Edit tour

Linux Analysis Report
vqsjh4.elf

Overview

General Information

Sample name:	vqsjh4.elf
Analysis ID:	1558457
MD5:	9868d80657a6dc3fd7054337bbba0123
SHA1:	a1bf9f6d171030555b996202113036906f901e0f
SHA256:	c21a31e2a7fc05a7a646c09f667e7cf839ca271a37a0625b960dade3de7700b4
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample deletes itself

Sends malformed DNS queries

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558457
Start date and time:	2024-11-19 13:57:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	vqsjh4.elf
Detection:	MAL
Classification:	mal80.troj.evad.linELF@0/1@61/0

Warnings

VT rate limit hit for: vqsjh4.elf

Runtime Messages

Command:	/tmp/vqsjh4.elf
PID:	5519
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

vqsjh4.elf (PID: 5519, Parent: 5436, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/vqsjh4.elf

vqsjh4.elf New Fork (PID: 5522, Parent: 5519)

vqsjh4.elf New Fork (PID: 5524, Parent: 5522)

gnome-session-binary New Fork (PID: 5528, Parent: 1498)

sh (PID: 5528, Parent: 1498, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5528, Parent: 1498, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

systemd New Fork (PID: 5533, Parent: 1)

systemd-hostnamed (PID: 5533, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

dash New Fork (PID: 5760, Parent: 3670)

rm (PID: 5760, Parent: 3670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.dovqtLfVZP /tmp/tmp.MxXNP16lO1 /tmp/tmp.jaXpkmGkJU

dash New Fork (PID: 5761, Parent: 3670)

rm (PID: 5761, Parent: 3670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.dovqtLfVZP /tmp/tmp.MxXNP16lO1 /tmp/tmp.jaXpkmGkJU

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vqsjh4.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
vqsjh4.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1b4a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b508:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b51c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b530:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b544:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b558:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b56c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b580:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b594:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b60c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b620:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b634:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5519.1.00007f3cbc400000.00007f3cbc41f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5519.1.00007f3cbc400000.00007f3cbc41f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1b4a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b4f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b508:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b51c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b530:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b544:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b558:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b56c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b580:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b594:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b5f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b60c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b620:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b634:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: vqsjh4.elf PID: 5519	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: vqsjh4.elf PID: 5519	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x4b93:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ba7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4bbb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4bcf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4be3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4bf7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c0b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c1f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c33:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c47:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c5b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c6f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c83:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c97:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cbf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cd3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ce7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cfb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d0f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d23:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vqsjh4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: vqsjh4.elf

ReversingLabs: Detection: 39%

Source: vqsjh4.elf

String: AEOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: ksdjwi.eye-network.ru. [malformed]

Source: global traffic	TCP traffic: 192.168.2.15:48276 -> 154.216.16.109:33966
Source: global traffic	TCP traffic: 192.168.2.15:37426 -> 89.190.156.145:7733

Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.130.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.130.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.130.49
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.130.49

Source: global traffic	DNS traffic detected: DNS query: ksdjwi.eye-network.ru
Source: global traffic	DNS traffic detected: DNS query: ksdjwi.eye-network.ru. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49580
Source: unknown	Network traffic detected: HTTP traffic on port 39828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39828
Source: unknown	Network traffic detected: HTTP traffic on port 49580 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: vqsjh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5519.1.00007f3cbc400000.00007f3cbc41f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: vqsjh4.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: BusyBox
Source: Initial sample	String containing 'busybox' found: BusyBoxps:/proc/%d/exe[killer/exe] killed process: %s ;; pid: %d

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/vqsjh4.elf (PID: 5524)

SIGKILL sent: pid: 1679, result: successful

Jump to behavior

Source: vqsjh4.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5519.1.00007f3cbc400000.00007f3cbc41f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: vqsjh4.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.evad.linELF@0/1@61/0

Source: /usr/libexec/gsd-rfkill (PID: 5528)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5528)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5533)	Directory: <invalid fd (10)>/..	Jump to behavior

Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/133/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/264/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/265/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/145/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/266/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/267/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/268/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/269/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/270/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/271/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/272/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/273/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/274/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/275/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/276/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/277/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/278/cmdline	Jump to behavior
Source: /tmp/vqsjh4.elf (PID: 5524)	File opened: /proc/279/cmdline	Jump to behavior

Source: /usr/bin/dash (PID: 5760)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dovqtLfVZP /tmp/tmp.MxXNP16lO1 /tmp/tmp.jaXpkmGkJU			Jump to behavior
Source: /usr/bin/dash (PID: 5761)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dovqtLfVZP /tmp/tmp.MxXNP16lO1 /tmp/tmp.jaXpkmGkJU			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/vqsjh4.elf (PID: 5522)

File: /tmp/vqsjh4.elf

Jump to behavior

Source: /tmp/vqsjh4.elf (PID: 5519)	Queries kernel information via 'uname':			Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5533)	Queries kernel information via 'uname':			Jump to behavior

Source: vqsjh4.elf, 5519.1.00007ffc5715a000.00007ffc5717b000.rw-.sdmp	Binary or memory string: BV/tmp/qemu-open.4DAf2v\
Source: vqsjh4.elf, 5519.1.00007ffc5715a000.00007ffc5717b000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.4DAf2v
Source: vqsjh4.elf, 5519.1.00007ffc5715a000.00007ffc5717b000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: vqsjh4.elf, 5519.1.00007ffc5715a000.00007ffc5717b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: vqsjh4.elf, 5519.1.00007ffc5715a000.00007ffc5717b000.rw-.sdmp	Binary or memory string: Cx86_64/usr/bin/qemu-sh4/tmp/vqsjh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/vqsjh4.elf
Source: vqsjh4.elf, 5519.1.00005642cce52000.00005642cceb5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: vqsjh4.elf, 5519.1.00005642cce52000.00005642cceb5000.rw-.sdmp	Binary or memory string: BV5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: vqsjh4.elf, type: SAMPLE
Source: Yara match	File source: 5519.1.00007f3cbc400000.00007f3cbc41f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vqsjh4.elf PID: 5519, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: vqsjh4.elf, type: SAMPLE
Source: Yara match	File source: 5519.1.00007f3cbc400000.00007f3cbc41f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vqsjh4.elf PID: 5519, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vqsjh4.elf	39%	ReversingLabs	Linux.Exploit.Mirai
vqsjh4.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ksdjwi.eye-network.ru	154.216.16.109	true	false		high
ksdjwi.eye-network.ru. [malformed]	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.217.10.153	unknown	United States	16509	AMAZON-02US	false
151.101.130.49	unknown	United States	54113	FASTLYUS	false
154.216.16.109	ksdjwi.eye-network.ru	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
89.190.156.145	unknown	United Kingdom	7489	HOSTUS-GLOBAL-ASHostUSHK	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.217.10.153	x-3.2-.ISIS.elf	Get hash	malicious	Gafgyt	Browse
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	shindeVx86.elf	Get hash	malicious	Unknown	Browse
	linux_mips.elf	Get hash	malicious	Chaos	Browse
	assailant.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	dlr.arm6.elf	Get hash	malicious	Okiru	Browse
	ppc.elf	Get hash	malicious	Mirai	Browse
	mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	oN6mhmUWXQ.elf	Get hash	malicious	Mirai	Browse
	Ir3LejoHU9.elf	Get hash	malicious	Unknown	Browse
151.101.130.49	wriww68k.elf	Get hash	malicious	Mirai	Browse
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	https://t.co/WUjzOGRMNx	Get hash	malicious	Unknown	Browse
	http://3d1.gmobb.jp/dcm299ccyag4e/gov/	Get hash	malicious	Phisher	Browse
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse
	http://%D1%81%D0%BF%D0%B5%D1%86%D1%86%D0%BF%D1%80%D0%BE%D1%86%D0%B5%D1%81%D0%BE%D1%80.com/?amp=1&G92jCX4cdc=48OGWi&G92jCX4cdc=48OGWi&G92jCX4cdc=48OGWi=731	Get hash	malicious	Unknown	Browse
	https://cq5vm0t6.r.ap-south-1.awstrack.me/L0/https:%2F%2FLq80gs39wzn7cEJYS7QxVo93bIB.cmap.com.mx%2Fxianzjdjh%2Fvjvituyuhg%2Ffugurvihd%2FcnN0ZXBhbkBzdGVwYW4uY29t/1/0109019220636f55-7ee4148e-cca2-44ad-bd25-6ee1a4a237c9-000000/O3lzw3DZZGc8Aai1RaO7S2RLaAo=173	Get hash	malicious	HTMLPhisher	Browse
	https://primesportnews.co.uk/	Get hash	malicious	Unknown	Browse
	The Podor Law Firm -23749-24 .pdf	Get hash	malicious	HTMLPhisher	Browse
154.216.16.109	jwwofba5.elf	Get hash	malicious	Mirai	Browse
	qkehusl.elf	Get hash	malicious	Mirai	Browse
	wriww68k.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse
	iwir64.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	wnbw86.elf	Get hash	malicious	Mirai	Browse
89.190.156.145	jwwofba5.elf	Get hash	malicious	Mirai	Browse
	qkehusl.elf	Get hash	malicious	Mirai	Browse
	wriww68k.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
	vkjqpc.elf	Get hash	malicious	Mirai	Browse
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse
	iwir64.elf	Get hash	malicious	Mirai	Browse
	iwir64.elf	Get hash	malicious	Mirai	Browse
	jwwofba5.elf	Get hash	malicious	Mirai	Browse
	qkehusl.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ksdjwi.eye-network.ru	qkehusl.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTUS-GLOBAL-ASHostUSHK	jwwofba5.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	qkehusl.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	wriww68k.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	vsbeps.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	vkjqpc.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	iwir64.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	dlr.mips.elf	Get hash	malicious	Unknown	Browse	89.190.156.198
	iwir64.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
	jwwofba5.elf	Get hash	malicious	Mirai	Browse	89.190.156.145
FASTLYUS	jwwofba5.elf	Get hash	malicious	Mirai	Browse	151.101.66.49
	qkehusl.elf	Get hash	malicious	Mirai	Browse	151.101.66.49
	wriww68k.elf	Get hash	malicious	Mirai	Browse	151.101.130.49
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	151.101.130.49
	dUqzOmXv5z.elf	Get hash	malicious	Unknown	Browse	151.101.66.49
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	tftp.elf	Get hash	malicious	Unknown	Browse	151.101.130.49
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	jwwofba5.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	qkehusl.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	wriww68k.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	vkjqpc.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	http://154.216.17.96/mips	Get hash	malicious	Unknown	Browse	154.216.17.96
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	154.216.17.193
	new.bat	Get hash	malicious	Unknown	Browse	154.216.17.175
	ungziped_file.exe	Get hash	malicious	Remcos	Browse	154.216.20.185
AMAZON-02US	jwwofba5.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	qkehusl.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	wriww68k.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	https://uxfol.io/p/7d34b6df/0299cc7b	Get hash	malicious	Unknown	Browse	76.223.11.49
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	https://accounts.isdinproviders.com/document/pXfhPTQ4e	Get hash	malicious	Unknown	Browse	18.216.230.171
	dUqzOmXv5z.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	https://uxfol.io/p/7d34b6df/0299cc7b	Get hash	malicious	Unknown	Browse	76.223.11.49
	sshd.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	tftp.elf	Get hash	malicious	Unknown	Browse	34.249.145.219

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.4DAf2v (deleted)

Download File

Process:	/tmp/vqsjh4.elf
File Type:	data
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.132944044980959
Encrypted:	false
SSDEEP:	3:Tg7KloHJN:Tg6aJN
MD5:	713FE762BE989CB978FC94403F8F683B
SHA1:	66D8706274922B5D28DB4A054DA073596CE053B1
SHA-256:	97E2C8CAA0FE350C32A72DC308036B9F5721AF04547BAFE79E078F329CDCD775
SHA-512:	20CFB82CB1DC5CE143F1A3287C788E791E02A3537CE71B242D5916096AFCB1EF0903CF16EE1CB361D376F693D61BD1790A54EDB2C808F13D4501FDCF5E981913
Malicious:	false
Reputation:	low
Preview:	/tmp/vqsjh4.elf.nwlrbbmqbh

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.2874117502817395
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	vqsjh4.elf
File size:	146'240 bytes
MD5:	9868d80657a6dc3fd7054337bbba0123
SHA1:	a1bf9f6d171030555b996202113036906f901e0f
SHA256:	c21a31e2a7fc05a7a646c09f667e7cf839ca271a37a0625b960dade3de7700b4
SHA512:	030eae0ea81ed37ffc23c6495331ec899e8c59ec0ff26431d8b16b1ad5e9a1d39e30b887002ddc903e0780779f9bdc5928e93b0b0e367f68b25e162797c87916
SSDEEP:	3072:x1uhixE7XqnJ7G2ktE/3Q5x7dnLPWfmKVSiqr:x1uxroJXktE/+beuhiqr
TLSH:	EFE37C77D8666F68C1A4D174B434CF782F93A19582435FBE19A7C2748083E9CFA05BB8
File Content Preview:	.ELF.....................@.4....9......4. ...(...............@...@...........................B...B.DI..............Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	145800
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x1b2c0	0x0	0x6	AX	32
.fini	PROGBITS	0x41b3a0	0x1b3a0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x41b3c4	0x1b3c4	0x30c0	0x0	0x2	A	4
.ctors	PROGBITS	0x42f000	0x1f000	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x42f00c	0x1f00c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x42f020	0x1f020	0x4910	0x0	0x3	WA	32
.got	PROGBITS	0x433930	0x23930	0x14	0x4	0x3	WA	4
.bss	NOBITS	0x433944	0x23944	0x45c4	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x23944	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1e484	0x1e484	6.9208	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1f000	0x42f000	0x42f000	0x4944	0x8f08	0.4297	0x6	RW	0x10000	.ctors .dtors .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 13:58:05.855945110 CET	48276	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:06.349891901 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:58:06.871782064 CET	48276	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:07.351757050 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:58:08.887785912 CET	48276	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:09.367743969 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:58:13.015719891 CET	48276	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:13.527771950 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:58:16.944324017 CET	48280	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:17.975492001 CET	48280	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:19.991458893 CET	48280	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:21.719386101 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:58:24.023360014 CET	48280	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:25.525635958 CET	49580	443	192.168.2.15	54.217.10.153
Nov 19, 2024 13:58:25.525695086 CET	443	49580	54.217.10.153	192.168.2.15
Nov 19, 2024 13:58:25.525768042 CET	49580	443	192.168.2.15	54.217.10.153
Nov 19, 2024 13:58:25.526928902 CET	49580	443	192.168.2.15	54.217.10.153
Nov 19, 2024 13:58:25.526953936 CET	443	49580	54.217.10.153	192.168.2.15
Nov 19, 2024 13:58:25.599762917 CET	39828	443	192.168.2.15	151.101.130.49
Nov 19, 2024 13:58:25.599817991 CET	443	39828	151.101.130.49	192.168.2.15
Nov 19, 2024 13:58:25.599977016 CET	39828	443	192.168.2.15	151.101.130.49
Nov 19, 2024 13:58:25.602778912 CET	39828	443	192.168.2.15	151.101.130.49
Nov 19, 2024 13:58:25.602817059 CET	443	39828	151.101.130.49	192.168.2.15
Nov 19, 2024 13:58:28.035178900 CET	48286	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:29.047211885 CET	48286	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:31.063082933 CET	48286	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:35.287028074 CET	48286	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:37.846971989 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:58:39.131447077 CET	48288	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:40.150815010 CET	48288	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:42.166872978 CET	48288	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:46.294682026 CET	48288	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:50.218430996 CET	48290	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:51.222563982 CET	48290	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:53.238461018 CET	48290	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:58:57.302337885 CET	48290	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:01.309993029 CET	48292	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:02.326147079 CET	48292	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:04.342139959 CET	48292	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:08.566041946 CET	48292	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:10.613908052 CET	37426	7733	192.168.2.15	89.190.156.145
Nov 19, 2024 13:59:12.635859013 CET	48294	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:13.653810978 CET	48294	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:15.669800043 CET	48294	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:19.829613924 CET	48294	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:23.722034931 CET	48296	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:24.725631952 CET	48296	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:25.524354935 CET	49580	443	192.168.2.15	54.217.10.153
Nov 19, 2024 13:59:25.571345091 CET	443	49580	54.217.10.153	192.168.2.15
Nov 19, 2024 13:59:25.651796103 CET	39828	443	192.168.2.15	151.101.130.49
Nov 19, 2024 13:59:25.695341110 CET	443	39828	151.101.130.49	192.168.2.15
Nov 19, 2024 13:59:26.741492033 CET	48296	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:30.837584972 CET	48296	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:34.917409897 CET	48298	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:35.925226927 CET	48298	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:37.941140890 CET	48298	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:42.100992918 CET	48298	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:46.006234884 CET	48300	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:47.028913975 CET	48300	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:49.044897079 CET	48300	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:53.108675957 CET	48300	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:57.092360020 CET	48302	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 13:59:58.100559950 CET	48302	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 14:00:00.116471052 CET	48302	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 14:00:04.372292995 CET	48302	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 14:00:08.174084902 CET	48304	33966	192.168.2.15	154.216.16.109
Nov 19, 2024 14:00:08.384207010 CET	443	39828	151.101.130.49	192.168.2.15
Nov 19, 2024 14:00:08.384238005 CET	443	49580	54.217.10.153	192.168.2.15
Nov 19, 2024 14:00:09.204205990 CET	48304	33966	192.168.2.15	154.216.16.109

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 13:58:05.762016058 CET	46719	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:05.769006968 CET	53	46719	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:05.786340952 CET	38816	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:05.792838097 CET	53	38816	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:05.809511900 CET	60917	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:05.815923929 CET	53	60917	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:05.828807116 CET	56806	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:05.835191965 CET	53	56806	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:05.837825060 CET	42768	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:05.844494104 CET	53	42768	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:05.847157955 CET	60064	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:05.854221106 CET	53	60064	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.870335102 CET	38434	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.876722097 CET	53	38434	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.877748013 CET	44701	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.884109020 CET	53	44701	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.885169029 CET	51743	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.891344070 CET	53	51743	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.892416954 CET	59783	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.899007082 CET	53	59783	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.899919033 CET	42350	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.906210899 CET	53	42350	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.907177925 CET	60629	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.913584948 CET	53	60629	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.914503098 CET	54985	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.920734882 CET	53	54985	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.921884060 CET	56373	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.928363085 CET	53	56373	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.929466009 CET	43102	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.935775995 CET	53	43102	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:16.936686039 CET	44634	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:16.943850994 CET	53	44634	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:27.958673000 CET	36827	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:27.965281963 CET	53	36827	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:27.966840982 CET	55103	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:27.973371029 CET	53	55103	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:27.974896908 CET	56395	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:27.981578112 CET	53	56395	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:27.982933044 CET	57284	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:27.989259005 CET	53	57284	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:27.990852118 CET	33024	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:27.997633934 CET	53	33024	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:27.998708010 CET	60808	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:28.005048037 CET	53	60808	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:28.005978107 CET	41688	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:28.012339115 CET	53	41688	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:28.013231993 CET	35490	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:28.019582987 CET	53	35490	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:28.020669937 CET	41394	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:28.027112961 CET	53	41394	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:28.028238058 CET	49410	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:28.034601927 CET	53	49410	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.048935890 CET	47913	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.061861992 CET	53	47913	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.063204050 CET	50472	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.069853067 CET	53	50472	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.071160078 CET	41573	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.077704906 CET	53	41573	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.078870058 CET	34976	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.085462093 CET	53	34976	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.086915016 CET	45689	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.093621969 CET	53	45689	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.094727993 CET	43572	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.100949049 CET	53	43572	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.102066994 CET	42690	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.108479977 CET	53	42690	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.109527111 CET	36201	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.115865946 CET	53	36201	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.116916895 CET	52978	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.123419046 CET	53	52978	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:39.124512911 CET	45807	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:39.130907059 CET	53	45807	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.144731998 CET	41341	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.150963068 CET	53	41341	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.152082920 CET	34689	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.158452988 CET	53	34689	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.159559965 CET	41933	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.165905952 CET	53	41933	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.167026043 CET	53594	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.173331022 CET	53	53594	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.174431086 CET	59220	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.180700064 CET	53	59220	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.181777954 CET	38528	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.188112974 CET	53	38528	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.189222097 CET	52164	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.195584059 CET	53	52164	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.196631908 CET	38199	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.203042984 CET	53	38199	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.204210997 CET	37224	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.210758924 CET	53	37224	8.8.8.8	192.168.2.15
Nov 19, 2024 13:58:50.211807013 CET	60734	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:58:50.217813969 CET	53	60734	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.231611013 CET	35220	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.237850904 CET	53	35220	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.238935947 CET	35129	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.245110035 CET	53	35129	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.246104956 CET	43312	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.252213955 CET	53	43312	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.253540039 CET	59197	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.259848118 CET	53	59197	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.261168003 CET	59717	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.267550945 CET	53	59717	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.268749952 CET	33595	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.275127888 CET	53	33595	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.275878906 CET	56911	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.282250881 CET	53	56911	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.283240080 CET	41704	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.294622898 CET	53	41704	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.295594931 CET	55802	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.302161932 CET	53	55802	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:01.303128958 CET	41576	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:01.309503078 CET	53	41576	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.324171066 CET	37306	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.564743042 CET	53	37306	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.566832066 CET	50962	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.573246956 CET	53	50962	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.574671030 CET	60988	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.581144094 CET	53	60988	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.582499981 CET	53518	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.589365005 CET	53	53518	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.590739012 CET	55364	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.597109079 CET	53	55364	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.598381042 CET	42847	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.604851961 CET	53	42847	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.605920076 CET	59026	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.612215996 CET	53	59026	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.613516092 CET	42243	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.620057106 CET	53	42243	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.621395111 CET	47793	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.627609015 CET	53	47793	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:12.628896952 CET	58139	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:12.635232925 CET	53	58139	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.644648075 CET	50794	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.650814056 CET	53	50794	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.652370930 CET	50284	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.659050941 CET	53	50284	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.660424948 CET	55690	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.666630983 CET	53	55690	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.667952061 CET	54457	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.674418926 CET	53	54457	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.675909042 CET	38965	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.683461905 CET	53	38965	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.684779882 CET	53443	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.691009045 CET	53	53443	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.692353964 CET	57038	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.698657990 CET	53	57038	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.699968100 CET	37481	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.706238985 CET	53	37481	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.707655907 CET	38634	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.713850021 CET	53	38634	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:23.715123892 CET	40067	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:23.721380949 CET	53	40067	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.735773087 CET	52399	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.847352028 CET	53	52399	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.849396944 CET	41918	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.855487108 CET	53	41918	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.856760025 CET	60743	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.862838984 CET	53	60743	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.863893986 CET	49239	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.870568991 CET	53	49239	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.871645927 CET	37387	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.878144026 CET	53	37387	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.879189014 CET	55583	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.885462046 CET	53	55583	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.886543989 CET	36213	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.893433094 CET	53	36213	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.894845963 CET	35655	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.901462078 CET	53	35655	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.902465105 CET	34026	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.908848047 CET	53	34026	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:34.910070896 CET	37545	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:34.916786909 CET	53	37545	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.931750059 CET	56240	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.937948942 CET	53	56240	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.938954115 CET	54699	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.945344925 CET	53	54699	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.946635008 CET	43030	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.953202009 CET	53	43030	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.954530001 CET	40430	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.960957050 CET	53	40430	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.961919069 CET	59903	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.968568087 CET	53	59903	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.969592094 CET	46929	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.976265907 CET	53	46929	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.977268934 CET	60653	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.983644962 CET	53	60653	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.984656096 CET	59819	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.990890026 CET	53	59819	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.991928101 CET	51104	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:45.998270988 CET	53	51104	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:45.999277115 CET	53215	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:46.005613089 CET	53	53215	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.019985914 CET	33597	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.026521921 CET	53	33597	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.027738094 CET	55616	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.034075975 CET	53	55616	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.035209894 CET	56390	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.041512012 CET	53	56390	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.042994022 CET	58804	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.049310923 CET	53	58804	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.050297976 CET	35689	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.056541920 CET	53	35689	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.057305098 CET	51596	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.063635111 CET	53	51596	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.064397097 CET	33614	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.070672035 CET	53	33614	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.071422100 CET	50567	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.077652931 CET	53	50567	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.078421116 CET	39455	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.084495068 CET	53	39455	8.8.8.8	192.168.2.15
Nov 19, 2024 13:59:57.085448027 CET	42190	53	192.168.2.15	8.8.8.8
Nov 19, 2024 13:59:57.091840029 CET	53	42190	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.097023010 CET	40065	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.104006052 CET	53	40065	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.105232954 CET	46280	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.113145113 CET	53	46280	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.114254951 CET	55003	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.121068001 CET	53	55003	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.122133017 CET	36610	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.128900051 CET	53	36610	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.130151033 CET	37947	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.136498928 CET	53	37947	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.137881041 CET	42475	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.144120932 CET	53	42475	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.145185947 CET	57831	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.151480913 CET	53	57831	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.152754068 CET	50546	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.158890009 CET	53	50546	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.159980059 CET	40020	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.166193008 CET	53	40020	8.8.8.8	192.168.2.15
Nov 19, 2024 14:00:08.167193890 CET	57563	53	192.168.2.15	8.8.8.8
Nov 19, 2024 14:00:08.173500061 CET	53	57563	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 13:58:05.762016058 CET	192.168.2.15	8.8.8.8	0x89c7	Standard query (0)	ksdjwi.eye-network.ru	A (IP address)	IN (0x0001)	false
Nov 19, 2024 13:58:05.786340952 CET	192.168.2.15	8.8.8.8	0x7563	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	349	false
Nov 19, 2024 13:58:05.809511900 CET	192.168.2.15	8.8.8.8	0x7563	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	349	false
Nov 19, 2024 13:58:05.828807116 CET	192.168.2.15	8.8.8.8	0x7563	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	349	false
Nov 19, 2024 13:58:05.837825060 CET	192.168.2.15	8.8.8.8	0x7563	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	349	false
Nov 19, 2024 13:58:05.847157955 CET	192.168.2.15	8.8.8.8	0x7563	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	349	false
Nov 19, 2024 13:58:16.907177925 CET	192.168.2.15	8.8.8.8	0xe202	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	360	false
Nov 19, 2024 13:58:16.914503098 CET	192.168.2.15	8.8.8.8	0xe202	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	360	false
Nov 19, 2024 13:58:16.921884060 CET	192.168.2.15	8.8.8.8	0xe202	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	360	false
Nov 19, 2024 13:58:16.929466009 CET	192.168.2.15	8.8.8.8	0xe202	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	360	false
Nov 19, 2024 13:58:16.936686039 CET	192.168.2.15	8.8.8.8	0xe202	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	360	false
Nov 19, 2024 13:58:27.998708010 CET	192.168.2.15	8.8.8.8	0x472d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	372	false
Nov 19, 2024 13:58:28.005978107 CET	192.168.2.15	8.8.8.8	0x472d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	372	false
Nov 19, 2024 13:58:28.013231993 CET	192.168.2.15	8.8.8.8	0x472d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	372	false
Nov 19, 2024 13:58:28.020669937 CET	192.168.2.15	8.8.8.8	0x472d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	372	false
Nov 19, 2024 13:58:28.028238058 CET	192.168.2.15	8.8.8.8	0x472d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	372	false
Nov 19, 2024 13:58:39.094727993 CET	192.168.2.15	8.8.8.8	0xfdca	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	383	false
Nov 19, 2024 13:58:39.102066994 CET	192.168.2.15	8.8.8.8	0xfdca	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	383	false
Nov 19, 2024 13:58:39.109527111 CET	192.168.2.15	8.8.8.8	0xfdca	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	383	false
Nov 19, 2024 13:58:39.116916895 CET	192.168.2.15	8.8.8.8	0xfdca	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	383	false
Nov 19, 2024 13:58:39.124512911 CET	192.168.2.15	8.8.8.8	0xfdca	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	383	false
Nov 19, 2024 13:58:50.181777954 CET	192.168.2.15	8.8.8.8	0xfcb9	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	394	false
Nov 19, 2024 13:58:50.189222097 CET	192.168.2.15	8.8.8.8	0xfcb9	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	394	false
Nov 19, 2024 13:58:50.196631908 CET	192.168.2.15	8.8.8.8	0xfcb9	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	394	false
Nov 19, 2024 13:58:50.204210997 CET	192.168.2.15	8.8.8.8	0xfcb9	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	394	false
Nov 19, 2024 13:58:50.211807013 CET	192.168.2.15	8.8.8.8	0xfcb9	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	394	false
Nov 19, 2024 13:59:01.268749952 CET	192.168.2.15	8.8.8.8	0xddff	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	405	false
Nov 19, 2024 13:59:01.275878906 CET	192.168.2.15	8.8.8.8	0xddff	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	405	false
Nov 19, 2024 13:59:01.283240080 CET	192.168.2.15	8.8.8.8	0xddff	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	405	false
Nov 19, 2024 13:59:01.295594931 CET	192.168.2.15	8.8.8.8	0xddff	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	405	false
Nov 19, 2024 13:59:01.303128958 CET	192.168.2.15	8.8.8.8	0xddff	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	405	false
Nov 19, 2024 13:59:12.598381042 CET	192.168.2.15	8.8.8.8	0x421d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	416	false
Nov 19, 2024 13:59:12.605920076 CET	192.168.2.15	8.8.8.8	0x421d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	416	false
Nov 19, 2024 13:59:12.613516092 CET	192.168.2.15	8.8.8.8	0x421d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	416	false
Nov 19, 2024 13:59:12.621395111 CET	192.168.2.15	8.8.8.8	0x421d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	416	false
Nov 19, 2024 13:59:12.628896952 CET	192.168.2.15	8.8.8.8	0x421d	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	416	false
Nov 19, 2024 13:59:23.684779882 CET	192.168.2.15	8.8.8.8	0x1285	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	427	false
Nov 19, 2024 13:59:23.692353964 CET	192.168.2.15	8.8.8.8	0x1285	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	427	false
Nov 19, 2024 13:59:23.699968100 CET	192.168.2.15	8.8.8.8	0x1285	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	427	false
Nov 19, 2024 13:59:23.707655907 CET	192.168.2.15	8.8.8.8	0x1285	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	427	false
Nov 19, 2024 13:59:23.715123892 CET	192.168.2.15	8.8.8.8	0x1285	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	427	false
Nov 19, 2024 13:59:34.879189014 CET	192.168.2.15	8.8.8.8	0x1ee7	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	438	false
Nov 19, 2024 13:59:34.886543989 CET	192.168.2.15	8.8.8.8	0x1ee7	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	438	false
Nov 19, 2024 13:59:34.894845963 CET	192.168.2.15	8.8.8.8	0x1ee7	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	438	false
Nov 19, 2024 13:59:34.902465105 CET	192.168.2.15	8.8.8.8	0x1ee7	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	438	false
Nov 19, 2024 13:59:34.910070896 CET	192.168.2.15	8.8.8.8	0x1ee7	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	438	false
Nov 19, 2024 13:59:45.969592094 CET	192.168.2.15	8.8.8.8	0xf10	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	449	false
Nov 19, 2024 13:59:45.977268934 CET	192.168.2.15	8.8.8.8	0xf10	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	449	false
Nov 19, 2024 13:59:45.984656096 CET	192.168.2.15	8.8.8.8	0xf10	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	449	false
Nov 19, 2024 13:59:45.991928101 CET	192.168.2.15	8.8.8.8	0xf10	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	449	false
Nov 19, 2024 13:59:45.999277115 CET	192.168.2.15	8.8.8.8	0xf10	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	450	false
Nov 19, 2024 13:59:57.057305098 CET	192.168.2.15	8.8.8.8	0x5d78	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	461	false
Nov 19, 2024 13:59:57.064397097 CET	192.168.2.15	8.8.8.8	0x5d78	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	461	false
Nov 19, 2024 13:59:57.071422100 CET	192.168.2.15	8.8.8.8	0x5d78	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	461	false
Nov 19, 2024 13:59:57.078421116 CET	192.168.2.15	8.8.8.8	0x5d78	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	461	false
Nov 19, 2024 13:59:57.085448027 CET	192.168.2.15	8.8.8.8	0x5d78	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	461	false
Nov 19, 2024 14:00:08.137881041 CET	192.168.2.15	8.8.8.8	0xe9b1	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	472	false
Nov 19, 2024 14:00:08.145185947 CET	192.168.2.15	8.8.8.8	0xe9b1	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	472	false
Nov 19, 2024 14:00:08.152754068 CET	192.168.2.15	8.8.8.8	0xe9b1	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	472	false
Nov 19, 2024 14:00:08.159980059 CET	192.168.2.15	8.8.8.8	0xe9b1	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	472	false
Nov 19, 2024 14:00:08.167193890 CET	192.168.2.15	8.8.8.8	0xe9b1	Standard query (0)	ksdjwi.eye-network.ru. [malformed]	256	472	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 13:58:05.769006968 CET	8.8.8.8	192.168.2.15	0x89c7	No error (0)	ksdjwi.eye-network.ru		154.216.16.109	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: vqsjh4.elf PID: 5519, Parent PID: 5436

General

Start time (UTC):	12:58:04
Start date (UTC):	19/11/2024
Path:	/tmp/vqsjh4.elf
Arguments:	/tmp/vqsjh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: vqsjh4.elf PID: 5522, Parent PID: 5519

General

Start time (UTC):	12:58:04
Start date (UTC):	19/11/2024
Path:	/tmp/vqsjh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: vqsjh4.elf PID: 5524, Parent PID: 5522

General

Start time (UTC):	12:58:04
Start date (UTC):	19/11/2024
Path:	/tmp/vqsjh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: gnome-session-binary PID: 5528, Parent PID: 1498

General

Start time (UTC):	12:58:05
Start date (UTC):	19/11/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5528, Parent PID: 1498

General

Start time (UTC):	12:58:05
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5528, Parent PID: 1498

General

Start time (UTC):	12:58:05
Start date (UTC):	19/11/2024
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: systemd PID: 5533, Parent PID: 1

General

Start time (UTC):	12:58:05
Start date (UTC):	19/11/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5533, Parent PID: 1

General

Start time (UTC):	12:58:05
Start date (UTC):	19/11/2024
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

Chronological Activities

Analysis Process: dash PID: 5760, Parent PID: 3670

General

Start time (UTC):	12:59:24
Start date (UTC):	19/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5760, Parent PID: 3670

General

Start time (UTC):	12:59:24
Start date (UTC):	19/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.dovqtLfVZP /tmp/tmp.MxXNP16lO1 /tmp/tmp.jaXpkmGkJU
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5761, Parent PID: 3670

General

Start time (UTC):	12:59:24
Start date (UTC):	19/11/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5761, Parent PID: 3670

General

Start time (UTC):	12:59:24
Start date (UTC):	19/11/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.dovqtLfVZP /tmp/tmp.MxXNP16lO1 /tmp/tmp.jaXpkmGkJU
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report vqsjh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.4DAf2v (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: vqsjh4.elf PID: 5519, Parent PID: 5436

General

Chronological Activities

Analysis Process: vqsjh4.elf PID: 5522, Parent PID: 5519

General

Chronological Activities

Analysis Process: vqsjh4.elf PID: 5524, Parent PID: 5522

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5528, Parent PID: 1498

General

Chronological Activities

Analysis Process: sh PID: 5528, Parent PID: 1498

Linux Analysis Report
vqsjh4.elf