Java IDX Sample Files from Java Spearphishing Attack from SANS FOR508

Earlier this year, SANS created the most in-depth incident response training scenario that spans multiple systems in FOR508: Advanced Forensic Analysis and Incident Response. We discussed the entire scenario in a blog post titled “Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results”.

One of the biggest complaints in the DFIR community is the lack of realistic data to learn from. Starting a year ago, I planned to change that by creating a realistic scenario based on the experiences of the entire cadre of SANS instructors and of additional experts who reviewed and advised on the attack “script”. We created an incredibly rich and realistic attack scenario across multiple Windows-based systems in an enterprise environment. The attack scenario was created for the new FOR508: Advanced Forensics and Incident Response course. Our main goal was to place the student in the middle of a real attack that they have to respond to.

The purpose is to give attendees of the new FOR508 real filesystem and memory images that they examine in class to detect, identify, and forensicate APT-based activity across these systems. The goal was to create attack data for our SANS courses so that students have “real world” evidence to analyze and a direct feel for what it is like to investigate advanced adversaries.

As part of that exercise, the main spearphishing attack was delivered through a malicious Java applet. It can be clearly seen in the super timeline created as part of the course. We find the exact pivot point in the timeline using memory analysis with both Redline from MANDIANT and Volatility in the SIFT Workstation.

Over the past few weeks, several tools have been released to parse the Java cache IDX files, which record the download of the Java-based malware and can be seen as part of this attack.

IDX Format Links:

  1. ForensicsWiki Java by Joachim Metz (thanks to Corey Harrell for pointing this out)
  2. Java IDX Format by Mark Woan

IDX Parsing Tools:

  1. JavaIDX (exe) by Mark Woan
  2. IDXparse (perl) by Harlan Carvey
  3. IDX Parser (python) by Brian Baskin
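As an added example (not code from this post or from any of the tools listed above), the following Python reads the parts of a Java cache IDX record that matter for a timeline: the section-1 flags, sizes and timestamps, then the section-2 JRE version, URL, namespace and saved HTTP response headers. It assumes the documented section-1 layout of cache version 605 from the format links above; the sample record it parses is constructed in the script, and its URL, headers and timestamps are made up rather than taken from the FOR508 evidence.

```python
import struct
from datetime import datetime, timezone
# Offsets follow the documented section-1 layout of cache version 605; only the
# fields an analyst needs for a timeline (flags, sizes, times, URL, headers) are read.
def _utf(data, pos):
    # Java writeUTF(): 2-byte big-endian length, then (modified) UTF-8 bytes.
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def _ts(ms):
    # Java times are milliseconds since the Unix epoch; 0 means "not set".
    return datetime.fromtimestamp(ms / 1000, timezone.utc) if ms else None

def parse_idx(data):
    if len(data) < 128:
        raise ValueError("shorter than the 128-byte section-1 header")
    busy, incomplete, version = struct.unpack(">BBi", data[:6])
    if version != 605:
        raise ValueError("only cache version 605 is handled here, got %d" % version)
    _shortcut, content_len, last_mod, expire, validated = struct.unpack(">BiQQQ", data[6:35])
    (sec2_len,) = struct.unpack(">i", data[36:40])
    rec = {"busy": bool(busy), "incomplete": bool(incomplete), "version": version,
           "content_length": content_len, "last_modified": _ts(last_mod),
           "expires": _ts(expire), "validated": _ts(validated), "headers": {}}
    if sec2_len > 0:  # section 2 begins right after the fixed 128-byte header
        pos = 128
        rec["jre_version"], pos = _utf(data, pos)
        rec["url"], pos = _utf(data, pos)
        rec["namespace"], pos = _utf(data, pos)
        (count,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        for _ in range(count):  # saved HTTP response headers as key/value pairs
            key, pos = _utf(data, pos)
            rec["headers"][key], pos = _utf(data, pos)
    return rec

def _j(s):  # writeUTF() encoding used when building the constructed sample
    return struct.pack(">H", len(s.encode("utf-8"))) + s.encode("utf-8")

def build_sample_idx(url, headers, last_mod_ms, content_len=4096):
    # Constructed 605 record for offline testing; not an artifact from the FOR508 image.
    sec2 = _j("1.6.0_33") + _j(url) + _j("") + struct.pack(">i", len(headers))
    sec2 += b"".join(_j(k) + _j(v) for k, v in headers.items())
    hdr = struct.pack(">BBiBiQQQB", 0, 0, 605, 0, content_len, last_mod_ms, 0, last_mod_ms + 60000, 0)
    hdr += struct.pack(">iiii", len(sec2), 0, 0, 0)
    return hdr.ljust(128, b"\x00") + sec2

SAMPLE_URL = "http://example.invalid/applet/loader.jar"  # made-up URL, not from the attack
SAMPLE_HEADERS = {"content-type": "application/x-java-archive", "server": "Apache"}
SAMPLE_IDX = build_sample_idx(SAMPLE_URL, SAMPLE_HEADERS, 1338595200000)  # 2012-06-02 UTC
```

Run `parse_idx(open(path, "rb").read())` on a real `.idx` from a user's Java cache directory to pull the download URL and server-supplied last-modified time into a timeline; the validated time is when the JRE last checked the cached file.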

If you would like to work with some .idx file residue from the attack supertimeline shown above, you can download the AD1 file we created. It contains the embedded .exe malware and the two .idx files that were connected to the original attack. The password for the file is “sansforensics”; if you don’t know how to open an AD1 Custom Content image file, download FTK Imager and open it there.

Java IDX Sample Files:

  1. Download IDX and /temp directory .exe malware.

Note:  By downloading the zipfile, you consent automatically to the following agreement:  I certify that by having access to tools and programs that can be used to break or “hack” into systems, that I will only use them in an ethical, professional and legal manner. This means that I will only use them to test the current strength of security network so that proper improvements can be made. I will always get permission before running any of these tools on a network. If for some reason I do not use these tools in a proper manner, I do not hold SANS liable and accept full responsibility for my actions.

Published by

Rob Lee

Rob Lee is an entrepreneur and consultant in the Washington DC area, specializing in information security, incident response, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information warfare. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for four years prior to starting his own business. Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. He was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast Awards. Rob is also an ardent blogger about computer forensics and incident response topics at the SANS Computer Forensic Blog. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.

One thought on “Java IDX Sample Files from Java Spearphishing Attack from SANS FOR508”

  1. The FOR508 is indeed a comprehensive incident training response scenario and it can greatly help students to learn about Java Spearphishing attacks. Thanks a lot for sharing Rob.