Edit tour

Linux Analysis Report
Kloki.x86.elf

Overview

General Information

Sample name:	Kloki.x86.elf
Analysis ID:	1586171
MD5:	180781bb607ae6bde186929e3570ef0a
SHA1:	542d17f62e3372e220c4ace15a4480d78b4f4126
SHA256:	76f4346fd91acdf7b9c37ba5738afb215fcc793c02ef46df8a22355fedb91e01
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586171
Start date and time:	2025-01-08 19:46:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.x86.elf
Detection:	MAL
Classification:	mal60.spre.linELF@0/0@1/0

Warnings

VT rate limit hit for: Kloki.x86.elf

Runtime Messages

Command:	/tmp/Kloki.x86.elf
PID:	5828
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

Kloki.x86.elf (PID: 5828, Parent: 5754, MD5: 180781bb607ae6bde186929e3570ef0a) Arguments: /tmp/Kloki.x86.elf

Kloki.x86.elf New Fork (PID: 5829, Parent: 5828)

Kloki.x86.elf New Fork (PID: 5830, Parent: 5829)

Kloki.x86.elf New Fork (PID: 5831, Parent: 5829)

gnome-session-binary New Fork (PID: 5832, Parent: 1498)

sh (PID: 5832, Parent: 1498, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 5832, Parent: 1498, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 5854, Parent: 1498)

sh (PID: 5854, Parent: 1498, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-shell (PID: 5854, Parent: 1498, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 5855, Parent: 1498)

sh (PID: 5855, Parent: 1498, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5855, Parent: 1498, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gnome-session-binary New Fork (PID: 5856, Parent: 1498)

sh (PID: 5856, Parent: 1498, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5856, Parent: 1498, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gdm3 New Fork (PID: 5859, Parent: 1333)

Default (PID: 5859, Parent: 1333, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5860, Parent: 1333)

Default (PID: 5860, Parent: 1333, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 5866, Parent: 1)

systemd-user-runtime-dir (PID: 5866, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Kloki.x86.elf	Linux_Trojan_Mirai_b548632d	unknown	unknown	0x62b9:$a: 00 0B 01 00 00 0E 00 00 00 18 03 00 7F E9 38 32 C9 4D 04 9A

Memory Dumps

Source	Rule	Description	Author	Strings
5830.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4840:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5830.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5828.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4840:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5828.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5828.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9cec:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5828.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x8557:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5828.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
5830.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9cec:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5830.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x8557:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5830.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 5 entries

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 19

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T19:47:27.694222+0100	2500036	2	Misc Attack	83.222.191.90	13566	192.168.2.15	58060	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Kloki.x86.elf

ReversingLabs: Detection: 21%

Source: global traffic	TCP traffic: 192.168.2.15:33866 -> 83.222.248.238:13566
Source: global traffic	TCP traffic: 192.168.2.15:48440 -> 83.222.233.251:13566
Source: global traffic	TCP traffic: 192.168.2.15:34070 -> 83.222.181.63:13566
Source: global traffic	TCP traffic: 192.168.2.15:52784 -> 83.222.153.88:13566
Source: global traffic	TCP traffic: 192.168.2.15:45148 -> 83.222.68.210:13566
Source: global traffic	TCP traffic: 192.168.2.15:47030 -> 83.222.250.174:13566
Source: global traffic	TCP traffic: 192.168.2.15:40580 -> 83.222.98.204:13566
Source: global traffic	TCP traffic: 192.168.2.15:44250 -> 83.222.46.229:13566
Source: global traffic	TCP traffic: 192.168.2.15:43086 -> 83.222.164.65:13566
Source: global traffic	TCP traffic: 192.168.2.15:53218 -> 83.222.133.159:13566
Source: global traffic	TCP traffic: 192.168.2.15:34054 -> 83.222.234.152:13566
Source: global traffic	TCP traffic: 192.168.2.15:38990 -> 83.222.231.59:13566
Source: global traffic	TCP traffic: 192.168.2.15:33442 -> 83.222.165.88:13566
Source: global traffic	TCP traffic: 192.168.2.15:56662 -> 83.222.190.214:13566
Source: global traffic	TCP traffic: 192.168.2.15:59716 -> 83.222.6.47:13566
Source: global traffic	TCP traffic: 192.168.2.15:53406 -> 83.222.171.254:13566
Source: global traffic	TCP traffic: 192.168.2.15:35544 -> 83.222.29.148:13566
Source: global traffic	TCP traffic: 192.168.2.15:41550 -> 83.222.250.210:13566
Source: global traffic	TCP traffic: 192.168.2.15:48744 -> 83.222.212.147:13566
Source: global traffic	TCP traffic: 192.168.2.15:40142 -> 83.222.43.24:13566
Source: global traffic	TCP traffic: 192.168.2.15:54910 -> 83.222.101.37:13566
Source: global traffic	TCP traffic: 192.168.2.15:52830 -> 83.222.199.199:13566
Source: global traffic	TCP traffic: 192.168.2.15:32864 -> 83.222.241.245:13566
Source: global traffic	TCP traffic: 192.168.2.15:47822 -> 83.222.172.149:13566
Source: global traffic	TCP traffic: 192.168.2.15:46546 -> 83.222.55.50:13566
Source: global traffic	TCP traffic: 192.168.2.15:47342 -> 83.222.52.33:13566
Source: global traffic	TCP traffic: 192.168.2.15:55226 -> 83.222.202.242:13566
Source: global traffic	TCP traffic: 192.168.2.15:51280 -> 83.222.247.177:13566
Source: global traffic	TCP traffic: 192.168.2.15:59548 -> 83.222.46.156:13566
Source: global traffic	TCP traffic: 192.168.2.15:41144 -> 83.222.9.52:13566
Source: global traffic	TCP traffic: 192.168.2.15:46988 -> 83.222.203.181:13566
Source: global traffic	TCP traffic: 192.168.2.15:59126 -> 83.222.50.232:13566
Source: global traffic	TCP traffic: 192.168.2.15:35092 -> 83.222.73.44:13566
Source: global traffic	TCP traffic: 192.168.2.15:60010 -> 83.222.191.230:13566
Source: global traffic	TCP traffic: 192.168.2.15:39898 -> 83.222.187.29:13566
Source: global traffic	TCP traffic: 192.168.2.15:57576 -> 83.222.11.253:13566
Source: global traffic	TCP traffic: 192.168.2.15:44316 -> 83.222.54.36:13566
Source: global traffic	TCP traffic: 192.168.2.15:54522 -> 83.222.236.252:13566
Source: global traffic	TCP traffic: 192.168.2.15:45778 -> 83.222.242.152:13566
Source: global traffic	TCP traffic: 192.168.2.15:35794 -> 83.222.145.41:13566
Source: global traffic	TCP traffic: 192.168.2.15:41056 -> 83.222.202.198:13566
Source: global traffic	TCP traffic: 192.168.2.15:54346 -> 83.222.74.148:13566
Source: global traffic	TCP traffic: 192.168.2.15:43454 -> 83.222.184.66:13566
Source: global traffic	TCP traffic: 192.168.2.15:49900 -> 83.222.70.230:13566
Source: global traffic	TCP traffic: 192.168.2.15:45918 -> 83.222.222.79:13566
Source: global traffic	TCP traffic: 192.168.2.15:41408 -> 83.222.26.170:13566
Source: global traffic	TCP traffic: 192.168.2.15:41158 -> 83.222.4.77:13566
Source: global traffic	TCP traffic: 192.168.2.15:53764 -> 83.222.146.78:13566
Source: global traffic	TCP traffic: 192.168.2.15:55242 -> 83.222.121.77:13566
Source: global traffic	TCP traffic: 192.168.2.15:47552 -> 83.222.107.57:13566
Source: global traffic	TCP traffic: 192.168.2.15:37706 -> 83.222.51.161:13566
Source: global traffic	TCP traffic: 192.168.2.15:55974 -> 83.222.93.62:13566
Source: global traffic	TCP traffic: 192.168.2.15:60770 -> 83.222.158.73:13566
Source: global traffic	TCP traffic: 192.168.2.15:54220 -> 83.222.58.145:13566
Source: global traffic	TCP traffic: 192.168.2.15:49172 -> 83.222.226.204:13566
Source: global traffic	TCP traffic: 192.168.2.15:44004 -> 83.222.186.172:13566
Source: global traffic	TCP traffic: 192.168.2.15:47718 -> 83.222.146.5:13566
Source: global traffic	TCP traffic: 192.168.2.15:58000 -> 83.222.65.74:13566
Source: global traffic	TCP traffic: 192.168.2.15:44186 -> 83.222.71.135:13566
Source: global traffic	TCP traffic: 192.168.2.15:43358 -> 83.222.49.37:13566
Source: global traffic	TCP traffic: 192.168.2.15:47042 -> 83.222.214.75:13566
Source: global traffic	TCP traffic: 192.168.2.15:53540 -> 83.222.207.219:13566
Source: global traffic	TCP traffic: 192.168.2.15:42426 -> 83.222.152.98:13566
Source: global traffic	TCP traffic: 192.168.2.15:46994 -> 83.222.41.18:13566
Source: global traffic	TCP traffic: 192.168.2.15:60286 -> 83.222.175.148:13566
Source: global traffic	TCP traffic: 192.168.2.15:59196 -> 83.222.75.227:13566
Source: global traffic	TCP traffic: 192.168.2.15:33894 -> 83.222.54.168:13566
Source: global traffic	TCP traffic: 192.168.2.15:59212 -> 83.222.33.212:13566
Source: global traffic	TCP traffic: 192.168.2.15:41816 -> 83.222.242.92:13566
Source: global traffic	TCP traffic: 192.168.2.15:56660 -> 83.222.101.212:13566
Source: global traffic	TCP traffic: 192.168.2.15:58060 -> 83.222.191.90:13566

Source: Network traffic

Suricata IDS: 2500036 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 19 : 83.222.191.90:13566 -> 192.168.2.15:58060

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.248.238
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.233.251
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.181.63
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.153.88
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.68.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.250.174
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.98.204
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.46.229
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.164.65
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.133.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.234.152
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.231.59
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.165.88
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.190.214
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.6.47
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.171.254
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.250.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.212.147
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.43.24
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.101.37
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.199.199
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.241.245
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.172.149
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.55.50
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.33
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.202.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.247.177
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.46.156
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.9.52
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.203.181
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.50.232
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.73.44
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.191.230
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.187.29
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.11.253
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.54.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.236.252
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.242.152
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.145.41
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.202.198
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.74.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.184.66
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.70.230
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.222.79
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.26.170
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.4.77
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.146.78
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.121.77
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.107.57

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

System Summary

Malicious sample detected (through community Yara rule)

Source: Kloki.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b548632d Author: unknown
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 931, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 933, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1553, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1659, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1669, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1679, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 3157, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 3332, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 3483, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5813, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5832, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5854, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5855, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5856, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8048000

Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 931, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 933, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1553, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1659, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1669, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 1679, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 3157, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 3332, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 3483, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5813, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5832, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5854, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5855, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5831)	SIGKILL sent: pid: 5856, result: successful	Jump to behavior

