Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/mkorman90/VolatilityBot

VolatilityBot – An automated memory analyzer for malware samples and memory dumps
https://github.com/mkorman90/VolatilityBot

Last synced: 2 months ago
JSON representation

VolatilityBot – An automated memory analyzer for malware samples and memory dumps

Host: GitHub
URL: https://github.com/mkorman90/VolatilityBot
Owner: mkorman90
License: mit
Created: 2015-02-04T15:13:46.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2021-06-15T05:31:06.000Z (about 3 years ago)
Last Synced: 2024-01-23T21:26:03.827Z (5 months ago)
Language: Python
Homepage:
Size: 1.22 MB
Stars: 260
Watchers: 27
Forks: 59
Open Issues: 1
Metadata Files:
- Readme: readme.md
- License: LICENSE

Lists

awesome-incident-response - VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. (IR Tools Collection / Memory Analysis Tools)
awesome-incident-response - VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. (IR Tools Collection / Memory Analysis Tools)
awesome-memory-forensics - VolatilityBot
awesome-incident-response - VolatilityBot - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation (IR tools Collection / Memory Analysis Tools)
awesome-incident-response - VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. (IR tools Collection / Memory Analysis Tools)
awesome-incident-response - VolatilityBot - VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation (IR tools Collection / Memory Analysis Tools)
awesome-incident-response - VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. (IR tools Collection / Memory Analysis Tools)
awesome-incident-response - VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. (IR Tools Collection / Memory Analysis Tools)
fucking-awesome-incident-response - VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. (IR Tools Collection / Memory Analysis Tools)

README

        ![alt tag](https://raw.githubusercontent.com/mkorman90/VolatilityBot/master/pics/logo.png)

## Synopsis

VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase,

or to help the investigator in the first steps of performing a memory analysis investigation.

Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses, etc.

## Motivation

Part of the work security researchers have to go through when they study new malware or wish to analyse suspicious executables is to extract the binary file and all the different injections and strings decrypted during the malware’s execution.

In the new version of VolatilityBot, a new feature is automated analysis of memory dumps, using heuristics and YARA/Clam AV Scanners (Clam scan coming soon).

This feature is useful for memory analysis at scale. Usually, this initial process is done manually, either of a malware sample, or a memory dump and it can be lengthy and tedious.

## Current features

* Automated analaysis of malware samples (Based on diff-ing between clean memory image and infected one )

  * Extraction of injected code

  * Dump of new processes

  * Yara scan, static analysis, string extraction, etc. on all outputs

+ Automated heuristic analysis of memory dumps 

  * Detect anomallies using heuristics and dump the relevant code

  * Yara scan, static analysis, string extraction, etc. on all outputs

            

## Coming soon:

* Integration of automated sample analysis with Fakenet-NG

* Clam scan on extracted code 

## Installation

git clone https://github.com/mkorman90/VolatilityBot.git

install the required dependencies, from the requirements.txt file

### prepare the VM (Currently only vmware)

1. Create a new virtual machine, with Windows XP up to windows 10 x64.

2. Make sure the machine has windows defender and FW disabled, and has a static IP

3. Install python 3.5

4. Create c:\temp folder, or change the destination folder in config

5. Copy the agent.py from Utils and launch it (you can execute it without the console using pythonw.exe)

6. Take a snapshot of the VM

7. repeat steps 1-6 for as many VMs as you want

### Configuring the host

1. Edit the required parameters, as instructed in the conf/conf.py file

2. Execute db_builder.py - in order to create the database

3. Execute gi_builder.py - in order to build the golden images for all active VMs

###Submit

* Analyze a memory dump using heuristics, and dump output to folder

```

VolatilityBot.py  -m --dump -f /Users/Martin/Downloads/stuxnet.vmem

```

* Submit an executable and analyze it using Volatility:

```

VolatilityBot.py  -f 

VolatilityBot.py  -D

```