Edit tour

Linux Analysis Report
qkehusl.elf

Overview

General Information

Sample name:	qkehusl.elf
Analysis ID:	1558455
MD5:	e4f3735262f22ab4b2400fc49fceb2e9
SHA1:	daeb8179cea518267538a6c548402166660fcc32
SHA256:	3096ca6c4bf3d86614eb122c46b70f9c723e3ce218c7124b347e6fec907f86c5
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample deletes itself

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558455
Start date and time:	2024-11-19 13:56:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	qkehusl.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/1@24/0

Warnings

VT rate limit hit for: qkehusl.elf

Runtime Messages

Command:	/tmp/qkehusl.elf
PID:	5397
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

qkehusl.elf (PID: 5397, Parent: 5322, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/qkehusl.elf

qkehusl.elf New Fork (PID: 5399, Parent: 5397)

qkehusl.elf New Fork (PID: 5401, Parent: 5399)

gnome-session-binary New Fork (PID: 5403, Parent: 1588)

sh (PID: 5403, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5403, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

systemd New Fork (PID: 5408, Parent: 1)

systemd-hostnamed (PID: 5408, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

dash New Fork (PID: 5645, Parent: 3581)

rm (PID: 5645, Parent: 3581, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.NnFSfqi0aS /tmp/tmp.2s5j8aQSSM /tmp/tmp.rntxuk2mKK

dash New Fork (PID: 5646, Parent: 3581)

rm (PID: 5646, Parent: 3581, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.NnFSfqi0aS /tmp/tmp.2s5j8aQSSM /tmp/tmp.rntxuk2mKK

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
qkehusl.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
qkehusl.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2bad0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bae4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2baf8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbe8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5397.1.00007f4ad8400000.00007f4ad842f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5397.1.00007f4ad8400000.00007f4ad842f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2bad0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bae4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2baf8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bb98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbe8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bbfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2bc60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: qkehusl.elf PID: 5397	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: qkehusl.elf PID: 5397	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10e5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1121:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1135:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1149:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x115d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1171:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1185:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1199:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1211:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1225:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1239:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x124d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1261:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qkehusl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: qkehusl.elf

ReversingLabs: Detection: 39%

Source: qkehusl.elf

String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Source: global traffic	TCP traffic: 192.168.2.13:49802 -> 154.216.16.109:33966
Source: global traffic	TCP traffic: 192.168.2.13:44732 -> 89.190.156.145:7733

Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.66.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.66.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.66.49
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.66.49

Source: global traffic

DNS traffic detected: DNS query: ksdjwi.eye-network.ru

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50548
Source: unknown	Network traffic detected: HTTP traffic on port 50548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45634 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 48202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45634

System Summary

Malicious sample detected (through community Yara rule)

Source: qkehusl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5397.1.00007f4ad8400000.00007f4ad842f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: qkehusl.elf PID: 5397, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: BusyBox
Source: Initial sample	String containing 'busybox' found: BusyBoxps:/proc/%d/exe[killer/exe] killed process: %s ;; pid: %d

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/qkehusl.elf (PID: 5401)

SIGKILL sent: pid: 1884, result: successful

Jump to behavior

Source: qkehusl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5397.1.00007f4ad8400000.00007f4ad842f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: qkehusl.elf PID: 5397, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/1@24/0

Source: /usr/libexec/gsd-rfkill (PID: 5403)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5403)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5408)	Directory: <invalid fd (10)>/..	Jump to behavior

Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/816/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/qkehusl.elf (PID: 5401)	File opened: /proc/264/cmdline	Jump to behavior

Source: /usr/bin/dash (PID: 5645)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NnFSfqi0aS /tmp/tmp.2s5j8aQSSM /tmp/tmp.rntxuk2mKK			Jump to behavior
Source: /usr/bin/dash (PID: 5646)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NnFSfqi0aS /tmp/tmp.2s5j8aQSSM /tmp/tmp.rntxuk2mKK			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/qkehusl.elf (PID: 5399)

File: /tmp/qkehusl.elf

Jump to behavior

Source: /tmp/qkehusl.elf (PID: 5397)	Queries kernel information via 'uname':			Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5408)	Queries kernel information via 'uname':			Jump to behavior

