├── .gitignore
├── INSTALL.md
├── LICENSE
├── README.md
├── config.py
├── ekanalyzer.py
├── patches
│   └── dpkt.patch
├── requirements.txt
├── templates
│   ├── base.html
│   ├── details.html
│   ├── index.html
│   ├── launch.html
│   ├── list.html
│   └── view.html
├── user_agents.txt
├── user_agents_large.txt
└── yara
    ├── ExploitPackTable_2014.yar
    ├── ekanalyzer.yar
    ├── jsunpack.yar
    ├── paranoid.yar
    └── yalih.yar

/.gitignore:
--------------------------------------------------------------------------------
*.pyc
config.py
venv
uploads/
workspace/
--------------------------------------------------------------------------------
/INSTALL.md:
--------------------------------------------------------------------------------
Install
=======

### Install services

Install mongo, redis and clamav:

~~~
sudo apt-get install mongodb redis-server clamav-daemon python-pip build-essential dh-autoreconf python-dev patch
~~~

Download clamav signatures:

~~~
sudo freshclam
~~~

### Virtual environment

~~~
sudo pip install virtualenv
cd ekanalyzer
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt
mkdir uploads
~~~

### Install yara (in your virtualenv)

~~~
cd /tmp
wget https://github.com/plusvic/yara/archive/v3.3.0.tar.gz
tar xvfz v3.3.0.tar.gz
cd yara-3.3.0
./bootstrap.sh
./configure
sudo make install
cd yara-python
python setup.py install
~~~

### Install dpkt (in your virtualenv)

~~~
cd /tmp
wget http://dpkt.googlecode.com/files/dpkt-1.8.tar.gz
tar xvfz dpkt-1.8.tar.gz
cd dpkt-1.8
python setup.py install
~~~

### Recommended: Patch dpkt

The patch is available in the patches/ directory:

~~~
cd venv/local/lib/python2.7/site-packages/dpkt
patch -p1 < /tmp/ekanalyzer/patches/dpkt.patch
~~~
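A post-install sanity check for the steps above and for the config.py and launch steps that follow. This is an added example, not a script from the ekanalyzer project: it assumes the VirusTotal key is stored in config.py under a variable named VT_API_KEY (override with the VT_KEY_NAME environment variable if the real name differs), uses GNU patch's --dry-run to see whether the dpkt patch has been applied, and the sample layout it can build is constructed for demonstration only.

```shell
#!/bin/sh
# check_install.sh -- verify an ekanalyzer checkout after following INSTALL.md.
# Usage: sh check_install.sh /path/to/ekanalyzer
# Added example, not part of the project. VT_API_KEY is an assumed name.

VT_KEY_NAME="${VT_KEY_NAME:-VT_API_KEY}"

# check_install DIR: prints one line per failed check and returns the
# number of failures (0 means the install looks complete).
check_install() {
    dir="$1"
    fails=0

    # 1. Virtualenv and upload directory, as created in INSTALL.md.
    if [ ! -f "$dir/venv/bin/activate" ]; then
        echo "FAIL: no virtualenv at $dir/venv (run: virtualenv venv)"
        fails=$((fails + 1))
    fi
    if [ ! -d "$dir/uploads" ]; then
        echo "FAIL: missing $dir/uploads (run: mkdir uploads)"
        fails=$((fails + 1))
    fi

    # 2. The dpkt patch shipped in patches/ must be present, and if dpkt is
    #    already installed in the venv, a reverse dry-run tells us whether
    #    it has been applied (GNU patch flags).
    pkg="$dir/venv/local/lib/python2.7/site-packages/dpkt"
    if [ ! -f "$dir/patches/dpkt.patch" ]; then
        echo "FAIL: patches/dpkt.patch not found"
        fails=$((fails + 1))
    elif [ -d "$pkg" ]; then
        if ! patch -R -p1 --dry-run -s -d "$pkg" \
                < "$dir/patches/dpkt.patch" >/dev/null 2>&1; then
            echo "FAIL: dpkt patch not applied in $pkg"
            fails=$((fails + 1))
        fi
    else
        echo "WARN: dpkt not installed yet, patch state not checked"
    fi

    # 3. config.py must exist and carry a real-looking key, not an empty
    #    string or a placeholder left over from the template.
    cfg="$dir/config.py"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg missing (create it and set $VT_KEY_NAME)"
        fails=$((fails + 1))
    else
        key=$(sed -n "s/^[[:space:]]*$VT_KEY_NAME[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
        case "$key" in
            ""|*YOUR*|*CHANGE*|*xxx*|*XXX*)
                echo "FAIL: $VT_KEY_NAME in config.py is empty or a placeholder"
                fails=$((fails + 1)) ;;
        esac
    fi

    # 4. Secret hygiene: config.py holds the API key, so it must stay
    #    untracked. The project's own .gitignore lists it; make sure that
    #    entry survived local edits.
    if ! grep -qxF 'config.py' "$dir/.gitignore" 2>/dev/null; then
        echo "FAIL: config.py not listed in .gitignore (API key would be committed)"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# make_sample_install DIR GOOD|BAD: constructed directory layout used only to
# demonstrate the checker; it is not a real ekanalyzer checkout.
make_sample_install() {
    dir="$1"
    mkdir -p "$dir/venv/bin" "$dir/uploads" "$dir/patches"
    : > "$dir/venv/bin/activate"
    : > "$dir/patches/dpkt.patch"
    if [ "$2" = "GOOD" ]; then
        printf '%s = "0123456789abcdef0123456789abcdef"\n' "$VT_KEY_NAME" > "$dir/config.py"
        printf '*.pyc\nconfig.py\nvenv\nuploads/\nworkspace/\n' > "$dir/.gitignore"
    else
        # Placeholder key left in place and config.py no longer ignored.
        printf '%s = "YOUR_VT_API_KEY"\n' "$VT_KEY_NAME" > "$dir/config.py"
        printf '*.pyc\nvenv\nuploads/\nworkspace/\n' > "$dir/.gitignore"
    fi
}

# Run against a real checkout when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_install "$1"
fi
```

The exit status is the number of failed checks, so the script can gate a deployment step; the dpkt patch state is only checked once dpkt is installed in the venv.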
Edit the config.py file and enter your VirusTotal API key.

### Launch

Celery (Terminal 1)

~~~
cd ekanalyzer
source venv/bin/activate
celery -A ekanalyzer:celery worker -l DEBUG
~~~

App (Terminal 2)

~~~
cd ekanalyzer
source venv/bin/activate
python ekanalyzer.py
~~~

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The GNU Affero General Public License is a free, copyleft license for software and other kinds of works, specifically designed to ensure cooperation with the community in the case of network server software.

The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License which gives you legal permission to copy, distribute and/or modify the software.

A secondary benefit of defending all users' freedom is that improvements made in alternate versions of the program, if they receive widespread use, become available for other developers to incorporate. Many developers of free software are heartened and encouraged by the resulting cooperation. However, in the case of software used on network servers, this result may fail to come about. The GNU General Public License permits making a modified version and letting the public access it on a server without ever releasing its source code to the public.

The GNU Affero General Public License is designed specifically to ensure that, in such cases, the modified source code becomes available to the community. It requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version.

An older license, called the Affero General Public License and published by Affero, was designed to accomplish similar goals. This is a different license, not a version of the Affero GPL, but Affero has released a new version of the Affero GPL which permits relicensing under this license.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

0. Definitions.

"This License" refers to version 3 of the GNU Affero General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based on the Program.

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

1. Source Code.
The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.

A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified it, and giving a relevant date.

b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

7. Additional Terms.

"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Remote Network Interaction; Use with the GNU General Public License.

Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the work with which it is combined will remain governed by version 3 of the GNU General Public License.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU Affero General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU Affero General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU Affero General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU Affero General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.
599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 | SUCH DAMAGES. 609 | 610 | 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these terms. 626 | 627 | To do so, attach the following notices to the program. It is safest 628 | to attach them to the start of each source file to most effectively 629 | state the exclusion of warranty; and each file should have at least 630 | the "copyright" line and a pointer to where the full notice is found. 
631 | 632 | 633 | Copyright (C) 634 | 635 | This program is free software: you can redistribute it and/or modify 636 | it under the terms of the GNU Affero General Public License as published 637 | by the Free Software Foundation, either version 3 of the License, or 638 | (at your option) any later version. 639 | 640 | This program is distributed in the hope that it will be useful, 641 | but WITHOUT ANY WARRANTY; without even the implied warranty of 642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 | GNU Affero General Public License for more details. 644 | 645 | You should have received a copy of the GNU Affero General Public License 646 | along with this program. If not, see . 647 | 648 | Also add information on how to contact you by electronic and paper mail. 649 | 650 | If your software can interact with users remotely through a computer 651 | network, you should also make sure that it provides a way for users to 652 | get its source. For example, if your program is a web application, its 653 | interface could display a "Source" link that leads users to an archive 654 | of the code. There are many ways you could offer source, and different 655 | solutions will be better for different programs; see section 13 for the 656 | specific requirements. 657 | 658 | You should also get your employer (if you work as a programmer) or school, 659 | if any, to sign a "copyright disclaimer" for the program, if necessary. 660 | For more information on this, and how to apply and follow the GNU AGPL, see 661 | . 
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
ekanalyzer
==========

Exploit kit analyzer
--------------------------------------------------------------------------------
/config.py:
--------------------------------------------------------------------------------
UPLOAD_FOLDER = "uploads/"
MAX_CONTENT_LENGTH = 16 * 1024 * 1024

CELERY_RESULT_BACKEND = "redis"
CELERY_REDIS_HOST = "localhost"
CELERY_REDIS_PORT = 6379
CELERY_REDIS_DB = 0
BROKER_URL = 'redis://localhost:6379/0'

MONGODB_SERVER = 'localhost'
MONGODB_PORT = 27017

USER_AGENTS = open("user_agents.txt").read().splitlines()

# FIXME: a live key is committed here although config.py is listed in
# .gitignore; keep the real key out of the repository.
VIRUSTOTAL_API_KEY = "a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088"
--------------------------------------------------------------------------------
/ekanalyzer.py:
--------------------------------------------------------------------------------
import os
import sys
import socket
import hashlib
import zlib
import json
import datetime
from io import BytesIO
from time import sleep
from zipfile import ZipFile

from flask import Flask, render_template, request, redirect, url_for

from pymongo import Connection, DESCENDING, errors
from bson.code import Code
from bson.objectid import ObjectId

import dpkt
import magic
import pyclamd
import redis
import requests
import yara
from celery import Celery
from requests import Request, Session

# FIXME: move to config.py
ALLOWED_EXTENSIONS = set(['pcap'])
rules = yara.compile(filepath='yara/ekanalyzer.yar')

cd = pyclamd.ClamdAgnostic()


def create_app():
    return Flask("ekanalyzer")

app = create_app()
app.config.from_pyfile('config.py')


connection = Connection(app.config['MONGODB_SERVER'], app.config['MONGODB_PORT'])
db = connection.ekanalyzer
# Create the collections one by one: a single try block would stop at the
# first collection that already exists and skip the remaining ones.
for _name in ("analysis", "malicious", "pcap", "requests"):
    try:
        db.create_collection(_name)
    except errors.CollectionInvalid:
        pass


memcache = redis.Redis('localhost')


app.debug = True

celery = Celery('ekanalyzer', broker=app.config['BROKER_URL'])


@celery.task
def perform_results(pcap_id):
    """Extract every HTTP request (port 80 only) from the uploaded pcap into
    the 'requests' collection, then queue the replay tasks."""
    pcap_hash = None
    try:
        result = db.pcap.find_one({'_id': ObjectId(pcap_id)})
        pcap_hash = result['id']

        with open(os.path.join(app.config['UPLOAD_FOLDER'], pcap_hash), "rb") as f:
            for ts, buf in dpkt.pcap.Reader(f):
                eth = dpkt.ethernet.Ethernet(buf)
                ip = eth.data
                if not isinstance(ip, dpkt.ip.IP):
                    continue
                tcp = ip.data
                if not isinstance(tcp, dpkt.tcp.TCP):
                    continue
                # FIXME: assuming only http traffic on port 80
                if tcp.dport != 80 or len(tcp.data) == 0:
                    continue
                try:
                    http = dpkt.http.Request(tcp.data)
                except dpkt.UnpackError as e:
                    # NeedData is a subclass of UnpackError: a segment that
                    # does not carry a complete request is skipped instead of
                    # aborting the whole pcap
                    print e
                    continue

                data = {'ip': socket.inet_ntoa(ip.dst),
                        'uri': http.uri,
                        'method': http.method,
                        'data': http.data,
                        'headers': http.headers,
                        'hash': pcap_hash,
                        'pcap_id': ObjectId(pcap_id),
                        'date': datetime.datetime.utcnow()}
                db.requests.insert(data)

    except (AttributeError, NameError, TypeError) as e:
        print e
    except:
        print "Unexpected error:", sys.exc_info()
        print pcap_hash
    finally:
        process_requests(pcap_id)


def process_requests(pcap_id):
    """Queue one replay task per captured request and record the task
    counters used by the web UI."""
    result = db.requests.find({'pcap_id': ObjectId(pcap_id)})
    # process_request replays every request once per configured user agent
    # plus once with the user agent captured in the pcap, and decrements the
    # counter once per replay, so the counter must match that total.
    nrequests = result.count() * (len(app.config['USER_AGENTS']) + 1)
    memcache.set(str(pcap_id) + "_tasks", str(nrequests))
    memcache.set(str(pcap_id) + "_total_tasks", str(nrequests))

    print "added %s tasks" % str(nrequests)

    for r in result:
        # Maybe hash is not necessary
        print process_request.delay(r['ip'], r['uri'], r['method'], r['headers'], r['data'], r['hash'], r['pcap_id'])


def decrement_pending(pcap_id):
    """One replay finished (or failed): update the pending task counter.
    DECR is atomic, so concurrent celery workers cannot lose updates."""
    memcache.decr(str(pcap_id) + "_tasks")


def extract_zip(data):
    """Return {member name: bytes} for an in-memory zip archive."""
    input_zip = ZipFile(BytesIO(data))
    return {name: input_zip.read(name) for name in input_zip.namelist()}


VT_MIMETYPES = ("application/octet-stream", "application/java-archive",
                "application/zip", "application/pdf", "text/html",
                "application/x-shockwave-flash")
VT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def check_vt(hash, mimetype):
    """Look up a content hash on VirusTotal (hash lookup only, the sample is
    never uploaded), caching reports in redis and keeping at least 15 seconds
    between API calls."""
    # Empty file
    if hash == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
        return None

    vt_report = None
    vt_report_raw = memcache.get(hash)
    if vt_report_raw:
        try:
            vt_report = json.loads(vt_report_raw)
        except ValueError as e:
            print "The cached report cannot be loaded for %s: %s" % (hash, e)

    if vt_report is None and mimetype in VT_MIMETYPES:
        # Send to VT
        parameters = {"resource": hash, "apikey": app.config["VIRUSTOTAL_API_KEY"]}

        last_call_cache = memcache.get("last_vt_call")
        if last_call_cache is not None:
            last_call = datetime.datetime.strptime(last_call_cache, VT_TIME_FORMAT)
            sleep_seconds = 15 - (datetime.datetime.utcnow() - last_call).total_seconds()
            if sleep_seconds > 0:
                sleep(sleep_seconds)

        r = requests.post('https://www.virustotal.com/vtapi/v2/file/report', params=parameters)
        # Store the timestamp in the format strptime expects above:
        # str(datetime) drops the fractional seconds when they are zero.
        memcache.set("last_vt_call", datetime.datetime.utcnow().strftime(VT_TIME_FORMAT))

        try:
            vt_report = r.json()
            memcache.set(hash, r.text)
        except ValueError:
            print "Problem saving the report"
            print "Unexpected error:", sys.exc_info()
    return vt_report


@celery.task
def process_request(ip, uri, method, headers, data, pcap_hash, pcap_id):
    """Replay one captured request against its original server once per user
    agent and analyze every response with YARA, ClamAV and VirusTotal."""
    # Work on a copy: appending to app.config['USER_AGENTS'] itself would make
    # the shared list grow with every task.
    user_agents = app.config['USER_AGENTS'][:]

    # FIXME: check case
    user_agents.append(headers.get('user-agent', ""))

    for user_agent in user_agents:
        headers['user-agent'] = user_agent

        # FIXME: port 80
        url = "http://{0}:80{1}".format(ip, uri)

        #proxies = {
        #    "http": "http://127.0.0.1:8080"
        #}

        s = Session()
        req = Request(method, url, data=data, headers=headers)
        prepped = req.prepare()

        try:
            resp = s.send(prepped,
                          timeout=3,
                          allow_redirects=False,
                          #proxies=proxies
                          )
        except requests.exceptions.RequestException as e:
            # connection errors and connect/read timeouts all count as a
            # finished task, otherwise the counter never reaches zero
            print e
            decrement_pending(pcap_id)
            continue

        # user agent hash
        UA = hashlib.md5(user_agent).hexdigest()

        host = headers.get('host') or ip
        workspace = os.path.join(os.path.abspath("workspace"), str(pcap_id), UA)
        fpath = os.path.normpath(os.path.join(workspace, host + uri))
        if not fpath.startswith(workspace + os.sep):
            # host/uri come from the uploaded pcap; refuse paths that would
            # escape the workspace directory
            fpath = None

        response = resp.content

        # FIXME: uris ending with / are not saved properly
        # FIXME: manage files in GridFS
        if fpath is not None and not os.path.isdir(fpath):
            try:
                dpath = os.path.dirname(fpath)
                if not os.path.exists(dpath):
                    os.makedirs(dpath)
                with open(fpath, "wb") as f:
                    f.write(response)
            except (IOError, OSError):
                pass

        # response hash
        content_hash = hashlib.sha256(response).hexdigest()

        # filetype & mimetype
        filetype = magic.from_buffer(response)
        mimetype = magic.from_buffer(response, mime=True)

        tags = {'clean': 0, 'suspicious': 0, 'malicious': 0}
        ymatches = None
        unpacked = response

        vt_report = check_vt(content_hash, mimetype)
        if vt_report is not None and vt_report.get('positives', 0) > 0:
            tags['malicious'] += 1

        # FIXME: check VT after unpack/decompress
        # Prepare for YARA
        # FIXME: ZWS (LZMA compressed SWF) is not handled yet, see
        # http://malware-traffic-analysis.net/2014/09/23/index.html
        try:
            if mimetype == "application/x-shockwave-flash" and response.startswith("CWS"):
                # zlib-compressed SWF: 3-byte signature, 1-byte version,
                # 4-byte length, then the deflated body. Rebuild it as an
                # uncompressed FWS file so the YARA rules see the real content.
                unpacked = 'FWS' + response[3:8] + zlib.decompress(response[8:])
                if fpath is not None:
                    with open(fpath + ".decompressed", "wb") as f:
                        f.write(unpacked)

            elif mimetype == "application/zip":
                unpacked = ''.join(extract_zip(response).values())

            ymatches = rules.match(data=unpacked)
            if not ymatches:
                ymatches = None
            else:
                tags['suspicious'] += 1
        except:
            print "Unexpected error:", sys.exc_info()

        # ClamAV analysis
        clamav = cd.scan_stream(unpacked)
        if clamav:
            tags['malicious'] += 1

        #FIXME: add html/javascript analysis here

        #FIXME: add peepdf based analysis here

        # Review tags before analysis
        if tags['malicious'] == 0 and tags['suspicious'] == 0:
            tags['clean'] = 1

        # FIXME: maybe hash is not necessary
        analysis_data = {'pcap_id': ObjectId(pcap_id),
                         'hash': pcap_hash,
                         'tags': tags,
                         'filetype': filetype,
                         'mimetype': mimetype,
                         'yara': ymatches,
                         'clamav': clamav,
                         'user-agent': user_agent,
                         'UA': UA,
                         'host': host,
                         'uri': uri,
                         'data': data,
                         'status_code': resp.status_code,
                         'content_hash': content_hash,
                         'vt': vt_report,
                         'date': datetime.datetime.utcnow()}

        db.analysis.insert(analysis_data)
        decrement_pending(pcap_id)


def allowed_file(filename):
    return '.' in filename and \
        filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS


@app.route('/upload-ek/', methods=['POST'])
def upload_file():
    file = request.files['pcap']

    if file and allowed_file(file.filename):
        hash = hashlib.sha256()
        try:
            # FIXME: it should be saved before calculating the sha256
            hash.update(file.read())
        except:
            print "Unexpected error:", sys.exc_info()
        finally:
            file.seek(0)
        hash_name = hash.hexdigest()
        file.save(os.path.join(app.config['UPLOAD_FOLDER'], hash_name))

        pcap = {'id': hash_name, 'date': datetime.datetime.utcnow()}
        pcap_id = db.pcap.insert(pcap)

        return redirect(url_for('launch', pcap_id=pcap_id))

    # not a .pcap upload: a view must not return None
    return redirect(url_for('index'))


@app.route('/launch/<pcap_id>/')
def launch(pcap_id):
    perform_results.delay(pcap_id)
    return render_template('launch.html', pcap_id=pcap_id)


@app.route('/view/<pcap_id>/')
def view(pcap_id):
    # the counters do not exist yet before process_requests has run
    pending_tasks = int(memcache.get(str(pcap_id) + "_tasks") or 0)
    total_tasks = int(memcache.get(str(pcap_id) + "_total_tasks") or 0)

    print "There are %s pending tasks out of %s" % (pending_tasks, total_tasks)

    pid = {"_id.pcap_id": ObjectId(pcap_id)}

    # FIXME: this map/reduce is executed each time view is requested
    map_fn = Code("function () {"
                  "  emit({ pcap_id : this['pcap_id'], UA : this.UA, 'user-agent' : this['user-agent']},"
                  "       {malicious: this.tags.malicious, clean: this.tags.clean, suspicious: this.tags.suspicious});"
                  "}")

    reduce_fn = Code("function (key, vals) {"
                     "  var result = {malicious:0, suspicious:0, clean:0 };"
                     "  vals.forEach(function (value) {result.malicious += value.malicious; result.clean += value.clean; result.suspicious += value.suspicious; });"
                     "  return result;"
                     "}")

    results = db.analysis.map_reduce(map_fn, reduce_fn, 'malicious')

    requests_found = [i for i in results.find(pid)]

    original_request = db.requests.find_one({"pcap_id": ObjectId(pcap_id)})

    original_ua = ''
    try:
        if original_request:
            original_ua = original_request['headers']['user-agent']
    except KeyError:
        pass

    return render_template('view.html', requests=requests_found, original_ua=original_ua,
                           pending_tasks=pending_tasks, total_tasks=total_tasks)


@app.route('/list')
def list():
    # NOTE: this view shadows the builtin list(); do not call list() in this module
    pcaps = db.pcap.find().sort([('_id', DESCENDING)])

    analysis = []

    for pcap in pcaps:
        queries = db.analysis.find({'pcap_id': ObjectId(pcap['_id'])})
        tags = {'malicious': 0, 'suspicious': 0, 'clean': 0, 'running': 0}
        pending = int(memcache.get(str(pcap['_id']) + "_tasks") or 0)
        if pending > 0:
            tags['running'] = 1

        for query in queries:
            if query['tags']['malicious']:
                tags['malicious'] += 1
            if query['tags']['suspicious']:
                tags['suspicious'] += 1
            if query['tags']['clean']:
                tags['clean'] += 1

        analysis.append({pcap['_id']: {'tags': tags, 'date_performed': pcap['date']}})
    return render_template('list.html', analysis=analysis)


@app.route('/details/<pcap_id>/<ua>/')
def details(pcap_id, ua):
    user_agent = {'UA': ua, 'pcap_id': ObjectId(pcap_id)}
    requests_found = db.analysis.find(user_agent)

    return render_template('details.html', requests=requests_found)


@app.route('/')
def index():
    return render_template('index.html')


if __name__ == "__main__":
    # debug=True enables the Werkzeug debugger; binding it to 0.0.0.0 exposes
    # it to the whole network, so only do this on an isolated lab host
    app.run(debug=True, host="0.0.0.0", port=5001)

-------------------------------------------------------------------------------- /patches/dpkt.patch: -------------------------------------------------------------------------------- 1 | diff -Nur dpkt/http.py dpkt-patch/http.py 2 | --- dpkt/http.py 2014-11-17 17:41:59.406706107 +0100 3 | +++ dpkt-patch/http.py 2014-11-17 17:43:08.378704782 +0100 4 | @@ -11,7 +11,8 @@ 5 | while 1: 6 | line = f.readline() 7 | if not line: 8 | - raise dpkt.NeedData('premature end of headers') 9 | + #raise dpkt.NeedData('premature end of headers') 10 | + continue 11 | line = line.strip() 12 | if not line: 13 | break 14 | 
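Review bot: replacing `raise dpkt.NeedData('premature end of headers')` with `continue` in the first hunk turns a truncated header block into an infinite loop: once `f.readline()` returns an empty string at end of input it keeps returning it, so the `while 1:` loop never reaches the `if not line: break` path. Use `break` there instead, or leave the library alone and catch `dpkt.NeedData` around `dpkt.http.Request()` per packet in the caller (perform_results in ekanalyzer.py).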
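Review bot: in the second hunk, the parse_body one, replacing both `raise dpkt.NeedData(...)` with `pass` means a chunked body with no terminating chunk and a Content-Length body shorter than declared are returned as if they were complete, and the caller has no way to tell a truncated capture from a whole one. Since perform_results feeds this parser a single TCP segment's payload, the short-body case is the common one (bodies spanning several segments), so the truncation should at least be recorded on the returned object rather than silently dropped. The trailing `Binary files dpkt/http.pyc and dpkt-patch/http.pyc differ` line also shows a compiled .pyc in the patched tree; keep .pyc files out of the diff.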
@@ -49,13 +50,15 @@ 15 | else: 16 | break 17 | if not found_end: 18 | - raise dpkt.NeedData('premature end of chunked body') 19 | + #raise dpkt.NeedData('premature end of chunked body') 20 | + pass 21 | body = ''.join(l) 22 | elif 'content-length' in headers: 23 | n = int(headers['content-length']) 24 | body = f.read(n) 25 | if len(body) != n: 26 | - raise dpkt.NeedData('short body (missing %d bytes)' % (n - len(body))) 27 | + #raise dpkt.NeedData('short body (missing %d bytes)' % (n - len(body))) 28 | + pass 29 | elif 'content-type' in headers: 30 | body = f.read() 31 | else: 32 | Binary files dpkt/http.pyc and dpkt-patch/http.pyc differ 33 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==0.10.1 2 | Jinja2==2.7.3 3 | MarkupSafe==0.23 4 | Werkzeug==0.9.6 5 | amqp==1.4.6 6 | anyjson==0.3.3 7 | billiard==3.3.0.18 8 | celery==3.1.15 9 | itsdangerous==0.24 10 | kombu==3.0.23 11 | pyClamd==0.3.10 12 | pymongo==2.7.2 13 | python-magic==0.4.6 14 | pytz==2014.7 15 | redis==2.10.3 16 | requests==2.4.1 17 | wsgiref==0.1.2 18 | yara==1.7.7 19 | -------------------------------------------------------------------------------- /templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | {% block head %} 5 | 6 | {% block title %}{% endblock %} - Exploit kit Analyzer 7 | 8 | {% endblock %} 9 | 10 | 11 |
{% block content %}{% endblock %}
12 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /templates/details.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %}EK Analyzer{% endblock %} 4 | {% block head %} 5 | {{ super() }} 6 | 7 | {% endblock %} 8 | 9 | {% block content %} 10 | 11 |

Details

12 | 13 | 14 | {% for request in requests %} 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | {% if request['yara'] %} 58 | 59 | 60 | 65 | 66 | {% endif %} 67 | 68 | 69 | {% if request['clamav'] %} 70 | 71 | 72 | 73 | 74 | {% endif %} 75 | 76 | 77 | 78 | 108 | 109 | 110 | 111 | 112 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 |
URI{{request['uri']}}
User Agent{{request['user-agent']}}
Host{{request['host']}}
Filetype{{request['filetype']}}
Mimetype{{request['mimetype']}}
sha256{{request['content_hash']}}
Date{{request['date']}}
Yara 61 | {% for y in request['yara'].main %} 62 | {{y.rule}}
63 | {% endfor %} 64 |
ClamAV{{request['clamav']}}
VT 79 | 80 | 81 | {% if request.vt %} 82 | 83 | {% if request.vt.positives %} 84 | {{request.vt.positives}}/{{request.vt.total}} 85 | {% else %} 86 | No detections 87 | {% endif %} 88 | {% if request.vt.permalink %} 89 | View VT Report 90 | {% endif %} 91 | {% else %} 92 | Not analyzed 93 | {% endif %} 94 | 95 | 96 | 106 | 107 |
Tags 113 | {% for t in request['tags'] %} 114 | {% if request['tags'][t] > 0 %} 115 | {{t}}
116 | {% endif %} 117 | {% endfor %} 118 |
127 |
128 | 129 | {% endfor %} 130 | 131 | 132 | {% endblock %} 133 | -------------------------------------------------------------------------------- /templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %}EK Analyzer{% endblock %} 4 | {% block head %} 5 | {{ super() }} 6 | 7 | {% endblock %} 8 | 9 | {% block content %} 10 | 11 | View analysis 12 | 13 | 14 |

Upload a pcap file

15 | 16 |
17 |
18 | 19 |
20 | 21 | 22 |
23 |
24 | 29 | 30 |
31 |
32 |
33 | 34 | 35 | 36 | 37 | {% endblock %} 38 | -------------------------------------------------------------------------------- /templates/launch.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |

A new task been created. Please wait a few seconds...

5 | -------------------------------------------------------------------------------- /templates/list.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %}EK Analyzer{% endblock %} 4 | {% block head %} 5 | {{ super() }} 6 | 7 | {% endblock %} 8 | 9 | {% block content %} 10 | 11 |

List

12 | 13 | {% for item in analysis %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | {% for key, result in item.iteritems() %} 29 | 30 | 31 | 32 | 33 | 57 | 58 | 59 | 60 | 61 | {% endfor %} 62 | 63 | 64 |
IDDateResultView
{{key}}{{result.date_performed}} 34 | {% if result.tags.running == 1 %} 35 | Running 36 | {% else %} 37 | {% if result.tags.malicious > 0 %} 38 | Malicious
39 | 40 | {% else %} 41 | 42 | {% if result.tags.suspicious > 0 %} 43 | Suspicious 44 | {% else %} 45 | 46 | {% if result.tags.clean > 0 %} 47 | Clean 48 | {% endif %} 49 | 50 | {% endif %} 51 | 52 | {% endif %} 53 | {% endif %} 54 | 55 | 56 |
View
65 |
66 | {% endfor %} 67 | 68 | 69 | 70 | 71 | {% endblock %} 72 | -------------------------------------------------------------------------------- /templates/view.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block title %}EK Analyzer{% endblock %} 4 | {% block head %} 5 | {{ super() }} 6 | 7 | {% endblock %} 8 | {% block content %} 9 |

Overview

10 | 11 | 12 | 13 | {% if pending_tasks > 0 %} 14 |

This analysis is running


15 | 16 | Total Tasks:{{total_tasks}}
17 | Pending Tasks:{{pending_tasks}} 18 | {% else %} 19 | The analysis has finished properly. 20 | {% endif %} 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | {% for request in requests %} 32 | 33 | 38 | 46 | 49 | 50 | {% else %} 51 |

52 | No information available. 53 | 54 | {% if pending_tasks < 1 %} 55 | Maybe the server is down. 56 | {% endif %} 57 | 58 |

59 | 60 | {% endfor %} 61 | 62 |
User AgentStatsDetails
34 | {% if original_ua == request['_id']['user-agent'] %} {% endif %} 35 | {{ request['_id']['user-agent'] }} 36 | {% if original_ua == request['_id']['user-agent'] %} {% endif %} 37 | 39 | 40 | Malicious: {{request.value.malicious}}
41 | Suspicious: {{request.value.suspicious}}
42 | Clean: {{request.value.clean}}
43 | 44 | 45 |
47 | View 48 |
63 | {% endblock %} 64 | -------------------------------------------------------------------------------- /user_agents.txt: -------------------------------------------------------------------------------- 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) 2 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0) 3 | Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 4 | Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322) 5 | Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0) 6 | Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) -------------------------------------------------------------------------------- /user_agents_large.txt: -------------------------------------------------------------------------------- 1 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2 2 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 3 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 5 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 6 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36 7 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 8 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0 9 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 10 | Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/36.0.1985.143 Safari/537.36 11 | Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 12 | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 13 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 14 | Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 15 | Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 16 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 17 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 18 | Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 19 | Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36 20 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 21 | Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 22 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 23 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36 24 | Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 25 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 26 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 27 | Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0 28 | Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko 29 | Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 30 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/36.0.1985.125 Safari/537.36 31 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 32 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.8 (KHTML, like Gecko) Version/8.0 Safari/600.1.8 33 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 34 | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 35 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 36 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10 37 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 38 | Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 39 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 40 | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 41 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.102 Safari/537.36 42 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36 43 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 44 | Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 45 | Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko 46 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0 47 | Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0 48 | Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53 49 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 50 | 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 51 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 52 | Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36 53 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:31.0) Gecko/20100101 Firefox/31.0 54 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 55 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 56 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2 57 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 58 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 59 | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 60 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 61 | Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0 62 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 63 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 64 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 65 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 66 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/7.0.4 Safari/537.76.4 67 | Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 68 | 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14 69 | Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36 70 | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 71 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Firefox/31.0 72 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 73 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.15 (KHTML, like Gecko) Version/8.0 Safari/600.1.15 74 | Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53 75 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 76 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 77 | Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 78 | Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 79 | Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53 80 | Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 81 | Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko 82 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.94 Chrome/37.0.2062.94 Safari/537.36 83 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 84 | Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53 85 | Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like 
Gecko) Version/8.0 Mobile/12A365 Safari/600.1.4 86 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 87 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14 88 | Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 89 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 90 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 91 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 92 | Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 93 | -------------------------------------------------------------------------------- /yara/ExploitPackTable_2014.yar: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Rules from https://docs.google.com/a/drainware.com/spreadsheet/lv?key=0Atu4BZE06xNIdERxdEw4MGM3a0Fwc2pxaHVrSFhneVE&f=true&noheader=true&gid=2 4 | 5 | */ 6 | 7 | rule cf_pdf_cve_2007_5659 8 | { 9 | meta: 10 | maltype = "all" 11 | filetype = "pdf" 12 | yaraexchange = "No distribution without author's consent" 13 | author = "Michael Remen" 14 | source = "Yara Exchange" 15 | date = "2012-08" 16 | version = "1.0" 17 | cve = "CVE-2007-5659" 18 | strings: 19 | $a = {255044462d} 20 | $b = {7961727073} 21 | $c = {6570616373656e75} 22 | $d = {6e6f6974636e7566} 23 | $e = {7961727241} 24 | condition: 25 | all of them 26 | } 27 | 28 | 29 | 30 | rule cf_pdf_suspicious_obfuscation : pdf 31 | { 32 | meta: 33 | author = "Glenn Edwards (@hiddenillusion)" 34 | version = "0.1" 35 | weight = 2 36 | maltype = "all" 37 | filetype = "pdf" 38 | yaraexchange = "No distribution without author's consent" 39 | strings: 40 | $magic = { 25 50 44 46 } 41 | $reg = 
/\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/ 42 | condition: 43 | $magic at 0 and #reg > 5 44 | } 45 | 46 | rule cf_java_execute_write 47 | { 48 | meta: 49 | author = "Glenn Edwards (@hiddenillusion)" 50 | version = "0.1" 51 | ref = "http://docs.oracle.com" 52 | maltype = "all" 53 | filetype = "jar" 54 | yaraexchange = "No distribution without author's consent" 55 | date = "2012-09" 56 | strings: 57 | $magic = { CA FE BA BE } 58 | /* Local execution */ 59 | $exec0 = "Runtime.getRuntime" 60 | $exec1 = "exec" 61 | /* Exploit */ 62 | $exp0 = /arrayOf(Byte|String)/ 63 | $exp1 = "toByteArray" 64 | $exp2 = "HexDecode" 65 | $exp3 = "StringtoBytes" 66 | $exp6 = "InputStream" 67 | $exp7 = "Exception.printStackTrace" 68 | $fwrite0 = "FileOutputStream" /*contains a byte stream with the serialized representation of an object given to its constructor*/ 69 | $fwrite3 = "MarshalledObject" 70 | $fwrite4 = "writeObject" 71 | $fwrite5 = "OutputStreamWriter" 72 | /* Loader indicators */ 73 | $load0 = "getResourceAsStream" 74 | $load1 = /l(port|host)/ 75 | $load2 = "ObjectInputStream" 76 | $load3 = "ArrayOfByte" 77 | //$gen1 = "file://" 78 | condition: 79 | $magic at 0 and ((all of ($exec*) and 2 of ($fwrite*)) or (2 of ($exp*) and 2 of ($load*))) 80 | } 81 | 82 | 83 | 84 | rule dyndns_d_la { strings: $a = "d.la" condition: $a } 85 | 86 | rule dyndns_sytes_net { strings: $a = "sytes.net" condition: $a } 87 | 88 | rule GEN_XOR_256bit_This_program_cannot_decremented 89 | { 90 | meta: 91 | author = "villys777@gmail.com" 92 | source = "Yara Exchange" 93 | date = "2012-08" 94 | version = "2.0" 95 | description = "encoded with decremented xor key executable" 96 | string = "This program cannot be run" 97 | byte_encode = true 98 | 99 | 100 | strings: 101 | $a1 = { 55 68 96 8d dd 8c 89 95 9e 8a 96 9b d5 97 92 9c 9f 9f 9b ce 8f 89 cb 98 9c 86} 102 | $a2 = { 56 69 69 8c de 8d 8e 94 9d 8b 99 9a d6 96 95 9d 9c 9e 84 cf 8c 88 cc 99 9f 87} 103 | $a3 = { 57 6a 68 73 df 8e 8f 93 9c 88 98 95 d7 95 94 9a 9d 9d 
85 d0 8d 8b cd 9e 9e 84} 104 | $a4 = { 50 6b 6b 72 20 8f 8c 92 9b 89 9b 94 d8 94 97 9b 9a 9c 86 d1 92 8a ce 9f 99 85} 105 | $a5 = { 51 6c 6a 71 21 70 8d 91 9a 8e 9a 97 d9 9b 96 98 9b 9b 87 d2 93 95 cf 9c 98 82} 106 | $a6 = { 52 6d 6d 70 22 71 72 90 99 8f 9d 96 da 9a 99 99 98 9a 80 d3 90 94 d0 9d 9b 83} 107 | $a7 = { 53 6e 6c 77 23 72 73 6f 98 8c 9c 91 db 99 98 96 99 99 81 d4 91 97 d1 82 9a 80} 108 | $a8 = { 5c 6f 6f 76 24 73 70 6e 67 8d 9f 90 dc 98 9b 97 96 98 82 d5 96 96 d2 83 85 81} 109 | $a9 = { 5d 60 6e 75 25 74 71 6d 66 72 9e 93 dd 9f 9a 94 97 97 83 d6 97 91 d3 80 84 9e} 110 | $a10 = { 5e 61 61 74 26 75 76 6c 65 73 61 92 de 9e 9d 95 94 96 8c d7 94 90 d4 81 87 9f} 111 | $a11 = { 5f 62 60 7b 27 76 77 6b 64 70 60 6d df 9d 9c 92 95 95 8d d8 95 93 d5 86 86 9c} 112 | $a12 = { 58 63 63 7a 28 77 74 6a 63 71 63 6c 20 9c 9f 93 92 94 8e d9 9a 92 d6 87 81 9d} 113 | $a13 = { 59 64 62 79 29 78 75 69 62 76 62 6f 21 63 9e 90 93 93 8f da 9b 9d d7 84 80 9a} 114 | $a14 = { 5a 65 65 78 2a 79 7a 68 61 77 65 6e 22 62 61 91 90 92 88 db 98 9c d8 85 83 9b} 115 | $a15 = { 5b 66 64 7f 2b 7a 7b 67 60 74 64 69 23 61 60 6e 91 91 89 dc 99 9f d9 8a 82 98} 116 | $a16 = { 44 67 67 7e 2c 7b 78 66 6f 75 67 68 24 60 63 6f 6e 90 8a dd 9e 9e da 8b 8d 99} 117 | $a17 = { 45 78 66 7d 2d 7c 79 65 6e 7a 66 6b 25 67 62 6c 6f 6f 8b de 9f 99 db 88 8c 96} 118 | $a18 = { 46 79 79 7c 2e 7d 7e 64 6d 7b 69 6a 26 66 65 6d 6c 6e 74 df 9c 98 dc 89 8f 97} 119 | $a19 = { 47 7a 78 63 2f 7e 7f 63 6c 78 68 65 27 65 64 6a 6d 6d 75 20 9d 9b dd 8e 8e 94} 120 | $a20 = { 40 7b 7b 62 30 7f 7c 62 6b 79 6b 64 28 64 67 6b 6a 6c 76 21 62 9a de 8f 89 95} 121 | $a21 = { 41 7c 7a 61 31 60 7d 61 6a 7e 6a 67 29 6b 66 68 6b 6b 77 22 63 65 df 8c 88 92} 122 | $a22 = { 42 7d 7d 60 32 61 62 60 69 7f 6d 66 2a 6a 69 69 68 6a 70 23 60 64 20 8d 8b 93} 123 | $a23 = { 43 7e 7c 67 33 62 63 7f 68 7c 6c 61 2b 69 68 66 69 69 71 24 61 67 21 72 8a 90} 124 | $a24 = { 4c 7f 7f 66 34 63 60 7e 77 7d 6f 60 2c 68 6b 67 66 68 72 25 66 66 22 73 75 91} 125 | 
$a25 = { 4d 70 7e 65 35 64 61 7d 76 62 6e 63 2d 6f 6a 64 67 67 73 26 67 61 23 70 74 6e} 126 | $a26 = { 4e 71 71 64 36 65 66 7c 75 63 71 62 2e 6e 6d 65 64 66 7c 27 64 60 24 71 77 6f} 127 | $a27 = { 4f 72 70 6b 37 66 67 7b 74 60 70 7d 2f 6d 6c 62 65 65 7d 28 65 63 25 76 76 6c} 128 | $a28 = { 48 73 73 6a 38 67 64 7a 73 61 73 7c 30 6c 6f 63 62 64 7e 29 6a 62 26 77 71 6d} 129 | $a29 = { 49 74 72 69 39 68 65 79 72 66 72 7f 31 73 6e 60 63 63 7f 2a 6b 6d 27 74 70 6a} 130 | $a30 = { 4a 75 75 68 3a 69 6a 78 71 67 75 7e 32 72 71 61 60 62 78 2b 68 6c 28 75 73 6b} 131 | $a31 = { 4b 76 74 6f 3b 6a 6b 77 70 64 74 79 33 71 70 7e 61 61 79 2c 69 6f 29 7a 72 68} 132 | $a32 = { 74 77 77 6e 3c 6b 68 76 7f 65 77 78 34 70 73 7f 7e 60 7a 2d 6e 6e 2a 7b 7d 69} 133 | $a33 = { 75 48 76 6d 3d 6c 69 75 7e 6a 76 7b 35 77 72 7c 7f 7f 7b 2e 6f 69 2b 78 7c 66} 134 | $a34 = { 76 49 49 6c 3e 6d 6e 74 7d 6b 79 7a 36 76 75 7d 7c 7e 64 2f 6c 68 2c 79 7f 67} 135 | $a35 = { 77 4a 48 53 3f 6e 6f 73 7c 68 78 75 37 75 74 7a 7d 7d 65 30 6d 6b 2d 7e 7e 64} 136 | $a36 = { 70 4b 4b 52 00 6f 6c 72 7b 69 7b 74 38 74 77 7b 7a 7c 66 31 72 6a 2e 7f 79 65} 137 | $a37 = { 71 4c 4a 51 01 50 6d 71 7a 6e 7a 77 39 7b 76 78 7b 7b 67 32 73 75 2f 7c 78 62} 138 | $a38 = { 72 4d 4d 50 02 51 52 70 79 6f 7d 76 3a 7a 79 79 78 7a 60 33 70 74 30 7d 7b 63} 139 | $a39 = { 73 4e 4c 57 03 52 53 4f 78 6c 7c 71 3b 79 78 76 79 79 61 34 71 77 31 62 7a 60} 140 | $a40 = { 7c 4f 4f 56 04 53 50 4e 47 6d 7f 70 3c 78 7b 77 76 78 62 35 76 76 32 63 65 61} 141 | $a41 = { 7d 40 4e 55 05 54 51 4d 46 52 7e 73 3d 7f 7a 74 77 77 63 36 77 71 33 60 64 7e} 142 | $a42 = { 7e 41 41 54 06 55 56 4c 45 53 41 72 3e 7e 7d 75 74 76 6c 37 74 70 34 61 67 7f} 143 | $a43 = { 7f 42 40 5b 07 56 57 4b 44 50 40 4d 3f 7d 7c 72 75 75 6d 38 75 73 35 66 66 7c} 144 | $a44 = { 78 43 43 5a 08 57 54 4a 43 51 43 4c 00 7c 7f 73 72 74 6e 39 7a 72 36 67 61 7d} 145 | $a45 = { 79 44 42 59 09 58 55 49 42 56 42 4f 01 43 7e 70 73 73 6f 3a 7b 7d 37 64 60 7a} 146 | $a46 = { 7a 45 45 58 0a 
59 5a 48 41 57 45 4e 02 42 41 71 70 72 68 3b 78 7c 38 65 63 7b} 147 | $a47 = { 7b 46 44 5f 0b 5a 5b 47 40 54 44 49 03 41 40 4e 71 71 69 3c 79 7f 39 6a 62 78} 148 | $a48 = { 64 47 47 5e 0c 5b 58 46 4f 55 47 48 04 40 43 4f 4e 70 6a 3d 7e 7e 3a 6b 6d 79} 149 | $a49 = { 65 58 46 5d 0d 5c 59 45 4e 5a 46 4b 05 47 42 4c 4f 4f 6b 3e 7f 79 3b 68 6c 76} 150 | $a50 = { 66 59 59 5c 0e 5d 5e 44 4d 5b 49 4a 06 46 45 4d 4c 4e 54 3f 7c 78 3c 69 6f 77} 151 | $a51 = { 67 5a 58 43 0f 5e 5f 43 4c 58 48 45 07 45 44 4a 4d 4d 55 00 7d 7b 3d 6e 6e 74} 152 | $a52 = { 60 5b 5b 42 10 5f 5c 42 4b 59 4b 44 08 44 47 4b 4a 4c 56 01 42 7a 3e 6f 69 75} 153 | $a53 = { 61 5c 5a 41 11 40 5d 41 4a 5e 4a 47 09 4b 46 48 4b 4b 57 02 43 45 3f 6c 68 72} 154 | $a54 = { 62 5d 5d 40 12 41 42 40 49 5f 4d 46 0a 4a 49 49 48 4a 50 03 40 44 00 6d 6b 73} 155 | $a55 = { 63 5e 5c 47 13 42 43 5f 48 5c 4c 41 0b 49 48 46 49 49 51 04 41 47 01 52 6a 70} 156 | $a56 = { 6c 5f 5f 46 14 43 40 5e 57 5d 4f 40 0c 48 4b 47 46 48 52 05 46 46 02 53 55 71} 157 | $a57 = { 6d 50 5e 45 15 44 41 5d 56 42 4e 43 0d 4f 4a 44 47 47 53 06 47 41 03 50 54 4e} 158 | $a58 = { 6e 51 51 44 16 45 46 5c 55 43 51 42 0e 4e 4d 45 44 46 5c 07 44 40 04 51 57 4f} 159 | $a59 = { 6f 52 50 4b 17 46 47 5b 54 40 50 5d 0f 4d 4c 42 45 45 5d 08 45 43 05 56 56 4c} 160 | $a60 = { 68 53 53 4a 18 47 44 5a 53 41 53 5c 10 4c 4f 43 42 44 5e 09 4a 42 06 57 51 4d} 161 | $a61 = { 69 54 52 49 19 48 45 59 52 46 52 5f 11 53 4e 40 43 43 5f 0a 4b 4d 07 54 50 4a} 162 | $a62 = { 6a 55 55 48 1a 49 4a 58 51 47 55 5e 12 52 51 41 40 42 58 0b 48 4c 08 55 53 4b} 163 | $a63 = { 6b 56 54 4f 1b 4a 4b 57 50 44 54 59 13 51 50 5e 41 41 59 0c 49 4f 09 5a 52 48} 164 | $a64 = { 14 57 57 4e 1c 4b 48 56 5f 45 57 58 14 50 53 5f 5e 40 5a 0d 4e 4e 0a 5b 5d 49} 165 | $a65 = { 15 28 56 4d 1d 4c 49 55 5e 4a 56 5b 15 57 52 5c 5f 5f 5b 0e 4f 49 0b 58 5c 46} 166 | $a66 = { 16 29 29 4c 1e 4d 4e 54 5d 4b 59 5a 16 56 55 5d 5c 5e 44 0f 4c 48 0c 59 5f 47} 167 | $a67 = { 17 2a 28 33 1f 4e 4f 53 5c 48 58 55 17 
55 54 5a 5d 5d 45 10 4d 4b 0d 5e 5e 44} 168 | $a68 = { 10 2b 2b 32 60 4f 4c 52 5b 49 5b 54 18 54 57 5b 5a 5c 46 11 52 4a 0e 5f 59 45} 169 | $a69 = { 11 2c 2a 31 61 30 4d 51 5a 4e 5a 57 19 5b 56 58 5b 5b 47 12 53 55 0f 5c 58 42} 170 | $a70 = { 12 2d 2d 30 62 31 32 50 59 4f 5d 56 1a 5a 59 59 58 5a 40 13 50 54 10 5d 5b 43} 171 | $a71 = { 13 2e 2c 37 63 32 33 2f 58 4c 5c 51 1b 59 58 56 59 59 41 14 51 57 11 42 5a 40} 172 | $a72 = { 1c 2f 2f 36 64 33 30 2e 27 4d 5f 50 1c 58 5b 57 56 58 42 15 56 56 12 43 45 41} 173 | $a73 = { 1d 20 2e 35 65 34 31 2d 26 32 5e 53 1d 5f 5a 54 57 57 43 16 57 51 13 40 44 5e} 174 | $a74 = { 1e 21 21 34 66 35 36 2c 25 33 21 52 1e 5e 5d 55 54 56 4c 17 54 50 14 41 47 5f} 175 | $a75 = { 1f 22 20 3b 67 36 37 2b 24 30 20 2d 1f 5d 5c 52 55 55 4d 18 55 53 15 46 46 5c} 176 | $a76 = { 18 23 23 3a 68 37 34 2a 23 31 23 2c 60 5c 5f 53 52 54 4e 19 5a 52 16 47 41 5d} 177 | $a77 = { 19 24 22 39 69 38 35 29 22 36 22 2f 61 23 5e 50 53 53 4f 1a 5b 5d 17 44 40 5a} 178 | $a78 = { 1a 25 25 38 6a 39 3a 28 21 37 25 2e 62 22 21 51 50 52 48 1b 58 5c 18 45 43 5b} 179 | $a79 = { 1b 26 24 3f 6b 3a 3b 27 20 34 24 29 63 21 20 2e 51 51 49 1c 59 5f 19 4a 42 58} 180 | $a80 = { 04 27 27 3e 6c 3b 38 26 2f 35 27 28 64 20 23 2f 2e 50 4a 1d 5e 5e 1a 4b 4d 59} 181 | $a81 = { 05 38 26 3d 6d 3c 39 25 2e 3a 26 2b 65 27 22 2c 2f 2f 4b 1e 5f 59 1b 48 4c 56} 182 | $a82 = { 06 39 39 3c 6e 3d 3e 24 2d 3b 29 2a 66 26 25 2d 2c 2e 34 1f 5c 58 1c 49 4f 57} 183 | $a83 = { 07 3a 38 23 6f 3e 3f 23 2c 38 28 25 67 25 24 2a 2d 2d 35 60 5d 5b 1d 4e 4e 54} 184 | $a84 = { 00 3b 3b 22 70 3f 3c 22 2b 39 2b 24 68 24 27 2b 2a 2c 36 61 22 5a 1e 4f 49 55} 185 | $a85 = { 01 3c 3a 21 71 20 3d 21 2a 3e 2a 27 69 2b 26 28 2b 2b 37 62 23 25 1f 4c 48 52} 186 | $a86 = { 02 3d 3d 20 72 21 22 20 29 3f 2d 26 6a 2a 29 29 28 2a 30 63 20 24 60 4d 4b 53} 187 | $a87 = { 03 3e 3c 27 73 22 23 3f 28 3c 2c 21 6b 29 28 26 29 29 31 64 21 27 61 32 4a 50} 188 | $a88 = { 0c 3f 3f 26 74 23 20 3e 37 3d 2f 20 6c 28 2b 27 26 28 32 65 26 
26 62 33 35 51} 189 | $a89 = { 0d 30 3e 25 75 24 21 3d 36 22 2e 23 6d 2f 2a 24 27 27 33 66 27 21 63 30 34 2e} 190 | $a90 = { 0e 31 31 24 76 25 26 3c 35 23 31 22 6e 2e 2d 25 24 26 3c 67 24 20 64 31 37 2f} 191 | $a91 = { 0f 32 30 2b 77 26 27 3b 34 20 30 3d 6f 2d 2c 22 25 25 3d 68 25 23 65 36 36 2c} 192 | $a92 = { 08 33 33 2a 78 27 24 3a 33 21 33 3c 70 2c 2f 23 22 24 3e 69 2a 22 66 37 31 2d} 193 | $a93 = { 09 34 32 29 79 28 25 39 32 26 32 3f 71 33 2e 20 23 23 3f 6a 2b 2d 67 34 30 2a} 194 | $a94 = { 0a 35 35 28 7a 29 2a 38 31 27 35 3e 72 32 31 21 20 22 38 6b 28 2c 68 35 33 2b} 195 | $a95 = { 0b 36 34 2f 7b 2a 2b 37 30 24 34 39 73 31 30 3e 21 21 39 6c 29 2f 69 3a 32 28} 196 | $a96 = { 34 37 37 2e 7c 2b 28 36 3f 25 37 38 74 30 33 3f 3e 20 3a 6d 2e 2e 6a 3b 3d 29} 197 | $a97 = { 35 08 36 2d 7d 2c 29 35 3e 2a 36 3b 75 37 32 3c 3f 3f 3b 6e 2f 29 6b 38 3c 26} 198 | $a98 = { 36 09 09 2c 7e 2d 2e 34 3d 2b 39 3a 76 36 35 3d 3c 3e 24 6f 2c 28 6c 39 3f 27} 199 | $a99 = { 37 0a 08 13 7f 2e 2f 33 3c 28 38 35 77 35 34 3a 3d 3d 25 70 2d 2b 6d 3e 3e 24} 200 | $a100 = { 30 0b 0b 12 40 2f 2c 32 3b 29 3b 34 78 34 37 3b 3a 3c 26 71 32 2a 6e 3f 39 25} 201 | $a101 = { 31 0c 0a 11 41 10 2d 31 3a 2e 3a 37 79 3b 36 38 3b 3b 27 72 33 35 6f 3c 38 22} 202 | $a102 = { 32 0d 0d 10 42 11 12 30 39 2f 3d 36 7a 3a 39 39 38 3a 20 73 30 34 70 3d 3b 23} 203 | $a103 = { 33 0e 0c 17 43 12 13 0f 38 2c 3c 31 7b 39 38 36 39 39 21 74 31 37 71 22 3a 20} 204 | $a104 = { 3c 0f 0f 16 44 13 10 0e 07 2d 3f 30 7c 38 3b 37 36 38 22 75 36 36 72 23 25 21} 205 | $a105 = { 3d 00 0e 15 45 14 11 0d 06 12 3e 33 7d 3f 3a 34 37 37 23 76 37 31 73 20 24 3e} 206 | $a106 = { 3e 01 01 14 46 15 16 0c 05 13 01 32 7e 3e 3d 35 34 36 2c 77 34 30 74 21 27 3f} 207 | $a107 = { 3f 02 00 1b 47 16 17 0b 04 10 00 0d 7f 3d 3c 32 35 35 2d 78 35 33 75 26 26 3c} 208 | $a108 = { 38 03 03 1a 48 17 14 0a 03 11 03 0c 40 3c 3f 33 32 34 2e 79 3a 32 76 27 21 3d} 209 | $a109 = { 39 04 02 19 49 18 15 09 02 16 02 0f 41 03 3e 30 33 33 2f 7a 3b 3d 77 24 20 3a} 
210 | $a110 = { 3a 05 05 18 4a 19 1a 08 01 17 05 0e 42 02 01 31 30 32 28 7b 38 3c 78 25 23 3b} 211 | $a111 = { 3b 06 04 1f 4b 1a 1b 07 00 14 04 09 43 01 00 0e 31 31 29 7c 39 3f 79 2a 22 38} 212 | $a112 = { 24 07 07 1e 4c 1b 18 06 0f 15 07 08 44 00 03 0f 0e 30 2a 7d 3e 3e 7a 2b 2d 39} 213 | $a113 = { 25 18 06 1d 4d 1c 19 05 0e 1a 06 0b 45 07 02 0c 0f 0f 2b 7e 3f 39 7b 28 2c 36} 214 | $a114 = { 26 19 19 1c 4e 1d 1e 04 0d 1b 09 0a 46 06 05 0d 0c 0e 14 7f 3c 38 7c 29 2f 37} 215 | $a115 = { 27 1a 18 03 4f 1e 1f 03 0c 18 08 05 47 05 04 0a 0d 0d 15 40 3d 3b 7d 2e 2e 34} 216 | $a116 = { 20 1b 1b 02 50 1f 1c 02 0b 19 0b 04 48 04 07 0b 0a 0c 16 41 02 3a 7e 2f 29 35} 217 | $a117 = { 21 1c 1a 01 51 00 1d 01 0a 1e 0a 07 49 0b 06 08 0b 0b 17 42 03 05 7f 2c 28 32} 218 | $a118 = { 22 1d 1d 00 52 01 02 00 09 1f 0d 06 4a 0a 09 09 08 0a 10 43 00 04 40 2d 2b 33} 219 | $a119 = { 23 1e 1c 07 53 02 03 1f 08 1c 0c 01 4b 09 08 06 09 09 11 44 01 07 41 12 2a 30} 220 | $a120 = { 2c 1f 1f 06 54 03 00 1e 17 1d 0f 00 4c 08 0b 07 06 08 12 45 06 06 42 13 15 31} 221 | $a121 = { 2d 10 1e 05 55 04 01 1d 16 02 0e 03 4d 0f 0a 04 07 07 13 46 07 01 43 10 14 0e} 222 | $a122 = { 2e 11 11 04 56 05 06 1c 15 03 11 02 4e 0e 0d 05 04 06 1c 47 04 00 44 11 17 0f} 223 | $a123 = { 2f 12 10 0b 57 06 07 1b 14 00 10 1d 4f 0d 0c 02 05 05 1d 48 05 03 45 16 16 0c} 224 | $a124 = { 28 13 13 0a 58 07 04 1a 13 01 13 1c 50 0c 0f 03 02 04 1e 49 0a 02 46 17 11 0d} 225 | $a125 = { 29 14 12 09 59 08 05 19 12 06 12 1f 51 13 0e 00 03 03 1f 4a 0b 0d 47 14 10 0a} 226 | $a126 = { 2a 15 15 08 5a 09 0a 18 11 07 15 1e 52 12 11 01 00 02 18 4b 08 0c 48 15 13 0b} 227 | $a127 = { 2b 16 14 0f 5b 0a 0b 17 10 04 14 19 53 11 10 1e 01 01 19 4c 09 0f 49 1a 12 08} 228 | $a128 = { d4 17 17 0e 5c 0b 08 16 1f 05 17 18 54 10 13 1f 1e 00 1a 4d 0e 0e 4a 1b 1d 09} 229 | $a129 = { d5 e8 16 0d 5d 0c 09 15 1e 0a 16 1b 55 17 12 1c 1f 1f 1b 4e 0f 09 4b 18 1c 06} 230 | $a130 = { d6 e9 e9 0c 5e 0d 0e 14 1d 0b 19 1a 56 16 15 1d 1c 1e 04 4f 0c 08 4c 19 1f 07} 231 
| $a131 = { d7 ea e8 f3 5f 0e 0f 13 1c 08 18 15 57 15 14 1a 1d 1d 05 50 0d 0b 4d 1e 1e 04} 232 | $a132 = { d0 eb eb f2 a0 0f 0c 12 1b 09 1b 14 58 14 17 1b 1a 1c 06 51 12 0a 4e 1f 19 05} 233 | $a133 = { d1 ec ea f1 a1 f0 0d 11 1a 0e 1a 17 59 1b 16 18 1b 1b 07 52 13 15 4f 1c 18 02} 234 | $a134 = { d2 ed ed f0 a2 f1 f2 10 19 0f 1d 16 5a 1a 19 19 18 1a 00 53 10 14 50 1d 1b 03} 235 | $a135 = { d3 ee ec f7 a3 f2 f3 ef 18 0c 1c 11 5b 19 18 16 19 19 01 54 11 17 51 02 1a 00} 236 | $a136 = { dc ef ef f6 a4 f3 f0 ee e7 0d 1f 10 5c 18 1b 17 16 18 02 55 16 16 52 03 05 01} 237 | $a137 = { dd e0 ee f5 a5 f4 f1 ed e6 f2 1e 13 5d 1f 1a 14 17 17 03 56 17 11 53 00 04 1e} 238 | $a138 = { de e1 e1 f4 a6 f5 f6 ec e5 f3 e1 12 5e 1e 1d 15 14 16 0c 57 14 10 54 01 07 1f} 239 | $a139 = { df e2 e0 fb a7 f6 f7 eb e4 f0 e0 ed 5f 1d 1c 12 15 15 0d 58 15 13 55 06 06 1c} 240 | $a140 = { d8 e3 e3 fa a8 f7 f4 ea e3 f1 e3 ec a0 1c 1f 13 12 14 0e 59 1a 12 56 07 01 1d} 241 | $a141 = { d9 e4 e2 f9 a9 f8 f5 e9 e2 f6 e2 ef a1 e3 1e 10 13 13 0f 5a 1b 1d 57 04 00 1a} 242 | $a142 = { da e5 e5 f8 aa f9 fa e8 e1 f7 e5 ee a2 e2 e1 11 10 12 08 5b 18 1c 58 05 03 1b} 243 | $a143 = { db e6 e4 ff ab fa fb e7 e0 f4 e4 e9 a3 e1 e0 ee 11 11 09 5c 19 1f 59 0a 02 18} 244 | $a144 = { c4 e7 e7 fe ac fb f8 e6 ef f5 e7 e8 a4 e0 e3 ef ee 10 0a 5d 1e 1e 5a 0b 0d 19} 245 | $a145 = { c5 f8 e6 fd ad fc f9 e5 ee fa e6 eb a5 e7 e2 ec ef ef 0b 5e 1f 19 5b 08 0c 16} 246 | $a146 = { c6 f9 f9 fc ae fd fe e4 ed fb e9 ea a6 e6 e5 ed ec ee f4 5f 1c 18 5c 09 0f 17} 247 | $a147 = { c7 fa f8 e3 af fe ff e3 ec f8 e8 e5 a7 e5 e4 ea ed ed f5 a0 1d 1b 5d 0e 0e 14} 248 | $a148 = { c0 fb fb e2 b0 ff fc e2 eb f9 eb e4 a8 e4 e7 eb ea ec f6 a1 e2 1a 5e 0f 09 15} 249 | $a149 = { c1 fc fa e1 b1 e0 fd e1 ea fe ea e7 a9 eb e6 e8 eb eb f7 a2 e3 e5 5f 0c 08 12} 250 | $a150 = { c2 fd fd e0 b2 e1 e2 e0 e9 ff ed e6 aa ea e9 e9 e8 ea f0 a3 e0 e4 a0 0d 0b 13} 251 | $a151 = { c3 fe fc e7 b3 e2 e3 ff e8 fc ec e1 ab e9 e8 e6 e9 e9 f1 a4 e1 e7 a1 f2 0a 10} 252 | 
$a152 = { cc ff ff e6 b4 e3 e0 fe f7 fd ef e0 ac e8 eb e7 e6 e8 f2 a5 e6 e6 a2 f3 f5 11} 253 | $a153 = { cd f0 fe e5 b5 e4 e1 fd f6 e2 ee e3 ad ef ea e4 e7 e7 f3 a6 e7 e1 a3 f0 f4 ee} 254 | $a154 = { ce f1 f1 e4 b6 e5 e6 fc f5 e3 f1 e2 ae ee ed e5 e4 e6 fc a7 e4 e0 a4 f1 f7 ef} 255 | $a155 = { cf f2 f0 eb b7 e6 e7 fb f4 e0 f0 fd af ed ec e2 e5 e5 fd a8 e5 e3 a5 f6 f6 ec} 256 | $a156 = { c8 f3 f3 ea b8 e7 e4 fa f3 e1 f3 fc b0 ec ef e3 e2 e4 fe a9 ea e2 a6 f7 f1 ed} 257 | $a157 = { c9 f4 f2 e9 b9 e8 e5 f9 f2 e6 f2 ff b1 f3 ee e0 e3 e3 ff aa eb ed a7 f4 f0 ea} 258 | $a158 = { ca f5 f5 e8 ba e9 ea f8 f1 e7 f5 fe b2 f2 f1 e1 e0 e2 f8 ab e8 ec a8 f5 f3 eb} 259 | $a159 = { cb f6 f4 ef bb ea eb f7 f0 e4 f4 f9 b3 f1 f0 fe e1 e1 f9 ac e9 ef a9 fa f2 e8} 260 | $a160 = { f4 f7 f7 ee bc eb e8 f6 ff e5 f7 f8 b4 f0 f3 ff fe e0 fa ad ee ee aa fb fd e9} 261 | $a161 = { f5 c8 f6 ed bd ec e9 f5 fe ea f6 fb b5 f7 f2 fc ff ff fb ae ef e9 ab f8 fc e6} 262 | $a162 = { f6 c9 c9 ec be ed ee f4 fd eb f9 fa b6 f6 f5 fd fc fe e4 af ec e8 ac f9 ff e7} 263 | $a163 = { f7 ca c8 d3 bf ee ef f3 fc e8 f8 f5 b7 f5 f4 fa fd fd e5 b0 ed eb ad fe fe e4} 264 | $a164 = { f0 cb cb d2 80 ef ec f2 fb e9 fb f4 b8 f4 f7 fb fa fc e6 b1 f2 ea ae ff f9 e5} 265 | $a165 = { f1 cc ca d1 81 d0 ed f1 fa ee fa f7 b9 fb f6 f8 fb fb e7 b2 f3 f5 af fc f8 e2} 266 | $a166 = { f2 cd cd d0 82 d1 d2 f0 f9 ef fd f6 ba fa f9 f9 f8 fa e0 b3 f0 f4 b0 fd fb e3} 267 | $a167 = { f3 ce cc d7 83 d2 d3 cf f8 ec fc f1 bb f9 f8 f6 f9 f9 e1 b4 f1 f7 b1 e2 fa e0} 268 | $a168 = { fc cf cf d6 84 d3 d0 ce c7 ed ff f0 bc f8 fb f7 f6 f8 e2 b5 f6 f6 b2 e3 e5 e1} 269 | $a169 = { fd c0 ce d5 85 d4 d1 cd c6 d2 fe f3 bd ff fa f4 f7 f7 e3 b6 f7 f1 b3 e0 e4 fe} 270 | $a170 = { fe c1 c1 d4 86 d5 d6 cc c5 d3 c1 f2 be fe fd f5 f4 f6 ec b7 f4 f0 b4 e1 e7 ff} 271 | $a171 = { ff c2 c0 db 87 d6 d7 cb c4 d0 c0 cd bf fd fc f2 f5 f5 ed b8 f5 f3 b5 e6 e6 fc} 272 | $a172 = { f8 c3 c3 da 88 d7 d4 ca c3 d1 c3 cc 80 fc ff f3 f2 f4 ee b9 fa f2 b6 e7 e1 fd} 273 | 
$a173 = { f9 c4 c2 d9 89 d8 d5 c9 c2 d6 c2 cf 81 c3 fe f0 f3 f3 ef ba fb fd b7 e4 e0 fa} 274 | $a174 = { fa c5 c5 d8 8a d9 da c8 c1 d7 c5 ce 82 c2 c1 f1 f0 f2 e8 bb f8 fc b8 e5 e3 fb} 275 | $a175 = { fb c6 c4 df 8b da db c7 c0 d4 c4 c9 83 c1 c0 ce f1 f1 e9 bc f9 ff b9 ea e2 f8} 276 | $a176 = { e4 c7 c7 de 8c db d8 c6 cf d5 c7 c8 84 c0 c3 cf ce f0 ea bd fe fe ba eb ed f9} 277 | $a177 = { e5 d8 c6 dd 8d dc d9 c5 ce da c6 cb 85 c7 c2 cc cf cf eb be ff f9 bb e8 ec f6} 278 | $a178 = { e6 d9 d9 dc 8e dd de c4 cd db c9 ca 86 c6 c5 cd cc ce d4 bf fc f8 bc e9 ef f7} 279 | $a179 = { e7 da d8 c3 8f de df c3 cc d8 c8 c5 87 c5 c4 ca cd cd d5 80 fd fb bd ee ee f4} 280 | $a180 = { e0 db db c2 90 df dc c2 cb d9 cb c4 88 c4 c7 cb ca cc d6 81 c2 fa be ef e9 f5} 281 | $a181 = { e1 dc da c1 91 c0 dd c1 ca de ca c7 89 cb c6 c8 cb cb d7 82 c3 c5 bf ec e8 f2} 282 | $a182 = { e2 dd dd c0 92 c1 c2 c0 c9 df cd c6 8a ca c9 c9 c8 ca d0 83 c0 c4 80 ed eb f3} 283 | $a183 = { e3 de dc c7 93 c2 c3 df c8 dc cc c1 8b c9 c8 c6 c9 c9 d1 84 c1 c7 81 d2 ea f0} 284 | $a184 = { ec df df c6 94 c3 c0 de d7 dd cf c0 8c c8 cb c7 c6 c8 d2 85 c6 c6 82 d3 d5 f1} 285 | $a185 = { ed d0 de c5 95 c4 c1 dd d6 c2 ce c3 8d cf ca c4 c7 c7 d3 86 c7 c1 83 d0 d4 ce} 286 | $a186 = { ee d1 d1 c4 96 c5 c6 dc d5 c3 d1 c2 8e ce cd c5 c4 c6 dc 87 c4 c0 84 d1 d7 cf} 287 | $a187 = { ef d2 d0 cb 97 c6 c7 db d4 c0 d0 dd 8f cd cc c2 c5 c5 dd 88 c5 c3 85 d6 d6 cc} 288 | $a188 = { e8 d3 d3 ca 98 c7 c4 da d3 c1 d3 dc 90 cc cf c3 c2 c4 de 89 ca c2 86 d7 d1 cd} 289 | $a189 = { e9 d4 d2 c9 99 c8 c5 d9 d2 c6 d2 df 91 d3 ce c0 c3 c3 df 8a cb cd 87 d4 d0 ca} 290 | $a190 = { ea d5 d5 c8 9a c9 ca d8 d1 c7 d5 de 92 d2 d1 c1 c0 c2 d8 8b c8 cc 88 d5 d3 cb} 291 | $a191 = { eb d6 d4 cf 9b ca cb d7 d0 c4 d4 d9 93 d1 d0 de c1 c1 d9 8c c9 cf 89 da d2 c8} 292 | $a192 = { 94 d7 d7 ce 9c cb c8 d6 df c5 d7 d8 94 d0 d3 df de c0 da 8d ce ce 8a db dd c9} 293 | $a193 = { 95 a8 d6 cd 9d cc c9 d5 de ca d6 db 95 d7 d2 dc df df db 8e cf c9 8b d8 dc c6} 294 | 
$a194 = { 96 a9 a9 cc 9e cd ce d4 dd cb d9 da 96 d6 d5 dd dc de c4 8f cc c8 8c d9 df c7} 295 | $a195 = { 97 aa a8 b3 9f ce cf d3 dc c8 d8 d5 97 d5 d4 da dd dd c5 90 cd cb 8d de de c4} 296 | $a196 = { 90 ab ab b2 e0 cf cc d2 db c9 db d4 98 d4 d7 db da dc c6 91 d2 ca 8e df d9 c5} 297 | $a197 = { 91 ac aa b1 e1 b0 cd d1 da ce da d7 99 db d6 d8 db db c7 92 d3 d5 8f dc d8 c2} 298 | $a198 = { 92 ad ad b0 e2 b1 b2 d0 d9 cf dd d6 9a da d9 d9 d8 da c0 93 d0 d4 90 dd db c3} 299 | $a199 = { 93 ae ac b7 e3 b2 b3 af d8 cc dc d1 9b d9 d8 d6 d9 d9 c1 94 d1 d7 91 c2 da c0} 300 | $a200 = { 9c af af b6 e4 b3 b0 ae a7 cd df d0 9c d8 db d7 d6 d8 c2 95 d6 d6 92 c3 c5 c1} 301 | $a201 = { 9d a0 ae b5 e5 b4 b1 ad a6 b2 de d3 9d df da d4 d7 d7 c3 96 d7 d1 93 c0 c4 de} 302 | $a202 = { 9e a1 a1 b4 e6 b5 b6 ac a5 b3 a1 d2 9e de dd d5 d4 d6 cc 97 d4 d0 94 c1 c7 df} 303 | $a203 = { 9f a2 a0 bb e7 b6 b7 ab a4 b0 a0 ad 9f dd dc d2 d5 d5 cd 98 d5 d3 95 c6 c6 dc} 304 | $a204 = { 98 a3 a3 ba e8 b7 b4 aa a3 b1 a3 ac e0 dc df d3 d2 d4 ce 99 da d2 96 c7 c1 dd} 305 | $a205 = { 99 a4 a2 b9 e9 b8 b5 a9 a2 b6 a2 af e1 a3 de d0 d3 d3 cf 9a db dd 97 c4 c0 da} 306 | $a206 = { 9a a5 a5 b8 ea b9 ba a8 a1 b7 a5 ae e2 a2 a1 d1 d0 d2 c8 9b d8 dc 98 c5 c3 db} 307 | $a207 = { 9b a6 a4 bf eb ba bb a7 a0 b4 a4 a9 e3 a1 a0 ae d1 d1 c9 9c d9 df 99 ca c2 d8} 308 | $a208 = { 84 a7 a7 be ec bb b8 a6 af b5 a7 a8 e4 a0 a3 af ae d0 ca 9d de de 9a cb cd d9} 309 | $a209 = { 85 b8 a6 bd ed bc b9 a5 ae ba a6 ab e5 a7 a2 ac af af cb 9e df d9 9b c8 cc d6} 310 | $a210 = { 86 b9 b9 bc ee bd be a4 ad bb a9 aa e6 a6 a5 ad ac ae b4 9f dc d8 9c c9 cf d7} 311 | $a211 = { 87 ba b8 a3 ef be bf a3 ac b8 a8 a5 e7 a5 a4 aa ad ad b5 e0 dd db 9d ce ce d4} 312 | $a212 = { 80 bb bb a2 f0 bf bc a2 ab b9 ab a4 e8 a4 a7 ab aa ac b6 e1 a2 da 9e cf c9 d5} 313 | $a213 = { 81 bc ba a1 f1 a0 bd a1 aa be aa a7 e9 ab a6 a8 ab ab b7 e2 a3 a5 9f cc c8 d2} 314 | $a214 = { 82 bd bd a0 f2 a1 a2 a0 a9 bf ad a6 ea aa a9 a9 a8 aa b0 e3 a0 a4 e0 cd cb d3} 315 | 
        $a215 = { 83 be bc a7 f3 a2 a3 bf a8 bc ac a1 eb a9 a8 a6 a9 a9 b1 e4 a1 a7 e1 b2 ca d0}
        $a216 = { 8c bf bf a6 f4 a3 a0 be b7 bd af a0 ec a8 ab a7 a6 a8 b2 e5 a6 a6 e2 b3 b5 d1}
        $a217 = { 8d b0 be a5 f5 a4 a1 bd b6 a2 ae a3 ed af aa a4 a7 a7 b3 e6 a7 a1 e3 b0 b4 ae}
        $a218 = { 8e b1 b1 a4 f6 a5 a6 bc b5 a3 b1 a2 ee ae ad a5 a4 a6 bc e7 a4 a0 e4 b1 b7 af}
        $a219 = { 8f b2 b0 ab f7 a6 a7 bb b4 a0 b0 bd ef ad ac a2 a5 a5 bd e8 a5 a3 e5 b6 b6 ac}
        $a220 = { 88 b3 b3 aa f8 a7 a4 ba b3 a1 b3 bc f0 ac af a3 a2 a4 be e9 aa a2 e6 b7 b1 ad}
        $a221 = { 89 b4 b2 a9 f9 a8 a5 b9 b2 a6 b2 bf f1 b3 ae a0 a3 a3 bf ea ab ad e7 b4 b0 aa}
        $a222 = { 8a b5 b5 a8 fa a9 aa b8 b1 a7 b5 be f2 b2 b1 a1 a0 a2 b8 eb a8 ac e8 b5 b3 ab}
        $a223 = { 8b b6 b4 af fb aa ab b7 b0 a4 b4 b9 f3 b1 b0 be a1 a1 b9 ec a9 af e9 ba b2 a8}
        $a224 = { b4 b7 b7 ae fc ab a8 b6 bf a5 b7 b8 f4 b0 b3 bf be a0 ba ed ae ae ea bb bd a9}
        $a225 = { b5 88 b6 ad fd ac a9 b5 be aa b6 bb f5 b7 b2 bc bf bf bb ee af a9 eb b8 bc a6}
        $a226 = { b6 89 89 ac fe ad ae b4 bd ab b9 ba f6 b6 b5 bd bc be a4 ef ac a8 ec b9 bf a7}
        $a227 = { b7 8a 88 93 ff ae af b3 bc a8 b8 b5 f7 b5 b4 ba bd bd a5 f0 ad ab ed be be a4}
        $a228 = { b0 8b 8b 92 c0 af ac b2 bb a9 bb b4 f8 b4 b7 bb ba bc a6 f1 b2 aa ee bf b9 a5}
        $a229 = { b1 8c 8a 91 c1 90 ad b1 ba ae ba b7 f9 bb b6 b8 bb bb a7 f2 b3 b5 ef bc b8 a2}
        $a230 = { b2 8d 8d 90 c2 91 92 b0 b9 af bd b6 fa ba b9 b9 b8 ba a0 f3 b0 b4 f0 bd bb a3}
        $a231 = { b3 8e 8c 97 c3 92 93 8f b8 ac bc b1 fb b9 b8 b6 b9 b9 a1 f4 b1 b7 f1 a2 ba a0}
        $a232 = { bc 8f 8f 96 c4 93 90 8e 87 ad bf b0 fc b8 bb b7 b6 b8 a2 f5 b6 b6 f2 a3 a5 a1}
        $a233 = { bd 80 8e 95 c5 94 91 8d 86 92 be b3 fd bf ba b4 b7 b7 a3 f6 b7 b1 f3 a0 a4 be}
        $a234 = { be 81 81 94 c6 95 96 8c 85 93 81 b2 fe be bd b5 b4 b6 ac f7 b4 b0 f4 a1 a7 bf}
        $a235 = { bf 82 80 9b c7 96 97 8b 84 90 80 8d ff bd bc b2 b5 b5 ad f8 b5 b3 f5 a6 a6 bc}
        $a236 = { b8 83 83 9a c8 97 94 8a 83 91 83 8c c0 bc bf b3 b2 b4 ae f9 ba b2 f6 a7 a1 bd}
        $a237 = { b9 84 82 99 c9 98 95 89 82 96 82 8f c1 83 be b0 b3 b3 af fa bb bd f7 a4 a0 ba}
        $a238 = { ba 85 85 98 ca 99 9a 88 81 97 85 8e c2 82 81 b1 b0 b2 a8 fb b8 bc f8 a5 a3 bb}
        $a239 = { bb 86 84 9f cb 9a 9b 87 80 94 84 89 c3 81 80 8e b1 b1 a9 fc b9 bf f9 aa a2 b8}
        $a240 = { a4 87 87 9e cc 9b 98 86 8f 95 87 88 c4 80 83 8f 8e b0 aa fd be be fa ab ad b9}
        $a241 = { a5 98 86 9d cd 9c 99 85 8e 9a 86 8b c5 87 82 8c 8f 8f ab fe bf b9 fb a8 ac b6}
        $a242 = { a6 99 99 9c ce 9d 9e 84 8d 9b 89 8a c6 86 85 8d 8c 8e 94 ff bc b8 fc a9 af b7}
        $a243 = { a7 9a 98 83 cf 9e 9f 83 8c 98 88 85 c7 85 84 8a 8d 8d 95 c0 bd bb fd ae ae b4}
        $a244 = { a0 9b 9b 82 d0 9f 9c 82 8b 99 8b 84 c8 84 87 8b 8a 8c 96 c1 82 ba fe af a9 b5}
        $a245 = { a1 9c 9a 81 d1 80 9d 81 8a 9e 8a 87 c9 8b 86 88 8b 8b 97 c2 83 85 ff ac a8 b2}
        $a246 = { a2 9d 9d 80 d2 81 82 80 89 9f 8d 86 ca 8a 89 89 88 8a 90 c3 80 84 c0 ad ab b3}
        $a247 = { a3 9e 9c 87 d3 82 83 9f 88 9c 8c 81 cb 89 88 86 89 89 91 c4 81 87 c1 92 aa b0}
        $a248 = { ac 9f 9f 86 d4 83 80 9e 97 9d 8f 80 cc 88 8b 87 86 88 92 c5 86 86 c2 93 95 b1}
        $a249 = { ad 90 9e 85 d5 84 81 9d 96 82 8e 83 cd 8f 8a 84 87 87 93 c6 87 81 c3 90 94 8e}
        $a250 = { ae 91 91 84 d6 85 86 9c 95 83 91 82 ce 8e 8d 85 84 86 9c c7 84 80 c4 91 97 8f}
        $a251 = { af 92 90 8b d7 86 87 9b 94 80 90 9d cf 8d 8c 82 85 85 9d c8 85 83 c5 96 96 8c}
        $a252 = { a8 93 93 8a d8 87 84 9a 93 81 93 9c d0 8c 8f 83 82 84 9e c9 8a 82 c6 97 91 8d}
        $a253 = { a9 94 92 89 d9 88 85 99 92 86 92 9f d1 93 8e 80 83 83 9f ca 8b 8d c7 94 90 8a}
        $a254 = { aa 95 95 88 da 89 8a 98 91 87 95 9e d2 92 91 81 80 82 98 cb 88 8c c8 95 93 8b}
        $a255 = { ab 96 94 8f db 8a 8b 97 90 84 94 99 d3 91 90 9e 81 81 99 cc 89 8f c9 9a 92 88}
    condition:
        any of them
}




rule XOR_embeded_exefile_xored_with_round_256_bytes_key
//Yara Exchange: Distribution and sharing prohibited without author's consent. Contact: yara@deependresearch.org
{
    meta:
        author = "villys777@gmail.com"
        description = "executable encoded with increment or decremented one byte xor key"
        decription = "extension PDF,XLS,DOC,PPT"
        source = "Yara Exchange"
        date = "2012-07"
        byte_encode = true
    strings:
        $inc = {00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17}
        $dec = {17 16 15 14 13 12 11 10 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01 00 ff fe fd fc fb fa f9 f8 f7 f6 f5 f4 f3 f2 f1 f0 ef ee ed ec eb ea e9 e8 e7 e6 e5 e4 e3 e2 e1 e0 df de dd dc db da d9 d8 d7 d6 d5 d4 d3 d2 d1 d0 cf ce cd cc cb ca c9 c8 c7 c6 c5 c4 c3 c2 c1 c0 bf be bd bc bb ba b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 af ae ad ac ab aa a9 a8 a7 a6 a5 a4 a3 a2 a1 a0 9f 9e 9d 9c 9b 9a 99 98 97 96 95 94 93 92 91 90 8f 8e 8d 8c 8b 8a 89 88 87 86 85 84 83 82 81 80 7f 7e 7d 7c 7b 7a 79 78 77 76 75 74 73 72 71 70 6f 6e 6d 6c 6b 6a 69 68 67 66 65 64 63 62 61 60 5f 5e 5d 5c 5b 5a 59 58 57 56 55 54 53 52 51 50 4f 4e 4d 4c 4b 4a 49 48 47 46 45 44 43 42 41 40 3f 3e 3d 3c 3b 3a 39 38 37 36 35 34 33 32 31 30 2f 2e 2d 2c 2b 2a 29 28 27 26 25 24 23 22 21 20 1f 1e 1d 1c 1b 1a 19 18 17 16 15 14 13 12 11 10 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01 00}
    condition:
        $inc or $dec
}

rule KERNEL32_dll_xor_exe_key_239
{
    meta:
        author = "sconzo@visiblerisk.com"
        description = "xor encoded executable"
        string = "KERNEL32.dll"
        key = "239"
        byte_encode = true

    strings:
        $a = { a4 aa bd a1 aa a3 dc dd c1 8b 83 83 }
    condition:
        $a
}

rule kernel32_dll_xor_exe_key_167
{
    meta:
        author = "sconzo@visiblerisk.com"
        description = "xor encoded executable"
        string = "kernel32.dll"
        key = "167"
        byte_encode = true

    strings:
        $a = { cc c2 d5 c9 c2 cb 94 95 89 c3 cb cb }
    condition:
        $a
}

rule xor_0xa7_kernel32_dll {strings: $a={ cc c2 d5 c9 c2 cb 94 95 89 c3 cb cb } condition: $a }

rule xor_0xa7_This_program {strings: $a={ f3 cf ce d4 87 d7 d5 c8 c0 d5 c6 ca } condition: $a }


rule pdf_document
{
    strings:
        $a = "%PDF-"
    condition:
        $a at 0
}


rule dyndns_ath_ro { strings: $a = "ath.ro" condition: $a }



--------------------------------------------------------------------------------
/yara/ekanalyzer.yar:
--------------------------------------------------------------------------------
include "jsunpack.yar"
include "paranoid.yar"
include "yalih.yar"
include "ExploitPackTable_2014.yar"
--------------------------------------------------------------------------------
/yara/jsunpack.yar:
--------------------------------------------------------------------------------
/***
Yara Rules file for jsunpackn
http://jsunpack.jeek.org/
Blake Hartstein
blake[@]jeek.org
Feel free to send me new or custom rules!
If you want the most up to date rules, check http://jsunpack.jeek.org/dec/current_rules

Last updated 3/22/2010

Alert modifiers: (does not affect detection)
ref = CVE-NAME
impact = (between 0 - 10, 10 being most severe)
hide = (true|false), if hide=true, don't pass detected strings to program
use this if the rule name captures everything of value, or you just don't care about the data


Detection modifiers:
decodedPDF = rules that only alert if decoding within a PDF file
decodedOnly = rules that only alert if decoding level > 0 (ie. a decoding and not the original file)

(add your own) I will support them (maybe not) ;)
*/

rule Utilprintf: decodedPDF
{
    meta:
        ref = "CVE-2008-2992"
        hide = true
    strings:
        $cve20082992 = "util.printf" nocase fullword
    condition:
        1 of them
}
rule SpellcustomDictionaryOpen: decodedPDF
{
    meta:
        ref = "CVE-2009-1493"
        hide = true
    strings:
        $cve20091493 = "spell.customDictionaryOpen" nocase fullword
    condition:
        1 of them
}
rule printSeps: decodedPDF
{
    meta:
        ref = "CVE-2010-4091"
        hide = true
    strings:
        $cve20104091_1 = "doc.printSeps"
        $cve20104091_2 = "this.printSeps"
    condition:
        1 of them
}
/*

//This rule is not strong enough, handled by detecting createElement x 100 in pre.js now
rule MSIEUseAfterFree: decodedOnly
{
    meta:
        ref = "CVE-2010-0249"
        hide = true
        impact = 5
    strings:
        $cve20100249_1 = "createEventObject" nocase fullword
        $cve20100249_2 = "getElementById" nocase fullword
        $cve20100249_3 = "onload" nocase fullword
        $cve20100249_4 = "srcElement" nocase fullword
    condition:
        all of them
}
*/
rule getAnnots: decodedPDF
{
    meta:
        impact = 3 //Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}
rule mediaNewplayer: decodedPDF
{
    meta:
        ref = "CVE-2009-4324"
        hide = true
    strings:
        $cve20094324 = "media.newPlayer" nocase fullword
    condition:
        1 of them
}
rule collectEmailInfo: decodedPDF
{
    meta:
        ref = "CVE-2007-5659"
        hide = true
    strings:
        $cve20075659 = "collab.collectEmailInfo" nocase fullword
    condition:
        1 of them
}
rule CollabgetIcon: decodedPDF
{
    meta:
        ref = "CVE-2009-0927"
        hide = true
    strings:
        $cve20090927 = "collab.getIcon" nocase fullword
    condition:
        1 of them
}
rule PDFobfuscation: decodedPDF
{
    meta:
        impact = 5
    strings:
        $cveNOMATCH = "collab[" nocase //hidden collab string
    condition:
        1 of them
}
rule UnconfirmedPDFexploit: decodedPDF
{
    meta:
        impact = 0
        //unconfirmed exploitation
    strings:
        $cve20084813 = "getCosObj" nocase fullword
        $cve20082042 = "app.checkForUpdate" nocase fullword
        $cve20080726 = "printSepsWithParams" nocase fullword
        $cve20073902 = "setExpression" nocase fullword
        $cve20090773 = "ResizeSlots" nocase fullword
    condition:
        1 of them
}
rule DecodedGenericCLSID : decodedOnly
{
    meta:
        impact = 0
    strings:
        $gen = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase
        $a = "02d55ba8-adf8-4a31-a685-f2f8e1e9e63d" nocase
        $b = "9af45c85-b20b-4f64-8ecb-78eafca2fc53" nocase
        $c = "56bfcce4-6106-4bb0-be9c-12181cab7f4b" nocase
        $d = "e61eea32-6d31-4dc4-9842-b7f83d9edb5f" nocase
        $e = "D27CDB6E-AE6D-11cf-96B8-444553540000" nocase
    condition:
        1 of them
}
rule MSOfficeSnapshotViewer
{
    meta:
        ref = "CVE-2008-2463"
        impact = 7
    strings:
        $cve20082463 = /(F0E42D50|F0E42D60|F2175210)-368C-11D0-AD81-00A0C90DC8D9/ nocase
    condition:
        1 of them
}
rule MSOfficeWebComponents
{ //Expect ActiveX with it, OWC10.Spreadsheet OWC11.Spreadsheet
    meta:
        ref = "CVE-2009-1136"
        impact = 7
    strings:
        $cve20091136_1 = "msDataSourceObject" nocase fullword
        $cve20091136_2 = "OWC10.Spreadsheet" nocase fullword
        $cve20091136_3 = "OWC11.Spreadsheet" nocase fullword
    condition:
        1 of them
}
rule COMObjectInstantiationMemoryCorruption
{
    meta:
        ref = "CVE-2005-2127"
        impact = 7
    strings:
        $cve20052127 = "EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F" nocase fullword
    condition:
        1 of them
}
/** rule MSXMLCoreServicesdd
{ //match with open(a,b,c,d,e)? or setRequestHeader?
    meta:
        ref = "CVE-2006-5745"
        impact = 7
    strings:
        $cve20065745 = "88d969c5-f192-11d4-a65f-0040963251e5" nocase fullword
    condition:
        1 of them
}*/
rule MSDirectShowCLSID
{
    meta:
        ref = "CVE-2008-0015"
        impact = 7
    strings:
        $cve20080015 = "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF" nocase fullword
    condition:
        1 of them
}
rule MSWindowsVMLElement
{
    meta:
        ref = "CVE-2007-0024"
        impact = 7
    strings:
        $cve20070024 = "10072CEC-8CC1-11D1-986E-00A0C955B42E"
    condition:
        1 of them
}
rule MSsetSlice
{
    meta:
        ref = "CVE-2006-3730"
        impact = 4
    strings:
        $cve20063730_1 = "setSlice" nocase fullword
        $cve20063730_2 = "WebViewFolderIcon.WebViewFolderIcon.1" nocase fullword
    condition:
        1 of them
}
rule ActiveXDataObjectsMDAC
{
    meta:
        impact = 0
    strings:
        $cve20060003_1 = "MSXML2.ServerXMLHTTP" nocase fullword
        $cve20060003_2 = "Microsoft.XMLHTTP" nocase fullword
    condition:
        1 of them
}
rule AOLSuperBuddyActiveX
{
    meta:
        ref = "CVE-2006-5820"
        impact = 7
    strings:
        $cve20065820 = "Sb.SuperBuddy.1" nocase fullword
    condition:
        1 of them
}
rule Alert
{
    strings:
        $alert = /\/\/alert CVE-.+/
    condition:
        1 of them
}
rule Warning
{
    meta:
        impact = 5
    strings:
        $alert = /\/\/warning CVE-.+/
    condition:
        1 of them
}
rule DecodedMsg
{
    meta:
        impact = 0
    strings:
        $activex = /\/\/info\.ActiveXObject (.*)/
        $shellcode = /\/\/shellcode len .{150,}/ //150 is %u1234 (6 characters) X (25)
        //jsunpack\..*
    condition:
        1 of them
}
/*
rule DecodedIframe: decodedOnly
{
    meta:
        impact = 0
        hide = true
    strings:
        $iframe = "]
        //style=['"]display:none['"]>\s*
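The alert and detection modifiers described in the jsunpack.yar header are policy applied by the scanner around YARA, not YARA syntax; as an added example (not jsunpack's or ekanalyzer's code) the script below parses the rule tag and the `ref`/`impact`/`hide` meta out of rule text in that layout and applies the decodedPDF/decodedOnly and hide semantics as the header states them. `SAMPLE_RULES` is constructed here, and treating decodedPDF as "decoded data that came from a PDF" is my reading of the header.

```python
import re

# Constructed sample in the jsunpack.yar layout (not the file itself).
SAMPLE_RULES = """/* header comment: stripped before parsing, like the file's commented-out rules */
rule getAnnots: decodedPDF
{
    meta:
        impact = 3 //Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}
"""

def parse_rules(text):
    """Name, tag and ref/impact/hide meta per rule; /* */ blocks are dropped first."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    rules, cur, in_meta = [], None, False
    for line in text.splitlines():
        s = line.split("//")[0].strip()          # drop trailing // comments
        m = re.match(r"rule\s+(\w+)\s*(?::\s*(\w+))?", s)
        if m:
            cur = {"name": m.group(1), "tag": m.group(2),
                   "ref": None, "impact": None, "hide": False}
            rules.append(cur)
            in_meta = False
        elif s in ("meta:", "strings:", "condition:"):
            in_meta = s == "meta:"
        elif in_meta and cur and "=" in s:
            k, v = (p.strip() for p in s.split("=", 1))
            if k in ("ref", "impact", "hide"):
                cur[k] = {"impact": int, "hide": "true".__eq__}.get(k, str)(v.strip('"'))
    return rules

def should_alert(rule, decoding_level, from_pdf):
    """Detection modifiers: decodedOnly needs decoding level > 0; decodedPDF
    needs decoded data that came from inside a PDF (my reading of the header)."""
    if rule["tag"] == "decodedOnly":
        return decoding_level > 0
    if rule["tag"] == "decodedPDF":
        return decoding_level > 0 and from_pdf
    return True

def alert_record(rule, matched_strings):
    """Alert modifiers: ref/impact pass through; hide=true withholds the strings."""
    return {"rule": rule["name"], "ref": rule["ref"], "impact": rule["impact"],
            "strings": [] if rule["hide"] else list(matched_strings)}
```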
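As an added illustration (not ekanalyzer's or the rule authors' code) of the XOR rules in the file above: the fixed-key rules' hex strings are the plaintext XORed with one byte (`kernel32.dll` under 167, `KERNEL32.dll` under 239), the `$a215`..`$a255` strings are `This program cannot be run` under a key that starts at the string's number and decrements by one per byte, and `$inc`/`$dec` are what a 280-byte run of zero bytes becomes under an incrementing or decrementing key. The script below derives those patterns and scans a buffer for the same encodings under any start key; `SAMPLE` and the function names are constructed for this example.

```python
"""Derive and hunt for the single-byte-XOR patterns used in the rules above."""

def xor_encode(plain: bytes, start_key: int, step: int = 0) -> bytes:
    """XOR byte i of `plain` with key (start_key + i*step) mod 256.
    step=0 is a fixed key (kernel32_dll_xor_exe_key_167 etc.), step=+1 an
    incrementing key, step=-1 a decrementing key (the $aNNN strings)."""
    return bytes(b ^ ((start_key + i * step) & 0xFF) for i, b in enumerate(plain))

def yara_hex(data: bytes) -> str:
    """Render bytes in YARA hex-string syntax, e.g. '{ cc c2 d5 ... }'."""
    return "{ " + " ".join(f"{b:02x}" for b in data) + " }"

def find_xor_encoded(buf: bytes, plain: bytes, step: int = 0) -> list:
    """Scan `buf` for `plain` encoded under ANY start key with the given step.
    The candidate key is recovered from the first byte and then verified over
    the whole string, so each hit is (offset, start_key) and a false positive
    would need the entire plaintext to line up. Covers keys the rules above
    do not enumerate."""
    hits = []
    n = len(plain)
    for off in range(len(buf) - n + 1):
        key = buf[off] ^ plain[0]
        if buf[off:off + n] == xor_encode(plain, key, step):
            hits.append((off, key))
    return hits

# Constructed sample blob: "kernel32.dll" under fixed key 0xa7, then the DOS-stub
# text under a key decrementing from 215 (the bytes of the page's $a215 string).
SAMPLE = (b"\x90" * 7 + xor_encode(b"kernel32.dll", 0xA7)
          + b"\x00" * 3 + xor_encode(b"This program cannot be run", 215, -1))

if __name__ == "__main__":
    print(yara_hex(xor_encode(b"kernel32.dll", 0xA7)))            # the key-167 rule's $a
    print(find_xor_encoded(SAMPLE, b"kernel32.dll"))               # [(7, 167)]
    print(find_xor_encoded(SAMPLE, b"This program cannot be run", -1))  # [(22, 215)]
```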