Edit tour

Linux Analysis Report
mips.elf

Overview

General Information

Sample name:	mips.elf
Analysis ID:	1560478
MD5:	d850a5c9d7caf7be1d875e3a90fea5b4
SHA1:	54f3a547cacd7d93148e828f5021416ee59267e9
SHA256:	c45913e08630068df6ba21fdeeb332fe5ff1dd75469f23dda35c39f7ba3f74bf
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560478
Start date and time:	2024-11-21 21:11:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mips.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@21/0

Warnings

VT rate limit hit for: mips.elf

Runtime Messages

Command:	/tmp/mips.elf
PID:	6240
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	you are now apart of hail cock botnet
Standard Error:

Process Tree

system is lnxubuntu20

mips.elf (PID: 6240, Parent: 6163, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.elf

mips.elf New Fork (PID: 6242, Parent: 6240)

mips.elf New Fork (PID: 6296, Parent: 6242)

mips.elf New Fork (PID: 6297, Parent: 6242)

mips.elf New Fork (PID: 6244, Parent: 6240)

mips.elf New Fork (PID: 6252, Parent: 6240)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mips.elf

ReversingLabs: Detection: 15%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.39.254.71 ports 23801,1,2,5,8,5821
Source: global traffic	TCP traffic: 209.141.57.98 ports 0,1,3,7,9,10793
Source: global traffic	TCP traffic: 45.140.168.235 ports 0,1,3,7,9,19703
Source: global traffic	TCP traffic: 205.185.114.79 ports 24908,0,2,4,8,9
Source: global traffic	TCP traffic: 209.141.44.226 ports 0,1,2,10427,4,7

Source: global traffic	TCP traffic: 192.168.2.23:34898 -> 209.141.61.182:2473
Source: global traffic	TCP traffic: 192.168.2.23:48896 -> 193.233.193.45:2473
Source: global traffic	TCP traffic: 192.168.2.23:54014 -> 45.140.168.235:19703
Source: global traffic	TCP traffic: 192.168.2.23:47572 -> 5.39.254.71:5821
Source: global traffic	TCP traffic: 192.168.2.23:60860 -> 209.141.44.226:10427
Source: global traffic	TCP traffic: 192.168.2.23:51696 -> 198.98.49.215:25400
Source: global traffic	TCP traffic: 192.168.2.23:48928 -> 31.13.248.13:19120
Source: global traffic	TCP traffic: 192.168.2.23:55798 -> 209.141.57.98:10793
Source: global traffic	TCP traffic: 192.168.2.23:48930 -> 45.147.200.148:1739
Source: global traffic	TCP traffic: 192.168.2.23:58600 -> 205.185.114.79:24908
Source: global traffic	TCP traffic: 192.168.2.23:51444 -> 88.151.195.22:6485
Source: global traffic	TCP traffic: 192.168.2.23:41010 -> 38.114.100.142:2829
Source: global traffic	TCP traffic: 192.168.2.23:46042 -> 81.29.149.178:20520
Source: global traffic	TCP traffic: 192.168.2.23:35954 -> 91.149.238.18:3238
Source: global traffic	TCP traffic: 192.168.2.23:33882 -> 217.28.130.41:14042

Source: /tmp/mips.elf (PID: 6240)

Socket: 127.0.0.1:1172

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.61.182
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.61.182
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.61.182
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.61.182
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.61.182
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.61.182
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.44.226
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.44.226
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.44.226
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.44.226
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.44.226
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.44.226
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.13
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.13
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.13
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.13
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.13
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.13
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.57.98
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.57.98

Source: global traffic

DNS traffic detected: DNS query: kingstonwikkerink.dyn

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@21/0

Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6373/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6372/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6067/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6375/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6374/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6377/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6376/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6379/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6378/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6380/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6371/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6382/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6370/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6381/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6348/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6347/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6296)	File opened: /proc/6369/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6296/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6373/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6384/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6295/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6372/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6383/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6320/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6067/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6375/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6297/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6374/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6377/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6321/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6376/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6379/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6356/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6378/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6380/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6371/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6382/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6370/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6381/status	Jump to behavior
Source: /tmp/mips.elf (PID: 6244)	File opened: /proc/6369/status	Jump to behavior

Source: /tmp/mips.elf (PID: 6240)

Queries kernel information via 'uname':

