Edit tour

Linux Analysis Report
debug.dbg.elf

Overview

General Information

Sample name:	debug.dbg.elf
Analysis ID:	1634284
MD5:	994546ec709cd259d26572c6c648ff3c
SHA1:	14eb6fb10abc34568901ed6dc5a8100cad229639
SHA256:	3a87f9a9f0ac2407e7b413926cc23d47c5e17d4ab554bcbb221661dbc0feab9a
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Uses dynamic DNS services

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634284
Start date and time:	2025-03-10 21:36:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	debug.dbg.elf
Detection:	MAL
Classification:	mal76.troj.linELF@0/0@20/0

Runtime Messages

Command:	/tmp/debug.dbg.elf
PID:	5424
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:	unstable_is_the_history_of_universe [magician] debug mode, pid: 5424 [magician] we are the only process on this system! [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select (unstable/resolver) found ipv4 address: 98f5bfa0 (unstable/resolver) resolved huyhoangluvnhi.duckdns.org to 1 ipv4 addresses [magician] resolved domain [magician] connected to cnc successfully [magician] attempting to connect to cnc (unstable/resolver) got response from select
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5409, Parent: 3577)

rm (PID: 5409, Parent: 3577, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.RBPxToCMAw /tmp/tmp.N9R1GNEKsk /tmp/tmp.8YRKlJ9iR2

dash New Fork (PID: 5410, Parent: 3577)

rm (PID: 5410, Parent: 3577, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.RBPxToCMAw /tmp/tmp.N9R1GNEKsk /tmp/tmp.8YRKlJ9iR2

debug.dbg.elf (PID: 5424, Parent: 5347, MD5: 994546ec709cd259d26572c6c648ff3c) Arguments: /tmp/debug.dbg.elf

debug.dbg.elf New Fork (PID: 5425, Parent: 5424)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
debug.dbg.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
debug.dbg.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xb294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb30c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb35c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
debug.dbg.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x44d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
debug.dbg.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x65d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
debug.dbg.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9534:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
debug.dbg.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x7feb:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
debug.dbg.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x65a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5424.1.0000000008048000.0000000008056000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5424.1.0000000008048000.0000000008056000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xb294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb30c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb35c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5424.1.0000000008048000.0000000008056000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x44d0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5424.1.0000000008048000.0000000008056000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x65d2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5424.1.0000000008048000.0000000008056000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x9534:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5424.1.0000000008048000.0000000008056000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x7feb:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5424.1.0000000008048000.0000000008056000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x65a2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: debug.dbg.elf PID: 5424	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf6d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf81:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf95:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfa9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfbd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xff9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x100d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1021:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1035:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1049:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1071:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1085:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1099:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: debug.dbg.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: debug.dbg.elf	ReversingLabs: Detection: 52%
Source: debug.dbg.elf	Virustotal: Detection: 54%			Perma Link

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: huyhoangluvnhi.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.13:45070 -> 160.191.245.152:56999

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: huyhoangluvnhi.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: debug.dbg.elf PID: 5424, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: debug.dbg.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: debug.dbg.elf PID: 5424, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal76.troj.linELF@0/0@20/0

Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/5262/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/3632/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/debug.dbg.elf (PID: 5425)	File opened: /proc/816/cmdline	Jump to behavior

Source: /usr/bin/dash (PID: 5409)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.RBPxToCMAw /tmp/tmp.N9R1GNEKsk /tmp/tmp.8YRKlJ9iR2			Jump to behavior
Source: /usr/bin/dash (PID: 5410)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.RBPxToCMAw /tmp/tmp.N9R1GNEKsk /tmp/tmp.8YRKlJ9iR2			Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: debug.dbg.elf, type: SAMPLE
Source: Yara match	File source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: debug.dbg.elf, type: SAMPLE
Source: Yara match	File source: 5424.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
debug.dbg.elf	53%	ReversingLabs	Linux.Trojan.Mirai
debug.dbg.elf	55%	Virustotal		Browse
debug.dbg.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high
huyhoangluvnhi.duckdns.org	160.191.245.152	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
160.191.245.152	huyhoangluvnhi.duckdns.org	unknown		2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
160.191.245.152	blah.x86.elf	Get hash	malicious	Unknown	Browse
	blah.mips.elf	Get hash	malicious	Unknown	Browse
	blah.m68k.elf	Get hash	malicious	Unknown	Browse
	blah.arm7.elf	Get hash	malicious	Mirai	Browse
	blah.ppc.elf	Get hash	malicious	Unknown	Browse
	blah.x86_64.elf	Get hash	malicious	Unknown	Browse
	blah.arm.elf	Get hash	malicious	Unknown	Browse
	blah.mpsl.elf	Get hash	malicious	Unknown	Browse
	blah.spc.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
185.125.190.26	na.elf	Get hash	malicious	Prometei	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	6j272sSkTN.elf	Get hash	malicious	Fog	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Mirai	Browse
	x-8.6-.opticus.elf	Get hash	malicious	Gafgyt	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	.i.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	sshd.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	arm5.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	gif.elf	Get hash	malicious	Xmrig	Browse	162.213.35.24
	gif.elf	Get hash	malicious	Xmrig	Browse	162.213.35.25
huyhoangluvnhi.duckdns.org	blah.x86.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.mips.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.m68k.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.arm7.elf	Get hash	malicious	Mirai	Browse	160.191.245.152
	blah.ppc.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.x86_64.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.arm.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.mpsl.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	blah.spc.elf	Get hash	malicious	Unknown	Browse	160.191.245.152
	sh4.elf	Get hash	malicious	Unknown	Browse	160.191.245.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	gif.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
SINET-ASResearchOrganizationofInformationandSystemsN	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	133.222.255.170
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	133.17.34.91
	nklmips.elf	Get hash	malicious	Unknown	Browse	160.247.95.208
	nklsh4.elf	Get hash	malicious	Unknown	Browse	202.243.177.47
	nklarm5.elf	Get hash	malicious	Unknown	Browse	202.236.130.196
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	163.209.90.177
	jklm68k.elf	Get hash	malicious	Unknown	Browse	133.38.251.37
	jklppc.elf	Get hash	malicious	Unknown	Browse	202.13.34.166
	jklsh4.elf	Get hash	malicious	Unknown	Browse	160.31.211.108
	jklarm5.elf	Get hash	malicious	Unknown	Browse	160.14.239.126

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.542475008334571
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	debug.dbg.elf
File size:	55'504 bytes
MD5:	994546ec709cd259d26572c6c648ff3c
SHA1:	14eb6fb10abc34568901ed6dc5a8100cad229639
SHA256:	3a87f9a9f0ac2407e7b413926cc23d47c5e17d4ab554bcbb221661dbc0feab9a
SHA512:	b56b64cad9c3401fc173970f61705abcae5d58fa33ab6af3dff3407c75084c5fb6778a10662dae69eb749e3653ed7fa8609c200270cc89ba91df207c7ade02fe
SSDEEP:	1536:uITW3WsRUK1ZgQohZGvSM0vTwGF5TTSlai:uIK3lRUK1ZgH/GvSVvMaTUH
TLSH:	FB436CD4E643D8F5D8071AB1113AF7375E31F1F92218EA93D3A4EA32BC53641E546A8C
File Content Preview:	.ELF....................d...4...@.......4. ...(.....................\|...\|....................d...d.......'..........Q.td............................U..S............h........[]...$.............U......=.g...t..5.....d......d......u........t....h\|T..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	55104
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xaef6	0x0	0x6	AX	16
.fini	PROGBITS	0x8052fa6	0xafa6	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8052fc0	0xafc0	0x24bc	0x0	0x2	A	32
.ctors	PROGBITS	0x8056480	0xd480	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8056488	0xd488	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x80564a0	0xd4a0	0x260	0x0	0x3	WA	32
.bss	NOBITS	0x8056700	0xd700	0x2480	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xd700	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xd47c	0xd47c	6.5803	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xd480	0x8056480	0x8056480	0x280	0x2700	3.4890	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 134
• 56999 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 21:36:48.820678949 CET	45070	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:48.825539112 CET	56999	45070	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:48.825592041 CET	45070	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:48.825624943 CET	45070	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:48.831299067 CET	56999	45070	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:48.831358910 CET	45070	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:48.836724997 CET	56999	45070	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:49.773530006 CET	56999	45070	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:49.773658037 CET	45070	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:49.773658037 CET	45070	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:49.780960083 CET	45072	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:49.785861969 CET	56999	45072	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:49.785940886 CET	45072	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:49.785940886 CET	45072	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:49.790839911 CET	56999	45072	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:49.794131994 CET	45072	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:49.799014091 CET	56999	45072	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:50.740382910 CET	56999	45072	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:50.740515947 CET	45072	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:50.743666887 CET	45072	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:50.838113070 CET	45074	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:50.842983007 CET	56999	45074	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:50.843947887 CET	45074	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:50.843947887 CET	45074	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:50.848750114 CET	56999	45074	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:50.848833084 CET	45074	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:50.853741884 CET	56999	45074	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:51.780983925 CET	56999	45074	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:51.781192064 CET	45074	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:51.781275034 CET	45074	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:51.878019094 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:51.882900000 CET	56999	45076	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:51.882949114 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:51.882962942 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:51.887818098 CET	56999	45076	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:51.887865067 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:51.892736912 CET	56999	45076	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:53.266194105 CET	56999	45076	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:53.266448021 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.266474009 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.267654896 CET	56999	45076	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:53.267710924 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.269931078 CET	56999	45076	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:53.269975901 CET	45076	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.365411043 CET	45078	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.370249033 CET	56999	45078	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:53.370379925 CET	45078	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.370395899 CET	45078	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.375191927 CET	56999	45078	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:53.375247955 CET	45078	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:53.380042076 CET	56999	45078	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:54.348808050 CET	56999	45078	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:54.348942041 CET	45078	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:54.348942041 CET	45078	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:56.447351933 CET	45080	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:56.452444077 CET	56999	45080	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:56.452569962 CET	45080	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:56.452611923 CET	45080	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:56.457442999 CET	56999	45080	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:56.457506895 CET	45080	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:56.463300943 CET	56999	45080	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:57.404176950 CET	56999	45080	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:57.404325962 CET	45080	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:57.404365063 CET	45080	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:57.512315989 CET	45082	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:57.517163038 CET	56999	45082	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:57.517227888 CET	45082	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:57.517256975 CET	45082	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:57.522021055 CET	56999	45082	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:57.522067070 CET	45082	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:57.526807070 CET	56999	45082	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:58.494503975 CET	56999	45082	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:58.494824886 CET	45082	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:58.494826078 CET	45082	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:58.501774073 CET	45084	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:58.506580114 CET	56999	45084	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:58.506669998 CET	45084	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:58.506728888 CET	45084	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:58.511477947 CET	56999	45084	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:58.511533022 CET	45084	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:58.517364025 CET	56999	45084	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:59.371402025 CET	48202	443	192.168.2.13	185.125.190.26
Mar 10, 2025 21:36:59.437571049 CET	56999	45084	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:59.437704086 CET	45084	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:59.437815905 CET	45084	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:59.446747065 CET	45086	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:59.451992989 CET	56999	45086	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:59.452059031 CET	45086	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:59.452131033 CET	45086	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:59.457305908 CET	56999	45086	160.191.245.152	192.168.2.13
Mar 10, 2025 21:36:59.457357883 CET	45086	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:36:59.462177038 CET	56999	45086	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:00.386605978 CET	56999	45086	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:00.386723995 CET	45086	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:00.386765957 CET	45086	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:00.394311905 CET	45088	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:00.399133921 CET	56999	45088	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:00.399188995 CET	45088	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:00.399225950 CET	45088	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:00.404025078 CET	56999	45088	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:00.404072046 CET	45088	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:00.408898115 CET	56999	45088	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:01.331213951 CET	56999	45088	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:01.331356049 CET	45088	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:01.331394911 CET	45088	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:01.338485956 CET	45090	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:01.343456030 CET	56999	45090	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:01.343569040 CET	45090	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:01.343569040 CET	45090	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:01.348417997 CET	56999	45090	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:01.348481894 CET	45090	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:01.353266954 CET	56999	45090	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:02.277445078 CET	56999	45090	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:02.277695894 CET	45090	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:02.277765989 CET	45090	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:02.284898043 CET	45092	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:02.289766073 CET	56999	45092	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:02.289877892 CET	45092	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:02.289947033 CET	45092	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:02.294761896 CET	56999	45092	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:02.294862032 CET	45092	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:02.299631119 CET	56999	45092	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:03.263415098 CET	56999	45092	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:03.263534069 CET	45092	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:03.263571978 CET	45092	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:03.270904064 CET	45094	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:03.275789976 CET	56999	45094	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:03.275883913 CET	45094	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:03.275907993 CET	45094	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:03.280744076 CET	56999	45094	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:03.280798912 