List of “Tool”

  • Visualise Event Logs to Identify Compromised Accounts - LogonTracer - Forensic
    Visualise Event Logs to Identify Compromised Accounts - LogonTracer -
    Hello again, this is Shusei Tomonaga from the Analysis Center. Event log analysis is a key element in security incident investigation. If a network is managed by Active Directory (hereafter, AD), can be identified by analysing AD event logs. For such investigation, it is quite difficult to conduct detailed analysis in AD event viewer; it is rather common to export the logs to text format or import them into SIEM/log...

    Read more

  • Detecting Datper Malware from Proxy Logs Malware
    Detecting Datper Malware from Proxy Logs
    This is Yu Nakamura from Analysis Center. This entry is to explain features of Datper, malware used for targeted attacks against Japanese organisations and how to detect it from the logs. JPCERT/CC has been observing attacks using Datper since around June 2016. Research reports on the adversary are published from LAC [1], SecureWorks [2] and Palo Alto Networks [3]. The adversary had also conducted attacks using Daserf malware in the...

    Read more

  • Clustering Malware Variants Using “impfuzzy for Neo4j” Malware
    Clustering Malware Variants Using “impfuzzy for Neo4j”
    In a past article, we introduced “impfuzzy for Neo4j”, a tool to visualise results of malware clustering (developed by JPCERT/CC). In this article, we will show the result of clustering Emdivi using the tool. Emdivi had been seen until around 2015 in targeted attacks against Japanese organisations. For more information about Emdivi, please refer to JPCERT/CC’s report. Clustering Emdivi with impfuzzy for Neo4j Emdivi has two major variants - t17...

    Read more

  • Volatility Plugin for Detecting RedLeaves Malware Malware
    Volatility Plugin for Detecting RedLeaves Malware
    Our previous blog entry introduced details of RedLeaves, a type of malware used for targeted attacks. Since then, we’ve seen reports including those from US-CERT that Management Service Providers (MSPs) have been targeted [1] [2]. In the US-CERT report, some instances have been identified where RedLeaves malware has only been found within memory with no on-disk evidence because of the behavior of self-elimination after the infection. To verify the infection...

    Read more

  • Malware Clustering using impfuzzy and Network Analysis - impfuzzy for Neo4j - Malware
    Malware Clustering using impfuzzy and Network Analysis - impfuzzy for Neo4j -
    Hi again, this is Shusei Tomonaga from the Analysis Center. This entry introduces a malware clustering tool “impfuzzy for Neo4j” developed by JPCERT/CC. Overview of impfuzzy for Neo4j impfuzzy for Neo4j is a tool to visualise results of malware clustering using a graph database, Neo4j. A graph database is a database for handling data structure comprised of records (nodes) and relations among the records. Neo4j provides functions to visualise registered...

    Read more

  • A New Tool to Detect Known Malware from Memory Images – impfuzzy for Volatility – Malware
    A New Tool to Detect Known Malware from Memory Images – impfuzzy for Volatility –
    Hi again, this is Shusei Tomonaga from the Analysis Center. Today I will introduce a tool “impfuzzy for Volatility”, which JPCERT/CC has created for extracting known malware from memory images and utilises for analysis operations. Malware Detection in Memory Forensics To judge if a file type malware sample is a known kind, the easiest and fastest way is to check the hash value (e.g. MD5 or SHA 256) of the...

    Read more

  • Classifying Malware using Import API and Fuzzy Hashing – impfuzzy – Malware
    Classifying Malware using Import API and Fuzzy Hashing – impfuzzy –
    Hello all, this is Shusei Tomonaga again. Generally speaking, malware analysis begins with classifying whether it is known malware or not. In order to make comparison with the enormous number of known malware samples in the database in a speedy manner, hash values are used, derived by performing hash functions to the malware sample. Among the different hash functions, traditional ones such as MD5 and SHA1 derive totally different hash...

    Read more

  • Decoding Obfuscated Strings in Adwind Malware
    Decoding Obfuscated Strings in Adwind
    From the latter half of 2015 to 2016, there have been an increasing number of cyber attacks worldwide using Adwind, a Remote Access Tool [1]. JPCERT/CC also received incident reports about emails with this malware in its attachment. Adwind is malware written in Java language, and it operates in Windows and other OS as well. It has a variety of functions: to download and execute arbitrary files, send infected machine...

    Read more

  • Banking Trojan “Citadel” Returns Malware
    Banking Trojan “Citadel” Returns
    Hello again, this is You ‘Tsuru’ Nakatsuru from Analysis Center. It has been just about two years since I delivered a talk “Fight Against Citadel in Japan” at CODE BLUE 2013 (an international security conference in Tokyo) about the situation on banking trojans observed in Japan at that time and detailed analysis results on Citadel (See my blog entry here). For the presentation material and audio archive, please see Reference...

    Read more

  • Decrypting Strings in Emdivi Malware
    Decrypting Strings in Emdivi
    Hello, this is You ‘Tsuru’ Nakatsuru at Analysis Center. As introduced in the previous blog post, my colleagues presented on the attacks arising in Japan at CODE BLUE 2015, entitled “Revealing the Attack Operations Targeting Japan”. In this entry, I will introduce the details of an IDAPython script “emdivi_string_decryptor.py”, which JPCERT/CC developed to analyse Emdivi, a remote control malware. The script was also introduced in our presentation at CODE BLUE...

    Read more