Edit tour

Linux Analysis Report
dbg.x86.elf

Overview

General Information

Sample name:	dbg.x86.elf
Analysis ID:	1594241
MD5:	9f2c1c92152f3013559fee6e6ecfb565
SHA1:	c206b616b5cd97a9384ee6915aa6109b8a248683
SHA256:	b30831201a3c2fe4f0562bef572dae187194a7be81c5eff47c07a6102325fe33
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Suricata IDS alerts with low severity for network traffic

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594241
Start date and time:	2025-01-18 17:07:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dbg.x86.elf
Detection:	MAL
Classification:	mal60.linELF@0/0@3/0

Runtime Messages

Command:	/tmp/dbg.x86.elf
PID:	5489
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

dbg.x86.elf (PID: 5489, Parent: 5412, MD5: 9f2c1c92152f3013559fee6e6ecfb565) Arguments: /tmp/dbg.x86.elf

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4a40:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x8bad:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_449937aa	unknown	unknown	0xf4ba:$a: 00 00 5B 72 65 73 6F 6C 76 5D 20 46 6F 75 6E 64 20 49 50 20
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6652:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xb5b8:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x9e74:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5489.1.0000000008048000.0000000008059000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6622:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 2 entries

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-18T17:08:03.266588+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.14	56490	TCP

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dbg.x86.elf	Virustotal: Detection: 18%			Perma Link
Source: dbg.x86.elf	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: dbg.x86.elf

