[ { "activity_id": 1, "malware": [ { "classification_ids": [ -1 ], "classifications": [ "Potentially vulnerable application" ], "name": "pva.torrent.openinternet", "provider": "SecurityScorecard", "uid": "pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214" } ], "activity_name": "Generate", "category_name": "Findings", "category_uid": 2, "class_name": "Security Finding", "class_uid": 2001, "confidence": 100, "data": "{\"body_bytes_sent\":\"-\",\"enc_host\":\"open-internet.nl\",\"enc_raw_header\":\"-\",\"enc_request\":\"SOCKET_UDP%20%2F\",\"enc_request_body\":\"AAAEFycQGYAAAAAAiWPgag==\",\"family\":\"pva.torrent.openinternet\",\"field_1\":\"2022-06-27T01:37:06.385325 version_5\",\"remote_addr\":\"1.183.190.110\",\"remote_port\":\"2048\",\"remote_user\":\"-\", \"status\":\"200\",\"time_local\":\"2022-06-27T01:36:21.515207\"}", "message": "Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl", "severity": "Informational ", "severity_id": 1, "status": "Not applicable, static security finding from global threat intelligence monitoring", "status_id": -1, "state": "New", "state_id": 1, "time": 1668535199945, "timezone_offset": 0, "type_name": "Security Finding: Generate", "type_uid": 200101, "metadata": { "logged_time": 1668535199945, "original_time": "2022-11-15T17:59:59.945Z", "labels": [ "infected_device" ], "product": { "lang": "en", "name": "SecurityScorecard Attack Surface Intelligence", "uid": "ssc_asi", "feature": { "uid": "ssc_malware_dns_sinkhole", "name": "SecurityScorecard Malware DNS Sinkhole collection system" }, "vendor_name": "SecurityScorecard" }, "version": "1.0.0", "profiles": [ "malware", "reputation" ] }, "resources": [ { "group_name": "infected_device", "name": "IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", "owner": "chinatelecom.cn", "uid": "1.183.190.110" } ], "observables": [ { "name": "infected_device.ip", "type": "IP Address", "type_id": 2, "value": "1.183.190.110" }, { "name": "infection.category", "type": "Category of infection on infected device", "type_id": -1, "value": "Potentially vulnerable application" }, { "name": "infected_device.malware_hostname", "type": "Hostname", "type_id": 1, "value": "open-internet.nl" }, { "name": "infection.family", "type": "Malware, adware, or PUA/PVA family name", "type_id": -1, "value": "pva.torrent.openinternet" }, { "name": "infected_device.source_port", "type": "Client-side port making connection to the infection communication domain", "type_id": -1, "value": "2048" }, { "name": "infected_device.geo_location", "type": "Geo Location", "type_id": 26, "value": "Bieligutai, China" } ], "finding": { "title": "Infection found on 1.183.190.110", "uid": "2b7908d7-4b72-4f65-afa0-09bdaea46ae3", "types": [ "malware_infection", "infected_device", "pva.torrent.openinternet" ], "src_url": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110", "remediation": { "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", "kb_articles": [ "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" ] }, "product_uid": "ssc_malware_dns_sinkhole", "last_seen_time": 1668535199945, "desc": "Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl" } }, { "activity_id": 1, "malware": [ { "classification_ids": [ -1 ], "classifications": [ "Potentially vulnerable application" ], "name": "pva.torrent.openinternet", "provider": "SecurityScorecard", "uid": "pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5" } ], "activity_name": "Generate", "category_name": "Findings", "category_uid": 2, "class_name": "Security Finding", "class_uid": 2001, "confidence": 100, "data": "{\"body_bytes_sent\":\"-\",\"enc_host\":\"open-internet.nl\",\"enc_raw_header\":\"-\",\"enc_request\":\"SOCKET_UDP%20%2F\",\"enc_request_body\":\"AAAEFycQGYAAAAAAtdIQjw==\",\"family\":\"pva.torrent.openinternet\",\"field_1\":\"2022-06-04T10:35:07.143255 version_5\",\"remote_addr\":\"59.11.81.231\",\"remote_port\":\"6927\",\"remote_user\":\"-\", \"status\":\"200\",\"time_local\":\"2022-06-04T10:34:45.835005\"}", "message": "Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain ", "severity": "Informational ", "severity_id": 1, "status": "Not applicable, static security finding from global threat intelligence monitoring", "status_id": -1, "state": "New", "state_id": 1, "time": 1668535199946, "timezone_offset": 