{ "type": "URL", "indicator": "https://o.location.search/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://o.location.search/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3857668494, "indicator": "https://o.location.search/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664bd9b732ecaf1b3c3beddf", "name": "Found some problems - Files from the UAlberta Google Drive Archive", "description": "Been looking for these...Gifts from the University of Alberta to the World apparently\n*Please note: I emptied out the Drive, however, there was a significant amount of abuse re: Google and Microsoft Accounts at the University of Alberta (reported).\n*On the Google side I utilized: Drive (a little), Docs/Slides/Sheets (when groupwork was required)\n*On the Microsoft side I utilized: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I used to also have a personal microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however - 'bad things' usually happen because of this). I have no access to my personal Microsoft Account (i.e. myself and other affected student(s) do not have access to our personal stuff.", "modified": "2024-09-03T00:02:13.980000", "created": "2024-05-20T23:16:07.255000", "tags": [ "contact", "quick", "destination", "entry", "safety", "local", "health", "travel", "notification", "considerations", "service", "criminal", "showit", "click", "outcome", "step", "please", "class", "questions set", "question set", "unlock", "continue", "jointfilingyes", "jointfilingno", "minimum req", "domicileresusno", "joint sponsor", "sponsorjoint", "path", "href", "span", "activetab", "starton", "newpage", "searchq", "datasia", "datacon", "segfilter", "subsite", "issuance agency", "visas", "null", "state", "dialog field", "tabpanel", "recaptcha", "nameinputvisa", "fullnameinput1", "license headers", "tools", "templates", "sia contact", "visa", "website", "phoneregexp", "emailregexp", "azaz", "urlpattern", "example starter", "javascript", "fetch", "comptwo", "compone", "dateofbirth", "function", "date", "passport", "nameinput", "fullnameinput", "adult passport", "child passport", "new child", "new adult", "new passport", "datepicker", "ds5504", "hideit", "infinity", "false", "jquery", "error", "body", "trident", "simple", "turn", "back", "calendar", "format", "february", "april", "june", "august", "show", "page has", "bcdate", "col1child", "col2child", "coldatechild", "rowdisplay", "val1", "val2", "repaginate", "grab", "jandec", "86400000", "current", "namerbcontactme", "agency", "compliment", "complaint", "passportfees", "customerservice", "bymail", "namerbcategory", "brokenlink", "search", "departuredate", "calendar date", "picker", "change", "month", "vital", "records form", "component js", "select", "please enter", "azaz09", "dddddd", "woff2", "woff", "truetype", "css document", "efefef", "ffffff", "gradienttype0", "galaxy", "nexus", "iphone5", "abtn", "bbtn", "cbtn", "dbtn", "ebtn", "fbtn", "gbtn", "hbtn", "ibtn", "media query", "from", "fce68e", "font family", "bold", "document", "cc3333", "b7b7b7", "e2edff", "ced9ea", "pm author", "ipca csi", "helvetica", "arial", "cq aem", "feed classes", "f2cd54", "f4d97e", "portrait", "landscape", "ipad", "declare", "immigrant", "visa navigation", "navigation css", "georgia", "times new", "roman", "times", "verdana", "photomodal", "styles media", "ff0000", "queries", "form component", "typetext", "queries media", "phone media", "tablet styles", "media queries", "jumbo sized", "copyright", "gpl version", "http", "alpha", "button", "out width", "ui css", "framework", "icons", "misc", "mini", "input", "label", "textarea", "overlays", "csi page", "embassy info", "embassy data", "embassy names", "end adjust", "embassy nameso", "pages", "e1a04d", "c0c0c0", "ffffff url", "us survey", "component css", "country list", "e7eceb", "important", "additional css", "wizard", "corner radius", "f97800", "c61700", "largestbox", "thisbox", "csi navigation", "ui autocomplete", "ui menu", "noticeid", "countnote", "largestnote", "thisnote", "desktops", "43px", "42px", "large", "aem interface", "styles", "web email", "ytconfig", "typeerror", "facebook pixel", "pixel code", "symbol", "fblog", "typeof", "iterator", "pageview", "pixel", "facebook", "config", "meta", "propname", "dpjquerydpuuid", "this", "next", "atom", "cookie", "iframe", "close", "string", "number", "edge", "regexp", "silk", "sxa0", "object", "opera", "android", "void", "form", "UAlberta", "Android", "Mac", "iPhone", "Gov Alberta", "AWS", "AZURE", "ENTRA", "iCloud", "Telus", "Bitdefender", "Norton" ], "references": [ "Copy of clientlib.js(1).download", "Copy of clientlib.js(2).download", "Copy of clientlib.js(5).download", "Copy of clientlib.js(7).download", "Copy of clientlib.js(4).download", "Copy of clientlib.js(10).download", "Copy of clientlib.js(8).download", "Copy of clientlib.js(11).download", "Copy of clientlib.js(12).download", "Copy of clientlib.js(13).download", "Copy of clientlib.js(14).download", "Copy of clientlib.js(9).download", "Copy of clientlib.js(16).download", "Copy of clientlib.js(17).download", "Copy of clientlib.js(18).download", "Copy of clientlib.js(3).download", "Copy of clientlib.js(19).download", "Copy of clientlib.js(15).download", "Copy of clientlib.js(22).download", "Copy of clientlib.js(23).download", "Copy of clientlib.js(21).download", "Copy of clientlib.js(26).download", "Copy of clientlib.js(25).download", "Copy of clientlib.js(24).download", "Copy of clientlib.js(31).download", "Copy of clientlib.js(28).download", "Copy of clientlib.js(30).download", "Copy of clientlib.js(32).download", "Copy of clientlib.js(29).download", "Copy of clientlib.js(34).download", "Copy of clientlib.js(35).download", "Copy of clientlib.js(37).download", "Copy of clientlib.js(36).download", "Copy of clientlib.js(38).download", "Copy of clientlib.js(39).download", "Copy of clientlib.js(33).download", "Copy of clientlib.js(44).download", "Copy of clientlib.js(43).download", "Copy of clientlib.js(41).download", "Copy of clientlib.js(42).download", "Copy of clientlib.js(45).download", "Copy of clientlib.js(51).download", "Copy of clientlib.js(56).download", "Copy of clientlib.js(55).download", "Copy of clientlib.js(54).download", "Copy of clientlib.js(57).download", "Copy of clientlib.js(52).download", "Copy of clientlib.js(53).download", "Copy of clientlib.js(60).download", "Copy of clientlib(1).css", "Copy of clientlib.js(59).download", "Copy of clientlib(3).css", "Copy of clientlib(2).css", "Copy of clientlib(5).css", "Copy of clientlib.js(58).download", "Copy of clientlib(8).css", "Copy of clientlib(10).css", "Copy of clientlib(7).css", "Copy of clientlib(6).css", "Copy of clientlib(12).css", "Copy of clientlib(13).css", "Copy of clientlib(9).css", "Copy of clientlib(4).css", "Copy of clientlib(14).css", "Copy of clientlib(17).css", "Copy of clientlib(15).css", "Copy of clientlib(19).css", "Copy of clientlib(18).css", "Copy of clientlib(11).css", "Copy of clientlib(20).css", "Copy of clientlib(16).css", "Copy of clientlib(23).css", "Copy of clientlib(24).css", "Copy of clientlib(26).css", "Copy of clientlib(25).css", "Copy of clientlib(28).css", "Copy of clientlib(22).css", "Copy of clientlib(27).css", "Copy of clientlib(31).css", "Copy of clientlib(29).css", "Copy of clientlib(30).css", "Copy of clientlib(32).css", "Copy of clientlib(34).css", "Copy of clientlib(35).css", "Copy of clientlib(33).css", "Copy of clientlib(38).css", "Copy of clientlib(37).css", "Copy of clientlib(36).css", "Copy of clientlib(40).css", "Copy of clientlib(39).css", "Copy of clientlib(43).css", "Copy of clientlib(21).css", "Copy of clientlib(41).css", "Copy of clientlib(44).css", "Copy of clientlib(42).css", "Copy of clientlib(46).css", "Copy of clientlib(45).css", "Copy of clientlib(47).css", "Copy of clientlib(48).css", "Copy of clientlib(49).css", "Copy of clientlib(50).css", "Copy of clientlib(52).css", "Copy of clientlib(54).css", "Copy of clientlibs.js(3).download", "Copy of clientlib(53).css", "Copy of clientlibs.js(2).download", "Copy of clientlibs(3).css", "Copy of clientlib(51).css", "Copy of clientlibs(1).css", "Copy of clientlibs(2).css", "Copy of clientlibs.js.download", "Copy of clientlibs.js(4).download", "Copy of clientlibs(5).css", "Copy of clientlibs.css", "Copy of clientlibs(4).css", "Copy of dir (1).c9r", "Copy of clientlib(55).css", "Copy of iframe_api", "Copy of fbevents.js.download", "Copy of clientlibs.js(1).download", "Copy of js", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "hxxps://portal[.]office[.]com/Account", "hxxps://myapplications[.]microsoft[.]com/", "https://tria.ge/240521-rvybaahb79", "https://tria.ge/240521-rxpf6ahd6w", "https://tria.ge/240521-r1yh8shd44", "https://tria.ge/240521-ry949ahe2z/behavioral1", "https://tria.ge/240521-r3mvhshd83" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Mexico", "Anguilla", "Aruba", "Panama", "Ukraine", "Trinidad