Botnet - Target feed
This feed is a subset of a Botnet feed and provides information about the targets.
ei.target
Below is a description of some attributes of the ei.target feed.
•Target—The targeted link string that the botnet is attacking (*paypal.*/webscr?cmd=_login-submit*).
•Targeted by—The family name of the attacking botnet. This field has the same value as ei.botnet and ei.cc (Win32/Dorkbot.B worm).
JSON
Below is a snippet of an ei.target feed in JSON format.
{ "cnc": "http://81.215.230.173:443", "domain_count": 5524, "domain_first_seen": "2020-10-16 12:10:42 UTC", "domain_last_seen": "2020-10-26 12:55:19 UTC", "host": "81.215.230.173", "ip": "81.215.230.173", "last_alive": "2020-10-26 03:52:54 UTC", "port": 443, "prot_l4": "TCP", "prot_l7": "http", "state": null, "threat": "Win32/Emotet.CI trojan", "valid_to": "2020-10-28 13:11:06 UTC" } |
STIX 2.0
Below is a snippet of an ei.target feed in STIX 2.0 format.
{ "type": "identity", "id": "identity--1982c472-79dc-41a3-a43e-1a756f9c7b64", "created": "2020-10-26T12:56:07.577Z", "modified": "2020-10-26T12:56:07.577Z", "name": "https://www24.bmo.com/onlinebanking/*", "identity_class": "unknown" }, { "type": "malware", "id": "malware--0fe7e8a7-5302-468a-975d-7872599d629e", "created": "2020-10-26T12:56:07.000Z", "modified": "2020-10-26T12:56:07.000Z", "name": "Win32/Qbot.CO trojan", "labels": [ "bot" ] }, { "type": "relationship", "id": "relationship--0dd64678-3d06-4415-9a1c-82535320398e", "created": "2020-10-26T12:56:07.577Z", "modified": "2020-10-26T12:56:07.577Z", "relationship_type": "targets", "source_ref": "malware--0fe7e8a7-5302-468a-975d-7872599d629e", "target_ref": "identity--1982c472-79dc-41a3-a43e-1a756f9c7b64" } |
The following types of STIX domain objects are available for the target feed:
•Malware—The detection name of the malware targeting the identity
•Identity—The name of the target, usually in the form of a link string, human-readable company name, or process name
•Relationship
