Linux Analysis Report
.i.elf

Overview

General Information

Sample name: .i.elf
Analysis ID: 1639808
MD5: 1f9d836bf7e3d6e6ff4739bcf9635c61
SHA1: 1dff81aeb69bd0deb26fdf4e0312b2502a786980
SHA256: 79e9d1b8cad843713309a972616d65f40e8077d755629d1b4532abe9708c65f9
Tags: elf, user-abuse_ch
Infos:
Errors
  • No or unstable Internet during analysis

Detection

Mirai
Score: 76
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "iptables" command to insert, remove and/or manipulate rules
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Creates hidden files and/or directories
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
Joe Sandbox version: 42.0.0 Malachite
Start date and time: 2025-03-16 09:27:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal76.spre.troj.evad.linELF@0/1@58/0
  • No or unstable Internet during analysis
  • Excluded IPs from analysis (whitelisted): 62.75.236.38, 62.225.132.250, 129.70.132.33, 193.203.3.171
  • Excluded domains from analysis (whitelisted): pool.ntp.org
Command: /tmp/.i.elf
PID: 5429
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
  • system is lnxubuntu20
  • .i.elf (PID: 5429, Parent: 5354, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/.i.elf
    • .i.elf New Fork (PID: 5431, Parent: 5429)
      • .i.elf New Fork (PID: 5435, Parent: 5431)
      • sh (PID: 5435, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
        • sh New Fork (PID: 5441, Parent: 5435)
        • iptables (PID: 5441, Parent: 5435, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 23 -j DROP
      • .i.elf New Fork (PID: 5447, Parent: 5431)
      • sh (PID: 5447, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        • sh New Fork (PID: 5452, Parent: 5447)
        • iptables (PID: 5452, Parent: 5447, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 7547 -j DROP
      • .i.elf New Fork (PID: 5453, Parent: 5431)
      • sh (PID: 5453, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        • sh New Fork (PID: 5458, Parent: 5453)
        • iptables (PID: 5458, Parent: 5453, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 5555 -j DROP
      • .i.elf New Fork (PID: 5459, Parent: 5431)
      • sh (PID: 5459, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
        • sh New Fork (PID: 5464, Parent: 5459)
        • iptables (PID: 5464, Parent: 5459, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 5358 -j DROP
      • .i.elf New Fork (PID: 5465, Parent: 5431)
      • sh (PID: 5465, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -D INPUT -j CWMP_CR"
        • sh New Fork (PID: 5470, Parent: 5465)
        • iptables (PID: 5470, Parent: 5465, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -D INPUT -j CWMP_CR
      • .i.elf New Fork (PID: 5471, Parent: 5431)
      • sh (PID: 5471, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -X CWMP_CR"
        • sh New Fork (PID: 5476, Parent: 5471)
        • iptables (PID: 5476, Parent: 5471, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -X CWMP_CR
      • .i.elf New Fork (PID: 5477, Parent: 5431)
      • sh (PID: 5477, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
        • sh New Fork (PID: 5482, Parent: 5477)
        • iptables (PID: 5482, Parent: 5477, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --dport 11002 -j ACCEPT
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara matches (Source | Rule | Description | Author):
5429.1.00007fee18400000.00007fee18434000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
No Suricata rule has matched

AV Detection

Source: .i.elf | Avira: detected
Source: .i.elf | Virustotal: Detection: 66%
Source: .i.elf | ReversingLabs: Detection: 55%

