Edit tour

Linux Analysis Report
qkbfi86.elf

Overview

General Information

Sample name:	qkbfi86.elf
Analysis ID:	1544586
MD5:	341e40c80cf54c01e50088bf85fecad4
SHA1:	3140fdfa5a0ccafc61421b4679a0803651369b74
SHA256:	5a217f011181d1f210b590161bf89153a7483733ffc2e713582f1473752d70ad
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Machine Learning detection for sample

Sample deletes itself

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544586
Start date and time:	2024-10-29 15:53:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	qkbfi86.elf
Detection:	MAL
Classification:	mal92.troj.evad.linELF@0/0@61/0

Runtime Messages

Command:	/tmp/qkbfi86.elf
PID:	5519
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

qkbfi86.elf (PID: 5519, Parent: 5446, MD5: 341e40c80cf54c01e50088bf85fecad4) Arguments: /tmp/qkbfi86.elf

qkbfi86.elf New Fork (PID: 5520, Parent: 5519)

qkbfi86.elf New Fork (PID: 5521, Parent: 5520)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
qkbfi86.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
qkbfi86.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
qkbfi86.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
qkbfi86.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5a20:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
qkbfi86.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0xac8d:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
qkbfi86.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7762:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
qkbfi86.elf	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
qkbfi86.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xdbd9:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
qkbfi86.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xc44d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
qkbfi86.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x7732:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5519.1.0000000008048000.000000000805c000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5519.1.0000000008048000.000000000805c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11e68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11eb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11f94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5a20:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0xac8d:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x7762:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xdbd9:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xc44d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5519.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x7732:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: qkbfi86.elf PID: 5519	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: qkbfi86.elf PID: 5519	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: qkbfi86.elf PID: 5519	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x79f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x803:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x817:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x82b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x83f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x853:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x867:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x87b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x88f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x907:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x91b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 8 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qkbfi86.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: qkbfi86.elf

ReversingLabs: Detection: 42%

Machine Learning detection for sample

Source: qkbfi86.elf

Joe Sandbox ML: detected

Source: qkbfi86.elf

String: /proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverraw.eye-network.ruabcdefghijklmnopqrstuvwxyz/proc/%d/proc/self/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: raw.eye-network.ru. [malformed]

Source: global traffic

TCP traffic: 192.168.2.15:49926 -> 213.232.235.18:33966

Source: global traffic	DNS traffic detected: DNS query: raw.eye-network.ru
Source: global traffic	DNS traffic detected: DNS query: raw.eye-network.ru. [malformed]

System Summary

Malicious sample detected (through community Yara rule)

Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: qkbfi86.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverraw.eye-network.ruabcdefghijklmnopqrstuvwxyz/proc/%d/proc/self/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt

Source: ELF static info symbol of initial sample

.symtab present: no

Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: qkbfi86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: qkbfi86.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.troj.evad.linELF@0/0@61/0

Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3751/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/133/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/264/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/265/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/145/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/266/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/267/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/268/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/269/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/1806/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/3440/cmdline	Jump to behavior
Source: /tmp/qkbfi86.elf (PID: 5521)	File opened: /proc/270/cmdline	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/qkbfi86.elf (PID: 5520)

