  • Language
    Python
  • License
    GNU General Publi...
  • Created over 5 years ago
  • Updated 11 months ago

Repository Details

Cuckoo Sandbox plugin for extracting configuration data of known malware

Introduction

MalConfScan integration for Cuckoo Sandbox.
This plugin lets you integrate MalConfScan into Cuckoo Sandbox by applying the patch file. It adds the ability to extract known malware's configuration data from a memory dump and adds the MalConfScan report to the Cuckoo Sandbox report.

Sample report

Screenshot: Sample report of Himawari (a variant of RedLeaves) in Cuckoo

Sample report.json

...snip...
"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server1": "diamond.ninth.biz"}, 
                    {"Server2": "diamond.ninth.biz"}, 
                    {"Server3": "diamond.ninth.biz"}, 
                    {"Server4": "diamond.ninth.biz"}, 
                    {"Port": "443"}, 
                    {"Mode": "TCP and HTTP"}, 
                    {"ID": "2017-11-28-MACRO"}, 
                    {"Mutex": "Q34894iq"}, 
                    {"Key": "usotsuki"}, 
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"}, 
                    {"Proxy server": ""}, 
                    {"Proxy username": ""}, 
                    {"Proxy password": ""}
                ]
            ], 
            "vad_base_addr": "0x04521984", 
            "process_name": "iexplore.exe", 
            "process_id": "2248", 
            "malware_name": "Himawari", 
            "size": "0x00815104"
        }
    ],
},
...snip...

What's MalConfScan?

MalConfScan is a Volatility plugin that extracts the configuration data of known malware. It supports 20+ malware families. Check the details here.

How to install

Modify the source code of Cuckoo Sandbox with the deploy-script and deploy Cuckoo Sandbox. For more details, please check the Wiki.

How to use

  1. Set up your Cuckoo Sandbox and patch it with malconfscan.patch.
  2. Submit your sample to the sandbox.
  3. Check the report.
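
For step 3, the "malconfscan" section of report.json can be reduced to a short triage summary per detection. The following is an added example, not code from the MalConfScan project; it assumes the report layout shown in the sample report.json above (abridged inline here), and the function names flatten_malconf and summarize_detections are hypothetical. Key names such as "Server1", "Port" and "Mutex" are taken from the Himawari sample and may differ for other malware families.

```python
import json

# Abridged copy of the sample report.json shown above (only the "malconfscan" key).
SAMPLE_REPORT = json.loads("""
{"malconfscan": {"data": [{
    "malconf": [[
        {"Server1": "diamond.ninth.biz"},
        {"Server2": "diamond.ninth.biz"},
        {"Port": "443"},
        {"Mutex": "Q34894iq"},
        {"Proxy server": ""}
    ]],
    "process_name": "iexplore.exe", "process_id": "2248",
    "malware_name": "Himawari"
}]}}
""")


def flatten_malconf(malconf):
    """Merge the nested lists of single-key dicts into one dict, dropping empty values."""
    merged = {}
    for block in malconf or []:
        for entry in block:
            for key, value in entry.items():
                if value != "":
                    merged[key] = value
    return merged


def summarize_detections(report):
    """Return one summary dict per MalConfScan detection in a Cuckoo report."""
    # A report from an unpatched Cuckoo, or one with no hit, has no "malconfscan" data.
    detections = (report.get("malconfscan") or {}).get("data") or []
    results = []
    for det in detections:
        conf = flatten_malconf(det.get("malconf"))
        # Assumption: server entries are keyed "Server1", "Server2", ... as in the sample.
        servers = sorted({v for k, v in conf.items() if k.lower().startswith("server")})
        results.append({
            "malware": det.get("malware_name"),
            "process": "%s (pid %s)" % (det.get("process_name"), det.get("process_id")),
            "servers": servers,
            "port": conf.get("Port"),
            "mutex": conf.get("Mutex"),
        })
    return results


if __name__ == "__main__":
    for row in summarize_detections(SAMPLE_REPORT):
        print(json.dumps(row, sort_keys=True))
```

To run it against a real analysis, replace SAMPLE_REPORT with the result of json.load() on that analysis's report.json.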

Overview & Demonstration

The following YouTube video shows an overview of MalConfScan with Cuckoo.

MalConfScan-with-Cuckoo_Overview

The following YouTube video is a demonstration of MalConfScan with Cuckoo.

MalConfScan-with-Cuckoo_Demonstration

Notes

Tested with the following environments.

  • Python 2.7.15
  • Cuckoo Sandbox 2.0.6
  • Volatility 2.6