Spreading

Source: /tmp/.i.elf (PID: 5429) | Opens: /proc/net/route

Networking

Source: /bin/sh (PID: 5441) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP
Source: /bin/sh (PID: 5452) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5458) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP
Source: /bin/sh (PID: 5464) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP
Source: /bin/sh (PID: 5470) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR
Source: /bin/sh (PID: 5476) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR
Source: /bin/sh (PID: 5482) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT
Source: /bin/sh (PID: 5441) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP
Source: /bin/sh (PID: 5452) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5458) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP
Source: /bin/sh (PID: 5464) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP
Source: /bin/sh (PID: 5470) | Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR
Source: /bin/sh (PID: 5476) | Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR
Source: /bin/sh (PID: 5482) | Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT
Source: /tmp/.i.elf (PID: 5431) | Reads hosts file: /etc/hosts
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 127.0.0.1
Source: global traffic | DNS traffic detected: DNS query: router.utorrent.com
Source: global traffic | DNS traffic detected: DNS query: router.bittorrent.com
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappings | Program segment: 0x100000
Source: classification engine | Classification label: mal76.spre.troj.evad.linELF@0/1@58/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 5441) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP
Source: /bin/sh (PID: 5452) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5458) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP
Source: /bin/sh (PID: 5464) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP
Source: /bin/sh (PID: 5470) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR
Source: /bin/sh (PID: 5476) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR
Source: /bin/sh (PID: 5482) | Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT
Source: /tmp/.i.elf (PID: 5431) | Directory: /tmp/.p
Source: /tmp/.i.elf (PID: 5435) | Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
Source: /tmp/.i.elf (PID: 5447) | Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/.i.elf (PID: 5453) | Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
Source: /tmp/.i.elf (PID: 5459) | Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
Source: /tmp/.i.elf (PID: 5465) | Shell command executed: sh -c "iptables -D INPUT -j CWMP_CR"
Source: /tmp/.i.elf (PID: 5471) | Shell command executed: sh -c "iptables -X CWMP_CR"
Source: /tmp/.i.elf (PID: 5477) | Shell command executed: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
Source: /bin/sh (PID: 5441) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP
Source: /bin/sh (PID: 5452) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5458) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP
Source: /bin/sh (PID: 5464) | Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP
Source: /bin/sh (PID: 5470) | Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR
Source: /bin/sh (PID: 5476) | Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR
Source: /bin/sh (PID: 5482) | Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT
Source: submitted sample | Stderr: iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directoryTry `iptables -h' or 'iptables --help' for more information.iptables: No chain/target/match by that name.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/.i.elf (PID: 5431) | File: /tmp/.i.elf
Source: .i.elf | Submission file: segment LOAD with 7.9807 entropy (max. 8.0)
Source: /tmp/.i.elf (PID: 5429) | Queries kernel information via 'uname'
Source: .i.elf, 5429.1.0000557eb0dc3000.0000557eb0e6a000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: .i.elf, 5429.1.00007ffda93ea000.00007ffda940b000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
Source: .i.elf, 5429.1.00007ffda93ea000.00007ffda940b000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Source: .i.elf, 5429.1.0000557eb0dc3000.0000557eb0e6a000.rw-.sdmp | Binary or memory string: ~U!/etc/qemu-binfmt/mipsel

Stealing of Sensitive Information

Source: Yara match | File source: 5429.1.00007fee18400000.00007fee18434000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 5429.1.00007fee18400000.00007fee18434000.r-x.sdmp, type: MEMORY
[MITRE ATT&CK matrix: tactic columns Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact; the per-technique hit counts are flattened in this export and cannot be reliably recovered]
    No configs have been found
[Behavior graph (ID 1639808, sample .i.elf, start date 16/03/2025, architecture LINUX, score 76): .i.elf starts a child .i.elf which opens /proc/net/* files; that child deletes itself and starts seven sh processes, each of which runs iptables; contacted domains: router.utorrent.com, router.bittorrent.com, daisy.ubuntu.com. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet]
Source | Detection | Scanner | Label
.i.elf | 67% | Virustotal |
.i.elf | 56% | ReversingLabs | Linux.Trojan.Hajime
.i.elf | 100% | Avira | LINUX/Hajime.smpwy
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high
router.bittorrent.com | unknown | unknown | false | | high
router.utorrent.com | unknown | unknown | false | | high
          No contacted IP infos
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | .i.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | yakuza.ppc.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | sora.mpsl.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | sora.sh4.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | sora.arm7.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | sora.spc.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | sora.m68k.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | sora.mips.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | sora.x86.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | hgfs.arm5.elf | malicious | Unknown | 162.213.35.24
Process: /tmp/.i.elf
File Type: data
Category: dropped
Size (bytes): 12
Entropy (8bit): 3.2516291673878226
Encrypted: false
SSDEEP: 3:TgLxl:TgLj
MD5: E4B87097E4B36E14500B9CE57C45EA25
SHA1: DE3D58C12CA45D58E41455D0B693AF835D7F7361
SHA-256: 7AD8A46FA4EADA251D0628721EEA0DE6EA917EC6B820146172179FFA68FC44A8
SHA-512: 53CD8469E5F84281D446318E05BBA7B4A0D93FBF7567B663E875E9BBE95453E83E1C233140DBEBFC50C64F981CF1C007A1A573C508AE676BBE78F07C38DA4D43
Malicious: false
Reputation: low
Preview: /tmp/.i.elf.
File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit): 7.9802141500426576
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: .i.elf
File size: 82'536 bytes
MD5: 1f9d836bf7e3d6e6ff4739bcf9635c61
SHA1: 1dff81aeb69bd0deb26fdf4e0312b2502a786980
SHA256: 79e9d1b8cad843713309a972616d65f40e8077d755629d1b4532abe9708c65f9
SHA512: 3672b63d0ee3cde0632040c2f56d027ca86af711d0957dcc057df87e51537f5dd6165543f5ae1fd16c44f4b8e655de4fb9e9618019412e3e22b95ec6524f83cf
SSDEEP: 1536:m3LqE6rUQWzVQR7iAGEcUT5PIi7pLqBNs4LOjcwf4nB6XuzGNy+iSc7Z:mOE6PWo1T5bz4LVMXuzVNScN
TLSH: 568312CFA8598B66EC7DCDFC09DA99044D83615E728B71EF530C959C2038B861C8E96F
File Content Preview: .ELF.................... /..4...........4. ...(......................A...A....................G...G...................}l........................_..........?.E.h;....#....3.FR..gcpC....2.*..]8v. .....'..pw...rW.U.S.....(.|W.H..?#.$0......m.r...U....:...&..

          ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x112f20
Flags: 0x1007
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 2
Section Header Offset: 0
Section Header Size: 40
Number of Section Headers: 0
Header String Table Index: 0

Program headers:
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x100000 | 0x100000 | 0x14195 | 0x14195 | 7.9807 | 0x5 | R E | 0x10000 | |
LOAD | 0xa5a0 | 0x47a5a0 | 0x47a5a0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10000 | |

          Timestamp                            Source Port  Dest Port  Source IP     Dest IP
          Mar 16, 2025 09:28:14.632761002 CET  39987        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:28:19.815380096 CET  54364        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:28:25.065313101 CET  58986        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:28:30.315299034 CET  39248        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:28:35.565324068 CET  56413        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:28:40.815331936 CET  60996        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:28:44.658083916 CET  42293        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:28:46.065397024 CET  43989        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:28:49.664167881 CET  39068        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:28:51.315371037 CET  45519        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:28:54.672437906 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:28:56.565571070 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:28:59.815305948 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:01.815321922 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:05.065380096 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:07.065280914 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:10.315774918 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:12.315318108 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:15.565361977 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:17.565402985 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:20.815318108 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:22.815541983 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:24.704695940 CET  36794        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:29:26.065474033 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:28.065489054 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:29.710911036 CET  55320        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:29:31.315437078 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:33.315397978 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:36.565419912 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:38.565428019 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:41.815491915 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:43.815344095 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:47.065437078 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:49.065385103 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:52.315427065 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:54.315557957 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:29:57.565383911 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:29:59.565391064 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:02.815393925 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:04.772484064 CET  52299        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:30:04.815361023 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:08.065366983 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:09.778366089 CET  56924        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:30:10.065351963 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:13.315560102 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:15.315532923 CET  44395        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:18.565376043 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:23.815428019 CET  40692        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:29.065444946 CET  34831        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:34.316066980 CET  58385        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:39.565664053 CET  42156        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:44.813730001 CET  58764        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:30:44.815572023 CET  57060        53         192.168.2.13  1.1.1.1
          Mar 16, 2025 09:30:49.819645882 CET  39802        53         192.168.2.13  127.0.0.1
          Mar 16, 2025 09:30:50.065516949 CET  43336        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:54.603631020 CET  58966        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:54.603699923 CET  57183        53         192.168.2.13  8.8.8.8
          Mar 16, 2025 09:30:54.609908104 CET  53           57183      8.8.8.8       192.168.2.13
          Mar 16, 2025 09:30:54.609925032 CET  53           58966      8.8.8.8       192.168.2.13
          Mar 16, 2025 09:30:55.315313101 CET  56748        53         192.168.2.13  1.1.1.1
          Timestamp                            Source IP     Dest IP    Trans ID  OP Code             Name                   Type            Class        DNS over HTTPS
