jpcertcc / malconfscan Goto Github PK

While it's still in pre-release, it looks like the volatility team is gearing up for the release of version 3.
https://volatility-labs.blogspot.com/
https://github.com/volatilityfoundation/volatility3

Are there plans to update this plugin to support Volatility 3 when it's released?

I need samples for test，whether the corresponding samples can be obtained for testing

both plugins resulted an error when running.
I am using an ubuntu 16.04 virtual machine, 4 gb RAM, 1 cpu.

malconfscan:

omri@ubuntu:/opt/calamity/MalConfScan$ vol.py -f ~/Desktop/otterctf.vmem --profile=Win7SP1x64 malconfscan
Volatility Foundation Volatility Framework 2.6.1
[+] Searching memory by Yara rules.
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 4, in
import('pkg_resources').run_script('volatility==2.6.1', 'vol.py')
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 719, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 1504, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in
main()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 94, in render_text
for task, start, end, malname, memory_model, config_data in data:
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 84, in calculate
for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/utils/datperscan.py", line 236, in calculate
dec = self.custom_rc4(enc, key, rc4key_seed)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/utils/datperscan.py", line 97, in custom_rc4
for char in data:
TypeError: 'NoneType' object is not iterable

malstrscan:

omri@ubuntu:/opt/calamity/MalConfScan$ vol.py -f ~/Desktop/otterctf.vmem --profile=Win7SP1x64 malstrscan
Volatility Foundation Volatility Framework 2.6.1
[+] Searching for malicious memory space.
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 4, in
import('pkg_resources').run_script('volatility==2.6.1', 'vol.py')
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 719, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 1504, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in
main()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 271, in render_text
for task, start, end, data, protection, strings in data:
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 206, in calculate
for start, end, memdata, protection in self.detect_injection_proc(proc, space):
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 140, in detect_injection_proc
data = address_space.zread(vad.Start, vad.End + 1)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/addrspace.py", line 283, in zread
return self._read(addr, length, True)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/addrspace.py", line 269, in _read
return "".join(buff)
MemoryError

any solutions come in mind? thanks !

I'm unable to get malconfscan to work with Ubuntu 20.04. Ubuntu 20.04 seems to require a different package for volatility (volatility-phocean) and install command (sudo snap install volatility-phocean). Has anyone else encountered this issue?

https://www.gimp.org/downloads/ - GIMP 2.10.24 installer revision 3 for windows
https://www.virustotal.com/gui/file/5e9eabe5739523a9fc347b4614d919418f3335e7aab082a65f71705421e85e04/detection
does GIMP have emotet?
The reason I am asking is because emotet seems to be a very specific piece of malware and less likely to show a false positive

The array index "i" is not incremented.

Therefore, only one IP address is displayed.

https://github.com/JPCERTCC/MalConfScan/blob/master/utils/ursnifscan.py#L246-L247
should be if not has_aplib: - probably a copy/paste error

installed and used exactly as shown.
vol.py -f <path>.vmem --profile=Win7SP1x64 malconfscan
5 seconds later getting the output:

[+] Searching memory by Yara rules.
Killed

and then it stops. same with malstrscan.
any solutions?

Dear all,

I am currently using Volatility 2.6.1 on Window10x64 and I am having an issues regarding to syntax error as shown below when I am doing malware analysis on a particular memory image:

I tried to go to see the yara rules file syntax 227 and this is what it shown:

and I delete the whole plugX coding and re-run command and this is what i get:

this is my python version:

Thank you if anyone is willing to give me some ideas :) appreciate it! have a nice day!

Hi authors,
From what I can see, this is extremely useful plugin.

Unfortunately, I cannot get the plugin working.
Similar issue was already reported: #10

The process is showing "Searching memory by Yara rules.". It takes one cpu with no read or write activity.

I did try to use git versions of the volatility and the MalConfScan plugin.
The -p option did not help.
Just to make sure, I also tried a docker version of the volatility and it stuck.

The plugin was running for several days without result.

I see few findings from your yara rules.

