ESET Online Help


CC feed

This feed is a subset of a botnet feed and provides information about links of Command and Control (CnC) servers and associated data. Thus the name CC feed.

ei.cc

Below is a description of some attributes of the ei.cc feed.

Used by—The family name of the attacking botnet. This field has the same value as the "target" field in ei.target (Win32/Dorkbot.H worm).

Last alive—The timestamp of when ESET was last able to communicate with the server (2015-12-03 13:17:31).

URIobj—The link to the CnC server. This value may also be a Tor (.onion) link (http://t7yz3cihrrzalznq.onion/assets).

Protocols—The protocols used by URIobj:

- Layer4_Protocol (TCP)

- Layer7_Protocol (http)

IP_Address—The IP address of the CnC server (204.95.99.243).

Hostname—The hostname of the CnC server. This name is not always the same as the link (n.lbxfqfcxj.ru).

Port_value—The port number on which the CnC server communicates (443).

JSON

Below is a snippet of an ei.cc feed in JSON format.

{
 "cnc": "http://62.30.7.67:443",
 "domain_count": 16584,
 "domain_first_seen": "2019-09-28 23:00:00 UTC",
 "domain_last_seen": "2020-10-26 11:51:04 UTC",
 "host": "62.30.7.67",
 "ip": "62.30.7.67",
 "last_alive": "2020-10-26 10:37:15 UTC",
 "port": 443,
 "prot_l4": "TCP",
 "prot_l7": "http",
 "state": null,
 "threat": "Win32/Emotet.CI trojan",
 "valid_to": "2020-10-28 12:00:14 UTC"
}

STIX 2.0

Below is a snippet of an ei.cc feed in STIX 2.0 format.

{
 "type": "indicator",
 "id": "indicator--8425fc2b-adc6-4e71-a2b5-7a469dd1b2e0",
 "created": "2020-10-26T12:00:14.000Z",
 "modified": "2020-10-26T12:00:14.000Z",
 "name": "Not blocked",
 "description": "C&C of Win32/Emotet.CI trojan",
 "pattern": "[url:value='http://62.30.7.67:443']",
 "valid_from": "2020-10-26T12:00:14Z",
 "valid_until": "2020-10-28T12:00:14Z",
 "labels": [
  "malicious-activity"
 ]
}

The following types of STIX domain objects are available for the cc feed:

Indicator—The link to the CnC server that should be blocked

Malware—Information about the malware that communicates with the CnC server through the given link

Observed data—Additional information about the domain on which the CnC link is hosted

Relationship—Links the Indicator, Malware and Observed data objects to each other (see the stix_relationships_cc_feed diagram).
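To show how the two formats line up, here is an added example (not ESET's code) that converts a single ei.cc JSON record, constructed from the snippet above, into a STIX 2.0 Indicator with the same fields as the STIX snippet, and checks the record's valid_to window before it is enforced. The `created` time of the Indicator is supplied by the caller, since the JSON record carries no such field, and the URL is escaped as a STIX pattern string literal.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample record, copied from the JSON snippet on this page.
CC_RECORD = json.loads("""
{
  "cnc": "http://62.30.7.67:443",
  "host": "62.30.7.67",
  "ip": "62.30.7.67",
  "last_alive": "2020-10-26 10:37:15 UTC",
  "port": 443,
  "prot_l4": "TCP",
  "prot_l7": "http",
  "state": null,
  "threat": "Win32/Emotet.CI trojan",
  "valid_to": "2020-10-28 12:00:14 UTC"
}
""")

def parse_feed_time(value):
    """Parse the feed's 'YYYY-MM-DD HH:MM:SS UTC' timestamps into an aware datetime."""
    if not value.endswith(" UTC"):
        raise ValueError("unexpected timestamp format: %r" % value)
    naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def stix_time(dt):
    """STIX 2.0 timestamps are RFC 3339 in UTC with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def stix_string_literal(text):
    """Escape backslashes and single quotes for a single-quoted STIX pattern literal."""
    return text.replace("\\", "\\\\").replace("'", "\\'")

def is_active(record, now):
    """Only enforce (block) the CnC link while the record is within its valid_to window."""
    return now <= parse_feed_time(record["valid_to"])

def to_stix_indicator(record, created, indicator_id=None):
    """Build a STIX 2.0 Indicator dict from an ei.cc JSON record (hypothetical mapping)."""
    return {
        "type": "indicator",
        "id": indicator_id or "indicator--" + str(uuid.uuid4()),
        "created": stix_time(created),
        "modified": stix_time(created),
        "description": "C&C of " + record["threat"],
        "pattern": "[url:value='%s']" % stix_string_literal(record["cnc"]),
        "valid_from": stix_time(created),
        "valid_until": stix_time(parse_feed_time(record["valid_to"])),
        "labels": ["malicious-activity"],
    }
```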