          Mar 16, 2025 09:28:14.632761002 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:19.815380096 CET  192.168.2.13  1.1.1.1    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:25.065313101 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:30.315299034 CET  192.168.2.13  1.1.1.1    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:35.565324068 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:40.815331936 CET  192.168.2.13  1.1.1.1    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:44.658083916 CET  192.168.2.13  127.0.0.1  0xb5a5    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:46.065397024 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:49.664167881 CET  192.168.2.13  127.0.0.1  0xb5a5    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:51.315371037 CET  192.168.2.13  1.1.1.1    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:54.672437906 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:56.565571070 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:28:59.815305948 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:01.815321922 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:05.065380096 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:07.065280914 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:10.315774918 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:12.315318108 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:15.565361977 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:17.565402985 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:20.815318108 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:22.815541983 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:24.704695940 CET  192.168.2.13  127.0.0.1  0xa05a    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:26.065474033 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:28.065489054 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:29.710911036 CET  192.168.2.13  127.0.0.1  0xa05a    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:31.315437078 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:33.315397978 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:36.565419912 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:38.565428019 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:41.815491915 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:43.815344095 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:47.065437078 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:49.065385103 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:52.315427065 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:54.315557957 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:57.565383911 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:29:59.565391064 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:02.815393925 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:04.772484064 CET  192.168.2.13  127.0.0.1  0x128e    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:04.815361023 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:08.065366983 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:09.778366089 CET  192.168.2.13  127.0.0.1  0x128e    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:10.065351963 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:13.315560102 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:15.315532923 CET  192.168.2.13  8.8.8.8    0x8cae    Standard query (0)  router.utorrent.com    A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:18.565376043 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:23.815428019 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:29.065444946 CET  192.168.2.13  8.8.8.8    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:34.316066980 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:39.565664053 CET  192.168.2.13  8.8.8.8    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:44.813730001 CET  192.168.2.13  127.0.0.1  0x498a    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:44.815572023 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:49.819645882 CET  192.168.2.13  127.0.0.1  0x498a    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:50.065516949 CET  192.168.2.13  8.8.8.8    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:54.603631020 CET  192.168.2.13  8.8.8.8    0xf28f    Standard query (0)  daisy.ubuntu.com       A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:54.603699923 CET  192.168.2.13  8.8.8.8    0x2a2d    Standard query (0)  daisy.ubuntu.com       28              IN (0x0001)  false
          Mar 16, 2025 09:30:55.315313101 CET  192.168.2.13  1.1.1.1    0x3812    Standard query (0)  router.bittorrent.com  A (IP address)  IN (0x0001)  false
          Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address        Type            Class        DNS over HTTPS
          Mar 16, 2025 09:30:54.609925032 CET  8.8.8.8    192.168.2.13  0xf28f    No error (0)  daisy.ubuntu.com         162.213.35.25  A (IP address)  IN (0x0001)  false
          Mar 16, 2025 09:30:54.609925032 CET  8.8.8.8    192.168.2.13  0xf28f    No error (0)  daisy.ubuntu.com         162.213.35.24  A (IP address)  IN (0x0001)  false

          System Behavior

          Start time (UTC):08:28:08
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:/tmp/.i.elf
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -A INPUT -p tcp --destination-port 23 -j DROP
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -A INPUT -p tcp --destination-port 7547 -j DROP
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -A INPUT -p tcp --destination-port 5555 -j DROP
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:12
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -A INPUT -p tcp --destination-port 5358 -j DROP
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -D INPUT -j CWMP_CR"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -D INPUT -j CWMP_CR
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -X CWMP_CR"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -X CWMP_CR
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/tmp/.i.elf
          Arguments:-
          File size:5773336 bytes
          MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/bin/sh
          Arguments:-
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

          Start time (UTC):08:28:13
          Start date (UTC):16/03/2025
          Path:/usr/sbin/iptables
          Arguments:iptables -I INPUT -p udp --dport 11002 -j ACCEPT
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af