{"id":13746317,"url":"https://github.com/jpcertcc/aa-tools","last_synced_at":"2025-04-04T13:13:31.537Z","repository":{"id":49358306,"uuid":"45087520","full_name":"JPCERTCC/aa-tools","owner":"JPCERTCC","description":"Artifact analysis tools by JPCERT/CC Analysis Center","archived":false,"fork":false,"pushed_at":"2024-07-09T03:56:17.000Z","size":4283,"stargazers_count":458,"open_issues_count":2,"forks_count":90,"subscribers_count":54,"default_branch":"master","last_synced_at":"2025-03-28T12:08:44.367Z","etag":null,"topics":["malware","python","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JPCERTCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-10-28T03:52:32.000Z","updated_at":"2025-02-06T09:13:31.000Z","dependencies_parsed_at":"2022-08-30T04:51:18.612Z","dependency_job_id":"13bd3673-0bee-442f-81da-c1e592075408","html_url":"https://github.com/JPCERTCC/aa-tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Faa-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Faa-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Faa-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Faa-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JPCERTCC","download_url":"https://codeload.github.com/JPCERTCC/aa-tools/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247182420,"owners_count":20897381,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","python","security"],"created_at":"2024-08-03T06:00:51.607Z","updated_at":"2025-04-04T13:13:31.512Z","avatar_url":"https://github.com/JPCERTCC.png","language":"Python","readme":"# aa-tools\nArtifact analysis tools by JPCERT/CC Analysis Center\n\n## Deob_NOOPLDR.py\n  IDA plugin to deobfuscate CFF used by NOOPLDR malware\n\n  Article/Blog entry:   \n  https://blogs.jpcert.or.jp/ja/2024/07/mirrorface.html (Japanese)   \n\n## GobRAT-Analysis\n  C2 command emulation tools written in Go that support analysis of GobRAT malware\n\n  Article/Blog entry:   \n  https://blogs.jpcert.or.jp/ja/2023/05/gobrat.html (Japanese)   \n  https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (English)\n\n\n## apt17scan.py\n  Volatility plugin for detecting APT17-related malware and extracting its config\n\n  Article/Blog entry:   \n  http://www.jpcert.or.jp/magazine/acreport-aptscan.html (Japanese)   \n  http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html (English)\n\n\n## emdivi_postdata_decoder.py\n  Python script for decoding Emdivi's post data\n\n  Article/Blog entry:   \n  http://www.jpcert.or.jp/magazine/acreport-emdivi.html (Japanese)   \n  http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html (English)\n\n## emdivi_string_decryptor.py\n  IDAPython script for decrypting strings inside Emdivi\n\n  Article/Blog entry:   \n  http://www.jpcert.or.jp/magazine/acreport-emdivi.html (Japanese)   \n  http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html (English)\n\n## Citadel Decryptor\n  Data decryption tool for Citadel\n\n  Article/Blog entry:   \n  http://www.jpcert.or.jp/magazine/acreport-citadel.html (Japanese)   \n  http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html (English)\n\n## adwind_string_decoder.py\n  Python script for decoding strings inside Adwind\n\n  Article/Blog entry:   \n  https://www.jpcert.or.jp/magazine/acreport-adwind.html (Japanese)   \n  http://blog.jpcert.or.jp/2016/05/decoding-obfuscated-strings-in-adwind.html (English)\n\n## redleavesscan.py\n  Volatility plugin for detecting RedLeaves and extracting its config\n\n  Article/Blog entry:   \n  https://www.jpcert.or.jp/magazine/acreport-redleaves2.html (Japanese)   \n  http://blog.jpcert.or.jp/2017/05/volatility-plugin-for-detecting-redleaves-malware.html (English)\n\n## datper-splunk.py\n  Python script that detects Datper communication and adds a result field to the Splunk index\n\n  Article/Blog entry:   \n  https://www.jpcert.or.jp/magazine/acreport-search-datper.html (Japanese)   \n  http://blog.jpcert.or.jp/2017/09/chase-up-datper-bba7.html (English)   \n\n## datper-elk.py\n  Python script that detects Datper communication and adds a result field to the Elasticsearch index\n\n  Article/Blog entry:   \n  https://www.jpcert.or.jp/magazine/acreport-search-datper.html (Japanese)   \n  http://blog.jpcert.or.jp/2017/09/chase-up-datper-bba7.html (English)   \n\n## tscookie_decode.py\n  Python script for decrypting and parsing TSCookie configuration data\n\n  Article/Blog entry:   \n  https://www.jpcert.or.jp/magazine/acreport-tscookie.html (Japanese)   \n  http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html (English)   \n\n## wellmess_cookie_decode.py\n  Python script for decoding WellMess's cookie data (supports Python 2)  \n\n  Article/Blog entry:   \n  https://blogs.jpcert.or.jp/ja/2018/06/wellmess.html (Japanese)   \n  https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html (English)   \n\n## cobaltstrikescan.py\n  Volatility plugin for detecting Cobalt Strike Beacon and extracting its config\n\n  Article/Blog entry:   \n  https://www.jpcert.or.jp/magazine/acreport-cobaltstrike.html (Japanese)   \n  https://blog.jpcert.or.jp/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html (English)\n\n## tscookie_data_decode.py\n  Python script for decrypting and parsing TSCookie configuration data\n\n  Article/Blog entry:   \n  https://blogs.jpcert.or.jp/ja/2019/09/tscookie_loader.html (Japanese)   \n  https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html (English)\n","funding_links":[],"categories":["\u003ca id=\"f11ab1ff46aa300cc3e86528b8a98ad7\"\u003e\u003c/a\u003e插件\u0026\u0026脚本","\u003ca id=\"c39a6d8598dde6abfeef43faf931beb5\"\u003e\u003c/a\u003e未分类"],"sub_categories":["\u003ca id=\"c39a6d8598dde6abfeef43faf931beb5\"\u003e\u003c/a\u003e未分类"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Faa-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpcertcc%2Faa-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Faa-tools/lists"}