File: /tmp/qkbfi86.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: qkbfi86.elf, type: SAMPLE
Source: Yara match	File source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qkbfi86.elf PID: 5519, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: qkbfi86.elf, type: SAMPLE
Source: Yara match	File source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qkbfi86.elf PID: 5519, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: qkbfi86.elf, type: SAMPLE
Source: Yara match	File source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qkbfi86.elf PID: 5519, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: qkbfi86.elf, type: SAMPLE
Source: Yara match	File source: 5519.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qkbfi86.elf PID: 5519, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File Deletion	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label
qkbfi86.elf	42%	ReversingLabs	Linux.Backdoor.Mirai
qkbfi86.elf	100%	Avira	EXP/ELF.Mirai.Z.A
qkbfi86.elf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.eye-network.ru	213.232.235.18	true	true		unknown
raw.eye-network.ru. [malformed]	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.232.235.18	raw.eye-network.ru	Russian Federation		39824	ALMANET-ASKZ	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
213.232.235.18	qkehusl.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	vkjqpc.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	vqsjh4.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	jwwofba5.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	qkehusl.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	vqkjf64.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	vwkjebwi686.elf	Get hash	malicious	Mirai, Okiru	Browse
	dvwkja7.elf	Get hash	malicious	Mirai, Okiru	Browse
	wheiuwa4.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	qkbfi86.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.eye-network.ru	qkehusl.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vkjqpc.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	qkehusl.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vqkjf64.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALMANET-ASKZ	qkehusl.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vkjqpc.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vqsjh4.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	jwwofba5.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	qkehusl.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vqkjf64.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vwkjebwi686.elf	Get hash	malicious	Mirai, Okiru	Browse	213.232.235.18
	dvwkja7.elf	Get hash	malicious	Mirai, Okiru	Browse	213.232.235.18
	wheiuwa4.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	qkbfi86.elf	Get hash	malicious	Mirai, Okiru	Browse	213.232.235.18

