Edit tour

Linux Analysis Report
dlr.mpsl.elf

Overview

General Information

Sample name:	dlr.mpsl.elf
Analysis ID:	1582178
MD5:	9c9ac80ea8741a896f4efea0be51fcb2
SHA1:	3b0525e66b3045fb492ac183367d1f52dd71b9e9
SHA256:	9a076e55a638997f9e83677fa47539c788b3904231da51425341be59fb52a97a
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

HTTP GET or POST without a user agent

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582178
Start date and time:	2024-12-30 03:30:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dlr.mpsl.elf
Detection:	MAL
Classification:	mal48.linELF@0/1@0/0

Warnings

Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Runtime Messages

Command:	/tmp/dlr.mpsl.elf
PID:	5435
Exit Code:	5
Exit Code Info:
Killed:	False
Standard Output:	NIGGY RAY
Standard Error:

Process Tree

system is lnxubuntu20

dlr.mpsl.elf (PID: 5435, Parent: 5356, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/dlr.mpsl.elf

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dlr.mpsl.elf	Virustotal: Detection: 31%			Perma Link
Source: dlr.mpsl.elf	ReversingLabs: Detection: 39%

Source: global traffic

HTTP traffic detected: GET /mpsl HTTP/1.0Data Raw: 00 00 52 41 59 0a 00 00 00 00 00 00 Data Ascii: RAY

Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 103.188.82.218

Source: global traffic

HTTP traffic detected: GET /mpsl HTTP/1.0Data Raw: 00 00 52 41 59 0a 00 00 00 00 00 00 Data Ascii: RAY

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/1@0/0

Source: /tmp/dlr.mpsl.elf (PID: 5435)

File written: /tmp/Galaxy

Jump to dropped file

Source: /tmp/dlr.mpsl.elf (PID: 5435)

Queries kernel information via 'uname':

Jump to behavior

Source: dlr.mpsl.elf, 5435.1.000055e37735e000.000055e3773e5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: dlr.mpsl.elf, 5435.1.000055e37735e000.000055e3773e5000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: dlr.mpsl.elf, 5435.1.00007ffcd79e6000.00007ffcd7a07000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/dlr.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dlr.mpsl.elf
Source: dlr.mpsl.elf, 5435.1.00007ffcd79e6000.00007ffcd7a07000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dlr.mpsl.elf	32%	Virustotal		Browse
dlr.mpsl.elf	39%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/tmp/Galaxy	11%	ReversingLabs	Linux.Trojan.Mirai
/tmp/Galaxy	54%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.188.82.218	unknown	unknown		7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.188.82.218	dlr.mips.elf	Get hash	malicious	Unknown	Browse	/mips
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	/arm7
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse	/arm6
185.125.190.26	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm6.elf	Get hash	malicious	Unknown	Browse
	Aqua.arm4.elf	Get hash	malicious	Unknown	Browse
	Aqua.ppc.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse
	armv6l.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	.Sarm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zmap.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	.Smpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	.Sm68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	dlr.mips.elf	Get hash	malicious	Unknown	Browse	103.188.82.218
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	103.188.82.218
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse	103.188.82.218
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	103.187.127.118
	star.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	103.187.81.199
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	157.85.109.58
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	103.177.151.232
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	103.183.119.78
	4qOTcmSTSq.exe	Get hash	malicious	Unknown	Browse	103.8.70.183
	https://fsharetv.co/	Get hash	malicious	Unknown	Browse	103.67.200.64

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/Galaxy

Download File

Process:	/tmp/dlr.mpsl.elf
File Type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	89592
Entropy (8bit):	5.5067875693022295
Encrypted:	false
SSDEEP:	1536:xfiTTxk17uiHT15IKODOH0lstOk+guZBZq387JSJNgcfEMnpS:ViTdkFuSTTOlBg+BecwnpS
MD5:	525D304E17F85BF01A6394C78B4D3E26
SHA1:	723EDEECC90990BE009CFA2732AD3F088BEAC5F0
SHA-256:	36B4F8C1C40E347F5FF188DFB7807A04772EE591E881C8F2A9C4F6DAEF19D230
SHA-512:	F5AE3E8E9EF2D57B6FEC9E037344FDC8E89779497B3FC04623373891B14F6433D2C4922FB608BF1E60BC81EE31C623D7D183F4EA8C353B3CB1FC328188459B6E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11% Antivirus: Virustotal, Detection: 54%, Browse
Reputation:	low
Preview:	.ELF....................`.@.4....[......4. ...(...............@...@..Q...Q...............Q...QE..QE.p...4Z..........Q.td...............................<<.'!......'.......................<..'!... .........9'.. ........................<..'!............99'.. ......................... ..'...<..'!......' ........................[".......@..............R........Y....... ...B$.. ..R...R........Y....... ...B$.........@....$............. ..Q.$.......$.[". ...............(..'...<..'!......'.........................Q.$..@..[.$.. ......................R........@..R.$.. ........... . ..'............ ..'....!..............<d.'!...!..............'...$$.....'H....................... ......... ............................<..'!......'0...,...(...$... ...............P...!...!......0...0H..... ....$......P.......@.....0...,...(...$... ...............8..'P......... ...........P.......@.........L..... ...................... .........! @........... ....$.................. .! ............ .........

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	4.716905446595837
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	dlr.mpsl.elf
File size:	2'016 bytes
MD5:	9c9ac80ea8741a896f4efea0be51fcb2
SHA1:	3b0525e66b3045fb492ac183367d1f52dd71b9e9
SHA256:	9a076e55a638997f9e83677fa47539c788b3904231da51425341be59fb52a97a
SHA512:	efcc5e6740122cf12ee460d0e5578dc624f2cd0ec584e048054c8920a1223ed941285ea0e20cb4cdaa233451ba6adcbeb714e5ef9992021ff258b6f94807d9a2
SSDEEP:	48:kff2nNnuDW3B6df9HOScTLmPkOTNFSXZ:kffUnuqYf9uS4LmrT+J
TLSH:	F841121E6F801F37DD66CC36058B275139CC842BA16A63926334ED60BD3E605E7D38A8
File Content Preview:	.ELF......................@.4...........4. ...(...............@...@.@...@...............@...@.D.@.D.T...p...........Q.td...........................................0.,...&..% .....0...0% ...2..%0...".....0.......0.....6..%.C.%0......%.F....<D..'!...\...!(.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4004e4
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	1736
Section Header Size:	40
Number of Section Headers:	7
Header String Table Index:	6

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x4000a0	0xa0	0x560	0x0	0x6	AX	16
.rodata	PROGBITS	0x400600	0x600	0x40	0x1	0x32	AMS	4
.got	PROGBITS	0x440640	0x640	0x54	0x4	0x10000003	WAp	16
.bss	NOBITS	0x4406a0	0x694	0x10	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x48	0x694	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x694	0x31	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x640	0x640	5.0103	0x5	R E	0x10000	.text .rodata
LOAD	0x640	0x440640	0x440640	0x54	0x70	2.6125	0x6	RW	0x10000	.got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 03:30:59.214306116 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:30:59.219233036 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:30:59.219286919 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:30:59.220451117 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:30:59.225265980 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156136036 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156157970 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156169891 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156181097 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156192064 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156203985 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156215906 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156220913 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156234026 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156245947 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.156253099 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156253099 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.156285048 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.161113024 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.161127090 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.161145926 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.161145926 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.409912109 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.409928083 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.409939051 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.409967899 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.409967899 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.409986019 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.418833971 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.418844938 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.418854952 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.418873072 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.418873072 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.418884039 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.436723948 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.436737061 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.436747074 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.436758995 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.436758995 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.436770916 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.454381943 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.454397917 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.454406977 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.454417944 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.454417944 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.454433918 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.472206116 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.472218037 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.472228050 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.472242117 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.472253084 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.472258091 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.489835024 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.489845037 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.489855051 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.489892006 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.490902901 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.507781029 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.507791996 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.507802010 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.509289026 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.525465012 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.525475979 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.525487900 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.526218891 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.543127060 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.543139935 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.543150902 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.545362949 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.561078072 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.561088085 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.561099052 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.561682940 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.663563967 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.663578033 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.663590908 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.663609982 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.672641039 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.672653913 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.672663927 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.674993038 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.690386057 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.690398932 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.690408945 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.690942049 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.708002090 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.708012104 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.708023071 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.710436106 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.725989103 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.726001024 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.726011038 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.727106094 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.743546963 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.743558884 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.743568897 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.743788004 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.761415958 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.761426926 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.761497974 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.761512995 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.762947083 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.779495955 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.779508114 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.779520035 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.781723976 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.798242092 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.798250914 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.798255920 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.798266888 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.799412966 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.812947989 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.812958956 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.812974930 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.814048052 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.827966928 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.827975988 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.828548908 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.834861040 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.834871054 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.834882021 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.837093115 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.849282026 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.849292040 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.849302053 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.849793911 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.863445044 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.863456011 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.863466024 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.865039110 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.877691031 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.877701998 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.877711058 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.877768040 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.891808987 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.891824961 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.893102884 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.939229965 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:00.944122076 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.944134951 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.944147110 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:00.945511103 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:02.129395008 CET	41030	80	192.168.2.13	103.188.82.218
Dec 30, 2024 03:31:02.134290934 CET	80	41030	103.188.82.218	192.168.2.13
Dec 30, 2024 03:31:11.053858042 CET	48202	443	192.168.2.13	185.125.190.26
Dec 30, 2024 03:31:43.309909105 CET	48202	443	192.168.2.13	185.125.190.26