and Tobago", "Saint Vincent and the Grenadines", "Saint Martin (French part)", "Sint Maarten (Dutch part)", "Philippines", "Netherlands", "Cura\u00e7ao", "Georgia", "Tanzania, United Republic of", "Costa Rica", "Guatemala", "Japan", "Barbados" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Biotechnology", "Telecommunications", "Energy", "Construction", "Chemical", "Agriculture", "Finance", "Media", "Defense", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 251, "hostname": 188, "FileHash-SHA256": 142, "URL": 69, "FileHash-MD5": 77, "FileHash-SHA1": 77 }, "indicator_count": 804, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "754 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Copy of clientlib(46).css", "Copy of clientlib.js(24).download", "Copy of clientlib(13).css", "Copy of clientlib(21).css", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Copy of clientlib.js(56).download", "Copy of clientlib(12).css", "https://tria.ge/240521-rxpf6ahd6w", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Copy of clientlib(32).css", "Copy of clientlib(6).css", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "Copy of clientlib(25).css", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Copy of clientlib(36).css", "Copy of clientlibs.js(2).download", "Copy of clientlib.js(30).download", "Copy of clientlibs.js.download", "Copy of clientlib(55).css", "Copy of clientlibs(3).css", "Copy of clientlib(34).css", "Copy of clientlib(28).css", "Copy of clientlib.js(7).download", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "Copy of clientlib(9).css", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "Copy of clientlib(30).css", "Copy of clientlib(50).css", "Copy of clientlib(52).css", "hxxps://myapplications[.]microsoft[.]com/", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "Copy of clientlib(19).css", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "https://tria.ge/240521-r1yh8shd44", "https://tria.ge/240521-r3mvhshd83", "Copy of clientlib(24).css", "Copy of clientlib(47).css", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Copy of clientlib(22).css", "Copy of clientlib.js(54).download", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Copy of clientlib.js(10).download", "Copy of clientlib.js(28).download", "Copy of clientlib(4).css", "Copy of clientlib.js(52).download", "Copy of clientlib(10).css", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "Copy of clientlib.js(35).download", "Copy of clientlib.js(12).download", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "Copy of clientlib.js(18).download", "Copy of clientlib.js(60).download", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "Copy of clientlib.js(13).download", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Copy of clientlib(44).css", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Copy of clientlib(18).css", "Copy of clientlib.js(9).download", "Copy of clientlib(42).css", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "https://tria.ge/240521-ry949ahe2z/behavioral1", "Copy of clientlib.js(19).download", "Copy of clientlib(38).css", "Copy of clientlib(35).css", "Copy of clientlib.js(34).download", "Copy of clientlibs.js(4).download", "Copy of clientlib.js(2).download", "Copy of clientlib.js(33).download", "Copy of clientlib(23).css", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Copy of clientlib.js(23).download", "Copy of clientlib.js(3).download", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "Copy of clientlib(53).css", "Copy of fbevents.js.download", "hxxps://portal[.]office[.]com/Account", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "Copy of clientlib.js(25).download", "Copy of clientlib.js(43).download", "Redirects to https://twitter.com?mx=1", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "Copy of clientlib.js(51).download", "Copy of dir (1).c9r", "Copy of clientlib(49).css", "Copy of clientlib.js(29).download", "https://tria.ge/240521-rvybaahb79", "http://x.com/denverpolice/status/", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "Copy of clientlib.js(1).download", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |", "Copy of clientlib(1).css", "Copy of clientlib(5).css", "Copy