The Defense Cyber Crime Center (DC3) released the DC3 Malware Configuration Parser (DC3-MWCP) framework to the open source community on May 6, 2015.
The DC3-MWCP framework provides a structure for malware reverse engineers to easily codify knowledge of where important configuration data are hidden within malicious files. This codified knowledge can be leveraged in future analyses to quickly extract valuable configuration information.
With DC3-MWCP, a tool development process that could previously take weeks may be shortened to just days.
A given piece of malware can be authored by one entity, and then reconfigured and used by other groups. Before launching an attack with the malware, a hacker customizes configuration settings within the malware, much like the user of a home PC customizes preferences. The hacker might select options for the Command and Control (C2) server, the time the malware should sleep before executing, or notes about the malware’s purpose. These customized configuration details are embedded and obfuscated within the malware files.
Malware reverse engineers work to locate this information within the files to provide valuable indicators to cyber analysts. In addition, malware analysts often create a script to automatically extract this configuration data. Each script is unique with its own run commands, output format, and naming scheme.
DC3-MWCP standardizes these aspects of a configuration parser, providing a single interface for running parsers and receiving their output, as well as easing the creation of new parsers. The framework can be accessed as a standalone utility, through a REST API, or through a Python API. This flexibility allows any configuration parser to be immediately used and incorporated into any organization’s workflow.
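The paragraphs above describe the pattern a configuration parser follows: locate the obfuscated configuration block inside a file, decode it, and emit the recovered indicators (C2 server, sleep interval, operator notes) in one standardized output format. The following is an added illustration of that pattern and is not DC3-MWCP code or its API; the file layout (a `CFG!` marker, a one-byte XOR key, a two-byte length, then the XOR-encoded `key=value` pairs) and the sample it parses are constructed for this example, and the output field names are chosen here, not taken from the framework.

```python
import json
import struct

MARKER = b"CFG!"  # hypothetical marker that precedes the embedded config block


def build_sample(c2: str, sleep_seconds: int, note: str, key: int = 0x5A) -> bytes:
    """Construct a fake 'malware file' for the demo: padding, marker, key, length, XOR'd body."""
    plain = f"c2={c2}|sleep={sleep_seconds}|note={note}".encode()
    encoded = bytes(b ^ key for b in plain)
    return (b"\x00" * 64 + b"padding" + MARKER + bytes([key])
            + struct.pack("<H", len(encoded)) + encoded + b"\x00" * 32)


def empty_report() -> dict:
    """The standardized shape every parser run returns, even when nothing is found."""
    return {"c2_address": [], "sleep_seconds": None, "notes": [], "errors": []}


def parse_config(data: bytes) -> dict:
    """Locate the marker, decode the block, and map raw fields onto standard report keys."""
    report = empty_report()
    idx = data.find(MARKER)
    if idx == -1:
        report["errors"].append("config marker not found")
        return report
    key = data[idx + len(MARKER)]
    (length,) = struct.unpack_from("<H", data, idx + len(MARKER) + 1)
    start = idx + len(MARKER) + 3
    encoded = data[start:start + length]
    if len(encoded) != length:
        report["errors"].append("config block truncated")
        return report
    plain = bytes(b ^ key for b in encoded).decode("latin-1")
    # Raw fields use whatever names the malware author chose; the report uses ours.
    for pair in plain.split("|"):
        name, _, value = pair.partition("=")
        if name == "c2":
            report["c2_address"].append(value)
        elif name == "sleep" and value.isdigit():
            report["sleep_seconds"] = int(value)
        elif name == "note":
            report["notes"].append(value)
    return report


def run_parser(data: bytes) -> str:
    """Single entry point with a single output format, as a framework would expose."""
    return json.dumps(parse_config(data), sort_keys=True)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address (TEST-NET-3); the note is made up.
    sample = build_sample("203.0.113.10:443", 30, "test-campaign")
    print(run_parser(sample))
    print(run_parser(b"a file with no config block"))
```

Every run returns the same keys whether or not the block was found, so downstream tooling can consume parser output without knowing which parser produced it; that uniformity, rather than the decoding itself, is what turns a one-off script into a reusable parser.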
Prior to the creation of DC3-MWCP, the process of creating a new configuration parser and integrating it into DC3’s automation system took between four and six weeks. With the advent of DC3-MWCP, this process is shortened to as little as one to two days. Malware reverse engineers can quickly create, test, and deploy a parser into DC3’s system. The release of DC3-MWCP provides new capabilities for the malware analysis community, and creates a new standard to improve the sharing of tools among community members.
DC3-MWCP is available for download at https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP.
DC3 has a history of supporting the digital forensics community. The widely used dc3dd was open sourced in 2008, with the latest release for 64-bit versions of Windows posted on March 3, 2015.
Established as an entity within the Department of the Air Force in 1998, DC3 provides digital and multimedia (D/MM) forensics, cyber investigative training, technical solutions development, and cyber analytics for the following DoD mission areas: information assurance (IA) and critical infrastructure protection (CIP), law enforcement and counterintelligence (LE/CI), document and media exploitation (DOMEX), and counterterrorism (CT). For more information, visit www.dc3.mil.
DC3 Framework Expedites Malware Analysis