Few weeks ago Ive attended the SANS DFIR Summit in Prague, and one of the very interesting talks was from Martin Korman (@MartinKorman), who presented a new tool he developed: Volatility Bot.
According to his description, Volatility Bot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses, etc.Basically, the goal of this tool is to automate most of the initial repetitive tasks an analyst does when analyzing a sample via memory analysis.">gi_bulder.py script that will build a golden image for the active VM pre-infection, storing the output for later comparison.
At this point, the tool allows fortwo options: either to analyze the entire memory dump, or to submit one or more samples to VolatilityBot via command line. In the latter case, the tool will run one sample at the time and for each sample it will revert the VM back to the clean snapshot before lunching it, run the malware,pausethe VM, parsethe current memory state, and move to the next. This is done all automatically, without the analyst having to restart new VM, load the malware and run it every time.
Other than simply executing the standard volatility plugins, the Code Extractor component of VolatilityBot will try to identify and/or dump Injected Code, Kernel Modules, New Processes, Hooks, etc., comparing the output of volatility with the golden image and looking for signs of suspicious/malicious behavior.
The last component is what the author calls Post Process Modules" />
Last but not least, according to the author the tool has been tested against a dataset of 3875 malware samples, with a success rate of 88%. Not too bad for a tool that is still at its early stage.
In my opinion it is definitely worth a try, it can for sure speed up the analysis (or at least the triage) of commodity malware and hopefully not only.
You can find the tool on github at https://github.com/mkorman90/VolatilityBot
Happy Hunting,
Pasquale
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.