Edit tour

Linux Analysis Report
harm5.elf

Overview

General Information

Sample name:	harm5.elf
Analysis ID:	1564145
MD5:	10b53524fa891efe7bbf4af08d98bae0
SHA1:	ab849de6c89068afae4f771ac2cf3dacece0f275
SHA256:	d5aa0a87aef6811e32b9c3bea638e3c977e2957f4757f7732487aba463bb983b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564145
Start date and time:	2024-11-27 22:06:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	harm5.elf
Detection:	MAL
Classification:	mal48.troj.linELF@0/0@16/0

Warnings

VT rate limit hit for: harm5.elf

Runtime Messages

Command:	/tmp/harm5.elf
PID:	5435
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	I jun ok ter my cats, man.
Standard Error:

Process Tree

system is lnxubuntu20

harm5.elf (PID: 5435, Parent: 5357, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/harm5.elf

harm5.elf New Fork (PID: 5437, Parent: 5435)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 194.58.66.131 ports 7116,15660,0,1,5,6
Source: global traffic	TCP traffic: 5.39.254.71 ports 19761,8269,1,6,7,9
Source: global traffic	TCP traffic: 103.136.150.114 ports 19364,1,3,4,6,9

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: hikvision.geek. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: shitrocket.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: catlovingfools.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.13:39502 -> 194.58.66.131:15660
Source: global traffic	TCP traffic: 192.168.2.13:49620 -> 45.147.200.148:3783
Source: global traffic	TCP traffic: 192.168.2.13:52496 -> 5.39.254.71:19761
Source: global traffic	TCP traffic: 192.168.2.13:33474 -> 45.140.168.235:10310
Source: global traffic	TCP traffic: 192.168.2.13:39282 -> 103.136.150.114:19364

Source: /tmp/harm5.elf (PID: 5435)

Socket: 127.0.0.1:1172

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 45.147.200.148
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 194.58.66.131
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 45.140.168.235
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 5.39.254.71
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.150.114

Source: global traffic	DNS traffic detected: DNS query: hikvision.geek
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek
Source: global traffic	DNS traffic detected: DNS query: hikvision.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catvision.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: catlovingfools.geek. [malformed]
Source: global traffic	DNS traffic detected: DNS query: shitrocket.dyn

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.troj.linELF@0/0@16/0

Source: /tmp/harm5.elf (PID: 5435)

Queries kernel information via 'uname':

Jump to behavior

Source: harm5.elf, 5435.1.0000558575844000.00005585759b9000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: harm5.elf, 5435.1.0000558575844000.00005585759b9000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: harm5.elf, 5435.1.00007ffc92240000.00007ffc92261000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: harm5.elf, 5435.1.00007ffc92240000.00007ffc92261000.rw-.sdmp	Binary or memory string: Qpx86_64/usr/bin/qemu-arm/tmp/harm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/harm5.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
harm5.elf	11%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
catlovingfools.geek. [malformed]	unknown	unknown	true	unknown
catlovingfools.geek	unknown	unknown	true	unknown
shitrocket.dyn	unknown	unknown	true	unknown
hikvision.geek. [malformed]	unknown	unknown	true	unknown
shitrocket.dyn. [malformed]	unknown	unknown	true	unknown
catvision.dyn. [malformed]	unknown	unknown	true	unknown
hikvision.geek	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.58.66.131	unknown	Russian Federation	2118	RELCOM-ASRelcomGroup19022019RU	true
5.39.254.71	unknown	United Kingdom	30938	ABSTATIONwwwabstationnetGB	true
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
103.136.150.114	unknown	Hong Kong	46261	QUICKPACKETUS	true
45.147.200.148	unknown	Russian Federation	51659	ASBAXETRU	false
45.140.168.235	unknown	Russian Federation	51659	ASBAXETRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.39.254.71	mips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	harm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
185.125.190.26	xblkpfZ8Y3.elf	Get hash	malicious	Unknown	Browse
	opt_observer.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	linux_ppc64.elf	Get hash	malicious	Chaos	Browse
	linux_mipsel.elf	Get hash	malicious	Chaos	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	pXdN91.armv4l.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	hidakibest.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	main_x86.elf	Get hash	malicious	Mirai	Browse
	main_arm.elf	Get hash	malicious	Mirai	Browse
103.136.150.114	mips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
45.147.200.148	mips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
45.140.168.235	mips.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	hmips.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ABSTATIONwwwabstationnetGB	mips.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	hmips.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	hmips.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	mips.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	arm7.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	https://blacksaltys.com	Get hash	malicious	Unknown	Browse	5.144.179.245
	https://packedbrick.com	Get hash	malicious	Unknown	Browse	5.144.179.245
	harm5.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	ppc.elf	Get hash	malicious	Unknown	Browse	5.39.254.71
	SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf	Get hash	malicious	Mirai	Browse	103.101.86.128
CANONICAL-ASGB	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	tftp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	xblkpfZ8Y2.elf	Get hash	malicious	Xmrig	Browse	91.189.91.42
	xblkpfZ8Y3.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	dlr.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	dlr.sh4.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
RELCOM-ASRelcomGroup19022019RU	hmips.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	arm7.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	x86.elf	Get hash	malicious	Unknown	Browse	194.58.66.244
	ppc.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	hmips.elf	Get hash	malicious	Unknown	Browse	194.87.30.79
	Supply Contract 12 Additional Agreement to 76_24_.exe	Get hash	malicious	GuLoader, Remcos	Browse	194.58.83.68
	lchs.exe	Get hash	malicious	Quasar	Browse	193.124.33.141
	jKira.arm	Get hash	malicious	Mirai	Browse	195.133.54.44
QUICKPACKETUS	mips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	hmips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	http://server.citierupticx.com/specId/product-mje%EF%BC%A0ml.avio.co.jp	Get hash	malicious	HTMLPhisher	Browse	185.212.70.145
	splarm7.elf	Get hash	malicious	Unknown	Browse	185.209.222.56
	hmips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	arm7.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	x86.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	hmips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	o4QEzeCniw.exe	Get hash	malicious	Unknown	Browse	193.26.115.43
	q1M9Xfi0yC.exe	Get hash	malicious	ScreenConnect Tool	Browse	173.46.80.52

