VolDiff, for memory image differential analysis (Sun, May 3rd)

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution and reports the differences between the two runs, helping identify IOCs and understand advanced malware behaviour.
I had intended to include it in my latest toolsmith article, Attack Detection: Hunting in-memory adversaries with Rekall and WinPmem, but quite literally ran out of space and time.
Using WinPmem, which ships as part of the Rekall and GRR offerings, you can acquire two memory images: one clean image taken prior to infection or compromise, and one taken after buggering your target system. Both images should come from the same system and be analysed with the same Volatility profile, otherwise the differences VolDiff reports are differences between machines rather than between states.
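To show what the differential step amounts to, here is an added example (it is not VolDiff's own code, which is a bash script that diffs the text output of the Volatility plugins): a Python script that parses two pslist listings, reports the processes that exist only in the post-infection image, and walks the parent chain of each new process. The listings are constructed inline. The cmd.exe and powershell.exe rows for PIDs 1676, 2604, 2912 and 1984 are the pslist rows that appear later in this post; the System, explorer.exe and powershell.exe 1284 rows (their offsets, thread and handle counts, Wow64 flag) are assumed values so the sample is self-contained.

```python
"""Differential analysis of two Volatility pslist outputs, in the spirit of
VolDiff (which does this in bash by diffing the plugins' text output).

Added example for this post, not VolDiff's or Volatility's own code. The two
listings are constructed inline: the four cmd.exe/powershell.exe rows with PIDs
1676, 2604, 2912 and 1984 are the pslist rows quoted in the post; the System,
explorer.exe and powershell.exe 1284 rows are made up (assumed offsets and
thread/handle counts) so the sample runs stand-alone.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+0000"
# Volatility 2 pslist columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]
PSLIST_RE = re.compile(
    rf"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+|-+)\s+(\d+|-+)\s+([01])\s+({TS})(?:\s+({TS}))?$"
)


class Proc(NamedTuple):
    offset: str
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int       # -1 where pslist prints '------' (process has exited)
    session: int       # -1 where pslist prints '------' (e.g. System)
    wow64: bool
    start: str
    exit: str          # '' while the process is still running


def _num(field: str) -> int:
    return -1 if field.startswith("-") else int(field)


def parse_pslist(text: str) -> List[Proc]:
    procs: List[Proc] = []
    for line in text.splitlines():
        m = PSLIST_RE.match(line.strip())
        if not m:
            continue   # column header, separator row or blank line
        off, name, pid, ppid, thds, hnds, sess, wow, start, exit_ = m.groups()
        procs.append(Proc(off, name, int(pid), int(ppid), int(thds), _num(hnds),
                          _num(sess), wow == "1", start, exit_ or ""))
    return procs


Key = Tuple[str, int, int, str]


def _key(p: Proc) -> Key:
    # PIDs get reused between two captures taken minutes apart, so the identity
    # is (name, pid, ppid, start time), not the PID alone.
    return (p.name, p.pid, p.ppid, p.start)


def diff_pslist(baseline: str, after: str) -> List[Proc]:
    """Processes present in the post-infection listing but absent from the clean one."""
    seen: Set[Key] = {_key(p) for p in parse_pslist(baseline)}
    return [p for p in parse_pslist(after) if _key(p) not in seen]


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Follow PPID links upward until the parent is no longer in the listing."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    chain: List[str] = []
    while pid in by_pid and len(chain) < len(by_pid):   # length guard against PPID cycles
        p = by_pid[pid]
        chain.append(f"{p.name}({p.pid})")
        pid = p.ppid
    return chain


# Constructed clean-image listing (assumed values).
BASELINE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8030c5a040 System                    4      0     87      563 ------      0 2015-04-26 17:40:02 UTC+0000
0xfffffa8031d2b060 explorer.exe           2244   2208     33      912      1      0 2015-04-26 17:41:30 UTC+0000
"""

# Post-infection listing: the same baseline rows plus the new processes. The
# powershell.exe 1284 row is constructed (pid/ppid/start taken from the psscan
# row in the post); the four rows after it are the post's pslist rows.
AFTER = BASELINE + """\
0xfffffa8032f4a060 powershell.exe         1284   2244      9      410      1      1 2015-04-26 18:17:32 UTC+0000
0xfffffa8031da1400 cmd.exe                1676   2396      0 --------      1      0 2015-04-26 18:11:52 UTC+0000   2015-04-26 18:15:50 UTC+0000
0xfffffa8033b17060 powershell.exe         2604   1676      5      250      1      1 2015-04-26 18:12:58 UTC+0000
0xfffffa80322c2060 cmd.exe                2912   1284      0 --------      1      0 2015-04-26 19:16:50 UTC+0000   2015-04-26 19:19:41 UTC+0000
0xfffffa8032407460 powershell.exe         1984   2912      6      235      1      0 2015-04-26 19:18:20 UTC+0000
"""

if __name__ == "__main__":
    after_procs = parse_pslist(AFTER)
    for p in diff_pslist(BASELINE, AFTER):
        state = f"exited {p.exit}" if p.exit else "running"
        print(f"new: {p.name} pid={p.pid} ppid={p.ppid} ({state})  chain: "
              + " <- ".join(ancestry(after_procs, p.pid)))
```

The parent-chain walk is what turns a list of new PIDs into the story VolDiff's pslist and psscan sections tell below: cmd.exe 2912 spawned by powershell.exe 1284, which in turn spawned powershell.exe 1984.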
As you … powershell.exe. To that end, did the VolDiff results corroborate the findings achieved with Rekall? Absolutely! Note that the suspicious PIDs from the article are 1284 and 2396. You …

[VolDiff ASCII-art banner]

Suspicious new netscan entries
===========================================================================

0x13c8993d0 UDPv4 0.0.0.0:0 *:* 2396 powershell.exe 2015-04-26 17:56:08 UTC+0000
0x13e81acb0 UDPv4 0.0.0.0:0 *:* 1284

Suspicious new pslist entries
===========================================================================

0xfffffa8031da1400 cmd.exe 1676 2396 0 ------ 1 0 2015-04-26 18:11:52 UTC+0000 2015-04-26 18:15:50 UTC+0000
0xfffffa8033b17060 powershell.exe 2604 1676 5 250 1 1 2015-04-26 18:12:58 UTC+0000
0xfffffa80322c2060 cmd.exe 2912 1284 0 ------ 1 0 2015-04-26 19:16:50 UTC+0000 2015-04-26 19:19:41 UTC+0000
0xfffffa8032407460 powershell.exe 1984 2912 6 235 1 0 2015-04-26 19:18:20 UTC+0000

Suspicious new psscan entries
===========================================================================

0x000000013eac2060 cmd.exe 2912 1284 0x0000000055564000 2015-04-26 19:16:50 UTC+0000 2015-04-26 19:19:41 UTC+0000
0x000000013eb65060 powershell.exe 1284 2244 0x00000000bc783000 2015-04-26 18:17:32 UTC+0000
0x000000013f6a8060 cmd.exe 2288 1284 0x000000006dd6f000 2015-04-26 19:19:44 UTC+0000 2015-04-26 19:55:20 UTC+0000

Suspicious new ldrmodules entries
===========================================================================

1284 powershell.exe 0x000000006df70000 False False False \Windows\SysWOW64\schannel.dll
2396 powershell.exe 0x000000006e010000 False False False \Windows\SysWOW64\credssp.dll

Suspicious new malfind entries
===========================================================================

Process: powershell.exe Pid: 2396 Address: 0x6400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 216, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06400000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 d0   MZ.....[REU.....

Process: powershell.exe Pid: 1284 Address: 0x4ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x04ff0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Suspicious new getsids entries
===========================================================================

powershell.exe (1284): S-1-5-21-1828531342-1736868966-1560356964-513 (Domain Users)
powershell.exe (1284): S-1-1-0 (Everyone)
powershell.exe (1284): S-1-5-114
powershell.exe (1284): S-1-5-32-544 (Administrators)
powershell.exe (1284): S-1-5-32-545 (Users)
powershell.exe (1284): S-1-5-4 (Interactive)
powershell.exe (1284): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
powershell.exe (1284): S-1-5-11 (Authenticated Users)
powershell.exe (1284): S-1-5-15 (This Organization)
powershell.exe (1284): S-1-5-113
powershell.exe (1284): S-1-5-5-0-194227 (Logon Session)
powershell.exe (1284): S-1-2-0 (Local (Users with the ability to log in locally))
powershell.exe (1284): S-1-5-64-10 (NTLM Authentication)
powershell.exe (1284): S-1-16-12288 (High Mandatory Level)

powershell.exe definitely did it. :-) Great memory analysis tool from Houcem Hachicha (@aim4r). Give it a try!

Pop quiz: Under the malfind results, in the ASCII readable output dumped from the hex, what jumps out at you? First right answer to @sans_isc and @holisticinfosec in the …

@holisticinfosec
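As an added check, not from the diary, from Volatility or from VolDiff: the bytes 4d 5a at the base of each malfind region are the PE "MZ" signature, so a parser over malfind output can flag every private PAGE_EXECUTE_READWRITE region that begins with a PE header, which is an image written into writable, executable memory rather than mapped from disk by the loader. The first two records in the sample are the malfind entries shown above; the chrome.exe record (PID 3320) is constructed to show a region that is not flagged, and the single disassembly line after the first hexdump is there because malfind prints a disassembly after each hexdump and the parser has to skip it.

```python
"""Triage of Volatility malfind output: flag private, writable+executable
regions whose first two bytes are the PE 'MZ' signature.

Added example for this post; it is not code from the diary, from Volatility or
from VolDiff. The first two records in MALFIND are the entries quoted in the
post; the third (chrome.exe, PID 3320) is constructed for contrast, and the
'DEC EBP' line is a sample of the disassembly malfind prints after a hexdump.
"""
import re
from itertools import takewhile
from typing import List, NamedTuple, Optional


class Region(NamedTuple):
    process: str
    pid: int
    address: int
    vad_tag: str
    protection: str
    private: bool
    data: bytes          # bytes from the hexdump lines, in order


HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)$")
VAD_RE = re.compile(r"^Vad Tag:\s+(\S+)\s+Protection:\s+(\S+)$")
PRIVATE_RE = re.compile(r"PrivateMemory:\s*(\d)")
HEXBYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")


def _hex_bytes(line: str) -> Optional[bytes]:
    """Byte column of a hexdump line such as '0x06400000 4d 5a ... d0 MZ.....'.

    Disassembly lines ('0x06400000 4d  DEC EBP') carry at most one two-character
    hex token before the mnemonic, so lines with fewer than two hex tokens are
    rejected; the ASCII column is never reached because at most 16 tokens are read."""
    parts = line.split()
    if len(parts) < 3 or not parts[0].startswith("0x"):
        return None
    tokens = list(takewhile(HEXBYTE_RE.match, parts[1:17]))
    return bytes.fromhex("".join(tokens)) if len(tokens) >= 2 else None


def parse_malfind(text: str) -> List[Region]:
    regions: List[Region] = []
    fields: dict = {}
    data = bytearray()

    def flush() -> None:
        if fields:
            regions.append(Region(data=bytes(data), **fields))

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            flush()
            fields = {"process": m.group(1), "pid": int(m.group(2)),
                      "address": int(m.group(3), 16), "vad_tag": "",
                      "protection": "", "private": False}
            data = bytearray()
            continue
        if not fields:
            continue                     # text before the first record
        m = VAD_RE.match(line)
        if m:
            fields["vad_tag"], fields["protection"] = m.group(1), m.group(2)
            continue
        if line.startswith("Flags:"):
            m = PRIVATE_RE.search(line)
            fields["private"] = bool(m and m.group(1) == "1")
            continue
        b = _hex_bytes(line)
        if b is not None:
            data += b
    flush()
    return regions


def injected_pe_regions(regions: List[Region]) -> List[Region]:
    """malfind already limits itself to executable private/unmapped memory; the
    extra signal here is a PE header at the region base, i.e. a whole image
    dropped into RWX memory instead of being mapped by the loader."""
    return [r for r in regions
            if r.private and r.protection == "PAGE_EXECUTE_READWRITE"
            and r.data[:2] == b"MZ"]


MALFIND = """\
Process: powershell.exe Pid: 2396 Address: 0x6400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 216, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06400000  4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 d0   MZ.....[REU.....

0x06400000 4d               DEC EBP

Process: powershell.exe Pid: 1284 Address: 0x4ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 33, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x04ff0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: chrome.exe Pid: 3320 Address: 0x2b00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02b00000  e9 3b 12 00 00 cc cc cc cc cc cc cc cc cc cc cc   .;..............
"""

if __name__ == "__main__":
    for r in injected_pe_regions(parse_malfind(MALFIND)):
        print(f"PE header in private RWX memory: {r.process} pid={r.pid} at {r.address:#x}")
```

A region that starts with MZ is the strong case; shellcode stubs and JIT pages (the constructed chrome.exe record) also live in private RWX memory and need the usual follow-up with dlldump or the disassembly rather than an automatic verdict.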

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.