Edit tour

Linux Analysis Report
zerppc.elf

Overview

General Information

Sample name:	zerppc.elf
Analysis ID:	1543098
MD5:	dca795506df8d44ff8a9d45e85caf92b
SHA1:	1212e0e371e3ea71cc517f7ff644c9ff4362560e
SHA256:	6d86b401f77c1ffcc9d29d1b157f44b08611b84c4ea238b32d76c48eae4f62da
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543098
Start date and time:	2024-10-27 08:57:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerppc.elf
Detection:	MAL
Classification:	mal56.troj.linELF@0/0@18/0

Warnings

VT rate limit hit for: yellowchink.pirate

Runtime Messages

Command:	/tmp/zerppc.elf
PID:	5462
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

zerppc.elf (PID: 5462, Parent: 5370, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/zerppc.elf

zerppc.elf New Fork (PID: 5464, Parent: 5462)

zerppc.elf New Fork (PID: 5466, Parent: 5464)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerppc.elf	ReversingLabs: Detection: 39%
Source: zerppc.elf	Virustotal: Detection: 43%			Perma Link

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 185.150.24.67 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 45.156.86.24 ports 38241,1,2,3,4,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.13:33436 -> 185.150.24.67:38241
Source: global traffic	TCP traffic: 192.168.2.13:49400 -> 45.156.86.24:38241

Source: /tmp/zerppc.elf (PID: 5462)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203

Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic	DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: burnthe.libre
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate. [malformed]
Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn. [malformed]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.linELF@0/0@18/0

Source: /tmp/zerppc.elf (PID: 5462)

Queries kernel information via 'uname':

Jump to behavior

Source: zerppc.elf, 5462.1.000055557d443000.000055557d4f3000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: zerppc.elf, 5462.1.000055557d443000.000055557d4f3000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: zerppc.elf, 5462.1.00007ffd0768a000.00007ffd076ab000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: zerppc.elf, 5462.1.00007ffd0768a000.00007ffd076ab000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/zerppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerppc.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerppc.elf	39%	ReversingLabs	Linux.Trojan.Mirai
zerppc.elf	43%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
yellowchink.pirate	45.156.86.24	true	true	unknown
chinklabs.dyn	185.150.24.67	true	true	unknown
burnthe.libre	45.156.86.24	true	true	unknown
chinklabs.dyn. [malformed]	unknown	unknown	true	unknown
netfags.geek. [malformed]	unknown	unknown	true	unknown
burnthe.libre. [malformed]	unknown	unknown	true	unknown
yellowchink.pirate. [malformed]	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.150.24.67	chinklabs.dyn	Netherlands		44592	SKYLINKNL	true
45.156.86.24	yellowchink.pirate	Germany		44592	SKYLINKNL	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.150.24.67	file.exe	Get hash	malicious	Unknown	Browse
185.150.24.67	https://search-dl3.com/staticpr/12.zip	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
burnthe.libre	jydeTkHxMv.elf	Get hash	malicious	Unknown	Browse	77.105.135.60
burnthe.libre	OCSM1XFiPg.elf	Get hash	malicious	Unknown	Browse	5.181.80.61
yellowchink.pirate	EGQr0VDazQ.elf	Get hash	malicious	Unknown	Browse	5.181.80.189
	q9WhhN00yY.elf	Get hash	malicious	Unknown	Browse	77.105.135.60
	ztGOiA742S.elf	Get hash	malicious	Unknown	Browse	77.105.135.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYLINKNL	SecuriteInfo.com.Win64.TrojanX-gen.14578.3729.exe	Get hash	malicious	Unknown	Browse	45.141.37.12
	http://185.150.26.210/bot.x86_64	Get hash	malicious	Unknown	Browse	185.150.26.210
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	SecuriteInfo.com.Linux.Siggen.9999.2215.16365.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	SecuriteInfo.com.Linux.Siggen.9999.23508.27121.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	IUuKCHla6X.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	4GZzy6vjRR.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	QXdKX2YT7x.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	FyLw329X1Q.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	84v276RQAQ.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
SKYLINKNL	SecuriteInfo.com.Win64.TrojanX-gen.14578.3729.exe	Get hash	malicious	Unknown	Browse	45.141.37.12
	http://185.150.26.210/bot.x86_64	Get hash	malicious	Unknown	Browse	185.150.26.210
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	SecuriteInfo.com.Linux.Siggen.9999.2215.16365.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	SecuriteInfo.com.Linux.Siggen.9999.23508.27121.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	IUuKCHla6X.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	4GZzy6vjRR.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	QXdKX2YT7x.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	FyLw329X1Q.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210
	84v276RQAQ.elf	Get hash	malicious	Mirai, Okiru	Browse	185.150.26.210

