Edit tour

Linux Analysis Report
VIVACIOUS_SNOWFLAKE.elf

Overview

General Information

Sample name:	VIVACIOUS_SNOWFLAKE.elf
Analysis ID:	1566973
MD5:	7c6af882f13545df23b5667432a09585
SHA1:	14185f9c8993a45ac670c772831b291dccd067ac
SHA256:	a80f7c3976a5235c6d8f1e86d8540452a30851ec27d34e56017f372732faaea6
Tags:	elfuser-abuse_ch
Infos:

Detection

Sliver

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Sliver Implants

Machine Learning detection for sample

Performs DNS TXT record lookups

Queries the IP of a very long domain name

Connects to many different domains

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566973
Start date and time:	2024-12-02 21:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	VIVACIOUS_SNOWFLAKE.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@38/0

Warnings

VT rate limit hit for: VIVACIOUS_SNOWFLAKE.elf

Runtime Messages

Command:	/tmp/VIVACIOUS_SNOWFLAKE.elf
PID:	6272
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

VIVACIOUS_SNOWFLAKE.elf (PID: 6272, Parent: 6195, MD5: 7c6af882f13545df23b5667432a09585) Arguments: /tmp/VIVACIOUS_SNOWFLAKE.elf

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
VIVACIOUS_SNOWFLAKE.elf	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xb8cc33:$a1: ).RequestResend 0xb8ab26:$a2: ).GetPrivInfo
VIVACIOUS_SNOWFLAKE.elf	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x9028da:$s3: .WGTCPForwarder 0x903e1b:$s3: .WGTCPForwarder 0x906eb8:$s3: .WGTCPForwarder 0x907def:$s3: .WGTCPForwarder 0x90aebf:$s3: .WGTCPForwarder 0x90c5b9:$s3: .WGTCPForwarder 0x8fdbb3:$s6: .BackdoorReq 0x90284a:$s7: .ProcessDumpReq 0x90682b:$s8: .InvokeSpawnDllReq 0x8fa916:$s9: .SpawnDll 0x8fdcc4:$s9: .SpawnDll

Memory Dumps

Source	Rule	Description	Author	Strings
6272.1.000000c000000000.000000c000800000.rw-.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: VIVACIOUS_SNOWFLAKE.elf PID: 6272	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security

Suricata Signatures

ETPRO MALWARE Sliver DNS Base58 Poll Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T21:44:28.482039+0100	2852745	1	Malware Command and Control Activity Detected	192.168.2.23	46635	1.1.1.1	53	UDP

ETPRO MALWARE Sliver DNS SessionInit Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T21:44:11.418401+0100	2852741	1	Malware Command and Control Activity Detected	192.168.2.23	54660	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: VIVACIOUS_SNOWFLAKE.elf

ReversingLabs: Detection: 52%

Machine Learning detection for sample

Source: VIVACIOUS_SNOWFLAKE.elf

Joe Sandbox ML: detected

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852741 - Severity 1 - ETPRO MALWARE Sliver DNS SessionInit Request : 192.168.2.23:54660 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2852745 - Severity 1 - ETPRO MALWARE Sliver DNS Base58 Poll Request : 192.168.2.23:46635 -> 1.1.1.1:53

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: Mw61bELXmC4yq4v2wXRjyJZwrVShKVjMiPmRCUV3ZEM6xxknuxU5BMpxnRFUbHu.FxPfSfyAKA3TXem6R5UPUnsdmvuLmvAWp9W6xPmXMSGemeAqz5RgbjhxBayhy1S.hs3uUMSZ9D8Be2U6GoiriwEWiAcBLSbwRPRREa5jKFzXvcTpTpgjQcnTFH9yXoX.DgnvB7vTsEwLa7NxEuS2mHDM8pbNV9DJV.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: 4CnUTQv52TZRaVn7dcv1gWgz11eyMXBSCf2vqawQhCK8V9upciceSZjSu568FKr.A9CUXP2PtUcQEcWAgGchy6dNGuoEhppe7AAZPRbWtd16QjArhrmGfLktKnBKWx5.SoQ8K4JcSs4dGn5A2cfYqiiUNEqiNxArAaw1QwLH5aSfgNqdGB.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: Mzd7mTh3RK7BTVwGwEFocG9vuCmyuqmS2sAySv8cEY2cQt51vEb3aDCnFQN5DW9.a2X1ifaCd9sJux3PHrS6EtACFowPb71T4bC3WynCuemUssBFJiwH4dQCrJxcN47.Gp2iTWHpKXE86W1gcBT16rjX7NNTmWBrCpNwNzbsEtXH3fGRaqF4YR5ShTV7bGi.bF5vUaaMXd3rupjn76z1ejpH6xkYhjn9q.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: Mzd7mTh3ReJRcSJAWVj2is2y88xRQCYRKRkfsJ73ZkfJajCoeM66KZfF2Qgu8AU.BJsUBFNBnRJGFM2Ak2mfGXp8DfokjLWHZdMbg9A4jWwFsgn7yg1fN2AvgYuY5nZ.feNHGbbevAgLYVWyAqZWc4nXuqxg8GXVK1RiSTRyTG93r1zFSBfTG9wXKUxkp57.So4Z8hyhHhdzW76kNYMnSPX3pukst4NJo.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: xGW6nFo6YzQH6j3RdiMggsgMfNZVaJQiuN8Ezd6sTizxTbf4jwvbgZaSrpMfwrQ.qsk8EHRz1gHmps.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPusGunQMRGTjscuyVWkyZQt9KgdNAoiNdvpb3dsR5PGMKNXMzLr7XZQim6n.xstcgjEMoywwup3a69WxjzVmRGSsqEFcu3tCRTyEgfovAZDSP96NeJQtuhHaHZL.qKhL1XuGbMERpA6J2W2U1dxsY.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPush4meiqhK4ZoWGmmZQVSq3avqPPSiPWg3phVsoQeFcKdzXCZwqfn5s3ia.TNuM65Lu4sQEB9i99zqd8Kh5rSiLwjUZoFDxLyFTqbF3sRhPAZyHFaNFp3eDNtU.5nh7K8CfsTDPVR1LqcWnzCCwY.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPushDk65Fi5P54hjJGgwpqgzmbMR6xH7d12gFFXXwhpZP822UDTNHkLppPf.5uy3yqtwWy8zHcXEMyHYPmHCrKCeXf2mTp51xUeFL5qJHVn12WNb5pX73nQX24S.quYoab3RyKqgYM8zryQjnVaqb.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPushNiuTfJ2t3vRqwWYcVTgCSYV9T44ZsuCPVw5RAdJTDobr8jBhZY7cmf7.xCcnkSTKQbTADbwSPyZ534GE3AY57RqQ41TbEArxhWwQmQDoPqFC6YA7xsgnHoj.hrYHEtqB5ZvDfJUUhe8FzFGpc.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPushXhJq6JmSdsPa2RAARGBmVPtBiiB3bF8NPRGiyQ7vEuEQ5PT1XJCrc1P.Sipm7yrd4nHtqSt8tfs4Hot6oEHWgGJ4UzYDgJagPF9ydKyV8tgFZPNBeECfVqb.yrk9adeQv8PYUeF8xSKdX9sAp.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPushGGAcVkhEPTuckGVnGTN7g4GrHiz5Zx2jTcXbb1cBoNJr1qxAU4N3RRS.FPsvmmY7ZGoeeZFm5iPAge3ev8pHgZNgPzsDiDiKMCEPp5as94UEh1SrtnVxZYw.ypXnpzQhhg7YePCPZ45AH9kT1.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPushqfQZumEVH6g2f8MMmbrKdJgsD2yQ3j1KJeqfKbGYnXEcBZajfpw2HTt.h4tPzgPuP88M69yZjkcwvcTEGAVaHJ7d4fVzjU8ev8psq6CEEJ19aoVFFxwVymF.q8iy5tmkra4RSBCpqM5ciX5u2.0x0000b.fashionspeedy.com
Source: unknown	DNS traffic detected: query: LpgfPushzEewKnT5E86Gd7tiknL7pyH3VNyVT8a1SYaNLNp6MsdxKugY3j9Haf6.DKjreLjsWFryXFYMW4gj6bQe9fsghA2gooKEpYSpRnWMAjc9rMCbxqxtkKCUPar.LFmyX69PfhPLGq8QEH7cKNxfP.0x0000b.fashionspeedy.com