of clientlib(27).css", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "Copy of clientlib(51).css", "Copy of clientlib.js(15).download", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Copy of clientlib(29).css", "Copy of clientlib(11).css", "Copy of iframe_api", "Copy of clientlib.js(32).download", "Copy of clientlib.js(8).download", "Copy of js", "Copy of clientlib(15).css", "Copy of clientlib.js(38).download", "Copy of clientlib(31).css", "Copy of clientlib(7).css", "Copy of clientlib.js(11).download", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Copy of clientlib.js(58).download", "HOSTEDBYAPPLIEDI.NET - Enom", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Copy of clientlib(2).css", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Copy of clientlib(8).css", "Copy of clientlib.js(42).download", "Copy of clientlib(48).css", "Copy of clientlib.js(59).download", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Copy of clientlib(39).css", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "Copy of clientlib(14).css", "Copy of clientlibs(5).css", "Copy of clientlib(37).css", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "Copy of clientlib.js(39).download", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "Copy of clientlib.js(53).download", "Copy of clientlib(45).css", "Copy of clientlib.js(36).download", "Copy of clientlib.js(41).download", "Copy of clientlibs(1).css", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "Copy of clientlib(17).css", "Copy of clientlib(43).css", "Copy of clientlib.js(16).download", "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "Copy of clientlib.js(22).download", "Copy of clientlibs.js(1).download", "Copy of clientlib(20).css", "nr-data.net [Apple Private Data Collection]", "Copy of clientlib(16).css", "Copy of clientlib.js(17).download", "Copy of clientlib(41).css", "Copy of clientlib.js(37).download", "Copy of clientlib.js(31).download", "Copy of clientlib.js(14).download", "Copy of clientlib.js(21).download", "Copy of clientlib(54).css", "Copy of clientlib.js(26).download", "Copy of clientlib(40).css", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Copy of clientlib.js(45).download", "Copy of clientlib.js(55).download", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "Copy of clientlib.js(57).download", "Copy of clientlibs.js(3).download", "Copy of clientlib(26).css", "Copy of clientlib.js(5).download", "Copy of clientlib(3).css", "Copy of clientlibs.css", "Copy of clientlib.js(44).download", "Copy of clientlib(33).css", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "Copy of clientlibs(2).css", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Copy of clientlibs(4).css", "Copy of clientlib.js(4).download" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32/vflooder.b vtapi dos", "Clicker.bgou", "Ransom", "Elf:mirai-gh\\ [trj]", "Win32:trojan-gen", "Trojan:win32/qqpass", "Win.trojan.downloader-63174", "Unix.trojan.darknexus-7679166-0", "Win32/vflooder.b checkin", "Win.dropper.qqpass-9895638-0", "Wannacry", "Win.trojan.agent-752791", "Win.malware.vtflooder-6723768-0", "Win32:malware-gen", "Mirai" ], "industries": [ "Chemical", "Agriculture", "Transportation", "Telecommunications", "Media", "Construction", "Biotechnology", "Defense", "Energy", "Healthcare", "Technology", "Finance", "Education", "Government" ], "unique_indicators": 58494 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/location.search", "whois": "http://whois.domaintools.com/location.search", "domain": "location.search", "hostname": "o.location.search" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664bd9b732ecaf1b3c3beddf", "name": "Found some problems - Files from the UAlberta Google Drive Archive", "description": "Been looking for these...Gifts from the University of Alberta to the World apparently\n*Please note: I emptied out the Drive, however, there was a significant amount of abuse re: Google and Microsoft Accounts at the University of Alberta (reported).