Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1536987
MD5:	8da59a8051c4fab98d00e1a4f7d0ac82
SHA1:	d695046adf4c2192bf7b8e2be6ebe887c4073c54
SHA256:	d6be8dc9b65a70b427159b85ad760287c3f308c2a67b7ef33a2f398a3c0be09c
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1536987
Start date and time:	2024-10-18 13:35:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal60.troj.evad.linELF@0/0@0/0

Warnings

VT rate limit hit for: na.elf

Runtime Messages

Command:	/tmp/na.elf
PID:	5486
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5486, Parent: 5412, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5488, Parent: 5486)

na.elf New Fork (PID: 5490, Parent: 5488)

na.elf New Fork (PID: 5492, Parent: 5488)

na.elf New Fork (PID: 5504, Parent: 5486)

na.elf New Fork (PID: 5506, Parent: 5486)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5504.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5504.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11f2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fcc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ff4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12008:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1201c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1206c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5486.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5486.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11f2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fcc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ff4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12008:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1201c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1206c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5490.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5490.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11f2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fcc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ff4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12008:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1201c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1206c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5488.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5488.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11f2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fcc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ff4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12008:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1201c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1206c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x120bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5486	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5486	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x4590:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x461c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x466c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x470c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5488	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5488	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x175c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x175db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x175ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17603:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17617:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1762b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1763f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17653:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17667:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1767b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1768f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x176a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x176b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x176cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x176df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x176f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17707:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1771b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1772f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17743:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17757:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5490	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5490	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xce6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcfa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdc2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdd6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdfe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe12:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe26:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe3a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe4e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe62:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe76:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5504	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5504	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xb98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: global traffic

TCP traffic: 192.168.2.14:51136 -> 45.86.155.23:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23

Source: na.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5504.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5486.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5490.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5488.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5486, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5488, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5504, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x8000

Source: 5504.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5486.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5490.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5488.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5486, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5488, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5504, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal60.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3760/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1583/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/2672/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3759/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1577/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3757/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3758/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1593/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/240/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3094/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/242/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3406/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/244/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1589/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/245/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3402/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/247/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/806/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/807/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/928/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3420/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/135/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/3412/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/1371/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/na.elf (PID: 5486)	File opened: /proc/262/status	Jump to behavior

Source: na.elf

Submission file: segment LOAD with 7.9706 entropy (max. 8.0)

Source: /tmp/na.elf (PID: 5486)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5486.1.00005653a33b6000.00005653a3566000.rw-.sdmp, na.elf, 5488.1.00005653a33b6000.00005653a3544000.rw-.sdmp, na.elf, 5490.1.00005653a33b6000.00005653a3544000.rw-.sdmp, na.elf, 5504.1.00005653a33b6000.00005653a3566000.rw-.sdmp	Binary or memory string: SV!/etc/qemu-binfmt/arm
Source: na.elf, 5486.1.00005653a33b6000.00005653a3566000.rw-.sdmp, na.elf, 5488.1.00005653a33b6000.00005653a3544000.rw-.sdmp, na.elf, 5490.1.00005653a33b6000.00005653a3544000.rw-.sdmp, na.elf, 5504.1.00005653a33b6000.00005653a3566000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5486.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp, na.elf, 5488.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp, na.elf, 5490.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp, na.elf, 5504.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: na.elf, 5486.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp, na.elf, 5488.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp, na.elf, 5490.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp, na.elf, 5504.1.00007ffe11ed8000.00007ffe11ef9000.rw-.sdmp	Binary or memory string: ,3:rUx86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5504.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5486.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5490.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5488.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5486, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5504, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5504.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5486.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5490.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5488.1.00007f10fc017000.00007f10fc02c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5486, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	na.elf	true	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.86.155.23	unknown	Germany		202322	EVERYONE-BANDWIDTH-INCDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.86.155.23	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EVERYONE-BANDWIDTH-INCDE	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	na.elf	Get hash	malicious	Mirai	Browse	45.86.155.23
	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	http://qgasyntax.com/2753402WB7192675vw697764118Il17367cC38SJr190893GZ	Get hash	malicious	Phisher	Browse	45.13.225.215
	K5P6Oe31Kq.elf	Get hash	malicious	Mirai	Browse	45.133.73.210