Source: unknown

Network traffic detected: DNS query count 38

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: baakbt7jt8ca.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 11vzd182342743ckeg3rzw6c.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 11vzd182342dt9h897kxynkb.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 11vzd182342f6z7uxjym04yh.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 11vzd182342e7ucw5vjdyeqe.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: U8TLqVrTo6CVBz2wRTTS.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: U8TLqVrTnw9Qd26hM5Vv.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: U8TLqVrTnPtu6t9FixBj.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: U8TLqVrTnxasfkg9urnE.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: Mw61bELXmC4yq4v2wXRjyJZwrVShKVjMiPmRCUV3ZEM6xxknuxU5BMpxnRFUbHu.FxPfSfyAKA3TXem6R5UPUnsdmvuLmvAWp9W6xPmXMSGemeAqz5RgbjhxBayhy1S.hs3uUMSZ9D8Be2U6GoiriwEWiAcBLSbwRPRREa5jKFzXvcTpTpgjQcnTFH9yXoX.DgnvB7vTsEwLa7NxEuS2mHDM8pbNV9DJV.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 4CnUTQv52TZRaVn7dcv1gWgz11eyMXBSCf2vqawQhCK8V9upciceSZjSu568FKr.A9CUXP2PtUcQEcWAgGchy6dNGuoEhppe7AAZPRbWtd16QjArhrmGfLktKnBKWx5.SoQ8K4JcSs4dGn5A2cfYqiiUNEqiNxArAaw1QwLH5aSfgNqdGB.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: Mzd7mTh3RK7BTVwGwEFocG9vuCmyuqmS2sAySv8cEY2cQt51vEb3aDCnFQN5DW9.a2X1ifaCd9sJux3PHrS6EtACFowPb71T4bC3WynCuemUssBFJiwH4dQCrJxcN47.Gp2iTWHpKXE86W1gcBT16rjX7NNTmWBrCpNwNzbsEtXH3fGRaqF4YR5ShTV7bGi.bF5vUaaMXd3rupjn76z1ejpH6xkYhjn9q.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: Mzd7mTh3ReJRcSJAWVj2is2y88xRQCYRKRkfsJ73ZkfJajCoeM66KZfF2Qgu8AU.BJsUBFNBnRJGFM2Ak2mfGXp8DfokjLWHZdMbg9A4jWwFsgn7yg1fN2AvgYuY5nZ.feNHGbbevAgLYVWyAqZWc4nXuqxg8GXVK1RiSTRyTG93r1zFSBfTG9wXKUxkp57.So4Z8hyhHhdzW76kNYMnSPX3pukst4NJo.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: xGW6nFo6YzQH6j3RdiMggsgMfNZVaJQiuN8Ezd6sTizxTbf4jwvbgZaSrpMfwrQ.qsk8EHRz1gHmps.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPusGunQMRGTjscuyVWkyZQt9KgdNAoiNdvpb3dsR5PGMKNXMzLr7XZQim6n.xstcgjEMoywwup3a69WxjzVmRGSsqEFcu3tCRTyEgfovAZDSP96NeJQtuhHaHZL.qKhL1XuGbMERpA6J2W2U1dxsY.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6NguhvqpquxEq2i2E6pzWPE.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k431a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPush4meiqhK4ZoWGmmZQVSq3avqPPSiPWg3phVsoQeFcKdzXCZwqfn5s3ia.TNuM65Lu4sQEB9i99zqd8Kh5rSiLwjUZoFDxLyFTqbF3sRhPAZyHFaNFp3eDNtU.5nh7K8CfsTDPVR1LqcWnzCCwY.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6NguhvqpquxEpZdDN5BnEqe.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k451a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPushDk65Fi5P54hjJGgwpqgzmbMR6xH7d12gFFXXwhpZP822UDTNHkLppPf.5uy3yqtwWy8zHcXEMyHYPmHCrKCeXf2mTp51xUeFL5qJHVn12WNb5pX73nQX24S.quYoab3RyKqgYM8zryQjnVaqb.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6Nguhvqpquxf2RLvWN5wrb8.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k471a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPushNiuTfJ2t3vRqwWYcVTgCSYV9T44ZsuCPVw5RAdJTDobr8jBhZY7cmf7.xCcnkSTKQbTADbwSPyZ534GE3AY57RqQ41TbEArxhWwQmQDoPqFC6YA7xsgnHoj.hrYHEtqB5ZvDfJUUhe8FzFGpc.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6NguhvqpquxEokX9xRofGjP.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k491a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPushXhJq6JmSdsPa2RAARGBmVPtBiiB3bF8NPRGiyQ7vEuEQ5PT1XJCrc1P.Sipm7yrd4nHtqSt8tfs4Hot6oEHWgGJ4UzYDgJagPF9ydKyV8tgFZPNBeECfVqb.yrk9adeQv8PYUeF8xSKdX9sAp.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6Nguhvqpquxf4Zhsc3g6Wzf.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k4p1a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPushGGAcVkhEPTuckGVnGTN7g4GrHiz5Zx2jTcXbb1cBoNJr1qxAU4N3RRS.FPsvmmY7ZGoeeZFm5iPAge3ev8pHgZNgPzsDiDiKMCEPp5as94UEh1SrtnVxZYw.ypXnpzQhhg7YePCPZ45AH9kT1.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6NguhvqpquxEhuSbi65st27.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k4u1a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPushqfQZumEVH6g2f8MMmbrKdJgsD2yQ3j1KJeqfKbGYnXEcBZajfpw2HTt.h4tPzgPuP88M69yZjkcwvcTEGAVaHJ7d4fVzjU8ev8psq6CEEJ19aoVFFxwVymF.q8iy5tmkra4RSBCpqM5ciX5u2.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6NguhvqpquxESJybPHjHn25.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9k4y1a78.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: LpgfPushzEewKnT5E86Gd7tiknL7pyH3VNyVT8a1SYaNLNp6MsdxKugY3j9Haf6.DKjreLjsWFryXFYMW4gj6bQe9fsghA2gooKEpYSpRnWMAjc9rMCbxqxtkKCUPar.LFmyX69PfhPLGq8QEH7cKNxfP.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: 6NguhvqpquxEGpxzq9kvu7r.0x0000b.fashionspeedy.com
Source: global traffic	DNS traffic detected: DNS query: backbhz9kf11a78.0x0000b.fashionspeedy.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: VIVACIOUS_SNOWFLAKE.elf, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: VIVACIOUS_SNOWFLAKE.elf, type: SAMPLE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen

Source: ELF static info symbol of initial sample

.symtab present: no

Source: VIVACIOUS_SNOWFLAKE.elf, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: VIVACIOUS_SNOWFLAKE.elf, type: SAMPLE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@38/0

Source: ELF file section

Submission: VIVACIOUS_SNOWFLAKE.elf

Source: /tmp/VIVACIOUS_SNOWFLAKE.elf (PID: 6272)

Queries kernel information via 'uname':

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic	DNS traffic detected: queries for: Mw61bELXmC4yq4v2wXRjyJZwrVShKVjMiPmRCUV3ZEM6xxknuxU5BMpxnRFUbHu.FxPfSfyAKA3TXem6R5UPUnsdmvuLmvAWp9W6xPmXMSGemeAqz5RgbjhxBayhy1S.hs3uUMSZ9D8Be2U6GoiriwEWiAcBLSbwRPRREa5jKFzXvcTpTpgjQcnTFH9yXoX.DgnvB7vTsEwLa7NxEuS2mHDM8pbNV9DJV.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 4CnUTQv52TZRaVn7dcv1gWgz11eyMXBSCf2vqawQhCK8V9upciceSZjSu568FKr.A9CUXP2PtUcQEcWAgGchy6dNGuoEhppe7AAZPRbWtd16QjArhrmGfLktKnBKWx5.SoQ8K4JcSs4dGn5A2cfYqiiUNEqiNxArAaw1QwLH5aSfgNqdGB.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6NguhvqpquxEq2i2E6pzWPE.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k431a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6NguhvqpquxEpZdDN5BnEqe.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k451a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6Nguhvqpquxf2RLvWN5wrb8.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k471a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6NguhvqpquxEokX9xRofGjP.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k491a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6Nguhvqpquxf4Zhsc3g6Wzf.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k4p1a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6NguhvqpquxEhuSbi65st27.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k4u1a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6NguhvqpquxESJybPHjHn25.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9k4y1a78.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: 6NguhvqpquxEGpxzq9kvu7r.0x0000b.fashionspeedy.com
Source: Traffic	DNS traffic detected: queries for: backbhz9kf11a78.0x0000b.fashionspeedy.com

Stealing of Sensitive Information

Yara detected Sliver Implants

Source: Yara match	File source: 6272.1.000000c000000000.000000c000800000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VIVACIOUS_SNOWFLAKE.elf PID: 6272, type: MEMORYSTR

Remote Access Functionality

Yara detected Sliver Implants

Source: Yara match	File source: 6272.1.000000c000000000.000000c000800000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VIVACIOUS_SNOWFLAKE.elf PID: 6272, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VIVACIOUS_SNOWFLAKE.elf	53%	ReversingLabs	Linux.Trojan.Sliver
VIVACIOUS_SNOWFLAKE.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
U8TLqVrTnxasfkg9urnE.0x0000b.fashionspeedy.com	66.232.194.253	true	false	unknown
LpgfPushGGAcVkhEPTuckGVnGTN7g4GrHiz5Zx2jTcXbb1cBoNJr1qxAU4N3RRS.FPsvmmY7ZGoeeZFm5iPAge3ev8pHgZNgPzsDiDiKMCEPp5as94UEh1SrtnVxZYw.ypXnpzQhhg7YePCPZ45AH9kT1.0x0000b.fashionspeedy.com	1.84.239.125	true	true	unknown
LpgfPusGunQMRGTjscuyVWkyZQt9KgdNAoiNdvpb3dsR5PGMKNXMzLr7XZQim6n.xstcgjEMoywwup3a69WxjzVmRGSsqEFcu3tCRTyEgfovAZDSP96NeJQtuhHaHZL.qKhL1XuGbMERpA6J2W2U1dxsY.0x0000b.fashionspeedy.com	206.4.237.138	true	true	unknown
xGW6nFo6YzQH6j3RdiMggsgMfNZVaJQiuN8Ezd6sTizxTbf4jwvbgZaSrpMfwrQ.qsk8EHRz1gHmps.0x0000b.fashionspeedy.com	209.130.158.56	true	true	unknown
U8TLqVrTnPtu6t9FixBj.0x0000b.fashionspeedy.com	188.94.122.38	true	false	unknown
baakbt7jt8ca.0x0000b.fashionspeedy.com	55.185.130.14	true	false	unknown
11vzd182342743ckeg3rzw6c.0x0000b.fashionspeedy.com	137.154.240.38	true	false	unknown
Mzd7mTh3RK7BTVwGwEFocG9vuCmyuqmS2sAySv8cEY2cQt51vEb3aDCnFQN5DW9.a2X1ifaCd9sJux3PHrS6EtACFowPb71T4bC3WynCuemUssBFJiwH4dQCrJxcN47.Gp2iTWHpKXE86W1gcBT16rjX7NNTmWBrCpNwNzbsEtXH3fGRaqF4YR5ShTV7bGi.bF5vUaaMXd3rupjn76z1ejpH6xkYhjn9q.0x0000b.fashionspeedy.com	172.136.140.167	true	true	unknown
LpgfPushXhJq6JmSdsPa2RAARGBmVPtBiiB3bF8NPRGiyQ7vEuEQ5PT1XJCrc1P.Sipm7yrd4nHtqSt8tfs4Hot6oEHWgGJ4UzYDgJagPF9ydKyV8tgFZPNBeECfVqb.yrk9adeQv8PYUeF8xSKdX9sAp.0x0000b.fashionspeedy.com	142.219.25.241	true	true	unknown
U8TLqVrTnw9Qd26hM5Vv.0x0000b.fashionspeedy.com	15.14.166.112	true	false	unknown
11vzd182342dt9h897kxynkb.0x0000b.fashionspeedy.com	246.41.15.231	true	false	unknown
Mzd7mTh3ReJRcSJAWVj2is2y88xRQCYRKRkfsJ73ZkfJajCoeM66KZfF2Qgu8AU.BJsUBFNBnRJGFM2Ak2mfGXp8DfokjLWHZdMbg9A4jWwFsgn7yg1fN2AvgYuY5nZ.feNHGbbevAgLYVWyAqZWc4nXuqxg8GXVK1RiSTRyTG93r1zFSBfTG9wXKUxkp57.So4Z8hyhHhdzW76kNYMnSPX3pukst4NJo.0x0000b.fashionspeedy.com	123.42.4.50	true	true	unknown
LpgfPushqfQZumEVH6g2f8MMmbrKdJgsD2yQ3j1KJeqfKbGYnXEcBZajfpw2HTt.h4tPzgPuP88M69yZjkcwvcTEGAVaHJ7d4fVzjU8ev8psq6CEEJ19aoVFFxwVymF.q8iy5tmkra4RSBCpqM5ciX5u2.0x0000b.fashionspeedy.com	19.68.163.193	true	true	unknown
LpgfPushNiuTfJ2t3vRqwWYcVTgCSYV9T44ZsuCPVw5RAdJTDobr8jBhZY7cmf7.xCcnkSTKQbTADbwSPyZ534GE3AY57RqQ41TbEArxhWwQmQDoPqFC6YA7xsgnHoj.hrYHEtqB5ZvDfJUUhe8FzFGpc.0x0000b.fashionspeedy.com	194.59.188.10	true	true	unknown
11vzd182342f6z7uxjym04yh.0x0000b.fashionspeedy.com	178.215.145.199	true	false	unknown
11vzd182342e7ucw5vjdyeqe.0x0000b.fashionspeedy.com	1.247.215.215	true	false	unknown
U8TLqVrTo6CVBz2wRTTS.0x0000b.fashionspeedy.com	181.99.74.228	true	false	unknown
LpgfPush4meiqhK4ZoWGmmZQVSq3avqPPSiPWg3phVsoQeFcKdzXCZwqfn5s3ia.TNuM65Lu4sQEB9i99zqd8Kh5rSiLwjUZoFDxLyFTqbF3sRhPAZyHFaNFp3eDNtU.5nh7K8CfsTDPVR1LqcWnzCCwY.0x0000b.fashionspeedy.com	156.49.83.116	true	true	unknown
LpgfPushDk65Fi5P54hjJGgwpqgzmbMR6xH7d12gFFXXwhpZP822UDTNHkLppPf.5uy3yqtwWy8zHcXEMyHYPmHCrKCeXf2mTp51xUeFL5qJHVn12WNb5pX73nQX24S.quYoab3RyKqgYM8zryQjnVaqb.0x0000b.fashionspeedy.com	82.88.235.84	true	true	unknown
LpgfPushzEewKnT5E86Gd7tiknL7pyH3VNyVT8a1SYaNLNp6MsdxKugY3j9Haf6.DKjreLjsWFryXFYMW4gj6bQe9fsghA2gooKEpYSpRnWMAjc9rMCbxqxtkKCUPar.LFmyX69PfhPLGq8QEH7cKNxfP.0x0000b.fashionspeedy.com	245.2.250.60	true	true	unknown
6NguhvqpquxEhuSbi65st27.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k451a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6NguhvqpquxEq2i2E6pzWPE.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k4u1a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6Nguhvqpquxf4Zhsc3g6Wzf.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9kf11a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6NguhvqpquxEGpxzq9kvu7r.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k491a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6NguhvqpquxESJybPHjHn25.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k471a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6NguhvqpquxEpZdDN5BnEqe.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
4CnUTQv52TZRaVn7dcv1gWgz11eyMXBSCf2vqawQhCK8V9upciceSZjSu568FKr.A9CUXP2PtUcQEcWAgGchy6dNGuoEhppe7AAZPRbWtd16QjArhrmGfLktKnBKWx5.SoQ8K4JcSs4dGn5A2cfYqiiUNEqiNxArAaw1QwLH5aSfgNqdGB.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k4p1a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k4y1a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
Mw61bELXmC4yq4v2wXRjyJZwrVShKVjMiPmRCUV3ZEM6xxknuxU5BMpxnRFUbHu.FxPfSfyAKA3TXem6R5UPUnsdmvuLmvAWp9W6xPmXMSGemeAqz5RgbjhxBayhy1S.hs3uUMSZ9D8Be2U6GoiriwEWiAcBLSbwRPRREa5jKFzXvcTpTpgjQcnTFH9yXoX.DgnvB7vTsEwLa7NxEuS2mHDM8pbNV9DJV.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
backbhz9k431a78.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6Nguhvqpquxf2RLvWN5wrb8.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown
6NguhvqpquxEokX9xRofGjP.0x0000b.fashionspeedy.com	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	agent.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.arm5.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.arm6.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.arm.elf	Get hash	malicious	Mirai	Browse
	ub8ehJSePAfc9FYqZIT6.i686.elf	Get hash	malicious	Unknown	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	i686.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.x86_64.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	agent.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.arm5.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.arm6.elf	Get hash	malicious	Unknown	Browse
	ub8ehJSePAfc9FYqZIT6.arm.elf	Get hash	malicious	Mirai	Browse
	ub8ehJSePAfc9FYqZIT6.i686.elf	Get hash	malicious	Unknown	Browse
	Demon.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	i686.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	agent.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.mips.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	ub8ehJSePAfc9FYqZIT6.i686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Demon.i586.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	Demon.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
CANONICAL-ASGB	agent.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	ub8ehJSePAfc9FYqZIT6.mips.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	ub8ehJSePAfc9FYqZIT6.i686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Demon.i586.elf	Get hash	malicious	Mirai, Gafgyt	Browse	185.125.190.26
	Demon.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
INIT7CH	agent.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ppc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ub8ehJSePAfc9FYqZIT6.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ub8ehJSePAfc9FYqZIT6.arm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ub8ehJSePAfc9FYqZIT6.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	ub8ehJSePAfc9FYqZIT6.i686.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Demon.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.202.202.202
	tftp.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	i686.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.094863602972719
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	VIVACIOUS_SNOWFLAKE.elf
File size:	15'392'768 bytes
MD5:	7c6af882f13545df23b5667432a09585
SHA1:	14185f9c8993a45ac670c772831b291dccd067ac
SHA256:	a80f7c3976a5235c6d8f1e86d8540452a30851ec27d34e56017f372732faaea6
SHA512:	13a01f607732e18f6f4ec1080b7820eeb459ad9de36a6eebc2979172042e282a8414cd21c00454fcf4647b1e1e5a73bbfeb22c6dc9d1d69a34c65b72b6c631b1
SSDEEP:	98304:cM8QB9a8tlOjctjo8Yu6e+xBlZJDbRf0II0FNBmYG+E3C2M3BuSu:cM8QB08Yde+tRf0ILFNBmYG73lM39u
TLSH:	CEF62A03F8D514D5C4EAD1B489214272BA71785C0B7923CB2BA1F7B82B32BF49E7A754
File Content Preview:	.ELF..............>.......E.....@...................@.8...@.............@.......@.@.....@.@.....P.......P.................................@.......@......^.......^.......................`.......`.......`.......OX......OX...............................&....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x45d0e0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	6
Section Header Offset:	400
Section Header Size:	64
Number of Section Headers:	13
Header String Table Index:	3

