{"id":18291364,"url":"https://github.com/jpcertcc/malconfscan-with-cuckoo","last_synced_at":"2025-07-23T08:31:13.424Z","repository":{"id":97103523,"uuid":"182596560","full_name":"JPCERTCC/MalConfScan-with-Cuckoo","owner":"JPCERTCC","description":"Cuckoo Sandbox plugin for extracts configuration data of known malware","archived":false,"fork":false,"pushed_at":"2023-12-22T07:00:44.000Z","size":772,"stargazers_count":135,"open_issues_count":0,"forks_count":25,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-05-13T09:06:39.198Z","etag":null,"topics":["cuckoo-sandbox","malware","memory","python","security","volatility"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JPCERTCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-04-22T00:27:59.000Z","updated_at":"2024-12-18T03:36:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"8b305d0f-1b12-48d6-8943-306e9d121597","html_url":"https://github.com/JPCERTCC/MalConfScan-with-Cuckoo","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/JPCERTCC/MalConfScan-with-Cuckoo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FMalConfScan-with-Cuckoo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FMalConfScan-with-Cuckoo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FMalConfScan-with-Cuckoo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/JPCERTCC%2FMalConfScan-with-Cuckoo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JPCERTCC","download_url":"https://codeload.github.com/JPCERTCC/MalConfScan-with-Cuckoo/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FMalConfScan-with-Cuckoo/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266644829,"owners_count":23961586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cuckoo-sandbox","malware","memory","python","security","volatility"],"created_at":"2024-11-05T14:14:00.490Z","updated_at":"2025-07-23T08:31:13.355Z","avatar_url":"https://github.com/JPCERTCC.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Arsenal](https://rawgit.com/toolswatch/badges/master/arsenal/usa/2019.svg)](http://www.toolswatch.org/2019/05/amazing-black-hat-arsenal-usa-2019-lineup-announced/) \n\n\u003cdiv align=\"center\"\u003e\u003cimg src=\"img/title.png\" width=80%\u003e\u003c/div\u003e\n\n## Introduction\n\n[__MalConfScan__](https://github.com/JPCERTCC/MalConfScan) integration for [__Cuckoo Sandbox__](https://github.com/cuckoosandbox/cuckoo).\u003cbr\u003e\nThis plugin lets you integrate MalConfScan into Cuckoo Sandbox with the patch file. 
The plugin adds the ability to extract known malware's configuration data from the memory dump and adds the MalConfScan report to Cuckoo Sandbox.\u003cbr\u003e\u003cbr\u003e\n\n### Sample report\n\n#### Screenshot: Sample report of [Himawari (a variant of RedLeaves)](https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html) in Cuckoo\n\n![Himawari Cuckoo](https://raw.githubusercontent.com/JPCERTCC/MalConfScan-with-Cuckoo/master/img/himawari-cuckoo.png)\n\n#### Sample `report.json`\n\n```json\n...snip...\n\"malconfscan\": {\n    \"data\": [\n        {\n            \"malconf\": [\n                [\n                    {\"Server1\": \"diamond.ninth.biz\"}, \n                    {\"Server2\": \"diamond.ninth.biz\"}, \n                    {\"Server3\": \"diamond.ninth.biz\"}, \n                    {\"Server4\": \"diamond.ninth.biz\"}, \n                    {\"Port\": \"443\"}, \n                    {\"Mode\": \"TCP and HTTP\"}, \n                    {\"ID\": \"2017-11-28-MACRO\"}, \n                    {\"Mutex\": \"Q34894iq\"}, \n                    {\"Key\": \"usotsuki\"}, \n                    {\"UserAgent\": \"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)\"}, \n                    {\"Proxy server\": \"\"}, \n                    {\"Proxy username\": \"\"}, \n                    {\"Proxy password\": \"\"}\n                ]\n            ], \n            \"vad_base_addr\": \"0x04521984\", \n            \"process_name\": \"iexplore.exe\", \n            \"process_id\": \"2248\", \n            \"malware_name\": \"Himawari\", \n            \"size\": \"0x00815104\"\n        }\n    ],\n},\n...snip...\n```\n\n## What's MalConfScan?\n\nMalConfScan is a [Volatility](https://github.com/volatilityfoundation/volatility) plugin that extracts the configuration data of known malware. It supports 20+ malware families. 
Details are in the [MalConfScan wiki](https://github.com/JPCERTCC/MalConfScan/wiki).\n\n## How to install\n\nPatch the Cuckoo Sandbox source code with the deploy script and deploy Cuckoo Sandbox. For more detail, see the [Wiki](https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki).\n\n## How to use\n\n1. Set up your Cuckoo Sandbox and patch it with `malconfscan.patch`.\n2. Submit your sample to the sandbox.\n3. Check the report.\n\n## Overview \u0026 Demonstration\n\nThe following [YouTube video](https://youtu.be/2K8Vh0XqG24) gives an overview of MalConfScan with Cuckoo.\n\n[![MalConfScan-with-Cuckoo_Overview](https://img.youtube.com/vi/2K8Vh0XqG24/sddefault.jpg)](https://youtu.be/2K8Vh0XqG24)\n\nThe following [YouTube video](https://youtu.be/754NnYWJo_s) is a demonstration of MalConfScan with Cuckoo.\n\n[![MalConfScan-with-Cuckoo_Demonstration](https://img.youtube.com/vi/754NnYWJo_s/sddefault.jpg)](https://youtu.be/754NnYWJo_s)\n\n## Notes\n\nTested with the following environment:\n - Python 2.7.15\n - Cuckoo Sandbox 2.0.6\n - Volatility 2.6\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Fmalconfscan-with-cuckoo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpcertcc%2Fmalconfscan-with-cuckoo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Fmalconfscan-with-cuckoo/lists"}