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.002117157241212
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	harm5.elf
File size:	36'796 bytes
MD5:	10b53524fa891efe7bbf4af08d98bae0
SHA1:	ab849de6c89068afae4f771ac2cf3dacece0f275
SHA256:	d5aa0a87aef6811e32b9c3bea638e3c977e2957f4757f7732487aba463bb983b
SHA512:	8ba616447527e11b0b71d8902283b47f32634bced3f0e30f05650b8f4124a542aee8686cc89b85368c9722ad79fbbd0b9c105daafd9567764246654f49f2ce76
SSDEEP:	768:gm6N8JIkGnCIIAdC1R9J26NQp6T8bZFEXH:HuI79JEETA8
TLSH:	D0F22A81FD918A17CAD4127BBA1E82CD37271368D2EF7303DA166F21338A96B0D77641
File Content Preview:	.ELF...a..........(.........4...........4. ...(.....................,...,...............,...,...,........$..........Q.td..................................-...L."....!..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	36356
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x879c	0x0	0x6	AX	16
.fini	PROGBITS	0x1084c	0x884c	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x10860	0x8860	0x1c8	0x0	0x2	A	4
.eh_frame	PROGBITS	0x10a28	0x8a28	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x18a2c	0x8a2c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x18a34	0x8a34	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x18a40	0x8a40	0x37c	0x0	0x3	WA	4
.bss	NOBITS	0x18dbc	0x8dbc	0x2140	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x8dbc	0x48	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x8a2c	0x8a2c	6.0605	0x5	R E	0x8000	.init .text .fini .rodata .eh_frame
LOAD	0x8a2c	0x18a2c	0x18a2c	0x390	0x24d0	2.6878	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 22:06:41.834783077 CET	39502	15660	192.168.2.13	194.58.66.131
Nov 27, 2024 22:06:41.954912901 CET	15660	39502	194.58.66.131	192.168.2.13
Nov 27, 2024 22:06:41.955046892 CET	39502	15660	192.168.2.13	194.58.66.131
Nov 27, 2024 22:06:41.955208063 CET	39502	15660	192.168.2.13	194.58.66.131
Nov 27, 2024 22:06:42.075396061 CET	15660	39502	194.58.66.131	192.168.2.13
Nov 27, 2024 22:06:42.075565100 CET	39502	15660	192.168.2.13	194.58.66.131
Nov 27, 2024 22:06:42.195943117 CET	15660	39502	194.58.66.131	192.168.2.13
Nov 27, 2024 22:06:43.497401953 CET	15660	39502	194.58.66.131	192.168.2.13
Nov 27, 2024 22:06:43.497620106 CET	39502	15660	192.168.2.13	194.58.66.131
Nov 27, 2024 22:06:43.497772932 CET	39502	15660	192.168.2.13	194.58.66.131
Nov 27, 2024 22:06:48.760375977 CET	49620	3783	192.168.2.13	45.147.200.148
Nov 27, 2024 22:06:48.880383015 CET	3783	49620	45.147.200.148	192.168.2.13
Nov 27, 2024 22:06:48.880500078 CET	49620	3783	192.168.2.13	45.147.200.148
Nov 27, 2024 22:06:48.880830050 CET	49620	3783	192.168.2.13	45.147.200.148
Nov 27, 2024 22:06:49.000803947 CET	3783	49620	45.147.200.148	192.168.2.13
Nov 27, 2024 22:06:49.001017094 CET	49620	3783	192.168.2.13	45.147.200.148
Nov 27, 2024 22:06:49.121925116 CET	3783	49620	45.147.200.148	192.168.2.13
Nov 27, 2024 22:06:50.520010948 CET	3783	49620	45.147.200.148	192.168.2.13
Nov 27, 2024 22:06:50.520201921 CET	49620	3783	192.168.2.13	45.147.200.148
Nov 27, 2024 22:06:50.520257950 CET	49620	3783	192.168.2.13	45.147.200.148
Nov 27, 2024 22:06:52.013361931 CET	48202	443	192.168.2.13	185.125.190.26
Nov 27, 2024 22:06:55.798105955 CET	52496	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:06:55.918436050 CET	19761	52496	5.39.254.71	192.168.2.13
Nov 27, 2024 22:06:55.918684959 CET	52496	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:06:55.918766022 CET	52496	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:06:56.039819956 CET	19761	52496	5.39.254.71	192.168.2.13
Nov 27, 2024 22:06:56.040024042 CET	52496	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:06:56.160235882 CET	19761	52496	5.39.254.71	192.168.2.13
Nov 27, 2024 22:06:57.402301073 CET	19761	52496	5.39.254.71	192.168.2.13
Nov 27, 2024 22:06:57.402518034 CET	52496	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:06:57.402595043 CET	52496	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:03.518412113 CET	52498	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:03.638509989 CET	19761	52498	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:03.638731956 CET	52498	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:03.639065981 CET	52498	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:03.758966923 CET	19761	52498	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:03.759316921 CET	52498	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:03.879421949 CET	19761	52498	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:05.169406891 CET	19761	52498	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:05.169656038 CET	52498	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:05.169656038 CET	52498	19761	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:11.177704096 CET	45634	7116	192.168.2.13	194.58.66.131
Nov 27, 2024 22:07:11.298011065 CET	7116	45634	194.58.66.131	192.168.2.13
Nov 27, 2024 22:07:11.298258066 CET	45634	7116	192.168.2.13	194.58.66.131
Nov 27, 2024 22:07:11.298358917 CET	45634	7116	192.168.2.13	194.58.66.131
Nov 27, 2024 22:07:11.418302059 CET	7116	45634	194.58.66.131	192.168.2.13
Nov 27, 2024 22:07:11.418546915 CET	45634	7116	192.168.2.13	194.58.66.131
Nov 27, 2024 22:07:11.538554907 CET	7116	45634	194.58.66.131	192.168.2.13
Nov 27, 2024 22:07:12.928306103 CET	7116	45634	194.58.66.131	192.168.2.13
Nov 27, 2024 22:07:12.928661108 CET	45634	7116	192.168.2.13	194.58.66.131
Nov 27, 2024 22:07:12.928806067 CET	45634	7116	192.168.2.13	194.58.66.131
Nov 27, 2024 22:07:18.167069912 CET	33474	10310	192.168.2.13	45.140.168.235
Nov 27, 2024 22:07:18.287125111 CET	10310	33474	45.140.168.235	192.168.2.13
Nov 27, 2024 22:07:18.287410975 CET	33474	10310	192.168.2.13	45.140.168.235
Nov 27, 2024 22:07:18.287497044 CET	33474	10310	192.168.2.13	45.140.168.235
Nov 27, 2024 22:07:18.409389019 CET	10310	33474	45.140.168.235	192.168.2.13
Nov 27, 2024 22:07:18.409548998 CET	33474	10310	192.168.2.13	45.140.168.235
Nov 27, 2024 22:07:18.529553890 CET	10310	33474	45.140.168.235	192.168.2.13
Nov 27, 2024 22:07:19.986732960 CET	10310	33474	45.140.168.235	192.168.2.13
Nov 27, 2024 22:07:19.987096071 CET	33474	10310	192.168.2.13	45.140.168.235
Nov 27, 2024 22:07:19.987554073 CET	33474	10310	192.168.2.13	45.140.168.235
Nov 27, 2024 22:07:22.989490032 CET	48202	443	192.168.2.13	185.125.190.26
Nov 27, 2024 22:07:30.246385098 CET	32774	8269	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:30.366331100 CET	8269	32774	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:30.366624117 CET	32774	8269	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:30.366678953 CET	32774	8269	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:30.489294052 CET	8269	32774	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:30.489461899 CET	32774	8269	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:30.612838984 CET	8269	32774	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:31.853458881 CET	8269	32774	5.39.254.71	192.168.2.13
Nov 27, 2024 22:07:31.853688955 CET	32774	8269	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:31.853708029 CET	32774	8269	192.168.2.13	5.39.254.71
Nov 27, 2024 22:07:37.096368074 CET	39282	19364	192.168.2.13	103.136.150.114
Nov 27, 2024 22:07:37.217128038 CET	19364	39282	103.136.150.114	192.168.2.13