Jump to behavior

Source: mips.elf, 6240.1.000055aeceedb000.000055aecefa8000.rw-.sdmp, mips.elf, 6242.1.000055aeceedb000.000055aecefa8000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: mips.elf, 6240.1.000055aeceedb000.000055aecefa8000.rw-.sdmp, mips.elf, 6242.1.000055aeceedb000.000055aecefa8000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 6240.1.000055aeceedb000.000055aecefa8000.rw-.sdmp, mips.elf, 6242.1.000055aeceedb000.000055aecefa8000.rw-.sdmp	Binary or memory string: tc/qemu-binfmtP
Source: mips.elf, 6242.1.000055aeceedb000.000055aecefa8000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: mips.elf, 6240.1.00007ffcd222b000.00007ffcd224c000.rw-.sdmp, mips.elf, 6242.1.00007ffcd222b000.00007ffcd224c000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 6240.1.00007ffcd222b000.00007ffcd224c000.rw-.sdmp, mips.elf, 6242.1.00007ffcd222b000.00007ffcd224c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: mips.elf, 6242.1.000055aeceedb000.000055aecefa8000.rw-.sdmp	Binary or memory string: U0!/usr/bin/vmtoolsd
Source: mips.elf, 6240.1.000055aeceedb000.000055aecefa8000.rw-.sdmp, mips.elf, 6242.1.000055aeceedb000.000055aecefa8000.rw-.sdmp	Binary or memory string: r-managertc/qemu-binfmtP /proc/2102/exexfce4/xfc!/proc/2123/exe/mips/pr1/usr/bin/xfce4-power-manager0!/proc/2114/exe!/proc/2242/exet/mips/pr

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mips.elf	16%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kingstonwikkerink.dyn	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
217.28.130.41	unknown	United Kingdom	15839	COBWEB-NETGB	false
193.233.193.45	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
198.98.49.215	unknown	United States	53667	PONYNETUS	false
209.141.57.98	unknown	United States	53667	PONYNETUS	true
88.151.195.22	unknown	Azerbaijan	15723	AZERONLINEAZ	false
81.29.149.178	unknown	Switzerland	39616	COMUNICA_IT_SERVICESCH	false
91.149.238.18	unknown	Poland	41952	MARTON-ASPL	false
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	false
45.140.168.235	unknown	Russian Federation	51659	ASBAXETRU	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
5.39.254.71	unknown	United Kingdom	30938	ABSTATIONwwwabstationnetGB	true
38.114.100.142	unknown	United States	22926	AS-WISPERUS	false
209.141.61.182	unknown	United States	53667	PONYNETUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
31.13.248.13	unknown	Bulgaria	34224	NETERRA-ASBG	false
205.185.114.79	unknown	United States	53667	PONYNETUS	true
209.141.44.226	unknown	United States	53667	PONYNETUS	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
217.28.130.41	ppc.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
198.98.49.215	x86.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
209.141.57.98	arm7.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
88.151.195.22	harm5.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
193.233.193.45	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm5.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PONYNETUS	arm7.elf	Get hash	malicious	Unknown	Browse	209.141.44.226
	x86.elf	Get hash	malicious	Unknown	Browse	209.141.49.186
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	107.189.5.7
	NfFibKKmiz.exe	Get hash	malicious	Unknown	Browse	107.189.8.65
	harm5.elf	Get hash	malicious	Unknown	Browse	205.185.114.79
	ppc.elf	Get hash	malicious	Unknown	Browse	209.141.49.186
	hmips.elf	Get hash	malicious	Unknown	Browse	209.141.57.98
	iGmpF31juG.exe	Get hash	malicious	Unknown	Browse	104.194.143.39
	iGmpF31juG.exe	Get hash	malicious	Unknown	Browse	104.194.143.39
	mpsl.elf	Get hash	malicious	Unknown	Browse	209.141.44.226
COBWEB-NETGB	ppc.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	mpsl.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	arm5.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	ppc.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	harm4.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	harm5.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	nsharm.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	nshppc.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	nshmips.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
	harm4.elf	Get hash	malicious	Unknown	Browse	217.28.130.41
FREE-NET-ASFREEnetEU	x86.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	owari.mips.elf	Get hash	malicious	Unknown	Browse	147.45.234.212
	pdusf6w2SJ.exe	Get hash	malicious	RedLine	Browse	147.45.44.221
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	file.exe	Get hash	malicious	DanaBot	Browse	193.233.232.101
	xd.spc.elf	Get hash	malicious	Mirai	Browse	193.233.234.114
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.37538862369473
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mips.elf
File size:	89'128 bytes
MD5:	d850a5c9d7caf7be1d875e3a90fea5b4
SHA1:	54f3a547cacd7d93148e828f5021416ee59267e9
SHA256:	c45913e08630068df6ba21fdeeb332fe5ff1dd75469f23dda35c39f7ba3f74bf
SHA512:	cc03ef29f7e0046fd692d0020f073a06d7d47ec7dc57668aeeba863a62fca68699dc9ef3b53dff35f159d6b3a9ca58e54429a9b03754236f956ea5c5d7138cf0
SSDEEP:	1536:Qe9lKfE4K2oWC9OFXOF3dFywMfjxmeGroierkJ7BsL1:ZIfr2WCoVmewoqBsZ
TLSH:	4193C71E6E218FEDF768C23047B74A31A75923D623E1D685E2ACD6101F7024E585FFA8
File Content Preview:	.ELF.....................@.`...4..Y......4. ...(.............@...@....E...E...............P..EP..EP.......Zh........dt.Q............................<...'..L...!'.......................<...'..(...!... ....'9... ......................<...'......!........'9-

