The hypothesis is that the detected URLs are used by adversaries to deliver ELF (Linux) malware, which can execute malicious code and establish persistence on the host. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify potentially compromised endpoints and stop data exfiltration early.
IOC Summary

Threat: elf
Total URLs: 44
Active URLs: 13
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// The indicators are IP literals, so match the resolved addresses as well as the queried name
let malicious_domains = dynamic(["5.231.70.34", "188.132.232.81"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
let malicious_domains = dynamic(["5.231.70.34", "188.132.232.81"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a new URL shortener tool by pasting a legitimate URL into a test environment.
  Filter/Exclusion: Exclude URLs that match the domain of known URL shortening services (e.g., bit.ly, tinyurl.com, shortened.link).
- Scenario: A scheduled job runs to fetch updates from a public repository, such as GitHub, which includes a URL to a script that is not malicious.
  Filter/Exclusion: Exclude URLs that match known public code repositories (e.g., github.com, gitlab.com, bitbucket.org).
- Scenario: An IT team is performing a security audit and is using a tool like OSSEC or Logwatch to check system logs, which includes a URL to a log analysis script.
  Filter/Exclusion: Exclude URLs that contain the string log-analysis or match the IP range used by internal security tools.
- Scenario: A developer is using Ansible to deploy a configuration script that includes a URL to a public CDN (e.g., cdnjs.com) for JavaScript libraries.
  Filter/Exclusion: Exclude URLs that match CDN domains (e.g., cdnjs.com, jsDelivr.net, cloudflare.com).
- Scenario: A system is running a Windows Task Scheduler job that downloads a script from a company-internal server for automated patching.
  Filter/Exclusion: Exclude URLs that originate from internal IP ranges or match the internal domain (e.g., intranet.corp.example.com).
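The hunt queries above hard-code their indicator list, and the false-positive scenarios describe exclusions that are applied by hand. The following added example (not part of the original report) builds the `let malicious_domains = dynamic([...]);` line from URLhaus-style defanged rows, keeping only online indicators and dropping anything that matches the exclusions; the sample rows are constructed, and the internal IP range and domain suffix are hypothetical placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample rows in the report's defanged "hxxp://" IOC-table layout.
SAMPLE_ROWS = """\
hxxp://5.231.70.34/nullnet_bin_dir/nullnet_load.mips | online | malware_download | 2026-06-07
hxxp://188.132.232.81/QS2l | offline | malware_download | 2026-06-07
hxxp://45.205.1.59/0ad7d3 | offline | malware_download | 2026-06-07
hxxp://intranet.corp.example.com/patch.sh | online | malware_download | 2026-06-07
"""

# Exclusions from the false-positive scenarios; range and suffix are hypothetical placeholders.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_SUFFIX = ".corp.example.com"
BENIGN_DOMAINS = {"bit.ly", "tinyurl.com", "github.com", "gitlab.com", "bitbucket.org",
                  "cdnjs.com", "jsdelivr.net", "cloudflare.com"}


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_excluded(host):
    """True if the host falls under one of the report's false-positive exclusions."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or any(ip in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, so compare as a domain name
        h = host.lower()
        return h.endswith(INTERNAL_SUFFIX) or any(
            h == d or h.endswith("." + d) for d in BENIGN_DOMAINS)


def parse_hosts(table, active_only=True):
    """Unique hosts from 'URL | Status | Threat | Date' rows, minus exclusions."""
    hosts = set()
    for line in table.splitlines():
        parts = [p.strip() for p in line.strip("| ").split("|")]
        if len(parts) < 4 or (active_only and parts[1] != "online"):
            continue
        host = urlsplit(refang(parts[0])).hostname
        if host and not is_excluded(host):
            hosts.add(host)
    return sorted(hosts)


def kql_let(name, values):
    """Render hosts as the 'let <name> = dynamic([...]);' line the hunt queries expect."""
    quoted = ", ".join('"%s"' % v for v in values)
    return "let %s = dynamic([%s]);" % (name, quoted)
```

Feeding the full URLhaus export through `parse_hosts` with `active_only=False` yields the offline hosts too, which is useful for retrospective hunting over older log retention.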