JPCERTCC / MalConfScan

Volatility plugin that extracts configuration data of known malware

Hanging on "Searching memory by Yara rules." #10

Closed. 13Cubed closed this issue 4 years ago.

13Cubed commented 4 years ago

I have a 9GB memory sample from a Windows 10 17763 host infected with TrickBot. However, when using Volatility 2.6.1 with the MalConfScan plugin, it seems to hang on "Searching memory by Yara rules." No errors are generated, the analysis system has free disk and memory available, and even after 12+ hours nothing seemed to happen. Can you please advise? The memory sample was obtained from: https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis

t-tani commented 4 years ago

If you know which PID is malicious, try the -p option: `python vol.py malconfscan -f your_image.mem --profile=Win10x64 -p [malicious PID]`

Or try the latest Volatility from the GitHub repo. Volatility 2.6.1 does not support Windows 10 17763; support was added in the following commit.

https://github.com/volatilityfoundation/volatility/commit/5865a1539f05f17f736bde3034b17170e2201ec1
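
The workaround above narrows the scan to specific processes with -p. As an added example (not part of the MalConfScan project or of this thread), the script below pulls the PIDs of a named process out of Volatility 2 pslist output and hands them to malconfscan as the comma-separated list that -p accepts, so the whole-image YARA pass is replaced by a per-process one. The pslist text is a constructed sample, the image name is a placeholder, and the profile name Win10x64_17763 is assumed to be the one Volatility master ships for build 17763.

```shell
#!/bin/sh
# Added example; not code from MalConfScan or from the issue thread.
# Scope a MalConfScan run to selected PIDs instead of scanning all of memory.

# Constructed stand-in for "python vol.py pslist" output (columns abbreviated).
PSLIST_OUTPUT='Offset(V)          Name                    PID   PPID
------------------ -------------------- ------ ------
0xffff8a0a1b0c0080 System                    4      0
0xffff8a0a1c2d1080 explorer.exe           3412   3380
0xffff8a0a1d3e2080 svchost.exe            1088    712
0xffff8a0a1e4f3080 svchost.exe            4528    712
0xffff8a0a1f5a4080 wermgr.exe             5124   4528'

# select_pids NAME
# Print the PIDs of every process whose image name equals NAME (case-insensitive),
# joined with commas, which is the form Volatility 2's -p/--pid option expects.
# Prints an empty line when nothing matches.
select_pids() {
  printf '%s\n' "$PSLIST_OUTPUT" | awk -v name="$1" '
    NR > 2 && tolower($2) == tolower(name) { pids = pids (pids ? "," : "") $3 }
    END { print pids }'
}

# malconfscan_cmd IMAGE PROFILE PIDS
# Build the narrowed malconfscan command line (assumed Volatility 2 invocation).
# Fails if PIDS is empty, so a typo in the process name does not silently fall
# back to a full-memory scan.
malconfscan_cmd() {
  image=$1; profile=$2; pids=$3
  [ -n "$pids" ] || { echo "no PIDs selected" >&2; return 1; }
  printf 'python vol.py malconfscan -f %s --profile=%s -p %s\n' \
    "$image" "$profile" "$pids"
}

# Usage: select the suspected processes, then print the command to run.
# (Printed rather than executed here because vol.py is not present in this example.)
PIDS=$(select_pids svchost.exe)
malconfscan_cmd image.mem Win10x64_17763 "$PIDS"
```

In practice, pipe the printed line into a shell once you have confirmed the PIDs against pslist and the profile against `python vol.py --info`; if malconfscan exits immediately with no output for a PID, repeat with the other candidate PIDs (for example the injected host process rather than the dropper) before concluding the rules did not match.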

13Cubed commented 4 years ago

Thank you. The build of 2.6.1 I am using was cloned from the official Volatility GitHub repo, and does have a profile for 17763. I tried specifying the malicious PIDs. The Yara scanning process no longer hangs, but simply exits a couple of seconds later. Perhaps I will try another memory sample, though I am certain the malware is present within this one. Running a plugin such as pslist works correctly, and shows the expected results.