Edit tour

Linux Analysis Report
dlr.mpsl.elf

Overview

General Information

Sample name:	dlr.mpsl.elf
Analysis ID:	1586103
MD5:	bcd78981c1474e8a11b1ad5d5e93dd10
SHA1:	9d3dbeed8388fab8fb12a440cf2e8d811ec87872
SHA256:	061c6c1a2ff31f6d639592c9c881e9ce1a10926c1850e3bc1a82c5ae468ae931
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus detection for dropped file

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586103
Start date and time:	2025-01-08 18:02:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dlr.mpsl.elf
Detection:	MAL
Classification:	mal48.linELF@0/1@0/0

Warnings

Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: dlr.mpsl.elf

Runtime Messages

Command:	/tmp/dlr.mpsl.elf
PID:	5429
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	AAA BAH
Standard Error:

Process Tree

system is lnxubuntu20

dlr.mpsl.elf (PID: 5429, Parent: 5354, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/dlr.mpsl.elf

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: /tmp/345

Avira: detection malicious, Label: EXP/ELF.Mirai.Hua.a

Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100
Source: unknown	TCP traffic detected without corresponding DNS query: 103.136.41.100

Source: global traffic

HTTP traffic detected: GET /2 HTTP/1.1Host: 127.0.0.1Connection: closeUser-Agent: wget (dlr)

Source: 345.12.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 345.12.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/1@0/0

Source: /tmp/dlr.mpsl.elf (PID: 5429)

File written: /tmp/345

Jump to dropped file

Source: /tmp/dlr.mpsl.elf (PID: 5429)

Queries kernel information via 'uname':

Jump to behavior

Source: dlr.mpsl.elf, 5429.1.0000555f7897d000.0000555f78a04000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: dlr.mpsl.elf, 5429.1.0000555f7897d000.0000555f78a04000.rw-.sdmp	Binary or memory string: x_U!/etc/qemu-binfmt/mipsel
Source: dlr.mpsl.elf, 5429.1.00007fffc2f46000.00007fffc2f67000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/dlr.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dlr.mpsl.elf
Source: dlr.mpsl.elf, 5429.1.00007fffc2f46000.00007fffc2f67000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dlr.mpsl.elf	3%	ReversingLabs	Linux.Downloader.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
/tmp/345	100%	Avira	EXP/ELF.Mirai.Hua.a

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1/2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://127.0.0.1/2	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/soap/encoding/	345.12.dr	false		high
http://schemas.xmlsoap.org/soap/envelope/	345.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.136.41.100	unknown	India		139884	AGPL-AS-APApeironGlobalPvtLtdIN	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.136.41.100	qkOFMWXZmr	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AGPL-AS-APApeironGlobalPvtLtdIN	2461ACFA271F7D477CA53ABE428D6ADDE1F285E115F18.exe	Get hash	malicious	FFDroider	Browse	103.136.41.162
	wYWdigdSjn.exe	Get hash	malicious	Neshta	Browse	103.136.42.153
	38b2c7a1af454d382927f81543d86055886bc02863457.exe	Get hash	malicious	Unknown	Browse	103.136.42.153
	l39HA25qjw.exe	Get hash	malicious	ManusCrypt, Socelars	Browse	103.136.42.153
	SecuriteInfo.com.Win32.Malware-gen.30674.exe	Get hash	malicious	Unknown	Browse	103.136.42.153
	file.exe	Get hash	malicious	FFDroider	Browse	103.136.42.153
	qkOFMWXZmr	Get hash	malicious	Unknown	Browse	103.136.41.100
	njE4JoXEp6	Get hash	malicious	Unknown	Browse	103.136.41.110
	qICLEK5VRO	Get hash	malicious	Unknown	Browse	103.136.41.110
	qaE0C9rclb	Get hash	malicious	Unknown	Browse	103.136.41.110

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/345

Download File

Process:	/tmp/dlr.mpsl.elf
File Type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	104176
Entropy (8bit):	5.530002614237804
Encrypted:	false
SSDEEP:	1536:CsKiAkifLt/sGgxKYbaKO3rYcaYGgikBNPYnj06e0Qo8jb:CsKiAkizRsGSKYbqYMd
MD5:	90D45B5ED746C7F1624D0461562C33A6
SHA1:	F339F2356808C11BD29EEC24F743AB29E4B8A16B
SHA-256:	50BF892BF688AED713FFD21B3CAC7A2A35E543CDAC3CC0B083EFB47C14E03794
SHA-512:	C02575EF1463A00FF62F4A5FBD331FF6D562E42E3E767F74D3CF821015C8D9046F1A5A3DC2DAD754F51958C2535AD8EF726EC0FC8D29650FD6D8BA821A23819F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	.ELF....................p.@.4...........4. ...(...............@...@.`...`...............`...`.E.`.E.....83..........Q.td...............................<...'!......'.......................<h..'!.............9'.. ........................<8..'!... ........q9'.. ......................... ..'...<...'!......' .......................@.".......@.......................Y....... ...B$.. ...............Y....... ...B$..........@....$.............. .`..$.......$@.". ...............(..'...<D..'!......'........h.........@.............h...`..$.. .D..$................t.........@.....\|......... .t..$...... . ..'............ ..'........!..............<...'!...!............'...$$.....'.................................. ............................<@..'!......'............................Y.@.! ......!(.... ....$........_.@............&!(.... ....$ .......d.@......... ..&!(.... ....$0.......i.@.........0..&!(.... ....$@.......n.@.........@..&!(.... ....$P.......s.@.........P..&!(.... ....$`.......x.@.....

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	4.567140512903918
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	dlr.mpsl.elf
File size:	11'676 bytes
MD5:	bcd78981c1474e8a11b1ad5d5e93dd10
SHA1:	9d3dbeed8388fab8fb12a440cf2e8d811ec87872
SHA256:	061c6c1a2ff31f6d639592c9c881e9ce1a10926c1850e3bc1a82c5ae468ae931
SHA512:	62a4c302e774a1f045d70cb8ecf427d70ba76e655a568da2015f6c4e67ab0f566c9fb144fd7a28246a987a08962ddbda8f39ee682f6586ee4dcbe70ca8109ad7
SSDEEP:	192:AUcdBx/gWJSAZZlMB2vb2Xi24ex0PJfAXJO4X4Cjf+rgzb:tcPx/gWrRMBhXi24ex0lmJO4X4CzK6
TLSH:	4232300BAF60DD37DC5FDC7305EA8B1024CDE8676164271A3130EAAC7A1B9874AD3DA4
File Content Preview:	.ELF......................@.4....*......4. ...(........p......@...@...........................@...@...................... ... D.. D.....P...........Q.td..................................................D....<...'!......'.......................<...'!......

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4002b0
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	10916
Section Header Size:	40
Number of Section Headers:	19
Header String Table Index:	18

