{"report_id":"8a784d07-a0ba-48a0-a214-126b21731c50","version":6,"status":"done","tags":[],"date":"2025-09-23T22:18:37Z","url":{"schema":"http","addr":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","fqdn":"185.34.144.92","domain":"185.34.144.92","tld":""},"ip":{"addr":"185.34.144.92","port":0,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"http","addr":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","fqdn":"185.34.144.92","domain":"185.34.144.92","tld":""},"ip":{"addr":"185.34.144.92","port":0,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-28T22:18:37Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":2,"urlquery":0,"analyzer":4}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious GET Request for .arc File","source":"{\"timestamp\":\"2025-09-23T22:18:12.644904+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.22\",\"src_port\":48638,\"dest_ip\":\"185.34.144.92\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2038652,\"rev\":1,\"signature\":\"ET HUNTING Suspicious GET Request for .arc File\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2022_08_29\"],\"deployment\":[\"SSLDecrypt\",\"Perimeter\"],\"reviewed_at\":[\"2024_12_02\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_08_29\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1193},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":703,\"bytes_toclient\":4658,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2025-09-23T22:18:12.872645+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"185.34.144.92\",\"src_port\":80,\"dest_ip\":\"172.18.0.22\",\"dest_port\":48638,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_09_25\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43533},\"files\":[{\"filename\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43533,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1567,\"bytes_toclient\":47050,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-09-23","alert":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","modified":"2022-05-13","reference":"https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()","rule":"SUSP_XORed_Mozilla","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-09-23","alert":"Yakuza botnet","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Elastic Security YARA rules","description":"Elastic Security YARA Rules","scan_date":"2025-09-23","alert":"Linux.Trojan.Gafgyt","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2025-09-23","alert":"Unix.Dropper.Mirai-7135870-0","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null},"summary":[{"fqdn":"185.34.144.92","ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":9,"request_count":2,"received_data":75399,"sent_data":1018,"comment":"","tags":null,"fingerprints":[{"name":"AlmaLinux","description":"AlmaLinux is an open-source, community-driven Linux operating system that fills the gap left by the discontinuation of the CentOS Linux stable release.","website":"https://almalinux.org","common_platform_enumeration":"","icon":"AlmaLinux.svg","categories":["Operating systems"]},{"name":"Apache HTTP Server:2.4.37","description":"Apache is a free and open-source cross-platform web server software.","website":"https://httpd.apache.org/","common_platform_enumeration":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","icon":"Apache.svg","categories":["Web servers"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"8382ad29f144d94ecee8e18a19bee9b5","sha1":"39e31d9d60eac54bbae551a9c912822028923da1","sha256":"b613f9c22ed5ede5ba9df6418a1490158b3cf0241b6eeb8bb335d104c92a13c3","sha512":"0508fb52ef83174f78ea212719e920a1e09fe4a03762b3fd35c738748135a6638b95576ff12430c3c6cc7ccd024474b5d195fc2b1fc6497d9481ea01de5c5dab","magic":"ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV)","size":75132,"url":{"schema":"http","addr":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","fqdn":"185.34.144.92","domain":"185.34.144.92","tld":""},"ip":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-09-23","alert":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","modified":"2022-05-13","reference":"https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()","rule":"SUSP_XORed_Mozilla","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-09-23","alert":"Yakuza botnet","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Elastic Security YARA rules","description":"Elastic Security YARA Rules","scan_date":"2025-09-23","alert":"Linux.Trojan.Gafgyt","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"virustotal","sensor_type":"file","title":"VirusTotal","description":"VirusTotal","scan_date":"2025-09-23","alert":"Scan result 28/63","trigger":"b613f9c22ed5ede5ba9df6418a1490158b3cf0241b6eeb8bb335d104c92a13c3","verdict":"malicious","severity":"","comment":"malicious - 28/63","link":"https://www.virustotal.com/gui/file/b613f9c22ed5ede5ba9df6418a1490158b3cf0241b6eeb8bb335d104c92a13c3","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2025-09-23","alert":"Unix.Dropper.Mirai-7135870-0","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious GET Request for .arc File","source":"{\"timestamp\":\"2025-09-23T22:18:12.644904+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.22\",\"src_port\":48638,\"dest_ip\":\"185.34.144.92\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2038652,\"rev\":1,\"signature\":\"ET HUNTING Suspicious GET Request for .arc File\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2022_08_29\"],\"deployment\":[\"SSLDecrypt\",\"Perimeter\"],\"reviewed_at\":[\"2024_12_02\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_08_29\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1193},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":703,\"bytes_toclient\":4658,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2025-09-23T22:18:12.872645+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"185.34.144.92\",\"src_port\":80,\"dest_ip\":\"172.18.0.22\",\"dest_port\":48638,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_09_25\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43533},\"files\":[{\"filename\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43533,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1567,\"bytes_toclient\":47050,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"}]}],"analyzer":null,"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","fqdn":"185.34.144.92","domain":"185.34.144.92","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-09-23T22:18:12.160Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc HTTP/1.1\r\nHost: 185.34.144.92\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-06-22T02:29:52.920518Z","times_seen":16623839,"resource_available":true,"data":null}},"time_used":117,"timings":{"blocked":117,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious GET Request for .arc File","source":"{\"timestamp\":\"2025-09-23T22:18:12.644904+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.22\",\"src_port\":48638,\"dest_ip\":\"185.34.144.92\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2038652,\"rev\":1,\"signature\":\"ET HUNTING Suspicious GET Request for .arc File\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2022_08_29\"],\"deployment\":[\"SSLDecrypt\",\"Perimeter\"],\"reviewed_at\":[\"2024_12_02\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_08_29\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1193},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":703,\"bytes_toclient\":4658,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2025-09-23T22:18:12.872645+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"185.34.144.92\",\"src_port\":80,\"dest_ip\":\"172.18.0.22\",\"dest_port\":48638,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_09_25\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43533},\"files\":[{\"filename\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43533,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1567,\"bytes_toclient\":47050,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"}],"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","fqdn":"185.34.144.92","domain":"185.34.144.92","tld":""},"ip":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-09-23T22:18:12.425Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc HTTP/1.1\r\nHost: 185.34.144.92\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Tue, 23 Sep 2025 22:18:12 GMT\r\nServer: Apache/2.4.37 (AlmaLinux)\r\nLast-Modified: Mon, 22 Sep 2025 16:31:14 GMT\r\nETag: \"1257c-63f6659192499\"\r\nAccept-Ranges: bytes\r\nContent-Length: 75132\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"AlmaLinux","description":"AlmaLinux is an open-source, community-driven Linux operating system that fills the gap left by the discontinuation of the CentOS Linux stable release.","website":"https://almalinux.org","common_platform_enumeration":"","icon":"AlmaLinux.svg","categories":["Operating systems"]},{"name":"Apache HTTP Server:2.4.37","description":"Apache is a free and open-source cross-platform web server software.","website":"https://httpd.apache.org/","common_platform_enumeration":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","icon":"Apache.svg","categories":["Web servers"]}],"data":{"size":75132,"size_decoded":0,"mime_type":"application/octet-stream","magic":"ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV)","md5":"8382ad29f144d94ecee8e18a19bee9b5","sha1":"39e31d9d60eac54bbae551a9c912822028923da1","sha256":"b613f9c22ed5ede5ba9df6418a1490158b3cf0241b6eeb8bb335d104c92a13c3","sha512":"0508fb52ef83174f78ea212719e920a1e09fe4a03762b3fd35c738748135a6638b95576ff12430c3c6cc7ccd024474b5d195fc2b1fc6497d9481ea01de5c5dab","ssdeep":"1536:yUWelZBDNCDpbR6/XVCcTmt42bamAil0cR7r/WWGcJy+oG8:yU5lZBDNW6FxTUemNl0Er/W405G8","tlshash":"2a731ab41a99f33cedf140b8f44720d628610b083b9cd2e369d3543aef75b497269d59","first_seen":"2025-09-23T22:18:41.064873Z","last_seen":"2025-09-23T22:18:41.064873Z","times_seen":1,"resource_available":false,"data":null}},"time_used":567,"timings":{"blocked":106,"dns":0,"connect":114,"send":0,"wait":114,"receive":233,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious GET Request for .arc File","source":"{\"timestamp\":\"2025-09-23T22:18:12.644904+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.22\",\"src_port\":48638,\"dest_ip\":\"185.34.144.92\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2038652,\"rev\":1,\"signature\":\"ET HUNTING Suspicious GET Request for .arc File\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2022_08_29\"],\"deployment\":[\"SSLDecrypt\",\"Perimeter\"],\"reviewed_at\":[\"2024_12_02\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_08_29\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1193},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":703,\"bytes_toclient\":4658,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T22:18:12Z","timestamp":1758665892,"ip_dst":{"addr":"172.18.0.22","port":48638,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.34.144.92","port":80,"asn":7488,"as":"CNServer LLC","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2025-09-23T22:18:12.872645+0000\",\"flow_id\":531586435275824,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"185.34.144.92\",\"src_port\":80,\"dest_ip\":\"172.18.0.22\",\"dest_port\":48638,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_09_25\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"185.34.144.92\",\"url\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43533},\"files\":[{\"filename\":\"/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43533,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1567,\"bytes_toclient\":47050,\"start\":\"2025-09-23T22:18:12.416816+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-09-23","alert":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","modified":"2022-05-13","reference":"https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()","rule":"SUSP_XORed_Mozilla","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-09-23","alert":"Yakuza botnet","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Elastic Security YARA rules","description":"Elastic Security YARA Rules","scan_date":"2025-09-23","alert":"Linux.Trojan.Gafgyt","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"virustotal","sensor_type":"file","title":"VirusTotal","description":"VirusTotal","scan_date":"2025-09-23","alert":"Scan result 28/63","trigger":"b613f9c22ed5ede5ba9df6418a1490158b3cf0241b6eeb8bb335d104c92a13c3","verdict":"malicious","severity":"","comment":"malicious - 28/63","link":"https://www.virustotal.com/gui/file/b613f9c22ed5ede5ba9df6418a1490158b3cf0241b6eeb8bb335d104c92a13c3","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2025-09-23","alert":"Unix.Dropper.Mirai-7135870-0","trigger":"185.34.144.92/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null}}]}