[BHUSA 2018 Arsenal] Integrated tool to analyze Drive-by Download attack
EKTotal is an integrated analysis tool that automatically analyzes the network traffic of Drive-by Download attacks. The software package can identify four types of Exploit Kits, such as RIG and Magnitude, and more than ten types of attack campaigns, such as Seamless and Fobos. EKTotal can also extract the exploit code and the malware delivered by an attack. Its heuristic analysis engine is based on the Exploit Kit tracking research that the team known as "nao_sec" has conducted since 2017. EKTotal provides a user-friendly web interface and powerful automated analysis functions, so it can assist SOC operators, CSIRT members, and researchers.
Requirements

- nginx + php-fpm
- .NET Framework (or Mono)
Installation (Docker)

1. Put FiddlerCore.dll, Ionic.Zip.dll and pcap2saz.exe under ektotal/bin
2. Edit post_vt.php
3. Run docker-compose up -d
Installation (manual)

1. Put FiddlerCore.dll, Ionic.Zip.dll and pcap2saz.exe under ektotal/bin
2. Edit post_vt.php
3. Set the document_root of the URL / to /frontend/dist, and the document_root of the URL containing /api to /
4. Configure nginx + php-fpm, for example:
```nginx
server {
    listen 80;
    server_name _;
    client_max_body_size 30M;

    location / {
        root /path/to/directory/frontend/dist;
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    location /api {
        root /path/to/directory;
        index index.html index.htm index.php;
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        root /path/to/directory;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
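A pre-flight script for the manual setup, added here as an example (it is not part of the EKTotal project). It assumes the layout described above: the three files under ektotal/bin, and an nginx server block with a `client_max_body_size` directive. It verifies that the pcap2saz dependencies are in place and that a capture you intend to submit is smaller than the upload limit nginx will enforce; the `preflight.sh` name and the argument order are this example's own choices.

```bash
#!/bin/sh
# Pre-flight checks for a manual EKTotal deployment. This is an added example,
# not part of the EKTotal project. It assumes the layout the README describes:
# FiddlerCore.dll, Ionic.Zip.dll and pcap2saz.exe under ektotal/bin, and an
# nginx server block that sets client_max_body_size for the upload endpoint.

# Succeed (return 0) only if every file pcap2saz needs is present under the
# given bin directory; report each missing file on stderr.
check_bin_dir() {
    dir="$1"
    missing=0
    for f in FiddlerCore.dll Ionic.Zip.dll pcap2saz.exe; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Print the effective client_max_body_size of an nginx config in bytes.
# nginx falls back to 1m when the directive is absent, so report that too.
max_body_bytes() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*client_max_body_size[[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    if [ -z "$val" ]; then
        val=1m
    fi
    num=$(printf '%s' "$val" | sed 's/[^0-9]//g')
    case "$val" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Succeed only if the capture file is small enough for nginx to accept the
# upload; otherwise explain why the submission would be rejected with 413.
fits_upload_limit() {
    file="$1"
    conf="$2"
    size=$(wc -c < "$file" | tr -d ' ')
    limit=$(max_body_bytes "$conf")
    if [ "$size" -gt "$limit" ]; then
        echo "$file is $size bytes, above client_max_body_size ($limit bytes)" >&2
        return 1
    fi
    return 0
}

# Usage: sh preflight.sh ektotal/bin /etc/nginx/conf.d/ektotal.conf [capture.pcap]
if [ "$#" -ge 2 ]; then
    status=0
    check_bin_dir "$1" || status=1
    if [ -n "$3" ]; then
        fits_upload_limit "$3" "$2" || status=1
    fi
    exit "$status"
fi
```

The size check matters because the server block above caps uploads at 30M: a larger pcap is refused by nginx with 413 before EKTotal ever sees it, and if the directive is dropped the limit silently falls back to nginx's default of 1m. The script does not verify that Mono can actually execute pcap2saz.exe, and it does not replace `nginx -t` after editing the config.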
Usage

Just submit a pcap or saz file through the web interface.
License

EKTotal is open-sourced software licensed under the MIT License.