MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.
MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:
- Ursnif
- Emotet
- Smoke Loader
- PoisonIvy
- CobaltStrike
- NetWire
- PlugX
- RedLeaves / Himawari / Lavender / Armadill / zark20rk
- TSCookie
- TSC_Loader
- xxmm
- Datper
- Ramnit
- HawkEye
- Lokibot
- Bebloh (Shiotob/URLZone)
- AZORult
- NanoCore RAT
- AgentTesla
- FormBook
- NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
- njRAT
- TrickBot
- Remcos
- QuasarRAT
- AsyncRAT
- WellMess (Windows/Linux)
- ELF_PLEAD
- Pony
MalConfScan has a function to list strings to which malicious code refers. Configuration data is usually encoded by malware. Malware writes decoded configuration data to memory, it may be in memory. This feature may list decoded configuration data.
If you want to know more details, please check the MalConfScan wiki.
MalConfScan has two functions malconfscan, linux_malconfscan and malstrscan.
$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64
$ python vol.py linux_malconfscan -f images.mem --profile=LinuxDebianx64
$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64
Following YouTube video shows the overview of MalConfScan.
And, following YouTube video is the demonstration of MalConfScan.
Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check MalConfScan with Cuckoo.