ESET Online Help


Botnet - C&C feed

This feed is a subset of the Botnet feed and provides information about links to Command and Control (C&C) servers and associated data.

ei.cc

Below is a description of some attributes of the ei.cc feed. Example values are given in parentheses.

Used by—The family name of the attacking Botnet. This field has the same value as the "target" field in ei.target (Win32/Dorkbot.H worm).

Last alive—The timestamp of when ESET was last able to communicate with the server (2015-12-03 13:17:31).

URIobj—The link to the CnC server. This value might also be a Tor (.onion) link (http://t7yz3cihrrzalznq.onion/assets).

Protocols—Protocols used by URIobj:

    Layer4_Protocol (TCP)

    Layer7_Protocol (http)

IP_Address—The IP address of the CnC server (204.95.99.243).

Hostname—The hostname of the CnC server. This name is not always the same as the host part of the link (n.lbxfqfcxj.ru).

Port_value—The port on which the CnC server communicates (443).

JSON

Below is a snippet of an ei.cc feed in JSON format.

STIX 2.0

Below is a snippet of an ei.cc feed in STIX 2.0 format.


The following types of STIX domain objects are available for the cc feed:

Indicator—The link to the CnC server that should be blocked

Malware—Information about the malware that communicates with the CnC server through the given link

Observed data—Additional information about the domain on which the CnC link is hosted

Relationship—Links between the objects above, as shown in the following figure:

[Figure: stix_relationships_cc_feed]
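The following is an added example, not code from the ESET feed or help page, showing how a consumer might turn one ei.cc record (attributes as documented above) into the four STIX 2.0 object types listed: an Indicator carrying the CnC link as a URL pattern, a Malware object for the botnet family in Used by, Observed data for the hostname and IP, and a Relationship tying the indicator to the malware. The sample record is constructed; the JSON key names (used_by, uriobj, port_value and so on) and the decision to treat Last alive as UTC are assumptions, since the page does not reproduce the real JSON snippet. Tor links are detected so the indicator can say so.

```python
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample ei.cc record. Key names mirror the documented attribute
# names; the real feed's JSON key spelling is an assumption here.
SAMPLE_RECORD = {
    "used_by": "Win32/Dorkbot.H worm",
    "last_alive": "2015-12-03 13:17:31",
    "uriobj": "http://n.lbxfqfcxj.ru/assets",
    "protocols": {"layer4_protocol": "TCP", "layer7_protocol": "http"},
    "ip_address": "204.95.99.243",
    "hostname": "n.lbxfqfcxj.ru",
    "port_value": 443,
}


def stix_id(obj_type):
    """STIX 2.0 identifier: '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_time(dt):
    """RFC 3339 UTC timestamp with millisecond precision and 'Z', as STIX 2.0 requires."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_last_alive(value):
    """Feed value has no zone ('YYYY-MM-DD HH:MM:SS'); treating it as UTC is an assumption."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_tor_link(uri):
    """True when the link points at a Tor hidden service (.onion host)."""
    host = urlparse(uri).hostname or ""
    return host.endswith(".onion")


def escape_pattern(value):
    """Escape a STIX pattern string literal (backslash and single quote)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def record_to_stix(rec, now=None):
    """Convert one ei.cc record into a STIX 2.0 bundle: indicator, malware, observed-data, relationship."""
    now = now or datetime.now(timezone.utc)
    ts = stix_time(now)
    last_alive = stix_time(parse_last_alive(rec["last_alive"]))

    indicator = {
        "type": "indicator", "id": stix_id("indicator"),
        "created": ts, "modified": ts,
        "labels": ["malicious-activity"],            # required in STIX 2.0
        "pattern": f"[url:value = '{escape_pattern(rec['uriobj'])}']",
        "valid_from": last_alive,                    # server was confirmed alive then
    }
    if is_tor_link(rec["uriobj"]):
        indicator["description"] = "CnC link is a Tor hidden service; block at the Tor client/proxy layer"

    malware = {
        "type": "malware", "id": stix_id("malware"),
        "created": ts, "modified": ts,
        "name": rec["used_by"],
        "labels": ["bot"],                           # required in STIX 2.0
    }

    # Cyber observables: hostname, plus the IP when present (an .onion host has no public IP)
    objects = {"0": {"type": "domain-name", "value": rec["hostname"]}}
    if rec.get("ip_address"):
        objects["0"]["resolves_to_refs"] = ["1"]
        objects["1"] = {"type": "ipv4-addr", "value": rec["ip_address"]}
    observed = {
        "type": "observed-data", "id": stix_id("observed-data"),
        "created": ts, "modified": ts,
        "first_observed": last_alive, "last_observed": last_alive,
        "number_observed": 1,
        "objects": objects,
    }

    relationship = {
        "type": "relationship", "id": stix_id("relationship"),
        "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": malware["id"],
    }

    return {
        "type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
        "objects": [indicator, malware, observed, relationship],
    }


if __name__ == "__main__":
    print(json.dumps(record_to_stix(SAMPLE_RECORD), indent=2))
```

The indicator pattern matches the full link, not just the host, because the Hostname attribute is documented as not always equal to the host in the link; the observed-data object is where the hostname and IP are kept for enrichment or separate blocking decisions.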