Joe Sandbox ML: detected

Source: global traffic	TCP traffic: 192.168.2.14:36682 -> 83.222.54.96:13566
Source: global traffic	TCP traffic: 192.168.2.14:34796 -> 83.222.76.86:13566
Source: global traffic	TCP traffic: 192.168.2.14:35546 -> 83.222.134.84:13566
Source: global traffic	TCP traffic: 192.168.2.14:35022 -> 83.222.238.151:13566
Source: global traffic	TCP traffic: 192.168.2.14:33898 -> 83.222.100.147:13566
Source: global traffic	TCP traffic: 192.168.2.14:49760 -> 83.222.232.215:13566
Source: global traffic	TCP traffic: 192.168.2.14:40996 -> 83.222.225.236:13566
Source: global traffic	TCP traffic: 192.168.2.14:54754 -> 83.222.222.240:13566
Source: global traffic	TCP traffic: 192.168.2.14:46450 -> 83.222.9.41:13566
Source: global traffic	TCP traffic: 192.168.2.14:32884 -> 83.222.238.142:13566
Source: global traffic	TCP traffic: 192.168.2.14:35040 -> 83.222.201.183:13566
Source: global traffic	TCP traffic: 192.168.2.14:36548 -> 83.222.138.44:13566
Source: global traffic	TCP traffic: 192.168.2.14:48518 -> 83.222.67.120:13566
Source: global traffic	TCP traffic: 192.168.2.14:56804 -> 83.222.131.104:13566
Source: global traffic	TCP traffic: 192.168.2.14:46900 -> 83.222.186.121:13566
Source: global traffic	TCP traffic: 192.168.2.14:40038 -> 83.222.216.6:13566
Source: global traffic	TCP traffic: 192.168.2.14:56642 -> 83.222.221.86:13566
Source: global traffic	TCP traffic: 192.168.2.14:51076 -> 83.222.21.142:13566
Source: global traffic	TCP traffic: 192.168.2.14:52556 -> 83.222.77.121:13566
Source: global traffic	TCP traffic: 192.168.2.14:45126 -> 83.222.177.247:13566
Source: global traffic	TCP traffic: 192.168.2.14:35350 -> 83.222.217.218:13566
Source: global traffic	TCP traffic: 192.168.2.14:60212 -> 83.222.207.192:13566
Source: global traffic	TCP traffic: 192.168.2.14:33984 -> 83.222.16.235:13566
Source: global traffic	TCP traffic: 192.168.2.14:41268 -> 83.222.34.59:13566
Source: global traffic	TCP traffic: 192.168.2.14:57394 -> 83.222.226.225:13566
Source: global traffic	TCP traffic: 192.168.2.14:51594 -> 83.222.250.187:13566
Source: global traffic	TCP traffic: 192.168.2.14:45476 -> 83.222.187.125:13566
Source: global traffic	TCP traffic: 192.168.2.14:57576 -> 83.222.169.102:13566
Source: global traffic	TCP traffic: 192.168.2.14:40846 -> 83.222.189.100:13566
Source: global traffic	TCP traffic: 192.168.2.14:39014 -> 83.222.223.149:13566
Source: global traffic	TCP traffic: 192.168.2.14:35958 -> 83.222.106.175:13566
Source: global traffic	TCP traffic: 192.168.2.14:54384 -> 83.222.242.242:13566
Source: global traffic	TCP traffic: 192.168.2.14:48600 -> 83.222.216.209:13566
Source: global traffic	TCP traffic: 192.168.2.14:53612 -> 83.222.86.72:13566
Source: global traffic	TCP traffic: 192.168.2.14:37870 -> 83.222.35.69:13566
Source: global traffic	TCP traffic: 192.168.2.14:52718 -> 83.222.5.107:13566
Source: global traffic	TCP traffic: 192.168.2.14:40628 -> 83.222.214.82:13566
Source: global traffic	TCP traffic: 192.168.2.14:49378 -> 83.222.228.248:13566
Source: global traffic	TCP traffic: 192.168.2.14:49592 -> 83.222.142.245:13566
Source: global traffic	TCP traffic: 192.168.2.14:43142 -> 83.222.228.128:13566
Source: global traffic	TCP traffic: 192.168.2.14:54996 -> 83.222.231.188:13566
Source: global traffic	TCP traffic: 192.168.2.14:48750 -> 83.222.81.201:13566
Source: global traffic	TCP traffic: 192.168.2.14:43890 -> 83.222.157.76:13566
Source: global traffic	TCP traffic: 192.168.2.14:50862 -> 83.222.133.88:13566
Source: global traffic	TCP traffic: 192.168.2.14:45592 -> 83.222.201.168:13566
Source: global traffic	TCP traffic: 192.168.2.14:39380 -> 83.222.158.115:13566
Source: global traffic	TCP traffic: 192.168.2.14:45780 -> 83.222.215.238:13566
Source: global traffic	TCP traffic: 192.168.2.14:47080 -> 83.222.15.91:13566
Source: global traffic	TCP traffic: 192.168.2.14:58338 -> 83.222.241.65:13566
Source: global traffic	TCP traffic: 192.168.2.14:50492 -> 83.222.157.71:13566
Source: global traffic	TCP traffic: 192.168.2.14:39766 -> 83.222.137.162:13566
Source: global traffic	TCP traffic: 192.168.2.14:44098 -> 83.222.178.96:13566
Source: global traffic	TCP traffic: 192.168.2.14:46304 -> 83.222.245.150:13566
Source: global traffic	TCP traffic: 192.168.2.14:38810 -> 83.222.88.131:13566
Source: global traffic	TCP traffic: 192.168.2.14:44834 -> 83.222.139.60:13566
Source: global traffic	TCP traffic: 192.168.2.14:52936 -> 83.222.3.114:13566
Source: global traffic	TCP traffic: 192.168.2.14:53332 -> 83.222.248.85:13566
Source: global traffic	TCP traffic: 192.168.2.14:33238 -> 83.222.60.149:13566
Source: global traffic	TCP traffic: 192.168.2.14:49370 -> 83.222.161.193:13566
Source: global traffic	TCP traffic: 192.168.2.14:49420 -> 83.222.105.140:13566
Source: global traffic	TCP traffic: 192.168.2.14:50666 -> 83.222.238.106:13566
Source: global traffic	TCP traffic: 192.168.2.14:59838 -> 83.222.231.180:13566
Source: global traffic	TCP traffic: 192.168.2.14:44884 -> 83.222.221.120:13566
Source: global traffic	TCP traffic: 192.168.2.14:56626 -> 83.222.103.216:13566
Source: global traffic	TCP traffic: 192.168.2.14:60728 -> 83.222.246.4:13566
Source: global traffic	TCP traffic: 192.168.2.14:57038 -> 83.222.31.127:13566
Source: global traffic	TCP traffic: 192.168.2.14:56490 -> 83.222.191.90:13566

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.14:56490

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.54.96
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.76.86
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.134.84
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.238.151
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.100.147
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.232.215
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.225.236
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.222.240
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.9.41
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.238.142
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.138.44
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.67.120
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.131.104
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.186.121
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.216.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.221.86
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.121
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.177.247
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.217.218
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.207.192
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.16.235
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.34.59
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.226.225
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.250.187
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.187.125
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.169.102
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.189.100
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.223.149
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.106.175
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.242.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.216.209
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.86.72
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.35.69
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.5.107
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.214.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.228.248
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.142.245
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.228.128
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.231.188
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.81.201
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.157.76
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.133.88
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.201.168
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.158.115
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.215.238
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.15.91
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.241.65
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.157.71

Source: global traffic	DNS traffic detected: DNS query: secure-network-rebirthltd.ru
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_449937aa Author: unknown
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: LOAD without section mappings

Program segment: 0x8048000

Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_449937aa reference_sample = 6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = cf2c6b86830099f039b41aeaafbffedfb8294a1124c499e99a11f48a06cd1dfd, id = 449937aa-682a-4906-89ab-80d7127e461e, last_modified = 2021-09-16
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5489.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal60.linELF@0/0@3/0

