8. Listing Network Connections and Sockets

Most malicious programs perform some network activity, either to download additional components, to receive commands from the attacker, to exfiltrate data, or to create a remote backdoor on the system. Inspecting the network activity will help you determine the network operations of the malware on the infected system. In many cases, it is useful to associate the process running on the infected system with the activity detected on the network. To determine the active network connections on pre-Vista systems (such as Windows XP and 2003), you can use the connections plugin. The following command shows an example of using the connections plugin to print the active connections from a memory dump infected with BlackEnergy malware. From the following output, you can see that the process with a process ID of 756 was responsible for the C2 communication on port 443. After running the pslist plugin, you can tell that PID 756 is associated with the svchost.exe process:

$ python vol.py -f be3.vmem --profile=WinXPSP3x86 connections
Volatility Foundation Volatility Framework 2.6
Offset(V) Local Address Remote Address Pid
---------- ------------------ -------------- -------
0x81549748 192.168.1.100:1037 X.X.32.230:443 756
$ python vol.py -f be3.vmem --profile=WinXPSP3x86 pslist -p 756
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- ----------- --- ---- ---- ---- ---- ------ --------------------
0x8185a808 svchost.exe 756 580 22 442 0 0 2016-01-13 18:38:10

Another plugin that you can use to list the network connections on pre-Vista systems is connscan. It uses the pool tag scanning approach to determine the connections. As a result, it can also detect terminated connections. In the following example of a memory image infected with the TDL3 rootkit, the connections plugin does not return any results, whereas the connscan plugin displays the network connection. This does not necessarily mean that the connection is hidden; it just means that the network connection was not active (or had been terminated) when the memory image was acquired:

$ python vol.py -f tdl3.vmem --profile=WinXPSP3x86 connections
Volatility Foundation Volatility Framework 2.6
Offset(V) Local Address Remote Address Pid
---------- ------------- -------------- ----
$ python vol.py -f tdl3.vmem --profile=WinXPSP3x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Local Address Remote Address Pid
---------- ------------------ --------------- -----
0x093812b0 192.168.1.100:1032 XX.XXX.92.121:80 880

Sometimes, you may want to get information about the open sockets and their associated processes. On pre-Vista systems, you can get information about the open ports using the sockets and sockscan plugins. The sockets plugin prints the list of open sockets, and the sockscan plugin uses the pool tag scanning approach. As a result, it can also detect ports that have been closed.

On Vista and later systems (such as Windows 7), you can use the netscan plugin to display both the network connections and the sockets. The netscan plugin uses the pool tag scanning approach, similar to the sockscan and connscan plugins. In the following example of a memory image infected with the DarkComet RAT, the netscan plugin displays C2 communication on port 81, which was made by the malicious process dmt.exe (PID 3768):

$ python vol.py -f darkcomet.vmem --profile=Win7SP1x86 netscan
Volatility Foundation Volatility Framework 2.6
Proto Local Address Foreign Address State Pid Owner
TCPv4 192.168.1.60:139 0.0.0.0:0 LISTENING 4 System
UDPv4 192.168.1.60:137 *:* 4 System
UDPv4 0.0.0.0:0 *:* 1144 svchost.exe
TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 496 services.exe
UDPv4 0.0.0.0:64471 *:* 1064 svchost.exe
[REMOVED]
UDPv4 0.0.0.0:64470 *:* 1064 svchost.exe
TCPv4 192.168.1.60:49162 XX.XXX.228.199:81 ESTABLISHED 3768 dmt.exe
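The correlation done by hand above (connections or connscan output, then pslist -p for the owning process, or netscan's own Owner column) is easy to script once a memory image has dozens of rows. The following is an added example, not code from the book or from the Volatility project: it parses the column layouts shown above, filters out wildcard, unspecified, loopback, link-local and RFC1918 peers, and tags each remaining connection with its process name. The sample plugin output is constructed, with documentation-range addresses standing in for the masked X.X values.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample output (not from the book) in the column layouts printed by
# the connections, pslist and netscan plugins; the remote addresses are
# documentation-range placeholders standing in for the masked X.X values above.
CONNECTIONS_OUT = """Offset(V) Local Address Remote Address Pid
---------- ------------------ -------------- -------
0x81549748 192.168.1.100:1037 203.0.113.230:443 756
"""
PSLIST_OUT = """Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
0x8185a808 svchost.exe 756 580 22 442 0 0 2016-01-13 18:38:10
"""
NETSCAN_OUT = """Proto Local Address Foreign Address State Pid Owner
TCPv4 192.168.1.60:139 0.0.0.0:0 LISTENING 4 System
UDPv4 192.168.1.60:137 *:* 4 System
TCPv4 192.168.1.60:49162 198.51.100.199:81 ESTABLISHED 3768 dmt.exe
"""
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)$", re.I)
PS_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s", re.I)
# netscan: optional leading Offset(P) column; UDP rows carry no State column.
NET_RE = re.compile(r"^(?:0x[0-9a-f]+\s+)?((?:TCP|UDP)v[46])\s+(\S+)\s+(\S+)\s+"
                    r"(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)", re.I)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def parse_connections(text):
    """Rows of connections/connscan output as local, remote, pid."""
    ms = (CONN_RE.match(ln.strip()) for ln in text.splitlines())
    return [{"local": m[1], "remote": m[2], "pid": int(m[3])} for m in ms if m]
def parse_pslist(text):
    """pid -> process name, the lookup done by hand above with pslist -p."""
    ms = (PS_RE.match(ln.strip()) for ln in text.splitlines())
    return {int(m[2]): m[1] for m in ms if m}

def parse_netscan(text):
    """Rows of netscan output; 'state' is None for UDP sockets."""
    ms = (NET_RE.match(ln.strip()) for ln in text.splitlines())
    return [{"proto": m[1], "local": m[2], "remote": m[3], "state": m[4],
             "pid": int(m[5]), "owner": m[6]} for m in ms if m]

def is_external(endpoint):
    """True when an IPv4 host:port peer is not wildcard/unspecified/loopback/link-local/RFC1918."""
    try:
        a = ip_address(endpoint.rsplit(":", 1)[0])
    except ValueError:                 # '*:*' wildcard in UDP rows
        return False
    return not (a.is_unspecified or a.is_loopback or a.is_link_local
                or any(a in n for n in RFC1918))

def external_connections(rows, pid_names=None):
    """Rows talking to a non-local peer, each tagged with its owning process."""
    return [dict(r, owner=r.get("owner") or (pid_names or {}).get(r["pid"], "?"))
            for r in rows if is_external(r["remote"])]
```

Feed it the real plugin output (for example via subprocess or a saved text file) and extend RFC1918 with your own internal ranges so that only genuinely external peers are left to triage against pslist.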