Edit tour

Linux Analysis Report
bot.x86_64.elf

Overview

General Information

Sample name:bot.x86_64.elf
Analysis ID:1647206
MD5:d8980db0043c7d1c698af29a9c999695
SHA1:1cb54a3e70e1c9fd5863799e750927a4323891f0
SHA256:556cf3c44cf8e435b8f718795f7064779d7a8cdec4d916fdd6021dde343388f5
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai, Gafgyt, Okiru
Score:100
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Gafgyt
Yara detected Mirai
Yara detected Okiru
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1647206
Start date and time:2025-03-24 16:18:57 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 22s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:bot.x86_64.elf
Detection:MAL
Classification:mal100.troj.linELF@0/0@21/0
Command:/tmp/bot.x86_64.elf
PID:5514
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 5517, Parent: 3673)
  • rm (PID: 5517, Parent: 3673, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.SsxKKzZGv8 /tmp/tmp.r5rynL22i1 /tmp/tmp.ABcUrusLk3
  • dash New Fork (PID: 5518, Parent: 3673)
  • rm (PID: 5518, Parent: 3673, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.SsxKKzZGv8 /tmp/tmp.r5rynL22i1 /tmp/tmp.ABcUrusLk3
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
NameDescriptionAttributionBlogpost URLsLink
Bashlite, GafgytBashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
SourceRuleDescriptionAuthorStrings
bot.x86_64.elfJoeSecurity_GafgytYara detected GafgytJoe Security
    bot.x86_64.elfJoeSecurity_OkiruYara detected OkiruJoe Security
      bot.x86_64.elfJoeSecurity_Mirai_3Yara detected MiraiJoe Security
        bot.x86_64.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          bot.x86_64.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
          • 0x17480:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17494:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x174a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x174bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x174d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x174e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x174f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1750c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17520:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17534:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1755c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x175ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x175c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x175d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x175e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x175fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x17610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          Click to see the 15 entries
          SourceRuleDescriptionAuthorStrings
          5514.1.0000000000400000.000000000041b000.r-x.sdmpJoeSecurity_GafgytYara detected GafgytJoe Security
            5514.1.0000000000400000.000000000041b000.r-x.sdmpJoeSecurity_OkiruYara detected OkiruJoe Security
              5514.1.0000000000400000.000000000041b000.r-x.sdmpJoeSecurity_Mirai_3Yara detected MiraiJoe Security
                5514.1.0000000000400000.000000000041b000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
                  5514.1.0000000000400000.000000000041b000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
                  • 0x17480:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17494:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x174a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x174bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x174d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x174e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x174f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x1750c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17520:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17534:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x1755c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x175ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x175c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x175d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x175e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x175fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  • 0x17610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
                  Click to see the 20 entries
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-24T16:19:39.977108+010020304901Malware Command and Control Activity Detected192.168.2.1540056103.135.45.11047925TCP
                  2025-03-24T16:19:43.545963+010020304901Malware Command and Control Activity Detected192.168.2.1540058103.135.45.11047925TCP
                  2025-03-24T16:19:51.054102+010020304901Malware Command and Control Activity Detected192.168.2.1540060103.135.45.11047925TCP
                  2025-03-24T16:19:54.572071+010020304901Malware Command and Control Activity Detected192.168.2.1540062103.135.45.11047925TCP
                  2025-03-24T16:19:56.132917+010020304901Malware Command and Control Activity Detected192.168.2.1540064103.135.45.11047925TCP
                  2025-03-24T16:20:02.653081+010020304901Malware Command and Control Activity Detected192.168.2.1540066103.135.45.11047925TCP
                  2025-03-24T16:20:08.178681+010020304901Malware Command and Control Activity Detected192.168.2.1540068103.135.45.11047925TCP
                  2025-03-24T16:20:14.679213+010020304901Malware Command and Control Activity Detected192.168.2.1540070103.135.45.11047925TCP
                  2025-03-24T16:20:25.182902+010020304901Malware Command and Control Activity Detected192.168.2.1540072103.135.45.11047925TCP
                  2025-03-24T16:20:34.749144+010020304901Malware Command and Control Activity Detected192.168.2.1540074103.135.45.11047925TCP
                  2025-03-24T16:20:37.280772+010020304901Malware Command and Control Activity Detected192.168.2.1540076103.135.45.11047925TCP
                  2025-03-24T16:20:38.765578+010020304901Malware Command and Control Activity Detected192.168.2.1540078103.135.45.11047925TCP
                  2025-03-24T16:20:49.229818+010020304901Malware Command and Control Activity Detected192.168.2.1540080103.135.45.11047925TCP
                  2025-03-24T16:20:53.674774+010020304901Malware Command and Control Activity Detected192.168.2.1540082103.135.45.11047925TCP
                  2025-03-24T16:20:55.139347+010020304901Malware Command and Control Activity Detected192.168.2.1540084103.135.45.11047925TCP
                  2025-03-24T16:21:04.600294+010020304901Malware Command and Control Activity Detected192.168.2.1540086103.135.45.11047925TCP
                  2025-03-24T16:21:12.068027+010020304901Malware Command and Control Activity Detected192.168.2.1540088103.135.45.11047925TCP
                  2025-03-24T16:21:15.524668+010020304901Malware Command and Control Activity Detected192.168.2.1540090103.135.45.11047925TCP
                  2025-03-24T16:21:23.977412+010020304901Malware Command and Control Activity Detected192.168.2.1540092103.135.45.11047925TCP
                  2025-03-24T16:21:31.437355+010020304901Malware Command and Control Activity Detected192.168.2.1540094103.135.45.11047925TCP
                  2025-03-24T16:21:37.899924+010020304901Malware Command and Control Activity Detected192.168.2.1540096103.135.45.11047925TCP

