Edit tour

Linux Analysis Report
mips.elf

Overview

General Information

Sample name:	mips.elf
Analysis ID:	1583603
MD5:	8114962499a4fb37d15a636e3676d572
SHA1:	edf095bad33e88bd9d21a1690a601232317ce351
SHA256:	afe1cc80e06d92bbe16070b220541a5edad0a767c9cf8aa566dc914a6ab66d60
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583603
Start date and time:	2025-01-03 07:52:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mips.elf
Detection:	MAL
Classification:	mal48.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/mips.elf
PID:	6228
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

mips.elf (PID: 6228, Parent: 6151, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.elf

mips.elf New Fork (PID: 6230, Parent: 6228)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mips.elf

ReversingLabs: Detection: 15%

Source: global traffic

TCP traffic: 192.168.2.23:50742 -> 85.239.34.134:31337

Source: /tmp/mips.elf (PID: 6228)

Socket: 0.0.0.0:3142

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@0/0

Source: /tmp/mips.elf (PID: 6228)

Queries kernel information via 'uname':

Jump to behavior

Source: mips.elf, 6228.1.000055d69f144000.000055d69f1cb000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: mips.elf, 6228.1.000055d69f144000.000055d69f1cb000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 6228.1.00007ffdc2fff000.00007ffdc3020000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 6228.1.00007ffdc2fff000.00007ffdc3020000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mips.elf	16%	ReversingLabs	Linux.Backdoor.Gafgyt

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
85.239.34.134	unknown	Russian Federation	134121	RAINBOW-HKRainbownetworklimitedHK	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.239.34.134	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	arm7.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Mirai	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	141.11.33.73-boatnet.arm-2025-01-03T05_39_17.elf	Get hash	malicious	Mirai	Browse
	arm5.elf	Get hash	malicious	Mirai	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Mirai	Browse
	ARMV6L.elf	Get hash	malicious	Unknown	Browse
	MIPS.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	arm7.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Mirai	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	141.11.33.73-boatnet.arm-2025-01-03T05_39_17.elf	Get hash	malicious	Mirai	Browse
	arm5.elf	Get hash	malicious	Mirai	Browse
	i.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Mirai	Browse
	ARMV6L.elf	Get hash	malicious	Unknown	Browse
	MIPS.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RAINBOW-HKRainbownetworklimitedHK	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	45.138.161.76
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	45.138.161.75
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	45.138.161.71
	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	mpsl.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm5.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	ppc.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	mips.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
CANONICAL-ASGB	arm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86_64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	141.11.33.73-boatnet.arm-2025-01-03T05_39_17.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	ARMV6L.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	MIPS.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	arm7.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_64.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	141.11.33.73-boatnet.arm-2025-01-03T05_39_17.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mpsl.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	ARMV6L.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	MIPS.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.236046755299733
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mips.elf
File size:	31'008 bytes
MD5:	8114962499a4fb37d15a636e3676d572
SHA1:	edf095bad33e88bd9d21a1690a601232317ce351
SHA256:	afe1cc80e06d92bbe16070b220541a5edad0a767c9cf8aa566dc914a6ab66d60
SHA512:	d26126c76be19a3459fb1d50e4b4de18d9fe32ff2b2f82e85a0d314608bbe335a2d720a16ccf56e2c8c91e79d5dbf0d1f31367c9d3e724253f4a99b30ae87ec3
SSDEEP:	768:i0EYhmzU2uGP/C4iMsWJ+LT7KmnO4djH/mNwM:nhmz9uGC4iZKDk/mp
TLSH:	07D2725A6F228BECF75DC1380BB30A258269329522E5D5C4E27CE5051F3464FA84FFE8
File Content Preview:	.ELF.....................@.....4..vx.....4. ...(.............@...@....n...n...............p..@p..@p.......3...............pD.@pD.@pD................dt.Q............................<...'......!'.......................<...'......!........'9... .............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400290
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	30328
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	16

