visualize_logs


A Python library and command line tools to provide log visualization.

Gallery

Viewing these plots requires JavaScript. The plots are interactive: drag a box around the region you want to zoom into, and double-click to zoom back out. Hovering over a node displays additional information about it. The plot controls are in the upper right-hand corner of the plot.
The plot's layout depends on your browser (Chrome, Firefox, etc.) and on the size of the browser window. I typically use Chrome on a Mac with a very large window so that everything I want to see fits on screen.
The smaller your browser window, the more compressed the plot will be. If you resize the window, be sure to click 'Reload' so the plot is redrawn at the new size.

Cuckoo JSON Reports

Kovter Sample 1

SHA256: 15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
This sample was identified in the following blog post.

  • Example 1

    • Kovter showing processes only
    • plotcuckoojson -t "Kovter Example 1" -f kovter1_example1.html -fa -ra -na 1_report.json
  • Example 2

    • Kovter showing processes and network
    • plotcuckoojson -t "Kovter Example 2" -f kovter1_example2.html -fa -ra 1_report.json
  • Example 3

    • Kovter showing processes and files
    • plotcuckoojson -t "Kovter Example 3" -f kovter1_example3.html -na -ra 1_report.json
  • Example 4

    • Kovter showing processes and registry
    • plotcuckoojson -t "Kovter Example 4" -f kovter1_example4.html -fa -na 1_report.json

Kovter Sample 2

SHA256: bffe7ccbcf69e7c787ff10d1dc7dbf6044bffcb13b95d851f4a735917b3a6fdf
This sample was identified in the following blog post.

  • Example 1

    • Kovter showing processes only
    • plotcuckoojson -t "Kovter Example 1" -f kovter2_example1.html -fa -ra -na 2_report.json
  • Example 2

    • Kovter showing processes and network
    • plotcuckoojson -t "Kovter Example 2" -f kovter2_example2.html -fa -ra 2_report.json
  • Example 3

    • Kovter showing processes and files
    • plotcuckoojson -t "Kovter Example 3" -f kovter2_example3.html -na -ra 2_report.json
  • Example 4

    • Kovter showing processes and registry
    • plotcuckoojson -t "Kovter Example 4" -f kovter2_example4.html -fa -na 2_report.json

Ransomware

SHA256: 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

  • Example 1

    • Ransomware showing processes only
    • plotcuckoojson -t "Ransomware Example 1" -f ransomware_example1.html -fa -na -ra 3_report.json
  • Example 2

    • Ransomware showing processes and network
    • plotcuckoojson -t "Ransomware Example 2" -f ransomware_example2.html -fa -ra 3_report.json
  • Example 3

    • Ransomware showing processes and files
    • plotcuckoojson -t "Ransomware Example 3" -f ransomware_example3.html -na -ra 3_report.json
  • Example 4

    • Ransomware showing processes and registry
    • plotcuckoojson -t "Ransomware Example 4" -f ransomware_example4.html -na -fa 3_report.json

wwwlgoogle dot com Adware

SHA256: e64910e3549a6c6e01be814b40e0f1fca02db45d5d19e2882a90914cef1c799e
This sample came from wwwlgoogle dot com.

  • Example 1

    • wwwlgoogle showing processes only
    • plotcuckoojson -t "wwwlgoogle.com Example 1" -f wwwlgoogle_example1.html -fa -na -ra 4_report.json
  • Example 2

    • wwwlgoogle showing processes and network
    • plotcuckoojson -t "wwwlgoogle.com Example 2" -f wwwlgoogle_example2.html -fa -ra 4_report.json
  • Example 3

    • wwwlgoogle showing processes and files
    • plotcuckoojson -t "wwwlgoogle.com Example 3" -f wwwlgoogle_example3.html -na -ra 4_report.json
  • Example 4

    • wwwlgoogle showing processes and registry
    • plotcuckoojson -t "wwwlgoogle.com Example 4" -f wwwlgoogle_example4.html -fa -na 4_report.json

ProcMon CSV Logs

The “focused” views were generated by selecting just the PIDs I wanted
to show with ProcMon before saving the data to a CSV.

Kovter Sample 1

SHA256: 15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
This sample was identified in the following blog post.