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x401000	0x1000	0x8e4e9d	0x0	0x6	AX	32
.rodata	PROGBITS	0xce6000	0x8e6000	0x271943	0x0	0x2	A	32
.shstrtab	STRTAB	0x0	0xb57960	0x87	0x0	0x0		1
.typelink	PROGBITS	0xf57a00	0xb57a00	0x48c4	0x0	0x2	A	32
.itablink	PROGBITS	0xf5c2e0	0xb5c2e0	0x1890	0x0	0x2	A	32
.gosymtab	PROGBITS	0xf5db70	0xb5db70	0x0	0x0	0x2	A	1
.gopclntab	PROGBITS	0xf5db80	0xb5db80	0x30d400	0x0	0x2	A	32
.go.buildinfo	PROGBITS	0x126b000	0xe6b000	0x30	0x0	0x3	WA	16
.noptrdata	PROGBITS	0x126b040	0xe6b040	0x32240	0x0	0x3	WA	32
.data	PROGBITS	0x129d280	0xe9d280	0x10638	0x0	0x3	WA	32
.bss	NOBITS	0x12ad8c0	0xead8c0	0x33500	0x0	0x3	WA	32
.noptrbss	NOBITS	0x12e0dc0	0xee0dc0	0x132b0	0x0	0x3	WA	32

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
PHDR	0x40	0x400040	0x400040	0x150	0x150	1.6392	0x4	R	0x1000
LOAD	0x0	0x400000	0x400000	0x8e5e9d	0x8e5e9d	6.1967	0x5	R E	0x1000	.text
LOAD	0x8e6000	0xce6000	0xce6000	0x584f80	0x584f80	5.2063	0x4	R	0x1000	.rodata .typelink .itablink .gosymtab .gopclntab
LOAD	0xe6b000	0x126b000	0x126b000	0x428c0	0x89070	4.6778	0x6	RW	0x1000	.go.buildinfo .noptrdata .data .bss .noptrbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8
LOOS+5041580	0x0	0x0	0x0	0x0	0x0	0.0000	0x2a00		0x8