\n*On the Google side I utilized: Drive (a little), Docs/Slides/Sheets (when groupwork was required)\n*On the Microsoft side I utilized: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I used to also have a personal microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however - 'bad things' usually happen because of this). I have no access to my personal Microsoft Account (i.e. myself and other affected student(s) do not have access to our personal stuff.", "modified": "2024-09-03T00:02:13.980000", "created": "2024-05-20T23:16:07.255000", "tags": [ "contact", "quick", "destination", "entry", "safety", "local", "health", "travel", "notification", "considerations", "service", "criminal", "showit", "click", "outcome", "step", "please", "class", "questions set", "question set", "unlock", "continue", "jointfilingyes", "jointfilingno", "minimum req", "domicileresusno", "joint sponsor", "sponsorjoint", "path", "href", "span", "activetab", "starton", "newpage", "searchq", "datasia", "datacon", "segfilter", "subsite", "issuance agency", "visas", "null", "state", "dialog field", "tabpanel", "recaptcha", "nameinputvisa", "fullnameinput1", "license headers", "tools", "templates", "sia contact", "visa", "website", "phoneregexp", "emailregexp", "azaz", "urlpattern", "example starter", "javascript", "fetch", "comptwo", "compone", "dateofbirth", "function", "date", "passport", "nameinput", "fullnameinput", "adult passport", "child passport", "new child", "new adult", "new passport", "datepicker", "ds5504", "hideit", "infinity", "false", "jquery", "error", "body", "trident", "simple", "turn", "back", "calendar", "format", "february", "april", "june", "august", "show", "page has", "bcdate", "col1child", "col2child", "coldatechild", "rowdisplay", "val1", "val2", "repaginate", "grab", "jandec", "86400000", "current", "namerbcontactme", "agency", "compliment", "complaint", "passportfees", "customerservice", "bymail", "namerbcategory", "brokenlink", "search", "departuredate", "calendar date", "picker", "change", "month", "vital", "records form", "component js", "select", "please enter", "azaz09", "dddddd", "woff2", "woff", "truetype", "css document", "efefef", "ffffff", "gradienttype0", "galaxy", "nexus", "iphone5", "abtn", "bbtn", "cbtn", "dbtn", "ebtn", "fbtn", "gbtn", "hbtn", "ibtn", "media query", "from", "fce68e", "font family", "bold", "document", "cc3333", "b7b7b7", "e2edff", "ced9ea", "pm author", "ipca csi", "helvetica", "arial", "cq aem", "feed classes", "f2cd54", "f4d97e", "portrait", "landscape", "ipad", "declare", "immigrant", "visa navigation", "navigation css", "georgia", "times new", "roman", "times", "verdana", "photomodal", "styles media", "ff0000", "queries", "form component", "typetext", "queries media", "phone media", "tablet styles", "media queries", "jumbo sized", "copyright", "gpl version", "http", "alpha", "button", "out width", "ui css", "framework", "icons", "misc", "mini", "input", "label", "textarea", "overlays", "csi page", "embassy info", "embassy data", "embassy names", "end adjust", "embassy nameso", "pages", "e1a04d", "c0c0c0", "ffffff url", "us survey", "component css", "country list", "e7eceb", "important", "additional css", "wizard", "corner radius", "f97800", "c61700", "largestbox", "thisbox", "csi navigation", "ui autocomplete", "ui menu", "noticeid", "countnote", "largestnote", "thisnote", "desktops", "43px", "42px", "large", "aem interface", "styles", "web email", "ytconfig", "typeerror", "facebook pixel", "pixel code", "symbol", "fblog", "typeof", "iterator", "pageview", "pixel", "facebook", "config", "meta", "propname", "dpjquerydpuuid", "this", "next", "atom", "cookie", "iframe", "close", "string", "number", "edge", "regexp", "silk", "sxa0", "object", "opera", "android", "void", "form", "UAlberta", "Android", "Mac", "iPhone", "Gov Alberta", "AWS", "AZURE", "ENTRA", "iCloud", "Telus", "Bitdefender", "Norton" ], "references": [ "Copy of clientlib.js(1).download", "Copy of clientlib.js(2).download", "Copy of clientlib.js(5).download", "Copy of clientlib.js(7).download", "Copy of clientlib.js(4).download", "Copy of clientlib.js(10).download", "Copy of clientlib.js(8).download", "Copy of clientlib.js(11).download", "Copy of clientlib.js(12).download", "Copy of clientlib.js(13).download", "Copy of clientlib.js(14).download", "Copy of clientlib.js(9).download", "Copy of clientlib.js(16).download", "Copy of clientlib.js(17).download", "Copy of clientlib.js(18).download", "Copy of clientlib.js(3).download", "Copy of clientlib.js(19).download", "Copy of clientlib.js(15).download", "Copy of clientlib.js(22).download", "Copy of clientlib.js(23).download", "Copy of clientlib.js(21).download", "Copy of clientlib.js(26).download", "Copy of clientlib.js(25).download", "Copy