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.217742381176895
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerppc.elf
File size:	46'296 bytes
MD5:	dca795506df8d44ff8a9d45e85caf92b
SHA1:	1212e0e371e3ea71cc517f7ff644c9ff4362560e
SHA256:	6d86b401f77c1ffcc9d29d1b157f44b08611b84c4ea238b32d76c48eae4f62da
SHA512:	48173f7875e5dbf9333f0555bfc9839ee3703dbfb236e66ba353ef8b81850eeb38f32dca98a4c580ed4247b5c1602e45086b9a53c2331856f7b43b6dfaab0926
SSDEEP:	768:UrpFtoekRioB66QTNC0SRhWELuIGSfZPsNDSYYc7qNnH:2FWTEX6QWRhWDShP0DSYB7unH
TLSH:	19234B43721C0A27C5A25774253F17F093FFADA025E4B688A40F9B5A8971F372486F9E
File Content Preview:	.ELF...........................4.........4. ...(....................................................................dt.Q.............................!..\|......$H...H..m...$8!. \|...N.. .!..\|.......?.............../...@..\?........+../...A..$8...})......N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	45776
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xa6c4	0x0	0x6	AX	4
.fini	PROGBITS	0x1000a77c	0xa77c	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000a79c	0xa79c	0x95c	0x0	0x2	A	4
.ctors	PROGBITS	0x1001b0fc	0xb0fc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1001b104	0xb104	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x1001b10c	0xb10c	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x1001b110	0xb110	0x148	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001b258	0xb258	0x28	0x0	0x3	WA	4
.sbss	NOBITS	0x1001b280	0xb280	0x5c	0x0	0x3	WA	4
.bss	NOBITS	0x1001b2dc	0xb280	0x10c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xb280	0x50	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xb0f8	0xb0f8	6.2749	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xb0fc	0x1001b0fc	0x1001b0fc	0x184	0x2ec	0.8988	0x6	RW	0x10000	.ctors .dtors .jcr .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 08:58:03.487375021 CET	33436	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:03.492981911 CET	38241	33436	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:03.493212938 CET	33436	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:03.506023884 CET	33436	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:03.511667967 CET	38241	33436	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:03.511856079 CET	33436	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:03.517400980 CET	38241	33436	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:04.275667906 CET	38241	33436	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:04.276146889 CET	33436	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:04.282031059 CET	38241	33436	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:05.289815903 CET	33438	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:05.295377970 CET	38241	33438	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:05.295444012 CET	33438	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:05.296185017 CET	33438	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:05.301441908 CET	38241	33438	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:05.301491976 CET	33438	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:05.306849957 CET	38241	33438	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:05.895735979 CET	38241	33438	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:05.896171093 CET	33438	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:05.901988029 CET	38241	33438	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:06.910146952 CET	33440	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:06.916084051 CET	38241	33440	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:06.916176081 CET	33440	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:06.917084932 CET	33440	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:06.922831059 CET	38241	33440	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:06.922992945 CET	33440	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:06.928656101 CET	38241	33440	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:07.504314899 CET	38241	33440	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:07.504689932 CET	33440	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:07.510468960 CET	38241	33440	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:08.523277998 CET	49400	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:08.528814077 CET	38241	49400	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:08.528871059 CET	49400	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:08.530217886 CET	49400	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:08.535504103 CET	38241	