Edit tour

Linux Analysis Report
Space.mips.elf

Overview

General Information

Sample name:	Space.mips.elf
Analysis ID:	1575717
MD5:	47a3da5b7a3334ad0d7d3e319d5e5876
SHA1:	8710045d8e4ad5ab0561af69d328ba5bfe85ae85
SHA256:	467f8730b3df7738935b68efa0309ed7b154dc14ca2e87d04e00fddd49d34a2e
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575717
Start date and time:	2024-12-16 08:56:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.mips.elf
Detection:	MAL
Classification:	mal68.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.mips.elf
PID:	6262
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.mips.elf (PID: 6262, Parent: 6188, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/Space.mips.elf

Space.mips.elf New Fork (PID: 6264, Parent: 6262)

Space.mips.elf New Fork (PID: 6266, Parent: 6264)

Space.mips.elf New Fork (PID: 6267, Parent: 6264)

Space.mips.elf New Fork (PID: 6274, Parent: 6262)

Space.mips.elf New Fork (PID: 6276, Parent: 6262)

dash New Fork (PID: 6281, Parent: 4331)

rm (PID: 6281, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.drTjJyhArt /tmp/tmp.gkLWWzaWTF /tmp/tmp.zTIoASQolq

dash New Fork (PID: 6282, Parent: 4331)

rm (PID: 6282, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.drTjJyhArt /tmp/tmp.gkLWWzaWTF /tmp/tmp.zTIoASQolq

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6264.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6264.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1470c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1475c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14770:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14784:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14798:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14810:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14824:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14838:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1484c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14860:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14874:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14888:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1489c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6266.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6266.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1470c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1475c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14770:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14784:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14798:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14810:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14824:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14838:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1484c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14860:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14874:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14888:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1489c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6262.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6262.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1470c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1475c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14770:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14784:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14798:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14810:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14824:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14838:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1484c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14860:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14874:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14888:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1489c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6274.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6274.1.00007f9de8400000.00007f9de8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1470c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1475c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14770:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14784:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14798:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14810:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14824:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14838:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1484c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14860:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14874:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14888:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1489c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 6262	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mips.elf PID: 6262	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x357c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3590:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x35f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x361c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x366c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 6264	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mips.elf PID: 6264	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x300:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x314:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x328:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x33c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x42c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 6266	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mips.elf PID: 6266	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3765:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3779:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x378d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x37a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x37b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x37c9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x37dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x37f1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3805:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3819:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x382d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3841:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3855:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3869:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x387d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3891:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38b9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38cd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38e1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38f5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 6274	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xad69:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xad7d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xad91:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xada5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xadb9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xadcd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xade1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xadf5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae09:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae1d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae31:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae45:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae59:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae6d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae81:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae95:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaea9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaebd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaed1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaee5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaef9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 10 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Space.mips.elf	ReversingLabs: Detection: 36%
Source: Space.mips.elf	Virustotal: Detection: 37%			Perma Link

Source: global traffic

TCP traffic: 192.168.2.23:50962 -> 89.169.4.44:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44

Source: Space.mips.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39256
Source: unknown	Network traffic detected: HTTP traffic on port 39256 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6264.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6266.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6262.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6274.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 6262, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 6264, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 6266, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 6274, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 6264.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6266.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6262.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6274.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 6262, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 6264, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 6266, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 6274, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1582/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/3088/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1579/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1699/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1335/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1698/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1334/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1576/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/2302/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/910/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/912/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/2307/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/918/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/6247/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/6246/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1594/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1349/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1344/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1465/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1586/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1463/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1900/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/491/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1477/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/379/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1476/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/2208/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/6262/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/6267/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1809/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 6262)	File opened: /proc/1494/status	Jump to behavior

Source: /usr/bin/dash (PID: 6281)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.drTjJyhArt /tmp/tmp.gkLWWzaWTF /tmp/tmp.zTIoASQolq			Jump to behavior
Source: /usr/bin/dash (PID: 6282)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.drTjJyhArt /tmp/tmp.gkLWWzaWTF /tmp/tmp.zTIoASQolq			Jump to behavior

Source: Space.mips.elf

Submission file: segment LOAD with 7.932 entropy (max. 8.0)

