Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:	ppc.elf
Analysis ID:	1560542
MD5:	8a6c13121946059448cbb13347274282
SHA1:	694a112f75581af97eba3b2fa69656f86a330fe3
SHA256:	5777c2748ccc72669e094fa2bed241ed9c18d053defe7fb39be29d1b575fcbb0
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560542
Start date and time:	2024-11-21 22:57:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	ppc.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@38/0

Warnings

VT rate limit hit for: ppc.elf

Runtime Messages

Command:	/tmp/ppc.elf
PID:	5532
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	you are now apart of hail cock botnet
Standard Error:

Process Tree

system is lnxubuntu20

ppc.elf (PID: 5532, Parent: 5451, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf

ppc.elf New Fork (PID: 5534, Parent: 5532)

ppc.elf New Fork (PID: 5579, Parent: 5534)

ppc.elf New Fork (PID: 5581, Parent: 5534)

ppc.elf New Fork (PID: 5535, Parent: 5532)

ppc.elf New Fork (PID: 5536, Parent: 5532)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ppc.elf

ReversingLabs: Detection: 15%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 209.141.61.182 ports 17543,0,2,4,24880,8
Source: global traffic	TCP traffic: 193.233.193.45 ports 10928,0,1,2,8,9
Source: global traffic	TCP traffic: 27.102.118.110 ports 23966,2,3,6,9,13124
Source: global traffic	TCP traffic: 107.189.8.204 ports 1,2,4,6,8,14268
Source: global traffic	TCP traffic: 198.98.49.215 ports 5124,1,5,7,9,15779
Source: global traffic	TCP traffic: 195.133.53.106 ports 16073,0,1,3,6,7
Source: global traffic	TCP traffic: 45.147.200.148 ports 16087,0,1,6,7,8

Source: global traffic	TCP traffic: 192.168.2.15:33024 -> 209.141.49.186:12114
Source: global traffic	TCP traffic: 192.168.2.15:41296 -> 205.185.114.79:21183
Source: global traffic	TCP traffic: 192.168.2.15:42698 -> 38.114.100.142:21183
Source: global traffic	TCP traffic: 192.168.2.15:52134 -> 198.98.49.215:15779
Source: global traffic	TCP traffic: 192.168.2.15:54852 -> 193.233.193.45:10928
Source: global traffic	TCP traffic: 192.168.2.15:60882 -> 27.102.118.110:23966
Source: global traffic	TCP traffic: 192.168.2.15:47390 -> 31.13.248.89:14247
Source: global traffic	TCP traffic: 192.168.2.15:46348 -> 88.151.195.22:3861
Source: global traffic	TCP traffic: 192.168.2.15:36242 -> 81.29.149.178:4013
Source: global traffic	TCP traffic: 192.168.2.15:59908 -> 209.141.61.182:24880
Source: global traffic	TCP traffic: 192.168.2.15:50414 -> 107.189.8.204:14268
Source: global traffic	TCP traffic: 192.168.2.15:59512 -> 176.32.39.112:8212
Source: global traffic	TCP traffic: 192.168.2.15:53000 -> 195.133.53.106:16073
Source: global traffic	TCP traffic: 192.168.2.15:47308 -> 45.147.200.148:16087
Source: global traffic	TCP traffic: 192.168.2.15:43786 -> 86.107.100.80:13441
Source: global traffic	TCP traffic: 192.168.2.15:33874 -> 89.32.41.42:3237

Source: /tmp/ppc.elf (PID: 5532)

Socket: 127.0.0.1:1172

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.49.186
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.114.79
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.114.79
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.114.79
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.114.79
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 38.114.100.142
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.114.79
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.49.215
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.193.45
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.102.118.110
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.89
Source: unknown	TCP traffic detected without corresponding DNS query: 31.13.248.89

Source: global traffic	DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@38/0

Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5660/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5650/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5661/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5651/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5662/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5630/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5652/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5663/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5653/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5664/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5629/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5368/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5654/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5665/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5655/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5666/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5656/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5667/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5657/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5658/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5579)	File opened: /proc/5659/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5581/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5660/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5661/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5662/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5663/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5620/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5664/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5654/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5655/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5633/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5656/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5579/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5657/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5658/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5659/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5571/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5650/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5651/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5652/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5653/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5368/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5665/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5666/status	Jump to behavior
Source: /tmp/ppc.elf (PID: 5535)	File opened: /proc/5667/status	Jump to behavior

Source: /tmp/ppc.elf (PID: 5532)

Queries kernel information via 'uname':

Jump to behavior

Source: ppc.elf, 5532.1.00007fff5374d000.00007fff5376e000.rw-.sdmp, ppc.elf, 5534.1.00007fff5374d000.00007fff5376e000.rw-.sdmp	Binary or memory string: 8x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 5532.1.000056470f028000.000056470f0d8000.rw-.sdmp, ppc.elf, 5534.1.000056470f028000.000056470f0d8000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: ppc.elf, 5534.1.000056470f028000.000056470f0d8000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: ppc.elf, 5532.1.000056470f028000.000056470f0d8000.rw-.sdmp, ppc.elf, 5534.1.000056470f028000.000056470f0d8000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 5532.1.00007fff5374d000.00007fff5376e000.rw-.sdmp, ppc.elf, 5534.1.00007fff5374d000.00007fff5376e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: ppc.elf, 5534.1.000056470f028000.000056470f0d8000.rw-.sdmp	Binary or memory string: !/proc/1509/exe0!/usr/bin/vmtoolsd1/usr/libexec/at-spi-bus-launcherK

