92.154.92.135:46625/Mozi.m
92.154.92.135200 OK 308 kB URL User Request GET HTTP/1.1 92.154.92.135:46625/Mozi.m
IP 92.154.92.135:46625
File type ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV)
Size 308 kB (307960 bytes)
Hash eec5c6c219535fba3a0492ea8118b397
292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Analyzer Verdict Alert Public Nextron YARA rules malware Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Elastic Security YARA Rules malware Linux.Trojan.Mirai
Elastic Security YARA Rules malware Linux.Trojan.Mirai
Elastic Security YARA Rules malware Linux.Trojan.Mirai
Quad9 DNS malicious Sinkholed
VirusTotal malicious
GET /Mozi.m HTTP/1.1
Host: 92.154.92.135:46625
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Length: 307960
Connection: close
Content-Type: application/zip
normandy.cdn.mozilla.net/api/v1/
35.201.103.21 598 B URL normandy.cdn.mozilla.net/api/v1/
IP 35.201.103.21:0
ASN #396982 GOOGLE-CLOUD-PLATFORM
Hash 3076f9a5cb273105528b893ff7111e41
b8990c145fe71b9a2410eea41a60a712b43b82bf
69c578fb0c03a28141a975833f660f4571e7991dc28ae7f9cead37672ee2c9b3
GET /api/v1/ HTTP/1.1
Host: normandy.cdn.mozilla.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
HTTP/2 200 OK
server: nginx
content-length: 598
allow: GET, HEAD, OPTIONS
content-security-policy: object-src 'none'; form-action 'self'; frame-src 'none'; block-all-mixed-content; base-uri 'none'; worker-src 'none'; default-src 'self' https://normandy.cdn.mozilla.net/; report-uri /__cspreport__
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
via: 1.1 google
date: Fri, 26 Apr 2024 23:22:35 GMT
cache-control: public, max-age=86400
content-type: application/json
vary: Accept, Origin
age: 14555
alt-svc: clear
X-Firefox-Spdy: h2
classify-client.services.mozilla.com/api/v1/classify_client/
34.98.75.36 64 B URL classify-client.services.mozilla.com/api/v1/classify_client/
IP 34.98.75.36:0
ASN #396982 GOOGLE-CLOUD-PLATFORM
Hash e4d82a6f3d623b99f6841d8eb6528ad1
f1da5addb7a6ca8786545c2bc2594c6d722c589c
c8bc9a43726d389dd8f9bd59104f97eaded766f6d78b17502ecf51ee2b91b67f
GET /api/v1/classify_client/ HTTP/1.1
Host: classify-client.services.mozilla.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
HTTP/2 200 OK
server: nginx
date: Sat, 27 Apr 2024 03:25:11 GMT
content-type: application/json
content-length: 64
cache-control: max-age=0, no-cache, no-store, must-revalidate
strict-transport-security: max-age=31536000
via: 1.1 google
alt-svc: clear
X-Firefox-Spdy: h2
aus5.mozilla.org/update/3/GMP/111.0a1/20240129201730/Linux_x86_64-gcc3/null/default/Linux%205.15.0-102-generic%20(GTK%203.24.37%2Clibpulse%20not-available)/default/default/update.xml
35.244.181.201 5.8 kB URL aus5.mozilla.org/update/3/GMP/111.0a1/20240129201730/Linux_x86_64-gcc3/null/default/Linux%205.15.0-102-generic%20(GTK%203.24.37%2Clibpulse%20not-available)/default/default/update.xml
IP 35.244.181.201:0
ASN #396982 GOOGLE-CLOUD-PLATFORM
File type gzip compressed data, max speed, from Unix
Hash aa33725c2d0a3d1c2f9c878d64914807
6e83d13ec860384a977738b04ff0891a01ab519a
fe412eadb3dc9820ec6cab7cb62349be057c509e34f7e2de6d23b28eacc98bfd
GET /update/3/GMP/111.0a1/20240129201730/Linux_x86_64-gcc3/null/default/Linux%205.15.0-102-generic%20(GTK%203.24.37%2Clibpulse%20not-available)/default/default/update.xml HTTP/1.1
Host: aus5.mozilla.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
HTTP/2 200 OK
server: nginx
date: Sat, 27 Apr 2024 03:25:22 GMT
content-type: text/xml; charset=utf-8
vary: Accept-Encoding
rule-id: unknown
rule-data-version: unknown
content-signature: x5u=https://content-signature-2.cdn.mozilla.net/chains/aus.content-signature.mozilla.org-2024-06-09-11-51-10.chain; p384ecdsa=ytQ1qDEac9pEW-mq01Z9nMHUDibrJz_G6VpSBcYo2BrIUhNUaaaGFeO5-i2kWCxwMTl13gfvaKFie3DaLkOSM0BJqkFBzmHl-IWZjLQ2Id0KyxaTPJ_amsvWe5jTpkl1
strict-transport-security: max-age=31536000;
x-content-type-options: nosniff
content-security-policy: default-src 'none'; frame-ancestors 'none'
x-proxy-cache-status: EXPIRED
content-encoding: gzip
via: 1.1 google
cache-control: public,max-age=90
alt-svc: clear
X-Firefox-Spdy: h2