r10.o.lencr.org/
2.23.172.203 504 B IP 2.23.172.203:0
ASN #20940 Akamai International B.V.
Hash a4b0d33ac49c96c71e39bb632bda5673
f4a1b2c6888fbf71cf9f3a36170c0968463df973
b28c45ed35b17a62f81e5aa81541f61740e5dfb5d5c1baa572feed4a4e2db9c5
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "B28C45ED35B17A62F81E5AA81541F61740E5DFB5D5C1BAA572FEED4A4E2DB9C5"
Last-Modified: Tue, 06 Aug 2024 06:28:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=11144
Expires: Thu, 08 Aug 2024 17:36:10 GMT
Date: Thu, 08 Aug 2024 14:30:26 GMT
Connection: keep-alive
r10.o.lencr.org/
2.23.172.203 504 B IP 2.23.172.203:0
ASN #20940 Akamai International B.V.
Hash 361994b45d17874f3d57044be82a542d
ddad8ebd0d7ecdc2c9d07245d5aff4df9e3e0a56
bf3643f753112c9f8fa5204e8ee172a6e0374d160407b7f14e2c0708aa0daad5
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "BF3643F753112C9F8FA5204E8EE172A6E0374D160407B7F14E2C0708AA0DAAD5"
Last-Modified: Tue, 06 Aug 2024 06:27:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=18380
Expires: Thu, 08 Aug 2024 19:36:46 GMT
Date: Thu, 08 Aug 2024 14:30:26 GMT
Connection: keep-alive
r10.o.lencr.org/
2.23.172.203 504 B IP 2.23.172.203:0
ASN #20940 Akamai International B.V.
Hash e7a128439c6dec237227cc4b883a2c99
7794fc9e9bc964823a96cec60a2ec829dbce9919
f0a648a200fc7849174d4b74c6fbfee82b5bd098c9c9cae7084bdafaba169e3b
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "F0A648A200FC7849174D4B74C6FBFEE82B5BD098C9C9CAE7084BDAFABA169E3B"
Last-Modified: Tue, 06 Aug 2024 06:26:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=10252
Expires: Thu, 08 Aug 2024 17:21:19 GMT
Date: Thu, 08 Aug 2024 14:30:27 GMT
Connection: keep-alive
r10.o.lencr.org/
2.23.172.203 504 B IP 2.23.172.203:0
ASN #20940 Akamai International B.V.
Hash 5aa0870760a323e0c76c1574633ed6e1
5ba6f90abf50092defc125757aef5f3775353f40
485adde6605f8d46bbb24f1ce8fbdeba81d44f09b75600300584d408aa9f3ce1
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "485ADDE6605F8D46BBB24F1CE8FBDEBA81D44F09B75600300584D408AA9F3CE1"
Last-Modified: Tue, 06 Aug 2024 06:57:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=11983
Expires: Thu, 08 Aug 2024 17:50:10 GMT
Date: Thu, 08 Aug 2024 14:30:27 GMT
Connection: keep-alive
ocsp.global.sheca.com/ovscag5
47.246.44.225 515 B URL ocsp.global.sheca.com/ovscag5
IP 47.246.44.225:0
ASN #24429 Zhejiang Taobao Network Co.,Ltd
Hash 4f26f8931dd6ff8eafc0713554d7c2e0
d1c724c41303d39517a87acb2a44cc65abfb4a14
066895ba8b9384f4bbded4463226fbb515f5838929bd804b51a53a0b20626f0d
POST /ovscag5 HTTP/1.1
Host: ocsp.global.sheca.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 83
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/ocsp-response
Content-Length: 515
Connection: keep-alive
Date: Thu, 08 Aug 2024 07:30:23 GMT
Cache-Control: max-age=86400, public, no-transform, must-revalidate
Etag: "04f26f8931dd6ff8eafc0713554d7c2e0"
Expires: Tue, 13 Aug 2024 03:44:21 GMT
Last-Modified: Thu, 08 Aug 2024 03:44:21 GMT
Via: cache14.l2de2[0,0,200-0,H], cache21.l2de2[1,0], ens-cache9.se2[231,231,200-0,M], ens-cache9.se2[233,0]
Age: 25204
Ali-Swift-Global-Savetime: 1723102223
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Thu, 08 Aug 2024 14:30:27 GMT
X-Swift-CacheTime: 61196
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Timing-Allow-Origin: *
EagleId: 2ff62c9d17231274276824840e
best.obs.cn-sz1.ctyun.cn/cn/sysnew.spc
113.108.66.99 200 OK 108 kB URL User Request GET HTTP/1.1 best.obs.cn-sz1.ctyun.cn/cn/sysnew.spc
IP 113.108.66.99:443
Certificate Issuer UniTrust
Subject *.ctyun.cn
Fingerprint E1:76:B2:49:B2:6F:6D:91:E2:41:80:B1:F3:53:F6:88:03:F7:DD:D1
Validity Fri, 01 Sep 2023 02:08:59 GMT - Tue, 01 Oct 2024 15:59:59 GMT
File type ELF 32-bit MSB executable, SPARC, version 1 (SYSV)
Size 108 kB (107900 bytes)
Hash c7d2a0a8fe7a1141355b0b2e3364aadf
e355201008711671796ea29d186a45fc6130fbb7
667e0db9b74bb51b05798777399f2aa4f4ecf31b9c1825bad57c99026a2eff09
Analyzer Verdict Alert
Public Nextron YARA rules malware Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Elastic Security YARA Rules malware Linux.Trojan.Gafgyt
VirusTotal malicious
GET /cn/sysnew.spc HTTP/1.1
Host: best.obs.cn-sz1.ctyun.cn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 000001913265F3EB90165F0F2DA8143D
x-reserved-indicator: 372
Accept-Ranges: bytes
ETag: "c7d2a0a8fe7a1141355b0b2e3364aadf"
Last-Modified: Fri, 27 Jan 2023 14:20:20 GMT
Content-Disposition: attachment
Content-Type: binary/octet-stream
x-obs-id-2: 32AAAQAAEAABAAAQAAEAABAAAQAAEAABCSvmzoDg7TL4LeS66nr6mZ3WuWnn86mE
Date: Thu, 08 Aug 2024 14:30:28 GMT
Content-Length: 107900
r10.o.lencr.org/
2.23.172.203 504 B IP 2.23.172.203:0
ASN #20940 Akamai International B.V.
Hash 460334cc4e5b7d0e9bae1a2db2ad27cd
b0a331b5252d61b68e687dc25581842a360aac4f
8e85f0944ea44f26c441f73cd791e0cf50936b0278733f5af7305e594372df58
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "8E85F0944EA44F26C441F73CD791E0CF50936B0278733F5AF7305E594372DF58"
Last-Modified: Tue, 06 Aug 2024 06:58:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=17869
Expires: Thu, 08 Aug 2024 19:28:18 GMT
Date: Thu, 08 Aug 2024 14:30:29 GMT
Connection: keep-alive