Source: Kloki.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b548632d reference_sample = 639d9d6da22e84fb6b6fc676a1c4cfd74a8ed546ce8661500ab2ef971242df07, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8b355e9c1150d43f52e6e9e052eda87ba158041f7b645f4f67c32dd549c09f28, id = b548632d-7916-444a-aa68-4b3e38251905, last_modified = 2021-09-16
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5828.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5830.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal60.spre.linELF@0/0@1/0

Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/4177/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3241/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1333/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3235/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3234/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1615/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5814/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5673/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3255/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3253/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3252/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3251/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3250/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1623/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3249/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/764/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3368/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3246/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3488/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/766/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/888/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/804/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1867/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3407/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5840/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5838/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5839/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3379/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/777/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/658/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/779/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/812/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/933/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5833/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5834/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5835/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3419/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5836/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5837/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5850/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5851/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3310/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3275/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3274/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3273/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3394/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3272/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5849/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/782/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3303/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3027/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/789/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5841/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5842/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5843/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5844/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5845/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5846/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5847/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5848/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/5861/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3044/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3440/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/793/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/794/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3316/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/796/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3157/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3278/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3399/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3711/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3210/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3298/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3055/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3052/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3292/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3205/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3047/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3201/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/723/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/724/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3060/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1440/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3222/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3188/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3220/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3461/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3064/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3062/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3183/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/850/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1432/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3456/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1431/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3192/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3475/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3197/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3074/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/1445/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3469/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5830)	File opened: /proc/3465/status	Jump to behavior

Source: Kloki.x86.elf	Submission file: segment LOAD with 7.8815 entropy (max. 8.0)
Source: Kloki.x86.elf	Submission file: segment LOAD with 7.9483 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.x86.elf	21%	ReversingLabs	Win32.Trojan.Generic
Kloki.x86.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.70.230	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.43.24	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.121.77	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.55.50	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.46.156	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.242.152	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.145.41	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.6.47	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.202.242	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.158.73	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.54.36	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.98.204	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.234.152	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.247.177	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.152.98	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.242.92	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.29.148	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.101.37	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.46.229	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.54.168	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.212.147	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.58.145	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.73.44	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.199.199	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.175.148	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.171.254	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.165.88	unknown	Bulgaria	31037	WAVENETLB	false
83.222.4.77	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.74.148	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.33.212	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.107.57	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.214.75	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.75.227	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.250.174	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.233.251	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.250.210	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.146.78	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.65.74	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.51.161	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.191.230	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.172.149	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.93.62	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.101.212	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.11.253	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.52.33	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.164.65	unknown	Bulgaria	31037	WAVENETLB	false
83.222.186.172	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.248.238	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.184.66	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.50.232	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.133.159	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.187.29	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.241.245	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.71.135	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.153.88	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.49.37	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.9.52	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.203.181	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.236.252	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.41.18	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.207.219	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.181.63	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.190.214	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.202.198	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.68.210	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.222.79	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.146.5	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.226.204	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.26.170	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.231.59	unknown	United Kingdom	13768	COGECO-PEER1CA	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.64.159
	skid.x86.elf	Get hash	malicious	Moobot	Browse	83.222.64.191
	XfUkJyh9A3.elf	Get hash	malicious	Mirai	Browse	37.209.228.199
	nSQgTX0uEc.dll	Get hash	malicious	Wannacry	Browse	213.141.249.89
	e7N7Kz9Bar	Get hash	malicious	Unknown	Browse	37.209.226.155
	G2JJHi7jyh	Get hash	malicious	Mirai	Browse	212.75.151.147
	KiDRFl2BaN	Get hash	malicious	Mirai	Browse	212.75.129.46
	UbjnMZrdW8	Get hash	malicious	Mirai	Browse	37.209.228.197
	vEjGHdNRFj	Get hash	malicious	Gafgyt Mirai	Browse	37.209.228.196
	6LmZoebUdA	Get hash	malicious	Mirai	Browse	37.209.236.25
LOL-ASluLU	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.38.250
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.39.173
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.34.98
	jew.x86.elf	Get hash	malicious	Unknown	Browse	85.10.122.249
	ppc.elf	Get hash	malicious	Mirai	Browse	85.10.122.239
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	85.10.122.206
	debug.dbg.elf	Get hash	malicious	Mirai, Gafgyt	Browse	85.10.122.235
	sh4.elf	Get hash	malicious	Unknown	Browse	85.10.122.213
	wlcougQfbn.elf	Get hash	malicious	Unknown	Browse	85.10.122.243
	J8hytxrLBJ.elf	Get hash	malicious	Mirai	Browse	85.10.122.212
MNOGOBYTE-ASMoscowRussiaRU	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.110.86
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.112.137
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.121.44
	Hilix.m68k.elf	Get hash	malicious	Mirai	Browse	45.87.110.254
	arm6.elf	Get hash	malicious	Unknown	Browse	83.222.115.109
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	83.222.104.70
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	77.220.164.91
	i686.elf	Get hash	malicious	Unknown	Browse	83.222.115.100
	mpsl.elf	Get hash	malicious	Mirai	Browse	146.255.196.1
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	146.255.202.89
LOL-ASluLU	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.34.98
	jew.x86.elf	Get hash	malicious	Unknown	Browse	85.10.122.249
	ppc.elf	Get hash	malicious	Mirai	Browse	85.10.122.239
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	85.10.122.206
	debug.dbg.elf	Get hash	malicious	Mirai, Gafgyt	Browse	85.10.122.235
	sh4.elf	Get hash	malicious	Unknown	Browse	85.10.122.213
	wlcougQfbn.elf	Get hash	malicious	Unknown	Browse	85.10.122.243
	J8hytxrLBJ.elf	Get hash	malicious	Mirai	Browse	85.10.122.212
	u3FxQf1X9v.elf	Get hash	malicious	Mirai	Browse	85.10.122.211
	9BrsO1bmfY.elf	Get hash	malicious	Mirai	Browse	185.6.235.73

