Edit tour

Linux Analysis Report
Kloki.x86_64.elf

Overview

General Information

Sample name:	Kloki.x86_64.elf
Analysis ID:	1586172
MD5:	87a674a1cd303c58d819270cddd7fc63
SHA1:	c3d59d459d603e8affd3450090e2b1a9619ace5a
SHA256:	192dc6e6726aaa9cce13eaaf812b070d7aa9b4824c2b1dee17e680e3d75284f7
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586172
Start date and time:	2025-01-08 19:50:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.x86_64.elf
Detection:	MAL
Classification:	mal64.spre.linELF@0/0@1/0

Warnings

VT rate limit hit for: Kloki.x86_64.elf

Runtime Messages

Command:	/tmp/Kloki.x86_64.elf
PID:	5514
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

Kloki.x86_64.elf (PID: 5514, Parent: 5432, MD5: 87a674a1cd303c58d819270cddd7fc63) Arguments: /tmp/Kloki.x86_64.elf

Kloki.x86_64.elf New Fork (PID: 5515, Parent: 5514)

Kloki.x86_64.elf New Fork (PID: 5516, Parent: 5515)

Kloki.x86_64.elf New Fork (PID: 5517, Parent: 5515)

gnome-session-binary New Fork (PID: 5518, Parent: 1383)

sh (PID: 5518, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 5518, Parent: 1383, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 5538, Parent: 1383)

sh (PID: 5538, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-shell (PID: 5538, Parent: 1383, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 5540, Parent: 1383)

sh (PID: 5540, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5540, Parent: 1383, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gnome-session-binary New Fork (PID: 5541, Parent: 1383)

sh (PID: 5541, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5541, Parent: 1383, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 5542, Parent: 1289)

Default (PID: 5542, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5545, Parent: 1289)

Default (PID: 5545, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 5551, Parent: 1)

systemd-user-runtime-dir (PID: 5551, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x9654:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x9e43:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x779e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x78d4:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xc74e:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x9a03:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x9cce:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0x9654:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0x9e43:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x779e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x78d4:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xc74e:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0x9a03:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0x9cce:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x4aa:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x5ad:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5514.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x4d22:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x4aa:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x5ad:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5516.1.0000000000400000.000000000040f000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x4d22:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 13 entries

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 19

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T19:51:05.258590+0100	2500036	2	Misc Attack	83.222.191.90	13566	192.168.2.14	56566	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Kloki.x86_64.elf

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: Kloki.x86_64.elf

Joe Sandbox ML: detected

Source: global traffic	TCP traffic: 192.168.2.14:54890 -> 83.222.176.215:13566
Source: global traffic	TCP traffic: 192.168.2.14:40004 -> 83.222.142.119:13566
Source: global traffic	TCP traffic: 192.168.2.14:54804 -> 83.222.168.232:13566
Source: global traffic	TCP traffic: 192.168.2.14:57106 -> 83.222.84.153:13566
Source: global traffic	TCP traffic: 192.168.2.14:49962 -> 83.222.207.35:13566
Source: global traffic	TCP traffic: 192.168.2.14:32964 -> 83.222.137.76:13566
Source: global traffic	TCP traffic: 192.168.2.14:56292 -> 83.222.180.208:13566
Source: global traffic	TCP traffic: 192.168.2.14:33584 -> 83.222.72.118:13566
Source: global traffic	TCP traffic: 192.168.2.14:57460 -> 83.222.77.71:13566
Source: global traffic	TCP traffic: 192.168.2.14:57814 -> 83.222.30.102:13566
Source: global traffic	TCP traffic: 192.168.2.14:51144 -> 83.222.253.191:13566
Source: global traffic	TCP traffic: 192.168.2.14:40460 -> 83.222.247.99:13566
Source: global traffic	TCP traffic: 192.168.2.14:33462 -> 83.222.78.255:13566
Source: global traffic	TCP traffic: 192.168.2.14:59430 -> 83.222.183.191:13566
Source: global traffic	TCP traffic: 192.168.2.14:47846 -> 83.222.20.159:13566
Source: global traffic	TCP traffic: 192.168.2.14:59784 -> 83.222.102.197:13566
Source: global traffic	TCP traffic: 192.168.2.14:46378 -> 83.222.119.244:13566
Source: global traffic	TCP traffic: 192.168.2.14:33394 -> 83.222.60.31:13566
Source: global traffic	TCP traffic: 192.168.2.14:38040 -> 83.222.220.144:13566
Source: global traffic	TCP traffic: 192.168.2.14:53294 -> 83.222.185.171:13566
Source: global traffic	TCP traffic: 192.168.2.14:40246 -> 83.222.180.66:13566
Source: global traffic	TCP traffic: 192.168.2.14:39430 -> 83.222.248.104:13566
Source: global traffic	TCP traffic: 192.168.2.14:33800 -> 83.222.18.64:13566
Source: global traffic	TCP traffic: 192.168.2.14:38118 -> 83.222.222.96:13566
Source: global traffic	TCP traffic: 192.168.2.14:39634 -> 83.222.135.253:13566
Source: global traffic	TCP traffic: 192.168.2.14:55108 -> 83.222.198.133:13566
Source: global traffic	TCP traffic: 192.168.2.14:42466 -> 83.222.188.189:13566
Source: global traffic	TCP traffic: 192.168.2.14:54044 -> 83.222.232.11:13566
Source: global traffic	TCP traffic: 192.168.2.14:56670 -> 83.222.188.159:13566
Source: global traffic	TCP traffic: 192.168.2.14:59214 -> 83.222.202.209:13566
Source: global traffic	TCP traffic: 192.168.2.14:58820 -> 83.222.63.48:13566
Source: global traffic	TCP traffic: 192.168.2.14:33604 -> 83.222.150.182:13566
Source: global traffic	TCP traffic: 192.168.2.14:51704 -> 83.222.36.210:13566
Source: global traffic	TCP traffic: 192.168.2.14:44798 -> 83.222.213.1:13566
Source: global traffic	TCP traffic: 192.168.2.14:49278 -> 83.222.99.142:13566
Source: global traffic	TCP traffic: 192.168.2.14:53028 -> 83.222.172.23:13566
Source: global traffic	TCP traffic: 192.168.2.14:53876 -> 83.222.209.164:13566
Source: global traffic	TCP traffic: 192.168.2.14:41084 -> 83.222.127.227:13566
Source: global traffic	TCP traffic: 192.168.2.14:46988 -> 83.222.229.93:13566
Source: global traffic	TCP traffic: 192.168.2.14:57528 -> 83.222.67.108:13566
Source: global traffic	TCP traffic: 192.168.2.14:58522 -> 83.222.90.10:13566
Source: global traffic	TCP traffic: 192.168.2.14:42706 -> 83.222.241.23:13566
Source: global traffic	TCP traffic: 192.168.2.14:42270 -> 83.222.199.217:13566
Source: global traffic	TCP traffic: 192.168.2.14:39462 -> 83.222.34.132:13566
Source: global traffic	TCP traffic: 192.168.2.14:42200 -> 83.222.121.236:13566
Source: global traffic	TCP traffic: 192.168.2.14:52510 -> 83.222.85.184:13566
Source: global traffic	TCP traffic: 192.168.2.14:55604 -> 83.222.28.235:13566
Source: global traffic	TCP traffic: 192.168.2.14:40516 -> 83.222.110.64:13566
Source: global traffic	TCP traffic: 192.168.2.14:32918 -> 83.222.189.67:13566
Source: global traffic	TCP traffic: 192.168.2.14:34592 -> 83.222.65.32:13566
Source: global traffic	TCP traffic: 192.168.2.14:36596 -> 83.222.210.238:13566
Source: global traffic	TCP traffic: 192.168.2.14:59904 -> 83.222.55.163:13566
Source: global traffic	TCP traffic: 192.168.2.14:37258 -> 83.222.146.182:13566
Source: global traffic	TCP traffic: 192.168.2.14:53268 -> 83.222.134.119:13566
Source: global traffic	TCP traffic: 192.168.2.14:56346 -> 83.222.20.202:13566
Source: global traffic	TCP traffic: 192.168.2.14:34406 -> 83.222.228.110:13566
Source: global traffic	TCP traffic: 192.168.2.14:48978 -> 83.222.212.213:13566
Source: global traffic	TCP traffic: 192.168.2.14:59128 -> 83.222.133.155:13566
Source: global traffic	TCP traffic: 192.168.2.14:37866 -> 83.222.175.167:13566
Source: global traffic	TCP traffic: 192.168.2.14:60352 -> 83.222.31.40:13566
Source: global traffic	TCP traffic: 192.168.2.14:41908 -> 83.222.147.116:13566
Source: global traffic	TCP traffic: 192.168.2.14:47650 -> 83.222.224.175:13566
Source: global traffic	TCP traffic: 192.168.2.14:52666 -> 83.222.95.78:13566
Source: global traffic	TCP traffic: 192.168.2.14:50818 -> 83.222.240.29:13566
Source: global traffic	TCP traffic: 192.168.2.14:57928 -> 83.222.145.49:13566
Source: global traffic	TCP traffic: 192.168.2.14:35086 -> 83.222.61.99:13566
Source: global traffic	TCP traffic: 192.168.2.14:58042 -> 83.222.31.117:13566
Source: global traffic	TCP traffic: 192.168.2.14:44840 -> 83.222.6.178:13566
Source: global traffic	TCP traffic: 192.168.2.14:52878 -> 83.222.43.141:13566
Source: global traffic	TCP traffic: 192.168.2.14:43902 -> 83.222.41.63:13566
Source: global traffic	TCP traffic: 192.168.2.14:42048 -> 83.222.87.13:13566
Source: global traffic	TCP traffic: 192.168.2.14:49316 -> 83.222.174.43:13566
Source: global traffic	TCP traffic: 192.168.2.14:32838 -> 83.222.227.51:13566
Source: global traffic	TCP traffic: 192.168.2.14:34144 -> 83.222.198.146:13566
Source: global traffic	TCP traffic: 192.168.2.14:53264 -> 83.222.219.230:13566
Source: global traffic	TCP traffic: 192.168.2.14:38748 -> 83.222.186.110:13566
Source: global traffic	TCP traffic: 192.168.2.14:33400 -> 83.222.90.154:13566
Source: global traffic	TCP traffic: 192.168.2.14:34148 -> 83.222.30.186:13566
Source: global traffic	TCP traffic: 192.168.2.14:49190 -> 83.222.232.14:13566
Source: global traffic	TCP traffic: 192.168.2.14:54802 -> 83.222.215.121:13566
Source: global traffic	TCP traffic: 192.168.2.14:34810 -> 83.222.63.20:13566
Source: global traffic	TCP traffic: 192.168.2.14:59696 -> 83.222.221.95:13566
Source: global traffic	TCP traffic: 192.168.2.14:42594 -> 83.222.137.227:13566
Source: global traffic	TCP traffic: 192.168.2.14:33550 -> 83.222.17.181:13566
Source: global traffic	TCP traffic: 192.168.2.14:42884 -> 83.222.112.58:13566
Source: global traffic	TCP traffic: 192.168.2.14:47794 -> 83.222.244.199:13566
Source: global traffic	TCP traffic: 192.168.2.14:56782 -> 83.222.72.162:13566
Source: global traffic	TCP traffic: 192.168.2.14:56666 -> 83.222.242.43:13566
Source: global traffic	TCP traffic: 192.168.2.14:56518 -> 83.222.214.185:13566
Source: global traffic	TCP traffic: 192.168.2.14:44704 -> 83.222.189.177:13566
Source: global traffic	TCP traffic: 192.168.2.14:35712 -> 83.222.159.119:13566
Source: global traffic	TCP traffic: 192.168.2.14:36058 -> 83.222.31.249:13566
Source: global traffic	TCP traffic: 192.168.2.14:33866 -> 83.222.17.61:13566
Source: global traffic	TCP traffic: 192.168.2.14:39108 -> 83.222.179.249:13566
Source: global traffic	TCP traffic: 192.168.2.14:53216 -> 83.222.75.138:13566
Source: global traffic	TCP traffic: 192.168.2.14:42374 -> 83.222.114.139:13566
Source: global traffic	TCP traffic: 192.168.2.14:44078 -> 83.222.159.79:13566
Source: global traffic	TCP traffic: 192.168.2.14:37048 -> 83.222.234.40:13566
Source: global traffic	TCP traffic: 192.168.2.14:48842 -> 83.222.51.251:13566
Source: global traffic	TCP traffic: 192.168.2.14:51414 -> 83.222.221.163:13566
Source: global traffic	TCP traffic: 192.168.2.14:55770 -> 83.222.53.210:13566
Source: global traffic	TCP traffic: 192.168.2.14:52344 -> 83.222.107.125:13566
Source: global traffic	TCP traffic: 192.168.2.14:53166 -> 83.222.116.93:13566
Source: global traffic	TCP traffic: 192.168.2.14:46856 -> 83.222.168.74:13566
Source: global traffic	TCP traffic: 192.168.2.14:36084 -> 83.222.22.101:13566
Source: global traffic	TCP traffic: 192.168.2.14:32890 -> 83.222.251.181:13566
Source: global traffic	TCP traffic: 192.168.2.14:59122 -> 83.222.220.27:13566
Source: global traffic	TCP traffic: 192.168.2.14:56576 -> 83.222.175.237:13566
Source: global traffic	TCP traffic: 192.168.2.14:53052 -> 83.222.88.98:13566
Source: global traffic	TCP traffic: 192.168.2.14:35754 -> 83.222.230.164:13566
Source: global traffic	TCP traffic: 192.168.2.14:40390 -> 83.222.237.89:13566
Source: global traffic	TCP traffic: 192.168.2.14:57058 -> 83.222.47.140:13566
Source: global traffic	TCP traffic: 192.168.2.14:47924 -> 83.222.168.25:13566
Source: global traffic	TCP traffic: 192.168.2.14:56566 -> 83.222.191.90:13566

Source: /tmp/Kloki.x86_64.elf (PID: 5514)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500036 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 19 : 83.222.191.90:13566 -> 192.168.2.14:56566

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.176.215
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.176.215
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.142.119
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.142.119
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.168.232
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.84.153
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.207.35
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.168.232
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.137.76
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.84.153
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.208
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.207.35
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.72.118
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.137.76
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.71
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.208
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.30.102
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.72.118
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.253.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.71
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.247.99
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.30.102
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.78.255
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.253.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.247.99
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.183.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.20.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.78.255
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.183.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.20.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.20.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.102.197
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.119.244
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.20.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.102.197
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.119.244
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.60.31
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.220.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.185.171
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.60.31
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.66
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.220.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.248.104
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.185.171
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.18.64
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.66
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.248.104
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.18.64
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.18.64
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.18.64

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 928, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1444, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 3094, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5491, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5518, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5538, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5541, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5542, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x400000

Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 928, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1444, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 3094, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5491, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5518, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5538, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5541, result: successful	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5517)	SIGKILL sent: pid: 5542, result: successful	Jump to behavior

Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5514.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5516.1.0000000000400000.000000000040f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.spre.linELF@0/0@1/0

Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5543/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3244/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3120/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3361/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3239/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1299/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3235/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5533/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5534/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5535/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5536/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2946/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3134/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1593/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3011/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3094/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3406/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2955/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3129/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3402/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3125/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3246/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3245/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/767/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/888/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5544/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/769/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/806/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/807/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2956/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3142/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3139/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3412/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3398/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3392/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/780/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/661/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/782/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3304/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3425/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/785/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/940/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3147/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3701/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2991/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/791/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2986/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/794/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/795/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/797/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2983/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3159/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3157/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3319/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5351/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3178/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3172/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3171/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3329/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2999/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3847/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3207/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/2997/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1300/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/725/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/726/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1309/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5520/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5521/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3189/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3188/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3187/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3341/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3184/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3183/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1712/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5519/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3218/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3337/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3215/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/853/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3213/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3212/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5492/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3190/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5530/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5531/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5532/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3353/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/3193/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/1289/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5522/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5523/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5524/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5525/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5526/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5527/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5528/status	Jump to behavior
Source: /tmp/Kloki.x86_64.elf (PID: 5516)	File opened: /proc/5529/status	Jump to behavior

