Edit tour

Linux Analysis Report
vlxx.x86.elf

Overview

General Information

Sample name:	vlxx.x86.elf
Analysis ID:	1579426
MD5:	d4cf6488e7baf5ea3a0bed7e606d6672
SHA1:	f07a4bff745edbe4dca57202387404a970f2a6f2
SHA256:	effa9d68ed18240064ada35145f885db1203582298926ff348b3b6f2c47c38e8
Tags:	user-elfdigest
Infos:

Detection

Mirai, Okiru

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Mirai

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579426
Start date and time:	2024-12-22 09:44:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	vlxx.x86.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/0@20/0

Runtime Messages

Command:	/tmp/vlxx.x86.elf
PID:	5842
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

vlxx.x86.elf (PID: 5842, Parent: 5765, MD5: d4cf6488e7baf5ea3a0bed7e606d6672) Arguments: /tmp/vlxx.x86.elf

vlxx.x86.elf New Fork (PID: 5843, Parent: 5842)

vlxx.x86.elf New Fork (PID: 5844, Parent: 5843)

vlxx.x86.elf New Fork (PID: 5845, Parent: 5843)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vlxx.x86.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
vlxx.x86.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
vlxx.x86.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
vlxx.x86.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf738:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf74c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf760:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf774:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf788:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf79c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf800:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf814:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf828:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf83c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf850:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf864:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf878:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf88c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf8a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf8b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf8c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
vlxx.x86.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
vlxx.x86.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x86c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
vlxx.x86.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x4fd2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
vlxx.x86.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xb698:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
vlxx.x86.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x9f39:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
vlxx.x86.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x4fa2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5842.1.0000000008048000.000000000805a000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5842.1.0000000008048000.000000000805a000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5842.1.0000000008048000.000000000805a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf738:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf74c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf760:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf774:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf788:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf79c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf7ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf800:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf814:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf828:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf83c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf850:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf864:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf878:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf88c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf8a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf8b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf8c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x86c5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x4fd2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xb698:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x9f39:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5842.1.0000000008048000.000000000805a000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x4fa2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: vlxx.x86.elf PID: 5842	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: vlxx.x86.elf PID: 5842	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: vlxx.x86.elf PID: 5842	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: vlxx.x86.elf PID: 5842	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x547:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x55b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x56f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x583:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x597:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x623:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x637:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x64b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x65f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x673:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x687:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 9 entries

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-22T09:45:29.869840+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58814	147.93.12.224	42597	TCP
2024-12-22T09:45:35.248299+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58816	147.93.12.224	42597	TCP
2024-12-22T09:45:40.635269+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58818	147.93.12.224	42597	TCP
2024-12-22T09:45:46.012971+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58820	147.93.12.224	42597	TCP
2024-12-22T09:45:51.390259+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58822	147.93.12.224	42597	TCP
2024-12-22T09:46:02.770043+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58824	147.93.12.224	42597	TCP
2024-12-22T09:46:10.148324+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58826	147.93.12.224	42597	TCP
2024-12-22T09:46:17.638736+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58828	147.93.12.224	42597	TCP
2024-12-22T09:46:26.131552+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58830	147.93.12.224	42597	TCP
2024-12-22T09:46:29.510231+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58832	147.93.12.224	42597	TCP
2024-12-22T09:46:37.902992+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58834	147.93.12.224	42597	TCP
2024-12-22T09:46:40.280285+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58836	147.93.12.224	42597	TCP
2024-12-22T09:46:42.657589+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58838	147.93.12.224	42597	TCP
2024-12-22T09:46:53.035159+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58840	147.93.12.224	42597	TCP
2024-12-22T09:46:58.400061+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58842	147.93.12.224	42597	TCP
2024-12-22T09:47:05.775610+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58844	147.93.12.224	42597	TCP
2024-12-22T09:47:10.154713+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58846	147.93.12.224	42597	TCP
2024-12-22T09:47:20.533379+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58848	147.93.12.224	42597	TCP
2024-12-22T09:47:25.900253+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58850	147.93.12.224	42597	TCP
2024-12-22T09:47:34.291723+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	58852	147.93.12.224	42597	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vlxx.x86.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: vlxx.x86.elf	Virustotal: Detection: 60%			Perma Link
Source: vlxx.x86.elf	ReversingLabs: Detection: 65%

Machine Learning detection for sample

Source: vlxx.x86.elf

Joe Sandbox ML: detected

Source: vlxx.x86.elf

String: HTTP/1.1 200 OKcundi.armcundi.arm5cundi.arm6cundi.arm7cundi.mipscundi.mpslcundi.x86_64cundi.sh4/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverwgetcurlecho/proc/proc/%d/cmdlineabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58818 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58816 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58830 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58826 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58814 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58820 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58834 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58842 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58838 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58822 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58836 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58844 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58852 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58828 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58846 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58832 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58840 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58848 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58824 -> 147.93.12.224:42597
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:58850 -> 147.93.12.224:42597

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.93.12.224 ports 42597,2,4,5,7,9

Source: global traffic

TCP traffic: 192.168.2.15:58814 -> 147.93.12.224:42597

Source: global traffic

DNS traffic detected: DNS query: era-bot.zapto.org

System Summary

Malicious sample detected (through community Yara rule)

Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: vlxx.x86.elf PID: 5842, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKcundi.armcundi.arm5cundi.arm6cundi.arm7cundi.mipscundi.mpslcundi.x86_64cundi.sh4/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverwgetcurlecho/proc/proc/%d/cmdlineabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: vlxx.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: vlxx.x86.elf PID: 5842, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/0@20/0

Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/5827/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/5826/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/133/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/264/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/265/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/145/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/266/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/267/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/268/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/269/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/1806/cmdline	Jump to behavior
Source: /tmp/vlxx.x86.elf (PID: 5845)	File opened: /proc/5843/cmdline	Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: vlxx.x86.elf, type: SAMPLE
Source: Yara match	File source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlxx.x86.elf PID: 5842, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: vlxx.x86.elf, type: SAMPLE
Source: Yara match	File source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlxx.x86.elf PID: 5842, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Mirai

Source: Yara match	File source: vlxx.x86.elf, type: SAMPLE
Source: Yara match	File source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlxx.x86.elf PID: 5842, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: vlxx.x86.elf, type: SAMPLE
Source: Yara match	File source: 5842.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlxx.x86.elf PID: 5842, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vlxx.x86.elf	61%	Virustotal		Browse
vlxx.x86.elf	66%	ReversingLabs	Linux.Backdoor.Mirai
vlxx.x86.elf	100%	Avira	EXP/ELF.Mirai.Z.A
vlxx.x86.elf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
era-bot.zapto.org	147.93.12.224	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.93.12.224	era-bot.zapto.org	Belgium		6122	ICN-ASUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.93.12.224	vlxx.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	vlxx.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse
	vlxx.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	vlxx.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
era-bot.zapto.org	vlxx.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	147.93.12.224
	vlxx.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224
	vlxx.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ICN-ASUS	vlxx.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224
	vlxx.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	147.93.12.224
	vlxx.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224
	vlxx.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	147.93.12.224
	nshkarm.elf	Get hash	malicious	Mirai	Browse	165.206.43.167
	nshkppc.elf	Get hash	malicious	Mirai	Browse	207.165.106.243
	nshmips.elf	Get hash	malicious	Mirai	Browse	209.56.145.193
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	165.206.8.54
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	147.93.240.115