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.803115463531146
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	qkbfi86.elf
File size:	100'808 bytes
MD5:	341e40c80cf54c01e50088bf85fecad4
SHA1:	3140fdfa5a0ccafc61421b4679a0803651369b74
SHA256:	5a217f011181d1f210b590161bf89153a7483733ffc2e713582f1473752d70ad
SHA512:	a63c064cec482047956d0b7ca55d9ef32dd76a9b06c3a72f8e8ab6ff307a44c8a1d9e759b6ca43b04fa244626ad0ed552cfdf26cca9f8f0163ec9aa4e5736fc9
SSDEEP:	1536:wkQZkU4MS392FgaQzRDGAefdCiuZHp3S+FPQ6zZBy85V7qOLcSCtv0:wNkU4MS3qgfGAe43S+xDfj5IYZW0
TLSH:	5CA37DD4F243D5F5E84704B5613BFB378B32F0B91129DA43D3AD6E32AC52901DA0A6AC
File Content Preview:	.ELF....................d...4...8.......4. ...(.....................3?..3?...............@...........G..............Q.td............................U..S.......{?...h........[]...$.............U......=.....t..5....D......D.......u........t....h4...........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	100408
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x11626	0x0	0x6	AX	16
.fini	PROGBITS	0x80596d6	0x116d6	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8059700	0x11700	0x2833	0x0	0x2	A	32
.ctors	PROGBITS	0x805c000	0x14000	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x805c00c	0x1400c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805c040	0x14040	0x47b8	0x0	0x3	WA	32
.bss	NOBITS	0x8060800	0x187f8	0x49ec	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x187f8	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x13f33	0x13f33	6.5765	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x14000	0x805c000	0x805c000	0x47f8	0x91ec	0.4108	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 15:54:00.529956102 CET	49926	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:00.536798954 CET	33966	49926	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:00.536890984 CET	49926	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:00.536890984 CET	49926	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:00.542309999 CET	33966	49926	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:00.542432070 CET	49926	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:00.547934055 CET	33966	49926	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:01.438714981 CET	33966	49926	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:01.438793898 CET	49926	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:01.438793898 CET	49926	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:01.519148111 CET	49928	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:01.525404930 CET	33966	49928	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:01.525471926 CET	49928	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:01.525489092 CET	49928	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:01.531233072 CET	33966	49928	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:01.531277895 CET	49928	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:01.536977053 CET	33966	49928	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:02.420346022 CET	33966	49928	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:02.420479059 CET	49928	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:02.420479059 CET	49928	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:02.510375023 CET	49930	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:02.515815973 CET	33966	49930	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:02.515960932 CET	49930	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:02.515960932 CET	49930	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:02.521457911 CET	33966	49930	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:02.521687031 CET	49930	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:02.527482033 CET	33966	49930	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:03.425896883 CET	33966	49930	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:03.425981998 CET	49930	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:03.426060915 CET	49930	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:03.500611067 CET	49932	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:03.506038904 CET	33966	49932	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:03.506119013 CET	49932	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:03.506119013 CET	49932	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:03.511773109 CET	33966	49932	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:03.511850119 CET	49932	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:03.517437935 CET	33966	49932	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:04.433820963 CET	33966	49932	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:04.433902979 CET	49932	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:04.433902979 CET	49932	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:04.514709949 CET	49934	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:04.520597935 CET	33966	49934	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:04.520683050 CET	49934	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:04.520683050 CET	49934	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:04.526385069 CET	33966	49934	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:04.526628017 CET	49934	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:04.532383919 CET	33966	49934	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:05.408495903 CET	33966	49934	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:05.408581018 CET	49934	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:05.408581018 CET	49934	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:05.490586042 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:05.496119022 CET	33966	49936	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:05.496220112 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:05.496220112 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:05.502429008 CET	33966	49936	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:05.502494097 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:05.508057117 CET	33966	49936	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:07.314549923 CET	33966	49936	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:07.314682961 CET	33966	49936	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:07.314718008 