Edit tour

Linux Analysis Report
dbg.x86.elf

Overview

General Information

Sample name:	dbg.x86.elf
Analysis ID:	1594540
MD5:	2280f52b2b40424d0a9fec0670ee06c5
SHA1:	9e2f7d98dd4fe048bffb843b1bd76aa1e37aad4d
SHA256:	9790ae1ce87543c28c70365f2cdef970f5d426aee8cc24756f20a771123f9274
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Suricata IDS alerts with low severity for network traffic

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1594540
Start date and time:	2025-01-19 06:02:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	dbg.x86.elf
Detection:	MAL
Classification:	mal60.linELF@0/0@1/0

Runtime Messages

Command:	/tmp/dbg.x86.elf
PID:	6233
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:	suka
Standard Error:

Process Tree

system is lnxubuntu20

dbg.x86.elf (PID: 6233, Parent: 6159, MD5: 2280f52b2b40424d0a9fec0670ee06c5) Arguments: /tmp/dbg.x86.elf

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dbg.x86.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4a40:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
dbg.x86.elf	Linux_Trojan_Mirai_449937aa	unknown	unknown	0xb8fa:$a: 00 00 5B 72 65 73 6F 6C 76 5D 20 46 6F 75 6E 64 20 49 50 20
dbg.x86.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6652:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
dbg.x86.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x96fe:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
dbg.x86.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x8059:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
dbg.x86.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6622:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6233.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4a40:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6233.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_449937aa	unknown	unknown	0xb8fa:$a: 00 00 5B 72 65 73 6F 6C 76 5D 20 46 6F 75 6E 64 20 49 50 20
6233.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x6652:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6233.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x96fe:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6233.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x8059:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6233.1.0000000008048000.0000000008055000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x6622:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 1 entries

Suricata Signatures

ET COMPROMISED Known Compromised or Hostile Host Traffic group 18

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-19T06:02:56.644016+0100	2500034	2	Misc Attack	83.222.191.90	13566	192.168.2.23	42660	TCP

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dbg.x86.elf

ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: dbg.x86.elf

Joe Sandbox ML: detected

Source: global traffic	TCP traffic: 192.168.2.23:40460 -> 83.222.206.100:13566
Source: global traffic	TCP traffic: 192.168.2.23:40844 -> 83.222.167.34:13566
Source: global traffic	TCP traffic: 192.168.2.23:52604 -> 83.222.132.243:13566
Source: global traffic	TCP traffic: 192.168.2.23:52986 -> 83.222.199.28:13566
Source: global traffic	TCP traffic: 192.168.2.23:41996 -> 83.222.110.84:13566
Source: global traffic	TCP traffic: 192.168.2.23:41762 -> 83.222.31.67:13566
Source: global traffic	TCP traffic: 192.168.2.23:54718 -> 83.222.242.183:13566
Source: global traffic	TCP traffic: 192.168.2.23:34044 -> 83.222.213.24:13566
Source: global traffic	TCP traffic: 192.168.2.23:33198 -> 83.222.93.228:13566
Source: global traffic	TCP traffic: 192.168.2.23:45950 -> 83.222.39.108:13566
Source: global traffic	TCP traffic: 192.168.2.23:33162 -> 83.222.24.252:13566
Source: global traffic	TCP traffic: 192.168.2.23:55886 -> 83.222.111.126:13566
Source: global traffic	TCP traffic: 192.168.2.23:48440 -> 83.222.4.90:13566
Source: global traffic	TCP traffic: 192.168.2.23:34670 -> 83.222.190.70:13566
Source: global traffic	TCP traffic: 192.168.2.23:47366 -> 83.222.235.251:13566
Source: global traffic	TCP traffic: 192.168.2.23:52754 -> 83.222.96.67:13566
Source: global traffic	TCP traffic: 192.168.2.23:49112 -> 83.222.8.82:13566
Source: global traffic	TCP traffic: 192.168.2.23:39544 -> 83.222.251.119:13566
Source: global traffic	TCP traffic: 192.168.2.23:41964 -> 83.222.166.26:13566
Source: global traffic	TCP traffic: 192.168.2.23:54714 -> 83.222.186.43:13566
Source: global traffic	TCP traffic: 192.168.2.23:47274 -> 83.222.13.130:13566
Source: global traffic	TCP traffic: 192.168.2.23:46790 -> 83.222.71.125:13566
Source: global traffic	TCP traffic: 192.168.2.23:46312 -> 83.222.156.230:13566
Source: global traffic	TCP traffic: 192.168.2.23:37324 -> 83.222.0.75:13566
Source: global traffic	TCP traffic: 192.168.2.23:57670 -> 83.222.100.52:13566
Source: global traffic	TCP traffic: 192.168.2.23:39900 -> 83.222.185.34:13566
Source: global traffic	TCP traffic: 192.168.2.23:41632 -> 83.222.122.164:13566
Source: global traffic	TCP traffic: 192.168.2.23:41118 -> 83.222.16.53:13566
Source: global traffic	TCP traffic: 192.168.2.23:42648 -> 83.222.158.172:13566
Source: global traffic	TCP traffic: 192.168.2.23:56192 -> 83.222.215.213:13566
Source: global traffic	TCP traffic: 192.168.2.23:52406 -> 83.222.29.162:13566
Source: global traffic	TCP traffic: 192.168.2.23:33630 -> 83.222.27.254:13566
Source: global traffic	TCP traffic: 192.168.2.23:47482 -> 83.222.239.36:13566
Source: global traffic	TCP traffic: 192.168.2.23:43916 -> 83.222.80.234:13566
Source: global traffic	TCP traffic: 192.168.2.23:41996 -> 83.222.155.246:13566
Source: global traffic	TCP traffic: 192.168.2.23:57484 -> 83.222.5.85:13566
Source: global traffic	TCP traffic: 192.168.2.23:46504 -> 83.222.33.18:13566
Source: global traffic	TCP traffic: 192.168.2.23:60560 -> 83.222.215.105:13566
Source: global traffic	TCP traffic: 192.168.2.23:56270 -> 83.222.143.215:13566
Source: global traffic	TCP traffic: 192.168.2.23:41292 -> 83.222.180.102:13566
Source: global traffic	TCP traffic: 192.168.2.23:34098 -> 83.222.172.24:13566
Source: global traffic	TCP traffic: 192.168.2.23:44754 -> 83.222.154.101:13566
Source: global traffic	TCP traffic: 192.168.2.23:43502 -> 83.222.58.21:13566
Source: global traffic	TCP traffic: 192.168.2.23:55292 -> 83.222.9.88:13566
Source: global traffic	TCP traffic: 192.168.2.23:49932 -> 83.222.183.25:13566
Source: global traffic	TCP traffic: 192.168.2.23:36440 -> 83.222.141.85:13566
Source: global traffic	TCP traffic: 192.168.2.23:43412 -> 83.222.197.169:13566
Source: global traffic	TCP traffic: 192.168.2.23:52702 -> 83.222.83.181:13566
Source: global traffic	TCP traffic: 192.168.2.23:49346 -> 83.222.205.163:13566
Source: global traffic	TCP traffic: 192.168.2.23:35368 -> 83.222.159.104:13566
Source: global traffic	TCP traffic: 192.168.2.23:55526 -> 83.222.153.164:13566
Source: global traffic	TCP traffic: 192.168.2.23:55242 -> 83.222.189.187:13566
Source: global traffic	TCP traffic: 192.168.2.23:55586 -> 83.222.183.149:13566
Source: global traffic	TCP traffic: 192.168.2.23:38634 -> 83.222.36.70:13566
Source: global traffic	TCP traffic: 192.168.2.23:59024 -> 83.222.108.216:13566
Source: global traffic	TCP traffic: 192.168.2.23:46068 -> 83.222.173.25:13566
Source: global traffic	TCP traffic: 192.168.2.23:42660 -> 83.222.191.90:13566

Source: Network traffic

Suricata IDS: 2500034 - Severity 2 - ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 : 83.222.191.90:13566 -> 192.168.2.23:42660

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.206.100
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.167.34
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.132.243
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.199.28
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.242.183
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.213.24
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.93.228
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.39.108
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.24.252
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.111.126
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.4.90
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.190.70
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.235.251
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.96.67
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.8.82
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.251.119
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.166.26
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.186.43
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.13.130
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.71.125
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.156.230
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.0.75
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.100.52
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.185.34
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.122.164
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.16.53
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.158.172
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.215.213
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.29.162
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.239.36
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.80.234
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.155.246
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.5.85
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.33.18
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.215.105
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.143.215
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.180.102
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.172.24
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.154.101
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.58.21
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.9.88
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.183.25
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.141.85
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.197.169
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.83.181
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.205.163
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.159.104
Source: unknown	TCP traffic detected without corresponding DNS query: 83.222.153.164

