A Malware Configuration Extraction Tool and Modules for MalDuck
This project is FREE as in FREE 🍺; use it commercially, privately, or however you see fit.
The easiest way to use this project is to visit mwcfg.info and start extracting malware configs right away!
If you like this project and wish to donate 💰 to support the fight against malware...
Buy me a 🍵, as I don't drink 🍺, by sending me some ₿ to 16oXesi7uv3jdPZxxwarHSD2f3cNMpaih9
Installation:
```shell
sudo apt update
sudo apt install -y python-virtualenv python-is-python3 git-lfs gnupg ca-certificates
# Mono repository (needed for the .NET-based modules)
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb https://download.mono-project.com/repo/ubuntu stable-focal main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
sudo apt update
sudo apt install mono-devel
git clone --recursive https://github.com/c3rb3ru5d3d53c/mwcfg.git
cd mwcfg/
virtualenv -p python3 venv
source venv/bin/activate
pip install -v .
# fetch the LFS-tracked test archive, then extract it into tests/ (archive password: infected)
git lfs pull --include "tests/azorult.zip"
unzip -P infected tests/azorult.zip -d tests/
mwcfg --input tests/azorult/ --modules modules/ --threads 4 --debug
mwcfg --input tests/azorult/ --list-modules
```
Installation with PyPI:
```shell
sudo apt install -y python-virtualenv python-is-python3
virtualenv venv/
source venv/bin/activate
pip install mwcfg
git clone https://github.com/c3rb3ru5d3d53c/mwcfg-modules.git modules/
mwcfg --input sample.bin --modules modules/ --debug
```
Server Installation with Docker:
```shell
sudo apt install -y docker.io make
sudo usermod -a -G docker $USER   # log out and back in for the group change to take effect
make mwcfg-server                 # Build Server
make mwcfg-server-start           # Start the Server
make mwcfg-server-status          # Check Running Status
make mwcfg-server-logs            # Tail Logs
make mwcfg-server-stop            # Stop Server
make mwcfg-server-clean           # Delete Server
```
Once completed, navigate to https://127.0.0.1
You can alternatively upload samples and get results from the command line:
```shell
curl --silent --insecure -X POST --upload-file sample.bin https://127.0.0.1
```
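As an added example (not code from the mwcfg project), a small Python client that does for a whole directory what the curl line above does for one file: each sample is sent as the raw POST body, exactly as `curl --upload-file` does (not as a multipart form), and the reply is saved under the sample's SHA-256. The host, port 443, the `/` upload path and a JSON reply are assumptions taken from the curl line, not documented server behaviour.

```python
"""Added example: batch client for a local mwcfg-server; samples go as raw POST bodies (like curl --upload-file)."""
import hashlib
import http.client
import json
import ssl
import sys
from pathlib import Path

def sha256_of(data: bytes) -> str:
    """Content hash used as a stable identifier for each submitted sample."""
    return hashlib.sha256(data).hexdigest()

def make_tls_context(verify: bool) -> ssl.SSLContext:
    """verify=False mirrors `curl --insecure`; keep verification on for any server you did not deploy."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def decode_body(raw: str):
    """Assumption (not documented on the page): the server answers with JSON; otherwise keep the text."""
    try:
        return json.loads(raw)
    except ValueError:
        return raw

def submit(data: bytes, host="127.0.0.1", port=443, verify=True, timeout=120.0) -> dict:
    """POST the raw sample bytes to / (assumed upload endpoint) and return status plus decoded body."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=make_tls_context(verify))
    try:
        conn.request("POST", "/", body=data, headers={"Content-Type": "application/octet-stream"})
        resp = conn.getresponse()
        return {"status": resp.status, "body": decode_body(resp.read().decode("utf-8", "replace"))}
    finally:
        conn.close()

def submit_directory(sample_dir: str, out_dir: str, **kw) -> dict:
    """Upload every regular file in sample_dir and write <sha256>.json per sample into out_dir."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = {}
    for path in sorted(p for p in Path(sample_dir).iterdir() if p.is_file()):
        data = path.read_bytes()
        digest = sha256_of(data)
        results[digest] = submit(data, **kw)
        (out / f"{digest}.json").write_text(json.dumps(results[digest], indent=2))
    return results

if __name__ == "__main__":  # python client.py tests/azorult/ results/ ; verify=False: local self-signed server
    print(json.dumps(submit_directory(sys.argv[1], sys.argv[2], verify=False), indent=2))
```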
mwcfg Usage:
```text
usage: mwcfg v1.0.0 [-h] [--version] [-i INPUT] -m MODULES [--list-modules] [-d] [-p] [-t THREADS] [-r] [-l LOG]

A Modular Malware Configuration Extraction Utility for MalDuck

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -i INPUT, --input INPUT
                        Input File or Directory
  -m MODULES, --modules MODULES
                        Modules
  --list-modules
  -d, --debug           Debug
  -p, --pretty          Pretty Print Configs
  -t THREADS, --threads THREADS
                        Threads
  -r, --recursive       Recursive
  -l LOG, --log LOG     Log to File

Author: c3rb3ru5
```
mwcfg-server Usage:
```text
usage: mwcfg-server v1.0.0 [-h] [--version] [--host HOST] [-p PORT] -m MODULES [-u UPLOADS] [-d]

A Modular Malware Configuration Extraction Server using MalDuck

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --host HOST           Host
  -p PORT, --port PORT
  -m MODULES, --modules MODULES
                        Modules
  -u UPLOADS, --uploads UPLOADS
                        Uploads Directory
  -d, --debug

Author: c3rb3ru5
```
Karton Framework Installation:
```shell
sudo apt install -y python-virtualenv python-is-python3 git-lfs
git clone --recursive https://github.com/c3rb3ru5d3d53c/mwcfg.git
cd mwcfg/
virtualenv venv/
source venv/bin/activate
./setup.py install
pip install karton-config-extractor
karton-config-extractor --config-file karton.ini --modules modules/
```
Contributing Modules:
Please refer to CONTRIBUTING.md
Additional Resources: