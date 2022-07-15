The Malware Configuration Parser (MWCP) tool, developed by DC3’s Technical Solutions Development (TSD) group, can now produce STIX 2.1 output for easier integration between malware processing pipelines and cyber threat intelligence (CTI) tools.

DC3 MWCP is a framework for extracting malware configuration data and other indicators of interest from malware samples. It was open sourced in 2015 and has consistently been one of the most downloaded tools DC3 has produced.

While DC3 does not share its internally developed configuration parsers, the MWCP framework makes it easier for malware reverse engineers to write their own parsers and integrate them into their organization’s automated processes.

STIX 2.1 is the latest version of the Structured Threat Information Expression, an OASIS standard for sharing CTI between automated systems. MWCP’s primary output format has always been its own JavaScript Object Notation (JSON) schema, but the option has now been added to return STIX 2.1 content instead. This allows systems that support STIX to ingest MWCP results directly, without a middle layer that converts MWCP’s JSON into something their existing tooling can understand.
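To make the integration point concrete, the following Python is an added example (not DC3’s code, and not MWCP’s real report schema) of the kind of middle layer that native STIX output makes unnecessary: it takes a constructed, simplified stand-in for an MWCP JSON report and emits a STIX 2.1 bundle (one `malware` object, one `indicator` per C2 entry, and `indicates` relationships linking them), then runs a minimal structural check over the result. The field names in `SAMPLE_REPORT` and the helper names are assumptions for the example; only the standard library is used, so it runs offline.

```python
"""Convert a constructed, simplified MWCP-style JSON report into a STIX 2.1 bundle.

Added example: not DC3's code, and SAMPLE_REPORT is a stand-in layout, not
MWCP's actual report schema. Standard library only.
"""
import re
import uuid
from datetime import datetime, timezone

STIX_SPEC = "2.1"

# Constructed sample report (hypothetical family name, RFC 5737 TEST-NET address).
SAMPLE_REPORT = {
    "family": "ExampleRAT",
    "metadata": [
        {"type": "socket", "address": "203.0.113.10", "port": 4444},
        {"type": "url", "url": "http://example.test/gate.php"},
        {"type": "mutex", "name": "Global\\ExampleRAT"},
    ],
}


def _now() -> str:
    # STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision, 'Z' suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _sid(stix_type: str) -> str:
    # STIX identifiers are "<type>--<uuid>"; UUIDv4 is typical for SDOs/SROs.
    return f"{stix_type}--{uuid.uuid4()}"


def _obj(stix_type: str, **props) -> dict:
    # Common properties every STIX 2.1 domain/relationship object must carry.
    ts = _now()
    obj = {"type": stix_type, "spec_version": STIX_SPEC, "id": _sid(stix_type),
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def _escape(value: str) -> str:
    # STIX pattern string literals are single-quoted; escape backslash and quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def report_to_stix(report: dict) -> dict:
    """Build a STIX 2.1 bundle from the stand-in report layout above."""
    family = report["family"]
    malware = _obj("malware", name=family, is_family=True)
    objects = [malware]
    for item in report["metadata"]:
        kind = item["type"]
        if kind == "socket":
            pattern = (f"[network-traffic:dst_ref.value = '{_escape(item['address'])}' "
                       f"AND network-traffic:dst_port = {int(item['port'])}]")
        elif kind == "url":
            pattern = f"[url:value = '{_escape(item['url'])}']"
        else:
            continue  # mutexes, keys, etc. are not turned into indicators here
        indicator = _obj("indicator", name=f"{family} C2", pattern=pattern,
                         pattern_type="stix", valid_from=malware["created"],
                         indicator_types=["malicious-activity"])
        relationship = _obj("relationship", relationship_type="indicates",
                            source_ref=indicator["id"], target_ref=malware["id"])
        objects += [indicator, relationship]
    # A 2.1 bundle carries only type, id and objects (no spec_version).
    return {"type": "bundle", "id": _sid("bundle"), "objects": objects}


# Minimal structural check; a real pipeline should run a full STIX 2.1 validator.
_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def validate_bundle(bundle: dict) -> list:
    """Return a list of problems found (empty list means the bundle passed)."""
    problems, ids = [], set()
    for obj in bundle.get("objects", []):
        t, oid = obj.get("type", "?"), obj.get("id", "")
        if not _ID_RE.match(oid) or not oid.startswith(t + "--"):
            problems.append(f"{t}: malformed id {oid!r}")
        if obj.get("spec_version") != STIX_SPEC:
            problems.append(f"{t}: spec_version is not {STIX_SPEC}")
        for prop in ("created", "modified") + _REQUIRED.get(t, ()):
            if prop not in obj:
                problems.append(f"{t}: missing required property {prop}")
        ids.add(oid)
    for obj in bundle.get("objects", []):
        for ref in ("source_ref", "target_ref"):
            if ref in obj and obj[ref] not in ids:
                problems.append(f"{obj.get('type')}: dangling {ref}")
    return problems


if __name__ == "__main__":
    import json
    bundle = report_to_stix(SAMPLE_REPORT)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

The mutex entry is deliberately skipped: not every configuration item maps cleanly onto an indicator pattern, and deciding which fields become indicators, which become observables, and which stay as free-form notes is exactly the mapping work a native STIX exporter takes off the integrator’s plate.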

The existing output formats remain available for organizations that have tightly integrated them into their pipelines; the STIX output makes it easier to connect MWCP to off-the-shelf solutions.

The MWCP tool is available on GitHub at https://github.com/dod-cyber-crime-center/DC3-MWCP.