ESET Online Help


Target feed

This feed is a subset of a botnet feed and provides information about the targets.

ei.target

Below is a description of some attributes of the ei.target feed.

Target—The targeted link string that the botnet is attacking (for example, *paypal.*/webscr?cmd=_login-submit*).

Targeted by—The family name of the attacking botnet. This field has the same value as in ei.botnet and ei.cc (for example, Win32/Dorkbot.B worm).

JSON

Below is a snippet of an ei.target feed in JSON format.


{
 "cnc": "http://81.215.230.173:443",
 "domain_count": 5524,
 "domain_first_seen": "2020-10-16 12:10:42 UTC",
 "domain_last_seen": "2020-10-26 12:55:19 UTC",
 "host": "81.215.230.173",
 "ip": "81.215.230.173",
 "last_alive": "2020-10-26 03:52:54 UTC",
 "port": 443,
 "prot_l4": "TCP",
 "prot_l7": "http",
 "state": null,
 "threat": "Win32/Emotet.CI trojan",
 "valid_to": "2020-10-28 13:11:06 UTC"
}

STIX 2.0

Below is a snippet of an ei.target feed in STIX 2.0 format.


{
 "type": "identity",
 "id": "identity--1982c472-79dc-41a3-a43e-1a756f9c7b64",
 "created": "2020-10-26T12:56:07.577Z",
 "modified": "2020-10-26T12:56:07.577Z",
 "name": "https://www24.bmo.com/onlinebanking/*",
 "identity_class": "unknown"
},
{
 "type": "malware",
 "id": "malware--0fe7e8a7-5302-468a-975d-7872599d629e",
 "created": "2020-10-26T12:56:07.000Z",
 "modified": "2020-10-26T12:56:07.000Z",
 "name": "Win32/Qbot.CO trojan",
 "labels": [
  "bot"
 ]
},
{
 "type": "relationship",
 "id": "relationship--0dd64678-3d06-4415-9a1c-82535320398e",
 "created": "2020-10-26T12:56:07.577Z",
 "modified": "2020-10-26T12:56:07.577Z",
 "relationship_type": "targets",
 "source_ref": "malware--0fe7e8a7-5302-468a-975d-7872599d629e",
 "target_ref": "identity--1982c472-79dc-41a3-a43e-1a756f9c7b64"
}

The following types of STIX domain objects are available for the target feed:

Malware - The detection name of the malware targeting the identity

Identity - The name of the target, usually in the form of a link string, human-readable company name, or process name

Relationship:

[Figure: STIX relationships in the target feed]
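
The following added example (not part of ESET's documentation or code) resolves the "targets" relationships from the STIX 2.0 snippet above into malware/target pairs and checks URLs, such as those taken from a proxy log, against the target link strings. It assumes the objects arrive as a list and that "*" is the only wildcard in a link string; the function names are hypothetical.

```python
import re

# Objects copied from the STIX 2.0 snippet above, trimmed to the fields used
# here and wrapped in a list (the list wrapper is an assumption).
SAMPLE_OBJECTS = [
    {"type": "identity",
     "id": "identity--1982c472-79dc-41a3-a43e-1a756f9c7b64",
     "name": "https://www24.bmo.com/onlinebanking/*"},
    {"type": "malware",
     "id": "malware--0fe7e8a7-5302-468a-975d-7872599d629e",
     "name": "Win32/Qbot.CO trojan", "labels": ["bot"]},
    {"type": "relationship",
     "id": "relationship--0dd64678-3d06-4415-9a1c-82535320398e",
     "relationship_type": "targets",
     "source_ref": "malware--0fe7e8a7-5302-468a-975d-7872599d629e",
     "target_ref": "identity--1982c472-79dc-41a3-a43e-1a756f9c7b64"},
]


def resolve_targets(objects):
    """Return (malware name, target string) pairs from 'targets' relationships."""
    by_id = {o["id"]: o for o in objects if "id" in o}
    pairs = []
    for rel in objects:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "targets":
            continue
        src, dst = by_id.get(rel.get("source_ref")), by_id.get(rel.get("target_ref"))
        # Skip relationships whose endpoints are missing or of an unexpected type.
        if not src or not dst or src.get("type") != "malware" or dst.get("type") != "identity":
            continue
        pairs.append((src["name"], dst["name"]))
    return pairs


def target_to_regex(target):
    """Compile a link string, treating '*' as the only wildcard (assumption)."""
    # '?' and '.' are escaped, so a URL query separator is matched literally.
    parts = (re.escape(p) for p in target.split("*"))
    return re.compile(".*".join(parts))


def threats_targeting(url, pairs):
    """Return the sorted malware names whose target string matches the URL."""
    return sorted({m for m, t in pairs if target_to_regex(t).fullmatch(url)})
```

Glob helpers such as fnmatch would treat the "?" in a link string like *paypal.*/webscr?cmd=_login-submit* as a single-character wildcard, which is why the pattern is converted by hand here.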