how to use - JPCERTCC/MalConfScan-with-Cuckoo GitHub Wiki

Run your Cuckoo server and submit the sample you want to analyze.

1. Run your server

1.1. start Cuckoo

$ cuckoo --cwd /opt/cuckoo

1.2. Run the Web Interface

$ cuckoo --cwd /opt/cuckoo web runserver 0.0.0.0:7777

2. Submit your samples

2.1. submit via web interface

Submit the sample from the web interface.

(screenshot: cuckoo-web-submit)

2.2. submit via CLI

$ cuckoo submit /path/to/binary

For more details, see the official documentation:

Submit an Analysis | Cuckoo Sandbox Docs

3. Check the analysis result

If MalConfScan finds a known malware configuration in the memory dump, the extracted configuration is shown in the results.

3.1. Check the result from web interface

  1. Click the VM Memory Dump icon.

(screenshot: cuckoo-web-report-step1)

  2. Click the MalConfScan tab.

(screenshot: cuckoo-web-report-step2)

3.2. Check the result in JSON

You can find the analysis result in the Cuckoo Working Directory:

/opt/cuckoo/storage/analyses/[analysis number]/report/report.json

The following is a sample of the configuration dumped from TSCookie, as it appears in report.json.

...snip...
"malconfscan": {
    "data": [
        {
            "malconf": [
                [
                    {"Server 0": "jpcert.ignorelist.com"},
                    {"Server 0 (port 1)": "443"},
                    {"Server 0 (port 2)": "0"},
                    {"Server 1": "jpcerts.jpcertinfo.com"},
                    {"Server 1 (port 1)": "443"},
                    {"Server 1 (port 2)": "80"},
                    {"Server 2": "45.76.102.145"},
                    {"Server 2 (port 1)": "443"},
                    {"Server 2 (port 2)": "0"},
                    {"ID": "A\u0000v\u00003\u0000-\u0000l"},
                    {"KEY": "2455402077"},
                    {"Sleep time": "56"}
                ]
            ],
            "vad_base_addr": "0x03997696", 
            "process_name": "64174c53199de5242b59a3bbe1b326de.exe",
            "process_id": "2764", 
            "malware_name": "TSCookie", 
            "size": "0x00065536"
        }
    ]
},
...snip...
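As an added example (not part of the MalConfScan-with-Cuckoo project), the following Python script reads the `malconfscan` section of report.json and lists each detected malware family with its C2 hosts and ports, so the result can be fed into blocklists or detection rules. It embeds the TSCookie sample above as constructed input and assumes that a port value of "0" means the port is unset.

```python
import json
import re

# Constructed sample: the "malconfscan" section of report.json from the TSCookie
# example on this page; the rest of the Cuckoo report is omitted.
SAMPLE_REPORT = r'''{"malconfscan": {"data": [{
  "malconf": [[
    {"Server 0": "jpcert.ignorelist.com"}, {"Server 0 (port 1)": "443"}, {"Server 0 (port 2)": "0"},
    {"Server 1": "jpcerts.jpcertinfo.com"}, {"Server 1 (port 1)": "443"}, {"Server 1 (port 2)": "80"},
    {"Server 2": "45.76.102.145"}, {"Server 2 (port 1)": "443"}, {"Server 2 (port 2)": "0"},
    {"ID": "A\u0000v\u00003\u0000-\u0000l"}, {"KEY": "2455402077"}, {"Sleep time": "56"}
  ]],
  "vad_base_addr": "0x03997696", "process_name": "64174c53199de5242b59a3bbe1b326de.exe",
  "process_id": "2764", "malware_name": "TSCookie", "size": "0x00065536"
}]}}'''

SERVER_RE = re.compile(r"^Server (\d+)$")
PORT_RE = re.compile(r"^Server (\d+) \(port \d+\)$")

def flatten_config(malconf):
    """Merge MalConfScan's list-of-lists of single-key dicts into one flat dict."""
    flat = {}
    for group in malconf:
        for entry in group:
            flat.update(entry)
    return flat

def extract_c2(config):
    """Return [(host, [ports]), ...] in server order; port "0" is assumed to mean unset."""
    hosts, ports = {}, {}
    for key, value in config.items():
        m = SERVER_RE.match(key)
        if m:
            hosts[int(m.group(1))] = value
            continue
        m = PORT_RE.match(key)
        if m and value != "0":
            ports.setdefault(int(m.group(1)), []).append(int(value))
    return [(hosts[i], ports.get(i, [])) for i in sorted(hosts)]

def summarize_report(report_text):
    """Parse a Cuckoo report.json and list every MalConfScan hit with its C2 servers."""
    hits = []
    for item in json.loads(report_text).get("malconfscan", {}).get("data", []):
        config = flatten_config(item.get("malconf", []))
        hits.append({"malware_name": item.get("malware_name"),
                     "process_id": int(item.get("process_id", 0)),
                     "c2": extract_c2(config)})
    return hits
```

To run it against a real analysis, read `/opt/cuckoo/storage/analyses/[analysis number]/report/report.json` and pass its contents to `summarize_report`.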