Source: qkehusl.elf, 5397.1.00005636f6d1a000.00005636f6da1000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: qkehusl.elf, 5397.1.00007ffe0268b000.00007ffe026ac000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: qkehusl.elf, 5397.1.00007ffe0268b000.00007ffe026ac000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.DUtbgj
Source: qkehusl.elf, 5397.1.00005636f6d1a000.00005636f6da1000.rw-.sdmp	Binary or memory string: 6V!/etc/qemu-binfmt/mipsel
Source: qkehusl.elf, 5397.1.00007ffe0268b000.00007ffe026ac000.rw-.sdmp	Binary or memory string: 6V/tmp/qemu-open.DUtbgj\t
Source: qkehusl.elf, 5397.1.00007ffe0268b000.00007ffe026ac000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: qkehusl.elf, 5397.1.00007ffe0268b000.00007ffe026ac000.rw-.sdmp	Binary or memory string: !:Gx86_64/usr/bin/qemu-mipsel/tmp/qkehusl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/qkehusl.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: qkehusl.elf, type: SAMPLE
Source: Yara match	File source: 5397.1.00007f4ad8400000.00007f4ad842f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qkehusl.elf PID: 5397, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: qkehusl.elf, type: SAMPLE
Source: Yara match	File source: 5397.1.00007f4ad8400000.00007f4ad842f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qkehusl.elf PID: 5397, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qkehusl.elf	39%	ReversingLabs	Linux.Backdoor.Mirai
qkehusl.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ksdjwi.eye-network.ru	154.216.16.109	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
154.216.16.109	ksdjwi.eye-network.ru	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
89.190.156.145	unknown	United Kingdom	7489	HOSTUS-GLOBAL-ASHostUSHK	false
34.243.160.129	unknown	United States	16509	AMAZON-02US	false
151.101.66.49	unknown	United States	54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	Satan.sh4.elf	Get hash	malicious	Unknown	Browse
	yakuza.mips.elf	Get hash	malicious	Mirai	Browse
	yakuza.arm6.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.m68k.elf	Get hash	malicious	Unknown	Browse
	jwwofba5.elf	Get hash	malicious	Unknown	Browse
	botnet.mpsl.elf	Get hash	malicious	Unknown	Browse
154.216.16.109	wriww68k.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse
	iwir64.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	wnbw86.elf	Get hash	malicious	Mirai	Browse
	vwkjebwi686.elf	Get hash	malicious	Mirai	Browse
	wriww68k.elf	Get hash	malicious	Mirai	Browse
89.190.156.145	wriww68k.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse
	iwir64.elf	Get hash	malicious	Mirai	Browse
	iwir64.elf	Get hash	malicious	Mirai	Browse
	jwwofba5.elf	Get hash	malicious	Mirai	Browse
	qkehusl.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	dvwkja7.elf	Get hash	malicious	Mirai	Browse
34.243.160.129	x-8.6-.ISIS.elf	Get hash	malicious	Gafgyt	Browse
	main_mpsl.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Linux.GenericKD.28459.8905.27219.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	nPRmTlXhOT.elf	Get hash	malicious	Unknown	Browse
	main_arm.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ksdjwi.eye-network.ru	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
ksdjwi.eye-network.ru	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTUS-GLOBAL-ASHostUSHK	wriww68k.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	vsbeps.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	vkjqpc.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	iwir64.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	dlr.mips.elf	Get hash	malicious	Unknown	Browse	89.190.156.198
	iwir64.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	jwwofba5.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	qkehusl.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	vsbeps.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
AMAZON-02US	wriww68k.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	https://uxfol.io/p/7d34b6df/0299cc7b	Get hash	malicious	Unknown	Browse	76.223.11.49
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	https://accounts.isdinproviders.com/document/pXfhPTQ4e	Get hash	malicious	Unknown	Browse	18.216.230.171
	dUqzOmXv5z.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	https://uxfol.io/p/7d34b6df/0299cc7b	Get hash	malicious	Unknown	Browse	76.223.11.49
	sshd.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	tftp.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	ps1010.ps1	Get hash	malicious	Metasploit	Browse	18.158.58.205
	remittance receipt.html	Get hash	malicious	Unknown	Browse	18.245.60.4
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	wriww68k.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vkjqpc.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	http://154.216.17.96/mips	Get hash	malicious	Unknown	Browse	154.216.17.96
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	154.216.17.193
	new.bat	Get hash	malicious	Unknown	Browse	154.216.17.175
	ungziped_file.exe	Get hash	malicious	Remcos	Browse	154.216.20.185
	iwir64.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	#U051d==.eml	Get hash	malicious	Unknown	Browse	154.216.17.193
CANONICAL-ASGB	wriww68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vsbeps.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	vkjqpc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	dUqzOmXv5z.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	tftp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mmb10.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	mmb6.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	mmb3.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
FASTLYUS	wriww68k.elf	Get hash	malicious	Mirai	Browse	151.101.130.49
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	151.101.130.49
	dUqzOmXv5z.elf	Get hash	malicious	Unknown	Browse	151.101.66.49
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	tftp.elf	Get hash	malicious	Unknown	Browse	151.101.130.49
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	Dell-Command-Update-Windows-Universal-Application_9M35M_WIN_5.4.0_A00.EXE	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.DUtbgj (deleted)