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T21:44:11.418401+0100	2852741	ETPRO MALWARE Sliver DNS SessionInit Request	1	192.168.2.23	54660	1.1.1.1	53	UDP
2024-12-02T21:44:28.482039+0100	2852745	ETPRO MALWARE Sliver DNS Base58 Poll Request	1	192.168.2.23	46635	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 21:44:13.724657059 CET	43928	443	192.168.2.23	91.189.91.42
Dec 2, 2024 21:44:19.355817080 CET	42836	443	192.168.2.23	91.189.91.43
Dec 2, 2024 21:44:34.201714039 CET	43928	443	192.168.2.23	91.189.91.42
Dec 2, 2024 21:44:38.297264099 CET	42516	80	192.168.2.23	109.202.202.202
Dec 2, 2024 21:44:46.488123894 CET	42836	443	192.168.2.23	91.189.91.43
Dec 2, 2024 21:45:15.156197071 CET	43928	443	192.168.2.23	91.189.91.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 21:44:11.418401003 CET	54660	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:11.772806883 CET	53	54660	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:11.779062033 CET	53447	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:12.125320911 CET	53	53447	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:12.129070997 CET	56648	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:12.481369019 CET	53	56648	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:12.486340046 CET	46701	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:12.840188980 CET	53	46701	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:12.845212936 CET	52634	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:13.195004940 CET	53	52634	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:13.198190928 CET	41219	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:13.548901081 CET	53	41219	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:13.552633047 CET	60830	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:13.904458046 CET	53	60830	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:13.907392979 CET	49961	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:14.260323048 CET	53	49961	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:14.264158964 CET	44872	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:14.616060972 CET	53	44872	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:14.621933937 CET	35802	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:15.204693079 CET	53	35802	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:15.209120035 CET	58677	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:15.767826080 CET	53	58677	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:15.779898882 CET	52777	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:15.782012939 CET	55441	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:16.335663080 CET	53	55441	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:16.336169004 CET	53	52777	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:16.340684891 CET	50799	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:16.897880077 CET	53	50799	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:17.904680967 CET	36403	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:18.460571051 CET	53	36403	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:18.466922998 CET	47589	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:18.816339016 CET	53	47589	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:18.822359085 CET	49896	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:19.176155090 CET	53	49896	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:22.905930996 CET	58699	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:23.467206001 CET	53	58699	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:23.472304106 CET	59052	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:23.825366020 CET	53	59052	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:23.832119942 CET	46949	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:24.180372000 CET	53	46949	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:27.914053917 CET	58104	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:28.474632025 CET	53	58104	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:28.482038975 CET	46635	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:28.830612898 CET	53	46635	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:28.836647034 CET	60906	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:29.191901922 CET	53	60906	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:32.907613993 CET	37459	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:33.466341972 CET	53	37459	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:33.476612091 CET	40099	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:33.830091953 CET	53	40099	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:33.838598013 CET	47434	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:34.192389965 CET	53	47434	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:37.910440922 CET	41998	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:38.470710039 CET	53	41998	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:38.478661060 CET	41510	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:38.835522890 CET	53	41510	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:38.842047930 CET	58759	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:39.194166899 CET	53	58759	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:42.906208038 CET	55637	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:43.466104984 CET	53	55637	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:43.473568916 CET	44908	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:43.821137905 CET	53	44908	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:43.825912952 CET	50997	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:44.177736998 CET	53	50997	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:47.911681890 CET	52712	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:48.463571072 CET	53	52712	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:48.472692966 CET	41035	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:48.819602966 CET	53	41035	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:48.826531887 CET	35671	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:49.179352999 CET	53	35671	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:52.910753012 CET	59876	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:53.470062971 CET	53	59876	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:53.477086067 CET	45440	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:53.824803114 CET	53	45440	1.1.1.1	192.168.2.23
Dec 2, 2024 21:44:53.831603050 CET	33684	53	192.168.2.23	1.1.1.1
