{"report_id":"7c3e4759-ab4c-469a-aee3-d88e2279a27e","version":6,"status":"done","tags":[],"date":"2024-07-15T04:42:59Z","url":{"schema":"http","addr":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","fqdn":"cpcontacts.78.172-245-112-195.cprapid.com","domain":"78.172-245-112-195.cprapid.com","tld":"172-245-112-195.cprapid.com"},"ip":{"addr":"172.245.112.195","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T09:43:18Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"cpcontacts.78.172-245-112-195.cprapid.com","ip":{"addr":"172.245.112.195","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":5,"request_count":1,"received_data":74450,"sent_data":416,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06 21:45:11","last_seen":"2024-07-14 18:12:33","alert_count":0,"request_count":7,"received_data":6209,"sent_data":2289,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"0c7b0e49c2147c3ead4991feedef8fb8","sha1":"c5eeed107135e54efb030509b1e57ed4bd063f5c","sha256":"629ee7649a2d6fea48f3c0f3bacba8f9f14250531e0f31bfedf5dd3b630bbdb3","sha512":"f0f055802a22c4b40aa86ccfe1933babedaa0d7b7af2c8bbbe8068ba7fd3cfcbbcaaecd26422d82c7d774d35ef0417c849469e26d21c29950e60343610ffefe2","magic":"ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV)","size":74188,"url":{"schema":"http","addr":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","fqdn":"cpcontacts.78.172-245-112-195.cprapid.com","domain":"78.172-245-112-195.cprapid.com","tld":"172-245-112-195.cprapid.com"},"ip":{"addr":"172.245.112.195","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-07-15","alert":"Detects Mirai Botnet Malware","trigger":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-04","description":"Detects Mirai Botnet Malware","hash1":"05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c","hash10":"c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f","hash11":"d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89","hash12":"f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5","hash13":"fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b","hash2":"05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c","hash3":"20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4","hash4":"2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69","hash5":"420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175","hash6":"62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6","hash7":"70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0","hash8":"89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147","hash9":"bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Internal Research","rule":"Mirai_Botnet_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-07-15","alert":"Linux.Trojan.Mirai","trigger":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e","id":"0bce98a2-113e-41e1-95c9-9e1852b26142","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80","rule":"Linux_Trojan_Mirai_0bce98a2","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-07-14","alert":"Scan result 44/66","trigger":"629ee7649a2d6fea48f3c0f3bacba8f9f14250531e0f31bfedf5dd3b630bbdb3","verdict":"malicious","severity":"","comment":"malicious - 44/66","link":"https://www.virustotal.com/gui/file/629ee7649a2d6fea48f3c0f3bacba8f9f14250531e0f31bfedf5dd3b630bbdb3","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-07-15T04:42:27Z","timestamp":1721018547,"ip_dst":{"addr":"Client IP","port":38016,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"172.245.112.195","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2024-07-15T04:42:27.470259+0000\",\"flow_id\":2032553153478359,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.245.112.195\",\"src_port\":80,\"dest_ip\":\"172.18.0.18\",\"dest_port\":38016,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_09_25\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"cpcontacts.78.172-245-112-195.cprapid.com\",\"url\":\"/arm5\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43176},\"files\":[{\"filename\":\"/arm5\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43176,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":33,\"bytes_toserver\":1944,\"bytes_toclient\":47074,\"start\":\"2024-07-15T04:42:27.081623+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-07-15","alert":"Detects