/APT_Blackenergy.yar
Processing ./rules/malware/APT_Bluetermite_Emdivi.yar
Processing ./rules/malware/APT_C16.yar
Processing ./rules/malware/APT_Carbanak.yar
Processing ./rules/malware/APT_Careto.yar
Processing ./rules/malware/APT_Casper.yar
Processing ./rules/malware/APT_CheshireCat.yar
Processing ./rules/malware/APT_Cloudduke.yar
Processing ./rules/malware/APT_Codoso.yar
Processing ./rules/malware/APT_DPRK_ROKRAT.yar
Processing ./rules/malware/APT_DeepPanda_Anthem.yar
Processing ./rules/malware/APT_DeputyDog.yar
Processing ./rules/malware/APT_Derusbi.yar
Processing ./rules/malware/APT_Dubnium.yar
Processing ./rules/malware/APT_Duqu2.yar
Processing ./rules/malware/APT_EQUATIONGRP.yar
Processing ./rules/malware/APT_Emissary.yar
Processing ./rules/malware/APT_EnergeticBear_backdoored_ssh.yar
Processing ./rules/malware/APT_Equation.yar
Processing ./rules/malware/APT_FIN7.yar
Processing ./rules/malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar
Processing ./rules/malware/APT_FiveEyes.yar
Processing ./rules/malware/APT_Greenbug.yar
Processing ./rules/malware/APT_Grizzlybear_uscert.yar
Processing ./rules/malware/APT_HackingTeam.yar
Processing ./rules/malware/APT_Hellsing.yar
Processing ./rules/malware/APT_HiddenCobra.yar
Processing ./rules/malware/APT_Hikit.yar
Processing ./rules/malware/APT_Industroyer.yar
Processing ./rules/malware/APT_Irontiger.yar
Processing ./rules/malware/APT_Kaba.yar
Processing ./rules/malware/APT_Ke3Chang_TidePool.yar
Processing ./rules/malware/APT_KeyBoy.yar
Processing ./rules/malware/APT_LotusBlossom.yar
Processing ./rules/malware/APT_Minidionis.yar
Processing ./rules/malware/APT_Mirage.yar
Processing ./rules/malware/APT_Molerats.yar
Processing ./rules/malware/APT_Mongall.yar
Processing ./rules/malware/APT_NGO.yar
Processing ./rules/malware/APT_OPCleaver.yar
Processing ./rules/malware/APT_Oilrig.yar
Processing ./rules/malware/APT_OpClandestineWolf.yar
Processing ./rules/malware/APT_OpDustStorm.yar
Processing ./rules/malware/APT_OpPotao.yar
Processing ./rules/malware/APT_PCclient.yar
Processing ./rules/malware/APT_Passcv.yar
Processing ./rules/malware/APT_Pipcreat.yar
Processing ./rules/malware/APT_Platinum.yar
Processing ./rules/malware/APT_Poseidon_Group.yar
Processing ./rules/malware/APT_Prikormka.yar
Processing ./rules/malware/APT_PutterPanda.yar
Processing ./rules/malware/APT_Regin.yar
Processing ./rules/malware/APT_RemSec.yar
Processing ./rules/malware/APT_Scarab_Scieron.yar
Processing ./rules/malware/APT_Seaduke.yar
Processing ./rules/malware/APT_Snowglobe_Babar.yar
Processing ./rules/malware/APT_Sofacy_Bundestag.yar
Processing ./rules/malware/APT_Sofacy_Fysbis.yar
Processing ./rules/malware/APT_Sofacy_Jun16.yar
Processing ./rules/malware/APT_Sphinx_Moth.yar
Processing ./rules/malware/APT_Stuxnet.yar
Processing ./rules/malware/APT_Terracota.yar
Processing ./rules/malware/APT_ThreatGroup3390.yar
Processing ./rules/malware/APT_TradeSecret.yar
Processing ./rules/malware/APT_Turla_Neuron.yar
Processing ./rules/malware/APT_Turla_RUAG.yar
Processing ./rules/malware/APT_UP007_SLServer.yar
Processing ./rules/malware/APT_Unit78020.yar
Processing ./rules/malware/APT_Waterbug.yar
Processing ./rules/malware/APT_WildNeutron.yar
Processing ./rules/malware/APT_Windigo_Onimiki.yar
Processing ./rules/malware/APT_Winnti.yar
Processing ./rules/malware/APT_WoolenGoldfish.yar
Processing ./rules/malware/APT_eqgrp_apr17.yar
Processing ./rules/malware/APT_fancybear_dnc.yar
Processing ./rules/malware/APT_fancybear_downdelph.yar
Processing ./rules/malware/APT_furtim.yar
Processing ./rules/malware/EXPERIMENTAL_Beef.yar
Processing ./rules/malware/GEN_PowerShell.yar
Processing ./rules/malware/MALW_AgentTesla.yar
Processing ./rules/malware/MALW_AgentTesla_SMTP.yar
Processing ./rules/malware/MALW_Alina.yar
Processing ./rules/malware/MALW_Andromeda.yar
Processing ./rules/malware/MALW_Athena.yar
Processing ./rules/malware/MALW_Atmos.yar
Processing ./rules/malware/MALW_BackdoorSSH.yar
Processing ./rules/malware/MALW_Backoff.yar
Processing ./rules/malware/MALW_Bangat.yar
Processing ./rules/malware/MALW_Batel.yar
Processing ./rules/malware/MALW_BlackRev.yar
Processing ./rules/malware/MALW_BlackWorm.yar
Processing ./rules/malware/MALW_Boouset.yar
Processing ./rules/malware/MALW_Bublik.yar
Processing ./rules/malware/MALW_Buzus_Softpulse.yar
Processing ./rules/malware/MALW_CAP_HookExKeylogger.yar
Processing ./rules/malware/MALW_CAP_Win32Inet.yara
Processing ./rules/malware/MALW_Chicken.yar
Processing ./rules/malware/MALW_Citadel.yar
Processing ./rules/malware/MALW_Cloaking.yar
Processing ./rules/malware/MALW_Cookies.yar
Processing ./rules/malware/MALW_Corkow.yar
Processing ./rules/malware/MALW_Cxpid.yar
Processing ./rules/malware/MALW_Cythosia.yar
Processing ./rules/malware/MALW_DDoSTf.yar
Processing ./rules/malware/MALW_Derkziel.yar
Processing ./rules/malware/MALW_Dexter.yar
Processing ./rules/malware/MALW_DiamondFox.yar
Processing ./rules/malware/MALW_DirtJumper.yar
Processing ./rules/malware/MALW_Elex.yar
Processing ./rules/malware/MALW_Elknot.yar
Processing ./rules/malware/MALW_Emotet.yar
Processing ./rules/malware/MALW_Empire.yar
Processing ./rules/malware/MALW_Enfal.yar
Processing ./rules/malware/MALW_Exploit_UAC_Elevators.yar
Processing ./rules/malware/MALW_Ezcob.yar
Processing ./rules/malware/MALW_F0xy.yar
Processing ./rules/malware/MALW_FALLCHILL.yar
Processing ./rules/malware/MALW_FakeM.yar
Processing ./rules/malware/MALW_Fareit.yar
Processing ./rules/malware/MALW_Favorite.yar
Processing ./rules/malware/MALW_Furtim.yar
Processing ./rules/malware/MALW_Gafgyt.yar
Processing ./rules/malware/MALW_Genome.yar
Processing ./rules/malware/MALW_Glasses.yar
Processing ./rules/malware/MALW_Gozi.yar
Processing ./rules/malware/MALW_Grozlex.yar
Processing ./rules/malware/MALW_Hsdfihdf_banking.yar
Processing ./rules/malware/MALW_Httpsd_ELF.yar
Processing ./rules/malware/MALW_IMuler.yar
Processing ./rules/malware/MALW_IcedID.yar
Processing ./rules/malware/MALW_Iexpl0ree.yar
Processing ./rules/malware/MALW_Install11.yar
Processing ./rules/malware/MALW_Intel_Virtualization.yar
Processing ./rules/malware/MALW_IotReaper.yar
Processing ./rules/malware/MALW_Jolob_Backdoor.yar
Processing ./rules/malware/MALW_KINS.yar
Processing ./rules/malware/MALW_Kelihos.yar
Processing ./rules/malware/MALW_Korlia.yar
Processing ./rules/malware/MALW_Korplug.yar
Processing ./rules/malware/MALW_Kovter.yar
Processing ./rules/malware/MALW_Kraken.yar
Processing ./rules/malware/MALW_Kwampirs.yar
Processing ./rules/malware/MALW_LURK0.yar
Processing ./rules/malware/MALW_Lateral_Movement.yar
Processing ./rules/malware/MALW_Lenovo_Superfish.yar
Processing ./rules/malware/MALW_LinuxBew.yar
Processing ./rules/malware/MALW_LinuxHelios.yar
Processing ./rules/malware/MALW_LinuxMoose.yar
Processing ./rules/malware/MALW_LostDoor.yar
Processing ./rules/malware/MALW_LuaBot.yar
Processing ./rules/malware/MALW_LuckyCat.yar
Processing ./rules/malware/MALW_MacControl.yar
Processing ./rules/malware/MALW_Madness.yar
Processing ./rules/malware/MALW_Magento_backend.yar
Processing ./rules/malware/MALW_Magento_frontend.yar
Processing ./rules/malware/MALW_Magento_suspicious.yar
Processing ./rules/malware/MALW_Mailers.yar
Processing ./rules/malware/MALW_Miancha.yar
Processing ./rules/malware/MALW_MiniAsp3_mem.yar
Processing ./rules/malware/MALW_Mirai_Okiru_ELF.yar
Processing ./rules/malware/MALW_Mirai_Satori_ELF.yar
Processing ./rules/malware/MALW_Miscelanea.yar
Processing ./rules/malware/MALW_Miscelanea_Linux.yar
Processing ./rules/malware/MALW_Monero_Miner_installer.yar
Processing ./rules/malware/MALW_NSFree.yar
Processing ./rules/malware/MALW_Naikon.yar
Processing ./rules/malware/MALW_Naspyupdate.yar
Processing ./rules/malware/MALW_NetTraveler.yar
Processing ./rules/malware/MALW_NionSpy.yar
Processing ./rules/malware/MALW_Notepad.yar
Processing ./rules/malware/MALW_OSX_Leverage.yar
Processing ./rules/malware/MALW_Odinaff.yar
Processing ./rules/malware/MALW_Olyx.yar
Processing ./rules/malware/MALW_PE_sections.yar
Processing ./rules/malware/MALW_PittyTiger.yar
Processing ./rules/malware/MALW_Ponmocup.yar
Processing ./rules/malware/MALW_Pony.yar
Processing ./rules/malware/MALW_PubSab.yar
Processing ./rules/malware/MALW_PyPI.yar
Processing ./rules/malware/MALW_Pyinstaller.yar
Processing ./rules/malware/MALW_Quarian.yar
Processing ./rules/malware/MALW_Rebirth_Vulcan_ELF.yar
Processing ./rules/malware/MALW_Regsubdat.yar
Processing ./rules/malware/MALW_Retefe.yar
Processing ./rules/malware/MALW_Rockloader.yar
Processing ./rules/malware/MALW_Rooter.yar
Processing ./rules/malware/MALW_Rovnix.yar
Processing ./rules/malware/MALW_Safenet.yar
Processing ./rules/malware/MALW_Sakurel.yar
Processing ./rules/malware/MALW_Sayad.yar
Processing ./rules/malware/MALW_Scarhikn.yar
Processing ./rules/malware/MALW_Sendsafe.yar
Processing ./rules/malware/MALW_Shamoon.yar
Processing ./rules/malware/MALW_Shifu.yar
Processing ./rules/malware/MALW_Skeleton.yar
Processing ./rules/malware/MALW_Spora.yar
Processing ./rules/malware/MALW_Sqlite.yar
Processing ./rules/malware/MALW_Stealer.yar
Processing ./rules/malware/MALW_Surtr.yar
Processing ./rules/malware/MALW_T5000.yar
Processing ./rules/malware/MALW_TRITON_HATMAN.yar
Processing ./rules/malware/MALW_TRITON_ICS_FRAMEWORK.yar
Processing ./rules/malware/MALW_Tedroo.yar
Processing ./rules/malware/MALW_Tinba.yar
Processing ./rules/malware/MALW_TinyShell_Backdoor_gen.yar
Processing ./rules/malware/MALW_Torte_ELF.yar
Processing ./rules/malware/MALW_TreasureHunt.yar
Processing ./rules/malware/MALW_TrickBot.yar
Processing ./rules/malware/MALW_Trumpbot.yar
Processing ./rules/malware/MALW_Upatre.yar
Processing ./rules/malware/MALW_Urausy.yar
Processing ./rules/malware/MALW_Vidgrab.yar
Processing ./rules/malware/MALW_Virut_FileInfector_UNK_VERSION.yar
Processing ./rules/malware/MALW_Volgmer.yar
Processing ./rules/malware/MALW_Wabot.yar
Processing ./rules/malware/MALW_Warp.yar
Processing ./rules/malware/MALW_Wimmie.yar
Processing ./rules/malware/MALW_XHide.yar
Processing ./rules/malware/MALW_XMRIG_Miner.yar
Processing ./rules/malware/MALW_XOR_DDos.yar
Processing ./rules/malware/MALW_Yayih.yar
Processing ./rules/malware/MALW_Zegost.yar
Processing ./rules/malware/MALW_Zeus.yar
Processing ./rules/malware/MALW_adwind_RAT.yar
Processing ./rules/malware/MALW_sitrof_fortis_scar.yar
Processing ./rules/malware/MALW_viotto_keylogger.yar
Processing ./rules/malware/MALW_xDedic_marketplace.yar
Processing ./rules/malware/POS.yar
Processing ./rules/malware/POS_Bernhard.yar
Processing ./rules/malware/POS_BruteforcingBot.yar
Processing ./rules/malware/POS_Easterjack.yar
Processing ./rules/malware/POS_FastPOS.yar
Processing ./rules/malware/POS_LogPOS.yar
Processing ./rules/malware/POS_MalumPOS.yar
Processing ./rules/malware/POS_Mozart.yar
Processing ./rules/malware/RANSOM_.CRYPTXXX.yar
Processing ./rules/malware/RANSOM_777.yar
Processing ./rules/malware/RANSOM_Alpha.yar
Processing ./rules/malware/RANSOM_Cerber.yar
Processing ./rules/malware/RANSOM_Comodosec.yar
Processing ./rules/malware/RANSOM_Crypren.yar
Processing ./rules/malware/RANSOM_Cryptolocker.yar
Processing ./rules/malware/RANSOM_DMALocker.yar
Processing ./rules/malware/RANSOM_DoublePulsar_Petya.yar
Processing ./rules/malware/RANSOM_Erebus.yar
Processing ./rules/malware/RANSOM_GPGQwerty.yar
Processing ./rules/malware/RANSOM_GoldenEye.yar
Processing ./rules/malware/RANSOM_Locky.yar
Processing ./rules/malware/RANSOM_MS17-010_Wannacrypt.yar
Processing ./rules/malware/RANSOM_PetrWrap.yar
Processing ./rules/malware/RANSOM_Petya.yar
Processing ./rules/malware/RANSOM_Satana.yar
Processing ./rules/malware/RANSOM_Sigma.yar
Processing ./rules/malware/RANSOM_Stampado.yar
Processing ./rules/malware/RANSOM_TeslaCrypt.yar
Processing ./rules/malware/RANSOM_Tox.yar
Processing ./rules/malware/RAT_Adwind.yar
Processing ./rules/malware/RAT_Adzok.yar
Processing ./rules/malware/RAT_BlackShades.yar
Processing ./rules/malware/RAT_Bolonyokte.yar
Processing ./rules/malware/RAT_Bozok.yar
Processing ./rules/malware/RAT_Cerberus.yar
Processing ./rules/malware/RAT_Crimson.yar
Processing ./rules/malware/RAT_CyberGate.yar
Processing ./rules/malware/RAT_DarkComet.yar
Processing ./rules/malware/RAT_FlyingKitten.yar
Processing ./rules/malware/RAT_Gh0st.yar
Processing ./rules/malware/RAT_Gholee.yar
Processing ./rules/malware/RAT_Glass.yar
Processing ./rules/malware/RAT_Havex.yar
Processing ./rules/malware/RAT_Hizor.yar
Processing ./rules/malware/RAT_Indetectables.yar
Processing ./rules/malware/RAT_Inocnation.yar
Processing ./rules/malware/RAT_Meterpreter_Reverse_Tcp.yar
Processing ./rules/malware/RAT_Nanocore.yar
Processing ./rules/malware/RAT_NetwiredRC.yar
Processing ./rules/malware/RAT_Njrat.yar
Processing ./rules/malware/RAT_PlugX.yar
Processing ./rules/malware/RAT_PoisonIvy.yar
Processing ./rules/malware/RAT_Ratdecoders.yar
Processing ./rules/malware/RAT_Sakula.yar
Processing ./rules/malware/RAT_ShadowTech.yar
Processing ./rules/malware/RAT_Shim.yar
Processing ./rules/malware/RAT_Terminator.yar
Processing ./rules/malware/RAT_Xtreme.yar
Processing ./rules/malware/RAT_ZoxPNG.yar
Processing ./rules/malware/RAT_jRAT.yar
Processing ./rules/malware/RAT_xRAT.yar
Processing ./rules/malware/RAT_xRAT20.yar
Processing ./rules/malware/TOOLKIT_Chinese_Hacktools.yar
Processing ./rules/malware/TOOLKIT_Dubrute.yar
Processing ./rules/malware/TOOLKIT_FinFisher_.yar
Processing ./rules/malware/TOOLKIT_Gen_powerkatz.yar
Processing ./rules/malware/TOOLKIT_Mandibule.yar
Processing ./rules/malware/TOOLKIT_PassTheHash.yar
Processing ./rules/malware/TOOLKIT_Powerstager.yar
Processing ./rules/malware/TOOLKIT_Pwdump.yar
Processing ./rules/malware/TOOLKIT_THOR_HackTools.yar
Processing ./rules/malware/TOOLKIT_Wineggdrop.yar
Processing ./rules/malware/TOOLKIT_exe2hex_payload.yar
Processing ./rules/malware/Operation_Blockbuster/DeltaCharlie.yara
Processing ./rules/malware/Operation_Blockbuster/HotelAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaBravo.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaCharlie.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaDelta.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaEcho.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaGolf.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaHotel.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaJuliett.yara
Processing ./rules/malware/Operation_Blockbuster/IndiaWhiskey.yara
Processing ./rules/malware/Operation_Blockbuster/KiloAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/LimaAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/LimaBravo.yara
Processing ./rules/malware/Operation_Blockbuster/LimaCharlie.yara
Processing ./rules/malware/Operation_Blockbuster/LimaDelta.yara
Processing ./rules/malware/Operation_Blockbuster/PapaAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoBravo.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoCharlie.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoDelta.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoEcho.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoGolf_mod.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoHotel.yara
Processing ./rules/malware/Operation_Blockbuster/RomeoWhiskey.yara
Processing ./rules/malware/Operation_Blockbuster/SierraAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/SierraBravo.yara
Processing ./rules/malware/Operation_Blockbuster/SierraCharlie.yara
Processing ./rules/malware/Operation_Blockbuster/SierraJuliettMikeOne.yara
Processing ./rules/malware/Operation_Blockbuster/SierraJuliettMikeTwo.yara
Processing ./rules/malware/Operation_Blockbuster/TangoAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/TangoBravo.yara
Processing ./rules/malware/Operation_Blockbuster/UniformAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/UniformJuliett.yara
Processing ./rules/malware/Operation_Blockbuster/WhiskeyAlfa.yara
Processing ./rules/malware/Operation_Blockbuster/WhiskeyBravo_mod.yara
Processing ./rules/malware/Operation_Blockbuster/WhiskeyCharlie.yara
Processing ./rules/malware/Operation_Blockbuster/WhiskeyDelta.yara
Processing ./rules/malware/Operation_Blockbuster/cert_wiper.yara
Processing ./rules/malware/Operation_Blockbuster/general.yara
Processing ./rules/malware/Operation_Blockbuster/sharedcode.yara
Processing ./rules/malware/Operation_Blockbuster/suicidescripts.yara

The output is a single large .yar file containing all the rules:

[email protected]:~/tmp/volsample$ ls -lh
totale 1,5M
-rw-r--r-- 1 andrea andrea 1,5M lug 4 14:03 malware_rules.yar
-rwxr-xr-x 1 andrea andrea 1,9K lug 4 13:42 malware_yara_rules.py
drwxr-xr-x 14 andrea andrea 4,0K lug 4 14:03 rules
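The author's script itself is not reproduced on this page, so here is an added example of my own (not the post's malware_yara_rules.py) that does the same job: clone the Yara-Rules repository (the URL is an assumption), walk its malware directory and concatenate every .yar/.yara file into malware_rules.yar. It adds one check the post does not mention: YARA refuses to compile a rule set in which two rules share a name, so a merged file should be checked for duplicate rule names before it is handed to yarascan. The merge and duplicate check work on any local directory, so they can be run offline; only clone_rules needs git and network access.

```python
#!/usr/bin/env python3
"""Clone the Yara-Rules repository and merge its malware rules into one file.

Added example, not the post's own script. It assumes the repository layout
described above: a ``malware`` directory holding ``.yar``/``.yara`` files,
possibly in sub-directories such as Operation_Blockbuster.
"""
import os
import re
import subprocess
from typing import Dict, List

# Assumption: upstream URL of the Yara Rules project repository.
RULES_REPO = "https://github.com/Yara-Rules/rules.git"
RULE_EXTENSIONS = (".yar", ".yara")
# Captures the name in "rule foo", "private rule foo", "global private rule foo".
RULE_NAME_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", re.M)


def clone_rules(dest: str = "rules", repo: str = RULES_REPO) -> str:
    """Clone the repository into dest unless it already exists (needs git)."""
    if not os.path.isdir(dest):
        subprocess.run(["git", "clone", "--depth", "1", repo, dest], check=True)
    return dest


def collect_rule_files(root: str) -> List[str]:
    """Return every rule file below root, sorted so the merge is reproducible."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RULE_EXTENSIONS):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def find_duplicate_rule_names(paths: List[str]) -> Dict[str, List[str]]:
    """Map each rule name defined in more than one file to those files.

    YARA rejects a rule set with two rules of the same name ("duplicated
    identifier"), so this is the check to run before the merged file is used.
    """
    seen: Dict[str, List[str]] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for name in RULE_NAME_RE.findall(fh.read()):
                seen.setdefault(name, []).append(path)
    return {name: files for name, files in seen.items() if len(files) > 1}


def merge_rules(root: str, output: str) -> List[str]:
    """Concatenate all rule files under root into output; return their paths."""
    paths = collect_rule_files(root)
    with open(output, "w", encoding="utf-8") as out:
        for path in paths:
            print("Processing", path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                out.write("// ---- %s ----\n" % path)   # provenance of each rule
                out.write(fh.read())
                out.write("\n")
    return paths


if __name__ == "__main__":
    repo_dir = clone_rules()
    files = merge_rules(os.path.join(repo_dir, "malware"), "malware_rules.yar")
    print("merged %d rule files into malware_rules.yar" % len(files))
    for name, where in sorted(find_duplicate_rule_names(files).items()):
        print("WARNING: rule %s is defined in %d files" % (name, len(where)))
```

If the warning fires, rename or drop one of the offending rules before the scan; otherwise yarascan will fail to compile the whole file rather than skip the duplicate.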

The memory analysis with Volatility

Although all Volatility commands can help you find malware, there are a few designed specifically for hunting rootkits and malicious code.

One of these is the "yarascan" plugin, which can locate any sequence of bytes (such as assembly instructions with wildcards), regular expressions, ANSI strings, or Unicode strings in user-mode or kernel memory.

Using the rule set built in the previous step, you can hunt for artifacts of the most common malware families in the analyzed memory image.

For the purpose of this blog post, we are going to analyze a memory sample available online: the stuxnet.vmem file, produced to accompany The Malware Analyst's Cookbook and taken from a virtual machine infected with Stuxnet.

After downloading and unzipping the memory image, first run the image identification:

[email protected]:~/tmp/volsample$ volatility -f stuxnet.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/andrea/tmp/volsample/stuxnet.vmem)
PAE type : PAE
DTB : 0x319000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2011-06-03 04:31:36 UTC+0000
Image local date and time : 2011-06-03 00:31:36 -0400

and then simply run the yara scan with the generated rules:

[email protected]:~/tmp/volsample$ volatility -f stuxnet.vmem --profile=WinXPSP2x86 yarascan -y malware_rules.yar
Volatility Foundation Volatility Framework 2.6

Rule: StuxNet_Malware_1
Owner: Process lsass.exe Pid 868
0x01002723 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 .E.5.y..3..U....
0x01002733 4a 04 8b 45 08 c7 40 0c 77 35 00 01 33 c0 5e c9 J..E..@.w5..3.^.
0x01002743 c3 55 8b ec 83 ec 2c 83 65 e8 00 83 65 f4 00 83 .U....,.e...e...
0x01002753 65 e4 00 8b 45 20 8b 4d 14 8d 84 01 98 00 00 00 e...E..M........
0x01002763 89 45 f0 8d 45 f4 50 8d 45 e8 50 8d 45 d8 50 ff .E..E.P.E.P.E.P.
0x01002773 75 f0 ff 75 08 e8 14 fe ff ff 83 c4 14 89 45 fc u..u..........E.
0x01002783 83 7d fc 00 74 08 8b 45 fc e9 fd 00 00 00 8b 45 .}..t..E.......E
0x01002793 e8 89 45 f8 8b 45 e8 05 98 00 00 00 89 45 e8 c7 ..E..E.......E..
0x010027a3 45 e4 98 00 00 00 ff 75 20 ff 75 1c 8b 45 f8 05 E......u..u..E..
0x010027b3 84 00 00 00 50 8d 45 e4 50 ff 75 f4 8d 45 e8 50 ....P.E.P.u..E.P
0x010027c3 e8 79 fe ff ff 83 c4 18 8b 45 e8 89 45 dc ff 75 .y.......E..E..u
0x010027d3 14 ff 75 10 8b 45 f8 05 8c 00 00 00 50 8d 45 e4 ..u..E......P.E.
0x010027e3 50 ff 75 f4 8d 45 e8 50 e8 51 fe ff ff 83 c4 18 P.u..E.P.Q......
0x010027f3 8b 45 dc 89 45 ec 81 7d 14 00 10 00 00 72 47 8b .E..E..}.....rG.
0x01002803 45 ec 0f b7 00 3d 4d 5a 00 00 75 3a 8b 45 ec 8b E....=MZ..u:.E..
0x01002813 40 3c 05 f8 00 00 00 3b 45 14 73 2a 8b 45 ec 8b @<.....;E.s*.E..
Rule: StuxNet_Malware_1
Owner: Process lsass.exe Pid 868
0x01002eb5 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 t6......t.......
0x01002ec5 8d 5c 1f 02 8d 5b fe 3b df 7e 1d 66 83 7b fe 5c .\...[.;.~.f.{.\
0x01002ed5 75 f2 52 53 8d 5a 10 53 e8 bf ff ff ff ff 52 08 u.RS.Z.S......R.
0x01002ee5 5a 85 c0 75 03 40 eb 02 33 c0 5f 5a 59 5b c3 50 Z..u.@..3._ZY[.P
0x01002ef5 51 52 e8 a5 ff ff ff c7 42 04 00 00 00 00 ff 32 QR......B......2
0x01002f05 ff 52 14 59 85 c0 0f 84 b7 00 00 00 50 51 50 54 .R.Y........PQPT
0x01002f15 68 80 00 00 00 6a 18 50 e8 7f ff ff ff ff 52 10 h....j.P......R.
0x01002f25 5a 8b d0 59 58 85 d2 0f 84 96 00 00 00 80 38 b8 Z..YX.........8.
0x01002f35 0f 85 8d 00 00 00 80 78 05 ba 74 70 81 78 05 8d .......x..tp.x..
0x01002f45 54 24 04 75 1b 81 78 08 04 cd 2e c2 75 75 2b c8 T$.u..x.....uu+.
0x01002f55 83 e9 0a 89 48 06 c6 40 05 e8 c6 40 0a 90 eb 63 ....H..@...@...c
0x01002f65 81 78 07 8d 54 24 04 75 5a 81 78 0b 64 ff 15 c0 .x..T$.uZ.x.d...
0x01002f75 75 51 81 78 0f 00 00 00 c2 75 48 52 e8 1b ff ff uQ.x.....uHR....
0x01002f85 ff c7 42 04 01 00 00 00 5a 56 50 53 51 52 8b f0 ..B.....ZVPSQR..
0x01002f95 8b 46 0a 8b 56 0e 2b ce 83 e9 12 bb 04 90 90 e8 .F..V.+.........
0x01002fa5 f0 0f c7 4e 0a 5a 59 5b 58 5e eb 17 66 81 78 0a ...N.ZY[X^..f.x.
Rule: StuxNet_Malware_1
Owner: Process lsass.exe Pid 868
0x01002f3f 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd tp.x..T$.u..x...
0x01002f4f 2e c2 75 75 2b c8 83 e9 0a 89 48 06 c6 40 05 e8 ..uu+.....H..@..
0x01002f5f c6 40 0a 90 eb 63 81 78 07 8d 54 24 04 75 5a 81 .@...c.x..T$.uZ.
0x01002f6f 78 0b 64 ff 15 c0 75 51 81 78 0f 00 00 00 c2 75 x.d...uQ.x.....u
0x01002f7f 48 52 e8 1b ff ff ff c7 42 04 01 00 00 00 5a 56 HR......B.....ZV
0x01002f8f 50 53 51 52 8b f0 8b 46 0a 8b 56 0e 2b ce 83 e9 PSQR...F..V.+...
0x01002f9f 12 bb 04 90 90 e8 f0 0f c7 4e 0a 5a 59 5b 58 5e .........N.ZY[X^
0x01002faf eb 17 66 81 78 0a ff d2 74 0c 66 81 78 0a ff 12 ..f.x...t.f.x...
0x01002fbf 75 07 c6 40 0b d2 89 48 06 58 c3 00 00 90 7c 00 u..@...H.X....|.
0x01002fcf 00 00 00 26 aa 80 7c 61 ba 80 7c d4 1a 80 7c 30 ...&..|a..|...|0
0x01002fdf ae 80 7c 95 b9 80 7c 04 ba 80 7c d4 55 83 7c db ..|...|...|.U.|.
0x01002fef ae 80 7c 6e ac 80 7c 60 d1 90 7c 00 d5 90 7c c7 ..|n..|`..|...|.
0x01002fff 06 81 7c 30 25 80 7c 1d 14 82 7c d0 cf 90 7c 8b ..|0%.|...|...|.
0x0100300f 44 24 04 85 c0 75 08 8b 44 24 08 c6 00 00 c3 8b D$...u..D$......
0x0100301f 4c 24 08 eb 03 40 40 41 8a 10 80 f2 12 88 11 75 L$...@@A.......u
0x0100302f f4 c3 8b 4c 24 04 85 c9 75 0a 8b 4c 24 08 33 c0 ...L$...u..L$.3.

(…and more…)

The scan result highlights the presence of a Stuxnet infection; from here you can start a more specific analysis on the target PIDs.
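A full-ruleset scan of a real dump produces far more output than the excerpt above, and the same rule often fires several times in one process on overlapping regions (as the lsass.exe hits at 0x01002eb5 and 0x01002f3f do). What you want out of it is the short list of processes to pivot to. The following is an added example of my own, not part of the post or of Volatility, that parses the yarascan text layout shown above into hit records, counts hits per rule and process, and ranks the owning PIDs. The sample input is constructed from two trimmed lsass.exe hits taken from the scan above plus an invented hit in an invented explorer.exe process.

```python
"""Summarise Volatility 2 yarascan output into per-process pivot points.

Added example, not part of the post or of Volatility. It assumes the text
layout yarascan printed above: a "Rule:" line, an "Owner: Process <name>
Pid <n>" line, then hexdump lines that start with the match address.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

RULE_RE = re.compile(r"^Rule:\s+(\S+)")
OWNER_RE = re.compile(r"^Owner:\s+Process\s+(\S+)\s+Pid\s+(\d+)")
HEX_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+((?:[0-9a-f]{2}\s){1,16})")


class Hit(NamedTuple):
    rule: str
    process: str            # "?" when the Owner line is not a process
    pid: Optional[int]
    address: int            # address of the first hexdump line
    data: bytes             # bytes recovered from the hexdump


def parse_yarascan(text: str) -> List[Hit]:
    """Turn yarascan output into one Hit per Rule/Owner/hexdump block."""
    blocks: List[dict] = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"rule": m.group(1), "process": "?", "pid": None,
                       "address": None, "data": bytearray()}
            blocks.append(current)
            continue
        if current is None:
            continue                        # banner lines before the first hit
        m = OWNER_RE.match(line)
        if m:
            current["process"], current["pid"] = m.group(1), int(m.group(2))
            continue
        m = HEX_RE.match(line)
        if m:
            if current["address"] is None:
                current["address"] = int(m.group(1), 16)
            current["data"] += bytes.fromhex(m.group(2).strip())
    return [Hit(b["rule"], b["process"], b["pid"], b["address"], bytes(b["data"]))
            for b in blocks if b["address"] is not None]


def summarize(hits: List[Hit]) -> Counter:
    """Hit count per (rule, process, pid): the table a first triage starts from."""
    return Counter((h.rule, h.process, h.pid) for h in hits)


def pivot_pids(hits: List[Hit]) -> List[Tuple[int, str, List[str]]]:
    """Processes owning hits as (pid, name, rules), most distinct rules first."""
    rules_by_proc: Dict[Tuple[int, str], set] = {}
    for h in hits:
        if h.pid is not None:
            rules_by_proc.setdefault((h.pid, h.process), set()).add(h.rule)
    return sorted(((pid, name, sorted(rules))
                   for (pid, name), rules in rules_by_proc.items()),
                  key=lambda t: (-len(t[2]), t[0]))


# Constructed sample: two lsass.exe hits from the scan above, cut to one or two
# hexdump lines each, plus an invented rule hit in an invented explorer.exe process.
SAMPLE = """\
Volatility Foundation Volatility Framework 2.6

Rule: StuxNet_Malware_1
Owner: Process lsass.exe Pid 868
0x01002723 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 .E.5.y..3..U....
0x01002733 4a 04 8b 45 08 c7 40 0c 77 35 00 01 33 c0 5e c9 J..E..@.w5..3.^.
Rule: StuxNet_Malware_1
Owner: Process lsass.exe Pid 868
0x01002eb5 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 t6......t.......
Rule: Constructed_Test_Rule
Owner: Process explorer.exe Pid 1196
0x00401000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
"""

if __name__ == "__main__":
    # Usage: volatility -f <image> --profile=<p> yarascan -y malware_rules.yar | python3 triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    hits = parse_yarascan(text)
    for (rule, proc, pid), n in sorted(summarize(hits).items()):
        print("%-40s %-16s pid %-6s hits %d" % (rule, proc, pid, n))
    print("pivot PIDs:", [(pid, name) for pid, name, _ in pivot_pids(hits)])
```

The ranking deliberately counts distinct rules per process rather than raw hits, because one rule with many strings will hit the same process dozens of times; a process that several unrelated rules flag is the stronger pivot. Once a PID is chosen, the yarascan plugin's --pid option restricts the scan to that process, which makes re-running with a narrower rule set much faster than scanning the whole image again.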