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.710723858709366
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	vlxx.x86.elf
File size:	89'672 bytes
MD5:	d4cf6488e7baf5ea3a0bed7e606d6672
SHA1:	f07a4bff745edbe4dca57202387404a970f2a6f2
SHA256:	effa9d68ed18240064ada35145f885db1203582298926ff348b3b6f2c47c38e8
SHA512:	b1d37c3e32f5e01d9c556aff5ee4612f9eeedd60908d34e43b38190fa57042a6137fda57e6ce4a909696bc39f9815c9aaae6c5de2aaf8431a198828d098e51f4
SSDEEP:	1536:sUYl80AvyebhzEzASUR3JIaJi7M3gLkiNgKVL4GRUS3tkDNB7:sUYq0ovNHSe3JIPIWkDKVEeBMn7
TLSH:	2A937DC5F243D0F5EC8705B15137AF379B33E0B91029EA43C3696972ECA1951EA16BAC
File Content Preview:	.ELF....................d...4....\......4. ...(......................................................G..8...........Q.td............................U..S.......o$...h........[]...$.............U......=.....t..5....$......$.......u........t....h............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	89272
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xf1a6	0x0	0x6	AX	16
.fini	PROGBITS	0x8057256	0xf256	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8057280	0xf280	0x2270	0x0	0x2	A	32
.ctors	PROGBITS	0x805a4f4	0x114f4	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x805a500	0x11500	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805a520	0x11520	0x4758	0x0	0x3	WA	32
.bss	NOBITS	0x805ec80	0x15c78	0x49ac	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x15c78	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x114f0	0x114f0	6.5836	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x114f4	0x805a4f4	0x805a4f4	0x4784	0x9138	0.3650	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-22T09:45:29.869840+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58814	147.93.12.224	42597	TCP
2024-12-22T09:45:35.248299+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58816	147.93.12.224	42597	TCP
2024-12-22T09:45:40.635269+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58818	147.93.12.224	42597	TCP
2024-12-22T09:45:46.012971+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58820	147.93.12.224	42597	TCP
2024-12-22T09:45:51.390259+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58822	147.93.12.224	42597	TCP
2024-12-22T09:46:02.770043+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58824	147.93.12.224	42597	TCP
2024-12-22T09:46:10.148324+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58826	147.93.12.224	42597	TCP
2024-12-22T09:46:17.638736+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58828	147.93.12.224	42597	TCP
2024-12-22T09:46:26.131552+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58830	147.93.12.224	42597	TCP
2024-12-22T09:46:29.510231+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58832	147.93.12.224	42597	TCP
2024-12-22T09:46:37.902992+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58834	147.93.12.224	42597	TCP
2024-12-22T09:46:40.280285+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58836	147.93.12.224	42597	TCP
2024-12-22T09:46:42.657589+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58838	147.93.12.224	42597	TCP
2024-12-22T09:46:53.035159+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58840	147.93.12.224	42597	TCP
2024-12-22T09:46:58.400061+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58842	147.93.12.224	42597	TCP
2024-12-22T09:47:05.775610+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58844	147.93.12.224	42597	TCP
2024-12-22T09:47:10.154713+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58846	147.93.12.224	42597	TCP
2024-12-22T09:47:20.533379+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58848	147.93.12.224	42597	TCP
2024-12-22T09:47:25.900253+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58850	147.93.12.224	42597	TCP
2024-12-22T09:47:34.291723+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	58852	147.93.12.224	42597	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2024 09:45:29.750097990 CET	58814	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:29.869626999 CET	42597	58814	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:29.869786024 CET	58814	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:29.869839907 CET	58814	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:29.989299059 CET	42597	58814	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:30.990530014 CET	42597	58814	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:30.990612030 CET	58814	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:31.110223055 CET	42597	58814	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:35.128364086 CET	58816	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:35.248132944 CET	42597	58816	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:35.248210907 CET	58816	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:35.248298883 CET	58816	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:35.367862940 CET	42597	58816	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:36.376915932 CET	42597	58816	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:36.377063990 CET	58816	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:36.496587038 CET	42597	58816	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:40.515466928 CET	58818	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:40.635054111 CET	42597	58818	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:40.635198116 CET	58818	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:40.635268927 CET	58818	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:40.754806995 CET	42597	58818	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:41.758202076 CET	42597	58818	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:41.758285046 CET	58818	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:41.877799988 CET	42597	58818	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:45.893146992 CET	58820	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:46.012809992 CET	42597	58820	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:46.012938976 CET	58820	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:46.012970924 CET	58820	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:46.132447958 CET	42597	58820	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:47.135428905 CET	42597	58820	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:47.135570049 CET	58820	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:47.255166054 CET	42597	58820	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:51.270474911 CET	58822	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:51.390027046 CET	42597	58822	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:51.390175104 CET	58822	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:51.390259027 CET	58822	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:51.509835958 CET	42597	58822	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:52.511414051 CET	42597	58822	147.93.12.224	192.168.2.15