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.314718962 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.314806938 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.314856052 CET	33966	49936	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:07.314898014 CET	49936	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.468337059 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.473797083 CET	33966	49938	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:07.473884106 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.473884106 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.479299068 CET	33966	49938	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:07.480331898 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:07.485580921 CET	33966	49938	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:08.628127098 CET	33966	49938	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:08.628249884 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.628288984 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.637607098 CET	33966	49938	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:08.637675047 CET	49938	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.711361885 CET	49940	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.717097044 CET	33966	49940	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:08.717170954 CET	49940	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.717189074 CET	49940	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.722554922 CET	33966	49940	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:08.722593069 CET	49940	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:08.728255987 CET	33966	49940	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:09.622260094 CET	33966	49940	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:09.622364044 CET	49940	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:09.622380018 CET	49940	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:09.755096912 CET	49942	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:09.762361050 CET	33966	49942	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:09.762422085 CET	49942	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:09.762459040 CET	49942	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:09.769206047 CET	33966	49942	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:09.769256115 CET	49942	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:09.774841070 CET	33966	49942	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:10.672507048 CET	33966	49942	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:10.672610044 CET	49942	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:10.672610044 CET	49942	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:10.757224083 CET	49944	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:10.762684107 CET	33966	49944	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:10.762741089 CET	49944	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:10.762758970 CET	49944	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:10.768259048 CET	33966	49944	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:10.768311024 CET	49944	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:10.775361061 CET	33966	49944	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:11.665796995 CET	33966	49944	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:11.666002035 CET	49944	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:11.666002035 CET	49944	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:11.750698090 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:11.756082058 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:11.756156921 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:11.756299019 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:11.762096882 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:54:11.762147903 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:54:11.767956018 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:55:21.800712109 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:55:21.806708097 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:55:31.804387093 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:55:31.810945034 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:56:01.476484060 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:56:01.476752996 CET	49946	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:56:01.482180119 CET	33966	49946	213.232.235.18	192.168.2.15
Oct 29, 2024 15:56:02.553184032 CET	49948	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:56:02.558676004 CET	33966	49948	213.232.235.18	192.168.2.15
Oct 29, 2024 15:56:02.558772087 CET	49948	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:56:02.558814049 CET	49948	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:56:02.564258099 CET	33966	49948	213.232.235.18	192.168.2.15
Oct 29, 2024 15:56:02.564332962 CET	49948	33966	192.168.2.15	213.232.235.18
Oct 29, 2024 15:56:02.569907904 CET	33966	49948	213.232.235.18	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 15:54:00.438857079 CET	54623	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:00.493567944 CET	53	54623	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:00.493685961 CET	46542	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:00.501048088 CET	53	46542	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:00.501127958 CET	48532	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:00.508089066 CET	53	48532	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:00.508222103 CET	50928	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:00.515189886 CET	53	50928	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:00.515259027 CET	58221	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:00.522316933 CET	53	58221	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:00.522392035 CET	56482	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:00.529879093 CET	53	56482	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.438883066 CET	39489	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.446638107 CET	53	39489	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.446755886 CET	52394	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.455605030 CET	53	52394	