Edit tour

Linux Analysis Report
bot.x86.elf

Overview

General Information

Sample name:	bot.x86.elf
Analysis ID:	1647202
MD5:	16eedcd50d268dc0649de66d7c5d9a51
SHA1:	3caf59c6f4b10619b9227399ca118fb5901620ae
SHA256:	e7582daa9ae1cf7d9ead083ddd932a3222265a28156cb4fc43f0741987e5a562
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Mirai

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1647202
Start date and time:	2025-03-24 16:14:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	bot.x86.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/0@22/0

Runtime Messages

Command:	/tmp/bot.x86.elf
PID:	5512
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

bot.x86.elf (PID: 5512, Parent: 5436, MD5: 16eedcd50d268dc0649de66d7c5d9a51) Arguments: /tmp/bot.x86.elf

bot.x86.elf New Fork (PID: 5513, Parent: 5512)

bot.x86.elf New Fork (PID: 5514, Parent: 5513)

dash New Fork (PID: 5515, Parent: 3671)

rm (PID: 5515, Parent: 3671, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.ZnXAROhRAn /tmp/tmp.8aUYyTSrpf /tmp/tmp.czQIKME71C

dash New Fork (PID: 5516, Parent: 3671)

rm (PID: 5516, Parent: 3671, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.ZnXAROhRAn /tmp/tmp.8aUYyTSrpf /tmp/tmp.czQIKME71C

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bot.x86.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
bot.x86.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
bot.x86.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
bot.x86.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1077c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1081c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1086c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10880:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10894:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
bot.x86.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x105e4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
bot.x86.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4040:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
bot.x86.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x93a5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
bot.x86.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
bot.x86.elf	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
bot.x86.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc378:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
bot.x86.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xac19:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
bot.x86.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5512.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5512.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5512.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1077c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1081c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1086c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10880:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10894:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x105e4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4040:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x93a5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc378:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xac19:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5512.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: bot.x86.elf PID: 5512	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: bot.x86.elf PID: 5512	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: bot.x86.elf PID: 5512	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: bot.x86.elf PID: 5512	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xcab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcbf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcd3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcfb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd0f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd23:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd37:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd4b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd73:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd87:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd9b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdaf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdc3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdd7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdeb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe13:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe27:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe3b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: bot.x86.elf PID: 5512	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xb95:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 12 entries

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-24T16:14:47.673611+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40056	103.135.45.110	47925	TCP
2025-03-24T16:14:51.122709+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40058	103.135.45.110	47925	TCP
2025-03-24T16:14:52.576107+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40060	103.135.45.110	47925	TCP
2025-03-24T16:14:58.030903+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40062	103.135.45.110	47925	TCP
2025-03-24T16:15:08.501000+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40064	103.135.45.110	47925	TCP
2025-03-24T16:15:15.957011+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40066	103.135.45.110	47925	TCP
2025-03-24T16:15:21.402268+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40068	103.135.45.110	47925	TCP
2025-03-24T16:15:25.864397+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40070	103.135.45.110	47925	TCP
2025-03-24T16:15:32.322883+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40072	103.135.45.110	47925	TCP
2025-03-24T16:15:41.792681+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40074	103.135.45.110	47925	TCP
2025-03-24T16:15:43.254609+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40076	103.135.45.110	47925	TCP
2025-03-24T16:15:51.723904+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40078	103.135.45.110	47925	TCP
2025-03-24T16:15:55.221133+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40080	103.135.45.110	47925	TCP
2025-03-24T16:16:00.695117+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40082	103.135.45.110	47925	TCP
2025-03-24T16:16:16.174675+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40084	103.135.45.110	47925	TCP
2025-03-24T16:16:25.677143+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40086	103.135.45.110	47925	TCP
2025-03-24T16:16:34.231819+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40088	103.135.45.110	47925	TCP
2025-03-24T16:16:34.871859+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40088	103.135.45.110	47925	TCP
2025-03-24T16:16:43.435101+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40090	103.135.45.110	47925	TCP
2025-03-24T16:16:48.991264+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40092	103.135.45.110	47925	TCP
2025-03-24T16:16:49.631250+0100	2030490	1	Malware Command and Control Activity Detected	192.168.2.15	40092	103.135.45.110	47925	TCP

