Edit tour

Linux Analysis Report
Kloki.arm4.elf

Overview

General Information

Sample name:	Kloki.arm4.elf
Analysis ID:	1594506
MD5:	cdb33d02d278650cf9471987e8381ed1
SHA1:	c9c031a687931d46bf7f826ada46708a85b8656c
SHA256:	81fa7637ba78c674c4742411f3aece085bb8b3452a9b9ac8fcbd4d86472b333e
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594506
Start date and time:	2025-01-19 03:51:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Kloki.arm4.elf
Detection:	MAL
Classification:	mal60.spre.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/Kloki.arm4.elf
PID:	6269
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

Kloki.arm4.elf (PID: 6269, Parent: 6190, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Kloki.arm4.elf

Kloki.arm4.elf New Fork (PID: 6271, Parent: 6269)

Kloki.arm4.elf New Fork (PID: 6273, Parent: 6269)

Kloki.arm4.elf New Fork (PID: 6275, Parent: 6273)

gnome-session-binary New Fork (PID: 6297, Parent: 1477)

sh (PID: 6297, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing

gsd-sharing (PID: 6297, Parent: 1477, MD5: e29d9025d98590fbb69f89fdbd4438b3) Arguments: /usr/libexec/gsd-sharing

gnome-session-binary New Fork (PID: 6299, Parent: 1477)

sh (PID: 6299, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell

gnome-session-binary New Fork (PID: 6301, Parent: 1477)

sh (PID: 6301, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications

gsd-print-notifications (PID: 6301, Parent: 1477, MD5: 71539698aa691718cee775d6b9450ae2) Arguments: /usr/libexec/gsd-print-notifications

gnome-session-binary New Fork (PID: 6302, Parent: 1477)

sh (PID: 6302, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 6305, Parent: 1320)

Default (PID: 6305, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6306, Parent: 1320)

Default (PID: 6306, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

cleanup

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T03:52:25.208492+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.23	42666	TCP

Joe Sandbox Signatures

• AV Detection
• Spreading
• Networking
• System Summary
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Kloki.arm4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Kloki.arm4.elf

Virustotal: Detection: 38%

Perma Link

Source: Kloki.arm4.elf

String: ppid/proc/net/tcp/proc/self/exe/proc//status/fd//dev/null/dev/consolesocket05/proc/%d/exepkillkillkillallechowgetcurlpsbusyboxiptablesrebootshutdownhaltpoweroffinitsystemctltelinitcatgrepshashbashzshcshkshdashfish

