Edit tour

Linux Analysis Report
dbus.elf

Overview

General Information

Sample name:	dbus.elf
Analysis ID:	1579014
MD5:	89282100982e5f4dc24ce6dff1690346
SHA1:	610a2ce20b7a81e059c9a79f6da19dd3fbd34fa0
SHA256:	ff0e1d1cd4f5cde24a3cb9ad571e92f8fa795aa9b42c829aeaeae2a6b8b020ae
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Found Tor onion address

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "ps" command used to list the status of processes

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579014
Start date and time:	2024-12-20 17:40:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dbus.elf
Detection:	MAL
Classification:	mal56.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/dbus.elf
PID:	6239
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:	2024/12/20 10:40:59 Processo udiskssd no encontrado. Tentando reexecutar... 2024/12/20 10:40:59 Erro ao executar minerador diretamente: exec: "udiskssd": executable file not found in $PATH 2024/12/20 10:41:00 Erro ao buscar URL atualizado ou link invlido 2024/12/20 10:41:01 Erro ao contar instncias do processo: exit status 1 2024/12/20 10:41:14 Processo udiskssd no encontrado. Tentando reexecutar... 2024/12/20 10:41:14 Erro ao executar minerador diretamente: exec: "udiskssd": executable file not found in $PATH 2024/12/20 10:41:15 Erro ao buscar URL atualizado ou link invlido 2024/12/20 10:41:17 Erro ao contar instncias do processo: exit status 1 2024/12/20 10:41:29 Processo udiskssd no encontrado. Tentando reexecutar... 2024/12/20 10:41:29 Erro ao executar minerador diretamente: exec: "udiskssd": executable file not found in $PATH 2024/12/20 10:41:30 Erro ao buscar URL atualizado ou link invlido 2024/12/20 10:41:31 Erro ao contar instncias do processo: exit status 1

Process Tree

system is lnxubuntu20

dbus.elf (PID: 6239, Parent: 6161, MD5: 89282100982e5f4dc24ce6dff1690346) Arguments: /tmp/dbus.elf

dbus.elf New Fork (PID: 6243, Parent: 6239)

ps (PID: 6243, Parent: 6239, MD5: ab48054475a6f70f8e7fa847331f3327) Arguments: ps axo pid,comm,pcpu

dbus.elf New Fork (PID: 6244, Parent: 6239)

pgrep (PID: 6244, Parent: 6239, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep -x udiskssd

dbus.elf New Fork (PID: 6247, Parent: 6239)

pgrep (PID: 6247, Parent: 6239, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep -c udiskssd

dbus.elf New Fork (PID: 6253, Parent: 6239)

ps (PID: 6253, Parent: 6239, MD5: ab48054475a6f70f8e7fa847331f3327) Arguments: ps axo pid,comm,pcpu

dbus.elf New Fork (PID: 6254, Parent: 6239)

pgrep (PID: 6254, Parent: 6239, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep -x udiskssd

dbus.elf New Fork (PID: 6277, Parent: 6239)

pgrep (PID: 6277, Parent: 6239, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep -c udiskssd

dbus.elf New Fork (PID: 6282, Parent: 6239)

ps (PID: 6282, Parent: 6239, MD5: ab48054475a6f70f8e7fa847331f3327) Arguments: ps axo pid,comm,pcpu

dbus.elf New Fork (PID: 6285, Parent: 6239)

pgrep (PID: 6285, Parent: 6239, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep -x udiskssd

dbus.elf New Fork (PID: 6286, Parent: 6239)

pgrep (PID: 6286, Parent: 6239, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep -c udiskssd

dbus.elf New Fork (PID: 6292, Parent: 6239)

ps (PID: 6292, Parent: 6239, MD5: ab48054475a6f70f8e7fa847331f3327) Arguments: ps axo pid,comm,pcpu

cleanup

String found in binary or memory: m=nil base , val X25519%w%.0wuint16uint32uint64structchan<-<-chan ValueAcceptServernetdnsdomaingophertelnetlisten.onionndots:ip+netsocketCommonhangupkilled/proc/errno splicerdtscppopcntcmd/goheaderAnswerLengthSTREETavx512rdrandrdseedUpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECT (trap 19531259765625TuesdayJanuaryOctoberfloat32float64forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 58340 -> 3693
Source: unknown	Network traffic detected: HTTP traffic on port 58342 -> 3693
Source: unknown	Network traffic detected: HTTP traffic on port 58344 -> 3693

Source: global traffic

TCP traffic: 192.168.2.23:58340 -> 107.172.88.151:3693

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.88.151
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: global traffic	HTTP traffic detected: GET /get-url HTTP/1.1Host: 107.172.88.151:3693User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /get-url HTTP/1.1Host: 107.172.88.151:3693User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /get-url HTTP/1.1Host: 107.172.88.151:3693User-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:3693
Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:3693/get-url
Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:3693/get-urlexec:
Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:3693/get-urlhttp://107.172.88.151:3693/get-url2024/12/20
Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:3693/usr/local/sbin/udiskssd/usr/lib/secure/udiskssd/var/tmp/config_daemon/udi
Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:36932024/12/20
Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: http://107.172.88.151:3693GET

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.evad.linELF@0/0@0/0

Source: ELF file section

Submission: dbus.elf

Source: /bin/pgrep (PID: 6285)	File opened: /proc/1582/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/3088/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/230/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/230/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/110/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/110/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/231/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/231/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/111/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/111/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/232/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/232/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1579/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/112/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/112/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/233/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/233/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1699/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/113/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/113/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/234/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/234/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1335/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1698/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/114/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/114/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/235/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/235/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1334/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1576/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/2302/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/115/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/115/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/236/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/236/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/116/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/116/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/237/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/237/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/117/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/117/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/118/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/118/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/910/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/910/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/119/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/119/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/912/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/912/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/10/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/10/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/2307/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/11/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/11/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/918/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/918/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/12/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/12/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/13/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/13/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/14/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/14/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/15/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/15/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/16/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/16/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/17/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/17/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/18/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/18/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1594/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/120/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/120/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/121/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/121/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1349/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/1/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/122/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/122/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/243/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/243/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/123/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/123/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/2/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/2/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/124/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/124/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/3/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/3/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/4/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/4/cmdline	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/125/status	Jump to behavior
Source: /bin/pgrep (PID: 6285)	File opened: /proc/125/cmdline	Jump to behavior

Source: /tmp/dbus.elf (PID: 6243)	Ps executable: /bin/ps -> ps axo pid,comm,pcpu	Jump to behavior
Source: /tmp/dbus.elf (PID: 6253)	Ps executable: /bin/ps -> ps axo pid,comm,pcpu	Jump to behavior
Source: /tmp/dbus.elf (PID: 6282)	Ps executable: /bin/ps -> ps axo pid,comm,pcpu	Jump to behavior
Source: /tmp/dbus.elf (PID: 6292)	Ps executable: /bin/ps -> ps axo pid,comm,pcpu	Jump to behavior

Source: /bin/ps (PID: 6243)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /bin/ps (PID: 6253)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /bin/ps (PID: 6282)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /bin/ps (PID: 6292)	Reads from proc file: /proc/meminfo	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 58340 -> 3693
Source: unknown	Network traffic detected: HTTP traffic on port 58342 -> 3693
Source: unknown	Network traffic detected: HTTP traffic on port 58344 -> 3693

Source: /bin/pgrep (PID: 6244)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /bin/pgrep (PID: 6247)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /bin/pgrep (PID: 6254)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /bin/pgrep (PID: 6277)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /bin/pgrep (PID: 6285)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /bin/pgrep (PID: 6286)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp

Binary or memory string: 721 vmtoolsd 0.2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	1 Ingress Tool Transfer	Data Transfer Size Limits	Service Stop

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dbus.elf	32%	ReversingLabs	Win32.Trojan.Generic

Name	Malicious	Antivirus Detection	Reputation
http://107.172.88.151:3693/get-url	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://107.172.88.151:3693	dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	unknown
http://107.172.88.151:3693/get-urlhttp://107.172.88.151:3693/get-url2024/12/20	dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	unknown
http://107.172.88.151:3693/get-urlexec:	dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	unknown
http://107.172.88.151:3693/usr/local/sbin/udiskssd/usr/lib/secure/udiskssd/var/tmp/config_daemon/udi	dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	unknown
http://107.172.88.151:3693GET	dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	unknown
http://107.172.88.151:36932024/12/20	dbus.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.172.88.151	unknown	United States	36352	AS-COLOCROSSINGUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.172.88.151	AI7f43Z7AC.exe	Get hash	malicious	Unknown	Browse	107.172.88.151:3693/get-url-win
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	fenty.arm4.elf	Get hash	malicious	Mirai	Browse
	CONSTANT_STRATEGY.elf	Get hash	malicious	Sliver	Browse
	10000.elf	Get hash	malicious	Unknown	Browse
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse
	gnjqwpc.elf	Get hash	malicious	Mirai	Browse
	copy_netaddr.elf	Get hash	malicious	Xmrig	Browse
	wiewa64.elf	Get hash	malicious	Mirai	Browse
	njvwa4.elf	Get hash	malicious	Mirai	Browse
	wrjkngh4.elf	Get hash	malicious	Mirai	Browse
	woega6.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	fenty.arm4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	CONSTANT_STRATEGY.elf	Get hash	malicious	Sliver	Browse	91.189.91.42
	10000.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	gnjqwpc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	copy_netaddr.elf	Get hash	malicious	Xmrig	Browse	91.189.91.42
	wiewa64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	wkb86.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	njvwa4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	wrjkngh4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
AS-COLOCROSSINGUS	cB1ItKbbhY.msi	Get hash	malicious	Unknown	Browse	23.94.207.151
	tTdMHr6SlJ.dll	Get hash	malicious	Unknown	Browse	23.94.207.151
	e5mIhMkcj5.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	PVKDyWHOaX.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	RcFBMph6zu.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	tTdMHr6SlJ.dll	Get hash	malicious	Unknown	Browse	23.94.207.151
	e5mIhMkcj5.exe	Get hash	malicious	Unknown	Browse	23.94.207.151
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	107.174.209.17
	uctgkfb7.exe	Get hash	malicious	XWorm	Browse	192.210.175.202
	file.exe	Get hash	malicious	Remcos	Browse	107.173.4.16
INIT7CH	fenty.arm4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	CONSTANT_STRATEGY.elf	Get hash	malicious	Sliver	Browse	109.202.202.202
	10000.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	gnjqwpc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	copy_netaddr.elf	Get hash	malicious	Xmrig	Browse	109.202.202.202
	wiewa64.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	njvwa4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	wrjkngh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	woega6.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=wHNpBASXUQTlIKIQT1Y7/b7VbUY7Gjk02LB7P0PXR/U8Aojfug2dk2HTUa_U2t/kT43g35hV1_VmqIOBlJn, stripped
Entropy (8bit):	6.226180706643571
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	dbus.elf
File size:	4'948'120 bytes
MD5:	89282100982e5f4dc24ce6dff1690346
SHA1:	610a2ce20b7a81e059c9a79f6da19dd3fbd34fa0
SHA256:	ff0e1d1cd4f5cde24a3cb9ad571e92f8fa795aa9b42c829aeaeae2a6b8b020ae
SHA512:	0a665e856ffc66eefc3563da31a2b0aac1cc2eb4eba35d9b381282946d72e6bc530552f4e7bfcd3d4dd7a4824f8a566a39b05c57069f506a41d3be65df43e142
SSDEEP:	49152:mKGGrlmcbl3/hS/rybEXsyCjRqpPZ6s5x5EYhcguvW/j8dwi:QpcbhJLDRqP0yEYh/Yr
TLSH:	4A363B07EC9545E5C0AEE6318662D253BA717C485B3023D33FA0F7292F76BD0AAB9714
File Content Preview:	.ELF..............>.......F.....@...................@.8...@.............@.......@.@.....@.@.....P.......P.................................@.......@.....d.......d.................................@.......@.....{z#.....{z#.......................#.......c....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x46d9a0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	6
Section Header Offset:	400
Section Header Size:	64
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x401000	0x1000	0x236a7b	0x0	0x6	AX	32
.rodata	PROGBITS	0x638000	0x238000	0xf1567	0x0	0x2	A	32
.typelink	PROGBITS	0x729580	0x329580	0x1668	0x0	0x2	A	32
.itablink	PROGBITS	0x72ac00	0x32ac00	0x848	0x0	0x2	A	32
.gosymtab	PROGBITS	0x72b448	0x32b448	0x0	0x0	0x2	A	1
.gopclntab	PROGBITS	0x72b460	0x32b460	0x159cf0	0x0	0x2	A	32
.go.buildinfo	PROGBITS	0x886000	0x486000	0xf0	0x0	0x3	WA	16
.noptrdata	PROGBITS	0x886100	0x486100	0x26842	0x0	0x3	WA	32
.data	PROGBITS	0x8ac960	0x4ac960	0xa9d0	0x0	0x3	WA	32
.bss	NOBITS	0x8b7340	0x4b7340	0x61d30	0x0	0x3	WA	32
.noptrbss	NOBITS	0x919080	0x519080	0x6700	0x0	0x3	WA	32
.note.go.buildid	NOTE	0x400f9c	0xf9c	0x64	0x0	0x2	A	4
.shstrtab	STRTAB	0x0	0x4b8000	0x98	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
PHDR	0x40	0x400040	0x400040	0x150	0x150	1.7117	0x4	R	0x1000
NOTE	0xf9c	0x400f9c	0x400f9c	0x64	0x64	5.2598	0x4	R	0x4	.note.go.buildid
LOAD	0x0	0x400000	0x400000	0x237a7b	0x237a7b	6.2006	0x5	R E	0x1000	.text .note.go.buildid
LOAD	0x238000	0x638000	0x638000	0x24d150	0x24d150	5.6726	0x4	R	0x1000	.rodata .typelink .itablink .gosymtab .gopclntab
LOAD	0x486000	0x886000	0x886000	0x31340	0x99780	5.4471	0x6	RW	0x1000	.go.buildinfo .noptrdata .data .bss .noptrbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 17:40:54.127785921 CET	43928	443	192.168.2.23	91.189.91.42
Dec 20, 2024 17:40:59.502840042 CET	42836	443	192.168.2.23	91.189.91.43
Dec 20, 2024 17:40:59.537585020 CET	58340	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:40:59.657471895 CET	3693	58340	107.172.88.151	192.168.2.23
Dec 20, 2024 17:40:59.657752991 CET	58340	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:40:59.660732985 CET	58340	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:40:59.780672073 CET	3693	58340	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:00.582024097 CET	3693	58340	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:00.582667112 CET	58340	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:00.584243059 CET	58340	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:00.704132080 CET	3693	58340	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:01.038614035 CET	42516	80	192.168.2.23	109.202.202.202
Dec 20, 2024 17:41:14.837482929 CET	58342	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:14.960921049 CET	3693	58342	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:14.961124897 CET	58342	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:14.963249922 CET	58342	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:15.086863041 CET	3693	58342	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:15.372618914 CET	43928	443	192.168.2.23	91.189.91.42
Dec 20, 2024 17:41:16.013242006 CET	3693	58342	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:16.015171051 CET	58342	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:16.134895086 CET	3693	58342	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:25.611309052 CET	42836	443	192.168.2.23	91.189.91.43
Dec 20, 2024 17:41:29.773122072 CET	58344	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:29.892784119 CET	3693	58344	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:29.893099070 CET	58344	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:29.895190001 CET	58344	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:30.016489029 CET	3693	58344	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:30.825978041 CET	3693	58344	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:30.826339960 CET	58344	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:30.828073978 CET	58344	3693	192.168.2.23	107.172.88.151
Dec 20, 2024 17:41:30.947871923 CET	3693	58344	107.172.88.151	192.168.2.23
Dec 20, 2024 17:41:31.754216909 CET	42516	80	192.168.2.23	109.202.202.202
Dec 20, 2024 17:41:56.326914072 CET	43928	443	192.168.2.23	91.189.91.42
Dec 20, 2024 17:42:16.803942919 CET	42836	443	192.168.2.23	91.189.91.43

