Edit tour

Linux Analysis Report
TGD4oHRCb5.elf

Overview

General Information

Sample name:	TGD4oHRCb5.elf renamed because original name is a hash value
Original sample name:	133562f29886fc8c85ce7083d4ff53fb.elf
Analysis ID:	1466535
MD5:	133562f29886fc8c85ce7083d4ff53fb
SHA1:	56a063ff06fbfdc55444ab9cd47b5e54a8ba50fd
SHA256:	3f509a48bfb5cf1a5da35c861c70b5777e61a5dbf250331e5e731a912a148672
Tags:	64elfmirai
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466535
Start date and time:	2024-07-03 03:09:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	TGD4oHRCb5.elf renamed because original name is a hash value
Original Sample Name:	133562f29886fc8c85ce7083d4ff53fb.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/0@38/0

Runtime Messages

Command:	/tmp/TGD4oHRCb5.elf
PID:	6213
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Hello, world!
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6194, Parent: 4332)

rm (PID: 6194, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.2zzDf425XD /tmp/tmp.SCVAx0OdL5 /tmp/tmp.QAOBD2CJq1

dash New Fork (PID: 6195, Parent: 4332)

rm (PID: 6195, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.2zzDf425XD /tmp/tmp.SCVAx0OdL5 /tmp/tmp.QAOBD2CJq1

TGD4oHRCb5.elf (PID: 6213, Parent: 6126, MD5: 133562f29886fc8c85ce7083d4ff53fb) Arguments: /tmp/TGD4oHRCb5.elf

TGD4oHRCb5.elf New Fork (PID: 6214, Parent: 6213)

TGD4oHRCb5.elf New Fork (PID: 6215, Parent: 6214)

TGD4oHRCb5.elf New Fork (PID: 6216, Parent: 6214)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6213.1.0000000000400000.000000000041c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x185c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x185dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x185f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18604:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18618:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1862c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18640:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18654:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18668:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1867c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18690:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1871c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xf090:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xf907:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0xbd3a:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xbf58:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x12732:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d0c57a2e	unknown	unknown	0x175a2:$a: 07 0F B6 57 01 C1 E0 08 09 D0 89 06 0F BE 47 02 C1 E8 1F 89
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xf4c7:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0xe8a2:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xf792:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0xea9b:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x4967:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x69ff:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
6213.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5362:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
6216.1.0000000000400000.000000000041c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x185c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x185dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x185f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18604:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18618:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1862c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18640:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18654:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18668:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1867c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18690:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x186f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1871c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xf090:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xf907:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0xbd3a:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xbf58:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x12732:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d0c57a2e	unknown	unknown	0x175a2:$a: 07 0F B6 57 01 C1 E0 08 09 D0 89 06 0F BE 47 02 C1 E8 1F 89
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xf4c7:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0xe8a2:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xf792:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0xea9b:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x4967:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x69ff:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
6216.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5362:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: TGD4oHRCb5.elf PID: 6213	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: TGD4oHRCb5.elf PID: 6213	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1076:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x108a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x109e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10b2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10c6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10da:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10ee:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1102:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1116:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x113e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1152:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1166:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x117a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x118e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11a2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11b6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ca:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11de:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1206:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: TGD4oHRCb5.elf PID: 6216	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: TGD4oHRCb5.elf PID: 6216	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1110:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1124:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1138:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x114c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1160:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1174:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1188:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x119c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1200:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1214:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1228:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x123c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1250:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1264:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1278:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x128c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 27 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: TGD4oHRCb5.elf	ReversingLabs: Detection: 28%
Source: TGD4oHRCb5.elf	Virustotal: Detection: 17%			Perma Link

Machine Learning detection for sample

Source: TGD4oHRCb5.elf

Joe Sandbox ML: detected

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 37.49.229.111 ports 25608,25598,25597,25610,25602,25601,25604,25603,0,2,3,5,6

