JPCERTCC / Malconfscan With Cuckoo

Licence: other
Cuckoo Sandbox plugin for extracts configuration data of known malware

Projects that are alternatives of or similar to Malconfscan With Cuckoo

Malconfscan
Volatility plugin for extracts configuration data of known malware
Stars: ✭ 327 (+197.27%)
Mutual labels:  memory, malware
moneta
Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
Stars: ✭ 384 (+249.09%)
Mutual labels:  memory, malware
Memtriage
Allows you to quickly query a Windows machine for RAM artifacts
Stars: ✭ 200 (+81.82%)
Mutual labels:  memory, malware
Volatility
An advanced memory forensics framework
Stars: ✭ 5,042 (+4483.64%)
Mutual labels:  memory, malware
Iglance
Free system monitor for OSX and macOS. See all system information at a glance in the menu bar.
Stars: ✭ 1,358 (+1134.55%)
Mutual labels:  memory
Sharlayan
Visit us on Discord! https://discord.gg/aCzSANp
Stars: ✭ 91 (-17.27%)
Mutual labels:  memory
Mnemonic
Apache Mnemonic - A non-volatile hybrid memory storage oriented library
Stars: ✭ 91 (-17.27%)
Mutual labels:  memory
Python Haystack
Process heap analysis framework - Windows/Linux - record type inference and forensics
Stars: ✭ 89 (-19.09%)
Mutual labels:  memory
Awesome Malware
💻⚠️ A curated collection of awesome malware, botnets, and other post-exploitation tools.
Stars: ✭ 108 (-1.82%)
Mutual labels:  malware
Relocbonus
An obfuscation tool for Windows which instruments the Windows Loader into acting as an unpacking engine.
Stars: ✭ 106 (-3.64%)
Mutual labels:  malware
Artifacts Kit
Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
Stars: ✭ 99 (-10%)
Mutual labels:  malware
Lwmem
Lightweight dynamic memory manager library for embedded systems with memory constraints. It implements malloc, calloc, realloc and free functions
Stars: ✭ 92 (-16.36%)
Mutual labels:  memory
Server Stats
Statsy is a easy to use open source PHP tool for developers, that allows you to return various types of information about your server.
Stars: ✭ 101 (-8.18%)
Mutual labels:  memory
Malware scripts
Various scripts for different malware families
Stars: ✭ 91 (-17.27%)
Mutual labels:  malware
Node Cache
a node internal (in-memory) caching module
Stars: ✭ 1,660 (+1409.09%)
Mutual labels:  memory
Injectallthethings
Seven different DLL injection techniques in one single project.
Stars: ✭ 1,297 (+1079.09%)
Mutual labels:  malware
Mcelog
Linux kernel machine check handling middleware
Stars: ✭ 96 (-12.73%)
Mutual labels:  memory
Inferno
🔥 Modern command line tool for malware creation on Windows
Stars: ✭ 105 (-4.55%)
Mutual labels:  malware
Illuminatejs
IlluminateJS is a static JavaScript deobfuscator
Stars: ✭ 96 (-12.73%)
Mutual labels:  malware
Python Ransomware
Python Ransomware Tutorial - YouTube tutorial explaining code + showcasing the ransomware with victim/target roles
Stars: ✭ 96 (-12.73%)
Mutual labels:  malware

Introduction

MalConfScan integration for Cuckoo Sandbox.
This plugin lets you integrate MalConfScan into Cuckoo Sandbox by applying the supplied patch file. The patched Cuckoo extracts the configuration data of known malware from the analysis memory dump and adds a MalConfScan section to the Cuckoo report.

Sample report

Screenshot: sample report of Himawari (a variant of RedLeaves) in Cuckoo

Sample report.json

...snip...
"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server1": "diamond.ninth.biz"},
                    {"Server2": "diamond.ninth.biz"},
                    {"Server3": "diamond.ninth.biz"},
                    {"Server4": "diamond.ninth.biz"},
                    {"Port": "443"},
                    {"Mode": "TCP and HTTP"},
                    {"ID": "2017-11-28-MACRO"},
                    {"Mutex": "Q34894iq"},
                    {"Key": "usotsuki"},
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"},
                    {"Proxy server": ""},
                    {"Proxy username": ""},
                    {"Proxy password": ""}
                ]
            ],
            "vad_base_addr": "0x04521984",
            "process_name": "iexplore.exe",
            "process_id": "2248",
            "malware_name": "Himawari",
            "size": "0x00815104"
        }
    ]
},
...snip...
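The report fragment above is what an analyst or a downstream pipeline actually consumes: the "malconf" value is a list of lists of single-key dictionaries, so the C2 servers, port and mutex have to be merged before they can be turned into indicators. The following script is an added example, not part of this project or of MalConfScan; it parses a report.json in the shape shown above and flattens each hit into a per-process indicator record. The embedded SAMPLE_REPORT is a constructed subset of the Himawari report above, and the "info" key is assumed only to mimic a full Cuckoo report.

```python
import json

# Constructed sample: a minimal report.json containing only the keys this
# script needs. The "malconfscan" section copies the shape shown in the README.
SAMPLE_REPORT = """
{
  "info": {"id": 1},
  "malconfscan": {
    "data": [
      {
        "malconf": [
          [
            {"Server1": "diamond.ninth.biz"},
            {"Server2": "diamond.ninth.biz"},
            {"Port": "443"},
            {"Mode": "TCP and HTTP"},
            {"Mutex": "Q34894iq"},
            {"Proxy server": ""}
          ]
        ],
        "vad_base_addr": "0x04521984",
        "process_name": "iexplore.exe",
        "process_id": "2248",
        "malware_name": "Himawari",
        "size": "0x00815104"
      }
    ]
  }
}
"""


def flatten_malconf(entry):
    """Merge the list-of-lists-of-single-key-dicts under "malconf" into one
    dict. Empty values (unset proxy fields, for example) are dropped so they
    do not end up as blank indicators."""
    merged = {}
    for block in entry.get("malconf", []):
        for item in block:
            for key, value in item.items():
                if value not in ("", None):
                    merged[key] = value
    return merged


def extract_indicators(report):
    """Return one indicator record per process MalConfScan matched.
    Any key that starts with "server" (Server1..ServerN) is treated as a
    C2 host; duplicates are collapsed because the same host often repeats."""
    results = []
    for entry in report.get("malconfscan", {}).get("data", []):
        conf = flatten_malconf(entry)
        hosts = sorted({v for k, v in conf.items()
                        if k.lower().startswith("server")})
        results.append({
            "family": entry.get("malware_name"),
            "process": "%s (pid %s)" % (entry.get("process_name"),
                                        entry.get("process_id")),
            "vad_base": entry.get("vad_base_addr"),
            "c2_hosts": hosts,
            "port": conf.get("Port"),
            "mutex": conf.get("Mutex"),
            "config": conf,
        })
    return results


def load_report(text):
    """Parse a report.json string and extract the MalConfScan indicators.
    A report without a "malconfscan" section yields an empty list."""
    return extract_indicators(json.loads(text))


if __name__ == "__main__":
    for hit in load_report(SAMPLE_REPORT):
        print("%s in %s at %s" % (hit["family"], hit["process"], hit["vad_base"]))
        print("  C2: %s port %s" % (", ".join(hit["c2_hosts"]), hit["port"]))
        print("  mutex: %s" % hit["mutex"])
```

To run it against a real analysis, read `storage/analyses/<id>/reports/report.json` from your Cuckoo working directory and pass its contents to `load_report`; the returned hosts and mutex are strings recovered from attacker-controlled memory and should be validated before being pushed into blocklists or detection rules.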

What's MalConfScan?

MalConfScan is a Volatility plugin that extracts the configuration data of known malware from a memory image. It supports 20+ malware families. Check the details here.

How to install

Modify the source code of Cuckoo Sandbox with the deploy script and then deploy Cuckoo Sandbox. For more detail, please check the Wiki.

How to use

  1. Set up your Cuckoo Sandbox and patch it with malconfscan.patch.
  2. Submit your sample to the sandbox.
  3. Check the report.

Overview & Demonstration

The following YouTube video gives an overview of MalConfScan with Cuckoo.

MalConfScan-with-Cuckoo_Overview

The following YouTube video is a demonstration of MalConfScan with Cuckoo.

MalConfScan-with-Cuckoo_Demonstration

Notes

Tested with the following environments:

  • Python 2.7.15
  • Cuckoo Sandbox 2.0.6
  • Volatility 2.6