Source: dbg.x86.elf	Submission file: segment LOAD with 7.8959 entropy (max. 8.0)
Source: dbg.x86.elf	Submission file: segment LOAD with 7.9646 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dbg.x86.elf	19%	Virustotal		Browse
dbg.x86.elf	21%	ReversingLabs	Linux.Packed.Mirai
dbg.x86.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.106.175	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.201.168	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.81.201	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.223.149	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.231.188	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.228.248	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.60.149	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.225.236	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.86.72	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.228.128	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.246.4	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.169.102	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.100.147	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.238.142	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.67.120	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.131.104	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.216.209	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.221.120	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.157.71	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.76.86	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.137.162	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.221.86	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.133.88	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.226.225	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.161.193	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.207.192	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.139.60	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.238.106	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.231.180	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.189.100	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.9.41	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.232.215	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.157.76	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.21.142	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.177.247	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.142.245	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.158.115	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.222.240	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.217.218	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.201.183	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.15.91	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.238.151	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.103.216	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.186.121	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.214.82	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.241.65	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.187.125	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.77.121	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.138.44	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.105.140	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.134.84	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.88.131	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.250.187	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.215.238	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.242.242	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.54.96	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.216.6	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.35.69	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.34.59	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.245.150	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.31.127	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.248.85	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.16.235	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.178.96	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.3.114	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.5.107	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83.222.67.120	Kloki.spc.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
daisy.ubuntu.com	I586.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	ARMV4L.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	ARMV6L.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	MIPSEL.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	ARMV5L.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	sshd.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	.i.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	armv7l.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	armv6l.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MNOGOBYTE-ASMoscowRussiaRU	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.109.99
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.120.85
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.99.213
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.113.214
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.118.111
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.96.0
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.122.221
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.115.97
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.101.124
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.99.171
SYNTERRA-ASRU	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.209.207
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.195.90
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.206.35
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.204.120
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.197.216
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.196.227
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.202.81
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.209.206
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.198.182
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.198.132
ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.64.68
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.67.220
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.85.46
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.86.49
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.69.178
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.80.120
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.69.49
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.72.213
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.73.253
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.94.114
SONICDUO-ASRU	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.214.205
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.212.78
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.223.232
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.220.113
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.219.64
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.212.74
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.213.75
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.212.208
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.222.77
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.219.215

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.962272139947051
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	dbg.x86.elf
File size:	37'484 bytes
MD5:	9f2c1c92152f3013559fee6e6ecfb565
SHA1:	c206b616b5cd97a9384ee6915aa6109b8a248683
SHA256:	b30831201a3c2fe4f0562bef572dae187194a7be81c5eff47c07a6102325fe33
SHA512:	8858d35ec9ed1ac36d244b8ea08fa3700be857cce9aa80709ed16162f43353cd2cbcd10aae48e5fc33c67cc7818d88280b55c87cf443557988819a138ae19642
SSDEEP:	768:3WVYzxXEK9/fmBPTJoMHivqMRlv51G2n68N0qHjH4QMsBxFnbcuyD7UoURe:3WVIEK9/+BCMCvdv5tnFN0cj/v/Fnou6
TLSH:	DBF2E15DABCD5F61E97FB3B704FEA7000D217356C59D4A96F6C8051D36207883A21AC7
File Content Preview:	.ELF....................0...4...........4. ...(.........................l.................... ... ..i...i...........Q.td.............................j=.sfgaD........X...X......V..........?..k.I/.j....\.d*nlz.eB"[bx.\|"\|M.`...S....T[.N.........8 ...'.b.B?..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x8069f30
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x1000	0x19f6c	7.8959	0x6	RW	0x1000
LOAD	0x0	0x8062000	0x8062000	0x9169	0x9169	7.9646	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-18T17:08:03.266588+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.14	56490	TCP

Network Port Distribution

Total Packets: 144
• 13566 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 18, 2025 17:08:03.234124899 CET	36682	13566	192.168.2.14	83.222.54.96
Jan 18, 2025 17:08:03.234124899 CET	34796	13566	192.168.2.14	83.222.76.86
Jan 18, 2025 17:08:03.234149933 CET	35546	13566	192.168.2.14	83.222.134.84
Jan 18, 2025 17:08:03.234163046 CET	35022	13566	192.168.2.14	83.222.238.151
Jan 18, 2025 17:08:03.234175920 CET	33898	13566	192.168.2.14	83.222.100.147
Jan 18, 2025 17:08:03.234181881 CET	49760	13566	192.168.2.14	83.222.232.215
Jan 18, 2025 17:08:03.234181881 CET	40996	13566	192.168.2.14	83.222.225.236
Jan 18, 2025 17:08:03.234191895 CET	54754	13566	192.168.2.14	83.222.222.240
Jan 18, 2025 17:08:03.234193087 CET	46450	13566	192.168.2.14	83.222.9.41
Jan 18, 2025 17:08:03.234200001 CET	32884	13566	192.168.2.14	83.222.238.142
Jan 18, 2025 17:08:03.234205008 CET	35040	13566	192.168.2.14	83.222.201.183
Jan 18, 2025 17:08:03.234225988 CET	36548	13566	192.168.2.14	83.222.138.44
Jan 18, 2025 17:08:03.234225988 CET	48518	13566	192.168.2.14	83.222.67.120
Jan 18, 2025 17:08:03.234232903 CET	56804	13566	192.168.2.14	83.222.131.104
Jan 18, 2025 17:08:03.234235048 CET	46900	13566	192.168.2.14	83.222.186.121
Jan 18, 2025 17:08:03.234237909 CET	40038	13566	192.168.2.14	83.222.216.6
Jan 18, 2025 17:08:03.234252930 CET	56642	13566	192.168.2.14	83.222.221.86
Jan 18, 2025 17:08:03.234252930 CET	51076	13566	192.168.2.14	83.222.21.142
Jan 18, 2025 17:08:03.234265089 CET	52556	13566	192.168.2.14	83.222.77.121
Jan 18, 2025 17:08:03.234270096 CET	45126	13566	192.168.2.14	83.222.177.247
Jan 18, 2025 17:08:03.234266996 CET	35350	13566	192.168.2.14	83.222.217.218
Jan 18, 2025 17:08:03.234267950 CET	60212	13566	192.168.2.14	83.222.207.192
Jan 18, 2025 17:08:03.234277010 CET	33984	13566	192.168.2.14	83.222.16.235
Jan 18, 2025 17:08:03.234307051 CET	41268	13566	192.168.2.14	83.222.34.59
Jan 18, 2025 17:08:03.234307051 CET	57394	13566	192.168.2.14	83.222.226.225
Jan 18, 2025 17:08:03.234307051 CET	51594	13566	192.168.2.14	83.222.250.187
Jan 18, 2025 17:08:03.234319925 CET	45476	13566	192.168.2.14	83.222.187.125
Jan 18, 2025 17:08:03.234330893 CET	57576	13566	192.168.2.14	83.222.169.102
Jan 18, 2025 17:08:03.234338999 CET	40846	13566	192.168.2.14	83.222.189.100
Jan 18, 2025 17:08:03.234342098 CET	39014	13566	192.168.2.14	83.222.223.149
Jan 18, 2025 17:08:03.234349012 CET	35958	13566	192.168.2.14	83.222.106.175
Jan 18, 2025 17:08:03.234360933 CET	54384	13566	192.168.2.14	83.222.242.242
Jan 18, 2025 17:08:03.234360933 CET	48600	13566	192.168.2.14	83.222.216.209
Jan 18, 2025 17:08:03.234364033 CET	53612	13566	192.168.2.14	83.222.86.72
Jan 18, 2025 17:08:03.234361887 CET	37870	13566	192.168.2.14	83.222.35.69
Jan 18, 2025 17:08:03.234369993 CET	52718	13566	192.168.2.14	83.222.5.107
Jan 18, 2025 17:08:03.234378099 CET	40628	13566	192.168.2.14	83.222.214.82
Jan 18, 2025 17:08:03.234392881 CET	49378	13566	192.168.2.14	83.222.228.248
Jan 18, 2025 17:08:03.234395027 CET	49592	13566	192.168.2.14	83.222.142.245
Jan 18, 2025 17:08:03.234406948 CET	43142	13566	192.168.2.14	83.222.228.128
Jan 18, 2025 17:08:03.234416962 CET	54996	13566	192.168.2.14	83.222.231.188
Jan 18, 2025 17:08:03.234431982 CET	48750	13566	192.168.2.14	83.222.81.201
Jan 18, 2025 17:08:03.234435081 CET	43890	13566	192.168.2.14	83.222.157.76
Jan 18, 2025 17:08:03.234446049 CET	50862	13566	192.168.2.14	83.222.133.88
Jan 18, 2025 17:08:03.234455109 CET	45592	13566	192.168.2.14	83.222.201.168
Jan 18, 2025 17:08:03.234472990 CET	39380	13566	192.168.2.14	83.222.158.115
