Skip to content
Volatility plugin for extracts configuration data of known malware
Branch: master
Clone or download
shu-tom Merge pull request #1 from t-tani/dev
add new a function to emotetscan.py
Latest commit 71dd248 May 17, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
images Released v0.0.1 Apr 22, 2019
utils add new function in emotetscan.py May 16, 2019
yara Updated Ursnif yara rule Apr 24, 2019
.gitignore Released v0.0.1 Apr 22, 2019
LICENSE.txt Released v0.0.1 Apr 22, 2019
README.md Released v0.0.1 Apr 22, 2019
malconfscan.py Released v0.0.1 Apr 22, 2019
requirements.txt Released v0.0.1 Apr 22, 2019

README.md

Concept

 MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.

MalConfScan sample

Supported Malware Families

MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:

  • Ursnif
  • Emotet
  • Smoke Loader
  • PoisonIvy
  • CobaltStrike
  • NetWire
  • PlugX
  • RedLeaves / Himawari / Lavender / Armadill / zark20rk
  • TSCookie
  • TSC_Loader
  • xxmm
  • Datper
  • Ramnit
  • HawkEye
  • Lokibot
  • Bebloh (Shiotob/URLZone)
  • AZORult
  • NanoCore RAT
  • AgentTesla
  • FormBook
  • NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
  • Pony
  • njRAT

Additional Analysis

MalConfScan has a function to list strings to which malicious code refers. Configuration data is usually encoded by malware. Malware writes decoded configuration data to memory, it may be in memory. This feature may list decoded configuration data.

How to Install

If you want to know more details, please check the MalConfScan wiki.

How to Use

MalConfScan has two functions malconfscan and malstrscan.

Export known malware configuration

$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64

List the referenced strings

$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64

MalConfScan with Cuckoo

Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check MalConfScan with Cuckoo.

You can’t perform that action at this time.