  • Example 1

    • Kovter showing processes only (Focused)
    • plotprocmoncsv -sp -t "Kovter Example 1" -f kovter1_example1.html kovter1_focused.csv
    • Notice how this doesn’t show much. This is one example where filtering with ProcMon hurt us. We know more happens with Kovter. Let’s look at all the activity…
  • Example 2

    • Kovter showing processes only (All)
    • plotprocmoncsv -sp -t "Kovter Example 2" -f kovter1_example2.html kovter1.csv
    • Notice how this doesn’t show much. We know more happens with Kovter.
  • Example 3

    • Kovter showing processes and file writes/deletes/renames (All)
    • plotprocmoncsv -sp -pfw -pfd -pfn -t "Kovter Example 3" -f kovter1_example3.html kovter1.csv
  • Example 4

    • Kovter showing processes and Registry writes/deletes (All)
    • plotprocmoncsv -sp -prw -prd -t "Kovter Example 4" -f kovter1_example4.html kovter1.csv
  • Example 5

    • Kovter showing processes and network (All)
    • plotprocmoncsv -sp -pu -pt -t "Kovter Example 5" -f kovter1_example5.html kovter1.csv

Kovter Sample 2

SHA256: bffe7ccbcf69e7c787ff10d1dc7dbf6044bffcb13b95d851f4a735917b3a6fdf
This sample was identified in the following blog post.

  • Example 1

    • Kovter showing processes only (Focused)
    • plotprocmoncsv -sp -t "Kovter Example 1" -f kovter2_example1.html kovter2_focused.csv
    • Notice how this doesn’t show much. This is one example where filtering with ProcMon hurt us. We know more happens with Kovter. Let’s look at all the activity…
  • Example 2

    • Kovter showing processes only (All)
    • plotprocmoncsv -sp -t "Kovter Example 2" -f kovter2_example2.html kovter2.csv
    • Notice how this doesn’t show much. We know more happens with Kovter.
  • Example 3

    • Kovter showing processes and file writes/deletes/renames (All)
    • plotprocmoncsv -sp -pfw -pfd -pfr -t "Kovter Example 3" -f kovter2_example3.html kovter2.csv
  • Example 4

    • Kovter showing processes and Registry writes/deletes (All)
    • plotprocmoncsv -sp -prw -prd -t "Kovter Example 4" -f kovter2_example4.html kovter2.csv
  • Example 5

    • Kovter showing processes and network (All)
    • plotprocmoncsv -sp -pu -pt -t "Kovter Example 5" -f kovter2_example5.html kovter2.csv

Ransomware

SHA256: 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

  • Example 1

    • Ransomware showing processes only (Focused)
    • plotprocmoncsv -sp -t "Ransomware Example 1" -f ransomware_example1.html Ransomware_focused.csv
  • Example 2

    • Ransomware showing processes only (All)
    • plotprocmoncsv -sp -t "Ransomware Example 2" -f ransomware_example2.html Ransomware_focused.csv
  • Example 3

    • Ransomware showing processes and network only (All)
    • plotprocmoncsv -sp -pt -pu -t "Ransomware Example 3" -f ransomware_example3.html Ransomware_focused.csv
  • Example 4

    • Ransomware showing file writes/renames/deletes (Focused)
    • plotprocmoncsv -t "Ransomware Example 4" -pfw -pfd -pfn -sp -f ransomware_example4.html Ransomware_focused.csv
    • Notice it is very clear that this is ransomware based upon all the file writes!
  • Example 5

    • Ransomware showing file writes/renames/deletes (All)
    • plotprocmoncsv -t "Ransomware Example 5" -pfw -pfd -pfn -sp -f ransomware_example5.html Ransomware.csv
    • Notice it is very clear that this is ransomware based upon all the file writes!
  • Example 6

    • Ransomware showing Registry writes and deletes (Focused)
    • plotprocmoncsv -t "Ransomware Example 6" -prw -prd -sp -f ../gallery/procmoncsv/ransomware_example6.html /Source/Procmon CSV/Ransomware_focused.csv

wwwlgoogle dot com Adware

SHA256: e64910e3549a6c6e01be814b40e0f1fca02db45d5d19e2882a90914cef1c799e
This sample came from wwwlgoogle dot com.

  • Example 1

    • wwwlgoogle showing processes only (Focused)
    • plotprocmoncsv -sp -t "wwwlgoogle.com Example 1" -f wwwlgoogle_example1.html wwwlgoogle_focused.csv
  • Example 2

    • wwwlgoogle showing processes only (All)
    • plotprocmoncsv -sp -t "wwwlgoogle.com Example 2" -f wwwlgoogle_example2.html wwwlgoogle.csv
  • Example 3

    • wwwlgoogle showing processes and network…