Thursday, March 19, 2009

Memory snapshot Project Part II

It appears that the memory snapshot idea has been well received so I'm in the process of uploading more snapshots to my skydrive. I think I've got a decent format now.

Under my public folder you'll see a series of exemplarX files where X is a number.

Within each directory you can expect to find the following:

about.txt - This identifies the malware and provides an md5. The binary is uploaded at

- This is a .pdf file containing virustotal results for the binary.

Exemplar segments - I decided on a more universal method of compression (tar.gz) and I've split the segments using the linux split command. These segments will need to be concatenated. This can be done in linux by using the cat command. In windows, it's a copy command.

on Linux:
cat exemplar5.tar.gz.* > exemplar5.tar.gz

on Windows:
copy /b exemplar5.tar.gz.* exemplar5.tar.gz

Simply extract the .vmem from the .tar.gz file and off you go.

hashes.txt - This is a list of md5 hashes of all segmented files, the .vmem file, the .pdf, and the about.txt file.

This seems like a fairly decent model to follow though I'm open to suggestions.

I've posted a few more images and I'm in the process of creating several more.

One thing to keep in mind is that while I try to validate the execution of the malware in a virtual setting, I am fallible. If you think there's no trace of the malware in the memory dump, let me know.

Happy malware hunting.

3/21/09 addendum

A quick update.

I realized a flaw in my methodology. I didn't give the malware enough time to fully execute so I'm re-doing the exemplars.

If you downloaded exemplar4 already, I invite you to download it again.


Robert said...

Great work! Now if I can only find more time.