CET	45094	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:03.288104057 CET	56999	45094	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:04.230654955 CET	56999	45094	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:04.230783939 CET	45094	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:04.230812073 CET	45094	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:04.238226891 CET	45096	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:04.243033886 CET	56999	45096	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:04.243232965 CET	45096	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:04.243232965 CET	45096	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:04.258558989 CET	56999	45096	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:04.258673906 CET	45096	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:04.263575077 CET	56999	45096	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:05.239974976 CET	56999	45096	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:05.240087986 CET	45096	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:05.240144014 CET	45096	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:05.340162992 CET	45098	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:05.345112085 CET	56999	45098	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:05.345227957 CET	45098	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:05.345227957 CET	45098	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:05.350111008 CET	56999	45098	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:05.350168943 CET	45098	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:05.354983091 CET	56999	45098	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:06.282017946 CET	56999	45098	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:06.282255888 CET	45098	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:06.282288074 CET	45098	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:06.290775061 CET	45100	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:06.297566891 CET	56999	45100	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:06.297669888 CET	45100	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:06.297669888 CET	45100	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:06.302556992 CET	56999	45100	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:06.302628994 CET	45100	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:06.307739019 CET	56999	45100	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:07.280450106 CET	56999	45100	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:07.280721903 CET	45100	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:07.280775070 CET	45100	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:07.288376093 CET	45102	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:07.293308020 CET	56999	45102	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:07.293399096 CET	45102	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:07.293486118 CET	45102	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:07.299511909 CET	56999	45102	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:07.299593925 CET	45102	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:07.304399014 CET	56999	45102	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:08.239826918 CET	56999	45102	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:08.239998102 CET	45102	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:08.240052938 CET	45102	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:08.247631073 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:08.252473116 CET	56999	45104	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:08.252542019 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:08.252593040 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:08.257406950 CET	56999	45104	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:08.257473946 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:08.262269974 CET	56999	45104	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:18.262754917 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:18.267817974 CET	56999	45104	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:18.602377892 CET	56999	45104	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:18.602570057 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:31.627315998 CET	48202	443	192.168.2.13	185.125.190.26
Mar 10, 2025 21:37:32.711920977 CET	45104	56999	192.168.2.13	160.191.245.152
Mar 10, 2025 21:37:32.717159033 CET	56999	45104	160.191.245.152	192.168.2.13
Mar 10, 2025 21:37:32.717232943 CET	45104	56999	192.168.2.13	160.191.245.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 21:36:48.723958969 CET	51390	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:48.820571899 CET	53	51390	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:49.773809910 CET	51719	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:49.780771971 CET	53	51719	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:50.740580082 CET	36036	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:50.837979078 CET	53	36036	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:51.781439066 CET	50022	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:51.877886057 CET	53	50022	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:53.266530991 CET	60797	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:53.365124941 CET	53	60797	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:54.348995924 CET	59332	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:56.447132111 CET	53	59332	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:57.404371023 CET	44040	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:57.512002945 CET	53	44040	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:58.494873047 CET	40812	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:58.501646042 CET	53	40812	8.8.8.8	192.168.2.13
Mar 10, 2025 21:36:59.438122034 CET	49041	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:36:59.446614981 CET	53	49041	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:00.386821032 CET	52737	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:00.394227982 CET	53	52737	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:01.331430912 CET	49432	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:01.338395119 CET	53	49432	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:02.277841091 CET	57761	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:02.284676075 CET	53	57761	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:03.263632059 CET	49473	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:03.270797014 CET	53	49473	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:04.230870008 CET	42301	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:04.238018990 CET	53	42301	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:05.240211010 CET	43022	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:05.337013006 CET	53	43022	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:06.282329082 CET	46606	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:06.290694952 CET	53	46606	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:07.280911922 CET	36691	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:07.288216114 CET	53	36691	8.8.8.8	192.168.2.13
Mar 10, 2025 21:37:08.240154028 CET	40280	53	192.168.2.13	8.8.8.8
Mar 10, 2025 21:37:08.247486115 CET	53	40280	8.8.8.8	192.168.2.13
Mar 10, 2025 21:39:33.502722025 CET	57441	53	192.168.2.13	1.1.1.1
Mar 10, 2025 21:39:33.502791882 CET	38583	53	192.168.2.13	1.1.1.1
Mar 10, 2025 21:39:33.509700060 CET	53	57441	1.1.1.1	192.168.2.13
Mar 10, 2025 21:39:33.509955883 CET	53	38583	1.1.1.1	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 21:36:48.723958969 CET	192.168.2.13	8.8.8.8	0x4403	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:49.773809910 CET	192.168.2.13	8.8.8.8	0x8636	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:50.740580082 CET	192.168.2.13	8.8.8.8	0x856b	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:51.781439066 CET	192.168.2.13	8.8.8.8	0xfc7d	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:53.266530991 CET	192.168.2.13	8.8.8.8	0x45d6	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:54.348995924 CET	192.168.2.13	8.8.8.8	0xaabf	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:57.404371023 CET	192.168.2.13	8.8.8.8	0x9430	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:58.494873047 CET	192.168.2.13	8.8.8.8	0xf1c7	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:59.438122034 CET	192.168.2.13	8.8.8.8	0xb01d	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:00.386821032 CET	192.168.2.13	8.8.8.8	0xc024	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:01.331430912 CET	192.168.2.13	8.8.8.8	0x7398	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:02.277841091 CET	192.168.2.13	8.8.8.8	0x3e9b	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:03.263632059 CET	192.168.2.13	8.8.8.8	0xcaf7	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:04.230870008 CET	192.168.2.13	8.8.8.8	0x572a	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:05.240211010 CET	192.168.2.13	8.8.8.8	0xd6a9	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:06.282329082 CET	192.168.2.13	8.8.8.8	0xc2de	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:07.280911922 CET	192.168.2.13	8.8.8.8	0x9ea7	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:08.240154028 CET	192.168.2.13	8.8.8.8	0x41e3	Standard query (0)	huyhoangluvnhi.duckdns.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:39:33.502722025 CET	192.168.2.13	1.1.1.1	0x3710	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:39:33.502791882 CET	192.168.2.13	1.1.1.1	0xf5dd	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 21:36:48.820571899 CET	8.8.8.8	192.168.2.13	0x4403	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:49.780771971 CET	8.8.8.8	192.168.2.13	0x8636	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:50.837979078 CET	8.8.8.8	192.168.2.13	0x856b	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:51.877886057 CET	8.8.8.8	192.168.2.13	0xfc7d	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:53.365124941 CET	8.8.8.8	192.168.2.13	0x45d6	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:56.447132111 CET	8.8.8.8	192.168.2.13	0xaabf	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:57.512002945 CET	8.8.8.8	192.168.2.13	0x9430	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:58.501646042 CET	8.8.8.8	192.168.2.13	0xf1c7	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:36:59.446614981 CET	8.8.8.8	192.168.2.13	0xb01d	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:00.394227982 CET	8.8.8.8	192.168.2.13	0xc024	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:01.338395119 CET	8.8.8.8	192.168.2.13	0x7398	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:02.284676075 CET	8.8.8.8	192.168.2.13	0x3e9b	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:03.270797014 CET	8.8.8.8	192.168.2.13	0xcaf7	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:04.238018990 CET	8.8.8.8	192.168.2.13	0x572a	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:05.337013006 CET	8.8.8.8	192.168.2.13	0xd6a9	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:06.290694952 CET	8.8.8.8	192.168.2.13	0xc2de	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:07.288216114 CET	8.8.8.8	192.168.2.13	0x9ea7	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:37:08.247486115 CET	8.8.8.8	192.168.2.13	0x41e3	No error (0)	huyhoangluvnhi.duckdns.org	160.191.245.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:39:33.509700060 CET	1.1.1.1	192.168.2.13	0x3710	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:39:33.509700060 CET	1.1.1.1	192.168.2.13	0x3710	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5409, Parent PID: 3577

