Edit tour

Linux Analysis Report
jmhrc116WA.elf

Overview

General Information

Sample name:	jmhrc116WA.elf renamed because original name is a hash value
Original sample name:	ed89bad9f6e4d0e9b470861d46c50a7a.elf
Analysis ID:	1429150
MD5:	ed89bad9f6e4d0e9b470861d46c50a7a
SHA1:	42478f31b4db0dcc684e15b22a0af5429f48a5b5
SHA256:	9b3a4ab5bc37f73c5afb3746f6d2fecb88d7bf3e3c013e9a6139f02d38acde50
Tags:	32elfmiraisparc
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Deletes system log files

Manipulation of devices in /dev

Sample deletes itself

Sample tries to kill multiple processes (SIGKILL)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429150
Start date and time:	2024-04-21 02:11:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	jmhrc116WA.elf renamed because original name is a hash value
Original Sample Name:	ed89bad9f6e4d0e9b470861d46c50a7a.elf
Detection:	MAL
Classification:	mal76.spre.troj.evad.linELF@0/0@2/0

Runtime Messages

Command:	/tmp/jmhrc116WA.elf
PID:	6254
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	faggot got malware'd
Standard Error:

Process Tree

system is lnxubuntu20

jmhrc116WA.elf (PID: 6254, Parent: 6177, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/jmhrc116WA.elf

jmhrc116WA.elf New Fork (PID: 6257, Parent: 6254)

jmhrc116WA.elf New Fork (PID: 6259, Parent: 6257)

jmhrc116WA.elf New Fork (PID: 6296, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6298, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6300, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6306, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6308, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6310, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6317, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6320, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6347, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6350, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6360, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6362, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6368, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6371, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6376, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6379, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6384, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6387, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6392, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6395, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6404, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6407, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6412, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6414, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6419, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6423, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6428, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6430, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6435, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6438, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6440, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6447, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6450, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6455, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6459, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6461, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6468, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6471, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6476, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6479, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6486, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6488, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6494, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6497, Parent: 6259)

jmhrc116WA.elf New Fork (PID: 6260, Parent: 6257)

jmhrc116WA.elf New Fork (PID: 6263, Parent: 6260)

jmhrc116WA.elf New Fork (PID: 6352, Parent: 6257)

jmhrc116WA.elf New Fork (PID: 6354, Parent: 6352)

gnome-session-binary New Fork (PID: 6287, Parent: 1477)

sh (PID: 6287, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 6287, Parent: 1477, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 6292, Parent: 1320)

Default (PID: 6292, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6293, Parent: 1320)

Default (PID: 6293, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

cleanup

String: %s/%s/proc//proc/%s/cmdlinerwgetcurlnetstatgreppslsmvechokillkillallbashrebootshutdownhaltiptablespowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe/mnt/root/dev/null/dev/console/dev/watchdog/dev/misc/watchdog/

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 104.168.45.11 ports 21425,1,2,4,5,7722

Source: global traffic

TCP traffic: 192.168.2.23:34620 -> 104.168.45.11:21425

Source: /tmp/jmhrc116WA.elf (PID: 6254)

Socket: 127.0.0.1::39123

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: tcpdown.su

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 912, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 918, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6354)	SIGKILL sent: pid: 6352, result: successful	Jump to behavior

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 912, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 918, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6354)	SIGKILL sent: pid: 6352, result: successful	Jump to behavior

Source: classification engine

Classification label: mal76.spre.troj.evad.linELF@0/0@2/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/jmhrc116WA.elf (PID: 6259)

Deleted: /dev/kmsg

Jump to behavior

Source: /usr/libexec/gsd-rfkill (PID: 6287)	Directory: <invalid fd (9)>/..			Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 6287)	Directory: <invalid fd (8)>/..			Jump to behavior

Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/jmhrc116WA.elf (PID: 6260)	File opened: /proc/1334/cmdline	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/jmhrc116WA.elf (PID: 6259)

Log files deleted: /var/log/kern.log

Jump to behavior

Sample deletes itself

Source: /tmp/jmhrc116WA.elf (PID: 6254)

File: /tmp/jmhrc116WA.elf

Jump to behavior

Source: /tmp/jmhrc116WA.elf (PID: 6254)

Queries kernel information via 'uname':

Jump to behavior

Source: jmhrc116WA.elf, 6254.1.00005570c3423000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6296.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6298.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6300.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6306.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6308.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6310.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6317.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6320.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6347.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6350.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6360.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6362.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6368.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6371.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6376.1.00005570c3423000.00005570c3488000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: jmhrc116WA.elf, 6461.1.00005570c3488000.00005570c34a8000.rw-.sdmp	Binary or memory string: r/lib/vmware/VG!
Source: jmhrc116WA.elf, 6461.1.00007f4798045000.00007f4798252000.rw-.sdmp	Binary or memory string: /var/lib/vmware4/var/lib/PackageKit
Source: jmhrc116WA.elf, 6461.1.00007f4798036000.00007f4798045000.rw-.sdmp	Binary or memory string: $/tmp/vmware-root_721-4290559889,
Source: jmhrc116WA.elf, 6296.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6298.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6300.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6306.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6308.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6310.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6317.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6320.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6347.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6350.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6360.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6362.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6368.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6371.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6376.1.00005570c3488000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6379.1.00005570c3488000.00005570c34a8000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmtX
Source: jmhrc116WA.elf, 6461.1.00005570c3423000.00005570c3488000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_721-4290559889
Source: jmhrc116WA.elf, 6461.1.00007f4798045000.00007f4798252000.rw-.sdmp	Binary or memory string: (/var/lib/vmware/VGAuth/aliasStore
Source: jmhrc116WA.elf, 6461.1.00005570c3423000.00005570c3488000.rw-.sdmp	Binary or memory string: pU!/var/lib/vmware
Source: jmhrc116WA.elf, 6461.1.00007f4798045000.00007f4798252000.rw-.sdmp	Binary or memory string: /var/lib/vmware
Source: jmhrc116WA.elf, 6461.1.00007f4798036000.00007f4798045000.rw-.sdmp	Binary or memory string: $/tmp/vmware-root_721-4290559889
Source: jmhrc116WA.elf, 6461.1.00007f4798045000.00007f4798252000.rw-.sdmp	Binary or memory string: 8(/var/lib/vmware/VGAuth/aliasStoreN\
Source: jmhrc116WA.elf, 6254.1.00005570c3423000.00005570c34a8000.rw-.sdmp, jmhrc116WA.elf, 6296.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6298.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6300.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6306.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6308.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6310.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6317.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6320.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6347.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6350.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6360.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6362.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6368.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6371.1.00005570c3423000.00005570c3488000.rw-.sdmp, jmhrc116WA.elf, 6376.1.00005570c3423000.00005570c3488000.rw-.sdmp	Binary or memory string: pU!/etc/qemu-binfmt/sparc
Source: jmhrc116WA.elf, 6461.1.00005570c3488000.00005570c34a8000.rw-.sdmp	Binary or memory string: 1/var/lib/fwupd/gnupg/private-keys-v1.d1/var/lib/update-notifierr/lib/vmware/VG!/dev/disk/by-partuuid1/var/lib/vmware/VGAuth/aliasStorepd/bui1/var/lib/update-notifier/user.dmware/VG!/dev/block !/var/lib/PackageKit1/var/lib/fwupd/remotes.d1/var/lib/systemd/catalog
Source: jmhrc116WA.elf, 6461.1.00007f4798045000.00007f4798252000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth
Source: jmhrc116WA.elf, 6254.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6296.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6298.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6300.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6306.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6308.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6310.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6317.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6320.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6347.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6350.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6360.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6362.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6371.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6376.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6379.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/jmhrc116WA.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/jmhrc116WA.elf
Source: jmhrc116WA.elf, 6461.1.00005570c3423000.00005570c3488000.rw-.sdmp	Binary or memory string: 1/tmp/vmware-root_721-4290559889Q
Source: jmhrc116WA.elf, 6461.1.00007f4798045000.00007f4798252000.rw-.sdmp	Binary or memory string: T/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f/tmpX/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj\/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj/tmp$/tmp/vmware-root_721-4290559889P/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i4/tmp/snap.lxdc<
Source: jmhrc116WA.elf, 6254.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6296.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6298.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6300.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6306.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6308.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6310.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6317.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6320.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6347.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6350.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6360.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6362.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6371.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6376.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp, jmhrc116WA.elf, 6379.1.00007ffce3e93000.00007ffce3eb4000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: jmhrc116WA.elf, 6461.1.00005570c3488000.00005570c34a8000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: jmhrc116WA.elf, 6461.1.00005570c3423000.00005570c3488000.rw-.sdmp	Binary or memory string: pU!/var/lib/vmware/VGAuth