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_449937aa Author: unknown
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_449937aa Author: unknown
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_449937aa reference_sample = 6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = cf2c6b86830099f039b41aeaafbffedfb8294a1124c499e99a11f48a06cd1dfd, id = 449937aa-682a-4906-89ab-80d7127e461e, last_modified = 2021-09-16
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: dbg.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_449937aa reference_sample = 6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = cf2c6b86830099f039b41aeaafbffedfb8294a1124c499e99a11f48a06cd1dfd, id = 449937aa-682a-4906-89ab-80d7127e461e, last_modified = 2021-09-16
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6233.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal60.linELF@0/0@1/0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dbg.x86.elf	29%	ReversingLabs	Linux.Backdoor.Gafgyt
dbg.x86.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.90	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.206.100	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.172.24	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.100.52	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.167.34	unknown	Bulgaria	49040	KIG-UNISAT-TVBG	false
83.222.141.85	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.24.252	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.155.246	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.158.172	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.80.234	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.166.26	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.33.18	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.122.164	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.215.105	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.251.119	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.199.28	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
83.222.173.25	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.8.82	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.153.164	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.96.67	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.183.25	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.186.43	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.93.228	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.185.34	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.39.108	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.156.230	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.197.169	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.159.104	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.71.125	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.239.36	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.9.88	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.213.24	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.215.213	unknown	Russian Federation	25159	SONICDUO-ASRU	false
83.222.0.75	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.111.126	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.5.85	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.189.187	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.36.70	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.180.102	unknown	Bulgaria	205872	EXTRANET-ASBG	false
83.222.190.70	unknown	Bulgaria	43561	NET1-ASBG	false
83.222.58.21	unknown	Luxembourg	8632	LOL-ASluLU	false
83.222.205.163	unknown	Russian Federation	6854	SYNTERRA-ASRU	false
83.222.27.254	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.242.183	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.16.53	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.183.149	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
83.222.235.251	unknown	United Kingdom	13768	COGECO-PEER1CA	false
83.222.13.130	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.191.90	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
83.222.29.162	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.132.243	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
83.222.83.181	unknown	Russian Federation	16285	ASN-UMNTechnicheskayaStr18bYekaterinburgRussiaRU	false
83.222.31.67	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.154.101	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false
83.222.110.84	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.108.216	unknown	Russian Federation	42632	MNOGOBYTE-ASMoscowRussiaRU	false
83.222.4.90	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	false
83.222.143.215	unknown	Switzerland	31736	SENSELAN-ASsenseLANGmbHCH	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
83.222.96.67	Kloki.i686.elf	Get hash	malicious	Unknown	Browse
83.222.96.67	loki.x86.elf	Get hash	malicious	Unknown	Browse
91.189.91.43	mips.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	45.11.229.95-boatnet.arc-2025-01-19T02_22_30.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	Kloki.mpsl.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	Kloki.arm6.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	mips.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	45.11.229.95-boatnet.x86-2025-01-19T02_22_29.elf	Get hash	malicious	Mirai	Browse
	45.11.229.95-boatnet.arc-2025-01-19T02_22_30.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	Kloki.mpsl.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	Kloki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MNOGOBYTE-ASMoscowRussiaRU	Kloki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.102.164
	loki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.123.142
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.99.79
	loki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.123.192
	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.106.184
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.114.40
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.100.166
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.114.84
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.117.151
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.105.103
SYNTERRA-ASRU	Kloki.mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.211.141
	loki.arm5.elf	Get hash	malicious	Unknown	Browse	83.222.192.164
	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.203.223
	loki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.192.64
	loki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.195.117
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.207.75
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.192.22
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.204.106
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.204.106
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.210.211
KIG-UNISAT-TVBG	loki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.170.80
	loki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.172.206
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.167.50
	Kloki.i686.elf	Get hash	malicious	Unknown	Browse	83.222.160.160
	loki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.160.160
	Kloki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.170.174
	loki.mips.elf	Get hash	malicious	Unknown	Browse	83.222.172.220
	Kloki.sh4.elf	Get hash	malicious	Unknown	Browse	83.222.170.87
	loki.arm7.elf	Get hash	malicious	Mirai	Browse	83.222.160.209
	Kloki.ppc.elf	Get hash	malicious	Unknown	Browse	83.222.160.195