Dec 2, 2024 21:44:54.178807020 CET	53	33684	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 21:44:11.418401003 CET	192.168.2.23	1.1.1.1	0x3814	Standard query (0)	baakbt7jt8ca.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:11.779062033 CET	192.168.2.23	1.1.1.1	0xf657	Standard query (0)	11vzd182342743ckeg3rzw6c.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:12.129070997 CET	192.168.2.23	1.1.1.1	0xc4ee	Standard query (0)	11vzd182342dt9h897kxynkb.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:12.486340046 CET	192.168.2.23	1.1.1.1	0x2898	Standard query (0)	11vzd182342f6z7uxjym04yh.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:12.845212936 CET	192.168.2.23	1.1.1.1	0xbed2	Standard query (0)	11vzd182342e7ucw5vjdyeqe.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:13.198190928 CET	192.168.2.23	1.1.1.1	0xab7f	Standard query (0)	U8TLqVrTo6CVBz2wRTTS.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:13.552633047 CET	192.168.2.23	1.1.1.1	0xa877	Standard query (0)	U8TLqVrTnw9Qd26hM5Vv.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:13.907392979 CET	192.168.2.23	1.1.1.1	0x9dbd	Standard query (0)	U8TLqVrTnPtu6t9FixBj.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:14.264158964 CET	192.168.2.23	1.1.1.1	0x812d	Standard query (0)	U8TLqVrTnxasfkg9urnE.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:14.621933937 CET	192.168.2.23	1.1.1.1	0x3122	Standard query (0)	Mw61bELXmC4yq4v2wXRjyJZwrVShKVjMiPmRCUV3ZEM6xxknuxU5BMpxnRFUbHu.FxPfSfyAKA3TXem6R5UPUnsdmvuLmvAWp9W6xPmXMSGemeAqz5RgbjhxBayhy1S.hs3uUMSZ9D8Be2U6GoiriwEWiAcBLSbwRPRREa5jKFzXvcTpTpgjQcnTFH9yXoX.DgnvB7vTsEwLa7NxEuS2mHDM8pbNV9DJV.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:15.209120035 CET	192.168.2.23	1.1.1.1	0x8e	Standard query (0)	4CnUTQv52TZRaVn7dcv1gWgz11eyMXBSCf2vqawQhCK8V9upciceSZjSu568FKr.A9CUXP2PtUcQEcWAgGchy6dNGuoEhppe7AAZPRbWtd16QjArhrmGfLktKnBKWx5.SoQ8K4JcSs4dGn5A2cfYqiiUNEqiNxArAaw1QwLH5aSfgNqdGB.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:15.779898882 CET	192.168.2.23	1.1.1.1	0xb905	Standard query (0)	Mzd7mTh3RK7BTVwGwEFocG9vuCmyuqmS2sAySv8cEY2cQt51vEb3aDCnFQN5DW9.a2X1ifaCd9sJux3PHrS6EtACFowPb71T4bC3WynCuemUssBFJiwH4dQCrJxcN47.Gp2iTWHpKXE86W1gcBT16rjX7NNTmWBrCpNwNzbsEtXH3fGRaqF4YR5ShTV7bGi.bF5vUaaMXd3rupjn76z1ejpH6xkYhjn9q.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:15.782012939 CET	192.168.2.23	1.1.1.1	0x2c17	Standard query (0)	Mzd7mTh3ReJRcSJAWVj2is2y88xRQCYRKRkfsJ73ZkfJajCoeM66KZfF2Qgu8AU.BJsUBFNBnRJGFM2Ak2mfGXp8DfokjLWHZdMbg9A4jWwFsgn7yg1fN2AvgYuY5nZ.feNHGbbevAgLYVWyAqZWc4nXuqxg8GXVK1RiSTRyTG93r1zFSBfTG9wXKUxkp57.So4Z8hyhHhdzW76kNYMnSPX3pukst4NJo.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:16.340684891 CET	192.168.2.23	1.1.1.1	0xcac9	Standard query (0)	xGW6nFo6YzQH6j3RdiMggsgMfNZVaJQiuN8Ezd6sTizxTbf4jwvbgZaSrpMfwrQ.qsk8EHRz1gHmps.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:17.904680967 CET	192.168.2.23	1.1.1.1	0x64d	Standard query (0)	LpgfPusGunQMRGTjscuyVWkyZQt9KgdNAoiNdvpb3dsR5PGMKNXMzLr7XZQim6n.xstcgjEMoywwup3a69WxjzVmRGSsqEFcu3tCRTyEgfovAZDSP96NeJQtuhHaHZL.qKhL1XuGbMERpA6J2W2U1dxsY.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:18.466922998 CET	192.168.2.23	1.1.1.1	0xab1f	Standard query (0)	6NguhvqpquxEq2i2E6pzWPE.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:18.822359085 CET	192.168.2.23	1.1.1.1	0x1182	Standard query (0)	backbhz9k431a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:22.905930996 CET	192.168.2.23	1.1.1.1	0xedff	Standard query (0)	LpgfPush4meiqhK4ZoWGmmZQVSq3avqPPSiPWg3phVsoQeFcKdzXCZwqfn5s3ia.TNuM65Lu4sQEB9i99zqd8Kh5rSiLwjUZoFDxLyFTqbF3sRhPAZyHFaNFp3eDNtU.5nh7K8CfsTDPVR1LqcWnzCCwY.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:23.472304106 CET	192.168.2.23	1.1.1.1	0x8904	Standard query (0)	6NguhvqpquxEpZdDN5BnEqe.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:23.832119942 CET	192.168.2.23	1.1.1.1	0x11a0	Standard query (0)	backbhz9k451a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:27.914053917 CET	192.168.2.23	1.1.1.1	0xeae4	Standard query (0)	LpgfPushDk65Fi5P54hjJGgwpqgzmbMR6xH7d12gFFXXwhpZP822UDTNHkLppPf.5uy3yqtwWy8zHcXEMyHYPmHCrKCeXf2mTp51xUeFL5qJHVn12WNb5pX73nQX24S.quYoab3RyKqgYM8zryQjnVaqb.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:28.482038975 CET	192.168.2.23	1.1.1.1	0x8b68	Standard query (0)	6Nguhvqpquxf2RLvWN5wrb8.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:28.836647034 CET	192.168.2.23	1.1.1.1	0xa4f2	Standard query (0)	backbhz9k471a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:32.907613993 CET	192.168.2.23	1.1.1.1	0xb79d	Standard query (0)	LpgfPushNiuTfJ2t3vRqwWYcVTgCSYV9T44ZsuCPVw5RAdJTDobr8jBhZY7cmf7.xCcnkSTKQbTADbwSPyZ534GE3AY57RqQ41TbEArxhWwQmQDoPqFC6YA7xsgnHoj.hrYHEtqB5ZvDfJUUhe8FzFGpc.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:33.476612091 CET	192.168.2.23	1.1.1.1	0xc631	Standard query (0)	6NguhvqpquxEokX9xRofGjP.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:33.838598013 CET	192.168.2.23	1.1.1.1	0x307d	Standard query (0)	backbhz9k491a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:37.910440922 CET	192.168.2.23	1.1.1.1	0x7257	Standard query (0)	LpgfPushXhJq6JmSdsPa2RAARGBmVPtBiiB3bF8NPRGiyQ7vEuEQ5PT1XJCrc1P.Sipm7yrd4nHtqSt8tfs4Hot6oEHWgGJ4UzYDgJagPF9ydKyV8tgFZPNBeECfVqb.yrk9adeQv8PYUeF8xSKdX9sAp.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:38.478661060 CET	192.168.2.23	1.1.1.1	0x2940	Standard query (0)	6Nguhvqpquxf4Zhsc3g6Wzf.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:38.842047930 CET	192.168.2.23	1.1.1.1	0xbdd6	Standard query (0)	backbhz9k4p1a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:42.906208038 CET	192.168.2.23	1.1.1.1	0x2b41	Standard query (0)	LpgfPushGGAcVkhEPTuckGVnGTN7g4GrHiz5Zx2jTcXbb1cBoNJr1qxAU4N3RRS.FPsvmmY7ZGoeeZFm5iPAge3ev8pHgZNgPzsDiDiKMCEPp5as94UEh1SrtnVxZYw.ypXnpzQhhg7YePCPZ45AH9kT1.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:43.473568916 CET	192.168.2.23	1.1.1.1	0xb14a	Standard query (0)	6NguhvqpquxEhuSbi65st27.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:43.825912952 CET	192.168.2.23	1.1.1.1	0x24e2	Standard query (0)	backbhz9k4u1a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:47.911681890 CET	192.168.2.23	1.1.1.1	0x65e1	Standard query (0)	LpgfPushqfQZumEVH6g2f8MMmbrKdJgsD2yQ3j1KJeqfKbGYnXEcBZajfpw2HTt.h4tPzgPuP88M69yZjkcwvcTEGAVaHJ7d4fVzjU8ev8psq6CEEJ19aoVFFxwVymF.q8iy5tmkra4RSBCpqM5ciX5u2.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:48.472692966 CET	192.168.2.23	1.1.1.1	0xcdd7	Standard query (0)	6NguhvqpquxESJybPHjHn25.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:48.826531887 CET	192.168.2.23	1.1.1.1	0x4b16	Standard query (0)	backbhz9k4y1a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:52.910753012 CET	192.168.2.23	1.1.1.1	0x1927	Standard query (0)	LpgfPushzEewKnT5E86Gd7tiknL7pyH3VNyVT8a1SYaNLNp6MsdxKugY3j9Haf6.DKjreLjsWFryXFYMW4gj6bQe9fsghA2gooKEpYSpRnWMAjc9rMCbxqxtkKCUPar.LFmyX69PfhPLGq8QEH7cKNxfP.0x0000b.fashionspeedy.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:53.477086067 CET	192.168.2.23	1.1.1.1	0x4b6a	Standard query (0)	6NguhvqpquxEGpxzq9kvu7r.0x0000b.fashionspeedy.com	16	IN (0x0001)	false
Dec 2, 2024 21:44:53.831603050 CET	192.168.2.23	1.1.1.1	0xc77c	Standard query (0)	backbhz9kf11a78.0x0000b.fashionspeedy.com	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 21:44:11.772806883 CET	1.1.1.1	192.168.2.23	0x3814	No error (0)	baakbt7jt8ca.0x0000b.fashionspeedy.com	55.185.130.14	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:12.125320911 CET	1.1.1.1	192.168.2.23	0xf657	No error (0)	11vzd182342743ckeg3rzw6c.0x0000b.fashionspeedy.com	137.154.240.38	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:12.481369019 CET	1.1.1.1	192.168.2.23	0xc4ee	No error (0)	11vzd182342dt9h897kxynkb.0x0000b.fashionspeedy.com	246.41.15.231	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:12.840188980 CET	1.1.1.1	192.168.2.23	0x2898	No error (0)	11vzd182342f6z7uxjym04yh.0x0000b.fashionspeedy.com	178.215.145.199	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:13.195004940 CET	1.1.1.1	192.168.2.23	0xbed2	No error (0)	11vzd182342e7ucw5vjdyeqe.0x0000b.fashionspeedy.com	1.247.215.215	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:13.548901081 CET	1.1.1.1	192.168.2.23	0xab7f	No error (0)	U8TLqVrTo6CVBz2wRTTS.0x0000b.fashionspeedy.com	181.99.74.228	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:13.904458046 CET	1.1.1.1	192.168.2.23	0xa877	No error (0)	U8TLqVrTnw9Qd26hM5Vv.0x0000b.fashionspeedy.com	15.14.166.112	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:14.260323048 CET	1.1.1.1	192.168.2.23	0x9dbd	No error (0)	U8TLqVrTnPtu6t9FixBj.0x0000b.fashionspeedy.com	188.94.122.38	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:14.616060972 CET	1.1.1.1	192.168.2.23	0x812d	No error (0)	U8TLqVrTnxasfkg9urnE.0x0000b.fashionspeedy.com	66.232.194.253	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:15.204693079 CET	1.1.1.1	192.168.2.23	0x3122	No error (0)	Mw61bELXmC4yq4v2wXRjyJZwrVShKVjMiPmRCUV3ZEM6xxknuxU5BMpxnRFUbHu.FxPfSfyAKA3TXem6R5UPUnsdmvuLmvAWp9W6xPmXMSGemeAqz5RgbjhxBayhy1S.hs3uUMSZ9D8Be2U6GoiriwEWiAcBLSbwRPRREa5jKFzXvcTpTpgjQcnTFH9yXoX.DgnvB7vTsEwLa7NxEuS2mHDM8pbNV9DJV.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:15.767826080 CET	1.1.1.1	192.168.2.23	0x8e	No error (0)	4CnUTQv52TZRaVn7dcv1gWgz11eyMXBSCf2vqawQhCK8V9upciceSZjSu568FKr.A9CUXP2PtUcQEcWAgGchy6dNGuoEhppe7AAZPRbWtd16QjArhrmGfLktKnBKWx5.SoQ8K4JcSs4dGn5A2cfYqiiUNEqiNxArAaw1QwLH5aSfgNqdGB.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:16.335663080 CET	1.1.1.1	192.168.2.23	0x2c17	No error (0)	Mzd7mTh3ReJRcSJAWVj2is2y88xRQCYRKRkfsJ73ZkfJajCoeM66KZfF2Qgu8AU.BJsUBFNBnRJGFM2Ak2mfGXp8DfokjLWHZdMbg9A4jWwFsgn7yg1fN2AvgYuY5nZ.feNHGbbevAgLYVWyAqZWc4nXuqxg8GXVK1RiSTRyTG93r1zFSBfTG9wXKUxkp57.So4Z8hyhHhdzW76kNYMnSPX3pukst4NJo.0x0000b.fashionspeedy.com	123.42.4.50	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:16.336169004 CET	1.1.1.1	192.168.2.23	0xb905	No error (0)	Mzd7mTh3RK7BTVwGwEFocG9vuCmyuqmS2sAySv8cEY2cQt51vEb3aDCnFQN5DW9.a2X1ifaCd9sJux3PHrS6EtACFowPb71T4bC3WynCuemUssBFJiwH4dQCrJxcN47.Gp2iTWHpKXE86W1gcBT16rjX7NNTmWBrCpNwNzbsEtXH3fGRaqF4YR5ShTV7bGi.bF5vUaaMXd3rupjn76z1ejpH6xkYhjn9q.0x0000b.fashionspeedy.com	172.136.140.167	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:16.897880077 CET	1.1.1.1	192.168.2.23	0xcac9	No error (0)	xGW6nFo6YzQH6j3RdiMggsgMfNZVaJQiuN8Ezd6sTizxTbf4jwvbgZaSrpMfwrQ.qsk8EHRz1gHmps.0x0000b.fashionspeedy.com	209.130.158.56	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:18.460571051 CET	1.1.1.1	192.168.2.23	0x64d	No error (0)	LpgfPusGunQMRGTjscuyVWkyZQt9KgdNAoiNdvpb3dsR5PGMKNXMzLr7XZQim6n.xstcgjEMoywwup3a69WxjzVmRGSsqEFcu3tCRTyEgfovAZDSP96NeJQtuhHaHZL.qKhL1XuGbMERpA6J2W2U1dxsY.0x0000b.fashionspeedy.com	206.4.237.138	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:18.816339016 CET	1.1.1.1	192.168.2.23	0xab1f	No error (0)	6NguhvqpquxEq2i2E6pzWPE.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:19.176155090 CET	1.1.1.1	192.168.2.23	0x1182	No error (0)	backbhz9k431a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:23.467206001 CET	1.1.1.1	192.168.2.23	0xedff	No error (0)	LpgfPush4meiqhK4ZoWGmmZQVSq3avqPPSiPWg3phVsoQeFcKdzXCZwqfn5s3ia.TNuM65Lu4sQEB9i99zqd8Kh5rSiLwjUZoFDxLyFTqbF3sRhPAZyHFaNFp3eDNtU.5nh7K8CfsTDPVR1LqcWnzCCwY.0x0000b.fashionspeedy.com	156.49.83.116	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:23.825366020 CET	1.1.1.1	192.168.2.23	0x8904	No error (0)	6NguhvqpquxEpZdDN5BnEqe.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:24.180372000 CET	1.1.1.1	192.168.2.23	0x11a0	No error (0)	backbhz9k451a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:28.474632025 CET	1.1.1.1	192.168.2.23	0xeae4	No error (0)	LpgfPushDk65Fi5P54hjJGgwpqgzmbMR6xH7d12gFFXXwhpZP822UDTNHkLppPf.5uy3yqtwWy8zHcXEMyHYPmHCrKCeXf2mTp51xUeFL5qJHVn12WNb5pX73nQX24S.quYoab3RyKqgYM8zryQjnVaqb.0x0000b.fashionspeedy.com	82.88.235.84	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:28.830612898 CET	1.1.1.1	192.168.2.23	0x8b68	No error (0)	6Nguhvqpquxf2RLvWN5wrb8.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:29.191901922 CET	1.1.1.1	192.168.2.23	0xa4f2	No error (0)	backbhz9k471a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:33.466341972 CET	1.1.1.1	192.168.2.23	0xb79d	No error (0)	LpgfPushNiuTfJ2t3vRqwWYcVTgCSYV9T44ZsuCPVw5RAdJTDobr8jBhZY7cmf7.xCcnkSTKQbTADbwSPyZ534GE3AY57RqQ41TbEArxhWwQmQDoPqFC6YA7xsgnHoj.hrYHEtqB5ZvDfJUUhe8FzFGpc.0x0000b.fashionspeedy.com	194.59.188.10	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:33.830091953 CET	1.1.1.1	192.168.2.23	0xc631	No error (0)	6NguhvqpquxEokX9xRofGjP.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:34.192389965 CET	1.1.1.1	192.168.2.23	0x307d	No error (0)	backbhz9k491a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:38.470710039 CET	1.1.1.1	192.168.2.23	0x7257	No error (0)	LpgfPushXhJq6JmSdsPa2RAARGBmVPtBiiB3bF8NPRGiyQ7vEuEQ5PT1XJCrc1P.Sipm7yrd4nHtqSt8tfs4Hot6oEHWgGJ4UzYDgJagPF9ydKyV8tgFZPNBeECfVqb.yrk9adeQv8PYUeF8xSKdX9sAp.0x0000b.fashionspeedy.com	142.219.25.241	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:38.835522890 CET	1.1.1.1	192.168.2.23	0x2940	No error (0)	6Nguhvqpquxf4Zhsc3g6Wzf.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:39.194166899 CET	1.1.1.1	192.168.2.23	0xbdd6	No error (0)	backbhz9k4p1a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:43.466104984 CET	1.1.1.1	192.168.2.23	0x2b41	No error (0)	LpgfPushGGAcVkhEPTuckGVnGTN7g4GrHiz5Zx2jTcXbb1cBoNJr1qxAU4N3RRS.FPsvmmY7ZGoeeZFm5iPAge3ev8pHgZNgPzsDiDiKMCEPp5as94UEh1SrtnVxZYw.ypXnpzQhhg7YePCPZ45AH9kT1.0x0000b.fashionspeedy.com	1.84.239.125	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:43.821137905 CET	1.1.1.1	192.168.2.23	0xb14a	No error (0)	6NguhvqpquxEhuSbi65st27.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:44.177736998 CET	1.1.1.1	192.168.2.23	0x24e2	No error (0)	backbhz9k4u1a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:48.463571072 CET	1.1.1.1	192.168.2.23	0x65e1	No error (0)	LpgfPushqfQZumEVH6g2f8MMmbrKdJgsD2yQ3j1KJeqfKbGYnXEcBZajfpw2HTt.h4tPzgPuP88M69yZjkcwvcTEGAVaHJ7d4fVzjU8ev8psq6CEEJ19aoVFFxwVymF.q8iy5tmkra4RSBCpqM5ciX5u2.0x0000b.fashionspeedy.com	19.68.163.193	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:48.819602966 CET	1.1.1.1	192.168.2.23	0xcdd7	No error (0)	6NguhvqpquxESJybPHjHn25.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:49.179352999 CET	1.1.1.1	192.168.2.23	0x4b16	No error (0)	backbhz9k4y1a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:53.470062971 CET	1.1.1.1	192.168.2.23	0x1927	No error (0)	LpgfPushzEewKnT5E86Gd7tiknL7pyH3VNyVT8a1SYaNLNp6MsdxKugY3j9Haf6.DKjreLjsWFryXFYMW4gj6bQe9fsghA2gooKEpYSpRnWMAjc9rMCbxqxtkKCUPar.LFmyX69PfhPLGq8QEH7cKNxfP.0x0000b.fashionspeedy.com	245.2.250.60	A (IP address)	IN (0x0001)	false
Dec 2, 2024 21:44:53.824803114 CET	1.1.1.1	192.168.2.23	0x4b6a	No error (0)	6NguhvqpquxEGpxzq9kvu7r.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false
Dec 2, 2024 21:44:54.178807020 CET	1.1.1.1	192.168.2.23	0xc77c	No error (0)	backbhz9kf11a78.0x0000b.fashionspeedy.com		TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: VIVACIOUS_SNOWFLAKE.elf PID: 6272, Parent PID: 6195

General

Start time (UTC):	20:44:10
Start date (UTC):	02/12/2024
Path:	/tmp/VIVACIOUS_SNOWFLAKE.elf
Arguments:	/tmp/VIVACIOUS_SNOWFLAKE.elf
File size:	15392768 bytes
MD5 hash:	7c6af882f13545df23b5667432a09585

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report VIVACIOUS_SNOWFLAKE.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: VIVACIOUS_SNOWFLAKE.elf PID: 6272, Parent PID: 6195

General

Chronological Activities

Linux Analysis Report
VIVACIOUS_SNOWFLAKE.elf