Source: /tmp/Space.mips.elf (PID: 6262)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.mips.elf, 6262.1.00007fffe9903000.00007fffe9924000.rw-.sdmp, Space.mips.elf, 6264.1.00007fffe9903000.00007fffe9924000.rw-.sdmp, Space.mips.elf, 6266.1.00007fffe9903000.00007fffe9924000.rw-.sdmp, Space.mips.elf, 6274.1.00007fffe9903000.00007fffe9924000.rw-.sdmp	Binary or memory string: >x86_64/usr/bin/qemu-mips/tmp/Space.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.mips.elf
Source: Space.mips.elf, 6262.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp, Space.mips.elf, 6264.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp, Space.mips.elf, 6266.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp, Space.mips.elf, 6274.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: Space.mips.elf, 6262.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp, Space.mips.elf, 6264.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp, Space.mips.elf, 6266.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp, Space.mips.elf, 6274.1.000055d4b4800000.000055d4b48a7000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: Space.mips.elf, 6262.1.00007fffe9903000.00007fffe9924000.rw-.sdmp, Space.mips.elf, 6264.1.00007fffe9903000.00007fffe9924000.rw-.sdmp, Space.mips.elf, 6266.1.00007fffe9903000.00007fffe9924000.rw-.sdmp, Space.mips.elf, 6274.1.00007fffe9903000.00007fffe9924000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6264.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6266.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6262.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6274.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.mips.elf PID: 6262, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mips.elf PID: 6264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mips.elf PID: 6266, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6264.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6266.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6262.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6274.1.00007f9de8400000.00007f9de8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.mips.elf PID: 6262, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mips.elf PID: 6264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mips.elf PID: 6266, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.mips.elf	37%	ReversingLabs	Linux.Trojan.Mirai
Space.mips.elf	38%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.mips.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
89.169.4.44	unknown	Russian Federation	31514	INF-NET-ASRU	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.249.145.219	hmips.elf	Get hash	malicious	Unknown	Browse
	armv4l.elf	Get hash	malicious	Unknown	Browse
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x-8.6-.Logicnet.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	mips.xxx.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	main_arm5.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	roze.ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
89.169.4.44	Space.x86.elf	Get hash	malicious	Mirai	Browse
	Space.arm.elf	Get hash	malicious	Mirai	Browse
	Space.sh4.elf	Get hash	malicious	Mirai	Browse
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	Space.arm.elf	Get hash	malicious	Mirai	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	Space.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	spc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INF-NET-ASRU	Space.x86.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.arm.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.sh4.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	jade.m68k.elf	Get hash	malicious	Mirai	Browse	89.169.156.74
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	87.228.10.139
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
INIT7CH	Space.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	spc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
AMAZON-02US	lmao.exe	Get hash	malicious	Quasar	Browse	52.8.11.142
	executablelol.exe	Get hash	malicious	Quasar	Browse	52.9.128.160
	negarque.exe	Get hash	malicious	Quasar	Browse	50.18.181.119
	enai2.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	fern_wifi_recon%2.34.exe	Get hash	malicious	Metasploit	Browse	3.6.115.64
	Krishna33.exe	Get hash	malicious	AsyncRAT	Browse	13.215.170.190
	aaa (3).exe	Get hash	malicious	AsyncRAT	Browse	3.68.171.119
	anne.exe	Get hash	malicious	AsyncRAT	Browse	52.14.18.129
	CrSpoofer.exe	Get hash	malicious	AsyncRAT	Browse	18.153.198.123
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	18.224.21.137

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.929137604923233
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Space.mips.elf
File size:	38'116 bytes
MD5:	47a3da5b7a3334ad0d7d3e319d5e5876
SHA1:	8710045d8e4ad5ab0561af69d328ba5bfe85ae85
SHA256:	467f8730b3df7738935b68efa0309ed7b154dc14ca2e87d04e00fddd49d34a2e
SHA512:	498eca619092e02b0529e37b710c8ae2b4cc23f4afb13b46dc90d67b9f5a17e46e32cc4964469a749e4adc7670ad2718f40387950069106a9f0b2507738334ab
SSDEEP:	768:EyI187beFSc+RX4qCw7kwGDGRfHBoHJgGlzDpbuR1JI:Eyf7beMbIqCw7jcGXoFVJuK
TLSH:	0003E166F9300989EA6CE0B80FDC0B615D685F61D4854C36B9E3F6178FE30B230966DD
File Content Preview:	.ELF.......................h...4.........4. ...(...........................................`.E.`.E.`....................UPX!.d.........D...D.......U.......?.E.h4...@b..) ..]....E..n\rc.. ....M.4Xk8....I.......K......{.1.Z..9..+nj.....8Y...r\|..{...........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x108068
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x93ac	0x93ac	7.9320	0x5	R E	0x10000
LOAD	0xaf60	0x45af60	0x45af60	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:57:28.666835070 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:28.786861897 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:28.787133932 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:28.864351034 CET	43928	443	192.168.2.23	91.189.91.42
Dec 16, 2024 08:57:29.021192074 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:29.141252995 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:29.141309977 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:29.261135101 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:30.110126972 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:30.110358000 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:30.110358953 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:30.117027998 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:30.236787081 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:30.236896038 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:30.238781929 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:30.358468056 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:30.358536005 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:30.478368998 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:31.559518099 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:31.559830904 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:31.559832096 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:31.560415030 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:31.680315018 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:31.680597067 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:31.681412935 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:31.801424026 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:31.801651955 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:31.921730042 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:33.030785084 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:33.030949116 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:33.030983925 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:33.031477928 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:33.153953075 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:33.154067039 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:33.154897928 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:33.274554968 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:33.274672031 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:33.394486904 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:34.481374979 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:34.481621027 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:34.481621027 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:34.482508898 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:34.602199078 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:34.602308989 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:34.603634119 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:34.723560095 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:34.723773956 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:34.843522072 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:35.309587002 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:35.429383039 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:35.429450035 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:35.442035913 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:35.562632084 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:35.562679052 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:35.682454109 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:35.929713964 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:35.929930925 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:35.929930925 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:35.930557966 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.050277948 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:36.050479889 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.051594019 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.171279907 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:36.171386957 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.291260004 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:36.752084017 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:36.752233028 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.752386093 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.753098011 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.872840881 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:36.873016119 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.874006033 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:36.993768930 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:36.993839025 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.113868952 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:37.397825956 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:37.397892952 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.397942066 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.400970936 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.520925999 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:37.521127939 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.522839069 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.642553091 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:37.642721891 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:37.762502909 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.218452930 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.218568087 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.218622923 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.219264030 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.339118958 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.339365005 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.340310097 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.459995031 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.460196018 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.580043077 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.845655918 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.845855951 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.845855951 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.846302986 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.965985060 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:38.966078043 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:38.967540979 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.087268114 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:39.087405920 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.207137108 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:39.660981894 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:39.661294937 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.661294937 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.662275076 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.782044888 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:39.782183886 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.784284115 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:39.904257059 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:39.904541969 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.024323940 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:40.287306070 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:40.287504911 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.287570953 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.288516045 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.408196926 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:40.408441067 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.409966946 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.529680967 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:40.529941082 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:40.848608971 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.105703115 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.106096029 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.106172085 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.107434988 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.227185965 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.227555990 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.229614973 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.349597931 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.349764109 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.469535112 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.729726076 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.729845047 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.729875088 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.730529070 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.850318909 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.850394011 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.851758957 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:41.971435070 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:41.971534014 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.091602087 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:42.554409981 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:42.554553032 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.554613113 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.555360079 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.675149918 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:42.675380945 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.676290035 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.796039104 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:42.796133995 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:42.915977001 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:43.193372965 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:43.193640947 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:43.193640947 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:43.194825888 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:43.314523935 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:43.315097094 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:43.317713022 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:43.437377930 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:43.437603951 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:43.557419062 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:43.586571932 CET	443	39256	34.249.145.219	192.168.2.23
Dec 16, 2024 08:57:43.587011099 CET	39256	443	192.168.2.23	34.249.145.219
Dec 16, 2024 08:57:43.706855059 CET	443	39256	34.249.145.219	192.168.2.23
Dec 16, 2024 08:57:44.000701904 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:44.000972033 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.001015902 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.001693964 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.121690989 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:44.121876955 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.122970104 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.242820024 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:44.242953062 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.362857103 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:44.638344049 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:44.638508081 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.638597965 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.639436960 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:44.759085894 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:44.759181023 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.447596073 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:45.447906971 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.447906971 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.448843002 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.568614006 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:45.568825006 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.570657969 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.661828995 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.690468073 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:45.690583944 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.781610966 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:45.781702995 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.782883883 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:45.810431957 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:45.902637959 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:45.902862072 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:46.022604942 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:46.893695116 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:46.893817902 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:46.894047976 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:46.894702911 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.014441013 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:47.014616013 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.016932964 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.037636995 CET	42516	80	192.168.2.23	109.202.202.202
Dec 16, 2024 08:57:47.125659943 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:47.125772953 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.125879049 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.126961946 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.136624098 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:47.136694908 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.246922016 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:47.247103930 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.249212027 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.256484985 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:47.369342089 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:47.369709015 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:47.489597082 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:48.338044882 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:48.338315964 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.338367939 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.338906050 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.458686113 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:48.458899975 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.460546017 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.568789005 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:48.568954945 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.569048882 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.569720030 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.580322027 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:48.580391884 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.690387964 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:48.690520048 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:48.700200081 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:49.085469007 CET	43928	443	192.168.2.23	91.189.91.42
Dec 16, 2024 08:57:49.597372055 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.717423916 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:49.717658997 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.720169067 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.782212973 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:49.782361031 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.782452106 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.783063889 CET	51010	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.839915991 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:49.840348005 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.902837992 CET	3778	51010	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:49.902964115 CET	51010	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.904258966 CET	51010	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:49.960284948 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:50.024286032 CET	3778	51010	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:50.024492979 CET	51010	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:50.144531965 CET	3778	51010	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.049809933 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.050256014 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.050333977 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.051326990 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.171117067 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.171394110 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.174117088 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.230859041 CET	3778	51010	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.231215954 CET	51010	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.231259108 CET	51010	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.232166052 CET	51014	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.293883085 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.293984890 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.351906061 CET	3778	51014	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.352106094 CET	51014	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.353636980 CET	51014	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.413863897 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.473398924 CET	3778	51014	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:51.473648071 CET	51014	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:51.593342066 CET	3778	51014	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:52.675941944 CET	3778	51014	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:52.676244020 CET	51014	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:52.676367044 CET	51014	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:52.677294970 CET	51016	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:52.797044039 CET	3778	51016	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:52.797146082 CET	51016	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:52.798259974 CET	51016	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:52.917975903 CET	3778	51016	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:52.918303967 CET	51016	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:53.038096905 CET	3778	51016	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:54.116909981 CET	3778	51016	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:54.117198944 CET	51016	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:54.117198944 CET	51016	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:54.117798090 CET	51018	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:54.237631083 CET	3778	51018	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:54.237876892 CET	51018	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:54.238934994 CET	51018	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:54.358867884 CET	3778	51018	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:54.358983040 CET	51018	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:54.478910923 CET	3778	51018	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:55.559587955 CET	3778	51018	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:55.559935093 CET	51018	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:55.560023069 CET	51018	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:55.560734034 CET	51020	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:55.680593967 CET	3778	51020	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:55.681034088 CET	51020	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:55.682235003 CET	51020	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:55.801966906 CET	3778	51020	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:55.802123070 CET	51020	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:55.922054052 CET	3778	51020	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:57.002425909 CET	3778	51020	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:57.002749920 CET	51020	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:57.002749920 CET	51020	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:57.003469944 CET	51022	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:57.123450994 CET	3778	51022	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:57.123624086 CET	51022	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:57.125021935 CET	51022	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:57.245054960 CET	3778	51022	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:57.245302916 CET	51022	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:57.365185976 CET	3778	51022	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:58.450016022 CET	3778	51022	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:58.450350046 CET	51022	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:58.450443029 CET	51022	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:58.451082945 CET	51024	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:58.570862055 CET	3778	51024	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:58.570934057 CET	51024	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:58.572266102 CET	51024	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:58.692094088 CET	3778	51024	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:58.692186117 CET	51024	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:58.811877012 CET	3778	51024	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:59.894962072 CET	3778	51024	89.169.4.44	192.168.2.23
Dec 16, 2024 08:57:59.895179987 CET	51024	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:59.895179987 CET	51024	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:57:59.896106005 CET	51026	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:00.016263962 CET	3778	51026	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:00.016479969 CET	51026	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:00.018064022 CET	51026	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:00.137880087 CET	3778	51026	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:00.138180017 CET	51026	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:00.258009911 CET	3778	51026	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:01.182991982 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.302958012 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:01.341576099 CET	3778	51026	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:01.341701031 CET	51026	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.341876030 CET	51026	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.342621088 CET	51028	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.462593079 CET	3778	51028	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:01.462752104 CET	51028	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.464103937 CET	51028	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.585645914 CET	3778	51028	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:01.585777044 CET	51028	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.618179083 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:01.618271112 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:01.706583977 CET	3778	51028	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:02.786895037 CET	3778	51028	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:02.787107944 CET	51028	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:02.787107944 CET	51028	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:02.787990093 CET	51030	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:02.907665014 CET	3778	51030	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:02.907824039 CET	51030	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:02.909120083 CET	51030	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:03.028877020 CET	3778	51030	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:03.029112101 CET	51030	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:03.149055958 CET	3778	51030	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:04.229733944 CET	3778	51030	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:04.230113983 CET	51030	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:04.230114937 CET	51030	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:04.231292963 CET	51032	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:04.351135015 CET	3778	51032	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:04.351555109 CET	51032	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:04.353037119 CET	51032	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:04.472815037 CET	3778	51032	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:04.473067999 CET	51032	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:04.592947960 CET	3778	51032	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:05.678777933 CET	3778	51032	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:05.679076910 CET	51032	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:05.679207087 CET	51032	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:05.679969072 CET	51034	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:05.799824953 CET	3778	51034	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:05.800153971 CET	51034	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:05.801825047 CET	51034	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:05.921888113 CET	3778	51034	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:05.922029018 CET	51034	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:06.041953087 CET	3778	51034	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:07.121737957 CET	3778	51034	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:07.121915102 CET	51034	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:07.121958971 CET	51034	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:07.122481108 CET	51036	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:07.242254972 CET	3778	51036	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:07.242563963 CET	51036	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:07.243415117 CET	51036	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:07.363167048 CET	3778	51036	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:07.363353014 CET	51036	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:07.483392954 CET	3778	51036	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:08.570902109 CET	3778	51036	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:08.571144104 CET	51036	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:08.571144104 CET	51036	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:08.571804047 CET	51038	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:08.691855907 CET	3778	51038	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:08.692156076 CET	51038	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:08.693327904 CET	51038	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:08.813429117 CET	3778	51038	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:08.813556910 CET	51038	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:08.933756113 CET	3778	51038	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:10.053082943 CET	3778	51038	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:10.053412914 CET	51038	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:10.053412914 CET	51038	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:10.054100990 CET	51040	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:10.173985004 CET	3778	51040	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:10.174120903 CET	51040	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:10.175421000 CET	51040	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:10.295267105 CET	3778	51040	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:10.295471907 CET	51040	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:10.415666103 CET	3778	51040	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:11.498759031 CET	3778	51040	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:11.499013901 CET	51040	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:11.499059916 CET	51040	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:11.499666929 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:11.619646072 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:11.619775057 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:11.620443106 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:11.740232944 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:11.740377903 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:11.861118078 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:21.629983902 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:21.750202894 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:22.061608076 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:58:22.061944008 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:58:30.039438009 CET	43928	443	192.168.2.23	91.189.91.42
Dec 16, 2024 08:59:01.666040897 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:59:01.786052942 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:59:02.100426912 CET	3778	51012	89.169.4.44	192.168.2.23
Dec 16, 2024 08:59:02.100754023 CET	51012	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:59:22.103843927 CET	51042	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:59:22.224523067 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:59:22.536818981 CET	3778	51042	89.169.4.44	192.168.2.23
Dec 16, 2024 08:59:22.537307978 CET	51042	3778	192.168.2.23	89.169.4.44