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Indicator Removal	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jmhrc116WA.elf	46%	Virustotal		Browse
jmhrc116WA.elf	53%	ReversingLabs	Linux.Trojan.Mirai
jmhrc116WA.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
tcpdown.su	2%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tcpdown.su	172.245.119.70	true	false	2%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
104.168.45.11	unknown	United States	36352	AS-COLOCROSSINGUS	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
109.202.202.202	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse
	AoYpFFeeLv.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Gafgyt-AN.4176.31097.elf	Get hash	malicious	Unknown	Browse
	http://134.213.29.14:82/grep.x86_64	Get hash	malicious	IPRoyal Pawns	Browse
	SecuriteInfo.com.Linux.Siggen.4217.3025.25553.elf	Get hash	malicious	Unknown	Browse
	insetto-x86.elf	Get hash	malicious	Unknown	Browse
	1lkozpLZNX.elf	Get hash	malicious	Unknown	Browse
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse
	JGG1a56dcB.elf	Get hash	malicious	Mirai	Browse
	pXwuZJXauT.elf	Get hash	malicious	Mirai, Okiru	Browse
104.168.45.11	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse
	Kt28gy4sgm.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	i686.elf	Get hash	malicious	Unknown	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
91.189.91.43	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse
	AoYpFFeeLv.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Gafgyt-AN.4176.31097.elf	Get hash	malicious	Unknown	Browse
	http://134.213.29.14:82/grep.x86_64	Get hash	malicious	IPRoyal Pawns	Browse
	SecuriteInfo.com.Linux.Siggen.4217.3025.25553.elf	Get hash	malicious	Unknown	Browse
	insetto-x86.elf	Get hash	malicious	Unknown	Browse
	1lkozpLZNX.elf	Get hash	malicious	Unknown	Browse
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse
	JGG1a56dcB.elf	Get hash	malicious	Mirai	Browse
	pXwuZJXauT.elf	Get hash	malicious	Mirai, Okiru	Browse
91.189.91.42	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse
	AoYpFFeeLv.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Gafgyt-AN.4176.31097.elf	Get hash	malicious	Unknown	Browse
	http://134.213.29.14:82/grep.x86_64	Get hash	malicious	IPRoyal Pawns	Browse
	SecuriteInfo.com.Linux.Siggen.4217.3025.25553.elf	Get hash	malicious	Unknown	Browse
	insetto-x86.elf	Get hash	malicious	Unknown	Browse
	1lkozpLZNX.elf	Get hash	malicious	Unknown	Browse
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse
	JGG1a56dcB.elf	Get hash	malicious	Mirai	Browse
	pXwuZJXauT.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tcpdown.su	VtMI9Eirot.elf	Get hash	malicious	Unknown	Browse	172.245.119.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Ykwey8qoU2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	AoYpFFeeLv.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.ELF.Gafgyt-AN.4176.31097.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	http://134.213.29.14:82/grep.x86_64	Get hash	malicious	IPRoyal Pawns	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.4217.3025.25553.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	insetto-x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	1lkozpLZNX.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	JGG1a56dcB.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Ykwey8qoU2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	AoYpFFeeLv.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.ELF.Gafgyt-AN.4176.31097.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	http://134.213.29.14:82/grep.x86_64	Get hash	malicious	IPRoyal Pawns	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.4217.3025.25553.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	insetto-x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	1lkozpLZNX.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	JGG1a56dcB.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
AS-COLOCROSSINGUS	5wzoTNEJJy.elf	Get hash	malicious	Unknown	Browse	172.245.119.70
	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse	104.168.45.11
	https://sekulstrip.com/	Get hash	malicious	Unknown	Browse	192.227.164.153
	https://ibareed.com/	Get hash	malicious	Unknown	Browse	192.227.164.153
	https://slutlad.com/	Get hash	malicious	Unknown	Browse	192.227.164.153
	https://www.lestjacques.com/	Get hash	malicious	Unknown	Browse	192.227.164.153
	https://www.jrbishop.com/	Get hash	malicious	Unknown	Browse	192.227.164.153
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	23.95.60.75
	https://28.104-168-101-28.cprapid.com/Pay-PaI/	Get hash	malicious	PayPal Phisher	Browse	104.168.101.28
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.216.151
INIT7CH	fMzYC0To1f.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	AoYpFFeeLv.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.ELF.Gafgyt-AN.4176.31097.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	http://134.213.29.14:82/grep.x86_64	Get hash	malicious	IPRoyal Pawns	Browse	109.202.202.202
	SecuriteInfo.com.Linux.Siggen.4217.3025.25553.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	insetto-x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	1lkozpLZNX.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	JGG1a56dcB.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	pXwuZJXauT.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.861874598271672
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	jmhrc116WA.elf
File size:	83'392 bytes
MD5:	ed89bad9f6e4d0e9b470861d46c50a7a
SHA1:	42478f31b4db0dcc684e15b22a0af5429f48a5b5
SHA256:	9b3a4ab5bc37f73c5afb3746f6d2fecb88d7bf3e3c013e9a6139f02d38acde50
SHA512:	b333537d67151d09b1b53c867676c5463c3cf37c1f1ef4136e106605e7188b28ae6dbacfe3ad4aca16850b1abab1557b6bf3266f6a588700b907c712ddb2793d
SSDEEP:	1536:9OQSMfnzBW59dXklKR8OJP+U/NgtEh7F8lM5IGtXzm:kFY8OlGJgah6l8nzm
TLSH:	C6834C32BA751E2BC0D5A87A61F34324F2F6479A25E8CA1F7D720E4EBF2164025477B4
File Content Preview:	.ELF...........................4..D0.....4. ...(......................:...:...............@...@...@.................dt.Q................................@..(....@.Dk................#.....c...`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	82992
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0x111e4	0x0	0x6	AX	4
.fini	PROGBITS	0x21294	0x11294	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x212a8	0x112a8	0x2848	0x0	0x2	A	8
.ctors	PROGBITS	0x34000	0x14000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x34008	0x14008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x34018	0x14018	0x3d8	0x0	0x3	WA	8