String: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40074 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40064 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40078 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40072 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40056 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40062 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40058 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40088 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40076 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40068 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40084 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40066 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40082 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40070 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40080 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40086 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40060 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40092 -> 103.135.45.110:47925
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40090 -> 103.135.45.110:47925

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 103.135.45.110 ports 47925,2,4,5,7,9

Source: global traffic

TCP traffic: 192.168.2.15:40056 -> 103.135.45.110:47925

Source: global traffic

TCP traffic: 192.168.2.15:36178 -> 34.243.160.129:443

Source: unknown

TCP traffic detected without corresponding DNS query: 34.243.160.129

Source: global traffic

DNS traffic detected: DNS query: bot.dstats.org

Source: unknown

Network traffic detected: HTTP traffic on port 36178 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/bot.x86.elf (PID: 5514)	SIGKILL sent: pid: 3769, result: successful	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	SIGKILL sent: pid: 3799, result: successful	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	SIGKILL sent: pid: 3800, result: successful	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	SIGKILL sent: pid: 3801, result: successful	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	SIGKILL sent: pid: 3802, result: successful	Jump to behavior

Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: bot.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/0@22/0

Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3769/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/133/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3671/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/264/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/265/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/145/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/266/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/267/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/268/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/269/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/1806/cmdline	Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5514)	File opened: /proc/3440/cmdline	Jump to behavior

Source: /usr/bin/dash (PID: 5515)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ZnXAROhRAn /tmp/tmp.8aUYyTSrpf /tmp/tmp.czQIKME71C			Jump to behavior
Source: /usr/bin/dash (PID: 5516)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ZnXAROhRAn /tmp/tmp.8aUYyTSrpf /tmp/tmp.czQIKME71C			Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Mirai

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: bot.x86.elf, type: SAMPLE
Source: Yara match	File source: 5512.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.x86.elf PID: 5512, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File Deletion	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bot.x86.elf	62%	Virustotal		Browse
bot.x86.elf	67%	ReversingLabs	Linux.Backdoor.Mirai
bot.x86.elf	100%	Avira	EXP/ELF.Mirai.Z.A

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bot.dstats.org	103.135.45.110	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.135.45.110	bot.dstats.org	Pakistan		138640	IISPL-AS-APIJInternetServicesPVTLimitedPK	false
34.243.160.129	unknown	United States		16509	AMAZON-02US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.135.45.110	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
34.243.160.129	arm.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	ppc.fkunigr.elf	Get hash	malicious	Mirai	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	wget.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	miner.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bot.dstats.org	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://teqaloki.site/gasnasalk/hagshaisn/xxx/ZXdlbi5jYWlybnNAZm9zdGVyLWdhbWtvLmNvbQ==	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	3.168.73.40
	inventory list.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	na.elf	Get hash	malicious	Prometei	Browse	52.212.150.54
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	em_XsVM4WZh_installer_Win7-Win11_x86_x64.msi	Get hash	malicious	Unknown	Browse	18.157.52.237
	FT-51050458.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	na.elf	Get hash	malicious	Prometei	Browse	52.212.150.54
	65W20 mokapto Siparisi.pdf.exe	Get hash	malicious	GuLoader	Browse	52.11.240.239
	na.elf	Get hash	malicious	Prometei	Browse	52.212.150.54
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
IISPL-AS-APIJInternetServicesPVTLimitedPK	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	103.135.45.110
	aKDVvCx8ni.exe	Get hash	malicious	FormBook	Browse	103.135.45.76