Source: Kloki.x86_64.elf	Submission file: segment LOAD with 7.8108 entropy (max. 8.0)
Source: Kloki.x86_64.elf	Submission file: segment LOAD with 7.9518 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.x86_64.elf	18%	ReversingLabs	Linux.Backdoor.Mirai
Kloki.x86_64.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.232.11	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.172.23	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.232.14	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.88.98	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.202.209	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.212.213	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.55.163	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.28.235	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.114.139	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.220.27	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.214.185	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.85.184	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.176.215	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.20.202	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.102.197	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.145.49	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.43.141	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.229.93	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.174.43	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.227.51	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.168.232	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.119.244	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.51.251	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.188.189	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.213.1	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.240.29	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.78.255	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.110.64	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.72.118	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.127.227	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.186.110	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.242.43	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.99.142	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.207.35	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.175.237	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.237.89	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.168.25	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.251.181	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.253.191	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.133.155	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.53.210	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.84.153	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.63.48	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.189.177	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.185.171	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.36.210	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.215.121	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.220.144	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.121.236	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.134.119	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.147.116	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.95.78	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.17.61	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.20.159	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.61.99	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.180.208	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.183.191	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.228.110	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.90.10	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.188.159	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.150.182	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.72.162	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.189.67	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.18.64	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.31.40	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.6.178	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.75.138	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.63.20	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.60.31	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.17.181	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.219.230	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.168.74	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.210.238	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.179.249	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.142.119	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.221.163	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.247.99	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.222.96	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.107.125	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.90.154	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.34.132	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.146.182	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.135.253	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.65.32	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.30.102	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.198.146	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.180.66	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.159.119	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.22.101	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.112.58	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.241.23	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.31.117	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.221.95	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.30.186	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
83.222.87.13	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.116.93	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.47.140	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.137.76	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.68.210
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.73.212
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.89.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.64.159
	skid.x86.elf	Get hash	malicious	Moobot	Browse	83.222.64.191
	XfUkJyh9A3.elf	Get hash	malicious	Mirai	Browse	37.209.228.199
	nSQgTX0uEc.dll	Get hash	malicious	Wannacry	Browse	213.141.249.89
	e7N7Kz9Bar	Get hash	malicious	Unknown	Browse	37.209.226.155
	G2JJHi7jyh	Get hash	malicious	Mirai	Browse	212.75.151.147
	KiDRFl2BaN	Get hash	malicious	Mirai	Browse	212.75.129.46
COGECO-PEER1CA	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.231.59
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.253.28
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.225.208
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.237.30
	http://plnbl.io/review/VdCYQSoKp54z	Get hash	malicious	HTMLPhisher	Browse	66.33.60.194
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	209.35.191.178
	https://bawarq.org/r.php?id=YoExsdlTj9ej3sIxs1X7aZn3DzYWS8OQ2	Get hash	malicious	Unknown	Browse	162.254.38.37
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	69.90.254.78
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	66.33.60.194
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	66.33.60.35
COGECO-PEER1CA	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.231.59
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.253.28
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.225.208
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.237.30
	http://plnbl.io/review/VdCYQSoKp54z	Get hash	malicious	HTMLPhisher	Browse	66.33.60.194
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	209.35.191.178
	https://bawarq.org/r.php?id=YoExsdlTj9ej3sIxs1X7aZn3DzYWS8OQ2	Get hash	malicious	Unknown	Browse	162.254.38.37
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	69.90.254.78
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	66.33.60.194
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	66.33.60.35
KIG-UNISAT-TVBG	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.172.149
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.170.68
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.167.126
	z3hir.arm	Get hash	malicious	Mirai	Browse	93.155.171.211
	wQANfs9Ewk	Get hash	malicious	Gafgyt Mirai	Browse	109.160.88.15

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.949349022384545
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Kloki.x86_64.elf
File size:	32'448 bytes
MD5:	87a674a1cd303c58d819270cddd7fc63
SHA1:	c3d59d459d603e8affd3450090e2b1a9619ace5a
SHA256:	192dc6e6726aaa9cce13eaaf812b070d7aa9b4824c2b1dee17e680e3d75284f7
SHA512:	7be9f913879aec7e28bd151501964b6c944abf02c797923988a835a33ff86e0d6c37908f1f83521c2b244c8515c9d18a6cd7b2cdb6adae4683422dbdeb773180
SSDEEP:	768:T4HhLfM7WvNg3biwzEki/pYrqMuBgKxzIRd:sHhfM7WK+kNOMWgK+Rd
TLSH:	09E2E1C3711BD1F8E5FB583B051D4B24F63220821A2B9B29096D6BAF4C75A9E1CD0B73
File Content Preview:	.ELF..............>......k`.....@...................@.8...@.......................@.......@.............h-................................`.......`......}.......}..............Q.td....................................................;..Vsfga........`......