Dec 22, 2024 09:45:52.511537075 CET	58822	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:45:52.631160021 CET	42597	58822	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:02.647406101 CET	58824	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:02.769917011 CET	42597	58824	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:02.770042896 CET	58824	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:02.770042896 CET	58824	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:02.889703989 CET	42597	58824	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:03.892654896 CET	42597	58824	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:03.892817974 CET	58824	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:04.012824059 CET	42597	58824	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:10.028460026 CET	58826	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:10.148159027 CET	42597	58826	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:10.148323059 CET	58826	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:10.148324013 CET	58826	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:10.267987013 CET	42597	58826	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:11.268975019 CET	42597	58826	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:11.269114971 CET	58826	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:11.388673067 CET	42597	58826	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:17.518963099 CET	58828	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:17.638619900 CET	42597	58828	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:17.638705969 CET	58828	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:17.638736010 CET	58828	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:17.758296013 CET	42597	58828	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:18.760056973 CET	42597	58828	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:18.760303974 CET	58828	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:18.879959106 CET	42597	58828	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:26.011611938 CET	58830	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:26.131371975 CET	42597	58830	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:26.131551981 CET	58830	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:26.131551981 CET	58830	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:26.251245022 CET	42597	58830	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:27.254324913 CET	42597	58830	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:27.254462957 CET	58830	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:27.374165058 CET	42597	58830	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:29.390429974 CET	58832	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:29.510149956 CET	42597	58832	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:29.510231018 CET	58832	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:29.510231018 CET	58832	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:29.629889965 CET	42597	58832	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:30.632283926 CET	42597	58832	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:30.632452965 CET	58832	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:30.752316952 CET	42597	58832	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:37.783328056 CET	58834	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:37.902879953 CET	42597	58834	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:37.902967930 CET	58834	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:37.902992010 CET	58834	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:38.022623062 CET	42597	58834	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:39.024209976 CET	42597	58834	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:39.024329901 CET	58834	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:39.144157887 CET	42597	58834	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:40.160634041 CET	58836	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:40.280184984 CET	42597	58836	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:40.280266047 CET	58836	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:40.280284882 CET	58836	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:40.399825096 CET	42597	58836	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:41.401607990 CET	42597	58836	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:41.401731968 CET	58836	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:41.521258116 CET	42597	58836	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:42.537316084 CET	58838	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:42.657469988 CET	42597	58838	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:42.657569885 CET	58838	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:42.657588959 CET	58838	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:42.777122021 CET	42597	58838	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:43.778593063 CET	42597	58838	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:43.778701067 CET	58838	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:43.898163080 CET	42597	58838	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:52.915108919 CET	58840	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:53.035057068 CET	42597	58840	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:53.035159111 CET	58840	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:53.035159111 CET	58840	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:53.154784918 CET	42597	58840	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:54.155998945 CET	42597	58840	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:54.156124115 CET	58840	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:54.275747061 CET	42597	58840	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:58.280427933 CET	58842	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:58.399950027 CET	42597	58842	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:58.400060892 CET	58842	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:58.400060892 CET	58842	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:58.519598961 CET	42597	58842	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:59.520220041 CET	42597	58842	147.93.12.224	192.168.2.15
Dec 22, 2024 09:46:59.520355940 CET	58842	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:46:59.639894962 CET	42597	58842	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:05.655994892 CET	58844	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:05.775504112 CET	42597	58844	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:05.775609970 CET	58844	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:05.775609970 CET	58844	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:05.895185947 CET	42597	58844	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:06.899558067 CET	42597	58844	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:06.899760008 CET	58844	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:07.019289017 CET	42597	58844	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:10.035084963 CET	58846	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:10.154604912 CET	42597	58846	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:10.154712915 CET	58846	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:10.154712915 CET	58846	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:10.274280071 CET	42597	58846	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:11.277174950 CET	42597	58846	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:11.277326107 CET	58846	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:11.397057056 CET	42597	58846	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:20.413698912 CET	58848	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:20.533258915 CET	42597	58848	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:20.533377886 CET	58848	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:20.533379078 CET	58848	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:20.653008938 CET	42597	58848	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:21.655556917 CET	42597	58848	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:21.655716896 CET	58848	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:21.775249004 CET	42597	58848	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:25.780498028 CET	58850	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:25.900075912 CET	42597	58850	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:25.900252104 CET	58850	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:25.900253057 CET	58850	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:26.020299911 CET	42597	58850	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:27.022166014 CET	42597	58850	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:27.022275925 CET	58850	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:27.141830921 CET	42597	58850	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:34.171925068 CET	58852	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:34.291615009 CET	42597	58852	147.93.12.224	192.168.2.15
