Skip to content
t-tani edited this page Jun 20, 2019 · 3 revisions

MalConfScan-with-Cuckoo wiki

MalConfScan-with-Cuckoo is a Cuckoo Sandbox plugin extracts configuration data of known malware. Cuckoo Sandbox is an open-source automated malware analysis system. This plugin searches for known malware in the sandbox's memory images and dumps the configuration data. This plugin integrates MalConfScan into your Cuckoo Sandbox and analyzes the memory dump in each analysis session. Before activating the plugin, you need to install Volatility, Yara and, MalConfScan to your Cuckoo server.

Screenshot

Himawari Cuckoo

Screenshot: Sample report of Himawari(a variant of RedLeaves) in Cuckoo

Supported Malware Families

MalConfScan with Cuckoo can dump the following malware configuration data, decoded strings or DGA domains:

  • Ursnif
  • Emotet
  • Smoke Loader
  • PoisonIvy
  • CobaltStrike
  • NetWire
  • PlugX
  • RedLeaves / Himawari / Lavender / Armadill / zark20rk
  • TSCookie
  • TSC_Loader
  • xxmm
  • Datper
  • Ramnit
  • HawkEye
  • Lokibot
  • Bebloh (Shiotob/URLZone)
  • AZORult
  • NanoCore RAT
  • AgentTesla
  • FormBook
  • NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
  • njRAT
  • TrickBot
  • Remcos
  • Pony

Manual

1. Home

2. How to Install

3. How to add Volatility Plugin into Cuckoo

4. How to Use

5. Sample Reports

You can’t perform that action at this time.