Jan 18, 2025 17:08:03.234472990 CET	45780	13566	192.168.2.14	83.222.215.238
Jan 18, 2025 17:08:03.234476089 CET	47080	13566	192.168.2.14	83.222.15.91
Jan 18, 2025 17:08:03.234484911 CET	58338	13566	192.168.2.14	83.222.241.65
Jan 18, 2025 17:08:03.234488010 CET	50492	13566	192.168.2.14	83.222.157.71
Jan 18, 2025 17:08:03.234508038 CET	39766	13566	192.168.2.14	83.222.137.162
Jan 18, 2025 17:08:03.234508991 CET	44098	13566	192.168.2.14	83.222.178.96
Jan 18, 2025 17:08:03.234518051 CET	46304	13566	192.168.2.14	83.222.245.150
Jan 18, 2025 17:08:03.234522104 CET	38810	13566	192.168.2.14	83.222.88.131
Jan 18, 2025 17:08:03.234538078 CET	44834	13566	192.168.2.14	83.222.139.60
Jan 18, 2025 17:08:03.234541893 CET	52936	13566	192.168.2.14	83.222.3.114
Jan 18, 2025 17:08:03.234556913 CET	53332	13566	192.168.2.14	83.222.248.85
Jan 18, 2025 17:08:03.234572887 CET	33238	13566	192.168.2.14	83.222.60.149
Jan 18, 2025 17:08:03.234572887 CET	49370	13566	192.168.2.14	83.222.161.193
Jan 18, 2025 17:08:03.234579086 CET	49420	13566	192.168.2.14	83.222.105.140
Jan 18, 2025 17:08:03.234582901 CET	50666	13566	192.168.2.14	83.222.238.106
Jan 18, 2025 17:08:03.234596014 CET	59838	13566	192.168.2.14	83.222.231.180
Jan 18, 2025 17:08:03.234597921 CET	44884	13566	192.168.2.14	83.222.221.120
Jan 18, 2025 17:08:03.234611034 CET	56626	13566	192.168.2.14	83.222.103.216
Jan 18, 2025 17:08:03.234613895 CET	60728	13566	192.168.2.14	83.222.246.4
Jan 18, 2025 17:08:03.234625101 CET	57038	13566	192.168.2.14	83.222.31.127
Jan 18, 2025 17:08:03.250891924 CET	13566	36682	83.222.54.96	192.168.2.14
Jan 18, 2025 17:08:03.250948906 CET	13566	34796	83.222.76.86	192.168.2.14
Jan 18, 2025 17:08:03.250971079 CET	36682	13566	192.168.2.14	83.222.54.96
Jan 18, 2025 17:08:03.250983000 CET	34796	13566	192.168.2.14	83.222.76.86
Jan 18, 2025 17:08:03.250998020 CET	13566	35022	83.222.238.151	192.168.2.14
Jan 18, 2025 17:08:03.251029968 CET	13566	35546	83.222.134.84	192.168.2.14
Jan 18, 2025 17:08:03.251040936 CET	35022	13566	192.168.2.14	83.222.238.151
Jan 18, 2025 17:08:03.251061916 CET	13566	49760	83.222.232.215	192.168.2.14
Jan 18, 2025 17:08:03.251070023 CET	35546	13566	192.168.2.14	83.222.134.84
Jan 18, 2025 17:08:03.251091003 CET	13566	40996	83.222.225.236	192.168.2.14
Jan 18, 2025 17:08:03.251106977 CET	49760	13566	192.168.2.14	83.222.232.215
Jan 18, 2025 17:08:03.251121998 CET	40996	13566	192.168.2.14	83.222.225.236
Jan 18, 2025 17:08:03.251130104 CET	13566	35040	83.222.201.183	192.168.2.14
Jan 18, 2025 17:08:03.251161098 CET	13566	54754	83.222.222.240	192.168.2.14
Jan 18, 2025 17:08:03.251172066 CET	35040	13566	192.168.2.14	83.222.201.183
Jan 18, 2025 17:08:03.251189947 CET	13566	46450	83.222.9.41	192.168.2.14
Jan 18, 2025 17:08:03.251199007 CET	54754	13566	192.168.2.14	83.222.222.240
Jan 18, 2025 17:08:03.251225948 CET	46450	13566	192.168.2.14	83.222.9.41
Jan 18, 2025 17:08:03.251231909 CET	13566	32884	83.222.238.142	192.168.2.14
Jan 18, 2025 17:08:03.251275063 CET	32884	13566	192.168.2.14	83.222.238.142
Jan 18, 2025 17:08:03.255705118 CET	13566	56804	83.222.131.104	192.168.2.14
Jan 18, 2025 17:08:03.255737066 CET	13566	46900	83.222.186.121	192.168.2.14
Jan 18, 2025 17:08:03.255748987 CET	56804	13566	192.168.2.14	83.222.131.104
Jan 18, 2025 17:08:03.255767107 CET	13566	40038	83.222.216.6	192.168.2.14
Jan 18, 2025 17:08:03.255773067 CET	46900	13566	192.168.2.14	83.222.186.121
Jan 18, 2025 17:08:03.255798101 CET	13566	36548	83.222.138.44	192.168.2.14
Jan 18, 2025 17:08:03.255803108 CET	40038	13566	192.168.2.14	83.222.216.6