.bss	NOBITS	0x343f0	0x143f0	0xe720	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0x143f0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0x13af0	0x13af0	5.9517	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x14000	0x34000	0x34000	0x3f0	0xeb10	2.6925	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2024 02:12:02.050098896 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 21, 2024 02:12:03.792915106 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:04.023736954 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:04.023875952 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:04.024324894 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:04.255136967 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:04.255223036 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:04.486196041 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:07.425116062 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 21, 2024 02:12:08.193007946 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 21, 2024 02:12:12.044316053 CEST	60508	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:12.063250065 CEST	60510	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:12.180516005 CEST	7722	60508	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:12.199728966 CEST	7722	60510	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:12.528368950 CEST	60512	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:12.665442944 CEST	7722	60512	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:14.032298088 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:14.146806955 CEST	60514	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:14.166941881 CEST	60516	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:14.186014891 CEST	60518	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:14.264231920 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:14.264302015 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:14.264348984 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:14.292967081 CEST	7722	60514	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:14.306288004 CEST	7722	60516	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:14.323029995 CEST	7722	60518	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:19.217156887 CEST	60520	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:19.231745958 CEST	60522	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:19.353590965 CEST	7722	60520	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:19.367825031 CEST	7722	60522	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:23.038927078 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 21, 2024 02:12:24.254769087 CEST	60524	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:24.391808033 CEST	7722	60524	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:24.547008038 CEST	60526	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:24.683917999 CEST	7722	60526	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:28.413626909 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:28.413707018 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:29.411216021 CEST	60528	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:29.421231031 CEST	60530	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:29.593558073 CEST	7722	60528	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:29.593890905 CEST	7722	60530	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:33.281620979 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 21, 2024 02:12:34.410855055 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:35.425276041 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:36.806684971 CEST	60534	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:36.971200943 CEST	7722	60534	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:37.436914921 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:39.420646906 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 21, 2024 02:12:39.486257076 CEST	60536	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:39.493503094 CEST	60538	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:40.508486986 CEST	60538	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:40.508495092 CEST	60536	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:41.472377062 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:42.524228096 CEST	60536	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:42.524259090 CEST	60538	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:43.984555960 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:43.984611034 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:44.464020967 CEST	60540	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:44.470016003 CEST	60542	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:44.686284065 CEST	7722	60542	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:45.467837095 CEST	60540	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:46.587687969 CEST	60538	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:46.587687969 CEST	60536	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:47.483529091 CEST	60540	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:49.663235903 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:51.707056046 CEST	60540	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:51.822225094 CEST	60544	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:51.834243059 CEST	60546	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:52.148168087 CEST	7722	60540	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:52.826936960 CEST	60544	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:52.858864069 CEST	60546	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:54.778572083 CEST	60536	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:54.778574944 CEST	60538	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:54.842551947 CEST	60544	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:54.874505997 CEST	60546	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:55.117408991 CEST	7722	60536	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:55.117429018 CEST	7722	60538	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:55.117495060 CEST	7722	60544	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:58.944359064 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:58.944645882 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:59.129993916 CEST	60546	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:59.146538019 CEST	60548	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:59.160799980 CEST	60550	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:12:59.596749067 CEST	7722	60546	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:59.596803904 CEST	7722	60548	104.168.45.11	192.168.2.23
Apr 21, 2024 02:12:59.596826077 CEST	7722	60550	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:03.997277021 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 21, 2024 02:13:04.143055916 CEST	60552	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:04.151179075 CEST	60554	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:05.145071030 CEST	60552	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:05.177169085 CEST	60554	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:05.785024881 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:07.160799980 CEST	60552	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:07.192961931 CEST	60554	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:09.151320934 CEST	60556	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:09.162575960 CEST	60558	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:10.168481112 CEST	60556	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:10.168488026 CEST	60558	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:10.625931978 CEST	7722	60558	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:10.625947952 CEST	7722	60556	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:11.416249037 