AlienVault OTX <> Graphistry: LockerGoga investigation

[ ]:
#!pip install graphistry -q
#!pip install OTXv2 -q
[ ]:
import graphistry
import pandas as pd
from OTXv2 import OTXv2, IndicatorTypes
from gotx import G_OTX
[ ]:
# To specify Graphistry account & server, use:
# graphistry.register(api=3, username='...', password='...', protocol='https', server='hub.graphistry.com')
# For more options, see https://github.com/graphistry/pygraphistry#configure

otx = OTXv2("MY_KEY")
g_otx = G_OTX(graphistry, otx)

Start: rough hits

We find there are 3 clusters of activity.

[ ]:
lockergoga_pulses = otx.search_pulses('LockerGoga').get('results')
[ ]:
lockergoga_pulses_df = g_otx.pulses_to_df(lockergoga_pulses)
lockergoga_indicators_df = g_otx.pulses_to_indicators_df(lockergoga_pulses)

g = g_otx.indicatormap(lockergoga_pulses_df, lockergoga_indicators_df)

g.plot()

Continue: Expand on IPv4 hits

Let’s expand the small cluster related to “Powershell Backdoor calling back on port 443”. Use the OTX API to get the other pulses that contain the same IP address, then expand those pulses and draw a new graph from them.

[ ]:
# Pivot on the first IPv4 indicator in the LockerGoga result set (first column holds the indicator value)
first_ipv4 = lockergoga_indicators_df[lockergoga_indicators_df['indicator_type'] == 'IPv4'].values[0][0]
ip_pulses = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, first_ipv4)
[ ]:
ip_pulses_df = g_otx.indicator_details_by_section_to_pulses_df(ip_pulses)
ip_indicators_df = g_otx.indicator_details_by_section_to_indicators_df(ip_pulses)

g_otx.indicatormap(ip_pulses_df, ip_indicators_df).plot()
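The two steps above (pulses to a pulse/indicator edge table, then a pivot on an IPv4 shared by several pulses) as an added, offline example; this is not the notebook's `gotx` helper, and the pulses below are constructed samples in the OTX pulse JSON shape with placeholder values, not real indicators:

```python
# Added example, not from the notebook or its gotx helper: build the pulse -> indicator
# edge list that an indicator map is drawn from, then find and pivot on shared IPv4s.
import pandas as pd

SAMPLE_PULSES = [  # constructed stand-in for otx.search_pulses(...)['results']
    {"id": "p1", "name": "LockerGoga ransomware samples",
     "indicators": [{"indicator": "0" * 64, "type": "FileHash-SHA256"},
                    {"indicator": "198.51.100.7", "type": "IPv4"}]},
    {"id": "p2", "name": "Powershell backdoor calling back on port 443",
     "indicators": [{"indicator": "198.51.100.7", "type": "IPv4"},
                    {"indicator": "example.invalid", "type": "domain"}]},
    {"id": "p3", "name": "Unrelated credential stealer",
     "indicators": [{"indicator": "203.0.113.9", "type": "IPv4"}]},
]

def pulses_to_df(pulses):
    """One row per pulse: the pulse-level node attributes."""
    return pd.DataFrame([{"pulse_id": p["id"], "pulse_name": p["name"]} for p in pulses])

def pulses_to_indicators_df(pulses):
    """One row per (pulse, indicator) pair: the edge list of the indicator map."""
    rows = [{"pulse_id": p["id"], "indicator": i["indicator"], "indicator_type": i["type"]}
            for p in pulses for i in p.get("indicators", [])]
    return pd.DataFrame(rows)

def shared_indicators(edges, indicator_type="IPv4", min_pulses=2):
    """Indicators of one type that connect at least min_pulses pulses: the pivot candidates.
    Filtering on pulse count is what separates a real link between clusters from a
    single-pulse indicator that would only expand noise."""
    sub = edges[edges["indicator_type"] == indicator_type]
    counts = sub.groupby("indicator")["pulse_id"].nunique()
    return sorted(counts[counts >= min_pulses].index)

def pivot(edges, indicator):
    """Pulse ids that contain the indicator; offline equivalent of the OTX lookup by section."""
    return sorted(edges.loc[edges["indicator"] == indicator, "pulse_id"].unique())

if __name__ == "__main__":
    edges = pulses_to_indicators_df(SAMPLE_PULSES)
    for ip in shared_indicators(edges):
        print(ip, "links pulses", pivot(edges, ip))
```

The resulting `pulses_to_df`/`pulses_to_indicators_df` frames are the two inputs the notebook hands to `indicatormap` before calling `g.plot()`.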