Download File

Process:	/tmp/qkehusl.elf
File Type:	data
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.032303242743954
Encrypted:	false
SSDEEP:	3:Tg+c8HJN:TgSJN
MD5:	6842235084A036811C73EEB14922802B
SHA1:	C9687A0281ECF147D7AFB5036382C2F968680CF5
SHA-256:	D99AC378AD9AD0AD55C5BCD7DB298A6E276D76B8339C82106C56DC9AB8797406
SHA-512:	7A1E628521A766D5F61258208E1D6D4C41A5D0B72C6D345A2ED7B6E2BBC7E2CE641A8DFC9EF54CF70236605F4965A352BDF3ED68F848645C61EF48AFC209F323
Malicious:	false
Reputation:	low
Preview:	/tmp/qkehusl.elf.nwlrbbmqbh

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.1858232854724555
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	qkehusl.elf
File size:	214'564 bytes
MD5:	e4f3735262f22ab4b2400fc49fceb2e9
SHA1:	daeb8179cea518267538a6c548402166660fcc32
SHA256:	3096ca6c4bf3d86614eb122c46b70f9c723e3ce218c7124b347e6fec907f86c5
SHA512:	aed645a734f94f274e492d465ffe6a61bf4f1b8806c2b541b7180bd73a6870567df58538cb81e978838c413f94b14c43b7d2206acd521788dedae4070791852e
SSDEEP:	3072:TsUTWyur1MApOrRQETeVJjuJ00zexqHW5:THTDur1xOiLVEJVpW
TLSH:	4824D71AAB520EFBDCAFCD3706E90B0129CC654722A53B363674D928F54B54B49E3C78
File Content Preview:	.ELF....................`.@.4....C......4. ...(...............@...@. ... ...............$...$.F.$.F.lX..............Q.td...............................<...'!......'.......................<h..'!... .........9'.. ........................<8..'!........... .9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	214004
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x2b870	0x0	0x6	AX	16
.fini	PROGBITS	0x42b990	0x2b990	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x42b9f0	0x2b9f0	0x3130	0x0	0x2	A	16
.ctors	PROGBITS	0x46eb24	0x2eb24	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x46eb30	0x2eb30	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x46eb3c	0x2eb3c	0x464	0x0	0x3	WA	4
.data	PROGBITS	0x46efa0	0x2efa0	0x4990	0x0	0x3	WA	32
.got	PROGBITS	0x473930	0x33930	0xa60	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x474390	0x34390	0x44	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4743e0	0x34390	0x4748	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x139e	0x34390	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x34390	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x2eb20	0x2eb20	5.4878	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x2eb24	0x46eb24	0x46eb24	0x586c	0xa004	1.4375	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 13:56:51.301431894 CET	49802	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:56:51.763117075 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:56:52.321687937 CET	49802	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:56:52.766568899 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:56:54.333765984 CET	49802	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:56:54.781872988 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:56:58.365775108 CET	49802	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:56:58.877768993 CET	48202	443	192.168.2.13	185.125.190.26
Nov 19, 2024 13:56:58.877773046 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:57:02.330719948 CET	49806	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:03.357851028 CET	49806	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:05.373905897 CET	49806	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:07.069869995 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:57:09.629791975 CET	49806	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:13.359448910 CET	49808	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:14.365776062 CET	49808	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:15.076878071 CET	50548	443	192.168.2.13	34.243.160.129
Nov 19, 2024 13:57:15.076925993 CET	443	50548	34.243.160.129	192.168.2.13
Nov 19, 2024 13:57:15.077177048 CET	50548	443	192.168.2.13	34.243.160.129
Nov 19, 2024 13:57:15.079304934 CET	50548	443	192.168.2.13	34.243.160.129