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.945227559697287
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Kloki.x86.elf
File size:	30'472 bytes
MD5:	180781bb607ae6bde186929e3570ef0a
SHA1:	542d17f62e3372e220c4ace15a4480d78b4f4126
SHA256:	76f4346fd91acdf7b9c37ba5738afb215fcc793c02ef46df8a22355fedb91e01
SHA512:	93734013ec6bbc30abc663cb49f8d5f617346984c93e73c0b418795d701977a476a6835d375493034db0e634ce956c8ab6f83be438923ef316ef27c3347683aa
SSDEEP:	768:F/DkhFYywTBFgoTCJCHjJ2WlfxSkbZnbcuyD7UoURb:Fr8YzdFjxj9fRZnouy8J
TLSH:	44D2F15CA1D86864D05F917B261EB40A89A0B90DE6E8C9BBCDFC343782D07E4792961F
File Content Preview:	.ELF........................4...........4. ...(......................................................v...v..........Q.td.............................j=.sfgaD...................S..........?..k.I/.j....\.d*nlz.g...S.......c.J...RE..V.r.V.}.=.&.d..j.jQ......

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x805f3d8
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x1000	0x107c0	7.8815	0x6	RW	0x1000
LOAD	0x0	0x8059000	0x8059000	0x7611	0x7611	7.9483	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T19:47:27.694222+0100	2500036	ET COMPROMISED Known Compromised or Hostile Host Traffic group 19	2	83.222.191.90	13566	192.168.2.15	58060	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 19:47:27.663212061 CET	33866	13566	192.168.2.15	83.222.248.238
Jan 8, 2025 19:47:27.663217068 CET	48440	13566	192.168.2.15	83.222.233.251
Jan 8, 2025 19:47:27.663228035 CET	34070	13566	192.168.2.15	83.222.181.63
Jan 8, 2025 19:47:27.663233042 CET	52784	13566	192.168.2.15	83.222.153.88
Jan 8, 2025 19:47:27.663299084 CET	45148	13566	192.168.2.15	83.222.68.210
Jan 8, 2025 19:47:27.663309097 CET	47030	13566	192.168.2.15	83.222.250.174
Jan 8, 2025 19:47:27.663325071 CET	40580	13566	192.168.2.15	83.222.98.204
Jan 8, 2025 19:47:27.663330078 CET	44250	13566	192.168.2.15	83.222.46.229
Jan 8, 2025 19:47:27.663343906 CET	43086	13566	192.168.2.15	83.222.164.65
Jan 8, 2025 19:47:27.663361073 CET	53218	13566	192.168.2.15	83.222.133.159
Jan 8, 2025 19:47:27.663366079 CET	34054	13566	192.168.2.15	83.222.234.152
Jan 8, 2025 19:47:27.663419008 CET	38990	13566	192.168.2.15	83.222.231.59
Jan 8, 2025 19:47:27.663423061 CET	33442	13566	192.168.2.15	83.222.165.88
Jan 8, 2025 19:47:27.663429022 CET	56662	13566	192.168.2.15	83.222.190.214
Jan 8, 2025 19:47:27.663435936 CET	59716	13566	192.168.2.15	83.222.6.47
Jan 8, 2025 19:47:27.663446903 CET	53406	13566	192.168.2.15	83.222.171.254
Jan 8, 2025 19:47:27.663460016 CET	35544	13566	192.168.2.15	83.222.29.148
Jan 8, 2025 19:47:27.663479090 CET	41550	13566	192.168.2.15	83.222.250.210
Jan 8, 2025 19:47:27.663506985 CET	48744	13566	192.168.2.15	83.222.212.147
Jan 8, 2025 19:47:27.663522005 CET	40142	13566	192.168.2.15	83.222.43.24
Jan 8, 2025 19:47:27.663930893 CET	54910	13566	192.168.2.15	83.222.101.37
Jan 8, 2025 19:47:27.663939953 CET	52830	13566	192.168.2.15	83.222.199.199
Jan 8, 2025 19:47:27.663960934 CET	32864	13566	192.168.2.15	83.222.241.245
Jan 8, 2025 19:47:27.663964987 CET	47822	13566	192.168.2.15	83.222.172.149
Jan 8, 2025 19:47:27.663975954 CET	46546	13566	192.168.2.15	83.222.55.50
Jan 8, 2025 19:47:27.663986921 CET	47342	13566	192.168.2.15	83.222.52.33
Jan 8, 2025 19:47:27.664005041 CET	55226	13566	192.168.2.15	83.222.202.242
Jan 8, 2025 19:47:27.664020061 CET	51280	13566	192.168.2.15	83.222.247.177
Jan 8, 2025 19:47:27.664021969 CET	59548	13566	192.168.2.15	83.222.46.156
Jan 8, 2025 19:47:27.664038897 CET	41144	13566	192.168.2.15	83.222.9.52
Jan 8, 2025 19:47:27.664042950 CET	46988	13566	192.168.2.15	83.222.203.181
Jan 8, 2025 19:47:27.664057016 CET	59126	13566	192.168.2.15	83.222.50.232
Jan 8, 2025 19:47:27.664072037 CET	35092	13566	192.168.2.15	83.222.73.44
Jan 8, 2025 19:47:27.664139986 CET	60010	13566	192.168.2.15	83.222.191.230
Jan 8, 2025 19:47:27.664139986 CET	39898	13566	192.168.2.15	83.222.187.29
Jan 8, 2025 19:47:27.664139986 CET	57576	13566	192.168.2.15	83.222.11.253
Jan 8, 2025 19:47:27.664144039 CET	44316	13566	192.168.2.15	83.222.54.36
Jan 8, 2025 19:47:27.664158106 CET	54522	13566	192.168.2.15	83.222.236.252
Jan 8, 2025 19:47:27.664176941 CET	45778	13566	192.168.2.15	83.222.242.152
Jan 8, 2025 19:47:27.664181948 CET	35794	13566	192.168.2.15	83.222.145.41
Jan 8, 2025 19:47:27.664236069 CET	41056	13566	192.168.2.15	83.222.202.198
Jan 8, 2025 19:47:27.664243937 CET	54346	13566	192.168.2.15	83.222.74.148
Jan 8, 2025 19:47:27.664259911 CET	43454	13566	192.168.2.15	83.222.184.66
Jan 8, 2025 19:47:27.664264917 CET	49900	13566	192.168.2.15	83.222.70.230
Jan 8, 2025 19:47:27.664283991 CET	45918	13566	192.168.2.15	83.222.222.79
