Edit tour

Linux Analysis Report
debug.dbg.elf

Overview

General Information

Sample name:	debug.dbg.elf
Analysis ID:	1590778
MD5:	af8e209a53a3fde3d3dda2e113621b46
SHA1:	23d7da7ad9f9e6138eb978e040c0adcab0ba4fcc
SHA256:	ea778e0edc6d14d9bc2aeca2eaf2fa5d2054ce43562c1f13061167f2782db80d
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Mirai, Moobot

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Mirai

Yara detected Moobot

Machine Learning detection for sample

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590778
Start date and time:	2025-01-14 16:30:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	debug.dbg.elf
Detection:	MAL
Classification:	mal100.troj.evad.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/debug.dbg.elf
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

debug.dbg.elf (PID: 6230, Parent: 6154, MD5: af8e209a53a3fde3d3dda2e113621b46) Arguments: /tmp/debug.dbg.elf

debug.dbg.elf New Fork (PID: 6231, Parent: 6230)

debug.dbg.elf New Fork (PID: 6232, Parent: 6231)

debug.dbg.elf New Fork (PID: 6233, Parent: 6231)

debug.dbg.elf New Fork (PID: 6234, Parent: 6233)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
debug.dbg.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
debug.dbg.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
debug.dbg.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc61c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc66c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc70c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc75c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc770:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc784:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc798:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc7ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
debug.dbg.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4b60:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
debug.dbg.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x76f2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
debug.dbg.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xa6c1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
debug.dbg.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x91b4:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
debug.dbg.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x76c2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6230.1.0000000008048000.0000000008057000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6230.1.0000000008048000.0000000008057000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6230.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc61c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc66c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc70c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc75c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc770:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc784:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc798:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc7ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6230.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4b60:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6230.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x76f2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6230.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xa6c1:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6230.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x91b4:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6230.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x76c2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: debug.dbg.elf PID: 6230	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: debug.dbg.elf PID: 6230	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x99c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaa0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xab4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xac8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xadc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 5 entries

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:31:06.512970+0100	2030491	1	Malware Command and Control Activity Detected	192.168.2.23	43962	107.189.3.214	30242	TCP

ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:31:07.046620+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:31:09.271769+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:31:29.274707+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:31:49.277873+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:32:09.280846+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:32:29.283637+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:32:49.286622+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:33:09.291877+0100	2030489	1	Malware Command and Control Activity Detected	107.189.3.214	30242	192.168.2.23	43962	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: debug.dbg.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: debug.dbg.elf	Virustotal: Detection: 56%			Perma Link
Source: debug.dbg.elf	ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: debug.dbg.elf

Joe Sandbox ML: detected

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030491 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+) : 192.168.2.23:43962 -> 107.189.3.214:30242
Source: Network traffic	Suricata IDS: 2030489 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response : 107.189.3.214:30242 -> 192.168.2.23:43962

Source: global traffic

TCP traffic: 192.168.2.23:43962 -> 107.189.3.214:30242

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: global traffic

DNS traffic detected: DNS query: bot.tianyadd.top

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: debug.dbg.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: debug.dbg.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.evad.linELF@0/0@1/0

Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/6234/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/6233/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1477/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/379/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1476/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/4501/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/4503/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/2208/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1809/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 6232)	File opened: /proc/1494/cmdline	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/debug.dbg.elf (PID: 6230)

File: /tmp/debug.dbg.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: debug.dbg.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: debug.dbg.elf PID: 6230, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: debug.dbg.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response

Yara detected Mirai

Source: Yara match	File source: debug.dbg.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: debug.dbg.elf PID: 6230, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: debug.dbg.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
debug.dbg.elf	56%	Virustotal		Browse
debug.dbg.elf	50%	ReversingLabs	Linux.Trojan.Mirai
debug.dbg.elf	100%	Avira	EXP/ELF.Mirai.Z.A
debug.dbg.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bot.tianyadd.top	107.189.3.214	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.189.3.214	bot.tianyadd.top	United States	53667	PONYNETUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.189.3.214	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	m-p.s-l.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	x-3.2-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rebirth.i686.elf	Get hash	malicious	Gafgyt	Browse
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse
	meth12.elf	Get hash	malicious	Mirai	Browse
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	m-p.s-l.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	x-3.2-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rebirth.i686.elf	Get hash	malicious	Gafgyt	Browse
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse
	meth12.elf	Get hash	malicious	Mirai	Browse
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bot.tianyadd.top	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	m-p.s-l.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	x-3.2-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	rebirth.i686.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	meth12.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
CANONICAL-ASGB	m-p.s-l.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	x-3.2-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	rebirth.i686.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	meth12.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
PONYNETUS	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.3.214
	https://clients.dedicatedservicesusa.com	Get hash	malicious	Unknown	Browse	198.98.59.241
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	107.189.4.201
INIT7CH	m-p.s-l.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	x-3.2-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	rebirth.i686.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	meth12.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.582797089770973
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	debug.dbg.elf
File size:	60'080 bytes
MD5:	af8e209a53a3fde3d3dda2e113621b46
SHA1:	23d7da7ad9f9e6138eb978e040c0adcab0ba4fcc
SHA256:	ea778e0edc6d14d9bc2aeca2eaf2fa5d2054ce43562c1f13061167f2782db80d
SHA512:	52c94ca70ae4271092f3e506d2d12b843e7fb3360304d8e45f1d910c82ffd174e5237c149c115cf3ea977b7fa0aee1b9d411c3d340ba8c6fd6667b3865f19f18
SSDEEP:	1536:DIqD1xfYqyDgZtmYXw8pJcpJoC2TwY5ts0Aj+ISeWYesu:DIqDXfYqykZ4YXwIJcp+1wytzG+MWYeb
TLSH:	10436DC6D143D8F6E80B0570602BE72BAE71E4EA2219FF47C768D631FC86641A5179DC
File Content Preview:	.ELF....................d...4... .......4. ...(.....................\...\...............`...`v..`v.......'..........Q.td............................U..S............h....S...[]...$.............U......=.x...t..5.....v......v......u........t....h\f..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	59680
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xc176	0x0	0x6	AX	16
.fini	PROGBITS	0x8054226	0xc226	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8054240	0xc240	0x241c	0x0	0x2	A	32
.ctors	PROGBITS	0x8057660	0xe660	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8057668	0xe668	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8057680	0xe680	0x260	0x0	0x3	WA	32
.bss	NOBITS	0x80578e0	0xe8e0	0x2520	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xe8e0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xe65c	0xe65c	6.6184	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xe660	0x8057660	0x8057660	0x280	0x27a0	3.4442	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T16:31:06.512970+0100	2030491	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)	1	192.168.2.23	43962	107.189.3.214	30242	TCP
2025-01-14T16:31:07.046620+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:31:09.271769+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:31:29.274707+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:31:49.277873+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:32:09.280846+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:32:29.283637+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:32:49.286622+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP
2025-01-14T16:33:09.291877+0100	2030489	ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response	1	107.189.3.214	30242	192.168.2.23	43962	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:31:03.627011061 CET	43928	443	192.168.2.23	91.189.91.42
Jan 14, 2025 16:31:06.507875919 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.512820959 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.512908936 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.512969971 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.517736912 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.518481016 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.523509026 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.532653093 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.537506104 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.549555063 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.554326057 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.565347910 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.570182085 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.594273090 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.599998951 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.602911949 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.607856989 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.608843088 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.613699913 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.613760948 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.618720055 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.618779898 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.623579979 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.623640060 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.628468037 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.628535986 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.633382082 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.633436918 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.638422012 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.641299963 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.646586895 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.648075104 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.652971029 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.653037071 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.657928944 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.657980919 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.662791014 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.662847042 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.667676926 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.667726040 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.672492981 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.672550917 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.677369118 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.677438021 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.682256937 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.682307959 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.687145948 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.687189102 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.692029953 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.692122936 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.696970940 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:06.697082043 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:06.702053070 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.046619892 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.046773911 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.047595978 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.052381992 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.052431107 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.057197094 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.057240963 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.062026024 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.062067986 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.066828012 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.066890001 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.071716070 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.071772099 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.076533079 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.076587915 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.081357002 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.081409931 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.086189032 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.086245060 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.090990067 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.091048002 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.095889091 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.095932007 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.100646973 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.100697994 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.105452061 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.105504990 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.110285997 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.110358000 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.115140915 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.115185022 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.119899035 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.119941950 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.124658108 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.124699116 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.129492998 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:07.129554033 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:07.134326935 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.002216101 CET	42836	443	192.168.2.23	91.189.91.43
Jan 14, 2025 16:31:09.271769047 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.272080898 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.273158073 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.277916908 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.277964115 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.282720089 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.282771111 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.287528038 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.287584066 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.292377949 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.292443991 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.301862955 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.301917076 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.306701899 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.306765079 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.311505079 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.311570883 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.316881895 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.316931009 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.321676016 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.321722031 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.326556921 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.326616049 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.331363916 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.331403971 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.336179972 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.336225033 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.341068029 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.341118097 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.345865011 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.345911980 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.350707054 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.350752115 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.355576992 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.355628014 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.360903025 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:09.360987902 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:09.366081953 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:10.794142008 CET	42516	80	192.168.2.23	109.202.202.202
Jan 14, 2025 16:31:19.364566088 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:19.369409084 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:24.871934891 CET	43928	443	192.168.2.23	91.189.91.42
Jan 14, 2025 16:31:29.274707079 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.274879932 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.275851965 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.280659914 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.280710936 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.285523891 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.285569906 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.290420055 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.290474892 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.295352936 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.295399904 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.300244093 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.300296068 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.305210114 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.305258989 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.310121059 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.310158014 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.315066099 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.315140009 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.320019007 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.320082903 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.324953079 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.325018883 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.329894066 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.329948902 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.334814072 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.334887981 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.339756966 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.339812040 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.344728947 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.344786882 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.349621058 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.349669933 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.354569912 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.354621887 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.359761953 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.359833956 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.364757061 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.364825964 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.370906115 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:29.371059895 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:29.375963926 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:35.110501051 CET	42836	443	192.168.2.23	91.189.91.43