Source: global traffic

TCP traffic: 192.168.2.23:32812 -> 37.49.229.111:25603

Source: /tmp/TGD4oHRCb5.elf (PID: 6213)

Socket: 127.0.0.1:47845

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166

Source: global traffic

DNS traffic detected: DNS query: retardedclassmate.dyn

Source: TGD4oHRCb5.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: Process Memory Space: TGD4oHRCb5.elf PID: 6213, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: TGD4oHRCb5.elf PID: 6216, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: Process Memory Space: TGD4oHRCb5.elf PID: 6213, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: TGD4oHRCb5.elf PID: 6216, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/0@38/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /usr/bin/dash (PID: 6194)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.2zzDf425XD /tmp/tmp.SCVAx0OdL5 /tmp/tmp.QAOBD2CJq1			Jump to behavior
Source: /usr/bin/dash (PID: 6195)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.2zzDf425XD /tmp/tmp.SCVAx0OdL5 /tmp/tmp.QAOBD2CJq1			Jump to behavior

Source: TGD4oHRCb5.elf

Submission file: segment LOAD with 7.8763 entropy (max. 8.0)

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TGD4oHRCb5.elf PID: 6213, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TGD4oHRCb5.elf PID: 6216, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6213.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6216.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TGD4oHRCb5.elf PID: 6213, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TGD4oHRCb5.elf PID: 6216, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TGD4oHRCb5.elf	29%	ReversingLabs	Linux.Trojan.Mirai
TGD4oHRCb5.elf	17%	Virustotal		Browse
TGD4oHRCb5.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
retardedclassmate.dyn	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
retardedclassmate.dyn	37.49.229.111	true	true	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	TGD4oHRCb5.elf	true	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.49.229.111	retardedclassmate.dyn	Estonia	213371	SQUITTER-NETWORKSNL	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
37.49.229.111	kiCuTlZ599.elf	Get hash	malicious	Mirai	Browse
	zSElsVtQLN.elf	Get hash	malicious	Mirai	Browse
	qBrWcBE9JD.elf	Get hash	malicious	Mirai	Browse
	LcY8bb53Tg.elf	Get hash	malicious	Mirai	Browse
	XwkzjBi7Jb.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	SecuriteInfo.com.Other.Malware-gen.2826.29620.elf	Get hash	malicious	Unknown	Browse
	ReMX69vsiG.elf	Get hash	malicious	Unknown	Browse
	yQWo9iRIXf.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.16590.5821.elf	Get hash	malicious	Unknown	Browse
	trrRGN62ii.elf	Get hash	malicious	Mirai	Browse
	N5gbqIM7xp.elf	Get hash	malicious	Unknown	Browse
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse
	sljuMSgzt2.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	IOH6WSHsUQ.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
91.189.91.43	SecuriteInfo.com.Other.Malware-gen.2826.29620.elf	Get hash	malicious	Unknown	Browse
	ReMX69vsiG.elf	Get hash	malicious	Unknown	Browse
	yQWo9iRIXf.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.16590.5821.elf	Get hash	malicious	Unknown	Browse
	trrRGN62ii.elf	Get hash	malicious	Mirai	Browse
	N5gbqIM7xp.elf	Get hash	malicious	Unknown	Browse
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse
	sljuMSgzt2.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	Vij3FJ8y4o.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	SecuriteInfo.com.Other.Malware-gen.2826.29620.elf	Get hash	malicious	Unknown	Browse
	ReMX69vsiG.elf	Get hash	malicious	Unknown	Browse
	yQWo9iRIXf.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.16590.5821.elf	Get hash	malicious	Unknown	Browse
	trrRGN62ii.elf	Get hash	malicious	Mirai	Browse
	N5gbqIM7xp.elf	Get hash	malicious	Unknown	Browse
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse
	sljuMSgzt2.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	IOH6WSHsUQ.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
retardedclassmate.dyn	kiCuTlZ599.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	zSElsVtQLN.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	qBrWcBE9JD.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	arm5-20240623-2204.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	arm7-20240623-2204.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	arm4-20240623-2204.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	arm5-20240623-1330.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	arm4-20240623-1330.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	arm7-20240623-1330.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	hmips-20240623-1326.elf	Get hash	malicious	Mirai	Browse	37.49.229.111

