
JPCERTCC / Malconfscan

Licence: other
Volatility plugin that extracts configuration data of known malware


Concept

MalConfScan is a Volatility plugin that extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps its configuration data. In addition, this tool has a function to list the strings that the malicious code refers to.

MalConfScan sample

Supported Malware Families

MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:

  • [x] Ursnif
  • [x] Emotet
  • [x] Smoke Loader
  • [x] PoisonIvy
  • [x] CobaltStrike
  • [x] NetWire
  • [x] PlugX
  • [x] RedLeaves / Himawari / Lavender / Armadill / zark20rk
  • [x] TSCookie
  • [x] TSC_Loader
  • [x] xxmm
  • [x] Datper
  • [x] Ramnit
  • [x] HawkEye
  • [x] Lokibot
  • [x] Bebloh (Shiotob/URLZone)
  • [x] AZORult
  • [x] NanoCore RAT
  • [x] AgentTesla
  • [x] FormBook
  • [x] NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
  • [x] njRAT
  • [x] TrickBot
  • [x] Remcos
  • [x] QuasarRAT
  • [x] AsyncRAT
  • [x] WellMess (Windows/Linux)
  • [x] ELF_PLEAD
  • [ ] Pony

Additional Analysis

MalConfScan has a function to list the strings that malicious code refers to. Configuration data is usually stored in encoded form by the malware, but the malware writes the decoded configuration data to memory, so it may still be present in the memory image. This feature may therefore list the decoded configuration data.

How to Install

If you want to know more details, please check the MalConfScan wiki.

How to Use

MalConfScan provides the following functions: malconfscan, linux_malconfscan and malstrscan.

Export known malware configuration

$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64

Export known malware configuration for Linux

$ python vol.py linux_malconfscan -f images.mem --profile=LinuxDebianx64

List the referenced strings

$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64

Overview & Demonstration

The following YouTube video shows an overview of MalConfScan.

MalConfScan_Overview

The following YouTube video is a demonstration of MalConfScan.

MalConfScan_Demonstration

MalConfScan with Cuckoo

Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check MalConfScan with Cuckoo.