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x606bc0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x1000	0x112d68	7.8108	0x6	RW	0x100000
LOAD	0x0	0x600000	0x600000	0x7dbb	0x7dbb	7.9518	0x5	R E	0x100000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T19:51:05.258590+0100	2500036	ET COMPROMISED Known Compromised or Hostile Host Traffic group 19	2	83.222.191.90	13566	192.168.2.14	56566	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 19:51:04.963408947 CET	54890	13566	192.168.2.14	83.222.176.215
Jan 8, 2025 19:51:04.968525887 CET	13566	54890	83.222.176.215	192.168.2.14
Jan 8, 2025 19:51:04.968590975 CET	54890	13566	192.168.2.14	83.222.176.215
Jan 8, 2025 19:51:04.968699932 CET	40004	13566	192.168.2.14	83.222.142.119
Jan 8, 2025 19:51:04.973532915 CET	13566	40004	83.222.142.119	192.168.2.14
Jan 8, 2025 19:51:04.973577976 CET	40004	13566	192.168.2.14	83.222.142.119
Jan 8, 2025 19:51:04.973834991 CET	54804	13566	192.168.2.14	83.222.168.232
Jan 8, 2025 19:51:04.975545883 CET	57106	13566	192.168.2.14	83.222.84.153
Jan 8, 2025 19:51:04.977916002 CET	49962	13566	192.168.2.14	83.222.207.35
Jan 8, 2025 19:51:04.978698015 CET	13566	54804	83.222.168.232	192.168.2.14
Jan 8, 2025 19:51:04.978773117 CET	54804	13566	192.168.2.14	83.222.168.232
Jan 8, 2025 19:51:04.979614019 CET	32964	13566	192.168.2.14	83.222.137.76
Jan 8, 2025 19:51:04.980309010 CET	13566	57106	83.222.84.153	192.168.2.14
Jan 8, 2025 19:51:04.980381966 CET	57106	13566	192.168.2.14	83.222.84.153
Jan 8, 2025 19:51:04.981235027 CET	56292	13566	192.168.2.14	83.222.180.208
Jan 8, 2025 19:51:04.982775927 CET	13566	49962	83.222.207.35	192.168.2.14
Jan 8, 2025 19:51:04.982819080 CET	49962	13566	192.168.2.14	83.222.207.35
Jan 8, 2025 19:51:04.983191967 CET	33584	13566	192.168.2.14	83.222.72.118
Jan 8, 2025 19:51:04.984486103 CET	13566	32964	83.222.137.76	192.168.2.14
Jan 8, 2025 19:51:04.984524012 CET	32964	13566	192.168.2.14	83.222.137.76
Jan 8, 2025 19:51:04.985105991 CET	57460	13566	192.168.2.14	83.222.77.71
Jan 8, 2025 19:51:04.986092091 CET	13566	56292	83.222.180.208	192.168.2.14
Jan 8, 2025 19:51:04.986124992 CET	56292	13566	192.168.2.14	83.222.180.208
Jan 8, 2025 19:51:04.987008095 CET	57814	13566	192.168.2.14	83.222.30.102
Jan 8, 2025 19:51:04.987956047 CET	13566	33584	83.222.72.118	192.168.2.14
Jan 8, 2025 19:51:04.988012075 CET	33584	13566	192.168.2.14	83.222.72.118
Jan 8, 2025 19:51:04.988595009 CET	51144	13566	192.168.2.14	83.222.253.191
Jan 8, 2025 19:51:04.989957094 CET	13566	57460	83.222.77.71	192.168.2.14
Jan 8, 2025 19:51:04.990004063 CET	57460	13566	192.168.2.14	83.222.77.71
Jan 8, 2025 19:51:04.990868092 CET	40460	13566	192.168.2.14	83.222.247.99
Jan 8, 2025 19:51:04.991780043 CET	13566	57814	83.222.30.102	192.168.2.14
Jan 8, 2025 19:51:04.991815090 CET	57814	13566	192.168.2.14	83.222.30.102
Jan 8, 2025 19:51:04.993217945 CET	33462	13566	192.168.2.14	83.222.78.255
Jan 8, 2025 19:51:04.993918896 CET	13566	51144	83.222.253.191	192.168.2.14
Jan 8, 2025 19:51:04.993966103 CET	51144	13566	192.168.2.14	83.222.253.191
Jan 8, 2025 19:51:04.996232986 CET	13566	40460	83.222.247.99	192.168.2.14
Jan 8, 2025 19:51:04.996278048 CET	40460	13566	192.168.2.14	83.222.247.99
Jan 8, 2025 19:51:04.996597052 CET	59430	13566	192.168.2.14	83.222.183.191
Jan 8, 2025 19:51:04.998279095 CET	47846	13566	192.168.2.14	83.222.20.159
Jan 8, 2025 19:51:04.998732090 CET	13566	33462	83.222.78.255	192.168.2.14
Jan 8, 2025 19:51:04.998780012 CET	33462	13566	192.168.2.14	83.222.78.255
Jan 8, 2025 19:51:05.002181053 CET	13566	59430	83.222.183.191	192.168.2.14
Jan 8, 2025 19:51:05.002227068 CET	59430	13566	192.168.2.14	83.222.183.191
Jan 8, 2025 19:51:05.003782034 CET	13566	47846	83.222.20.159	192.168.2.14
Jan 8, 2025 19:51:05.003834963 CET	47846	13566	192.168.2.14	83.222.20.159
Jan 8, 2025 19:51:05.010998964 CET	47846	13566	192.168.2.14	83.222.20.159
Jan 8, 2025 19:51:05.011894941 CET	59784	13566	192.168.2.14	83.222.102.197
Jan 8, 2025 19:51:05.013322115 CET	46378	13566	192.168.2.14	83.222.119.244
Jan 8, 2025 19:51:05.016064882 CET	13566	47846	83.222.20.159	192.168.2.14
Jan 8, 2025 19:51:05.016124010 CET	47846	13566	192.168.2.14	83.222.20.159
Jan 8, 2025 19:51:05.016817093 CET	13566	59784	83.222.102.197	192.168.2.14
Jan 8, 2025 19:51:05.016911983 CET	59784	13566	192.168.2.14	83.222.102.197
Jan 8, 2025 19:51:05.018098116 CET	13566	46378	83.222.119.244	192.168.2.14
Jan 8, 2025 19:51:05.018172979 CET	46378	13566	192.168.2.14	83.222.119.244
Jan 8, 2025 19:51:05.018291950 CET	33394	13566	192.168.2.14	83.222.60.31
Jan 8, 2025 19:51:05.020153999 CET	38040	13566	192.168.2.14	83.222.220.144
Jan 8, 2025 19:51:05.022757053 CET	53294	13566	192.168.2.14	83.222.185.171
Jan 8, 2025 19:51:05.023096085 CET	13566	33394	83.222.60.31	192.168.2.14
Jan 8, 2025 19:51:05.023143053 CET	33394	13566	192.168.2.14	83.222.60.31
Jan 8, 2025 19:51:05.024785042 CET	40246	13566	192.168.2.14	83.222.180.66
Jan 8, 2025 19:51:05.024975061 CET	13566	38040	83.222.220.144	192.168.2.14
Jan 8, 2025 19:51:05.025037050 CET	38040	13566	192.168.2.14	83.222.220.144
Jan 8, 2025 19:51:05.027158976 CET	39430	13566	192.168.2.14	83.222.248.104
Jan 8, 2025 19:51:05.027597904 CET	13566	53294	83.222.185.171	192.168.2.14
Jan 8, 2025 19:51:05.027642012 CET	53294	13566	192.168.2.14	83.222.185.171
Jan 8, 2025 19:51:05.028984070 CET	33800	13566	192.168.2.14	83.222.18.64
Jan 8, 2025 19:51:05.029644966 CET	13566	40246	83.222.180.66	192.168.2.14
Jan 8, 2025 19:51:05.029687881 CET	40246	13566	192.168.2.14	83.222.180.66
Jan 8, 2025 19:51:05.032135010 CET	13566	39430	83.222.248.104	192.168.2.14
Jan 8, 2025 19:51:05.032175064 CET	39430	13566	192.168.2.14	83.222.248.104
Jan 8, 2025 19:51:05.033786058 CET	13566	33800	83.222.18.64	192.168.2.14
Jan 8, 2025 19:51:05.033853054 CET	33800	13566	192.168.2.14	83.222.18.64
Jan 8, 2025 19:51:05.034759998 CET	33800	13566	192.168.2.14	83.222.18.64
Jan 8, 2025 19:51:05.039959908 CET	13566	33800	83.222.18.64	192.168.2.14
Jan 8, 2025 19:51:05.040015936 CET	33800	13566	192.168.2.14	83.222.18.64
Jan 8, 2025 19:51:05.042875051 CET	38118	13566	192.168.2.14	83.222.222.96
Jan 8, 2025 19:51:05.047656059 CET	13566	38118	83.222.222.96	192.168.2.14
Jan 8, 2025 19:51:05.047722101 CET	38118	13566	192.168.2.14	83.222.222.96
Jan 8, 2025 19:51:05.048573971 CET	39634	13566	192.168.2.14	83.222.135.253
Jan 8, 2025 19:51:05.050379992 CET	55108	13566	192.168.2.14	83.222.198.133
Jan 8, 2025 19:51:05.052577972 CET	42466	13566	192.168.2.14	83.222.188.189
Jan 8, 2025 19:51:05.053383112 CET	13566	39634	83.222.135.253	192.168.2.14
Jan 8, 2025 19:51:05.053427935 CET	39634	13566	192.168.2.14	83.222.135.253
Jan 8, 2025 19:51:05.054126024 CET	54044	13566	192.168.2.14	83.222.232.11
Jan 8, 2025 19:51:05.055150986 CET	13566	55108	83.222.198.133	192.168.2.14
Jan 8, 2025 19:51:05.055210114 CET	55108	13566	192.168.2.14	83.222.198.133
Jan 8, 2025 19:51:05.056369066 CET	56670	13566	192.168.2.14	83.222.188.159
Jan 8, 2025 19:51:05.057413101 CET	13566	42466	83.222.188.189	192.168.2.14
Jan 8, 2025 19:51:05.057450056 CET	42466	13566	192.168.2.14	83.222.188.189
Jan 8, 2025 19:51:05.058917046 CET	13566	54044	83.222.232.11	192.168.2.14
Jan 8, 2025 19:51:05.058954954 CET	54044	13566	192.168.2.14	83.222.232.11
Jan 8, 2025 19:51:05.059607029 CET	59214	13566	192.168.2.14	83.222.202.209
Jan 8, 2025 19:51:05.061131954 CET	13566	56670	83.222.188.159	192.168.2.14
Jan 8, 2025 19:51:05.061172962 CET	56670	13566	192.168.2.14	83.222.188.159
Jan 8, 2025 19:51:05.061606884 CET	58820	13566	192.168.2.14	83.222.63.48
Jan 8, 2025 19:51:05.063703060 CET	33604	13566	192.168.2.14	83.222.150.182
Jan 8, 2025 19:51:05.064340115 CET	13566	59214	83.222.202.209	192.168.2.14
Jan 8, 2025 19:51:05.064378977 CET	59214	13566	192.168.2.14	83.222.202.209
Jan 8, 2025 19:51:05.065793037 CET	51704	13566	192.168.2.14	83.222.36.210
Jan 8, 2025 19:51:05.066381931 CET	13566	58820	83.222.63.48	192.168.2.14
Jan 8, 2025 19:51:05.066435099 CET	58820	13566	192.168.2.14	83.222.63.48
Jan 8, 2025 19:51:05.067461967 CET	44798	13566	192.168.2.14	83.222.213.1
Jan 8, 2025 19:51:05.068460941 CET	13566	33604	83.222.150.182	192.168.2.14
Jan 8, 2025 19:51:05.068497896 CET	33604	13566	192.168.2.14	83.222.150.182
Jan 8, 2025 19:51:05.069509029 CET	49278	13566	192.168.2.14	83.222.99.142
Jan 8, 2025 19:51:05.070601940 CET	13566	51704	83.222.36.210	192.168.2.14
Jan 8, 2025 19:51:05.070647001 CET	51704	13566	192.168.2.14	83.222.36.210
Jan 8, 2025 19:51:05.071274042 CET	53028	13566	192.168.2.14	83.222.172.23
Jan 8, 2025 19:51:05.072232962 CET	13566	44798	83.222.213.1	192.168.2.14
Jan 8, 2025 19:51:05.072263002 CET	44798	13566	192.168.2.14	83.222.213.1
Jan 8, 2025 19:51:05.072896957 CET	53876	13566	192.168.2.14	83.222.209.164
Jan 8, 2025 19:51:05.074336052 CET	13566	49278	83.222.99.142	192.168.2.14
Jan 8, 2025 19:51:05.074378967 CET	49278	13566	192.168.2.14	83.222.99.142
Jan 8, 2025 19:51:05.076018095 CET	13566	53028	83.222.172.23	192.168.2.14
Jan 8, 2025 19:51:05.076066971 CET	53028	13566	192.168.2.14	83.222.172.23
Jan 8, 2025 19:51:05.077198029 CET	41084	13566	192.168.2.14	83.222.127.227
Jan 8, 2025 19:51:05.077745914 CET	13566	53876	83.222.209.164	192.168.2.14
Jan 8, 2025 19:51:05.077797890 CET	53876	13566	192.168.2.14	83.222.209.164
Jan 8, 2025 19:51:05.082835913 CET	13566	41084	83.222.127.227	192.168.2.14
Jan 8, 2025 19:51:05.082870960 CET	41084	13566	192.168.2.14	83.222.127.227
Jan 8, 2025 19:51:05.083033085 CET	46988	13566	192.168.2.14	83.222.229.93
Jan 8, 2025 19:51:05.084438086 CET	57528	13566	192.168.2.14	83.222.67.108
Jan 8, 2025 19:51:05.086170912 CET	58522	13566	192.168.2.14	83.222.90.10
Jan 8, 2025 19:51:05.087573051 CET	42706	13566	192.168.2.14	83.222.241.23
Jan 8, 2025 19:51:05.089040995 CET	13566	46988	83.222.229.93	192.168.2.14
Jan 8, 2025 19:51:05.089092016 CET	46988	13566	192.168.2.14	83.222.229.93
Jan 8, 2025 19:51:05.089293003 CET	42270	13566	192.168.2.14	83.222.199.217
Jan 8, 2025 19:51:05.090186119 CET	13566	57528	83.222.67.108	192.168.2.14
Jan 8, 2025 19:51:05.090240955 CET	57528	13566	192.168.2.14	83.222.67.108
Jan 8, 2025 19:51:05.090754986 CET	39462	13566	192.168.2.14	83.222.34.132
Jan 8, 2025 19:51:05.091815948 CET	13566	58522	83.222.90.10	192.168.2.14
Jan 8, 2025 19:51:05.091851950 CET	58522	13566	192.168.2.14	83.222.90.10
Jan 8, 2025 19:51:05.092449903 CET	42200	13566	192.168.2.14	83.222.121.236
Jan 8, 2025 19:51:05.093444109 CET	13566	42706	83.222.241.23	192.168.2.14
Jan 8, 2025 19:51:05.093488932 CET	42706	13566	192.168.2.14	83.222.241.23
Jan 8, 2025 19:51:05.093579054 CET	52510	13566	192.168.2.14	83.222.85.184
Jan 8, 2025 19:51:05.094810009 CET	55604	13566	192.168.2.14	83.222.28.235
Jan 8, 2025 19:51:05.095094919 CET	13566	42270	83.222.199.217	192.168.2.14
Jan 8, 2025 19:51:05.095144033 CET	42270	13566	192.168.2.14	83.222.199.217
Jan 8, 2025 19:51:05.095858097 CET	40516	13566	192.168.2.14	83.222.110.64
Jan 8, 2025 19:51:05.096263885 CET	13566	39462	83.222.34.132	192.168.2.14
Jan 8, 2025 19:51:05.096332073 CET	39462	13566	192.168.2.14	83.222.34.132
Jan 8, 2025 19:51:05.096987009 CET	32918	13566	192.168.2.14	83.222.189.67
Jan 8, 2025 19:51:05.097964048 CET	13566	42200	83.222.121.236	192.168.2.14
Jan 8, 2025 19:51:05.098001957 CET	42200	13566	192.168.2.14	83.222.121.236
Jan 8, 2025 19:51:05.098289967 CET	34592	13566	192.168.2.14	83.222.65.32
Jan 8, 2025 19:51:05.099558115 CET	13566	52510	83.222.85.184	192.168.2.14
Jan 8, 2025 19:51:05.099627972 CET	52510	13566	192.168.2.14	83.222.85.184
Jan 8, 2025 19:51:05.099837065 CET	36596	13566	192.168.2.14	83.222.210.238
Jan 8, 2025 19:51:05.100704908 CET	13566	55604	83.222.28.235	192.168.2.14
Jan 8, 2025 19:51:05.100744963 CET	55604	13566	192.168.2.14	83.222.28.235
Jan 8, 2025 19:51:05.101365089 CET	59904	13566	192.168.2.14	83.222.55.163
Jan 8, 2025 19:51:05.101816893 CET	13566	40516	83.222.110.64	192.168.2.14
Jan 8, 2025 19:51:05.101864100 CET	40516	13566	192.168.2.14	83.222.110.64
Jan 8, 2025 19:51:05.102996111 CET	13566	32918	83.222.189.67	192.168.2.14
Jan 8, 2025 19:51:05.103044987 CET	32918	13566	192.168.2.14	83.222.189.67
Jan 8, 2025 19:51:05.104026079 CET	13566	34592	83.222.65.32	192.168.2.14
Jan 8, 2025 19:51:05.104079962 CET	34592	13566	192.168.2.14	83.222.65.32
Jan 8, 2025 19:51:05.104226112 CET	37258	13566	192.168.2.14	83.222.146.182
Jan 8, 2025 19:51:05.105026960 CET	13566	36596	83.222.210.238	192.168.2.14
Jan 8, 2025 19:51:05.105083942 CET	36596	13566	192.168.2.14	83.222.210.238
Jan 8, 2025 19:51:05.106149912 CET	13566	59904	83.222.55.163	192.168.2.14
Jan 8, 2025 19:51:05.106198072 CET	59904	13566	192.168.2.14	83.222.55.163
Jan 8, 2025 19:51:05.106256962 CET	53268	13566	192.168.2.14	83.222.134.119
Jan 8, 2025 19:51:05.109051943 CET	13566	37258	83.222.146.182	192.168.2.14
Jan 8, 2025 19:51:05.109090090 CET	37258	13566	192.168.2.14	83.222.146.182
Jan 8, 2025 19:51:05.109271049 CET	56346	13566	192.168.2.14	83.222.20.202
Jan 8, 2025 19:51:05.111033916 CET	13566	53268	83.222.134.119	192.168.2.14
Jan 8, 2025 19:51:05.111068964 CET	53268	13566	192.168.2.14	83.222.134.119
Jan 8, 2025 19:51:05.111087084 CET	34406	13566	192.168.2.14	83.222.228.110
Jan 8, 2025 19:51:05.113440037 CET	48978	13566	192.168.2.14	83.222.212.213
Jan 8, 2025 19:51:05.114031076 CET	13566	56346	83.222.20.202	192.168.2.14
Jan 8, 2025 19:51:05.114078045 CET	56346	13566	192.168.2.14	83.222.20.202
Jan 8, 2025 19:51:05.115159035 CET	59128	13566	192.168.2.14	83.222.133.155
Jan 8, 2025 19:51:05.115912914 CET	13566	34406	83.222.228.110	192.168.2.14
Jan 8, 2025 19:51:05.115947008 CET	34406	13566	192.168.2.14	83.222.228.110
Jan 8, 2025 19:51:05.117101908 CET	37866	13566	192.168.2.14	83.222.175.167
Jan 8, 2025 19:51:05.118236065 CET	13566	48978	83.222.212.213	192.168.2.14
Jan 8, 2025 19:51:05.118283987 CET	48978	13566	192.168.2.14	83.222.212.213
Jan 8, 2025 19:51:05.118516922 CET	60352	13566	192.168.2.14	83.222.31.40
Jan 8, 2025 19:51:05.120018959 CET	13566	59128	83.222.133.155	192.168.2.14
Jan 8, 2025 19:51:05.120071888 CET	59128	13566	192.168.2.14	83.222.133.155
