Installing the MalConfScan with Cuckoo to Analyze Emotet

soji256
May 23, 2019 (14 min read)

On April 22, 2019, JPCERT/CC published a tool called MalConfScan on GitHub. MalConfScan is a Volatility plugin that extracts configuration data from known malware families: it searches a memory image for the malware, dumps its configuration, and can also list the strings that the malicious code references.

MalConfScan can dump the following malware:

- Ursnif
- Emotet
- Smoke Loader
- PoisonIvy
- CobaltStrike
- NetWire
- PlugX
- RedLeaves / Himawari / Lavender / Armadill / zark20rk
- TSCookie
- TSC_Loader
- xxmm
- Datper
- Ramnit
- HawkEye
- Lokibot
- Bebloh (Shiotob/URLZone)
- AZORult
- NanoCore RAT
- AgentTesla
- FormBook
- NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
- Pony
- njRAT

JPCERT/CC seems to have done a great job.

It works as an ordinary Volatility plugin, but the bottom of the README mentions “MalConfScan with Cuckoo”, a way to run it from Cuckoo Sandbox, so I started by building that environment.

Building the Environment for “MalConfScan with Cuckoo”

We will build Ubuntu 18.04.2 LTS on VMware as the Cuckoo host. On that Ubuntu machine we create a Python virtualenv for Cuckoo and a Windows 7 guest on VirtualBox as the sandbox.

Environment for “MalConfScan with Cuckoo”

Preparation for Ubuntu 18.04.2

Prepare a fresh Ubuntu 18.04.2 install. Anyone who is going to use MalConfScan can manage this without help, so I skip the OS installation steps; the rest of the article assumes the following environment.

Ubuntu18.04.2 (Cuckoo host)

  • On VMware (VMware Workstation 15 Pro)
  • Memory Size: 8GB
  • CPU Cores : 4
  • CPU ”Virtualize Intel VT-x/EPT or AMD-V/RVI” : ON
  • HDD:80GB
  • Network Adapter: NAT
  • User Name: infected
  • Ubuntu 18.04.2 LTS (iso image)
    https://www.ubuntu.com/download/desktop

“Virtualize Intel VT-x/EPT or AMD-V/RVI” exposes hardware virtualization to the Ubuntu VM (nested virtualization). It is only needed because VirtualBox cannot give the Windows guest more than one CPU core without it; if you leave the guest at one core you can leave this setting off.

Update Ubuntu

Update Ubuntu to the latest state.

sudo apt update
sudo apt upgrade -y

Preparation for MalConfScan with Cuckoo

sudo apt install -y git make vim
sudo apt install -y python python-pip python-setuptools python-virtualenv virtualenv
sudo apt install -y libjpeg8-dev zlib1g-dev

git clone https://github.com/JPCERTCC/MalConfScan.git
# for cuckoo best practice
virtualenv venv
. venv/bin/activate

The last command switches to the isolated Python environment; the prompt then starts with (venv), as shown below:

Virtualenv (venv)

All subsequent commands must be run inside this virtualenv. If you leave it for any reason (a new terminal, a reboot), run “. venv/bin/activate” again before continuing; the steps below assume the (venv) prompt.

# for Volatility
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install
cd ../
pip install distorm3 pefile

# the egg directory name tracks the Volatility version you cloned; if these
# paths do not exist, check ls venv/lib/python2.7/site-packages/ and adjust
cp MalConfScan/malconfscan.py venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/
cp -R MalConfScan/utils venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/
cp -R MalConfScan/yara venv/lib/python2.7/site-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/

# for MongoDB
sudo apt install -y libffi-dev libssl-dev libjpeg-dev zlib1g-dev swig
sudo apt install -y mongodb

# for elasticsearch 5.6.0 (https://github.com/cuckoosandbox/cuckoo/issues/2085)
sudo apt install -y openjdk-11-jdk
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.6.0.deb
sudo dpkg -i elasticsearch-5.6.0.deb
rm elasticsearch-5.6.0.deb

# for mitmproxy
sudo apt install -y python3-dev python3-pip
pip3 install mitmproxy

# for tcpdump (https://cuckoo.readthedocs.io/en/latest/faq/#tcpdump-permission-denied)
sudo apt install -y apparmor-utils
sudo aa-disable /usr/sbin/tcpdump

# for non-root user (in this case, user name is "infected")
sudo usermod -a -G vboxusers infected
sudo groupadd pcap
sudo usermod -a -G pcap infected
sudo chgrp pcap /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

# for VirtualBox
sudo apt install -y virtualbox
sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Cuckoo uses SQLite3 as its default database. Switching to MySQL or PostgreSQL is recommended mainly for performance, but SQLite3 is fine for a small installation, so we keep the default.

Preparing virtual machines for sandbox

Next we prepare the Windows 7 guest for the sandbox. To make the virtual environment harder to detect, a clean Windows 7 install is preferable, but pre-built evaluation images (the ones whose account is IEUser, used below) are available as well.

This article uses such an image to try out “MalConfScan with Cuckoo”; to get the most out of the tool you should use a clean copy of Windows 7. The procedure is much the same either way; the main difference is that a clean install has no “VirtualBox Guest Additions” to uninstall, so that step is skipped.

Virtual machines on VirtualBox (Windows 7)

  • Machine Name: Win7SP1x86
  • Version: Windows 7 SP1 (32-bit)
  • CPU Cores: 2
  • Memory Size: 1280 MB
  • Video Memory Size: 32 MB
  • Display - Remote Display: Disable
  • System - Enable I/O APIC: Enable (automatically)
  • User Name: IEUser

The CPU core count and memory size are changed to make the VM look less like an analysis environment; MalConfScan itself does not need them. As noted above, VirtualBox can only give the guest more than one core when “Virtualize Intel VT-x/EPT or AMD-V/RVI” is enabled for the Ubuntu VM in VMware, so check that setting if the core count cannot be changed.

Start the virtual machine in VirtualBox and change the following settings

  • Set display resolution to 1024 x 768
  • Disable Windows Update
  • Disable Windows Defender
  • Disable Windows Firewall
  • Disable UAC (Set not to notify)
  • Select “Ask me later” in the first-run dialog when IE starts
  • Install Python 2.7 https://www.python.org/ftp/python/2.7.13/python-2.7.13.msi
  • Install PIL 1.1.7 (Python Imaging Library, used by the agent for screenshots)
    http://effbot.org/downloads/PIL-1.1.7.win32-py2.7.exe
  • Put agent.py in the Startup folder
    agent.py :
    https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/cuckoo/data/agent/agent.py
    Startup folder :
    %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
  • Network Settings
    - IP address:192.168.56.101
    - Subnet mask:255.255.255.0
    - Default gateway:192.168.56.1
    - Preferred DNS server:8.8.8.8
    - Alternate DNS server:8.8.4.4
  • Suppressing Network Noise (Disable Teredo, LLMNR, etc.)
    - To open the Group Policy Editor, [Windows key] + R, and then type “gpedit.msc”
    - Computer Configuration- > Administrative Templates- > Network- > DNS Client, and then enable “Turn off Multicast Name Resolution”
    - Computer Configuration- > Administrative Templates- > System- > Internet Communication Management, and then enable “Restrict Internet Communication”
    - Enter the following at the command prompt:
netsh interface teredo set state disabled
  • Create init.reg with the contents below and keep it for a later step. It overwrites the BIOS strings and deletes the VirtualBox ACPI tables, PCI device entries and Guest Additions keys that malware inspects to detect a VM.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM]
"SystemBiosDate"="06/12/10"
"SystemBiosVersion"="BC1.05"
"VideoBiosVersion"="VC1.20"

[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBox*]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxGuest\Enum]
    - Note that regedit does not expand wildcards, so the VBox* line deletes nothing by itself. After Guest Additions are uninstalled, look under the Services keys for any remaining VBox-prefixed entries and delete them by name.
  • Change the network configuration of VirtualBox to “Host-only Adapter”
    - Make sure “vboxnet0” is selected
    - If “Not Selected”, execute the following command
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
  • Uninstall “Oracle VM VirtualBox Guest Additions”
    - Will be asked to reboot, so reboot
  • Verify agent.py is started after reboot
    - You should see a console window titled “C:\Python27\python.exe”
    - If it did not start, check that the saved agent.py is intact (compare it with the file at the URL above)
  • Minimize the agent.py window so it does not get in the way of screenshots during analysis
  • Run the init.reg created above and confirm the import

When all of the above is done, take a snapshot of the virtual machine while it is still running and name it “cuckoo”. Both the VM name and the snapshot name are referenced from the Cuckoo configuration files, so be careful not to mix them up. After the snapshot is taken, shut down the virtual machine; VirtualBox itself can be closed too.

The sandbox virtual machine is now ready. Return to Cuckoo setup.

MalConfScan with Cuckoo Setup

Reboot the host machine (mitmproxy does not start properly unless the host has been rebooted after the installation above).

reboot

Patch Cuckoo to make MalConfScan available.

git clone https://github.com/jpcertcc/malconfscan-with-cuckoo.git
git clone -b 2.0.6 https://github.com/cuckoosandbox/cuckoo.git

. venv/bin/activate
cd cuckoo
patch -p1 < ../malconfscan-with-cuckoo/malconfscan.patch
python stuff/monitor.py
python setup.py sdist develop
cd ../
cuckoo

Initialize mitmproxy: start it once and quit with [Ctrl]+C. This creates the .mitmproxy directory with the CA certificate that Cuckoo needs.

# for create the “.mitmproxy” dir
mitmproxy
[Ctrl]+C
# Copy the certificate to a location for Cuckoo to use
cp .mitmproxy/mitmproxy-ca-cert.p12 .cuckoo/analyzer/windows/bin/cert.p12

Replace mitm.py to avoid errors later.

#for https://github.com/cuckoosandbox/cuckoo/issues/2313
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/9a1cd18a079de49cc5279631c04995313e2b509e/cuckoo/auxiliary/mitm.py
mv mitm.py ./cuckoo/cuckoo/auxiliary/

Install M2Crypto, which Cuckoo needs for analysis. Build the Debian source package with its patches applied:

# for m2crypto
wget http://deb.debian.org/debian/pool/main/m/m2crypto/m2crypto_0.24.0.orig.tar.xz
wget http://deb.debian.org/debian/pool/main/m/m2crypto/m2crypto_0.24.0-1.1.debian.tar.xz
tar xvf m2crypto_0.24.0.orig.tar.xz
tar xvf m2crypto_0.24.0-1.1.debian.tar.xz
cp -r debian/ M2Crypto-0.24.0/
sudo apt install -y quilt
echo export QUILT_PATCHES=debian/patches>>.bashrc
source .bashrc
. venv/bin/activate
cd M2Crypto-0.24.0/
quilt push
python setup.py sdist
cd ../
sudo apt install -y libssl1.0-dev
pip install M2Crypto-0.24.0/dist/M2Crypto-0.24.0.tar.gz

Start up MongoDB and ElasticSearch for use with Cuckoo.

sudo service elasticsearch start
sudo systemctl enable elasticsearch
sudo service mongodb start
sudo systemctl enable mongodb

Modifying the Cuckoo Configuration File

From here, we will modify various Cuckoo configuration files according to the environment.

vi .cuckoo/conf/auxiliary.conf
[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
#enabled = no
enabled = yes
(snip)
# path is correct.
#mitmdump = /usr/local/bin/mitmdump
mitmdump = /home/infected/.local/bin/mitmdump

vi .cuckoo/conf/cuckoo.conf
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
#memory_dump = no
memory_dump = yes
(snip)
# The value is expressed in bytes, by default 128 MB.
#upload_max_size = 134217728
upload_max_size = 1610612736

vi .cuckoo/conf/memory.conf
[basic]
# Profile to avoid wasting time identifying it
#guest_profile = WinXPSP2x86
guest_profile = Win7SP1x86

vi .cuckoo/conf/processing.conf
[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
#enabled = no
enabled = yes

vi .cuckoo/conf/reporting.conf
[mongodb]
#enabled = no
enabled = yes
(snip)
[elasticsearch]
#enabled = no
enabled = yes
(snip)
#hosts = 127.0.0.1
hosts = 127.0.0.1:9200

vi .cuckoo/conf/virtualbox.conf
[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
#label = cuckoo1
label = Win7SP1x86
(snip)
# Example (Snapshot1 is the snapshot name):
#snapshot =
snapshot = cuckoo
(snip)
# Example (vboxnet0 is the interface name):
#interface =
interface = vboxnet0
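The mistake that costs the most time with this setup is that the memory dump (cuckoo.conf) and the Volatility processing module (processing.conf) live in different files, and MalConfScan output only appears in the report when both are on. The following consistency check is my own added example, not part of the article or of Cuckoo: it reads the conf files with Python 3's configparser and compares the options edited above against the article's values. The section and option names are those of Cuckoo 2.0.x; the expected profile, VM label, snapshot name and interface are assumptions taken from this article, and the configuration embedded at the bottom is a constructed excerpt for testing.

```python
"""Cross-check the Cuckoo settings that MalConfScan with Cuckoo depends on.

Added example (not part of the article or of Cuckoo): reads the conf files
edited above and reports inconsistencies, e.g. a memory dump that is taken but
never processed, so no MalConfScan section appears in the report. Section and
option names are those of Cuckoo 2.0.x; the expected profile, VM label,
snapshot and interface are the article's values (assumptions for other setups).
Usage:  python3 check_cuckoo_conf.py     # reads ~/.cuckoo/conf
"""
import configparser
import os

EXPECTED = {"guest_profile": "Win7SP1x86", "label": "Win7SP1x86",
            "snapshot": "cuckoo", "interface": "vboxnet0"}


def _load(confs):
    """Accept a directory path or a {file name: text} mapping; return parsers."""
    if isinstance(confs, str):
        confs = {f: open(os.path.join(confs, f)).read()
                 for f in os.listdir(confs) if f.endswith(".conf")}
    parsed = {}
    for name, text in confs.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        parsed[name] = cp
    return parsed


def check_cuckoo_conf(confs, expected=EXPECTED):
    """Return a list of problems (empty list = the settings are consistent)."""
    cfg = _load(confs)
    problems = []

    def get(fname, section, option):
        if fname not in cfg:
            problems.append("%s not found" % fname)
            return ""
        return cfg[fname].get(section, option, fallback="").strip()

    # MalConfScan runs inside Cuckoo's Volatility processing, which needs both
    # the dump to be taken (cuckoo.conf) and the memory module to be enabled.
    if get("cuckoo.conf", "cuckoo", "memory_dump") != "yes":
        problems.append("cuckoo.conf [cuckoo] memory_dump must be yes, or no dump is taken")
    if get("processing.conf", "memory", "enabled") != "yes":
        problems.append("processing.conf [memory] enabled must be yes, or the dump is never scanned")

    profile = get("memory.conf", "basic", "guest_profile")
    if profile != expected["guest_profile"]:
        problems.append("memory.conf guest_profile is %r, expected %r" % (profile, expected["guest_profile"]))

    machines = [m.strip() for m in get("virtualbox.conf", "virtualbox", "machines").split(",") if m.strip()]
    if not machines:
        problems.append("virtualbox.conf [virtualbox] machines is empty")
    for m in machines:
        for opt in ("label", "snapshot", "interface"):
            val = get("virtualbox.conf", m, opt)
            if val != expected[opt]:
                problems.append("virtualbox.conf [%s] %s is %r, expected %r" % (m, opt, val, expected[opt]))

    if get("auxiliary.conf", "mitm", "enabled") == "yes" and not get("auxiliary.conf", "mitm", "mitmdump"):
        problems.append("auxiliary.conf [mitm] is enabled but mitmdump has no path")
    if get("reporting.conf", "mongodb", "enabled") != "yes":
        problems.append("reporting.conf [mongodb] must be enabled for the web interface to show reports")
    return problems


# Constructed sample reproducing the edits made above (only the relevant keys).
SAMPLE_CONF = {
    "cuckoo.conf": "[cuckoo]\nmemory_dump = yes\nupload_max_size = 1610612736\n",
    "processing.conf": "[memory]\nenabled = yes\n",
    "memory.conf": "[basic]\nguest_profile = Win7SP1x86\n",
    "virtualbox.conf": ("[virtualbox]\nmachines = cuckoo1\n\n[cuckoo1]\n"
                        "label = Win7SP1x86\nplatform = windows\nip = 192.168.56.101\n"
                        "snapshot = cuckoo\ninterface = vboxnet0\n"),
    "auxiliary.conf": "[mitm]\nenabled = yes\nmitmdump = /home/infected/.local/bin/mitmdump\n",
    "reporting.conf": "[mongodb]\nenabled = yes\n\n[elasticsearch]\nenabled = yes\nhosts = 127.0.0.1:9200\n",
}

if __name__ == "__main__":
    found = check_cuckoo_conf(os.path.expanduser("~/.cuckoo/conf"))
    print("\n".join(found) if found else "OK")
```

Run it after editing the files and before the first submission; an empty result means the six edits agree with each other, and each reported line names the file and section to fix.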

Cuckoo Network Configuration

Configure the network. First, work around a systemd-resolved problem: on Ubuntu 18.04 /etc/resolv.conf is a symlink to the stub file, which lists only 127.0.0.53, so point it at the resolver's full resolv.conf instead.

ls -l /etc/resolv.conf
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved restart

Next, configure iptables: the sandbox is allowed to reach the Internet, but forwarding to the private (RFC 1918) ranges is dropped. I have tested this configuration, but letting samples talk to the Internet still worries me; unless you specifically need Internet connectivity, keep the Ubuntu sandbox host isolated.

# Flush any existing rules first.
sudo iptables -t nat -F
sudo iptables -F
sudo iptables -L
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i vboxnet0 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
# ens33 is this host's NAT uplink; substitute your interface name (ip link).
# The private-range DROPs must come before the ACCEPT below (first match wins).
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.0.0/16 -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 172.16.0.0/12 -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 10.0.0.0/8 -i vboxnet0 -o ens33 -j DROP
sudo iptables -A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo sysctl -w net.ipv4.ip_forward=1

Make the settings persistent (answer Yes to the prompts that appear):

sudo apt install -y iptables-persistent
sudo bash
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
exit

Verify Network Settings.

$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 192.168.0.0/16 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 172.16.0.0/12 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 10.0.0.0/8 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE
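Eyeballing that listing is error-prone, so here is an added check of my own (not from the article or Cuckoo): a Python 3 script that parses the output of `sudo iptables -S` and verifies the properties the ruleset above is meant to guarantee: DROP policies on INPUT and FORWARD, a DROP for each private range, and those DROPs sitting before the ACCEPT for new connections (iptables stops at the first match, so an ACCEPT placed first would make the DROPs dead). The interface names and guest subnet are the article's and are assumptions for any other host; the sample rule text is a constructed copy of the listing above, plus one variant lacking “-P FORWARD DROP”, the omission the update history records, and one with the ACCEPT inserted ahead of the DROPs.

```python
"""Check that the Cuckoo guest network is isolated the way the rules above intend.

Added example (not part of the article or of Cuckoo): parse the text printed by
`sudo iptables -S` and verify the properties that matter for a malware sandbox.
Usage:  sudo iptables -S | python3 check_isolation.py
"""
import ipaddress
import re
import sys

# Values from the article; GUEST_IF/OUT_IF are assumptions, adjust to your host.
GUEST_NET = ipaddress.ip_network("192.168.56.0/24")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_IF, OUT_IF = "vboxnet0", "ens33"

_OPTS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out",
         "-j": "target", "--ctstate": "ctstate"}


def _parse_rule(line):
    """Reduce one `-A CHAIN ...` line to the options the checks look at."""
    toks = line.split()
    rule = {"chain": toks[1], "src": None, "dst": None, "in": None,
            "out": None, "target": None, "ctstate": None}
    for key, val in zip(toks, toks[1:]):
        if key in _OPTS:
            rule[_OPTS[key]] = val
    return rule


def _same_net(text, net):
    return text is not None and ipaddress.ip_network(text, strict=False) == net


def check_isolation(rules_text):
    """Return a list of problems found in `iptables -S` output (empty = OK)."""
    problems = []
    policies = dict(re.findall(r"^-P (\w+) (\w+)", rules_text, re.M))
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            problems.append("default policy of %s is %s, expected DROP"
                            % (chain, policies.get(chain)))

    forward = [_parse_rule(line) for line in rules_text.splitlines()
               if line.startswith("-A FORWARD ")]
    # First match wins: locate the ACCEPT for new guest connections, then make
    # sure every private-range DROP is listed before it.
    accept_idx = next((i for i, r in enumerate(forward)
                       if r["target"] == "ACCEPT" and r["ctstate"] == "NEW"
                       and r["in"] == GUEST_IF and r["out"] == OUT_IF), None)
    if accept_idx is None:
        problems.append("no ACCEPT for NEW connections from %s via %s"
                        % (GUEST_IF, OUT_IF))
    for net in PRIVATE_NETS:
        drop_idx = next((i for i, r in enumerate(forward)
                         if r["target"] == "DROP" and _same_net(r["src"], GUEST_NET)
                         and _same_net(r["dst"], net)), None)
        if drop_idx is None:
            problems.append("no DROP for guest traffic to %s" % net)
        elif accept_idx is not None and drop_idx > accept_idx:
            problems.append("DROP for %s is listed after the ACCEPT and never matches" % net)
    return problems


# Constructed sample: the listing from the article.
GOOD_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 192.168.0.0/16 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 172.16.0.0/12 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 10.0.0.0/8 -i vboxnet0 -o ens33 -j DROP
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT
"""
# Without `iptables -P FORWARD DROP` the chain keeps its default ACCEPT policy.
MISSING_POLICY = GOOD_RULES.replace("-P FORWARD DROP", "-P FORWARD ACCEPT")
# The same rules with the ACCEPT added ahead of the DROPs: the DROPs are dead.
WRONG_ORDER = GOOD_RULES.replace(
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n",
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o ens33 -m conntrack --ctstate NEW -j ACCEPT\n")

if __name__ == "__main__":
    found = check_isolation(sys.stdin.read())
    print("\n".join(found) if found else "OK")
    sys.exit(1 if found else 0)
```

The check deliberately reads the live ruleset rather than the commands you typed: `iptables-persistent` restores whatever was saved, and a rule typed in the wrong order or a forgotten policy line is only visible in `iptables -S`.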

Launch Cuckoo

The host has been rebooted since vboxnet0 was configured, so set its address again first:

sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Now that everything is ready, start Cuckoo.

cuckoo community
cuckoo

If the following appears, Cuckoo has started correctly and is waiting for samples:

(Cuckoo ASCII-art banner)
Cuckoo Sandbox 2.0.6
www.cuckoosandbox.org
Copyright © 2010–2018
Checking for updates…
You’re good to go!
Our latest blogposts:
* IQY malspam campaign, October 15, 2018.
Analysis of a malspam campaign leveraging .IQY (Excel Web Query) files containing DDE to achieve code execution.
More at https://hatching.io/blog/iqy-malspam
* Hooking VBScript execution in Cuckoo, October 03, 2018.
Details on implementation of Visual Basic Script instrumentation for Cuckoo Monitor for extraction of dynamically executed VBScript.
More at https://hatching.io/blog/vbscript-hooking
* Cuckoo Sandbox 2.0.6 pentest, September 18, 2018.
Cuckoo Sandbox 2.0.6 public pentest performed by Cure53 and sponsored by PolySwarm!
More at https://hatching.io/blog/cuckoo-206-pentest
* Cuckoo Sandbox 2.0.6, June 07, 2018.
Interim release awaiting the big release.
More at https://cuckoosandbox.org/blog/206-interim-release
* Cuckoo Sandbox 2.0.5: Office DDE, December 03, 2017.
Brand new release based on a DDE case study.
More at https://cuckoosandbox.org/blog/205-office-dde
2019–05–21 23:54:00,165 [cuckoo.core.scheduler] INFO: Using “virtualbox” as machine manager
2019–05–21 23:54:00,737 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019–05–21 23:54:00,757 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Cuckoo Web interface

Start the web UI for use in a browser. Open another terminal and type:

. venv/bin/activate
cuckoo web
Performing system checks…
System check identified no issues (0 silenced).
May 22, 2019 - 03:21:32
Django version 1.8.4, using settings ‘cuckoo.web.web.settings’
Starting development server at http://localhost:8000/
Quit the server with CONTROL-C.

When the above display appears, you are ready.

Open “http://127.0.0.1:8000/” to get the Cuckoo web page. Dragging and dropping a file into the “SUBMIT A FILE FOR ANALYSIS” area opens the analysis settings screen; for URLs and hashes, paste them into “Submit URLs/hashes” and click “Submit” to reach the same screen.

Cuckoo Web — Firefox

The following is the report for an Emotet sample: MalConfScan identifies the process as Emotet and extracts its list of command-and-control addresses (IP:port).

Cuckoo Report Sample — Emotet

Using Cuckoo after a reboot

Since vboxnet0 appears to be disabled, you must enable vboxnet0 by typing the following command before starting Cuckoo:

sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
. venv/bin/activate
cuckoo &
cuckoo web &

Thanks.


Appendix

Office 2016 in Sandbox Crashes During Analysis

Cuckoo 2.0.6 has a known bug (issues #2302, #2737, etc.): when an Office document such as a .docx is analyzed with MS Office 2016 (Office 365 etc.) in the sandbox, the process that opens it crashes.

You can avoid this by using an older version of Office, or by turning off injection for the submission (the “Enable Injection” / “Enable behavior analysis” option).

Options : Enable Injection

Dark Mode

The color scheme can be changed with the brush icon in the upper right corner. There are three themes, including a dark mode, so pick the one you like.

Effect of the anti-detection measures

For reference, I submitted pafish to see how much of the analysis-environment detection the measures above avoid.

  • a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
    https://github.com/a0rtega/pafish

The results are as follows.

Pafish 1/3
Pafish 2/3
Pafish 3/3

Initialize iptables

sudo iptables -t nat -F
sudo iptables -F
sudo iptables -L

Disable Screen Lock

  • [Setting] -> [Privacy] -> [ScreenLock] -> OFF
  • [Setting] -> [Power] -> [Blank screen] -> Never

About Modifying emotetscan.py

Earlier versions of MalConfScan needed the following change; it has since been fixed upstream and is no longer required. For the record, the change was:

vi MalConfScan/utils/emotetscan.py
# p_data["IP " + str(i)] = str(inet_ntoa(ip)) + ":" + str(port)
p_data[str(unpack("!I", ip)[0])] = str(inet_ntoa(ip)) + ":" + str(port)

Original text

Build a MalConfScan with Cuckoo environment to analyze Emotet -setodaNote (Japanese)
https://soji256.hatenablog.jp/entry/2019/05/23/004911

Update History

  • 2019/05/23 New.
  • 2019/05/25 Fixed some typographical errors.
  • 2019/06/01
    - Added network noise suppression to the sandbox environment.
    - Removed modification to emotetscan.py around MongoDB (Issues #2) .
    - Added a note about a bug that caused Office 2016 to crash.
    - Added a reboot of the host to the procedure before the first run of mitmproxy.
    - Added iptables initialization to the procedure. Fixed “sudo iptables -P FORWARD DROP” missing from iptables settings.
    - Added modification to emotetscan.py (Issue #3).
    - Corrected the incorrect file path modification for cert.p12 in “.cuckoo/conf/auxiliary.conf” (the default entry was fine).
  • 2019/06/08
    - Changed the title from “Build a MalConfScan with Cuckoo environment to analyze Emotet”.
    - The description of the modification to emotetscan.py has been moved from the text to the appendix.
  • 2019/08/05
    - Added reference to the articles introducing MalConfScan by JPCERT/CC.
  • 2020/03/03 Revised.


soji256

Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256] ,CISSP