Edit tour

Linux Analysis Report
IBkWoEFOlH.elf

Overview

General Information

Sample name:	IBkWoEFOlH.elf renamed because original name is a hash value
Original sample name:	d6744b3d1944189efdf81e9faae5929aa01407f17768f4c59996804da095bf5a.elf
Analysis ID:	1425210
MD5:	31d7cae54418563352ab7150a1c39ac5
SHA1:	17c84a0c1353e5a4a213a2ab37ec77a643b5cda1
SHA256:	d6744b3d1944189efdf81e9faae5929aa01407f17768f4c59996804da095bf5a
Tags:	elf
Infos:

Detection

Mirai

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Sample deletes itself

Sample is packed with UPX

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Reads the 'hosts' file potentially containing internal network hosts

Sample contains only a LOAD segment without any section mappings

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1425210
Start date and time:	2024-04-12 20:43:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	IBkWoEFOlH.elf renamed because original name is a hash value
Original Sample Name:	d6744b3d1944189efdf81e9faae5929aa01407f17768f4c59996804da095bf5a.elf
Detection:	MAL
Classification:	mal88.spre.troj.evad.linELF@0/0@2/0

Warnings

VT rate limit hit for: IBkWoEFOlH.elf

Runtime Messages

Command:	/tmp/IBkWoEFOlH.elf
PID:	5436
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5414, Parent: 3580)

rm (PID: 5414, Parent: 3580, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.KKXipgzoA4 /tmp/tmp.LqiENZ6GHP /tmp/tmp.boPxTLcot7

dash New Fork (PID: 5416, Parent: 3580)

cat (PID: 5416, Parent: 3580, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.KKXipgzoA4

dash New Fork (PID: 5417, Parent: 3580)

head (PID: 5417, Parent: 3580, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5418, Parent: 3580)

tr (PID: 5418, Parent: 3580, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5419, Parent: 3580)

cut (PID: 5419, Parent: 3580, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5420, Parent: 3580)

cat (PID: 5420, Parent: 3580, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.KKXipgzoA4

dash New Fork (PID: 5421, Parent: 3580)

head (PID: 5421, Parent: 3580, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5422, Parent: 3580)

tr (PID: 5422, Parent: 3580, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5423, Parent: 3580)

cut (PID: 5423, Parent: 3580, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5424, Parent: 3580)

rm (PID: 5424, Parent: 3580, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.KKXipgzoA4 /tmp/tmp.LqiENZ6GHP /tmp/tmp.boPxTLcot7

IBkWoEFOlH.elf (PID: 5436, Parent: 5346, MD5: 31d7cae54418563352ab7150a1c39ac5) Arguments: /tmp/IBkWoEFOlH.elf

IBkWoEFOlH.elf New Fork (PID: 5437, Parent: 5436)

IBkWoEFOlH.elf New Fork (PID: 5438, Parent: 5436)

IBkWoEFOlH.elf New Fork (PID: 5440, Parent: 5438)

IBkWoEFOlH.elf New Fork (PID: 5441, Parent: 5438)

IBkWoEFOlH.elf New Fork (PID: 5442, Parent: 5438)

xfce4-panel New Fork (PID: 5468, Parent: 3147)

wrapper-2.0 (PID: 5468, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

xfce4-panel New Fork (PID: 5469, Parent: 3147)

wrapper-2.0 (PID: 5469, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

xfce4-panel New Fork (PID: 5470, Parent: 3147)

wrapper-2.0 (PID: 5470, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

xfce4-panel New Fork (PID: 5471, Parent: 3147)

wrapper-2.0 (PID: 5471, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

xfce4-panel New Fork (PID: 5472, Parent: 3147)

wrapper-2.0 (PID: 5472, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

xfce4-panel New Fork (PID: 5474, Parent: 3147)

wrapper-2.0 (PID: 5474, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5440.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5440.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0xf43:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x7530:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_93fc3657	unknown	unknown	0xfca:$a: 00 00 00 89 44 24 60 89 D1 31 C0 8B 7C 24 28 FC F3 AB 89 D1 8B 7C
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_99d78950	unknown	unknown	0x1a9d:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1b7d:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1c52:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1f00:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x2382:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_a68e498c	unknown	unknown	0xd8c:$a: 10 39 D0 7E 25 8B 4C 24 38 01 D1 8A 11 8D 42 9F 3C 19 77 05 8D
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc642:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xec89:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xd3f3:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5440.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc612:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
5437.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5437.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0xf43:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x7530:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_93fc3657	unknown	unknown	0xfca:$a: 00 00 00 89 44 24 60 89 D1 31 C0 8B 7C 24 28 FC F3 AB 89 D1 8B 7C
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_99d78950	unknown	unknown	0x1a9d:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1b7d:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1c52:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1f00:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x2382:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_a68e498c	unknown	unknown	0xd8c:$a: 10 39 D0 7E 25 8B 4C 24 38 01 D1 8A 11 8D 42 9F 3C 19 77 05 8D
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc642:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xec89:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xd3f3:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5437.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc612:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
5436.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5436.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0xf43:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x7530:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_93fc3657	unknown	unknown	0xfca:$a: 00 00 00 89 44 24 60 89 D1 31 C0 8B 7C 24 28 FC F3 AB 89 D1 8B 7C
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_99d78950	unknown	unknown	0x1a9d:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1b7d:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1c52:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x1f00:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00 0x2382:$a: 10 89 C3 80 BC 04 83 00 00 00 20 0F 94 C0 8D B4 24 83 00 00 00 25 FF 00
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_a68e498c	unknown	unknown	0xd8c:$a: 10 39 D0 7E 25 8B 4C 24 38 01 D1 8A 11 8D 42 9F 3C 19 77 05 8D
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc642:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xec89:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xd3f3:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5436.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc612:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: IBkWoEFOlH.elf PID: 5436	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Process Memory Space: IBkWoEFOlH.elf PID: 5437	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Process Memory Space: IBkWoEFOlH.elf PID: 5440	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Click to see the 34 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: IBkWoEFOlH.elf

