
International Journal of Network Security, Vol.20, No.5, PP.836-843, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).04) 836

Detection and Analysis Cerber Ransomware Based on Network Forensics Behavior

Ade Kurniawan1 and Imam Riadi2
(Corresponding author: Ade Kurniawan)

Department of Informatics Engineering, Universal University1
Kompleks Maha Vihara Duta Maitreya, Sungai Panas, Batam 29456, Kepulauan Riau, Indonesia
(Email: [email protected])
Department of Information System, Ahmad Dahlan University2
(Received Apr. 3, 2017; revised and accepted July 2, 2017)

Abstract

Kaspersky and other information security firms named 2016 the year of Ransomware. The attacks have caused financial damage to businesses and individuals; the FBI estimates that losses incurred in 2016 will top US$ 3 billion. Meanwhile, cyber criminals who use malware such as Trojans, Spyware, and Keyloggers must expend long and tremendous effort to transfer their proceeds into their bank accounts, whereas Ransomware makes the process automatic and easy through the business model of Ransomware as a Service (RaaS). Ransomware is therefore made more sophisticated and more effective in order to avoid detection and analysis. In this paper, we present a new insight into detection by analyzing Cerber Ransomware using a Network-Forensic-Behavioral-Based approach. This paper aims to reconstruct the timestamp of the attack, to identify the infected host and the malware, the compromised websites involved in the chain of infection, the campaign scripts, and the exploit kit and Ransomware payload.

Keywords: Cerber; Detection; Malware; Network Forensic; Ransomware

1 Introduction

In 2016 a hospital in Los Angeles suffered a "network infiltration" in which the network and computers were disabled by Ransomware; the cyber criminals demanded a ransom of $17,000 to restore the network and the computers holding important and confidential patient information [15]. Ransomware is a type of Malware that restricts access to information by encrypting files and folders with a key that is impossible to recover, after which the cybercriminal asks for a ransom to unlock access to the files and folders [14, 15, 31].

Ransomware is becoming popular among cyber criminals as an easy way to make money [22]. Ransomware causes damage and anxiety to businesses, marked by an increase in the number of Ransomware attacks of 100-300 percent on average in 2016 [17, 25, 33], with the reported number of incidents increasing by up to 4000 percent [16]. In 2016, and by estimate in 2017, three Ransomware families ruled the world of Ransomware: TeslaCrypt, Locky, and CERBER [11, 25]. Malware authors now create Ransomware that is more sophisticated, more effective, and uses anti-forensic techniques to avoid detection and analysis of each crime committed [3, 26, 32].

Ransomware detection methods are generally divided into three approaches: static feature-based, host-based, and behavior-based Network Behavior Analysis [8, 19, 27]. Static feature-based detection is widely used by antivirus software and is easily avoided by attackers, for example by packing or structurally changing their malware code [4]. Host-behavior-based methods, or dynamic analysis, in which malware artifacts are executed in a VM (virtual machine) environment, also have limitations: current Malware can detect a VM environment or host computer [9, 29], and these methods are less capable of detecting new malware samples and tend to produce false warnings or misclassifications [19].

Cerber ransomware can infect via several different methods, with an impact that is more damaging and more expensive. The general scheme of distribution, spread, and infection of ransomware is network-based, such as downloading a file, e-mail phishing, drive-by download, or a compromised website, among others [26, 31]. Therefore, in this paper we offer an approach to the detection and analysis of Cerber Ransomware with the Network Forensics Behavior Based method, because this approach has the ability to identify abnormal traffic patterns during the operation of the network [18, 30].

Using the Network Forensic Behavior Based approach, we could reconstruct the events from the beginning of the spread, starting with the first infection of CERBER Ransomware on the host computer named STIWIE PC, and find the Trojan Godzilla, the pseudoDarkleech script as the Campaign that redirects the victim's network traffic to the server

of the exploit kit (EK), and the Ransomware payload used by the cyber criminals.

This paper is structured as follows. In Section 2 we describe Ransomware, Cerber, and Network Forensics. In Section 3 we describe the Methodology and the hardware and software used to analyze Cerber Ransomware with the Network Forensics Behavior Based method. Section 4 presents the results of the analysis and the findings of this paper. Section 5 contains the Conclusion and Future Work.

2 Basic Theory

2.1 Ransomware

Ransomware is a type of malware that restricts access to the important information of an individual or company by encrypting files, and asks for a ransom payment in exchange for the decryption key that restores the encrypted files [7, 26]. The embryo of ransomware, called PC Cyborg, was started in 1989 by Dr. Joseph Popp [20]. After infection, PC Cyborg hides all the file folders and encrypts files on the C: drive; a script message asked for a ransom of $189 directed to the PC Cyborg Corporation [26]. The first Ransomware attack to use public key cryptography, combining viruses and Trojan horses, was called a cryptovirus, and such attacks were called "cryptovirological attacks" [35]. The five phases of ransomware [26] are shown in Figure 1.

Figure 1: Five phases of ransomware

The five phases mentioned above are explained as follows:

Exploitation and infection: the Ransomware file needs to be executed on a computer. The spreading process and infection are often carried out through phishing emails or by exploiting security holes in software applications, for example Adobe Flash and Internet Explorer.

Delivery and execution: after the Exploitation and infection processes, the Ransomware executable is sent to the victim's system. The mechanism of this process can take several seconds, depending on network latency. Ransomware executables are most often deployed over the network through strong encryption and placed in the %APPDATA% or %TEMP% folder in the user profile.

Back-up spoliation: shortly after the Delivery and execution processes, Ransomware searches for file and folder backups and deletes them all, to prevent the victim from restoring the files and folders that have been encrypted. On a Windows system the vssadmin tool deletes the volume shadow copies of the system; Ransomware such as CryptoLocker and Locky runs this command to remove all shadow copies of the system.

File encryption: once the files, folders, and shadow copy backups have been completely removed, the malware performs a secure key exchange with the command and control (C2) server and builds an encryption key that will only be used on the local system. Ransomware identifies each local system uniquely to distinguish the strong encryption keys among them, using the AES 256 algorithm. The encryption process can take anywhere from several minutes to hours, depending on network latency, the number and size of documents, and the number of connected devices.

User notification and clean-up: in this phase extortion requests and payment instructions are presented to the victim. The extortion requests and instructions are saved to the hard drive, sometimes as an instruction file in the same folder as the encrypted files; an example is CryptoWall version 3 with the file name HELP DECRYPT.

2.2 Cerber Ransomware

Cerber is a kind of sophisticated malware with a Ransomware as a Service business model. Cerber Ransomware emerged about 4 March 2016 in Russia, and it is usually spread through botnets, spam emails, and drive-by downloads [28]. When it infects a machine, the victim's data files are encrypted using the AES encryption algorithm, and the victim is notified that a ransom must be paid, ordinarily in a digital currency such as Bitcoin, to get access to their files back [5].

Cerber identifies each victim by country by checking the IP Geolocation of the victim's country of origin; if the computer is in one of the following countries (Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan), it terminates itself and does not encrypt the computer [24].

After being executed, CERBER installs itself in the folder %AppData%\{2ED2A2FE-872C-D4A0-17ACE301404F1CBA}. It configures Windows to boot automatically into Safe Mode with Networking at the next reboot, starts Cerber automatically when the user logs into Windows, runs as the screensaver when the system is idle, executes itself every minute, and displays false system alerts until the computer is restarted [2]. To make sure the victim will beg for the ransom, Cerber leaves three notes (# decrypt MY FILES # .html, # decrypt MY FILES

# .txt, and # decrypt MY FILES # .vbs) in each folder that has been encrypted.

2.3 Network Forensic

Network Forensics is a branch of Digital Forensics that uses proven scientific techniques to collect, use, identify, examine, link, analyze, and document digital evidence from several sources of digital and electronic evidence [1, 21, 23]. Network Forensics is very reliable for capturing the network traffic to and from one or multiple hosts, which can later reveal the channels, methods, and spread of malicious code [12, 23].

Obstacles often faced by Network Forensic investigators are that evidence gathering and acceptance are often vague or poorly understood, or that evidence is lacking. When performing network forensics, investigators often work with a live (online) system that cannot be taken offline. This may include routers, switches, servers, and other types of network devices [30].

Forensic evidence gathering for networks is similar to collection in a digital forensic investigation [10], but network-based digital evidence is often highly volatile and should be collected through active means inherent to the evidence gathering system [6, 30].

3 Methodology

The preparation stage starts with the setup of the hardware and software used in this study. The hardware used is a notebook with an Intel(R) Core(TM) i7-6500U CPU @ 2.30GHz, 8GB RAM, a 250GB SSD, and an Intel 530 graphics card. The software used is Wireshark Version 2.2.5, and the dataset is from http://www.malware-traffic-analysis.net/.

In general, there are three methods for detecting malware: static feature, host behavior, and network-based behavior [7, 30, 32]. The detection method used in this study of Cerber Ransomware is network-based behavior. Network behavior analysis identifies traffic patterns that do not occur during normal operation of the network by means of Packet Inspection (checking headers, protocols, viruses, and spam) and Signature Detection, which monitors the content of packets on the network and compares it against previously configured attack patterns [23].

In the Network Forensics Investigation we use the OSCAR Methodology (Obtain Information, Strategies, Collect Evidence, Analyze, and Report) [30]. An illustration of the Methodology is shown in Figure 2.

Figure 2: OSCAR methodology

3.1 Obtain Information

Two important things need to be done by the network forensic Investigator at the beginning of the investigation: obtain information about the incident itself, and get information about the environment. Important points to note regarding the incident are a description of what happened; the timestamp (date, time, and method of discovery of the incident); the people involved; the systems and data involved; the Incident manager and processes; legal issues; the time available for investigation/recovery/resolution; and the Goals. Social and political dynamics could change during the incident, so investigators need to spend some time understanding and responding to specific events. The following things should be noted about the environment: Business models, Legal issues, network topology, available network sources of evidence, Organizational structure, the Incident Response Management Process, and the Resources available (staff, equipment, funding, and time).

3.2 Strategies

The Network Forensics Investigator must work efficiently [18], because network forensics deals with potential sources of very important evidence, some of which are also very volatile. Strategic points to consider in network forensics are: understanding the purpose and period of the investigation, listing the resources (personnel, time, and equipment), identifying possible sources of evidence, estimating the value and cost of obtaining the evidence, prioritizing the list of acquisitions, and planning the initial acquisition/analysis.

3.3 Collect Evidence

Three essential components must be carried out every time the Network Forensic Investigator obtains evidence: Document, Capture, and Store/Transport. Make sure the documentation keeps a log of all the systems accessed and all actions taken during the collection of evidence, as well as noting the date, time, sources, methods of acquisition, the name of the investigator, and the chain of custody [23, 30].

3.4 Analysis

The important elements to consider in the Analyze phase are:

• Correlation: an advantage of network forensics is that it involves multiple sources of evidence, such as timestamps and other sources, which can be correlated to become sources of new evidence.

• Timeline: once evidence from a number of data sources has been collected and correlated, we build a timeline of activities that recounts who is doing what, when, and how, as the basis of the case.

• Events of Interest: certain events will stand out as potentially more relevant than other events. The Network

forensics investigator must isolate the events of interest and investigate them to understand how they happened.

• Interpretation: the necessary expertise to identify potential sources of additional evidence and build a theory of possible events. It is most important that you separate your interpretation of the evidence from the facts. Your interpretation of the evidence is always a hypothesis, which can be proved or disproved.

3.5 Report

Reporting is the most important aspect of the investigation; any Network Forensic report must pay attention to the following points:

• Understandable by a non-technical layman: Legal Team, Manager, Human Resources Personnel;

• Delivered detailed and structured;

• Factual.

In short, it should be able to explain the results of an investigation in reasonable terms to non-technical people, while retaining scientific principles.

4 Result

Our research focuses on the detection and analysis side. The Obtain Information phase of this study concerns a suspected infection and spread of Ransomware in a corporate environment via the Network. In the Strategies phase, the company had, before being infected with malware, installed packet capture tools to capture all traffic, so that if an illegal act occurs, whether an attack from the inside or from the outside, the capture can later become digital evidence to support forensic measures if there is a violation of the law. The dataset for the research uses sample data from http://malware-traffic-analysis.net/index.html in packet capture (PCAP) file format, with the filename 2017-01-28 traffic-analysis.pcap and a file size of 3,173 KB.

4.1 Analysis

Timestamps play a very important role in digital forensics because they contain information about when, or at what time, a condition occurred [1]. In the detection and forensic analysis using Wireshark with the filter http.request, the first thing to do is to determine when the host computer was first infected. Figure 3 shows that the first infection of the computer occurred at 2017-01-27 22:53:54 UTC, or January 28, 2017 05:53:54 SE Asia Standard Time.

Figure 3: Date and time of the infection

After learning the date and time of the infection, the next phase is to detect and analyze the IP address and hostname of the infected computer. IP, MAC address, hostname, and NetBIOS detection are performed using the filter nbns. NetBIOS is an application which allows a computer to communicate with other computers on the Local Area Network (LAN). The analysis of the IP and MAC address of the first infected victim is shown in Figure 4: the IP address of the infected victim host is 172.16.4.193, with MAC address 5c:26:0a:02:a8:e4, a network card from the hardware vendor Dell, and the hostname Stewie PC.

Figure 4: NBNS traffic analysis in wireshark

Now that the IP, MAC address, and hostname are known, the next phase is to determine the malware that infected the host named Stewie PC. After deep analysis of several packets, traffic to a .top domain is shown in Figure 5; malware authors usually use .top domains in conducting criminal activities. The list of domains [13] generally used is: lclebb6kvohlkcml.onion[.]link, lclebb6kvohlkcml.onion[.]nu, bmacyzmea723xyaz.onion[.]link, bmacyzmea723xyaz.onion[.]nu, nejdtkok7oz5kjoc.onion[.]link, and nejdtkok7oz5kjoc.onion[.]nu.

Figure 5: Information gathering

From the analysis results we found the domain

used by the cyber criminals, with the aid of the Google search engine and the keyword p27dokhpz2n7nvgr.1jw2lx.top. The Google.com search results shown in Figure 6 reveal that the malware which infected the Stewie PC is CERBER Ransomware.

Figure 6: Result p27dokhpz2n7nvgr.1jw2lx.top

In Figure 7, we show the result for the PCAP uploaded to https://www.virustotal.com: the Suricata alerts show that the actor/cybercriminal behind Cerber used the RIG EK (Exploit Kit).

Figure 7: RIG exploit kit landing

In another scenario, when the pcap file is run through Snort as shown in Figure 8, the RIG exploit kit landing page is detected. An Exploit Kit (EK) is a server-based framework for exploitation that takes advantage of vulnerabilities in a software application, usually associated with the web browser, and infects the victim without the victim realizing they have been infected. RIG EK is a gateway for the delivery and distribution of malware whose function is to direct the victim into executing a malware payload.

Figure 8: Snort result

Figure 9 shows the result of the filter http.request and ip.addr eq 194.87.234.129, which shows the IP address associated with Rig EK. In general, the spread of Ransomware uses two methods: first through malicious spam (mail spam), and second through an Exploit Kit. Malicious spam (mail spam) is a way of spreading and distributing malware directly to ransomware victims through a link that leads to the malware; it requires the active participation of the victim, who must click a link or an attachment that has been injected with malware. The second method is to use an Exploit Kit. An Exploit Kit (EK) is designed to work behind the scenes and is used by cyber criminals to automate the exploitation of security holes in the victim's machine while the victim is actively browsing [34]. An EK does not require active actions such as the victim clicking on a link or attachment.

Figure 9: HTTP requests to the rig exploit kit internet protocol address

By filtering the HTTP requests to all RIG EK IP addresses in Wireshark, this phase detects and analyzes RIG EK and the website domain that mediated the spread and infection of the host computer, by following the TCP stream of the packet as shown in Figure 10. The result of following the TCP stream shows that the host computer visited the address www.homeimprovement.com. From the analysis it is known that the victim accessed bing.com and performed a search with the keywords "remodeling your kitchen cabinets", seen in the address Referrer: http://www.bing.com/search?q=home+improvement+remodeling+your+kitchen&qs=n&sp=-1&PQ=homeimprovement+++yourremodeling

Figure 10: Follow HTTP stream to find referrer

From the analysis results, www.homeimprovement.com was a compromised website used in spreading RIG EK. RIG EK is a sophisticated delivery method; the system for distributing malware via an EK involves many other components in the chain of events of a malware infection. Basically, RIG EK uses various tricks to direct users' traffic to the EK server before sending the malware. Actors use campaigns to guide

the victim's traffic to the EK server. Actors and campaigns are two different terms: an actor may use one or several campaigns to distribute malware, and one actor may use the same campaign to distribute various types of malware. The next stage was to determine the campaign script used to deliver Cerber, by exporting the objects in the packet capture as shown in Figure 11.

Figure 11: Export object list and pseudoDarkleech script

PseudoDarkleech is a campaign commonly used by the Cerber author; its function is to redirect traffic from the victim to the Exploit Kit server in a stealthy manner. The pseudoDarkleech script has the task of injecting web pages and a web server through root-level access.

Figure 12: Chain of events pseudoDarkleech campaign

The chain of events of the pseudoDarkleech campaign shown in Figure 12 is explained as follows:

1) First, the victim visits a website (compromised website) that has been compromised or injected with malicious scripts, and the malicious script from the compromised website makes an HTTP request to the Exploit Kit Landing Page.

2) The EK landing page finds and determines whether the computer has vulnerabilities, usually in browser-based applications and Adobe Flash Player, and then the EK sends an Exploit to take advantage of the vulnerable application.

3) If the exploit is successful, the EK sends the Ransomware payload, which accesses and encrypts files and folders unnoticed; the victim has then been completely infected by the Ransomware payload.

5 Conclusion and Future Work

The use of the Network Forensic Behavior Based method successfully detected and analyzed Cerber Ransomware through the reconstruction of the Cerber Ransomware chain of events, as shown in Figure 13.

Figure 13: Chains of event

Starting from the host computer named STIWIE PC, the victim performs a search on the search engine bing.com, and following the referral from bing.com the STIWIE PC visits www.homeimprovement.com. Website analysis shows that the site had been injected by the cyber criminals/actors, making it a Compromised Website for the Campaign. The analysis phase detected that the Campaign successfully used the pseudoDarkleech script to redirect the victim to the server using the RIG Exploit Kit (EK) to download a malware payload named CERBER Ransomware. For future work, deep Network Forensics is required on the side of the compromised websites and the Exploit Kit server. Exploit Kits currently deliver encrypted binary code, which has made them harder to detect and analyze.
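The chain-of-events reconstruction summarized above, carried out programmatically, as an added example that is not part of the paper: it takes the steps the paper performs by hand in Wireshark (the first http.request timestamp and its conversion to SE Asia Standard Time, host identification from NBNS, the .top domain, the requests to the RIG EK address, and the Referer chain from the EK back through www.homeimprovement.com to the bing.com search) and runs them over a small constructed set of already-decoded records. The victim IP, MAC address, hostname, timestamp, EK address, compromised site, .top domain, and Bing referrer are the paper's values; the destination IPs, request paths, the second host, and all function names are assumptions made for this example.

```python
"""Reconstruct a drive-by infection chain from decoded request records.

Added example, not the paper's own code. The paper reads each fact off a
Wireshark filter (http.request, nbns, ip.addr eq 194.87.234.129, Follow TCP
Stream); here the same steps run over constructed, already-decoded records.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

SE_ASIA_STANDARD_TIME = timezone(timedelta(hours=7))       # UTC+7, the paper's local zone
EK_ADDRESSES = {"194.87.234.129"}                           # RIG EK address reported in the paper
SUSPICIOUS_SUFFIXES = (".top", ".onion.link", ".onion.nu")  # suffixes from the paper's domain list

# Constructed NBNS records. The victim IP, MAC and hostname are the paper's values
# (hostname written in NetBIOS form); the gateway entry is invented filler.
NBNS_RECORDS = [
    {"src_ip": "172.16.4.193", "src_mac": "5c:26:0a:02:a8:e4", "name": "STEWIE-PC"},
    {"src_ip": "172.16.4.1", "src_mac": "00:00:5e:00:53:01", "name": "GATEWAY"},
]

# Constructed HTTP requests: (UTC time, src IP, dst IP, Host header, path, Referer).
# Timestamp, victim IP, EK IP, compromised site, .top domain and the Bing referrer come
# from the paper; destination IPs, paths and the unrelated host are assumptions.
HTTP_REQUESTS = [
    ("2017-01-27 22:40:00", "172.16.4.50", "198.51.100.20", "update.example.net", "/ping", None),
    ("2017-01-27 22:53:54", "172.16.4.193", "198.51.100.10", "www.homeimprovement.com", "/",
     "http://www.bing.com/search?q=home+improvement+remodeling+your+kitchen&qs=n&sp=-1"),
    ("2017-01-27 22:53:57", "172.16.4.193", "194.87.234.129", "194.87.234.129",
     "/landing-placeholder", "http://www.homeimprovement.com/"),
    ("2017-01-27 22:54:10", "172.16.4.193", "194.87.234.129", "194.87.234.129",
     "/payload-placeholder", "http://www.homeimprovement.com/"),
    ("2017-01-27 22:55:02", "172.16.4.193", "203.0.113.7", "p27dokhpz2n7nvgr.1jw2lx.top", "/", None),
]


def parse_utc(ts):
    """'YYYY-MM-DD HH:MM:SS' as Wireshark displays UTC -> timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def victim_requests(requests, victim_ip):
    """Requests sent by the victim, in time order (http.request narrowed to one source)."""
    return sorted((r for r in requests if r[1] == victim_ip), key=lambda r: parse_utc(r[0]))


def first_infection_time(requests, victim_ip):
    """Earliest victim request as (UTC, SE Asia Standard Time) datetimes."""
    first = parse_utc(victim_requests(requests, victim_ip)[0][0])
    return first, first.astimezone(SE_ASIA_STANDARD_TIME)


def identify_host(nbns_records, ip):
    """NetBIOS name and MAC announced by the given IP (the nbns filter step)."""
    for rec in nbns_records:
        if rec["src_ip"] == ip:
            return rec["name"], rec["src_mac"]
    return None, None


def suspicious_domains(requests, victim_ip):
    """Host headers ending in a suffix the paper associates with Cerber infrastructure."""
    return sorted({r[3] for r in victim_requests(requests, victim_ip)
                   if r[3].endswith(SUSPICIOUS_SUFFIXES)})


def ek_requests(requests, victim_ip):
    """Victim requests to a known EK address (the ip.addr eq ... filter)."""
    return [r for r in victim_requests(requests, victim_ip) if r[2] in EK_ADDRESSES]


def referrer_chain(requests, victim_ip):
    """Follow Referer headers back from the first EK request: EK <- compromised site <- search."""
    ek = ek_requests(requests, victim_ip)
    if not ek or not ek[0][5]:
        return None
    compromised = urlparse(ek[0][5]).hostname
    site_req = next((r for r in victim_requests(requests, victim_ip) if r[3] == compromised), None)
    result = {"compromised_site": compromised, "search_engine": None, "search_terms": None}
    if site_req and site_req[5]:
        search = urlparse(site_req[5])
        result["search_engine"] = search.hostname
        result["search_terms"] = parse_qs(search.query).get("q", [None])[0]
    return result


def reconstruct_chain(nbns_records, requests, victim_ip):
    """Ordered (UTC time, event) tuples: the chain of events of Figure 13 as data."""
    name, mac = identify_host(nbns_records, victim_ip)
    utc, local = first_infection_time(requests, victim_ip)
    chain = referrer_chain(requests, victim_ip) or {}
    stamp = utc.strftime("%Y-%m-%d %H:%M:%S")
    events = [(stamp, f"first request from {name} ({victim_ip}, {mac}); "
                      f"{local.strftime('%Y-%m-%d %H:%M:%S')} SE Asia Standard Time")]
    if chain.get("search_engine"):
        events.append((stamp, f"search on {chain['search_engine']} for '{chain['search_terms']}'"))
    if chain.get("compromised_site"):
        events.append((stamp, f"visit to compromised site {chain['compromised_site']}"))
    events += [(r[0], f"request to EK address {r[2]}") for r in ek_requests(requests, victim_ip)]
    events += [(r[0], f"post-infection request to {r[3]}") for r in victim_requests(requests, victim_ip)
               if r[3] in suspicious_domains(requests, victim_ip)]
    return events


if __name__ == "__main__":
    for when, what in reconstruct_chain(NBNS_RECORDS, HTTP_REQUESTS, "172.16.4.193"):
        print(when, "UTC", what)
```

Run stand-alone, the script prints the timeline in the order the paper narrates it: first request, the Bing search, the visit to the compromised site, the two requests to the EK address, and the later request to the .top domain. Against a real capture the constructed records would be replaced by fields exported from Wireshark (frame time, ip.src, ip.dst, http.host, http.request.uri, http.referer), and the suffix list would be extended with whatever infrastructure the investigation turns up.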

Furthermore, we suggest that users keep their browser applications updated and patch vulnerabilities, because the weakest point in the security chain is the human being; the solution is to strengthen the end point on the human side by building a "Human Firewall".

References

[1] K. Ade, R. Imam, and L. Ahmad, "Forensic analysis and prevent of cross site scripting in single victim attack using open web application security project (owasp) framework," Journal of Theoretical and Applied Information Technology, vol. 95, no. 6, pp. 1363–1371, 2017.
[2] A. Alexander and C. Anders, "The state of ransomware, trends and mitigation techniques," in IEEE East-West Design, 2017.
[3] A. A. Ali and Z. N. A. Kamarul, "Attack intention recognition: A review," International Journal of Network Security, vol. 19, no. 2, pp. 244–250, 2017.
[4] L. Andy, C. Armour, and B. Pearce. Jack, "Ransomware becomes the most prevalent form of malware and hits an ever-wider range of victims," Network Security, vol. 2017, no. 2, pp. 1–2, 2017.
[5] P. Athina and K. Vasilios, "Differential malware forensics," Digital Investigation, vol. 10, no. 4, pp. 311–322, 2013.
[6] M. Baca, J. Cosic, Z. Cosic, "Forensic analysis of social networks (case study)," in Proceedings of 33rd International Conference on Information Technology Interfaces, pp. 219–223, 2013.
[7] K. Cabaj and W. Mazurczyk, "Using software-defined networking for ransomware mitigation: the case of cryptowall," IEEE Network, vol. 30, no. 6, pp. 14–20, 2016.
[8] K. Clemens, C. PaoloMilani, and K. C., "Effective and efficient malware detection at the end host," in Proceedings of the 18th Conference on USENIX Security Symposium, pp. 70–82, 2011.
[9] P. Ebenezer and A. Aderemi, "Efficient feature selection technique for network intrusion detection system using discrete differential evolution and decision tree," International Journal of Network Security, vol. 19, no. 5, pp. 660–669, 2017.
[10] C. Eoghan, Digital Evidence and Computer Crime, Elsevier Academic Press, 2011.
[11] S. Gordon, "Malvertising hits dating websites," Network Security, vol. 2015, no. 9, p. 2, 2015.
[12] R. Imam, E. Jazi, A. Ahmad, and Subanar, "Log analysis techniques using clustering in network forensics," International Journal of Computer Science and Information Security, vol. 10, 2013.
[13] S. James, S. Drew, and S. Visiting, Cerber & KeRanger: The Latest Examples of Weaponized Encryption, Institute for Critical Infrastructure Technology, 2016.
[14] N. Khoa, T. Dat, M. Wanli, S. Dharmendra, "An approach to detect network attacks applied for network forensics," in 11th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD'14), pp. 655–660, 2014.
[15] M. Labs, Understanding Ransomware and Strategies to Defeat it, Technical Report 1, Dec. 2016.
[16] M. Labs, McAfee Labs Threats Report, Technical Report 1, Jan. 2017.
[17] MalwareBytes, State of Malware Report, Technical Report 1, Jan. 2017.
[18] M. H. Mate, S. R. Kapse, "Network forensic tool - concept and architecture," in Fifth International Conference on Communication Systems and Network Technologies, Apr. 2015.
[19] Z. Mohd, S. Shahrin, A. M. Faizal, S. S. Rahayu, and H. C. Yun, "A comparative study on feature selection method for n-gram mobile malware detection," International Journal of Network Security, vol. 19, pp. 1–7, 2017.
[20] Monika, Z. Pavol, and L. Dale, "Experimental analysis of ransomware on windows and android platforms: Evolution and characterization," Procedia Computer Science, vol. 94, pp. 465–472, 2016.
[21] B. Nadia, K. Mohamed, Z. Khaled, and B. Chafika, "Iwnetfaf: An integrated wireless network forensic analysis framework," in Cybersecurity and Cyberforensics Conference (CCC'16), pp. 35–40, 2016.
[22] P. A. Networks, Exploit Kit Getting in Any Means Necessary, Technical Report 2, June 2017.
[23] E. S. Pilli and R. C. Joshi, Fundamentals of Network Forensics, Springer, 2016.
[24] R. Pratyush and K. Prabhakar, "Network detection of ransomware delivered by exploit kit," ARPN Journal of Engineering and Applied Sciences, vol. 12, no. 12, pp. 3885–3889, 2017.
[25] A. Rab, A. Neville, A. Anand, et al., Ransomware and Businesses 2016, Technical Report 1, July 2016.
[26] B. Ross, "Ransomware attacks: Detection, prevention and cure," Network Security, vol. 2016, no. 9, pp. 5–9, 2016.
[27] A. Saeed and S. Paul, "Optimised malware detection in digital forensics," International Journal of Network Security, vol. 6, no. 1, pp. 01–15, 2014.
[28] G. S. Sanjay and K. Kamalanathan, "Understanding and defending crypto-ransomware," ARPN Journal of Engineering and Applied Sciences, vol. 12, no. 12, pp. 3920–3925, 2017.
[29] D. Sanjeev, L. Yang, Z. Wei, and C. Mahintham, "Semantics-based online malware detection: Towards efficient real-time protection against malware," IEEE Transactions on Information Forensics and Security, vol. 11, no. 2, 2016.
[30] D. Sherri and H. Jonathan, Network Forensics: Tracking Hackers Through Cyberspace, Prentice Hall, 2012.
[31] E. Tim, "Ransomware: Threat and response," Network Security, vol. 2016, no. 10, pp. 17–19, 2016.

[32] S. Toshiki, Y. Takeshi, A. Mitsuaki, C. Daiki, and Y. Takeshi, "Efficient dynamic malware analysis based on network behavior using deep learning," in IEEE Global Communications Conference (GLOBECOM'16), pp. 1–7, 2016.
[33] M. I. Trend, Trendlabs SM 2016 1H Security Roundup, Technical Report 1, Jan. 2017.
[34] L. Yassine and S. E. Mamouna, "An approach to detect network attacks applied for network forensics," in International Conference on Cyber Security And Protection Of Digital Services, pp. 1–10, 2017.
[35] A. Young and M. Yung, "Cryptovirology: extortion-based security threats and countermeasures," in IEEE Symposium on Security and Privacy, vol. 5111, pp. 129–140, 1996.

Biography

Ade Kurniawan received his Masters degree in Digital Forensic in 2014 from Universitas Islam Indonesia. He is currently a lecturer in the Department of Informatics Engineering of Universal University. His research interests include Computer, Network Security, and Digital Forensics.

Imam Riadi is an Associate Professor in the Department of Information System, Ahmad Dahlan University. He received his PhD Degree in the Faculty of Sciences from Universitas Gadjah Mada. His research interests include computer security, Network Forensic, and Data Mining.
