https://github.com/jpcertcc/aa-tools

Artifact analysis tools by JPCERT/CC Analysis Center
https://github.com/jpcertcc/aa-tools

malware python security

Last synced: 7 months ago
JSON representation

Artifact analysis tools by JPCERT/CC Analysis Center

• Host: GitHub
• URL: https://github.com/jpcertcc/aa-tools
• Owner: JPCERTCC
• License: other
• Created: 2015-10-28T03:52:32.000Z (about 10 years ago)
• Default Branch: master
• Last Pushed: 2024-07-09T03:56:17.000Z (over 1 year ago)
• Last Synced: 2025-03-28T12:08:44.367Z (8 months ago)
• Topics: malware, python, security
• Language: Python
• Size: 4.08 MB
• Stars: 458
• Watchers: 54
• Forks: 90
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

• awesome-reverse-engineering - **277**星

README

          
# aa-tools

Artifact analysis tools by JPCERT/CC Analysis Center

## Deob_NOOPLDR.py

  IDA plugin Tool to deobfuscate CFF used by NOOPLDR malware

  Article/Blog entry:   

  https://blogs.jpcert.or.jp/ja/2024/07/mirrorface.html (Japanese)   

## GobRAT-Analysis

  C2 Commands Emulation tools in go language that supports analysis of GobRAT malware

  Article/Blog entry:   

  https://blogs.jpcert.or.jp/ja/2023/05/gobrat.html (Japanese)   

  https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (English)

## apt17scan.py

  Volatility plugin for detecting APT17 related malware and extracting its config

  Article/Blog entry:   

  http://www.jpcert.or.jp/magazine/acreport-aptscan.html (Japanese)   

  http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html (English)

## emdivi_postdata_decoder.py

  Python script for decoding Emdivi's post data

  Article/Blog entry:   

  http://www.jpcert.or.jp/magazine/acreport-emdivi.html (Japanese)   

  http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html (English)

## emdivi_string_decryptor.py

  IDAPython script for decrypting strings inside Emdivi

  Article/Blog entry:   

  http://www.jpcert.or.jp/magazine/acreport-emdivi.html (Japanese)   

  http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html (English)

## Citadel Decryptor

  Data decryption tool for Citadel

  Article/Blog entry:   

  http://www.jpcert.or.jp/magazine/acreport-citadel.html (Japanese)   

  http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html (English)

## adwind_string_decoder.py

  Python script for decoding strings inside Adwind

  Article/Blog entry:   

  https://www.jpcert.or.jp/magazine/acreport-adwind.html (Japanese)   

  http://blog.jpcert.or.jp/2016/05/decoding-obfuscated-strings-in-adwind.html (English)

## redleavesscan.py

  Volatility plugin for detecting RedLeaves and extracting its config

  Article/Blog entry:   

  https://www.jpcert.or.jp/magazine/acreport-redleaves2.html (Japanese)   

  http://blog.jpcert.or.jp/2017/05/volatility-plugin-for-detecting-redleaves-malware.html (English)

## datper-splunk.py

  Python script for detects Datper communication and adds result field to Splunk index

  Article/Blog entry:   

  https://www.jpcert.or.jp/magazine/acreport-search-datper.html (Japanese)   

  http://blog.jpcert.or.jp/2017/09/chase-up-datper-bba7.html (English)   

## datper-elk.py

  Python script for detects Datper communication and adds result field to Elasticsearch index

  Article/Blog entry:   

  https://www.jpcert.or.jp/magazine/acreport-search-datper.html (Japanese)   

  http://blog.jpcert.or.jp/2017/09/chase-up-datper-bba7.html (English)   

## tscookie_decode.py

  Python script for decrypting and parsing TSCookie configure data

  Article/Blog entry:   

  https://www.jpcert.or.jp/magazine/acreport-tscookie.html (Japanese)   

  http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html (English)   

## wellmess_cookie_decode.py

  Python script for decoding WellMess's cookie data (support Python2)  

  Article/Blog entry:   

  https://blogs.jpcert.or.jp/ja/2018/06/wellmess.html (Japanese)   

  https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html (English)   

## cobaltstrikescan.py

  Volatility plugin for detecting Cobalt Strike Beacon and extracting its config

  Article/Blog entry:   

  https://www.jpcert.or.jp/magazine/acreport-cobaltstrike.html (Japanese)   

  https://blog.jpcert.or.jp/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html (English)

## tscookie_data_decode.py

  Python script for decrypting and parsing TSCookie configure data

  Article/Blog entry:   

  https://blogs.jpcert.or.jp/ja/2019/09/tscookie_loader.html (Japanese)   

  https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html (English)