Target Audience: Defense (Malware Analyst, BlueTeam)

Short Abstract:
"MalConfScan with Cuckoo" is a tool for automatically extracting known Windows and Linux malware's configuration data.
MalConfScan with Cuckoo works as a plug-in for Cuckoo Sandbox. Cuckoo Sandbox is a leading open-source automated malware analysis system. You can automatically dump malware configuration data by installing this plug-in on Cuckoo. This is a unique feature compared to other commercial Sandbox products. It supports over 30+ Windows and Linux malware families to extract the configuration data. Also, it can be used for the memory forensics tool for Windows/Linux OS as a Volatility plug-in. It helps to detect known/unknown malware and extract configuration data from memory images.

Detailed Explanation of Tool:
"MalConfScan with Cuckoo" is a Plug-in for Cuckoo Sandbox, automatically extracting known malware configuration data. With the growing number of malware variants emerging day by day, the automation of malware analysis using sandbox systems is becoming popular. Such systems have a function to list malware behavior on Windows/Linux OS, such as communication, file and registry creation. On the other hand, malware analysts spend more time extracting malware configuration data rather than analyzing malware behavior. There are the following reasons:
  1. Many malware variants mostly share the same code except for configuration data. In other words, the type of malware and configuration data are the only elements that need to be checked.
  2. Malware configuration data contains an attack campaign ID and communication encryption keys. This information is important for incident response.
We present a malware analysis tool to extract configuration data for incident responders and malware analysts. With this tool, the time spent on malware analysis can be reduced. In addition, this tool can be used not only for malware analysis but also for memory forensics. It can help a victim organization with malware infection identify C2 server information and encryption key, which are necessary for incident response.

This tool can dump the following malware configuration data, decoded strings, or DGA domains. It supports 30+ malware families:

- Ursnif
- Emotet
- Smoke Loader
- PoisonIvy
- CobaltStrike
- NetWire
- PlugX
- RedLeaves / Himawari / Lavender / Armadill / zark20rk
- TSCookie
- TSC_Loader
- xxmm
- Datper
- Ramnit
- HawkEye
- Lokibot
- Bebloh (Shiotob/URLZone)
- AZORult
- NanoCore RAT
- AgentTesla
- FormBook
- NodeRAT (https://blogs.jpcert.or.jp/ja/2019/0...-activity.html)
- Wellmess
- QuasarRat
- etc.

This tool can be used as a memory forensic tool because it is based on the Volatility Plug-in. In memory forensics, it is difficult to find a malicious process, but you can use this plug-in to detect malware processes and dump configuration data.

In addition, this tool has a function to extract unknown malware configuration data. This plug-in can list strings to which a malicious code refers. Configuration data is usually encoded by malware, which is decoded on memory and may still be left there. This function lists decoded configuration data in the PE-loaded memory space and the parent memory space.

[New Release]
We are planning to release the following features at the DEMO LABS.

- Newly support Linux malware
- Support Volatility3
- Support new malware families etc.

Supporting Files, Code, etc:

- Supporting Versions
- Cuckoo ~ 2.0.7
- Volatility
- Volatility3

- Supporting Malware Families
- 30+ Windows/Linux Malware Families

- Supporring OS (for Memory Forensics)
- Windows OS (x86/x64)
- Linux OS (x86/x64)

Short Developer Bio:
Tomoaki Tani works as a Forensic Analyst at Incident Response Group of JPCERT/CC. His primary responsibility is in providing coordination and assistance for cybersecurity incidents related to Japanese constituents. With his technical insight, he is also in charge of analyzing incident trends and attack methods. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, PHDays, VB Conference, and more. Prior to joining JPCERT/CC, he was engaged in security analysis operations and incident handling at a major Japanese telco.

Shusei Tomonaga is a member of the Incident Response Group of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensic investigation. In particular, he spearheads the analysis of targeted attacks affecting critical Japanese industries. In addition, he has written blog posts on malware analysis and technical findings (https://blogs.jpcert.or.jp/en/). Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, Botconf, VB Conference, PHDays, PacSec, FIRST Conference, BlackHat USA Arsenal, and more.