Advertisement
joemccray

Memory Analysis with Volatility

Oct 12th, 2018
770
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.44 KB | None | 0 0
  1. ############################
  2. # Download the Analysis VM #
  3. ############################
  4. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  5. user: infosecaddicts
  6. pass: infosecaddicts
  7.  
  8.  
  9.  
  10. - Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
  11.  
  12.  
  13. ###################################
  14. # Setting up your virtual machine #
  15. ###################################
  16.  
  17. Here is where we will setup all of the required dependencies for the tools we plan to install
  18. ---------------------------Type This-----------------------------------
  19. apt update
  20. apt-get install -y foremost tcpxtract python-openpyxl python-ujson python-ujson-dbg python-pycryptopp python-pycryptopp-dbg libdistorm3-3 libdistorm3-dev python-distorm3 volatility volatility-tools
  21. -----------------------------------------------------------------------
  22.  
  23.  
  24.  
  25.  
  26. ################
  27. # The Scenario #
  28. ################
  29.  
  30.  
  31. ###################
  32. # Memory Analysis #
  33. ###################
  34. ---------------------------Type This-----------------------------------
  35. cd ~/
  36.  
  37. mkdir mem_analysis
  38.  
  39. cd mem_analysis
  40.  
  41. wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
  42.  
  43. volatility pslist -f hn_forensics.vmem
  44. volatility pslist -f hn_forensics.vmem | awk '{print $2,$3,$4}'
  45. volatility pslist -f hn_forensics.vmem | awk '{print $2,"\t\t"$3"\t\t","\t\t"$4}'
  46. volatility connscan -f hn_forensics.vmem
  47. volatility connscan -f hn_forensics.vmem | grep -E '888|1752'
  48.  
  49. mkdir malfind/
  50. mkdir dump/
  51. mkdir -p output/pdf/
  52.  
  53. volatility privs -f hn_forensics.vmem
  54. volatility svcscan -f hn_forensics.vmem
  55. volatility malfind -f hn_forensics.vmem --dump-dir malfind/
  56.  
  57.  
  58. volatility -f hn_forensics.vmem memdump -p 888 --dump-dir dump/
  59. volatility -f hn_forensics.vmem memdump -p 1752 --dump-dir dump/
  60.  
  61. ***Takes a few min***
  62.  
  63. cd dump/
  64. strings 1752.dmp | grep "^http://" | sort | uniq
  65. strings 1752.dmp | grep "Ahttps://" | uniq -u
  66.  
  67. foremost -i 1752.dmp -t pdf -o ../output/pdf/
  68. cd ../output/pdf/
  69. cat audit.txt
  70. cd pdf
  71. ls
  72. grep -i javascript *.pdf
  73.  
  74.  
  75. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  76. unzip pdf-parser_V0_6_4.zip
  77. python pdf-parser.py -s javascript --raw 00601560.pdf
  78. python pdf-parser.py --object 11 00601560.pdf
  79. python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
  80.  
  81. cat malicious.js
  82. -----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement