"MalCfgParser" is a malware configuration parsing tool for incident response analysts and malware researchers. Malware detection and analysis evasion is a cat-and-mouse game between analysts and malware authors. The attackers apply diverse landing mechanisms or obfuscation techniques to cloak their backdoors. It is imperative to adopt automated analysis to handle these rapidly changing malware. In this talk, we present "MalCfgParser", which dives into memory to perform automatic and brute-force parsing to extract the malware configuration. Malware configurations expose C&C servers, encryption key, campaign code, installation path or mutex name. It helps analysts or enterprise to produce a more complete vision to threat. The MalCfgParser operate standalone for manually analysis, integrate with a sandbox, or any memory forensics tools. It is designed to be a flexible framework that every malware researcher could contribute their knowledge of a specific malware family, and easily add configuration settings to enhance its power. We believe the above scenarios and operated modes serve the needs for people fighting with malware, including malware researchers, forensic or incident response. Lastly, we will have a live demo for both standalone and integration with TeamT5 product with several notorious APT malware, or crimeware.

1. MALCFGPARSER
A LIGHTWEIGHT MALWARE CONFIGURATION PARSING TOOL

2. YCY
Cyber Threat Analyst
DUCKLL
Cyber Threat Analyst
CHARLES LI
Chief Analyst

3. 3
60+ Clients in Asia Pacific
90%+ MSSP in Taiwan
Government agencies
Telecom / ISP
Leading CTI Firms
Accounting firms / Financial sectors
Semiconductor / Manufacturing
International Trading
NGO / NPO
Taiwan
10+ Partners
Japan
2+ Partners
Start from APAC, Speak for APAC, Guardian of APAC
ASEAN
3+ Partners

4. POWERED BY
SUPPORTS
AND POSSIBLY
OTHER PRODUCTS…?

5. MEMORY DUMP SCAN
ADVERSARY: POLARIS (MUSTANG PANDA)
MALWARE: PLUGX

6. LIVE MEMORY SCAN
MALWARE: PHANTOMIVY

7. LIVE MEMORY SCANEVER-CHANGING MALWARE
2015 FROM APT20
PLUGX 0X36A4 LOADER
2016 FROM DRAGONOK
> STRINGS
cPNfEPGjP<p=t
XeWTjYfOOib]jYR
hJ;b@K:CJiFCJaNBJX
c[]ln[x
d5BF
Ba>;BP
rIFBPmTGQIP
<111
T;BB7
bhgvn
pRCjHSBKRoVISKRv
GetProcAddress
LoadLibraryA
KERNEL32.dll
;Tls.u
MessageBoxA
user32.dll
GetModuleFileNameA
GetModuleHandleA
GetSystemTime
Sleep
lstrlenA
kernel32.dll
!+W
RasTls.dll
DoWork
2X<^<&=
…

8. LIVE MEMORY SCANEVER-CHANGING MALWARE
2017 FROM SLIME.HLEMONK
PLUGX 0X36A4 LOADER
IN MEMORY
> STRINGS
Create
FileW
CreateFileMappingW
MapViewOfFile
GetSystemTime
GetModuleHandleA
VirtualProtect
VirtualAlloc
GetModuleFileNameW
lstrcpyW
lstrcpyA
lstrcatA
GetProcAddress
GetLastError
f91u
JhL0
VVVVVVQV
5L0
ExitProcess
GetCommandLineW
CreateProcessW
WaitForSingleObject
lstrcpyW
KERNEL32.dll
JP0
JP1
JAP0
JAP1

9. ANOTHER CHALLENGE…

10. So here is born of…

11. WORKING WITH CUCKOO

12. WORKING WITH THREATSONAR

13. Malware
Configuration
{
“C&C Server1": "…"
“C&C Server2": "…"
"Installation Path":
"…"
}
VIRTUAL MACHINE
LIVE MEMORY SCANHOW DOES IT WORK?
MALCFGPARSER
MALWARE
DUMP FILES
PID

14. LIVE MEMORY SCANINSIDE MALCFGPARSER
Structure
POWERED BY
POWERED BY Parse
Scan LOADS
Decode
Brute Force Parsing
Validate

15. MALWARE
LIVE MEMORY SCANWORKING WITH CUCKOO
Ananlyzer
PROCESS DUMP
ProcMemory
SUPPORTED BY
GUEST MACHINE HOST MACHINE WEB SERVER

16. ycy@teamt5.org
duckll@teamt5.org
charles@teamt5.org