Basic anonymised sample sensor submission (POST data):

timestamp=1235801109,remotehost=nn.nn.nn.1,url=ftp://70.232.61.243:5554/16745_up.exe,trigger=ftp://anonymous:bin@192.168.1.64:5554/16745_up.exe,md5=1a2c0e6130850f8fd9b9b5309413cd00,sha512=8e1e40dedb4aa57ae5c89a75aca26a813ce5622e371049ddbc916552d1c00b483db042879b1f2088da652eda8ac0ebba3bd682f2545b139984ef20bf643664c,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=16745_up.exe,Upload_OK
timestamp=1235924337,remotehost=nn.nn.nn.1,url=ftp://1:1@88.204.183.126:7293/netlibrary.exe,trigger=ftp://1:1@88.204.183.126:7293/netlibrary.exe,md5=e399196c959235c23f71ac2c5ab1192d,sha512=d41821a576642131e32645afc3d531dca5f6d4a09a76ad0ce71a7d49021c6906d348f0d490c8d46f8372f8af0b884d33b82dcee21155894d7cc85d16e6bd7b2,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=netlibrary.exe,Upload_OK
timestamp=1236003748,remotehost=nn.nn.nn.1,url=creceive://87.175.58.187:4652,trigger=creceive://87.175.58.187:4652,md5=3875b6257d4d21d51ec13247ee4c1cdb,sha512=5e60dd302d73e64b2a4c7e3d7e22b684028a6d5a719c7869891783f5f86e2cf384e6b25068a2ce986600afcc5f27b64bbd0a2c41387cbe3f4b127ac3a49dc8a,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=index.html,Upload_OK
timestamp=1236011878,remotehost=nn.nn.nn.1,url=creceive://211.200.220.64:3647,trigger=creceive://211.200.220.64:3647,md5=8f4e8e31fcdbf9635791ab009defe1b5,sha512=43035d05ecda3412564c6a281ff9197fb30b25fd68dd59e54589bdd8ea861a7e7c9b9ab1b350b1b8d362e26946ed51d87eb4b464d148781d13edb851b08188f,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=index.html,Upload_OK
timestamp=1236037386,remotehost=nn.nn.nn.1,url=creceive://87.17.73.69:43074,trigger=creceive://87.17.73.69:43074,md5=f5f55437982c893ae8b9cb8187d47256,sha512=37da6527c3dcd7b26071ba7c5eab639d122ac5263cc0abbff9de4be83b5ad52144ddb6c71f14ffb3d64ac36cb32e22088358759622f959a21424c207cb92c07,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=index.html,Upload_OK
timestamp=1236037531,remotehost=nn.nn.nn.1,url=creceive://87.17.73.69:59800,trigger=creceive://87.17.73.69:59800,md5=11d31a4ebd7260193ffe8da9bb79156a,sha512=8096d0ce1fcd9b279d55037bd67af05873b57b4ca796f813a8449790a76e5c3a89460161b490a5dcbfd9a882eb1ec167b9844e1dd4a4496cf0fc885295fa506,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=index.html,Upload_OK
timestamp=1236180665,remotehost=nn.nn.nn.1,url=ftp://a:a@118.165.49.147:2866/igxdfdfds.com,trigger=ftp://a:a@118.165.49.147:2866/igxdfdfds.com,md5=e8d4d8cde15ef310305955c943c0d1c2,sha512=41edfecb9630fc428dbe1413a293aa180c98dedd3c128bbfb40367f56d00a2e32bf365e92c738c2279f153d624b10207fc042c03cb5c6765070f2f8108cf3b6,filetype=PE32 executable for MS Windows (GUI) Intel 80386 32-bit,source_host=nnnnnnnnnn,target_host=nnnnnnnnnn,filename=igxdfdfds.com,Upload_OK

timestamp = seconds since epoch
remotehost = sensor submitting data
source_host = attacker IP (ip2long)
target_host = victim IP (i.e. an IP address on a honeypot, ip2long)

Also submits a malware binary file, which is written to disk with the md5sum as the filename.

We have IP address geolocation for lat/long, etc. from tools like MaxMind, ipgeo and ip2location, which can be used for mapping.
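
An added example, not code from the original page or its project: a receiver-side parser for one submission record that checks the md5 against the uploaded binary before the hash is used as the on-disk filename. It assumes values never contain a comma, that the bare trailing Upload_OK token is a status flag, and that ip2long values may arrive signed (as 32-bit PHP produces them); the sample record and bytes are constructed.

```python
import hashlib
import ipaddress
import re
from datetime import datetime, timezone

MD5_RE = re.compile(r"[0-9a-f]{32}")

def long2ip(value):
    # ip2long on 32-bit PHP returns negative numbers for addresses >= 128.0.0.0,
    # so mask to an unsigned 32-bit value before converting back to dotted quad.
    return str(ipaddress.IPv4Address(int(value) & 0xFFFFFFFF))

def parse_submission(record, binary):
    """Parse one key=value record and validate it against the uploaded binary."""
    fields, flags = {}, []
    for token in record.strip().split(","):
        key, sep, value = token.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip()] = value
        else:
            flags.append(token.strip())  # bare token, e.g. Upload_OK
    md5 = fields["md5"].lower()
    # The md5 becomes a filename, so accept nothing but 32 hex characters.
    if not MD5_RE.fullmatch(md5):
        raise ValueError("md5 is not 32 hex characters")
    if hashlib.md5(binary).hexdigest() != md5:
        raise ValueError("uploaded binary does not match submitted md5")
    return {
        "seen": datetime.fromtimestamp(int(fields["timestamp"]), tz=timezone.utc),
        "sensor": fields.get("remotehost", ""),
        "attacker": long2ip(fields["source_host"]),
        "victim": long2ip(fields["target_host"]),
        "url": fields["url"],
        "store_as": md5,  # on-disk name: the verified hash, never `filename`
        "reported_name": fields.get("filename", ""),
        "upload_ok": "Upload_OK" in flags,
    }

# Constructed sample input (documentation-range addresses, harmless bytes).
SAMPLE_BINARY = b"MZ constructed sample bytes, not real malware"
SAMPLE_RECORD = (
    "timestamp=1235801109,remotehost=sensor-1,"
    "url=ftp://a:a@203.0.113.5:2866/x.exe,trigger=ftp://a:a@203.0.113.5:2866/x.exe,"
    f"md5={hashlib.md5(SAMPLE_BINARY).hexdigest()},"
    "source_host=3221225994,target_host=3325256711,filename=x.exe,Upload_OK"
)

if __name__ == "__main__":
    print(parse_submission(SAMPLE_RECORD, SAMPLE_BINARY))
```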