Skip to content

Contains tools to perform malware and forensic analysis in Memory

Notifications You must be signed in to change notification settings

bedazzlinghex/Memory-analysis

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 

Repository files navigation

Memory-analysis

Contains tools to perform malware and forensic analysis in Memory.

Plugins:

  • Dyrescan.py - parses Dyreconfig in memory.
  • Rat9002.py - parses 9002 rat config in memory.
  • plugx.py - parses plugx config in memory (modified to also parse config size: 0x170c).
  • ghostrat.py - parses ghostrat config in memory.

Analysis_Script:

  • vol_analysis.sh - script to automate analysis with volatility
  • common_search_strings.txt - textfile used by vol_analysis.sh to search for common commands used by threat actors. Fill out with your own terms.
  • drv_list.txt - List gathered from the Internet with all known bad and good drivernames. Used by vol_analysis.sh to search for bad drivers.

Irma:

  • Created a python script to interact with IRMA on a localmachine. This script is also used by vol_analysis.sh to submit and scan all files extracted from a memory dump and perform analysis on them with various AV-engines.
  • Usage with vol_analysis script: vol_analysis.sh -p WinXPSP2x86 -f memdump.mem -d /output_path -t CASENAME ** Requires IRMA up and running on your machine and the IRMACL API installed.

About

Contains tools to perform malware and forensic analysis in Memory

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published