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	88568
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x12ca0	0x0	0x6	AX	16
.fini	PROGBITS	0x412dc0	0x12dc0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x412e20	0x12e20	0x1790	0x0	0x2	A	16
.ctors	PROGBITS	0x455000	0x15000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x455008	0x15008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x455014	0x15014	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x455020	0x15020	0x3c8	0x0	0x3	WA	16
.got	PROGBITS	0x4553f0	0x153f0	0x5a4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x455994	0x15994	0x20	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4559c0	0x15994	0x50a8	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xc2a	0x15994	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x15994	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x145b0	0x145b0	5.5162	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x15000	0x455000	0x455000	0x994	0x5a68	3.8564	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 21:11:50.599426985 CET	43928	443	192.168.2.23	91.189.91.42
Nov 21, 2024 21:11:50.841958046 CET	34898	2473	192.168.2.23	209.141.61.182
Nov 21, 2024 21:11:50.962625027 CET	2473	34898	209.141.61.182	192.168.2.23
Nov 21, 2024 21:11:50.962713003 CET	34898	2473	192.168.2.23	209.141.61.182
Nov 21, 2024 21:11:50.962977886 CET	34898	2473	192.168.2.23	209.141.61.182
Nov 21, 2024 21:11:50.991390944 CET	48896	2473	192.168.2.23	193.233.193.45
Nov 21, 2024 21:11:51.084230900 CET	2473	34898	209.141.61.182	192.168.2.23
Nov 21, 2024 21:11:51.084295988 CET	34898	2473	192.168.2.23	209.141.61.182
Nov 21, 2024 21:11:51.111337900 CET	2473	48896	193.233.193.45	192.168.2.23
Nov 21, 2024 21:11:51.111407995 CET	48896	2473	192.168.2.23	193.233.193.45
Nov 21, 2024 21:11:51.111843109 CET	48896	2473	192.168.2.23	193.233.193.45
Nov 21, 2024 21:11:51.204663038 CET	2473	34898	209.141.61.182	192.168.2.23
Nov 21, 2024 21:11:51.232319117 CET	2473	48896	193.233.193.45	192.168.2.23
Nov 21, 2024 21:11:51.232382059 CET	48896	2473	192.168.2.23	193.233.193.45
Nov 21, 2024 21:11:51.353154898 CET	2473	48896	193.233.193.45	192.168.2.23
Nov 21, 2024 21:11:52.234594107 CET	2473	34898	209.141.61.182	192.168.2.23
Nov 21, 2024 21:11:52.234677076 CET	34898	2473	192.168.2.23	209.141.61.182
Nov 21, 2024 21:11:52.234896898 CET	34898	2473	192.168.2.23	209.141.61.182
Nov 21, 2024 21:11:53.714854956 CET	2473	48896	193.233.193.45	192.168.2.23
Nov 21, 2024 21:11:53.715141058 CET	48896	2473	192.168.2.23	193.233.193.45
Nov 21, 2024 21:11:53.715141058 CET	48896	2473	192.168.2.23	193.233.193.45
Nov 21, 2024 21:11:53.834794998 CET	2473	48896	193.233.193.45	192.168.2.23
Nov 21, 2024 21:11:56.230647087 CET	42836	443	192.168.2.23	91.189.91.43
Nov 21, 2024 21:11:57.254507065 CET	42516	80	192.168.2.23	109.202.202.202
Nov 21, 2024 21:11:57.501033068 CET	54014	19703	192.168.2.23	45.140.168.235
Nov 21, 2024 21:11:57.620790005 CET	19703	54014	45.140.168.235	192.168.2.23
Nov 21, 2024 21:11:57.620876074 CET	54014	19703	192.168.2.23	45.140.168.235
Nov 21, 2024 21:11:57.620954037 CET	54014	19703	192.168.2.23	45.140.168.235
Nov 21, 2024 21:11:57.740727901 CET	19703	54014	45.140.168.235	192.168.2.23
Nov 21, 2024 21:11:57.740787029 CET	54014	19703	192.168.2.23	45.140.168.235
Nov 21, 2024 21:11:57.861346960 CET	19703	54014	45.140.168.235	192.168.2.23
Nov 21, 2024 21:11:58.975240946 CET	47572	5821	192.168.2.23	5.39.254.71
Nov 21, 2024 21:11:59.095181942 CET	5821	47572	5.39.254.71	192.168.2.23
Nov 21, 2024 21:11:59.095252991 CET	47572	5821	192.168.2.23	5.39.254.71
Nov 21, 2024 21:11:59.095280886 CET	47572	5821	192.168.2.23	5.39.254.71
Nov 21, 2024 21:11:59.214808941 CET	5821	47572	5.39.254.71	192.168.2.23
Nov 21, 2024 21:11:59.214864016 CET	47572	5821	192.168.2.23	5.39.254.71
Nov 21, 2024 21:11:59.334405899 CET	5821	47572	5.39.254.71	192.168.2.23
Nov 21, 2024 21:11:59.337301970 CET	19703	54014	45.140.168.235	192.168.2.23
Nov 21, 2024 21:11:59.337374926 CET	54014	19703	192.168.2.23	45.140.168.235
Nov 21, 2024 21:11:59.337412119 CET	54014	19703	192.168.2.23	45.140.168.235
