This document discusses extracting malware configuration data from memory dumps. It introduces MalConfScan, a Volatility plugin that extracts configuration data of known malware from memory images. It supports many malware families. Using Volatility avoids needing to unpack malware. The document also covers MalConfScan-with-Cuckoo, which automates configuration extraction by running malware in Cuckoo Sandbox and analyzing the memory dump with MalConfScan. It discusses bypassing anti-analysis techniques used by malware to evade detection.

1. Shusei Tomonaga (JPCERT/CC)
Tomoaki Tani (JPCERT/CC)

2. Copyright ©2018 JPCERT/CC All rights reserved.
Motivation
Sandbox
Malware
Analyst
Perfect! That's not
what I want…
Huma
n
1

3. Copyright ©2018 JPCERT/CC All rights reserved.
Motivation
Sandbox
Malware
Analyst
I want
configuration
data!
Huma
n
2
Perfect!

4. Copyright ©2018 JPCERT/CC All rights reserved.
Why do we need malware configuration data?
Many variants of malware code are almost
unchanged, and only configuration data is
different.
• If the configuration data is known, there is no
need for static analysis.
Configuration data contains important information
that cannot be obtained by Sandbox analysis.
• Including campaign id, encryption key etc.
3

5. Copyright ©2018 JPCERT/CC All rights reserved.4
How to Extract Malware Configuration Data Manually
It's very simple.

6. Copyright ©2018 JPCERT/CC All rights reserved.
Malware Analysis
• Understand encryption techniques
• Understand configuration
structures
5
How to Extract Malware Configuration Data Manually
Step 1

7. Copyright ©2018 JPCERT/CC All rights reserved.
Create tool
6
How to Extract Malware Configuration Data Manually
Step 2
That's all.

8. Copyright ©2018 JPCERT/CC All rights reserved.
How to Extract PlugX Configuration
In PlugX data,
PlugX main module and configuration are encoded.
Code
Encoded Code
&
PlugX
&
Config
Code
LZNT1 Compress
PlugX
Encoded + LZNT1
Config
Decmpress
PlugX
Config
Decoded Code
Injection Process

9. Copyright ©2018 JPCERT/CC All rights reserved.
PlugX Encoding Method
8
PlugX uses a custom encoding method.
Config size 0x2540
Config size 0x36A4

10. Copyright ©2018 JPCERT/CC All rights reserved.9
PlugX Configuration Structure

11. Copyright ©2018 JPCERT/CC All rights reserved.
How to Extract TSCookie Configuration
TSCookie uses only RC4 for encryption.
Code
Encrypted
Resource
Decoded Code
TSCookie
RC4 Config
TSCookie
Config

12. Copyright ©2018 JPCERT/CC All rights reserved.11
TSCookie Configuration Structure

13. Copyright ©2018 JPCERT/CC All rights reserved.
MalConfScan is a Volatility plugin that extracts
configuration data of known malware.
Volatility is an open-source memory forensics framework
for incident response and malware analysis.
MalConfScan searches for malware in memory images
and dumps configuration data.
What is MalConfScan?
12

14. Copyright ©2018 JPCERT/CC All rights reserved.
Example (RedLeaves configuration data)
13

15. Copyright ©2018 JPCERT/CC All rights reserved.
Supported Malware Families
Supported Malware Families
Ursnif TSCookie AZORult
Emotet TSC_Loader NanoCore RAT
Smoke Loader xxmm AgentTesla
PoisonIvy Datper FormBook
CobaltStrike Ramnit NodeRAT
NetWire HawkEye njRAT
PlugX Lokibot TrickBot
RedLeaves Bebloh Remcos
QuasarRAT
14

16. Copyright ©2018 JPCERT/CC All rights reserved.
Supported Malware Families
Supported Malware Families
Ursnif TSCookie AZORult
Emotet TSC_Loader NanoCore RAT
Smoke Loader xxmm AgentTesla
PoisonIvy Datper FormBook
CobaltStrike Ramnit NodeRAT
NetWire HawkEye njRAT
PlugX Lokibot TrickBot
RedLeaves Bebloh Remcos
QuasarRAT
15

17. Copyright ©2018 JPCERT/CC All rights reserved.16
Question
Why use Volatility?

18. Copyright ©2018 JPCERT/CC All rights reserved.
Advantages of Dumping Configuration Data from Memory
• Unpacking malware is not necessary
when extracting configuration data.
No Need to Unpack
• Configuration data may be already
decoded.
• No need to know how to decrypt
configuration data.
No Need to Decode
17

19. Copyright ©2018 JPCERT/CC All rights reserved.
This tool also dumps more than configuration data if
needed.
In Addition
Configuration Data
Decoded Strings
DGA Domains
18