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ppc.elf	16%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high
kingstonwikkerink.dyn	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.233.193.45	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
27.102.118.110	unknown	Korea Republic of	45996	GNJ-AS-KRDAOUTECHNOLOGYKR	true
31.13.248.89	unknown	Bulgaria	34224	NETERRA-ASBG	false
86.107.100.80	unknown	Romania	38995	AMG-ASRO	false
198.98.49.215	unknown	United States	53667	PONYNETUS	true
88.151.195.22	unknown	Azerbaijan	15723	AZERONLINEAZ	false
195.133.53.106	unknown	Russian Federation	21453	FLEX-ASRU	true
81.29.149.178	unknown	Switzerland	39616	COMUNICA_IT_SERVICESCH	false
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	true
38.114.100.142	unknown	United States	22926	AS-WISPERUS	false
209.141.61.182	unknown	United States	53667	PONYNETUS	true
107.189.8.204	unknown	United States	53667	PONYNETUS	true
176.32.39.112	unknown	Russian Federation	51659	ASBAXETRU	false
209.141.49.186	unknown	United States	53667	PONYNETUS	false
205.185.114.79	unknown	United States	53667	PONYNETUS	false
89.32.41.42	unknown	Romania	48874	HOSTMAZEHOSTMAZERO	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
198.98.49.215	mips.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
88.151.195.22	mips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
	nshppc.elf	Get hash	malicious	Unknown	Browse
	nshmips.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
193.233.193.45	mips.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
	nsharm5.elf	Get hash	malicious	Unknown	Browse
	nsharm.elf	Get hash	malicious	Unknown	Browse
27.102.118.110	arm5.elf	Get hash	malicious	Unknown	Browse
27.102.118.110	ppc.elf	Get hash	malicious	Unknown	Browse
31.13.248.89	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	nshsh4.elf	Get hash	malicious	Unknown	Browse
86.107.100.80	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	harm4.elf	Get hash	malicious	Unknown	Browse
	nsharm7.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	anarchy.m68k.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	anarchy.ppc.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	anarchy.arm5.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	anarchy.mips.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	anarchy.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	anarchy.mpsl.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	anarchy.sh4.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETERRA-ASBG	mips.elf	Get hash	malicious	Unknown	Browse	31.13.248.13
	arm7.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	x86.elf	Get hash	malicious	Unknown	Browse	31.13.248.13
	ppc.elf	Get hash	malicious	Unknown	Browse	31.13.248.13
	hmips.elf	Get hash	malicious	Unknown	Browse	31.13.248.13
	medk.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	87.120.37.120
	tab.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	87.120.37.120
	arm5.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	arm7.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
	arm.elf	Get hash	malicious	Unknown	Browse	31.13.248.89
GNJ-AS-KRDAOUTECHNOLOGYKR	arm7.elf	Get hash	malicious	Unknown	Browse	27.102.118.111
	x86.elf	Get hash	malicious	Unknown	Browse	27.102.118.111
	arm5.elf	Get hash	malicious	Unknown	Browse	27.102.118.110
	ppc.elf	Get hash	malicious	Unknown	Browse	27.102.118.111
	sh4.elf	Get hash	malicious	Mirai	Browse	14.129.24.157
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	1.18.64.186
	arm5.elf	Get hash	malicious	Mirai	Browse	1.17.85.123
	sh4.elf	Get hash	malicious	Mirai	Browse	1.17.85.151
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	115.71.116.179
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	27.102.158.214
AMG-ASRO	ppc.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	hmips.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	arm5.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	mips.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	arm7.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	arm.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	harm4.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	harm5.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	harm4.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
	nsharm7.elf	Get hash	malicious	Unknown	Browse	86.107.100.80
FREE-NET-ASFREEnetEU	mips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	x86.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	owari.mips.elf	Get hash	malicious	Unknown	Browse	147.45.234.212
	pdusf6w2SJ.exe	Get hash	malicious	RedLine	Browse	147.45.44.221
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	file.exe	Get hash	malicious	DanaBot	Browse	193.233.232.101
	xd.spc.elf	Get hash	malicious	Mirai	Browse	193.233.234.114
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.193012166219038
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	ppc.elf
File size:	67'016 bytes
MD5:	8a6c13121946059448cbb13347274282
SHA1:	694a112f75581af97eba3b2fa69656f86a330fe3
SHA256:	5777c2748ccc72669e094fa2bed241ed9c18d053defe7fb39be29d1b575fcbb0
SHA512:	e5b84f57cc46f9c9d344c2d8a0d7ea10a112e80d93abfce6b213db73833631d309237c261b2bc99f0232717920da6b3044b0c59c24cbfa52252e8ee531c9556a
SSDEEP:	1536:DsHTu/NRvEk+C7HOwrNFdUfIO5JrcMM/bhR9QS:DwOHxefIO5FcDqS
TLSH:	93633B42B31C0D47D1635DB03A3F27D193AEA9D122E4E684751FAB4692B2E321586FCD