Nov 21, 2024 21:12:01.761590004 CET	5821	47572	5.39.254.71	192.168.2.23
Nov 21, 2024 21:12:01.761671066 CET	47572	5821	192.168.2.23	5.39.254.71
Nov 21, 2024 21:12:01.761774063 CET	47572	5821	192.168.2.23	5.39.254.71
Nov 21, 2024 21:12:04.989805937 CET	60860	10427	192.168.2.23	209.141.44.226
Nov 21, 2024 21:12:05.109652042 CET	10427	60860	209.141.44.226	192.168.2.23
Nov 21, 2024 21:12:05.109740019 CET	60860	10427	192.168.2.23	209.141.44.226
Nov 21, 2024 21:12:05.109776974 CET	60860	10427	192.168.2.23	209.141.44.226
Nov 21, 2024 21:12:05.288017988 CET	10427	60860	209.141.44.226	192.168.2.23
Nov 21, 2024 21:12:05.288115978 CET	60860	10427	192.168.2.23	209.141.44.226
Nov 21, 2024 21:12:05.407860994 CET	10427	60860	209.141.44.226	192.168.2.23
Nov 21, 2024 21:12:07.409612894 CET	51696	25400	192.168.2.23	198.98.49.215
Nov 21, 2024 21:12:07.529315948 CET	25400	51696	198.98.49.215	192.168.2.23
Nov 21, 2024 21:12:07.529417992 CET	51696	25400	192.168.2.23	198.98.49.215
Nov 21, 2024 21:12:07.529463053 CET	51696	25400	192.168.2.23	198.98.49.215
Nov 21, 2024 21:12:07.649404049 CET	25400	51696	198.98.49.215	192.168.2.23
Nov 21, 2024 21:12:07.649499893 CET	51696	25400	192.168.2.23	198.98.49.215
Nov 21, 2024 21:12:07.769283056 CET	25400	51696	198.98.49.215	192.168.2.23
Nov 21, 2024 21:12:11.588511944 CET	43928	443	192.168.2.23	91.189.91.42
Nov 21, 2024 21:12:15.116128922 CET	60860	10427	192.168.2.23	209.141.44.226
Nov 21, 2024 21:12:15.235912085 CET	10427	60860	209.141.44.226	192.168.2.23
Nov 21, 2024 21:12:17.535805941 CET	51696	25400	192.168.2.23	198.98.49.215
Nov 21, 2024 21:12:17.655487061 CET	25400	51696	198.98.49.215	192.168.2.23
Nov 21, 2024 21:12:21.827104092 CET	42836	443	192.168.2.23	91.189.91.43
Nov 21, 2024 21:12:27.085839033 CET	10427	60860	209.141.44.226	192.168.2.23
Nov 21, 2024 21:12:27.086018085 CET	60860	10427	192.168.2.23	209.141.44.226
Nov 21, 2024 21:12:27.206073046 CET	10427	60860	209.141.44.226	192.168.2.23
Nov 21, 2024 21:12:27.970248938 CET	42516	80	192.168.2.23	109.202.202.202
Nov 21, 2024 21:12:29.467164040 CET	25400	51696	198.98.49.215	192.168.2.23
Nov 21, 2024 21:12:29.467298985 CET	51696	25400	192.168.2.23	198.98.49.215
Nov 21, 2024 21:12:29.587534904 CET	25400	51696	198.98.49.215	192.168.2.23
Nov 21, 2024 21:12:32.331540108 CET	48928	19120	192.168.2.23	31.13.248.13
Nov 21, 2024 21:12:32.451148987 CET	19120	48928	31.13.248.13	192.168.2.23
Nov 21, 2024 21:12:32.451266050 CET	48928	19120	192.168.2.23	31.13.248.13
Nov 21, 2024 21:12:32.451316118 CET	48928	19120	192.168.2.23	31.13.248.13
Nov 21, 2024 21:12:32.571719885 CET	19120	48928	31.13.248.13	192.168.2.23
Nov 21, 2024 21:12:32.571912050 CET	48928	19120	192.168.2.23	31.13.248.13
Nov 21, 2024 21:12:32.691576004 CET	19120	48928	31.13.248.13	192.168.2.23
Nov 21, 2024 21:12:34.081949949 CET	19120	48928	31.13.248.13	192.168.2.23
Nov 21, 2024 21:12:34.082181931 CET	48928	19120	192.168.2.23	31.13.248.13
Nov 21, 2024 21:12:34.082217932 CET	48928	19120	192.168.2.23	31.13.248.13
Nov 21, 2024 21:12:34.713882923 CET	55798	10793	192.168.2.23	209.141.57.98
Nov 21, 2024 21:12:34.833767891 CET	10793	55798	209.141.57.98	192.168.2.23
Nov 21, 2024 21:12:34.833903074 CET	55798	10793	192.168.2.23	209.141.57.98
Nov 21, 2024 21:12:34.833951950 CET	55798	10793	192.168.2.23	209.141.57.98
Nov 21, 2024 21:12:35.201298952 CET	55798	10793	192.168.2.23	209.141.57.98
Nov 21, 2024 21:12:35.457977057 CET	10793	55798	209.141.57.98	192.168.2.23
Nov 21, 2024 21:12:35.458009005 CET	10793	55798	209.141.57.98	192.168.2.23
Nov 21, 2024 21:12:39.543901920 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:12:39.663894892 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:12:39.664052010 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:12:39.664052010 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:12:39.785015106 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:12:39.785177946 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:12:39.905659914 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:12:52.546926022 CET	43928	443	192.168.2.23	91.189.91.42
Nov 21, 2024 21:12:57.289406061 CET	10793	55798	209.141.57.98	192.168.2.23
Nov 21, 2024 21:12:57.289676905 CET	55798	10793	192.168.2.23	209.141.57.98
Nov 21, 2024 21:12:57.409934044 CET	10793	55798	209.141.57.98	192.168.2.23
Nov 21, 2024 21:13:02.567065954 CET	34056	23801	192.168.2.23	5.39.254.71
Nov 21, 2024 21:13:02.687897921 CET	23801	34056	5.39.254.71	192.168.2.23
Nov 21, 2024 21:13:02.688031912 CET	34056	23801	192.168.2.23	5.39.254.71
Nov 21, 2024 21:13:02.688066959 CET	34056	23801	192.168.2.23	5.39.254.71
Nov 21, 2024 21:13:02.808209896 CET	23801	34056	5.39.254.71	192.168.2.23
Nov 21, 2024 21:13:02.808427095 CET	34056	23801	192.168.2.23	5.39.254.71
Nov 21, 2024 21:13:02.929780960 CET	23801	34056	5.39.254.71	192.168.2.23
Nov 21, 2024 21:13:04.218192101 CET	23801	34056	5.39.254.71	192.168.2.23
Nov 21, 2024 21:13:04.218384981 CET	34056	23801	192.168.2.23	5.39.254.71
Nov 21, 2024 21:13:04.218430996 CET	34056	23801	192.168.2.23	5.39.254.71
Nov 21, 2024 21:13:09.526355982 CET	58600	24908	192.168.2.23	205.185.114.79
Nov 21, 2024 21:13:09.646056890 CET	24908	58600	205.185.114.79	192.168.2.23
Nov 21, 2024 21:13:09.646195889 CET	58600	24908	192.168.2.23	205.185.114.79
Nov 21, 2024 21:13:09.646267891 CET	58600	24908	192.168.2.23	205.185.114.79
Nov 21, 2024 21:13:09.767219067 CET	24908	58600	205.185.114.79	192.168.2.23
Nov 21, 2024 21:13:09.767395020 CET	58600	24908	192.168.2.23	205.185.114.79
Nov 21, 2024 21:13:09.888283014 CET	24908	58600	205.185.114.79	192.168.2.23
Nov 21, 2024 21:13:13.020143032 CET	42836	443	192.168.2.23	91.189.91.43
Nov 21, 2024 21:13:31.618221998 CET	24908	58600	205.185.114.79	192.168.2.23
Nov 21, 2024 21:13:31.618455887 CET	58600	24908	192.168.2.23	205.185.114.79
Nov 21, 2024 21:13:31.739711046 CET	24908	58600	205.185.114.79	192.168.2.23
Nov 21, 2024 21:13:36.880171061 CET	51444	6485	192.168.2.23	88.151.195.22
Nov 21, 2024 21:13:37.001044989 CET	6485	51444	88.151.195.22	192.168.2.23
Nov 21, 2024 21:13:37.001302958 CET	51444	6485	192.168.2.23	88.151.195.22
Nov 21, 2024 21:13:37.001394987 CET	51444	6485	192.168.2.23	88.151.195.22
Nov 21, 2024 21:13:37.122203112 CET	6485	51444	88.151.195.22	192.168.2.23
Nov 21, 2024 21:13:37.122526884 CET	51444	6485	192.168.2.23	88.151.195.22
Nov 21, 2024 21:13:37.243576050 CET	6485	51444	88.151.195.22	192.168.2.23
Nov 21, 2024 21:13:49.711110115 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:13:49.831948996 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:13:50.333625078 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:13:50.333898067 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:13:58.980887890 CET	6485	51444	88.151.195.22	192.168.2.23
Nov 21, 2024 21:13:58.981262922 CET	51444	6485	192.168.2.23	88.151.195.22
Nov 21, 2024 21:13:59.101325989 CET	6485	51444	88.151.195.22	192.168.2.23
Nov 21, 2024 21:14:04.225457907 CET	41010	2829	192.168.2.23	38.114.100.142
Nov 21, 2024 21:14:04.345913887 CET	2829	41010	38.114.100.142	192.168.2.23
Nov 21, 2024 21:14:04.346052885 CET	41010	2829	192.168.2.23	38.114.100.142
Nov 21, 2024 21:14:04.346215010 CET	41010	2829	192.168.2.23	38.114.100.142
Nov 21, 2024 21:14:04.465826988 CET	2829	41010	38.114.100.142	192.168.2.23
Nov 21, 2024 21:14:04.466180086 CET	41010	2829	192.168.2.23	38.114.100.142
Nov 21, 2024 21:14:04.585901022 CET	2829	41010	38.114.100.142	192.168.2.23
Nov 21, 2024 21:14:05.642404079 CET	2829	41010	38.114.100.142	192.168.2.23
Nov 21, 2024 21:14:05.642667055 CET	41010	2829	192.168.2.23	38.114.100.142
Nov 21, 2024 21:14:05.642667055 CET	41010	2829	192.168.2.23	38.114.100.142
Nov 21, 2024 21:14:10.878395081 CET	46042	20520	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:11.004486084 CET	20520	46042	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:11.004802942 CET	46042	20520	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:11.004956961 CET	46042	20520	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:11.130700111 CET	20520	46042	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:11.130917072 CET	46042	20520	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:11.252563000 CET	20520	46042	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:21.005593061 CET	46042	20520	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:21.125801086 CET	20520	46042	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:32.954037905 CET	20520	46042	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:32.954397917 CET	46042	20520	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:33.074197054 CET	20520	46042	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:38.208585024 CET	35954	3238	192.168.2.23	91.149.238.18
