Updates: VolDiff – Malware Memory Footprint Analysis.

Latest Version v-1.2:
+ Added checks to search for executables/DLLs loaded from TEMP folders
+ Added checks to search for keylogger artifacts
+ Added a check to dump and analyse the hosts file
+ Added a routine to compute a list of unique IPs from netscan output
+ Minor bug fixes and enhancements

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerful malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

Use Directions:
1. Capture a memory dump of a clean Windows system and save it as “baseline.raw”. This image will serve as a baseline for the analysis.
2. Execute your malware sample on the same system, then take a second memory dump and save it as “infected.raw”.
3. Run VolDiff:

VolDiff will save the output of a selection of Volatility plugins for both memory images (baseline and infected), then it will create a report that highlights notable changes (new processes, network connections, injected code, drivers, etc.).
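The comparison step described above, as an added example that is not VolDiff's own code: it diffs constructed `pslist` and `netscan` output from a baseline and an infected image to surface new processes and connections, and computes the unique IPs that appear only in the infected capture (the kind of routine v1.2 adds). The plugin output is constructed inline, so the script runs without Volatility or memory images.

```bash
#!/usr/bin/env bash
# Added example, not VolDiff's own code: the core "diff two plugin outputs"
# step VolDiff performs, shown on constructed Volatility output embedded below.

# Constructed sample of `pslist` output for the clean and infected images.
BASELINE_PSLIST='Offset(V)  Name          PID   PPID
0x1000     System        4     0
0x2000     explorer.exe  1234  1000
0x3000     svchost.exe   1300  600'
INFECTED_PSLIST="$BASELINE_PSLIST
0x4000     updater.exe   2222  1234"

# Constructed sample of `netscan` output (Proto Local Foreign State PID Owner).
BASELINE_NETSCAN='Proto  Local            Foreign           State        PID   Owner
TCPv4  10.0.0.5:49152   10.0.0.1:53       ESTABLISHED  1300  svchost.exe
TCPv4  0.0.0.0:135      0.0.0.0:0         LISTENING    600   svchost.exe'
INFECTED_NETSCAN="$BASELINE_NETSCAN
TCPv4  10.0.0.5:49200   203.0.113.10:443  ESTABLISHED  2222  updater.exe
TCPv4  10.0.0.5:49201   203.0.113.10:80   SYN_SENT     2222  updater.exe"

# Lines present in the infected output but absent from the baseline. Comparing
# whole lines avoids parsing each plugin's column layout, and identical header
# lines cancel out. Temp files keep this POSIX-sh compatible (no <(...)).
new_lines() {
    b=$(mktemp) && i=$(mktemp)
    printf '%s\n' "$1" >"$b"
    printf '%s\n' "$2" >"$i"
    awk -v base="$b" 'FILENAME == base { seen[$0] = 1; next } !($0 in seen)' "$b" "$i"
    rm -f "$b" "$i"
}

# Unique IPv4 addresses found anywhere in netscan output, with the unspecified
# address dropped and a bytewise sort so results are stable across locales.
unique_ips() {
    printf '%s\n' "$1" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | grep -vx '0\.0\.0\.0' \
        | LC_ALL=C sort -u
}

# Addresses seen in the infected image that the baseline never touched.
new_ips() {
    new_lines "$(unique_ips "$1")" "$(unique_ips "$2")"
}

main() {
    echo "== New processes =="; new_lines "$BASELINE_PSLIST" "$INFECTED_PSLIST"
    echo "== New connections =="; new_lines "$BASELINE_NETSCAN" "$INFECTED_NETSCAN"
    echo "== New IPs =="; new_ips "$BASELINE_NETSCAN" "$INFECTED_NETSCAN"
}
main
```

Feeding it real `vol.py ... pslist` and `netscan` output saved to files for each image is the only change needed to use it on actual captures.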

Example Output:

Script: