Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/JPCERTCC/MalConfScan
Volatility plugin for extracts configuration data of known malware
https://github.com/JPCERTCC/MalConfScan
forensics malware memory python security volatility
Last synced: about 2 months ago
JSON representation
Volatility plugin for extracts configuration data of known malware
- Host: GitHub
- URL: https://github.com/JPCERTCC/MalConfScan
- Owner: JPCERTCC
- License: other
- Created: 2019-04-22T00:23:02.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2023-12-22T05:43:15.000Z (9 months ago)
- Last Synced: 2024-06-20T17:29:52.781Z (3 months ago)
- Topics: forensics, malware, memory, python, security, volatility
- Language: Python
- Homepage:
- Size: 590 KB
- Stars: 476
- Watchers: 36
- Forks: 68
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-volatility - MalConfScan - Plugin extracts configuration data of known malware (Volatility 2 / Plugins)
- awesome-rainmana - JPCERTCC/MalConfScan - Volatility plugin for extracts configuration data of known malware (Python)
README
[](http://www.toolswatch.org/2019/05/amazing-black-hat-arsenal-usa-2019-lineup-announced/)
## Concept
**MalConfScan** is a [Volatility](https://github.com/volatilityfoundation/volatility) plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.
## Supported Malware Families
MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:
- [x] Ursnif
- [x] Emotet
- [x] Smoke Loader
- [x] PoisonIvy
- [x] CobaltStrike
- [x] NetWire
- [x] PlugX
- [x] RedLeaves / Himawari / Lavender / Armadill / zark20rk
- [x] TSCookie
- [x] TSC_Loader
- [x] xxmm
- [x] Datper
- [x] Ramnit
- [x] HawkEye
- [x] Lokibot
- [x] Bebloh (Shiotob/URLZone)
- [x] AZORult
- [x] NanoCore RAT
- [x] AgentTesla
- [x] FormBook
- [x] NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
- [x] njRAT
- [x] TrickBot
- [x] Remcos
- [x] QuasarRAT
- [x] AsyncRAT
- [x] WellMess (Windows/Linux)
- [x] ELF_PLEAD
- [ ] Pony
## Additional Analysis
MalConfScan has a function to list strings to which malicious code refers. Configuration data is usually encoded by malware. Malware writes decoded configuration data to memory, it may be in memory. This feature may list decoded configuration data.
## How to Install
If you want to know more details, please check [the MalConfScan wiki](https://github.com/JPCERTCC/MalConfScan/wiki).
## How to Use
MalConfScan has two functions **malconfscan**, **linux_malconfscan** and **malstrscan**.
### Export known malware configuration
```
$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64
```
### Export known malware configuration for Linux
```
$ python vol.py linux_malconfscan -f images.mem --profile=LinuxDebianx64
```
### List the referenced strings
```
$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64
```
## Overview & Demonstration
Following [YouTube video](https://youtu.be/n36WAzgHldY) shows the overview of MalConfScan.
[](https://youtu.be/n36WAzgHldY)
And, following [YouTube video](https://youtu.be/kPsOvoRHK3k) is the demonstration of MalConfScan.
[](https://youtu.be/kPsOvoRHK3k)
## MalConfScan with Cuckoo
Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check [MalConfScan with Cuckoo](https://github.com/JPCERTCC/MalConfScan-with-Cuckoo).