Dec 22, 2024 09:47:34.291692972 CET	58852	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:34.291723013 CET	58852	42597	192.168.2.15	147.93.12.224
Dec 22, 2024 09:47:34.411962032 CET	42597	58852	147.93.12.224	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2024 09:45:29.600027084 CET	60266	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:45:29.749838114 CET	53	60266	8.8.8.8	192.168.2.15
Dec 22, 2024 09:45:34.993801117 CET	53898	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:45:35.128165007 CET	53	53898	8.8.8.8	192.168.2.15
Dec 22, 2024 09:45:40.380386114 CET	43612	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:45:40.514440060 CET	53	43612	8.8.8.8	192.168.2.15
Dec 22, 2024 09:45:45.759251118 CET	44105	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:45:45.892963886 CET	53	44105	8.8.8.8	192.168.2.15
Dec 22, 2024 09:45:51.136508942 CET	53564	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:45:51.270339966 CET	53	53564	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:02.512887955 CET	54855	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:02.647217035 CET	53	54855	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:09.894368887 CET	48339	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:10.028311968 CET	53	48339	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:17.270613909 CET	44117	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:17.518841028 CET	53	44117	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:25.761739016 CET	46209	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:26.011414051 CET	53	46209	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:29.256180048 CET	56537	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:29.390279055 CET	53	56537	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:37.634067059 CET	59324	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:37.783149958 CET	53	59324	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:40.025935888 CET	51666	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:40.160490990 CET	53	51666	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:42.403392076 CET	50897	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:42.537184000 CET	53	50897	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:52.780369997 CET	49675	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:52.914997101 CET	53	49675	8.8.8.8	192.168.2.15
Dec 22, 2024 09:46:58.157766104 CET	49154	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:46:58.280293941 CET	53	49154	8.8.8.8	192.168.2.15
Dec 22, 2024 09:47:05.521936893 CET	59929	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:47:05.655837059 CET	53	59929	8.8.8.8	192.168.2.15
Dec 22, 2024 09:47:09.901248932 CET	58089	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:47:10.034970045 CET	53	58089	8.8.8.8	192.168.2.15
Dec 22, 2024 09:47:20.278727055 CET	58602	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:47:20.413585901 CET	53	58602	8.8.8.8	192.168.2.15
Dec 22, 2024 09:47:25.657542944 CET	59542	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:47:25.780365944 CET	53	59542	8.8.8.8	192.168.2.15
Dec 22, 2024 09:47:34.023561954 CET	53183	53	192.168.2.15	8.8.8.8
Dec 22, 2024 09:47:34.171827078 CET	53	53183	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 22, 2024 09:45:29.600027084 CET	192.168.2.15	8.8.8.8	0x21d5	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:34.993801117 CET	192.168.2.15	8.8.8.8	0xbca	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:40.380386114 CET	192.168.2.15	8.8.8.8	0xa17b	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:45.759251118 CET	192.168.2.15	8.8.8.8	0x68e6	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:51.136508942 CET	192.168.2.15	8.8.8.8	0x2c92	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:02.512887955 CET	192.168.2.15	8.8.8.8	0xbcf7	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:09.894368887 CET	192.168.2.15	8.8.8.8	0xef52	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:17.270613909 CET	192.168.2.15	8.8.8.8	0xfd5c	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:25.761739016 CET	192.168.2.15	8.8.8.8	0x12ce	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:29.256180048 CET	192.168.2.15	8.8.8.8	0x5aec	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:37.634067059 CET	192.168.2.15	8.8.8.8	0xf604	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:40.025935888 CET	192.168.2.15	8.8.8.8	0xa7c9	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:42.403392076 CET	192.168.2.15	8.8.8.8	0x7e97	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:52.780369997 CET	192.168.2.15	8.8.8.8	0x328	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:58.157766104 CET	192.168.2.15	8.8.8.8	0xcabe	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:05.521936893 CET	192.168.2.15	8.8.8.8	0x7b43	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:09.901248932 CET	192.168.2.15	8.8.8.8	0x6911	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:20.278727055 CET	192.168.2.15	8.8.8.8	0xeb06	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:25.657542944 CET	192.168.2.15	8.8.8.8	0xed71	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:34.023561954 CET	192.168.2.15	8.8.8.8	0x43da	Standard query (0)	era-bot.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 22, 2024 09:45:29.749838114 CET	8.8.8.8	192.168.2.15	0x21d5	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:35.128165007 CET	8.8.8.8	192.168.2.15	0xbca	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:40.514440060 CET	8.8.8.8	192.168.2.15	0xa17b	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:45.892963886 CET	8.8.8.8	192.168.2.15	0x68e6	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:45:51.270339966 CET	8.8.8.8	192.168.2.15	0x2c92	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:02.647217035 CET	8.8.8.8	192.168.2.15	0xbcf7	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:10.028311968 CET	8.8.8.8	192.168.2.15	0xef52	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:17.518841028 CET	8.8.8.8	192.168.2.15	0xfd5c	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:26.011414051 CET	8.8.8.8	192.168.2.15	0x12ce	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:29.390279055 CET	8.8.8.8	192.168.2.15	0x5aec	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:37.783149958 CET	8.8.8.8	192.168.2.15	0xf604	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:40.160490990 CET	8.8.8.8	192.168.2.15	0xa7c9	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:42.537184000 CET	8.8.8.8	192.168.2.15	0x7e97	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:52.914997101 CET	8.8.8.8	192.168.2.15	0x328	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:46:58.280293941 CET	8.8.8.8	192.168.2.15	0xcabe	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:05.655837059 CET	8.8.8.8	192.168.2.15	0x7b43	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:10.034970045 CET	8.8.8.8	192.168.2.15	0x6911	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:20.413585901 CET	8.8.8.8	192.168.2.15	0xeb06	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:25.780365944 CET	8.8.8.8	192.168.2.15	0xed71	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false
Dec 22, 2024 09:47:34.171827078 CET	8.8.8.8	192.168.2.15	0x43da	No error (0)	era-bot.zapto.org	147.93.12.224	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: vlxx.x86.elf PID: 5842, Parent PID: 5765

