DECODA’s IOC extraction engine automatically detects indicators of compromise from analysis output using pattern matching with validation. Each indicator is assigned a confidence level and can be exported in machine-readable formats.
## Network Indicators
| Category | Pattern | Confidence | Example |
|---|---|---|---|
| IPv4 | Standard dotted-decimal | High | 192.168.1.100 |
| IPv4 with Port | IP:port format | High | 10.0.0.1:4444 |
| IPv6 | Full and compressed formats | Medium | fe80::1, 2001:db8::1 |
| Domain | Common TLDs used in malware ops | Medium | evil-c2.xyz, payload.onion |
| URL | HTTP/HTTPS/FTP with paths | High | https://malware.site/payload.bin |
| Email | Standard email format | High | attacker@evil.com |
Domain detection covers 60+ TLDs including those commonly abused in malware campaigns: .xyz, .top, .tk, .pw, .onion, .bit, and country-code TLDs.
## File Indicators
| Category | Pattern | Confidence | Example |
|---|---|---|---|
| MD5 | 32 hex characters | Low | d41d8cd98f00b204e9800998ecf8427e |
| SHA-1 | 40 hex characters | Low | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA-256 | 64 hex characters | Low | e3b0c44298fc1c149afbf4c8996fb924... |
| SHA-512 | 128 hex characters | Low | Full 128-char hex string |
| PDB Path | Windows .pdb debug paths | High | C:\Users\dev\malware\Release\loader.pdb |
| Windows Path | Drive letter paths | Medium | C:\Windows\System32\cmd.exe |
| Unix Path | System directory paths | Medium | /tmp/.hidden/payload |
PDB paths are particularly valuable for attribution, as they may reveal developer usernames, project names, and build environments.
## Host Indicators
| Category | Pattern | Confidence | Example |
|---|---|---|---|
| Registry Key | HKEY_* / HKLM / HKCU paths | High | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Mutex | Global\ and Local\ prefixed names | High | Global\{DEADBEEF-1234-5678} |
| User Agent | Mozilla/* HTTP user-agent strings | Medium | Mozilla/5.0 (Windows NT 10.0; ...) |
## Cryptocurrency Indicators
| Category | Pattern | Confidence | Example |
|---|---|---|---|
| Bitcoin | P2PKH (1…), P2SH (3…), Bech32 (bc1…) | High | bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh |
| Monero | Standard addresses starting with 4 | High | 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx... |
## Confidence Levels
Each detected IOC is assigned a confidence level:
- High - Strong structural match with validation (URLs, IPv4 addresses, registry keys, crypto addresses, mutexes)
- Medium - Good pattern match but may have false positives (domains, IPv6 addresses, file paths, user agents)
- Low - Hex string length match only (hashes) - could be coincidental hex sequences
Hash confidence is low because a 32-character hex string could be an MD5 hash, a GUID, or just a hex-encoded value. DECODA uses context from surrounding analysis to improve hash classification.
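To make the "pattern match plus validation" scheme concrete, here is an added Python example; it is not DECODA's own code. The regular expressions, the short TLD list, the keyword-based uplift for hashes (a stand-in for the richer context DECODA uses) and the sample analysis text are all assumptions constructed for the example, reusing the indicator values shown in the tables above.

```python
"""Added example, not DECODA's own code: regex extraction with validation and
the High/Medium/Low scheme described above. Patterns and names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    category: str
    value: str
    confidence: str  # "high" | "medium" | "low"
    context: str     # surrounding text, used here for hash classification
    offset: int      # position in the analysed text


# Deliberately simple patterns; the validation below does the real work.
# Longest hash alternatives come first so a SHA-256 is never cut into an MD5.
PATTERNS = {
    "url": re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "hash": re.compile(r"\b(?:[0-9a-f]{128}|[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    # Assumption: a short TLD list standing in for DECODA's 60+ entries.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:xyz|top|tk|pw|onion|bit|com|net|org)\b", re.I),
}
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HASH_HINTS = ("md5", "sha1", "sha-1", "sha256", "sha-256", "sha512", "hash")


def _valid_ipv4(value):
    """Reject octets above 255 and ports outside 1-65535 (the regex alone accepts 300.1.2.3)."""
    host, _, port = value.partition(":")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return not port or 1 <= int(port) <= 65535


def _context(text, start, end, width=30):
    return text[max(0, start - width):end + width].replace("\n", " ").strip()


def extract_iocs(text):
    """Return IOCs in order of appearance. Patterns run from most to least specific
    and a span already claimed by an earlier pattern is skipped, so the 'evil.com'
    inside attacker@evil.com is not reported a second time as a domain."""
    found, claimed = [], []
    for pattern_name in ("url", "email", "ipv4", "hash", "domain"):
        for m in PATTERNS[pattern_name].finditer(text):
            start, end = m.span()
            if any(s < end and start < e for s, e in claimed):
                continue
            category, value, ctx = pattern_name, m.group(0), _context(text, start, end)
            if category == "ipv4":
                if not _valid_ipv4(value):
                    continue  # structurally wrong: drop rather than report
                confidence = "high"
            elif category == "hash":
                category = HASH_BY_LENGTH[len(value)]
                # Bare hex is Low. Assumption: a hash keyword in the surrounding
                # text lifts it to Medium, standing in for DECODA's context use.
                confidence = "medium" if any(h in ctx.lower() for h in HASH_HINTS) else "low"
            elif category in ("url", "email"):
                confidence = "high"
            else:  # domain: good pattern match, but false positives are possible
                confidence = "medium"
            claimed.append((start, end))
            found.append(IOC(category, value, confidence, ctx, start))
    return sorted(found, key=lambda i: i.offset)


# Constructed sample analysis output built from the values in the tables above.
SAMPLE = """Decoded C2 config: beacon to https://malware.site/payload.bin every 60s,
fallback host 10.0.0.1:4444 and mirror payload.onion; bogus entry 300.1.2.3.
Operator mailbox attacker@evil.com. Dropper sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Unlabelled blob d41d8cd98f00b204e9800998ecf8427e"""

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE):
        print(f"{ioc.category:7} {ioc.confidence:6} {ioc.value}")
```

Running it on the sample reports the URL, the IP:port and the e-mail as High, the `.onion` host as Medium, the labelled SHA-256 as Medium and the unlabelled 32-character hex as Low; the malformed `300.1.2.3` passes the regex but is dropped by validation, which is the difference between a High and a Low category in the table above.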
## Export Formats

IOCs can be exported in three machine-readable formats:
### JSON
Structured data suitable for SIEM ingestion or custom tooling. IOCs are grouped by category:
```json
{
  "format": "ioc_list",
  "version": "1.0",
  "generated_at": "2026-01-01T00:00:00.000Z",
  "total_count": 1,
  "by_category": {
    "ipv4": 1
  },
  "iocs": {
    "ipv4": [
      {
        "category": "ipv4",
        "value": "192.168.1.100",
        "confidence": "high",
        "context": "Found in decoded C2 configuration"
      }
    ]
  }
}
```
### CSV
Spreadsheet-compatible format for manual review or bulk import. Values are defanged by default for safety:
```csv
category,value,confidence,context,offset
ipv4,192.168.1.100,high,Found in decoded C2 configuration,
domain,evil-c2[.]xyz,medium,Referenced in HTTP beacon function,
```
### STIX 2.1
Standard threat intelligence format for sharing between organisations and tools. DECODA generates a valid STIX 2.1 bundle of Cyber Observable Objects - ipv4-addr, ipv6-addr, domain-name, url, email-addr, file (hashes and file paths), windows-registry-key, and mutex.
User-agent strings and cryptocurrency addresses have no native STIX 2.1 observable type and are omitted from the STIX export. Use the JSON or CSV format to retain those categories.
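The following added Python example shows what the CSV and STIX 2.1 exports described above involve; it is not DECODA's exporter. It builds STIX Cyber Observable Objects with the deterministic UUIDv5 ids the STIX 2.1 specification defines for observables, drops the two categories that have no observable type, and defangs the CSV. The category names (`registry_key`, `user_agent`, `bitcoin`, and so on), the choice to defang only URLs, domains and e-mail addresses, and the sample IOC list are assumptions.

```python
"""Added example, not DECODA's exporter: an IOC list rendered as a STIX 2.1 bundle
and as a defanged CSV. Category names and helper names are assumptions."""
import csv
import io
import json
import uuid

# STIX 2.1 gives observables deterministic ids: UUIDv5 over the ID-contributing
# properties, under the fixed STIX observable namespace.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
HASH_NAMES = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}


def _sco(obj_type, contributing):
    """Build one Cyber Observable Object whose id is derived from its contributing properties."""
    seed = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, seed)}", **contributing}


def to_stix_object(ioc):
    """Map one IOC (category/value) to an SCO, or None when STIX has no type for it."""
    cat, value = ioc["category"], ioc["value"]
    if cat == "ipv4":
        # A port is a network-traffic property, not part of ipv4-addr, so it is dropped.
        return _sco("ipv4-addr", {"value": value.split(":")[0]})
    if cat == "ipv6":
        return _sco("ipv6-addr", {"value": value})
    if cat == "domain":
        return _sco("domain-name", {"value": value})
    if cat == "url":
        return _sco("url", {"value": value})
    if cat == "email":
        return _sco("email-addr", {"value": value})
    if cat in HASH_NAMES:
        return _sco("file", {"hashes": {HASH_NAMES[cat]: value}})
    if cat in ("pdb_path", "windows_path", "unix_path"):
        # Simplification: the whole path goes in `name`; a fuller exporter would
        # split off a directory object and use parent_directory_ref.
        return _sco("file", {"name": value})
    if cat == "registry_key":
        return _sco("windows-registry-key", {"key": value})
    if cat == "mutex":
        return _sco("mutex", {"name": value})
    return None  # user_agent, bitcoin, monero: no native STIX 2.1 observable type


def to_stix_bundle(iocs):
    """Bundle the convertible IOCs; identical observables share an id and are emitted once."""
    objects, seen = [], set()
    for ioc in iocs:
        obj = to_stix_object(ioc)
        if obj is not None and obj["id"] not in seen:
            seen.add(obj["id"])
            objects.append(obj)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def defang(category, value):
    """Make network values unclickable: dots become [.] and http/ftp become hxxp/fxp.
    Assumption: only url, domain and email are rewritten; other values stay verbatim."""
    if category not in ("url", "domain", "email"):
        return value
    lowered = value.lower()
    if lowered.startswith("http"):
        value = "hxxp" + value[4:]
    elif lowered.startswith("ftp"):
        value = "fxp" + value[3:]
    return value.replace(".", "[.]")


def to_csv(iocs, defanged=True):
    """Render the five-column CSV layout shown above."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["category", "value", "confidence", "context", "offset"])
    for ioc in iocs:
        value = defang(ioc["category"], ioc["value"]) if defanged else ioc["value"]
        writer.writerow([ioc["category"], value, ioc["confidence"],
                         ioc.get("context", ""), ioc.get("offset", "")])
    return buf.getvalue()


# Constructed IOC list using the sample values from the tables above.
SAMPLE_IOCS = [
    {"category": "ipv4", "value": "192.168.1.100", "confidence": "high",
     "context": "Found in decoded C2 configuration"},
    {"category": "domain", "value": "evil-c2.xyz", "confidence": "medium",
     "context": "Referenced in HTTP beacon function"},
    {"category": "url", "value": "https://malware.site/payload.bin", "confidence": "high"},
    {"category": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "confidence": "low"},
    {"category": "mutex", "value": "Global\\{DEADBEEF-1234-5678}", "confidence": "high"},
    {"category": "user_agent", "value": "Mozilla/5.0 (Windows NT 10.0; ...)", "confidence": "medium"},
    {"category": "bitcoin", "value": "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh", "confidence": "high"},
]

if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(SAMPLE_IOCS), indent=2))
    print(to_csv(SAMPLE_IOCS))
```

Because observable ids are derived from the contributing properties, the same address or hash exported twice, or by two different tools following the specification, yields the same id, which is what lets a receiving platform deduplicate; the user-agent and Bitcoin entries appear only in the CSV, matching the limitation described above.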
## Filtering & Options
When asking the agent to extract IOCs, you can specify:
- Category filter - “Extract only network IOCs” or “Just the file hashes”
- Confidence threshold - “Only high-confidence indicators”
- Defanged output - IOCs are modified to prevent accidental clicks (e.g., hxxps://evil[.]com)
Example prompts:
- “Extract all network IOCs and export as STIX 2.1”
- “Find high-confidence IOCs only, defanged, as CSV”
- “Generate IOCs from this analysis and export as JSON”
## False Positive Filtering
By default, DECODA filters out common false positives:
- Private, reserved, and localhost IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, link-local, etc.)
- Test/example domains (example.com, localhost, .test, .invalid, and similar)
- Empty-file and padding hashes (e.g., the hash of a zero-byte file)
- File extensions that look like domains (.dll, .exe, .sys, .ini, .log, .tmp)
DECODA also maintains an optional benign-domain whitelist (microsoft.com, google.com, certificate authorities, etc.) and a common-system-path filter. These are available but off by default, so legitimate-looking but benign indicators are still reported unless explicitly suppressed.
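As an added illustration of the default filters and the opt-in benign-domain list, the Python below is not DECODA's code. It uses the standard `ipaddress` module for the reserved-range checks, the well-known digests of zero-byte input for the empty-file rule, and the extension list from the bullet above; the category names, the exact domain and whitelist contents, and the sample IOC list are assumptions.

```python
"""Added example, not DECODA's code: the default false-positive filters listed above
plus the opt-in benign-domain list. Category names and list contents are assumptions."""
import hashlib
import ipaddress

# Digests of zero-byte input (MD5, SHA-1, SHA-256): the classic empty-file hit.
EMPTY_FILE_HASHES = {
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
TEST_DOMAINS = {"example.com", "example.net", "example.org", "localhost"}
TEST_SUFFIXES = (".test", ".invalid", ".example", ".localhost")  # reserved names
FILE_EXTENSIONS = {"dll", "exe", "sys", "ini", "log", "tmp"}
# Off by default, as the text says: only applied when passed in explicitly. Contents assumed.
BENIGN_DOMAINS = {"microsoft.com", "google.com", "digicert.com", "letsencrypt.org"}


def is_reserved_ip(value):
    """True for private, loopback, link-local, multicast, unspecified or otherwise
    reserved addresses. An IPv4 'host:port' value has its port stripped first."""
    host = value.split(":")[0] if value.count(":") == 1 else value
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _under(domain, suffixes):
    """True when domain equals, or is a subdomain of, any entry in suffixes."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def is_false_positive(ioc, benign_domains=None):
    cat, value = ioc["category"], ioc["value"].lower().rstrip(".")
    if cat in ("ipv4", "ipv6"):
        return is_reserved_ip(value)
    if cat == "domain":
        if value in TEST_DOMAINS or value.endswith(TEST_SUFFIXES):
            return True
        if value.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            return True  # kernel32.dll satisfies a domain regex but is a file name
        return benign_domains is not None and _under(value, benign_domains)
    if cat in ("md5", "sha1", "sha256"):
        return value in EMPTY_FILE_HASHES
    return False


def filter_iocs(iocs, benign_domains=None):
    """Drop the default false positives; pass benign_domains to also apply the whitelist."""
    return [i for i in iocs if not is_false_positive(i, benign_domains)]


# Constructed sample; 8.8.8.8 appears only as a well-known public address.
SAMPLE_IOCS = [
    {"category": "ipv4", "value": "10.0.0.1:4444"},
    {"category": "ipv4", "value": "8.8.8.8"},
    {"category": "ipv6", "value": "fe80::1"},
    {"category": "domain", "value": "example.com"},
    {"category": "domain", "value": "kernel32.dll"},
    {"category": "domain", "value": "evil-c2.xyz"},
    {"category": "domain", "value": "update.microsoft.com"},
    {"category": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"category": "sha256", "value": hashlib.sha256(b"constructed sample").hexdigest()},
]

if __name__ == "__main__":
    print([i["value"] for i in filter_iocs(SAMPLE_IOCS)])
    print([i["value"] for i in filter_iocs(SAMPLE_IOCS, BENIGN_DOMAINS)])
```

With the defaults, the private IP, the link-local IPv6 address, `example.com`, the `.dll` name and the empty-file MD5 are dropped while `update.microsoft.com` is still reported; only when the benign-domain list is passed in is it suppressed as well, which is the behaviour the paragraph above describes.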