By ro0ted | May 1, 2015 - 09:47 | Posted in /b/ | 4 Comments
#ro0ted #OpNewblood What the blackhats dont want you to know: REMnux Volatility Framework

This is a tutorial using Volatility Framework on the distro Remnux Linux. – https://twitter.com/ro0ted/

What is Volatility Framework?

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License (GPL v2), for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, but offer unprecedented visibility into the runtime state of the system.

If you don’t want to use REMnux you can install Volatility on Windows, Linux, and OS X. I would recommend you just get used to using REMnux for now, though, if you have been following my tutorials, so you are on the same page. If you jump ahead that’s cool too, but you may get lost.

Github: https://github.com/volatilityfoundation/volatility
Homepage: http://www.volatilityfoundation.org/

The framework has been featured in the book The Art of Memory Forensics.
You can read it here: http://www.mediafire.com/view/wmaabxvnrtx53sf/The_Art_of_Memory_Forensics.pdf


Note: if you missed the last tutorial on the Remnux Linux vbox setup..
read here: https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-remnux-a-distro-for-analyzing-malware/

Note: after you download your memory sample, disable the network on the virtual machine.

Start REMnux in your VirtualBox VM and open a terminal.
(For this tutorial we will be analyzing the infamous ZeuS bot.)

Now, for a list of commands, type: volatility -h

You will see the list of available plugins and options.

As you can see, Volatility can do many things.
To get more detailed information
type: volatility --info

Looks pretty rad, huh? Well, lots of platforms of all types use this framework, like the
website malwr.com, which is based on Cuckoo Sandbox (https://cuckoosandbox.org/).

For more commands, check out the Volatility cheat sheet:

http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf

Well, before we begin, it should be noted I don’t just have malware lying around, but the Volatility project provides sample memory images you can use to try out the Volatility Framework:
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Make sure REMnux isn’t your main OS. When dealing with malware always use some type of virtual machine, as you never know what the hell you are dealing with; besides, REMnux was made for analyzing malware.
Download the memory sample of your choice from the link above. For this analysis I will use a sample of the ZeuS bot.
Open a terminal in the directory where you downloaded the sample.
Example:
cd Desktop
ls
unzip zeus.vmem.zip

Now type:

ls
volatility -f zeus.vmem imageinfo

When it’s finished you should see the image information, including the suggested profile(s).

Now type:

volatility -f zeus.vmem callbacks

Type: volatility -f zeus.vmem connscan

Now google the remote IP address shown in the connection list.

We see the PID is 856,
so type: volatility -f zeus.vmem psscan

Now list the process handles held by that PID.
Type: volatility -f zeus.vmem handles -p 856 -t Process

Now type: volatility -f zeus.vmem apihooks
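The whole pivot above (image info, callbacks, connscan, find the PID, psscan, handles, apihooks) is a fixed sequence, so here is an added example that is not part of ro0ted's post: a small POSIX sh helper that chains the same Volatility 2.x plugins and pulls the PID and process name out of connscan and psscan output. It assumes Volatility 2.x is on PATH as `volatility` (as on REMnux); the connscan and psscan text embedded in it is constructed sample output, not output from the real zeus.vmem image, and the addresses in it are private and TEST-NET placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: chains the tutorial's Volatility
# 2.x plugins and parses connscan/psscan output to pivot from a remote IP to
# the owning process. Assumes `volatility` (2.x) is on PATH, as on REMnux.

VOL="${VOL:-volatility}"

# Run the tutorial's plugin sequence against one image. With DRY_RUN=1 the
# commands are printed instead of executed, so they can be reviewed first.
vol_triage() {
    image="$1"
    pid="$2"
    for plugin in imageinfo callbacks connscan psscan \
                  "handles -p $pid -t Process" apihooks; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s -f %s %s\n' "$VOL" "$image" "$plugin"
        else
            # $plugin is deliberately unquoted so "handles -p 856 -t Process"
            # is split into separate arguments.
            "$VOL" -f "$image" $plugin
        fi
    done
}

# Print every PID that connscan shows talking to the given remote IP.
# Reads connscan output on stdin; data rows start with a 0x offset, so the
# banner and header lines are skipped.
pids_talking_to() {
    awk -v ip="$1" '
        $1 ~ /^0x/ && NF == 4 {
            split($3, remote, ":")          # "ip:port" -> remote[1] = ip
            if (remote[1] == ip) print $4   # column 4 is the Pid
        }' | sort -u
}

# Print the process name psscan recorded for a PID (stdin = psscan output).
name_for_pid() {
    awk -v pid="$1" '$1 ~ /^0x/ && $3 == pid { print $2; exit }'
}

# The tutorial's pivot in one call: remote IP -> PIDs (connscan) -> names (psscan).
# Arguments: IP, connscan output, psscan output.
pivot_report() {
    ip="$1"; conn="$2"; procs="$3"
    printf '%s\n' "$conn" | pids_talking_to "$ip" | while read -r p; do
        printf 'PID %s (%s) talks to %s\n' "$p" \
            "$(printf '%s\n' "$procs" | name_for_pid "$p")" "$ip"
    done
}

# Constructed sample output (not from the real zeus.vmem image). Addresses are
# private / TEST-NET placeholders; only PID 856 is taken from the tutorial.
SAMPLE_CONNSCAN='Volatility Foundation Volatility Framework 2.4
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 10.0.2.15:1054            203.0.113.10:80           856
0x023a8008 10.0.2.15:1056            203.0.113.10:80           856
0x02423c40 10.0.2.15:1039            198.51.100.7:443          1200'

SAMPLE_PSSCAN='Volatility Foundation Volatility Framework 2.4
Offset(P)  Name             PID    PPID   PDB        Time created
---------- ---------------- ------ ------ ---------- ------------------------------
0x02029ab8 svchost.exe         856    676 0x09cc0320 2015-05-01 09:47:00 UTC+0000
0x0204e020 explorer.exe       1200   1160 0x09cc0180 2015-05-01 09:47:01 UTC+0000'

# Usage on the constructed data:
#   pivot_report 203.0.113.10 "$SAMPLE_CONNSCAN" "$SAMPLE_PSSCAN"
# prints: PID 856 (svchost.exe) talks to 203.0.113.10
# Against a real image, feed it the plugin output instead:
#   pivot_report <ip> "$(volatility -f zeus.vmem connscan)" "$(volatility -f zeus.vmem psscan)"
```

Keep the VM's network disabled while you do this, exactly as the note at the top says; the script only reads the memory image and never needs to reach the remote address it reports. Use the printed PID with `handles -p` and compare the process name against what that PID should be on a clean system before drawing conclusions.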

This is just a Volatility example. In the next tutorial we will use it in full action.
ro0ted