Source: global traffic	TCP traffic: 192.168.2.23:51792 -> 83.222.251.105:13566
Source: global traffic	TCP traffic: 192.168.2.23:41942 -> 83.222.52.36:13566
Source: global traffic	TCP traffic: 192.168.2.23:56814 -> 83.222.175.31:13566
Source: global traffic	TCP traffic: 192.168.2.23:47794 -> 83.222.255.142:13566
Source: global traffic	TCP traffic: 192.168.2.23:47886 -> 83.222.162.242:13566
Source: global traffic	TCP traffic: 192.168.2.23:42100 -> 83.222.9.187:13566
Source: global traffic	TCP traffic: 192.168.2.23:53900 -> 83.222.164.6:13566
Source: global traffic	TCP traffic: 192.168.2.23:41096 -> 83.222.80.148:13566
Source: global traffic	TCP traffic: 192.168.2.23:36022 -> 83.222.206.8:13566
Source: global traffic	TCP traffic: 192.168.2.23:36996 -> 83.222.163.195:13566
Source: global traffic	TCP traffic: 192.168.2.23:48536 -> 83.222.69.29:13566
Source: global traffic	TCP traffic: 192.168.2.23:53818 -> 83.222.199.151:13566
Source: global traffic	TCP traffic: 192.168.2.23:49040 -> 83.222.112.184:13566
Source: global traffic	TCP traffic: 192.168.2.23:49630 -> 83.222.171.53:13566
Source: global traffic	TCP traffic: 192.168.2.23:47014 -> 83.222.149.134:13566
Source: global traffic	TCP traffic: 192.168.2.23:52028 -> 83.222.253.144:13566
Source: global traffic	TCP traffic: 192.168.2.23:54016 -> 83.222.240.49:13566
Source: global traffic	TCP traffic: 192.168.2.23:58248 -> 83.222.180.159:13566
Source: global traffic	TCP traffic: 192.168.2.23:39632 -> 83.222.80.179:13566
Source: global traffic	TCP traffic: 192.168.2.23:52934 -> 83.222.45.242:13566
Source: global traffic	TCP traffic: 192.168.2.23:37852 -> 83.222.165.55:13566
Source: global traffic	TCP traffic: 192.168.2.23:38578 -> 83.222.173.73:13566
Source: global traffic	TCP traffic: 192.168.2.23:39060 -> 83.222.61.253:13566
Source: global traffic	TCP traffic: 192.168.2.23:50816 -> 83.222.222.12:13566
Source: global traffic	TCP traffic: 192.168.2.23:37168 -> 83.222.6.129:13566
Source: global traffic	TCP traffic: 192.168.2.23:57616 -> 83.222.207.75:13566
Source: global traffic	TCP traffic: 192.168.2.23:46602 -> 83.222.158.150:13566
Source: global traffic	TCP traffic: 192.168.2.23:55848 -> 83.222.226.14:13566
Source: global traffic	TCP traffic: 192.168.2.23:41186 -> 83.222.78.142:13566
Source: global traffic	TCP traffic: 192.168.2.23:39742 -> 83.222.68.227:13566
Source: global traffic	TCP traffic: 192.168.2.23:58198 -> 83.222.20.65:13566
Source: global traffic	TCP traffic: 192.168.2.23:51724 -> 83.222.116.4:13566
Source: global traffic	TCP traffic: 192.168.2.23:36030 -> 83.222.114.40:13566
Source: global traffic	TCP traffic: 192.168.2.23:33484 -> 83.222.163.194:13566
Source: global traffic	TCP traffic: 192.168.2.23:46334 -> 83.222.220.209:13566
Source: global traffic	TCP traffic: 192.168.2.23:48646 -> 83.222.180.129:13566
Source: global traffic	TCP traffic: 192.168.2.23:34484 -> 83.222.8.97:13566
Source: global traffic	TCP traffic: 192.168.2.23:53500 -> 83.222.203.69:13566
Source: global traffic	TCP traffic: 192.168.2.23:55874 -> 83.222.95.169:13566
Source: global traffic	TCP traffic: 192.168.2.23:49306 -> 83.222.81.101:13566
Source: global traffic	TCP traffic: 192.168.2.23:38758 -> 83.222.42.32:13566
Source: global traffic	TCP traffic: 192.168.2.23:58324 -> 83.222.176.201:13566
Source: global traffic	TCP traffic: 192.168.2.23:49234 -> 83.222.183.146:13566
Source: global traffic	TCP traffic: 192.168.2.23:51476 -> 83.222.215.5:13566
Source: global traffic	TCP traffic: 192.168.2.23:52508 -> 83.222.32.27:13566
Source: global traffic	TCP traffic: 192.168.2.23:60404 -> 83.222.233.53:13566
Source: global traffic	TCP traffic: 192.168.2.23:42506 -> 83.222.92.93:13566
Source: global traffic	TCP traffic: 192.168.2.23:56520 -> 83.222.57.206:13566
Source: global traffic	TCP traffic: 192.168.2.23:55628 -> 83.222.133.221:13566
Source: global traffic	TCP traffic: 192.168.2.23:43072 -> 83.222.144.97:13566
Source: global traffic	TCP traffic: 192.168.2.23:36576 -> 83.222.174.68:13566
Source: global traffic	TCP traffic: 192.168.2.23:54438 -> 83.222.227.182:13566
Source: global traffic	TCP traffic: 192.168.2.23:37320 -> 83.222.166.174:13566
Source: global traffic	TCP traffic: 192.168.2.23:58710 -> 83.222.251.5:13566
Source: global traffic	TCP traffic: 192.168.2.23:42666 -> 83.222.191.90:13566

Source: /tmp/Kloki.arm4.elf (PID: 6269)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.23:42666

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.251.105
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.251.105
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.52.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.175.31
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.142
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.175.31
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.142
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.142
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.142
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.162.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.9.187
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.164.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.162.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.9.187
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.164.6
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.206.8
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.163.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.206.8
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.69.29
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.163.195
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.199.151
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.69.29
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.112.184
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.199.151
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.171.53
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.112.184
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.149.134
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.171.53
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.253.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.149.134
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.240.49
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.253.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.240.49
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.159
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.179
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.45.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.165.55
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.179
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.45.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.165.55
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.173.73
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.173.73
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.173.73
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.61.253

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39258
Source: unknown	Network traffic detected: HTTP traffic on port 39258 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 912, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 918, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 4331, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6250, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6297, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6299, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6301, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6302, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6306, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ppid/proc/net/tcp/proc/self/exe/proc//status/fd//dev/null/dev/consolesocket05/proc/%d/exepkillkillkillallechowgetcurlpsbusyboxiptablesrebootshutdownhaltpoweroffinitsystemctltelinitcatgrepshashbashzshcshkshdashfish

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 912, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 918, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 4331, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6250, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6297, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6299, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6301, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6302, result: successful	Jump to behavior
Source: /tmp/Kloki.arm4.elf (PID: 6275)	SIGKILL sent: pid: 6306, result: successful	Jump to behavior

Source: classification engine

Classification label: mal60.spre.linELF@0/0@1/0

Source: /tmp/Kloki.arm4.elf (PID: 6269)

Queries kernel information via 'uname':

Jump to behavior

Source: Kloki.arm4.elf, 6269.1.00007ffdcfc93000.00007ffdcfcb4000.rw-.sdmp, Kloki.arm4.elf, 6271.1.00007ffdcfc93000.00007ffdcfcb4000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Kloki.arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kloki.arm4.elf
Source: Kloki.arm4.elf, 6269.1.000055d29601d000.000055d296192000.rw-.sdmp, Kloki.arm4.elf, 6271.1.000055d29601d000.000055d29614b000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: Kloki.arm4.elf, 6269.1.000055d29601d000.000055d296192000.rw-.sdmp, Kloki.arm4.elf, 6271.1.000055d29601d000.000055d29614b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Kloki.arm4.elf, 6269.1.00007ffdcfc93000.00007ffdcfcb4000.rw-.sdmp, Kloki.arm4.elf, 6271.1.00007ffdcfc93000.00007ffdcfcb4000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Kloki.arm4.elf	38%	Virustotal		Browse
Kloki.arm4.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.171.53	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.20.65	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.166.174	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.226.14	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.78.142	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.149.134	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.165.55	unknown	Bulgaria	31037	WAVENETLB	false
83.222.206.8	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.180.159	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.116.4	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.173.73	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.68.227	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
83.222.251.5	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.163.194	unknown	Bulgaria	31037	WAVENETLB	false
83.222.163.195	unknown	Bulgaria	31037	WAVENETLB	false
83.222.69.29	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.233.53	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.203.69	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.9.187	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.6.129	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.220.209	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.215.5	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.255.142	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.199.151	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.164.6	unknown	Bulgaria	31037	WAVENETLB	false
83.222.80.148	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.222.12	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.133.221	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.81.101	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.174.68	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.42.32	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.227.182	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.112.184	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.207.75	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.92.93	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.95.169	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.253.144	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.52.36	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.144.97	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.61.253	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.158.150	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.80.179	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
83.222.32.27	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.175.31	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.45.242	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.183.146	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
83.222.162.242	unknown	Bulgaria	31037	WAVENETLB	false
83.222.240.49	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.251.105	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.8.97	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.114.40	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.57.206	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.176.201	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.180.129	unknown	Bulgaria	205872	EXTRANET-ASBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
83.222.199.151	Kloki.spc.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	Kloki.arm6.elf	Get hash	malicious	Unknown	Browse
	loki.x86.elf	Get hash	malicious	Unknown	Browse
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse
	loki.arm7.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	loki.arc.elf	Get hash	malicious	Unknown	Browse
	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse
	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.90
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GCN-ASGCNAD-SofiaBulgariaBG	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.176.96
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.177.55
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.177.55
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.174.216
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.175.167
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.176.33
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.177.157
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.173.11
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.166.158
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.169.136
GCN-ASGCNAD-SofiaBulgariaBG	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.176.96
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.177.55
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.177.55
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.174.216
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.175.167
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.176.33
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.177.157
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.173.11
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.166.158
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.169.136
MASTERHOST-ASMoscowRussiaRU	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.20.238
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.23.89
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.23.89
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.31.69
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.9.65
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.28.56
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.9.29
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.15.96
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.17.204
	loki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.5.145

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.058865395639803
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Kloki.arm4.elf
File size:	66'908 bytes
MD5:	cdb33d02d278650cf9471987e8381ed1
SHA1:	c9c031a687931d46bf7f826ada46708a85b8656c
SHA256:	81fa7637ba78c674c4742411f3aece085bb8b3452a9b9ac8fcbd4d86472b333e
SHA512:	7cd136a23fb25da336564fc73b96d2c0f3b50dbbb70d779cb57d57fbf76ab00602e13b1240e823e6f4162392b09be615c02573b7c539444035aeb925f39c511f
SSDEEP:	1536:4oW+Gx/9AHr6IfuW3WS7YdL/QzyEwSK8vnL:pW+GFIfn3F7YdkDwinL
TLSH:	57632981BD815A17C6D412BBFB6E428C372723A8D2DB7217DD226F11378A92F0D77642
File Content Preview:	.ELF...a..........(.........4...........4. ...(..........................................................5..........Q.td..................................-...L."...b:..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	66508
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xe9c0	0x0	0x6	AX	16
.fini	PROGBITS	0x16a70	0xea70	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x16a84	0xea84	0x1320	0x0	0x2	A	4
.ctors	PROGBITS	0x18000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x18008	0x10008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x18014	0x10014	0x378	0x0	0x3	WA	4
.bss	NOBITS	0x1838c	0x1038c	0x3174	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1038c	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xfda4	0xfda4	6.1233	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x10000	0x18000	0x18000	0x38c	0x3500	2.8004	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-19T03:52:25.208492+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.23	42666	TCP

Network Port Distribution

Total Packets: 136
• 13566 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:52:24.872473955 CET	51792	13566	192.168.2.23	83.222.251.105
Jan 19, 2025 03:52:24.877542973 CET	13566	51792	83.222.251.105	192.168.2.23
Jan 19, 2025 03:52:24.877618074 CET	51792	13566	192.168.2.23	83.222.251.105
Jan 19, 2025 03:52:24.877837896 CET	41942	13566	192.168.2.23	83.222.52.36
Jan 19, 2025 03:52:24.882673979 CET	13566	41942	83.222.52.36	192.168.2.23
Jan 19, 2025 03:52:24.882725954 CET	41942	13566	192.168.2.23	83.222.52.36
Jan 19, 2025 03:52:24.886008024 CET	41942	13566	192.168.2.23	83.222.52.36
Jan 19, 2025 03:52:24.890846014 CET	13566	41942	83.222.52.36	192.168.2.23
Jan 19, 2025 03:52:24.891000032 CET	41942	13566	192.168.2.23	83.222.52.36
Jan 19, 2025 03:52:24.904104948 CET	56814	13566	192.168.2.23	83.222.175.31
Jan 19, 2025 03:52:24.907350063 CET	47794	13566	192.168.2.23	83.222.255.142
Jan 19, 2025 03:52:24.908962011 CET	13566	56814	83.222.175.31	192.168.2.23
Jan 19, 2025 03:52:24.909012079 CET	56814	13566	192.168.2.23	83.222.175.31
Jan 19, 2025 03:52:24.912256002 CET	13566	47794	83.222.255.142	192.168.2.23
Jan 19, 2025 03:52:24.912339926 CET	47794	13566	192.168.2.23	83.222.255.142
Jan 19, 2025 03:52:24.922178984 CET	47794	13566	192.168.2.23	83.222.255.142
Jan 19, 2025 03:52:24.927011013 CET	13566	47794	83.222.255.142	192.168.2.23
Jan 19, 2025 03:52:24.927025080 CET	13566	47794	83.222.255.142	192.168.2.23
Jan 19, 2025 03:52:24.927066088 CET	47794	13566	192.168.2.23	83.222.255.142
Jan 19, 2025 03:52:24.948527098 CET	47886	13566	192.168.2.23	83.222.162.242
Jan 19, 2025 03:52:24.950326920 CET	42100	13566	192.168.2.23	83.222.9.187
Jan 19, 2025 03:52:24.952213049 CET	53900	13566	192.168.2.23	83.222.164.6
Jan 19, 2025 03:52:24.953437090 CET	13566	47886	83.222.162.242	192.168.2.23
Jan 19, 2025 03:52:24.953496933 CET	47886	13566	192.168.2.23	83.222.162.242
Jan 19, 2025 03:52:24.955208063 CET	13566	42100	83.222.9.187	192.168.2.23
Jan 19, 2025 03:52:24.955260992 CET	42100	13566	192.168.2.23	83.222.9.187
Jan 19, 2025 03:52:24.955837011 CET	41096	13566	192.168.2.23	83.222.80.148
Jan 19, 2025 03:52:24.957076073 CET	13566	53900	83.222.164.6	192.168.2.23
Jan 19, 2025 03:52:24.957128048 CET	53900	13566	192.168.2.23	83.222.164.6
Jan 19, 2025 03:52:24.959120989 CET	36022	13566	192.168.2.23	83.222.206.8
Jan 19, 2025 03:52:24.960822105 CET	13566	41096	83.222.80.148	192.168.2.23
Jan 19, 2025 03:52:24.960891008 CET	41096	13566	192.168.2.23	83.222.80.148
Jan 19, 2025 03:52:24.962544918 CET	36996	13566	192.168.2.23	83.222.163.195
Jan 19, 2025 03:52:24.964000940 CET	13566	36022	83.222.206.8	192.168.2.23
Jan 19, 2025 03:52:24.964055061 CET	36022	13566	192.168.2.23	83.222.206.8
Jan 19, 2025 03:52:24.965857029 CET	48536	13566	192.168.2.23	83.222.69.29
Jan 19, 2025 03:52:24.967407942 CET	13566	36996	83.222.163.195	192.168.2.23
Jan 19, 2025 03:52:24.967463017 CET	36996	13566	192.168.2.23	83.222.163.195
Jan 19, 2025 03:52:24.969419956 CET	53818	13566	192.168.2.23	83.222.199.151
Jan 19, 2025 03:52:24.970741987 CET	13566	48536	83.222.69.29	192.168.2.23
Jan 19, 2025 03:52:24.970791101 CET	48536	13566	192.168.2.23	83.222.69.29
Jan 19, 2025 03:52:24.972165108 CET	49040	13566	192.168.2.23	83.222.112.184
Jan 19, 2025 03:52:24.974307060 CET	13566	53818	83.222.199.151	192.168.2.23
Jan 19, 2025 03:52:24.974361897 CET	53818	13566	192.168.2.23	83.222.199.151
Jan 19, 2025 03:52:24.976465940 CET	49630	13566	192.168.2.23	83.222.171.53
Jan 19, 2025 03:52:24.977154016 CET	13566	49040	83.222.112.184	192.168.2.23
Jan 19, 2025 03:52:24.977202892 CET	49040	13566	192.168.2.23	83.222.112.184
Jan 19, 2025 03:52:24.980680943 CET	47014	13566	192.168.2.23	83.222.149.134
Jan 19, 2025 03:52:24.981283903 CET	13566	49630	83.222.171.53	192.168.2.23
Jan 19, 2025 03:52:24.981336117 CET	49630	13566	192.168.2.23	83.222.171.53
Jan 19, 2025 03:52:24.983352900 CET	52028	13566	192.168.2.23	83.222.253.144
Jan 19, 2025 03:52:24.985532999 CET	13566	47014	83.222.149.134	192.168.2.23
