{"report_id":"c21ec89b-6aed-4fda-8f42-f2cc65da1614","version":6,"status":"done","tags":[],"date":"2024-11-29T19:42:39Z","url":{"schema":"http","addr":"222.252.143.43:37883/Mozi.m","fqdn":"222.252.143.43","domain":"222.252.143.43","tld":""},"ip":{"addr":"222.252.143.43","port":0,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":["urlhaus"],"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-07T19:42:39Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"222.252.143.43","ip":{"addr":"222.252.143.43","port":37883,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":4,"request_count":1,"received_data":137586,"sent_data":397,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"3849f30b51a5c49e8d1546960cc206c7","sha1":"61c74136534b826059c63221a2373dc0613a47b7","sha256":"f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","sha512":"43d79293d1fbf716111c27e50df95a0860a0d706079625fa2b8a6b57c5ee06fa7b5b6b8c0acae33714a2181686426728513c990534e44b6f03a05dde0629ab86","magic":"ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV)","size":137480,"url":{"schema":"http","addr":"222.252.143.43:37883/Mozi.m","fqdn":"222.252.143.43","domain":"222.252.143.43","tld":""},"ip":{"addr":"222.252.143.43","port":37883,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects a suspicious ELF binary with UPX compression","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-12","description":"Detects a suspicious ELF binary with UPX compression","hash1":"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4","reference":"Internal Research","rule":"SUSP_ELF_LNX_UPX_Compressed_File","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Packer.Patched_UPX","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-08","fingerprint":"3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d","id":"62e11c64-fc7d-4a0a-9d72-ad53ec3987ff","last_modified":"2021-07-28","license":"Elastic License v2","os":"linux","reference":"https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/","reference_sample":"02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669","rule":"Linux_Packer_Patched_UPX_62e11c64","scan_context":"file","severity":"60","threat_name":"Linux.Packer.Patched_UPX"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-28","alert":"Scan result 43/59","trigger":"f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","verdict":"malicious","severity":"","comment":"malicious - 43/59","link":"https://www.virustotal.com/gui/file/f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"3849f30b51a5c49e8d1546960cc206c7","sha1":"61c74136534b826059c63221a2373dc0613a47b7","sha256":"f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","sha512":"43d79293d1fbf716111c27e50df95a0860a0d706079625fa2b8a6b57c5ee06fa7b5b6b8c0acae33714a2181686426728513c990534e44b6f03a05dde0629ab86","magic":"ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV)","size":137480,"url":{"schema":"http","addr":"222.252.143.43:37883/Mozi.m","fqdn":"222.252.143.43","domain":"222.252.143.43","tld":""},"ip":{"addr":"222.252.143.43","port":37883,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects a suspicious ELF binary with UPX compression","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-12","description":"Detects a suspicious ELF binary with UPX compression","hash1":"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4","reference":"Internal Research","rule":"SUSP_ELF_LNX_UPX_Compressed_File","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Packer.Patched_UPX","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-08","fingerprint":"3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d","id":"62e11c64-fc7d-4a0a-9d72-ad53ec3987ff","last_modified":"2021-07-28","license":"Elastic License v2","os":"linux","reference":"https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/","reference_sample":"02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669","rule":"Linux_Packer_Patched_UPX_62e11c64","scan_context":"file","severity":"60","threat_name":"Linux.Packer.Patched_UPX"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-28","alert":"Scan result 43/59","trigger":"f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","verdict":"malicious","severity":"","comment":"malicious - 43/59","link":"https://www.virustotal.com/gui/file/f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T19:42:14Z","timestamp":1732909334,"ip_dst":{"addr":"172.18.0.10","port":49748,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"222.252.143.43","port":37883,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-11-29T19:42:14.809502+0000\",\"flow_id\":754965477171566,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"222.252.143.43\",\"src_port\":37883,\"dest_ip\":\"172.18.0.10\",\"dest_port\":49748,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"222.252.143.43\",\"http_port\":37883,\"url\":\"/Mozi.m\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/zip\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":2904},\"files\":[{\"filename\":\"/Mozi.m\",\"sid\":[],\"gaps\":false,\"state