Edit tour

Linux Analysis Report
bot.x86.elf

Overview

General Information

Sample name:	bot.x86.elf
Analysis ID:	1584002
MD5:	a1dd69ef6e61882be9f64655205ce00f
SHA1:	d65112d59513e52804ec23a8d760c924c8d9c640
SHA256:	904a4a5c2dd5e9f2b0e919214ffe038032316819d81e938638c8ab07398b50cf
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Mirai

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584002
Start date and time:	2025-01-04 02:22:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	bot.x86.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/0@16/0

Runtime Messages

Command:	/tmp/bot.x86.elf
PID:	6238
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

bot.x86.elf (PID: 6238, Parent: 6163, MD5: a1dd69ef6e61882be9f64655205ce00f) Arguments: /tmp/bot.x86.elf

bot.x86.elf New Fork (PID: 6239, Parent: 6238)

bot.x86.elf New Fork (PID: 6240, Parent: 6239)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bot.x86.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
bot.x86.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
bot.x86.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
bot.x86.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1077c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1081c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1086c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10880:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10894:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
bot.x86.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x105e4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
bot.x86.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4040:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
bot.x86.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x93a5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
bot.x86.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
bot.x86.elf	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
bot.x86.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc378:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
bot.x86.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xac19:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
bot.x86.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6238.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6238.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
6238.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1077c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1081c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1086c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10880:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10894:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x105e4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4040:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x93a5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc378:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xac19:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6238.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: bot.x86.elf PID: 6238	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: bot.x86.elf PID: 6238	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: bot.x86.elf PID: 6238	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: bot.x86.elf PID: 6238	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xde6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdfa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xeae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xec2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xed6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xeea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xefe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf12:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf26:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf3a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf4e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf62:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf76:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: bot.x86.elf PID: 6238	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xcd0:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 12 entries

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T02:22:47.644018+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60648	89.169.4.44	47925	TCP
2025-01-04T02:22:51.401367+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60650	89.169.4.44	47925	TCP
2025-01-04T02:23:03.168552+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60652	89.169.4.44	47925	TCP
2025-01-04T02:23:13.910709+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60654	89.169.4.44	47925	TCP
2025-01-04T02:23:20.648690+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60656	89.169.4.44	47925	TCP
2025-01-04T02:23:29.399000+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60658	89.169.4.44	47925	TCP
2025-01-04T02:23:41.152330+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60660	89.169.4.44	47925	TCP
2025-01-04T02:23:46.898439+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60662	89.169.4.44	47925	TCP
2025-01-04T02:23:50.763107+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60664	89.169.4.44	47925	TCP
2025-01-04T02:24:00.505985+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60666	89.169.4.44	47925	TCP
2025-01-04T02:24:09.241179+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60668	89.169.4.44	47925	TCP
2025-01-04T02:24:16.975757+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60670	89.169.4.44	47925	TCP
2025-01-04T02:24:19.713364+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60672	89.169.4.44	47925	TCP
2025-01-04T02:24:29.461466+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60674	89.169.4.44	47925	TCP
2025-01-04T02:24:39.231194+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60676	89.169.4.44	47925	TCP
2025-01-04T02:24:48.974428+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	60678	89.169.4.44	47925	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bot.x86.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: bot.x86.elf	Virustotal: Detection: 64%			Perma Link
Source: bot.x86.elf	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: bot.x86.elf

Joe Sandbox ML: detected

Source: bot.x86.elf

String: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60678 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60648 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60652 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60654 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60650 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60672 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60664 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60676 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60674 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60656 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60658 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60662 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60668 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60666 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60660 -> 89.169.4.44:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:60670 -> 89.169.4.44:47925

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 89.169.4.44 ports 47925,2,4,5,7,9

Source: global traffic

TCP traffic: 192.168.2.23:60648 -> 89.169.4.44:47925

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic

DNS traffic detected: DNS query: seyfhg.work.gd

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/0@16/0

Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/6240/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/6239/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/4507/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1477/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/379/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1476/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/4500/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/4502/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/4504/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/2208/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 6240)	File opened: /proc/35/cmdline	Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Mirai

