Hello friends, volatility has been released a new volatiliy version 3.0. In this blog post we use volatility’s new version quickly and give some information about it’s usage. I analyze stuxnet.vmem memory image file which is dumped from stuxnet infected machine whose version XP. First you can clone volatility 3 from its Github page for installation.

I installed it to Kali and you can reach documentation link is given below;

Before We start I present you my Udemy Trainings if you want you can benefit my training for learning deeply;

Lets start with examining processes. Commands a little different but genarally smillar to previous version;

We learned the version and other base information about dumped machine such as machine’s operating system is XP sp3. In next step we list processes with windows.pslist parameter;

There are 3 lsass.exe exists in the process list if you remember from previous blog post I noticed that there are only one lsass instance in the process list. It’s suspicious. Lets go on psscan module with windows.psscan module;

Look at the date and times of lsass process. It’s suspicious too, one year difference for opening same lasass processes times. We use windows.pstree plugin or parameter for displaying the process tree on the screen;

As you see process 1928 is weird because lsass process must be child of the winlogon or wininit process but here stuation is different and it’s tree depth is four, under normal conditions it must be three. With cmdline parameter we can examine commandline parameters;

Ok now go on examining process 1928, lets investigate drivers and modules with windows.moddump parameter;

We detected stuxnet dirver in the list;

We create a simple bash loop for calculating driver dumps hash values;

I investigated hash values from Virustotal by using Vttool is already preinstalled at Remnux.

I used malfind parameter for searching malware signutures from memory’s predefined process with -p parameter;

In a conclusion volatility 3.0 is faster than volatility 2.6 and I shared some usage parameters over Stuxnet example. See you a new blog post…