Mirai Botnet Malware","trigger":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-04","description":"Detects Mirai Botnet Malware","hash1":"05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c","hash10":"c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f","hash11":"d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89","hash12":"f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5","hash13":"fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b","hash2":"05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c","hash3":"20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4","hash4":"2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69","hash5":"420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175","hash6":"62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6","hash7":"70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0","hash8":"89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147","hash9":"bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Internal Research","rule":"Mirai_Botnet_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-07-15","alert":"Linux.Trojan.Mirai","trigger":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e","id":"0bce98a2-113e-41e1-95c9-9e1852b26142","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80","rule":"Linux_Trojan_Mirai_0bce98a2","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-07-15","alert":"Sinkholed","trigger":"78.172-245-112-195.cprapid.com","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:26.372303119Z","timestamp":1721018546372,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"F724A88C585DE4B49AC6A6B9109DBFD2BA10ECAD612C1DC9CFAD222CA18D0967\"\r\nLast-Modified: Sun, 14 Jul 2024 15:27:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4734\r\nExpires: Mon, 15 Jul 2024 06:01:20 GMT\r\nDate: Mon, 15 Jul 2024 04:42:26 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"309bab809ca002395b203d83805fef51","sha1":"d43bd0ccefdd620a33dea8eff957395c7373520b","sha256":"f724a88c585de4b49ac6a6b9109dbfd2ba10ecad612c1dc9cfad222ca18d0967","sha512":"cc053033cd9b291fe05eed30b948d2b918b2fae91dfc5f89fb6f9dc5aa9d4c1fe63ee77d28f6f6d679e42785d51fe72baa6f166e786b6e2f007e9d9a22ec37b8","ssdeep":"","tlshash":"06f0754b004d7d512938590e58a0c5097a0076f2743408d8b9f041f324547f98aa4d88","first_seen":"2024-07-14T20:44:01Z","last_seen":"2024-08-19T16:58:09.5603Z","times_seen":10802,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:26.382079048Z","timestamp":1721018546382,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"7CD67C1E38BF7CF396230F1F4CA4D83BD04FEDD7D1258139ECFCEDA994200568\"\r\nLast-Modified: Sat, 13 Jul 2024 01:53:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2236\r\nExpires: Mon, 15 Jul 2024 05:19:42 GMT\r\nDate: Mon, 15 Jul 2024 04:42:26 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"59f504b373ca5c60694d89699bf99f9d","sha1":"98d3531909c87a27c1cedcda49b9450cb398bdc7","sha256":"7cd67c1e38bf7cf396230f1f4ca4d83bd04fedd7d1258139ecfceda994200568","sha512":"8c6c664a5999e99e09af7da8e7358e2087cca4e589c4a70f707e07de0a2cf3dd863d45e9305da870fb319d08897c574e85c38dfae6fbe8383c06e4e515672f21","ssdeep":"","tlshash":"70f00e2302a9bd8863340161baa1c0992d285eab14954ab036cc03e3fcb9b7664cc009","first_seen":"2024-07-13T06:31:47Z","last_seen":"2024-08-19T17:05:30.179842Z","times_seen":41364,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:26.648884555Z","timestamp":1721018546648,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"4EFBA0F7A3C02E999FF66FDEEA5E0170EF5FEB724739A1EEB9B4719772C0DEAC\"\r\nLast-Modified: Sun, 14 Jul 2024 23:47:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4788\r\nExpires: Mon, 15 Jul 2024 06:02:14 GMT\r\nDate: Mon, 15 Jul 2024 04:42:26 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"3ce85b1d34b1e8024ca9a37cff66221a","sha1":"39236c242bdb2053821ca7b473582450acff9b39","sha256":"4efba0f7a3c02e999ff66fdeea5e0170ef5feb724739a1eeb9b4719772c0deac","sha512":"e71af0774a11ca58edfccc698e6d8574c1a7e086f0b1d3621b88d6c49d922a5d1ca271ff362aac1be760b4b2c35e4411008249ebaa9ca6bf5606a0808c9e51c5","ssdeep":"","tlshash":"cdf00e051eebbd55b72616023da0c59f7e62edeb34810bae226103f3bc013eb46c8058","first_seen":"2024-07-15T02:12:23Z","last_seen":"2024-08-19T16:57:09.420064Z","times_seen":19833,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:26.80335408Z","timestamp":1721018546803,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"1E08A73FA54952429A067B3CD08BDCAE14DF1354CA56C0F29FDF5731ACD63989\"\r\nLast-Modified: Sun, 14 Jul 2024 16:18:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4817\r\nExpires: Mon, 15 Jul 2024 06:02:43 GMT\r\nDate: Mon, 15 Jul 2024 04:42:26 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"851cd50083ec4a0cf653cb0f0e4965b7","sha1":"5c65b0e574b717e61e548dfbe958f30464739e4f","sha256":"1e08a73fa54952429a067b3cd08bdcae14df1354ca56c0f29fdf5731acd63989","sha512":"9d35a0293328a4806924aa7802cd3cf36be5dcb799c5b561fa8dc3311f52a4e951bf36f9082fa595f4db6545f1a7a58a97e20c0bdb21f3e79cbafee5a8950967","ssdeep":"","tlshash":"59f0c9420ae2ac51bba84d0b7cf0c5096c00bfbc7a0419a084a089e36864bfb84c84e8","first_seen":"2024-07-14T22:04:14Z","last_seen":"2024-08-19T16:58:12.633798Z","times_seen":7211,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","fqdn":"cpcontacts.78.172-245-112-195.cprapid.com","domain":"78.172-245-112-195.cprapid.com","tld":"172-245-112-195.cprapid.com"},"ip":{"addr":"172.245.112.195","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-07-15T04:42:27.084Z","timestamp":1721018547084,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /arm5 HTTP/1.1\r\nHost: cpcontacts.78.172-245-112-195.cprapid.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Mon, 15 Jul 2024 04:42:27 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\nLast-Modified: Sat, 15 Jun 2024 21:58:36 GMT\r\nETag: \"121cc-61af4d586941a\"\r\nAccept-Ranges: bytes\r\nContent-Length: 74188\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":74188,"size_decoded":74188,"mime_type":"application/octet-stream","magic":"ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV)","md5":"0c7b0e49c2147c3ead4991feedef8fb8","sha1":"c5eeed107135e54efb030509b1e57ed4bd063f5c","sha256":"629ee7649a2d6fea48f3c0f3bacba8f9f14250531e0f31bfedf5dd3b630bbdb3","sha512":"f0f055802a22c4b40aa86ccfe1933babedaa0d7b7af2c8bbbe8068ba7fd3cfcbbcaaecd26422d82c7d774d35ef0417c849469e26d21c29950e60343610ffefe2","ssdeep":"1536:ZgnNEAHT9oc7do2p0ctwtWDVEWYJcDNlTOiSU5mAKEz:FAz9Zp9lwtWDVEWY+iU5XPz","tlshash":"1373e94af9829f11d4d622baff8f41493313bba8e3ee7102dd205f5427ca59b0a77512","first_seen":"2024-06-20T08:58:06Z","last_seen":"2024-08-19T19:24:15.679583Z","times_seen":1580,"resource_available":false,"data":null}},"time_used":485,"timings":{"blocked":94,"dns":0,"connect":97,"send":0,"wait":98,"receive":196,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-07-15T04:42:27Z","timestamp":1721018547,"ip_dst":{"addr":"172.18.0.18","port":38016,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"172.245.112.195","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2024-07-15T04:42:27.470259+0000\",\"flow_id\":2032553153478359,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.245.112.195\",\"src_port\":80,\"dest_ip\":\"172.18.0.18\",\"dest_port\":38016,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_09_25\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"cpcontacts.78.172-245-112-195.cprapid.com\",\"url\":\"/arm5\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43176},\"files\":[{\"filename\":\"/arm5\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43176,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":33,\"bytes_toserver\":1944,\"bytes_toclient\":47074,\"start\":\"2024-07-15T04:42:27.081623+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-07-15","alert":"Detects Mirai Botnet Malware","trigger":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-10-04","description":"Detects Mirai Botnet Malware","hash1":"05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c","hash10":"c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f","hash11":"d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89","hash12":"f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5","hash13":"fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b","hash2":"05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c","hash3":"20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4","hash4":"2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69","hash5":"420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175","hash6":"62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6","hash7":"70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0","hash8":"89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147","hash9":"bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2023-01-27","reference":"Internal