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 6238, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bot.x86.elf	64%	Virustotal		Browse
bot.x86.elf	68%	ReversingLabs	Linux.Backdoor.Mirai
bot.x86.elf	100%	Avira	EXP/ELF.Mirai.Z.A
bot.x86.elf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
seyfhg.work.gd	89.169.4.44	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
89.169.4.44	seyfhg.work.gd	Russian Federation	31514	INF-NET-ASRU	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
89.169.4.44	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	Space.mpsl.elf	Get hash	malicious	Mirai	Browse
	Space.ppc.elf	Get hash	malicious	Mirai	Browse
	Space.arm7.elf	Get hash	malicious	Mirai	Browse
91.189.91.43	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	185.232.205.45-boatnet.arm-2025-01-03T23_59_46.elf	Get hash	malicious	Mirai	Browse
	185.232.205.45-boatnet.mpsl-2025-01-03T23_59_46.elf	Get hash	malicious	Mirai	Browse
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse
	91.188.254.21-mips-2024-12-27T14_00_54.elf	Get hash	malicious	Unknown	Browse
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Mirai	Browse
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
seyfhg.work.gd	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	89.169.4.44
	bot.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	89.169.4.44
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	89.169.4.44

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	185.232.205.45-boatnet.arm-2025-01-03T23_59_46.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	185.232.205.45-boatnet.mips-2025-01-03T23_59_45.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	185.232.205.45-boatnet.mpsl-2025-01-03T23_59_46.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	185.232.205.45-boatnet.m68k-2025-01-03T23_59_48.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	154.216.18.23-boatnet.arm-2025-01-03T11_40_59.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	91.188.254.21-mips-2024-12-27T14_00_54.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
INF-NET-ASRU	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.169.4.44
	downloaded_exe.exe	Get hash	malicious	RHADAMANTHYS	Browse	5.35.36.120
	Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk	Get hash	malicious	RHADAMANTHYS	Browse	5.35.36.120
	main.exe	Get hash	malicious	RHADAMANTHYS	Browse	5.35.36.120
INIT7CH	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	185.232.205.45-boatnet.arm-2025-01-03T23_59_46.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	185.232.205.45-boatnet.mpsl-2025-01-03T23_59_46.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	91.188.254.21-mips-2024-12-27T14_00_54.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Mozi.m.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.77220580654577
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	bot.x86.elf
File size:	93'768 bytes
MD5:	a1dd69ef6e61882be9f64655205ce00f
SHA1:	d65112d59513e52804ec23a8d760c924c8d9c640
SHA256:	904a4a5c2dd5e9f2b0e919214ffe038032316819d81e938638c8ab07398b50cf
SHA512:	7a13381e7b9e2f3f0fedfb4ea538900a9d8e0135b58902d9328731733aaa35ce2196491284a45574613bcdfff3c9488771fe34aa07d6d3b313253c3987972fb6
SSDEEP:	1536:oFd1IRgCXUzx7t0fMqlHgQEiyhcg+7ju72wPZnWhZS5xtY+g:oFdmR9XUzxh0fMgHgQEimEjLAdew5bg
TLSH:	C4936BC4F243E5F1EC5709B16137EB374B32F0BA111AEA43C7699972DCA2541DA06B9C
File Content Preview:	.ELF....................d...4....l......4. ...(......................$...$...............$...........G..8...........Q.td............................U..S.......o4...h....c...[]...$.............U......=.....t..5....$......$.......u........t....h............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	93368
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xfe86	0x0	0x6	AX	16
.fini	PROGBITS	0x8057f36	0xff36	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8057f60	0xff60	0x2590	0x0	0x2	A	32
.ctors	PROGBITS	0x805b4f4	0x124f4	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x805b500	0x12500	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805b520	0x12520	0x4758	0x0	0x3	WA	32
.bss	NOBITS	0x805fc80	0x16c78	0x49ac	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x16c78	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x124f0	0x124f0	6.6050	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x124f4	0x805b4f4	0x805b4f4	0x4784	0x9138	0.3642	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-04T02:22:47.644018+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60648	89.169.4.44	47925	TCP
2025-01-04T02:22:51.401367+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60650	89.169.4.44	47925	TCP
2025-01-04T02:23:03.168552+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60652	89.169.4.44	47925	TCP
2025-01-04T02:23:13.910709+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60654	89.169.4.44	47925	TCP
2025-01-04T02:23:20.648690+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60656	89.169.4.44	47925	TCP
2025-01-04T02:23:29.399000+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60658	89.169.4.44	47925	TCP
2025-01-04T02:23:41.152330+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60660	89.169.4.44	47925	TCP
2025-01-04T02:23:46.898439+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60662	89.169.4.44	47925	TCP
2025-01-04T02:23:50.763107+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60664	89.169.4.44	47925	TCP
2025-01-04T02:24:00.505985+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60666	89.169.4.44	47925	TCP
2025-01-04T02:24:09.241179+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60668	89.169.4.44	47925	TCP
2025-01-04T02:24:16.975757+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60670	89.169.4.44	47925	TCP
2025-01-04T02:24:19.713364+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60672	89.169.4.44	47925	TCP
2025-01-04T02:24:29.461466+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60674	89.169.4.44	47925	TCP
2025-01-04T02:24:39.231194+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60676	89.169.4.44	47925	TCP
2025-01-04T02:24:48.974428+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	60678	89.169.4.44	47925	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 02:22:47.639082909 CET	60648	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:47.643953085 CET	47925	60648	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:47.644001961 CET	60648	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:47.644017935 CET	60648	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:47.648873091 CET	47925	60648	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:49.387691021 CET	47925	60648	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:49.387801886 CET	60648	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:49.392616034 CET	47925	60648	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:50.388900995 CET	43928	443	192.168.2.23	91.189.91.42
Jan 4, 2025 02:22:51.396459103 CET	60650	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:51.401271105 CET	47925	60650	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:51.401350021 CET	60650	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:51.401366949 CET	60650	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:51.406124115 CET	47925	60650	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:53.157037973 CET	47925	60650	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:53.157138109 CET	60650	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:22:53.162038088 CET	47925	60650	89.169.4.44	192.168.2.23
Jan 4, 2025 02:22:56.020163059 CET	42836	443	192.168.2.23	91.189.91.43
Jan 4, 2025 02:22:57.555932999 CET	42516	80	192.168.2.23	109.202.202.202
Jan 4, 2025 02:23:03.163605928 CET	60652	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:03.168473005 CET	47925	60652	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:03.168529034 CET	60652	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:03.168551922 CET	60652	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:03.173351049 CET	47925	60652	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:04.898114920 CET	47925	60652	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:04.898268938 CET	60652	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:04.903100967 CET	47925	60652	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:10.354134083 CET	43928	443	192.168.2.23	91.189.91.42
Jan 4, 2025 02:23:13.905771971 CET	60654	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:13.910624027 CET	47925	60654	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:13.910682917 CET	60654	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:13.910708904 CET	60654	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:13.915540934 CET	47925	60654	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:15.636121988 CET	47925	60654	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:15.636356115 CET	60654	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:15.641163111 CET	47925	60654	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:20.643713951 CET	60656	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:20.648576021 CET	47925	60656	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:20.648653030 CET	60656	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:20.648689985 CET	60656	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:20.653477907 CET	47925	60656	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:22.386001110 CET	47925	60656	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:22.386265039 CET	60656	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:22.391129971 CET	47925	60656	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:22.640501022 CET	42836	443	192.168.2.23	91.189.91.43
Jan 4, 2025 02:23:28.783602953 CET	42516	80	192.168.2.23	109.202.202.202
Jan 4, 2025 02:23:29.394161940 CET	60658	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:29.398907900 CET	47925	60658	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:29.398987055 CET	60658	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:29.398999929 CET	60658	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:29.403796911 CET	47925	60658	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:31.140343904 CET	47925	60658	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:31.140508890 CET	60658	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:31.145394087 CET	47925	60658	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:41.147484064 CET	60660	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:41.152261972 CET	47925	60660	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:41.152314901 CET	60660	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:41.152329922 CET	60660	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:41.157157898 CET	47925	60660	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:42.885814905 CET	47925	60660	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:42.886053085 CET	60660	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:42.890893936 CET	47925	60660	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:46.893465042 CET	60662	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:46.898324013 CET	47925	60662	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:46.898381948 CET	60662	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:46.898438931 CET	60662	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:46.903256893 CET	47925	60662	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:48.637757063 CET	47925	60662	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:48.637917995 CET	60662	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:48.642781019 CET	47925	60662	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:50.758198023 CET	60664	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:50.762999058 CET	47925	60664	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:50.763062954 CET	60664	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:50.763107061 CET	60664	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:50.767873049 CET	47925	60664	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:51.308473110 CET	43928	443	192.168.2.23	91.189.91.42
Jan 4, 2025 02:23:52.493573904 CET	47925	60664	89.169.4.44	192.168.2.23
Jan 4, 2025 02:23:52.493748903 CET	60664	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:23:52.498529911 CET	47925	60664	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:00.501069069 CET	60666	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:00.505892992 CET	47925	60666	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:00.505970955 CET	60666	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:00.505985022 CET	60666	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:00.510798931 CET	47925	60666	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:02.229165077 CET	47925	60666	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:02.229252100 CET	60666	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:02.234070063 CET	47925	60666	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:09.236203909 CET	60668	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:09.241079092 CET	47925	60668	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:09.241178989 CET	60668	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:09.241178989 CET	60668	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:09.245965004 CET	47925	60668	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:10.962368011 CET	47925	60668	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:10.962502956 CET	60668	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:10.967322111 CET	47925	60668	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:16.970758915 CET	60670	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:16.975650072 CET	47925	60670	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:16.975708961 CET	60670	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:16.975756884 CET	60670	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:16.980554104 CET	47925	60670	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:18.699841976 CET	47925	60670	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:18.700067043 CET	60670	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:18.704828978 CET	47925	60670	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:19.708529949 CET	60672	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:19.713289022 CET	47925	60672	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:19.713346958 CET	60672	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:19.713363886 CET	60672	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:19.718202114 CET	47925	60672	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:21.448937893 CET	47925	60672	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:21.449163914 CET	60672	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:21.454011917 CET	47925	60672	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:29.456604958 CET	60674	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:29.461395025 CET	47925	60674	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:29.461447954 CET	60674	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:29.461466074 CET	60674	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:29.466316938 CET	47925	60674	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:31.218897104 CET	47925	60674	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:31.219019890 CET	60674	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:31.223866940 CET	47925	60674	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:39.226309061 CET	60676	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:39.231123924 CET	47925	60676	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:39.231179953 CET	60676	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:39.231194019 CET	60676	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:39.235972881 CET	47925	60676	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:40.962235928 CET	47925	60676	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:40.962347984 CET	60676	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:40.967171907 CET	47925	60676	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:48.969441891 CET	60678	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:48.974349022 CET	47925	60678	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:48.974401951 CET	60678	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:48.974427938 CET	60678	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:48.979238987 CET	47925	60678	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:50.698307991 CET	47925	60678	89.169.4.44	192.168.2.23
Jan 4, 2025 02:24:50.698431969 CET	60678	47925	192.168.2.23	89.169.4.44
Jan 4, 2025 02:24:50.703285933 CET	47925	60678	89.169.4.44	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 02:22:47.631731987 CET	48535	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:22:47.639007092 CET	53	48535	8.8.8.8	192.168.2.23
Jan 4, 2025 02:22:51.389561892 CET	38336	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:22:51.396375895 CET	53	38336	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:03.156910896 CET	35316	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:03.163512945 CET	53	35316	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:13.898441076 CET	43538	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:13.905663967 CET	53	43538	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:20.637068033 CET	41345	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:20.643627882 CET	53	41345	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:29.386604071 CET	42908	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:29.394071102 CET	53	42908	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:41.140542984 CET	37272	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:41.147394896 CET	53	37272	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:46.886953115 CET	36771	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:46.893326998 CET	53	36771	8.8.8.8	192.168.2.23