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.449727581119564
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	dbg.x86.elf
File size:	54'416 bytes
MD5:	2280f52b2b40424d0a9fec0670ee06c5
SHA1:	9e2f7d98dd4fe048bffb843b1bd76aa1e37aad4d
SHA256:	9790ae1ce87543c28c70365f2cdef970f5d426aee8cc24756f20a771123f9274
SHA512:	5274f1f18e4d841d4486225fe72df5f0138b66ad5d3eaef2629dc76037f9c8a1f835ba391595546fd61c01e31204a1f8e1fbb0e9e8cbc5136f4d022ea6ff27f8
SSDEEP:	1536:Dil8aOO2vwFTvapPSp5el5HzMVFnB7V6E8xdSm1f:DiWTO2vKvFp5evT2FB7kEMSSf
TLSH:	E1336CC19743D4F6EC5B09715037F3739AB2E03E0268DA93C3A9D632F853A51E61A28C
File Content Preview:	.ELF....................d...4...........4. ...(..............................................P...P.......'..........Q.td............................U..S.......w....h........[]...$.............U......=.R...t..5....$P.....$P......u........t....h.L..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	54016
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xb106	0x0	0x6	AX	16
.fini	PROGBITS	0x80531b6	0xb1b6	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x80531e0	0xb1e0	0x1adc	0x0	0x2	A	32
.ctors	PROGBITS	0x8055000	0xd000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8055008	0xd008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8055020	0xd020	0x2a0	0x0	0x3	WA	32
.bss	NOBITS	0x80552c0	0xd2c0	0x24c0	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xd2c0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xccbc	0xccbc	6.5482	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xd000	0x8055000	0x8055000	0x2c0	0x2780	3.5088	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-19T06:02:56.644016+0100	2500034	ET COMPROMISED Known Compromised or Hostile Host Traffic group 18	2	83.222.191.90	13566	192.168.2.23	42660	TCP