System Behavior

Analysis Process: Space.mips.elf PID: 6262, Parent PID: 6188

General

Start time (UTC):	07:57:27
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mips.elf
Arguments:	/tmp/Space.mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 6264, Parent PID: 6262

General

Start time (UTC):	07:57:27
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 6266, Parent PID: 6264

General

Start time (UTC):	07:57:27
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 6267, Parent PID: 6264

General

Start time (UTC):	07:57:27
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 6274, Parent PID: 6262

General

Start time (UTC):	07:57:34
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 6276, Parent PID: 6262

General

Start time (UTC):	07:57:34
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: dash PID: 6281, Parent PID: 4331

General

Start time (UTC):	07:57:42
Start date (UTC):	16/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6281, Parent PID: 4331

General

Start time (UTC):	07:57:42
Start date (UTC):	16/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.drTjJyhArt /tmp/tmp.gkLWWzaWTF /tmp/tmp.zTIoASQolq
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6282, Parent PID: 4331

General

Start time (UTC):	07:57:42
Start date (UTC):	16/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6282, Parent PID: 4331

General

Start time (UTC):	07:57:42
Start date (UTC):	16/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.drTjJyhArt /tmp/tmp.gkLWWzaWTF /tmp/tmp.zTIoASQolq
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.mips.elf PID: 6262, Parent PID: 6188

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 6264, Parent PID: 6262

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 6266, Parent PID: 6264

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 6267, Parent PID: 6264

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 6274, Parent PID: 6262

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 6276, Parent PID: 6262

General

Chronological Activities

Analysis Process: dash PID: 6281, Parent PID: 4331

General

Chronological Activities

Linux Analysis Report
Space.mips.elf