Testing Indicators

CanCyber has set up a number of domains, IPs, files, and certificates for testing purposes. These are tasked in MISP for detection at Event 969.

None of these sites have any real malware or pose any actual risk.

Simulated Badness

IP: 35.183.9.38

Domains: malware-c2.com, www.img-url.com, jpg.img-url.com, png.img-url.com

URLs: http://png.img-url.com/ImportantDocument8b745966fd.jpg
http://malware-c2.com/ImportantDocument8b745966fd.jpg
http://malware-c2.com/TPSReportfaf8b745966fd.xlsx
http://jpg.img-url.com/ImportantDocument8b745966fd.jpg
http://jpg.img-url.com/TPSReportfaf8b745966fd.xlsx
http://png.img-url.com/TPSReportfaf8b745966fd.xlsx

Filenames: ImportantDocument8b745966fd.jpg, TPSReportfaf8b745966fd.xlsx

File hash: 9f23bd021d571abf6d2faf8b745966fd, c6e7ec54ed35eb19ba8d736ac257b63e (you can download the 2 files at the above URLs to get the same "bad" files).

SSL Cert hash: dd1bec8f68dbdcc76c7b0f755aba0e53ba6fea41feac760a1dd869a8e3cfe1a5, eb3797b15cbdae7e28baa56fdac40780ab9a4e0527624b94ff328e0d0fb1c9ad (malware-c2.com and img-url.com)

Network content: http://malware-c2.com/bad.html contains the string "991CANCYBER_TEST_BAD_SIGNATURE991" which will be detected in TCP or HTTP responses.

Simulated Goodness

IP: 35.183.24.213

Domain: notmalware-c2.com (partial overlap of the simulated bad malware-c2.com to test accuracy)

SSL cert for https://notmalware-c2.com/
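
The overlap test above checks that a detection matches whole hostnames rather than substrings. The following is an added example, not CanCyber's or MISP's own code: it compares a substring matcher with a label-boundary matcher using the indicators on this page. The function names are hypothetical, and treating subdomains of a listed domain as matches is an assumption of this sketch.

```python
from urllib.parse import urlsplit

# Simulated-bad indicators copied from this page.
BAD_DOMAINS = {"malware-c2.com", "www.img-url.com",
               "jpg.img-url.com", "png.img-url.com"}
BAD_IPS = {"35.183.9.38"}
BAD_CONTENT = b"991CANCYBER_TEST_BAD_SIGNATURE991"


def host_of(value):
    """Return the lowercased host from a URL or a bare hostname/IP."""
    text = value.strip()
    if "://" not in text:
        text = "//" + text  # lets urlsplit parse a bare host as a netloc
    host = urlsplit(text).hostname or ""
    return host.rstrip(".").lower()


def naive_match(value):
    """Substring test: flags notmalware-c2.com because it contains malware-c2.com."""
    return any(bad in value.lower() for bad in BAD_DOMAINS)


def strict_match(value):
    """Match the host exactly, or as a subdomain on a label boundary (assumption)."""
    host = host_of(value)
    if host in BAD_IPS:
        return True
    return any(host == bad or host.endswith("." + bad) for bad in BAD_DOMAINS)


def content_match(body):
    """Check a TCP/HTTP response body for the test signature string."""
    return BAD_CONTENT in body


if __name__ == "__main__":
    # Constructed observations built from the indicators listed on this page.
    observed = [
        "http://malware-c2.com/bad.html",
        "http://PNG.img-url.com/TPSReportfaf8b745966fd.xlsx",
        "https://notmalware-c2.com/",
        "35.183.9.38",
        "35.183.24.213",
    ]
    for item in observed:
        print(f"{item:55} naive={naive_match(item)!s:5} strict={strict_match(item)}")
```

A matcher that behaves like `naive_match` will alert on the simulated-good domain; one that behaves like `strict_match` will not.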