Jan 8, 2025 19:47:27.664294004 CET	41408	13566	192.168.2.15	83.222.26.170
Jan 8, 2025 19:47:27.664308071 CET	41158	13566	192.168.2.15	83.222.4.77
Jan 8, 2025 19:47:27.664316893 CET	53764	13566	192.168.2.15	83.222.146.78
Jan 8, 2025 19:47:27.664351940 CET	55242	13566	192.168.2.15	83.222.121.77
Jan 8, 2025 19:47:27.664361954 CET	47552	13566	192.168.2.15	83.222.107.57
Jan 8, 2025 19:47:27.664374113 CET	37706	13566	192.168.2.15	83.222.51.161
Jan 8, 2025 19:47:27.664385080 CET	55974	13566	192.168.2.15	83.222.93.62
Jan 8, 2025 19:47:27.664403915 CET	60770	13566	192.168.2.15	83.222.158.73
Jan 8, 2025 19:47:27.664414883 CET	54220	13566	192.168.2.15	83.222.58.145
Jan 8, 2025 19:47:27.664427996 CET	49172	13566	192.168.2.15	83.222.226.204
Jan 8, 2025 19:47:27.664468050 CET	44004	13566	192.168.2.15	83.222.186.172
Jan 8, 2025 19:47:27.664473057 CET	47718	13566	192.168.2.15	83.222.146.5
Jan 8, 2025 19:47:27.664488077 CET	58000	13566	192.168.2.15	83.222.65.74
Jan 8, 2025 19:47:27.664498091 CET	44186	13566	192.168.2.15	83.222.71.135
Jan 8, 2025 19:47:27.664518118 CET	43358	13566	192.168.2.15	83.222.49.37
Jan 8, 2025 19:47:27.664532900 CET	47042	13566	192.168.2.15	83.222.214.75
Jan 8, 2025 19:47:27.664545059 CET	53540	13566	192.168.2.15	83.222.207.219
Jan 8, 2025 19:47:27.664760113 CET	42426	13566	192.168.2.15	83.222.152.98
Jan 8, 2025 19:47:27.664777040 CET	46994	13566	192.168.2.15	83.222.41.18
Jan 8, 2025 19:47:27.664788008 CET	60286	13566	192.168.2.15	83.222.175.148
Jan 8, 2025 19:47:27.664804935 CET	59196	13566	192.168.2.15	83.222.75.227
Jan 8, 2025 19:47:27.664820910 CET	33894	13566	192.168.2.15	83.222.54.168
Jan 8, 2025 19:47:27.664824963 CET	59212	13566	192.168.2.15	83.222.33.212
Jan 8, 2025 19:47:27.664839029 CET	41816	13566	192.168.2.15	83.222.242.92
Jan 8, 2025 19:47:27.664853096 CET	56660	13566	192.168.2.15	83.222.101.212
Jan 8, 2025 19:47:27.668056965 CET	13566	48440	83.222.233.251	192.168.2.15
Jan 8, 2025 19:47:27.668112040 CET	48440	13566	192.168.2.15	83.222.233.251
Jan 8, 2025 19:47:27.668275118 CET	13566	52784	83.222.153.88	192.168.2.15
Jan 8, 2025 19:47:27.668287039 CET	13566	34070	83.222.181.63	192.168.2.15
Jan 8, 2025 19:47:27.668297052 CET	13566	33866	83.222.248.238	192.168.2.15
Jan 8, 2025 19:47:27.668304920 CET	52784	13566	192.168.2.15	83.222.153.88
Jan 8, 2025 19:47:27.668308020 CET	13566	45148	83.222.68.210	192.168.2.15
Jan 8, 2025 19:47:27.668318033 CET	34070	13566	192.168.2.15	83.222.181.63
Jan 8, 2025 19:47:27.668319941 CET	13566	47030	83.222.250.174	192.168.2.15
Jan 8, 2025 19:47:27.668327093 CET	33866	13566	192.168.2.15	83.222.248.238
Jan 8, 2025 19:47:27.668330908 CET	13566	40580	83.222.98.204	192.168.2.15
Jan 8, 2025 19:47:27.668339014 CET	45148	13566	192.168.2.15	83.222.68.210
Jan 8, 2025 19:47:27.668342113 CET	13566	44250	83.222.46.229	192.168.2.15
Jan 8, 2025 19:47:27.668344021 CET	47030	13566	192.168.2.15	83.222.250.174
Jan 8, 2025 19:47:27.668353081 CET	13566	43086	83.222.164.65	192.168.2.15
Jan 8, 2025 19:47:27.668356895 CET	40580	13566	192.168.2.15	83.222.98.204
Jan 8, 2025 19:47:27.668361902 CET	13566	34054	83.222.234.152	192.168.2.15
Jan 8, 2025 19:47:27.668365955 CET	44250	13566	192.168.2.15	83.222.46.229
Jan 8, 2025 19:47:27.668373108 CET	13566	53218	83.222.133.159	192.168.2.15
Jan 8, 2025 19:47:27.668375015 CET	43086	13566	192.168.2.15	83.222.164.65
Jan 8, 2025 19:47:27.668387890 CET	34054	13566	192.168.2.15	83.222.234.152
Jan 8, 2025 19:47:27.668401003 CET	53218	13566	192.168.2.15	83.222.133.159
Jan 8, 2025 19:47:27.673073053 CET	13566	33442	83.222.165.88	192.168.2.15
Jan 8, 2025 19:47:27.673083067 CET	13566	38990	83.222.231.59	192.168.2.15
Jan 8, 2025 19:47:27.673094034 CET	13566	56662	83.222.190.214	192.168.2.15
Jan 8, 2025 19:47:27.673110962 CET	33442	13566	192.168.2.15	83.222.165.88
Jan 8, 2025 19:47:27.673114061 CET	38990	13566	192.168.2.15	83.222.231.59
Jan 8, 2025 19:47:27.673115015 CET	13566	59716	83.222.6.47	192.168.2.15
Jan 8, 2025 19:47:27.673125982 CET	13566	53406	83.222.171.254	192.168.2.15
Jan 8, 2025 19:47:27.673126936 CET	56662	13566	192.168.2.15	83.222.190.214
Jan 8, 2025 19:47:27.673136950 CET	13566	35544	83.222.29.148	192.168.2.15
Jan 8, 2025 19:47:27.673144102 CET	59716	13566	192.168.2.15	83.222.6.47
Jan 8, 2025 19:47:27.673147917 CET	13566	41550	83.222.250.210	192.168.2.15
Jan 8, 2025 19:47:27.673155069 CET	53406	13566	192.168.2.15	83.222.171.254
Jan 8, 2025 19:47:27.673160076 CET	13566	48744	83.222.212.147	192.168.2.15
Jan 8, 2025 19:47:27.673162937 CET	35544	13566	192.168.2.15	83.222.29.148
Jan 8, 2025 19:47:27.673168898 CET	13566	40142	83.222.43.24	192.168.2.15
Jan 8, 2025 19:47:27.673177958 CET	41550	13566	192.168.2.15	83.222.250.210