ReversingLabs: Detection: 28%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 32.163.50.161 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 222.86.188.138 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 212.8.194.244 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 39.155.85.33 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 207.115.84.207 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 16.94.122.119 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 69.230.134.137 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 60.198.19.72 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 71.96.72.63 ports 2,5,6,8,9,52869

Source: global traffic	TCP traffic: 192.168.2.13:46002 -> 45.86.86.60:5555
Source: global traffic	TCP traffic: 192.168.2.13:38814 -> 200.153.75.90:8080
Source: global traffic	TCP traffic: 192.168.2.13:36380 -> 201.128.115.9:8080
Source: global traffic	TCP traffic: 192.168.2.13:60204 -> 189.35.118.162:8080
Source: global traffic	TCP traffic: 192.168.2.13:38760 -> 189.230.51.55:8080
Source: global traffic	TCP traffic: 192.168.2.13:40384 -> 200.52.185.47:8080
Source: global traffic	TCP traffic: 192.168.2.13:42492 -> 207.56.58.213:8080
Source: global traffic	TCP traffic: 192.168.2.13:34424 -> 39.155.85.33:52869
Source: global traffic	TCP traffic: 192.168.2.13:36794 -> 60.198.19.72:52869
Source: global traffic	TCP traffic: 192.168.2.13:33250 -> 207.115.84.207:52869
Source: global traffic	TCP traffic: 192.168.2.13:44268 -> 119.195.35.93:52869
Source: global traffic	TCP traffic: 192.168.2.13:43586 -> 16.94.122.119:52869
Source: global traffic	TCP traffic: 192.168.2.13:51650 -> 71.96.72.63:52869
Source: global traffic	TCP traffic: 192.168.2.13:53690 -> 69.230.134.137:52869
Source: global traffic	TCP traffic: 192.168.2.13:48816 -> 32.163.50.161:52869
Source: global traffic	TCP traffic: 192.168.2.13:43372 -> 212.8.194.244:52869
Source: global traffic	TCP traffic: 192.168.2.13:51796 -> 222.86.188.138:52869
Source: global traffic	TCP traffic: 192.168.2.13:41238 -> 214.103.170.241:8080
Source: global traffic	TCP traffic: 192.168.2.13:41106 -> 143.47.127.230:8080
Source: global traffic	TCP traffic: 192.168.2.13:55468 -> 187.150.19.59:8080
Source: global traffic	TCP traffic: 192.168.2.13:42726 -> 97.198.38.251:8080
Source: global traffic	TCP traffic: 192.168.2.13:40928 -> 128.29.133.159:8080
Source: global traffic	TCP traffic: 192.168.2.13:48768 -> 125.246.168.72:8080
Source: global traffic	TCP traffic: 192.168.2.13:44416 -> 206.232.211.164:8080
Source: global traffic	TCP traffic: 192.168.2.13:59214 -> 12.91.123.158:8080
Source: global traffic	TCP traffic: 192.168.2.13:47490 -> 162.38.144.111:8080
Source: global traffic	TCP traffic: 192.168.2.13:33722 -> 90.144.214.1:8080

Source: /tmp/IBkWoEFOlH.elf (PID: 5441)

Reads hosts file: /etc/hosts

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.13:57078 -> 89.33.1.138:80
Source: global traffic	TCP traffic: 192.168.2.13:50082 -> 183.58.232.100:80
Source: global traffic	TCP traffic: 192.168.2.13:42886 -> 145.223.114.199:80
Source: global traffic	TCP traffic: 192.168.2.13:50664 -> 212.252.57.209:80
Source: global traffic	TCP traffic: 192.168.2.13:51798 -> 1.132.39.168:80
Source: global traffic	TCP traffic: 192.168.2.13:40578 -> 147.105.28.181:80
Source: global traffic	TCP traffic: 192.168.2.13:45038 -> 214.103.170.241:80
Source: global traffic	TCP traffic: 192.168.2.13:54860 -> 143.47.127.230:80
Source: global traffic	TCP traffic: 192.168.2.13:38334 -> 187.150.19.59:80
Source: global traffic	TCP traffic: 192.168.2.13:49498 -> 97.198.38.251:80
Source: global traffic	TCP traffic: 192.168.2.13:49968 -> 128.29.133.159:80
Source: global traffic	TCP traffic: 192.168.2.13:49692 -> 125.246.168.72:80
Source: global traffic	TCP traffic: 192.168.2.13:55344 -> 206.232.211.164:80
Source: global traffic	TCP traffic: 192.168.2.13:35988 -> 12.91.123.158:80
Source: global traffic	TCP traffic: 192.168.2.13:40768 -> 162.38.144.111:80
Source: global traffic	TCP traffic: 192.168.2.13:34000 -> 90.144.214.1:80

Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 200.153.75.90
Source: unknown	TCP traffic detected without corresponding DNS query: 201.128.115.9
Source: unknown	TCP traffic detected without corresponding DNS query: 201.128.115.9
Source: unknown	TCP traffic detected without corresponding DNS query: 201.128.115.9
Source: unknown	TCP traffic detected without corresponding DNS query: 189.35.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 189.35.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 189.35.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 189.230.51.55
Source: unknown	TCP traffic detected without corresponding DNS query: 189.230.51.55
Source: unknown	TCP traffic detected without corresponding DNS query: 201.128.115.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 189.230.51.55
Source: unknown	TCP traffic detected without corresponding DNS query: 200.52.185.47
Source: unknown	TCP traffic detected without corresponding DNS query: 200.52.185.47
Source: unknown	TCP traffic detected without corresponding DNS query: 189.35.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 200.52.185.47
Source: unknown	TCP traffic detected without corresponding DNS query: 207.56.58.213
Source: unknown	TCP traffic detected without corresponding DNS query: 207.56.58.213
Source: unknown	TCP traffic detected without corresponding DNS query: 189.230.51.55
Source: unknown	TCP traffic detected without corresponding DNS query: 207.56.58.213
Source: unknown	TCP traffic detected without corresponding DNS query: 201.128.115.9
Source: unknown	TCP traffic detected without corresponding DNS query: 89.33.1.138
Source: unknown	TCP traffic detected without corresponding DNS query: 200.52.185.47
Source: unknown	TCP traffic detected without corresponding DNS query: 183.58.232.100
Source: unknown	TCP traffic detected without corresponding DNS query: 183.58.232.100
Source: unknown	TCP traffic detected without corresponding DNS query: 189.35.118.162
Source: unknown	TCP traffic detected without corresponding DNS query: 207.56.58.213
Source: unknown	TCP traffic detected without corresponding DNS query: 183.58.232.100
Source: unknown	TCP traffic detected without corresponding DNS query: 145.223.114.199
Source: unknown	TCP traffic detected without corresponding DNS query: 145.223.114.199
Source: unknown	TCP traffic detected without corresponding DNS query: 189.230.51.55
Source: unknown	TCP traffic detected without corresponding DNS query: 145.223.114.199
Source: unknown	TCP traffic detected without corresponding DNS query: 212.252.57.209
Source: unknown	TCP traffic detected without corresponding DNS query: 183.58.232.100
Source: unknown	TCP traffic detected without corresponding DNS query: 212.252.57.209
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.86.60
Source: unknown	TCP traffic detected without corresponding DNS query: 200.52.185.47
Source: unknown	TCP traffic detected without corresponding DNS query: 212.252.57.209
Source: unknown	TCP traffic detected without corresponding DNS query: 1.132.39.168
Source: unknown	TCP traffic detected without corresponding DNS query: 145.223.114.199
Source: unknown	TCP traffic detected without corresponding DNS query: 1.132.39.168
Source: unknown	TCP traffic detected without corresponding DNS query: 207.56.58.213
Source: unknown	TCP traffic detected without corresponding DNS query: 1.132.39.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.105.28.181
Source: unknown	TCP traffic detected without corresponding DNS query: 147.105.28.181

Source: unknown

DNS traffic detected: queries for: daisy.ubuntu.com

Source: IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://213.232.235.166/arm;chmod
Source: IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://213.232.235.166/arm;chmod$
Source: IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://213.232.235.166/mips
Source: IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://213.232.235.166/mips;chmod
Source: IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://213.232.235.166/mips;chmod$
Source: IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: IBkWoEFOlH.elf	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3104, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3161, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3162, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3163, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3164, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3165, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3170, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3182, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3208, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3212, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5468, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5469, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5470, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5471, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5472, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5474, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8048000

Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3104, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3161, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3162, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3163, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3164, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3165, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3170, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3182, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3208, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 3212, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5468, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5469, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5470, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5471, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5472, result: successful	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	SIGKILL sent: pid: 5474, result: successful	Jump to behavior

Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal88.spre.troj.evad.linELF@0/0@2/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 4.10 Copyright (C) 1996-2023 the UPX Team. All Rights Reserved. $

Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/5263/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/3762/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/IBkWoEFOlH.elf (PID: 5442)	File opened: /proc/816/cmdline	Jump to behavior

Source: /usr/bin/dash (PID: 5414)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.KKXipgzoA4 /tmp/tmp.LqiENZ6GHP /tmp/tmp.boPxTLcot7			Jump to behavior
Source: /usr/bin/dash (PID: 5424)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.KKXipgzoA4 /tmp/tmp.LqiENZ6GHP /tmp/tmp.boPxTLcot7			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/IBkWoEFOlH.elf (PID: 5436)

File: /tmp/IBkWoEFOlH.elf

Jump to behavior

Source: IBkWoEFOlH.elf	Submission file: segment LOAD with 7.7255 entropy (max. 8.0)
Source: IBkWoEFOlH.elf	Submission file: segment LOAD with 7.8794 entropy (max. 8.0)

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IBkWoEFOlH.elf PID: 5436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IBkWoEFOlH.elf PID: 5437, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IBkWoEFOlH.elf PID: 5440, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5440.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5436.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IBkWoEFOlH.elf PID: 5436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IBkWoEFOlH.elf PID: 5437, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IBkWoEFOlH.elf PID: 5440, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IBkWoEFOlH.elf	29%	ReversingLabs	Linux.Trojan.Multiverze