Network Port Distribution

Total Packets: 128
• 13566 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 06:02:56.628407001 CET	40460	13566	192.168.2.23	83.222.206.100
Jan 19, 2025 06:02:56.628428936 CET	40844	13566	192.168.2.23	83.222.167.34
Jan 19, 2025 06:02:56.628467083 CET	52604	13566	192.168.2.23	83.222.132.243
Jan 19, 2025 06:02:56.628470898 CET	52986	13566	192.168.2.23	83.222.199.28
Jan 19, 2025 06:02:56.628468990 CET	41996	13566	192.168.2.23	83.222.110.84
Jan 19, 2025 06:02:56.628468990 CET	41762	13566	192.168.2.23	83.222.31.67
Jan 19, 2025 06:02:56.628519058 CET	54718	13566	192.168.2.23	83.222.242.183
Jan 19, 2025 06:02:56.628523111 CET	34044	13566	192.168.2.23	83.222.213.24
Jan 19, 2025 06:02:56.628525972 CET	33198	13566	192.168.2.23	83.222.93.228
Jan 19, 2025 06:02:56.628571033 CET	45950	13566	192.168.2.23	83.222.39.108
Jan 19, 2025 06:02:56.628571033 CET	33162	13566	192.168.2.23	83.222.24.252
Jan 19, 2025 06:02:56.628567934 CET	55886	13566	192.168.2.23	83.222.111.126
Jan 19, 2025 06:02:56.628585100 CET	48440	13566	192.168.2.23	83.222.4.90
Jan 19, 2025 06:02:56.628585100 CET	34670	13566	192.168.2.23	83.222.190.70
Jan 19, 2025 06:02:56.628585100 CET	47366	13566	192.168.2.23	83.222.235.251
Jan 19, 2025 06:02:56.628603935 CET	52754	13566	192.168.2.23	83.222.96.67
Jan 19, 2025 06:02:56.628612995 CET	49112	13566	192.168.2.23	83.222.8.82
Jan 19, 2025 06:02:56.628637075 CET	39544	13566	192.168.2.23	83.222.251.119
Jan 19, 2025 06:02:56.628637075 CET	41964	13566	192.168.2.23	83.222.166.26
Jan 19, 2025 06:02:56.628654957 CET	54714	13566	192.168.2.23	83.222.186.43
Jan 19, 2025 06:02:56.628673077 CET	47274	13566	192.168.2.23	83.222.13.130
Jan 19, 2025 06:02:56.628679037 CET	46790	13566	192.168.2.23	83.222.71.125
Jan 19, 2025 06:02:56.628683090 CET	46312	13566	192.168.2.23	83.222.156.230
Jan 19, 2025 06:02:56.628694057 CET	37324	13566	192.168.2.23	83.222.0.75
Jan 19, 2025 06:02:56.628726959 CET	57670	13566	192.168.2.23	83.222.100.52
Jan 19, 2025 06:02:56.628731966 CET	39900	13566	192.168.2.23	83.222.185.34
Jan 19, 2025 06:02:56.628745079 CET	41632	13566	192.168.2.23	83.222.122.164
Jan 19, 2025 06:02:56.628777981 CET	41118	13566	192.168.2.23	83.222.16.53
Jan 19, 2025 06:02:56.628802061 CET	42648	13566	192.168.2.23	83.222.158.172
Jan 19, 2025 06:02:56.628802061 CET	56192	13566	192.168.2.23	83.222.215.213
Jan 19, 2025 06:02:56.628802061 CET	52406	13566	192.168.2.23	83.222.29.162
Jan 19, 2025 06:02:56.628806114 CET	33630	13566	192.168.2.23	83.222.27.254
Jan 19, 2025 06:02:56.628829002 CET	47482	13566	192.168.2.23	83.222.239.36
Jan 19, 2025 06:02:56.628833055 CET	43916	13566	192.168.2.23	83.222.80.234
Jan 19, 2025 06:02:56.628839970 CET	41996	13566	192.168.2.23	83.222.155.246
Jan 19, 2025 06:02:56.628866911 CET	57484	13566	192.168.2.23	83.222.5.85
Jan 19, 2025 06:02:56.628874063 CET	46504	13566	192.168.2.23	83.222.33.18
Jan 19, 2025 06:02:56.628882885 CET	60560	13566	192.168.2.23	83.222.215.105
Jan 19, 2025 06:02:56.628896952 CET	56270	13566	192.168.2.23	83.222.143.215
Jan 19, 2025 06:02:56.628920078 CET	41292	13566	192.168.2.23	83.222.180.102
Jan 19, 2025 06:02:56.628925085 CET	34098	13566	192.168.2.23	83.222.172.24
Jan 19, 2025 06:02:56.628931046 CET	44754	13566	192.168.2.23	83.222.154.101
Jan 19, 2025 06:02:56.628958941 CET	43502	13566	192.168.2.23	83.222.58.21
Jan 19, 2025 06:02:56.628959894 CET	55292	13566	192.168.2.23	83.222.9.88
Jan 19, 2025 06:02:56.628984928 CET	49932	13566	192.168.2.23	83.222.183.25
Jan 19, 2025 06:02:56.628985882 CET	36440	13566	192.168.2.23	83.222.141.85
Jan 19, 2025 06:02:56.628998041 CET	43412	13566	192.168.2.23	83.222.197.169
Jan 19, 2025 06:02:56.629014969 CET	52702	13566	192.168.2.23	83.222.83.181
Jan 19, 2025 06:02:56.629030943 CET	49346	13566	192.168.2.23	83.222.205.163
Jan 19, 2025 06:02:56.629046917 CET	35368	13566	192.168.2.23	83.222.159.104