Jan 8, 2025 19:47:27.673178911 CET	13566	54910	83.222.101.37	192.168.2.15
Jan 8, 2025 19:47:27.673187971 CET	48744	13566	192.168.2.15	83.222.212.147
Jan 8, 2025 19:47:27.673187971 CET	13566	52830	83.222.199.199	192.168.2.15
Jan 8, 2025 19:47:27.673192024 CET	40142	13566	192.168.2.15	83.222.43.24
Jan 8, 2025 19:47:27.673202038 CET	54910	13566	192.168.2.15	83.222.101.37
Jan 8, 2025 19:47:27.673207045 CET	13566	32864	83.222.241.245	192.168.2.15
Jan 8, 2025 19:47:27.673213959 CET	52830	13566	192.168.2.15	83.222.199.199
Jan 8, 2025 19:47:27.673216105 CET	13566	47822	83.222.172.149	192.168.2.15
Jan 8, 2025 19:47:27.673224926 CET	13566	46546	83.222.55.50	192.168.2.15
Jan 8, 2025 19:47:27.673233032 CET	32864	13566	192.168.2.15	83.222.241.245
Jan 8, 2025 19:47:27.673233986 CET	13566	47342	83.222.52.33	192.168.2.15
Jan 8, 2025 19:47:27.673240900 CET	47822	13566	192.168.2.15	83.222.172.149
Jan 8, 2025 19:47:27.673244953 CET	13566	55226	83.222.202.242	192.168.2.15
Jan 8, 2025 19:47:27.673249960 CET	46546	13566	192.168.2.15	83.222.55.50
Jan 8, 2025 19:47:27.673254967 CET	13566	51280	83.222.247.177	192.168.2.15
Jan 8, 2025 19:47:27.673264027 CET	13566	59548	83.222.46.156	192.168.2.15
Jan 8, 2025 19:47:27.673264980 CET	47342	13566	192.168.2.15	83.222.52.33
Jan 8, 2025 19:47:27.673274040 CET	55226	13566	192.168.2.15	83.222.202.242
Jan 8, 2025 19:47:27.673274040 CET	13566	41144	83.222.9.52	192.168.2.15
Jan 8, 2025 19:47:27.673281908 CET	51280	13566	192.168.2.15	83.222.247.177
Jan 8, 2025 19:47:27.673285007 CET	13566	46988	83.222.203.181	192.168.2.15
Jan 8, 2025 19:47:27.673289061 CET	59548	13566	192.168.2.15	83.222.46.156
Jan 8, 2025 19:47:27.673295021 CET	13566	59126	83.222.50.232	192.168.2.15
Jan 8, 2025 19:47:27.673300028 CET	41144	13566	192.168.2.15	83.222.9.52
Jan 8, 2025 19:47:27.673306942 CET	13566	35092	83.222.73.44	192.168.2.15
Jan 8, 2025 19:47:27.673309088 CET	46988	13566	192.168.2.15	83.222.203.181
Jan 8, 2025 19:47:27.673316956 CET	59126	13566	192.168.2.15	83.222.50.232
Jan 8, 2025 19:47:27.673331976 CET	35092	13566	192.168.2.15	83.222.73.44
Jan 8, 2025 19:47:27.673557997 CET	13566	60010	83.222.191.230	192.168.2.15
Jan 8, 2025 19:47:27.673568010 CET	13566	39898	83.222.187.29	192.168.2.15
Jan 8, 2025 19:47:27.673578978 CET	13566	44316	83.222.54.36	192.168.2.15
Jan 8, 2025 19:47:27.673587084 CET	60010	13566	192.168.2.15	83.222.191.230
Jan 8, 2025 19:47:27.673588991 CET	13566	57576	83.222.11.253	192.168.2.15
Jan 8, 2025 19:47:27.673593044 CET	39898	13566	192.168.2.15	83.222.187.29
Jan 8, 2025 19:47:27.673599958 CET	13566	54522	83.222.236.252	192.168.2.15
Jan 8, 2025 19:47:27.673605919 CET	44316	13566	192.168.2.15	83.222.54.36
Jan 8, 2025 19:47:27.673609972 CET	13566	45778	83.222.242.152	192.168.2.15
Jan 8, 2025 19:47:27.673610926 CET	57576	13566	192.168.2.15	83.222.11.253
Jan 8, 2025 19:47:27.673619032 CET	13566	35794	83.222.145.41	192.168.2.15
Jan 8, 2025 19:47:27.673624039 CET	54522	13566	192.168.2.15	83.222.236.252
Jan 8, 2025 19:47:27.673635960 CET	45778	13566	192.168.2.15	83.222.242.152
Jan 8, 2025 19:47:27.673638105 CET	13566	41056	83.222.202.198	192.168.2.15
Jan 8, 2025 19:47:27.673640966 CET	35794	13566	192.168.2.15	83.222.145.41
Jan 8, 2025 19:47:27.673648119 CET	13566	54346	83.222.74.148	192.168.2.15
Jan 8, 2025 19:47:27.673657894 CET	13566	43454	83.222.184.66	192.168.2.15
Jan 8, 2025 19:47:27.673665047 CET	41056	13566	192.168.2.15	83.222.202.198
Jan 8, 2025 19:47:27.673667908 CET	13566	49900	83.222.70.230	192.168.2.15
Jan 8, 2025 19:47:27.673671961 CET	54346	13566	192.168.2.15	83.222.74.148
Jan 8, 2025 19:47:27.673677921 CET	13566	45918	83.222.222.79	192.168.2.15
Jan 8, 2025 19:47:27.673688889 CET	13566	41408	83.222.26.170	192.168.2.15
Jan 8, 2025 19:47:27.673688889 CET	43454	13566	192.168.2.15	83.222.184.66
Jan 8, 2025 19:47:27.673698902 CET	13566	41158	83.222.4.77	192.168.2.15
Jan 8, 2025 19:47:27.673708916 CET	13566	53764	83.222.146.78	192.168.2.15
Jan 8, 2025 19:47:27.673710108 CET	49900	13566	192.168.2.15	83.222.70.230
Jan 8, 2025 19:47:27.673712969 CET	41408	13566	192.168.2.15	83.222.26.170
Jan 8, 2025 19:47:27.673719883 CET	13566	55242	83.222.121.77	192.168.2.15
Jan 8, 2025 19:47:27.673722029 CET	45918	13566	192.168.2.15	83.222.222.79
Jan 8, 2025 19:47:27.673728943 CET	13566	47552	83.222.107.57	192.168.2.15
Jan 8, 2025 19:47:27.673727036 CET	41158	13566	192.168.2.15	83.222.4.77
Jan 8, 2025 19:47:27.673727036 CET	53764	13566	192.168.2.15	83.222.146.78
Jan 8, 2025 19:47:27.673738956 CET	13566	37706	83.222.51.161	192.168.2.15
Jan 8, 2025 19:47:27.673741102 CET	55242	13566	192.168.2.15	83.222.121.77
Jan 8, 2025 19:47:27.673747063 CET	13566	55974	83.222.93.62	192.168.2.15