of clientlib.js(24).download", "Copy of clientlib.js(31).download", "Copy of clientlib.js(28).download", "Copy of clientlib.js(30).download", "Copy of clientlib.js(32).download", "Copy of clientlib.js(29).download", "Copy of clientlib.js(34).download", "Copy of clientlib.js(35).download", "Copy of clientlib.js(37).download", "Copy of clientlib.js(36).download", "Copy of clientlib.js(38).download", "Copy of clientlib.js(39).download", "Copy of clientlib.js(33).download", "Copy of clientlib.js(44).download", "Copy of clientlib.js(43).download", "Copy of clientlib.js(41).download", "Copy of clientlib.js(42).download", "Copy of clientlib.js(45).download", "Copy of clientlib.js(51).download", "Copy of clientlib.js(56).download", "Copy of clientlib.js(55).download", "Copy of clientlib.js(54).download", "Copy of clientlib.js(57).download", "Copy of clientlib.js(52).download", "Copy of clientlib.js(53).download", "Copy of clientlib.js(60).download", "Copy of clientlib(1).css", "Copy of clientlib.js(59).download", "Copy of clientlib(3).css", "Copy of clientlib(2).css", "Copy of clientlib(5).css", "Copy of clientlib.js(58).download", "Copy of clientlib(8).css", "Copy of clientlib(10).css", "Copy of clientlib(7).css", "Copy of clientlib(6).css", "Copy of clientlib(12).css", "Copy of clientlib(13).css", "Copy of clientlib(9).css", "Copy of clientlib(4).css", "Copy of clientlib(14).css", "Copy of clientlib(17).css", "Copy of clientlib(15).css", "Copy of clientlib(19).css", "Copy of clientlib(18).css", "Copy of clientlib(11).css", "Copy of clientlib(20).css", "Copy of clientlib(16).css", "Copy of clientlib(23).css", "Copy of clientlib(24).css", "Copy of clientlib(26).css", "Copy of clientlib(25).css", "Copy of clientlib(28).css", "Copy of clientlib(22).css", "Copy of clientlib(27).css", "Copy of clientlib(31).css", "Copy of clientlib(29).css", "Copy of clientlib(30).css", "Copy of clientlib(32).css", "Copy of clientlib(34).css", "Copy of clientlib(35).css", "Copy of clientlib(33).css", "Copy of clientlib(38).css", "Copy of clientlib(37).css", "Copy of clientlib(36).css", "Copy of clientlib(40).css", "Copy of clientlib(39).css", "Copy of clientlib(43).css", "Copy of clientlib(21).css", "Copy of clientlib(41).css", "Copy of clientlib(44).css", "Copy of clientlib(42).css", "Copy of clientlib(46).css", "Copy of clientlib(45).css", "Copy of clientlib(47).css", "Copy of clientlib(48).css", "Copy of clientlib(49).css", "Copy of clientlib(50).css", "Copy of clientlib(52).css", "Copy of clientlib(54).css", "Copy of clientlibs.js(3).download", "Copy of clientlib(53).css", "Copy of clientlibs.js(2).download", "Copy of clientlibs(3).css", "Copy of clientlib(51).css", "Copy of clientlibs(1).css", "Copy of clientlibs(2).css", "Copy of clientlibs.js.download", "Copy of clientlibs.js(4).download", "Copy of clientlibs(5).css", "Copy of clientlibs.css", "Copy of clientlibs(4).css", "Copy of dir (1).c9r", "Copy of clientlib(55).css", "Copy of iframe_api", "Copy of fbevents.js.download", "Copy of clientlibs.js(1).download", "Copy of js", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "hxxps://portal[.]office[.]com/Account", "hxxps://myapplications[.]microsoft[.]com/", "https://tria.ge/240521-rvybaahb79", "https://tria.ge/240521-rxpf6ahd6w", "https://tria.ge/240521-r1yh8shd44", "https://tria.ge/240521-ry949ahe2z/behavioral1", "https://tria.ge/240521-r3mvhshd83" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Mexico", "Anguilla", "Aruba", "Panama", "Ukraine", "Trinidad and Tobago", "Saint Vincent and the Grenadines", "Saint Martin (French part)", "Sint Maarten (Dutch part)", "Philippines", "Netherlands", "Cura\u00e7ao", "Georgia", "Tanzania, United Republic of", "Costa Rica", "Guatemala", "Japan", "Barbados" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Biotechnology", "Telecommunications", "Energy", "Construction", "Chemical", "Agriculture", "Finance", "Media", "Defense", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 251, "hostname": 188, "FileHash-SHA256": 142, "URL": 69, "FileHash-MD5": 77, "FileHash-SHA1": 77 }, "indicator_count": 804, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "754 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://o.location.search/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://o.location.search/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780200066.6268404 }