Nov 21, 2024 21:14:38.328418016 CET	3238	35954	91.149.238.18	192.168.2.23
Nov 21, 2024 21:14:38.328615904 CET	35954	3238	192.168.2.23	91.149.238.18
Nov 21, 2024 21:14:38.328615904 CET	35954	3238	192.168.2.23	91.149.238.18
Nov 21, 2024 21:14:38.448870897 CET	3238	35954	91.149.238.18	192.168.2.23
Nov 21, 2024 21:14:38.449059010 CET	35954	3238	192.168.2.23	91.149.238.18
Nov 21, 2024 21:14:38.569988966 CET	3238	35954	91.149.238.18	192.168.2.23
Nov 21, 2024 21:14:40.508325100 CET	3238	35954	91.149.238.18	192.168.2.23
Nov 21, 2024 21:14:40.508625984 CET	35954	3238	192.168.2.23	91.149.238.18
Nov 21, 2024 21:14:40.628289938 CET	3238	35954	91.149.238.18	192.168.2.23
Nov 21, 2024 21:14:46.248372078 CET	50980	13438	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:46.368313074 CET	13438	50980	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:46.368442059 CET	50980	13438	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:46.368500948 CET	50980	13438	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:46.491693974 CET	13438	50980	81.29.149.178	192.168.2.23
Nov 21, 2024 21:14:46.491816044 CET	50980	13438	192.168.2.23	81.29.149.178
Nov 21, 2024 21:14:46.618464947 CET	13438	50980	81.29.149.178	192.168.2.23
Nov 21, 2024 21:15:08.329833031 CET	13438	50980	81.29.149.178	192.168.2.23
Nov 21, 2024 21:15:08.330163956 CET	50980	13438	192.168.2.23	81.29.149.178
Nov 21, 2024 21:15:08.450268030 CET	13438	50980	81.29.149.178	192.168.2.23
Nov 21, 2024 21:15:10.379968882 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:15:10.500133038 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:15:10.994498014 CET	1739	48930	45.147.200.148	192.168.2.23
Nov 21, 2024 21:15:10.994689941 CET	48930	1739	192.168.2.23	45.147.200.148
Nov 21, 2024 21:15:13.580516100 CET	33882	14042	192.168.2.23	217.28.130.41
Nov 21, 2024 21:15:13.703018904 CET	14042	33882	217.28.130.41	192.168.2.23
Nov 21, 2024 21:15:13.703393936 CET	33882	14042	192.168.2.23	217.28.130.41
Nov 21, 2024 21:15:13.703393936 CET	33882	14042	192.168.2.23	217.28.130.41
Nov 21, 2024 21:15:13.826718092 CET	14042	33882	217.28.130.41	192.168.2.23
Nov 21, 2024 21:15:13.827264071 CET	33882	14042	192.168.2.23	217.28.130.41
Nov 21, 2024 21:15:13.954041958 CET	14042	33882	217.28.130.41	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 21:11:50.595194101 CET	39085	53	192.168.2.23	81.169.136.222
Nov 21, 2024 21:11:50.746087074 CET	57996	53	192.168.2.23	81.169.136.222
Nov 21, 2024 21:11:50.839258909 CET	53	39085	81.169.136.222	192.168.2.23
Nov 21, 2024 21:11:50.989804983 CET	53	57996	81.169.136.222	192.168.2.23
Nov 21, 2024 21:11:57.247224092 CET	52775	53	192.168.2.23	80.152.203.134
Nov 21, 2024 21:11:57.499103069 CET	53	52775	80.152.203.134	192.168.2.23
Nov 21, 2024 21:11:58.717382908 CET	53195	53	192.168.2.23	80.152.203.134
Nov 21, 2024 21:11:58.972589970 CET	53	53195	80.152.203.134	192.168.2.23
Nov 21, 2024 21:12:04.339016914 CET	52810	53	192.168.2.23	194.36.144.87
Nov 21, 2024 21:12:04.585726023 CET	53	52810	194.36.144.87	192.168.2.23
Nov 21, 2024 21:12:04.586780071 CET	51530	53	192.168.2.23	168.138.12.137
Nov 21, 2024 21:12:04.989254951 CET	53	51530	168.138.12.137	192.168.2.23
Nov 21, 2024 21:12:06.763169050 CET	44631	53	192.168.2.23	194.36.144.87
Nov 21, 2024 21:12:07.009711981 CET	53	44631	194.36.144.87	192.168.2.23
Nov 21, 2024 21:12:07.010631084 CET	47201	53	192.168.2.23	168.138.12.137
Nov 21, 2024 21:12:07.408879042 CET	53	47201	168.138.12.137	192.168.2.23
Nov 21, 2024 21:12:32.087244987 CET	41062	53	192.168.2.23	81.169.136.222
Nov 21, 2024 21:12:32.330804110 CET	53	41062	81.169.136.222	192.168.2.23
