{"report_id":"8c1b24d1-8e9f-42df-878e-c5c018680019","version":6,"status":"done","tags":[],"date":"2024-11-29T19:42:39Z","url":{"schema":"http","addr":"42.227.2.52:38566/Mozi.m","fqdn":"42.227.2.52","domain":"42.227.2.52","tld":""},"ip":{"addr":"42.227.2.52","port":0,"asn":4837,"as":"CHINA UNICOM China169 Backbone","country":"China","country_code":"CN"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":["urlhaus"],"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-07T19:42:39Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"42.227.2.52","ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":1,"request_count":1,"received_data":108,"sent_data":396,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T19:42:15Z","timestamp":1732909335,"ip_dst":{"addr":"172.18.0.25","port":33756,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"42.227.2.52","port":38566,"asn":4837,"as":"CHINA UNICOM China169 Backbone","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-11-29T19:42:15.975252+0000\",\"flow_id\":1142405886982872,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"42.227.2.52\",\"src_port\":38566,\"dest_ip\":\"172.18.0.25\",\"dest_port\":33756,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"42.227.2.52\",\"http_port\":38566,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":2776},\"files\":[{\"filename\":\"/Mozi.m\",\"sid\":[],\"gaps\":false,\"state\":\"UNKNOWN\",\"stored\":false,\"size\":2776,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":13,\"pkts_toclient\":13,\"bytes_toserver\":1482,\"bytes_toclient\":14854,\"start\":\"2024-11-29T19:42:13.998104+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T19:42:19Z","timestamp":1732909339,"ip_dst":{"addr":"172.18.0.25","port":33762,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"42.227.2.52","port":38566,"asn":4837,"as":"CHINA UNICOM China169 Backbone","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-11-29T19:42:19.808037+0000\",\"flow_id\":838560573215048,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"42.227.2.52\",\"src_port\":38566,\"dest_ip\":\"172.18.0.25\",\"dest_port\":33762,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":260,\"bytes_toclient\":1702,\"start\":\"2024-11-29T19:42:14.250184+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"42.227.2.52","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"42.227.2.52:38566/Mozi.m","fqdn":"42.227.2.52","domain":"42.227.2.52","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-29T19:42:14.002Z","timestamp":1732909334002,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /Mozi.m HTTP/1.1\r\nHost: 42.227.2.52:38566\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 135784\r\nConnection: close\r\nContent-Type: application/zip\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-04-18T06:23:13.010739Z","times_seen":13887845,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"42.227.2.52","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}