Botnet - C&C feed
This feed is a subset of the Botnet feed and provides the URLs of Command and Control (C&C) servers together with associated data (the malware family using them, when they were last reachable, and the IP address, hostname and port behind the URL).
ei.cc
Below is a description of some attributes of the ei.cc feed.
•Used by—The family name of the botnet that uses the C&C server. This field has the same value as the "target" field in ei.target (for example, Win32/Dorkbot.H worm).
•Last alive—The timestamp of when ESET was last able to communicate with the server (for example, 2015-12-03 13:17:31).
•URIobj—The URL of the C&C server. This value might also be a Tor (.onion) link, which has no routable IP address to block (for example, http://t7yz3cihrrzalznq.onion/assets).
•Protocols—The protocols used to reach URIobj:
oLayer4_Protocol (for example, TCP)
oLayer7_Protocol (for example, http)
•IP_Address—The IP address of the C&C server (for example, 204.95.99.243).
•Hostname—The hostname of the C&C server. This is not always the same as the host in the URL, so block both (for example, n.lbxfqfcxj.ru).
•Port_value—The port on which the C&C server is contacted (for example, 443).
In the JSON export these attributes appear under shorter keys: threat, last_alive, cnc, prot_l4 and prot_l7, ip, host and port. Each record also carries a valid_to timestamp after which the indicator should no longer be treated as current.
JSON
Below is a snippet of an ei.cc feed in JSON format.
{
  "cnc": "http://62.30.7.67:443",
  "domain_count": 16584,
  "domain_first_seen": "2019-09-28 23:00:00 UTC",
  "domain_last_seen": "2020-10-26 11:51:04 UTC",
  "host": "62.30.7.67",
  "ip": "62.30.7.67",
  "last_alive": "2020-10-26 10:37:15 UTC",
  "port": 443,
  "prot_l4": "TCP",
  "prot_l7": "http",
  "state": null,
  "threat": "Win32/Emotet.CI trojan",
  "valid_to": "2020-10-28 12:00:14 UTC"
}
STIX 2.0
Below is a snippet of an ei.cc feed in STIX 2.0 format.
{
  "type": "indicator",
  "id": "indicator--8425fc2b-adc6-4e71-a2b5-7a469dd1b2e0",
  "created": "2020-10-26T12:00:14.000Z",
  "modified": "2020-10-26T12:00:14.000Z",
  "name": "Not blocked",
  "description": "C&C of Win32/Emotet.CI trojan",
  "pattern": "[url:value='http://62.30.7.67:443']",
  "valid_from": "2020-10-26T12:00:14Z",
  "valid_until": "2020-10-28T12:00:14Z",
  "labels": [
    "malicious-activity"
  ]
}
The following STIX objects are available in the cc feed:
•Indicator—The C&C URL that should be blocked, expressed as a url:value pattern
•Malware—Information about the malware that communicates with the C&C server through the given URL
•Observed data—Additional information about the domain on which the C&C URL is hosted
•Relationship—Links the objects above to each other (for example, the Indicator to the Malware it indicates)
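The following is an added example, not ESET's code, of how a consumer would process the JSON and STIX 2.0 material above: it parses ei.cc JSON records, drops entries whose valid_to has passed, matches an observed URL against the feed by hostname or by IP address and port (covering the case where the Hostname differs from the host in the URL), and builds a STIX 2.0 Indicator of the shape shown in the STIX snippet. It uses only the Python standard library. The sample feed is constructed from the values on this page (the Emotet record plus a Dorkbot record assembled from the attribute examples), the clock is fixed, and the deterministic indicator id derived from the C&C URL is an assumption about how ids could be generated, not how ESET generates them.

```python
"""Consume ei.cc (Botnet - C&C) JSON records, keep the ones still valid, match
observed URLs against them and emit STIX 2.0 Indicators shaped like the one on
this page.  Added example (stdlib only), not ESET's own code: field names follow
the page's JSON snippet, the sample feed is constructed from the page's values,
the clock is fixed and the id derivation is an assumption."""
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample feed: the Emotet record from this page plus a Dorkbot
# record assembled from the attribute examples (a Tor URL whose host differs
# from the Hostname field, as the attribute description warns).
SAMPLE_FEED = json.dumps([
    {"cnc": "http://62.30.7.67:443", "domain_count": 16584,
     "domain_first_seen": "2019-09-28 23:00:00 UTC",
     "domain_last_seen": "2020-10-26 11:51:04 UTC",
     "host": "62.30.7.67", "ip": "62.30.7.67",
     "last_alive": "2020-10-26 10:37:15 UTC", "port": 443,
     "prot_l4": "TCP", "prot_l7": "http", "state": None,
     "threat": "Win32/Emotet.CI trojan", "valid_to": "2020-10-28 12:00:14 UTC"},
    {"cnc": "http://t7yz3cihrrzalznq.onion/assets", "domain_count": 1,
     "domain_first_seen": "2015-12-01 00:00:00 UTC",
     "domain_last_seen": "2015-12-03 13:17:31 UTC",
     "host": "n.lbxfqfcxj.ru", "ip": "204.95.99.243",
     "last_alive": "2015-12-03 13:17:31 UTC", "port": 443,
     "prot_l4": "TCP", "prot_l7": "http", "state": None,
     "threat": "Win32/Dorkbot.H worm", "valid_to": "2015-12-05 13:17:31 UTC"},
])

FEED_TS = "%Y-%m-%d %H:%M:%S UTC"   # timestamp format used by the feed
# Assumption: indicator ids are derived deterministically from the C&C URL so
# that re-exporting the same record yields the same id.
ID_NAMESPACE = uuid.NAMESPACE_URL

def parse_ts(value):
    """Feed timestamp ('2020-10-28 12:00:14 UTC') -> aware UTC datetime."""
    return datetime.strptime(value, FEED_TS).replace(tzinfo=timezone.utc)

def load_records(raw, now):
    """Parse the feed and drop records whose valid_to has already passed."""
    return [r for r in json.loads(raw) if parse_ts(r["valid_to"]) > now]

def blocking_indicators(rec):
    """Everything a defender may block for one record: the URL, the host in
    the URL and the feed's Hostname (they can differ), and IP plus port."""
    url_host = urlsplit(rec["cnc"]).hostname or ""
    return {
        "url": rec["cnc"],
        "hosts": sorted({url_host, rec["host"]} - {""}),
        "ip": rec["ip"],
        "port": rec["port"],
        "tor": url_host.endswith(".onion"),   # hidden service: no IP to block
    }

def match_url(records, observed):
    """Threat names whose C&C matches an observed URL (e.g. from a proxy log)
    by hostname, or by IP address together with the destination port."""
    parts = urlsplit(observed)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    hits = []
    for rec in records:
        ind = blocking_indicators(rec)
        if host in ind["hosts"] or (host == ind["ip"] and port == ind["port"]):
            hits.append(rec["threat"])
    return hits

def stix_escape(value):
    """Escape a string literal for a STIX pattern (backslash and single quote)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def stix_ts(dt):
    """Aware datetime -> STIX timestamp with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def to_stix_indicator(rec, created):
    """Build a STIX 2.0 Indicator like the one on this page; name is set to the
    threat here instead of the page's 'Not blocked'."""
    return {
        "type": "indicator",
        "id": "indicator--" + str(uuid.uuid5(ID_NAMESPACE, rec["cnc"])),
        "created": stix_ts(created),
        "modified": stix_ts(created),
        "name": rec["threat"],
        "description": "C&C of " + rec["threat"],
        "pattern": "[url:value='%s']" % stix_escape(rec["cnc"]),
        "valid_from": stix_ts(created),
        "valid_until": stix_ts(parse_ts(rec["valid_to"])),
        "labels": ["malicious-activity"],
    }

if __name__ == "__main__":
    now = datetime(2020, 10, 27, 0, 0, 0, tzinfo=timezone.utc)  # fixed clock
    live = load_records(SAMPLE_FEED, now)      # the 2015 Dorkbot record expires
    for rec in live:
        print(json.dumps(to_stix_indicator(rec, now), indent=2))
    print(match_url(live, "http://62.30.7.67:443/wp-content/"))
```

Two design points worth noting: the matcher checks both the host in the URL and the Hostname field, since the page states they can differ, and an entry whose URL is a .onion link is flagged rather than matched by IP, because there is no routable address to block for a Tor hidden service; the firewall rule for such an entry has to target the URL or the hostname instead.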