
MalSilo 2.0

January 27, 2020

The system upgrade took much longer than expected … but MalSilo 2.0 is here!

Under the hood

Not counting what was changed in the background, here is what is interesting to you.

Feed root keys

count: int
version: string
timestamp: string
data: list
threats: list

Below is an example of a single entry stored under the data field. The long `type`, `sha512` and `ssdeep` strings are wrapped with a trailing backslash for readability only; as printed, the sample is not strictly valid JSON, so do not paste it into a parser as-is.

{
    "tags": [
    "peexe32",
    "pegui"
    ],
    "first_seen": "2020-01-13",
    "last_seen": "2020-01-13",
    "file": {
    "type": "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft \
            Installer self-extracting archive",
    "hashes": {
        "md5": "e3f16bb0e7467f947c166f98f20481c0",
        "sha1": "ad3cfe4a5dcf01c57e9836bea1f3e15a1a1fe047",
        "sha256": "5359d9f7a19a71166ddb9a8ad2e984bb565840f4537b6eeea03783ddb755e831",
        "sha512": "27dfbbdb959f0c9800b949d5cdc25a85bf3ee97f70a8846d5138f463e1cb39bf\
                    845dbfb3ee9d63dd54659fc612d44ccfd7685dbd4dea733bba5f6648cf78b062",
        "ssdeep": "6144:pY8ipnMhl6OgKxJSq53a1mvfoAEWx2IOFksR8UnQhMpZXHoE0PgQ0P58dts\
                        JGJx:JynMzXfSq53lQpUs+UQhuXHYYbyLK8x"
    },
    "mitre_attack": [
        {
        "T1005": "data from local system"
        },          
        {
        "T1003": "credential dumping"
        },
        {
        "T1081": "credentials in files"
        },
        {
        "T1500": "compile after delivery"
        },
        {
        "T1057": "process discovery"
        },
        {
        "T1012": "query registry"
        },
        {
        "T1129": "execution through module load"
        },
        {
        "T1060": "registry run keys / startup folder"
        }
    ],
    "threat": "nanocore"
    },
    "drop_sites": [
    "https://kigegypt.com/lee.exe"
    ],
    "network_traffic": {
    "dns": [
        "ftp.weijiaautos.com"
    ]
    }
}

# Firstseen,Lastseen,url,threat,tags
"2020-01-13","2020-01-13","http://khaliddib398.xyz/index.php","banload","pegui,peexe32"
"2020-01-19","2020-01-19","http://cdn.vy68.com/api/filegoto/yyl88888","azorult","pegui,peexe32"
"2020-01-14","2020-01-14","http://roiboypo.ru/favicon.ico","ursnif","pedll"
# Firstseen,Lastseen,ipv4:port,threat,tags
"2020-01-21","2020-01-21","72.29.55.174:80","emotet","pegui,peexe32"
"2020-01-14","2020-01-14","167.172.242.69:54984","nanocore","pegui,peexe32,assembly"
"2020-01-24","2020-01-24","18.194.53.214:80","keylogger","pegui,peexe32"
"2020-01-25","2020-01-25","45.136.111.47:80","spyeye","pegui,peexe32"
# Firstseen,Lastseen,domain,threat,tags
"2020-01-22","2020-01-22","mecharnise.ir","riskware","pegui,peexe32"
"2020-01-22","2020-01-22","maxcoopar5.ddns.net","azorult","pegui,peexe32"
"2020-01-23","2020-01-23","deliciasdvally.com.pe","lokibot","pegui,peexe32"
"2020-01-21","2020-01-21","drrobertepstein.com","maldoc","doc"