49400	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:08.535559893 CET	49400	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:08.540958881 CET	38241	49400	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:18.540407896 CET	49400	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:18.545696020 CET	38241	49400	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:18.908116102 CET	38241	49400	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:18.908360958 CET	49400	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:18.913805962 CET	38241	49400	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:19.940155983 CET	49402	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:19.945480108 CET	38241	49402	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:19.945599079 CET	49402	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:19.946753025 CET	49402	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:19.951170921 CET	38241	49402	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:19.951288939 CET	49402	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:19.952076912 CET	38241	49402	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:19.956867933 CET	38241	49402	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:20.966356039 CET	49404	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:20.972070932 CET	38241	49404	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:20.972330093 CET	49404	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:20.973454952 CET	49404	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:20.978754997 CET	38241	49404	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:20.978816986 CET	49404	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:20.984126091 CET	38241	49404	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:31.791130066 CET	38241	49404	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:31.791388035 CET	49404	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:31.796966076 CET	38241	49404	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:32.828563929 CET	33448	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:32.835189104 CET	38241	33448	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:32.835275888 CET	33448	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:32.836328983 CET	33448	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:32.842963934 CET	38241	33448	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:32.843024015 CET	33448	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:32.848917961 CET	38241	33448	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:33.432430029 CET	38241	33448	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:33.432663918 CET	33448	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:33.437984943 CET	38241	33448	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:34.464654922 CET	33450	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:34.469948053 CET	38241	33450	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:34.469990015 CET	33450	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:34.470756054 CET	33450	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:34.476011038 CET	38241	33450	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:34.476066113 CET	33450	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:34.481430054 CET	38241	33450	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:35.058887959 CET	38241	33450	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:35.059062958 CET	33450	38241	192.168.2.13	185.150.24.67
Oct 27, 2024 08:58:35.064425945 CET	38241	33450	185.150.24.67	192.168.2.13
Oct 27, 2024 08:58:36.073278904 CET	49410	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:36.079051971 CET	38241	49410	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:36.079124928 CET	49410	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:36.080343008 CET	49410	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:36.084661961 CET	38241	49410	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:36.084726095 CET	49410	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:36.085566998 CET	38241	49410	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:36.092138052 CET	38241	49410	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:37.099772930 CET	49412	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:37.105921030 CET	38241	49412	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:37.105993986 CET	49412	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:37.106914997 CET	49412	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:37.112454891 CET	38241	