HTTP Request Dependency Graph

107.172.88.151:3693

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	58340	107.172.88.151	3693

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:40:59.660732985 CET	119	OUT	GET /get-url HTTP/1.1 Host: 107.172.88.151:3693 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	58342	107.172.88.151	3693

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:41:14.963249922 CET	119	OUT	GET /get-url HTTP/1.1 Host: 107.172.88.151:3693 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.23	58344	107.172.88.151	3693

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:41:29.895190001 CET	119	OUT	GET /get-url HTTP/1.1 Host: 107.172.88.151:3693 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip

System Behavior

Analysis Process: dbus.elf PID: 6239, Parent PID: 6161

General

Start time (UTC):	16:40:55
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	/tmp/dbus.elf
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:40:55
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:40:55
Start date (UTC):	20/12/2024
Path:	/bin/ps
Arguments:	ps axo pid,comm,pcpu
File size:	137688 bytes
MD5 hash:	ab48054475a6f70f8e7fa847331f3327

Start time (UTC):	16:40:57
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:40:57
Start date (UTC):	20/12/2024
Path:	/bin/pgrep
Arguments:	pgrep -x udiskssd
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time (UTC):	16:41:00
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:00
Start date (UTC):	20/12/2024
Path:	/bin/pgrep
Arguments:	pgrep -c udiskssd
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time (UTC):	16:41:10
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:10
Start date (UTC):	20/12/2024
Path:	/bin/ps
Arguments:	ps axo pid,comm,pcpu
File size:	137688 bytes
MD5 hash:	ab48054475a6f70f8e7fa847331f3327

Start time (UTC):	16:41:12
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:12
Start date (UTC):	20/12/2024
Path:	/bin/pgrep
Arguments:	pgrep -x udiskssd
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time (UTC):	16:41:15
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:15
Start date (UTC):	20/12/2024
Path:	/bin/pgrep
Arguments:	pgrep -c udiskssd
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time (UTC):	16:41:26
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:26
Start date (UTC):	20/12/2024
Path:	/bin/ps
Arguments:	ps axo pid,comm,pcpu
File size:	137688 bytes
MD5 hash:	ab48054475a6f70f8e7fa847331f3327

Start time (UTC):	16:41:27
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:27
Start date (UTC):	20/12/2024
Path:	/bin/pgrep
Arguments:	pgrep -x udiskssd
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time (UTC):	16:41:30
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:30
Start date (UTC):	20/12/2024
Path:	/bin/pgrep
Arguments:	pgrep -c udiskssd
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time (UTC):	16:41:40
Start date (UTC):	20/12/2024
Path:	/tmp/dbus.elf
Arguments:	-
File size:	4948120 bytes
MD5 hash:	89282100982e5f4dc24ce6dff1690346

Start time (UTC):	16:41:40
Start date (UTC):	20/12/2024
Path:	/bin/ps
Arguments:	ps axo pid,comm,pcpu
File size:	137688 bytes
MD5 hash:	ab48054475a6f70f8e7fa847331f3327

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dbus.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: dbus.elf PID: 6239, Parent PID: 6161

General

Chronological Activities

Analysis Process: dbus.elf PID: 6243, Parent PID: 6239

General

Chronological Activities

Analysis Process: ps PID: 6243, Parent PID: 6239

General

Chronological Activities

Analysis Process: dbus.elf PID: 6244, Parent PID: 6239

General

Chronological Activities

Analysis Process: pgrep PID: 6244, Parent PID: 6239

General

Chronological Activities

Analysis Process: dbus.elf PID: 6247, Parent PID: 6239

General

Chronological Activities

Linux Analysis Report
dbus.elf