{ "type": "URL", "indicator": "https://pay.c51.decagonsoftware.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pay.c51.decagonsoftware.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4117572730, "indicator": "https://pay.c51.decagonsoftware.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "199 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "199 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "Python Wheel package", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "DoD Network Information Center (DNIC)", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "https://www.google.com/search" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Unix.dropper.mirai-7135858-0", "Trojan:win32/zusy", "Alf:exploit:win32/gsharedinforef.a", "Wannacry", "Et", "A variant of win32/kryptik.deoa", "Trojan:win32/magania.dsk!mtb" ], "industries": [ "Government", "Telecommunications", "Technology", "Civilian" ], "unique_indicators": 19793 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/decagonsoftware.com", "whois": "http://whois.domaintools.com/decagonsoftware.com", "domain": "decagonsoftware.com", "hostname": "pay.c51.decagonsoftware.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68b798c0a419c49eeb4e2a13", "name": "Archive.ph - Mirai", "description": "Outdated archiving domain of questionable origin can expose or has exposed monitored target/s to\nUnix.Dropper.Mirai-7135858-0.\n\nThe domain seems to want to appear as if it originates from Russia. There is a DoD & Endgame systems relationship. Multiple archived pages have been injected and deleted.\n(Little Endian) is a name seen often related to an innocent known to be targeted by a pro male entity who utilizes Pegasus, Palantir, Gotham, Foundry , Tulach, for silencing.\n#trulymissed #mirai #malicious", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-03T01:24:16.418000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "199 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c54659742e10df0e2dd0ec", "name": "Archive.ph - Mirai", "description": "", "modified": "2025-10-03T00:01:12.616000", "created": "2025-09-13T10:24:25.814000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "javascript", "spawns", "united", "present aug", "div div", "meta", "fffae1", "xml title", "drag", "div form", "form div", "a li", "encrypt", "russia", "passive dns", "urls", "aaaa", "netherlands", "your ip", "panama", "russia unknown", "present mar", "present jun", "moved", "present jul", "present sep", "ip address", "present jan", "body", "title", "domain", "files", "content type", "body doctype", "as16509", "intel mac", "os x", "ipv4 add", "port", "destination", "read c", "medium", "entries", "et info", "execution", "next", "dock", "write", "persistence", "malware", "url analysis", "files ip", "name server", "domain address", "algorithm", "key identifier", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "us as15169", "us as396982", "mitre att", "pattern match", "form", "onload", "general", "local", "path", "click", "strings", "verify", "asnone", "china as4134", "resolverror", "high", "dns query", "as7018 att", "japan as4713", "south korea", "little \u2018endian\u2019", "mirai", "dod", "endgame systems", "government overreach", "sabey type", "foundry type", "apple", "cve" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135858-0", "display_name": "Unix.Dropper.Mirai-7135858-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "68b798c0a419c49eeb4e2a13", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2069, "domain": 406, "FileHash-SHA256": 1498, "hostname": 811, "FileHash-MD5": 150, "FileHash-SHA1": 138, "SSLCertFingerprint": 8, "CIDR": 1, "CVE": 1 }, "indicator_count": 5082, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "199 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pay.c51.decagonsoftware.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pay.c51.decagonsoftware.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776684808.063309 }