I'm getting memory error during Windows 10 x64 2GB memory dumped from Esxi 6.7 using Win10x64_18362 profile:

Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "/opt/calamity/volatility/vol.py", line 192, in <module>
    main()
  File "/opt/calamity/volatility/vol.py", line 183, in main
    command.execute()
  File "/opt/calamity/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/opt/calamity/volatility/volatility/plugins/malware/malconfscan.py", line 94, in render_text
    for task, start, end, malname, memory_model, config_data in data:
  File "/opt/calamity/volatility/volatility/plugins/malware/malconfscan.py", line 84, in calculate
    for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
  File "/opt/calamity/volatility/volatility/plugins/malware/utils/datperscan.py", line 216, in calculate
    [+] Searching memory by Yara rules.
data = proc_addr_space.zread(vad_base_addr, end - vad_base_addr)
  File "/opt/calamity/volatility/volatility/addrspace.py", line 283, in zread
    return self._read(addr, length, True)
  File "/opt/calamity/volatility/volatility/addrspace.py", line 269, in _read
    return "".join(buff)
MemoryError

I tried MalConfScan-with-Cuckoo with the sample page ursnif.
SHA256: 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85
But, I am troubled with an error.

File "/home/name/venv/local/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/utils/ursnifscan.py", line 245, in calculate
parse_joinned_data(fname, magic)
NameError: global name 'parse_joinned_data' is not defined

Where to Fix

Following parts in wiki of this repository is wrong.

• https://github.com/JPCERTCC/MalConfScan/wiki/How-to-Install

• https://github.com/JPCERTCC/MalConfScan/wiki/%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB

How to Fix

Before: $ cp -R malconfscan.py utils yara [Extract Volatility Folder]/volatility/plugin/malware
After: $ cp -R malconfscan.py utils yara [Extract Volatility Folder]/volatility/plugins/malware

Evidence

Hi,

I'm trying to analize a memory dump from vmware Windows 10 paused machine infected with some malwares.
Currently I've got vmem file and vmsn file.
Vmem file is large 4GB.
Running following command the debug messages stops and there is no progress after 2 hours of time:
python vol.py -f Win10Untrusted-Snapshot5.vmem --profile=Win10x64 malconfscan -d -v

Last debug messages are following:

DEBUG   : volatility.debug    : Applying modification from ShellBagsTypesWin7
DEBUG   : volatility.debug    : Applying modification from UserAssistWin7VTypes
DEBUG   : volatility.debug    : Applying modification from VistaObjectClasses
DEBUG   : volatility.debug    : Applying modification from Win32KCoreClasses
DEBUG   : volatility.debug    : Applying modification from Win7ObjectClasses
DEBUG   : volatility.debug    : Applying modification from Win8x64VolatilityKDBG
DEBUG   : volatility.debug    : Applying modification from WinPEx64VTypes
DEBUG   : volatility.debug    : Applying modification from Windows64Overlay
DEBUG   : volatility.debug    : Applying modification from ServiceBasex64
DEBUG   : volatility.debug    : Applying modification from ServiceVista
DEBUG   : volatility.debug    : Applying modification from Win8ObjectClasses
DEBUG   : volatility.debug    : Applying modification from Win8x64DTB
DEBUG   : volatility.debug    : Applying modification from Win8x64Gui
DEBUG   : volatility.debug    : Applying modification from Win8x64MaxCommit
DEBUG   : volatility.debug    : Applying modification from Service8x64

event attaching to a single PID I got same behaviour.

emotetscan.py export a dict data which field name contains dots (i.e. ".").
It would cause a bug in MalConfScan-with-Cuckoo if Cuckoo is connected to MongoDB(<3.6).

Thanks for the feedback @soji256
Ref: https://soji256.hatenablog.jp/entry/2019/05/23/004911 (Japanese)

I have a 9GB memory sample from a Windows 10 17763 host infected with TrickBot. However, when using Volatility 2.6.1 with the MalConfScan plugin, it seems to hang on "Searching memory by Yara rules." No errors are generated, the analysis system has free disk and memory available, and even after 12+ hours nothing seemed to happen. Can you please advise? The memory sample was obtained from: https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis

it says on virustotal that ADWcleaner and many other programs have "datper" now my OCD bans me from installing them but I also need adwcleaner to scan my pc