This section contains examples of OpenIOC files with investigation results for a hash, IP address, domain, and web address.
This format is not available for exporting investigation results for reserved IP addresses.
By default, the format of the file name is as follows: <request type>_<request>.ioc
Here:
<request type>
—The type of object that you export investigation results for. Possible values include:
MD5
—If hash investigation results are exported.
IP
—If IP address investigation results are exported.
DOMAIN
—If domain investigation results are exported.
URL
—If web address investigation results are exported.
<request>
—The object that you export investigation results for. For a hash or an IP address this is the object itself. For a domain or a web address it is a hex-encoded hash of the object (the UUID from the id attribute of the object's own IndicatorItem in the exported file, with the hyphens removed), since domain names and web addresses may contain characters such as / and ? that are not valid in file names.
You can change the file name if necessary.
If you export investigation results for the domain ddns.net, the OpenIOC file will have the following name by default:
DOMAIN_852808bf99be59a2902e089e26d5976a.ioc
OpenIOC for a hash
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the hash 495DB359D61411F0688211C8DD473CB7 in OpenIOC format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time. The file paths, file names, and URLs in the example are telemetry associated with a potentially malicious file: use them for log searches and blocking only, and do not open the URLs in a browser.
MD5_495DB359D61411F0688211C8DD473CB7.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc" id="0294496a-b037-55b9-a3fe-46a344d7f524" last-modified="2016-11-08T16:43:21.4083202Z">
<short_description>ioc for 495DB359D61411F0688211C8DD473CB7</short_description>
<!-- The portal's zone rating for the object is carried in <description> (Yellow here; the other examples on this page show Green and Red). Ratings change over time, so re-check the object before acting on an old export. -->
<description>ZONE:Yellow</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-11-08T16:43:21.4083202Z</authored_date>
<links />
<definition>
<!-- Top-level OR: the IOC fires on any one of the three hash items below, OR on the nested AND group. Because the outer operator is OR, that AND group (signature state + size + file type + path + file name + download URL + browsing history) can match on its own, without a hash match. Review it before loading the file into a detection platform. -->
<Indicator operator="OR" id="6f7a75ee-f423-5cf1-ad42-140ae6aa2301">
<IndicatorItem condition="is" id="59b35d49-14d6-f011-6882-11c8dd473cb7">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">495DB359D61411F0688211C8DD473CB7</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="4784b55d-d0a9-5172-8c0a-f740f9184607">
<Context document="FileItem" search="FileItem/Sha1sum" type="mir" />
<Content type="string">CAD7296F99733E209CE57422F348A8698245CBD5</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="b533c6cd-89ab-5c8c-971c-0cd79858aeb7">
<Context document="FileItem" search="FileItem/Sha256sum" type="mir" />
<Content type="string">12FF1AE06AC3ACA95969B2D338A24D47DF80D7B70521BD7DB801B715DB629420</Content>
</IndicatorItem>
<!-- Non-hash attributes of the file; all of them must hold (AND) for this branch to match. -->
<Indicator operator="AND" id="173db112-d8ee-5141-b76a-49dc3430f04c">
<IndicatorItem condition="is" id="4b2610ba-5431-57f2-8af3-24d0f43d7919">
<Context document="FileItem" search="FileItem/PEInfo/DigitalSignature/SignatureExists" type="mir" />
<Content type="string">YES</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="1f3510a5-0f48-522f-bd50-adbf9be9c9c8">
<Context document="FileItem" search="FileItem/SizeInBytes" type="mir" />
<Content type="int">3702320</Content>
</IndicatorItem>
<!-- Note: the value "PE" is the file format, not a dotted file name extension. -->
<IndicatorItem condition="is" id="3e9d0121-11fb-5e7a-bf0c-9a99728178ca">
<Context document="FileItem" search="FileItem/FileExtension" type="mir" />
<Content type="string">PE</Content>
</IndicatorItem>
<Indicator operator="AND" id="472a6ade-1196-5e1e-a8b4-8f0864b40051">
<!-- Directory path fragments (no drive letter) associated with the file. condition="is" demands an exact string match; whether a consumer compares these against a full path or a fragment is tool-specific, so treat them as context rather than as a reliable detection on their own. -->
<Indicator operator="OR" id="a317c11b-0c26-5e52-b601-307d133ee986">
<IndicatorItem condition="is" id="a4c97305-950f-555f-b0ca-ecbea8873e38">
<Context document="FileItem" search="FileItem/FilePath" type="mir" />
<Content type="string">itva\lovivkontakte2</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="6cc33a2a-72b1-558b-b737-bcc52ede225b">
<Context document="FileItem" search="FileItem/FilePath" type="mir" />
<Content type="string">lovivk</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="a0f344e5-5b06-51ec-bb14-02b60918f31a">
<Context document="FileItem" search="FileItem/FilePath" type="mir" />
<Content type="string">system volume information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp115</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="759b363e-5f39-51f0-bacf-5c168eb1f5b3">
<Context document="FileItem" search="FileItem/FilePath" type="mir" />
<Content type="string">system volume information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp113</Content>
</IndicatorItem>
</Indicator>
<!-- File names the hash has been observed under; any one of them satisfies this group. -->
<Indicator operator="OR" id="8a207637-a1e8-5059-8e74-cdc0fb0a41eb">
<IndicatorItem condition="is" id="d744a9e8-9f30-59a0-aca1-e0f00ffe4b5b">
<Context document="FileItem" search="FileItem/FileName" type="mir" />
<Content type="string">lvk2.exe</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="af970d9e-b5f9-5ae2-81d3-5ebef78b63cf">
<Context document="FileItem" search="FileItem/FileName" type="mir" />
<Content type="string">a0040146.exe</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="1cf19365-1b8e-5dbe-99d6-ed94783855a7">
<Context document="FileItem" search="FileItem/FileName" type="mir" />
<Content type="string">a0004589.exe</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="2cc36f03-8207-55e2-9ed6-4b927a043c4b">
<Context document="FileItem" search="FileItem/FileName" type="mir" />
<Content type="string">updater.exe</Content>
</IndicatorItem>
</Indicator>
<!-- URLs the file was downloaded from (FileDownloadHistoryItem/SourceURL). Treat them as hostile: do not open them in a browser; use them only for proxy/DNS log searches and blocking. -->
<Indicator operator="OR" id="a20c7f94-60ce-5dd6-8c7b-b5beabcb2e62">
<IndicatorItem condition="is" id="7e122afb-6820-53bd-ac1f-d976c98983eb">
<Context document="FileDownloadHistoryItem" search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content type="string">upconfusepat.ru/3e122e2dd79b0dcab9df0e4c6d3d238f/625819-book</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="da8849e7-2564-5709-81e7-0c5b7a244cad">
<Context document="FileDownloadHistoryItem" search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content type="string">73f2d1c5c7ea62da3b9f212a.appssharploads.ru/api/web/getInstaller</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="3bb6a5ae-41bf-511a-af12-0f59c4114ea1">
<Context document="FileDownloadHistoryItem" search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content type="string">1d30c85c657d5957297fea73.oysiudyfisdf.ru</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="6fb061ce-b6e2-52d7-918e-dbd9511c4991">
<Context document="FileDownloadHistoryItem" search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content type="string">8eb7094dd3284344a7abc7ca.ksldhfkshfks.ru/api/web/getInstaller</Content>
</IndicatorItem>
</Indicator>
<!-- URLs seen in browsing history in connection with the file (UrlHistoryItem/URL); note the .exe download over port 8080 in the last item. The same handling caveat applies: search and block, do not visit. -->
<Indicator operator="OR" id="ee3069c4-c5a9-5594-9068-a1ad20349b5e">
<IndicatorItem condition="is" id="9ef1b331-88aa-5782-9c23-228317aa358e">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
<Content type="string">net-tak.net/favicon.ico</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="bfc24ba4-7c74-58ad-bed3-5b15e55e92be">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
<Content type="string">dle.org.ua/favicon.ico</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="62ea1d9b-8fd9-56b5-a5d1-98c0a55032c9">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
<Content type="string">www-odnoklassniki-ru.ru</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="89b59d77-35c9-58f5-a5b0-fda276497f5e">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
<Content type="string">octopus.elar.ru:8080/palpussetup/setup.exe</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>
OpenIOC for an IP address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the IP address 14.14.14.14 in OpenIOC format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
IP_14.14.14.14.ioc
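<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc" id="6142af1a-ed6a-5e99-a54b-05eb22e4fb04" last-modified="2016-10-28T11:41:07.7003725Z">
<short_description>ioc for 14.14.14.14</short_description>
<!-- Zone rating for the IP address at export time (Green). Ratings change over time; re-check before acting on an old export. -->
<description>ZONE:Green</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-10-28T11:41:07.7003725Z</authored_date>
<links />
<definition>
<!-- Top-level OR: the IP address itself (as a DNS answer) OR the nested AND group of domains and files associated with it. -->
<Indicator operator="OR" id="41137498-7ada-503c-bae1-4e3e1370a0db">
<IndicatorItem condition="is" id="9854d7dd-bcf8-5d67-93eb-3e814a215c73">
<Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">14.14.14.14</Content>
</IndicatorItem>
<Indicator operator="AND" id="291ff821-82e2-505b-aeff-dbf1ae68820f">
<!-- Host names that resolved to this IP. The leading "?" in the first item looks like a single-label placeholder for a host under cloudfront.net, but condition="is" asks for a literal match; confirm how your consumer treats it before relying on it. A shared CDN name is also weak evidence of a relationship with this IP. -->
<Indicator operator="OR" id="51d01b5b-4ad0-5e0d-acb9-cdd1d500338a">
<IndicatorItem condition="is" id="d073c3e0-3bf1-5c42-b266-13687407e00f">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">?.CLOUDFRONT.NET</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="78d631ec-48d9-5aa2-a4cf-874058ee6a02">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">DMG.DIGITALTARGET.RU</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="de1b4dd1-22c4-554b-810e-73c037ba242f">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">PROSPORTZAL.RU</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="300ffcb0-bb63-52f9-9924-276306c91341">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">METRO-PLUS.COM</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="4312e5b6-b571-59ca-963a-37d78b969e68">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">FOODANDDRINK.TILE.APPEX.BING.COM</Content>
</IndicatorItem>
</Indicator>
<!-- Files associated with this IP. Each AND pairs a file MD5 with a URL on this IP, presumably the URL the file was served from (the export does not state the relationship). -->
<Indicator operator="OR" id="6376b283-0a4b-561e-a2fa-927e3c3ccab4">
<Indicator operator="AND" id="76fae3c2-a02e-5144-9bab-a85004414277">
<IndicatorItem condition="is" id="605171d1-751e-8343-1962-c5ce8191d306">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">D17151601E7543831962C5CE8191D306</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="ce595631-691b-59fc-97d3-bddc92e795be">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">14.14.14.14/software/compression and backup/winrar/wrar54b4.exe</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="AND" id="a149da5d-6462-522b-a997-37972cd31a19">
<IndicatorItem condition="is" id="62a5a0a5-3533-babc-ba1c-e06f655b15a3">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">A5A0A5623335BCBABA1CE06F655B15A3</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="a61896d9-ff0b-5a3c-891b-a1dc1773ef54">
<Context document="Network" search="Network/URI" type="mir" />
<!-- A literal "&" in XML text must be written as &amp;; an unescaped ampersand makes the file not well-formed and a conformant parser rejects it. The matched string is still "compression & backup". -->
<Content type="string">14.14.14.14/softower/compression &amp; backup/win rar/wrar521b1.exe</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>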
OpenIOC for a domain
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the domain ddns.net in OpenIOC format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
DOMAIN_852808bf99be59a2902e089e26d5976a.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc" id="df83c379-d757-5242-971e-640c92016a0b" last-modified="2016-10-27T14:01:31.6275083Z">
<short_description>ioc for ddns.net</short_description>
<!-- Zone rating for the domain at export time (Green). Ratings change over time; re-check before acting on an old export. -->
<description>ZONE:Green</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-10-27T14:01:31.6275083Z</authored_date>
<links />
<definition>
<Indicator operator="OR" id="b6fe04cb-dfbd-5205-a920-00f7a62308cc">
<!-- condition="contains" is a substring match: this item fires on any URI containing DDNS.NET, i.e. every subdomain of ddns.net and also unrelated strings that merely contain it (for example a host ending in xddns.net). ddns.net appears to be a parent domain under which many unrelated hosts are registered, so blocking on this item alone would be very broad. The id of this item, without hyphens, is the hash used in the export file name. -->
<IndicatorItem condition="contains" id="852808bf-99be-59a2-902e-089e26d5976a">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">DDNS.NET</Content>
</IndicatorItem>
<Indicator operator="AND" id="cfbcee05-35d8-5f37-8837-62fd716b7e1b">
<!-- IPv4 addresses the domain resolved to at export time. DNS answers change, so re-resolve rather than relying on these long-term. -->
<Indicator operator="OR" id="dfac3ba6-e2ed-5b9f-b1d3-aa1ef3046bc2">
<IndicatorItem condition="is" id="cfcf62ca-6194-5916-becb-024a6cd5db18">
<Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">213.128.81.34</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="e2d0d2bb-cbd9-5bf7-ad07-7de1c4d9e366">
<Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">8.23.224.108</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>
OpenIOC for a web address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the web address go.spaceshipads.com/afu.php?zoneid=361258 in OpenIOC format.
Data and ratings are updated dynamically. The data displayed in this example may differ from the data for the same object requested at a later time.
URL_20c056bbd30c5b41be005abd49506015.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc" id="d40696c1-3f0b-56e4-b911-6976b359a7f1" last-modified="2016-10-31T12:29:46.227187Z">
<short_description>ioc for go.spaceshipads.com/afu.php?zoneid=361258</short_description>
<!-- Zone rating for the web address at export time (Red). Ratings change over time; re-check before acting on an old export. -->
<description>ZONE:Red</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-10-31T12:29:46.227187Z</authored_date>
<links />
<definition>
<Indicator operator="OR" id="92c30c12-2578-5d17-a9f6-05a5baaa4d96">
<!-- Substring match on the full web address including its query string. OpenIOC does not define case sensitivity for string matching, and the value is kept in its original case here whereas the domain example uses upper case, so check how your consumer compares strings. The id of this item, without hyphens, is the hash used in the export file name. Do not open the address in a browser. -->
<IndicatorItem condition="contains" id="20c056bb-d30c-5b41-be00-5abd49506015">
<Context document="Network" search="Network/URI" type="mir" />
<Content type="string">go.spaceshipads.com/afu.php?zoneid=361258</Content>
</IndicatorItem>
<Indicator operator="AND" id="c0e45c3f-f292-5422-8c9f-f3514c26466c">
<!-- IPv4 addresses the host resolved to at export time. DNS answers change, so re-resolve rather than relying on these long-term. -->
<Indicator operator="OR" id="0d78fcbd-91a9-507a-a510-6d55e0fb0311">
<IndicatorItem condition="is" id="3cbf69fc-b1cb-54be-938f-3459b6aab54d">
<Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">54.72.9.115</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="5402ae2b-f147-58a4-95ae-62ce2d980563">
<Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">67.215.84.26</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="d3f84cb4-bc87-5120-a097-e2b0d62ee7cf">
<Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">202.188.0.156</Content>
</IndicatorItem>
</Indicator>
<!-- MD5s of files associated with this web address. The export does not state the relationship (for example, downloaded from it), so treat them as related samples to look up separately. -->
<Indicator operator="OR" id="411fe6aa-8b73-5ad7-8b25-7c91f5278a45">
<IndicatorItem condition="is" id="4d836507-49a5-bfcd-3193-25cb8f8171eb">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">0765834DA549CDBF319325CB8F8171EB</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="08914112-537d-dd29-e686-5067ee6e1462">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">124191087D5329DDE6865067EE6E1462</Content>
</IndicatorItem>
<IndicatorItem condition="is" id="acfda603-edde-2d9e-dd1c-4197df4f7d77">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" />
<Content type="md5">03A6FDACDEED9E2DDD1C4197DF4F7D77</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>