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://purenetworks.com/HNAP1/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://213.232.235.166/mips	IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		unknown
http://upx.sf.net	IBkWoEFOlH.elf	false		high
http://schemas.xmlsoap.org/soap/encoding/	IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		high
http://213.232.235.166/mips;chmod	IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		unknown
http://213.232.235.166/mips;chmod$	IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		unknown
http://213.232.235.166/arm;chmod	IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		unknown
http://purenetworks.com/HNAP1/	IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false	URL Reputation: safe	unknown
http://213.232.235.166/arm;chmod$	IBkWoEFOlH.elf, 5436.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5437.1.0000000008048000.000000000805e000.r-x.sdmp, IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	IBkWoEFOlH.elf, 5440.1.0000000008048000.000000000805e000.r-x.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
32.163.50.161	unknown	United States	2686	ATGS-MMD-ASUS	true
1.132.39.168	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
147.105.28.181	unknown	United States	22522	ULALAUNCHUS	false
143.47.127.230	unknown	Ireland	52019	ORCL-EMEA-ASSE	false
119.195.35.93	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
222.86.188.138	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
145.223.114.199	unknown	Netherlands	44074	VBA-ASNL	false
212.8.194.244	unknown	Germany	8925	TEUTONET-ASDE	true
90.144.214.1	unknown	Sweden	1257	TELE2EU	false
189.35.118.162	unknown	Brazil	28573	CLAROSABR	false
214.103.170.241	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
183.58.232.100	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
39.155.85.33	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	true
125.246.168.72	unknown	Korea Republic of	38402	GOESW-AS-KRGyeonggiProvincialSuwonOfficeofEducationK	false
162.38.144.111	unknown	France	2065	FR-RENATER-HDMONReseaumetropolitaindeMontpellierHDMON	false
207.56.58.213	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
207.115.84.207	unknown	United States	18530	ISOMEDIA-1US	true
200.153.75.90	unknown	Brazil	10429	TELEFONICABRASILSABR	false
189.230.51.55	unknown	Mexico	8151	UninetSAdeCVMX	false
16.94.122.119	unknown	United States	unknown	unknown	true
69.230.134.137	unknown	United States	7018	ATT-INTERNET4US	true
128.29.133.159	unknown	United States	5691	MITRE-AS-5US	false
200.52.185.47	unknown	Mexico	13999	MegaCableSAdeCVMX	false
45.86.86.60	unknown	Italy	205516	DALANETKZ	false
212.252.57.209	unknown	Turkey	34984	TELLCOM-ASTR	false
201.128.115.9	unknown	Mexico	8151	UninetSAdeCVMX	false
89.33.1.138	unknown	Netherlands	39855	MOD-EUNL	false
187.150.19.59	unknown	Mexico	8151	UninetSAdeCVMX	false
206.232.211.164	unknown	United States	174	COGENT-174US	false
60.198.19.72	unknown	Taiwan; Republic of China (ROC)	9924	TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi	true
71.96.72.63	unknown	United States	5650	FRONTIER-FRTRUS	true
97.198.38.251	unknown	United States	6167	CELLCO-PARTUS	false
12.91.123.158	unknown	United States	7018	ATT-INTERNET4US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.86.86.60	TbUvEkazXX.elf	Get hash	malicious	Mirai	Browse
	Zs2E7QU2o1.elf	Get hash	malicious	Mirai	Browse
	iZL9tIPlj3.elf	Get hash	malicious	Mirai	Browse
	u1rODethPQ.elf	Get hash	malicious	Mirai	Browse
	ov5s7QTVDN.elf	Get hash	malicious	Mirai	Browse
	yiq277KT17.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	Wp3NPf3O6P.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	VLhJ8JWLwO.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	UmUN8y2vQQ.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	ISYw3uFmjy.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	v23F3z3gG3.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	RYKFgaIc0U.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	GM3fsq2FfN.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	gLFBJp1onQ.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	X58tLsvafn.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORCL-EMEA-ASSE	x86	Get hash	malicious	Unknown	Browse	143.47.255.142
	8holJWXFZe.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	143.47.57.133
	https://app.mscomm.morningstar.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=none&utm_content=50143&s=1258972516&lid=68118&elqTrackId=965436743A762AADE10F1A3DCFCB8022&elq=1deb1977a88a46d28eb06bfebd04b660&elqaid=50143&elqat=1	Get hash	malicious	HTMLPhisher	Browse	143.47.125.171
	w7Sv91ASGi.elf	Get hash	malicious	Mirai	Browse	143.47.119.230
	Photo.scr.exe	Get hash	malicious	Xmrig	Browse	143.47.255.141
	https://prs.bubbl.tech/redirect/-/dns-postbank-bestsign/c1a75b3/Login.php	Get hash	malicious	Unknown	Browse	143.47.252.18
	v9lIRQBhwB.elf	Get hash	malicious	Mirai	Browse	143.47.207.206
	FXsBoE8VHL.elf	Get hash	malicious	Mirai	Browse	143.47.207.205
	3GBjmckMvq.elf	Get hash	malicious	Mirai, Moobot	Browse	143.47.207.212
	NBHQDUkuK8.elf	Get hash	malicious	Mirai	Browse	143.47.255.117
ASN-TELSTRATelstraCorporationLtdAU	g6W1NW8Q8t.elf	Get hash	malicious	Unknown	Browse	124.178.212.141
	Nc2zs66ZvW.elf	Get hash	malicious	Unknown	Browse	60.227.248.119
	HmBC8e0eux.elf	Get hash	malicious	Unknown	Browse	138.130.190.116
	AmB1BEuML9.elf	Get hash	malicious	Unknown	Browse	139.173.68.102
	x86	Get hash	malicious	Unknown	Browse	120.154.121.60
	Gq730kmpiE.elf	Get hash	malicious	Unknown	Browse	101.173.194.72
	xgyQlJrWjW.elf	Get hash	malicious	Mirai	Browse	1.146.46.92
	M0akqPlgtl.elf	Get hash	malicious	Mirai	Browse	139.134.64.227
	PLbUBC99tq.elf	Get hash	malicious	Mirai	Browse	110.147.37.3
	WLVELWn88h.elf	Get hash	malicious	Mirai	Browse	101.186.140.166
ULALAUNCHUS	3RIodZx5Hr.elf	Get hash	malicious	Mirai, Okiru	Browse	147.105.194.57
	kZX5U74quv.elf	Get hash	malicious	Mirai	Browse	147.105.169.16
	rehsc3y8Kc.elf	Get hash	malicious	Mirai	Browse	147.105.170.49
	QvDJbC4uaN	Get hash	malicious	Xmrig	Browse	147.105.121.77
	8e0nyWHFII.elf	Get hash	malicious	Mirai	Browse	147.105.194.23
	822oN1h72g.elf	Get hash	malicious	Mirai	Browse	147.105.246.145
	xIDAhc6fws.elf	Get hash	malicious	Mirai	Browse	147.105.39.188
	HoDXu8xCf7.elf	Get hash	malicious	Mirai	Browse	147.105.121.77
	if33NMq1O2.elf	Get hash	malicious	Mirai	Browse	147.105.8.216
	skid.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	147.105.111.168
ATGS-MMD-ASUS	http://www.sdmts.com/business-center/for-hire-vehicle-administration&c=E,1,pc5oom8YsW1RqHtANaUTLgMvd2z37r_4n-NR90jlF12Z7NyUKYXr1sKmCXY3dgMIENHwNl8jxylzX2garHrVx3wU2gE5fuDMBydZQ2COLEQJ&typo=1	Get hash	malicious	Unknown	Browse	34.36.216.150
	https://v30w0wo5w6cixye.blob.core.windows.net/v30w0wo5w6cixye/1.html?4CoMSo6562ujaA82wudcgedvic941PVMKUGXTEKPXJSL142904IJBS12196w15#15/82-6562/941-142904-12196	Get hash	malicious	HTMLPhisher	Browse	34.149.120.191
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	34.8.81.126
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	57.49.80.75
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	34.165.16.81
	https://sociallinks.lt.acemlnb.com/Prod/link-tracker?redirectUrl=aHR0cHMlM0ElMkYlMkZzb2NpYWxsaW5rcy5pbyUyRm9zaW50LXdlYmluYXJzJTJGd2ViaW5hci1lbmhhbmNpbmctYW1sLWludmVzdGlnYXRpb25zLXdpdGgtb3NpbnQlM0Z1dG1fc291cmNlJTNEZW1haWwlMjZ1dG1fbWVkaXVtJTNEd2ViaW5hciUyNnV0bV9jYW1wYWlnbiUzRGFtbF8wNF8yNA==&sig=bEXSTLMngghhoUjnhUiGrKrf6GsWGU1eAwJ54z8GbBH&iat=1712921684&a=%7C%7C612077526%7C%7C&account=sociallinks%2Eactivehosted%2Ecom&email=I4809riumLU7t4jf%2BoK9uHOsQeuYYw6CYkuCsQDv%3AFRtI69CZolNJDOUhiGMO%2BO9bqaecpEWw&s=f7847248dd0f6e35d5eb6514571a7081&i=993A1018A3A5488	Get hash	malicious	Unknown	Browse	34.36.213.229
	https://sociallinks.lt.acemlnb.com/Prod/link-tracker?redirectUrl=aHR0cHMlM0ElMkYlMkZzb2NpYWxsaW5rcy5pbyUyRm9zaW50LXdlYmluYXJzJTJGd2ViaW5hci1lbmhhbmNpbmctYW1sLWludmVzdGlnYXRpb25zLXdpdGgtb3NpbnQlM0Z1dG1fc291cmNlJTNEZW1haWwlMjZ1dG1fbWVkaXVtJTNEd2ViaW5hciUyNnV0bV9jYW1wYWlnbiUzRGFtbF8wNF8yNA==&sig=bEXSTLMngghhoUjnhUiGrKrf6GsWGU1eAwJ54z8GbBH&iat=1712921684&a=%7C%7C612077526%7C%7C&account=sociallinks%2Eactivehosted%2Ecom&email=I4809riumLU7t4jf%2BoK9uHOsQeuYYw6CYkuCsQDv%3AFRtI69CZolNJDOUhiGMO%2BO9bqaecpEWw&s=f7847248dd0f6e35d5eb6514571a7081&i=993A1018A3A5488	Get hash	malicious	Unknown	Browse	34.36.213.229
	https://sociallinks.lt.acemlnb.com/Prod/link-tracker?redirectUrl=aHR0cHMlM0ElMkYlMkZzb2NpYWxsaW5rcy5pbyUyRm9zaW50LXdlYmluYXJzJTJGd2ViaW5hci1lbmhhbmNpbmctYW1sLWludmVzdGlnYXRpb25zLXdpdGgtb3NpbnQlM0Z1dG1fc291cmNlJTNEZW1haWwlMjZ1dG1fbWVkaXVtJTNEd2ViaW5hciUyNnV0bV9jYW1wYWlnbiUzRGFtbF8wNF8yNA==&sig=bEXSTLMngghhoUjnhUiGrKrf6GsWGU1eAwJ54z8GbBH&iat=1712921684&a=%7C%7C612077526%7C%7C&account=sociallinks%2Eactivehosted%2Ecom&email=I4809riumLU7t4jf%2BoK9uHOsQeuYYw6CYkuCsQDv%3AFRtI69CZolNJDOUhiGMO%2BO9bqaecpEWw&s=f7847248dd0f6e35d5eb6514571a7081&i=993A1018A3A5488	Get hash	malicious	Unknown	Browse	34.36.213.229
	https://autode.sk/3TMJbtm	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	34.160.78.217
	5lrOsR7kdX.elf	Get hash	malicious	Mirai	Browse	51.80.11.191
KIXS-AS-KRKoreaTelecomKR	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	220.126.129.159
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	121.153.206.188
	NsMBSCHqbQ.elf	Get hash	malicious	Mirai	Browse	210.106.86.149
	g6W1NW8Q8t.elf	Get hash	malicious	Unknown	Browse	115.144.192.123
	68p3Nl7QRc.elf	Get hash	malicious	Unknown	Browse	118.61.195.245
	b936ul4d4L.elf	Get hash	malicious	Mirai	Browse	183.110.105.205
	SFTNQEBmOA.elf	Get hash	malicious	Unknown	Browse	115.19.205.137
	SecuriteInfo.com.Linux.Siggen.9999.29368.28955.elf	Get hash	malicious	Mirai	Browse	218.151.28.179
	Q8wCX4F69j.elf	Get hash	malicious	Mirai	Browse	14.83.31.70
	6UN4xYCTnf.elf	Get hash	malicious	Mirai	Browse	222.104.235.135