Jan 18, 2025 17:08:03.255827904 CET	13566	48518	83.222.67.120	192.168.2.14
Jan 18, 2025 17:08:03.255836964 CET	36548	13566	192.168.2.14	83.222.138.44
Jan 18, 2025 17:08:03.255857944 CET	13566	33898	83.222.100.147	192.168.2.14
Jan 18, 2025 17:08:03.255866051 CET	48518	13566	192.168.2.14	83.222.67.120
Jan 18, 2025 17:08:03.255887032 CET	13566	56642	83.222.221.86	192.168.2.14
Jan 18, 2025 17:08:03.255904913 CET	33898	13566	192.168.2.14	83.222.100.147
Jan 18, 2025 17:08:03.255917072 CET	13566	51076	83.222.21.142	192.168.2.14
Jan 18, 2025 17:08:03.255920887 CET	56642	13566	192.168.2.14	83.222.221.86
Jan 18, 2025 17:08:03.255954027 CET	51076	13566	192.168.2.14	83.222.21.142
Jan 18, 2025 17:08:03.255970001 CET	13566	52556	83.222.77.121	192.168.2.14
Jan 18, 2025 17:08:03.256000042 CET	13566	33984	83.222.16.235	192.168.2.14
Jan 18, 2025 17:08:03.256005049 CET	52556	13566	192.168.2.14	83.222.77.121
Jan 18, 2025 17:08:03.256028891 CET	13566	35350	83.222.217.218	192.168.2.14
Jan 18, 2025 17:08:03.256031990 CET	33984	13566	192.168.2.14	83.222.16.235
Jan 18, 2025 17:08:03.256058931 CET	13566	60212	83.222.207.192	192.168.2.14
Jan 18, 2025 17:08:03.256088018 CET	13566	41268	83.222.34.59	192.168.2.14
Jan 18, 2025 17:08:03.256088018 CET	35350	13566	192.168.2.14	83.222.217.218
Jan 18, 2025 17:08:03.256110907 CET	60212	13566	192.168.2.14	83.222.207.192
Jan 18, 2025 17:08:03.256115913 CET	13566	45476	83.222.187.125	192.168.2.14
Jan 18, 2025 17:08:03.256131887 CET	41268	13566	192.168.2.14	83.222.34.59
Jan 18, 2025 17:08:03.256145000 CET	13566	57394	83.222.226.225	192.168.2.14
Jan 18, 2025 17:08:03.256153107 CET	45476	13566	192.168.2.14	83.222.187.125
Jan 18, 2025 17:08:03.256172895 CET	13566	51594	83.222.250.187	192.168.2.14
Jan 18, 2025 17:08:03.256181955 CET	57394	13566	192.168.2.14	83.222.226.225
Jan 18, 2025 17:08:03.256201982 CET	13566	57576	83.222.169.102	192.168.2.14
Jan 18, 2025 17:08:03.256211042 CET	51594	13566	192.168.2.14	83.222.250.187
Jan 18, 2025 17:08:03.256231070 CET	13566	45126	83.222.177.247	192.168.2.14
Jan 18, 2025 17:08:03.256238937 CET	57576	13566	192.168.2.14	83.222.169.102
Jan 18, 2025 17:08:03.256259918 CET	13566	39014	83.222.223.149	192.168.2.14
Jan 18, 2025 17:08:03.256278038 CET	45126	13566	192.168.2.14	83.222.177.247
Jan 18, 2025 17:08:03.256289005 CET	13566	40846	83.222.189.100	192.168.2.14
Jan 18, 2025 17:08:03.256294012 CET	39014	13566	192.168.2.14	83.222.223.149
Jan 18, 2025 17:08:03.256318092 CET	13566	35958	83.222.106.175	192.168.2.14
Jan 18, 2025 17:08:03.256334066 CET	40846	13566	192.168.2.14	83.222.189.100
Jan 18, 2025 17:08:03.256349087 CET	35958	13566	192.168.2.14	83.222.106.175
Jan 18, 2025 17:08:03.256359100 CET	13566	53612	83.222.86.72	192.168.2.14
Jan 18, 2025 17:08:03.256400108 CET	53612	13566	192.168.2.14	83.222.86.72
Jan 18, 2025 17:08:03.256412983 CET	13566	52718	83.222.5.107	192.168.2.14
Jan 18, 2025 17:08:03.256444931 CET	52718	13566	192.168.2.14	83.222.5.107
Jan 18, 2025 17:08:03.256449938 CET	13566	40628	83.222.214.82	192.168.2.14
Jan 18, 2025 17:08:03.256460905 CET	13566	54384	83.222.242.242	192.168.2.14
Jan 18, 2025 17:08:03.256470919 CET	13566	48600	83.222.216.209	192.168.2.14
Jan 18, 2025 17:08:03.256479979 CET	13566	37870	83.222.35.69	192.168.2.14
Jan 18, 2025 17:08:03.256484985 CET	40628	13566	192.168.2.14	83.222.214.82
Jan 18, 2025 17:08:03.256489038 CET	13566	49592	83.222.142.245	192.168.2.14
Jan 18, 2025 17:08:03.256511927 CET	54384	13566	192.168.2.14	83.222.242.242
Jan 18, 2025 17:08:03.256511927 CET	48600	13566	192.168.2.14	83.222.216.209
Jan 18, 2025 17:08:03.256511927 CET	37870	13566	192.168.2.14	83.222.35.69
