From: TriCTI: an actionable cyber threat intelligence discovery system via trigger-enhanced neural network
Reasons | Examples | Analysis |
---|---|---|
Multi-label | a. b14d8faf7f0cbcfad051cefe5f39645f - dispci.exe installs the bootlocker, communicates with the driver | Two kinds of label conflict: Installation and Command and Control |
 | b. Via an associated C2 IP address 108.61.214.194, we found an equivalent page on the phishing domain www.battllestategames.com | Two kinds of label conflict: Command and Control and Delivery |
Incorrect association of IOCs with the campaign stages | c. We observed the sample in the sandbox launched a DDoS attack against 185.63.190.95 around 2017-04-23 21:45:00 | 185.63.190.95 is the IP address of the victim |
 | d. A typical representative of this malware family is an obfuscated Java script using ADODB.Stream technology to download and run DLL, EXE and PDF files | ADODB.Stream is not a domain address |
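Rows c and d illustrate a failure that happens before any campaign-stage labelling: an indicator is pulled out of the sentence that is not an indicator at all (ADODB.Stream, dispci.exe) or belongs to the wrong party (the victim's address). The following Python script is an added example, not code from the paper or the TriCTI system. It extracts IPv4 addresses, MD5 hashes and domains from the four example sentences in the table and rejects dotted names whose last label is not a known top-level domain; the TLD allowlist is a constructed stand-in for a real suffix list, and the sentences are copied from the table as sample input.

```python
import re
from typing import Dict, List

# Constructed, deliberately small TLD allowlist for this example. A production
# extractor would load the IANA root zone or the Public Suffix List instead.
KNOWN_TLDS = {"com", "net", "org", "io", "ru", "info", "biz"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
# Dotted name whose final label starts with a letter, so IPv4 strings never
# match here; the TLD check in extract_iocs decides whether it is a domain.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*\b", re.IGNORECASE)

# Sample input: the four example sentences from the table above.
SAMPLE_SENTENCES = [
    "b14d8faf7f0cbcfad051cefe5f39645f - dispci.exe installs the bootlocker, "
    "communicates with the driver",
    "Via an associated C2 IP address 108.61.214.194, we found an equivalent "
    "page on the phishing domain www.battllestategames.com",
    "We observed the sample in the sandbox launched a DDoS attack against "
    "185.63.190.95 around 2017-04-23 21:45:00",
    "A typical representative of this malware family is an obfuscated Java "
    "script using ADODB.Stream technology to download and run DLL, EXE and "
    "PDF files",
]


def is_valid_ipv4(candidate: str) -> bool:
    """True when every dotted octet is in 0..255 (the regex only checks shape)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return IPv4 addresses, MD5 hashes, accepted domains and rejected
    domain look-alikes found in free text, each list in order of first sight."""
    found: Dict[str, List[str]] = {"ipv4": [], "md5": [], "domain": [], "rejected": []}
    for match in IPV4_RE.findall(text):
        if is_valid_ipv4(match) and match not in found["ipv4"]:
            found["ipv4"].append(match)
    for match in MD5_RE.findall(text):
        if match not in found["md5"]:
            found["md5"].append(match)
    for match in DOMAIN_RE.findall(text):
        # File names (dispci.exe) and COM object names (ADODB.Stream) look
        # like domains but end in a label that is not a TLD; keep them in a
        # separate bucket so an analyst can review what was filtered out.
        tld = match.rsplit(".", 1)[1].lower()
        bucket = "domain" if tld in KNOWN_TLDS else "rejected"
        if match not in found[bucket]:
            found[bucket].append(match)
    return found


def extract_from_table() -> Dict[str, List[str]]:
    """Run the extractor over the table's example sentences joined together."""
    return extract_iocs("\n".join(SAMPLE_SENTENCES))


if __name__ == "__main__":
    for kind, values in extract_from_table().items():
        print(f"{kind}: {values}")
```

The TLD check removes the row d false positive, but it says nothing about row c: 185.63.190.95 is a syntactically perfect address and still extracted, so deciding that it is the victim rather than attacker infrastructure remains a role-labelling problem for the classifier, not for the extractor.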