General

Start time (UTC):	20:36:37
Start date (UTC):	10/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5409, Parent PID: 3577

General

Start time (UTC):	20:36:37
Start date (UTC):	10/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.RBPxToCMAw /tmp/tmp.N9R1GNEKsk /tmp/tmp.8YRKlJ9iR2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5410, Parent PID: 3577

General

Start time (UTC):	20:36:37
Start date (UTC):	10/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5410, Parent PID: 3577

General

Start time (UTC):	20:36:37
Start date (UTC):	10/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.RBPxToCMAw /tmp/tmp.N9R1GNEKsk /tmp/tmp.8YRKlJ9iR2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: debug.dbg.elf PID: 5424, Parent PID: 5347

General

Start time (UTC):	20:36:46
Start date (UTC):	10/03/2025
Path:	/tmp/debug.dbg.elf
Arguments:	/tmp/debug.dbg.elf
File size:	55504 bytes
MD5 hash:	994546ec709cd259d26572c6c648ff3c

Process Activities

Process Forked

Prctl Requested

Thread Sleep

Chronological Activities

Analysis Process: debug.dbg.elf PID: 5425, Parent PID: 5424

General

Start time (UTC):	20:36:47
Start date (UTC):	10/03/2025
Path:	/tmp/debug.dbg.elf
Arguments:	-
File size:	55504 bytes
MD5 hash:	994546ec709cd259d26572c6c648ff3c

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report debug.dbg.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5409, Parent PID: 3577

General

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5409, Parent PID: 3577

General

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5410, Parent PID: 3577

General

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5410, Parent PID: 3577

General

File Activities

File Opened

Linux Analysis Report
debug.dbg.elf