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.reginfo	MIPS_REGINFO	0x4000b4	0xb4	0x18	0x18	0x2	A	4
.init	PROGBITS	0x4000cc	0xcc	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400160	0x160	0x1bc0	0x0	0x6	AX	16
.fini	PROGBITS	0x401d20	0x1d20	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x401d80	0x1d80	0x22c	0x0	0x2	A	16
.eh_frame	PROGBITS	0x442000	0x2000	0x4	0x0	0x3	WA	4
.ctors	PROGBITS	0x442004	0x2004	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x44200c	0x200c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x442014	0x2014	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x442020	0x2020	0x70	0x0	0x3	WA	16
.got	PROGBITS	0x442090	0x2090	0x140	0x4	0x10000003	WAp	16
.sdata	PROGBITS	0x4421d0	0x21d0	0x4	0x0	0x10000003	WAp	4
.sbss	NOBITS	0x4421d4	0x21d4	0x8	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4421e0	0x21d4	0x70	0x0	0x3	WA	16
.comment	PROGBITS	0x0	0x21d4	0x20a	0x0	0x0		1
.mdebug.abi32	PROGBITS	0x20a	0x23de	0x0	0x0	0x0		1
.pdr	PROGBITS	0x0	0x23e0	0x640	0x0	0x0		4
.shstrtab	STRTAB	0x0	0x2a20	0x84	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
<unknown>	0xb4	0x4000b4	0x4000b4	0x18	0x18	0.9834	0x4	R	0x4	.reginfo
LOAD	0x0	0x400000	0x400000	0x1fac	0x1fac	4.8942	0x5	R E	0x10000	.reginfo .init .text .fini .rodata
LOAD	0x2000	0x442000	0x442000	0x1d4	0x250	3.0045	0x6	RW	0x10000	.eh_frame .ctors .dtors .jcr .data .got .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 18:02:48.109560013 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.115320921 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.115411997 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.116590977 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.121346951 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734803915 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734827995 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734842062 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734855890 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734869003 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734880924 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734894991 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734908104 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734920025 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734937906 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.734942913 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.734942913 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.734942913 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.734983921 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.734983921 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.739882946 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.739923000 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.739939928 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.739953041 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.739974022 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.739974022 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.826381922 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.826397896 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.826410055 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.826423883 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.826436043 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.826450109 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.826459885 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.826482058 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.826482058 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.826482058 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.826503038 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.829428911 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829442024 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829454899 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829467058 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829468966 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.829468966 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.829479933 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829483986 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.829490900 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829505920 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829516888 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829535007 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829581022 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829593897 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829605103 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829615116 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829627991 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829639912 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829652071 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.829672098 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.830837011 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.831995964 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.875235081 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.916412115 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.916429043 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.916441917 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.916503906 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.916527033 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.916539907 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.916551113 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917002916 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917018890 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917177916 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917191029 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917203903 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917325974 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917339087 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.917351961 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918267012 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918286085 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918298960 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918312073 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918323994 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918438911 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.918811083 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.919270039 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.919281960 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.919294119 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.919307947 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.919326067 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.919337988 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920157909 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920171022 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920181990 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920193911 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920306921 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920320034 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.920752048 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.921089888 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.921103001 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.921120882 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.921232939 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.921247959 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.921261072 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.921896935 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922082901 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922094107 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922103882 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922115088 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922126055 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922651052 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.922979116 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.922991037 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.923002005 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:48.924566984 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:48.994158983 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:49.006681919 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006697893 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006716013 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006727934 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006737947 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006812096 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006824970 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006836891 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.006917953 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:49.006922007 CET	80	50808	103.136.41.100	192.168.2.13
Jan 8, 2025 18:02:49.032464981 CET	50808	80	192.168.2.13	103.136.41.100
Jan 8, 2025 18:02:49.037261963 CET	80	50808	103.136.41.100	192.168.2.13