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	SecuriteInfo.com.Other.Malware-gen.2826.29620.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ReMX69vsiG.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	7mo2kvC3FQ.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	yQWo9iRIXf.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.9999.16590.5821.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	CUfSSHbXry.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	Ak1kDlyIZ8.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	trrRGN62ii.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	N5gbqIM7xp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	TbFoReHi2v.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
CANONICAL-ASGB	SecuriteInfo.com.Other.Malware-gen.2826.29620.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ReMX69vsiG.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	7mo2kvC3FQ.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	yQWo9iRIXf.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.9999.16590.5821.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	CUfSSHbXry.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	Ak1kDlyIZ8.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	trrRGN62ii.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	N5gbqIM7xp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	TbFoReHi2v.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
INIT7CH	SecuriteInfo.com.Other.Malware-gen.2826.29620.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ReMX69vsiG.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	yQWo9iRIXf.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.Linux.Siggen.9999.16590.5821.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	trrRGN62ii.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	N5gbqIM7xp.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	sljuMSgzt2.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	IOH6WSHsUQ.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
SQUITTER-NETWORKSNL	kiCuTlZ599.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	zSElsVtQLN.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	qBrWcBE9JD.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	LcY8bb53Tg.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	XwkzjBi7Jb.elf	Get hash	malicious	Mirai	Browse	37.49.229.111
	metastealer.exe	Get hash	malicious	RedLine	Browse	85.209.3.13
	https://pornxp.cfd	Get hash	malicious	Unknown	Browse	103.145.13.133
	h1XMKL7Ewk.elf	Get hash	malicious	Unknown	Browse	37.49.228.204
	32MRl62q4C.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.49.228.204
	NclDmVTLPb.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.49.228.204

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.874044322530595
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	TGD4oHRCb5.elf
File size:	59'028 bytes
MD5:	133562f29886fc8c85ce7083d4ff53fb
SHA1:	56a063ff06fbfdc55444ab9cd47b5e54a8ba50fd
SHA256:	3f509a48bfb5cf1a5da35c861c70b5777e61a5dbf250331e5e731a912a148672
SHA512:	1c5965dc03cd2ae2403aa1079d006ebdaa9e7a9daa548d5df6588a5c5c75a6e4c75c62065927bc51f5860ad394733c89d73b04017c7bc482ae35ee68f3ef9212
SSDEEP:	768:kbvzoZ2MvVVIXXz86kV+VT84keDpgfpZ/Lsx5JCvB53+LQOpZM5qikqs:SvzoTVIXDDkV+97pEZ/LOJUBJVe2qids
TLSH:	5943026A62757591F79F75F2560F87C2FDFE0B02BB8A08915C48B3213C48D49873C265
File Content Preview:	.ELF..............>.....p.......@...................@.8...@.....................................p.......p.................................R.......R.............................Q.td.......................................................=UPX!.........@...@.