File Content Preview:	.ELF...........................4.........4. ...(.......................T...T..............................S.........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.............../...@..\?........+../...A..$8...})......N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	66536
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xe814	0x0	0x6	AX	4
.fini	PROGBITS	0x1000e8cc	0xe8cc	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000e8f0	0xe8f0	0x1664	0x0	0x2	A	8
.ctors	PROGBITS	0x10010000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x10010008	0x10008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x10010018	0x10018	0x344	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001035c	0x1035c	0x40	0x0	0x3	WA	4
.sbss	NOBITS	0x1001039c	0x1039c	0x70	0x0	0x3	WA	4
.bss	NOBITS	0x1001040c	0x1039c	0x4fec	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1039c	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xff54	0xff54	6.2518	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x10000	0x10010000	0x10010000	0x39c	0x53f8	2.9386	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 22:58:28.026174068 CET	33024	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.141356945 CET	33026	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.145714998 CET	12114	33024	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:28.145766973 CET	33024	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.145991087 CET	33024	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.261006117 CET	12114	33026	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:28.261060953 CET	33026	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.261287928 CET	33026	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.265412092 CET	12114	33024	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:28.265455008 CET	33024	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.380738974 CET	12114	33026	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:28.380800962 CET	33026	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:28.384880066 CET	12114	33024	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:28.500365973 CET	12114	33026	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:38.153624058 CET	33024	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:38.269619942 CET	33026	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:38.273437023 CET	12114	33024	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:38.389326096 CET	12114	33026	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:50.158885956 CET	12114	33024	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:50.159101009 CET	33024	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:50.221409082 CET	12114	33026	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:50.221550941 CET	33026	12114	192.168.2.15	209.141.49.186
Nov 21, 2024 22:58:50.278593063 CET	12114	33024	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:50.340970039 CET	12114	33026	209.141.49.186	192.168.2.15
Nov 21, 2024 22:58:55.936469078 CET	41296	21183	192.168.2.15	205.185.114.79
Nov 21, 2024 22:58:55.966957092 CET	42698	21183	192.168.2.15	38.114.100.142
Nov 21, 2024 22:58:56.055938959 CET	21183	41296	205.185.114.79	192.168.2.15
Nov 21, 2024 22:58:56.056019068 CET	41296	21183	192.168.2.15	205.185.114.79
Nov 21, 2024 22:58:56.056046963 CET	41296	21183	192.168.2.15	205.185.114.79
Nov 21, 2024 22:58:56.086677074 CET	21183	42698	38.114.100.142	192.168.2.15
Nov 21, 2024 22:58:56.086741924 CET	42698	21183	192.168.2.15	38.114.100.142
Nov 21, 2024 22:58:56.086770058 CET	42698	21183	192.168.2.15	38.114.100.142
Nov 21, 2024 22:58:56.175486088 CET	21183	41296	205.185.114.79	192.168.2.15
Nov 21, 2024 22:58:56.175581932 CET	41296	21183	192.168.2.15	205.185.114.79
Nov 21, 2024 22:58:56.206718922 CET	21183	42698	38.114.100.142	192.168.2.15
Nov 21, 2024 22:58:56.206788063 CET	42698	21183	192.168.2.15	38.114.100.142
Nov 21, 2024 22:58:56.297080994 CET	21183	41296	205.185.114.79	192.168.2.15
Nov 21, 2024 22:58:56.327500105 CET	21183	42698	38.114.100.142	192.168.2.15
Nov 21, 2024 22:58:57.397454023 CET	21183	42698	38.114.100.142	192.168.2.15
Nov 21, 2024 22:58:57.397545099 CET	42698	21183	192.168.2.15	38.114.100.142
Nov 21, 2024 22:58:57.397620916 CET	42698	21183	192.168.2.15	38.114.100.142
Nov 21, 2024 22:59:02.659833908 CET	52134	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:02.779337883 CET	15779	52134	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:02.779393911 CET	52134	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:02.779431105 CET	52134	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:02.899049997 CET	15779	52134	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:02.899100065 CET	52134	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:03.018534899 CET	15779	52134	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:18.003235102 CET	21183	41296	205.185.114.79	192.168.2.15
Nov 21, 2024 22:59:18.003474951 CET	41296	21183	192.168.2.15	205.185.114.79
Nov 21, 2024 22:59:18.123194933 CET	21183	41296	205.185.114.79	192.168.2.15
Nov 21, 2024 22:59:23.269421101 CET	54852	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:23.389117002 CET	10928	54852	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:23.389355898 CET	54852	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:23.389355898 CET	54852	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:23.509077072 CET	10928	54852	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:23.509303093 CET	54852	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:23.628968954 CET	10928	54852	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:24.737903118 CET	15779	52134	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:24.738282919 CET	52134	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:24.857937098 CET	15779	52134	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:25.995465040 CET	10928	54852	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:25.995796919 CET	54852	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:26.115464926 CET	10928	54852	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:45.010843992 CET	52138	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:45.131372929 CET	15779	52138	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:45.131508112 CET	52138	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:45.131556034 CET	52138	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:45.251187086 CET	15779	52138	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:45.251363039 CET	52138	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 22:59:45.370920897 CET	15779	52138	198.98.49.215	192.168.2.15
Nov 21, 2024 22:59:46.258541107 CET	54856	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:46.378355980 CET	10928	54856	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:46.378711939 CET	54856	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:46.378712893 CET	54856	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:46.498852015 CET	10928	54856	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:46.499151945 CET	54856	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:46.618727922 CET	10928	54856	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:49.055900097 CET	10928	54856	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:49.056197882 CET	54856	10928	192.168.2.15	193.233.193.45
Nov 21, 2024 22:59:49.175721884 CET	10928	54856	193.233.193.45	192.168.2.15
Nov 21, 2024 22:59:54.316421986 CET	60882	23966	192.168.2.15	27.102.118.110
Nov 21, 2024 22:59:54.436265945 CET	23966	60882	27.102.118.110	192.168.2.15
Nov 21, 2024 22:59:54.436450005 CET	60882	23966	192.168.2.15	27.102.118.110
Nov 21, 2024 22:59:54.436511040 CET	60882	23966	192.168.2.15	27.102.118.110
Nov 21, 2024 22:59:54.556085110 CET	23966	60882	27.102.118.110	192.168.2.15
Nov 21, 2024 22:59:54.556328058 CET	60882	23966	192.168.2.15	27.102.118.110
Nov 21, 2024 22:59:54.676367044 CET	23966	60882	27.102.118.110	192.168.2.15
Nov 21, 2024 22:59:56.280641079 CET	23966	60882	27.102.118.110	192.168.2.15
Nov 21, 2024 22:59:56.280834913 CET	60882	23966	192.168.2.15	27.102.118.110
Nov 21, 2024 22:59:56.281104088 CET	60882	23966	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:01.529092073 CET	47390	14247	192.168.2.15	31.13.248.89
Nov 21, 2024 23:00:01.648643017 CET	14247	47390	31.13.248.89	192.168.2.15
Nov 21, 2024 23:00:01.648773909 CET	47390	14247	192.168.2.15	31.13.248.89
Nov 21, 2024 23:00:01.648806095 CET	47390	14247	192.168.2.15	31.13.248.89
Nov 21, 2024 23:00:01.768419981 CET	14247	47390	31.13.248.89	192.168.2.15
Nov 21, 2024 23:00:01.768630028 CET	47390	14247	192.168.2.15	31.13.248.89
Nov 21, 2024 23:00:01.888142109 CET	14247	47390	31.13.248.89	192.168.2.15
Nov 21, 2024 23:00:03.929936886 CET	14247	47390	31.13.248.89	192.168.2.15
Nov 21, 2024 23:00:03.930175066 CET	47390	14247	192.168.2.15	31.13.248.89
Nov 21, 2024 23:00:04.049616098 CET	14247	47390	31.13.248.89	192.168.2.15
Nov 21, 2024 23:00:07.098246098 CET	15779	52138	198.98.49.215	192.168.2.15
Nov 21, 2024 23:00:07.098418951 CET	52138	15779	192.168.2.15	198.98.49.215
Nov 21, 2024 23:00:07.217901945 CET	15779	52138	198.98.49.215	192.168.2.15
Nov 21, 2024 23:00:12.362464905 CET	35112	13124	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:12.482033968 CET	13124	35112	27.102.118.110	192.168.2.15
Nov 21, 2024 23:00:12.482146025 CET	35112	13124	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:12.482287884 CET	35112	13124	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:12.601771116 CET	13124	35112	27.102.118.110	192.168.2.15
Nov 21, 2024 23:00:12.601902008 CET	35112	13124	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:12.721539021 CET	13124	35112	27.102.118.110	192.168.2.15
Nov 21, 2024 23:00:14.349885941 CET	13124	35112	27.102.118.110	192.168.2.15
Nov 21, 2024 23:00:14.350127935 CET	35112	13124	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:14.350127935 CET	35112	13124	192.168.2.15	27.102.118.110
Nov 21, 2024 23:00:14.419869900 CET	46348	3861	192.168.2.15	88.151.195.22
Nov 21, 2024 23:00:14.539582968 CET	3861	46348	88.151.195.22	192.168.2.15
Nov 21, 2024 23:00:14.539777994 CET	46348	3861	192.168.2.15	88.151.195.22
Nov 21, 2024 23:00:14.539841890 CET	46348	3861	192.168.2.15	88.151.195.22
Nov 21, 2024 23:00:14.659472942 CET	3861	46348	88.151.195.22	192.168.2.15
Nov 21, 2024 23:00:14.659569979 CET	46348	3861	192.168.2.15	88.151.195.22
Nov 21, 2024 23:00:14.778991938 CET	3861	46348	88.151.195.22	192.168.2.15
Nov 21, 2024 23:00:19.596034050 CET	36242	4013	192.168.2.15	81.29.149.178
Nov 21, 2024 23:00:19.715557098 CET	4013	36242	81.29.149.178	192.168.2.15
Nov 21, 2024 23:00:19.715692043 CET	36242	4013	192.168.2.15	81.29.149.178
Nov 21, 2024 23:00:19.715764046 CET	36242	4013	192.168.2.15	81.29.149.178
Nov 21, 2024 23:00:19.836756945 CET	4013	36242	81.29.149.178	192.168.2.15
Nov 21, 2024 23:00:19.836863995 CET	36242	4013	192.168.2.15	81.29.149.178
Nov 21, 2024 23:00:19.956568956 CET	4013	36242	81.29.149.178	192.168.2.15
Nov 21, 2024 23:00:36.457916975 CET	3861	46348	88.151.195.22	192.168.2.15
Nov 21, 2024 23:00:36.458218098 CET	46348	3861	192.168.2.15	88.151.195.22
Nov 21, 2024 23:00:36.577841997 CET	3861	46348	88.151.195.22	192.168.2.15
Nov 21, 2024 23:00:41.707967997 CET	4013	36242	81.29.149.178	192.168.2.15
Nov 21, 2024 23:00:41.708204985 CET	36242	4013	192.168.2.15	81.29.149.178
Nov 21, 2024 23:00:41.710556984 CET	59908	24880	192.168.2.15	209.141.61.182
Nov 21, 2024 23:00:41.827754021 CET	4013	36242	81.29.149.178	192.168.2.15
Nov 21, 2024 23:00:41.830204010 CET	24880	59908	209.141.61.182	192.168.2.15
Nov 21, 2024 23:00:41.830311060 CET	59908	24880	192.168.2.15	209.141.61.182
Nov 21, 2024 23:00:41.830430984 CET	59908	24880	192.168.2.15	209.141.61.182
Nov 21, 2024 23:00:41.950093031 CET	24880	59908	209.141.61.182	192.168.2.15
Nov 21, 2024 23:00:41.950406075 CET	59908	24880	192.168.2.15	209.141.61.182
Nov 21, 2024 23:00:42.069938898 CET	24880	59908	209.141.61.182	192.168.2.15
Nov 21, 2024 23:00:43.111526012 CET	24880	59908	209.141.61.182	192.168.2.15
Nov 21, 2024 23:00:43.111852884 CET	59908	24880	192.168.2.15	209.141.61.182
Nov 21, 2024 23:00:43.111934900 CET	59908	24880	192.168.2.15	209.141.61.182
Nov 21, 2024 23:00:48.354237080 CET	48518	5124	192.168.2.15	198.98.49.215
Nov 21, 2024 23:00:48.473767042 CET	5124	48518	198.98.49.215	192.168.2.15
Nov 21, 2024 23:00:48.474015951 CET	48518	5124	192.168.2.15	198.98.49.215
Nov 21, 2024 23:00:48.474077940 CET	48518	5124	192.168.2.15	198.98.49.215
Nov 21, 2024 23:00:48.593543053 CET	5124	48518	198.98.49.215	192.168.2.15
Nov 21, 2024 23:00:48.593729973 CET	48518	5124	192.168.2.15	198.98.49.215
Nov 21, 2024 23:00:48.713222980 CET	5124	48518	198.98.49.215	192.168.2.15
Nov 21, 2024 23:00:52.198591948 CET	50414	14268	192.168.2.15	107.189.8.204
Nov 21, 2024 23:00:52.318423986 CET	14268	50414	107.189.8.204	192.168.2.15
Nov 21, 2024 23:00:52.318520069 CET	50414	14268	192.168.2.15	107.189.8.204
Nov 21, 2024 23:00:52.318583012 CET	50414	14268	192.168.2.15	107.189.8.204
Nov 21, 2024 23:00:52.555819035 CET	14268	50414	107.189.8.204	192.168.2.15
Nov 21, 2024 23:00:52.556309938 CET	50414	14268	192.168.2.15	107.189.8.204
Nov 21, 2024 23:00:52.675865889 CET	14268	50414	107.189.8.204	192.168.2.15
Nov 21, 2024 23:01:02.325742960 CET	50414	14268	192.168.2.15	107.189.8.204
Nov 21, 2024 23:01:02.445245981 CET	14268	50414	107.189.8.204	192.168.2.15
Nov 21, 2024 23:01:10.418121099 CET	5124	48518	198.98.49.215	192.168.2.15
Nov 21, 2024 23:01:10.418373108 CET	48518	5124	192.168.2.15	198.98.49.215
Nov 21, 2024 23:01:10.538139105 CET	5124	48518	198.98.49.215	192.168.2.15
Nov 21, 2024 23:01:14.230855942 CET	14268	50414	107.189.8.204	192.168.2.15
Nov 21, 2024 23:01:14.231244087 CET	50414	14268	192.168.2.15	107.189.8.204
Nov 21, 2024 23:01:14.350766897 CET	14268	50414	107.189.8.204	192.168.2.15
Nov 21, 2024 23:01:15.684628963 CET	59512	8212	192.168.2.15	176.32.39.112
Nov 21, 2024 23:01:15.804344893 CET	8212	59512	176.32.39.112	192.168.2.15
Nov 21, 2024 23:01:15.804461002 CET	59512	8212	192.168.2.15	176.32.39.112
Nov 21, 2024 23:01:15.804461002 CET	59512	8212	192.168.2.15	176.32.39.112
Nov 21, 2024 23:01:15.924108982 CET	8212	59512	176.32.39.112	192.168.2.15
Nov 21, 2024 23:01:15.924221992 CET	59512	8212	192.168.2.15	176.32.39.112
Nov 21, 2024 23:01:16.043838024 CET	8212	59512	176.32.39.112	192.168.2.15
Nov 21, 2024 23:01:17.466444016 CET	8212	59512	176.32.39.112	192.168.2.15
Nov 21, 2024 23:01:17.466542959 CET	59512	8212	192.168.2.15	176.32.39.112
Nov 21, 2024 23:01:17.466620922 CET	59512	8212	192.168.2.15	176.32.39.112
Nov 21, 2024 23:01:19.477777004 CET	53000	16073	192.168.2.15	195.133.53.106
Nov 21, 2024 23:01:19.597573042 CET	16073	53000	195.133.53.106	192.168.2.15
Nov 21, 2024 23:01:19.597712040 CET	53000	16073	192.168.2.15	195.133.53.106
Nov 21, 2024 23:01:19.597712994 CET	53000	16073	192.168.2.15	195.133.53.106
Nov 21, 2024 23:01:19.717647076 CET	16073	53000	195.133.53.106	192.168.2.15
Nov 21, 2024 23:01:19.717824936 CET	53000	16073	192.168.2.15	195.133.53.106
Nov 21, 2024 23:01:19.837625027 CET	16073	53000	195.133.53.106	192.168.2.15
Nov 21, 2024 23:01:21.383691072 CET	16073	53000	195.133.53.106	192.168.2.15
Nov 21, 2024 23:01:21.383904934 CET	53000	16073	192.168.2.15	195.133.53.106
Nov 21, 2024 23:01:21.383904934 CET	53000	16073	192.168.2.15	195.133.53.106
Nov 21, 2024 23:01:22.708501101 CET	47308	16087	192.168.2.15	45.147.200.148
Nov 21, 2024 23:01:22.828180075 CET	16087	47308	45.147.200.148	192.168.2.15
Nov 21, 2024 23:01:22.828275919 CET	47308	16087	192.168.2.15	45.147.200.148
Nov 21, 2024 23:01:22.828296900 CET	47308	16087	192.168.2.15	45.147.200.148
Nov 21, 2024 23:01:22.947962999 CET	16087	47308	45.147.200.148	192.168.2.15
Nov 21, 2024 23:01:22.948033094 CET	47308	16087	192.168.2.15	45.147.200.148
Nov 21, 2024 23:01:23.067650080 CET	16087	47308	45.147.200.148	192.168.2.15
Nov 21, 2024 23:01:24.531569004 CET	16087	47308	45.147.200.148	192.168.2.15
Nov 21, 2024 23:01:24.531800985 CET	47308	16087	192.168.2.15	45.147.200.148
Nov 21, 2024 23:01:24.531800985 CET	47308	16087	192.168.2.15	45.147.200.148
Nov 21, 2024 23:01:26.627125025 CET	50974	17543	192.168.2.15	209.141.61.182
Nov 21, 2024 23:01:26.746751070 CET	17543	50974	209.141.61.182	192.168.2.15
Nov 21, 2024 23:01:26.747004986 CET	50974	17543	192.168.2.15	209.141.61.182
Nov 21, 2024 23:01:26.747004986 CET	50974	17543	192.168.2.15	209.141.61.182
Nov 21, 2024 23:01:26.866630077 CET	17543	50974	209.141.61.182	192.168.2.15
Nov 21, 2024 23:01:26.866735935 CET	50974	17543	192.168.2.15	209.141.61.182