0, "type_name": "Security Finding: Generate", "type_uid": 200101, "metadata": { "logged_time": 1668535199946, "original_time": "2022-11-15T17:59:59.946Z", "labels": [ "infected_device" ], "product": { "lang": "en", "name": "SecurityScorecard Attack Surface Intelligence", "uid": "ssc_asi", "feature": { "uid": "ssc_malware_dns_sinkhole", "name": "SecurityScorecard Malware DNS Sinkhole collection system" }, "vendor_name": "SecurityScorecard" }, "version": "1.0.0", "profiles": [ "malware", "reputation" ] }, "resources": [ { "group_name": "infected_device", "name": "IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", "owner": "krnic.or.kr", "uid": "59.11.81.231" } ], "observables": [ { "name": "infected_device.ip", "type": "IP Address", "type_id": 2, "value": "59.11.81.231" }, { "name": "infection.category", "type": "Category of infection on infected device", "type_id": -1, "value": "Potentially vulnerable application" }, { "name": "infected_device.malware_hostname", "type": "Hostname", "type_id": 1, "value": null }, { "name": "infection.family", "type": "Malware, adware, or PUA/PVA family name", "type_id": -1, "value": "pva.torrent.openinternet" }, { "name": "infected_device.source_port", "type": "Client-side port making connection to the infection communication domain", "type_id": -1, "value": "6927" }, { "name": "infected_device.geo_location", "type": "Geo Location", "type_id": 26, "value": "Seongnam-si (Buljeong-ro), Korea, Republic of" } ], "finding": { "title": "Infection found on 59.11.81.231", "uid": "45521c66-6498-442d-ad9b-40da9f0e9236", "types": [ "malware_infection", "infected_device", "pva.torrent.openinternet" ], "src_url": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231", "remediation": { "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", "kb_articles": [ "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" ] }, "product_uid": "ssc_malware_dns_sinkhole", "last_seen_time": 1668535199947, "desc": "Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain " } }, { "activity_id": 1, "malware": [ { "classification_ids": [ -1 ], "classifications": [ "Potentially vulnerable application" ], "name": "pva.torrent.kickasstracker", "provider": "SecurityScorecard", "uid": "pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4" } ], "activity_name": "Generate", "category_name": "Findings", "category_uid": 2, "class_name": "Security Finding", "class_uid": 2001, "confidence": 100, "data": "{\"body_bytes_sent\":\"152\",\"enc_host\":\"open.kickasstracker.com\",\"enc_raw_header\":\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\",\"enc_request\":\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\",\"enc_request_body\":\"\",\"family\":\"pva.torrent.kickasstracker\",\"field_1\":\"2022-09-30T21:26:09.028507 version_5\",\"remote_addr\":\"190.109.227.80\",\"remote_port\":\"21886\",\"remote_user\":\"-\", \"status\":\"404\",\"time_local\":\"2022-09-30T21:25:21+00:00\"}", "message": "Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com", "severity": "Informational ", "severity_id": 1, "status": "Not applicable, static security finding from global threat intelligence monitoring", "status_id": -1, "state": "New", "state_id": 1, "time": 1668535199947, "timezone_offset": 0, "type_name": "Security Finding: Generate", "type_uid": 200101, "metadata": { "logged_time": 1668535199947, "original_time": "2022-11-15T17:59:59.947Z", "labels": [ "infected_device" ], "product": { "lang": "en", "name": "SecurityScorecard Attack Surface Intelligence", "uid": "ssc_asi", "feature": { "uid": "ssc_malware_dns_sinkhole", "name": "SecurityScorecard Malware DNS Sinkhole collection system" }, "vendor_name": "SecurityScorecard" }, "version": "1.0.0", "profiles": [ "malware", "reputation" ] }, "resources": [ { "group_name": "infected_device", "name": "IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", "owner": "cotel.bo", "uid": "190.109.227.80" } ], "observables": [ { "name": "infected_device.ip", "type": "IP Address", "type_id": 2, "value": "190.109.227.80" }, { "name": "infection.category", "type": "Category of infection on infected device", "type_id": -1, "value": "Potentially vulnerable application" }, { "name": "infected_device.malware_hostname", "type": "Hostname", "type_id": 