General

Start time (UTC):	08:45:28
Start date (UTC):	22/12/2024
Path:	/tmp/vlxx.x86.elf
Arguments:	/tmp/vlxx.x86.elf
File size:	89672 bytes
MD5 hash:	d4cf6488e7baf5ea3a0bed7e606d6672

Start time (UTC):	08:45:28
Start date (UTC):	22/12/2024
Path:	/tmp/vlxx.x86.elf
Arguments:	-
File size:	89672 bytes
MD5 hash:	d4cf6488e7baf5ea3a0bed7e606d6672

Start time (UTC):	08:45:28
Start date (UTC):	22/12/2024
Path:	/tmp/vlxx.x86.elf
Arguments:	-
File size:	89672 bytes
MD5 hash:	d4cf6488e7baf5ea3a0bed7e606d6672

Start time (UTC):	08:45:28
Start date (UTC):	22/12/2024
Path:	/tmp/vlxx.x86.elf
Arguments:	-
File size:	89672 bytes
MD5 hash:	d4cf6488e7baf5ea3a0bed7e606d6672

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report vlxx.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: vlxx.x86.elf PID: 5842, Parent PID: 5765

General

Chronological Activities

Analysis Process: vlxx.x86.elf PID: 5843, Parent PID: 5842

General

Chronological Activities

Analysis Process: vlxx.x86.elf PID: 5844, Parent PID: 5843

General

Chronological Activities

Analysis Process: vlxx.x86.elf PID: 5845, Parent PID: 5843

General

Chronological Activities

Linux Analysis Report
vlxx.x86.elf