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):	7.968810757771445
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	39'288 bytes
MD5:	8da59a8051c4fab98d00e1a4f7d0ac82
SHA1:	d695046adf4c2192bf7b8e2be6ebe887c4073c54
SHA256:	d6be8dc9b65a70b427159b85ad760287c3f308c2a67b7ef33a2f398a3c0be09c
SHA512:	43b79a9853cbf1734fe2e51abe5e20c25333a851967774b7feb26d1c226e2c634f39544ac763f5a10921820c6accc1e4b58d4e6daeb2c6ff5d07aa0d2e3685af
SSDEEP:	768:Hu7RATMUu4f7RDdP6NM8I52VNbvdFsDJ4iW1Hk7gs3UozOi:ARAC4fNDdP6N5pd+DS1HazOi
TLSH:	C40302927999D512AD604530EE3F1513BB2BBBBCD1DF712CE2210538B9C0647722CF9A
File Content Preview:	.ELF...a..........(.........4...........4. ...(.....................W...W................{...{...{..................Q.td............................s.y.UPX!.........T...T......S..........?.E.h;.}...^..........fK..z..,vU...].XLU..0.)..0(7n..V5.'...,;.q9...

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x106a8
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x9857	0x9857	7.9706	0x5	R E	0x8000
LOAD	0x7bc8	0x27bc8	0x27bc8	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 13:36:38.210316896 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:38.215293884 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:38.215344906 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:38.268157959 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:38.273034096 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:38.273088932 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:38.277971029 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.061511040 CEST	3778	51136	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.061568975 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.061719894 CEST	51136	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.062246084 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.067241907 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.067296982 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.068583965 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.073646069 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.073692083 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.078505993 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.894740105 CEST	3778	51138	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.895020008 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.895143986 CEST	51138	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.896234035 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.901050091 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.901125908 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.901839018 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.906615973 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:39.906692028 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:39.911554098 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:40.728943110 CEST	3778	51140	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:40.729104996 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:40.729211092 CEST	51140	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:40.730010033 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:40.734921932 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:40.734991074 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:40.735837936 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:40.740704060 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:40.740772009 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:40.745707989 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:41.568209887 CEST	3778	51142	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:41.568507910 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:41.568507910 CEST	51142	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:41.569119930 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:41.574065924 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:41.574160099 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:41.575031996 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:41.579988003 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:41.580075026 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:41.585055113 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:42.404047966 CEST	3778	51144	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:42.404301882 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:42.404301882 CEST	51144	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:42.404856920 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:42.409713030 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:42.409778118 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:42.410521984 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:42.415307045 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:42.415364027 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:42.420243979 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:43.245776892 CEST	3778	51146	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:43.245929003 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:43.246006966 CEST	51146	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:43.246694088 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:43.251589060 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:43.251657009 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:43.252412081 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:43.257217884 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:43.257270098 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:43.262178898 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.077874899 CEST	3778	51148	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.078080893 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.078202963 CEST	51148	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.078869104 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.084074020 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.084177017 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.084963083 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.090162039 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.090248108 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.095256090 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.186093092 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.191034079 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.191124916 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.219903946 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.224966049 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.225047112 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.229938984 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.911129951 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.911192894 CEST	3778	51150	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.911313057 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.911313057 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.911370993 CEST	51150	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.912102938 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.917129993 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.917220116 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.918181896 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.922996998 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:44.923051119 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:44.928086996 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.035845041 CEST	3778	51152	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.035968065 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.036240101 CEST	51152	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.036784887 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.041841984 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.041908026 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.042974949 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.047919035 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.047986984 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.052922964 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.736341953 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.736521006 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.736649036 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.737087011 CEST	3778	51154	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.737144947 CEST	51154	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.737200022 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.742139101 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.742216110 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.743110895 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.748063087 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.748136044 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.753055096 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.879774094 CEST	3778	51156	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.879981041 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.880099058 CEST	51156	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.880990982 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.886013985 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.886126995 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.887172937 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.892050028 