Jan 19, 2025 06:02:56.629055023 CET	55526	13566	192.168.2.23	83.222.153.164
Jan 19, 2025 06:02:56.629077911 CET	55242	13566	192.168.2.23	83.222.189.187
Jan 19, 2025 06:02:56.629081964 CET	55586	13566	192.168.2.23	83.222.183.149
Jan 19, 2025 06:02:56.629111052 CET	38634	13566	192.168.2.23	83.222.36.70
Jan 19, 2025 06:02:56.629117012 CET	59024	13566	192.168.2.23	83.222.108.216
Jan 19, 2025 06:02:56.629125118 CET	46068	13566	192.168.2.23	83.222.173.25
Jan 19, 2025 06:02:56.633671045 CET	13566	52986	83.222.199.28	192.168.2.23
Jan 19, 2025 06:02:56.633688927 CET	13566	40460	83.222.206.100	192.168.2.23
Jan 19, 2025 06:02:56.633703947 CET	13566	52604	83.222.132.243	192.168.2.23
Jan 19, 2025 06:02:56.633725882 CET	13566	40844	83.222.167.34	192.168.2.23
Jan 19, 2025 06:02:56.633735895 CET	52986	13566	192.168.2.23	83.222.199.28
Jan 19, 2025 06:02:56.633740902 CET	13566	33198	83.222.93.228	192.168.2.23
Jan 19, 2025 06:02:56.633761883 CET	13566	41996	83.222.110.84	192.168.2.23
Jan 19, 2025 06:02:56.633765936 CET	40844	13566	192.168.2.23	83.222.167.34
Jan 19, 2025 06:02:56.633776903 CET	13566	41762	83.222.31.67	192.168.2.23
Jan 19, 2025 06:02:56.633790970 CET	13566	54718	83.222.242.183	192.168.2.23
Jan 19, 2025 06:02:56.633805037 CET	13566	34044	83.222.213.24	192.168.2.23
Jan 19, 2025 06:02:56.633805990 CET	41996	13566	192.168.2.23	83.222.110.84
Jan 19, 2025 06:02:56.633817911 CET	13566	45950	83.222.39.108	192.168.2.23
Jan 19, 2025 06:02:56.633831978 CET	34044	13566	192.168.2.23	83.222.213.24
Jan 19, 2025 06:02:56.633867979 CET	33198	13566	192.168.2.23	83.222.93.228
Jan 19, 2025 06:02:56.633888006 CET	41762	13566	192.168.2.23	83.222.31.67
Jan 19, 2025 06:02:56.633883953 CET	40460	13566	192.168.2.23	83.222.206.100
Jan 19, 2025 06:02:56.633884907 CET	54718	13566	192.168.2.23	83.222.242.183
Jan 19, 2025 06:02:56.633953094 CET	52604	13566	192.168.2.23	83.222.132.243
Jan 19, 2025 06:02:56.633953094 CET	45950	13566	192.168.2.23	83.222.39.108
Jan 19, 2025 06:02:56.634160995 CET	13566	33162	83.222.24.252	192.168.2.23
Jan 19, 2025 06:02:56.634176016 CET	13566	55886	83.222.111.126	192.168.2.23
Jan 19, 2025 06:02:56.634191036 CET	13566	48440	83.222.4.90	192.168.2.23
Jan 19, 2025 06:02:56.634200096 CET	33162	13566	192.168.2.23	83.222.24.252
Jan 19, 2025 06:02:56.634203911 CET	13566	34670	83.222.190.70	192.168.2.23
Jan 19, 2025 06:02:56.634211063 CET	13566	49112	83.222.8.82	192.168.2.23
Jan 19, 2025 06:02:56.634217024 CET	13566	47366	83.222.235.251	192.168.2.23
Jan 19, 2025 06:02:56.634222984 CET	55886	13566	192.168.2.23	83.222.111.126
Jan 19, 2025 06:02:56.634231091 CET	13566	52754	83.222.96.67	192.168.2.23
Jan 19, 2025 06:02:56.634252071 CET	49112	13566	192.168.2.23	83.222.8.82
Jan 19, 2025 06:02:56.634253025 CET	34670	13566	192.168.2.23	83.222.190.70
Jan 19, 2025 06:02:56.634258032 CET	13566	39544	83.222.251.119	192.168.2.23
Jan 19, 2025 06:02:56.634253025 CET	48440	13566	192.168.2.23	83.222.4.90
Jan 19, 2025 06:02:56.634253025 CET	47366	13566	192.168.2.23	83.222.235.251
Jan 19, 2025 06:02:56.634274960 CET	52754	13566	192.168.2.23	83.222.96.67
Jan 19, 2025 06:02:56.634278059 CET	13566	41964	83.222.166.26	192.168.2.23
Jan 19, 2025 06:02:56.634291887 CET	13566	54714	83.222.186.43	192.168.2.23
Jan 19, 2025 06:02:56.634305954 CET	13566	47274	83.222.13.130	192.168.2.23
Jan 19, 2025 06:02:56.634315014 CET	39544	13566	192.168.2.23	83.222.251.119
Jan 19, 2025 06:02:56.634315014 CET	41964	13566	192.168.2.23	83.222.166.26
Jan 19, 2025 06:02:56.634320974 CET	13566	46790	83.222.71.125	192.168.2.23
Jan 19, 2025 06:02:56.634335995 CET	13566	37324	83.222.0.75	192.168.2.23
Jan 19, 2025 06:02:56.634336948 CET	54714	13566	192.168.2.23	83.222.186.43
Jan 19, 2025 06:02:56.634341002 CET	47274	13566	192.168.2.23	83.222.13.130
Jan 19, 2025 06:02:56.634351015 CET	13566	46312	83.222.156.230	192.168.2.23