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.7722422595198895
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	bot.x86.elf
File size:	93'768 bytes
MD5:	16eedcd50d268dc0649de66d7c5d9a51
SHA1:	3caf59c6f4b10619b9227399ca118fb5901620ae
SHA256:	e7582daa9ae1cf7d9ead083ddd932a3222265a28156cb4fc43f0741987e5a562
SHA512:	89c155ab26b0fc8fc009613b0bb6e284e2e363c967bf967a9f20548d81fc299f0211eb75e78f7fa7e1a1dcfa66ab1f4422840f4455a8d148a6f91bae98ae9c44
SSDEEP:	1536:oFd1IRgCXUzx7t0fMqlmgQEiyhcg+7ju72wPZnWhZS5xtY+c:oFdmR9XUzxh0fMgmgQEimEjLAdew5bc
TLSH:	6E936BC4F643E5F1EC8709B16137EB374B32F0BA111AEA43C76999729CA2541DA06B9C
File Content Preview:	.ELF....................d...4....l......4. ...(......................$...$...............$...........G..8...........Q.td............................U..S.......o4...h....c...[]...$.............U......=.....t..5....$......$.......u........t....h............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	93368
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xfe86	0x0	0x6	AX	16
.fini	PROGBITS	0x8057f36	0xff36	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8057f60	0xff60	0x2590	0x0	0x2	A	32
.ctors	PROGBITS	0x805b4f4	0x124f4	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x805b500	0x12500	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805b520	0x12520	0x4758	0x0	0x3	WA	32
.bss	NOBITS	0x805fc80	0x16c78	0x49ac	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x16c78	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x124f0	0x124f0	6.6050	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x124f4	0x805b4f4	0x805b4f4	0x4784	0x9138	0.3642	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-24T16:14:47.673611+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40056	103.135.45.110	47925	TCP
2025-03-24T16:14:51.122709+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40058	103.135.45.110	47925	TCP
2025-03-24T16:14:52.576107+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40060	103.135.45.110	47925	TCP
2025-03-24T16:14:58.030903+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40062	103.135.45.110	47925	TCP
2025-03-24T16:15:08.501000+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40064	103.135.45.110	47925	TCP
2025-03-24T16:15:15.957011+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40066	103.135.45.110	47925	TCP
2025-03-24T16:15:21.402268+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40068	103.135.45.110	47925	TCP
2025-03-24T16:15:25.864397+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40070	103.135.45.110	47925	TCP
2025-03-24T16:15:32.322883+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40072	103.135.45.110	47925	TCP
2025-03-24T16:15:41.792681+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40074	103.135.45.110	47925	TCP
2025-03-24T16:15:43.254609+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40076	103.135.45.110	47925	TCP
2025-03-24T16:15:51.723904+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40078	103.135.45.110	47925	TCP
2025-03-24T16:15:55.221133+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40080	103.135.45.110	47925	TCP
2025-03-24T16:16:00.695117+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40082	103.135.45.110	47925	TCP
2025-03-24T16:16:16.174675+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40084	103.135.45.110	47925	TCP
2025-03-24T16:16:25.677143+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40086	103.135.45.110	47925	TCP
2025-03-24T16:16:34.231819+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40088	103.135.45.110	47925	TCP
2025-03-24T16:16:34.871859+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40088	103.135.45.110	47925	TCP
2025-03-24T16:16:43.435101+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40090	103.135.45.110	47925	TCP
2025-03-24T16:16:48.991264+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40092	103.135.45.110	47925	TCP
2025-03-24T16:16:49.631250+0100	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.15	40092	103.135.45.110	47925	TCP

