
Linux Analysis Report
D8OrlQhDGl.elf

Overview

General Information

Sample name: D8OrlQhDGl.elf
renamed because original name is a hash value
Original sample name: 6f35026b7878d58d950acd326f7ed635.elf
Analysis ID: 1419331
MD5: 6f35026b7878d58d950acd326f7ed635
SHA1: bde4dee977e3ef3677317a1d7a45f96e963a83b2
SHA256: 559ce9dfd20ba48e25172ab780cb3e50e318ad5cdc4410a1b86498b9e1c9de95
Tags: 32 elf intel mirai

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1419331
Start date and time: 2024-04-03 14:25:49 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: D8OrlQhDGl.elf
renamed because original name is a hash value
Original Sample Name: 6f35026b7878d58d950acd326f7ed635.elf
Detection: MAL
Classification: mal68.troj.linELF@0/0@2/0
Command: /tmp/D8OrlQhDGl.elf
PID: 5470
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
i promise you its fine
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the sample file:
Source: D8OrlQhDGl.elf | Rule: JoeSecurity_Mirai_8 | Description: Yara detected Mirai | Author: Joe Security
Source: D8OrlQhDGl.elf | Rule: Linux_Trojan_Mirai_5f7b67b8 | Description: unknown | Author: unknown
  • 0xa604:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Source: D8OrlQhDGl.elf | Rule: Linux_Trojan_Mirai_389ee3e9 | Description: unknown | Author: unknown
  • 0x9823:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
Source: D8OrlQhDGl.elf | Rule: Linux_Trojan_Mirai_cc93863b | Description: unknown | Author: unknown
  • 0x7d65:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Source: D8OrlQhDGl.elf | Rule: Linux_Trojan_Mirai_8aa7b5d3 | Description: unknown | Author: unknown
  • 0x59c2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88

Yara matches on process memory dumps:
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp | Rule: JoeSecurity_Mirai_8 | Description: Yara detected Mirai | Author: Joe Security
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp | Rule: Linux_Trojan_Mirai_5f7b67b8 | Description: unknown | Author: unknown
  • 0xa604:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp | Rule: Linux_Trojan_Mirai_389ee3e9 | Description: unknown | Author: unknown
  • 0x9823:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp | Rule: Linux_Trojan_Mirai_cc93863b | Description: unknown | Author: unknown
  • 0x7d65:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp | Rule: Linux_Trojan_Mirai_8aa7b5d3 | Description: unknown | Author: unknown
  • 0x59c2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
      No Snort rule has matched


      AV Detection

Source: D8OrlQhDGl.elf | ReversingLabs: Detection: 50%
Source: D8OrlQhDGl.elf | Virustotal: Detection: 39%
Source: D8OrlQhDGl.elf | Joe Sandbox ML: detected
Source: D8OrlQhDGl.elf | String: /proc/%d/maps.arm.mips.mpsl.x86/proc//proc/self/exewgetftpgettftprebootcurl/proc/proc/%s/cmdline1
Source: global traffic | TCP traffic: 192.168.2.14:53460 -> 185.196.9.193:6666
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.9.193 (this finding is listed 50 times in the report)
Source: unknown | DNS traffic detected: queries for: daisy.ubuntu.com
Source: D8OrlQhDGl.elf | String found in binary or memory: http://fast.no/support/crawler.asp)
Source: D8OrlQhDGl.elf | String found in binary or memory: http://feedback.redkolibri.com/
Source: D8OrlQhDGl.elf | String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: D8OrlQhDGl.elf | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: D8OrlQhDGl.elf | String found in binary or memory: http://www.billybobbot.com/crawler/)

      System Summary

Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: ELF static info symbol of initial sample | .symtab present: no
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: D8OrlQhDGl.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine | Classification label: mal68.troj.linELF@0/0@2/0
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908491/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908371/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909267/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909187/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909067/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909259/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908443/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909139/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908923/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909019/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909339/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908803/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909291/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909091/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908683/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909211/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908563/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909331/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908995/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908875/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908515/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908755/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908635/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909163/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909043/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909283/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908395/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909363/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909243/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909315/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909235/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908467/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908587/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909115/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908827/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908707/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908947/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909355/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908731/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908611/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908971/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908851/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908779/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152909307/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908659/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908899/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908419/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5472) | File opened: /proc/152908539/maps
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3760/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3761/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/1583/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/2672/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/110/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3759/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/111/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/112/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/113/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/234/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/1577/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/114/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/235/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/115/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/116/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/117/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/118/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/119/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/10/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/917/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/11/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/12/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/13/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/14/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/15/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/16/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/17/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/18/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/19/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/1593/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/240/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/120/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3094/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/121/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/242/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3406/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/1/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/122/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/243/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/2/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/123/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/244/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/1589/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/124/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/245/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/1588/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/125/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/4/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/246/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/3402/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/126/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/5/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/247/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/127/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/6/cmdline
Source: /tmp/D8OrlQhDGl.elf (PID: 5473) | File opened: /proc/248/cmdline

      Stealing of Sensitive Information

Source: Yara match | File source: D8OrlQhDGl.elf, type: SAMPLE
Source: Yara match | File source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample | User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample | User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample | User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample | User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample | User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

      Remote Access Functionality

      Source: Yara match | File source: D8OrlQhDGl.elf, type: SAMPLE
      Source: Yara match | File source: 5474.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
      Source: Yara match | File source: 5471.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
      Source: Yara match | File source: 5470.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
      MITRE ATT&CK Matrix (per tactic; a number in parentheses is the count of matched signatures for that technique)

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
      Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
      Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
      Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
      Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information; Binary Padding
      Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS
      Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
      Command and Control: Data Obfuscation (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
      No configs have been found
      Behavior Graph (ID 1419331; sample D8OrlQhDGl.elf; start date 03/04/2024; architecture LINUX; score 68)

      Process tree: D8OrlQhDGl.elf starts a child D8OrlQhDGl.elf, which starts three further D8OrlQhDGl.elf processes; one of those starts one more D8OrlQhDGl.elf.
      Network nodes: 185.196.9.193 (ports 53460, 53462, 53464; SIMPLECARRIERCH, Switzerland); daisy.ubuntu.com
      Signatures attached to the root node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; Machine Learning detection for sample
      Source | Detection | Scanner | Label
      D8OrlQhDGl.elf | 50% | ReversingLabs | Linux.Trojan.LnxMirai
      D8OrlQhDGl.elf | 40% | Virustotal |
      D8OrlQhDGl.elf | 100% | Joe Sandbox ML |
      No Antivirus matches
      Source | Detection | Scanner | Label
      http://www.billybobbot.com/crawler/) | 100% | URL Reputation | phishing
      http://fast.no/support/crawler.asp) | 0% | URL Reputation | safe
      http://feedback.redkolibri.com/ | 0% | URL Reputation | safe


      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      daisy.ubuntu.com | 162.213.35.25 | true | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.baidu.com/search/spider.html) | D8OrlQhDGl.elf | false | | high
        http://www.billybobbot.com/crawler/) | D8OrlQhDGl.elf | true | URL Reputation: phishing | unknown
        http://fast.no/support/crawler.asp) | D8OrlQhDGl.elf | false | URL Reputation: safe | unknown
        http://feedback.redkolibri.com/ | D8OrlQhDGl.elf | false | URL Reputation: safe | unknown
        http://www.baidu.com/search/spider.htm) | D8OrlQhDGl.elf | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            185.196.9.193 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | false
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            185.196.9.193 | Y2tzBVyXex.elf | malicious | Mirai |
            185.196.9.193 | 27RpVWZvbb.elf | malicious | Mirai |
            185.196.9.193 | ZrSV2me7r2.elf | malicious | Mirai |

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            daisy.ubuntu.com | NEl7fh6qgr.elf | malicious | Gafgyt, Mirai | 162.213.35.25
            daisy.ubuntu.com | Y2tzBVyXex.elf | malicious | Mirai | 162.213.35.25
            daisy.ubuntu.com | 27RpVWZvbb.elf | malicious | Mirai | 162.213.35.24
            daisy.ubuntu.com | jXqqEeYHRT.elf | malicious | Gafgyt, Mirai | 162.213.35.25
            daisy.ubuntu.com | SecuriteInfo.com.ELF.Pawns-B.22939.32545.elf | malicious | IPRoyal Pawns | 162.213.35.24
            daisy.ubuntu.com | SecuriteInfo.com.ELF.Pawns-B.8690.31893.elf | malicious | IPRoyal Pawns | 162.213.35.25
            daisy.ubuntu.com | SecuriteInfo.com.ELF.IPRoyal-A.22413.12324.elf | malicious | IPRoyal Pawns | 162.213.35.24
            daisy.ubuntu.com | logt3M31Ho.elf | malicious | Mirai, Okiru | 162.213.35.24
            daisy.ubuntu.com | kCyvYHV7F1.elf | malicious | Mirai, Moobot | 162.213.35.25
            daisy.ubuntu.com | 5smI0bod9g.elf | malicious | Gafgyt, Mirai | 162.213.35.25

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            SIMPLECARRIERCH | Y2tzBVyXex.elf | malicious | Mirai | 185.196.9.193
            SIMPLECARRIERCH | 27RpVWZvbb.elf | malicious | Mirai | 185.196.9.193
            SIMPLECARRIERCH | ZrSV2me7r2.elf | malicious | Mirai | 185.196.9.193
            SIMPLECARRIERCH | dekont.exe | malicious | AgentTesla, PureLog Stealer | 185.196.11.12
            SIMPLECARRIERCH | gfYewT10Hk.exe | malicious | Quasar | 185.196.10.233
            SIMPLECARRIERCH | 9sSx6u3Hhp.exe | malicious | AsyncRAT | 185.196.10.233
            SIMPLECARRIERCH | tdsWKDnPqg.exe | malicious | Quasar | 185.196.10.233
            SIMPLECARRIERCH | govFLMmsZl.exe | malicious | PureLog Stealer, Quasar, zgRAT | 185.196.10.233
            SIMPLECARRIERCH | 1m70ggeepT.exe | malicious | Remcos | 185.196.11.223
            SIMPLECARRIERCH | file.exe | malicious | AsyncRAT | 185.196.11.223
                  No context
                  No created / dropped files found
                  File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
                  Entropy (8bit):6.673274288779359
                  TrID:
                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                  File name:D8OrlQhDGl.elf
                  File size:67'212 bytes
                  MD5:6f35026b7878d58d950acd326f7ed635
                  SHA1:bde4dee977e3ef3677317a1d7a45f96e963a83b2
                  SHA256:559ce9dfd20ba48e25172ab780cb3e50e318ad5cdc4410a1b86498b9e1c9de95
                  SHA512:00de1e7c9ab1fc9abc399ee185d57f0cf1eecbb362f78390596f296996734905deb03417050acb344c1cdf3a770c3d339eb937f206622ff5d37dee1197d6991b
                  SSDEEP:1536:UNoolhNNoKVp4nvb3FISTrZ/xWFSqco8u5hM:AdvbVMvb3aSHlwxcW5hM
                  TLSH:59635CCFD643C9B0E91909712126FB16C732E73B449ADA57D7885872DC22A12D317BDC
                  File Content Preview:.ELF....................d...4...........4. ...(..........................................................l..........Q.td............................U..S.......[....h........[]...$.............U......=.....t..5....$......$.......u........t....h............

                  ELF header

                  Class:ELF32
                  Data:2's complement, little endian
                  Version:1 (current)
                  Machine:Intel 80386
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:UNIX - System V
                  ABI Version:0
                  Entry Point Address:0x8048164
                  Flags:0x0
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:66812
                  Section Header Size:40
                  Number of Section Headers:10
                  Header String Table Index:9
                  Section headers

                  Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
                  | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
                  .init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
                  .text | PROGBITS | 0x80480b0 | 0xb0 | 0xcc36 | 0x0 | 0x6 | AX | 0 | 0 | 16
                  .fini | PROGBITS | 0x8054ce6 | 0xcce6 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
                  .rodata | PROGBITS | 0x8054d00 | 0xcd00 | 0x33e0 | 0x0 | 0x2 | A | 0 | 0 | 32
                  .ctors | PROGBITS | 0x80590e4 | 0x100e4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .dtors | PROGBITS | 0x80590ec | 0x100ec | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .data | PROGBITS | 0x8059120 | 0x10120 | 0x39c | 0x0 | 0x3 | WA | 0 | 0 | 32
                  .bss | NOBITS | 0x80594c0 | 0x104bc | 0x6904 | 0x0 | 0x3 | WA | 0 | 0 | 32
                  .shstrtab | STRTAB | 0x0 | 0x104bc | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

                  Program headers

                  Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
                  LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x100e0 | 0x100e0 | 6.7111 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata
                  LOAD | 0x100e4 | 0x80590e4 | 0x80590e4 | 0x3d8 | 0x6ce0 | 4.0221 | 0x6 | RW | 0x1000 | | .ctors .dtors .data .bss
                  GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |


                  • Total Packets: 94
                  • 6666 undefined
                  • 53 (DNS)
                  TCP packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Apr 3, 2024 14:26:33.281232119 CEST | 53460 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:33.524310112 CEST | 6666 | 53460 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:33.524367094 CEST | 53460 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:33.524424076 CEST | 53460 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:33.767446041 CEST | 6666 | 53460 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:33.767640114 CEST | 6666 | 53460 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:33.767652988 CEST | 6666 | 53460 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:33.767679930 CEST | 53460 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:34.012881994 CEST | 6666 | 53460 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:42.767755032 CEST | 53462 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:43.010930061 CEST | 6666 | 53462 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:43.011069059 CEST | 53462 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:43.011116982 CEST | 53462 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:43.256035089 CEST | 6666 | 53462 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:43.256061077 CEST | 6666 | 53462 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:43.256073952 CEST | 6666 | 53462 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:43.256131887 CEST | 53462 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:43.499231100 CEST | 6666 | 53462 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:52.256277084 CEST | 53464 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:52.499850035 CEST | 6666 | 53464 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:52.499949932 CEST | 53464 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:52.499982119 CEST | 53464 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:52.743346930 CEST | 6666 | 53464 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:52.743383884 CEST | 6666 | 53464 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:52.743417978 CEST | 6666 | 53464 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:26:52.743447065 CEST | 53464 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:26:52.986887932 CEST | 6666 | 53464 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:01.743645906 CEST | 53466 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:01.986040115 CEST | 6666 | 53466 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:01.986387968 CEST | 53466 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:01.986387968 CEST | 53466 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:02.230768919 CEST | 6666 | 53466 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:02.230844975 CEST | 6666 | 53466 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:02.230859041 CEST | 6666 | 53466 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:02.231053114 CEST | 53466 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:02.473666906 CEST | 6666 | 53466 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:11.231221914 CEST | 53468 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:11.474598885 CEST | 6666 | 53468 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:11.474824905 CEST | 53468 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:11.474859953 CEST | 53468 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:11.717869997 CEST | 6666 | 53468 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:11.717890978 CEST | 6666 | 53468 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:11.717904091 CEST | 6666 | 53468 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:11.717995882 CEST | 53468 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:11.961366892 CEST | 6666 | 53468 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:20.718228102 CEST | 53470 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:20.961579084 CEST | 6666 | 53470 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:20.961787939 CEST | 53470 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:20.961816072 CEST | 53470 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:21.205100060 CEST | 6666 | 53470 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:21.205116987 CEST | 6666 | 53470 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:21.205128908 CEST | 6666 | 53470 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:21.205388069 CEST | 53470 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:21.448577881 CEST | 6666 | 53470 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:30.205720901 CEST | 53472 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:30.448854923 CEST | 6666 | 53472 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:30.449043989 CEST | 53472 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:30.449080944 CEST | 53472 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:30.692305088 CEST | 6666 | 53472 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:30.692352057 CEST | 6666 | 53472 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:30.692359924 CEST | 6666 | 53472 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:30.692591906 CEST | 53472 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:30.935792923 CEST | 6666 | 53472 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:39.693216085 CEST | 53474 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:39.939275026 CEST | 6666 | 53474 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:39.939558029 CEST | 53474 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:39.939634085 CEST | 53474 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:40.183067083 CEST | 6666 | 53474 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:40.183109999 CEST | 6666 | 53474 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:40.183149099 CEST | 6666 | 53474 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:40.183202028 CEST | 53474 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:40.426601887 CEST | 6666 | 53474 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:49.183495045 CEST | 53476 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:49.426192999 CEST | 6666 | 53476 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:49.426424980 CEST | 53476 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:49.426570892 CEST | 53476 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:49.669301987 CEST | 6666 | 53476 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:49.669317961 CEST | 6666 | 53476 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:49.669331074 CEST | 6666 | 53476 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:49.669441938 CEST | 53476 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:49.912148952 CEST | 6666 | 53476 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:58.669663906 CEST | 53478 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:58.912719965 CEST | 6666 | 53478 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:58.912899017 CEST | 53478 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:58.912965059 CEST | 53478 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:59.155586958 CEST | 6666 | 53478 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:59.155884027 CEST | 6666 | 53478 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:59.155935049 CEST | 6666 | 53478 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:27:59.155973911 CEST | 53478 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:27:59.398613930 CEST | 6666 | 53478 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:08.156397104 CEST | 53480 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:08.398828983 CEST | 6666 | 53480 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:08.399184942 CEST | 53480 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:08.399223089 CEST | 53480 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:08.645256042 CEST | 6666 | 53480 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:08.645297050 CEST | 6666 | 53480 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:08.645318031 CEST | 6666 | 53480 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:08.645474911 CEST | 53480 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:08.887777090 CEST | 6666 | 53480 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:17.645925999 CEST | 53482 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:17.889462948 CEST | 6666 | 53482 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:17.889612913 CEST | 53482 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:17.889662027 CEST | 53482 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:18.133061886 CEST | 6666 | 53482 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:18.133090973 CEST | 6666 | 53482 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:18.133104086 CEST | 6666 | 53482 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:18.133254051 CEST | 53482 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:18.376856089 CEST | 6666 | 53482 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:27.133569956 CEST | 53484 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:27.377041101 CEST | 6666 | 53484 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:27.377176046 CEST | 53484 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:27.377223969 CEST | 53484 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:27.621639967 CEST | 6666 | 53484 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:27.621674061 CEST | 6666 | 53484 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:27.621690035 CEST | 6666 | 53484 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:27.621743917 CEST | 53484 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:27.864923000 CEST | 6666 | 53484 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:36.622025967 CEST | 53486 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:36.865035057 CEST | 6666 | 53486 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:36.865206003 CEST | 53486 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:36.865252972 CEST | 53486 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:37.107669115 CEST | 6666 | 53486 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:37.107697964 CEST | 6666 | 53486 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:37.107712984 CEST | 6666 | 53486 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:37.107827902 CEST | 53486 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:37.350542068 CEST | 6666 | 53486 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:46.108063936 CEST | 53488 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:46.351593018 CEST | 6666 | 53488 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:46.351741076 CEST | 53488 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:46.351772070 CEST | 53488 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:46.595468998 CEST | 6666 | 53488 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:46.595487118 CEST | 6666 | 53488 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:46.595499039 CEST | 6666 | 53488 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:46.595602036 CEST | 53488 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:46.839288950 CEST | 6666 | 53488 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:55.595875025 CEST | 53490 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:55.838604927 CEST | 6666 | 53490 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:55.838864088 CEST | 53490 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:55.838881016 CEST | 53490 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:56.082176924 CEST | 6666 | 53490 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:56.082190037 CEST | 6666 | 53490 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:56.082201958 CEST | 6666 | 53490 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:28:56.082310915 CEST | 53490 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:28:56.325465918 CEST | 6666 | 53490 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:05.082601070 CEST | 53492 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:05.325517893 CEST | 6666 | 53492 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:05.325699091 CEST | 53492 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:05.325752020 CEST | 53492 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:05.568674088 CEST | 6666 | 53492 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:05.568717957 CEST | 6666 | 53492 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:05.568741083 CEST | 6666 | 53492 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:05.568872929 CEST | 53492 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:05.811559916 CEST | 6666 | 53492 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:14.569194078 CEST | 53494 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:14.812129021 CEST | 6666 | 53494 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:14.812241077 CEST | 53494 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:14.812292099 CEST | 53494 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:15.056235075 CEST | 6666 | 53494 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:15.056266069 CEST | 6666 | 53494 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:15.056309938 CEST | 6666 | 53494 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:15.056343079 CEST | 53494 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:15.299081087 CEST | 6666 | 53494 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:24.056447983 CEST | 53496 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:24.299515009 CEST | 6666 | 53496 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:24.299643993 CEST | 53496 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:24.299681902 CEST | 53496 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:24.542984962 CEST | 6666 | 53496 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:24.543001890 CEST | 6666 | 53496 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:24.543070078 CEST | 6666 | 53496 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:24.543098927 CEST | 53496 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:24.786212921 CEST | 6666 | 53496 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:33.543368101 CEST | 53498 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:33.787554979 CEST | 6666 | 53498 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:33.787822008 CEST | 53498 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:33.787822008 CEST | 53498 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:34.035330057 CEST | 6666 | 53498 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:34.035410881 CEST | 6666 | 53498 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:34.035430908 CEST | 6666 | 53498 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:34.035547972 CEST | 53498 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:34.279793978 CEST | 6666 | 53498 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:43.035715103 CEST | 53500 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:43.280523062 CEST | 6666 | 53500 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:43.280644894 CEST | 53500 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:43.280674934 CEST | 53500 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:43.524038076 CEST | 6666 | 53500 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:43.524061918 CEST | 6666 | 53500 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:43.524076939 CEST | 6666 | 53500 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:43.524163961 CEST | 53500 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:43.767277002 CEST | 6666 | 53500 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:52.524426937 CEST | 53502 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:52.767314911 CEST | 6666 | 53502 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:52.767442942 CEST | 53502 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:52.767549038 CEST | 53502 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:53.010346889 CEST | 6666 | 53502 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:53.010376930 CEST | 6666 | 53502 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:53.010421038 CEST | 6666 | 53502 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:29:53.010446072 CEST | 53502 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:29:53.258511066 CEST | 6666 | 53502 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:30:02.010792971 CEST | 53504 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:30:02.253695965 CEST | 6666 | 53504 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:30:02.253885984 CEST | 53504 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:30:02.253957987 CEST | 53504 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:30:02.496632099 CEST | 6666 | 53504 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:30:02.496663094 CEST | 6666 | 53504 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:30:02.496678114 CEST | 6666 | 53504 | 185.196.9.193 | 192.168.2.14
                  Apr 3, 2024 14:30:02.496786118 CEST | 53504 | 6666 | 192.168.2.14 | 185.196.9.193
                  Apr 3, 2024 14:30:02.739509106 CEST | 6666 | 53504 | 185.196.9.193 | 192.168.2.14

                  UDP packets (DNS)

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Apr 3, 2024 14:29:20.860728979 CEST | 36508 | 53 | 192.168.2.14 | 1.1.1.1
                  Apr 3, 2024 14:29:20.860774994 CEST | 34456 | 53 | 192.168.2.14 | 1.1.1.1
                  Apr 3, 2024 14:29:20.988285065 CEST | 53 | 36508 | 1.1.1.1 | 192.168.2.14
                  Apr 3, 2024 14:29:20.990195036 CEST | 53 | 34456 | 1.1.1.1 | 192.168.2.14

                  DNS queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Apr 3, 2024 14:29:20.860728979 CEST | 192.168.2.14 | 1.1.1.1 | 0x41d7 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                  Apr 3, 2024 14:29:20.860774994 CEST | 192.168.2.14 | 1.1.1.1 | 0xad87 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

                  DNS answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Apr 3, 2024 14:29:20.988285065 CEST | 1.1.1.1 | 192.168.2.14 | 0x41d7 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
                  Apr 3, 2024 14:29:20.988285065 CEST | 1.1.1.1 | 192.168.2.14 | 0x41d7 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                  System Behavior

                  Start time (UTC):12:26:32
                  Start date (UTC):03/04/2024
                  Path:/tmp/D8OrlQhDGl.elf
                  Arguments:/tmp/D8OrlQhDGl.elf
                  File size:67212 bytes
                  MD5 hash:6f35026b7878d58d950acd326f7ed635

                  Start time (UTC):12:26:32
                  Start date (UTC):03/04/2024
                  Path:/tmp/D8OrlQhDGl.elf
                  Arguments:-
                  File size:67212 bytes
                  MD5 hash:6f35026b7878d58d950acd326f7ed635

                  Start time (UTC):12:26:32
                  Start date (UTC):03/04/2024
                  Path:/tmp/D8OrlQhDGl.elf
                  Arguments:-
                  File size:67212 bytes
                  MD5 hash:6f35026b7878d58d950acd326f7ed635

                  Start time (UTC):12:26:32
                  Start date (UTC):03/04/2024
                  Path:/tmp/D8OrlQhDGl.elf
                  Arguments:-
                  File size:67212 bytes
                  MD5 hash:6f35026b7878d58d950acd326f7ed635

                  Start time (UTC):12:26:32
                  Start date (UTC):03/04/2024
                  Path:/tmp/D8OrlQhDGl.elf
                  Arguments:-
                  File size:67212 bytes
                  MD5 hash:6f35026b7878d58d950acd326f7ed635

                  Start time (UTC):12:26:32
                  Start date (UTC):03/04/2024
                  Path:/tmp/D8OrlQhDGl.elf
                  Arguments:-
                  File size:67212 bytes
                  MD5 hash:6f35026b7878d58d950acd326f7ed635