1, "value": "open.kickasstracker.com" }, { "name": "infection.family", "type": "Malware, adware, or PUA/PVA family name", "type_id": -1, "value": "pva.torrent.kickasstracker" }, { "name": "infected_device.source_port", "type": "Client-side port making connection to the infection communication domain", "type_id": -1, "value": "21886" }, { "name": "infected_device.geo_location", "type": "Geo Location", "type_id": 26, "value": "La Paz (Macrodistrito Centro), Bolivia, Plurinational State of" } ], "finding": { "title": "Infection found on 190.109.227.80", "uid": "8f91e92d-b75c-4d55-a6a2-c9f611cdea28", "types": [ "malware_infection", "infected_device", "pva.torrent.kickasstracker" ], "src_url": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80", "remediation": { "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", "kb_articles": [ "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" ] }, "product_uid": "ssc_malware_dns_sinkhole", "last_seen_time": 1668535199948, "desc": "Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com" } }, { "activity_id": 1, "malware": [ { "classification_ids": [ -1 ], "classifications": [ "Adware" ], "name": "adware.android.imp", "provider": "SecurityScorecard", "uid": "adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba" } ], "activity_name": "Generate", "category_name": "Findings", "category_uid": 2, "class_name": "Security Finding", "class_uid": 2001, "confidence": 100, "data": "{\"body_bytes_sent\":\"152\",\"enc_host\":\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\",\"enc_raw_header\":\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\",\"enc_request\":\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\",\"enc_request_body\":\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\",\"family\":\"adware.android.imp\",\"field_1\":\"2022-09-23T16:20:10.540428 version_5\",\"remote_addr\":\"38.7.186.198\",\"remote_port\":\"59750\",\"remote_user\":\"-\",\"status\":\"404\",\"time_local\":\"2022-09-23T16:19:38+00:00\"}", "message": "Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com", "severity": "Informational ", "severity_id": 1, "status": "Not applicable, static security finding from global threat intelligence monitoring", "status_id": -1, "state": "New", "state_id": 1, "time": 1668535199948, "timezone_offset": 0, "type_name": "Security Finding: Generate", "type_uid": 200101, "metadata": { "logged_time": 1668535199948, "original_time": "2022-11-15T17:59:59.948Z", "labels": [ "infected_device" ], "product": { "lang": "en", "name": "SecurityScorecard Attack Surface Intelligence", "uid": "ssc_asi", "feature": { "uid": "ssc_malware_dns_sinkhole", "name": "SecurityScorecard Malware DNS Sinkhole collection system" }, "vendor_name": "SecurityScorecard" }, "version": "1.0.0", "profiles": [ "malware", "reputation" ] }, "resources": [ { "group_name": "infected_device", "name": "IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", "owner": "emix.net.ae", "uid": "38.7.186.198" } ], "observables": [ { "name": "infected_device.ip", "type": "IP Address", "type_id": 2, "value": "38.7.186.198" }, { "name": "infection.category", "type": "Category of infection on infected device", "type_id": -1, "value": "Adware" }, { "name": "infected_device.malware_hostname", "type": "Hostname", "type_id": 1, "value": "x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com" }, { "name": "infection.family", "type": "Malware, adware, or PUA/PVA family name", "type_id": -1, "value": "adware.android.imp" }, { "name": "infected_device.source_port", "type": "Client-side port making connection to the infection communication domain", "type_id": -1, "value": "59750" }, { "name": "infected_device.geo_location", "type": "Geo Location", "type_id": 26, "value": "Karachi (Sector Five F), Pakistan" } ], "finding": { "title": "Infection found on 38.7.186.198", "uid": "26c7c83d-0aad-411b-88ee-52343ff22064", "types": [ "malware_infection", "infected_device", "adware.android.imp" ], "src_url": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198", "remediation": { "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", "kb_articles": [ "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" ] }, "product_uid": "ssc_malware_dns_sinkhole", "last_seen_time": 1668535199948, "desc": "Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com" } } ]