Jan 19, 2025 06:02:56.634356022 CET	46790	13566	192.168.2.23	83.222.71.125
Jan 19, 2025 06:02:56.634365082 CET	13566	57670	83.222.100.52	192.168.2.23
Jan 19, 2025 06:02:56.634371042 CET	37324	13566	192.168.2.23	83.222.0.75
Jan 19, 2025 06:02:56.634381056 CET	13566	39900	83.222.185.34	192.168.2.23
Jan 19, 2025 06:02:56.634390116 CET	46312	13566	192.168.2.23	83.222.156.230
Jan 19, 2025 06:02:56.634401083 CET	13566	41632	83.222.122.164	192.168.2.23
Jan 19, 2025 06:02:56.634411097 CET	57670	13566	192.168.2.23	83.222.100.52
Jan 19, 2025 06:02:56.634418964 CET	39900	13566	192.168.2.23	83.222.185.34
Jan 19, 2025 06:02:56.634424925 CET	13566	41118	83.222.16.53	192.168.2.23
Jan 19, 2025 06:02:56.634438038 CET	13566	33630	83.222.27.254	192.168.2.23
Jan 19, 2025 06:02:56.634443045 CET	41632	13566	192.168.2.23	83.222.122.164
Jan 19, 2025 06:02:56.634453058 CET	13566	42648	83.222.158.172	192.168.2.23
Jan 19, 2025 06:02:56.634466887 CET	41118	13566	192.168.2.23	83.222.16.53
Jan 19, 2025 06:02:56.634474039 CET	33630	13566	192.168.2.23	83.222.27.254
Jan 19, 2025 06:02:56.634480953 CET	13566	56192	83.222.215.213	192.168.2.23
Jan 19, 2025 06:02:56.634495020 CET	13566	52406	83.222.29.162	192.168.2.23
Jan 19, 2025 06:02:56.634507895 CET	13566	43916	83.222.80.234	192.168.2.23
Jan 19, 2025 06:02:56.634507895 CET	42648	13566	192.168.2.23	83.222.158.172
Jan 19, 2025 06:02:56.634522915 CET	56192	13566	192.168.2.23	83.222.215.213
Jan 19, 2025 06:02:56.634522915 CET	52406	13566	192.168.2.23	83.222.29.162
Jan 19, 2025 06:02:56.634535074 CET	13566	47482	83.222.239.36	192.168.2.23
Jan 19, 2025 06:02:56.634548903 CET	13566	41996	83.222.155.246	192.168.2.23
Jan 19, 2025 06:02:56.634558916 CET	43916	13566	192.168.2.23	83.222.80.234
Jan 19, 2025 06:02:56.634565115 CET	13566	46504	83.222.33.18	192.168.2.23
Jan 19, 2025 06:02:56.634568930 CET	47482	13566	192.168.2.23	83.222.239.36
Jan 19, 2025 06:02:56.634577036 CET	41996	13566	192.168.2.23	83.222.155.246
Jan 19, 2025 06:02:56.634594917 CET	13566	57484	83.222.5.85	192.168.2.23
Jan 19, 2025 06:02:56.634602070 CET	46504	13566	192.168.2.23	83.222.33.18
Jan 19, 2025 06:02:56.634608984 CET	13566	60560	83.222.215.105	192.168.2.23
Jan 19, 2025 06:02:56.634624004 CET	13566	56270	83.222.143.215	192.168.2.23
Jan 19, 2025 06:02:56.634635925 CET	57484	13566	192.168.2.23	83.222.5.85
Jan 19, 2025 06:02:56.634639025 CET	13566	41292	83.222.180.102	192.168.2.23
Jan 19, 2025 06:02:56.634646893 CET	60560	13566	192.168.2.23	83.222.215.105
Jan 19, 2025 06:02:56.634653091 CET	13566	44754	83.222.154.101	192.168.2.23
Jan 19, 2025 06:02:56.634658098 CET	56270	13566	192.168.2.23	83.222.143.215
Jan 19, 2025 06:02:56.634665966 CET	13566	34098	83.222.172.24	192.168.2.23
Jan 19, 2025 06:02:56.634676933 CET	41292	13566	192.168.2.23	83.222.180.102
Jan 19, 2025 06:02:56.634680033 CET	13566	55292	83.222.9.88	192.168.2.23
Jan 19, 2025 06:02:56.634685040 CET	44754	13566	192.168.2.23	83.222.154.101
Jan 19, 2025 06:02:56.634695053 CET	13566	43502	83.222.58.21	192.168.2.23
Jan 19, 2025 06:02:56.634701967 CET	34098	13566	192.168.2.23	83.222.172.24
Jan 19, 2025 06:02:56.634710073 CET	13566	36440	83.222.141.85	192.168.2.23
Jan 19, 2025 06:02:56.634713888 CET	55292	13566	192.168.2.23	83.222.9.88
Jan 19, 2025 06:02:56.634723902 CET	13566	49932	83.222.183.25	192.168.2.23
Jan 19, 2025 06:02:56.634737015 CET	43502	13566	192.168.2.23	83.222.58.21
Jan 19, 2025 06:02:56.634738922 CET	13566	43412	83.222.197.169	192.168.2.23
Jan 19, 2025 06:02:56.634742022 CET	36440	13566	192.168.2.23	83.222.141.85
Jan 19, 2025 06:02:56.634752035 CET	13566	52702	83.222.83.181	192.168.2.23
Jan 19, 2025 06:02:56.634759903 CET	49932	13566	192.168.2.23	83.222.183.25
Jan 19, 2025 06:02:56.634767056 CET	13566	49346	83.222.205.163	192.168.2.23