Jan 8, 2025 19:51:05.120698929 CET	41908	13566	192.168.2.14	83.222.147.116
Jan 8, 2025 19:51:05.121947050 CET	13566	37866	83.222.175.167	192.168.2.14
Jan 8, 2025 19:51:05.121985912 CET	37866	13566	192.168.2.14	83.222.175.167
Jan 8, 2025 19:51:05.122174025 CET	47650	13566	192.168.2.14	83.222.224.175
Jan 8, 2025 19:51:05.123327017 CET	13566	60352	83.222.31.40	192.168.2.14
Jan 8, 2025 19:51:05.123336077 CET	52666	13566	192.168.2.14	83.222.95.78
Jan 8, 2025 19:51:05.123357058 CET	60352	13566	192.168.2.14	83.222.31.40
Jan 8, 2025 19:51:05.125490904 CET	13566	41908	83.222.147.116	192.168.2.14
Jan 8, 2025 19:51:05.125523090 CET	41908	13566	192.168.2.14	83.222.147.116
Jan 8, 2025 19:51:05.125523090 CET	50818	13566	192.168.2.14	83.222.240.29
Jan 8, 2025 19:51:05.126974106 CET	13566	47650	83.222.224.175	192.168.2.14
Jan 8, 2025 19:51:05.127017021 CET	47650	13566	192.168.2.14	83.222.224.175
Jan 8, 2025 19:51:05.127207994 CET	57928	13566	192.168.2.14	83.222.145.49
Jan 8, 2025 19:51:05.128149986 CET	13566	52666	83.222.95.78	192.168.2.14
Jan 8, 2025 19:51:05.128175974 CET	52666	13566	192.168.2.14	83.222.95.78
Jan 8, 2025 19:51:05.129190922 CET	35086	13566	192.168.2.14	83.222.61.99
Jan 8, 2025 19:51:05.130311012 CET	13566	50818	83.222.240.29	192.168.2.14
Jan 8, 2025 19:51:05.130379915 CET	50818	13566	192.168.2.14	83.222.240.29
Jan 8, 2025 19:51:05.130867958 CET	58042	13566	192.168.2.14	83.222.31.117
Jan 8, 2025 19:51:05.132056952 CET	13566	57928	83.222.145.49	192.168.2.14
Jan 8, 2025 19:51:05.132086039 CET	57928	13566	192.168.2.14	83.222.145.49
Jan 8, 2025 19:51:05.132889986 CET	44840	13566	192.168.2.14	83.222.6.178
Jan 8, 2025 19:51:05.133994102 CET	13566	35086	83.222.61.99	192.168.2.14
Jan 8, 2025 19:51:05.134037971 CET	35086	13566	192.168.2.14	83.222.61.99
Jan 8, 2025 19:51:05.134556055 CET	52878	13566	192.168.2.14	83.222.43.141
Jan 8, 2025 19:51:05.135706902 CET	13566	58042	83.222.31.117	192.168.2.14
Jan 8, 2025 19:51:05.135755062 CET	58042	13566	192.168.2.14	83.222.31.117
Jan 8, 2025 19:51:05.137268066 CET	43902	13566	192.168.2.14	83.222.41.63
Jan 8, 2025 19:51:05.137674093 CET	13566	44840	83.222.6.178	192.168.2.14
Jan 8, 2025 19:51:05.137703896 CET	44840	13566	192.168.2.14	83.222.6.178
Jan 8, 2025 19:51:05.138715029 CET	42048	13566	192.168.2.14	83.222.87.13
Jan 8, 2025 19:51:05.139339924 CET	13566	52878	83.222.43.141	192.168.2.14
Jan 8, 2025 19:51:05.139379025 CET	52878	13566	192.168.2.14	83.222.43.141
Jan 8, 2025 19:51:05.139746904 CET	49316	13566	192.168.2.14	83.222.174.43
Jan 8, 2025 19:51:05.140198946 CET	32838	13566	192.168.2.14	83.222.227.51
Jan 8, 2025 19:51:05.141777039 CET	34144	13566	192.168.2.14	83.222.198.146
Jan 8, 2025 19:51:05.142061949 CET	13566	43902	83.222.41.63	192.168.2.14
Jan 8, 2025 19:51:05.142097950 CET	43902	13566	192.168.2.14	83.222.41.63
Jan 8, 2025 19:51:05.143498898 CET	13566	42048	83.222.87.13	192.168.2.14
Jan 8, 2025 19:51:05.143532991 CET	42048	13566	192.168.2.14	83.222.87.13
Jan 8, 2025 19:51:05.144517899 CET	53264	13566	192.168.2.14	83.222.219.230
Jan 8, 2025 19:51:05.144567966 CET	13566	49316	83.222.174.43	192.168.2.14
Jan 8, 2025 19:51:05.144602060 CET	49316	13566	192.168.2.14	83.222.174.43
Jan 8, 2025 19:51:05.145047903 CET	13566	32838	83.222.227.51	192.168.2.14
Jan 8, 2025 19:51:05.145081997 CET	32838	13566	192.168.2.14	83.222.227.51
Jan 8, 2025 19:51:05.146604061 CET	13566	34144	83.222.198.146	192.168.2.14
Jan 8, 2025 19:51:05.146631956 CET	34144	13566	192.168.2.14	83.222.198.146
Jan 8, 2025 19:51:05.147407055 CET	38748	13566	192.168.2.14	83.222.186.110
Jan 8, 2025 19:51:05.149374962 CET	13566	53264	83.222.219.230	192.168.2.14
Jan 8, 2025 19:51:05.149405956 CET	53264	13566	192.168.2.14	83.222.219.230
Jan 8, 2025 19:51:05.149872065 CET	33400	13566	192.168.2.14	83.222.90.154
Jan 8, 2025 19:51:05.152206898 CET	13566	38748	83.222.186.110	192.168.2.14
Jan 8, 2025 19:51:05.152244091 CET	38748	13566	192.168.2.14	83.222.186.110
Jan 8, 2025 19:51:05.152718067 CET	34148	13566	192.168.2.14	83.222.30.186
Jan 8, 2025 19:51:05.154654980 CET	13566	33400	83.222.90.154	192.168.2.14
Jan 8, 2025 19:51:05.154685020 CET	33400	13566	192.168.2.14	83.222.90.154
Jan 8, 2025 19:51:05.154918909 CET	49190	13566	192.168.2.14	83.222.232.14
Jan 8, 2025 19:51:05.157500029 CET	13566	34148	83.222.30.186	192.168.2.14
Jan 8, 2025 19:51:05.157536030 CET	34148	13566	192.168.2.14	83.222.30.186
Jan 8, 2025 19:51:05.157784939 CET	54802	13566	192.168.2.14	83.222.215.121
Jan 8, 2025 19:51:05.159694910 CET	13566	49190	83.222.232.14	192.168.2.14
Jan 8, 2025 19:51:05.159723997 CET	49190	13566	192.168.2.14	83.222.232.14
Jan 8, 2025 19:51:05.159949064 CET	34810	13566	192.168.2.14	83.222.63.20
Jan 8, 2025 19:51:05.162482977 CET	59696	13566	192.168.2.14	83.222.221.95
Jan 8, 2025 19:51:05.162540913 CET	13566	54802	83.222.215.121	192.168.2.14
Jan 8, 2025 19:51:05.162578106 CET	54802	13566	192.168.2.14	83.222.215.121
Jan 8, 2025 19:51:05.164608955 CET	42594	13566	192.168.2.14	83.222.137.227
Jan 8, 2025 19:51:05.164721966 CET	13566	34810	83.222.63.20	192.168.2.14
Jan 8, 2025 19:51:05.164752960 CET	34810	13566	192.168.2.14	83.222.63.20
Jan 8, 2025 19:51:05.167246103 CET	33550	13566	192.168.2.14	83.222.17.181
Jan 8, 2025 19:51:05.167282104 CET	13566	59696	83.222.221.95	192.168.2.14
Jan 8, 2025 19:51:05.167320013 CET	59696	13566	192.168.2.14	83.222.221.95
Jan 8, 2025 19:51:05.169418097 CET	13566	42594	83.222.137.227	192.168.2.14
Jan 8, 2025 19:51:05.169456959 CET	42594	13566	192.168.2.14	83.222.137.227
Jan 8, 2025 19:51:05.169882059 CET	42884	13566	192.168.2.14	83.222.112.58
Jan 8, 2025 19:51:05.172456026 CET	47794	13566	192.168.2.14	83.222.244.199
Jan 8, 2025 19:51:05.173341036 CET	13566	33550	83.222.17.181	192.168.2.14
Jan 8, 2025 19:51:05.173386097 CET	33550	13566	192.168.2.14	83.222.17.181
Jan 8, 2025 19:51:05.174499035 CET	56782	13566	192.168.2.14	83.222.72.162
Jan 8, 2025 19:51:05.174736977 CET	13566	42884	83.222.112.58	192.168.2.14
Jan 8, 2025 19:51:05.174773932 CET	42884	13566	192.168.2.14	83.222.112.58
Jan 8, 2025 19:51:05.177103043 CET	56666	13566	192.168.2.14	83.222.242.43
Jan 8, 2025 19:51:05.178607941 CET	13566	47794	83.222.244.199	192.168.2.14
Jan 8, 2025 19:51:05.178647995 CET	47794	13566	192.168.2.14	83.222.244.199
Jan 8, 2025 19:51:05.179306030 CET	56518	13566	192.168.2.14	83.222.214.185
Jan 8, 2025 19:51:05.180166006 CET	13566	56782	83.222.72.162	192.168.2.14
Jan 8, 2025 19:51:05.180202007 CET	56782	13566	192.168.2.14	83.222.72.162
Jan 8, 2025 19:51:05.182634115 CET	44704	13566	192.168.2.14	83.222.189.177
Jan 8, 2025 19:51:05.182934999 CET	13566	56666	83.222.242.43	192.168.2.14
Jan 8, 2025 19:51:05.182981014 CET	56666	13566	192.168.2.14	83.222.242.43
Jan 8, 2025 19:51:05.184695959 CET	35712	13566	192.168.2.14	83.222.159.119
Jan 8, 2025 19:51:05.185178995 CET	13566	56518	83.222.214.185	192.168.2.14
Jan 8, 2025 19:51:05.185262918 CET	56518	13566	192.168.2.14	83.222.214.185
Jan 8, 2025 19:51:05.187422037 CET	36058	13566	192.168.2.14	83.222.31.249
Jan 8, 2025 19:51:05.188473940 CET	13566	44704	83.222.189.177	192.168.2.14
