{"report_id":"a38784be-e20c-4aaa-bd57-d4388db59f3a","version":6,"status":"done","tags":[],"date":"2024-06-11T11:58:41Z","url":{"schema":"http","addr":"223.10.56.107:38933/Mozi.m","fqdn":"223.10.56.107","domain":"223.10.56.107","tld":""},"ip":{"addr":"223.10.56.107","port":0,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T13:46:26Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"223.10.56.107:38933","ip":{"addr":"223.10.56.107","port":0,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":6,"request_count":1,"received_data":308066,"sent_data":396,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"eec5c6c219535fba3a0492ea8118b397","sha1":"292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21","sha256":"12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","sha512":"3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400","magic":"ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV)","size":307960,"url":{"schema":"http","addr":"223.10.56.107:38933/Mozi.m","fqdn":"223.10.56.107:38933","domain":"223.10.56.107","tld":"107:38933"},"ip":{"addr":"223.10.56.107","port":0,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-06-11","alert":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","modified":"2022-05-13","reference":"https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()","rule":"SUSP_XORed_Mozilla","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8","id":"5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_5c62e6b2","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b","id":"77137320-6c7e-4bb8-81a4-bd422049c309","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_77137320","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea","id":"ac253e4f-b628-4dd0-91f1-f19099286992","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_ac253e4f","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-06-11","alert":"Scan result 51/66","trigger":"12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","verdict":"malicious","severity":"","comment":"malicious - 51/66","link":"https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:17Z","timestamp":1718107097,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:17.735755+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":5760},\"files\":[{\"filename\":\"/Mozi.m\",\"sid\":[],\"gaps\":false,\"state\":\"UNKNOWN\",\"stored\":false,\"size\":5760,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":8,\"bytes_toserver\":934,\"bytes_toclient\":7844,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.817622+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":231840},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":146,\"pkts_toclient\":165,\"bytes_toserver\":10042,\"bytes_toclient\":244286,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.817727+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":236160},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":149,\"pkts_toclient\":168,\"bytes_toserver\":10240,\"bytes_toclient\":248804,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.817957+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":241920},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":153,\"pkts_toclient\":172,\"bytes_toserver\":10504,\"bytes_toclient\":254828,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.822576+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":246240},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":175,\"bytes_toserver\":10702,\"bytes_toclient\":259346,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.822802+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":249120},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":158,\"pkts_toclient\":177,\"bytes_toserver\":10834,\"bytes_toclient\":262358,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.822927+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":252000},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":160,\"pkts_toclient\":179,\"bytes_toserver\":10966,\"bytes_toclient\":265370,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:18Z","timestamp":1718107098,"ip_dst":{"addr":"Client IP","port":33828,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:18.822983+0000\",\"flow_id\":1641730778200071,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33828,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"223.10.56.107\",\"http_port\":38933,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":254880},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":162,\"pkts_toclient\":181,\"bytes_toserver\":11098,\"bytes_toclient\":268382,\"start\":\"2024-06-11T11:58:17.194567+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-06-11T11:58:23Z","timestamp":1718107103,"ip_dst":{"addr":"Client IP","port":33832,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"223.10.56.107","port":38933,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-06-11T11:58:23.487573+0000\",\"flow_id\":778742999402849,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"223.10.56.107\",\"src_port\":38933,\"dest_ip\":\"172.18.0.6\",\"dest_port\":33832,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":4,\"bytes_toserver\":326,\"bytes_toclient\":1828,\"start\":\"2024-06-11T11:58:17.444769+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-06-11","alert":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","modified":"2022-05-13","reference":"https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()","rule":"SUSP_XORed_Mozilla","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8","id":"5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_5c62e6b2","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b","id":"77137320-6c7e-4bb8-81a4-bd422049c309","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_77137320","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea","id":"ac253e4f-b628-4dd0-91f1-f19099286992","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_ac253e4f","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-06-11","alert":"Sinkholed","trigger":"223.10.56.107","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"223.10.56.107:38933/Mozi.m","fqdn":"223.10.56.107:38933","domain":"223.10.56.107","tld":"107:38933"},"ip":{"addr":"223.10.56.107","port":0,"asn":4134,"as":"Chinanet","country":"China","country_code":"CN"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-06-11T11:58:18.884514019Z","timestamp":1718107098884,"http_version":"","security_state":"","security_info":null,"request":{"raw":"GET /Mozi.m HTTP/1.1\r\nHost: 223.10.56.107:38933\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 307960\r\nConnection: close\r\nContent-Type: application/zip\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":307960,"size_decoded":307960,"mime_type":"application/octet-stream","magic":"ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV)","md5":"eec5c6c219535fba3a0492ea8118b397","sha1":"292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21","sha256":"12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","sha512":"3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400","ssdeep":"6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT","tlshash":"13643a8afd81ae25d5c126bbfe2f4289331317b8d2eb71029d145f2876ca94f0f7a541","first_seen":"2023-05-05T14:51:10Z","last_seen":"2026-05-24T13:58:10.319179Z","times_seen":61171,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-06-11","alert":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2019-10-28","description":"Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.","modified":"2022-05-13","reference":"https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()","rule":"SUSP_XORed_Mozilla","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8","id":"5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_5c62e6b2","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b","id":"77137320-6c7e-4bb8-81a4-bd422049c309","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_77137320","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-06-11","alert":"Linux.Trojan.Mirai","trigger":"223.10.56.107:38933/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea","id":"ac253e4f-b628-4dd0-91f1-f19099286992","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9","rule":"Linux_Trojan_Mirai_ac253e4f","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-06-11","alert":"Sinkholed","trigger":"223.10.56.107","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-06-11","alert":"Scan result 51/66","trigger":"12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","verdict":"malicious","severity":"","comment":"malicious - 51/66","link":"https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef","meta":null}],"urlquery":null}}]}