Jan 14, 2025 16:31:41.253621101 CET	42516	80	192.168.2.23	109.202.202.202
Jan 14, 2025 16:31:49.277873039 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.279886961 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.284708977 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.284796953 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.289583921 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.289634943 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.294472933 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.294517040 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.299248934 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.299463034 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.304212093 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.308602095 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.313391924 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.316725016 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.321458101 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.321505070 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.326318979 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.326358080 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.331088066 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.331152916 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.335980892 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.336024046 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.340766907 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.340830088 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.345621109 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.345676899 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.350471020 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.350512981 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.355249882 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.355293989 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.360042095 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.360085964 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.364844084 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.364890099 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.369668007 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.369709969 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.374528885 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.374593973 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.380120993 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.380167961 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.384924889 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.384965897 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.389758110 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.389822960 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.456897974 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.480355024 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.606093884 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.606110096 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.606118917 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.606164932 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.618469954 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.618530035 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.623506069 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.623543978 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.628479004 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.628634930 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.633433104 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.633502960 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.638421059 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:31:49.638473034 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:31:49.643246889 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:05.826174974 CET	43928	443	192.168.2.23	91.189.91.42
Jan 14, 2025 16:32:09.280846119 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.281699896 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.286597013 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.286649942 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.291507006 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.291548967 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.296376944 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.296410084 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.301258087 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.301368952 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.306216002 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.306256056 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.311069012 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.311105967 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.315912962 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.315949917 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.320874929 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.320913076 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.325695038 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.325736046 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.330570936 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.330611944 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.335485935 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.335521936 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.340368986 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.340400934 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.345251083 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.345294952 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.350085020 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.350130081 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.354994059 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.355037928 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.359999895 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.360038996 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.364871979 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.364914894 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.369741917 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.369785070 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.375425100 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.375462055 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.380312920 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.380359888 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.385216951 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.385261059 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.390125036 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.390168905 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.395042896 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.395090103 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.399930954 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.399985075 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.404855967 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:09.404917002 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:09.409722090 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:26.303248882 CET	42836	443	192.168.2.23	91.189.91.43
Jan 14, 2025 16:32:29.283637047 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.284900904 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.289686918 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.289751053 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.294579983 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.294629097 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.299340963 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.299396992 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.304157972 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.304202080 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.308924913 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.308968067 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.313723087 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.313774109 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.318593979 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.318633080 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.323431015 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.323460102 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.328289032 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.328325987 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.333089113 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.333131075 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.337893009 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.337934017 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.342699051 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.342746973 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.347475052 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.347570896 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.352298021 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.352349997 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.357151031 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.357187986 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.361974955 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.362018108 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.366767883 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.366805077 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.371649981 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.371691942 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.376449108 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:29.376493931 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:29.381330967 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.286622047 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.287688017 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.292448044 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.292478085 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.297220945 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.297250986 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.302004099 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.302045107 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.306833982 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.306862116 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.311660051 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.311697006 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.316451073 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.316481113 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.321233988 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.321266890 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.326035023 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.326075077 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.330842972 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.330874920 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.335617065 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.335647106 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.340411901 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.340445042 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.346141100 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.346173048 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.351068020 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.351098061 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.358853102 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.358887911 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.364407063 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.364444017 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.369204044 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.369239092 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.376986027 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:32:49.377041101 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:32:49.382230997 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.291877031 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.293179035 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.298083067 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.298130035 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.302923918 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.302963972 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.307718992 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.307758093 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.312511921 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.312553883 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.317404985 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.317460060 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.322211027 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.322258949 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.327034950 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.327074051 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.331914902 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.331952095 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.336699963 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.336760998 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.341543913 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.341584921 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.346694946 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.346729994 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.351468086 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.351505041 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.356275082 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.356311083 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.361042976 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.361078024 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.365888119 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.365935087 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.370768070 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.370805979 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.375628948 CET	30242	43962	107.189.3.214	192.168.2.23
Jan 14, 2025 16:33:09.375682116 CET	43962	30242	192.168.2.23	107.189.3.214
Jan 14, 2025 16:33:09.380474091 CET	30242	43962	107.189.3.214	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:31:04.825575113 CET	57038	53	192.168.2.23	8.8.8.8
Jan 14, 2025 16:31:06.035572052 CET	53	57038	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:31:04.825575113 CET	192.168.2.23	8.8.8.8	0xf42f	Standard query (0)	bot.tianyadd.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:31:06.035572052 CET	8.8.8.8	192.168.2.23	0xf42f	No error (0)	bot.tianyadd.top		107.189.3.214	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: debug.dbg.elf PID: 6230, Parent PID: 6154

