Malware Patrol CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 2.0.1 |
Compatible with ThreatQ Versions | >= 4.28.0 |
Support Tier | ThreatQ Supported |
Introduction
The Malware Patrol CDF for ThreatQ ingests threat intelligence data from several Malware Patrol feeds:
- Malware URLs (Sanitized)
- Command and Control Server Addresses (Sanitized)
- Malware Hashes
- Malicious IP Addresses
- Real Time DDoS Attacks
- Domains Generated via DGA
- Malware Patrol - Phishing
- Malware Patrol - Anti Mining
The integration ingests indicators and indicator attributes into the ThreatQ platform.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Username | Your Malware Patrol account username. |
Password | Your Malware Patrol account password. |
Domain | The domain name of the feeds hosting server (e.g. .malwarepatrol.net). |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Malware Patrol Malware URLs (Sanitized)
Gunzipped JSON Sample Response:
[
{
"malware_classification":"Trojan-Banker.Win32.Banker.etk",
"malware_SHA1":"7c9c5ed13022df06545be28b3193ee6baeb2e4b5",
"ASN":"12479",
"detection_timestamp":"20060119150041",
"AS_information":"UNI2-AS Uni2 Autonomous System",
"domain":"perso.wanadoo.es",
"malware_URL":"http://perso.wanadoo.es/selviba101",
"MBL_ID":"MBL#14021",
"malware_extension":"exe",
"malware_MD5":"fe516740fb2a7b7fe8411963fa5e0e57"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Normalization | Published Date | Examples | Notes |
---|---|---|---|---|---|---|
.[].malware_URL | indicator.value | URL | | .[].detection_timestamp | http://perso.wanadoo.es/selviba101 | |
.[].malware_SHA1 | indicator.value | SHA1 | | .[].detection_timestamp | 7c9c5ed13022df06545be28b3193ee6baeb2e4b5 | |
.[].malware_MD5 | indicator.value | MD5 | | .[].detection_timestamp | fe516740fb2a7b7fe8411963fa5e0e57 | |
.[].malware_classification | indicator.attribute | Malware Classification | | .[].detection_timestamp | Trojan-Banker.Win32.Banker.etk | |
.[].ASN | indicator.attribute | Classification | | .[].detection_timestamp | Trojan-Banker.Win32.Banker.etk | |
.[].MBL_ID | indicator.attribute | Classification | | .[].detection_timestamp | 12479 | See Above |
Malware Patrol Command and Control Server Addresses (Sanitized)
Gunzipped JSON Sample Response:
[
{
"C2_URL":"http://www.technlip.com/wp-includes/pomo/joe/cp.php",
"malware_family":"ZeuS",
"detection_timestamp":"2014-03-30 19:14:47"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Normalization | Published Date | Examples | Notes |
---|---|---|---|---|---|---|
.[].C2_URL | indicator.value | URL | | .[].detection_timestamp | http://www.technlip.com/wp-includes/pomo/joe/cp.php | If it's a URL |
.[].C2_URL | indicator.value | IP Address | | .[].detection_timestamp | http://190.128.29.1:8080/webalizer/opt/cp.php | If it's an IP Address |
.[].C2_URL | indicator.attribute | Scheme | | .[].detection_timestamp | tcp, udp, http or https | |
.[].C2_URL | indicator.attribute | Port | | .[].detection_timestamp | 8080 | If the format is url:port or ip:port |
.[].malware_family | indicator.attribute | Malware Family | | .[].detection_timestamp | ZeuS | |
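The C2 mapping above branches on the shape of `C2_URL` (URL vs. IP address, optional scheme, port only in the `url:port` / `ip:port` forms). The following is an added example, not ThreatQ's or Malware Patrol's code, that applies that mapping to constructed records; it assumes the bare IP becomes the indicator value for the IP Address case, that a value without `://` is the `ip:port` form, and that `detection_timestamp` is normalized to ISO 8601.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample records in the feed's shape (the first two mirror the
# table's examples; the third is a scheme-less ip:port form with a bad date).
SAMPLE_C2 = [
    {"C2_URL": "http://www.technlip.com/wp-includes/pomo/joe/cp.php",
     "malware_family": "ZeuS", "detection_timestamp": "2014-03-30 19:14:47"},
    {"C2_URL": "http://190.128.29.1:8080/webalizer/opt/cp.php",
     "malware_family": "ZeuS", "detection_timestamp": "2014-03-30 19:14:47"},
    {"C2_URL": "198.51.100.7:9001",
     "malware_family": "Example", "detection_timestamp": "not-a-date"},
]


def published_date(ts):
    """Normalize the feed's 'YYYY-MM-DD HH:MM:SS' string; None when malformed."""
    try:
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").isoformat()
    except (TypeError, ValueError):
        return None


def map_c2_record(rec):
    """Build one ThreatQ-style indicator dict from a C2 feed record."""
    raw = rec["C2_URL"]
    # Assumption: a value without '://' is the bare host:port form; prefixing
    # '//' lets urlsplit treat it as a network location instead of a path.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = parts.hostname or ""
    try:
        port = parts.port               # raises ValueError on a non-numeric port
    except ValueError:
        port = None
    try:
        ipaddress.ip_address(host)
        value, ind_type = host, "IP Address"   # assumption: bare IP is the value
    except ValueError:
        value, ind_type = raw, "URL"
    attrs = {"Malware Family": rec.get("malware_family"), "Scheme": parts.scheme}
    if port is not None:                # Port only for the url:port / ip:port forms
        attrs["Port"] = str(port)
    return {"value": value, "type": ind_type,
            "published_at": published_date(rec.get("detection_timestamp")),
            "attributes": {k: v for k, v in attrs.items() if v}}


def map_c2_feed(records):
    return [map_c2_record(r) for r in records]
```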
Malware Patrol Malware Hashes
Gunzipped JSON Sample Response:
[
{
"timestamp":"20060119150041",
"md5":"fe516740fb2a7b7fe8411963fa5e0e57",
"sha1":"7c9c5ed13022df06545be28b3193ee6baeb2e4b5",
"classification":"TrojanBanker.Win32.Banker.etk"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.[].md5 | indicator.value | MD5 | .[].timestamp | fe516740fb2a7b7fe8411963fa5e0e57 | |
.[].sha1 | indicator.value | SHA1 | .[].timestamp | 7c9c5ed13022df06545be28b3193ee6baeb2e4b5 | |
.[].classification | indicator.attribute | Malware Classification | .[].timestamp | TrojanBanker.Win32.Banker.etk | |
Malware Patrol Malicious IP Addresses
Gunzipped JSON Sample Response:
[
{
"MBL_ID": "MBL-M-11386919",
"IP_address": "122.226.188.6",
"type": "malware_url",
"classification": "Win32.210.Eldorado",
"detection_timestamp": "20180714231621"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.[].IP_Address | indicator.value | IP Address | .[].detection_timestamp | 122.226.188.6 | |
.[].MBL_ID | indicator.attribute | MBL ID | .[].detection_timestamp | MBL-M-11386919 | |
.[].classification | indicator.attribute | Malware Classification | .[].detection_timestamp | Win32.210.Eldorado | |
.[].type | indicator.attribute | Type | .[].detection_timestamp | malware_url | |
Malware Patrol Real Time DDoS Attacks
CSV Sample Response:
20181117034914,hpot,US-DC02,132.232.237.18,11211,N/A,Amplification/Reflection,3,3,2
20181116020037,hpot,US-DC02,197.219.208.66,11211,N/A,Amplification/Reflection,3,3,2
20181116170931,hpot,US-DC01,221.229.196.61,11211,N/A,Amplification/Reflection,3,3,2
20181116134950,hpot,US-DC02,66.240.205.221,1900,12,Amplification/Reflection,3,3,2
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Normalization | Published Date | Examples | Notes |
---|---|---|---|---|---|---|
1 (second token) | indicator.attribute | Source | | 0 (first token) | hpot | |
2 (third token) | indicator.attribute | Node | | 0 (first token) | US-DC02 | |
3 (fourth token) | indicator.value | IP Address | | 0 (first token) | 132.232.237.18 | |
4 (fifth token) | indicator.attribute | Port | | 0 (first token) | 11211 | |
5 (sixth token) | indicator.attribute | Count | | 0 (first token) | 12 | |
6 (eighth token) | indicator.attribute | Type | | 0 (first token) | 3 | |
8 (ninth token) | indicator.attribute | Reliability | | 0 (first token) | 3 | |
9 (tenth token) | indicator.attribute | Credibility | | 0 (first token) | 2 | |
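The DDoS feed is positional CSV, so the mapping is a token-index table rather than JSON paths. The following is an added example, not ThreatQ's or Malware Patrol's code, that applies the positions above to constructed sample lines; it assumes the first token is `YYYYMMDDHHMMSS`, that `N/A` means the attribute is absent, and that index 6 is the seventh field (the attack type string in the sample).

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample lines in the feed's shape; the last line is deliberately
# short to show how a malformed row is skipped instead of misaligning tokens.
SAMPLE_DDOS_CSV = """\
20181117034914,hpot,US-DC02,132.232.237.18,11211,N/A,Amplification/Reflection,3,3,2
20181116134950,hpot,US-DC02,66.240.205.221,1900,12,Amplification/Reflection,3,3,2
20181116020037,hpot,US-DC02
"""

# Token index -> attribute key, following the mapping table. Assumption: index 6
# is the seventh field (attack type) and an "N/A" token yields no attribute.
ATTRIBUTE_TOKENS = {1: "Source", 2: "Node", 4: "Port", 5: "Count",
                    6: "Type", 8: "Reliability", 9: "Credibility"}
IP_TOKEN, DATE_TOKEN = 3, 0


def published_date(token):
    """Normalize the first token (YYYYMMDDHHMMSS) to ISO 8601; None when malformed."""
    try:
        return datetime.strptime(token, "%Y%m%d%H%M%S").isoformat()
    except ValueError:
        return None


def parse_ddos_feed(text):
    """Return one IP Address indicator dict per well-formed CSV row."""
    indicators = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 10:
            continue                      # too few tokens: skip the row
        try:
            ipaddress.ip_address(row[IP_TOKEN])
        except ValueError:
            continue                      # the indicator value must be a valid IP
        attrs = {key: row[i] for i, key in ATTRIBUTE_TOKENS.items()
                 if row[i] != "N/A"}
        indicators.append({"value": row[IP_TOKEN], "type": "IP Address",
                           "published_at": published_date(row[DATE_TOKEN]),
                           "attributes": attrs})
    return indicators
```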
Malware Patrol Domains Generated via DGA
Gunzipped JSON Sample Response:
[
{
"domain": "zpjnllaabettingk.com",
"classification": "Banjori",
"timestamp": "0000-00-00 00:00:00"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Normalization | Published Date | Examples | Notes |
---|---|---|---|---|---|---|
.[].domain | indicator.value | FQDN | | .[].timestamp | zpjnllaabettingk.com | |
.[].classification | indicator.attribute | Malware Classification | | .[].timestamp | Banjori | |
Malware Patrol - Anti Mining
Gunzipped JSON Sample Response:
[
{
"domain": "tovar4ka.ru",
"IP":"5.101.152.21",
"rank":">30M"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.[].domain | indicator.value | FQDN | | tovar4ka.ru | |
.[].IP | indicator.value | IP Address | | 5.101.152.21 | |
.[].rank | indicator.attribute | Rank | | 30M | |
Malware Patrol - Phishing
Gunzipped JSON Sample Response:
[
{
"domain": "shamoc.com",
"language": "ro",
"brand": "Microsoft",
"id": "396390",
"screenshot_file_name": "cd5c732c566ada475ef2acdc5fdfd081",
"domain_ranking": "0",
"score": "100",
"flag_screenshot": "1",
"detection_timestamp": "2019-09-23 21:35:54",
"url": "http://www.christianbeaulieu.com/wp-includes/pomo/dol/uy131aguhv8lqpk9tsq63z1r.php"
},
...
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples |
---|---|---|---|---|
.[].domain | indicator.value | FQDN | .[].detection_timestamp | "shamoc.com" |
.[].screenshot_file_name | indicator.value | Filename | .[].detection_timestamp | "cd5c732c566ada475ef2acdc5fdfd081" |
.[].url | indicator.value | URL | .[].detection_timestamp | "http://www.christianbeaulieu.com/wp-includes/pomo/dol/uy131aguhv8lqpk9tsq63z1r.php" |
.[].language | indicator.attribute | Language | .[].detection_timestamp | "ro" |
.[].id | indicator.attribute | ID | .[].detection_timestamp | "396390" |
.[].flag_screenshot | indicator.attribute | Flag Screenshot | .[].detection_timestamp | "1" |
.[].detection_timestamp | indicator.attribute | Detected At | .[].detection_timestamp | "2019-09-23 21:35:54" |
.[].brand | indicator.attribute | Brand | .[].detection_timestamp | "Microsoft" |
.[].score | indicator.attribute | Score | .[].detection_timestamp | "100" |
.[].domain_ranking | indicator.attribute | Domain Ranking | .[].detection_timestamp | "0" |
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Malware Patrol Malware URLs (Sanitized)
Metric | Result |
---|---|
Run Time | 1 minute |
Indicators | 0 |
Indicator Attributes | 0 |
Malware Patrol Command And Control Server Addresses (Sanitized)
Metric | Result |
---|---|
Run Time | 2 minutes |
Indicators | 1,189 |
Indicator Attributes | 3,537 |
Malware Patrol Hashes
Metric | Result |
---|---|
Run Time | 58 minutes |
Indicators | 72,248 |
Indicator Attributes | 72,258 |
Malware Patrol Malicious IP Addresses
Metric | Result |
---|---|
Run Time | 53 minutes |
Indicators | 10,167 |
Indicator Attributes | 76,351 |
Malware Patrol Real Time DDoS Attacks
Metric | Result |
---|---|
Run Time | 11 minutes |
Indicators | 4,002 |
Indicator Attributes | 25,066 |
Malware Patrol Domains Generated via DGA
Metric | Result |
---|---|
Run Time | 37 minutes |
Indicators | 56,969 |
Indicator Attributes | 57,261 |
Malware Patrol - Anti Mining
Metric | Result |
---|---|
Run Time | 1 minute |
Indicators | 856 |
Indicator Attributes | 894 |
Malware Patrol - Phishing
Metric | Result |
---|---|
Run Time | 4 minutes |
Indicators | 858 |
Indicator Attributes | 8,533 |
Change Log
- Version 2.0.1
- Removed deprecated feed - Malware Patrol Sinkhole IP Addresses.
- Resolved a parsing issue with the Malware Patrol Real Time DDoS Attacks feed.
- Version 2.0.0
- N/A
- Version 1.2.0
- N/A
- Version 1.0.0
- N/A
PDF Guides
Document | ThreatQ Version |
---|---|
Malware Patrol CDF Guide v2.0.1 | 4.28 or Greater |
Malware Patrol CDF Guide v2.0.0 | 4.28 or Greater |
Malware Patrol CDF Guide v1.2.0 | 4.7 or Greater |
Malware Patrol CDF Guide v1.0.0 | 4.7 or Greater |