Extract malware configurations with MalConfScan

By on 14 Aug 2019

Category: Tech matters

Tags: , , ,

1 Comment

Blog home

Every day, new types of malware are discovered. However, many of them are actually variants of existing malware — they share most of the code and there is a slight difference in configurations such as command and control servers. In this post, we would like to introduce details of ‘MalConfScan’, a new open-source tool we’ve developed at JPCERT/CC to extract malware configurations.

Download it from GitHub.

A memory forensic tool

In most cases, malware analysis begins with unpacking the malware to extract its configuration.

MalConfScan is a plugin for The Volatility Framework (hereafter Volatility), a memory forensic tool, which extracts configurations from unpacked executable files loaded on the memory. It can perform multiple functions, including:

  • Extracting the configuration of known malware from a memory image (malconfscan)
  • Detecting suspicious processes from a memory image and list the string that it refers to (malstrscan)

malconfscan

Figure 1 is an example of malconfscan execution. First, a malware-injected process name (Name), the process ID (PID) and the name of the detected malware (Malware Name) are displayed. Malware configuration (Config info) is also displayed.

Figure 1 — malconfscan execution result (Detected Lavender, a RedLeaves variant).

malconfscan also decodes encoded strings and displays DGA domains.

Figure 2 shows malconfscan was able to detect the malware ‘Bebloh’. DGA domains are listed following the configuration.

Figure 2 — malconfscan execution result (detected Bebloh).

As of 30 July 2019, malconfscan is compatible with 25 types of malware.

Compatible Malware (as of July 2019)

AgentTeslaNanoCore RATRemcos
AZORultNetWireSmoke Loader
BeblohnjRATTrickBot
CobaltStrikeNodeRATTSCookie
DatperPlugXTSC_Loader
EmotetPoison IvyUrsnif
FormBookQuasarRATxxmm
HawkEye KeyloggerRamnit 
LokibotRedLeaves 
Table 1 — Malware which malconfscan is compatible with.

malstrscan

malstrscan detects process hollowing on the memory and lists the strings that the process refers to. Although malware configurations are usually encoded, malware decodes it when referring to the information, and this is sometimes left on the memory. This function can pick up such remaining configurations (as seen in Figure 3).

Figure 3 — malstrscan execution results.

malstrscan lists strings only from the memory space where the PE file is loaded. With the ‘-a’ option, it can also list strings in heap and parent memory space.

MalConfScan with Cuckoo

As part of the MalConfScan project, we have also developed a plugin that automatically extracts malware configurations using MalConfScan and the Cuckoo Sandbox (hereafter ‘Cuckoo’) (see Figure 4).

Figure 4 — Behaviour of MalConfScan with Cuckoo.

The plugin runs malware on the host machine to extract configurations. When malware is registered on Cuckoo and executed on the host machine, a memory image will be dumped, from which MalConfScan extracts configurations of known malware. The extracted configuration is then shown in a report (Figure 5).

Figure 5 — A report of MalConfScan with Cuckoo showing the configuration of malware Himawari, a variant of RedLeaves, which is used in targeted attacks. The configuration contains a C&C server, destination port, protocol, and the encryption key.

Additionally, the results can also be obtained in JSON format.

Even if malware has an anti-VM or anti-sandbox function, the MalConfScan with Cuckoo can still extract the configuration by spoofing some environmental information.

Learn more

MalConfScan and the MalConfScan with Cuckoo plugin are useful malware analysis and memory forensics tools that we hope can help with incident investigations. Keep an eye out for  updates as we work to make it compatible with other types of malware.

To download and learn more about the tool and project check out our GitHub page.

Adapted from original posts [1,2] on the JPCERT/CC Blog.

Contributors: Shusei Tomonaga

Tomoaki Tani is a forensics analyst at the JPCERT/CC incident response group.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

  1. Sebastian

    “The plugin runs malware on the host machine to extract configurations. When malware is registered on Cuckoo and executed on the host machine, a memory image will be dumped, from which MalConfScan extracts configurations of known malware. The extracted configuration is then shown in a report (Figure 5).”

    Do you mean it runs the malware on the virtual machine(guest) instead of host machine?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Top