General

Start time (UTC):	15:31:04
Start date (UTC):	14/01/2025
Path:	/tmp/debug.dbg.elf
Arguments:	/tmp/debug.dbg.elf
File size:	60080 bytes
MD5 hash:	af8e209a53a3fde3d3dda2e113621b46

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6231, Parent PID: 6230

General

Start time (UTC):	15:31:04
Start date (UTC):	14/01/2025
Path:	/tmp/debug.dbg.elf
Arguments:	-
File size:	60080 bytes
MD5 hash:	af8e209a53a3fde3d3dda2e113621b46

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6232, Parent PID: 6231

General

Start time (UTC):	15:31:04
Start date (UTC):	14/01/2025
Path:	/tmp/debug.dbg.elf
Arguments:	-
File size:	60080 bytes
MD5 hash:	af8e209a53a3fde3d3dda2e113621b46

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6233, Parent PID: 6231

General

Start time (UTC):	15:31:04
Start date (UTC):	14/01/2025
Path:	/tmp/debug.dbg.elf
Arguments:	-
File size:	60080 bytes
MD5 hash:	af8e209a53a3fde3d3dda2e113621b46

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6234, Parent PID: 6233

General

Start time (UTC):	15:31:04
Start date (UTC):	14/01/2025
Path:	/tmp/debug.dbg.elf
Arguments:	-
File size:	60080 bytes
MD5 hash:	af8e209a53a3fde3d3dda2e113621b46

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report debug.dbg.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: debug.dbg.elf PID: 6230, Parent PID: 6154

General

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6231, Parent PID: 6230

General

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6232, Parent PID: 6231

General

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6233, Parent PID: 6231

General

Chronological Activities

Analysis Process: debug.dbg.elf PID: 6234, Parent PID: 6233

General

Chronological Activities

Linux Analysis Report
debug.dbg.elf