1. Overview Prefetch is artifact that exists in Windows. This artifact records program execution files read by that program in 10 seconds. Prefetch is one of the most well-known artifacts, but its recording mechanism is very complex as follows. (This is an simplified version, not the whole thing.) I reversed the kernel to look for something interesting in the data related to prefetch. However, I could not find any incident response usable data. Now that I understand the mechanisms involved in prefetch, I leave this blog as a note. ・Same executable but different prefetch conditions ・High probability bypass prefetch 2. Same executable but different prefetch conditions Generally, prefetch is created for each executable file path. This is handled internally as the following NT kernel path. If the hashes of this path are the same, they are written to the same prefetch. \Device\HarddiskVolume2\Windows\System32\cmd.exe However, there are a few exceptions. You will see a l
1. Overview On March 17, Waseda University announced that its sports newspaper club's website(https://wasedasports[.]com/) had been infected with malware. At the time of my research the final payload was common malware called BitRAT, but there are several interesting points in its infection chain. A portion of the infection chain is shown below. The compromised site finally trigger download of the zip file. There is nothing interesting about the infection chain after this. You can refer to the IoC section for more information on infecting malware if necessary. Now, what is interesting? In my opinion, the interesting points of this attack are as follows. ・Using Domen social engineering toolkit: This toolkit was used around 2019-2020, but not recently. ・Mysteriously structured zip file: The file name in this zip file is depending on the archiver used for decompression. 2. Domen social engineering toolkit Domen is social engineering toolkit and was used for fake update