49412	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:37.112560987 CET	49412	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:37.112724066 CET	38241	49412	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:37.119359016 CET	38241	49412	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:38.149538040 CET	49414	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:38.154901981 CET	38241	49414	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:38.154972076 CET	49414	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:38.156421900 CET	49414	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:38.161798000 CET	38241	49414	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:38.161856890 CET	49414	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:38.167203903 CET	38241	49414	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:48.988919020 CET	38241	49414	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:48.989198923 CET	49414	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:48.994652033 CET	38241	49414	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:50.003118038 CET	49416	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:50.008450031 CET	38241	49416	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:50.008584976 CET	49416	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:50.009548903 CET	49416	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:50.014970064 CET	38241	49416	45.156.86.24	192.168.2.13
Oct 27, 2024 08:58:50.015111923 CET	49416	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:58:50.020457029 CET	38241	49416	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:00.846548080 CET	38241	49416	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:00.846698046 CET	49416	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:00.853811979 CET	38241	49416	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:01.879578114 CET	49418	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:01.884915113 CET	38241	49418	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:01.885001898 CET	49418	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:01.886126041 CET	49418	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:01.891594887 CET	38241	49418	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:01.891663074 CET	49418	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:01.897073030 CET	38241	49418	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:12.713751078 CET	38241	49418	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:12.714024067 CET	49418	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:12.719320059 CET	38241	49418	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:13.734813929 CET	49420	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:13.740230083 CET	38241	49420	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:13.740300894 CET	49420	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:13.741133928 CET	49420	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:13.746817112 CET	38241	49420	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:13.746922016 CET	49420	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:13.752222061 CET	38241	49420	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:24.648431063 CET	38241	49420	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:24.648576021 CET	49420	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:24.654088020 CET	38241	49420	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:25.663589954 CET	49422	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:25.668962955 CET	38241	49422	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:25.669054031 CET	49422	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:25.670047998 CET	49422	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:25.675384998 CET	38241	49422	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:25.675442934 CET	49422	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:25.680809975 CET	38241	49422	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:35.680258036 CET	49422	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:35.685676098 CET	38241	49422	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:36.048253059 CET	38241	49422	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:36.048736095 CET	49422	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:36.054058075 CET	38241	49422	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:37.070190907 CET	49424	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:37.075700998 CET	38241	49424	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:37.075794935 