Home · JPCERTCC/MalConfScan-with-Cuckoo Wiki · GitHub
t-tani edited this page Jun 20, 2019 · 3 revisions

MalConfScan-with-Cuckoo wiki

MalConfScan-with-Cuckoo is a Cuckoo Sandbox plugin that extracts configuration data of known malware. Cuckoo Sandbox is an open-source automated malware analysis system. The plugin integrates MalConfScan into your Cuckoo Sandbox: for each analysis session it scans the sandbox's memory dump for known malware families and dumps their configuration data into the report. Before activating the plugin, you need to install Volatility, Yara and MalConfScan on your Cuckoo server.
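Before enabling the plugin it is worth confirming, on the Cuckoo server itself, that the three prerequisites are in place and that MalConfScan runs against a memory dump Cuckoo has already produced. The helper below is an added example, not code from MalConfScan-with-Cuckoo or MalConfScan. It assumes Cuckoo 2.x's storage layout (`storage/analyses/<id>/memory.dmp` under the Cuckoo working directory), Volatility 2 invoked as `vol.py --plugins=DIR -f DUMP --profile=PROFILE malconfscan` under Python 2, and that the MalConfScan checkout contains a `malconfscan.py` plugin file; every path and the `python2` interpreter name are placeholders to adjust for your installation.

```python
"""Pre-flight check and manual MalConfScan run against a Cuckoo memory dump.

Added example (not part of MalConfScan-with-Cuckoo). Assumptions:
  - Cuckoo 2.x keeps each analysis' memory dump at
    <cuckoo_root>/storage/analyses/<id>/memory.dmp
  - Volatility 2 is run as: python2 vol.py --plugins=DIR -f DUMP
        --profile=PROFILE malconfscan
  - the MalConfScan plugin directory contains malconfscan.py
"""
import importlib.util
import os
import subprocess
from typing import List, Optional


def memory_dump_path(cuckoo_root: str, analysis_id: int) -> str:
    """Path of the memory dump Cuckoo 2.x writes for one analysis (assumed layout)."""
    return os.path.join(cuckoo_root, "storage", "analyses",
                        str(analysis_id), "memory.dmp")


def check_prerequisites(vol_path: str, plugins_dir: str) -> List[str]:
    """Return the prerequisites that are missing (empty list when all are present).

    vol_path    -- Volatility 2's vol.py
    plugins_dir -- directory holding MalConfScan's malconfscan.py (assumed file name)
    """
    missing = []
    if not os.path.isfile(vol_path):
        missing.append("volatility: %s not found" % vol_path)
    # MalConfScan matches families with Yara rules, so the yara Python
    # binding must be importable by the interpreter that runs Volatility.
    if importlib.util.find_spec("yara") is None:
        missing.append("yara: Python module 'yara' not importable")
    plugin_file = os.path.join(plugins_dir, "malconfscan.py")
    if not os.path.isfile(plugin_file):
        missing.append("malconfscan plugin: %s not found" % plugin_file)
    return missing


def build_command(vol_path: str, plugins_dir: str, dump_path: str,
                  profile: str, interpreter: str = "python2") -> List[str]:
    """Volatility 2 command line that runs the malconfscan plugin on one dump."""
    return [interpreter, vol_path, "--plugins=" + plugins_dir,
            "-f", dump_path, "--profile=" + profile, "malconfscan"]


def run_malconfscan(vol_path: str, plugins_dir: str, dump_path: str,
                    profile: str) -> Optional[str]:
    """Run MalConfScan on the dump and return its stdout, or None if a
    prerequisite is missing (the problems are printed instead)."""
    missing = check_prerequisites(vol_path, plugins_dir)
    if missing:
        for item in missing:
            print("[-] " + item)
        return None
    if not os.path.isfile(dump_path):
        print("[-] memory dump not found: %s" % dump_path)
        return None
    proc = subprocess.run(build_command(vol_path, plugins_dir, dump_path, profile),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    if proc.returncode != 0:
        print("[-] volatility exited with %d: %s" % (proc.returncode, proc.stderr))
        return None
    return proc.stdout


if __name__ == "__main__":
    # Placeholder locations; analysis id 1 and a Win7 x64 profile are examples.
    DUMP = memory_dump_path("/home/cuckoo/.cuckoo", 1)
    out = run_malconfscan("/opt/volatility/vol.py", "/opt/MalConfScan",
                          DUMP, "Win7SP1x64")
    if out is not None:
        print(out)
```

If the run reports that `memory.dmp` is missing, the sandbox is not producing memory dumps at all; in Cuckoo 2.x that is controlled by `memory_dump` in `cuckoo.conf`, and the plugin has nothing to scan until it is enabled.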

Screenshot

[Screenshot: sample report of Himawari (a variant of RedLeaves) in Cuckoo]

Supported Malware Families

MalConfScan-with-Cuckoo can extract configuration data, decoded strings or DGA domains for the following malware families:

  • Ursnif
  • Emotet
  • Smoke Loader
  • PoisonIvy
  • CobaltStrike
  • NetWire
  • PlugX
  • RedLeaves / Himawari / Lavender / Armadill / zark20rk
  • TSCookie
  • TSC_Loader
  • xxmm
  • Datper
  • Ramnit
  • HawkEye
  • Lokibot
  • Bebloh (Shiotob/URLZone)
  • AZORult
  • NanoCore RAT
  • AgentTesla
  • FormBook
  • NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
  • njRAT
  • TrickBot
  • Remcos
  • Pony