Jan 8, 2025 19:47:27.673752069 CET	47552	13566	192.168.2.15	83.222.107.57
Jan 8, 2025 19:47:27.673757076 CET	13566	60770	83.222.158.73	192.168.2.15
Jan 8, 2025 19:47:27.673760891 CET	37706	13566	192.168.2.15	83.222.51.161
Jan 8, 2025 19:47:27.673765898 CET	13566	54220	83.222.58.145	192.168.2.15
Jan 8, 2025 19:47:27.673768044 CET	55974	13566	192.168.2.15	83.222.93.62
Jan 8, 2025 19:47:27.673775911 CET	13566	49172	83.222.226.204	192.168.2.15
Jan 8, 2025 19:47:27.673777103 CET	60770	13566	192.168.2.15	83.222.158.73
Jan 8, 2025 19:47:27.673784971 CET	54220	13566	192.168.2.15	83.222.58.145
Jan 8, 2025 19:47:27.673811913 CET	49172	13566	192.168.2.15	83.222.226.204
Jan 8, 2025 19:47:27.673928976 CET	13566	44004	83.222.186.172	192.168.2.15
Jan 8, 2025 19:47:27.673938990 CET	13566	47718	83.222.146.5	192.168.2.15
Jan 8, 2025 19:47:27.673948050 CET	13566	58000	83.222.65.74	192.168.2.15
Jan 8, 2025 19:47:27.673958063 CET	13566	44186	83.222.71.135	192.168.2.15
Jan 8, 2025 19:47:27.673960924 CET	47718	13566	192.168.2.15	83.222.146.5
Jan 8, 2025 19:47:27.673966885 CET	13566	43358	83.222.49.37	192.168.2.15
Jan 8, 2025 19:47:27.673969030 CET	44004	13566	192.168.2.15	83.222.186.172
Jan 8, 2025 19:47:27.673970938 CET	58000	13566	192.168.2.15	83.222.65.74
Jan 8, 2025 19:47:27.673978090 CET	13566	47042	83.222.214.75	192.168.2.15
Jan 8, 2025 19:47:27.673989058 CET	44186	13566	192.168.2.15	83.222.71.135
Jan 8, 2025 19:47:27.673991919 CET	43358	13566	192.168.2.15	83.222.49.37
Jan 8, 2025 19:47:27.673995972 CET	13566	53540	83.222.207.219	192.168.2.15
Jan 8, 2025 19:47:27.674004078 CET	47042	13566	192.168.2.15	83.222.214.75
Jan 8, 2025 19:47:27.674005985 CET	13566	42426	83.222.152.98	192.168.2.15
Jan 8, 2025 19:47:27.674015999 CET	13566	46994	83.222.41.18	192.168.2.15
Jan 8, 2025 19:47:27.674015999 CET	53540	13566	192.168.2.15	83.222.207.219
Jan 8, 2025 19:47:27.674026012 CET	13566	60286	83.222.175.148	192.168.2.15
Jan 8, 2025 19:47:27.674030066 CET	42426	13566	192.168.2.15	83.222.152.98
Jan 8, 2025 19:47:27.674036980 CET	13566	59196	83.222.75.227	192.168.2.15
Jan 8, 2025 19:47:27.674040079 CET	46994	13566	192.168.2.15	83.222.41.18
Jan 8, 2025 19:47:27.674046040 CET	13566	33894	83.222.54.168	192.168.2.15
Jan 8, 2025 19:47:27.674052000 CET	60286	13566	192.168.2.15	83.222.175.148
Jan 8, 2025 19:47:27.674057007 CET	13566	59212	83.222.33.212	192.168.2.15
Jan 8, 2025 19:47:27.674067020 CET	59196	13566	192.168.2.15	83.222.75.227
Jan 8, 2025 19:47:27.674078941 CET	33894	13566	192.168.2.15	83.222.54.168
Jan 8, 2025 19:47:27.674098969 CET	13566	41816	83.222.242.92	192.168.2.15
Jan 8, 2025 19:47:27.674109936 CET	13566	56660	83.222.101.212	192.168.2.15
Jan 8, 2025 19:47:27.674113035 CET	59212	13566	192.168.2.15	83.222.33.212
Jan 8, 2025 19:47:27.674122095 CET	41816	13566	192.168.2.15	83.222.242.92
Jan 8, 2025 19:47:27.674139023 CET	56660	13566	192.168.2.15	83.222.101.212
Jan 8, 2025 19:47:27.689464092 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:47:27.694221973 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:47:27.694312096 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:47:27.694312096 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:47:27.699110031 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:47:27.699157000 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:47:27.703958988 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:47:37.704150915 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:47:37.709851027 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:47:37.908284903 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:47:37.908356905 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:47:38.271790028 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:47:38.271847010 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:48:38.322736979 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:48:38.327615976 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:48:38.524960041 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:48:38.525135040 CET	58060	13566	192.168.2.15	83.222.191.90
Jan 8, 2025 19:48:39.272656918 CET	13566	58060	83.222.191.90	192.168.2.15
Jan 8, 2025 19:48:39.272800922 CET	58060	13566	192.168.2.15	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 19:47:27.664890051 CET	55839	53	192.168.2.15	8.8.8.8
Jan 8, 2025 19:47:27.686042070 CET	53	55839	8.8.8.8	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 19:47:27.664890051 CET	192.168.2.15	8.8.8.8	0x6699	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 19:47:27.686042070 CET	8.8.8.8	192.168.2.15	0x6699	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Kloki.x86.elf PID: 5828, Parent PID: 5754

