ioc[.]one - OSINT Cyber Threat Intelligence Database

Collecting and operationalizing threat data from the Mozi botnet

Tags

cmtmf-attack-pattern:	Obfuscated Files Or Information
country:	Bulgaria India
attack-pattern:	Data Datasets Botnet - T1583.005 Botnet - T1584.005 Exploits - T1587.004 Exploits - T1588.005 Firmware - T1592.003 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Password Spraying - T1110.003 Powershell - T1059.001 Search Engines - T1593.002 Server - T1583.004 Server - T1584.004 Serverless - T1583.007 Serverless - T1584.007 Software - T1592.002 Tool - T1588.002 Obfuscated Files Or Information - T1027 Powershell - T1086 Denial Of Service

Show in Graph

Common Information

Type	Value
UUID	ed4e5c1e-4eee-4233-b2c8-fcd66508241f
Fingerprint	b5852b00e93d83b3
Analysis status	DONE
Considered CTI value	1
Text language
Published	July 27, 2021, midnight
Added to db	Sept. 26, 2022, 9:30 a.m.
Last updated	Nov. 17, 2024, 7:44 p.m.
Headline	UNKNOWN
Title	Collecting and operationalizing threat data from the Mozi botnet
Detected Hints/Tags/Attributes	78/3/46

Source URLs

	Redirection	Url
Details	Source	https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet

URL Provider

Details	Provider	Source level domain
Details	elastic.co	www.elastic.co

Attributes

Details	Type	#Events	Value
Details	Domain	97	abuse.ch
Details	Domain	2	threatfox-api.abuse.ch
Details	Domain	96	malpedia.caad.fkie.fraunhofer.de
Details	Domain	93	bazaar.abuse.ch
Details	Domain	3	mb-api.abuse.ch
Details	Domain	4	dht.transmissionbt.com
Details	Domain	6	router.bittorrent.com
Details	Domain	5	router.utorrent.com
Details	Domain	4	bttracker.debian.org
Details	Domain	2	abc.abc.abc.abc
Details	Domain	39	xxx.xxx.xxx.xxx
Details	Domain	9	event.id
Details	Domain	2	threat.software
Details	Domain	2	threat.software.name
Details	Domain	3	collection.sh
Details	Domain	4127	github.com
Details	Domain	2	tactic.as
Details	Domain	11	threatfox.abuse.ch
Details	Domain	2	cujo.com
Details	Domain	2	vcodispot.com
Details	Domain	38	blog.netlab.360.com
Details	Domain	145	threatpost.com
Details	Domain	101	www.elastic.co
Details	File	2	832fb4090879c1bebe75bea939a9c5724dbf87898febd425f94f7e03ee687d3b.raw
Details	File	8	upx.exe
Details	File	2	indicator.geo
Details	File	2	pipeline.json
Details	File	2	maps.html
Details	File	2	lens.html
Details	Github username	17	elastic
Details	sha256	3	832fb4090879c1bebe75bea939a9c5724dbf87898febd425f94f7e03ee687d3b
Details	IPv4	619	0.0.0.0
Details	Url	2	https://threatfox-api.abuse.ch/api/v1
Details	Url	3	https://mb-api.abuse.ch/api/v1
Details	Url	2	https://github.com/elastic/examples
Details	Url	2	https://github.com/elastic/examples/tree/master/blog/mozin-about
Details	Url	2	https://threatfox.abuse.ch/browse
Details	Url	2	https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware
Details	Url	2	https://vcodispot.com/corrupted-upx-packed-elf-repair
Details	Url	2	https://blag.nullteilerfrei.de/2019/12/26/upx-packed-elf-binaries-of-the-peer-to-peer-botnet-family-mozi
Details	Url	2	https://blog.netlab.360.com/mozi-another-botnet-using-dht
Details	Url	2	https://threatpost.com/mozi-botnet-majority-iot-traffic/159337
Details	Url	2	https://www.bleepingcomputer.com/news/security/new-mozi-p2p-botnet-takes-over-netgear-d-link-huawei-routers
Details	Url	2	https://www.elastic.co/guide/en/kibana/current/maps.html
Details	Url	2	https://www.elastic.co/guide/en/kibana/current/lens.html
Details	Yara rule	2	rule Mozi_Obfuscation_Technique { meta: author = "Elastic Security, Lars Wallenborn (@larsborn)" description = "Detects obfuscation technique used by Mozi botnet." strings: $a = { 55 50 58 21 [4] 00 00 00 00 00 00 00 00 00 00 00 00 } condition: all of them }