\":\"UNKNOWN\",\"stored\":false,\"size\":2904,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":6,\"bytes_toserver\":743,\"bytes_toclient\":4800,\"start\":\"2024-11-29T19:42:13.958830+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T19:42:19Z","timestamp":1732909339,"ip_dst":{"addr":"172.18.0.10","port":49752,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"222.252.143.43","port":37883,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download","source":"{\"timestamp\":\"2024-11-29T19:42:19.996149+0000\",\"flow_id\":499335466205960,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"222.252.143.43\",\"src_port\":37883,\"dest_ip\":\"172.18.0.10\",\"dest_port\":49752,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.ELFDownload\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2000418,\"rev\":17,\"signature\":\"ET POLICY Executable and linking format (ELF) file download\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2010_07_30\"],\"updated_at\":[\"2023_04_12\"]}},\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":236,\"bytes_toclient\":1734,\"start\":\"2024-11-29T19:42:14.213768+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects a suspicious ELF binary with UPX compression","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-12","description":"Detects a suspicious ELF binary with UPX compression","hash1":"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4","reference":"Internal Research","rule":"SUSP_ELF_LNX_UPX_Compressed_File","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Packer.Patched_UPX","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-08","fingerprint":"3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d","id":"62e11c64-fc7d-4a0a-9d72-ad53ec3987ff","last_modified":"2021-07-28","license":"Elastic License v2","os":"linux","reference":"https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/","reference_sample":"02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669","rule":"Linux_Packer_Patched_UPX_62e11c64","scan_context":"file","severity":"60","threat_name":"Linux.Packer.Patched_UPX"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"222.252.143.43","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"222.252.143.43:37883/Mozi.m","fqdn":"222.252.143.43","domain":"222.252.143.43","tld":""},"ip":{"addr":"222.252.143.43","port":37883,"asn":45899,"as":"VNPT Corp","country":"Vietnam","country_code":"VN"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-29T19:42:13.961Z","timestamp":1732909333961,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /Mozi.m HTTP/1.1\r\nHost: 222.252.143.43:37883\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 137480\r\nConnection: close\r\nContent-Type: application/zip\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":137480,"size_decoded":137480,"mime_type":"application/zip","magic":"ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV)","md5":"3849f30b51a5c49e8d1546960cc206c7","sha1":"61c74136534b826059c63221a2373dc0613a47b7","sha256":"f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","sha512":"43d79293d1fbf716111c27e50df95a0860a0d706079625fa2b8a6b57c5ee06fa7b5b6b8c0acae33714a2181686426728513c990534e44b6f03a05dde0629ab86","ssdeep":"3072:biMYFJvw6Yh0b1gKobtCGCmCRlrisfrYm:fYFJvwe1gKCYVl2szN","tlshash":"59d31322d3130c4fc02579fa7a2be62a39873e6a24ce449c45f5d66a2fb7084ed71753","first_seen":"2023-05-05T13:35:11Z","last_seen":"2026-04-18T05:21:00.843233Z","times_seen":36232,"resource_available":true,"data":null}},"time_used":2262,"timings":{"blocked":279,"dns":0,"connect":281,"send":0,"wait":289,"receive":1412,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects a suspicious ELF binary with UPX compression","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-12","description":"Detects a suspicious ELF binary with UPX compression","hash1":"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4","reference":"Internal Research","rule":"SUSP_ELF_LNX_UPX_Compressed_File","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Packer.Patched_UPX","trigger":"222.252.143.43:37883/Mozi.m","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-08","fingerprint":"3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d","id":"62e11c64-fc7d-4a0a-9d72-ad53ec3987ff","last_modified":"2021-07-28","license":"Elastic License v2","os":"linux","reference":"https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/","reference_sample":"02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669","rule":"Linux_Packer_Patched_UPX_62e11c64","scan_context":"file","severity":"60","threat_name":"Linux.Packer.Patched_UPX"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"222.252.143.43","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-28","alert":"Scan result 43/59","trigger":"f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","verdict":"malicious","severity":"","comment":"malicious - 43/59","link":"https://www.virustotal.com/gui/file/f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8","meta":null}],"urlquery":null}}]}