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.875242603979888
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	IBkWoEFOlH.elf
File size:	36'968 bytes
MD5:	31d7cae54418563352ab7150a1c39ac5
SHA1:	17c84a0c1353e5a4a213a2ab37ec77a643b5cda1
SHA256:	d6744b3d1944189efdf81e9faae5929aa01407f17768f4c59996804da095bf5a
SHA512:	8fb9ba7237252e36907ae738ab08a69f147d91d352d640b65b347bedca1eedd27d30315b9e7cca101742bbee93d9f3ed0f0c809652d9fc951284f366e147fcdf
SSDEEP:	768:oFetzn1Ew4Dbd/rKKJJ1tQbcWTZa6nTOdLc5vaf51bK2EffPJdy:CeEfdjDJTuckZa6nTYLc5vafan3vy
TLSH:	EBF2F1218267CEF9EF35C177075338881BC07A0267EB8A6D6F8AD265DB733059F45606
File Content Preview:	.ELF........................4...........4. .............................d....................P...P..H...H...........Q.td................................UPX!........4e..DX......`........?d..ELF.......d...m...4.\|c.. .(......m..-.#.DX...........`.....4.O.}..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x806d688
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	0
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x1000	0x1cd64	7.7255	0x6	RW	0x1000
LOAD	0x0	0x8065000	0x8065000	0x8f48	0x8f48	7.8794	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2024 20:43:49.446623087 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:43:49.658556938 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:43:49.658617973 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:43:49.658659935 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:43:49.870574951 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:43:49.870625973 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:43:50.082385063 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:43:50.462738037 CEST	38814	8080	192.168.2.13	200.153.75.90
Apr 12, 2024 20:43:50.670886993 CEST	8080	38814	200.153.75.90	192.168.2.13
Apr 12, 2024 20:43:50.710076094 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:43:51.716356993 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:43:53.732249975 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:43:53.834888935 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:43:54.852266073 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:43:56.868364096 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:43:56.921763897 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:43:57.924254894 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:43:57.924256086 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:43:59.668277025 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:43:59.880577087 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:43:59.880609989 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:43:59.880776882 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:43:59.940334082 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:43:59.976265907 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:44:00.996357918 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:44:00.996362925 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:44:03.012398005 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:44:03.047578096 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:44:04.068373919 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:44:04.068408012 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:44:06.084306955 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:44:06.116261005 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:44:07.118654966 CEST	57078	80	192.168.2.13	89.33.1.138
Apr 12, 2024 20:44:07.140243053 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:44:07.271877050 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:44:08.292407990 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:44:09.188390970 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:44:10.212263107 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:44:10.308259010 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:44:10.470684052 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:44:11.492366076 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:44:12.260380983 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:44:13.508363962 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:44:13.543508053 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:44:14.564306974 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:44:14.564344883 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:44:15.148140907 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:44:15.148329973 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:44:15.332318068 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:44:16.580280066 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:44:16.615911961 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:44:17.636425972 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:44:17.636435986 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:44:18.404336929 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:44:19.652299881 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:44:19.687710047 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:44:20.708286047 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:44:20.708286047 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:44:22.244275093 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:44:22.724363089 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:44:22.756294966 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:44:23.759500027 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:44:23.780245066 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:44:24.772262096 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:44:25.316284895 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:44:25.828280926 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:44:26.788386106 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:44:26.852351904 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:44:26.855304956 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:44:27.876348972 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:44:28.388326883 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:44:28.900266886 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:44:29.892283916 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:44:29.927521944 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:44:30.372029066 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:44:30.372256994 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:44:30.948333979 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:44:30.948426962 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:44:31.460340023 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:44:31.972279072 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:44:32.964379072 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:44:33.004055023 CEST	44268	52869	192.168.2.13	119.195.35.93
Apr 12, 2024 20:44:33.272006989 CEST	52869	44268	119.195.35.93	192.168.2.13
Apr 12, 2024 20:44:33.275547981 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:44:34.020252943 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:44:34.276241064 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:44:34.532280922 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:44:35.044267893 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:44:36.292329073 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:44:36.328088999 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:44:37.092288971 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:44:37.348325014 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:44:38.884272099 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:44:39.140341997 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:44:39.364367962 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:44:39.401186943 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:44:40.420301914 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:44:40.420413971 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:44:41.956293106 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:44:42.212268114 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:44:42.436316013 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:44:42.471995115 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:44:43.492269039 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:44:43.492280960 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:44:45.028366089 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:44:45.284454107 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:44:45.508358955 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:44:45.543868065 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:44:45.612370968 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:44:45.612593889 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:44:46.564280987 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:44:46.564285040 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:44:48.100251913 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:44:48.580277920 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:44:48.612258911 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:44:48.614897966 CEST	51796	52869	192.168.2.13	222.86.188.138
Apr 12, 2024 20:44:49.636241913 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:44:49.636281013 CEST	51796	52869	192.168.2.13	222.86.188.138
Apr 12, 2024 20:44:51.172276974 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:44:51.652446032 CEST	51796	52869	192.168.2.13	222.86.188.138
Apr 12, 2024 20:44:51.684320927 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:44:52.686918020 CEST	41238	8080	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:52.708240986 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:44:53.700251102 CEST	41238	8080	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:54.756283045 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:44:55.268249035 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:44:55.716279984 CEST	41238	8080	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:55.780251980 CEST	51796	52869	192.168.2.13	222.86.188.138
Apr 12, 2024 20:44:55.783641100 CEST	45038	80	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:56.292273998 CEST	36380	8080	192.168.2.13	201.128.115.9
Apr 12, 2024 20:44:56.804358959 CEST	45038	80	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:57.828300953 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:44:58.340281963 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:44:58.340291977 CEST	60204	8080	192.168.2.13	189.35.118.162
