A Malware Configuration Extraction Tool and Modules for MalDuck
This project is FREE as in FREE 🍺, use it commercially, privately or however you see fit.
The easiest way to use this project is to visit mwcfg.info
, and start extracting malware config right away!
If you like this project and wish to donate 💰 to support the fight against malware...
Buy me a 🍵, as I don't drink 🍺, by sending me some ₿ to 16oXesi7uv3jdPZxxwarHSD2f3cNMpaih9
Installation:
sudo apt update
sudo apt install -y python-virtualenv python-is-python3 git-lfs gnupg ca-certificates
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb https://download.mono-project.com/repo/ubuntu stable-focal main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
sudo apt update
sudo apt install mono-devel
git clone --recursive https://github.com/c3rb3ru5d3d53c/mwcfg.git
cd mwcfg/
virtualenv -p python3 venv
source venv/bin/activate
pip install -v .
git lfs --include tests/azorult.zip
unzip -P infected tests/azorult.zip tests/
mwcfg --input tests/azorult/ --modules modules/ --threads 4 --debug
mwcfg --input tests/azorult/ --list-modules
Installation with PyPi:
sudo apt install -y python-virtualenv python-is-python3
virtualenv venv/
source venv/bin/activate
pip install mwcfg
git clone https://github.com/c3rb3ru5d3d53c/mwcfg-modules.git modules/
mwcfg --input sample.bin --modules modules/ --debug
Server Installation with Docker:
sudo apt install -y docker.io make
sudo usermod -a -G docker $USER
make mwcfg-server # Build Server
make mwcfg-server-start # Start the Server
make mwcfg-server-status # Check Running Status
make mwcfg-server-logs # Tail Logs
make mwcfg-server-stop # Stop Server
make mwcfg-server-clean # Delete Server
Once completed, navigate to https://127.0.0.1
You can alternatively upload samples and get results by doing:
curl --silent --insecure -X POST --upload-file sample.bin https://127.0.0.1
mwcfg Usage:
usage: mwcfg v1.0.0 [-h] [--version] [-i INPUT] -m MODULES [--list-modules] [-d] [-p] [-t THREADS] [-r] [-l LOG]
A Modular Malware Configuration Extraction Utility for MalDuck
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-i INPUT, --input INPUT
Input File or Directory
-m MODULES, --modules MODULES
Modules
--list-modules
-d, --debug Debug
-p, --pretty Pretty Print Configs
-t THREADS, --threads THREADS
Threads
-r, --recursive Recursive
-l LOG, --log LOG Log to File
Author: c3rb3ru5
mwcfg-server Usage:
usage: mwcfg-server v1.0.0 [-h] [--version] [--host HOST] [-p PORT] -m MODULES [-u UPLOADS] [-d]
A Modular Malware Configuration Extraction Server using MalDuck
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--host HOST Host
-p PORT, --port PORT
-m MODULES, --modules MODULES
Modules
-u UPLOADS, --uploads UPLOADS
Uploads Directory
-d, --debug
Author: c3rb3ru5
Karton Framework Installation:
sudo apt install -y python-virtualenv python-is-python3 git-lfs
git clone --recursive https://github.com/c3rb3ru5d3d53c/mwcfg.git
cd mwcfg/
virtualenv venv/
source venv/bin/activate
./setup.py install
pip install karton-config-extractor
karton-config-extractor --config-file karton.ini --modules modules/
Contributing Modules:
Please refer to CONTRIBUTING.md
Additional Resources: