Edit tour

Linux Analysis Report
Kloki.x86.elf

Overview

General Information

Sample name:	Kloki.x86.elf
Analysis ID:	1591049
MD5:	9c0cf500a75080a480c04b5ab4af863a
SHA1:	cea9e6df251020d298935228cb1fed36c6263994
SHA256:	fc81007d717f418b7542faff1bb8a716003b4338809b6b6f1fae407a22e8808e
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591049
Start date and time:	2025-01-14 17:15:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.x86.elf
Detection:	MAL
Classification:	mal64.spre.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/Kloki.x86.elf
PID:	5503
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5491, Parent: 3635)

rm (PID: 5491, Parent: 3635, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.fHLZqw1TN3 /tmp/tmp.ow2JfsB4Wn /tmp/tmp.FCcwH7Zebc

dash New Fork (PID: 5492, Parent: 3635)

rm (PID: 5492, Parent: 3635, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.fHLZqw1TN3 /tmp/tmp.ow2JfsB4Wn /tmp/tmp.FCcwH7Zebc

Kloki.x86.elf (PID: 5503, Parent: 5425, MD5: 9c0cf500a75080a480c04b5ab4af863a) Arguments: /tmp/Kloki.x86.elf

Kloki.x86.elf New Fork (PID: 5504, Parent: 5503)

Kloki.x86.elf New Fork (PID: 5505, Parent: 5504)

Kloki.x86.elf New Fork (PID: 5506, Parent: 5504)

gnome-session-binary New Fork (PID: 5507, Parent: 1383)

sh (PID: 5507, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 5507, Parent: 1383, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gnome-session-binary New Fork (PID: 5526, Parent: 1383)

sh (PID: 5526, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-shell (PID: 5526, Parent: 1383, MD5: da7a257239677622fe4b3a65972c9e87) Arguments: /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 5530, Parent: 1383)

sh (PID: 5530, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5530, Parent: 1383, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gnome-session-binary New Fork (PID: 5531, Parent: 1383)

sh (PID: 5531, Parent: 1383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 5531, Parent: 1383, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gdm3 New Fork (PID: 5532, Parent: 1289)

Default (PID: 5532, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5533, Parent: 1289)

Default (PID: 5533, Parent: 1289, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 5544, Parent: 1)

systemd-user-runtime-dir (PID: 5544, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5503.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4840:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5503.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x92d6:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5503.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6cd2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5503.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xbca0:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5503.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xa496:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5505.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4840:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5505.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x92d6:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5505.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6cd2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5505.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xbca0:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5505.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xa496:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5505.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6ca2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
5503.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6ca2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 7 entries

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:16:13.482183+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.14	56490	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Kloki.x86.elf	Virustotal: Detection: 15%			Perma Link
Source: Kloki.x86.elf	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: Kloki.x86.elf

Joe Sandbox ML: detected

Source: global traffic	TCP traffic: 192.168.2.14:45470 -> 83.222.5.109:13566
Source: global traffic	TCP traffic: 192.168.2.14:50934 -> 83.222.74.139:13566
Source: global traffic	TCP traffic: 192.168.2.14:41380 -> 83.222.111.180:13566
Source: global traffic	TCP traffic: 192.168.2.14:47328 -> 83.222.118.245:13566
Source: global traffic	TCP traffic: 192.168.2.14:56454 -> 83.222.240.132:13566
Source: global traffic	TCP traffic: 192.168.2.14:35130 -> 83.222.109.108:13566
Source: global traffic	TCP traffic: 192.168.2.14:59386 -> 83.222.60.121:13566
Source: global traffic	TCP traffic: 192.168.2.14:34332 -> 83.222.139.30:13566
Source: global traffic	TCP traffic: 192.168.2.14:53760 -> 83.222.191.153:13566
Source: global traffic	TCP traffic: 192.168.2.14:51598 -> 83.222.66.227:13566
Source: global traffic	TCP traffic: 192.168.2.14:59868 -> 83.222.83.194:13566
Source: global traffic	TCP traffic: 192.168.2.14:50980 -> 83.222.52.155:13566
Source: global traffic	TCP traffic: 192.168.2.14:37356 -> 83.222.194.181:13566
Source: global traffic	TCP traffic: 192.168.2.14:36740 -> 83.222.206.87:13566
Source: global traffic	TCP traffic: 192.168.2.14:45182 -> 83.222.29.71:13566
Source: global traffic	TCP traffic: 192.168.2.14:60476 -> 83.222.91.34:13566
Source: global traffic	TCP traffic: 192.168.2.14:49522 -> 83.222.174.36:13566
Source: global traffic	TCP traffic: 192.168.2.14:38054 -> 83.222.180.165:13566
Source: global traffic	TCP traffic: 192.168.2.14:35624 -> 83.222.25.74:13566
Source: global traffic	TCP traffic: 192.168.2.14:54766 -> 83.222.90.36:13566
Source: global traffic	TCP traffic: 192.168.2.14:58002 -> 83.222.168.135:13566
Source: global traffic	TCP traffic: 192.168.2.14:50256 -> 83.222.0.66:13566
Source: global traffic	TCP traffic: 192.168.2.14:50456 -> 83.222.183.229:13566
Source: global traffic	TCP traffic: 192.168.2.14:48930 -> 83.222.3.191:13566
Source: global traffic	TCP traffic: 192.168.2.14:40098 -> 83.222.220.69:13566
Source: global traffic	TCP traffic: 192.168.2.14:36896 -> 83.222.7.215:13566
Source: global traffic	TCP traffic: 192.168.2.14:35536 -> 83.222.202.201:13566
Source: global traffic	TCP traffic: 192.168.2.14:50022 -> 83.222.140.152:13566
Source: global traffic	TCP traffic: 192.168.2.14:47102 -> 83.222.32.169:13566
Source: global traffic	TCP traffic: 192.168.2.14:35948 -> 83.222.163.47:13566
Source: global traffic	TCP traffic: 192.168.2.14:44360 -> 83.222.224.124:13566
Source: global traffic	TCP traffic: 192.168.2.14:38126 -> 83.222.204.148:13566
Source: global traffic	TCP traffic: 192.168.2.14:50312 -> 83.222.33.122:13566
Source: global traffic	TCP traffic: 192.168.2.14:40938 -> 83.222.184.123:13566
Source: global traffic	TCP traffic: 192.168.2.14:38238 -> 83.222.158.210:13566
Source: global traffic	TCP traffic: 192.168.2.14:45162 -> 83.222.89.125:13566
Source: global traffic	TCP traffic: 192.168.2.14:57164 -> 83.222.44.89:13566
Source: global traffic	TCP traffic: 192.168.2.14:50710 -> 83.222.191.47:13566
Source: global traffic	TCP traffic: 192.168.2.14:35358 -> 83.222.116.188:13566
Source: global traffic	TCP traffic: 192.168.2.14:36894 -> 83.222.25.155:13566
Source: global traffic	TCP traffic: 192.168.2.14:57450 -> 83.222.202.123:13566
Source: global traffic	TCP traffic: 192.168.2.14:32812 -> 83.222.147.148:13566
Source: global traffic	TCP traffic: 192.168.2.14:54690 -> 83.222.68.31:13566
Source: global traffic	TCP traffic: 192.168.2.14:49592 -> 83.222.45.101:13566
Source: global traffic	TCP traffic: 192.168.2.14:50490 -> 83.222.200.13:13566
Source: global traffic	TCP traffic: 192.168.2.14:54916 -> 83.222.225.148:13566
Source: global traffic	TCP traffic: 192.168.2.14:36858 -> 83.222.14.90:13566
Source: global traffic	TCP traffic: 192.168.2.14:60910 -> 83.222.161.2:13566
Source: global traffic	TCP traffic: 192.168.2.14:47318 -> 83.222.126.173:13566
Source: global traffic	TCP traffic: 192.168.2.14:46298 -> 83.222.198.71:13566
Source: global traffic	TCP traffic: 192.168.2.14:60436 -> 83.222.44.68:13566
Source: global traffic	TCP traffic: 192.168.2.14:49778 -> 83.222.244.133:13566
Source: global traffic	TCP traffic: 192.168.2.14:49166 -> 83.222.193.32:13566
Source: global traffic	TCP traffic: 192.168.2.14:38860 -> 83.222.222.128:13566
Source: global traffic	TCP traffic: 192.168.2.14:33906 -> 83.222.79.247:13566
Source: global traffic	TCP traffic: 192.168.2.14:34908 -> 83.222.28.195:13566
Source: global traffic	TCP traffic: 192.168.2.14:40272 -> 83.222.179.230:13566
Source: global traffic	TCP traffic: 192.168.2.14:48212 -> 83.222.62.70:13566
Source: global traffic	TCP traffic: 192.168.2.14:55064 -> 83.222.123.130:13566
Source: global traffic	TCP traffic: 192.168.2.14:35204 -> 83.222.101.168:13566
Source: global traffic	TCP traffic: 192.168.2.14:55022 -> 83.222.231.46:13566
Source: global traffic	TCP traffic: 192.168.2.14:47728 -> 83.222.181.200:13566
Source: global traffic	TCP traffic: 192.168.2.14:58478 -> 83.222.203.209:13566
Source: global traffic	TCP traffic: 192.168.2.14:34042 -> 83.222.194.86:13566
Source: global traffic	TCP traffic: 192.168.2.14:60028 -> 83.222.176.73:13566
Source: global traffic	TCP traffic: 192.168.2.14:49638 -> 83.222.126.220:13566
Source: global traffic	TCP traffic: 192.168.2.14:49386 -> 83.222.141.114:13566
Source: global traffic	TCP traffic: 192.168.2.14:50454 -> 83.222.97.78:13566
Source: global traffic	TCP traffic: 192.168.2.14:56752 -> 83.222.146.64:13566
Source: global traffic	TCP traffic: 192.168.2.14:58622 -> 83.222.206.225:13566
Source: global traffic	TCP traffic: 192.168.2.14:37894 -> 83.222.55.234:13566
Source: global traffic	TCP traffic: 192.168.2.14:57386 -> 83.222.164.235:13566
Source: global traffic	TCP traffic: 192.168.2.14:50578 -> 83.222.209.226:13566
Source: global traffic	TCP traffic: 192.168.2.14:47370 -> 83.222.49.76:13566
Source: global traffic	TCP traffic: 192.168.2.14:56490 -> 83.222.191.90:13566

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.14:56490

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.5.109
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.74.139
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.111.180
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.118.245
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.240.132
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.109.108
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.60.121
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.139.30
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.191.153
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.66.227
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.83.194
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.155
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.194.181
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.206.87
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.71
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.91.34
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.174.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.165
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.25.74
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.90.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.168.135
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.0.66
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.183.229
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.3.191
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.220.69
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.7.215
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.202.201
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.140.152
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.32.169
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.163.47
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.224.124
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.204.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.33.122
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.184.123
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.158.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.89.125
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.44.89
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.191.47
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.116.188
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.25.155
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.202.123
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.147.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.68.31
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.45.101
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.200.13
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.225.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.14.90
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.161.2
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.126.173
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.198.71

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 928, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1444, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 3094, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5484, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5526, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5530, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5531, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5533, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8048000

Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 928, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1444, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1610, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 1639, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 3094, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 3268, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5484, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5526, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5530, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5531, result: successful	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5506)	SIGKILL sent: pid: 5533, result: successful	Jump to behavior

Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5505.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5503.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal64.spre.linELF@0/0@1/0

Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3244/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3120/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3361/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3239/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1299/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3235/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2946/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3134/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1593/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3011/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3094/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3406/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2955/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3129/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3402/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3807/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3125/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3246/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3245/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/767/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/888/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/769/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/806/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/807/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2956/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3142/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3139/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3412/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3398/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3392/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/780/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/661/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/782/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3304/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3425/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/785/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/940/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3147/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5342/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2991/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/791/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2986/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/794/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/795/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/797/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2983/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3159/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3157/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3711/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3319/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5510/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3178/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3172/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3171/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3329/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2999/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5508/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3207/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5509/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/2997/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1300/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/725/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/726/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1309/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5485/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5520/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5521/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3189/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3188/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3187/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3341/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3184/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3183/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1712/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5519/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3218/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3337/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3215/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/853/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3213/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3212/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5511/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5512/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5513/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5514/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5515/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5516/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5517/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5518/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3190/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3353/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/3193/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/1289/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5522/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5523/status	Jump to behavior
Source: /tmp/Kloki.x86.elf (PID: 5505)	File opened: /proc/5524/status	Jump to behavior

Source: /usr/bin/dash (PID: 5491)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fHLZqw1TN3 /tmp/tmp.ow2JfsB4Wn /tmp/tmp.FCcwH7Zebc			Jump to behavior
Source: /usr/bin/dash (PID: 5492)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fHLZqw1TN3 /tmp/tmp.ow2JfsB4Wn /tmp/tmp.FCcwH7Zebc			Jump to behavior

Source: Kloki.x86.elf	Submission file: segment LOAD with 7.8883 entropy (max. 8.0)
Source: Kloki.x86.elf	Submission file: segment LOAD with 7.9615 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.x86.elf	16%	Virustotal		Browse
Kloki.x86.elf	21%	ReversingLabs	Win32.Trojan.Generic
Kloki.x86.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.206.87	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.179.230	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.231.46	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.109.108	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.158.210	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.28.195	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.180.165	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.123.130	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.220.69	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.74.139	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.139.30	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.0.66	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.126.220	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.202.201	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.202.123	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.206.225	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.244.133	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.146.64	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.174.36	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.44.68	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.14.90	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.45.101	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.225.148	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.97.78	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.209.226	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.79.247	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.194.181	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.25.155	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.55.234	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.116.188	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.184.123	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.203.209	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.83.194	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.191.153	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.147.148	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.198.71	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.111.180	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.222.128	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.90.36	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.3.191	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.33.122	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.141.114	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.118.245	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.224.124	unknown	United Kingdom	13768	COGECO-PEER1CA	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
83.222.191.47	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.68.31	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.49.76	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.60.121	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.62.70	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.44.89	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.194.86	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.32.169	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.89.125	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.101.168	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.168.135	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.200.13	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.164.235	unknown	Bulgaria	31037	WAVENETLB	false
83.222.183.229	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.240.132	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.91.34	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.66.227	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.163.47	unknown	Bulgaria	31037	WAVENETLB	false
83.222.52.155	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.140.152	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.126.173	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.181.200	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.7.215	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.161.2	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.29.71	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.176.73	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.193.32	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.204.148	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.5.109	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.25.74	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SYNTERRA-ASRU	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.208.135
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.205.130
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.199.83
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.197.220
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.206.214
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.196.94
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.198.146
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.202.198
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.209.249
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.211.212
GCN-ASGCNAD-SofiaBulgariaBG	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.166.87
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.174.140
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.176.30
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.174.1
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.181.243
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.169.127
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.179.249
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.181.63
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.173.21
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.181.68
COGECO-PEER1CA	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.234.102
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.239.3
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.245.236
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.252.225
	http://guard-x-tech.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	64.29.17.65
	meth9.elf	Get hash	malicious	Mirai	Browse	64.65.21.26
	http://aicenterr.vercel.app/asd.com.html	Get hash	malicious	HTMLPhisher	Browse	64.29.17.129
	https://eb-ri18.vercel.app/verset.html	Get hash	malicious	HTMLPhisher	Browse	64.29.17.65
	http://inform-customer-sale.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	64.29.17.129
	https://jaffeusacanna-9646.vercel.app/zqh.heups/	Get hash	malicious	HTMLPhisher	Browse	64.29.17.1
MNOGOBYTE-ASMoscowRussiaRU	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.98.76
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.97.189
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.115.53
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.120.121
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.107.74
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.111.94
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.116.93
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.101.212
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.110.86
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.112.137

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.959187181871756
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Kloki.x86.elf
File size:	38'312 bytes
MD5:	9c0cf500a75080a480c04b5ab4af863a
SHA1:	cea9e6df251020d298935228cb1fed36c6263994
SHA256:	fc81007d717f418b7542faff1bb8a716003b4338809b6b6f1fae407a22e8808e
SHA512:	f44f278d5468753749252a6122f1f52a835d2cbc7f76314c51d8de7939733e0423b83d986771215f5b428c641837441259cab1438d19cc138d598ab0dd83b61c
SSDEEP:	768:DOHPkureU8rirKpbN5vygzBvykN05/bSPs8eEQX3rXzu3915QnbcuyD7UoUR0:qHMliOFNEgz9FNaiCbXzaEnouy82
TLSH:	FF03E133BAA908C6C1A610365DDF3FE5250183DF1846A52AC86CF07D5E49FCA7A2D366
File Content Preview:	.ELF....................p...4...........4. ...(.........................l....................0...0..................Q.td.............................j=.sfgaD........X...X......V..........?..k.I/.j....\.d*nlz.eB"[bx.\|"\|M.`...S....] ..Y..\|..x.b[.G...w...x.p

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x806b270
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x1000	0x1af6c	7.8883	0x6	RW	0x1000
LOAD	0x0	0x8063000	0x8063000	0x94a9	0x94a9	7.9615	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:16:13.482183+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.14	56490	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:16:13.464518070 CET	45470	13566	192.168.2.14	83.222.5.109
Jan 14, 2025 17:16:13.464540958 CET	50934	13566	192.168.2.14	83.222.74.139
Jan 14, 2025 17:16:13.464560032 CET	41380	13566	192.168.2.14	83.222.111.180
Jan 14, 2025 17:16:13.464576006 CET	47328	13566	192.168.2.14	83.222.118.245
Jan 14, 2025 17:16:13.464595079 CET	56454	13566	192.168.2.14	83.222.240.132
Jan 14, 2025 17:16:13.464595079 CET	35130	13566	192.168.2.14	83.222.109.108
Jan 14, 2025 17:16:13.464603901 CET	59386	13566	192.168.2.14	83.222.60.121
Jan 14, 2025 17:16:13.464615107 CET	34332	13566	192.168.2.14	83.222.139.30
Jan 14, 2025 17:16:13.464639902 CET	53760	13566	192.168.2.14	83.222.191.153
Jan 14, 2025 17:16:13.464679956 CET	51598	13566	192.168.2.14	83.222.66.227
Jan 14, 2025 17:16:13.464683056 CET	59868	13566	192.168.2.14	83.222.83.194
Jan 14, 2025 17:16:13.464692116 CET	50980	13566	192.168.2.14	83.222.52.155
Jan 14, 2025 17:16:13.464708090 CET	37356	13566	192.168.2.14	83.222.194.181
Jan 14, 2025 17:16:13.464714050 CET	36740	13566	192.168.2.14	83.222.206.87
Jan 14, 2025 17:16:13.464726925 CET	45182	13566	192.168.2.14	83.222.29.71
Jan 14, 2025 17:16:13.464746952 CET	60476	13566	192.168.2.14	83.222.91.34
Jan 14, 2025 17:16:13.464746952 CET	49522	13566	192.168.2.14	83.222.174.36
Jan 14, 2025 17:16:13.464760065 CET	38054	13566	192.168.2.14	83.222.180.165
Jan 14, 2025 17:16:13.464787960 CET	35624	13566	192.168.2.14	83.222.25.74
Jan 14, 2025 17:16:13.464796066 CET	54766	13566	192.168.2.14	83.222.90.36
Jan 14, 2025 17:16:13.464801073 CET	58002	13566	192.168.2.14	83.222.168.135
Jan 14, 2025 17:16:13.464816093 CET	50256	13566	192.168.2.14	83.222.0.66
Jan 14, 2025 17:16:13.464817047 CET	50456	13566	192.168.2.14	83.222.183.229
Jan 14, 2025 17:16:13.464817047 CET	48930	13566	192.168.2.14	83.222.3.191
Jan 14, 2025 17:16:13.464843035 CET	40098	13566	192.168.2.14	83.222.220.69
Jan 14, 2025 17:16:13.465373993 CET	36896	13566	192.168.2.14	83.222.7.215
Jan 14, 2025 17:16:13.465373993 CET	35536	13566	192.168.2.14	83.222.202.201
Jan 14, 2025 17:16:13.465394974 CET	50022	13566	192.168.2.14	83.222.140.152
Jan 14, 2025 17:16:13.465408087 CET	47102	13566	192.168.2.14	83.222.32.169
Jan 14, 2025 17:16:13.465409994 CET	35948	13566	192.168.2.14	83.222.163.47
Jan 14, 2025 17:16:13.465409994 CET	44360	13566	192.168.2.14	83.222.224.124
Jan 14, 2025 17:16:13.465434074 CET	38126	13566	192.168.2.14	83.222.204.148
Jan 14, 2025 17:16:13.465439081 CET	50312	13566	192.168.2.14	83.222.33.122
Jan 14, 2025 17:16:13.465445042 CET	40938	13566	192.168.2.14	83.222.184.123
Jan 14, 2025 17:16:13.465460062 CET	38238	13566	192.168.2.14	83.222.158.210
Jan 14, 2025 17:16:13.465488911 CET	45162	13566	192.168.2.14	83.222.89.125
Jan 14, 2025 17:16:13.465507030 CET	57164	13566	192.168.2.14	83.222.44.89
Jan 14, 2025 17:16:13.465534925 CET	50710	13566	192.168.2.14	83.222.191.47
Jan 14, 2025 17:16:13.465553045 CET	35358	13566	192.168.2.14	83.222.116.188
Jan 14, 2025 17:16:13.465554953 CET	36894	13566	192.168.2.14	83.222.25.155
Jan 14, 2025 17:16:13.465554953 CET	57450	13566	192.168.2.14	83.222.202.123
Jan 14, 2025 17:16:13.465570927 CET	32812	13566	192.168.2.14	83.222.147.148
Jan 14, 2025 17:16:13.465579033 CET	54690	13566	192.168.2.14	83.222.68.31
Jan 14, 2025 17:16:13.465589046 CET	49592	13566	192.168.2.14	83.222.45.101
Jan 14, 2025 17:16:13.465610981 CET	50490	13566	192.168.2.14	83.222.200.13
Jan 14, 2025 17:16:13.465610981 CET	54916	13566	192.168.2.14	83.222.225.148
Jan 14, 2025 17:16:13.465640068 CET	36858	13566	192.168.2.14	83.222.14.90
Jan 14, 2025 17:16:13.465645075 CET	60910	13566	192.168.2.14	83.222.161.2
Jan 14, 2025 17:16:13.465646982 CET	47318	13566	192.168.2.14	83.222.126.173
Jan 14, 2025 17:16:13.465648890 CET	46298	13566	192.168.2.14	83.222.198.71
Jan 14, 2025 17:16:13.465648890 CET	60436	13566	192.168.2.14	83.222.44.68
Jan 14, 2025 17:16:13.465667963 CET	49778	13566	192.168.2.14	83.222.244.133
Jan 14, 2025 17:16:13.465687037 CET	49166	13566	192.168.2.14	83.222.193.32
Jan 14, 2025 17:16:13.465692997 CET	38860	13566	192.168.2.14	83.222.222.128
Jan 14, 2025 17:16:13.465718985 CET	33906	13566	192.168.2.14	83.222.79.247
Jan 14, 2025 17:16:13.465733051 CET	34908	13566	192.168.2.14	83.222.28.195
Jan 14, 2025 17:16:13.465744972 CET	40272	13566	192.168.2.14	83.222.179.230
Jan 14, 2025 17:16:13.465764046 CET	48212	13566	192.168.2.14	83.222.62.70
Jan 14, 2025 17:16:13.465770006 CET	55064	13566	192.168.2.14	83.222.123.130
Jan 14, 2025 17:16:13.465781927 CET	35204	13566	192.168.2.14	83.222.101.168
Jan 14, 2025 17:16:13.465801001 CET	55022	13566	192.168.2.14	83.222.231.46
Jan 14, 2025 17:16:13.465814114 CET	47728	13566	192.168.2.14	83.222.181.200
Jan 14, 2025 17:16:13.465828896 CET	58478	13566	192.168.2.14	83.222.203.209
Jan 14, 2025 17:16:13.465836048 CET	34042	13566	192.168.2.14	83.222.194.86
Jan 14, 2025 17:16:13.465841055 CET	60028	13566	192.168.2.14	83.222.176.73
Jan 14, 2025 17:16:13.465857983 CET	49638	13566	192.168.2.14	83.222.126.220
Jan 14, 2025 17:16:13.465874910 CET	49386	13566	192.168.2.14	83.222.141.114
Jan 14, 2025 17:16:13.465893984 CET	50454	13566	192.168.2.14	83.222.97.78
Jan 14, 2025 17:16:13.465903997 CET	56752	13566	192.168.2.14	83.222.146.64
Jan 14, 2025 17:16:13.465915918 CET	58622	13566	192.168.2.14	83.222.206.225
Jan 14, 2025 17:16:13.465918064 CET	37894	13566	192.168.2.14	83.222.55.234
Jan 14, 2025 17:16:13.465929031 CET	57386	13566	192.168.2.14	83.222.164.235
Jan 14, 2025 17:16:13.465939045 CET	50578	13566	192.168.2.14	83.222.209.226
Jan 14, 2025 17:16:13.465985060 CET	47370	13566	192.168.2.14	83.222.49.76
Jan 14, 2025 17:16:13.469463110 CET	13566	45470	83.222.5.109	192.168.2.14
Jan 14, 2025 17:16:13.469522953 CET	45470	13566	192.168.2.14	83.222.5.109
Jan 14, 2025 17:16:13.469644070 CET	13566	41380	83.222.111.180	192.168.2.14
Jan 14, 2025 17:16:13.469657898 CET	13566	50934	83.222.74.139	192.168.2.14
Jan 14, 2025 17:16:13.469669104 CET	13566	47328	83.222.118.245	192.168.2.14
Jan 14, 2025 17:16:13.469679117 CET	13566	59386	83.222.60.121	192.168.2.14
Jan 14, 2025 17:16:13.469688892 CET	41380	13566	192.168.2.14	83.222.111.180
Jan 14, 2025 17:16:13.469691038 CET	13566	56454	83.222.240.132	192.168.2.14
Jan 14, 2025 17:16:13.469696999 CET	47328	13566	192.168.2.14	83.222.118.245
Jan 14, 2025 17:16:13.469703913 CET	13566	35130	83.222.109.108	192.168.2.14
Jan 14, 2025 17:16:13.469715118 CET	13566	34332	83.222.139.30	192.168.2.14
Jan 14, 2025 17:16:13.469722986 CET	50934	13566	192.168.2.14	83.222.74.139
Jan 14, 2025 17:16:13.469731092 CET	56454	13566	192.168.2.14	83.222.240.132
Jan 14, 2025 17:16:13.469739914 CET	59386	13566	192.168.2.14	83.222.60.121
Jan 14, 2025 17:16:13.469754934 CET	35130	13566	192.168.2.14	83.222.109.108
Jan 14, 2025 17:16:13.469758987 CET	34332	13566	192.168.2.14	83.222.139.30
Jan 14, 2025 17:16:13.470014095 CET	13566	53760	83.222.191.153	192.168.2.14
Jan 14, 2025 17:16:13.470026970 CET	13566	51598	83.222.66.227	192.168.2.14
Jan 14, 2025 17:16:13.470037937 CET	13566	59868	83.222.83.194	192.168.2.14
Jan 14, 2025 17:16:13.470047951 CET	13566	50980	83.222.52.155	192.168.2.14
Jan 14, 2025 17:16:13.470057011 CET	53760	13566	192.168.2.14	83.222.191.153
Jan 14, 2025 17:16:13.470057011 CET	51598	13566	192.168.2.14	83.222.66.227
Jan 14, 2025 17:16:13.470057964 CET	13566	37356	83.222.194.181	192.168.2.14
Jan 14, 2025 17:16:13.470077991 CET	50980	13566	192.168.2.14	83.222.52.155
Jan 14, 2025 17:16:13.470078945 CET	59868	13566	192.168.2.14	83.222.83.194
Jan 14, 2025 17:16:13.470089912 CET	13566	36740	83.222.206.87	192.168.2.14
Jan 14, 2025 17:16:13.470102072 CET	13566	45182	83.222.29.71	192.168.2.14
Jan 14, 2025 17:16:13.470113039 CET	13566	38054	83.222.180.165	192.168.2.14
Jan 14, 2025 17:16:13.470124006 CET	13566	60476	83.222.91.34	192.168.2.14
Jan 14, 2025 17:16:13.470124006 CET	36740	13566	192.168.2.14	83.222.206.87
Jan 14, 2025 17:16:13.470138073 CET	38054	13566	192.168.2.14	83.222.180.165
Jan 14, 2025 17:16:13.470139027 CET	13566	49522	83.222.174.36	192.168.2.14
Jan 14, 2025 17:16:13.470149994 CET	13566	35624	83.222.25.74	192.168.2.14
Jan 14, 2025 17:16:13.470154047 CET	60476	13566	192.168.2.14	83.222.91.34
Jan 14, 2025 17:16:13.470163107 CET	49522	13566	192.168.2.14	83.222.174.36
Jan 14, 2025 17:16:13.470163107 CET	13566	58002	83.222.168.135	192.168.2.14
Jan 14, 2025 17:16:13.470172882 CET	13566	50256	83.222.0.66	192.168.2.14
Jan 14, 2025 17:16:13.470180988 CET	13566	50456	83.222.183.229	192.168.2.14
Jan 14, 2025 17:16:13.470182896 CET	35624	13566	192.168.2.14	83.222.25.74
Jan 14, 2025 17:16:13.470191002 CET	58002	13566	192.168.2.14	83.222.168.135
Jan 14, 2025 17:16:13.470191956 CET	13566	54766	83.222.90.36	192.168.2.14
Jan 14, 2025 17:16:13.470199108 CET	50256	13566	192.168.2.14	83.222.0.66
Jan 14, 2025 17:16:13.470204115 CET	13566	48930	83.222.3.191	192.168.2.14
Jan 14, 2025 17:16:13.470211983 CET	50456	13566	192.168.2.14	83.222.183.229
Jan 14, 2025 17:16:13.470213890 CET	13566	40098	83.222.220.69	192.168.2.14
Jan 14, 2025 17:16:13.470228910 CET	45182	13566	192.168.2.14	83.222.29.71
Jan 14, 2025 17:16:13.470236063 CET	48930	13566	192.168.2.14	83.222.3.191
Jan 14, 2025 17:16:13.470259905 CET	40098	13566	192.168.2.14	83.222.220.69
Jan 14, 2025 17:16:13.470320940 CET	13566	36896	83.222.7.215	192.168.2.14
Jan 14, 2025 17:16:13.470360994 CET	54766	13566	192.168.2.14	83.222.90.36
Jan 14, 2025 17:16:13.470361948 CET	37356	13566	192.168.2.14	83.222.194.181
Jan 14, 2025 17:16:13.470382929 CET	36896	13566	192.168.2.14	83.222.7.215
Jan 14, 2025 17:16:13.470809937 CET	13566	35536	83.222.202.201	192.168.2.14
Jan 14, 2025 17:16:13.470822096 CET	13566	50022	83.222.140.152	192.168.2.14
Jan 14, 2025 17:16:13.470832109 CET	13566	47102	83.222.32.169	192.168.2.14
Jan 14, 2025 17:16:13.470843077 CET	13566	35948	83.222.163.47	192.168.2.14
Jan 14, 2025 17:16:13.470843077 CET	35536	13566	192.168.2.14	83.222.202.201
Jan 14, 2025 17:16:13.470854044 CET	13566	44360	83.222.224.124	192.168.2.14
Jan 14, 2025 17:16:13.470855951 CET	50022	13566	192.168.2.14	83.222.140.152
Jan 14, 2025 17:16:13.470868111 CET	47102	13566	192.168.2.14	83.222.32.169
Jan 14, 2025 17:16:13.470869064 CET	13566	38126	83.222.204.148	192.168.2.14
Jan 14, 2025 17:16:13.470880032 CET	13566	50312	83.222.33.122	192.168.2.14
Jan 14, 2025 17:16:13.470890045 CET	13566	40938	83.222.184.123	192.168.2.14
Jan 14, 2025 17:16:13.470906973 CET	50312	13566	192.168.2.14	83.222.33.122
Jan 14, 2025 17:16:13.470906019 CET	38126	13566	192.168.2.14	83.222.204.148
Jan 14, 2025 17:16:13.470916033 CET	40938	13566	192.168.2.14	83.222.184.123
Jan 14, 2025 17:16:13.470917940 CET	13566	38238	83.222.158.210	192.168.2.14
Jan 14, 2025 17:16:13.470930099 CET	13566	45162	83.222.89.125	192.168.2.14
Jan 14, 2025 17:16:13.470940113 CET	13566	57164	83.222.44.89	192.168.2.14
Jan 14, 2025 17:16:13.470949888 CET	13566	50710	83.222.191.47	192.168.2.14
Jan 14, 2025 17:16:13.470954895 CET	38238	13566	192.168.2.14	83.222.158.210
Jan 14, 2025 17:16:13.470958948 CET	45162	13566	192.168.2.14	83.222.89.125
Jan 14, 2025 17:16:13.470959902 CET	13566	35358	83.222.116.188	192.168.2.14
Jan 14, 2025 17:16:13.470968962 CET	57164	13566	192.168.2.14	83.222.44.89
Jan 14, 2025 17:16:13.470979929 CET	50710	13566	192.168.2.14	83.222.191.47
Jan 14, 2025 17:16:13.470988989 CET	13566	36894	83.222.25.155	192.168.2.14
Jan 14, 2025 17:16:13.470993996 CET	35358	13566	192.168.2.14	83.222.116.188
Jan 14, 2025 17:16:13.470998049 CET	35948	13566	192.168.2.14	83.222.163.47
Jan 14, 2025 17:16:13.470998049 CET	44360	13566	192.168.2.14	83.222.224.124
Jan 14, 2025 17:16:13.471000910 CET	13566	57450	83.222.202.123	192.168.2.14
Jan 14, 2025 17:16:13.471012115 CET	13566	32812	83.222.147.148	192.168.2.14
Jan 14, 2025 17:16:13.471023083 CET	13566	54690	83.222.68.31	192.168.2.14
Jan 14, 2025 17:16:13.471028090 CET	36894	13566	192.168.2.14	83.222.25.155
Jan 14, 2025 17:16:13.471028090 CET	57450	13566	192.168.2.14	83.222.202.123
Jan 14, 2025 17:16:13.471034050 CET	13566	49592	83.222.45.101	192.168.2.14
Jan 14, 2025 17:16:13.471050024 CET	54690	13566	192.168.2.14	83.222.68.31
Jan 14, 2025 17:16:13.471069098 CET	32812	13566	192.168.2.14	83.222.147.148
Jan 14, 2025 17:16:13.471074104 CET	49592	13566	192.168.2.14	83.222.45.101
Jan 14, 2025 17:16:13.471451044 CET	13566	50490	83.222.200.13	192.168.2.14
Jan 14, 2025 17:16:13.471462965 CET	13566	54916	83.222.225.148	192.168.2.14
Jan 14, 2025 17:16:13.471472979 CET	13566	36858	83.222.14.90	192.168.2.14
Jan 14, 2025 17:16:13.471483946 CET	13566	60910	83.222.161.2	192.168.2.14
Jan 14, 2025 17:16:13.471489906 CET	50490	13566	192.168.2.14	83.222.200.13
Jan 14, 2025 17:16:13.471489906 CET	54916	13566	192.168.2.14	83.222.225.148
Jan 14, 2025 17:16:13.471494913 CET	13566	47318	83.222.126.173	192.168.2.14
Jan 14, 2025 17:16:13.471507072 CET	36858	13566	192.168.2.14	83.222.14.90
Jan 14, 2025 17:16:13.471517086 CET	60910	13566	192.168.2.14	83.222.161.2
Jan 14, 2025 17:16:13.471518040 CET	13566	46298	83.222.198.71	192.168.2.14
Jan 14, 2025 17:16:13.471529007 CET	47318	13566	192.168.2.14	83.222.126.173
Jan 14, 2025 17:16:13.471533060 CET	13566	49778	83.222.244.133	192.168.2.14
Jan 14, 2025 17:16:13.471554995 CET	13566	60436	83.222.44.68	192.168.2.14
Jan 14, 2025 17:16:13.471565962 CET	13566	49166	83.222.193.32	192.168.2.14
Jan 14, 2025 17:16:13.471575975 CET	13566	38860	83.222.222.128	192.168.2.14
Jan 14, 2025 17:16:13.471577883 CET	49778	13566	192.168.2.14	83.222.244.133
Jan 14, 2025 17:16:13.471586943 CET	13566	33906	83.222.79.247	192.168.2.14
Jan 14, 2025 17:16:13.471596956 CET	49166	13566	192.168.2.14	83.222.193.32
Jan 14, 2025 17:16:13.471599102 CET	13566	34908	83.222.28.195	192.168.2.14
Jan 14, 2025 17:16:13.471609116 CET	38860	13566	192.168.2.14	83.222.222.128
Jan 14, 2025 17:16:13.471609116 CET	13566	40272	83.222.179.230	192.168.2.14
Jan 14, 2025 17:16:13.471610069 CET	33906	13566	192.168.2.14	83.222.79.247