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x10dd70
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0xe570	0xe570	7.8763	0x5	R E	0x100000
LOAD	0xda0	0x52bda0	0x52bda0	0x0	0x0	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 03:09:41.639496088 CEST	32812	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:09:41.645564079 CEST	25603	32812	37.49.229.111	192.168.2.23
Jul 3, 2024 03:09:41.645608902 CEST	32812	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:09:41.645620108 CEST	32812	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:09:41.653116941 CEST	25603	32812	37.49.229.111	192.168.2.23
Jul 3, 2024 03:09:41.653182030 CEST	32812	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:09:41.661168098 CEST	25603	32812	37.49.229.111	192.168.2.23
Jul 3, 2024 03:09:42.314922094 CEST	25603	32812	37.49.229.111	192.168.2.23
Jul 3, 2024 03:09:42.315007925 CEST	32812	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:09:42.315025091 CEST	32812	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:09:43.706775904 CEST	43928	443	192.168.2.23	91.189.91.42
Jul 3, 2024 03:09:49.338000059 CEST	42836	443	192.168.2.23	91.189.91.43
Jul 3, 2024 03:09:50.873811007 CEST	42516	80	192.168.2.23	109.202.202.202
Jul 3, 2024 03:10:05.463783026 CEST	43928	443	192.168.2.23	91.189.91.42
Jul 3, 2024 03:10:07.339870930 CEST	32814	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:07.344748974 CEST	25603	32814	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:07.344808102 CEST	32814	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:07.344835043 CEST	32814	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:07.349606037 CEST	25603	32814	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:07.349646091 CEST	32814	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:07.354496956 CEST	25603	32814	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:08.017502069 CEST	25603	32814	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:08.017561913 CEST	32814	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:08.017608881 CEST	32814	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:15.702370882 CEST	42836	443	192.168.2.23	91.189.91.43
Jul 3, 2024 03:10:21.845526934 CEST	42516	80	192.168.2.23	109.202.202.202
Jul 3, 2024 03:10:33.037920952 CEST	32816	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:33.043400049 CEST	25603	32816	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:33.043461084 CEST	32816	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:33.043490887 CEST	32816	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:33.048932076 CEST	25603	32816	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:33.048968077 CEST	32816	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:33.053765059 CEST	25603	32816	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:33.729504108 CEST	25603	32816	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:33.729605913 CEST	32816	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:33.729640007 CEST	32816	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:46.418322086 CEST	43928	443	192.168.2.23	91.189.91.42
Jul 3, 2024 03:10:58.759167910 CEST	32818	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:58.764806986 CEST	25603	32818	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:58.764925957 CEST	32818	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:58.764959097 CEST	32818	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:58.769726992 CEST	25603	32818	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:58.769787073 CEST	32818	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:58.774621010 CEST	25603	32818	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:59.439377069 CEST	25603	32818	37.49.229.111	192.168.2.23
Jul 3, 2024 03:10:59.439693928 CEST	32818	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:10:59.439770937 CEST	32818	25603	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:10.574316025 CEST	48526	25610	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:10.579569101 CEST	25610	48526	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:10.579659939 CEST	48526	25610	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:10.579684019 CEST	48526	25610	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:10.585417986 CEST	25610	48526	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:10.585473061 CEST	48526	25610	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:10.590990067 CEST	25610	48526	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:11.246062040 CEST	25610	48526	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:11.246323109 CEST	48526	25610	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.246360064 CEST	48526	25610	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.262866020 CEST	49462	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.267764091 CEST	25602	49462	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:11.267834902 CEST	49462	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.267855883 CEST	49462	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.272727966 CEST	25602	49462	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:11.272785902 CEST	49462	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.277643919 CEST	25602	49462	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:11.988043070 CEST	25602	49462	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:11.988208055 CEST	49462	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:11.988226891 CEST	49462	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:12.004697084 CEST	43834	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:12.009505033 CEST	25598	43834	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:12.009582996 CEST	43834	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:12.009582996 CEST	43834	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:12.014417887 CEST	25598	43834	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:12.014498949 CEST	43834	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:12.019339085 CEST	25598	43834	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:12.689635038 CEST	25598	43834	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:12.689796925 CEST	43834	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:12.689841032 CEST	43834	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.191274881 