Skip to content
Cuckoo Sandbox plugin for extracts configuration data of known malware
Python HTML
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
img initial commit. Apr 22, 2019
malconfscan-cuckoo/cuckoo initial commit. Apr 22, 2019
LICENSE.txt initial commit. Apr 22, 2019
README.md fix typo in README.md Apr 22, 2019
malconfscan.patch initial commit. Apr 22, 2019

README.md

Introduction

MalConfScan integration for Cuckoo Sandbox.
This plugin lets you integrate MalConfScan into Cuckoo Sandbox with the patch file. The plugin would add the function to extract known malware's configuration data from memory dump and, add the MalConfScan report into Cuckoo Sandbox.

Sample report

Screenshot: Sample report of Himawari (a variant of RedLeaves) in Cuckoo

Himawari Cuckoo

Sample report.json

...snip...
"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server1": "diamond.ninth.biz"}, 
                    {"Server2": "diamond.ninth.biz"}, 
                    {"Server3": "diamond.ninth.biz"}, 
                    {"Server4": "diamond.ninth.biz"}, 
                    {"Port": "443"}, 
                    {"Mode": "TCP and HTTP"}, 
                    {"ID": "2017-11-28-MACRO"}, 
                    {"Mutex": "Q34894iq"}, 
                    {"Key": "usotsuki"}, 
                    {"UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"}, 
                    {"Proxy server": ""}, 
                    {"Proxy username": ""}, 
                    {"Proxy password": ""}
                ]
            ], 
            "vad_base_addr": "0x04521984", 
            "process_name": "iexplore.exe", 
            "process_id": "2248", 
            "malware_name": "Himawari", 
            "size": "0x00815104"
        }
    ],
},
...snip...

What's MalConfScan?

MalConfScan is a Volatility plugin extracts the configuration data of known malware. It supports 20+ malware families. Check the detail here.

How to install

Modify the source code of Cuckoo Sandbox with the deploy-script and deploy Cuckoo Sandbox. If you want to know more detail, please check the Wiki.

How to use

  1. Setup your Cuckoo Sandbox and patch it with malconfscan.patch.
  2. Submit your sample to the sandbox.
  3. Check the report.

Notes

Tested with following environments.

  • Python 2.7.15
  • Cuckoo Sandbox 2.0.6
  • Volatility 2.6
You can’t perform that action at this time.