HTTP Request Dependency Graph

127.0.0.1

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.13	50808	103.136.41.100	80

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 18:02:48.116590977 CET	91	OUT	GET /2 HTTP/1.1 Host: 127.0.0.1 Connection: close User-Agent: wget (dlr)
Jan 8, 2025 18:02:48.734803915 CET	1236	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 104176 Content-Type: application/octet-stream Last-Modified: Wed, 08 Jan 2025 16:59:29 GMT Date: Wed, 08 Jan 2025 17:02:48 GMT Connection: close Data Raw: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 08 00 01 00 00 00 70 02 40 00 34 00 00 00 98 94 01 00 07 10 00 00 34 00 20 00 03 00 28 00 0f 00 0e 00 01 00 00 00 00 00 00 00 00 00 40 00 00 00 40 00 60 8a 01 00 60 8a 01 00 05 00 00 00 00 00 01 00 01 00 00 00 60 8a 01 00 60 8a 45 00 60 8a 45 00 c8 09 00 00 38 33 00 00 06 00 00 00 00 00 01 00 51 e5 74 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 04 00 00 00 06 00 1c 3c 8c 0e 9c 27 21 e0 99 03 e0 ff bd 27 10 00 bc af 1c 00 bf af 18 00 bc af 01 00 11 04 00 00 00 00 06 00 1c 3c 68 0e 9c 27 21 e0 9f 03 1c 80 99 8f 00 00 00 00 dc 01 39 27 09 f8 20 03 00 00 00 00 10 00 bc 8f 00 00 00 00 01 00 11 04 00 00 00 00 06 00 1c 3c 38 0e 9c 27 21 e0 9f 03 20 80 99 8f 00 00 00 00 90 71 39 27 09 f8 20 03 00 00 00 00 10 00 bc 8f 00 00 00 00 1c 00 bf 8f 00 00 00 00 08 00 e0 03 20 00 bd 27 06 00 1c 3c 00 0e 9c 27 21 e0 99 03 d8 ff bd 27 20 00 bf af 1c 00 b1 af 18 00 b0 af 10 00 bc af 18 80 91 8f 00 00 00 00 40 94 22 92 00 00 00 00 1d 00 [TRUNCATED] Data Ascii: ELFp@44 (@@````E`E83Qtd<'!'<h'!9' <8'! q9' '<'!' @"@Y B$ Y B$@$ `$$@" ('<D'!'h@h`$ D$t@\| t$ ' '!<'!!'$$' <@'!'Y@! !( $_@&!( $ d@ &!( $0i@0&!( $@n@@&!( $Ps@P&!( $`x@`&!( [TRUNCATED]
Jan 8, 2025 18:02:48.734827995 CET	1236	IN	Data Raw: 00 06 24 70 00 02 8e 10 00 bc 8f 7d 00 40 14 00 00 00 00 04 84 99 8f 70 00 04 26 21 28 00 00 09 f8 20 03 10 00 06 24 80 00 02 8e 10 00 bc 8f 82 00 40 14 00 00 00 00 04 84 99 8f 80 00 04 26 21 28 00 00 09 f8 20 03 10 00 06 24 90 00 02 8e 10 00 bc Data Ascii: $p}@p&!( $@&!( $@&!($ ' $! !( $@ $&!( $ @$
Jan 8, 2025 18:02:48.734842062 CET	1203	IN	Data Raw: 00 40 10 00 00 00 00 20 00 02 8e 00 00 00 00 58 00 40 10 00 00 00 00 30 00 02 8e 00 00 00 00 56 00 40 10 00 00 00 00 40 00 02 8e 00 00 00 00 54 00 40 10 00 00 00 00 50 00 02 8e 00 00 00 00 52 00 40 10 00 00 00 00 60 00 02 8e 00 00 00 00 37 00 40 Data Ascii: @ X@0V@@T@PR@`7@p4@$0@$,@$0,($ 8'( !@$b0`L !
Jan 8, 2025 18:02:48.734855890 CET	1236	IN	Data Raw: d5 ff 00 12 fe ff a3 26 01 00 22 92 d2 ff 60 10 04 00 82 a2 02 00 30 92 fd ff b5 26 2a 10 b0 02 cd ff 40 14 03 00 32 26 f4 82 99 8f 00 00 00 00 38 00 b9 af e8 83 99 8f 08 00 82 26 21 88 80 02 21 f0 00 00 34 00 b9 af 0c 00 00 10 28 00 a2 af c1 ff Data Ascii: &"`0&@2&8&!!4(b"p@4& $"(! @8"&!(@!0 ('# !$r$$<'!'$
