
Volatility Plugins

A set of plugins we wrote for the Volatility framework.

Install

Simply copy the files into your Volatility plugins directory.

Getting started

PlugX Plugin

The PlugX plugin can be used to detect the presence of the RAT in memory and to parse its configuration.

$ python vol.py -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.

Options:
[...]
    Supported Plugin Commands:
[...]
        plugxconfig     Locate and parse the PlugX configuration
        plugxscan       Detect processes infected with PlugX
[...]

The plugxscan command lists the processes into which the RAT is injected:

$ python vol.py plugxscan -f mem2.dmp
Volatility Foundation Volatility Framework 2.3.1
Name                 PID      Data VA   
-------------------- -------- ----------
svchost.exe              1864 0x00930000
svchost.exe              1864 0x00930000
msiexec.exe               248 0x00c30000
msiexec.exe               248 0x00c30000

The plugxconfig command parses the configuration found in each infected process:

$ python vol.py plugxconfig -f mem2.dmp
Volatility Foundation Volatility Framework 2.3.1
--------------------------------------------------------------------------------
Process: svchost.exe (1864)

PlugX Config (0x2540 bytes):
    Flags: True True True True True True True True True True True
    Timer 1: 10 secs
    Timer 2: 0 secs
    C&C Address: dns.lookipv6.com:80 (TCP / HTTP)
    C&C Address: dns.lookipv6.com:53 (UDP / ICMP)
    C&C Address: dns.lookipv6.com:8080 (TCP / HTTP / UDP / ICMP)
    C&C Address: dns.lookipv6.com:53 (UDP / ICMP)
    Persistence Type: Service + Run Key
    Install Dir: %AUTO%\RasTls
    Service Name: RasTls
    Service Disp: RasTls
    Service Desc: Symantec 802.1x Supplicant 
    Registry hive: 80000001
    Registry key: Software\Microsoft\Windows\CurrentVersion\Run
    Registry value: Supplicant
    Injection: True
    Injection process: %windir%\system32\svchost.exe
    Online Pass: TEST
    Memo: nsc
    Mutex: My_Name
    Screenshots: False
    Screenshots params: 10 sec / Zoom 100 / 16 bits / Quality 50 / Keep 3 days
    Screenshots path: %AUTO%\screen
    Lateral TCP port: 535
    Lateral UDP port: 535
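To turn the plugxconfig output into something a responder can hunt with on other hosts, here is an added Python example (it is not part of this plugin set): it parses the text output above, de-duplicates the repeated C&C endpoints and resolves the raw hive value to its HKEY name so the full Run key path can be checked. The sample input is constructed from the output shown above.

```python
import re

# Constructed sample: the plugxconfig output shown on this page, reduced to the lines we use.
SAMPLE = r"""Process: svchost.exe (1864)

PlugX Config (0x2540 bytes):
    C&C Address: dns.lookipv6.com:80 (TCP / HTTP)
    C&C Address: dns.lookipv6.com:53 (UDP / ICMP)
    C&C Address: dns.lookipv6.com:8080 (TCP / HTTP / UDP / ICMP)
    C&C Address: dns.lookipv6.com:53 (UDP / ICMP)
    Persistence Type: Service + Run Key
    Registry hive: 80000001
    Registry key: Software\Microsoft\Windows\CurrentVersion\Run
    Registry value: Supplicant
"""

# The plugin prints the hive as a raw HKEY_* handle value; map the standard ones.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

PROC_RE = re.compile(r"^Process:\s*(\S+)\s*\((\d+)\)")
C2_RE = re.compile(r"^\s*C&C Address:\s*(\S+):(\d+)\s*\(([^)]*)\)")
KV_RE = re.compile(r"^\s{4}([^:]+):\s*(.*)$")

def parse_plugxconfig(text):
    """Turn plugxconfig text output into one IoC dict per infected process."""
    results, cur = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:  # a new "Process: name (pid)" header starts a new record
            cur = {"process": m.group(1), "pid": int(m.group(2)), "c2": [], "fields": {}}
            results.append(cur)
            continue
        if cur is None:
            continue
        m = C2_RE.match(line)
        if m:  # (host, port, protocols); the config lists the same endpoint more than once
            entry = (m.group(1), int(m.group(2)), tuple(p.strip() for p in m.group(3).split("/")))
            if entry not in cur["c2"]:
                cur["c2"].append(entry)
            continue
        m = KV_RE.match(line)
        if m:  # every other indented "Key: value" line
            cur["fields"][m.group(1).strip()] = m.group(2).strip()
    for r in results:  # build the full Run-key path a responder can check on a host
        f = r["fields"]
        hive = HIVES.get(f.get("Registry hive", ""), f.get("Registry hive", "?"))
        if "Registry key" in f:
            r["run_key"] = hive + "\\" + f["Registry key"] + "\\" + f.get("Registry value", "")
    return results
```

Run it against the real plugin output by piping `vol.py plugxconfig` into a file and passing its contents to `parse_plugxconfig`; each record carries the unique C&C endpoints, the raw fields and the resolved Run key.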