Research","rule":"Mirai_Botnet_Malware"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-07-15","alert":"Linux.Trojan.Mirai","trigger":"cpcontacts.78.172-245-112-195.cprapid.com/arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e","id":"0bce98a2-113e-41e1-95c9-9e1852b26142","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80","rule":"Linux_Trojan_Mirai_0bce98a2","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-07-15","alert":"Sinkholed","trigger":"78.172-245-112-195.cprapid.com","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-07-14","alert":"Scan result 44/66","trigger":"629ee7649a2d6fea48f3c0f3bacba8f9f14250531e0f31bfedf5dd3b630bbdb3","verdict":"malicious","severity":"","comment":"malicious - 44/66","link":"https://www.virustotal.com/gui/file/629ee7649a2d6fea48f3c0f3bacba8f9f14250531e0f31bfedf5dd3b630bbdb3","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:28.389512802Z","timestamp":1721018548389,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"B76186C793CDE690AF253F9096553D00DFFD54DC33FAF5B9A7059B5CE61DE651\"\r\nLast-Modified: Sat, 13 Jul 2024 05:32:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2188\r\nExpires: Mon, 15 Jul 2024 05:18:56 GMT\r\nDate: Mon, 15 Jul 2024 04:42:28 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"80ee007415e4a9cd9ff180ee56d4fd90","sha1":"08276896e8774d12a699400ffe88939d02acd056","sha256":"b76186c793cde690af253f9096553d00dffd54dc33faf5b9a7059b5ce61de651","sha512":"9aef5dde7a8c139e89cd83acf1c8b6a05e9d41e78c336550035609341942ad6d92ee42f3ff07a8b4301372a22e7eae3de1d6495124e51dd5e8bbae36c1af0ada","ssdeep":"","tlshash":"9df0c99028ac39a2a8a614269ceda76a8d10bce5300009dc388486e3e9527ebb1c045c","first_seen":"2024-07-13T09:16:33Z","last_seen":"2024-08-19T17:04:57.5713Z","times_seen":47007,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:28.394706021Z","timestamp":1721018548394,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"B76186C793CDE690AF253F9096553D00DFFD54DC33FAF5B9A7059B5CE61DE651\"\r\nLast-Modified: Sat, 13 Jul 2024 05:32:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2188\r\nExpires: Mon, 15 Jul 2024 05:18:56 GMT\r\nDate: Mon, 15 Jul 2024 04:42:28 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"80ee007415e4a9cd9ff180ee56d4fd90","sha1":"08276896e8774d12a699400ffe88939d02acd056","sha256":"b76186c793cde690af253f9096553d00dffd54dc33faf5b9a7059b5ce61de651","sha512":"9aef5dde7a8c139e89cd83acf1c8b6a05e9d41e78c336550035609341942ad6d92ee42f3ff07a8b4301372a22e7eae3de1d6495124e51dd5e8bbae36c1af0ada","ssdeep":"","tlshash":"9df0c99028ac39a2a8a614269ceda76a8d10bce5300009dc388486e3e9527ebb1c045c","first_seen":"2024-07-13T09:16:33Z","last_seen":"2024-08-19T17:04:57.5713Z","times_seen":47007,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.27","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-07-15T04:42:28.39674051Z","timestamp":1721018548396,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"B76186C793CDE690AF253F9096553D00DFFD54DC33FAF5B9A7059B5CE61DE651\"\r\nLast-Modified: Sat, 13 Jul 2024 05:32:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2188\r\nExpires: Mon, 15 Jul 2024 05:18:56 GMT\r\nDate: Mon, 15 Jul 2024 04:42:28 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"80ee007415e4a9cd9ff180ee56d4fd90","sha1":"08276896e8774d12a699400ffe88939d02acd056","sha256":"b76186c793cde690af253f9096553d00dffd54dc33faf5b9a7059b5ce61de651","sha512":"9aef5dde7a8c139e89cd83acf1c8b6a05e9d41e78c336550035609341942ad6d92ee42f3ff07a8b4301372a22e7eae3de1d6495124e51dd5e8bbae36c1af0ada","ssdeep":"","tlshash":"9df0c99028ac39a2a8a614269ceda76a8d10bce5300009dc388486e3e9527ebb1c045c","first_seen":"2024-07-13T09:16:33Z","last_seen":"2024-08-19T17:04:57.5713Z","times_seen":47007,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}