Jan 14, 2025 17:16:13.471618891 CET	13566	55064	83.222.123.130	192.168.2.14
Jan 14, 2025 17:16:13.471630096 CET	34908	13566	192.168.2.14	83.222.28.195
Jan 14, 2025 17:16:13.471630096 CET	13566	35204	83.222.101.168	192.168.2.14
Jan 14, 2025 17:16:13.471642971 CET	13566	48212	83.222.62.70	192.168.2.14
Jan 14, 2025 17:16:13.471648932 CET	40272	13566	192.168.2.14	83.222.179.230
Jan 14, 2025 17:16:13.471648932 CET	55064	13566	192.168.2.14	83.222.123.130
Jan 14, 2025 17:16:13.471659899 CET	13566	55022	83.222.231.46	192.168.2.14
Jan 14, 2025 17:16:13.471659899 CET	35204	13566	192.168.2.14	83.222.101.168
Jan 14, 2025 17:16:13.471669912 CET	13566	47728	83.222.181.200	192.168.2.14
Jan 14, 2025 17:16:13.471673012 CET	46298	13566	192.168.2.14	83.222.198.71
Jan 14, 2025 17:16:13.471674919 CET	48212	13566	192.168.2.14	83.222.62.70
Jan 14, 2025 17:16:13.471673012 CET	60436	13566	192.168.2.14	83.222.44.68
Jan 14, 2025 17:16:13.471682072 CET	13566	58478	83.222.203.209	192.168.2.14
Jan 14, 2025 17:16:13.471689939 CET	55022	13566	192.168.2.14	83.222.231.46
Jan 14, 2025 17:16:13.471693039 CET	13566	34042	83.222.194.86	192.168.2.14
Jan 14, 2025 17:16:13.471703053 CET	47728	13566	192.168.2.14	83.222.181.200
Jan 14, 2025 17:16:13.471705914 CET	13566	60028	83.222.176.73	192.168.2.14
Jan 14, 2025 17:16:13.471715927 CET	13566	49638	83.222.126.220	192.168.2.14
Jan 14, 2025 17:16:13.471719027 CET	58478	13566	192.168.2.14	83.222.203.209
Jan 14, 2025 17:16:13.471740961 CET	60028	13566	192.168.2.14	83.222.176.73
Jan 14, 2025 17:16:13.471744061 CET	34042	13566	192.168.2.14	83.222.194.86
Jan 14, 2025 17:16:13.471759081 CET	49638	13566	192.168.2.14	83.222.126.220
Jan 14, 2025 17:16:13.471842051 CET	13566	49386	83.222.141.114	192.168.2.14
Jan 14, 2025 17:16:13.471853018 CET	13566	50454	83.222.97.78	192.168.2.14
Jan 14, 2025 17:16:13.471863031 CET	13566	56752	83.222.146.64	192.168.2.14
Jan 14, 2025 17:16:13.471877098 CET	49386	13566	192.168.2.14	83.222.141.114
Jan 14, 2025 17:16:13.471882105 CET	50454	13566	192.168.2.14	83.222.97.78
Jan 14, 2025 17:16:13.471894026 CET	13566	58622	83.222.206.225	192.168.2.14
Jan 14, 2025 17:16:13.471899986 CET	56752	13566	192.168.2.14	83.222.146.64
Jan 14, 2025 17:16:13.471904039 CET	13566	57386	83.222.164.235	192.168.2.14
Jan 14, 2025 17:16:13.471914053 CET	13566	37894	83.222.55.234	192.168.2.14
Jan 14, 2025 17:16:13.471924067 CET	13566	50578	83.222.209.226	192.168.2.14
Jan 14, 2025 17:16:13.471925974 CET	58622	13566	192.168.2.14	83.222.206.225
Jan 14, 2025 17:16:13.471931934 CET	57386	13566	192.168.2.14	83.222.164.235
Jan 14, 2025 17:16:13.471934080 CET	13566	47370	83.222.49.76	192.168.2.14
Jan 14, 2025 17:16:13.471952915 CET	50578	13566	192.168.2.14	83.222.209.226
Jan 14, 2025 17:16:13.471961975 CET	37894	13566	192.168.2.14	83.222.55.234
Jan 14, 2025 17:16:13.471961975 CET	47370	13566	192.168.2.14	83.222.49.76
Jan 14, 2025 17:16:13.477343082 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:13.482182980 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:16:13.482228994 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:13.482261896 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:13.487199068 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:16:13.487232924 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:13.492149115 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:16:23.490004063 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:23.494848013 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:16:23.622124910 CET	46540	443	192.168.2.14	185.125.190.26
Jan 14, 2025 17:16:23.697230101 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:16:23.697366953 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:24.078908920 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:16:24.078969002 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:16:54.340832949 CET	46540	443	192.168.2.14	185.125.190.26
Jan 14, 2025 17:17:24.137701988 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:17:24.142622948 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:17:24.345388889 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:17:24.345508099 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 14, 2025 17:17:25.078016996 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 14, 2025 17:17:25.078155994 CET	56490	13566	192.168.2.14	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:16:13.466006041 CET	48832	53	192.168.2.14	8.8.8.8
Jan 14, 2025 17:16:13.477266073 CET	53	48832	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 17:16:13.466006041 CET	192.168.2.14	8.8.8.8	0x2161	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 17:16:13.477266073 CET	8.8.8.8	192.168.2.14	0x2161	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5491, Parent PID: 3635