Network Port Distribution

Total Packets: 88
• 47925 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 16:14:46.849190950 CET	36178	443	192.168.2.15	34.243.160.129
Mar 24, 2025 16:14:47.497962952 CET	40056	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:47.673459053 CET	47925	40056	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:47.673540115 CET	40056	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:47.673610926 CET	40056	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:47.850183964 CET	47925	40056	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:47.850405931 CET	47925	40056	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:50.951342106 CET	40058	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:51.122543097 CET	47925	40058	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:51.122636080 CET	40058	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:51.122709036 CET	40058	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:51.291960955 CET	47925	40058	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:51.291984081 CET	47925	40058	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:52.401957989 CET	40060	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:52.575972080 CET	47925	40060	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:52.576044083 CET	40060	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:52.576107025 CET	40060	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:52.751419067 CET	47925	40060	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:52.751516104 CET	47925	40060	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:57.861211061 CET	40062	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:58.030734062 CET	47925	40062	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:58.030867100 CET	40062	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:58.030903101 CET	40062	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:14:58.212006092 CET	47925	40062	103.135.45.110	192.168.2.15
Mar 24, 2025 16:14:58.212057114 CET	47925	40062	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:08.322310925 CET	40064	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:08.500845909 CET	47925	40064	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:08.500962019 CET	40064	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:08.500999928 CET	40064	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:08.676675081 CET	47925	40064	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:08.676701069 CET	47925	40064	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:08.676815033 CET	40064	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:08.855298042 CET	47925	40064	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:15.785168886 CET	40066	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:15.956588984 CET	47925	40066	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:15.957010984 CET	40066	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:15.957010984 CET	40066	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:16.127962112 CET	47925	40066	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:16.128048897 CET	47925	40066	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:16.128348112 CET	40066	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:16.297583103 CET	47925	40066	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:21.232656002 CET	40068	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:21.402065992 CET	47925	40068	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:21.402185917 CET	40068	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:21.402267933 CET	40068	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:21.570477962 CET	47925	40068	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:21.570528030 CET	47925	40068	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:21.570626020 CET	40068	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:21.740770102 CET	47925	40068	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:25.681932926 CET	40070	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:25.864255905 CET	47925	40070	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:25.864367962 CET	40070	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:25.864397049 CET	40070	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:26.042499065 CET	47925	40070	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:26.042526007 CET	47925	40070	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:32.156038046 CET	40072	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:32.322721004 CET	47925	40072	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:32.322819948 CET	40072	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:32.322882891 CET	40072	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:32.503953934 CET	47925	40072	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:32.504123926 CET	47925	40072	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:32.504215002 CET	40072	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:32.673162937 CET	47925	40072	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:41.616465092 CET	40074	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:41.792360067 CET	47925	40074	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:41.792644024 CET	40074	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:41.792680979 CET	40074	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:41.962856054 CET	47925	40074	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:41.962956905 CET	47925	40074	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:43.075660944 CET	40076	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:43.254422903 CET	47925	40076	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:43.254568100 CET	40076	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:43.254609108 CET	40076	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:43.433717012 CET	47925	40076	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:43.433954000 CET	47925	40076	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:51.550381899 CET	40078	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:51.723611116 CET	47925	40078	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:51.723810911 CET	40078	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:51.723903894 CET	40078	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:51.896502972 CET	47925	40078	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:51.896593094 CET	47925	40078	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:55.043055058 CET	40080	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:55.220896006 CET	47925	40080	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:55.221093893 CET	40080	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:55.221132994 CET	40080	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:15:55.394579887 CET	47925	40080	103.135.45.110	192.168.2.15
Mar 24, 2025 16:15:55.394738913 CET	47925	40080	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:00.521403074 CET	40082	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:00.694974899 CET	47925	40082	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:00.695075989 CET	40082	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:00.695116997 CET	40082	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:00.871092081 CET	47925	40082	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:00.871121883 CET	47925	40082	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:15.994776964 CET	40084	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:16.174495935 CET	47925	40084	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:16.174638033 CET	40084	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:16.174674988 CET	40084	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:16.352487087 CET	47925	40084	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:16.352508068 CET	47925	40084	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:16.352644920 CET	40084	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:16.526469946 CET	47925	40084	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:25.501426935 CET	40086	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:25.676979065 CET	47925	40086	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:25.677090883 CET	40086	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:25.677143097 CET	40086	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:25.881989956 CET	47925	40086	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:25.882342100 CET	47925	40086	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:25.882466078 CET	40086	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:26.096038103 CET	47925	40086	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:34.029172897 CET	40088	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:34.231628895 CET	47925	40088	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:34.231818914 CET	40088	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:34.231818914 CET	40088	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:34.871859074 CET	40088	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:35.083632946 CET	47925	40088	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:43.221725941 CET	40090	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:43.432629108 CET	47925	40090	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:43.435101032 CET	40090	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:43.435101032 CET	40090	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:43.637479067 CET	47925	40090	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:43.637499094 CET	47925	40090	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:48.785130024 CET	40092	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:48.991096973 CET	47925	40092	103.135.45.110	192.168.2.15
Mar 24, 2025 16:16:48.991221905 CET	40092	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:48.991264105 CET	40092	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:49.631249905 CET	40092	47925	192.168.2.15	103.135.45.110
Mar 24, 2025 16:16:49.825220108 CET	47925	40092	103.135.45.110	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2025 16:14:47.388593912 CET	55427	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:14:47.497829914 CET	53	55427	8.8.8.8	192.168.2.15
Mar 24, 2025 16:14:50.853507996 CET	47882	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:14:50.951209068 CET	53	47882	8.8.8.8	192.168.2.15
Mar 24, 2025 16:14:52.295577049 CET	34711	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:14:52.401818991 CET	53	34711	8.8.8.8	192.168.2.15
Mar 24, 2025 16:14:57.755470991 CET	38145	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:14:57.861067057 CET	53	38145	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:08.218403101 CET	51532	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:08.322145939 CET	53	51532	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:15.682261944 CET	55701	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:15.784890890 CET	53	55701	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:21.132498026 CET	51292	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:21.232456923 CET	53	51292	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:25.573712111 CET	51595	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:25.681776047 CET	53	51595	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:32.047032118 CET	41758	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:32.155797958 CET	53	41758	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:41.510580063 CET	38153	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:41.615967035 CET	53	38153	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:42.965183020 CET	54604	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:43.075418949 CET	53	54604	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:51.439372063 CET	37087	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:51.550184965 CET	53	37087	8.8.8.8	192.168.2.15
Mar 24, 2025 16:15:54.899336100 CET	39123	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:15:55.042850018 CET	53	39123	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:00.398619890 CET	55121	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:00.521132946 CET	53	55121	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:10.877657890 CET	35342	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:15.882396936 CET	39006	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:15.994585037 CET	53	39006	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:25.359006882 CET	55184	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:25.501125097 CET	53	55184	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:28.885487080 CET	50411	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:33.893275976 CET	46338	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:34.028891087 CET	53	46338	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:43.089355946 CET	59341	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:43.221558094 CET	53	59341	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:48.641712904 CET	40863	53	192.168.2.15	8.8.8.8
Mar 24, 2025 16:16:48.784965992 CET	53	40863	8.8.8.8	192.168.2.15
Mar 24, 2025 16:16:50.827294111 CET	52450	53	192.168.2.15	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 24, 2025 16:14:47.388593912 CET	192.168.2.15	8.8.8.8	0x4e7c	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:14:50.853507996 CET	192.168.2.15	8.8.8.8	0xcd89	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:14:52.295577049 CET	192.168.2.15	8.8.8.8	0x8021	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:14:57.755470991 CET	192.168.2.15	8.8.8.8	0xe3cb	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:08.218403101 CET	192.168.2.15	8.8.8.8	0x75dd	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:15.682261944 CET	192.168.2.15	8.8.8.8	0xc73	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:21.132498026 CET	192.168.2.15	8.8.8.8	0x1be	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:25.573712111 CET	192.168.2.15	8.8.8.8	0x9a4	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:32.047032118 CET	192.168.2.15	8.8.8.8	0xfcaa	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:41.510580063 CET	192.168.2.15	8.8.8.8	0xd3cb	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:42.965183020 CET	192.168.2.15	8.8.8.8	0xac45	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:51.439372063 CET	192.168.2.15	8.8.8.8	0x947e	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:54.899336100 CET	192.168.2.15	8.8.8.8	0xaf38	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:00.398619890 CET	192.168.2.15	8.8.8.8	0xf759	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:10.877657890 CET	192.168.2.15	8.8.8.8	0xb824	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:15.882396936 CET	192.168.2.15	8.8.8.8	0xb824	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:25.359006882 CET	192.168.2.15	8.8.8.8	0x1569	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:28.885487080 CET	192.168.2.15	8.8.8.8	0x4f4e	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:33.893275976 CET	192.168.2.15	8.8.8.8	0x4f4e	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:43.089355946 CET	192.168.2.15	8.8.8.8	0x514	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:48.641712904 CET	192.168.2.15	8.8.8.8	0x3545	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:50.827294111 CET	192.168.2.15	8.8.8.8	0x40d6	Standard query (0)	bot.dstats.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 24, 2025 16:14:47.497829914 CET	8.8.8.8	192.168.2.15	0x4e7c	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:14:50.951209068 CET	8.8.8.8	192.168.2.15	0xcd89	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:14:52.401818991 CET	8.8.8.8	192.168.2.15	0x8021	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:14:57.861067057 CET	8.8.8.8	192.168.2.15	0xe3cb	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:08.322145939 CET	8.8.8.8	192.168.2.15	0x75dd	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:15.784890890 CET	8.8.8.8	192.168.2.15	0xc73	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:21.232456923 CET	8.8.8.8	192.168.2.15	0x1be	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:25.681776047 CET	8.8.8.8	192.168.2.15	0x9a4	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:32.155797958 CET	8.8.8.8	192.168.2.15	0xfcaa	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:41.615967035 CET	8.8.8.8	192.168.2.15	0xd3cb	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:43.075418949 CET	8.8.8.8	192.168.2.15	0xac45	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:51.550184965 CET	8.8.8.8	192.168.2.15	0x947e	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:15:55.042850018 CET	8.8.8.8	192.168.2.15	0xaf38	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:00.521132946 CET	8.8.8.8	192.168.2.15	0xf759	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:15.994585037 CET	8.8.8.8	192.168.2.15	0xb824	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:25.501125097 CET	8.8.8.8	192.168.2.15	0x1569	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:34.028891087 CET	8.8.8.8	192.168.2.15	0x4f4e	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:43.221558094 CET	8.8.8.8	192.168.2.15	0x514	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false
Mar 24, 2025 16:16:48.784965992 CET	8.8.8.8	192.168.2.15	0x3545	No error (0)	bot.dstats.org	103.135.45.110	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: bot.x86.elf PID: 5512, Parent PID: 5436

