The hypothesis is that the detection identifies potential adversary activity involving the exfiltration of sensitive data through malicious URLs tagged as elf, leveraging compromised endpoints to steal information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate data exfiltration attempts early, preventing data loss and reducing the impact of potential breaches.
IOC Summary
Threat: elf
Total URLs: 18
Active URLs: 11

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://156.226.174.212/bins/sora.mpsl | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.sh4 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.mips | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.arm7 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.arm6 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.ppc | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.x86 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.i686 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.arm5 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.x86_64 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.m68k | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.i468 | offline | malware_download | 2026-04-21 |
| hxxp://179.43.182.70/hiddenbin/Space.sparc | offline | malware_download | 2026-04-21 |
| hxxp://179.43.182.70/hiddenbin/Space.mips64 | offline | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.ppc440fp | offline | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.arm4 | offline | malware_download | 2026-04-21 |
| hxxp://179.43.182.70/hiddenbin/Space.i686 | offline | malware_download | 2026-04-21 |
| hxxp://179.43.182.70/hiddenbin/Space.arc | offline | malware_download | 2026-04-21 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// Both hosts from the IOC table above (the original query listed only 156.226.174.212)
let malicious_domains = dynamic(["156.226.174.212", "179.43.182.70"]);
DnsEvents
// The indicators are bare IPs, so match the resolved addresses as well as the queried name
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
let malicious_domains = dynamic(["156.226.174.212", "179.43.182.70"]);
CommonSecurityLog
// Match the request URL, the destination host name and the destination IP, since the IOCs are IP-based URLs
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few legitimate .elf files for internal validation.
  Filter/Exclusion: Exclude URLs that match internal testing domains or contain known internal test patterns (e.g., test-internal.example.com).
- Scenario: A scheduled job runs a script that downloads and unpacks a .elf file as part of a software update process.
  Filter/Exclusion: Exclude URLs that match known internal update servers or use specific query parameters like ?action=download or ?version=1.2.3.
- Scenario: A DevOps team is using a CI/CD pipeline that builds and tests a binary file with a .elf extension as part of a container image build.
  Filter/Exclusion: Exclude URLs that originate from internal CI/CD endpoints (e.g., ci.example.com) or contain build-specific identifiers (e.g., build-id=12345).
- Scenario: A security analyst is using a sandboxing tool like Cuckoo Sandbox to analyze a benign .elf file for malware analysis.
  Filter/Exclusion: Exclude URLs that match the internal sandboxing infrastructure (e.g., sandbox.example.com) or are associated with known analysis tools.
- Scenario: A backup process is restoring a file with a .elf extension from an archive, which is part of a regular system maintenance task.
  Filter/Exclusion: Exclude URLs that match internal backup servers or contain backup-related query parameters (e.g., ?restore=true or ?backup=system).
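The following is an added worked example, not part of this hunt page, of URLhaus or of Sentinel: it parses the defanged IOC table above, renders the deduplicated host set as the `dynamic([...])` literal the KQL queries use (so the query list stays in sync with the table and covers both hosts), and then runs the same host-and-URL matching over a constructed proxy log while applying the host-based exclusions from the false-positive scenarios. The log format, the source IPs and the internal host names (`ci.example.com` and friends are the page's own placeholders) are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed subset of the IOC table on this page (pipe-separated, defanged).
IOC_TABLE = """
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://156.226.174.212/bins/sora.mpsl | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.x86 | online | malware_download | 2026-04-21 |
| hxxp://156.226.174.212/bins/sora.arm4 | offline | malware_download | 2026-04-21 |
| hxxp://179.43.182.70/hiddenbin/Space.sparc | offline | malware_download | 2026-04-21 |
| hxxp://179.43.182.70/hiddenbin/Space.i686 | offline | malware_download | 2026-04-21 |
"""

# Host-based exclusions taken from the false-positive scenarios; these are the
# page's example placeholders, not real infrastructure (assumption for the demo).
INTERNAL_HOSTS = {"test-internal.example.com", "ci.example.com", "sandbox.example.com"}

# Constructed proxy log lines: timestamp, source IP, destination host, URL, action.
SAMPLE_LOG = """
2026-04-21T10:01:02Z 10.0.0.15 156.226.174.212 http://156.226.174.212/bins/sora.x86 allowed
2026-04-21T10:01:03Z 10.0.0.15 156.226.174.212 http://156.226.174.212/bins/other.bin allowed
2026-04-21T10:05:00Z 10.0.0.22 ci.example.com http://ci.example.com/artifacts/app.elf?build-id=12345 allowed
2026-04-21T10:07:41Z 10.0.0.31 179.43.182.70 http://179.43.182.70/hiddenbin/Space.i686 blocked
2026-04-21T10:09:00Z 10.0.0.40 cdn.example.org http://cdn.example.org/update/fw.elf allowed
"""


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).replace("[.]", ".")


def parse_ioc_table(text: str) -> list:
    """Parse pipe-separated IOC rows into dicts; header/separator rows are skipped.
    Offline URLs are kept: an endpoint that fetched one earlier is still a finding."""
    iocs = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip("| ").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue
        url = refang(cells[0])
        parsed = urlparse(url)
        iocs.append({"url": url, "host": parsed.hostname, "path": parsed.path,
                     "status": cells[1], "threat": cells[2], "date": cells[3]})
    return iocs


def kql_host_list(iocs: list) -> str:
    """Render the deduplicated, sorted host set as the dynamic([...]) literal
    used by the Sentinel queries on this page."""
    hosts = sorted({i["host"] for i in iocs})
    return "dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "])"


def hunt(log_text: str, iocs: list, internal_hosts: set) -> list:
    """Return log entries that touch an IOC host, labelled by match strength.
    Requests to allowlisted internal hosts are dropped before matching."""
    ioc_urls = {i["url"] for i in iocs}
    ioc_hosts = {i["host"] for i in iocs}
    hits = []
    for line in log_text.strip().splitlines():
        ts, src, _dst, url, action = line.split()
        host = urlparse(url).hostname
        if host in internal_hosts:
            continue  # documented false-positive source, excluded by host
        if url in ioc_urls:
            match = "exact_url"      # full URL is on the IOC list
        elif host in ioc_hosts:
            match = "host_only"      # same host, path not on the list: triage manually
        else:
            continue
        hits.append({"time": ts, "src": src, "url": url, "action": action, "match": match})
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print("let malicious_domains = " + kql_host_list(iocs) + ";")
    for hit in hunt(SAMPLE_LOG, iocs, INTERNAL_HOSTS):
        print(hit)
```

Two design points worth noting: the exclusions are keyed on the destination host rather than on query parameters such as `?action=download`, because a host allowlist is a property the defender controls, whereas a query string is chosen by whoever built the URL; and a `host_only` hit is reported separately from an `exact_url` hit so that an analyst can see both the confirmed IOC downloads and any other traffic to the same infrastructure without the two being conflated.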