Lately, I’ve often found myself manually unpacking different versions of the same malware in order to perform static analysis with IDA and BinDiff. Therefore, I’ve decided to write a small system that will automate the entire process – the VolatilityBot.
How does VolatilityBot work?
- It executes the malware on a VM.
- It waits for a pre-defined period of time.
- It suspends the VM.
- It compares the snapshot to a golden image of the VM, finds new processes, injected code, loaded DLLs or kernel modules, dumps them from memory and fixes the PE file in order to make static analysis easier.
All metadata is saved to a SQLite DB. Dumps are saved to a configured storage location. All PE files pass through a short static analysis, and the reports are stored in the same storage. VolatilityBot can theoretically manage an unlimited number of virtual machines, depending on the performance of your PC. Currently there is no UI, but the SQLite DB can be accessed with a GUI tool such as sqlitebrowser on Mac OS or sqliteman on Linux. In future versions there will be a small web UI in which you can submit new samples and read the reports of existing ones.
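The "fixes the PE file" step deserves a closer look. A PE dumped straight from memory is laid out by virtual address, so the section headers still carry the on-disk PointerToRawData/SizeOfRawData values and IDA will read the wrong bytes for every section. The fix is to rewrite each section header so that its raw pointer and raw size equal its VirtualAddress and VirtualSize. The following is an example added here, not code from VolatilityBot or Volatility; the sample image it patches is constructed in the script and is not a real binary.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def section_table(image: bytes):
    """Return (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    coff = e_lfanew + 4                                   # skip "PE\0\0"
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    base = coff + 20 + opt_size                           # first section header
    return [struct.unpack_from("<8sIIII", image, base + i * SECTION_HEADER_SIZE)
            for i in range(num_sections)]


def fix_memory_dumped_pe(image: bytes) -> bytes:
    """Rewrite section headers of a memory-dumped PE so that file offsets match
    the in-memory layout: SizeOfRawData := VirtualSize, PointerToRawData := VirtualAddress."""
    buf = bytearray(image)
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    base = coff + 20 + opt_size
    for i in range(num_sections):
        off = base + i * SECTION_HEADER_SIZE
        virtual_size, virtual_addr = struct.unpack_from("<II", buf, off + 8)
        if virtual_addr + virtual_size > len(buf):
            raise ValueError("section %d lies outside the dump" % i)
        # SizeOfRawData (offset 16) and PointerToRawData (offset 20) now describe the dump layout.
        struct.pack_into("<II", buf, off + 16, virtual_size, virtual_addr)
    return bytes(buf)


def build_sample_dump() -> bytes:
    """Constructed two-section PE32 image laid out as it would be in memory (not a real binary)."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size                                # optional header left zeroed
    # Section headers still hold the on-disk raw pointers, as a dumped image would.
    for name, vsize, va, rawsize, rawptr in ((b".text", 0x200, 0x1000, 0x200, 0x400),
                                             (b".data", 0x100, 0x2000, 0x200, 0x600)):
        hdr += struct.pack("<8sIIII", name, vsize, va, rawsize, rawptr) + b"\0" * 16
    image = hdr + b"\0" * (0x3000 - len(hdr))
    image[0x1000:0x1004] = b"\xCC\xCC\xCC\xCC"             # .text bytes live at their VA
    return bytes(image)
```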
In order to avoid VM detection, a few tricks were used:
- Registry key cleanup (the usual VMware artifacts; I don't think there is a need to describe them here, as there is a lot of information on the internet about this).
- A macro that moves the mouse and then executes the malware.
- And of course, no VMware Tools on the machine.
Here’s a short demo of two virtual machines processing three samples:
The source code and configuration instructions will be posted next week.