Jan 18, 2025 17:08:03.256519079 CET	13566	49378	83.222.228.248	192.168.2.14
Jan 18, 2025 17:08:03.256532907 CET	49592	13566	192.168.2.14	83.222.142.245
Jan 18, 2025 17:08:03.256547928 CET	13566	43142	83.222.228.128	192.168.2.14
Jan 18, 2025 17:08:03.256567955 CET	49378	13566	192.168.2.14	83.222.228.248
Jan 18, 2025 17:08:03.256587029 CET	43142	13566	192.168.2.14	83.222.228.128
Jan 18, 2025 17:08:03.256587982 CET	13566	54996	83.222.231.188	192.168.2.14
Jan 18, 2025 17:08:03.256618023 CET	13566	48750	83.222.81.201	192.168.2.14
Jan 18, 2025 17:08:03.256628036 CET	54996	13566	192.168.2.14	83.222.231.188
Jan 18, 2025 17:08:03.256645918 CET	13566	43890	83.222.157.76	192.168.2.14
Jan 18, 2025 17:08:03.256653070 CET	48750	13566	192.168.2.14	83.222.81.201
Jan 18, 2025 17:08:03.256675005 CET	13566	50862	83.222.133.88	192.168.2.14
Jan 18, 2025 17:08:03.256680012 CET	43890	13566	192.168.2.14	83.222.157.76
Jan 18, 2025 17:08:03.256705999 CET	13566	45592	83.222.201.168	192.168.2.14
Jan 18, 2025 17:08:03.256711960 CET	50862	13566	192.168.2.14	83.222.133.88
Jan 18, 2025 17:08:03.256716967 CET	13566	39380	83.222.158.115	192.168.2.14
Jan 18, 2025 17:08:03.256726980 CET	13566	47080	83.222.15.91	192.168.2.14
Jan 18, 2025 17:08:03.256736994 CET	45592	13566	192.168.2.14	83.222.201.168
Jan 18, 2025 17:08:03.256750107 CET	39380	13566	192.168.2.14	83.222.158.115
Jan 18, 2025 17:08:03.256755114 CET	13566	45780	83.222.215.238	192.168.2.14
Jan 18, 2025 17:08:03.256767988 CET	47080	13566	192.168.2.14	83.222.15.91
Jan 18, 2025 17:08:03.256784916 CET	13566	58338	83.222.241.65	192.168.2.14
Jan 18, 2025 17:08:03.256792068 CET	45780	13566	192.168.2.14	83.222.215.238
Jan 18, 2025 17:08:03.256814003 CET	13566	50492	83.222.157.71	192.168.2.14
Jan 18, 2025 17:08:03.256824970 CET	58338	13566	192.168.2.14	83.222.241.65
Jan 18, 2025 17:08:03.256850004 CET	50492	13566	192.168.2.14	83.222.157.71
Jan 18, 2025 17:08:03.256860018 CET	13566	44098	83.222.178.96	192.168.2.14
Jan 18, 2025 17:08:03.256894112 CET	44098	13566	192.168.2.14	83.222.178.96
Jan 18, 2025 17:08:03.256922960 CET	13566	39766	83.222.137.162	192.168.2.14
Jan 18, 2025 17:08:03.256953955 CET	13566	46304	83.222.245.150	192.168.2.14
Jan 18, 2025 17:08:03.256958961 CET	39766	13566	192.168.2.14	83.222.137.162
Jan 18, 2025 17:08:03.256963015 CET	13566	38810	83.222.88.131	192.168.2.14
Jan 18, 2025 17:08:03.256984949 CET	46304	13566	192.168.2.14	83.222.245.150
Jan 18, 2025 17:08:03.256993055 CET	13566	52936	83.222.3.114	192.168.2.14
Jan 18, 2025 17:08:03.257000923 CET	38810	13566	192.168.2.14	83.222.88.131
Jan 18, 2025 17:08:03.257021904 CET	13566	44834	83.222.139.60	192.168.2.14
Jan 18, 2025 17:08:03.257028103 CET	52936	13566	192.168.2.14	83.222.3.114
Jan 18, 2025 17:08:03.257050991 CET	13566	53332	83.222.248.85	192.168.2.14
Jan 18, 2025 17:08:03.257070065 CET	44834	13566	192.168.2.14	83.222.139.60
Jan 18, 2025 17:08:03.257088900 CET	53332	13566	192.168.2.14	83.222.248.85
Jan 18, 2025 17:08:03.257092953 CET	13566	49420	83.222.105.140	192.168.2.14
Jan 18, 2025 17:08:03.257122040 CET	13566	50666	83.222.238.106	192.168.2.14
Jan 18, 2025 17:08:03.257149935 CET	13566	33238	83.222.60.149	192.168.2.14
Jan 18, 2025 17:08:03.257150888 CET	49420	13566	192.168.2.14	83.222.105.140
Jan 18, 2025 17:08:03.257159948 CET	50666	13566	192.168.2.14	83.222.238.106
Jan 18, 2025 17:08:03.257179022 CET	13566	49370	83.222.161.193	192.168.2.14
Jan 18, 2025 17:08:03.257196903 CET	33238	13566	192.168.2.14	83.222.60.149
Jan 18, 2025 17:08:03.257219076 CET	13566	59838	83.222.231.180	192.168.2.14
