ektotal: integrated analysis tool
EKTotal
EKTotal is an integrated analysis tool that automatically analyzes the traffic of Drive-by Download attacks. The software package can identify four types of Exploit Kits, such as RIG and Magnitude, and more than ten types of attack campaigns, such as Seamless and Fobos. It can also extract exploit codes and malware. The heuristic analysis engine is based on the Exploit Kit tracking research that the team "nao_sec" has conducted since 2017. EKTotal provides a user-friendly web interface and powerful automated analysis functions, so it can assist SOC operators, CSIRT members, and researchers.
Features
- Identification of malicious traffic
  - Extracts over 10 types of attack campaigns from enormous traffic data
- Automatic analysis of Exploit Kits
  - Automatically analyzes 4 types of exploit kits, de-obfuscates the exploit codes, and decrypts the malware
- User-friendly Web-UI
  - You can see the result at a glance
Installation
Requirements
- PHP 7
- Web Server (e.g. nginx + php-fpm)
- hidd3ncod3s/pcap2saz
- An environment that can run .NET binaries (e.g. .NET Framework, Mono)
- Git clone this repository: git clone https://github.com/nao-sec/ektotal.git
- Git clone hidd3ncod3s/pcap2saz and build it
- Put FiddlerCore.dll, Ionic.Zip.dll, and pcap2saz.exe under /ektotal/bin
- If you want to submit malware samples to VirusTotal, set your API key in post_vt.php
- Configure and run the web server
  - The document root is /frontend/dist, and the document root for URLs containing /api is /
  - For example, when using nginx + php-fpm
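The following nginx server block is an added example written for this page, not the project's own configuration. It implements the two document roots stated above and assumes that the repository was cloned to /var/www/ektotal (so /frontend/dist and / are relative to that directory), that php-fpm listens on the Unix socket /run/php/php-fpm.sock, and that the site is served as ektotal.example; adjust those three values to your environment.

```nginx
server {
    listen 80;
    server_name ektotal.example;           # assumed hostname

    # Assumed location of the cloned repository
    set $ektotal_root /var/www/ektotal;

    # Web-UI: document_root is /frontend/dist (relative to the repository)
    root $ektotal_root/frontend/dist;
    index index.html;

    # Serve the static front-end; fall back to index.html for client-side routes
    location / {
        try_files $uri $uri/ /index.html;
    }

    # API: URLs containing /api use the repository root as document_root,
    # so /api/foo.php resolves to $ektotal_root/api/foo.php
    location /api {
        root $ektotal_root;

        # PHP is executed only inside /api; nothing under the static tree
        # or under /bin (the .NET binaries) is ever passed to php-fpm
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed php-fpm socket
        }
    }
}
```

Run `nginx -t` after installing the file to validate the syntax before reloading. Keeping the PHP handler nested under `location /api` limits script execution to the API directory, which is the least-privilege layout for a tool that stores attacker-controlled pcap, exploit and malware artifacts on disk.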
Usage
Copyright (c) 2018 nao-sec
Source: https://github.com/nao-sec/