CEST	34566	25601	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.196125984 CEST	25601	34566	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:19.196192026 CEST	34566	25601	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.196244955 CEST	34566	25601	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.201628923 CEST	25601	34566	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:19.201683044 CEST	34566	25601	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.206698895 CEST	25601	34566	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:19.883065939 CEST	25601	34566	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:19.883496046 CEST	34566	25601	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.883650064 CEST	34566	25601	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.892327070 CEST	49468	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.897099018 CEST	25602	49468	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:19.897171021 CEST	49468	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.897214890 CEST	49468	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.901990891 CEST	25602	49468	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:19.902045012 CEST	49468	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:19.906779051 CEST	25602	49468	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:20.562182903 CEST	25602	49468	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:20.562433004 CEST	49468	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:20.562520027 CEST	49468	25602	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:40.297260046 CEST	45228	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:40.302122116 CEST	25604	45228	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:40.302186012 CEST	45228	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:40.302221060 CEST	45228	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:40.307039022 CEST	25604	45228	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:40.307096004 CEST	45228	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:40.311889887 CEST	25604	45228	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:40.984047890 CEST	25604	45228	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:40.984364033 CEST	45228	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:40.984440088 CEST	45228	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.041858912 CEST	45230	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.046648979 CEST	25604	45230	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:41.046713114 CEST	45230	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.046749115 CEST	45230	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.052207947 CEST	25604	45230	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:41.052263021 CEST	45230	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.057112932 CEST	25604	45230	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:41.710988045 CEST	25604	45230	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:41.711179018 CEST	45230	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.711252928 CEST	45230	25604	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.729146004 CEST	52982	25597	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.734085083 CEST	25597	52982	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:41.734220028 CEST	52982	25597	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.734265089 CEST	52982	25597	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.740381956 CEST	25597	52982	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:41.740458965 CEST	52982	25597	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:41.745376110 CEST	25597	52982	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:42.444191933 CEST	25597	52982	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:42.444370985 CEST	52982	25597	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:42.444544077 CEST	52982	25597	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:42.460912943 CEST	42792	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:42.465838909 CEST	25608	42792	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:42.465929985 CEST	42792	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:42.465945959 CEST	42792	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:42.470778942 CEST	25608	42792	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:42.470834017 CEST	42792	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:42.475709915 CEST	25608	42792	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.158886909 CEST	25608	42792	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.159022093 CEST	42792	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.159131050 CEST	42792	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.170783997 CEST	42794	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.175709009 CEST	25608	42794	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.175818920 CEST	42794	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.175818920 CEST	42794	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.180679083 CEST	25608	42794	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.180747032 CEST	42794	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.185556889 CEST	25608	42794	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.848269939 CEST	25608	42794	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.848448992 CEST	42794	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.848448992 CEST	42794	25608	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.876693964 CEST	43850	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.882842064 CEST	25598	43850	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.882898092 CEST	43850	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.882898092 CEST	43850	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.890642881 CEST	25598	43850	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:43.890691996 CEST	43850	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:43.897423029 CEST	25598	43850	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:44.552989006 CEST	25598	43850	37.49.229.111	192.168.2.23
Jul 3, 2024 03:11:44.553141117 CEST	43850	25598	192.168.2.23	37.49.229.111
Jul 3, 2024 03:11:44.553178072 CEST	43850	25598	192.168.2.23	37.49.229.111