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:45.892159939 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:45.897264004 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.570147038 CEST	3778	51158	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.570230007 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.570285082 CEST	51158	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.570782900 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.575707912 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.575778961 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.576376915 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.581250906 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.581418037 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.586755991 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.729512930 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.729532003 CEST	3778	51160	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.729630947 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.729630947 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.729670048 CEST	51160	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.730118990 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.735131025 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.735196114 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.735887051 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.740739107 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:46.740784883 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:46.745646000 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.411272049 CEST	3778	51162	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.411521912 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.411521912 CEST	51162	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.412055969 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.416990042 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.417056084 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.417798996 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.422632933 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.422753096 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.427603006 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.566592932 CEST	3778	51164	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.566703081 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.566751003 CEST	51164	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.567317963 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.572149992 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.572201967 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.573079109 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.577945948 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:47.577991009 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:47.582801104 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.268390894 CEST	3778	51166	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.268650055 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.268759012 CEST	51166	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.269252062 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.274116993 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.274188995 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.275032043 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.279838085 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.279901028 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.284866095 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.403289080 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.403305054 CEST	3778	51168	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.403485060 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.403485060 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.403542042 CEST	51168	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.404078960 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.408911943 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.408993006 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.409900904 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.414655924 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:48.414700985 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:48.419605017 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.118557930 CEST	3778	51170	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.118801117 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.118854046 CEST	51170	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.119550943 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.124454975 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.124573946 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.125621080 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.130589962 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.130712986 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.135623932 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.963258982 CEST	3778	51174	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.963398933 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.963449001 CEST	51174	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.964046001 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.969069004 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.969137907 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.969810963 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.974828959 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:49.974883080 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:49.979827881 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:50.807821035 CEST	3778	51176	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:50.807977915 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:50.808058977 CEST	51176	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:50.808549881 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:50.814100981 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:50.814177990 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:50.815108061 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:50.820360899 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:50.820415974 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:50.825758934 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:51.644068956 CEST	3778	51178	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:51.644473076 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:51.644505024 CEST	51178	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:51.645215034 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:51.651051044 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:51.651112080 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:51.652055979 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:51.657083035 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:51.657134056 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:51.662084103 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:58.420443058 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:36:58.425791979 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:58.677294016 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:36:58.677416086 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:37:01.652682066 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:37:01.658418894 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:37:01.895195961 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:37:01.895276070 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:37:58.735873938 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:37:58.740788937 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:37:58.982598066 CEST	3778	51172	45.86.155.23	192.168.2.14
Oct 18, 2024 13:37:58.982769966 CEST	51172	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:38:01.935842037 CEST	51180	3778	192.168.2.14	45.86.155.23
Oct 18, 2024 13:38:01.940743923 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:38:02.176104069 CEST	3778	51180	45.86.155.23	192.168.2.14
Oct 18, 2024 13:38:02.176333904 CEST	51180	3778	192.168.2.14	45.86.155.23

System Behavior

Analysis Process: na.elf PID: 5486, Parent PID: 5412

General

Start time (UTC):	11:36:37
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5488, Parent PID: 5486

General

Start time (UTC):	11:36:37
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5490, Parent PID: 5488

General

Start time (UTC):	11:36:37
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5492, Parent PID: 5488

General

Start time (UTC):	11:36:37
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5504, Parent PID: 5486

General

Start time (UTC):	11:36:43
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5506, Parent PID: 5486

General

Start time (UTC):	11:36:43
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: na.elf PID: 5486, Parent PID: 5412

General

Chronological Activities

Analysis Process: na.elf PID: 5488, Parent PID: 5486

General

Chronological Activities

Analysis Process: na.elf PID: 5490, Parent PID: 5488

General

Chronological Activities

Analysis Process: na.elf PID: 5492, Parent PID: 5488

General

Chronological Activities

Analysis Process: na.elf PID: 5504, Parent PID: 5486

General

Chronological Activities

Analysis Process: na.elf PID: 5506, Parent PID: 5486

General

Chronological Activities

Linux Analysis Report
na.elf