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.455665112 CET	56565	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.463723898 CET	53	56565	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.464318037 CET	51562	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.471641064 CET	53	51562	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.471831083 CET	39559	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.481231928 CET	53	39559	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.481313944 CET	53852	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.488557100 CET	53	53852	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.488663912 CET	39630	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.495985031 CET	53	39630	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.496061087 CET	59503	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.503854036 CET	53	59503	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.503935099 CET	35081	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.512058973 CET	53	35081	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:01.512145996 CET	39488	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:01.519062996 CET	53	39488	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.420490026 CET	35744	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.430264950 CET	53	35744	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.430357933 CET	37383	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.439466953 CET	53	37383	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.439569950 CET	60144	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.446290016 CET	53	60144	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.446440935 CET	33281	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.453665972 CET	53	33281	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.453741074 CET	48586	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.460911989 CET	53	48586	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.462783098 CET	54959	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.470837116 CET	53	54959	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.470969915 CET	39744	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.481951952 CET	53	39744	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.483104944 CET	35156	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.491538048 CET	53	35156	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.491667032 CET	51322	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.499109983 CET	53	51322	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:02.502469063 CET	47983	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:02.509691954 CET	53	47983	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.426065922 CET	44238	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.433252096 CET	53	44238	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.433362961 CET	35934	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.440615892 CET	53	35934	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.440700054 CET	43788	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.448693037 CET	53	43788	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.448781967 CET	35281	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.456211090 CET	53	35281	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.456288099 CET	34495	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.463515043 CET	53	34495	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.463584900 CET	58969	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.470629930 CET	53	58969	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.470714092 CET	49932	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.478133917 CET	53	49932	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.478204966 CET	42344	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.485774040 CET	53	42344	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.485874891 CET	59978	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.493284941 CET	53	59978	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:03.493359089 CET	33221	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:03.500540972 CET	53	33221	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.433984995 CET	51764	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.441545010 CET	53	51764	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.441656113 CET	47852	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.451169014 CET	53	47852	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.451241970 CET	55602	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.458529949 CET	53	55602	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.458590984 CET	32954	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.465831041 CET	53	32954	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.465971947 CET	59375	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.473944902 CET	53	59375	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.474020004 CET	50610	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.481587887 CET	53	50610	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.481668949 CET	46971	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.488782883 CET	53	46971	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.488850117 CET	44472	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.496778965 CET	53	44472	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.496870041 CET	53228	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.506942987 CET	53	53228	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:04.507011890 CET	55543	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:04.514600992 CET	53	55543	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.408669949 CET	41325	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.417289019 CET	53	41325	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.417474031 CET	59655	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.424741983 CET	53	59655	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.424918890 CET	45244	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.432041883 CET	53	45244	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.432157040 CET	41512	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.439647913 CET	53	41512	