Jan 8, 2025 19:51:05.188508987 CET	44704	13566	192.168.2.14	83.222.189.177
Jan 8, 2025 19:51:05.189450026 CET	33866	13566	192.168.2.14	83.222.17.61
Jan 8, 2025 19:51:05.190114021 CET	13566	35712	83.222.159.119	192.168.2.14
Jan 8, 2025 19:51:05.190149069 CET	35712	13566	192.168.2.14	83.222.159.119
Jan 8, 2025 19:51:05.192244053 CET	39108	13566	192.168.2.14	83.222.179.249
Jan 8, 2025 19:51:05.192928076 CET	13566	36058	83.222.31.249	192.168.2.14
Jan 8, 2025 19:51:05.192965984 CET	36058	13566	192.168.2.14	83.222.31.249
Jan 8, 2025 19:51:05.194384098 CET	53216	13566	192.168.2.14	83.222.75.138
Jan 8, 2025 19:51:05.195194006 CET	13566	33866	83.222.17.61	192.168.2.14
Jan 8, 2025 19:51:05.195226908 CET	33866	13566	192.168.2.14	83.222.17.61
Jan 8, 2025 19:51:05.197012901 CET	13566	39108	83.222.179.249	192.168.2.14
Jan 8, 2025 19:51:05.197046995 CET	39108	13566	192.168.2.14	83.222.179.249
Jan 8, 2025 19:51:05.197113991 CET	42374	13566	192.168.2.14	83.222.114.139
Jan 8, 2025 19:51:05.199131966 CET	13566	53216	83.222.75.138	192.168.2.14
Jan 8, 2025 19:51:05.199174881 CET	53216	13566	192.168.2.14	83.222.75.138
Jan 8, 2025 19:51:05.199182034 CET	44078	13566	192.168.2.14	83.222.159.79
Jan 8, 2025 19:51:05.201740980 CET	37048	13566	192.168.2.14	83.222.234.40
Jan 8, 2025 19:51:05.201891899 CET	13566	42374	83.222.114.139	192.168.2.14
Jan 8, 2025 19:51:05.201930046 CET	42374	13566	192.168.2.14	83.222.114.139
Jan 8, 2025 19:51:05.203768015 CET	48842	13566	192.168.2.14	83.222.51.251
Jan 8, 2025 19:51:05.204083920 CET	13566	44078	83.222.159.79	192.168.2.14
Jan 8, 2025 19:51:05.204118013 CET	44078	13566	192.168.2.14	83.222.159.79
Jan 8, 2025 19:51:05.206366062 CET	51414	13566	192.168.2.14	83.222.221.163
Jan 8, 2025 19:51:05.206528902 CET	13566	37048	83.222.234.40	192.168.2.14
Jan 8, 2025 19:51:05.206564903 CET	37048	13566	192.168.2.14	83.222.234.40
Jan 8, 2025 19:51:05.208458900 CET	55770	13566	192.168.2.14	83.222.53.210
Jan 8, 2025 19:51:05.208597898 CET	13566	48842	83.222.51.251	192.168.2.14
Jan 8, 2025 19:51:05.208633900 CET	48842	13566	192.168.2.14	83.222.51.251
Jan 8, 2025 19:51:05.211110115 CET	52344	13566	192.168.2.14	83.222.107.125
Jan 8, 2025 19:51:05.211129904 CET	13566	51414	83.222.221.163	192.168.2.14
Jan 8, 2025 19:51:05.211167097 CET	51414	13566	192.168.2.14	83.222.221.163
Jan 8, 2025 19:51:05.213144064 CET	53166	13566	192.168.2.14	83.222.116.93
Jan 8, 2025 19:51:05.213212013 CET	13566	55770	83.222.53.210	192.168.2.14
Jan 8, 2025 19:51:05.213248968 CET	55770	13566	192.168.2.14	83.222.53.210
Jan 8, 2025 19:51:05.215919018 CET	13566	52344	83.222.107.125	192.168.2.14
Jan 8, 2025 19:51:05.215979099 CET	52344	13566	192.168.2.14	83.222.107.125
Jan 8, 2025 19:51:05.216320038 CET	46856	13566	192.168.2.14	83.222.168.74
Jan 8, 2025 19:51:05.218046904 CET	13566	53166	83.222.116.93	192.168.2.14
Jan 8, 2025 19:51:05.218089104 CET	53166	13566	192.168.2.14	83.222.116.93
Jan 8, 2025 19:51:05.218354940 CET	36084	13566	192.168.2.14	83.222.22.101
Jan 8, 2025 19:51:05.220949888 CET	32890	13566	192.168.2.14	83.222.251.181
Jan 8, 2025 19:51:05.221046925 CET	13566	46856	83.222.168.74	192.168.2.14
Jan 8, 2025 19:51:05.221081972 CET	46856	13566	192.168.2.14	83.222.168.74
Jan 8, 2025 19:51:05.222976923 CET	59122	13566	192.168.2.14	83.222.220.27
Jan 8, 2025 19:51:05.223115921 CET	13566	36084	83.222.22.101	192.168.2.14
Jan 8, 2025 19:51:05.223149061 CET	36084	13566	192.168.2.14	83.222.22.101
Jan 8, 2025 19:51:05.225538015 CET	56576	13566	192.168.2.14	83.222.175.237
Jan 8, 2025 19:51:05.225754023 CET	13566	32890	83.222.251.181	192.168.2.14
Jan 8, 2025 19:51:05.225792885 CET	32890	13566	192.168.2.14	83.222.251.181
Jan 8, 2025 19:51:05.227600098 CET	53052	13566	192.168.2.14	83.222.88.98
Jan 8, 2025 19:51:05.227746964 CET	13566	59122	83.222.220.27	192.168.2.14
Jan 8, 2025 19:51:05.227783918 CET	59122	13566	192.168.2.14	83.222.220.27
Jan 8, 2025 19:51:05.230312109 CET	35754	13566	192.168.2.14	83.222.230.164
Jan 8, 2025 19:51:05.230418921 CET	13566	56576	83.222.175.237	192.168.2.14
Jan 8, 2025 19:51:05.230458021 CET	56576	13566	192.168.2.14	83.222.175.237
Jan 8, 2025 19:51:05.232341051 CET	13566	53052	83.222.88.98	192.168.2.14
Jan 8, 2025 19:51:05.232383966 CET	53052	13566	192.168.2.14	83.222.88.98
Jan 8, 2025 19:51:05.232470989 CET	40390	13566	192.168.2.14	83.222.237.89
Jan 8, 2025 19:51:05.235064983 CET	13566	35754	83.222.230.164	192.168.2.14
Jan 8, 2025 19:51:05.235125065 CET	35754	13566	192.168.2.14	83.222.230.164
Jan 8, 2025 19:51:05.235526085 CET	57058	13566	192.168.2.14	83.222.47.140
Jan 8, 2025 19:51:05.237236977 CET	13566	40390	83.222.237.89	192.168.2.14
Jan 8, 2025 19:51:05.237276077 CET	40390	13566	192.168.2.14	83.222.237.89
Jan 8, 2025 19:51:05.237742901 CET	47924	13566	192.168.2.14	83.222.168.25
Jan 8, 2025 19:51:05.240298986 CET	13566	57058	83.222.47.140	192.168.2.14
Jan 8, 2025 19:51:05.240344048 CET	57058	13566	192.168.2.14	83.222.47.140
Jan 8, 2025 19:51:05.242518902 CET	13566	47924	83.222.168.25	192.168.2.14
Jan 8, 2025 19:51:05.242569923 CET	47924	13566	192.168.2.14	83.222.168.25
Jan 8, 2025 19:51:05.253806114 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:05.258589983 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:51:05.258646011 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:05.261270046 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:05.266165972 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:51:05.266202927 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:05.270956039 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:51:15.138111115 CET	46540	443	192.168.2.14	185.125.190.26
Jan 8, 2025 19:51:15.270106077 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:15.275005102 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:51:15.475770950 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:51:15.475965023 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:15.881764889 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:51:15.881867886 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:51:45.600895882 CET	46540	443	192.168.2.14	185.125.190.26
Jan 8, 2025 19:52:15.920268059 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:52:15.925240993 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:52:16.125797033 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:52:16.126039982 CET	56566	13566	192.168.2.14	83.222.191.90
Jan 8, 2025 19:52:16.882232904 CET	13566	56566	83.222.191.90	192.168.2.14
Jan 8, 2025 19:52:16.882437944 CET	56566	13566	192.168.2.14	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 19:51:05.242109060 CET	38079	53	192.168.2.14	8.8.8.8
Jan 8, 2025 19:51:05.252356052 CET	53	38079	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 19:51:05.242109060 CET	192.168.2.14	8.8.8.8	0x5aaa	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 19:51:05.252356052 CET	8.8.8.8	192.168.2.14	0x5aaa	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Kloki.x86_64.elf PID: 5514, Parent PID: 5432