Jan 19, 2025 03:52:24.985589981 CET	47014	13566	192.168.2.23	83.222.149.134
Jan 19, 2025 03:52:24.985773087 CET	54016	13566	192.168.2.23	83.222.240.49
Jan 19, 2025 03:52:24.987670898 CET	58248	13566	192.168.2.23	83.222.180.159
Jan 19, 2025 03:52:24.988219976 CET	13566	52028	83.222.253.144	192.168.2.23
Jan 19, 2025 03:52:24.988274097 CET	52028	13566	192.168.2.23	83.222.253.144
Jan 19, 2025 03:52:24.990603924 CET	13566	54016	83.222.240.49	192.168.2.23
Jan 19, 2025 03:52:24.990674019 CET	54016	13566	192.168.2.23	83.222.240.49
Jan 19, 2025 03:52:24.992676020 CET	13566	58248	83.222.180.159	192.168.2.23
Jan 19, 2025 03:52:24.992734909 CET	58248	13566	192.168.2.23	83.222.180.159
Jan 19, 2025 03:52:24.993937969 CET	39632	13566	192.168.2.23	83.222.80.179
Jan 19, 2025 03:52:24.995594025 CET	52934	13566	192.168.2.23	83.222.45.242
Jan 19, 2025 03:52:24.996824026 CET	37852	13566	192.168.2.23	83.222.165.55
Jan 19, 2025 03:52:24.998838902 CET	13566	39632	83.222.80.179	192.168.2.23
Jan 19, 2025 03:52:24.998953104 CET	39632	13566	192.168.2.23	83.222.80.179
Jan 19, 2025 03:52:25.000466108 CET	13566	52934	83.222.45.242	192.168.2.23
Jan 19, 2025 03:52:25.000574112 CET	52934	13566	192.168.2.23	83.222.45.242
Jan 19, 2025 03:52:25.001679897 CET	13566	37852	83.222.165.55	192.168.2.23
Jan 19, 2025 03:52:25.001766920 CET	37852	13566	192.168.2.23	83.222.165.55
Jan 19, 2025 03:52:25.004606009 CET	38578	13566	192.168.2.23	83.222.173.73
Jan 19, 2025 03:52:25.009834051 CET	13566	38578	83.222.173.73	192.168.2.23
Jan 19, 2025 03:52:25.009897947 CET	38578	13566	192.168.2.23	83.222.173.73
Jan 19, 2025 03:52:25.014877081 CET	38578	13566	192.168.2.23	83.222.173.73
Jan 19, 2025 03:52:25.015252113 CET	39060	13566	192.168.2.23	83.222.61.253
Jan 19, 2025 03:52:25.016130924 CET	50816	13566	192.168.2.23	83.222.222.12
Jan 19, 2025 03:52:25.019762993 CET	13566	38578	83.222.173.73	192.168.2.23
Jan 19, 2025 03:52:25.019823074 CET	38578	13566	192.168.2.23	83.222.173.73
Jan 19, 2025 03:52:25.020061970 CET	13566	39060	83.222.61.253	192.168.2.23
Jan 19, 2025 03:52:25.020139933 CET	39060	13566	192.168.2.23	83.222.61.253
Jan 19, 2025 03:52:25.020994902 CET	13566	50816	83.222.222.12	192.168.2.23
Jan 19, 2025 03:52:25.021044970 CET	50816	13566	192.168.2.23	83.222.222.12
Jan 19, 2025 03:52:25.032804012 CET	37168	13566	192.168.2.23	83.222.6.129
Jan 19, 2025 03:52:25.033679008 CET	57616	13566	192.168.2.23	83.222.207.75
Jan 19, 2025 03:52:25.034744024 CET	46602	13566	192.168.2.23	83.222.158.150
Jan 19, 2025 03:52:25.035636902 CET	55848	13566	192.168.2.23	83.222.226.14
Jan 19, 2025 03:52:25.036642075 CET	41186	13566	192.168.2.23	83.222.78.142
Jan 19, 2025 03:52:25.037655115 CET	13566	37168	83.222.6.129	192.168.2.23
Jan 19, 2025 03:52:25.037714005 CET	37168	13566	192.168.2.23	83.222.6.129
Jan 19, 2025 03:52:25.037946939 CET	39742	13566	192.168.2.23	83.222.68.227
Jan 19, 2025 03:52:25.038588047 CET	13566	57616	83.222.207.75	192.168.2.23
Jan 19, 2025 03:52:25.038640976 CET	57616	13566	192.168.2.23	83.222.207.75
Jan 19, 2025 03:52:25.039602041 CET	13566	46602	83.222.158.150	192.168.2.23
Jan 19, 2025 03:52:25.039654970 CET	46602	13566	192.168.2.23	83.222.158.150
Jan 19, 2025 03:52:25.039938927 CET	58198	13566	192.168.2.23	83.222.20.65
Jan 19, 2025 03:52:25.040489912 CET	13566	55848	83.222.226.14	192.168.2.23
Jan 19, 2025 03:52:25.040546894 CET	55848	13566	192.168.2.23	83.222.226.14
Jan 19, 2025 03:52:25.042479038 CET	13566	41186	83.222.78.142	192.168.2.23
Jan 19, 2025 03:52:25.042612076 CET	41186	13566	192.168.2.23	83.222.78.142
Jan 19, 2025 03:52:25.043443918 CET	13566	39742	83.222.68.227	192.168.2.23
Jan 19, 2025 03:52:25.043500900 CET	39742	13566	192.168.2.23	83.222.68.227
Jan 19, 2025 03:52:25.044719934 CET	13566	58198	83.222.20.65	192.168.2.23
Jan 19, 2025 03:52:25.044806004 CET	58198	13566	192.168.2.23	83.222.20.65
Jan 19, 2025 03:52:25.044836998 CET	58198	13566	192.168.2.23	83.222.20.65
Jan 19, 2025 03:52:25.045377970 CET	51724	13566	192.168.2.23	83.222.116.4
Jan 19, 2025 03:52:25.047287941 CET	36030	13566	192.168.2.23	83.222.114.40
Jan 19, 2025 03:52:25.049860001 CET	13566	58198	83.222.20.65	192.168.2.23
Jan 19, 2025 03:52:25.049916983 CET	58198	13566	192.168.2.23	83.222.20.65
Jan 19, 2025 03:52:25.050255060 CET	13566	51724	83.222.116.4	192.168.2.23
Jan 19, 2025 03:52:25.050379038 CET	51724	13566	192.168.2.23	83.222.116.4
Jan 19, 2025 03:52:25.052167892 CET	13566	36030	83.222.114.40	192.168.2.23
Jan 19, 2025 03:52:25.052232027 CET	36030	13566	192.168.2.23	83.222.114.40
Jan 19, 2025 03:52:25.076719999 CET	33484	13566	192.168.2.23	83.222.163.194
Jan 19, 2025 03:52:25.081656933 CET	13566	33484	83.222.163.194	192.168.2.23
Jan 19, 2025 03:52:25.081731081 CET	33484	13566	192.168.2.23	83.222.163.194
Jan 19, 2025 03:52:25.085426092 CET	46334	13566	192.168.2.23	83.222.220.209
Jan 19, 2025 03:52:25.090270042 CET	13566	46334	83.222.220.209	192.168.2.23
Jan 19, 2025 03:52:25.090326071 CET	46334	13566	192.168.2.23	83.222.220.209
Jan 19, 2025 03:52:25.090682983 CET	46334	13566	192.168.2.23	83.222.220.209
Jan 19, 2025 03:52:25.092812061 CET	48646	13566	192.168.2.23	83.222.180.129
Jan 19, 2025 03:52:25.093123913 CET	39258	443	192.168.2.23	34.249.145.219
Jan 19, 2025 03:52:25.095555067 CET	13566	46334	83.222.220.209	192.168.2.23
Jan 19, 2025 03:52:25.095616102 CET	46334	13566	192.168.2.23	83.222.220.209
Jan 19, 2025 03:52:25.097728968 CET	13566	48646	83.222.180.129	192.168.2.23
Jan 19, 2025 03:52:25.097800970 CET	48646	13566	192.168.2.23	83.222.180.129
Jan 19, 2025 03:52:25.110728979 CET	48646	13566	192.168.2.23	83.222.180.129
Jan 19, 2025 03:52:25.115633965 CET	13566	48646	83.222.180.129	192.168.2.23
Jan 19, 2025 03:52:25.115708113 CET	48646	13566	192.168.2.23	83.222.180.129
Jan 19, 2025 03:52:25.130090952 CET	34484	13566	192.168.2.23	83.222.8.97
Jan 19, 2025 03:52:25.133135080 CET	53500	13566	192.168.2.23	83.222.203.69
Jan 19, 2025 03:52:25.135071039 CET	13566	34484	83.222.8.97	192.168.2.23
Jan 19, 2025 03:52:25.135139942 CET	34484	13566	192.168.2.23	83.222.8.97
Jan 19, 2025 03:52:25.138011932 CET	13566	53500	83.222.203.69	192.168.2.23
Jan 19, 2025 03:52:25.138070107 CET	53500	13566	192.168.2.23	83.222.203.69
Jan 19, 2025 03:52:25.138967991 CET	443	39258	34.249.145.219	192.168.2.23
Jan 19, 2025 03:52:25.142231941 CET	55874	13566	192.168.2.23	83.222.95.169
Jan 19, 2025 03:52:25.145289898 CET	49306	13566	192.168.2.23	83.222.81.101
Jan 19, 2025 03:52:25.147084951 CET	13566	55874	83.222.95.169	192.168.2.23
Jan 19, 2025 03:52:25.147134066 CET	55874	13566	192.168.2.23	83.222.95.169
Jan 19, 2025 03:52:25.147329092 CET	38758	13566	192.168.2.23	83.222.42.32
Jan 19, 2025 03:52:25.149277925 CET	58324	13566	192.168.2.23	83.222.176.201
Jan 19, 2025 03:52:25.150109053 CET	13566	49306	83.222.81.101	192.168.2.23
Jan 19, 2025 03:52:25.150152922 CET	49306	13566	192.168.2.23	83.222.81.101
Jan 19, 2025 03:52:25.151361942 CET	49234	13566	192.168.2.23	83.222.183.146
Jan 19, 2025 03:52:25.152211905 CET	13566	38758	83.222.42.32	192.168.2.23
Jan 19, 2025 03:52:25.152262926 CET	38758	13566	192.168.2.23	83.222.42.32
Jan 19, 2025 03:52:25.153505087 CET	51476	13566	192.168.2.23	83.222.215.5
Jan 19, 2025 03:52:25.154180050 CET	13566	58324	83.222.176.201	192.168.2.23
Jan 19, 2025 03:52:25.154221058 CET	58324	13566	192.168.2.23	83.222.176.201
Jan 19, 2025 03:52:25.155220032 CET	52508	13566	192.168.2.23	83.222.32.27
Jan 19, 2025 03:52:25.156255007 CET	13566	49234	83.222.183.146	192.168.2.23
Jan 19, 2025 03:52:25.156315088 CET	49234	13566	192.168.2.23	83.222.183.146
Jan 19, 2025 03:52:25.156992912 CET	60404	13566	192.168.2.23	83.222.233.53
Jan 19, 2025 03:52:25.158318043 CET	13566	51476	83.222.215.5	192.168.2.23
Jan 19, 2025 03:52:25.158365965 CET	51476	13566	192.168.2.23	83.222.215.5
Jan 19, 2025 03:52:25.160010099 CET	13566	52508	83.222.32.27	192.168.2.23
Jan 19, 2025 03:52:25.160067081 CET	52508	13566	192.168.2.23	83.222.32.27
Jan 19, 2025 03:52:25.161784887 CET	13566	60404	83.222.233.53	192.168.2.23