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.439790010 CET	60981	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.448359013 CET	53	60981	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.448455095 CET	43060	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.456553936 CET	53	43060	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.456666946 CET	52838	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.463998079 CET	53	52838	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.464099884 CET	37186	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.471352100 CET	53	37186	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.471617937 CET	33857	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.479130030 CET	53	33857	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:05.479231119 CET	34957	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:05.490483999 CET	53	34957	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.314898014 CET	52111	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.343285084 CET	53	52111	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.344336033 CET	40693	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.377692938 CET	53	40693	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.380341053 CET	44098	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.387830019 CET	53	44098	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.388331890 CET	36715	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.413391113 CET	53	36715	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.413505077 CET	53716	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.421700954 CET	53	53716	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.421775103 CET	50473	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.429861069 CET	53	50473	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.432332993 CET	33251	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.440248013 CET	53	33251	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.444335938 CET	44000	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.452636003 CET	53	44000	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.452708006 CET	50220	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.460319042 CET	53	50220	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:07.460383892 CET	39737	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:07.467927933 CET	53	39737	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.628329992 CET	59392	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.638111115 CET	53	59392	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.638197899 CET	57333	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.645464897 CET	53	57333	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.645591974 CET	41510	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.652842045 CET	53	41510	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.652935982 CET	35929	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.660341978 CET	53	35929	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.660419941 CET	41091	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.674452066 CET	53	41091	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.674530983 CET	60025	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.681756973 CET	53	60025	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.681828976 CET	35227	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.689356089 CET	53	35227	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.689418077 CET	51127	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.696608067 CET	53	51127	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.696671963 CET	41843	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.703994036 CET	53	41843	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:08.704055071 CET	36997	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:08.711297035 CET	53	36997	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.622426033 CET	60953	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.660227060 CET	53	60953	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.660377026 CET	36612	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.680835009 CET	53	36612	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.680922031 CET	56253	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.690695047 CET	53	56253	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.690776110 CET	54531	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.697626114 CET	53	54531	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.697695971 CET	60914	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.705461979 CET	53	60914	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.705529928 CET	42789	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.712727070 CET	53	42789	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.712795019 CET	49263	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.720755100 CET	53	49263	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.720819950 CET	35618	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.731398106 CET	53	35618	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.731462955 CET	45083	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.743669987 CET	53	45083	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:09.743796110 CET	33012	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:09.754986048 CET	53	33012	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.672652960 CET	58771	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.681914091 CET	53	58771	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.682009935 CET	47207	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.690359116 CET	53	47207	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.690428972 CET	58975	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.697916985 CET	53	58975	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.697978973 CET	40747	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.708610058 CET	53	40747	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.708677053 CET	57252	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.716223001 CET	53	57252	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.716300964 CET	46083	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.724939108 