Nov 27, 2024 22:07:37.217206955 CET	39282	19364	192.168.2.13	103.136.150.114
Nov 27, 2024 22:07:37.217225075 CET	39282	19364	192.168.2.13	103.136.150.114
Nov 27, 2024 22:07:37.337587118 CET	19364	39282	103.136.150.114	192.168.2.13
Nov 27, 2024 22:07:37.337804079 CET	39282	19364	192.168.2.13	103.136.150.114
Nov 27, 2024 22:07:37.462390900 CET	19364	39282	103.136.150.114	192.168.2.13
Nov 27, 2024 22:07:39.199804068 CET	19364	39282	103.136.150.114	192.168.2.13
Nov 27, 2024 22:07:39.200017929 CET	39282	19364	192.168.2.13	103.136.150.114
Nov 27, 2024 22:07:39.200017929 CET	39282	19364	192.168.2.13	103.136.150.114
Nov 27, 2024 22:07:44.451719046 CET	59922	22093	192.168.2.13	45.147.200.148
Nov 27, 2024 22:07:44.571682930 CET	22093	59922	45.147.200.148	192.168.2.13
Nov 27, 2024 22:07:44.571965933 CET	59922	22093	192.168.2.13	45.147.200.148
Nov 27, 2024 22:07:44.572052956 CET	59922	22093	192.168.2.13	45.147.200.148
Nov 27, 2024 22:07:44.692488909 CET	22093	59922	45.147.200.148	192.168.2.13
Nov 27, 2024 22:07:44.692671061 CET	59922	22093	192.168.2.13	45.147.200.148
Nov 27, 2024 22:07:44.812695980 CET	22093	59922	45.147.200.148	192.168.2.13
Nov 27, 2024 22:07:54.580857038 CET	59922	22093	192.168.2.13	45.147.200.148
Nov 27, 2024 22:07:54.701272964 CET	22093	59922	45.147.200.148	192.168.2.13
Nov 27, 2024 22:07:55.187732935 CET	22093	59922	45.147.200.148	192.168.2.13
Nov 27, 2024 22:07:55.187915087 CET	59922	22093	192.168.2.13	45.147.200.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 22:06:41.581583977 CET	56036	53	192.168.2.13	202.61.197.122
Nov 27, 2024 22:06:41.833098888 CET	53	56036	202.61.197.122	192.168.2.13
Nov 27, 2024 22:06:48.500421047 CET	57685	53	192.168.2.13	194.36.144.87
Nov 27, 2024 22:06:48.759342909 CET	53	57685	194.36.144.87	192.168.2.13
Nov 27, 2024 22:06:55.522733927 CET	46609	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:06:55.796818018 CET	53	46609	109.91.184.21	192.168.2.13
Nov 27, 2024 22:07:02.405632973 CET	60249	53	192.168.2.13	51.158.108.203
Nov 27, 2024 22:07:02.654331923 CET	53	60249	51.158.108.203	192.168.2.13
Nov 27, 2024 22:07:02.656310081 CET	57211	53	192.168.2.13	152.53.15.127
Nov 27, 2024 22:07:02.901088953 CET	53	57211	152.53.15.127	192.168.2.13
Nov 27, 2024 22:07:02.903276920 CET	44608	53	192.168.2.13	109.91.184.21
Nov 27, 2024 22:07:03.264084101 CET	53	44608	109.91.184.21	192.168.2.13
Nov 27, 2024 22:07:03.266000986 CET	58091	53	192.168.2.13	152.53.15.127
Nov 27, 2024 22:07:03.517174006 CET	53	58091	152.53.15.127	192.168.2.13
Nov 27, 2024 22:07:10.171791077 CET	44337	53	192.168.2.13	152.53.15.127
Nov 27, 2024 22:07:10.426228046 CET	53	44337	152.53.15.127	192.168.2.13
Nov 27, 2024 22:07:10.427282095 CET	58018	53	192.168.2.13	51.158.108.203
Nov 27, 2024 22:07:10.676275969 CET	53	58018	51.158.108.203	192.168.2.13
Nov 27, 2024 22:07:10.677373886 CET	37682	53	192.168.2.13	185.181.61.24
Nov 27, 2024 22:07:10.935777903 CET	53	37682	185.181.61.24	192.168.2.13
Nov 27, 2024 22:07:10.936778069 CET	49009	53	192.168.2.13	81.169.136.222
Nov 27, 2024 22:07:11.176799059 CET	53	49009	81.169.136.222	192.168.2.13
Nov 27, 2024 22:07:17.932404995 CET	58635	53	192.168.2.13	213.202.211.221
Nov 27, 2024 22:07:18.165884018 CET	53	58635	213.202.211.221	192.168.2.13
Nov 27, 2024 22:07:24.989886045 CET	44132	53	192.168.2.13	168.138.12.137
Nov 27, 2024 22:07:29.995938063 CET	36024	53	192.168.2.13	194.36.144.87
Nov 27, 2024 22:07:30.245814085 CET	53	36024	194.36.144.87	192.168.2.13
Nov 27, 2024 22:07:36.856554031 CET	40773	53	192.168.2.13	217.160.70.42
Nov 27, 2024 22:07:37.095699072 CET	53	40773	217.160.70.42	192.168.2.13
Nov 27, 2024 22:07:44.202359915 CET	36211	53	192.168.2.13	51.158.108.203
