Malhunt: automated malware search in memory dumps

Recently I published this post focused on hunting malware using Volatility and Yara rules.

In that article I shared the simple script which I use for downloading and merging all malware-related Yara rules into a single file, useful for scanning with Volatility’s yarascan plugin.

So, starting from this script, I’ve developed a more complex solution that I currently use for the first phases of analysis: the script, dubbed “Malhunt”, automates my workflow for malware hunting.


The workflow

My personal workflow is composed of 2 main steps:

Identify suspicious processes

First, a list of suspicious processes is needed for further analysis.
Usually I use the combined results of 3 Volatility plugins:

  • yarascan: searches for suspicious processes, trying to identify malware artifacts using a list of Yara rules. This step is already explained in this article.
  • malfind: scans process memory in order to find conditions that may suggest code injection (usually a memory area marked as Page_Execute_ReadWrite, which allows a piece of code to run and write itself).
  • network scan: using the correct plugin according to the Windows version (netscan or connscan), I extract a list of foreign addresses and PIDs. If an IP is present in a blacklist (currently http://getipintel.net/), the related PID is added to the “suspicious list”.

Check processes for malware

In this second step, I dump all suspicious processes and related handles and check them with clamscan, in order to confirm the detection performed in the first step or mark it as false-positive.

If this workflow returns even a single result, you have a good pivot point for further investigations.
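The merge performed in the first step can be illustrated as follows. This is an added example, not code from Malhunt itself: the function name, the local `BLACKLIST` set (standing in for the online reputation lookup) and the sample outputs are assumptions, with the samples constructed to resemble Volatility 2 text output.

```python
import re
from collections import defaultdict

# Constructed samples modelled on Volatility 2 text output (assumed layout).
YARASCAN = """\
Rule: StuxNet_Malware_1
Owner: Process lsass.exe Pid 868
0x01002a6a  4d 5a 90 00 03 00 00 00   MZ......
Rule: XtremeRATStrings
Owner: Process explorer.exe Pid 1196
0x00f10000  58 00 74 00 72 00 65 00   X.t.r.e.
"""
MALFIND = """\
Process: csrss.exe Pid: 600 Address: 0x7f6f0000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
Process: lsass.exe Pid: 868 Address: 0x80000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 192.0.2.10:1034           203.0.113.7:80            1196
0x06015ab0 192.0.2.10:1050           198.51.100.20:443         940
"""
BLACKLIST = {"203.0.113.7"}  # hypothetical stand-in for the reputation lookup

def suspicious_processes(yarascan, malfind, connscan, blacklist):
    """Merge the three plugin outputs into {pid: set of reasons}."""
    hits = defaultdict(set)
    # yarascan: a "Rule:" line followed by "Owner: Process <name> Pid <n>"
    for rule, pid in re.findall(r"^Rule: (\S+)\nOwner: Process .+ Pid (\d+)",
                                yarascan, re.M):
        hits[int(pid)].add("yara:" + rule)
    # malfind: every reported memory region names its owning process
    for pid in re.findall(r"^Process: .+ Pid: (\d+)", malfind, re.M):
        hits[int(pid)].add("malfind")
    # connscan: keep only rows whose remote IP is in the blacklist
    row = re.compile(r"0x[0-9a-f]+\s+\S+\s+(\d+\.\d+\.\d+\.\d+):\d+\s+(\d+)$")
    for line in connscan.splitlines():
        m = row.match(line.strip())
        if m and m.group(1) in blacklist:
            hits[int(m.group(2))].add("network:" + m.group(1))
    return dict(hits)

if __name__ == "__main__":
    merged = suspicious_processes(YARASCAN, MALFIND, CONNSCAN, BLACKLIST)
    for pid, reasons in sorted(merged.items()):
        print(pid, sorted(reasons))
```

A PID flagged by more than one plugin (868 in the constructed data) is a stronger candidate for the dump-and-clamscan step than one flagged by malfind alone.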


Malhunt

Obviously, the name is a pun on the word “manhunt”.

The script, developed in Python with a very short list of dependencies, applies all the steps of the workflow just described and presents the results in a simple report.
Further, it automates the image identification process, caches some results and automatically downloads and merges Yara rules.

Here is a simple gif that shows the Malhunt output during the analysis of a memory dump extracted from a Stuxnet-infected machine:

 

Requirements

  • Python
  • Git
  • Volatility
  • Clamscan from ClamAV

Installation

Simply clone the repository:

git clone git@github.com:andreafortuna/malhunt.git

Usage

Start malhunt.py specifying the memory image file:

./malhunt.py stuxnet.vmem
  __  __       _ _                 _
 |  \/  |     | | |               | |
 | \  / | __ _| | |__  _   _ _ __ | |_
 | |\/| |/ _` | | '_ \| | | | '_ \| __|
 | |  | | (_| | | | | | |_| | | | | |_
 |_|  |_|\__,_|_|_| |_|\__,_|_| |_|\__|

Hunt malware with Volatility!

Andrea Fortuna
[email protected]
https://www.andreafortuna.org

* Update malware yara rules...
Cloning into '/home/andrea/.malhunt/rules'...
remote: Counting objects: 6166, done.
remote: Total 6166 (delta 0), reused 0 (delta 0), pack-reused 6166
Ricezione degli oggetti: 100% (6166/6166), 3.77 MiB | 2.08 MiB/s, done.
Risoluzione dei delta: 100% (3806/3806), done.
** Starting image identification for file stuxnet.vmem...
Image stuxnet.vmem identified as WinXPSP2x86
*** Starting malware artifacts search...Yarascan...Malfind...Network...Done!
**** Suspicious processes ****
         XtremeRATStrings: explorer.exe (1196)
                Saving process memory and handles...done!
                Scanning artifact with ClamScan...OK
         StuxNet_Malware_1: lsass.exe (868)
                Saving process memory and handles...done!
                Scanning artifact with ClamScan...Win.Trojan.Duqu-10 FOUND
         StuxNet_Malware_1: lsass.exe (1928)
                Saving process memory and handles...done!
                Scanning artifact with ClamScan...Win.Trojan.Duqu-10 FOUND
         malfind: csrss.exe (600)
                Saving process memory and handles...done!
                Scanning artifact with ClamScan...OK
         malfind: services.exe (668)
                Saving process memory and handles...done!
                Scanning artifact with ClamScan...OK
         malfind: svchost.exe (940)
                Saving process memory and handles...done!
                Scanning artifact with ClamScan...OK

That’s all: I hope it can be useful!