Jan 8, 2025 18:02:48.734869003 CET	1236	IN	Data Raw: 09 f8 20 03 01 00 04 24 10 00 bc 8f 00 00 05 92 8c 81 83 8f 3c 83 99 8f 21 88 40 00 00 00 44 8e 05 00 02 24 01 00 a5 24 00 00 23 ae 04 00 22 a2 09 f8 20 03 80 28 05 00 00 00 04 92 10 00 bc 8f 80 18 04 00 e8 83 99 8f 21 18 62 00 01 00 84 24 00 00 Data Ascii: $<!@D$$#" (!b$qB$ $<!@D$$#" (!b$qB$ $\!@<D$$#"
Jan 8, 2025 18:02:48.734880924 CET	1236	IN	Data Raw: 00 00 70 8c 0f ff 03 24 00 00 02 8e 14 00 11 26 24 10 43 00 40 00 42 34 f0 ff 03 24 24 10 43 00 05 00 42 34 ff ff 03 24 00 00 02 ae 04 00 03 a6 00 40 02 24 40 00 03 24 02 00 02 a6 06 00 03 a6 42 01 a0 12 01 00 00 a2 06 00 02 24 09 00 02 a2 08 00 Data Ascii: p$&$C@B4$$CB4$@$@$B$ @#C!FC"$$C%G$$C$%H$C$%I$C$%J$C$%K$C%L" 4
Jan 8, 2025 18:02:48.734894991 CET	1236	IN	Data Raw: 21 20 60 02 21 28 80 02 00 2c 06 24 2c 00 07 24 09 f8 20 03 10 00 80 a6 20 00 a3 8f 02 00 85 96 40 21 03 00 c0 18 03 00 23 20 83 00 14 01 a3 8f 18 00 bc 8f 21 20 83 00 10 00 82 a6 c4 00 b9 8f 02 00 85 a4 10 00 02 24 10 00 a4 af 9c 00 a4 8f 14 00 Data Ascii: ! `!(,$,$ @!# ! $!(`@$ @$ d$*@ !@ B<4D# CB !d@!# #DdB$U0d
Jan 8, 2025 18:02:48.734908104 CET	388	IN	Data Raw: 25 b0 65 00 44 00 a4 af 48 00 a6 af 4c 00 a7 af 50 00 a8 af 54 00 a9 af 58 00 aa af 5c 00 ab af 21 80 00 00 80 00 04 24 21 c8 e0 02 09 f8 20 03 01 00 05 24 20 00 a5 8f 40 00 a4 8f 40 00 ac 8f 80 18 10 00 21 18 64 00 80 20 05 00 18 00 bc 8f 21 20 Data Ascii: %eDHLPTX\!$! $ @@!d ! b$$$F@B4$CB4$@$(@!(# ! $<$D@$&"H$F$B4$CL
Jan 8, 2025 18:02:48.734920025 CET	1236	IN	Data Raw: 04 00 13 24 18 00 bc 8f 0e 00 23 a6 28 00 12 a2 29 00 13 a2 60 00 b9 8f 00 00 00 00 09 f8 20 03 00 00 00 00 0f 00 42 30 63 05 42 24 ff 00 43 30 00 1a 03 00 02 12 02 00 25 18 62 00 18 00 bc 8f 08 00 02 24 2a 00 03 a6 0a 00 03 24 2f 00 03 a2 2c 00 Data Ascii: $#()` B0cB$C0%b$$/,-.` $0$:9;84 P$` @! ! ! ! ! @#C
Jan 8, 2025 18:02:48.734937906 CET	1236	IN	Data Raw: 21 98 40 00 18 00 bc 8f 21 90 40 00 a4 83 82 8f 80 84 99 8f 00 00 47 8c 21 28 00 02 21 20 20 02 09 f8 20 03 03 00 06 24 18 00 bc 8f 28 00 a2 af 44 84 99 8f 02 00 04 24 03 00 05 24 09 f8 20 03 06 00 06 24 ff ff 10 24 18 00 bc 8f 37 01 50 10 34 00 Data Ascii: !@!@G!(! $(D$$ $$7P4$$4 !($ '%P38<B00, D0 ,0222F03j2K2\"*@3
Jan 8, 2025 18:02:48.739882946 CET	1236	IN	Data Raw: 18 00 bc 8f 21 c8 40 02 09 f8 20 03 02 00 02 a6 18 00 bc 8f 21 c8 40 02 09 f8 20 03 04 00 02 ae 18 00 bc 8f 08 00 02 ae 2c 00 a2 8f 00 00 00 00 af ff 40 10 21 20 20 02 21 c8 40 02 09 f8 20 03 00 00 00 00 18 00 bc 8f a8 ff 00 10 12 00 02 a6 64 81 Data Ascii: !@ !@ ,@! !@ d4 \|xtplhd`'<'!`'\|x0! $! 0

System Behavior

Analysis Process: dlr.mpsl.elf PID: 5429, Parent PID: 5354

General

Start time (UTC):	17:02:46
Start date (UTC):	08/01/2025
Path:	/tmp/dlr.mpsl.elf
Arguments:	/tmp/dlr.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dlr.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/345

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: dlr.mpsl.elf PID: 5429, Parent PID: 5354

General

Chronological Activities

Linux Analysis Report
dlr.mpsl.elf