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000b4	0xb4	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400140	0x140	0x6960	0x0	0x6	AX	16
.fini	PROGBITS	0x406aa0	0x6aa0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x406b00	0x6b00	0x3f0	0x0	0x2	A	16
.eh_frame	PROGBITS	0x407000	0x7000	0x44	0x0	0x3	WA	4
.tbss	NOBITS	0x407044	0x7044	0x8	0x0	0x403	WAT	4
.ctors	PROGBITS	0x407044	0x7044	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x40704c	0x704c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x407054	0x7054	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x407058	0x7058	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x407060	0x7060	0x148	0x0	0x3	WA	16
.got	PROGBITS	0x4071b0	0x71b0	0x44c	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x4075fc	0x75fc	0x28	0x0	0x10000003	WAp	4
.bss	NOBITS	0x407630	0x75fc	0x2dcc	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x7bc	0x75fc	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x75fc	0x79	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x6ef0	0x6ef0	5.3725	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x7000	0x407000	0x407000	0x5fc	0x33fc	2.7181	0x6	RW	0x1000	.eh_frame .tbss .ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
TLS	0x7044	0x407044	0x407044	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 07:52:52.519531965 CET	50742	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:52.524486065 CET	31337	50742	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:52.524557114 CET	50742	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:52.524909019 CET	50742	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:52.529690027 CET	31337	50742	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:53.236615896 CET	31337	50742	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:53.237188101 CET	50742	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:53.237246037 CET	50742	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:53.242005110 CET	31337	50742	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:55.105034113 CET	43928	443	192.168.2.23	91.189.91.42
Jan 3, 2025 07:52:59.238343954 CET	50744	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:59.243212938 CET	31337	50744	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:59.243295908 CET	50744	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:59.243319035 CET	50744	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:59.248037100 CET	31337	50744	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:59.959348917 CET	31337	50744	85.239.34.134	192.168.2.23
Jan 3, 2025 07:52:59.959609985 CET	50744	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:52:59.964406013 CET	31337	50744	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:00.480077028 CET	42836	443	192.168.2.23	91.189.91.43
Jan 3, 2025 07:53:02.271920919 CET	42516	80	192.168.2.23	109.202.202.202
Jan 3, 2025 07:53:06.960490942 CET	50746	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:06.965415001 CET	31337	50746	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:06.965511084 CET	50746	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:06.965533972 CET	50746	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:06.970309973 CET	31337	50746	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:07.657396078 CET	31337	50746	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:07.657840967 CET	50746	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:07.662643909 CET	31337	50746	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:12.659307003 CET	50748	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:12.664176941 CET	31337	50748	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:12.664273024 CET	50748	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:12.664316893 CET	50748	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:12.669044971 CET	31337	50748	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:13.363527060 CET	31337	50748	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:13.363806009 CET	50748	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:13.368581057 CET	31337	50748	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:15.581989050 CET	43928	443	192.168.2.23	91.189.91.42
Jan 3, 2025 07:53:19.364360094 CET	50750	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:19.369105101 CET	31337	50750	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:19.369179964 CET	50750	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:19.369196892 CET	50750	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:19.373948097 CET	31337	50750	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:20.096026897 CET	31337	50750	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:20.096230030 CET	50750	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:20.100959063 CET	31337	50750	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:27.097207069 CET	50752	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:27.273047924 CET	31337	50752	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:27.273108006 CET	50752	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:27.273124933 CET	50752	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:27.277870893 CET	31337	50752	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:27.868266106 CET	42836	443	192.168.2.23	91.189.91.43
Jan 3, 2025 07:53:27.980261087 CET	31337	50752	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:27.980345964 CET	50752	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:27.985148907 CET	31337	50752	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:31.963613987 CET	42516	80	192.168.2.23	109.202.202.202
Jan 3, 2025 07:53:36.981278896 CET	50754	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:36.986159086 CET	31337	50754	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:36.986217022 CET	50754	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:36.986246109 CET	50754	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:36.991065025 CET	31337	50754	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:37.678783894 CET	31337	50754	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:37.679122925 CET	50754	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:37.683984041 CET	31337	50754	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:43.681031942 CET	50756	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:43.686012983 CET	31337	50756	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:43.686069965 CET	50756	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:43.686110973 CET	50756	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:43.690857887 CET	31337	50756	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:44.428877115 CET	31337	50756	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:44.429131985 CET	50756	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:44.433990002 CET	31337	50756	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:52.430845976 CET	50758	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:52.435786009 CET	31337	50758	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:52.435870886 CET	50758	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:52.435939074 CET	50758	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:52.440648079 CET	31337	50758	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:53.147733927 CET	31337	50758	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:53.147861958 CET	50758	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:53:53.152802944 CET	31337	50758	85.239.34.134	192.168.2.23
Jan 3, 2025 07:53:56.536262989 CET	43928	443	192.168.2.23	91.189.91.42
Jan 3, 2025 07:54:01.148855925 CET	50760	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:01.153750896 CET	31337	50760	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:01.153803110 CET	50760	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:01.153829098 CET	50760	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:01.158576012 CET	31337	50760	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:01.873569012 CET	31337	50760	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:01.873687983 CET	50760	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:01.878473997 CET	31337	50760	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:06.875524998 CET	50762	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:06.880348921 CET	31337	50762	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:06.880393028 CET	50762	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:06.880419970 CET	50762	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:06.885149002 CET	31337	50762	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:07.592096090 CET	31337	50762	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:07.592206955 CET	50762	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:07.596977949 CET	31337	50762	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:13.593527079 CET	50764	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:13.598592997 CET	31337	50764	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:13.598649979 CET	50764	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:13.598676920 CET	50764	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:13.603493929 CET	31337	50764	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:14.327884912 CET	31337	50764	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:14.328068972 CET	50764	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:14.332910061 CET	31337	50764	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:19.329523087 CET	50766	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:19.334474087 CET	31337	50766	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:19.334522009 CET	50766	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:19.334543943 CET	50766	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:19.339284897 CET	31337	50766	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:20.035917997 CET	31337	50766	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:20.036055088 CET	50766	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:20.041176081 CET	31337	50766	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:28.037693977 CET	50768	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:28.042552948 CET	31337	50768	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:28.042650938 CET	50768	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:28.042731047 CET	50768	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:28.047456026 CET	31337	50768	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:28.752939939 CET	31337	50768	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:28.753209114 CET	50768	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:28.758018017 CET	31337	50768	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:34.754878044 CET	50770	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:34.759782076 CET	31337	50770	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:34.759836912 CET	50770	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:34.759855986 CET	50770	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:34.765788078 CET	31337	50770	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:35.554883003 CET	31337	50770	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:35.555013895 CET	50770	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:35.559865952 CET	31337	50770	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:43.555771112 CET	50772	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:43.561104059 CET	31337	50772	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:43.561187029 CET	50772	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:43.561264038 CET	50772	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:43.565972090 CET	31337	50772	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:44.280205965 CET	31337	50772	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:44.280311108 CET	50772	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:44.285109043 CET	31337	50772	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:52.281454086 CET	50774	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:52.286412001 CET	31337	50774	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:52.286474943 CET	50774	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:52.286514044 CET	50774	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:52.291297913 CET	31337	50774	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:52.981475115 CET	31337	50774	85.239.34.134	192.168.2.23
Jan 3, 2025 07:54:52.981671095 CET	50774	31337	192.168.2.23	85.239.34.134
Jan 3, 2025 07:54:52.986512899 CET	31337	50774	85.239.34.134	192.168.2.23

System Behavior

Analysis Process: mips.elf PID: 6228, Parent PID: 6151

General

Start time (UTC):	06:52:51
Start date (UTC):	03/01/2025
Path:	/tmp/mips.elf
Arguments:	/tmp/mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 6230, Parent PID: 6228

General

Start time (UTC):	06:52:51
Start date (UTC):	03/01/2025
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mips.elf PID: 6228, Parent PID: 6151

General

Chronological Activities

Analysis Process: mips.elf PID: 6230, Parent PID: 6228

General

Chronological Activities

Linux Analysis Report
mips.elf