JPCERTCC
diff --git a/‎.gitignore
Lines changed: 3 additions & 0 deletions b/‎.gitignore
Lines changed: 3 additions & 0 deletions
diff --git a/‎LICENSE.txt
Lines changed: 29 additions & 0 deletions b/‎LICENSE.txt
Lines changed: 29 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 56 additions & 2 deletions b/‎README.md
Lines changed: 56 additions & 2 deletions
diff --git a/‎images/logo.svg
Lines changed: 65 additions & 0 deletions b/‎images/logo.svg
Lines changed: 65 additions & 0 deletions
diff --git a/‎images/sample1.png
61.7 KB b/‎images/sample1.png
61.7 KB
diff --git a/‎images/sample2.png
97.7 KB b/‎images/sample2.png
97.7 KB
diff --git a/‎images/sample3.png
99.5 KB b/‎images/sample3.png
99.5 KB
diff --git a/‎images/sample4.png
133 KB b/‎images/sample4.png
133 KB
diff --git a/‎images/title.svg
Lines changed: 3 additions & 0 deletions b/‎images/title.svg
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
+*.pyc
+*~
+*.bak
@@ -0,0 +1,29 @@
+LICENSE
+Copyright (C) 2015 JPCERT Coordination Center. All Rights Reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following acknowledgments and disclaimers.
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following acknowledgments and disclaimers in the documentation and/or other materials provided with the distribution.
+3. Products derived from this software may not include "JPCERT Coordination Center" in the name of such derived product, nor shall "JPCERT Coordination Center"  be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
+
+ACKNOWLEDGMENTS AND DISCLAIMERS
+Copyright (C) 2015 JPCERT Coordination Center
+
+This software is based upon work funded and supported by the Ministry of
+Economy, Trade and Industry.
+
+Any opinions, findings and conclusions or recommendations expressed in this
+software are those of the author(s) and do not necessarily reflect the views of
+the Ministry of Economy, Trade and Industry.
+
+NO WARRANTY. THIS JPCERT COORDINATION CENTER SOFTWARE IS FURNISHED ON
+AN "AS-IS" BASIS. JPCERT COORDINATION CENTER MAKES NO WARRANTIES OF
+ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
+EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE SOFTWARE. JPCERT
+COORDINATION CENTER DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
+RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+
+This software has been approved for public release and unlimited distribution.
@@ -1,2 +1,56 @@
-# MalConfScan
-Volatility plugin for extracts configuration data of known malware
+<div align="center"><img src="images/title.svg" width="800"></div>
+
+## Concept
+ 　**MalConfScan** is a [Volatility](https://github.com/volatilityfoundation/volatility) plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.  
+
+  ![MalConfScan sample](images/sample1.png)  
+
+## Supported Malware Families
+  MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:
+
+  - [x] Ursnif  
+  - [x] Emotet  
+  - [x] Smoke Loader    
+  - [x] PoisonIvy
+  - [x] CobaltStrike
+  - [x] NetWire
+  - [x] PlugX
+  - [x] RedLeaves / Himawari / Lavender / Armadill / zark20rk
+  - [x] TSCookie
+  - [x] TSC_Loader
+  - [x] xxmm  
+  - [x] Datper  
+  - [x] Ramnit  
+  - [x] HawkEye  
+  - [x] Lokibot
+  - [x] Bebloh (Shiotob/URLZone)
+  - [x] AZORult
+  - [x] NanoCore RAT
+  - [x] AgentTesla   
+  - [x] FormBook
+  - [x] NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
+  - [ ] Pony
+  - [ ] njRAT
+
+## Additional Analysis
+  MalConfScan has a function to list strings to which malicious code refers. Configuration data is usually encoded by malware. Malware writes decoded configuration data to memory, it may be in memory. This feature may list decoded configuration data.  
+
+## How to Install
+  If you want to know more details, please check [the MalConfScan wiki](https://github.com/JPCERTCC/MalConfScan/wiki).
+
+## How to Use
+ MalConfScan has two functions **malconfscan** and **malstrscan**.
+
+### Export known malware configuration
+```
+$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64
+```
+
+### List the referenced strings
+```
+$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64
+```
+
+## MalConfScan with Cuckoo
+  Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check [MalConfScan with Cuckoo](https://github.com/JPCERTCC/MalConfScan-with-Cuckoo).
+  <!-- MalConfScan with Cuckoo????????? wiki??? -->