Jan 4, 2025 02:23:50.639139891 CET	36374	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:23:50.758044004 CET	53	36374	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:00.493999958 CET	45797	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:00.500979900 CET	53	45797	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:09.229507923 CET	60519	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:09.236113071 CET	53	60519	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:16.963181973 CET	39596	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:16.970614910 CET	53	39596	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:19.700896978 CET	38347	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:19.708430052 CET	53	38347	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:29.449428082 CET	53792	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:29.456520081 CET	53	53792	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:39.219327927 CET	33202	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:39.226207018 CET	53	33202	8.8.8.8	192.168.2.23
Jan 4, 2025 02:24:48.962434053 CET	35572	53	192.168.2.23	8.8.8.8
Jan 4, 2025 02:24:48.969351053 CET	53	35572	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2025 02:22:47.631731987 CET	192.168.2.23	8.8.8.8	0x4752	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:22:51.389561892 CET	192.168.2.23	8.8.8.8	0x915e	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:03.156910896 CET	192.168.2.23	8.8.8.8	0x5dfb	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:13.898441076 CET	192.168.2.23	8.8.8.8	0x15d4	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:20.637068033 CET	192.168.2.23	8.8.8.8	0xf436	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:29.386604071 CET	192.168.2.23	8.8.8.8	0xc9b7	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:41.140542984 CET	192.168.2.23	8.8.8.8	0x104	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:46.886953115 CET	192.168.2.23	8.8.8.8	0xbf0c	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:50.639139891 CET	192.168.2.23	8.8.8.8	0x6d44	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:00.493999958 CET	192.168.2.23	8.8.8.8	0xbc1	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:09.229507923 CET	192.168.2.23	8.8.8.8	0x410d	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:16.963181973 CET	192.168.2.23	8.8.8.8	0xfc88	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:19.700896978 CET	192.168.2.23	8.8.8.8	0xaa63	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:29.449428082 CET	192.168.2.23	8.8.8.8	0xd52	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:39.219327927 CET	192.168.2.23	8.8.8.8	0x5bff	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:48.962434053 CET	192.168.2.23	8.8.8.8	0xb784	Standard query (0)	seyfhg.work.gd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 4, 2025 02:22:47.639007092 CET	8.8.8.8	192.168.2.23	0x4752	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:22:51.396375895 CET	8.8.8.8	192.168.2.23	0x915e	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:03.163512945 CET	8.8.8.8	192.168.2.23	0x5dfb	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:13.905663967 CET	8.8.8.8	192.168.2.23	0x15d4	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:20.643627882 CET	8.8.8.8	192.168.2.23	0xf436	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:29.394071102 CET	8.8.8.8	192.168.2.23	0xc9b7	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:41.147394896 CET	8.8.8.8	192.168.2.23	0x104	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:46.893326998 CET	8.8.8.8	192.168.2.23	0xbf0c	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:23:50.758044004 CET	8.8.8.8	192.168.2.23	0x6d44	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:00.500979900 CET	8.8.8.8	192.168.2.23	0xbc1	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:09.236113071 CET	8.8.8.8	192.168.2.23	0x410d	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:16.970614910 CET	8.8.8.8	192.168.2.23	0xfc88	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:19.708430052 CET	8.8.8.8	192.168.2.23	0xaa63	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:29.456520081 CET	8.8.8.8	192.168.2.23	0xd52	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:39.226207018 CET	8.8.8.8	192.168.2.23	0x5bff	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false
Jan 4, 2025 02:24:48.969351053 CET	8.8.8.8	192.168.2.23	0xb784	No error (0)	seyfhg.work.gd	89.169.4.44	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: bot.x86.elf PID: 6238, Parent PID: 6163

General

Start time (UTC):	01:22:46
Start date (UTC):	04/01/2025
Path:	/tmp/bot.x86.elf
Arguments:	/tmp/bot.x86.elf
File size:	93768 bytes
MD5 hash:	a1dd69ef6e61882be9f64655205ce00f

Start time (UTC):	01:22:46
Start date (UTC):	04/01/2025
Path:	/tmp/bot.x86.elf
Arguments:	-
File size:	93768 bytes
MD5 hash:	a1dd69ef6e61882be9f64655205ce00f

Start time (UTC):	01:22:46
Start date (UTC):	04/01/2025
Path:	/tmp/bot.x86.elf
Arguments:	-
File size:	93768 bytes
MD5 hash:	a1dd69ef6e61882be9f64655205ce00f

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report bot.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: bot.x86.elf PID: 6238, Parent PID: 6163

General

Chronological Activities

Analysis Process: bot.x86.elf PID: 6239, Parent PID: 6238

General

Chronological Activities

Analysis Process: bot.x86.elf PID: 6240, Parent PID: 6239

General

Chronological Activities

Linux Analysis Report
bot.x86.elf