CEST	60552	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:11.416271925 CEST	60554	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:14.152199030 CEST	60560	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:14.162012100 CEST	60562	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:15.159693956 CEST	60560	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:15.191654921 CEST	60562	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:17.175374031 CEST	60560	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:17.207384109 CEST	60562	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:18.451349020 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:19.063297033 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:19.607093096 CEST	60552	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:19.607093096 CEST	60554	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:19.671087980 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:20.886924028 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:21.198867083 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:21.199101925 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:21.402807951 CEST	60562	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:21.402808905 CEST	60560	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:21.596941948 CEST	7722	60560	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:21.596972942 CEST	7722	60562	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:21.853756905 CEST	60564	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:21.871326923 CEST	60566	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:21.877404928 CEST	60568	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:22.870692968 CEST	60564	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:22.902636051 CEST	60566	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:22.902677059 CEST	60568	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:24.470406055 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 21, 2024 02:13:24.886377096 CEST	60564	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:24.918334961 CEST	60568	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:24.918384075 CEST	60566	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:25.615118980 CEST	7722	60564	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:25.615171909 CEST	7722	60568	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:25.714355946 CEST	7722	60566	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:29.152436018 CEST	60570	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:29.162558079 CEST	60572	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:29.288149118 CEST	7722	60570	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:29.298104048 CEST	7722	60572	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:35.732956886 CEST	60552	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:35.732960939 CEST	60554	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:35.869617939 CEST	7722	60552	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:35.879745960 CEST	7722	60554	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:36.568280935 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:36.568608999 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:36.878586054 CEST	60574	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:36.907010078 CEST	60576	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:36.925132990 CEST	60578	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:37.024353981 CEST	7722	60574	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:37.042994022 CEST	7722	60576	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:37.061811924 CEST	7722	60578	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:38.804575920 CEST	60532	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:38.940161943 CEST	7722	60532	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:44.154350042 CEST	60580	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:44.159116030 CEST	60582	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:44.296302080 CEST	7722	60582	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:44.301033020 CEST	7722	60580	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:49.169368029 CEST	60584	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:49.308260918 CEST	7722	60584	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:51.800756931 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:51.801191092 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:51.864902020 CEST	60586	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:52.002017975 CEST	7722	60586	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:59.179384947 CEST	60588	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:59.187802076 CEST	60590	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:13:59.316206932 CEST	7722	60588	104.168.45.11	192.168.2.23
Apr 21, 2024 02:13:59.324703932 CEST	7722	60590	104.168.45.11	192.168.2.23
Apr 21, 2024 02:14:06.884910107 CEST	60592	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:14:06.901601076 CEST	60594	7722	192.168.2.23	104.168.45.11
Apr 21, 2024 02:14:07.021950960 CEST	7722	60592	104.168.45.11	192.168.2.23
Apr 21, 2024 02:14:07.033390999 CEST	21425	34620	104.168.45.11	192.168.2.23
Apr 21, 2024 02:14:07.033513069 CEST	34620	21425	192.168.2.23	104.168.45.11
Apr 21, 2024 02:14:07.038300037 CEST	7722	60594	104.168.45.11	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2024 02:12:03.119334936 CEST	39682	53	192.168.2.23	1.1.1.1
Apr 21, 2024 02:12:03.377203941 CEST	53	39682	1.1.1.1	192.168.2.23
Apr 21, 2024 02:12:03.377902985 CEST	55812	53	192.168.2.23	1.1.1.1
Apr 21, 2024 02:12:03.792644024 CEST	53	55812	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 21, 2024 02:12:03.119334936 CEST	192.168.2.23	1.1.1.1	0xab89	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377902985 CEST	192.168.2.23	1.1.1.1	0xda33	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	172.245.119.70	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	198.12.124.76	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	185.216.70.250	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	104.168.45.11	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	185.216.70.169	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	185.216.70.168	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	172.245.119.63	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.377203941 CEST	1.1.1.1	192.168.2.23	0xab89	No error (0)	tcpdown.su	104.168.32.17	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	104.168.32.17	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	104.168.45.11	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	185.216.70.168	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	185.216.70.169	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	172.245.119.63	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	172.245.119.70	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	198.12.124.76	A (IP address)	IN (0x0001)	false
Apr 21, 2024 02:12:03.792644024 CEST	1.1.1.1	192.168.2.23	0xda33	No error (0)	tcpdown.su	185.216.70.250	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: jmhrc116WA.elf PID: 6254, Parent PID: 6177