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.13	41030	103.188.82.218	80

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 03:30:59.220451117 CET	46	OUT	GET /mpsl HTTP/1.0 Data Raw: 00 00 52 41 59 0a 00 00 00 00 00 00 Data Ascii: RAY
Dec 30, 2024 03:31:00.156136036 CET	1236	IN	HTTP/1.0 200 OK Accept-Ranges: bytes Content-Length: 89592 Content-Type: application/octet-stream Last-Modified: Wed, 25 Dec 2024 10:50:34 GMT Date: Mon, 30 Dec 2024 02:30:59 GMT Data Raw: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 08 00 01 00 00 00 60 02 40 00 34 00 00 00 c8 5b 01 00 07 10 00 00 34 00 20 00 03 00 28 00 0e 00 0d 00 01 00 00 00 00 00 00 00 00 00 40 00 00 00 40 00 f0 51 01 00 f0 51 01 00 05 00 00 00 00 00 01 00 01 00 00 00 f4 51 01 00 f4 51 45 00 f4 51 45 00 70 09 00 00 34 5a 00 00 06 00 00 00 00 00 01 00 51 e5 74 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 04 00 00 00 06 00 1c 3c 3c d5 9c 27 21 e0 99 03 e0 ff bd 27 10 00 bc af 1c 00 bf af 18 00 bc af 01 00 11 04 00 00 00 00 06 00 1c 3c 18 d5 9c 27 21 e0 9f 03 20 80 99 8f 00 00 00 00 dc 01 39 27 09 f8 20 03 00 00 00 00 10 00 bc 8f 00 00 00 00 01 00 11 04 00 00 00 00 06 00 1c 3c e8 d4 9c 27 21 e0 9f 03 1c 80 99 8f 00 00 00 00 90 39 39 27 09 f8 20 03 00 00 00 00 10 00 bc 8f 00 00 00 00 1c 00 bf 8f 00 00 00 00 08 00 e0 03 20 00 bd 27 06 00 1c 3c b0 d4 9c 27 21 e0 99 03 d8 ff bd 27 20 00 bf af 1c 00 b1 af 18 00 b0 af 10 00 bc af 18 80 91 8f 00 00 00 00 80 5b 22 92 00 00 00 00 1d 00 [TRUNCATED] Data Ascii: ELF`@4[4 (@@QQQQEQEp4ZQtd<<'!'<'! 9' <'!99' '<'!' ["@RY B$ RRY B$@$ Q$$[" ('<'!'Q$@[$ R@R$ ' '!<d'!!'$$'H <'!'0,($ P!!00H $P@0,($ 8'P P@L ! @ $ ! [TRUNCATED]
Dec 30, 2024 03:31:00.156157970 CET	1236	IN	Data Raw: 00 46 90 00 00 00 00 16 00 c0 18 00 00 00 00 04 84 82 8f 00 00 00 00 00 00 43 8c 00 00 00 00 00 00 64 8c 00 00 00 00 04 00 82 90 00 00 00 00 10 00 51 10 21 28 00 00 08 00 00 10 01 00 a5 24 04 00 64 8c 00 00 00 00 04 00 82 90 00 00 00 00 08 00 51 Data Ascii: FCdQ!($dQc$$ ! !(! @!0` !8<,'!000F$!@bc$%!(`!
Dec 30, 2024 03:31:00.156169891 CET	1236	IN	Data Raw: 00 04 a2 08 00 05 24 09 f8 20 03 01 00 04 24 10 00 bc 8f 00 00 05 92 70 82 83 8f 70 83 99 8f 21 88 40 00 00 00 44 8e 02 00 02 24 80 28 05 00 00 00 23 ae 04 00 22 a2 09 f8 20 03 04 00 a5 24 00 00 04 92 10 00 bc 8f 80 18 04 00 24 84 99 8f 21 18 62 Data Ascii: $ $pp!@D$(#" $$!b$qB$ $p!@D$(#" $$!b$qB$ $p!@D$(#
Dec 30, 2024 03:31:00.156181097 CET	1236	IN	Data Raw: 00 b1 a3 24 18 50 00 10 00 bc 8f 31 01 60 04 00 ff 02 24 94 83 99 8f 00 00 00 00 09 f8 20 03 29 00 a3 a3 24 18 50 00 10 00 bc 8f 25 01 60 04 00 ff 02 24 94 83 99 8f 00 00 00 00 09 f8 20 03 2a 00 a3 a3 24 18 50 00 10 00 bc 8f 19 01 60 04 00 ff 02 Data Ascii: $P1`$ )$P%`$ *$P`$$+,$=$-.0$$/0$$12$D$34{$#$569$$78$$9:$$<=$$>@$