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 03:09:41.621407032 CEST	54287	53	192.168.2.23	51.158.108.203
Jul 3, 2024 03:09:41.639056921 CEST	53	54287	51.158.108.203	192.168.2.23
Jul 3, 2024 03:09:42.315787077 CEST	52414	53	192.168.2.23	178.254.22.166
Jul 3, 2024 03:09:47.320914030 CEST	60677	53	192.168.2.23	178.254.22.166
Jul 3, 2024 03:09:52.322242975 CEST	45486	53	192.168.2.23	178.254.22.166
Jul 3, 2024 03:09:57.327719927 CEST	57920	53	192.168.2.23	178.254.22.166
Jul 3, 2024 03:10:02.335410118 CEST	45535	53	192.168.2.23	178.254.22.166
Jul 3, 2024 03:10:08.018642902 CEST	47765	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:13.019459009 CEST	50802	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:18.022732019 CEST	41807	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:23.027889967 CEST	45429	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:28.033081055 CEST	60624	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:33.730639935 CEST	34225	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:38.736443043 CEST	43414	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:43.742296934 CEST	47309	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:48.748023987 CEST	37816	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:53.753972054 CEST	33877	53	192.168.2.23	91.217.137.37
Jul 3, 2024 03:10:59.440937042 CEST	39845	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:04.446917057 CEST	49959	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:09.452594995 CEST	47465	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:10.573115110 CEST	53	47465	51.77.149.139	192.168.2.23
Jul 3, 2024 03:11:11.247777939 CEST	59831	53	192.168.2.23	51.254.162.59
Jul 3, 2024 03:11:11.262234926 CEST	53	59831	51.254.162.59	192.168.2.23
Jul 3, 2024 03:11:11.989367962 CEST	36376	53	192.168.2.23	51.254.162.59
Jul 3, 2024 03:11:12.004173040 CEST	53	36376	51.254.162.59	192.168.2.23
Jul 3, 2024 03:11:12.691131115 CEST	42204	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:17.697165012 CEST	41361	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:19.189944983 CEST	53	41361	51.77.149.139	192.168.2.23
Jul 3, 2024 03:11:19.885023117 CEST	60391	53	192.168.2.23	195.10.195.195
Jul 3, 2024 03:11:19.891813993 CEST	53	60391	195.10.195.195	192.168.2.23
Jul 3, 2024 03:11:20.563769102 CEST	37930	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:25.569298029 CEST	38112	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:30.575395107 CEST	43666	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:35.581394911 CEST	57501	53	192.168.2.23	51.77.149.139
Jul 3, 2024 03:11:40.296303034 CEST	53	57501	51.77.149.139	192.168.2.23
Jul 3, 2024 03:11:40.985733986 CEST	40842	53	192.168.2.23	94.16.114.254
Jul 3, 2024 03:11:40.997499943 CEST	40686	53	192.168.2.23	94.16.114.254
Jul 3, 2024 03:11:41.008563042 CEST	51845	53	192.168.2.23	94.16.114.254
Jul 3, 2024 03:11:41.019568920 CEST	36540	53	192.168.2.23	94.16.114.254
Jul 3, 2024 03:11:41.031438112 CEST	45484	53	192.168.2.23	94.16.114.254
Jul 3, 2024 03:11:41.712562084 CEST	51001	53	192.168.2.23	51.158.108.203
Jul 3, 2024 03:11:41.728621960 CEST	53	51001	51.158.108.203	192.168.2.23
Jul 3, 2024 03:11:42.445801973 CEST	43528	53	192.168.2.23	51.254.162.59
Jul 3, 2024 03:11:42.460382938 CEST	53	43528	51.254.162.59	192.168.2.23
Jul 3, 2024 03:11:43.160406113 CEST	34252	53	192.168.2.23	194.36.144.87
Jul 3, 2024 03:11:43.170239925 CEST	53	34252	194.36.144.87	192.168.2.23
Jul 3, 2024 03:11:43.849234104 CEST	36036	53	192.168.2.23	81.169.136.222
Jul 3, 2024 03:11:43.876318932 CEST	53	36036	81.169.136.222	192.168.2.23
Jul 3, 2024 03:11:44.554420948 CEST	32905	53	192.168.2.23	178.254.22.166