Jan 18, 2025 17:08:03.257220984 CET	49370	13566	192.168.2.14	83.222.161.193
Jan 18, 2025 17:08:03.257246971 CET	13566	44884	83.222.221.120	192.168.2.14
Jan 18, 2025 17:08:03.257261992 CET	59838	13566	192.168.2.14	83.222.231.180
Jan 18, 2025 17:08:03.257275105 CET	13566	56626	83.222.103.216	192.168.2.14
Jan 18, 2025 17:08:03.257285118 CET	44884	13566	192.168.2.14	83.222.221.120
Jan 18, 2025 17:08:03.257309914 CET	56626	13566	192.168.2.14	83.222.103.216
Jan 18, 2025 17:08:03.257312059 CET	13566	57038	83.222.31.127	192.168.2.14
Jan 18, 2025 17:08:03.257319927 CET	13566	60728	83.222.246.4	192.168.2.14
Jan 18, 2025 17:08:03.257348061 CET	57038	13566	192.168.2.14	83.222.31.127
Jan 18, 2025 17:08:03.257354021 CET	60728	13566	192.168.2.14	83.222.246.4
Jan 18, 2025 17:08:03.261723995 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:03.266587973 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:03.266650915 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:03.266710043 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:03.271599054 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:03.271646976 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:03.276509047 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:13.272944927 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:13.277968884 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:13.475294113 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:13.475485086 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:13.842721939 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:13.842946053 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:48.231350899 CET	56490	13566	192.168.2.14	83.222.191.90
Jan 18, 2025 17:08:48.236921072 CET	13566	56490	83.222.191.90	192.168.2.14
Jan 18, 2025 17:08:48.237071991 CET	56490	13566	192.168.2.14	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 18, 2025 17:08:03.234644890 CET	56378	53	192.168.2.14	8.8.8.8
Jan 18, 2025 17:08:03.261552095 CET	53	56378	8.8.8.8	192.168.2.14
Jan 18, 2025 17:10:47.297169924 CET	51250	53	192.168.2.14	1.1.1.1
Jan 18, 2025 17:10:47.297271967 CET	40899	53	192.168.2.14	1.1.1.1
Jan 18, 2025 17:10:47.304843903 CET	53	40899	1.1.1.1	192.168.2.14
Jan 18, 2025 17:10:47.304877996 CET	53	51250	1.1.1.1	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 18, 2025 17:08:03.234644890 CET	192.168.2.14	8.8.8.8	0xb3fe	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Jan 18, 2025 17:10:47.297169924 CET	192.168.2.14	1.1.1.1	0x3f68	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Jan 18, 2025 17:10:47.297271967 CET	192.168.2.14	1.1.1.1	0xde48	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 18, 2025 17:08:03.261552095 CET	8.8.8.8	192.168.2.14	0xb3fe	No error (0)	secure-network-rebirthltd.ru	83.222.191.90	A (IP address)	IN (0x0001)	false
Jan 18, 2025 17:10:47.304877996 CET	1.1.1.1	192.168.2.14	0x3f68	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Jan 18, 2025 17:10:47.304877996 CET	1.1.1.1	192.168.2.14	0x3f68	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dbg.x86.elf PID: 5489, Parent PID: 5412

General

Start time (UTC):	16:08:02
Start date (UTC):	18/01/2025
Path:	/tmp/dbg.x86.elf
Arguments:	/tmp/dbg.x86.elf
File size:	37484 bytes
MD5 hash:	9f2c1c92152f3013559fee6e6ecfb565

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dbg.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dbg.x86.elf PID: 5489, Parent PID: 5412

General

File Activities

File Opened

File Moved

Process Activities

Prctl Requested

Chronological Activities

Linux Analysis Report
dbg.x86.elf