Apr 12, 2024 20:44:58.820236921 CEST	45038	80	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:58.854943037 CEST	41106	8080	192.168.2.13	143.47.127.230
Apr 12, 2024 20:44:59.876308918 CEST	41106	8080	192.168.2.13	143.47.127.230
Apr 12, 2024 20:44:59.876322031 CEST	41238	8080	192.168.2.13	214.103.170.241
Apr 12, 2024 20:44:59.930681944 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:45:00.142755985 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:45:00.142885923 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:45:00.900434971 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:45:01.412329912 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:45:01.892312050 CEST	41106	8080	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:01.928280115 CEST	54860	80	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:02.436290979 CEST	38760	8080	192.168.2.13	189.230.51.55
Apr 12, 2024 20:45:02.948327065 CEST	45038	80	192.168.2.13	214.103.170.241
Apr 12, 2024 20:45:02.948368073 CEST	54860	80	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:03.972260952 CEST	51796	52869	192.168.2.13	222.86.188.138
Apr 12, 2024 20:45:04.484270096 CEST	40384	8080	192.168.2.13	200.52.185.47
Apr 12, 2024 20:45:04.740233898 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:45:04.964256048 CEST	54860	80	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:04.999105930 CEST	55468	8080	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:06.024236917 CEST	55468	8080	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:06.024322987 CEST	41106	8080	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:07.812354088 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:45:08.036247015 CEST	55468	8080	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:08.068244934 CEST	41238	8080	192.168.2.13	214.103.170.241
Apr 12, 2024 20:45:08.071325064 CEST	38334	80	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:08.580296040 CEST	42492	8080	192.168.2.13	207.56.58.213
Apr 12, 2024 20:45:09.092305899 CEST	54860	80	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:09.092307091 CEST	38334	80	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:10.884336948 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:45:11.108331919 CEST	38334	80	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:11.140250921 CEST	45038	80	192.168.2.13	214.103.170.241
Apr 12, 2024 20:45:11.143373013 CEST	42726	8080	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:12.164248943 CEST	55468	8080	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:12.164249897 CEST	42726	8080	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:12.676453114 CEST	50082	80	192.168.2.13	183.58.232.100
Apr 12, 2024 20:45:13.956257105 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:45:14.180434942 CEST	42726	8080	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:14.212234974 CEST	41106	8080	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:14.216126919 CEST	49498	80	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:14.728240967 CEST	42886	80	192.168.2.13	145.223.114.199
Apr 12, 2024 20:45:15.236296892 CEST	38334	80	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:15.236298084 CEST	49498	80	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:15.564248085 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:45:15.564374924 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:45:17.028264999 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:45:17.252296925 CEST	49498	80	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:17.284248114 CEST	54860	80	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:17.287539005 CEST	40928	8080	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:18.308268070 CEST	42726	8080	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:18.308409929 CEST	40928	8080	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:18.820426941 CEST	50664	80	192.168.2.13	212.252.57.209
Apr 12, 2024 20:45:20.104345083 CEST	51796	52869	192.168.2.13	222.86.188.138
Apr 12, 2024 20:45:20.324273109 CEST	40928	8080	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:20.356308937 CEST	55468	8080	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:20.360121012 CEST	49968	80	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:20.868238926 CEST	51798	80	192.168.2.13	1.132.39.168
Apr 12, 2024 20:45:21.380251884 CEST	49968	80	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:21.380264997 CEST	49498	80	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:23.396264076 CEST	49968	80	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:23.428240061 CEST	38334	80	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:23.432542086 CEST	48768	8080	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:24.196274996 CEST	41238	8080	192.168.2.13	214.103.170.241
Apr 12, 2024 20:45:24.452291012 CEST	48768	8080	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:24.452295065 CEST	40928	8080	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:24.964570999 CEST	40578	80	192.168.2.13	147.105.28.181
Apr 12, 2024 20:45:26.468344927 CEST	48768	8080	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:26.500513077 CEST	42726	8080	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:26.503463030 CEST	49692	80	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:27.268279076 CEST	45038	80	192.168.2.13	214.103.170.241
Apr 12, 2024 20:45:27.524247885 CEST	49968	80	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:27.524380922 CEST	49692	80	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:29.060484886 CEST	34424	52869	192.168.2.13	39.155.85.33
Apr 12, 2024 20:45:29.540350914 CEST	49692	80	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:29.572338104 CEST	49498	80	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:29.576143026 CEST	44416	8080	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:30.340364933 CEST	41106	8080	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:30.596240044 CEST	48768	8080	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:30.596240044 CEST	44416	8080	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:30.776236057 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:45:30.776422024 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:45:31.108396053 CEST	36794	52869	192.168.2.13	60.198.19.72
Apr 12, 2024 20:45:32.612268925 CEST	44416	8080	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:32.644251108 CEST	40928	8080	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:32.648073912 CEST	55344	80	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:33.412303925 CEST	54860	80	192.168.2.13	143.47.127.230
Apr 12, 2024 20:45:33.668267012 CEST	55344	80	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:33.668284893 CEST	49692	80	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:35.204271078 CEST	33250	52869	192.168.2.13	207.115.84.207
Apr 12, 2024 20:45:35.684309006 CEST	55344	80	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:35.716260910 CEST	49968	80	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:35.721730947 CEST	59214	8080	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:36.484350920 CEST	55468	8080	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:36.744250059 CEST	44416	8080	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:36.744385958 CEST	59214	8080	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:37.252266884 CEST	43586	52869	192.168.2.13	16.94.122.119
Apr 12, 2024 20:45:38.756305933 CEST	59214	8080	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:38.792241096 CEST	48768	8080	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:38.794868946 CEST	35988	80	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:39.556255102 CEST	38334	80	192.168.2.13	187.150.19.59
Apr 12, 2024 20:45:39.812248945 CEST	55344	80	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:39.812266111 CEST	35988	80	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:41.348242998 CEST	51650	52869	192.168.2.13	71.96.72.63
Apr 12, 2024 20:45:41.828299999 CEST	35988	80	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:41.860430002 CEST	49692	80	192.168.2.13	125.246.168.72
Apr 12, 2024 20:45:41.865246058 CEST	47490	8080	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:42.628308058 CEST	42726	8080	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:42.884454966 CEST	47490	8080	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:43.396286964 CEST	53690	52869	192.168.2.13	69.230.134.137
Apr 12, 2024 20:45:44.900535107 CEST	47490	8080	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:44.932301044 CEST	44416	8080	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:44.937294960 CEST	40768	80	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:45.700300932 CEST	49498	80	192.168.2.13	97.198.38.251
Apr 12, 2024 20:45:45.956305027 CEST	35988	80	192.168.2.13	12.91.123.158
Apr 12, 2024 20:45:45.956320047 CEST	40768	80	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:46.028302908 CEST	5555	46002	45.86.86.60	192.168.2.13
Apr 12, 2024 20:45:46.028404951 CEST	46002	5555	192.168.2.13	45.86.86.60
Apr 12, 2024 20:45:47.492296934 CEST	48816	52869	192.168.2.13	32.163.50.161
Apr 12, 2024 20:45:47.972302914 CEST	40768	80	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:48.004250050 CEST	55344	80	192.168.2.13	206.232.211.164
Apr 12, 2024 20:45:48.008037090 CEST	33722	8080	192.168.2.13	90.144.214.1
Apr 12, 2024 20:45:48.772448063 CEST	40928	8080	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:49.028273106 CEST	33722	8080	192.168.2.13	90.144.214.1
Apr 12, 2024 20:45:49.028274059 CEST	47490	8080	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:49.540260077 CEST	43372	52869	192.168.2.13	212.8.194.244
Apr 12, 2024 20:45:51.044311047 CEST	33722	8080	192.168.2.13	90.144.214.1
Apr 12, 2024 20:45:51.081042051 CEST	34000	80	192.168.2.13	90.144.214.1
Apr 12, 2024 20:45:51.844312906 CEST	49968	80	192.168.2.13	128.29.133.159
Apr 12, 2024 20:45:52.100253105 CEST	40768	80	192.168.2.13	162.38.144.111
Apr 12, 2024 20:45:52.100270033 CEST	34000	80	192.168.2.13	90.144.214.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2024 20:43:51.926955938 CEST	37278	53	192.168.2.13	1.1.1.1
Apr 12, 2024 20:43:51.927063942 CEST	39909	53	192.168.2.13	1.1.1.1
Apr 12, 2024 20:43:52.010941029 CEST	53	39909	1.1.1.1	192.168.2.13
Apr 12, 2024 20:43:52.011382103 CEST	53	37278	1.1.1.1	192.168.2.13