20. Copyright ©2018 JPCERT/CC All rights reserved.
Example (Bebloh configuration data and DGAs)
19

21. Copyright ©2018 JPCERT/CC All rights reserved.
Example (FormBook decoded strings)
20

22. Copyright ©2018 JPCERT/CC All rights reserved.
malstrscan function can list strings to which the hollowed
process refers.
Additional Feature
Configuration data is usually encoded
by malware.
Most of malwares writes decoded
configuration data on memory.
This feature list decoded
configuration data when possible.
21

23. Copyright ©2018 JPCERT/CC All rights reserved.
Example
22

24. Copyright ©2018 JPCERT/CC All rights reserved.
D E M O N S T R A T I O N
23

25. Copyright ©2018 JPCERT/CC All rights reserved.
MalConfScan Wiki
https://github.com/JPCERTCC/MalConfScan/wiki
How to Use
24

26. Copyright ©2018 JPCERT/CC All rights reserved.
Automation!
Next Stage
25

27. Copyright ©2018 JPCERT/CC All rights reserved.
MalConfScan-with-Cuckoo is Cuckoo Sandbox plugin
for MalConfScan.
The plugin adds the function to extract known malware's
configuration data from memory dump and add the
MalConfScan report to Cuckoo Sandbox.
What is MalConfScan-with-Cuckoo?
26

28. Copyright ©2018 JPCERT/CC All rights reserved.
This tool uses Cuckoo's memory dump function to extract
configuration data of executed malware from memory
dumps.
How it Works
27

29. Copyright ©2018 JPCERT/CC All rights reserved.
Overview
28

30. Copyright ©2018 JPCERT/CC All rights reserved.
GUI
29

31. Copyright ©2018 JPCERT/CC All rights reserved.
Anti-analysis functions disturbs the analysis in sandbox
Some of the malware have these functions
— Ursnif variants (targeting Japan) etc.
30
Anti-analysis

32. Copyright ©2018 JPCERT/CC All rights reserved.
Generic
— Language settings
— Execution after reboot
— Total physical memory
— Count of processors etc.
Virtualization
— CPUID (CPU brand, virtualization setting, etc.)
— Device info (Device name, MAC address, etc.)
— Registry keys etc.
Processes
— Process name (wireshark, OllyDbg, Process Monitor, etc.)
31
Anti-analysis techniques

33. Copyright ©2018 JPCERT/CC All rights reserved.32
How to bypass anti-analysis
Configure your VM.

34. Copyright ©2018 JPCERT/CC All rights reserved.
Malware Analysis
• Understand anti-analysis techniques
33
How to bypass anti-analysis
Step 1

35. Copyright ©2018 JPCERT/CC All rights reserved.
Configure VM settings
34
How to bypass anti-analysis
Step 2
That's all.

36. Copyright ©2018 JPCERT/CC All rights reserved.35
How to configure you VM
Ursnif have some anti-analysis functions.
CPU Brand Detection
Device Name Detection
Debugger Detection
Boot-time Detection

37. Copyright ©2018 JPCERT/CC All rights reserved.36
Anti-Analysis : CPU Brand Name Detection
Call CPUID opcode to dump the
CPU brand name.
Check the CPU brand name if it
includes “XEON”.
mov eax, 8000000[2-4]h
__cpuid

38. Copyright ©2018 JPCERT/CC All rights reserved.37
Anti-Anti-Analysis: Fake the CPU Brand Name (VMware)
Fake the return value of CPUID with VM configuration
cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000"
Insert following settings to your .vmx file

39. Copyright ©2018 JPCERT/CC All rights reserved.38
Before After

40. Copyright ©2018 JPCERT/CC All rights reserved.39
Anti-Analysis : Device Name Detection
Call Win32API to get the device
name
Check the device name includes
specific strings

41. Copyright ©2018 JPCERT/CC All rights reserved.40
Anti-Anti-Analysis: Modify the Device Name (VMware)
Modify the device name.
scsi0:0.productID = "Toshiba SSD"
scsi0:0.vendorID = "Toshiba"
scsi1:0.productID = "Toshiba SSD"
scsi1:0.vendorID = "Toshiba"
Insert following settings to your .vmx file

42. Copyright ©2018 JPCERT/CC All rights reserved.41
Recommended setting for Anti-Anti-Analysis
Do NOT use VMware tools or VirtualBox guest
additions.
Use local language OS for VM
Modify the CPUID response
Modify the Device name
Modify the NIC (MAC address)

43. Copyright ©2018 JPCERT/CC All rights reserved.
D E M O N S T R A T I O N
42

44. Copyright ©2018 JPCERT/CC All rights reserved.
MalConfScan with Cuckoo wiki
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki
How to Use
43

45. Copyright ©2018 JPCERT/CC All rights reserved.44
Feature works
Volatility3 is out!

46. Copyright ©2018 JPCERT/CC All rights reserved.
T h a n k y o u !
@jpcert_en ir-info@jpcert.or.jp
PGP https://www.jpcert.or.jp/english/pgp/
Contact
https://github.com/JPCERTCC/MalConfScan
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo
45