Malconf is a python3 library that can be used to staticly analyse specific malware families and extract the Configuration data that can be used by Incident Responders during an incident.
As a library it can also be installed in to automated malware analysis pipelines.
There are some pre-reqs that are included in the pip setup and the requirements.txt
- pefile
- pbkdf2
- javaobj-py3
- pycrypto
- androguard
For all the decoders you will need yara and yara-python. For dealing with .NET malware you will need to install yara-python with dotnet support
git clone --recursive https://github.com/VirusTotal/yara-python
python3 setup.py build --enable-magic --enable-dotnet
sudo python3 setup.py install
pip3 install --upgrade malwareconfig
git clone git@github.com:kevthehermit/RATDecoders.git
cd RATDecoders
pip3 install -r requirements.txt
python3 setup.py install
Here is a list of the currently supported RATS:
- LostDoor
- Xtreme
- AAR
- AdWind
- Adzok
- AlienSpy
- Alina
- Arcom
- BlackNix
- BlackShades
- BlueBanana
- Bozok
- ClientMesh
- CyberGate
- DarkComet
- DarkRAT
- HawkEye
- Hrat / hworm / WSH
- Jbifrost
- JRat
- LuminosityLink
- LuxNet
- NanoCore
- NetWire
- njRat
- Plasma
- Remcos
- Saefko
- Sakula
- SpyNote / Mobihook
- Still migrating old ones!
Using the supplied command line tool malconf
you can pass in a single file or a directory with the -r
flag and it will attempt to automagically detect the family and extract any config.
You can also use the -o
option to write results out to a file.
malconf
malconf -l
This will list all the supported rats
malconf /path/to/sample
This will automagically detect the family and run the decoder
⇒ malconf tests/samples/alienspy
__ __ _ ____ __
| \/ | __ _| |/ ___|___ _ __ / _|
| |\/| |/ _` | | | / _ \| '_ \| |_
| | | | (_| | | |__| (_) | | | | _|
|_| |_|\__,_|_|\____\___/|_| |_|_|
Malware Configuration Parser by @kevthehermit
[+] Loading File: tests/samples/alienspy
[-] Found: AlienSpy
[-] Running Decoder
[-] Config Output
{'ConfigKey': 'fzGUoTaQH3SUW7E82IKQK2J2J2IISIS',
'NAME': 'ok',
'Version': 'B',
'connetion_time': '0',
'desktop': 'true',
'dns': '213.208.129.211',
'extensionname': 'qQJ',
'folder': 'java',
'instalar': 'true',
If you pip install you can also use it is a library.
from malwareconfig import fileparser
from malwareconfig.modules import __decoders__, __preprocessors__
# Open and parse the file
sample_path = '/path/to/sample.exe'
file_info = fileparser.FileParser(file_path=sample_path)
# Check for a valid decoder and then parse
if file_info.malware_name in __decoders__:
module = __decoders__[file_info.malware_name]['obj']()
module.set_file(file_info)
module.get_config()
conf = module.config
pprint(conf)
Full credit where credit is due.
Malware.lu for the initial xtreme Rat Writeup - https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT
Fireye for their Poison Ivy and Xtreme rat WriteUps (Even though they ignored my tweets :-) ) - http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html
Shawn Denbow and Jesse Herts for their paper here - http://www.matasano.com/research/PEST-CONTROL.pdf Saved me a lot of time