{"report_id":"a7551b77-dd3a-45f5-90dc-2d888990cca2","version":6,"status":"done","tags":[],"date":"2024-12-01T19:32:43Z","url":{"schema":"http","addr":"13.251.16.150/aboxodwolejxjvpaP","fqdn":"13.251.16.150","domain":"13.251.16.150","tld":""},"ip":{"addr":"13.251.16.150","port":0,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"final":{"url":{"schema":"http","addr":"13.251.16.150/aboxodwolejxjvpaP","fqdn":"13.251.16.150","domain":"13.251.16.150","tld":"150"},"title":"13.251.16.150/aboxodwolejxjvpaP"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-09T19:32:43Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"13.251.16.150","ip":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":4,"request_count":2,"received_data":807,"sent_data":862,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-12-01T19:32:19Z","timestamp":1733081539,"ip_dst":{"addr":"172.18.0.19","port":42586,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2024-12-01T19:32:19.502899+0000\",\"flow_id\":7794187138563,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"13.251.16.150\",\"src_port\":80,\"dest_ip\":\"172.18.0.19\",\"dest_port\":42586,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_02_15\"],\"reviewed_at\":[\"2024_04_23\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"13.251.16.150\",\"url\":\"/aboxodwolejxjvpaP\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":741,\"bytes_toclient\":800,\"start\":\"2024-12-01T19:32:17.816643+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-12-01T19:32:19Z","timestamp":1733081539,"ip_dst":{"addr":"172.18.0.19","port":42586,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2024-12-01T19:32:19.502899+0000\",\"flow_id\":7794187138563,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"13.251.16.150\",\"src_port\":80,\"dest_ip\":\"172.18.0.19\",\"dest_port\":42586,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2023_05_19\"]}},\"http\":{\"hostname\":\"13.251.16.150\",\"url\":\"/aboxodwolejxjvpaP\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":741,\"bytes_toclient\":800,\"start\":\"2024-12-01T19:32:17.816643+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-12-01","alert":"Sinkholed","trigger":"13.251.16.150","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-12-01","alert":"Sinkholed","trigger":"13.251.16.150","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"13.251.16.150/aboxodwolejxjvpaP","fqdn":"13.251.16.150","domain":"13.251.16.150","tld":""},"ip":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-12-01T19:32:17.817Z","timestamp":1733081537817,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /aboxodwolejxjvpaP HTTP/1.1\r\nHost: 13.251.16.150\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 01 Dec 2024 19:32:18 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: btst=6aa780240c5c61e16954a9dda0020aad|91.90.42.154|1733081538|1733081538|0|1|0; path=/; domain=13.251.16.150; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;\nsnkz=91.90.42.154; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":20,"size_decoded":20,"mime_type":"text/html","magic":"gzip compressed data, from Unix","md5":"7029066c27ac6f5ef18d660d5741979a","sha1":"46c6643f07aa7f6bfe7118de926b86defc5087c4","sha256":"59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2","sha512":"7e8e93f4a89ce7fae011403e14a1d53544c6e6f6b6010d61129dc27937806d2b03802610d7999eab33a4c36b0f9e001d9d76001b8354087634c1aa9c740c536f","ssdeep":"","tlshash":"de70000000c03c30cc00003000000000000c30000000c00300000c3000030c000c003c","first_seen":"2023-04-09T15:32:38Z","last_seen":"2025-03-02T06:10:10.559841Z","times_seen":229342,"resource_available":false,"data":null}},"time_used":1686,"timings":{"blocked":562,"dns":0,"connect":562,"send":0,"wait":562,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-12-01T19:32:19Z","timestamp":1733081539,"ip_dst":{"addr":"172.18.0.19","port":42586,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2024-12-01T19:32:19.502899+0000\",\"flow_id\":7794187138563,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"13.251.16.150\",\"src_port\":80,\"dest_ip\":\"172.18.0.19\",\"dest_port\":42586,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_02_15\"],\"reviewed_at\":[\"2024_04_23\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"13.251.16.150\",\"url\":\"/aboxodwolejxjvpaP\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":741,\"bytes_toclient\":800,\"start\":\"2024-12-01T19:32:17.816643+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-12-01T19:32:19Z","timestamp":1733081539,"ip_dst":{"addr":"172.18.0.19","port":42586,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2024-12-01T19:32:19.502899+0000\",\"flow_id\":7794187138563,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"13.251.16.150\",\"src_port\":80,\"dest_ip\":\"172.18.0.19\",\"dest_port\":42586,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2023_05_19\"]}},\"http\":{\"hostname\":\"13.251.16.150\",\"url\":\"/aboxodwolejxjvpaP\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":741,\"bytes_toclient\":800,\"start\":\"2024-12-01T19:32:17.816643+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-12-01","alert":"Sinkholed","trigger":"13.251.16.150","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"13.251.16.150/favicon.ico","fqdn":"13.251.16.150","domain":"13.251.16.150","tld":""},"ip":{"addr":"13.251.16.150","port":80,"asn":16509,"as":"AMAZON-02","country":"Singapore","country_code":"SG"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://13.251.16.150/aboxodwolejxjvpaP","date":"2024-12-01T19:32:19.047Z","timestamp":1733081539047,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: 13.251.16.150\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://13.251.16.150/aboxodwolejxjvpaP\r\nCookie: btst=6aa780240c5c61e16954a9dda0020aad|91.90.42.154|1733081538|1733081538|0|1|0; snkz=91.90.42.154\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 01 Dec 2024 19:32:19 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: btst=6aa780240c5c61e16954a9dda0020aad|91.90.42.154|1733081539|1733081538|0|2|0; path=/; domain=13.251.16.150; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":20,"size_decoded":20,"mime_type":"text/html","magic":"gzip compressed data, from Unix","md5":"7029066c27ac6f5ef18d660d5741979a","sha1":"46c6643f07aa7f6bfe7118de926b86defc5087c4","sha256":"59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2","sha512":"7e8e93f4a89ce7fae011403e14a1d53544c6e6f6b6010d61129dc27937806d2b03802610d7999eab33a4c36b0f9e001d9d76001b8354087634c1aa9c740c536f","ssdeep":"","tlshash":"de70000000c03c30cc00003000000000000c30000000c00300000c3000030c000c003c","first_seen":"2023-04-09T15:32:38Z","last_seen":"2025-03-02T06:10:10.559841Z","times_seen":229342,"resource_available":false,"data":null}},"time_used":547,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":547,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-12-01","alert":"Sinkholed","trigger":"13.251.16.150","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}