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	/tmp/Kloki.x86.elf
File size:	30472 bytes
MD5 hash:	180781bb607ae6bde186929e3570ef0a

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5829, Parent PID: 5828

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	-
File size:	30472 bytes
MD5 hash:	180781bb607ae6bde186929e3570ef0a

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5830, Parent PID: 5829

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	-
File size:	30472 bytes
MD5 hash:	180781bb607ae6bde186929e3570ef0a

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5831, Parent PID: 5829

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	-
File size:	30472 bytes
MD5 hash:	180781bb607ae6bde186929e3570ef0a

Chronological Activities

Analysis Process: gnome-session-binary PID: 5832, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5832, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sharing PID: 5832, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

Chronological Activities

Analysis Process: gnome-session-binary PID: 5854, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5854, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-shell PID: 5854, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/bin/gnome-shell
Arguments:	/usr/bin/gnome-shell
File size:	23168 bytes
MD5 hash:	da7a257239677622fe4b3a65972c9e87

Chronological Activities

Analysis Process: gnome-session-binary PID: 5855, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5855, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5855, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gnome-session-binary PID: 5856, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5856, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5856, Parent PID: 1498

General

Start time (UTC):	18:47:26
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gdm3 PID: 5859, Parent PID: 1333

General

Start time (UTC):	18:47:27
Start date (UTC):	08/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5859, Parent PID: 1333

General

Start time (UTC):	18:47:27
Start date (UTC):	08/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5860, Parent PID: 1333

General

Start time (UTC):	18:47:27
Start date (UTC):	08/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5860, Parent PID: 1333

General

Start time (UTC):	18:47:27
Start date (UTC):	08/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5866, Parent PID: 1

General

Start time (UTC):	18:47:37
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5866, Parent PID: 1

General

Start time (UTC):	18:47:37
Start date (UTC):	08/01/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Kloki.x86.elf PID: 5828, Parent PID: 5754

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5829, Parent PID: 5828

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5830, Parent PID: 5829

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5831, Parent PID: 5829

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5832, Parent PID: 1498

General

Chronological Activities

Analysis Process: sh PID: 5832, Parent PID: 1498

General

Chronological Activities

Analysis Process: gsd-sharing PID: 5832, Parent PID: 1498

General

Chronological Activities

Linux Analysis Report
Kloki.x86.elf