{"report_id":"2744609f-c9d7-4cbb-9ee1-9b126b2ac2d6","version":6,"status":"done","tags":[],"date":"2024-10-26T00:01:15Z","url":{"schema":"http","addr":"cy1020.click/zj/873229.exe","fqdn":"cy1020.click","domain":"cy1020.click","tld":"click"},"ip":{"addr":"172.67.128.226","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"cy1020.click/zj/873229.exe","fqdn":"cy1020.click","domain":"cy1020.click","tld":"click"},"title":"404 Not Found"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-01-04T00:01:15Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"cy1020.click","ip":{"addr":"172.67.128.226","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"domain_registered":"2024-04-04","domain_rank":0,"first_seen":"2024-10-26T00:01:04.87349Z","last_seen":"2024-10-26T00:01:04.87349Z","alert_count":1,"request_count":2,"received_data":60152,"sent_data":828,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-10-26T00:00:50Z","timestamp":1729900850,"ip_dst":{"addr":"172.67.128.226","port":80,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.11","port":56920,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016","source":"{\"timestamp\":\"2024-10-26T00:00:50.971698+0000\",\"flow_id\":1323832152562057,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.11\",\"src_port\":56920,\"dest_ip\":\"172.67.128.226\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.SuspExeTLDs\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022896,\"rev\":7,\"signature\":\"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2016_06_14\"],\"performance_impact\":[\"Moderate\"],\"reviewed_at\":[\"2024_04_11\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2024_04_22\"]}},\"http\":{\"hostname\":\"cy1020.click\",\"url\":\"/zj/873229.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"https://cy1020.click/zj/873229.exe\",\"length\":167},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":670,\"bytes_toclient\":1236,\"start\":\"2024-10-26T00:00:50.924041+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"cy1020.click/zj/873229.exe","fqdn":"cy1020.click","domain":"cy1020.click","tld":"click"},"ip":{"addr":"172.67.128.226","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-10-26T00:00:50.381Z","timestamp":1729900850381,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"cy1020.click","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sat, 28 Sep 2024 02:04:30 GMT","end":"Fri, 27 Dec 2024 02:04:29 GMT"},"fingerprint":{"sha1":"C5:7D:D9:8D:A0:9F:12:ED:D9:26:AD:C8:04:CA:9C:C3:00:5F:47:14","sha256":"F0:C8:DB:F7:2D:3E:A6:3C:B9:39:08:28:45:6F:FD:58:D2:AA:33:A2:79:34:A8:D6:7D:43:F3:61:59:AD:34:FA"}}},"request":{"raw":"GET /zj/873229.exe HTTP/1.1\r\nHost: cy1020.click\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Sat, 26 Oct 2024 00:00:50 GMT\r\nContent-Type: text/html\r\nContent-Length: 167\r\nConnection: keep-alive\r\nCache-Control: max-age=3600\r\nExpires: Sat, 26 Oct 2024 01:00:50 GMT\r\nLocation: https://cy1020.click/zj/873229.exe\r\nReport-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=OOAwIRkFeKVI%2FpMIJh%2BgDs5hyUiQm%2FJIAQEXOFxqw64hwp%2BKVA2V7HDzQ6J4wtO1R%2BDtr4B6BNb%2F3xxGP6zJhL1lLMJZcJHUg0gGPpeWN1YDHjiObjv2Ur%2FtSJR8hPI%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nNEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nVary: Accept-Encoding\r\nServer: cloudflare\r\nCF-RAY: 8d862b1e6ff35696-OSL\r\nalt-svc: h2=\":443\"; ma=60\r\nserver-timing: cfL4;desc=\"?proto=TCP\u0026rtt=16501\u0026sent=1\u0026recv=3\u0026lost=0\u0026retrans=0\u0026sent_bytes=0\u0026recv_bytes=398\u0026delivery_rate=0\u0026cwnd=249\u0026unsent_bytes=0\u0026cid=0000000000000000\u0026ts=0\u0026x=0\"\r\n","headers":null,"cookies":null,"status_code":"301","status_text":"Moved Permanently","fingerprints":null,"data":{"size":167,"size_decoded":167,"mime_type":"text/html","magic":"HTML document, ASCII text, with CRLF line