Volatility3 and YaraScan plugin: seemingly unrealistic results


I am using Volatility3 and specifically the YaraScan command to test a memory dump.

Specifically:

  • I have taken a memory dump from a completely clean OS (VM) (4GB RAM). Some forensic tools installed like ProcMon, SysMon, Wireshark.
  • At the moment of the dump nothing interesting was being done at all.

After I took the dump, I used the Volatility3 command to analyze it against YARA rules.
Specifically, I used all 2354 YARA rules from their /malware section (https://github.com/Yara-Rules/rules/tree/0f93570194a80d2f2032869055808b0ddcdfb360/malware).

The result is that out of 2354 rules, I have 402 positive matches. Which is very weird since the OS is completely clean.
I will note that there are multiple matches that point to the same rule, just with different Offsets.

Am I interpreting the results wrongly?

I’ve uploaded an example of the csv output too.

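A practical way to make sense of a result like "402 positive matches from 2354 rules" is to stop counting hit rows and start counting distinct rules, distinct locations, and distinct processes, then subtract whatever fires on a known-clean image. The script below is an added example written for this post; it is not part of the original question and not Volatility's own code. It assumes the CSV exported with Volatility3's `-r csv` renderer for `windows.vadyarascan` has the columns Offset, PID, Rule, Component, Value; the sample rows and rule names are constructed for illustration.

```python
"""Triage helper for Volatility3 yarascan CSV output (added example, stdlib only)."""
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout assumed for `vol -r csv ... windows.vadyarascan`
# (Offset, PID, Rule, Component, Value). Rule names are made up for illustration.
BASELINE_CSV = """Offset,PID,Rule,Component,Value
0x7ff6a0001000,412,Generic_Packer_Artifact,$s1,4d 5a 90 00
0x7ff6a0002000,412,Generic_Packer_Artifact,$s1,4d 5a 90 00
0x1a0000,1337,Generic_Packer_Artifact,$s1,4d 5a 90 00
0x1a0000,1337,Generic_Packer_Artifact,$s2,50 45 00 00
0x2b0000,2200,Generic_Packer_Artifact,$s1,4d 5a 90 00
0x5c1000,1337,Suspicious_Shell_String,$cmd,63 6d 64 2e 65 78 65
0x9d0000,4500,Rare_Family_Signature,$a,de ad be ef
"""

# Constructed second scan of the same kind of host, taken later.
LATER_CSV = """Offset,PID,Rule,Component,Value
0x7ff6a0001000,416,Generic_Packer_Artifact,$s1,4d 5a 90 00
0x3f0000,5012,Unseen_Rule_Example,$x,ca fe ba be
"""


def parse_yarascan_csv(text):
    """One dict per hit row; each row is a (rule, $string, offset) triple, not a unique rule."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_rule(rows):
    """Collapse hit rows into one entry per rule name."""
    summary = defaultdict(lambda: {"hits": 0, "locations": set(), "pids": set()})
    for row in rows:
        entry = summary[row["Rule"]]
        entry["hits"] += 1
        # Same rule, same PID, same offset but a different $string counts as one location.
        entry["locations"].add((row["PID"], row["Offset"]))
        entry["pids"].add(row["PID"])
    return dict(summary)


def rank_for_triage(summary, noisy_pid_threshold=2):
    """Order rules for review: fewest processes first, then fewest locations.

    Returns (rule, n_pids, n_locations, is_noisy). A rule that fires in many unrelated
    processes of a clean image is usually a broad, generic signature, not an infection.
    """
    ranked = []
    for rule, entry in summary.items():
        n_pids = len(entry["pids"])
        ranked.append((rule, n_pids, len(entry["locations"]), n_pids >= noisy_pid_threshold))
    ranked.sort(key=lambda t: (t[1], t[2], t[0]))
    return ranked


def baseline_rules(rows):
    """Rule names that fired on a known-clean image; candidates for an allowlist."""
    return {row["Rule"] for row in rows}


def hits_not_in_baseline(rows, allowlist):
    """Keep only hits from rules that did not fire on the clean baseline."""
    return [row for row in rows if row["Rule"] not in allowlist]


if __name__ == "__main__":
    base_rows = parse_yarascan_csv(BASELINE_CSV)
    summary = summarize_by_rule(base_rows)
    print(f"{len(base_rows)} hit rows collapse to {len(summary)} distinct rules")
    for rule, n_pids, n_locs, noisy in rank_for_triage(summary):
        print(f"{rule:28} pids={n_pids} locations={n_locs} {'NOISY' if noisy else ''}")
    later = hits_not_in_baseline(parse_yarascan_csv(LATER_CSV), baseline_rules(base_rows))
    print("new after baseline subtraction:", [r["Rule"] for r in later])
```

Run it against the real CSV by replacing the embedded samples with `open(path).read()`. The point of the baseline step is that a large community rule set will always contain generic signatures (packer stubs, common API strings) that match ordinary Windows binaries in memory; a scan of a clean image of the same build gives you the list of rules to treat as expected noise, so the rules worth reading on a later dump are the ones that did not fire before.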
