The hypothesis is that the detection identifies adversary activity involving URLs tagged "elf" by URLhaus. Note that "elf" is not a malware family name: it is the URLhaus tag for Linux ELF binaries, and the file names in the list below (one build per CPU architecture: mips, mipsel, arm, ppc, x86, m68k, sh4) follow the pattern of a Linux/IoT botnet loader that serves the payload matching the victim's architecture. A hit therefore usually means a Linux host or network appliance has already been compromised and is fetching its second stage, rather than a user clicking a phishing link. SOC teams should proactively hunt for these addresses in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises that rely on this known malicious infrastructure.
IOC Summary
Threat: elf
Total URLs: 18
Active URLs: 18
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://94.156.152.234:8080/i686 | online | malware_download | 2026-05-09 |
| hxxp://94.156.152.234:8080/mips | online | malware_download | 2026-05-09 |
| hxxp://94.156.152.234:8080/ppc64 | online | malware_download | 2026-05-09 |
| hxxp://94.156.152.234:8080/x86 | online | malware_download | 2026-05-09 |
| hxxp://94.156.152.234:8080/mipsel | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.sh4 | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.mpsl | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/ARMV4L | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.spc | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.ppc | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/ARMV5L | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.m68k | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.x86 | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.ppc440 | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/MIPS | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/ARMV7L | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/ARMV6L | online | malware_download | 2026-05-09 |
| hxxp://176.65.139.165/manji.i486 | online | malware_download | 2026-05-09 |
// Hunt for DNS resolutions that return a URLhaus IOC address
// Threat: elf (Linux ELF payloads)
// The indicators are bare IP addresses, not domains, so match on the
// resolved address (IPAddresses) rather than on the queried name (Name):
// a query name never contains the IP unless it is a reverse lookup.
let malicious_ips = dynamic(["94.156.152.234", "176.65.139.165"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for web/firewall traffic to URLhaus IOC addresses
// Threat: elf
// Downloads by raw IP produce no DNS query at all, so this is the primary
// check; match on the destination address as well as the request URL.
let malicious_ips = dynamic(["94.156.152.234", "176.65.139.165"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by the CEF connector from firewalls and proxies; needs DestinationIP and, for the URL match, RequestURL) |
| DnsEvents | Ensure this data connector is enabled (populated by the DNS connector; only covers clients that resolve names through the monitored DNS servers) |
The two queries above match only the two listed IP addresses. A hit on those addresses should never be suppressed by a path, query-string or source-range exclusion: the path and query string are attacker-controlled, and every hit will originate from an internal client address. The exclusions below apply only if the hunt is broadened to generic ELF downloads, and each one is scoped to the trusted destination host rather than to the client.
Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known safe "elf" file hosted on a test server.
Filter/Exclusion: Exclude requests whose DestinationHostName ends with internal.test. Do not apply a regex such as .*internal\.test.* to the whole RequestURL, since an attacker can place that string in the path or query string of a request to a malicious host.
Scenario: A scheduled job runs a nightly backup script that downloads a .elf file from a secure internal repository for archive purposes.
Filter/Exclusion: Exclude requests whose destination is the backup repository host. Do not exclude on the path /backup/ (trivially spoofable) or on the source range 10.0.0.0/8, which would suppress nearly every internal client and therefore every real hit.
Scenario: A developer is using a tool like strace or gdb to debug a local .elf binary, which is part of a development environment.
Filter/Exclusion: No exclusion is needed for the queries above, since local debugging produces no DNS or web traffic. It only becomes relevant if the hunt is joined with process telemetry, in which case exclude processes whose command line includes strace, gdb or another debugger and that make no outbound connection.
Scenario: A security team is performing a red team exercise and uses a legitimate .elf file as part of a controlled phishing simulation.
Filter/Exclusion: Triage hits against the exercise's deconfliction list (its hosting infrastructure, the 192.168.100.0/24 red team range and the agreed time window) rather than suppressing them. Do not exclude on a query parameter such as simulate=true, which any attacker can append.
Scenario: A system is running a scheduled job to update a software repository, which includes downloading .elf files from a trusted internal package manager mirror such as apt or yum.
Filter/Exclusion: Exclude requests whose destination host is the internal mirror (e.g., repo.internal.example.com). Do not rely on a generic "known update process" label; if it cannot be expressed as a destination host or a specific process on a specific host, it is not a usable exclusion.
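The following Python script is an added example and is not code from the original hunt page or from URLhaus. It ties the two parts of the page together: it parses IOC rows in the table's own "url | status | threat | date" layout into an indicator set, renders the KQL `let` line used by the queries above, and then runs the same match logic over a handful of constructed CommonSecurityLog-style records with a destination-scoped allowlist. It goes one step beyond the page's IOC-only queries by adding a weaker ".elf path" signal, so that the exclusion rule has something to act on; the IOC subset, the record contents, the allowlist entry `repo.internal.example.com` and the function names are all constructed for illustration.

```python
"""Parse URLhaus-style IOC rows, emit the Sentinel `let` line, and hunt
over constructed proxy records. Example code, not the page's own."""
import json
from urllib.parse import urlsplit

# Constructed subset of the page's IOC table (defanged scheme, same layout).
IOC_ROWS = """\
hxxp://94.156.152.234:8080/i686 | online | malware_download | 2026-05-09
hxxp://94.156.152.234:8080/mips | online | malware_download | 2026-05-09
hxxp://176.65.139.165/manji.x86 | online | malware_download | 2026-05-09
hxxp://176.65.139.165/ARMV7L | online | malware_download | 2026-05-09
"""

def refang(url: str) -> str:
    """Restore the scheme of a defanged URL so urlsplit() can parse it."""
    for bad, good in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.startswith(bad):
            return good + url[len(bad):]
    return url

def parse_iocs(text: str):
    """Return (hosts, url_keys): the set of IOC hosts and the set of
    (host, port, path) tuples, one per IOC URL. Offline rows are kept,
    since a retrospective hunt still wants them."""
    hosts, url_keys = set(), set()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4 or not fields[0]:
            continue  # skip blank or malformed rows
        p = urlsplit(refang(fields[0]))
        hosts.add(p.hostname)
        url_keys.add((p.hostname, p.port or 80, p.path))
    return hosts, url_keys

def kql_let(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array of strings."""
    return f"let {name} = dynamic({json.dumps(sorted(values))});"

# Constructed records shaped like a few CommonSecurityLog columns.
RECORDS = [
    {"SourceIP": "10.20.30.40", "DestinationIP": "94.156.152.234",
     "RequestURL": "http://94.156.152.234:8080/arm7", "DeviceAction": "allow"},
    {"SourceIP": "192.168.100.7", "DestinationIP": "176.65.139.165",
     "RequestURL": "http://176.65.139.165/manji.x86?simulate=true", "DeviceAction": "block"},
    {"SourceIP": "10.0.5.9", "DestinationIP": "10.0.0.20",
     "RequestURL": "http://repo.internal.example.com/pool/main/tool.elf", "DeviceAction": "allow"},
    {"SourceIP": "10.0.5.9", "DestinationIP": "203.0.113.10",
     "RequestURL": "https://cdn.example.net/update/agent.elf", "DeviceAction": "allow"},
]

# Constructed allowlist: trusted *destination* hosts only, never source ranges.
ALLOWED_DESTINATIONS = frozenset({"repo.internal.example.com"})

def hunt(records, hosts, url_keys, allowed_destinations=frozenset()):
    """Return the records that match, each tagged with a Reason:
    ioc_url  - exact listed URL (host, port, path)
    ioc_host - listed host, new file name (same loader, different build)
    elf_path - weaker heuristic: any download whose path ends in .elf
    Only elf_path hits can be excluded, and only by destination host;
    an IOC hit survives whatever the source IP or query string says."""
    hits = []
    for r in records:
        p = urlsplit(r["RequestURL"])
        dest_host = p.hostname or r["DestinationIP"]
        port = p.port or (443 if p.scheme == "https" else 80)
        if r["DestinationIP"] in hosts or dest_host in hosts:
            reason = "ioc_url" if (dest_host, port, p.path) in url_keys else "ioc_host"
        elif p.path.lower().endswith(".elf"):
            if dest_host in allowed_destinations:
                continue  # trusted internal mirror or test server
            reason = "elf_path"
        else:
            continue
        hits.append({**r, "Reason": reason})
    return hits

if __name__ == "__main__":
    ioc_hosts, ioc_urls = parse_iocs(IOC_ROWS)
    print(kql_let("malicious_ips", ioc_hosts))
    for hit in hunt(RECORDS, ioc_hosts, ioc_urls, ALLOWED_DESTINATIONS):
        print(hit["Reason"], hit["SourceIP"], "->", hit["RequestURL"])
```

The record from the red team range (192.168.100.7) with `simulate=true` appended still surfaces as `ioc_url`, and the request to a new file name on 94.156.152.234 surfaces as `ioc_host`, which is the case a per-URL watchlist would miss when the loader is rebuilt; only the download from the allowlisted internal mirror is dropped.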