Nov 27, 2024 22:07:44.450886011 CET	53	36211	51.158.108.203	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2024 22:06:41.581583977 CET	192.168.2.13	202.61.197.122	0xf329	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:06:48.500421047 CET	192.168.2.13	194.36.144.87	0xf21	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:06:55.522733927 CET	192.168.2.13	109.91.184.21	0x5f0c	Standard query (0)	catlovingfools.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:02.405632973 CET	192.168.2.13	51.158.108.203	0x6097	Standard query (0)	hikvision.geek. [malformed]	256	502	false
Nov 27, 2024 22:07:02.656310081 CET	192.168.2.13	152.53.15.127	0x170	Standard query (0)	shitrocket.dyn. [malformed]	256	502	false
Nov 27, 2024 22:07:02.903276920 CET	192.168.2.13	109.91.184.21	0x478a	Standard query (0)	catvision.dyn. [malformed]	256	503	false
Nov 27, 2024 22:07:03.266000986 CET	192.168.2.13	152.53.15.127	0xc8b	Standard query (0)	catlovingfools.geek. [malformed]	256	503	false
Nov 27, 2024 22:07:10.171791077 CET	192.168.2.13	152.53.15.127	0x45e3	Standard query (0)	shitrocket.dyn. [malformed]	256	510	false
Nov 27, 2024 22:07:10.427282095 CET	192.168.2.13	51.158.108.203	0x2f47	Standard query (0)	catlovingfools.geek. [malformed]	256	510	false
Nov 27, 2024 22:07:10.677373886 CET	192.168.2.13	185.181.61.24	0xc008	Standard query (0)	catvision.dyn. [malformed]	256	510	false
Nov 27, 2024 22:07:10.936778069 CET	192.168.2.13	81.169.136.222	0x55b1	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:17.932404995 CET	192.168.2.13	213.202.211.221	0xdcb1	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:24.989886045 CET	192.168.2.13	168.138.12.137	0x6dae	Standard query (0)	catvision.dyn. [malformed]	256	273	false
Nov 27, 2024 22:07:29.995938063 CET	192.168.2.13	194.36.144.87	0xd842	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:36.856554031 CET	192.168.2.13	217.160.70.42	0x2c20	Standard query (0)	shitrocket.dyn	A (IP address)	IN (0x0001)	false
Nov 27, 2024 22:07:44.202359915 CET	192.168.2.13	51.158.108.203	0x6774	Standard query (0)	hikvision.geek	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2024 22:07:02.654331923 CET	51.158.108.203	192.168.2.13	0x6097	Format error (1)	hikvision.geek. [malformed]	none	none	256	502	false
Nov 27, 2024 22:07:02.901088953 CET	152.53.15.127	192.168.2.13	0x170	Format error (1)	shitrocket.dyn. [malformed]	none	none	256	502	false
Nov 27, 2024 22:07:03.264084101 CET	109.91.184.21	192.168.2.13	0x478a	Format error (1)	catvision.dyn. [malformed]	none	none	256	503	false
Nov 27, 2024 22:07:03.517174006 CET	152.53.15.127	192.168.2.13	0xc8b	Format error (1)	catlovingfools.geek. [malformed]	none	none	256	503	false
Nov 27, 2024 22:07:10.426228046 CET	152.53.15.127	192.168.2.13	0x45e3	Format error (1)	shitrocket.dyn. [malformed]	none	none	256	510	false
Nov 27, 2024 22:07:10.676275969 CET	51.158.108.203	192.168.2.13	0x2f47	Format error (1)	catlovingfools.geek. [malformed]	none	none	256	510	false

System Behavior

Analysis Process: harm5.elf PID: 5435, Parent PID: 5357

General

Start time (UTC):	21:06:40
Start date (UTC):	27/11/2024
Path:	/tmp/harm5.elf
Arguments:	/tmp/harm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: harm5.elf PID: 5437, Parent PID: 5435

General

Start time (UTC):	21:06:40
Start date (UTC):	27/11/2024
Path:	/tmp/harm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report harm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: harm5.elf PID: 5435, Parent PID: 5357

General

Chronological Activities

Analysis Process: harm5.elf PID: 5437, Parent PID: 5435

General

Chronological Activities

Linux Analysis Report
harm5.elf