Nov 19, 2024 13:57:15.079324007 CET	443	50548	34.243.160.129	192.168.2.13
Nov 19, 2024 13:57:15.083388090 CET	45634	443	192.168.2.13	151.101.66.49
Nov 19, 2024 13:57:15.083435059 CET	443	45634	151.101.66.49	192.168.2.13
Nov 19, 2024 13:57:15.083648920 CET	45634	443	192.168.2.13	151.101.66.49
Nov 19, 2024 13:57:15.086280107 CET	45634	443	192.168.2.13	151.101.66.49
Nov 19, 2024 13:57:15.086298943 CET	443	45634	151.101.66.49	192.168.2.13
Nov 19, 2024 13:57:16.381762981 CET	49808	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:20.637677908 CET	49808	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:23.197772980 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:57:24.391386032 CET	49814	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:25.405796051 CET	49814	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:27.421842098 CET	49814	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:29.853688955 CET	48202	443	192.168.2.13	185.125.190.26
Nov 19, 2024 13:57:31.645679951 CET	49814	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:35.422075033 CET	49816	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:36.445759058 CET	49816	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:38.461632013 CET	49816	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:42.653692007 CET	49816	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:46.449996948 CET	49818	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:47.453655958 CET	49818	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:49.469631910 CET	49818	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:53.661669970 CET	49818	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:56.481563091 CET	44732	7733	192.168.2.13	89.190.156.145
Nov 19, 2024 13:57:57.483141899 CET	49820	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:57:58.493603945 CET	49820	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:00.509592056 CET	49820	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:04.669718027 CET	49820	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:08.513406992 CET	49822	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:09.533557892 CET	49822	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:11.549585104 CET	49822	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:15.077517033 CET	50548	443	192.168.2.13	34.243.160.129
Nov 19, 2024 13:58:15.119343996 CET	443	50548	34.243.160.129	192.168.2.13
Nov 19, 2024 13:58:15.146248102 CET	45634	443	192.168.2.13	151.101.66.49
Nov 19, 2024 13:58:15.191337109 CET	443	45634	151.101.66.49	192.168.2.13
Nov 19, 2024 13:58:15.677532911 CET	49822	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:19.542650938 CET	49824	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:20.573640108 CET	49824	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:22.589549065 CET	49824	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:26.685662031 CET	49824	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:30.564970970 CET	49826	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:31.581500053 CET	49826	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:33.597883940 CET	49826	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:37.693501949 CET	49826	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:41.596074104 CET	49828	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:42.621522903 CET	49828	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:44.637501955 CET	49828	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:48.701584101 CET	49828	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:52.626754045 CET	49830	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:53.629451990 CET	49830	33966	192.168.2.13	154.216.16.109
Nov 19, 2024 13:58:54.856920004 CET	443	45634	151.101.66.49	192.168.2.13
Nov 19, 2024 13:58:54.856951952 CET	443	50548	34.243.160.129	192.168.2.13
Nov 19, 2024 13:58:55.645611048 CET	49830	33966	192.168.2.13	154.216.16.109

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 13:56:51.272716999 CET	48892	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:56:51.279539108 CET	53	48892	8.8.8.8	192.168.2.13
Nov 19, 2024 13:56:51.288249969 CET	56551	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:56:51.299737930 CET	53	56551	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:02.311849117 CET	37109	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:02.322479963 CET	53	37109	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:02.323118925 CET	45217	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:02.330354929 CET	53	45217	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:13.344144106 CET	42717	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:13.351046085 CET	53	42717	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:13.351938009 CET	47111	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:13.358922005 CET	53	47111	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:24.372359991 CET	49158	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:24.379467010 CET	53	49158	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:24.380579948 CET	48114	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:24.390635967 CET	53	48114	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:35.404390097 CET	36200	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:35.411185026 CET	53	36200	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:35.411950111 CET	51961	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:35.421703100 CET	53	51961	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:46.434125900 CET	40174	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:46.441407919 CET	53	40174	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:46.442557096 CET	50179	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:46.449549913 CET	53	50179	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:57.467336893 CET	36486	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:57.474338055 CET	53	36486	8.8.8.8	192.168.2.13
Nov 19, 2024 13:57:57.475625038 CET	40176	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:57:57.482486963 CET	53	40176	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:08.497415066 CET	59440	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:08.504651070 CET	53	59440	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:08.505862951 CET	41303	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:08.512973070 CET	53	41303	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:19.526690960 CET	57334	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:19.533731937 CET	53	57334	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:19.534769058 CET	50510	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:19.541949034 CET	53	50510	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:30.548048973 CET	35041	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:30.555448055 CET	53	35041	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:30.557105064 CET	59226	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:30.564183950 CET	53	59226	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:41.579514027 CET	38571	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:41.586539984 CET	53	38571	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:41.588344097 CET	57757	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:41.595118046 CET	53	57757	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:52.610475063 CET	43928	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:52.617893934 CET	53	43928	8.8.8.8	192.168.2.13
Nov 19, 2024 13:58:52.618891954 CET	36467	53	192.168.2.13	8.8.8.8
Nov 19, 2024 13:58:52.626075983 CET	53	36467	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 13:56:51.272716999 CET	192.168.2.13	8.8.8.8	0xddb4	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:56:51.288249969 CET	192.168.2.13	8.8.8.8	0x5a7a	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:02.311849117 CET	192.168.2.13	8.8.8.8	0xc0a	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:02.323118925 CET	192.168.2.13	8.8.8.8	0x8718	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:13.344144106 CET	192.168.2.13	8.8.8.8	0xd367	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:13.351938009 CET	192.168.2.13	8.8.8.8	0x376f	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:24.372359991 CET	192.168.2.13	8.8.8.8	0x721e	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:24.380579948 CET	192.168.2.13	8.8.8.8	0x6d38	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:35.404390097 CET	192.168.2.13	8.8.8.8	0x7a84	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:35.411950111 CET	192.168.2.13	8.8.8.8	0x2c81	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:46.434125900 CET	192.168.2.13	8.8.8.8	0x7ffc	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:46.442557096 CET	192.168.2.13	8.8.8.8	0xd25f	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:57.467336893 CET	192.168.2.13	8.8.8.8	0x6828	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:57.475625038 CET	192.168.2.13	8.8.8.8	0x2bfb	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:08.497415066 CET	192.168.2.13	8.8.8.8	0xa691	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:08.505862951 CET	192.168.2.13	8.8.8.8	0xbe47	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:19.526690960 CET	192.168.2.13	8.8.8.8	0x9893	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:19.534769058 CET	192.168.2.13	8.8.8.8	0xa054	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:30.548048973 CET	192.168.2.13	8.8.8.8	0xf209	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:30.557105064 CET	192.168.2.13	8.8.8.8	0x8c0f	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:41.579514027 CET	192.168.2.13	8.8.8.8	0x8794	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:41.588344097 CET	192.168.2.13	8.8.8.8	0x643d	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:52.610475063 CET	192.168.2.13	8.8.8.8	0xafad	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:52.618891954 CET	192.168.2.13	8.8.8.8	0x38dd	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 13:56:51.279539108 CET	8.8.8.8	192.168.2.13	0xddb4	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:56:51.299737930 CET	8.8.8.8	192.168.2.13	0x5a7a	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:02.322479963 CET	8.8.8.8	192.168.2.13	0xc0a	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:02.330354929 CET	8.8.8.8	192.168.2.13	0x8718	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:13.351046085 CET	8.8.8.8	192.168.2.13	0xd367	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:13.358922005 CET	8.8.8.8	192.168.2.13	0x376f	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:24.379467010 CET	8.8.8.8	192.168.2.13	0x721e	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:24.390635967 CET	8.8.8.8	192.168.2.13	0x6d38	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:35.411185026 CET	8.8.8.8	192.168.2.13	0x7a84	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:35.421703100 CET	8.8.8.8	192.168.2.13	0x2c81	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:46.441407919 CET	8.8.8.8	192.168.2.13	0x7ffc	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:46.449549913 CET	8.8.8.8	192.168.2.13	0xd25f	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:57.474338055 CET	8.8.8.8	192.168.2.13	0x6828	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:57:57.482486963 CET	8.8.8.8	192.168.2.13	0x2bfb	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:08.504651070 CET	8.8.8.8	192.168.2.13	0xa691	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:08.512973070 CET	8.8.8.8	192.168.2.13	0xbe47	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:19.533731937 CET	8.8.8.8	192.168.2.13	0x9893	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:19.541949034 CET	8.8.8.8	192.168.2.13	0xa054	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:30.555448055 CET	8.8.8.8	192.168.2.13	0xf209	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:30.564183950 CET	8.8.8.8	192.168.2.13	0x8c0f	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:41.586539984 CET	8.8.8.8	192.168.2.13	0x8794	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:41.595118046 CET	8.8.8.8	192.168.2.13	0x643d	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:52.617893934 CET	8.8.8.8	192.168.2.13	0xafad	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:52.626075983 CET	8.8.8.8	192.168.2.13	0x38dd	No error (0)	ksdjwi.eye-network.ru	154.216.16.109	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: qkehusl.elf PID: 5397, Parent PID: 5322