General

Start time (UTC):	16:16:05
Start date (UTC):	14/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5491, Parent PID: 3635

General

Start time (UTC):	16:16:05
Start date (UTC):	14/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.fHLZqw1TN3 /tmp/tmp.ow2JfsB4Wn /tmp/tmp.FCcwH7Zebc
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5492, Parent PID: 3635

General

Start time (UTC):	16:16:05
Start date (UTC):	14/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5492, Parent PID: 3635

General

Start time (UTC):	16:16:05
Start date (UTC):	14/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.fHLZqw1TN3 /tmp/tmp.ow2JfsB4Wn /tmp/tmp.FCcwH7Zebc
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5503, Parent PID: 5425

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	/tmp/Kloki.x86.elf
File size:	38312 bytes
MD5 hash:	9c0cf500a75080a480c04b5ab4af863a

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5504, Parent PID: 5503

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	-
File size:	38312 bytes
MD5 hash:	9c0cf500a75080a480c04b5ab4af863a

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5505, Parent PID: 5504

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	-
File size:	38312 bytes
MD5 hash:	9c0cf500a75080a480c04b5ab4af863a

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5506, Parent PID: 5504

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/tmp/Kloki.x86.elf
Arguments:	-
File size:	38312 bytes
MD5 hash:	9c0cf500a75080a480c04b5ab4af863a

Chronological Activities

Analysis Process: gnome-session-binary PID: 5507, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5507, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-print-notifications PID: 5507, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

Chronological Activities

Analysis Process: gnome-session-binary PID: 5526, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5526, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gnome-shell PID: 5526, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/bin/gnome-shell
Arguments:	/usr/bin/gnome-shell
File size:	23168 bytes
MD5 hash:	da7a257239677622fe4b3a65972c9e87

Chronological Activities

Analysis Process: gnome-session-binary PID: 5530, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5530, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5530, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gnome-session-binary PID: 5531, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5531, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-sharing PID: 5531, Parent PID: 1383

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

Chronological Activities

Analysis Process: gdm3 PID: 5532, Parent PID: 1289

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5532, Parent PID: 1289

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5533, Parent PID: 1289

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5533, Parent PID: 1289

General

Start time (UTC):	16:16:13
Start date (UTC):	14/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5544, Parent PID: 1

General

Start time (UTC):	16:16:23
Start date (UTC):	14/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5544, Parent PID: 1

General

Start time (UTC):	16:16:23
Start date (UTC):	14/01/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5491, Parent PID: 3635

General

Chronological Activities

Analysis Process: rm PID: 5491, Parent PID: 3635

General

Chronological Activities

Analysis Process: dash PID: 5492, Parent PID: 3635

General

Chronological Activities

Analysis Process: rm PID: 5492, Parent PID: 3635

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5503, Parent PID: 5425

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5504, Parent PID: 5503

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5505, Parent PID: 5504

General

Chronological Activities

Analysis Process: Kloki.x86.elf PID: 5506, Parent PID: 5504

General

Linux Analysis Report
Kloki.x86.elf