Jan 19, 2025 06:02:56.634771109 CET	43412	13566	192.168.2.23	83.222.197.169
Jan 19, 2025 06:02:56.634779930 CET	13566	35368	83.222.159.104	192.168.2.23
Jan 19, 2025 06:02:56.634790897 CET	52702	13566	192.168.2.23	83.222.83.181
Jan 19, 2025 06:02:56.634793997 CET	13566	55526	83.222.153.164	192.168.2.23
Jan 19, 2025 06:02:56.634807110 CET	13566	55586	83.222.183.149	192.168.2.23
Jan 19, 2025 06:02:56.634819031 CET	49346	13566	192.168.2.23	83.222.205.163
Jan 19, 2025 06:02:56.634819031 CET	35368	13566	192.168.2.23	83.222.159.104
Jan 19, 2025 06:02:56.634834051 CET	13566	55242	83.222.189.187	192.168.2.23
Jan 19, 2025 06:02:56.634835005 CET	55526	13566	192.168.2.23	83.222.153.164
Jan 19, 2025 06:02:56.634835005 CET	55586	13566	192.168.2.23	83.222.183.149
Jan 19, 2025 06:02:56.634849072 CET	13566	59024	83.222.108.216	192.168.2.23
Jan 19, 2025 06:02:56.634865046 CET	13566	38634	83.222.36.70	192.168.2.23
Jan 19, 2025 06:02:56.634875059 CET	55242	13566	192.168.2.23	83.222.189.187
Jan 19, 2025 06:02:56.634880066 CET	59024	13566	192.168.2.23	83.222.108.216
Jan 19, 2025 06:02:56.634891033 CET	13566	46068	83.222.173.25	192.168.2.23
Jan 19, 2025 06:02:56.634907961 CET	38634	13566	192.168.2.23	83.222.36.70
Jan 19, 2025 06:02:56.634922981 CET	46068	13566	192.168.2.23	83.222.173.25
Jan 19, 2025 06:02:56.639130116 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:02:56.644016027 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:02:56.644078970 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:02:56.644112110 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:02:56.648942947 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:02:56.648994923 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:02:56.653811932 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:02:59.467628956 CET	42836	443	192.168.2.23	91.189.91.43
Jan 19, 2025 06:03:00.235387087 CET	42516	80	192.168.2.23	109.202.202.202
Jan 19, 2025 06:03:06.650204897 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:03:06.655555010 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:03:06.858498096 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:03:06.858799934 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:03:07.239099026 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:03:07.239358902 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:03:15.593333006 CET	43928	443	192.168.2.23	91.189.91.42
Jan 19, 2025 06:03:25.831928968 CET	42836	443	192.168.2.23	91.189.91.43
Jan 19, 2025 06:03:29.927190065 CET	42516	80	192.168.2.23	109.202.202.202
Jan 19, 2025 06:03:41.615077019 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:03:41.622569084 CET	13566	42660	83.222.191.90	192.168.2.23
Jan 19, 2025 06:03:41.622663021 CET	42660	13566	192.168.2.23	83.222.191.90
Jan 19, 2025 06:03:56.547600031 CET	43928	443	192.168.2.23	91.189.91.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2025 06:02:56.629162073 CET	37730	53	192.168.2.23	8.8.8.8
Jan 19, 2025 06:02:56.639035940 CET	53	37730	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 19, 2025 06:02:56.629162073 CET	192.168.2.23	8.8.8.8	0xacc	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 19, 2025 06:02:56.639035940 CET	8.8.8.8	192.168.2.23	0xacc	No error (0)	secure-network-rebirthltd.ru		83.222.191.90	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dbg.x86.elf PID: 6233, Parent PID: 6159

General

Start time (UTC):	05:02:55
Start date (UTC):	19/01/2025
Path:	/tmp/dbg.x86.elf
Arguments:	/tmp/dbg.x86.elf
File size:	54416 bytes
MD5 hash:	2280f52b2b40424d0a9fec0670ee06c5

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dbg.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dbg.x86.elf PID: 6233, Parent PID: 6159

General

File Activities

File Moved

Process Activities

Prctl Requested

Chronological Activities

Linux Analysis Report
dbg.x86.elf