I am using Volatility3 and specifically the YaraScan command to test a memory dump. Specifically:
- I have taken a memory dump from a completely clean OS (VM) (4GB RAM). Some forensic tools installed like ProcMon, SysMon, Wireshark.
- At the moment of the dump nothing interesting was being done at all.
After I took the dump, I used the Volatility3 command to analyze it against YARA rules.
Specifically, I used all 2354 YARA rules from their /malware section (https://github.com/Yara-Rules/rules/tree/0f93570194a80d2f2032869055808b0ddcdfb360/malware).
The result is that out of 2354 rules, I have 402 positive matches, which is very weird since the OS is completely clean.
I will note that there are multiple matches that point to the same rule, just with different Offsets.
Am I interpreting the results wrongly?
I’ve uploaded an example of the csv output too.
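The yarascan output counts one row per matched string per offset, so the 402 rows do not mean 402 rules fired. A small aggregation script, added here as an example (it is not part of the original post or of Volatility3), collapses the CSV into one entry per rule, counts distinct offsets, and flags rules whose only matching strings are very short (a two-byte `MZ` header or similar will hit every loaded PE in memory). It assumes the vol3 CSV renderer emits the columns `Offset`, `Rule`, `Component`, `Value` (a leading `TreeDepth` column is ignored if present); the sample rows are constructed, not taken from a real dump.

```python
"""Aggregate Volatility3 yarascan CSV output per rule.

Added example, not code from the original post or from Volatility3.
Assumes the CSV columns Offset, Rule, Component, Value; any other
column (such as TreeDepth) is ignored. SAMPLE_CSV is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one generic rule hitting many offsets on a short
# string, one packer rule matching two of its own strings at one offset,
# and one rule matching a long, specific string once.
SAMPLE_CSV = """TreeDepth,Offset,Rule,Component,Value
0,0x7ff6a1c01000,PE_Header_Generic,$mz,MZ
0,0x7ff6a1c45000,PE_Header_Generic,$mz,MZ
0,0x7ff6a2c01000,PE_Header_Generic,$mz,MZ
0,0x1a3f0000,UPX_Packer,$upx0,UPX0
0,0x1a3f0000,UPX_Packer,$upx1,UPX1
0,0x0c4d1200,Suspicious_Downloader,$url,http://example.invalid/payload.bin
"""


def parse_yarascan_csv(text):
    """Return one dict per CSV row with the offset parsed as an int."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "offset": int(rec["Offset"], 16),   # int() accepts the 0x prefix
            "rule": rec["Rule"],
            "component": rec["Component"],
            "value": rec["Value"],
        })
    return rows


def summarize(rows):
    """Collapse rows into one record per rule."""
    summary = defaultdict(lambda: {
        "hits": 0, "offsets": set(), "components": set(), "values": set(),
    })
    for r in rows:
        s = summary[r["rule"]]
        s["hits"] += 1
        s["offsets"].add(r["offset"])
        s["components"].add(r["component"])
        s["values"].add(r["value"])
    return dict(summary)


def likely_generic(summary, min_len=4):
    """Rules whose every matched string is shorter than min_len characters.

    Such rules tend to fire on benign memory (PE headers, common opcodes)
    and are the usual source of bulk 'positives' on a clean image.
    """
    return sorted(
        rule for rule, s in summary.items()
        if all(len(v) < min_len for v in s["values"])
    )


def triage(summary):
    """Order rules for review: more of the rule's own strings matched first,
    then fewer total hits (a rule that hits everywhere is usually noise)."""
    return sorted(
        summary,
        key=lambda r: (-len(summary[r]["components"]), summary[r]["hits"]),
    )


if __name__ == "__main__":
    rows = parse_yarascan_csv(SAMPLE_CSV)
    summary = summarize(rows)
    print(f"{len(rows)} rows collapse to {len(summary)} distinct rules")
    for rule in triage(summary):
        s = summary[rule]
        print(f"{rule:24} hits={s['hits']:3} offsets={len(s['offsets']):3} "
              f"strings={sorted(s['components'])}")
    print("likely generic:", likely_generic(summary))
```

Run it against the real `vol.py -f dump.raw -r csv windows.yarascan ...` output instead of `SAMPLE_CSV` and compare the distinct-rule count with the 402 rows; rules that appear under `likely generic` are the first candidates to exclude or to check against the YARA source for overly broad strings.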