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 12, 2024 20:44:07.269663095 CEST	89.33.1.138	192.168.2.13	1a82	(Unknown)	Destination Unreachable
Apr 12, 2024 20:45:40.310524940 CEST	12.122.156.25	192.168.2.13	47cb	(Host unreachable)	Destination Unreachable
Apr 12, 2024 20:45:46.483580112 CEST	12.122.156.25	192.168.2.13	47cb	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 12, 2024 20:43:51.926955938 CEST	192.168.2.13	1.1.1.1	0x6cc5	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Apr 12, 2024 20:43:51.927063942 CEST	192.168.2.13	1.1.1.1	0x92c5	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 12, 2024 20:43:52.011382103 CEST	1.1.1.1	192.168.2.13	0x6cc5	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Apr 12, 2024 20:43:52.011382103 CEST	1.1.1.1	192.168.2.13	0x6cc5	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5414, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5414, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.KKXipgzoA4 /tmp/tmp.LqiENZ6GHP /tmp/tmp.boPxTLcot7
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5416, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5416, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.KKXipgzoA4
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 5417, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 5417, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 5418, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 5418, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 5419, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 5419, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 5420, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5420, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.KKXipgzoA4
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 5421, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 5421, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 5422, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 5422, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 5423, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 5423, Parent PID: 3580