Nov 21, 2024 23:01:26.986257076 CET	17543	50974	209.141.61.182	192.168.2.15
Nov 21, 2024 23:01:29.779470921 CET	43786	13441	192.168.2.15	86.107.100.80
Nov 21, 2024 23:01:29.899045944 CET	13441	43786	86.107.100.80	192.168.2.15
Nov 21, 2024 23:01:29.899194002 CET	43786	13441	192.168.2.15	86.107.100.80
Nov 21, 2024 23:01:29.899281025 CET	43786	13441	192.168.2.15	86.107.100.80
Nov 21, 2024 23:01:30.018991947 CET	13441	43786	86.107.100.80	192.168.2.15
Nov 21, 2024 23:01:30.019128084 CET	43786	13441	192.168.2.15	86.107.100.80
Nov 21, 2024 23:01:30.138689995 CET	13441	43786	86.107.100.80	192.168.2.15
Nov 21, 2024 23:01:39.908723116 CET	43786	13441	192.168.2.15	86.107.100.80
Nov 21, 2024 23:01:40.028364897 CET	13441	43786	86.107.100.80	192.168.2.15
Nov 21, 2024 23:01:51.825468063 CET	13441	43786	86.107.100.80	192.168.2.15
Nov 21, 2024 23:01:51.826245070 CET	43786	13441	192.168.2.15	86.107.100.80
Nov 21, 2024 23:01:51.945787907 CET	13441	43786	86.107.100.80	192.168.2.15
Nov 21, 2024 23:01:57.090082884 CET	33874	3237	192.168.2.15	89.32.41.42
Nov 21, 2024 23:01:57.209671974 CET	3237	33874	89.32.41.42	192.168.2.15
Nov 21, 2024 23:01:57.209799051 CET	33874	3237	192.168.2.15	89.32.41.42
Nov 21, 2024 23:01:57.210050106 CET	33874	3237	192.168.2.15	89.32.41.42
Nov 21, 2024 23:01:57.329577923 CET	3237	33874	89.32.41.42	192.168.2.15
Nov 21, 2024 23:01:57.329699039 CET	33874	3237	192.168.2.15	89.32.41.42
Nov 21, 2024 23:01:57.449265957 CET	3237	33874	89.32.41.42	192.168.2.15
Nov 21, 2024 23:01:59.554346085 CET	3237	33874	89.32.41.42	192.168.2.15
Nov 21, 2024 23:01:59.554497957 CET	33874	3237	192.168.2.15	89.32.41.42
Nov 21, 2024 23:01:59.674241066 CET	3237	33874	89.32.41.42	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 22:58:27.712152958 CET	46483	53	192.168.2.15	168.235.111.72
Nov 21, 2024 22:58:27.841348886 CET	55095	53	192.168.2.15	168.235.111.72
Nov 21, 2024 22:58:28.025309086 CET	53	46483	168.235.111.72	192.168.2.15
Nov 21, 2024 22:58:28.140081882 CET	53	55095	168.235.111.72	192.168.2.15
Nov 21, 2024 22:58:55.189560890 CET	47193	53	192.168.2.15	51.158.108.203
Nov 21, 2024 22:58:55.231400967 CET	44023	53	192.168.2.15	51.158.108.203
Nov 21, 2024 22:58:55.442296982 CET	53	47193	51.158.108.203	192.168.2.15
Nov 21, 2024 22:58:55.443402052 CET	39214	53	192.168.2.15	51.158.108.203
Nov 21, 2024 22:58:55.487888098 CET	53	44023	51.158.108.203	192.168.2.15
Nov 21, 2024 22:58:55.488729954 CET	36624	53	192.168.2.15	51.158.108.203
Nov 21, 2024 22:58:55.696969986 CET	53	39214	51.158.108.203	192.168.2.15
Nov 21, 2024 22:58:55.698113918 CET	36720	53	192.168.2.15	217.160.70.42
Nov 21, 2024 22:58:55.727658987 CET	53	36624	51.158.108.203	192.168.2.15
Nov 21, 2024 22:58:55.728689909 CET	34651	53	192.168.2.15	217.160.70.42
Nov 21, 2024 22:58:55.935959101 CET	53	36720	217.160.70.42	192.168.2.15
Nov 21, 2024 22:58:55.966542006 CET	53	34651	217.160.70.42	192.168.2.15
Nov 21, 2024 22:59:02.399609089 CET	33300	53	192.168.2.15	185.181.61.24
Nov 21, 2024 22:59:02.659239054 CET	53	33300	185.181.61.24	192.168.2.15
Nov 21, 2024 22:59:23.005968094 CET	49627	53	192.168.2.15	185.181.61.24
Nov 21, 2024 22:59:23.268625975 CET	53	49627	185.181.61.24	192.168.2.15
Nov 21, 2024 22:59:29.740999937 CET	55705	53	192.168.2.15	109.91.184.21
Nov 21, 2024 22:59:30.998264074 CET	55312	53	192.168.2.15	109.91.184.21
Nov 21, 2024 22:59:34.745419979 CET	39306	53	192.168.2.15	152.53.15.127
Nov 21, 2024 22:59:34.997785091 CET	53	39306	152.53.15.127	192.168.2.15
Nov 21, 2024 22:59:34.999592066 CET	49537	53	192.168.2.15	109.91.184.21
Nov 21, 2024 22:59:36.001987934 CET	47640	53	192.168.2.15	152.53.15.127
Nov 21, 2024 22:59:36.245817900 CET	53	47640	152.53.15.127	192.168.2.15
Nov 21, 2024 22:59:36.247258902 CET	39284	53	192.168.2.15	109.91.184.21
Nov 21, 2024 22:59:40.005719900 CET	56030	53	192.168.2.15	109.91.184.21
Nov 21, 2024 22:59:41.253492117 CET	60602	53	192.168.2.15	109.91.184.21
Nov 21, 2024 22:59:54.059391975 CET	42431	53	192.168.2.15	185.181.61.24
Nov 21, 2024 22:59:54.315716028 CET	53	42431	185.181.61.24	192.168.2.15
Nov 21, 2024 23:00:01.284449100 CET	50662	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:00:01.527965069 CET	53	50662	81.169.136.222	192.168.2.15
Nov 21, 2024 23:00:08.933535099 CET	34282	53	192.168.2.15	80.152.203.134
Nov 21, 2024 23:00:12.100945950 CET	47611	53	192.168.2.15	185.181.61.24
Nov 21, 2024 23:00:12.361243963 CET	53	47611	185.181.61.24	192.168.2.15
Nov 21, 2024 23:00:13.936474085 CET	46935	53	192.168.2.15	51.158.108.203
Nov 21, 2024 23:00:14.176486015 CET	53	46935	51.158.108.203	192.168.2.15
Nov 21, 2024 23:00:14.178728104 CET	56575	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:00:14.418914080 CET	53	56575	81.169.136.222	192.168.2.15
Nov 21, 2024 23:00:19.353487968 CET	46880	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:00:19.592540979 CET	53	46880	81.169.136.222	192.168.2.15
Nov 21, 2024 23:00:41.460995913 CET	45321	53	192.168.2.15	202.61.197.122
Nov 21, 2024 23:00:41.709733009 CET	53	45321	202.61.197.122	192.168.2.15
Nov 21, 2024 23:00:46.710696936 CET	57133	53	192.168.2.15	80.152.203.134
Nov 21, 2024 23:00:48.114902020 CET	39616	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:00:48.353068113 CET	53	39616	81.169.136.222	192.168.2.15
Nov 21, 2024 23:00:51.715748072 CET	54204	53	192.168.2.15	51.158.108.203
Nov 21, 2024 23:00:51.957670927 CET	53	54204	51.158.108.203	192.168.2.15
Nov 21, 2024 23:00:51.959228039 CET	39577	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:00:52.197762012 CET	53	39577	81.169.136.222	192.168.2.15
