MCPcopy Index your code
hub / github.com/JPCERTCC/MalConfScan

github.com/JPCERTCC/MalConfScan @v1.0.5

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0.5 ↗ · + Follow
272 symbols 755 edges 32 files 53 documented · 19%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Arsenal

Concept

MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.

MalConfScan sample

Supported Malware Families

MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:

  • [x] Ursnif
  • [x] Emotet
  • [x] Smoke Loader
  • [x] PoisonIvy
  • [x] CobaltStrike
  • [x] NetWire
  • [x] PlugX
  • [x] RedLeaves / Himawari / Lavender / Armadill / zark20rk
  • [x] TSCookie
  • [x] TSC_Loader
  • [x] xxmm
  • [x] Datper
  • [x] Ramnit
  • [x] HawkEye
  • [x] Lokibot
  • [x] Bebloh (Shiotob/URLZone)
  • [x] AZORult
  • [x] NanoCore RAT
  • [x] AgentTesla
  • [x] FormBook
  • [x] NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
  • [x] njRAT
  • [x] TrickBot
  • [x] Remcos
  • [x] QuasarRAT
  • [x] AsyncRAT
  • [x] WellMess (Windows/Linux)
  • [x] ELF_PLEAD
  • [ ] Pony

Additional Analysis

MalConfScan has a function to list strings to which malicious code refers. Configuration data is usually encoded by malware. Malware writes decoded configuration data to memory, it may be in memory. This feature may list decoded configuration data.

How to Install

If you want to know more details, please check the MalConfScan wiki.

How to Use

MalConfScan has two functions malconfscan, linux_malconfscan and malstrscan.

Export known malware configuration

$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64

Export known malware configuration for Linux

$ python vol.py linux_malconfscan -f images.mem --profile=LinuxDebianx64

List the referenced strings

$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64

Overview & Demonstration

Following YouTube video shows the overview of MalConfScan.

MalConfScan_Overview

And, following YouTube video is the demonstration of MalConfScan.

MalConfScan_Demonstration

MalConfScan with Cuckoo

Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check MalConfScan with Cuckoo.

Core symbols most depended-on inside this repo

filter_tasks
called by 27
utils/elf_pleadscan.py
offset2_dword_6bytes
called by 16
utils/formbook_decryption.py
offset1_dword_5bytes
called by 12
utils/formbook_decryption.py
offset1_byte_2bytes
called by 10
utils/formbook_decryption.py
decrypt
called by 10
utils/datperscan.py
do
called by 8
utils/aplib.py
write_bit
called by 7
utils/aplib.py
decode
called by 7
utils/smokeloaderscan.py

Shape

Method 231
Class 36
Function 5

Languages

Python100%

Modules by API surface

utils/aplib.py39 symbols
malconfscan.py21 symbols
utils/formbook_decryption.py12 symbols
utils/datperscan.py10 symbols
utils/ursnifscan.py9 symbols
utils/plugxscan.py9 symbols
utils/formbookscan.py9 symbols
utils/beblohscan.py9 symbols
utils/agentteslascan.py9 symbols
utils/tscookiescan.py8 symbols
utils/hawkeyescan.py8 symbols
utils/elf_pleadscan.py8 symbols

For agents

$ claude mcp add MalConfScan \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact