Edit tour

Linux Analysis Report
x86.elf

Overview

General Information

Sample name:	x86.elf
Analysis ID:	1560453
MD5:	a9d64be9ff4fba73dcfdd4ed203d63ff
SHA1:	0107489cb35a8b9e8de5754ddae4853fe2510a49
SHA256:	689dc11cf67c279bb00fe5e6ea3b499decd1f300e37b459aa6183ac39d050a5f
Tags:	user-elfdigest
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample listens on a socket

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560453
Start date and time:	2024-11-21 20:33:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86.elf
Detection:	MAL
Classification:	mal64.troj.linELF@0/0@26/0

Warnings

VT rate limit hit for: x86.elf

Runtime Messages

Command:	/tmp/x86.elf
PID:	5529
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	you are now apart of hail cock botnet
Standard Error:

Process Tree

system is lnxubuntu20

x86.elf (PID: 5529, Parent: 5454, MD5: a9d64be9ff4fba73dcfdd4ed203d63ff) Arguments: /tmp/x86.elf

x86.elf New Fork (PID: 5530, Parent: 5529)

x86.elf New Fork (PID: 5531, Parent: 5529)

x86.elf New Fork (PID: 5535, Parent: 5529)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x8794:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
x86.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x8f83:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
x86.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x5c16:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xab1c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
x86.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xc8d6:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
x86.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x8b43:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
x86.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x8e0e:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
x86.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2872:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x8794:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x8f83:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x5c16:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0xab1c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xc8d6:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x8b43:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x8e0e:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5529.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x2872:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 2 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: x86.elf

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: x86.elf

Joe Sandbox ML: detected

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 194.58.66.244 ports 16366,3,4,5,9,4359
Source: global traffic	TCP traffic: 193.233.193.45 ports 0,1,2,3,9,21390
Source: global traffic	TCP traffic: 31.13.248.13 ports 0,1,10846,4,6,8
Source: global traffic	TCP traffic: 103.136.150.114 ports 9576,20377,10053,5,6,7,9
Source: global traffic	TCP traffic: 45.140.169.21 ports 19343,1,11407,3,7,8,17138

Source: global traffic	TCP traffic: 192.168.2.15:48626 -> 103.136.150.114:9576
Source: global traffic	TCP traffic: 192.168.2.15:52510 -> 107.189.8.204:9725
Source: global traffic	TCP traffic: 192.168.2.15:35398 -> 176.32.39.112:6888
Source: global traffic	TCP traffic: 192.168.2.15:46270 -> 45.140.169.21:17138
Source: global traffic	TCP traffic: 192.168.2.15:35552 -> 198.98.49.215:10644
Source: global traffic	TCP traffic: 192.168.2.15:41372 -> 81.29.149.178:9885
Source: global traffic	TCP traffic: 192.168.2.15:46744 -> 27.102.118.111:5264
Source: global traffic	TCP traffic: 192.168.2.15:33522 -> 193.233.193.45:21390
Source: global traffic	TCP traffic: 192.168.2.15:51108 -> 31.13.248.89:18865
Source: global traffic	TCP traffic: 192.168.2.15:32904 -> 209.141.61.182:5262
Source: global traffic	TCP traffic: 192.168.2.15:50410 -> 209.141.49.186:11564
Source: global traffic	TCP traffic: 192.168.2.15:46680 -> 194.58.66.244:4359
Source: global traffic	TCP traffic: 192.168.2.15:44208 -> 31.13.248.13:10846
Source: global traffic	TCP traffic: 192.168.2.15:38422 -> 88.151.195.157:21235

Source: /tmp/x86.elf (PID: 5529)

Socket: 127.0.0.1:1172

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.8.204
Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.8.204
Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.8.204
Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.8.204
Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.8.204
Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.8.204
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 176.32.39.112
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 81.29.149.178
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.111
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.111
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.111
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.111
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.111
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.111
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.169.21
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114

Source: global traffic	DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5529.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.troj.linELF@0/0@26/0

Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5591/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5592/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5593/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5594/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5595/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5596/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5597/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5598/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5370/cmdline	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5590/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5599/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5556/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5589/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5600/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5601/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5558/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5602/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5603/status	Jump to behavior
Source: /tmp/x86.elf (PID: 5531)	File opened: /proc/5604/status	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86.elf	18%	ReversingLabs	Linux.Backdoor.Mirai
x86.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high
kingstonwikkerink.dyn	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.58.66.244	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	true
193.233.193.45	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
27.102.118.111	unknown	Korea Republic of	45996	GNJ-AS-KRDAOUTECHNOLOGYKR	false
31.13.248.89	unknown	Bulgaria	34224	NETERRA-ASBG	false
198.98.49.215	unknown	United States	53667	PONYNETUS	false
88.151.195.157	unknown	Azerbaijan	15723	AZERONLINEAZ	false
81.29.149.178	unknown	Switzerland	39616	COMUNICA_IT_SERVICESCH	false
45.140.169.21	unknown	Russian Federation	51659	ASBAXETRU	true
209.141.61.182	unknown	United States	53667	PONYNETUS	false
31.13.248.13	unknown	Bulgaria	34224	NETERRA-ASBG	true
107.189.8.204	unknown	United States	53667	PONYNETUS	false
176.32.39.112	unknown	Russian Federation	51659	ASBAXETRU	false
209.141.49.186	unknown	United States	53667	PONYNETUS	false
103.136.150.114	unknown	Hong Kong	46261	QUICKPACKETUS	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
198.98.49.215	mpsl.elf	Get hash	malicious	Unknown	Browse
198.98.49.215	arm5.elf	Get hash	malicious	Unknown	Browse
194.58.66.244	ppc.elf	Get hash	malicious	Unknown	Browse
194.58.66.244	hmips.elf	Get hash	malicious	Unknown	Browse
193.233.193.45	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm5.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
27.102.118.111	ppc.elf	Get hash	malicious	Unknown	Browse
81.29.149.178	hmips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
31.13.248.89	ppc.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	arm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	7kM7p7yctU.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETERRA-ASBG	ppc.elf	Get hash	malicious	Unknown	Browse	31.13.248.13
	hmips.elf	Get hash	malicious	Unknown	Browse	31.13.248.13
	medk.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	87.120.37.120
	tab.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	87.120.37.120
	arm5.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	arm7.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	arm.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	harm4.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	harm5.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	harm4.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
RELCOM-ASRelcomGroup19022019RU	ppc.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	hmips.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
	jKira.arm	Get hash	malicious	Mirai	Browse	195.133.54.44
GNJ-AS-KRDAOUTECHNOLOGYKR	ppc.elf	Get hash	malicious	Unknown	Browse	27.102.118.111
	sh4.elf	Get hash	malicious	Mirai	Browse	14.129.24.157
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	1.18.64.186
	arm5.elf	Get hash	malicious	Mirai	Browse	1.17.85.123
	sh4.elf	Get hash	malicious	Mirai	Browse	1.17.85.151
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	115.71.116.179
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	27.102.158.214
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	27.103.206.241
	czHBnd67gp.elf	Get hash	malicious	Unknown	Browse	1.17.85.185
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	27.103.36.59
FREE-NET-ASFREEnetEU	owari.mips.elf	Get hash	malicious	Unknown	Browse	147.45.234.212
	pdusf6w2SJ.exe	Get hash	malicious	RedLine	Browse	147.45.44.221
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	file.exe	Get hash	malicious	DanaBot	Browse	193.233.232.101
	xd.spc.elf	Get hash	malicious	Mirai	Browse	193.233.234.114
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.2601269140156655
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	x86.elf
File size:	63'416 bytes
MD5:	a9d64be9ff4fba73dcfdd4ed203d63ff
SHA1:	0107489cb35a8b9e8de5754ddae4853fe2510a49
SHA256:	689dc11cf67c279bb00fe5e6ea3b499decd1f300e37b459aa6183ac39d050a5f
SHA512:	5e855192c33205b96332001c04e23cf77011c240591a46b83ff3a0945705fdd53b6e719057e6c47068eae81a00b8c276163adb408b31c35e434832a91d279a7d
SSDEEP:	1536:wPhOWQuxmmfZrFeU8ptubAN+h99YxDs27IasfcxPmeIEG6E:wP/QSfZwubAN+BYp1HYcxPmens
TLSH:	04536C17BAD1C0FDC49DC134076AA53AD9B3747D0335B62D6BD8FA226E89E212F6C940
File Content Preview:	.ELF..............>.......@.....@...................@.8...@.......................@.......@.....$.......$.................................P.......P..............l..............Q.td....................................................H...._........H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	62712
Section Header Size:	64
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0xd0d6	0x0	0x6	AX	16
.fini	PROGBITS	0x40d1d6	0xd1d6	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x40d200	0xd200	0x1c20	0x0	0x2	A	32
.eh_frame	PROGBITS	0x40ee20	0xee20	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x50f000	0xf000	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x50f010	0xf010	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x50f040	0xf040	0x470	0x0	0x3	WA	32
.bss	NOBITS	0x50f4c0	0xf4b0	0x67e8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xf4b0	0x48	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xee24	0xee24	6.3702	0x5	R E	0x100000	.init .text .fini .rodata .eh_frame
LOAD	0xf000	0x50f000	0x50f000	0x4b0	0x6ca8	2.3775	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 20:33:58.722934961 CET	48626	9576	192.168.2.15	103.136.150.114
Nov 21, 2024 20:33:58.842540979 CET	9576	48626	103.136.150.114	192.168.2.15
Nov 21, 2024 20:33:58.842617989 CET	48626	9576	192.168.2.15	103.136.150.114
Nov 21, 2024 20:33:58.842645884 CET	48626	9576	192.168.2.15	103.136.150.114
Nov 21, 2024 20:33:58.962272882 CET	9576	48626	103.136.150.114	192.168.2.15
Nov 21, 2024 20:33:58.962351084 CET	48626	9576	192.168.2.15	103.136.150.114
Nov 21, 2024 20:33:59.082067013 CET	9576	48626	103.136.150.114	192.168.2.15
Nov 21, 2024 20:34:00.798670053 CET	9576	48626	103.136.150.114	192.168.2.15
Nov 21, 2024 20:34:00.798780918 CET	48626	9576	192.168.2.15	103.136.150.114
Nov 21, 2024 20:34:00.798825026 CET	48626	9576	192.168.2.15	103.136.150.114
Nov 21, 2024 20:34:06.039273024 CET	52510	9725	192.168.2.15	107.189.8.204
Nov 21, 2024 20:34:06.160197020 CET	9725	52510	107.189.8.204	192.168.2.15
Nov 21, 2024 20:34:06.160268068 CET	52510	9725	192.168.2.15	107.189.8.204
Nov 21, 2024 20:34:06.160298109 CET	52510	9725	192.168.2.15	107.189.8.204
Nov 21, 2024 20:34:06.280726910 CET	9725	52510	107.189.8.204	192.168.2.15
Nov 21, 2024 20:34:06.280808926 CET	52510	9725	192.168.2.15	107.189.8.204
Nov 21, 2024 20:34:06.400810957 CET	9725	52510	107.189.8.204	192.168.2.15
Nov 21, 2024 20:34:16.167742014 CET	52510	9725	192.168.2.15	107.189.8.204
Nov 21, 2024 20:34:16.287648916 CET	9725	52510	107.189.8.204	192.168.2.15
Nov 21, 2024 20:34:28.065434933 CET	9725	52510	107.189.8.204	192.168.2.15
Nov 21, 2024 20:34:28.065642118 CET	52510	9725	192.168.2.15	107.189.8.204
Nov 21, 2024 20:34:28.190088034 CET	9725	52510	107.189.8.204	192.168.2.15
Nov 21, 2024 20:34:33.405698061 CET	35398	6888	192.168.2.15	176.32.39.112
Nov 21, 2024 20:34:33.525614977 CET	6888	35398	176.32.39.112	192.168.2.15
Nov 21, 2024 20:34:33.525686026 CET	35398	6888	192.168.2.15	176.32.39.112
Nov 21, 2024 20:34:33.525713921 CET	35398	6888	192.168.2.15	176.32.39.112
Nov 21, 2024 20:34:33.645508051 CET	6888	35398	176.32.39.112	192.168.2.15
Nov 21, 2024 20:34:33.645569086 CET	35398	6888	192.168.2.15	176.32.39.112
Nov 21, 2024 20:34:33.765233040 CET	6888	35398	176.32.39.112	192.168.2.15
Nov 21, 2024 20:34:35.164412975 CET	6888	35398	176.32.39.112	192.168.2.15
Nov 21, 2024 20:34:35.164779902 CET	35398	6888	192.168.2.15	176.32.39.112
Nov 21, 2024 20:34:35.164779902 CET	35398	6888	192.168.2.15	176.32.39.112
Nov 21, 2024 20:34:40.477823019 CET	46270	17138	192.168.2.15	45.140.169.21
Nov 21, 2024 20:34:40.598325014 CET	17138	46270	45.140.169.21	192.168.2.15
Nov 21, 2024 20:34:40.598468065 CET	46270	17138	192.168.2.15	45.140.169.21
Nov 21, 2024 20:34:40.598516941 CET	46270	17138	192.168.2.15	45.140.169.21
Nov 21, 2024 20:34:40.718290091 CET	17138	46270	45.140.169.21	192.168.2.15
Nov 21, 2024 20:34:40.718472958 CET	46270	17138	192.168.2.15	45.140.169.21
Nov 21, 2024 20:34:40.838475943 CET	17138	46270	45.140.169.21	192.168.2.15
Nov 21, 2024 20:34:42.253034115 CET	17138	46270	45.140.169.21	192.168.2.15
Nov 21, 2024 20:34:42.253273010 CET	46270	17138	192.168.2.15	45.140.169.21
Nov 21, 2024 20:34:42.253273964 CET	46270	17138	192.168.2.15	45.140.169.21
Nov 21, 2024 20:34:47.737771034 CET	35552	10644	192.168.2.15	198.98.49.215
Nov 21, 2024 20:34:47.857461929 CET	10644	35552	198.98.49.215	192.168.2.15
Nov 21, 2024 20:34:47.857753038 CET	35552	10644	192.168.2.15	198.98.49.215
Nov 21, 2024 20:34:47.857753992 CET	35552	10644	192.168.2.15	198.98.49.215
Nov 21, 2024 20:34:47.979005098 CET	10644	35552	198.98.49.215	192.168.2.15
Nov 21, 2024 20:34:47.979183912 CET	35552	10644	192.168.2.15	198.98.49.215
Nov 21, 2024 20:34:48.099124908 CET	10644	35552	198.98.49.215	192.168.2.15
Nov 21, 2024 20:35:09.825433016 CET	10644	35552	198.98.49.215	192.168.2.15
Nov 21, 2024 20:35:09.826021910 CET	35552	10644	192.168.2.15	198.98.49.215
Nov 21, 2024 20:35:09.946799994 CET	10644	35552	198.98.49.215	192.168.2.15
Nov 21, 2024 20:35:15.231813908 CET	41372	9885	192.168.2.15	81.29.149.178
Nov 21, 2024 20:35:15.353514910 CET	9885	41372	81.29.149.178	192.168.2.15
Nov 21, 2024 20:35:15.353636980 CET	41372	9885	192.168.2.15	81.29.149.178
Nov 21, 2024 20:35:15.353681087 CET	41372	9885	192.168.2.15	81.29.149.178
Nov 21, 2024 20:35:15.473423958 CET	9885	41372	81.29.149.178	192.168.2.15
Nov 21, 2024 20:35:15.473634005 CET	41372	9885	192.168.2.15	81.29.149.178
Nov 21, 2024 20:35:15.594321966 CET	9885	41372	81.29.149.178	192.168.2.15
Nov 21, 2024 20:35:37.325880051 CET	9885	41372	81.29.149.178	192.168.2.15
Nov 21, 2024 20:35:37.326322079 CET	41372	9885	192.168.2.15	81.29.149.178
Nov 21, 2024 20:35:37.448128939 CET	9885	41372	81.29.149.178	192.168.2.15
Nov 21, 2024 20:35:43.062980890 CET	46744	5264	192.168.2.15	27.102.118.111
Nov 21, 2024 20:35:43.184402943 CET	5264	46744	27.102.118.111	192.168.2.15
Nov 21, 2024 20:35:43.184631109 CET	46744	5264	192.168.2.15	27.102.118.111
Nov 21, 2024 20:35:43.184689045 CET	46744	5264	192.168.2.15	27.102.118.111
Nov 21, 2024 20:35:43.305222988 CET	5264	46744	27.102.118.111	192.168.2.15
Nov 21, 2024 20:35:43.305421114 CET	46744	5264	192.168.2.15	27.102.118.111
Nov 21, 2024 20:35:43.431253910 CET	5264	46744	27.102.118.111	192.168.2.15
Nov 21, 2024 20:35:45.117700100 CET	5264	46744	27.102.118.111	192.168.2.15
Nov 21, 2024 20:35:45.117974997 CET	46744	5264	192.168.2.15	27.102.118.111
Nov 21, 2024 20:35:45.118036985 CET	46744	5264	192.168.2.15	27.102.118.111
Nov 21, 2024 20:35:50.366601944 CET	52916	11407	192.168.2.15	45.140.169.21
Nov 21, 2024 20:35:50.492733955 CET	11407	52916	45.140.169.21	192.168.2.15
Nov 21, 2024 20:35:50.492995024 CET	52916	11407	192.168.2.15	45.140.169.21
Nov 21, 2024 20:35:50.492995024 CET	52916	11407	192.168.2.15	45.140.169.21
Nov 21, 2024 20:35:50.612817049 CET	11407	52916	45.140.169.21	192.168.2.15
Nov 21, 2024 20:35:50.612914085 CET	52916	11407	192.168.2.15	45.140.169.21
Nov 21, 2024 20:35:50.732597113 CET	11407	52916	45.140.169.21	192.168.2.15
Nov 21, 2024 20:35:52.157751083 CET	11407	52916	45.140.169.21	192.168.2.15
Nov 21, 2024 20:35:52.157987118 CET	52916	11407	192.168.2.15	45.140.169.21
Nov 21, 2024 20:35:52.158013105 CET	52916	11407	192.168.2.15	45.140.169.21
Nov 21, 2024 20:35:57.690293074 CET	44936	10053	192.168.2.15	103.136.150.114
Nov 21, 2024 20:35:57.811460972 CET	10053	44936	103.136.150.114	192.168.2.15
Nov 21, 2024 20:35:57.811556101 CET	44936	10053	192.168.2.15	103.136.150.114
Nov 21, 2024 20:35:57.811556101 CET	44936	10053	192.168.2.15	103.136.150.114
Nov 21, 2024 20:35:57.931168079 CET	10053	44936	103.136.150.114	192.168.2.15
Nov 21, 2024 20:35:57.931329966 CET	44936	10053	192.168.2.15	103.136.150.114
Nov 21, 2024 20:35:58.051834106 CET	10053	44936	103.136.150.114	192.168.2.15
Nov 21, 2024 20:35:59.686158895 CET	10053	44936	103.136.150.114	192.168.2.15
Nov 21, 2024 20:35:59.686343908 CET	44936	10053	192.168.2.15	103.136.150.114
Nov 21, 2024 20:35:59.686367989 CET	44936	10053	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:04.938118935 CET	34374	19343	192.168.2.15	45.140.169.21
Nov 21, 2024 20:36:05.062366009 CET	19343	34374	45.140.169.21	192.168.2.15
Nov 21, 2024 20:36:05.062623978 CET	34374	19343	192.168.2.15	45.140.169.21
Nov 21, 2024 20:36:05.062623978 CET	34374	19343	192.168.2.15	45.140.169.21
Nov 21, 2024 20:36:05.188996077 CET	19343	34374	45.140.169.21	192.168.2.15
Nov 21, 2024 20:36:05.189172029 CET	34374	19343	192.168.2.15	45.140.169.21
Nov 21, 2024 20:36:05.308779001 CET	19343	34374	45.140.169.21	192.168.2.15
Nov 21, 2024 20:36:06.911947012 CET	19343	34374	45.140.169.21	192.168.2.15
Nov 21, 2024 20:36:06.912094116 CET	34374	19343	192.168.2.15	45.140.169.21
Nov 21, 2024 20:36:06.912133932 CET	34374	19343	192.168.2.15	45.140.169.21
Nov 21, 2024 20:36:12.185827971 CET	33522	21390	192.168.2.15	193.233.193.45
Nov 21, 2024 20:36:12.305433989 CET	21390	33522	193.233.193.45	192.168.2.15
Nov 21, 2024 20:36:12.305732965 CET	33522	21390	192.168.2.15	193.233.193.45
Nov 21, 2024 20:36:12.305911064 CET	33522	21390	192.168.2.15	193.233.193.45
Nov 21, 2024 20:36:12.425887108 CET	21390	33522	193.233.193.45	192.168.2.15
Nov 21, 2024 20:36:12.426054955 CET	33522	21390	192.168.2.15	193.233.193.45
Nov 21, 2024 20:36:12.545886993 CET	21390	33522	193.233.193.45	192.168.2.15
Nov 21, 2024 20:36:14.878665924 CET	21390	33522	193.233.193.45	192.168.2.15
Nov 21, 2024 20:36:14.878953934 CET	33522	21390	192.168.2.15	193.233.193.45
Nov 21, 2024 20:36:15.001892090 CET	21390	33522	193.233.193.45	192.168.2.15
Nov 21, 2024 20:36:20.128809929 CET	32932	20377	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:20.248297930 CET	20377	32932	103.136.150.114	192.168.2.15
Nov 21, 2024 20:36:20.248425961 CET	32932	20377	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:20.248531103 CET	32932	20377	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:20.368050098 CET	20377	32932	103.136.150.114	192.168.2.15
Nov 21, 2024 20:36:20.368145943 CET	32932	20377	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:20.562232018 CET	20377	32932	103.136.150.114	192.168.2.15
Nov 21, 2024 20:36:22.123415947 CET	20377	32932	103.136.150.114	192.168.2.15
Nov 21, 2024 20:36:22.123610973 CET	32932	20377	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:22.123651028 CET	32932	20377	192.168.2.15	103.136.150.114
Nov 21, 2024 20:36:27.373354912 CET	51108	18865	192.168.2.15	31.13.248.89
Nov 21, 2024 20:36:27.493124962 CET	18865	51108	31.13.248.89	192.168.2.15
Nov 21, 2024 20:36:27.493233919 CET	51108	18865	192.168.2.15	31.13.248.89
Nov 21, 2024 20:36:27.493278027 CET	51108	18865	192.168.2.15	31.13.248.89
Nov 21, 2024 20:36:27.612881899 CET	18865	51108	31.13.248.89	192.168.2.15
Nov 21, 2024 20:36:27.612994909 CET	51108	18865	192.168.2.15	31.13.248.89
Nov 21, 2024 20:36:27.732594013 CET	18865	51108	31.13.248.89	192.168.2.15
Nov 21, 2024 20:36:29.743865013 CET	18865	51108	31.13.248.89	192.168.2.15
Nov 21, 2024 20:36:29.744044065 CET	51108	18865	192.168.2.15	31.13.248.89
Nov 21, 2024 20:36:29.863564968 CET	18865	51108	31.13.248.89	192.168.2.15
Nov 21, 2024 20:36:35.009916067 CET	32904	5262	192.168.2.15	209.141.61.182
Nov 21, 2024 20:36:35.129517078 CET	5262	32904	209.141.61.182	192.168.2.15
Nov 21, 2024 20:36:35.129681110 CET	32904	5262	192.168.2.15	209.141.61.182
Nov 21, 2024 20:36:35.129731894 CET	32904	5262	192.168.2.15	209.141.61.182
Nov 21, 2024 20:36:35.249308109 CET	5262	32904	209.141.61.182	192.168.2.15
Nov 21, 2024 20:36:35.249571085 CET	32904	5262	192.168.2.15	209.141.61.182
Nov 21, 2024 20:36:35.374449968 CET	5262	32904	209.141.61.182	192.168.2.15
Nov 21, 2024 20:36:36.405708075 CET	5262	32904	209.141.61.182	192.168.2.15
Nov 21, 2024 20:36:36.405962944 CET	32904	5262	192.168.2.15	209.141.61.182
Nov 21, 2024 20:36:36.406030893 CET	32904	5262	192.168.2.15	209.141.61.182
Nov 21, 2024 20:36:41.649028063 CET	50410	11564	192.168.2.15	209.141.49.186
Nov 21, 2024 20:36:41.774090052 CET	11564	50410	209.141.49.186	192.168.2.15
Nov 21, 2024 20:36:41.774230957 CET	50410	11564	192.168.2.15	209.141.49.186
Nov 21, 2024 20:36:41.774264097 CET	50410	11564	192.168.2.15	209.141.49.186
Nov 21, 2024 20:36:41.897412062 CET	11564	50410	209.141.49.186	192.168.2.15
Nov 21, 2024 20:36:41.897521019 CET	50410	11564	192.168.2.15	209.141.49.186
Nov 21, 2024 20:36:42.025382042 CET	11564	50410	209.141.49.186	192.168.2.15
Nov 21, 2024 20:37:03.749216080 CET	11564	50410	209.141.49.186	192.168.2.15
Nov 21, 2024 20:37:03.749560118 CET	50410	11564	192.168.2.15	209.141.49.186
Nov 21, 2024 20:37:03.874696970 CET	11564	50410	209.141.49.186	192.168.2.15
Nov 21, 2024 20:37:08.998011112 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:09.120543003 CET	4359	46680	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:09.120660067 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:09.120702982 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:09.240309000 CET	4359	46680	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:09.240417957 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:09.611031055 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:09.628480911 CET	4359	46680	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:09.733474016 CET	4359	46680	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:11.140017986 CET	4359	46680	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:11.140168905 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:11.140212059 CET	46680	4359	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:17.258533001 CET	44208	10846	192.168.2.15	31.13.248.13
Nov 21, 2024 20:37:17.379385948 CET	10846	44208	31.13.248.13	192.168.2.15
Nov 21, 2024 20:37:17.379540920 CET	44208	10846	192.168.2.15	31.13.248.13
Nov 21, 2024 20:37:17.379609108 CET	44208	10846	192.168.2.15	31.13.248.13
Nov 21, 2024 20:37:17.505666971 CET	10846	44208	31.13.248.13	192.168.2.15
Nov 21, 2024 20:37:17.505819082 CET	44208	10846	192.168.2.15	31.13.248.13
Nov 21, 2024 20:37:17.626650095 CET	10846	44208	31.13.248.13	192.168.2.15
Nov 21, 2024 20:37:18.973896980 CET	10846	44208	31.13.248.13	192.168.2.15
Nov 21, 2024 20:37:18.974216938 CET	44208	10846	192.168.2.15	31.13.248.13
Nov 21, 2024 20:37:18.974216938 CET	44208	10846	192.168.2.15	31.13.248.13
Nov 21, 2024 20:37:24.237884998 CET	38422	21235	192.168.2.15	88.151.195.157
Nov 21, 2024 20:37:24.358447075 CET	21235	38422	88.151.195.157	192.168.2.15
Nov 21, 2024 20:37:24.358654022 CET	38422	21235	192.168.2.15	88.151.195.157
Nov 21, 2024 20:37:24.358715057 CET	38422	21235	192.168.2.15	88.151.195.157
Nov 21, 2024 20:37:24.483293056 CET	21235	38422	88.151.195.157	192.168.2.15
Nov 21, 2024 20:37:24.483407021 CET	38422	21235	192.168.2.15	88.151.195.157
Nov 21, 2024 20:37:24.603235006 CET	21235	38422	88.151.195.157	192.168.2.15
Nov 21, 2024 20:37:26.043998003 CET	21235	38422	88.151.195.157	192.168.2.15
Nov 21, 2024 20:37:26.044184923 CET	38422	21235	192.168.2.15	88.151.195.157
Nov 21, 2024 20:37:26.044239044 CET	38422	21235	192.168.2.15	88.151.195.157
Nov 21, 2024 20:37:31.292025089 CET	60792	16366	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:31.412374020 CET	16366	60792	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:31.412561893 CET	60792	16366	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:31.412595987 CET	60792	16366	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:31.532201052 CET	16366	60792	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:31.532363892 CET	60792	16366	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:31.652050018 CET	16366	60792	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:33.006525993 CET	16366	60792	194.58.66.244	192.168.2.15
Nov 21, 2024 20:37:33.006635904 CET	60792	16366	192.168.2.15	194.58.66.244
Nov 21, 2024 20:37:33.006673098 CET	60792	16366	192.168.2.15	194.58.66.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 20:33:58.481462002 CET	33416	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:33:58.722346067 CET	53	33416	81.169.136.222	192.168.2.15
Nov 21, 2024 20:34:05.800353050 CET	40363	53	192.168.2.15	213.202.211.221
Nov 21, 2024 20:34:06.038750887 CET	53	40363	213.202.211.221	192.168.2.15
Nov 21, 2024 20:34:33.068039894 CET	56274	53	192.168.2.15	109.91.184.21
Nov 21, 2024 20:34:33.405147076 CET	53	56274	109.91.184.21	192.168.2.15
Nov 21, 2024 20:34:40.167258024 CET	55505	53	192.168.2.15	168.235.111.72
Nov 21, 2024 20:34:40.476914883 CET	53	55505	168.235.111.72	192.168.2.15
Nov 21, 2024 20:34:47.257545948 CET	43431	53	192.168.2.15	51.158.108.203
Nov 21, 2024 20:34:47.496117115 CET	53	43431	51.158.108.203	192.168.2.15
Nov 21, 2024 20:34:47.497680902 CET	45346	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:34:47.736840010 CET	53	45346	81.169.136.222	192.168.2.15
Nov 21, 2024 20:35:14.828804970 CET	54111	53	192.168.2.15	168.138.12.137
Nov 21, 2024 20:35:15.230586052 CET	53	54111	168.138.12.137	192.168.2.15
Nov 21, 2024 20:35:42.329602003 CET	40954	53	192.168.2.15	152.53.15.127
Nov 21, 2024 20:35:42.575942993 CET	53	40954	152.53.15.127	192.168.2.15
Nov 21, 2024 20:35:42.577554941 CET	59726	53	192.168.2.15	152.53.15.127
Nov 21, 2024 20:35:42.821196079 CET	53	59726	152.53.15.127	192.168.2.15
Nov 21, 2024 20:35:42.823107004 CET	55426	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:35:43.061883926 CET	53	55426	81.169.136.222	192.168.2.15
Nov 21, 2024 20:35:50.120548964 CET	37990	53	192.168.2.15	202.61.197.122
Nov 21, 2024 20:35:50.365690947 CET	53	37990	202.61.197.122	192.168.2.15
Nov 21, 2024 20:35:57.161756992 CET	51572	53	192.168.2.15	185.181.61.24
Nov 21, 2024 20:35:57.689013004 CET	53	51572	185.181.61.24	192.168.2.15
Nov 21, 2024 20:36:04.689548969 CET	52635	53	192.168.2.15	202.61.197.122
Nov 21, 2024 20:36:04.937051058 CET	53	52635	202.61.197.122	192.168.2.15
Nov 21, 2024 20:36:11.915638924 CET	58330	53	192.168.2.15	185.181.61.24
Nov 21, 2024 20:36:12.184874058 CET	53	58330	185.181.61.24	192.168.2.15
Nov 21, 2024 20:36:19.881673098 CET	50892	53	192.168.2.15	202.61.197.122
Nov 21, 2024 20:36:20.127780914 CET	53	50892	202.61.197.122	192.168.2.15
Nov 21, 2024 20:36:27.126723051 CET	53234	53	192.168.2.15	217.160.70.42
Nov 21, 2024 20:36:27.372267008 CET	53	53234	217.160.70.42	192.168.2.15
Nov 21, 2024 20:36:34.747308016 CET	40061	53	192.168.2.15	185.181.61.24
Nov 21, 2024 20:36:35.009038925 CET	53	40061	185.181.61.24	192.168.2.15
Nov 21, 2024 20:36:41.409471989 CET	60524	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:36:41.647934914 CET	53	60524	81.169.136.222	192.168.2.15
Nov 21, 2024 20:36:43.745716095 CET	51978	53	192.168.2.15	1.1.1.1
Nov 21, 2024 20:36:43.745778084 CET	59477	53	192.168.2.15	1.1.1.1
Nov 21, 2024 20:36:43.888365030 CET	53	59477	1.1.1.1	192.168.2.15
Nov 21, 2024 20:36:44.005367041 CET	53	51978	1.1.1.1	192.168.2.15
Nov 21, 2024 20:37:08.752662897 CET	33969	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:37:08.996805906 CET	53	33969	81.169.136.222	192.168.2.15
Nov 21, 2024 20:37:16.144066095 CET	43217	53	192.168.2.15	194.36.144.87
Nov 21, 2024 20:37:16.767713070 CET	53	43217	194.36.144.87	192.168.2.15
Nov 21, 2024 20:37:16.769465923 CET	59424	53	192.168.2.15	152.53.15.127
Nov 21, 2024 20:37:17.017268896 CET	53	59424	152.53.15.127	192.168.2.15
Nov 21, 2024 20:37:17.019016981 CET	42870	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:37:17.257623911 CET	53	42870	81.169.136.222	192.168.2.15
Nov 21, 2024 20:37:23.977464914 CET	45605	53	192.168.2.15	185.181.61.24
Nov 21, 2024 20:37:24.237190962 CET	53	45605	185.181.61.24	192.168.2.15
Nov 21, 2024 20:37:31.046812057 CET	53421	53	192.168.2.15	81.169.136.222
Nov 21, 2024 20:37:31.290987015 CET	53	53421	81.169.136.222	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 20:33:58.481462002 CET	192.168.2.15	81.169.136.222	0x3f7e	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:34:05.800353050 CET	192.168.2.15	213.202.211.221	0x178d	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:34:33.068039894 CET	192.168.2.15	109.91.184.21	0xe59f	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:34:40.167258024 CET	192.168.2.15	168.235.111.72	0x1bd5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:34:47.257545948 CET	192.168.2.15	51.158.108.203	0x175f	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:34:47.497680902 CET	192.168.2.15	81.169.136.222	0x7f1d	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:35:14.828804970 CET	192.168.2.15	168.138.12.137	0xbe80	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:35:42.329602003 CET	192.168.2.15	152.53.15.127	0xea75	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:35:42.577554941 CET	192.168.2.15	152.53.15.127	0x5468	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:35:42.823107004 CET	192.168.2.15	81.169.136.222	0xe3db	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:35:50.120548964 CET	192.168.2.15	202.61.197.122	0xdead	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:35:57.161756992 CET	192.168.2.15	185.181.61.24	0x3158	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:04.689548969 CET	192.168.2.15	202.61.197.122	0xba8c	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:11.915638924 CET	192.168.2.15	185.181.61.24	0x7076	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:19.881673098 CET	192.168.2.15	202.61.197.122	0xa68	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:27.126723051 CET	192.168.2.15	217.160.70.42	0xbcc6	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:34.747308016 CET	192.168.2.15	185.181.61.24	0xb92e	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:41.409471989 CET	192.168.2.15	81.169.136.222	0x8f77	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:43.745716095 CET	192.168.2.15	1.1.1.1	0x34fa	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:43.745778084 CET	192.168.2.15	1.1.1.1	0x8799	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 21, 2024 20:37:08.752662897 CET	192.168.2.15	81.169.136.222	0xbac5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:37:16.144066095 CET	192.168.2.15	194.36.144.87	0x75d	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:37:16.769465923 CET	192.168.2.15	152.53.15.127	0x1b43	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:37:17.019016981 CET	192.168.2.15	81.169.136.222	0xd582	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:37:23.977464914 CET	192.168.2.15	185.181.61.24	0xb5a2	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:37:31.046812057 CET	192.168.2.15	81.169.136.222	0xbb66	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 20:36:44.005367041 CET	1.1.1.1	192.168.2.15	0x34fa	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Nov 21, 2024 20:36:44.005367041 CET	1.1.1.1	192.168.2.15	0x34fa	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: x86.elf PID: 5529, Parent PID: 5454

General

Start time (UTC):	19:33:57
Start date (UTC):	21/11/2024
Path:	/tmp/x86.elf
Arguments:	/tmp/x86.elf
File size:	63416 bytes
MD5 hash:	a9d64be9ff4fba73dcfdd4ed203d63ff

Chronological Activities

Analysis Process: x86.elf PID: 5530, Parent PID: 5529

General

Start time (UTC):	19:33:57
Start date (UTC):	21/11/2024
Path:	/tmp/x86.elf
Arguments:	-
File size:	63416 bytes
MD5 hash:	a9d64be9ff4fba73dcfdd4ed203d63ff

Chronological Activities

Analysis Process: x86.elf PID: 5531, Parent PID: 5529

General

Start time (UTC):	19:33:57
Start date (UTC):	21/11/2024
Path:	/tmp/x86.elf
Arguments:	-
File size:	63416 bytes
MD5 hash:	a9d64be9ff4fba73dcfdd4ed203d63ff

Chronological Activities

Analysis Process: x86.elf PID: 5535, Parent PID: 5529

General

Start time (UTC):	19:33:57
Start date (UTC):	21/11/2024
Path:	/tmp/x86.elf
Arguments:	-
File size:	63416 bytes
MD5 hash:	a9d64be9ff4fba73dcfdd4ed203d63ff

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: x86.elf PID: 5529, Parent PID: 5454

General

Chronological Activities

Analysis Process: x86.elf PID: 5530, Parent PID: 5529

General

Chronological Activities

Analysis Process: x86.elf PID: 5531, Parent PID: 5529

General

Chronological Activities

Analysis Process: x86.elf PID: 5535, Parent PID: 5529

General

Chronological Activities

Linux Analysis Report
x86.elf