General

Start time (UTC):	15:14:46
Start date (UTC):	24/03/2025
Path:	/tmp/bot.x86.elf
Arguments:	/tmp/bot.x86.elf
File size:	93768 bytes
MD5 hash:	16eedcd50d268dc0649de66d7c5d9a51

Start time (UTC):	15:14:46
Start date (UTC):	24/03/2025
Path:	/tmp/bot.x86.elf
Arguments:	-
File size:	93768 bytes
MD5 hash:	16eedcd50d268dc0649de66d7c5d9a51

Start time (UTC):	15:14:46
Start date (UTC):	24/03/2025
Path:	/tmp/bot.x86.elf
Arguments:	-
File size:	93768 bytes
MD5 hash:	16eedcd50d268dc0649de66d7c5d9a51

Start time (UTC):	15:14:47
Start date (UTC):	24/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	15:14:47
Start date (UTC):	24/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.ZnXAROhRAn /tmp/tmp.8aUYyTSrpf /tmp/tmp.czQIKME71C
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):	15:14:47
Start date (UTC):	24/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	15:14:47
Start date (UTC):	24/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.ZnXAROhRAn /tmp/tmp.8aUYyTSrpf /tmp/tmp.czQIKME71C
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Source: bot.x86.elf	Virustotal: Detection: 61%			Perma Link
Source: bot.x86.elf	ReversingLabs: Detection: 66%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report bot.x86.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: bot.x86.elf PID: 5512, Parent PID: 5436

General

File Activities

File Deleted

Process Activities

Process Forked

Prctl Requested

Chronological Activities

Analysis Process: bot.x86.elf PID: 5513, Parent PID: 5512

General

Process Activities

Process Forked

Thread Sleep

Chronological Activities

Analysis Process: bot.x86.elf PID: 5514, Parent PID: 5513

General

Linux Analysis Report
bot.x86.elf