Quick Volatility overview and R.E. analysis of Win32.Chebri

In this article we start from the physical memory dump of a machine suspected of malware compromise. Using Volatility, we establish whether the machine is infected and produce evidence from memory artifacts. In the following steps the malicious component is carved from memory and analyzed with a classical reverse engineering approach.

It is important to stress that we are not dealing with a complex malware here (Win32.Chebri is fairly simple); the aim of this tutorial is to show how to handle and analyze a real case of a machine suspected of compromise.
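As an added illustration of the "establish whether the machine is infected from memory artifacts" step (example code, not from the original article), the snippet below cross-checks two Volatility 2 process views: `pslist` walks the kernel's linked process list, while `psscan` carves `_EPROCESS` objects from physical memory, so an entry returned only by `psscan` is a candidate for a hidden (unlinked) process. The plugin output embedded below is constructed sample text, and the process name `update.exe` is a placeholder, not a Chebri artifact.

```python
# Cross-view comparison of constructed Volatility 2 "pslist" and "psscan" output.
# A process that psscan carves from memory but pslist does not report is either
# hidden (unlinked from the active process list) or already terminated.

PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x81e4ada0 explorer.exe           1516   1488     16      530      0      0 2011-04-20 10:28:21 UTC+0000
0x81d8e020 svchost.exe            1024    668     10      120      0      0 2011-04-20 10:28:10 UTC+0000
"""

PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x0000000002029020 System                4      0 0x00319000 2011-04-20 10:27:55 UTC+0000
0x0000000001e4ada0 explorer.exe       1516   1488 0x0a5c0020 2011-04-20 10:28:21 UTC+0000
0x0000000001d8e020 svchost.exe        1024    668 0x0b1c0040 2011-04-20 10:28:10 UTC+0000
0x0000000001f02b40 update.exe         1832   1516 0x0c3a0060 2011-04-20 10:30:47 UTC+0000
"""


def parse_processes(output):
    """Return {pid: name}; both plugins print offset, name, PID, PPID as the first columns."""
    procs = {}
    for line in output.splitlines():
        fields = line.split()
        # Skip the header, the dashed separator and blank lines.
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue
        name, pid = fields[1], int(fields[2])
        procs[pid] = name
    return procs


def hidden_processes(pslist_out, psscan_out):
    """PIDs carved by psscan that the linked process list does not report."""
    listed = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    return {pid: name for pid, name in scanned.items() if pid not in listed}


if __name__ == "__main__":
    for pid, name in hidden_processes(PSLIST_OUT, PSSCAN_OUT).items():
        print(f"candidate hidden process: {name} (pid {pid})")
```

Because `psscan` also recovers process objects that have already exited, check the "Time exited" column of the real plugin output before treating a discrepancy as evidence of hiding.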