Nov 21, 2024 21:12:34.468498945 CET	38929	53	192.168.2.23	81.169.136.222
Nov 21, 2024 21:12:34.713088036 CET	53	38929	81.169.136.222	192.168.2.23
Nov 21, 2024 21:12:39.085246086 CET	48869	53	192.168.2.23	109.91.184.21
Nov 21, 2024 21:12:39.543087959 CET	53	48869	109.91.184.21	192.168.2.23
Nov 21, 2024 21:13:02.293087006 CET	42183	53	192.168.2.23	109.91.184.21
Nov 21, 2024 21:13:02.566138983 CET	53	42183	109.91.184.21	192.168.2.23
Nov 21, 2024 21:13:09.221952915 CET	41015	53	192.168.2.23	168.235.111.72
Nov 21, 2024 21:13:09.525322914 CET	53	41015	168.235.111.72	192.168.2.23
Nov 21, 2024 21:13:36.621978998 CET	43713	53	192.168.2.23	185.181.61.24
Nov 21, 2024 21:13:36.878694057 CET	53	43713	185.181.61.24	192.168.2.23
Nov 21, 2024 21:14:03.984500885 CET	45855	53	192.168.2.23	81.169.136.222
Nov 21, 2024 21:14:04.224391937 CET	53	45855	81.169.136.222	192.168.2.23
Nov 21, 2024 21:14:10.646173000 CET	47868	53	192.168.2.23	213.202.211.221
Nov 21, 2024 21:14:10.877048016 CET	53	47868	213.202.211.221	192.168.2.23
Nov 21, 2024 21:14:37.956909895 CET	36171	53	192.168.2.23	80.152.203.134
Nov 21, 2024 21:14:38.207855940 CET	53	36171	80.152.203.134	192.168.2.23
Nov 21, 2024 21:14:45.511301041 CET	41835	53	192.168.2.23	152.53.15.127
Nov 21, 2024 21:14:45.759183884 CET	53	41835	152.53.15.127	192.168.2.23
Nov 21, 2024 21:14:45.760164976 CET	58572	53	192.168.2.23	152.53.15.127
Nov 21, 2024 21:14:46.007472038 CET	53	58572	152.53.15.127	192.168.2.23
Nov 21, 2024 21:14:46.009114027 CET	40275	53	192.168.2.23	217.160.70.42
Nov 21, 2024 21:14:46.247508049 CET	53	40275	217.160.70.42	192.168.2.23
Nov 21, 2024 21:15:13.334750891 CET	59704	53	192.168.2.23	81.169.136.222
Nov 21, 2024 21:15:13.579047918 CET	53	59704	81.169.136.222	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 21:11:50.595194101 CET	192.168.2.23	81.169.136.222	0xf1fe	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:11:50.746087074 CET	192.168.2.23	81.169.136.222	0xf1fe	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:11:57.247224092 CET	192.168.2.23	80.152.203.134	0xe0f3	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:11:58.717382908 CET	192.168.2.23	80.152.203.134	0xe0f3	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:04.339016914 CET	192.168.2.23	194.36.144.87	0x3b24	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:04.586780071 CET	192.168.2.23	168.138.12.137	0xc7cd	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:06.763169050 CET	192.168.2.23	194.36.144.87	0x3b24	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:07.010631084 CET	192.168.2.23	168.138.12.137	0xc7cd	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:32.087244987 CET	192.168.2.23	81.169.136.222	0x3c22	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:34.468498945 CET	192.168.2.23	81.169.136.222	0x3c22	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:12:39.085246086 CET	192.168.2.23	109.91.184.21	0xc999	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:13:02.293087006 CET	192.168.2.23	109.91.184.21	0xc999	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:13:09.221952915 CET	192.168.2.23	168.235.111.72	0xbf99	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:13:36.621978998 CET	192.168.2.23	185.181.61.24	0x3a9a	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:14:03.984500885 CET	192.168.2.23	81.169.136.222	0x7cf0	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:14:10.646173000 CET	192.168.2.23	213.202.211.221	0x42a9	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:14:37.956909895 CET	192.168.2.23	80.152.203.134	0x2f8	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:14:45.511301041 CET	192.168.2.23	152.53.15.127	0x9c30	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:14:45.760164976 CET	192.168.2.23	152.53.15.127	0x5c1b	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:14:46.009114027 CET	192.168.2.23	217.160.70.42	0xfbce	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 21:15:13.334750891 CET	192.168.2.23	81.169.136.222	0x3131	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: mips.elf PID: 6240, Parent PID: 6163

