SkillAgentSearch skills...

MalConfScan

Volatility plugin for extracts configuration data of known malware

GenerateConvertImprove

Install / Use

/learn @JPCERTCC/MalConfScan
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<div align="center"><img src="images/title.svg" width="800"></div>

Arsenal

Concept

MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.

MalConfScan sample

Supported Malware Families

MalConfScan can dump the following malware configuration data, decoded strings or DGA domains:

  • [x] Ursnif
  • [x] Emotet
  • [x] Smoke Loader
  • [x] PoisonIvy
  • [x] CobaltStrike
  • [x] NetWire
  • [x] PlugX
  • [x] RedLeaves / Himawari / Lavender / Armadill / zark20rk
  • [x] TSCookie
  • [x] TSC_Loader
  • [x] xxmm
  • [x] Datper
  • [x] Ramnit
  • [x] HawkEye
  • [x] Lokibot
  • [x] Bebloh (Shiotob/URLZone)
  • [x] AZORult
  • [x] NanoCore RAT
  • [x] AgentTesla
  • [x] FormBook
  • [x] NodeRAT (https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html)
  • [x] njRAT
  • [x] TrickBot
  • [x] Remcos
  • [x] QuasarRAT
  • [x] AsyncRAT
  • [x] WellMess (Windows/Linux)
  • [x] ELF_PLEAD
  • [ ] Pony

Additional Analysis

MalConfScan has a function to list strings to which malicious code refers. Configuration data is usually encoded by malware. Malware writes decoded configuration data to memory, it may be in memory. This feature may list decoded configuration data.

How to Install

If you want to know more details, please check the MalConfScan wiki.

How to Use

MalConfScan has two functions malconfscan, linux_malconfscan and malstrscan.

Export known malware configuration

$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64

Export known malware configuration for Linux

$ python vol.py linux_malconfscan -f images.mem --profile=LinuxDebianx64

List the referenced strings

$ python vol.py malstrscan -f images.mem --profile=Win7SP1x64

Overview & Demonstration

Following YouTube video shows the overview of MalConfScan.

MalConfScan_Overview

And, following YouTube video is the demonstration of MalConfScan.

MalConfScan_Demonstration

MalConfScan with Cuckoo

Malware configuration data can be dumped automatically by adding MalConfScan to Cuckoo Sandbox. If you need more details on Cuckoo and MalConfScan integration, please check MalConfScan with Cuckoo.

Related Skills

healthcheck

340.5k

Host security hardening and risk-tolerance configuration for OpenClaw deployments

node-connect

340.5k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

prose

340.5k

OpenProse VM skill pack. Activate on any `prose` command, .prose files, or OpenProse mentions; orchestrates multi-agent workflows.

claude-opus-4-5-migration

84.2k

Migrate prompts and code from Claude Sonnet 4.0, Sonnet 4.5, or Opus 4.1 to Opus 4.5

JPCERTCC

View profile

View on GitHub
GitHub Stars495
CategoryDevelopment
Updated1mo ago
Forks69
JPCERTCC/MalConfScan

Languages

Python

Security Score

85/100

Audited on Feb 14, 2026

No findings