terminators","md5":"0104c301c5e02bd6148b8703d19b3a73","sha1":"7436e0b4b1f8c222c38069890b75fa2baf9ca620","sha256":"446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f","sha512":"84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf","ssdeep":"","tlshash":"c4c08cad6b523c98b8a73b3960c3a1a0e2ec803022d9042202b04a07f0cb1e78ec23d1","first_seen":"2023-04-05T06:32:17Z","last_seen":"2025-09-21T18:05:05.674757Z","times_seen":190494,"resource_available":false,"data":null}},"time_used":268,"timings":{"blocked":52,"dns":1,"connect":17,"send":0,"wait":161,"receive":0,"ssl":31},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-10-26T00:00:50Z","timestamp":1729900850,"ip_dst":{"addr":"172.67.128.226","port":80,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.11","port":56920,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016","source":"{\"timestamp\":\"2024-10-26T00:00:50.971698+0000\",\"flow_id\":1323832152562057,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.11\",\"src_port\":56920,\"dest_ip\":\"172.67.128.226\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.SuspExeTLDs\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022896,\"rev\":7,\"signature\":\"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2016_06_14\"],\"performance_impact\":[\"Moderate\"],\"reviewed_at\":[\"2024_04_11\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2024_04_22\"]}},\"http\":{\"hostname\":\"cy1020.click\",\"url\":\"/zj/873229.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"https://cy1020.click/zj/873229.exe\",\"length\":167},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":670,\"bytes_toclient\":1236,\"start\":\"2024-10-26T00:00:50.924041+0000\"}}"}],"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"cy1020.click/favicon.ico","fqdn":"cy1020.click","domain":"cy1020.click","tld":"click"},"ip":{"addr":"104.21.2.74","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://cy1020.click/zj/873229.exe","date":"2024-10-26T00:00:51.253Z","timestamp":1729900851253,"http_version":"HTTP/3","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"cy1020.click","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sat, 28 Sep 2024 02:04:30 GMT","end":"Fri, 27 Dec 2024 02:04:29 GMT"},"fingerprint":{"sha1":"C5:7D:D9:8D:A0:9F:12:ED:D9:26:AD:C8:04:CA:9C:C3:00:5F:47:14","sha256":"F0:C8:DB:F7:2D:3E:A6:3C:B9:39:08:28:45:6F:FD:58:D2:AA:33:A2:79:34:A8:D6:7D:43:F3:61:59:AD:34:FA"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: cy1020.click\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://cy1020.click/zj/873229.exe\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 404 Not Found\r\ndate: Sat, 26 Oct 2024 00:00:51 GMT\r\ncontent-type: text/html\r\nvary: Accept-Encoding\r\ncache-control: max-age=14400\r\ncf-cache-status: HIT\r\nage: 11\r\npriority: u=6,i=?0\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=ys6kPe3wgH3BJIfl%2FFNNHwbACLG88kb31GIWTXp7urMCqbcspOKJxIZHU87rfUJTu68td5t29mLa8jR%2B6BntoXvKOgdvPHRjF3mIcxLm71yIJzuNJ6n%2FQ7ul7gogKq8%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncf-ray: 8d862b205eb156a8-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfL4;desc=\"?proto=QUIC\u0026rtt=20312\u0026sent=51\u0026recv=10\u0026lost=0\u0026retrans=0\u0026sent_bytes=49248\u0026recv_bytes=1525\u0026delivery_rate=524789\u0026cwnd=48000\u0026unsent_bytes=0\u0026cid=c67e15c8e2195ad6\u0026ts=662\u0026x=1\", cfExtPri, cfHdrFlush;dur=0\r\n\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":58288,"size_decoded":58288,"mime_type":"text/html","magic":"HTML document, ASCII text, with very long lines (56756)","md5":"b6305f53b4d3432d561eb748f4af25fd","sha1":"e01e5117f6fa0d6b1a82ae3c45839d8097d119b5","sha256":"dc676cc52046a252ee86c463e49bce5b517c932ab100f21cb62e231cb3d7ed7a","sha512":"18f3435e92ce082fc5d52e8c8b3e3186c86bd499afdf405b842d1b0aef771a4d14359bf39d142b591469cc4c4a2016c2f4c6fd646662318cee2ad0f966470b83","ssdeep":"768:cHJYDDQHVZHIs91TXESJBjgBSp00yCqJ3Z+IYM3WiesRQiULO0bpD9tcNQEfdomx:cmDD6oeFUycwpk06hWp1b99c7Vz","tlshash":"0443021803de40a2cd9978d9426f2f3d842a1863da1c94bd1f5b6df4ca0d8a4767f1ea","first_seen":"2024-05-06T13:26:20Z","last_seen":"2026-06-05T18:18:55.358576Z","times_seen":1828,"resource_available":true,"data":null}},"time_used":29,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":28,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}