General

Start time (UTC):	12:56:49
Start date (UTC):	19/11/2024
Path:	/tmp/qkehusl.elf
Arguments:	/tmp/qkehusl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: qkehusl.elf PID: 5399, Parent PID: 5397

General

Start time (UTC):	12:56:50
Start date (UTC):	19/11/2024
Path:	/tmp/qkehusl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: qkehusl.elf PID: 5401, Parent PID: 5399

General

Start time (UTC):	12:56:50
Start date (UTC):	19/11/2024
Path:	/tmp/qkehusl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: gnome-session-binary PID: 5403, Parent PID: 1588

General

Start time (UTC):	12:56:50
Start date (UTC):	19/11/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5403, Parent PID: 1588

General

Start time (UTC):	12:56:50
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5403, Parent PID: 1588

General

Start time (UTC):	12:56:50
Start date (UTC):	19/11/2024
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: systemd PID: 5408, Parent PID: 1

General

Start time (UTC):	12:56:51
Start date (UTC):	19/11/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5408, Parent PID: 1

General

Start time (UTC):	12:56:51
Start date (UTC):	19/11/2024
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

Chronological Activities

Analysis Process: dash PID: 5645, Parent PID: 3581

General

Start time (UTC):	12:58:13
Start date (UTC):	19/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5645, Parent PID: 3581

General

Start time (UTC):	12:58:13
Start date (UTC):	19/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.NnFSfqi0aS /tmp/tmp.2s5j8aQSSM /tmp/tmp.rntxuk2mKK
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5646, Parent PID: 3581

General

Start time (UTC):	12:58:13
Start date (UTC):	19/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5646, Parent PID: 3581

General

Start time (UTC):	12:58:13
Start date (UTC):	19/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.NnFSfqi0aS /tmp/tmp.2s5j8aQSSM /tmp/tmp.rntxuk2mKK
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report qkehusl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.DUtbgj (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: qkehusl.elf PID: 5397, Parent PID: 5322

General

Chronological Activities

Analysis Process: qkehusl.elf PID: 5399, Parent PID: 5397

General

Chronological Activities

Analysis Process: qkehusl.elf PID: 5401, Parent PID: 5399

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5403, Parent PID: 1588

General

Chronological Activities

Analysis Process: sh PID: 5403, Parent PID: 1588

General

Chronological Activities

Linux Analysis Report
qkehusl.elf