The ThreatFox: Unknown malware IOCs rule flags network connections and DNS lookups that match indicators ThreatFox attributes to an as-yet unidentified malware family, which may signal previously unseen malware in the environment. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate threats that evade signature-based detection.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 15[.]204[.]255[.]172:7443 | botnet_cc | 2026-06-02 | 75% |
| domain | merindashop.cyou | payload_delivery | 2026-06-02 | 100% |
| ip:port | 115[.]159[.]72[.]181:8888 | botnet_cc | 2026-06-02 | 100% |
| domain | veryhotcoffee.monster | payload_delivery | 2026-06-02 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// IPs are refanged here; the IOC table above shows them defanged (15[.]204...).
// The table also lists ports 7443 and 8888; add a DestinationPort filter to tighten the hunt.
let malicious_ips = dynamic(["115.159.72.181", "15.204.255.172"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["115.159.72.181", "15.204.255.172"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["merindashop.cyou", "veryhotcoffee.monster"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
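The hunts above use raw IPs while the ThreatFox table presents them defanged (`15[.]204[.]255[.]172:7443`), and they drop the port that ThreatFox supplies. The following Python script is an added example, not part of this rule page or of ThreatFox's tooling: it parses a markdown IOC table in the format shown above, refangs the values, validates them, and emits the `dynamic([...])` lists the hunts use plus a port-aware variant for `DeviceNetworkEvents` (the `datatable` join and the `min_confidence` filter are this example's own additions). The sample table is constructed from the four rows on this page.

```python
"""Turn a defanged ThreatFox IOC table into the KQL lists used by the hunts above."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: the four defanged rows from the IOC table on this page.
SAMPLE_IOC_TABLE = """
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 15[.]204[.]255[.]172:7443 | botnet_cc | 2026-06-02 | 75% |
| domain | merindashop.cyou | payload_delivery | 2026-06-02 | 100% |
| ip:port | 115[.]159[.]72[.]181:8888 | botnet_cc | 2026-06-02 | 100% |
| domain | veryhotcoffee.monster | payload_delivery | 2026-06-02 | 100% |
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def refang(value: str) -> str:
    """Undo common defanging styles ("[.]", "(.)", "hxxp") so the value can be queried."""
    return re.sub(r"\[\.\]|\(\.\)", ".", value.strip()).replace("hxxp", "http")


def parse_ioc_table(markdown: str) -> List[Dict[str, object]]:
    """Parse the markdown IOC table into records with refanged, validated values."""
    records = []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue  # header row or separator row
        ioc_type, raw, threat_type, first_seen, confidence = cells
        rec = {"type": ioc_type, "threat_type": threat_type,
               "first_seen": first_seen, "confidence": int(confidence.rstrip("%"))}
        if ioc_type == "ip:port":
            ip, _, port = refang(raw).rpartition(":")
            rec["ip"] = str(ipaddress.ip_address(ip))  # ValueError if the refang went wrong
            rec["port"] = int(port)
        elif ioc_type == "domain":
            domain = refang(raw).lower()
            if not DOMAIN_RE.match(domain):
                raise ValueError(f"not a valid domain: {raw!r}")
            rec["domain"] = domain
        else:
            continue  # IOC types the hunts above do not use (url, sha256, ...)
        records.append(rec)
    return records


def kql_dynamic(values: List[str]) -> str:
    """Render a sorted, de-duplicated KQL dynamic([...]) string literal."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in sorted(set(values)))
    return f"dynamic([{quoted}])"


def kql_ipport_datatable(records: List[Dict[str, object]]) -> str:
    """Render the ip:port pairs as a KQL datatable so a hunt can match on port as well."""
    rows = ", ".join(f'"{r["ip"]}", {r["port"]}' for r in records if r["type"] == "ip:port")
    return f"datatable(RemoteIP:string, RemotePort:int) [{rows}]"


def build_hunts(markdown: str, min_confidence: int = 0) -> Dict[str, str]:
    """Return the IP list, domain list and a port-aware DeviceNetworkEvents hunt."""
    recs = [r for r in parse_ioc_table(markdown) if r["confidence"] >= min_confidence]
    ips = [r["ip"] for r in recs if r["type"] == "ip:port"]
    domains = [r["domain"] for r in recs if r["type"] == "domain"]
    return {
        "ips": kql_dynamic(ips),
        "domains": kql_dynamic(domains),
        # Inner join keeps only connections to the exact ip:port pair ThreatFox reported.
        "mde_ipport": (
            f"let c2 = {kql_ipport_datatable(recs)};\n"
            "DeviceNetworkEvents\n"
            "| join kind=inner c2 on RemoteIP, RemotePort\n"
            "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
            "InitiatingProcessFileName, ActionType\n"
            "| order by Timestamp desc"
        ),
    }


if __name__ == "__main__":
    for name, text in build_hunts(SAMPLE_IOC_TABLE).items():
        print(f"-- {name}\n{text}\n")
```

Validating each value after refanging matters more than it looks: a stray bracket that survives refanging would silently produce a list entry that never matches anything, and the hunt would report clean results for the wrong reason. Raising `min_confidence` to 100 drops the 75% IP from the lists, which is a reasonable way to run a tighter first pass before widening.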
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
The hunts above match on IP address and domain only; the process- and file-name exclusions below apply where the hunt is extended to process telemetry (for example InitiatingProcessFileName in DeviceNetworkEvents).

- Scenario: A system administrator is running a scheduled job to update the ThreatFox database using the threatfox-cli tool.
  Filter/Exclusion: Exclude process names containing threatfox-cli or threatfox in the process name field.

- Scenario: A security analyst is using the yara tool to scan network traffic for known malware signatures as part of a routine security assessment.
  Filter/Exclusion: Exclude processes associated with yara or any known security analysis tools in the process name or command line.

- Scenario: A database administrator is executing a backup job using mysqldump to generate a backup file named unknown_malware.sql as part of a standard backup procedure.
  Filter/Exclusion: Exclude file names matching unknown_malware.sql or any file names that match known backup naming conventions.

- Scenario: A DevOps engineer is deploying a new application using Ansible, and the playbook includes a task named unknown_malware_setup as part of the deployment process.
  Filter/Exclusion: Exclude processes with ansible in the process name and filter out tasks with unknown_malware in the command line or playbook name.

- Scenario: A system administrator is using PowerShell to run a script that generates a report named unknown_malware_report.txt as part of a monthly security review.
  Filter/Exclusion: Exclude file names containing unknown_malware and filter out PowerShell scripts executed from known administrative scripts or scheduled tasks.