General

Start time (UTC):	00:12:02
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	/tmp/jmhrc116WA.elf
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6257, Parent PID: 6254

General

Start time (UTC):	00:12:02
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6259, Parent PID: 6257

General

Start time (UTC):	00:12:02
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6296, Parent PID: 6259

General

Start time (UTC):	00:12:11
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6298, Parent PID: 6259

General

Start time (UTC):	00:12:11
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6300, Parent PID: 6259

General

Start time (UTC):	00:12:12
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6306, Parent PID: 6259

General

Start time (UTC):	00:12:13
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6308, Parent PID: 6259

General

Start time (UTC):	00:12:13
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6310, Parent PID: 6259

General

Start time (UTC):	00:12:13
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6317, Parent PID: 6259

General

Start time (UTC):	00:12:18
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6320, Parent PID: 6259

General

Start time (UTC):	00:12:18
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6347, Parent PID: 6259

General

Start time (UTC):	00:12:23
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6350, Parent PID: 6259

General

Start time (UTC):	00:12:24
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6360, Parent PID: 6259

General

Start time (UTC):	00:12:29
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6362, Parent PID: 6259

General

Start time (UTC):	00:12:29
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6368, Parent PID: 6259

General

Start time (UTC):	00:12:34
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6371, Parent PID: 6259

General

Start time (UTC):	00:12:36
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6376, Parent PID: 6259

General

Start time (UTC):	00:12:39
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6379, Parent PID: 6259

General

Start time (UTC):	00:12:39
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6384, Parent PID: 6259

General

Start time (UTC):	00:12:44
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6387, Parent PID: 6259

General

Start time (UTC):	00:12:44
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6392, Parent PID: 6259

General

Start time (UTC):	00:12:51
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6395, Parent PID: 6259

