The hypothesis is that the URLs detected below are Mirai payload-delivery endpoints; Mirai compromises IoT devices (cameras, routers, DVRs) over weak or default credentials and enrols them in a DDoS botnet. Any internal host seen resolving or connecting to these endpoints is a candidate for compromise, so SOC teams should proactively hunt for them in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain botnet activity. Note that both IOCs are bare IP:port URLs with no domain, which affects how the DNS hunt below can match.
IOC Summary
Threat: mirai | Total URLs: 2 | Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://77.247.88.72:46687/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://110.37.99.117:41152/bin.sh | online | malware_download | 2026-03-19 |
```kql
// Hunt for DNS activity involving the URLhaus IOC IPs
// Threat: mirai
// The IOCs are bare IPs, not domains. A DNS query name will only match a literal-IP lookup,
// so also match the resolved answers (IPAddresses, a comma-separated string) to catch
// domains that resolve to the payload hosts.
let malicious_ips = dynamic(["110.37.99.117", "77.247.88.72"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to the URLhaus IOC IPs and payload URLs
// Threat: mirai
let malicious_ips = dynamic(["110.37.99.117", "77.247.88.72"]);
let malicious_urls = dynamic(["http://77.247.88.72:46687/bin.sh", "http://110.37.99.117:41152/bin.sh"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
// PayloadFetch distinguishes a real download of bin.sh from other contact with the host
| extend PayloadFetch = RequestURL has_any (malicious_urls)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, PayloadFetch
| order by TimeGenerated desc
```

Run the two queries separately; each declares its own `let` bindings. Treat a hit with `DeviceAction` of allow as higher priority than a blocked attempt, and triage the source host for the Mirai infection chain (credential brute force, `wget`/`tftp` of `bin.sh`, outbound scanning on 23/2323) rather than only the single connection.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog data connector is enabled and that the proxy or firewall populates RequestURL, DestinationHostName and DeviceAction; without RequestURL only IP-level matches are possible |
| DnsEvents | Ensure the DNS data connector is enabled; matching IP-only IOCs depends on IPAddresses (resolved answers) being populated |
Possible false positives. In every case the exclusion should be scoped to the source asset, time window or destination that explains the benign activity, never to the IOC URL or IP itself: a genuine fetch of `bin.sh` from one of the listed hosts is a hit regardless of which system made it.

Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool to validate its detection capabilities.
Filter/Exclusion: Exclude matches whose source is the documented test host and whose URL is the scanner's own test URL (e.g., http://test-mirai-url.com), during the approved test window. Do not exclude the URLhaus IOC URLs.

Scenario: A scheduled job runs a network discovery tool like Nmap to map internal network devices, and one of the discovered devices is flagged as a Mirai-related URL.
Filter/Exclusion: Exclude matches that originate from the scanner's IP and target internal address ranges. The IOCs on this page are public IPs, so a scanner reaching them from inside the network is not a discovery artefact and should stay in the results.

Scenario: A security analyst is using Wireshark to analyze network traffic and manually captures a Mirai-related URL as part of a packet capture for forensic analysis.
Filter/Exclusion: Opening a capture file does not by itself generate DNS or proxy events; a match appears only if the analyst workstation actually resolves or contacts the IOC (for example through Wireshark's network name resolution, which issues reverse lookups). Exclude by the analyst workstation and the approved analysis window, not by URL.

Scenario: A DevOps team is deploying a containerized application using Docker and the container's health check endpoint is mistakenly flagged as a Mirai URL.
Filter/Exclusion: Exclude health check paths (e.g., /health, /live, /ready) only when the destination is an internal container or orchestration address; a request for such a path on one of the IOC hosts should still match.

Scenario: A system is running a Windows Task Scheduler job that periodically downloads a configuration file from an internal server, which is misidentified as a Mirai URL.
Filter/Exclusion: Exclude the job's known destination (the internal server name or IP and the configuration file path) for the scheduled source host, rather than any URL pattern resembling the IOCs.
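The following is an added example, not part of the original page or of any Sentinel content: it re-implements the hunt and the exclusion logic above offline in Python so the matching behaviour can be checked before it is encoded as a rule. It refangs the two URLhaus IOCs, matches them against constructed DnsEvents-style and CommonSecurityLog-style records (sample data, not real telemetry), and applies an exclusion that is scoped to an assumed scanner host (`10.0.0.9`) rather than to the IOC, so a real `bin.sh` fetch from the scanner is still reported.

```python
"""Offline model of the Mirai IOC hunt: refang URLhaus IOCs, match them
against constructed DNS and proxy records, apply source-scoped exclusions."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The two URLhaus entries listed on this page, defanged with hxxp.
IOC_URLS = [
    "hxxp://77.247.88.72:46687/bin.sh",
    "hxxp://110.37.99.117:41152/bin.sh",
]


@dataclass(frozen=True)
class Ioc:
    host: str
    port: int
    path: str


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def parse_ioc(url: str) -> Ioc:
    """Split a URL into host, port and path; default port follows the scheme."""
    u = urlsplit(refang(url))
    default = 443 if u.scheme == "https" else 80
    return Ioc(u.hostname, u.port or default, u.path or "/")


IOCS = {parse_ioc(u) for u in IOC_URLS}
IOC_HOSTS = {i.host for i in IOCS}


def dns_hits(events):
    """DnsEvents-style records. Flag a query name that is an IOC host, or a
    resolution whose answers (comma-separated IPAddresses) contain an IOC IP."""
    hits = []
    for e in events:
        answers = {a.strip() for a in e.get("IPAddresses", "").split(",") if a.strip()}
        if e["Name"] in IOC_HOSTS or answers & IOC_HOSTS:
            hits.append(e)
    return hits


def web_hits(events):
    """CommonSecurityLog-style records. Returns (event, kind): 'url' for an
    exact host:port/path match, 'host' for other contact with an IOC host."""
    hits = []
    for e in events:
        url = e.get("RequestURL") or ""
        parsed = parse_ioc(url) if url else None
        if parsed in IOCS:
            hits.append((e, "url"))
        elif ((parsed and parsed.host in IOC_HOSTS)
              or e.get("DestinationHostName") in IOC_HOSTS
              or e.get("DestinationIP") in IOC_HOSTS):
            hits.append((e, "host"))
    return hits


def apply_exclusions(hits, allowlisted_sources):
    """Exclusions key on the source asset, never on the IOC: an allowlisted
    scanner's host-level contact is dropped, a payload fetch is always kept."""
    return [(e, kind) for e, kind in hits
            if kind == "url" or e.get("SourceIP") not in allowlisted_sources]


# Constructed sample records (not real telemetry).
DNS_EVENTS = [
    {"TimeGenerated": "2026-03-19T10:01:00Z", "Computer": "cam-07",
     "Name": "firmware.example.invalid", "IPAddresses": "110.37.99.117"},
    {"TimeGenerated": "2026-03-19T10:02:00Z", "Computer": "ws-12",
     "Name": "www.example.com", "IPAddresses": "93.184.216.34,93.184.216.35"},
]
WEB_EVENTS = [
    {"TimeGenerated": "2026-03-19T10:03:00Z", "SourceIP": "10.0.0.5", "DeviceAction": "allow",
     "RequestURL": "http://77.247.88.72:46687/bin.sh", "DestinationHostName": "",
     "DestinationIP": "77.247.88.72"},
    {"TimeGenerated": "2026-03-19T10:04:00Z", "SourceIP": "10.0.0.9", "DeviceAction": "allow",
     "RequestURL": "http://110.37.99.117:41152/", "DestinationHostName": "",
     "DestinationIP": "110.37.99.117"},
    {"TimeGenerated": "2026-03-19T10:05:00Z", "SourceIP": "10.0.0.7", "DeviceAction": "allow",
     "RequestURL": "http://app.internal.example/health",
     "DestinationHostName": "app.internal.example", "DestinationIP": "10.0.5.20"},
    {"TimeGenerated": "2026-03-19T10:06:00Z", "SourceIP": "10.0.0.9", "DeviceAction": "deny",
     "RequestURL": "http://110.37.99.117:41152/bin.sh", "DestinationHostName": "",
     "DestinationIP": "110.37.99.117"},
]
SCANNER_SOURCES = {"10.0.0.9"}  # assumed: the approved vulnerability-scanner host


def run_hunt():
    """Summarise hits before and after source-scoped exclusions."""
    raw = web_hits(WEB_EVENTS)
    kept = apply_exclusions(raw, SCANNER_SOURCES)
    return {"dns": len(dns_hits(DNS_EVENTS)), "web_raw": len(raw), "web_kept": len(kept)}


if __name__ == "__main__":
    for e in dns_hits(DNS_EVENTS):
        print("DNS  ", e["Computer"], e["Name"], "->", e["IPAddresses"])
    for e, kind in apply_exclusions(web_hits(WEB_EVENTS), SCANNER_SOURCES):
        print("WEB  ", kind, e["SourceIP"], e["RequestURL"], e["DeviceAction"])
```

The scanner's bare probe of `110.37.99.117:41152/` is suppressed, but its blocked fetch of `bin.sh` from the same host survives, and the `/health` request never matches because its destination is internal; that is the behaviour each exclusion above should reproduce when written as a KQL `where` clause.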