CYBER THREAT INTELLIGENCE
Prepared by: Bhut Pavan
Table of Contents
1. Executive Summary
2. IOC Analysis
2.1 Identified IP Address
2.2 Threat Categories
2.3 Malware Family Labels
3. Detection Methods
3.1 YARA Rules Findings
3.2 Sigma Rules Findings
4. Behavior Analysis
4.1 Suspicious Executables
4.2 Malware Persistence
4.3 Malware Family Indicators
5. Indicators of Attack (IOA)
6. Command and Control (C2)
7. Advanced Persistent Threats (APT)
8. Attack Execution Flow
9. Recommendations
9.1 Immediate Actions
9.2 Detection and Response
9.3 Long-term Strategies
10. Harmfulness of the IP Address
11. Conclusion
1. Executive Summary
This report provides an in-depth analysis of suspicious behaviors and threat indicators based on observed artifacts. The behaviors include debugging environment detection, self-deletion mechanisms, and SSH-based communication. This report also examines detected Indicators of Attack (IOA), Command & Control (C2) communications, and Advanced Persistent Threat (APT) tactics.
Key findings include:
- Potential SSH brute-force scanning activity.
- DNS queries to suspicious dynamic DNS services.
- File modifications, deletions, and execution of suspicious processes.
2. IOC Analysis
2.1 Identified IP Address
1. Identified IP Address
- Destination IP: 115.11.111.11 → Involved in unauthorized SSH login attempts, indicating a possible brute-force attack.
- Destination Port: 22 (SSH) → A common target for attackers attempting to gain remote access.
Mitigation:
1. Restrict SSH access to trusted IPs.
2. Use key-based authentication instead of passwords.
2. DNS Query Destination
- 8.8.8.8 (Google DNS) → Used to resolve domains, including potentially malicious ones.
- Possible Risk: Malware may be using Google DNS to contact a Command & Control (C2) server.
Mitigation:
1. Monitor DNS requests for unusual activity.
2. Use DNS filtering to block malicious domain resolution.
3. Malware-Related Domain
- mirailover.ddns.net → A suspected malware C2 server, likely used for remote control of infected devices.
Mitigation:
1. Block the domain at the firewall level.
2. Investigate and isolate any affected hosts.
3. Check system logs for signs of compromise.
2.2 Threat Categories
Medium: Anti-Analysis Techniques
These are methods used by malware to evade detection and forensic analysis. Examples include detecting debugging environments, sandbox evasion, and self-deletion. Since these techniques primarily aid in stealth rather than direct exploitation, they are categorized as medium-risk.
High: SSH-Based Attacks
These are threats that exploit the SSH (Secure Shell) protocol to gain unauthorized access, steal credentials, or perform remote code execution. Due to the critical role of SSH in system administration, such attacks are considered high-risk.
High: DNS Tunneling (via .ddns.net)
This refers to the misuse of the DNS (Domain Name System) to covertly transmit data or control infected systems. Attackers often use dynamic DNS domains like *.ddns.net for persistent connections. This technique is categorized as high-risk due to its use in data exfiltration and command-and-control (C2) operations.
2.3 Malware Family Labels
1. ELF Digest: 66fb6f84b83b93e27deedac9159c151f
- ELF (Executable and Linkable Format) is the standard binary format for Linux executables, object files, and shared libraries.
- The provided digest (hash) is a unique identifier for a specific malware sample.
- Security vendors have flagged this ELF binary as malicious, meaning it matches known Linux malware signatures.
Impact of This:
- Privilege escalation: Exploits vulnerabilities to gain root access.
- Data exfiltration: May steal credentials, configuration files, or sensitive user data.
- System compromise: Allows remote attackers to execute arbitrary commands.
- Persistence: Can establish backdoors to ensure continued access.
Mitigation Strategies:
- Use File Integrity Monitoring (FIM): Tools like Tripwire, AIDE, and OSSEC can detect unauthorized file modifications.
- Block execution of unknown binaries: Configure AppArmor, SELinux, or grsecurity to limit execution of untrusted ELF files.
- Perform malware scanning: Use ClamAV, YARA rules, or VirusTotal to scan and remove infected files.
- Restrict execution permissions: Only trusted binaries should have execute permissions (chmod 700 for sensitive files).
2. Trojan.Generic
This is a generic detection name used by security vendors when identifying trojans with malicious behavior, often related to:
- Credential theft (e.g., stealing SSH keys, passwords).
- Remote access backdoors (e.g., reverse shells, RATs).
- Data exfiltration (e.g., stealing browser cookies, database credentials).
Impact of This:
- Can lead to full system compromise and unauthorized remote control.
- Enables attackers to escalate privileges and move laterally within the network.
- May install additional payloads like ransomware or cryptominers.
Mitigation Strategies:
- Enable Multi-Factor Authentication (MFA): Even if credentials are stolen, attackers cannot easily gain access.
- Restrict outgoing network connections: Prevent trojans from sending data to command-and-control (C2) servers.
- Use behavioral analysis tools: Falco, CrowdStrike, or Microsoft Defender for Endpoint can detect unusual activities.
- Regularly audit system processes: Check for suspicious processes (ps aux | grep suspicious_process).
3. Worm/Linux.Mirai
- Mirai is a well-known Linux-based worm targeting IoT devices and network infrastructure (routers, cameras, DVRs).
- It spreads by brute-forcing weak/default credentials and exploiting unpatched vulnerabilities in connected devices.
- Once infected, the device joins a botnet used for large-scale DDoS attacks.
Impact of This:
- Massive DDoS attacks: Can overload servers, causing service disruptions for websites, businesses, or entire networks.
- Compromised IoT devices: Attackers can remotely control infected devices.
- Resource hijacking: Some Mirai variants mine cryptocurrency or launch additional malware infections.
Mitigation Strategies:
- Change Default Credentials: Use strong, unique passwords for all IoT devices.
- Implement Network Segmentation: Separate IoT devices from critical infrastructure.
- Apply Regular Firmware Updates: Ensure devices run the latest patches.
- Monitor Unusual Network Traffic: Use Zeek (Bro IDS), Suricata, or Snort to detect botnet activity.
- Block Unused Ports: Mirai often targets ports like 23 (Telnet), 22 (SSH), and 7547 (TR-069). Close unnecessary services.
3. Detection Methods
IDS rules:
1. ET SCAN Potential SSH Scan OUTBOUND
This IDS/IPS alert detects multiple outbound SSH connection attempts from an internal host.
Possible causes:
- Brute-force attack (malware or attacker trying SSH logins).
- Botnet activity (compromised device scanning for vulnerable SSH services).
- Misconfigured automation scripts making excessive SSH requests.
Impact of This:
- Medium to High Risk – Can indicate compromised hosts, insider threats, or unauthorized SSH scanning.
- Could be a precursor to attacks like unauthorized access, lateral movement, or data exfiltration.
Mitigation Steps:
- Identify the Source of the Scan
- Block Suspicious Outbound SSH Traffic
- Secure SSH Access
- Monitor and Detect Further Threats
2. ET POLICY DNS Query to DynDNS Domain *.ddns.net
This alert is triggered when a system in the network queries a Dynamic DNS (DynDNS) domain (*.ddns.net). Dynamic DNS services allow domain names to be linked to changing IP addresses; they are commonly used for remote access but also abused by malware, botnets, and phishing campaigns to evade detection.
Impact of This:
- Potential Malware C2 Communication – Attackers use DynDNS to maintain access to infected systems.
- Data Exfiltration Risk – Compromised systems may use DynDNS for covert communication.
- Unauthorized Remote Access – Employees or attackers may use DynDNS to bypass security policies.
Mitigation Steps:
- Identify and Analyze the Source
- Block and Restrict Dynamic DNS Usage
- Strengthen Network Security
- Investigate and Take Action
3.1 YARA Rules Findings
Rule Name: Base64_Encoded_URL
Severity: Medium
Description: Detects Base64-encoded URLs often used in malware C2 communications.
Mitigation: Implement URL filtering and sandboxing.
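As an added illustration (not the report's own YARA rule, whose text is not reproduced here), the check this rule performs written in Python: find base64 runs in a byte buffer, decode them, and keep only those that decode to a URL, which avoids the false positives a bare base64 pattern match produces on paths and random strings. The sample buffer is constructed; only the domain in it comes from this report.

```python
import base64
import re

# Runs of base64 alphabet long enough to hold a scheme and host, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# A decoded run counts as a URL only if it starts with a scheme and a hostname.
URL_PREFIX = re.compile(rb"^(?:https?|ftp)://[A-Za-z0-9.\-]+")

def find_base64_urls(data: bytes) -> list:
    """Return (base64_token, decoded_url) for every base64 run in `data` that
    decodes to text beginning with a URL scheme and hostname."""
    hits = []
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        core = token.rstrip(b"=")
        padded = core + b"=" * (-len(core) % 4)   # restore stripped '=' padding
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:                         # binascii.Error: not valid base64
            continue
        if URL_PREFIX.match(decoded):
            hits.append((token, decoded.decode("ascii", "replace")))
    return hits

# Constructed sample resembling a strings dump of a dropper config; the only value
# taken from this report is the domain. Not data from the analysed sample.
SAMPLE = (
    b"GET /cfg\x00"
    + base64.b64encode(b"http://mirailover.ddns.net/") + b"\x00"
    + base64.b64encode(b"debugger detected, exiting") + b"\x00"  # base64 but not a URL
    + b"ABCDEFGHIJKLMNOPQ\x00"                                    # 17 chars: invalid base64
    + b"/usr/lib/libcrypto.so.3\x00"                               # decodes to junk, rejected
)

if __name__ == "__main__":
    for token, url in find_base64_urls(SAMPLE):
        print(f"{token.decode()} -> {url}")
```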
3.2 Sigma Rules Findings
Rule Name: SSH Outbound Scan Detection
Severity: High
Description: Identifies repeated SSH attempts to external hosts, a sign of brute-force or unauthorized remote access.
Mitigation: Monitor outbound SSH traffic and enforce strict firewall policies.
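The following Python snippet is an added example, not part of the report or of the ET/Sigma rule sets, showing the logic behind the two IDS alerts and the Sigma finding above: it counts distinct external SSH targets per internal host inside a time window and flags lookups of *.ddns.net. The conn.log and dns.log rows are constructed, and the internal range is assumed to be 10/8 (simplified to a string prefix).

```python
from collections import defaultdict

# Constructed Zeek-style conn.log rows (ts, src, dst, dst_port, proto); not real captures.
CONN_LOG = [(1000.0 + i, "10.0.0.5", f"203.0.113.{i}", 22, "tcp") for i in range(1, 7)]
CONN_LOG += [
    (1010.0, "10.0.0.5", "115.11.111.11", 22, "tcp"),  # the destination named in this report
    (1020.0, "10.0.0.7", "198.51.100.9", 443, "tcp"),  # ordinary HTTPS, ignored
    (1030.0, "10.0.0.7", "198.51.100.9", 22, "tcp"),   # one admin SSH session, below threshold
    (1040.0, "10.0.0.9", "10.0.0.2", 22, "tcp"),       # internal-to-internal, not outbound
]
# Constructed Zeek-style dns.log rows (ts, src, query).
DNS_LOG = [
    (1001.0, "10.0.0.5", "mirailover.ddns.net"),
    (1002.0, "10.0.0.7", "www.example.com"),
]

def outbound_ssh_scanners(rows, internal="10.", threshold=5, window=60.0):
    """Return {src: distinct_targets} for internal hosts that reach at least
    `threshold` distinct external hosts on TCP/22 within `window` seconds: the
    logic behind ET SCAN Potential SSH Scan OUTBOUND and the Sigma rule above."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in rows:
        if proto == "tcp" and dport == 22 and src.startswith(internal) \
                and not dst.startswith(internal):
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):     # slide the window over each start time
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged

def dyndns_queries(rows, suffixes=(".ddns.net",)):
    """Return (src, query) for lookups of dynamic-DNS domains (ET POLICY DNS Query
    to DynDNS Domain); add other DDNS providers you block to `suffixes`."""
    return [(src, q) for _, src, q in rows if q.lower().endswith(suffixes)]

if __name__ == "__main__":
    print("outbound SSH scanners:", outbound_ssh_scanners(CONN_LOG))
    print("dynamic DNS lookups:", dyndns_queries(DNS_LOG))
```

Tune `threshold` and `window` to the site's normal administrative SSH fan-out before alerting on the result.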
4. Behavior Analysis
4.1 Suspicious Executables
1. /root/analyzed_bin (deleted)
Behavior:
- The executable /root/analyzed_bin was observed running but subsequently deleted itself.
- This self-deletion tactic is commonly used by malware to evade detection, making forensic analysis difficult.
- The process might have been executed, performed malicious actions, and then removed itself from the disk to prevent security tools from detecting it.
Possible Threats:
- This could indicate a trojan, rootkit, or custom exploit tool used by an attacker.
- The executable might have been deployed via a compromised user account or a vulnerability in a service.
- Since it ran from /root/, it suggests the attacker may have had root access or that privilege escalation was achieved.
Mitigation Steps:
- Check process logs (/var/log/syslog, /var/log/messages) for any activity related to this executable.
- Investigate the system's bash history (~/.bash_history) to see how it was executed.
- Use memory forensics tools (such as Volatility) to analyze remnants of the deleted binary.
- Audit root user access to identify unauthorized logins or privilege escalation attempts.
2. Hijacked httpd Processes
Behavior:
- Multiple instances of httpd (Apache web server) were running in a suspicious manner.
- This could indicate that an attacker has injected malicious code into the web server processes.
- Attackers often hijack legitimate services to blend in and persist without detection.
Possible Threats:
- Web Shell Injection: A web shell could have been uploaded and executed via a vulnerable web application.
- Process Injection: Malware might have been injected into Apache processes to execute commands.
- Crypto Mining: Hijacked processes could be used for cryptocurrency mining.
- Data Exfiltration: Attackers may use hijacked httpd processes to exfiltrate sensitive data from the server.
Mitigation Steps:
- Inspect running httpd processes using ps aux | grep httpd to check for unusual resource usage or unexpected parent processes.
- Examine Apache logs (/var/log/httpd/access.log, /var/log/httpd/error.log) for suspicious requests.
- Check active network connections (netstat -tulnp or ss -tulnp) to identify unauthorized remote access.
- Run ls -l /proc/<PID>/exe for each httpd process to verify that it points to the legitimate binary.
- Perform an integrity check of Apache files using rpm -V httpd (for RPM-based systems) or debsums httpd (for Debian-based systems).
- Restart Apache (systemctl restart httpd) after verifying configurations and checking for rootkits.
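An added example (not from the report) of the /proc/<PID>/exe check in the httpd mitigation steps, which also catches the self-deleted /root/analyzed_bin case from item 1: the kernel appends " (deleted)" to the link target of a running binary that has been unlinked, and the file contents stay readable through that link until the process exits. The expected httpd path and the sample process table are assumptions.

```python
import os

# Expected on-disk binary per monitored service. Assumption: Apache is packaged
# as httpd on an RPM-based host (Debian/Ubuntu ship /usr/sbin/apache2 instead).
EXPECTED_EXE = {"httpd": {"/usr/sbin/httpd"}}

def classify_exe_target(comm: str, exe_target: str) -> str:
    """Classify the readlink(/proc/<pid>/exe) result for a process named `comm`."""
    if exe_target.endswith(" (deleted)"):
        # Binary removed from disk while still running (the self-deletion case).
        # Its contents are still readable via /proc/<pid>/exe until the process exits.
        return "deleted-binary"
    expected = EXPECTED_EXE.get(comm)
    if expected is None:
        return "unmonitored"      # no baseline for this service name
    return "ok" if exe_target in expected else "unexpected-path"

def audit_proc_table(entries):
    """entries: iterable of (pid, comm, exe_target). Return (pid, comm, exe_target,
    verdict) for every process that is neither ok nor unmonitored."""
    findings = []
    for pid, comm, exe in entries:
        verdict = classify_exe_target(comm, exe)
        if verdict not in ("ok", "unmonitored"):
            findings.append((pid, comm, exe, verdict))
    return findings

def live_proc_entries():
    """Read (pid, comm, exe_target) for every process in /proc on a Linux host.
    Run as root: readlink on another user's exe fails and that process is skipped."""
    entries = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue              # kernel threads have no exe; EACCES for other uids
        entries.append((int(pid), comm, exe))
    return entries

# Constructed sample modelled on this section's findings (not data from the report).
SAMPLE = [
    (1200, "httpd", "/usr/sbin/httpd"),                      # legitimate worker
    (1340, "httpd", "/tmp/.x/httpd"),                        # same name, wrong path
    (2210, "analyzed_bin", "/root/analyzed_bin (deleted)"),  # self-deleted binary
]
```

`audit_proc_table(live_proc_entries())` runs the same check against the live host; copy a flagged deleted binary out with `cp /proc/<PID>/exe` before killing the process so it can be hashed and analysed.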
4.2 Malware Persistence Mechanisms:
Malware employs various techniques to remain undetected and maintain control over infected systems:
- Self-deletion: Erases itself after execution to avoid forensic analysis.
- DNS queries to dynamic hosts: Uses domains like mirailover.ddns.net to maintain communication with command-and-control (C2) servers.
- Process tree manipulation: Alters its execution path to mimic legitimate system processes, making detection harder.
4.3 Malware Family Indicators:
Different malware families exhibit unique behaviors and threats:
- Trojan.Generic (High): Designed for credential theft and unauthorized remote access, often used for espionage or financial fraud.
- Worm/Linux.Mirai (High): A botnet-related worm that infects Linux-based IoT devices, enabling large-scale DDoS attacks and further propagation.
5. Indicators of Attack (IOA)
1. Unusual Outbound SSH Traffic
- Observing multiple failed SSH login attempts suggests brute-force attacks, where attackers try to gain unauthorized access by guessing credentials.
- This activity is often linked to botnets or automated scripts attempting to compromise remote servers.
2. DNS Queries to Dynamic Domains
- The malware connects to dynamic DNS (DDNS) domains such as *.ddns.net, which are commonly used by threat actors to maintain communication with command-and-control (C2) servers.
- These domains allow attackers to update IP addresses dynamically, making it harder to block malicious traffic.
3. Execution of Suspicious ELF Binaries
- ELF (Executable and Linkable Format) binaries are commonly used in Linux environments.
- Finding self-deleting ELF executables indicates the presence of malware designed to erase traces after execution, preventing forensic analysis.
4. Creation of New System Processes
- The malware leverages persistence techniques by spawning new system processes that integrate with legitimate ones.
- This ensures continued execution after reboots and makes detection more difficult by blending into normal system activity.
6. Command and Control (C2)
1. C2 Mechanism
- The malware uses dynamic DNS (DDNS) services like mirailover.ddns.net to maintain communication with command-and-control (C2) servers.
- DDNS allows attackers to frequently change the IP address linked to a domain, making it harder to track and block malicious infrastructure.
2. Communication Protocols
- The malware likely utilizes SSH-based tunnels for secure communication with C2 servers.
- SSH tunneling encrypts traffic, helping the malware evade network security monitoring and detection systems.
3. Mitigation Strategies
- Block outbound DNS requests to known malicious DDNS domains to disrupt C2 communications.
- Monitor and analyze SSH traffic for unusual patterns, such as unauthorized tunnels or repeated failed login attempts.
- Implement endpoint detection to identify and block suspicious network activities associated with malware.
7. Advanced Persistent Threats (APT)
- APT Tactics Observed: Use of anti-analysis techniques, stealth communication via SSH, and DNS tunneling.
- Persistence Strategies: Malware remains active even after reboots, indicative of sophisticated APT actors.
- Mitigation: Implement strict network monitoring, threat intelligence feeds, and incident response plans.
8. Attack Execution Flow
1. Initial Infection: Malware delivered via phishing email, compromised SSH credentials, or exploited vulnerability.
2. Persistence Established: Malware installs itself in system directories, creates scheduled tasks, or modifies system files.
3. C2 Communication: Uses dynamic DNS to connect to C2 servers and receive instructions.
4. Lateral Movement: Attempts to spread within the network using brute-force SSH or exploiting vulnerabilities.
5. Data Exfiltration or DDoS Execution: Depending on intent, malware either steals data or launches attacks.
9. Recommendations
9.1 Immediate Actions
- Block outbound SSH traffic to unknown hosts.
- Restrict DNS queries to dynamic domains (*.ddns.net).
- Isolate and analyze ELF binaries in a sandboxed environment.
9.2 Detection and Response
- Deploy EDR (Endpoint Detection and Response) for real-time monitoring.
- Enforce strict firewall policies against known malicious IPs.
- Regularly update security signatures for IDS/IPS.
9.3 Long-term Strategies
- Enhance threat intelligence monitoring.
- Conduct periodic security audits and penetration testing.
- Train employees on phishing and social engineering awareness.
10. Harmfulness of the IP Address
1. Flagged as Malicious by Multiple Security Vendors
- The malware or domain has been identified as a threat by various cybersecurity vendors and threat intelligence platforms.
- Detection across multiple engines suggests a high confidence level in its malicious nature.
- Common classifications include Trojan, Worm, or Botnet-related malware, often used for credential theft, remote access, or system compromise.
2. Associated with Phishing, Malware Distribution, and SSH Brute-Force Attempts
- Phishing: Used to deliver malicious payloads via deceptive emails or fake login pages, tricking users into revealing credentials.
- Malware Distribution: The infrastructure may be hosting or spreading malware such as Trojans, ransomware, or worms to compromise systems.
- SSH Brute-Force Attempts: Attackers use automated scripts to attempt multiple SSH logins, aiming to gain unauthorized access to vulnerable systems.
3. Active in Botnet Operations and Data Exfiltration
- Botnet Activity: The infected devices may be part of a botnet, used for DDoS attacks, spam campaigns, or further malware propagation.
- Data Exfiltration: The malware may be stealing sensitive information such as credentials, financial data, or proprietary documents, transmitting it to remote servers controlled by threat actors.
11. Conclusion
The analyzed indicators confirm that the identified threats pose a significant cybersecurity risk. Immediate steps must be taken to block malicious traffic, update security controls, and implement proactive monitoring to mitigate these threats effectively.