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86_64.elf
Arguments:	/tmp/Kloki.x86_64.elf
File size:	32448 bytes
MD5 hash:	87a674a1cd303c58d819270cddd7fc63

Chronological Activities

Analysis Process: Kloki.x86_64.elf PID: 5515, Parent PID: 5514

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86_64.elf
Arguments:	-
File size:	32448 bytes
MD5 hash:	87a674a1cd303c58d819270cddd7fc63

Chronological Activities

Analysis Process: Kloki.x86_64.elf PID: 5516, Parent PID: 5515

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86_64.elf
Arguments:	-
File size:	32448 bytes
MD5 hash:	87a674a1cd303c58d819270cddd7fc63

Chronological Activities

Analysis Process: Kloki.x86_64.elf PID: 5517, Parent PID: 5515

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/tmp/Kloki.x86_64.elf
Arguments:	-
File size:	32448 bytes
MD5 hash:	87a674a1cd303c58d819270cddd7fc63

Chronological Activities

Analysis Process: gnome-session-binary PID: 5518, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5518, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sharing PID: 5518, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

Chronological Activities

Analysis Process: gnome-session-binary PID: 5538, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5538, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-shell PID: 5538, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/bin/gnome-shell
Arguments:	/usr/bin/gnome-shell
File size:	23168 bytes
MD5 hash:	da7a257239677622fe4b3a65972c9e87

Chronological Activities

Analysis Process: gnome-session-binary PID: 5540, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5540, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5540, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gnome-session-binary PID: 5541, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5541, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5541, Parent PID: 1383

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm3 PID: 5542, Parent PID: 1289

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5542, Parent PID: 1289

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5545, Parent PID: 1289

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5545, Parent PID: 1289

General

Start time (UTC):	18:51:04
Start date (UTC):	08/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5551, Parent PID: 1

General

Start time (UTC):	18:51:14
Start date (UTC):	08/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5551, Parent PID: 1

General

Start time (UTC):	18:51:14
Start date (UTC):	08/01/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.x86_64.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Kloki.x86_64.elf PID: 5514, Parent PID: 5432

General

Chronological Activities

Analysis Process: Kloki.x86_64.elf PID: 5515, Parent PID: 5514

General

Chronological Activities

Analysis Process: Kloki.x86_64.elf PID: 5516, Parent PID: 5515

General

Chronological Activities

Analysis Process: Kloki.x86_64.elf PID: 5517, Parent PID: 5515

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5518, Parent PID: 1383

General

Chronological Activities

Analysis Process: sh PID: 5518, Parent PID: 1383

General

Chronological Activities

Analysis Process: gsd-sharing PID: 5518, Parent PID: 1383

General

Chronological Activities

Analysis Process: gnome-session-binary PID: 5538, Parent PID: 1383

Linux Analysis Report
Kloki.x86_64.elf