Nov 21, 2024 23:01:11.342849016 CET	49331	53	192.168.2.15	1.1.1.1
Nov 21, 2024 23:01:11.342916012 CET	33385	53	192.168.2.15	1.1.1.1
Nov 21, 2024 23:01:11.480772018 CET	53	49331	1.1.1.1	192.168.2.15
Nov 21, 2024 23:01:11.480808020 CET	53	33385	1.1.1.1	192.168.2.15
Nov 21, 2024 23:01:15.420177937 CET	58883	53	192.168.2.15	185.181.61.24
Nov 21, 2024 23:01:15.683942080 CET	53	58883	185.181.61.24	192.168.2.15
Nov 21, 2024 23:01:19.233485937 CET	34240	53	192.168.2.15	202.61.197.122
Nov 21, 2024 23:01:19.476942062 CET	53	34240	202.61.197.122	192.168.2.15
Nov 21, 2024 23:01:22.469373941 CET	38758	53	192.168.2.15	217.160.70.42
Nov 21, 2024 23:01:22.707573891 CET	53	38758	217.160.70.42	192.168.2.15
Nov 21, 2024 23:01:26.387190104 CET	36440	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:01:26.626161098 CET	53	36440	81.169.136.222	192.168.2.15
Nov 21, 2024 23:01:29.534758091 CET	43004	53	192.168.2.15	81.169.136.222
Nov 21, 2024 23:01:29.778525114 CET	53	43004	81.169.136.222	192.168.2.15
Nov 21, 2024 23:01:56.829080105 CET	49598	53	192.168.2.15	185.181.61.24
Nov 21, 2024 23:01:57.089133024 CET	53	49598	185.181.61.24	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 22:58:27.712152958 CET	192.168.2.15	168.235.111.72	0x3a26	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:27.841348886 CET	192.168.2.15	168.235.111.72	0x3a26	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:55.189560890 CET	192.168.2.15	51.158.108.203	0x2742	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:55.231400967 CET	192.168.2.15	51.158.108.203	0x2742	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:55.443402052 CET	192.168.2.15	51.158.108.203	0x901f	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:55.488729954 CET	192.168.2.15	51.158.108.203	0x901f	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:55.698113918 CET	192.168.2.15	217.160.70.42	0xdf56	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:58:55.728689909 CET	192.168.2.15	217.160.70.42	0xdf56	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:02.399609089 CET	192.168.2.15	185.181.61.24	0x614f	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:23.005968094 CET	192.168.2.15	185.181.61.24	0x614f	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:29.740999937 CET	192.168.2.15	109.91.184.21	0x1b71	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:30.998264074 CET	192.168.2.15	109.91.184.21	0x1b71	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:34.745419979 CET	192.168.2.15	152.53.15.127	0x71bc	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:34.999592066 CET	192.168.2.15	109.91.184.21	0xf9c8	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:36.001987934 CET	192.168.2.15	152.53.15.127	0x71bc	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:36.247258902 CET	192.168.2.15	109.91.184.21	0xf9c8	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:40.005719900 CET	192.168.2.15	109.91.184.21	0x8a5c	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:41.253492117 CET	192.168.2.15	109.91.184.21	0x8a5c	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:59:54.059391975 CET	192.168.2.15	185.181.61.24	0xf3f5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:01.284449100 CET	192.168.2.15	81.169.136.222	0xcebd	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:08.933535099 CET	192.168.2.15	80.152.203.134	0x7c72	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:12.100945950 CET	192.168.2.15	185.181.61.24	0xf3f5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:13.936474085 CET	192.168.2.15	51.158.108.203	0xc907	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:14.178728104 CET	192.168.2.15	81.169.136.222	0xb425	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:19.353487968 CET	192.168.2.15	81.169.136.222	0xcebd	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:41.460995913 CET	192.168.2.15	202.61.197.122	0x1d91	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:46.710696936 CET	192.168.2.15	80.152.203.134	0x7c72	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:48.114902020 CET	192.168.2.15	81.169.136.222	0x45e5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:51.715748072 CET	192.168.2.15	51.158.108.203	0xc907	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:00:51.959228039 CET	192.168.2.15	81.169.136.222	0xb425	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:11.342849016 CET	192.168.2.15	1.1.1.1	0x60b9	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:11.342916012 CET	192.168.2.15	1.1.1.1	0xf422	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Nov 21, 2024 23:01:15.420177937 CET	192.168.2.15	185.181.61.24	0xb333	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:19.233485937 CET	192.168.2.15	202.61.197.122	0x1d91	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:22.469373941 CET	192.168.2.15	217.160.70.42	0xe662	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:26.387190104 CET	192.168.2.15	81.169.136.222	0x45e5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:29.534758091 CET	192.168.2.15	81.169.136.222	0x2072	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:56.829080105 CET	192.168.2.15	185.181.61.24	0x81a8	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 23:01:11.480772018 CET	1.1.1.1	192.168.2.15	0x60b9	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Nov 21, 2024 23:01:11.480772018 CET	1.1.1.1	192.168.2.15	0x60b9	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: ppc.elf PID: 5532, Parent PID: 5451