Jan 19, 2025 03:52:25.161842108 CET	60404	13566	192.168.2.23	83.222.233.53
Jan 19, 2025 03:52:25.162614107 CET	42506	13566	192.168.2.23	83.222.92.93
Jan 19, 2025 03:52:25.164938927 CET	56520	13566	192.168.2.23	83.222.57.206
Jan 19, 2025 03:52:25.167512894 CET	13566	42506	83.222.92.93	192.168.2.23
Jan 19, 2025 03:52:25.167572021 CET	42506	13566	192.168.2.23	83.222.92.93
Jan 19, 2025 03:52:25.169743061 CET	13566	56520	83.222.57.206	192.168.2.23
Jan 19, 2025 03:52:25.169792891 CET	56520	13566	192.168.2.23	83.222.57.206
Jan 19, 2025 03:52:25.171066999 CET	55628	13566	192.168.2.23	83.222.133.221
Jan 19, 2025 03:52:25.175962925 CET	13566	55628	83.222.133.221	192.168.2.23
Jan 19, 2025 03:52:25.176024914 CET	55628	13566	192.168.2.23	83.222.133.221
Jan 19, 2025 03:52:25.176373959 CET	43072	13566	192.168.2.23	83.222.144.97
Jan 19, 2025 03:52:25.178447962 CET	36576	13566	192.168.2.23	83.222.174.68
Jan 19, 2025 03:52:25.181197882 CET	13566	43072	83.222.144.97	192.168.2.23
Jan 19, 2025 03:52:25.181215048 CET	54438	13566	192.168.2.23	83.222.227.182
Jan 19, 2025 03:52:25.181248903 CET	43072	13566	192.168.2.23	83.222.144.97
Jan 19, 2025 03:52:25.183296919 CET	13566	36576	83.222.174.68	192.168.2.23
Jan 19, 2025 03:52:25.183342934 CET	36576	13566	192.168.2.23	83.222.174.68
Jan 19, 2025 03:52:25.183703899 CET	37320	13566	192.168.2.23	83.222.166.174
Jan 19, 2025 03:52:25.185789108 CET	58710	13566	192.168.2.23	83.222.251.5
Jan 19, 2025 03:52:25.186075926 CET	13566	54438	83.222.227.182	192.168.2.23
Jan 19, 2025 03:52:25.186125994 CET	54438	13566	192.168.2.23	83.222.227.182
Jan 19, 2025 03:52:25.188524961 CET	13566	37320	83.222.166.174	192.168.2.23
Jan 19, 2025 03:52:25.188575983 CET	37320	13566	192.168.2.23	83.222.166.174
Jan 19, 2025 03:52:25.190644979 CET	13566	58710	83.222.251.5	192.168.2.23
Jan 19, 2025 03:52:25.190706968 CET	58710	13566	192.168.2.23	83.222.251.5
Jan 19, 2025 03:52:25.203547001 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:25.208492041 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:52:25.208563089 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:25.214273930 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:25.219173908 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:52:25.219228983 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:25.224085093 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:52:35.222944975 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:35.228728056 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:52:35.434390068 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:52:35.434568882 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:35.809431076 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:52:35.809494972 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:52:37.067358971 CET	443	39258	34.249.145.219	192.168.2.23
Jan 19, 2025 03:52:37.067528009 CET	39258	443	192.168.2.23	34.249.145.219
Jan 19, 2025 03:52:41.026026011 CET	42516	80	192.168.2.23	109.202.202.202
Jan 19, 2025 03:52:43.073879957 CET	43928	443	192.168.2.23	91.189.91.42
Jan 19, 2025 03:53:24.027992964 CET	43928	443	192.168.2.23	91.189.91.42
Jan 19, 2025 03:53:35.854701042 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:53:35.861358881 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:53:36.053762913 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:53:36.054265976 CET	42666	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 03:53:36.809412003 CET	13566	42666	83.222.191.90	192.168.2.23
Jan 19, 2025 03:53:36.809848070 CET	42666	13566	192.168.2.23	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:52:25.191862106 CET	50287	53	192.168.2.23	8.8.8.8
Jan 19, 2025 03:52:25.201950073 CET	53	50287	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2025 03:52:25.191862106 CET	192.168.2.23	8.8.8.8	0x82b2	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2025 03:52:25.201950073 CET	8.8.8.8	192.168.2.23	0x82b2	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: Kloki.arm4.elf PID: 6269, Parent PID: 6190