General

Start time (UTC):	18:43:38
Start date (UTC):	12/04/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 5424, Parent PID: 3580

General

Start time (UTC):	18:43:39
Start date (UTC):	12/04/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5424, Parent PID: 3580

General

Start time (UTC):	18:43:39
Start date (UTC):	12/04/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.KKXipgzoA4 /tmp/tmp.LqiENZ6GHP /tmp/tmp.boPxTLcot7
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: IBkWoEFOlH.elf PID: 5436, Parent PID: 5346

General

Start time (UTC):	18:43:48
Start date (UTC):	12/04/2024
Path:	/tmp/IBkWoEFOlH.elf
Arguments:	/tmp/IBkWoEFOlH.elf
File size:	36968 bytes
MD5 hash:	31d7cae54418563352ab7150a1c39ac5

Chronological Activities

Analysis Process: IBkWoEFOlH.elf PID: 5437, Parent PID: 5436

General

Start time (UTC):	18:43:48
Start date (UTC):	12/04/2024
Path:	/tmp/IBkWoEFOlH.elf
Arguments:	-
File size:	36968 bytes
MD5 hash:	31d7cae54418563352ab7150a1c39ac5

Analysis Process: IBkWoEFOlH.elf PID: 5438, Parent PID: 5436

General

Start time (UTC):	18:43:48
Start date (UTC):	12/04/2024
Path:	/tmp/IBkWoEFOlH.elf
Arguments:	-
File size:	36968 bytes
MD5 hash:	31d7cae54418563352ab7150a1c39ac5

Chronological Activities

Analysis Process: IBkWoEFOlH.elf PID: 5440, Parent PID: 5438

General

Start time (UTC):	18:43:48
Start date (UTC):	12/04/2024
Path:	/tmp/IBkWoEFOlH.elf
Arguments:	-
File size:	36968 bytes
MD5 hash:	31d7cae54418563352ab7150a1c39ac5

Chronological Activities

Analysis Process: IBkWoEFOlH.elf PID: 5441, Parent PID: 5438

General

Start time (UTC):	18:43:48
Start date (UTC):	12/04/2024
Path:	/tmp/IBkWoEFOlH.elf
Arguments:	-
File size:	36968 bytes
MD5 hash:	31d7cae54418563352ab7150a1c39ac5

Chronological Activities

Analysis Process: IBkWoEFOlH.elf PID: 5442, Parent PID: 5438

General

Start time (UTC):	18:43:48
Start date (UTC):	12/04/2024
Path:	/tmp/IBkWoEFOlH.elf
Arguments:	-
File size:	36968 bytes
MD5 hash:	31d7cae54418563352ab7150a1c39ac5

Chronological Activities

Analysis Process: xfce4-panel PID: 5468, Parent PID: 3147

General

Start time (UTC):	18:43:49
Start date (UTC):	12/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5468, Parent PID: 3147

General

Start time (UTC):	18:43:49
Start date (UTC):	12/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5469, Parent PID: 3147

General

Start time (UTC):	18:43:49
Start date (UTC):	12/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5469, Parent PID: 3147

General

Start time (UTC):	18:43:49
Start date (UTC):	12/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5470, Parent PID: 3147

General

Start time (UTC):	18:43:49
Start date (UTC):	12/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5470, Parent PID: 3147

General

Start time (UTC):	18:43:49
Start date (UTC):	12/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5471, Parent PID: 3147

General

Start time (UTC):	18:43:50
Start date (UTC):	12/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5471, Parent PID: 3147

General

Start time (UTC):	18:43:50
Start date (UTC):	12/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5472, Parent PID: 3147

General

Start time (UTC):	18:43:50
Start date (UTC):	12/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5472, Parent PID: 3147

General

Start time (UTC):	18:43:50
Start date (UTC):	12/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5474, Parent PID: 3147

General

Start time (UTC):	18:43:50
Start date (UTC):	12/04/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5474, Parent PID: 3147

General

Start time (UTC):	18:43:50
Start date (UTC):	12/04/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report IBkWoEFOlH.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5414, Parent PID: 3580

General

Chronological Activities

Analysis Process: rm PID: 5414, Parent PID: 3580

General

Chronological Activities

Analysis Process: dash PID: 5416, Parent PID: 3580

General

Chronological Activities

Analysis Process: cat PID: 5416, Parent PID: 3580

General

Chronological Activities

Analysis Process: dash PID: 5417, Parent PID: 3580

General

Linux Analysis Report
IBkWoEFOlH.elf