This document provides an overview of memory forensics analysis with Volatility 2.4. It demonstrates running various Volatility plugins: pstree to print the process tree, connscan to scan for TCP connections, printkey to print registry keys and values, and malfind to find hidden code injections. The document analyzes a Zeus memory sample, identifying processes, connections, registry keys used by the malware, and injected code, showing how Volatility can be used to analyze malware behavior and artifacts in memory forensics.
We have to select a profile (the --profile option), since by default Volatility takes WinXPSP2x86.
Looks like there is nothing wrong with the process... let's see if it is making any connections.
Run the sockets plugin as well.
SEE WHO OWNS THE PROCESS AND WHO ITS PARENT IS
RUN THE IP THROUGH VIRUSTOTAL AND SEE
If it is connecting to a site, it will make sure to be persistent, since it would not make sense for it to lose the connection on restart.
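The steps above (find the connection, see which process owns it, see who its parents are, then check the remote IP) can be done by hand from the plugin output, or correlated in a script. The following is an added example, not code from the original notes: it parses Volatility 2.4 pstree and connscan text output, maps each connection to its owning process and parent chain, and flags peers outside RFC 1918, loopback and link-local ranges as candidates for a VirusTotal lookup. The sample output embedded below is constructed to match the 2.4 format and is not taken from the Zeus image; 203.0.113.5 is a documentation address used as the remote host.

```python
"""Correlate Volatility 2.4 pstree and connscan output: which process owns each
connection, who its parents are, and whether the peer is an external address.
Added example; the sample output below is constructed, not from the Zeus image."""
import ipaddress
import re

# Constructed pstree output (tree depth is shown by leading dots).
PSTREE_OUTPUT = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x81e0b020:System                                      4      0     52    259 1970-01-01 00:00:00 UTC+0000
. 0x81e1d9e0:smss.exe                                 548      4      3     21 2010-08-11 06:06:21 UTC+0000
.. 0x81d7b7c0:winlogon.exe                            632    548     19    559 2010-08-11 06:06:22 UTC+0000
... 0x81d8d020:services.exe                           676    632     16    261 2010-08-11 06:06:22 UTC+0000
.... 0x81c5f8d8:svchost.exe                           856    676     29    336 2010-08-11 06:06:24 UTC+0000
 0x81bcc830:explorer.exe                             1624   1580     17    424 2010-08-11 06:06:52 UTC+0000
"""

# Constructed connscan output; 203.0.113.5 is a documentation (TEST-NET-3) address.
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.176.143:1054       203.0.113.5:80            856
0x02094008 172.16.176.143:1056       172.16.176.1:445          4
"""

PSTREE_RE = re.compile(r"^(\.*)\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")

# Ranges treated as internal; anything else is worth looking up on VirusTotal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_pstree(text):
    """Return {pid: (name, ppid)} from pstree output; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            _, name, pid, ppid, _, _ = m.groups()
            procs[int(pid)] = (name, int(ppid))
    return procs


def parse_connscan(text):
    """Return [(local_ip, local_port, remote_ip, remote_port, pid)] from connscan output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            lip, lport, rip, rport, pid = m.groups()
            conns.append((lip, int(lport), rip, int(rport), int(pid)))
    return conns


def parent_chain(procs, pid):
    """Walk PPid links up to the root; stops at an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def is_external(ip):
    """True when the address is outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def connections_by_owner(pstree_text, connscan_text):
    """One record per connection: owner, its ancestry (parent first) and peer status."""
    procs = parse_pstree(pstree_text)
    records = []
    for lip, lport, rip, rport, pid in parse_connscan(connscan_text):
        owner = procs.get(pid, ("<not in pstree>", None))[0]
        records.append({
            "pid": pid, "owner": owner, "ancestry": parent_chain(procs, pid)[1:],
            "local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
            "external": is_external(rip),
        })
    return records


if __name__ == "__main__":
    for r in connections_by_owner(PSTREE_OUTPUT, CONNSCAN_OUTPUT):
        flag = "EXTERNAL, check on VirusTotal" if r["external"] else "internal"
        print(f"pid {r['pid']:>5} {r['owner']:<14} -> {r['remote']:<20} {flag}; "
              f"parents: {' <- '.join(r['ancestry']) or '(root)'}")
```

A process that appears in connscan but not in pstree is reported as `<not in pstree>` rather than dropped: connscan carves connection objects from physical memory, so it also finds connections of processes that have already exited, and those are often the interesting ones.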
Let's look into the registry for autorun entries.
There are a lot of autorun entries in the registry; we have to try them all.
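Checking every autorun key by hand means one printkey run per key and reading each value list. The following is an added example, not the notes' own commands or output: it builds the printkey command lines for a few common autorun keys, parses Volatility 2.4 printkey text output into (type, name, data) values, and flags any entry whose path points into a user-writable location. The printkey output embedded below is constructed in the 2.4 format (the file name `update.exe` is a placeholder), the list of keys is not exhaustive, and the user-writable-path heuristic is an assumption of this example.

```python
"""Parse Volatility 2.4 printkey output for autorun values and flag ones launched
from user-writable paths. Added example; output and heuristic are ours, not the page's."""
import re

# Autorun keys commonly queried with printkey -K "<key>" (relative to the hive root).
AUTORUN_KEYS = [
    r"Microsoft\Windows\CurrentVersion\Run",
    r"Microsoft\Windows\CurrentVersion\RunOnce",
    r"Microsoft\Windows NT\CurrentVersion\Winlogon",
]

# Constructed printkey output for the Software Run key; 'update.exe' is a placeholder.
PRINTKEY_OUTPUT = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2010-08-11 06:07:26 UTC+0000

Subkeys:

Values:
REG_SZ        VMware Tools    : (S) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
REG_SZ        userinit        : (S) C:\Documents and Settings\Admin\Application Data\update.exe
"""

KEY_RE = re.compile(r"^Key name:\s+(.+?)\s+\(([SV])\)")
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\(([SV])\)\s+(.*)$")

# Heuristic (assumption of this example): autoruns under these paths deserve a closer look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\application data\\")


def printkey_commands(image, profile, keys=AUTORUN_KEYS):
    """Command lines to dump each autorun key; --profile overrides the WinXPSP2x86 default."""
    return [f'vol.py -f {image} --profile={profile} printkey -K "{k}"' for k in keys]


def parse_printkey(text):
    """Return {'key': name, 'values': [(type, name, data)]} from printkey output."""
    key, values = None, []
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm:
            vtype, vname, _stable, data = vm.groups()
            values.append((vtype, vname, data))
    return {"key": key, "values": values}


def from_user_writable_path(data):
    """True when the value's data contains one of the user-writable path fragments."""
    lowered = data.lower()
    return any(frag in lowered for frag in USER_WRITABLE)


def flag_autoruns(text):
    """One record per value, marking those that start something from a user-writable path."""
    parsed = parse_printkey(text)
    return [{"key": parsed["key"], "type": t, "name": n, "data": d,
             "suspicious": from_user_writable_path(d)}
            for t, n, d in parsed["values"]]


if __name__ == "__main__":
    for cmd in printkey_commands("zeus.vmem", "WinXPSP2x86"):
        print(cmd)
    for r in flag_autoruns(PRINTKEY_OUTPUT):
        mark = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{mark:<10}] {r['key']}\\{r['name']} = {r['data']}")
```

The Run key under HKLM\Software is only one of the places to look; the same parser applies to the per-user hives (NTUSER.DAT) and to RunOnce and Winlogon, which is why the key list is passed in rather than fixed.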
These are possible code injections,
but the executable you get here is not the whole process, only the injected part. You can always load it in a VM and start your normal analysis.
If you want a dump of the whole process, the plugin is procdump: `procdump -p <pid> --dump-dir <dir>`.
The -p parameter selects a particular process.
You can take a hash of it and will often find something on VirusTotal.
Take an md5sum of both files and submit them to VirusTotal.
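Before submitting, it helps to know which dump is which: malfind writes only the injected region (which may not even start with an MZ header), while procdump writes the whole process image. The following is an added example, not the notes' own commands or artifacts: it builds the malfind and procdump command lines for a given PID, then walks a dump directory, classifies each file by the naming pattern the Volatility 2.4 plugins use (assumed here as `process.<offset>.<vad>.dmp` for malfind and `executable.<pid>.exe` for procdump), hashes it with MD5 and SHA-256, and checks for an MZ header. The image name `zeus.vmem`, PID 856 and the files the sample directory contains are constructed.

```python
"""Triage the files written by Volatility 2.4 malfind -D and procdump -p <pid> -D,
then hash them for a VirusTotal lookup. Added example; dump names and contents are
constructed, not artifacts from the Zeus image."""
import hashlib
import os
import re
import tempfile

# Naming assumed from the 2.4 plugins: malfind -> process.<eprocess>.<vad start>.dmp,
# procdump -> executable.<pid>.exe
MALFIND_RE = re.compile(r"^process\.0x[0-9a-f]+\.0x[0-9a-f]+\.dmp$")
PROCDUMP_RE = re.compile(r"^executable\.(\d+)\.exe$")


def dump_commands(image, profile, pid, dump_dir):
    """Command lines for both dumps (-D is the short form of --dump-dir)."""
    base = f"vol.py -f {image} --profile={profile}"
    return {
        "malfind": f"{base} malfind -D {dump_dir}",             # injected regions only
        "procdump": f"{base} procdump -p {pid} -D {dump_dir}",  # the whole process image
    }


def hash_file(path):
    """Stream the file once; return (md5, sha256, starts_with_MZ)."""
    md5, sha256, first = hashlib.md5(), hashlib.sha256(), None
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            if first is None:
                first = chunk[:2]
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest(), first == b"MZ"


def triage_dump_dir(dump_dir):
    """One record per file: producing plugin, pid if known, hashes, MZ check, VT URL."""
    records = []
    for name in sorted(os.listdir(dump_dir)):
        path = os.path.join(dump_dir, name)
        if not os.path.isfile(path):
            continue
        m = PROCDUMP_RE.match(name)
        if m:
            kind, pid = "procdump", int(m.group(1))
        elif MALFIND_RE.match(name):
            kind, pid = "malfind-region", None   # injected code only, not a whole PE
        else:
            kind, pid = "other", None
        md5, sha256, has_mz = hash_file(path)
        records.append({
            "file": name, "kind": kind, "pid": pid, "md5": md5, "sha256": sha256,
            "mz_header": has_mz,
            "virustotal": f"https://www.virustotal.com/gui/file/{sha256}",
        })
    return records


def make_sample_dump_dir():
    """Constructed stand-in for a Volatility dump directory (contents are not malware)."""
    d = tempfile.mkdtemp(prefix="voldump-")
    with open(os.path.join(d, "executable.856.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)                      # PE-like header, constructed
    with open(os.path.join(d, "process.0x81c5f8d8.0x1a0000.dmp"), "wb") as f:
        f.write(b"\xe9\x00\x10\x00\x00" + b"\x00" * 59)    # raw injected region, no MZ
    open(os.path.join(d, "notes.txt"), "wb").close()      # empty file for comparison
    return d


if __name__ == "__main__":
    for plugin, cmd in dump_commands("zeus.vmem", "WinXPSP2x86", 856, "dumps").items():
        print(f"{plugin}: {cmd}")
    for r in triage_dump_dir(make_sample_dump_dir()):
        print(f"{r['file']:<36} {r['kind']:<15} pid={r['pid']} "
              f"MZ={r['mz_header']} md5={r['md5']}")
```

A malfind region without an MZ header is normal (shellcode or an unpacked stub) and a hash lookup on it will rarely match anything; the procdump image is the better candidate for VirusTotal, and a mismatch between the two hashes is expected rather than a sign of error.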