CET	49424	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:37.077317953 CET	49424	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:37.082617998 CET	38241	49424	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:37.082686901 CET	49424	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:37.088217974 CET	38241	49424	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:47.890459061 CET	38241	49424	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:47.890786886 CET	49424	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:47.896379948 CET	38241	49424	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:48.908127069 CET	49426	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:48.913664103 CET	38241	49426	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:48.913789034 CET	49426	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:48.915234089 CET	49426	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:48.920620918 CET	38241	49426	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:48.920829058 CET	49426	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:48.926218033 CET	38241	49426	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:59.747068882 CET	38241	49426	45.156.86.24	192.168.2.13
Oct 27, 2024 08:59:59.747354031 CET	49426	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 08:59:59.752747059 CET	38241	49426	45.156.86.24	192.168.2.13
Oct 27, 2024 09:00:00.767774105 CET	49428	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 09:00:00.773186922 CET	38241	49428	45.156.86.24	192.168.2.13
Oct 27, 2024 09:00:00.773297071 CET	49428	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 09:00:00.774115086 CET	49428	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 09:00:00.779386997 CET	38241	49428	45.156.86.24	192.168.2.13
Oct 27, 2024 09:00:00.779434919 CET	49428	38241	192.168.2.13	45.156.86.24
Oct 27, 2024 09:00:00.784787893 CET	38241	49428	45.156.86.24	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 08:58:03.465802908 CET	34518	53	192.168.2.13	51.158.108.203
Oct 27, 2024 08:58:03.482372999 CET	53	34518	51.158.108.203	192.168.2.13
Oct 27, 2024 08:58:05.278806925 CET	59676	53	192.168.2.13	202.61.197.122
Oct 27, 2024 08:58:05.289331913 CET	53	59676	202.61.197.122	192.168.2.13
Oct 27, 2024 08:58:06.898382902 CET	51081	53	192.168.2.13	152.53.15.127
Oct 27, 2024 08:58:06.909492016 CET	53	51081	152.53.15.127	192.168.2.13
Oct 27, 2024 08:58:08.506511927 CET	44010	53	192.168.2.13	51.158.108.203
Oct 27, 2024 08:58:08.522433043 CET	53	44010	51.158.108.203	192.168.2.13
Oct 27, 2024 08:58:19.911047935 CET	60402	53	192.168.2.13	81.169.136.222
Oct 27, 2024 08:58:19.939189911 CET	53	60402	81.169.136.222	192.168.2.13
Oct 27, 2024 08:58:20.954787970 CET	45463	53	192.168.2.13	194.36.144.87
Oct 27, 2024 08:58:20.965321064 CET	53	45463	194.36.144.87	192.168.2.13
Oct 27, 2024 08:58:32.794020891 CET	49456	53	192.168.2.13	185.181.61.24
Oct 27, 2024 08:58:32.827630043 CET	53	49456	185.181.61.24	192.168.2.13
Oct 27, 2024 08:58:34.435870886 CET	43879	53	192.168.2.13	81.169.136.222
Oct 27, 2024 08:58:34.464160919 CET	53	43879	81.169.136.222	192.168.2.13
Oct 27, 2024 08:58:36.061888933 CET	38702	53	192.168.2.13	194.36.144.87
Oct 27, 2024 08:58:36.072698116 CET	53	38702	194.36.144.87	192.168.2.13
Oct 27, 2024 08:58:37.087366104 CET	39837	53	192.168.2.13	152.53.15.127
Oct 27, 2024 08:58:37.099116087 CET	53	39837	152.53.15.127	192.168.2.13
Oct 27, 2024 08:58:38.115178108 CET	59379	53	192.168.2.13	185.181.61.24
Oct 27, 2024 08:58:38.148529053 CET	53	59379	185.181.61.24	192.168.2.13
Oct 27, 2024 08:58:49.991590023 CET	39409	53	192.168.2.13	202.61.197.122
Oct 27, 2024 08:58:50.002639055 CET	53	39409	202.61.197.122	192.168.2.13
Oct 27, 2024 08:59:01.849875927 CET	59081	53	192.168.2.13	81.169.136.222
Oct 27, 2024 08:59:01.878751993 CET	53	59081	81.169.136.222	192.168.2.13
Oct 27, 2024 08:59:13.717858076 CET	51063	53	192.168.2.13	51.158.108.203
Oct 27, 2024 08:59:13.734034061 CET	53	51063	51.158.108.203	192.168.2.13
Oct 27, 2024 08:59:25.652400970 CET	40611	53	192.168.2.13	202.61.197.122
Oct 27, 2024 08:59:25.663000107 CET	53	40611	202.61.197.122	192.168.2.13
Oct 27, 2024 08:59:37.052851915 CET	56960	53	192.168.2.13	51.158.108.203
Oct 27, 2024 08:59:37.069034100 CET	53	56960	51.158.108.203	192.168.2.13
Oct 27, 2024 08:59:48.896055937 CET	41743	53	192.168.2.13	202.61.197.122
Oct 27, 2024 08:59:48.906852961 CET	53	41743	202.61.197.122	192.168.2.13
Oct 27, 2024 09:00:00.750327110 CET	56213	53	192.168.2.13	51.158.108.203