General

Start time (UTC):	21:58:26
Start date (UTC):	21/11/2024
Path:	/tmp/ppc.elf
Arguments:	/tmp/ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 5534, Parent PID: 5532

General

Start time (UTC):	21:58:26
Start date (UTC):	21/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 5579, Parent PID: 5534

General

Start time (UTC):	21:58:26
Start date (UTC):	21/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 5581, Parent PID: 5534

General

Start time (UTC):	21:58:26
Start date (UTC):	21/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 5535, Parent PID: 5532

General

Start time (UTC):	21:58:26
Start date (UTC):	21/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 5536, Parent PID: 5532

General

Start time (UTC):	21:58:26
Start date (UTC):	21/11/2024
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: ppc.elf PID: 5532, Parent PID: 5451

General

Chronological Activities

Analysis Process: ppc.elf PID: 5534, Parent PID: 5532

General

Chronological Activities

Analysis Process: ppc.elf PID: 5579, Parent PID: 5534

General

Chronological Activities

Analysis Process: ppc.elf PID: 5581, Parent PID: 5534

General

Chronological Activities

Analysis Process: ppc.elf PID: 5535, Parent PID: 5532

General

Chronological Activities

Analysis Process: ppc.elf PID: 5536, Parent PID: 5532

General

Chronological Activities

Linux Analysis Report
ppc.elf