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	/tmp/Kloki.arm4.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 6271, Parent PID: 6269

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Thread Sleep

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 6273, Parent PID: 6269

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 6275, Parent PID: 6273

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/tmp/Kloki.arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

File Activities

File Opened

Directory Enumerated

Process Activities

Signal Sent

Thread Sleep

Chronological Activities

Analysis Process: gnome-session-binary PID: 6297, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6297, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sharing
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gsd-sharing PID: 6297, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gsd-sharing
Arguments:	/usr/libexec/gsd-sharing
File size:	35424 bytes
MD5 hash:	e29d9025d98590fbb69f89fdbd4438b3

File Activities

File Opened

Chronological Activities

Analysis Process: gnome-session-binary PID: 6299, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6299, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/bin/gnome-shell
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: gnome-session-binary PID: 6301, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6301, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gsd-print-notifications PID: 6301, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gsd-print-notifications
Arguments:	/usr/libexec/gsd-print-notifications
File size:	51840 bytes
MD5 hash:	71539698aa691718cee775d6b9450ae2

File Activities

File Opened

Chronological Activities

Analysis Process: gnome-session-binary PID: 6302, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 6302, Parent PID: 1477

General

Start time (UTC):	02:52:24
Start date (UTC):	19/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: gdm3 PID: 6305, Parent PID: 1320

General

Start time (UTC):	02:52:25
Start date (UTC):	19/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: Default PID: 6305, Parent PID: 1320

General

Start time (UTC):	02:52:25
Start date (UTC):	19/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: gdm3 PID: 6306, Parent PID: 1320

General

Start time (UTC):	02:52:25
Start date (UTC):	19/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: Default PID: 6306, Parent PID: 1320

General

Start time (UTC):	02:52:25
Start date (UTC):	19/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Kloki.arm4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: Kloki.arm4.elf PID: 6269, Parent PID: 6190

General

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: Kloki.arm4.elf PID: 6271, Parent PID: 6269

General

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Linux Analysis Report
Kloki.arm4.elf