Oct 27, 2024 09:00:00.767127991 CET	53	56213	51.158.108.203	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 08:58:03.465802908 CET	192.168.2.13	51.158.108.203	0xa175	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:05.278806925 CET	192.168.2.13	202.61.197.122	0x76d0	Standard query (0)	netfags.geek. [malformed]	256	397	false
Oct 27, 2024 08:58:06.898382902 CET	192.168.2.13	152.53.15.127	0x2f6f	Standard query (0)	netfags.geek. [malformed]	256	398	false
Oct 27, 2024 08:58:08.506511927 CET	192.168.2.13	51.158.108.203	0xee81	Standard query (0)	yellowchink.pirate	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:19.911047935 CET	192.168.2.13	81.169.136.222	0x32a0	Standard query (0)	burnthe.libre. [malformed]	256	411	false
Oct 27, 2024 08:58:20.954787970 CET	192.168.2.13	194.36.144.87	0xd221	Standard query (0)	netfags.geek. [malformed]	256	412	false
Oct 27, 2024 08:58:32.794020891 CET	192.168.2.13	185.181.61.24	0xe8e0	Standard query (0)	chinklabs.dyn	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:34.435870886 CET	192.168.2.13	81.169.136.222	0xc402	Standard query (0)	netfags.geek. [malformed]	256	426	false
Oct 27, 2024 08:58:36.061888933 CET	192.168.2.13	194.36.144.87	0x8286	Standard query (0)	burnthe.libre	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:37.087366104 CET	192.168.2.13	152.53.15.127	0xd359	Standard query (0)	yellowchink.pirate. [malformed]	256	429	false
Oct 27, 2024 08:58:38.115178108 CET	192.168.2.13	185.181.61.24	0x4045	Standard query (0)	chinklabs.dyn. [malformed]	256	430	false
Oct 27, 2024 08:58:49.991590023 CET	192.168.2.13	202.61.197.122	0x91e0	Standard query (0)	netfags.geek. [malformed]	256	442	false
Oct 27, 2024 08:59:01.849875927 CET	192.168.2.13	81.169.136.222	0xbb0d	Standard query (0)	yellowchink.pirate. [malformed]	256	453	false
Oct 27, 2024 08:59:13.717858076 CET	192.168.2.13	51.158.108.203	0xf354	Standard query (0)	burnthe.libre. [malformed]	256	465	false
Oct 27, 2024 08:59:25.652400970 CET	192.168.2.13	202.61.197.122	0x802a	Standard query (0)	chinklabs.dyn. [malformed]	256	477	false
Oct 27, 2024 08:59:37.052851915 CET	192.168.2.13	51.158.108.203	0x217e	Standard query (0)	chinklabs.dyn. [malformed]	256	489	false
Oct 27, 2024 08:59:48.896055937 CET	192.168.2.13	202.61.197.122	0xb8ec	Standard query (0)	burnthe.libre. [malformed]	256	500	false
Oct 27, 2024 09:00:00.750327110 CET	192.168.2.13	51.158.108.203	0x95ee	Standard query (0)	netfags.geek. [malformed]	256	256	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 08:58:03.482372999 CET	51.158.108.203	192.168.2.13	0xa175	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:06.909492016 CET	152.53.15.127	192.168.2.13	0x2f6f	Format error (1)	netfags.geek. [malformed]	none	none	256	398	false
Oct 27, 2024 08:58:08.522433043 CET	51.158.108.203	192.168.2.13	0xee81	No error (0)	yellowchink.pirate		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:20.965321064 CET	194.36.144.87	192.168.2.13	0xd221	Format error (1)	netfags.geek. [malformed]	none	none	256	412	false
Oct 27, 2024 08:58:32.827630043 CET	185.181.61.24	192.168.2.13	0xe8e0	No error (0)	chinklabs.dyn		185.150.24.67	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:36.072698116 CET	194.36.144.87	192.168.2.13	0x8286	No error (0)	burnthe.libre		45.156.86.24	A (IP address)	IN (0x0001)	false
Oct 27, 2024 08:58:37.099116087 CET	152.53.15.127	192.168.2.13	0xd359	Format error (1)	yellowchink.pirate. [malformed]	none	none	256	429	false
Oct 27, 2024 08:59:13.734034061 CET	51.158.108.203	192.168.2.13	0xf354	Format error (1)	burnthe.libre. [malformed]	none	none	256	465	false
Oct 27, 2024 08:59:37.069034100 CET	51.158.108.203	192.168.2.13	0x217e	Format error (1)	chinklabs.dyn. [malformed]	none	none	256	489	false
Oct 27, 2024 09:00:00.767127991 CET	51.158.108.203	192.168.2.13	0x95ee	Format error (1)	netfags.geek. [malformed]	none	none	256	256	false

System Behavior

Analysis Process: zerppc.elf PID: 5462, Parent PID: 5370

General

Start time (UTC):	07:58:02
Start date (UTC):	27/10/2024
Path:	/tmp/zerppc.elf
Arguments:	/tmp/zerppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: zerppc.elf PID: 5464, Parent PID: 5462

General

Start time (UTC):	07:58:02
Start date (UTC):	27/10/2024
Path:	/tmp/zerppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: zerppc.elf PID: 5466, Parent PID: 5464

General

Start time (UTC):	07:58:02
Start date (UTC):	27/10/2024
Path:	/tmp/zerppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerppc.elf PID: 5462, Parent PID: 5370

General

Chronological Activities

Analysis Process: zerppc.elf PID: 5464, Parent PID: 5462

General

Chronological Activities

Analysis Process: zerppc.elf PID: 5466, Parent PID: 5464

General

Chronological Activities

Linux Analysis Report
zerppc.elf