General

Start time (UTC):	00:12:51
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6404, Parent PID: 6259

General

Start time (UTC):	00:12:58
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6407, Parent PID: 6259

General

Start time (UTC):	00:12:58
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6412, Parent PID: 6259

General

Start time (UTC):	00:13:03
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6414, Parent PID: 6259

General

Start time (UTC):	00:13:03
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6419, Parent PID: 6259

General

Start time (UTC):	00:13:08
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6423, Parent PID: 6259

General

Start time (UTC):	00:13:08
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6428, Parent PID: 6259

General

Start time (UTC):	00:13:13
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6430, Parent PID: 6259

General

Start time (UTC):	00:13:13
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6435, Parent PID: 6259

General

Start time (UTC):	00:13:21
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6438, Parent PID: 6259

General

Start time (UTC):	00:13:21
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6440, Parent PID: 6259

General

Start time (UTC):	00:13:21
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6447, Parent PID: 6259

General

Start time (UTC):	00:13:28
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6450, Parent PID: 6259

General

Start time (UTC):	00:13:28
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6455, Parent PID: 6259

General

Start time (UTC):	00:13:36
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6459, Parent PID: 6259

General

Start time (UTC):	00:13:36
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6461, Parent PID: 6259

General

Start time (UTC):	00:13:36
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6468, Parent PID: 6259

General

Start time (UTC):	00:13:43
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6471, Parent PID: 6259

General

Start time (UTC):	00:13:43
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6476, Parent PID: 6259

General

Start time (UTC):	00:13:48
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6479, Parent PID: 6259

General

Start time (UTC):	00:13:51
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6486, Parent PID: 6259

General

Start time (UTC):	00:13:58
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6488, Parent PID: 6259

General

Start time (UTC):	00:13:58
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6494, Parent PID: 6259

General

Start time (UTC):	00:14:06
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6497, Parent PID: 6259

General

Start time (UTC):	00:14:06
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: jmhrc116WA.elf PID: 6260, Parent PID: 6257

General

Start time (UTC):	00:12:02
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6263, Parent PID: 6260

General

Start time (UTC):	00:12:02
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6352, Parent PID: 6257

General

Start time (UTC):	00:12:28
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6354, Parent PID: 6352

General

Start time (UTC):	00:12:28
Start date (UTC):	21/04/2024
Path:	/tmp/jmhrc116WA.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: gnome-session-binary PID: 6287, Parent PID: 1477

General

Start time (UTC):	00:12:05
Start date (UTC):	21/04/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 6287, Parent PID: 1477

General

Start time (UTC):	00:12:05
Start date (UTC):	21/04/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 6287, Parent PID: 1477

General

Start time (UTC):	00:12:05
Start date (UTC):	21/04/2024
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm3 PID: 6292, Parent PID: 1320

General

Start time (UTC):	00:12:07
Start date (UTC):	21/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6292, Parent PID: 1320

General

Start time (UTC):	00:12:07
Start date (UTC):	21/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 6293, Parent PID: 1320

General

Start time (UTC):	00:12:07
Start date (UTC):	21/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6293, Parent PID: 1320

General

Start time (UTC):	00:12:07
Start date (UTC):	21/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Source: jmhrc116WA.elf	Virustotal: Detection: 45%			Perma Link
Source: jmhrc116WA.elf	ReversingLabs: Detection: 52%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report jmhrc116WA.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: jmhrc116WA.elf PID: 6254, Parent PID: 6177

General

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6257, Parent PID: 6254

General

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6259, Parent PID: 6257

General

Chronological Activities

Analysis Process: jmhrc116WA.elf PID: 6296, Parent PID: 6259

General

Analysis Process: jmhrc116WA.elf PID: 6298, Parent PID: 6259

General

Analysis Process: jmhrc116WA.elf PID: 6300, Parent PID: 6259

General

Analysis Process: jmhrc116WA.elf PID: 6306, Parent PID: 6259

General

Analysis Process: jmhrc116WA.elf PID: 6308, Parent PID: 6259

General

Analysis Process: jmhrc116WA.elf PID: 6310, Parent PID: 6259

Linux Analysis Report
jmhrc116WA.elf