General

Start time (UTC):	20:11:49
Start date (UTC):	21/11/2024
Path:	/tmp/mips.elf
Arguments:	/tmp/mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 6242, Parent PID: 6240

General

Start time (UTC):	20:11:49
Start date (UTC):	21/11/2024
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 6296, Parent PID: 6242

General

Start time (UTC):	20:11:49
Start date (UTC):	21/11/2024
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 6297, Parent PID: 6242

General

Start time (UTC):	20:11:49
Start date (UTC):	21/11/2024
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 6244, Parent PID: 6240

General

Start time (UTC):	20:11:49
Start date (UTC):	21/11/2024
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 6252, Parent PID: 6240

General

Start time (UTC):	20:11:49
Start date (UTC):	21/11/2024
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

System Behavior

Analysis Process: mips.elf PID: 6240, Parent PID: 6163

General

Chronological Activities

Analysis Process: mips.elf PID: 6242, Parent PID: 6240

General

Chronological Activities

Analysis Process: mips.elf PID: 6296, Parent PID: 6242

General

Chronological Activities

Analysis Process: mips.elf PID: 6297, Parent PID: 6242

General

Chronological Activities

Analysis Process: mips.elf PID: 6244, Parent PID: 6240

General

Chronological Activities

Analysis Process: mips.elf PID: 6252, Parent PID: 6240

General

Chronological Activities

Linux Analysis Report
mips.elf