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 3, 2024 03:10:08.069550991 CEST	77.87.200.190	192.168.2.23	52fd	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:13.068844080 CEST	77.87.200.190	192.168.2.23	52fd	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:18.074944973 CEST	77.87.200.190	192.168.2.23	52fd	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:23.080823898 CEST	77.87.200.190	192.168.2.23	52fd	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:28.085483074 CEST	77.87.200.190	192.168.2.23	52fd	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:33.781419039 CEST	77.87.200.190	192.168.2.23	c23d	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:38.785450935 CEST	77.87.200.190	192.168.2.23	c23d	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:43.791348934 CEST	77.87.200.190	192.168.2.23	c23d	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:48.800199986 CEST	77.87.200.190	192.168.2.23	c23d	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:10:53.803049088 CEST	77.87.200.190	192.168.2.23	c23d	(Host unreachable)	Destination Unreachable
Jul 3, 2024 03:11:40.996498108 CEST	94.16.114.254	192.168.2.23	910b	(Port unreachable)	Destination Unreachable
Jul 3, 2024 03:11:41.007584095 CEST	94.16.114.254	192.168.2.23	910b	(Port unreachable)	Destination Unreachable
Jul 3, 2024 03:11:41.018568993 CEST	94.16.114.254	192.168.2.23	910b	(Port unreachable)	Destination Unreachable
Jul 3, 2024 03:11:41.030483961 CEST	94.16.114.254	192.168.2.23	910b	(Port unreachable)	Destination Unreachable
Jul 3, 2024 03:11:41.041402102 CEST	94.16.114.254	192.168.2.23	910b	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 03:09:41.621407032 CEST	192.168.2.23	51.158.108.203	0x4cd2	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:09:42.315787077 CEST	192.168.2.23	178.254.22.166	0x11ca	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:09:47.320914030 CEST	192.168.2.23	178.254.22.166	0x11ca	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:09:52.322242975 CEST	192.168.2.23	178.254.22.166	0x11ca	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:09:57.327719927 CEST	192.168.2.23	178.254.22.166	0x11ca	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:02.335410118 CEST	192.168.2.23	178.254.22.166	0x11ca	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:08.018642902 CEST	192.168.2.23	91.217.137.37	0xcb6e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:13.019459009 CEST	192.168.2.23	91.217.137.37	0xcb6e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:18.022732019 CEST	192.168.2.23	91.217.137.37	0xcb6e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:23.027889967 CEST	192.168.2.23	91.217.137.37	0xcb6e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:28.033081055 CEST	192.168.2.23	91.217.137.37	0xcb6e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:33.730639935 CEST	192.168.2.23	91.217.137.37	0x3aaf	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:38.736443043 CEST	192.168.2.23	91.217.137.37	0x3aaf	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:43.742296934 CEST	192.168.2.23	91.217.137.37	0x3aaf	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:48.748023987 CEST	192.168.2.23	91.217.137.37	0x3aaf	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:53.753972054 CEST	192.168.2.23	91.217.137.37	0x3aaf	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:10:59.440937042 CEST	192.168.2.23	51.77.149.139	0xe69a	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:04.446917057 CEST	192.168.2.23	51.77.149.139	0xe69a	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:09.452594995 CEST	192.168.2.23	51.77.149.139	0xe69a	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:11.247777939 CEST	192.168.2.23	51.254.162.59	0xc7c7	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:11.989367962 CEST	192.168.2.23	51.254.162.59	0x99f2	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:12.691131115 CEST	192.168.2.23	51.77.149.139	0x39c0	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:17.697165012 CEST	192.168.2.23	51.77.149.139	0x39c0	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:19.885023117 CEST	192.168.2.23	195.10.195.195	0x4f4a	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:20.563769102 CEST	192.168.2.23	51.77.149.139	0xb66e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:25.569298029 CEST	192.168.2.23	51.77.149.139	0xb66e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:30.575395107 CEST	192.168.2.23	51.77.149.139	0xb66e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:35.581394911 CEST	192.168.2.23	51.77.149.139	0xb66e	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:40.985733986 CEST	192.168.2.23	94.16.114.254	0x84f8	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:40.997499943 CEST	192.168.2.23	94.16.114.254	0x84f8	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:41.008563042 CEST	192.168.2.23	94.16.114.254	0x84f8	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:41.019568920 CEST	192.168.2.23	94.16.114.254	0x84f8	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:41.031438112 CEST	192.168.2.23	94.16.114.254	0x84f8	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:41.712562084 CEST	192.168.2.23	51.158.108.203	0x9319	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:42.445801973 CEST	192.168.2.23	51.254.162.59	0x4751	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:43.160406113 CEST	192.168.2.23	194.36.144.87	0xd114	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:43.849234104 CEST	192.168.2.23	81.169.136.222	0x572a	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:44.554420948 CEST	192.168.2.23	178.254.22.166	0xbf42	Standard query (0)	retardedclassmate.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 03:09:41.639056921 CEST	51.158.108.203	192.168.2.23	0x4cd2	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:10.573115110 CEST	51.77.149.139	192.168.2.23	0xe69a	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:11.262234926 CEST	51.254.162.59	192.168.2.23	0xc7c7	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:12.004173040 CEST	51.254.162.59	192.168.2.23	0x99f2	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:19.189944983 CEST	51.77.149.139	192.168.2.23	0x39c0	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:19.891813993 CEST	195.10.195.195	192.168.2.23	0x4f4a	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:40.296303034 CEST	51.77.149.139	192.168.2.23	0xb66e	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:41.728621960 CEST	51.158.108.203	192.168.2.23	0x9319	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:42.460382938 CEST	51.254.162.59	192.168.2.23	0x4751	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:43.170239925 CEST	194.36.144.87	192.168.2.23	0xd114	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 03:11:43.876318932 CEST	81.169.136.222	192.168.2.23	0x572a	No error (0)	retardedclassmate.dyn	37.49.229.111	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 6194, Parent PID: 4332