CET	53	46083	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.725009918 CET	49968	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.735035896 CET	53	49968	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.735093117 CET	51030	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.742356062 CET	53	51030	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.742415905 CET	60216	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.749746084 CET	53	60216	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:10.749820948 CET	36186	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:10.757091999 CET	53	36186	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.666055918 CET	34106	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.674376011 CET	53	34106	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.674711943 CET	57110	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.683062077 CET	53	57110	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.683209896 CET	60721	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.692240953 CET	53	60721	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.692414045 CET	38301	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.699578047 CET	53	38301	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.699676991 CET	57702	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.708720922 CET	53	57702	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.708811998 CET	58639	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.716953039 CET	53	58639	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.717066050 CET	54825	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.724984884 CET	53	54825	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.725054026 CET	57658	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.734009027 CET	53	57658	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.734095097 CET	49640	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.742893934 CET	53	49640	8.8.8.8	192.168.2.15
Oct 29, 2024 15:54:11.742955923 CET	46342	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:54:11.750593901 CET	53	46342	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.478288889 CET	49479	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.485284090 CET	53	49479	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.485430956 CET	43614	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.492489100 CET	53	43614	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.492609978 CET	59051	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.500396967 CET	53	59051	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.500499964 CET	36868	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.508173943 CET	53	36868	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.508275986 CET	38348	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.515197039 CET	53	38348	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.515326977 CET	54862	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.522735119 CET	53	54862	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.522850990 CET	43939	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.530019999 CET	53	43939	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.530122042 CET	56184	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.538091898 CET	53	56184	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.538201094 CET	39802	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.545797110 CET	53	39802	8.8.8.8	192.168.2.15
Oct 29, 2024 15:56:02.545917034 CET	46846	53	192.168.2.15	8.8.8.8
Oct 29, 2024 15:56:02.553072929 CET	53	46846	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 15:54:00.438857079 CET	192.168.2.15	8.8.8.8	0xf9b7	Standard query (0)	raw.eye-network.ru	A (IP address)	IN (0x0001)	false
Oct 29, 2024 15:54:00.493685961 CET	192.168.2.15	8.8.8.8	0x7e7a	Standard query (0)	raw.eye-network.ru. [malformed]	256	264	false
Oct 29, 2024 15:54:00.501127958 CET	192.168.2.15	8.8.8.8	0x7e7a	Standard query (0)	raw.eye-network.ru. [malformed]	256	264	false
Oct 29, 2024 15:54:00.508222103 CET	192.168.2.15	8.8.8.8	0x7e7a	Standard query (0)	raw.eye-network.ru. [malformed]	256	264	false
Oct 29, 2024 15:54:00.515259027 CET	192.168.2.15	8.8.8.8	0x7e7a	Standard query (0)	raw.eye-network.ru. [malformed]	256	264	false
Oct 29, 2024 15:54:00.522392035 CET	192.168.2.15	8.8.8.8	0x7e7a	Standard query (0)	raw.eye-network.ru. [malformed]	256	264	false
Oct 29, 2024 15:54:01.481313944 CET	192.168.2.15	8.8.8.8	0x7a0a	Standard query (0)	raw.eye-network.ru. [malformed]	256	265	false
Oct 29, 2024 15:54:01.488663912 CET	192.168.2.15	8.8.8.8	0x7a0a	Standard query (0)	raw.eye-network.ru. [malformed]	256	265	false
Oct 29, 2024 15:54:01.496061087 CET	192.168.2.15	8.8.8.8	0x7a0a	Standard query (0)	raw.eye-network.ru. [malformed]	256	265	false
Oct 29, 2024 15:54:01.503935099 CET	192.168.2.15	8.8.8.8	0x7a0a	Standard query (0)	raw.eye-network.ru. [malformed]	256	265	false
Oct 29, 2024 15:54:01.512145996 CET	192.168.2.15	8.8.8.8	0x7a0a	Standard query (0)	raw.eye-network.ru. [malformed]	256	265	false
Oct 29, 2024 15:54:02.462783098 CET	192.168.2.15	8.8.8.8	0x2791	Standard query (0)	raw.eye-network.ru. [malformed]	256	266	false
Oct 29, 2024 15:54:02.470969915 CET	192.168.2.15	8.8.8.8	0x2791	Standard query (0)	raw.eye-network.ru. [malformed]	256	266	false
Oct 29, 2024 15:54:02.483104944 CET	192.168.2.15	8.8.8.8	0x2791	Standard query (0)	raw.eye-network.ru. [malformed]	256	266	false
Oct 29, 2024 15:54:02.491667032 CET	192.168.2.15	8.8.8.8	0x2791	Standard query (0)	raw.eye-network.ru. [malformed]	256	266	false
Oct 29, 2024 15:54:02.502469063 CET	192.168.2.15	8.8.8.8	0x2791	Standard query (0)	raw.eye-network.ru. [malformed]	256	266	false
Oct 29, 2024 15:54:03.463584900 CET	192.168.2.15	8.8.8.8	0x572a	Standard query (0)	raw.eye-network.ru. [malformed]	256	267	false
Oct 29, 2024 15:54:03.470714092 CET	192.168.2.15	8.8.8.8	0x572a	Standard query (0)	raw.eye-network.ru. [malformed]	256	267	false
Oct 29, 2024 15:54:03.478204966 CET	192.168.2.15	8.8.8.8	0x572a	Standard query (0)	raw.eye-network.ru. [malformed]	256	267	false
Oct 29, 2024 15:54:03.485874891 CET	192.168.2.15	8.8.8.8	0x572a	Standard query (0)	raw.eye-network.ru. [malformed]	256	267	false
Oct 29, 2024 15:54:03.493359089 CET	192.168.2.15	8.8.8.8	0x572a	Standard query (0)	raw.eye-network.ru. [malformed]	256	267	false
