GitHub - JPCERTCC/MalConfScan-with-Cuckoo: Cuckoo Sandbox plugin for extracts configuration data of known malware
Skip to content

Cuckoo Sandbox plugin for extracts configuration data of known malware

License

Notifications You must be signed in to change notification settings

JPCERTCC/MalConfScan-with-Cuckoo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Arsenal

Introduction

MalConfScan integration for Cuckoo Sandbox.
This plugin lets you integrate MalConfScan into Cuckoo Sandbox with the patch file. The plugin would add the function to extract known malware's configuration data from memory dump and, add the MalConfScan report into Cuckoo Sandbox.

Sample report

Screenshot: Sample report of Himawari (a variant of RedLeaves) in Cuckoo

Himawari Cuckoo

Sample report.json

...snip...
"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server1": "diamond.ninth.biz"}, 
                    {"Server2": "diamond.ninth.biz"}, 
                    {"Server3": "diamond.ninth.biz"}, 
                    {"Server4": "diamond.ninth.biz"}, 
                    {"Port": "443"}, 
                    {"Mode": "TCP and HTTP"}, 
                    {"ID": "2017-11-28-MACRO"}, 
                    {"Mutex": "Q34894iq"}, 
                    {"Key": "usotsuki"}, 
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"}, 
                    {"Proxy server": ""}, 
                    {"Proxy username": ""}, 
                    {"Proxy password": ""}
                ]
            ], 
            "vad_base_addr": "0x04521984", 
            "process_name": "iexplore.exe", 
            "process_id": "2248", 
            "malware_name": "Himawari", 
            "size": "0x00815104"
        }
    ],
},
...snip...

What's MalConfScan?

MalConfScan is a Volatility plugin extracts the configuration data of known malware. It supports 20+ malware families. Check the detail here.

How to install

Modify the source code of Cuckoo Sandbox with the deploy-script and deploy Cuckoo Sandbox. If you want to know more detail, please check the Wiki.

How to use

  1. Setup your Cuckoo Sandbox and patch it with malconfscan.patch.
  2. Submit your sample to the sandbox.
  3. Check the report.

Overview & Demonstration

Following YouTube video shows the overview of MalConfScan with Cuckoo.

MalConfScan-with-Cuckoo_Overview

And, following YouTube video is the demonstration of MalConfScan with Cuckoo.

MalConfScan-with-Cuckoo_Demonstration

Notes

Tested with following environments.

  • Python 2.7.15
  • Cuckoo Sandbox 2.0.6
  • Volatility 2.6