Dec 30, 2024 03:31:00.156192064 CET	1236	IN	Data Raw: 18 62 00 d9 fe 00 10 01 00 63 24 ff ff 63 24 25 18 62 00 cd fe 00 10 01 00 63 24 06 00 1c 3c 50 c3 9c 27 21 e0 99 03 70 ff bd 27 8c 00 bf af 88 00 be af 84 00 b7 af 80 00 b6 af 7c 00 b5 af 78 00 b4 af 74 00 b3 af 70 00 b2 af 6c 00 b1 af 68 00 b0 Data Ascii: bc$c$%bc$<P'!p'\|xtplh('`:H$!0!0!00%%$ ) 6'
Dec 30, 2024 03:31:00.156203985 CET	431	IN	Data Raw: 00 43 30 00 1a 03 00 02 12 02 00 18 00 bc 8f 25 98 43 00 20 00 b4 27 0b 00 00 10 ff 00 15 3c 10 00 50 8e 60 85 99 8f 28 00 b0 af 21 20 20 02 24 00 a5 27 09 f8 20 03 10 00 06 24 18 00 bc 8f 3e 00 40 04 00 00 00 00 c4 83 99 8f 04 00 03 24 01 00 02 Data Ascii: C0%C '<P`(! $' $>@$$!8! 4$ $$ !0H)@!@C$ c,$`&P $ 2F."%e%%!$
Dec 30, 2024 03:31:00.156215906 CET	1236	IN	Data Raw: ff 00 92 30 64 00 a5 af 21 20 40 02 04 00 05 24 21 80 e0 00 09 f8 20 03 ff 00 d1 30 10 00 bc 8f 21 20 40 02 24 84 99 8f 04 00 05 24 09 f8 20 03 21 a8 40 00 10 00 bc 8f 21 20 20 02 84 82 99 8f 21 28 00 02 07 00 06 24 ff ff 07 34 09 f8 20 03 21 a0 Data Ascii: 0d! @$! 0! @$$ !@! !($4 !@B0! !($4 0! !(!0$ W0! !($$ S04 $(!2%b
Dec 30, 2024 03:31:00.156220913 CET	1236	IN	Data Raw: ec 83 83 8f 84 82 99 8f 00 00 67 8c 03 16 02 00 19 00 06 24 21 20 20 02 21 28 00 02 09 f8 20 03 28 00 a2 af 18 00 bc 8f 38 00 a2 af 84 82 99 8f 21 20 20 02 21 28 00 02 21 30 00 00 09 f8 20 03 00 02 07 24 21 f0 40 00 79 05 42 28 18 00 bc 8f 02 00 Data Ascii: g$! !( (8! !(!0 $!@yB(@$$$ $$P4$$4 !($ 'PW2 '2C02"*%b%!$$
Dec 30, 2024 03:31:00.156234026 CET	1236	IN	Data Raw: 5c 00 a2 af 18 00 bc 8f ff 00 42 30 84 82 99 8f 21 28 00 02 03 00 06 24 ff ff 07 34 21 20 20 02 09 f8 20 03 54 00 a2 af 18 00 bc 8f 21 28 00 02 84 82 99 8f 21 20 20 02 04 00 06 24 40 00 07 24 09 f8 20 03 21 b0 40 00 18 00 bc 8f ff 00 42 30 84 82 Data Ascii: \B0!($4! T!(! $@$ !@B0!(! $$ P!($4! L!(! $4 !@!(! !0$ !@!(! $$ H
Dec 30, 2024 03:31:00.156245947 CET	1236	IN	Data Raw: 00 00 00 00 80 00 b0 12 00 00 00 00 40 00 a4 8f 00 00 00 00 84 00 80 10 00 00 00 00 10 00 22 8e 00 00 00 00 10 00 42 ae 44 00 a2 8f 00 00 00 00 87 00 40 14 00 00 00 00 c8 82 99 8f 21 20 20 02 14 00 05 24 09 f8 20 03 0a 00 20 a6 18 00 bc 8f 21 20 Data Ascii: @"BD@! $ ! @"$ @Bf`! @!(` ` @!# b! %$t$d@$!( ! d$*
Dec 30, 2024 03:31:00.161113024 CET	1236	IN	Data Raw: 25 10 44 00 25 80 03 02 10 00 bc 8f 25 80 02 02 04 00 30 ae 60 85 99 8f 00 00 44 8e 21 28 20 02 09 f8 20 03 10 00 06 24 04 00 52 26 10 00 bc 8f b4 ff 74 16 18 00 31 26 ff ff 80 1a 00 00 00 00 21 98 00 00 21 90 00 00 54 82 99 8f 21 10 56 02 64 00 Data Ascii: %D%%0`D!( $R&t1&!!T!Vd$Q $P0! !(!\D!( !0@$ s&tR&! "TPLHD@<840

System Behavior

Analysis Process: dlr.mpsl.elf PID: 5435, Parent PID: 5356

General

Start time (UTC):	02:30:58
Start date (UTC):	30/12/2024
Path:	/tmp/dlr.mpsl.elf
Arguments:	/tmp/dlr.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dlr.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/Galaxy

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTP Packets

System Behavior

Analysis Process: dlr.mpsl.elf PID: 5435, Parent PID: 5356

General

Chronological Activities

Linux Analysis Report
dlr.mpsl.elf