Oct 29, 2024 15:54:04.474020004 CET	192.168.2.15	8.8.8.8	0x9128	Standard query (0)	raw.eye-network.ru. [malformed]	256	268	false
Oct 29, 2024 15:54:04.481668949 CET	192.168.2.15	8.8.8.8	0x9128	Standard query (0)	raw.eye-network.ru. [malformed]	256	268	false
Oct 29, 2024 15:54:04.488850117 CET	192.168.2.15	8.8.8.8	0x9128	Standard query (0)	raw.eye-network.ru. [malformed]	256	268	false
Oct 29, 2024 15:54:04.496870041 CET	192.168.2.15	8.8.8.8	0x9128	Standard query (0)	raw.eye-network.ru. [malformed]	256	268	false
Oct 29, 2024 15:54:04.507011890 CET	192.168.2.15	8.8.8.8	0x9128	Standard query (0)	raw.eye-network.ru. [malformed]	256	268	false
Oct 29, 2024 15:54:05.448455095 CET	192.168.2.15	8.8.8.8	0xd6cf	Standard query (0)	raw.eye-network.ru. [malformed]	256	269	false
Oct 29, 2024 15:54:05.456666946 CET	192.168.2.15	8.8.8.8	0xd6cf	Standard query (0)	raw.eye-network.ru. [malformed]	256	269	false
Oct 29, 2024 15:54:05.464099884 CET	192.168.2.15	8.8.8.8	0xd6cf	Standard query (0)	raw.eye-network.ru. [malformed]	256	269	false
Oct 29, 2024 15:54:05.471617937 CET	192.168.2.15	8.8.8.8	0xd6cf	Standard query (0)	raw.eye-network.ru. [malformed]	256	269	false
Oct 29, 2024 15:54:05.479231119 CET	192.168.2.15	8.8.8.8	0xd6cf	Standard query (0)	raw.eye-network.ru. [malformed]	256	269	false
Oct 29, 2024 15:54:07.421775103 CET	192.168.2.15	8.8.8.8	0x2a58	Standard query (0)	raw.eye-network.ru. [malformed]	256	271	false
Oct 29, 2024 15:54:07.432332993 CET	192.168.2.15	8.8.8.8	0x2a58	Standard query (0)	raw.eye-network.ru. [malformed]	256	271	false
Oct 29, 2024 15:54:07.444335938 CET	192.168.2.15	8.8.8.8	0x2a58	Standard query (0)	raw.eye-network.ru. [malformed]	256	271	false
Oct 29, 2024 15:54:07.452708006 CET	192.168.2.15	8.8.8.8	0x2a58	Standard query (0)	raw.eye-network.ru. [malformed]	256	271	false
Oct 29, 2024 15:54:07.460383892 CET	192.168.2.15	8.8.8.8	0x2a58	Standard query (0)	raw.eye-network.ru. [malformed]	256	271	false
Oct 29, 2024 15:54:08.674530983 CET	192.168.2.15	8.8.8.8	0x3119	Standard query (0)	raw.eye-network.ru. [malformed]	256	272	false
Oct 29, 2024 15:54:08.681828976 CET	192.168.2.15	8.8.8.8	0x3119	Standard query (0)	raw.eye-network.ru. [malformed]	256	272	false
Oct 29, 2024 15:54:08.689418077 CET	192.168.2.15	8.8.8.8	0x3119	Standard query (0)	raw.eye-network.ru. [malformed]	256	272	false
Oct 29, 2024 15:54:08.696671963 CET	192.168.2.15	8.8.8.8	0x3119	Standard query (0)	raw.eye-network.ru. [malformed]	256	272	false
Oct 29, 2024 15:54:08.704055071 CET	192.168.2.15	8.8.8.8	0x3119	Standard query (0)	raw.eye-network.ru. [malformed]	256	272	false
Oct 29, 2024 15:54:09.705529928 CET	192.168.2.15	8.8.8.8	0xe6e1	Standard query (0)	raw.eye-network.ru. [malformed]	256	273	false
Oct 29, 2024 15:54:09.712795019 CET	192.168.2.15	8.8.8.8	0xe6e1	Standard query (0)	raw.eye-network.ru. [malformed]	256	273	false
Oct 29, 2024 15:54:09.720819950 CET	192.168.2.15	8.8.8.8	0xe6e1	Standard query (0)	raw.eye-network.ru. [malformed]	256	273	false
Oct 29, 2024 15:54:09.731462955 CET	192.168.2.15	8.8.8.8	0xe6e1	Standard query (0)	raw.eye-network.ru. [malformed]	256	273	false
Oct 29, 2024 15:54:09.743796110 CET	192.168.2.15	8.8.8.8	0xe6e1	Standard query (0)	raw.eye-network.ru. [malformed]	256	273	false
Oct 29, 2024 15:54:10.716300964 CET	192.168.2.15	8.8.8.8	0x9ee5	Standard query (0)	raw.eye-network.ru. [malformed]	256	274	false
Oct 29, 2024 15:54:10.725009918 CET	192.168.2.15	8.8.8.8	0x9ee5	Standard query (0)	raw.eye-network.ru. [malformed]	256	274	false
Oct 29, 2024 15:54:10.735093117 CET	192.168.2.15	8.8.8.8	0x9ee5	Standard query (0)	raw.eye-network.ru. [malformed]	256	274	false
Oct 29, 2024 15:54:10.742415905 CET	192.168.2.15	8.8.8.8	0x9ee5	Standard query (0)	raw.eye-network.ru. [malformed]	256	274	false
Oct 29, 2024 15:54:10.749820948 CET	192.168.2.15	8.8.8.8	0x9ee5	Standard query (0)	raw.eye-network.ru. [malformed]	256	274	false
Oct 29, 2024 15:54:11.708811998 CET	192.168.2.15	8.8.8.8	0x84fd	Standard query (0)	raw.eye-network.ru. [malformed]	256	275	false
Oct 29, 2024 15:54:11.717066050 CET	192.168.2.15	8.8.8.8	0x84fd	Standard query (0)	raw.eye-network.ru. [malformed]	256	275	false
Oct 29, 2024 15:54:11.725054026 CET	192.168.2.15	8.8.8.8	0x84fd	Standard query (0)	raw.eye-network.ru. [malformed]	256	275	false
Oct 29, 2024 15:54:11.734095097 CET	192.168.2.15	8.8.8.8	0x84fd	Standard query (0)	raw.eye-network.ru. [malformed]	256	275	false
Oct 29, 2024 15:54:11.742955923 CET	192.168.2.15	8.8.8.8	0x84fd	Standard query (0)	raw.eye-network.ru. [malformed]	256	275	false
Oct 29, 2024 15:56:02.515326977 CET	192.168.2.15	8.8.8.8	0xe691	Standard query (0)	raw.eye-network.ru. [malformed]	256	386	false
Oct 29, 2024 15:56:02.522850990 CET	192.168.2.15	8.8.8.8	0xe691	Standard query (0)	raw.eye-network.ru. [malformed]	256	386	false
Oct 29, 2024 15:56:02.530122042 CET	192.168.2.15	8.8.8.8	0xe691	Standard query (0)	raw.eye-network.ru. [malformed]	256	386	false
Oct 29, 2024 15:56:02.538201094 CET	192.168.2.15	8.8.8.8	0xe691	Standard query (0)	raw.eye-network.ru. [malformed]	256	386	false
Oct 29, 2024 15:56:02.545917034 CET	192.168.2.15	8.8.8.8	0xe691	Standard query (0)	raw.eye-network.ru. [malformed]	256	386	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 15:54:00.493567944 CET	8.8.8.8	192.168.2.15	0xf9b7	No error (0)	raw.eye-network.ru		213.232.235.18	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: qkbfi86.elf PID: 5519, Parent PID: 5446

General

Start time (UTC):	14:53:59
Start date (UTC):	29/10/2024
Path:	/tmp/qkbfi86.elf
Arguments:	/tmp/qkbfi86.elf
File size:	100808 bytes
MD5 hash:	341e40c80cf54c01e50088bf85fecad4

Start time (UTC):	14:53:59
Start date (UTC):	29/10/2024
Path:	/tmp/qkbfi86.elf
Arguments:	-
File size:	100808 bytes
MD5 hash:	341e40c80cf54c01e50088bf85fecad4

Start time (UTC):	14:53:59
Start date (UTC):	29/10/2024
Path:	/tmp/qkbfi86.elf
Arguments:	-
File size:	100808 bytes
MD5 hash:	341e40c80cf54c01e50088bf85fecad4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report qkbfi86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: qkbfi86.elf PID: 5519, Parent PID: 5446

General

Chronological Activities

Analysis Process: qkbfi86.elf PID: 5520, Parent PID: 5519

General

Chronological Activities

Analysis Process: qkbfi86.elf PID: 5521, Parent PID: 5520

General

Chronological Activities

Linux Analysis Report
qkbfi86.elf