danaConfig

Published: Nov 14, 2021 License: GPL-3.0 Imports: 15 Imported by: 0

README

danaConfig

DanaConfig is a static configuration extractor implemented in Golang for the main component of DanaBot (targeting Microsoft Windows). By default the script will print the extracted information to stdout. It is also capable of dumping the malware configuration to disk as a JSON file with the -j flag.

Usage
go run danaConfig.go [-j] path/to/danabot_main.dll
Screenshots

The script itself, running in verbose mode and with JSON output enabled:

A JSON file with the extracted configuration:

Sources/Credits

The idea of this config extractor is based on the work of Dennis Schwarz, who analyzed the recent spike in DanaBot activity in this article for Zscaler.

Configuration layout/contents

Below you can see the configuration structure in IDA Pro:

To visualize the approach of danaConfig, I annotated the raw contents of the DLL file in a hex editor:

Testing

This configuration extractor has been tested successfully with the following samples:

SHA-256 Sample
77ff83cc49d6c1b71c474a17eeaefad0f0a71df0a938190bf9a9a7e22531c292 Malware Bazaar
e7c9951f26973c3915ffadced059e629390c2bb55b247e2a1a95effbd7d29204 Malware Bazaar
ad0ccba36cef1de383182f866478abcd8b91f8e060d03e170987431974dc861e Malware Bazaar

If you encounter an error with danaConfig, please file a bug report via an issue. Contributions are always welcome :)

Documentation

There is no documentation for this package.
