
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-10-30 InfoSec Handlers Diary Blog


Volatility Bot: Automated Memory Analysis

Published: 2016-10-30
Last Updated: 2016-10-30 16:28:53 UTC
by Pasquale Stirparo (Version: 1)

A few weeks ago I attended the SANS DFIR Summit in Prague, and one of the very interesting talks was from Martin Korman (@MartinKorman), who presented a new tool he developed: Volatility Bot.

According to his description, Volatility Bot is “an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses, etc.” Basically, the goal of this tool is to automate most of the initial repetitive tasks an analyst does when analyzing a sample via memory analysis. 
Once the tool is configured (config/ and the VM is prepared, the next step is to run the script that builds a golden image of the active VM pre-infection, storing the output for later comparison.

At this point, the tool allows for two options: either to analyze an entire memory dump, or to submit one or more samples to VolatilityBot via the command line. In the latter case, the tool runs one sample at a time, and for each sample it will revert the VM back to the clean snapshot before launching it, run the malware, pause the VM, parse the current memory state, and move to the next. This is all done automatically, without the analyst having to restart a new VM, load the malware and run it every time.

Other than simply executing the standard volatility plugins, the "Code Extractor" component of Volatility Bot will try to identify and/or dump Injected Code, Kernel Modules, New Processes, Hooks, etc., comparing the output of volatility with the golden image and looking for signs of suspicious/malicious behavior.

The last component is what the author calls “Post Process Modules”, which work on the volatility plugin results and the dumped processes/code to perform analysis using YARA, strings, basic PE analysis and some heuristic analysis, looking for spawned processes of supposedly exploitable processes (e.g. browsers, office, etc.), processes launched from suspicious paths, suspicious handles, code injection, etc. The following picture shows the high-level tool architecture:

Last but not least, according to the author the tool has been tested against a dataset of 3875 malware samples, with a success rate of 88%. Not too bad for a tool that is still at an early stage.
In my opinion it is definitely worth a try; it can for sure speed up the analysis (or at least the triage) of commodity malware, and hopefully not only that.
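
To make the golden-image comparison and two of the post-process heuristics described above concrete, here is an added sketch; it is not VolatilityBot's code. The record layout, the two heuristic lists and the process listings are constructed for illustration.

```python
from collections import Counter

# Assumed heuristic lists for this sketch; not taken from VolatilityBot.
EXPLOITABLE_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe",
                       "winword.exe", "excel.exe", "acrord32.exe"}
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def _keyed(procs):
    """Yield ((image path, parent name), proc, parent name); PIDs change between runs."""
    names = {p["pid"]: p["name"].lower() for p in procs}
    for p in procs:
        parent = names.get(p["ppid"], "")  # "" when the parent has already exited
        yield (p["path"].lower(), parent), p, parent

def new_processes(golden, infected):
    """Yield infected-snapshot processes with no counterpart in the golden image."""
    baseline = Counter(key for key, _, _ in _keyed(golden))
    for key, proc, parent in _keyed(infected):
        if baseline[key] > 0:
            baseline[key] -= 1  # matched one known-good instance
        else:
            yield proc, parent

def triage(golden, infected):
    """Return [(name, pid, [reasons])] for every process new since the golden image."""
    findings = []
    for proc, parent in new_processes(golden, infected):
        reasons = []
        if parent in EXPLOITABLE_PARENTS:
            reasons.append("child of exploitable process " + parent)
        if any(d in proc["path"].lower() for d in SUSPICIOUS_DIRS):
            reasons.append("launched from suspicious path")
        findings.append((proc["name"], proc["pid"], reasons))
    return findings

def _p(pid, ppid, path):
    return {"pid": pid, "ppid": ppid, "name": path.rsplit("\\", 1)[-1], "path": path}

# Constructed process listings (fields loosely follow a pslist-style export).
GOLDEN = [_p(500, 400, r"C:\Windows\System32\services.exe"),
          _p(800, 500, r"C:\Windows\System32\svchost.exe"),
          _p(1500, 1400, r"C:\Windows\explorer.exe"),
          _p(2000, 1500, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE")]
INFECTED = [_p(512, 400, r"C:\Windows\System32\services.exe"),
            _p(820, 512, r"C:\Windows\System32\svchost.exe"),
            _p(1500, 1400, r"C:\Windows\explorer.exe"),
            _p(2044, 1500, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
            _p(3100, 2044, r"C:\Users\lab\AppData\Local\Temp\upd.exe"),
            _p(3200, 3100, r"C:\Windows\System32\svchost.exe")]
```

Calling `triage(GOLDEN, INFECTED)` flags `upd.exe` with both reasons and also reports the second `svchost.exe`, which neither heuristic matches but the golden-image diff still surfaces because its parent differs from the baseline.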

You can find the tool on GitHub at
Happy Hunting,