General

Start time (UTC):	01:09:33
Start date (UTC):	03/07/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6194, Parent PID: 4332

General

Start time (UTC):	01:09:33
Start date (UTC):	03/07/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.2zzDf425XD /tmp/tmp.SCVAx0OdL5 /tmp/tmp.QAOBD2CJq1
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6195, Parent PID: 4332

General

Start time (UTC):	01:09:33
Start date (UTC):	03/07/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6195, Parent PID: 4332

General

Start time (UTC):	01:09:33
Start date (UTC):	03/07/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.2zzDf425XD /tmp/tmp.SCVAx0OdL5 /tmp/tmp.QAOBD2CJq1
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: TGD4oHRCb5.elf PID: 6213, Parent PID: 6126

General

Start time (UTC):	01:09:40
Start date (UTC):	03/07/2024
Path:	/tmp/TGD4oHRCb5.elf
Arguments:	/tmp/TGD4oHRCb5.elf
File size:	59028 bytes
MD5 hash:	133562f29886fc8c85ce7083d4ff53fb

Chronological Activities

Analysis Process: TGD4oHRCb5.elf PID: 6214, Parent PID: 6213

General

Start time (UTC):	01:09:40
Start date (UTC):	03/07/2024
Path:	/tmp/TGD4oHRCb5.elf
Arguments:	-
File size:	59028 bytes
MD5 hash:	133562f29886fc8c85ce7083d4ff53fb

Chronological Activities

Analysis Process: TGD4oHRCb5.elf PID: 6215, Parent PID: 6214

General

Start time (UTC):	01:09:40
Start date (UTC):	03/07/2024
Path:	/tmp/TGD4oHRCb5.elf
Arguments:	-
File size:	59028 bytes
MD5 hash:	133562f29886fc8c85ce7083d4ff53fb

Chronological Activities

Analysis Process: TGD4oHRCb5.elf PID: 6216, Parent PID: 6214

General

Start time (UTC):	01:09:40
Start date (UTC):	03/07/2024
Path:	/tmp/TGD4oHRCb5.elf
Arguments:	-
File size:	59028 bytes
MD5 hash:	133562f29886fc8c85ce7083d4ff53fb

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report TGD4oHRCb5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 6194, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6194, Parent PID: 4332

General

Chronological Activities

Analysis Process: dash PID: 6195, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6195, Parent PID: 4332

General

Chronological Activities

Analysis Process: TGD4oHRCb5.elf PID: 6213, Parent PID: 6126

General

Chronological Activities

Analysis Process: TGD4oHRCb5.elf PID: 6214, Parent PID: 6213

Linux Analysis Report
TGD4oHRCb5.elf