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Source: bot.x86_64.elfAvira: detected
                  Source: bot.x86_64.elfVirustotal: Detection: 55%Perma Link
                  Source: bot.x86_64.elfReversingLabs: Detection: 58%
                  Source: bot.x86_64.elfString: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

                  Networking

                  barindex
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40074 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40058 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40072 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40070 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40090 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40064 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40062 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40088 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40076 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40082 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40094 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40060 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40092 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40066 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40080 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40086 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40096 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40078 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40056 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40068 -> 103.135.45.110:47925
                  Source: Network trafficSuricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:40084 -> 103.135.45.110:47925
                  Source: global trafficTCP traffic: 103.135.45.110 ports 47925,2,4,5,7,9
                  Source: global trafficTCP traffic: 192.168.2.15:40056 -> 103.135.45.110:47925
                  Source: global trafficDNS traffic detected: DNS query: bot.dstats.org

                  System Summary

                  barindex
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
                  Source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
                  Source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
                  Source: Initial sampleString containing 'busybox' found: /bin/busybox
                  Source: Initial sampleString containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f
                  Source: ELF static info symbol of initial sample.symtab present: no
                  Source: /tmp/bot.x86_64.elf (PID: 5516)SIGKILL sent: pid: 3775, result: successfulJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)SIGKILL sent: pid: 3801, result: successfulJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)SIGKILL sent: pid: 3802, result: successfulJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)SIGKILL sent: pid: 3803, result: successfulJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)SIGKILL sent: pid: 3804, result: successfulJump to behavior
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
                  Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
                  Source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
                  Source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
                  Source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
                  Source: classification engineClassification label: mal100.troj.linELF@0/0@21/0
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/110/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/231/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/111/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/112/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/233/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/113/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/114/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/235/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/115/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1333/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/116/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1695/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/117/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/118/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/119/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/911/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/914/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/10/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/917/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/11/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/12/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/13/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/14/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/15/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/16/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/17/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/18/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/19/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1591/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/120/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/121/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/122/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/243/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/2/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/123/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/124/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1588/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/125/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/4/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/246/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/126/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/5/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/127/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/6/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1585/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/128/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/7/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/129/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/8/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/800/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/9/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/802/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/803/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/804/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/20/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/21/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3407/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/22/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/23/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/24/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/25/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/26/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/27/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/28/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/29/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1484/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/490/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/250/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/130/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/251/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/131/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/132/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/133/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1479/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/378/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/258/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/259/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/931/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1595/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/812/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/933/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3775/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/30/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3419/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/35/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3673/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3310/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/260/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/261/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/262/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/142/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/263/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/264/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/265/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/145/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/266/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/267/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/268/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3303/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/269/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1486/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/1806/cmdlineJump to behavior
                  Source: /tmp/bot.x86_64.elf (PID: 5516)File opened: /proc/3440/cmdlineJump to behavior
                  Source: /usr/bin/dash (PID: 5517)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.SsxKKzZGv8 /tmp/tmp.r5rynL22i1 /tmp/tmp.ABcUrusLk3Jump to behavior
                  Source: /usr/bin/dash (PID: 5518)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.SsxKKzZGv8 /tmp/tmp.r5rynL22i1 /tmp/tmp.ABcUrusLk3Jump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
                  Source: Yara matchFile source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
                  Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
                  Source: Yara matchFile source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTR
                  Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
                  Source: Yara matchFile source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
                  Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
                  Source: Yara matchFile source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
                  Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
                  Source: Yara matchFile source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTR
                  Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
                  Source: Yara matchFile source: 5514.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bot.x86_64.elf PID: 5514, type: MEMORYSTR
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information1
                  Scripting
                  Valid AccountsWindows Management Instrumentation1
                  Scripting
                  Path Interception1
                  File Deletion
                  1
                  OS Credential Dumping
                  System Service DiscoveryRemote ServicesData from Local System1
                  Non-Standard Port
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
                  Non-Application Layer Protocol
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
                  Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  No configs have been found
                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Number of created Files
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1647206 Sample: bot.x86_64.elf Startdate: 24/03/2025 Architecture: LINUX Score: 100 18 bot.dstats.org 103.135.45.110, 40056, 40058, 40060 IISPL-AS-APIJInternetServicesPVTLimitedPK Pakistan 2->18 20 Suricata IDS alerts for network traffic 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 6 other signatures 2->26 8 bot.x86_64.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        signatures3 process4 process5 14 bot.x86_64.elf 8->14         started        process6 16 bot.x86_64.elf 14->16         started       

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand
                  SourceDetectionScannerLabelLink
                  bot.x86_64.elf55%VirustotalBrowse
                  bot.x86_64.elf58%ReversingLabsLinux.Backdoor.Mirai
                  bot.x86_64.elf100%AviraEXP/ELF.Mirai.Z.A
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches

                  Download Network PCAP: filteredfull

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  bot.dstats.org
                  103.135.45.110
                  truefalse
                    high
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IPDomainCountryFlagASNASN NameMalicious
                    103.135.45.110
                    bot.dstats.orgPakistan
                    138640IISPL-AS-APIJInternetServicesPVTLimitedPKfalse
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    103.135.45.110bot.x86.elfGet hashmaliciousMirai, OkiruBrowse
                      bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                        bot.m68k.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                          bot.ppc.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                            bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              bot.dstats.orgbot.x86.elfGet hashmaliciousMirai, OkiruBrowse
                              • 103.135.45.110
                              bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              bot.m68k.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              bot.ppc.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              IISPL-AS-APIJInternetServicesPVTLimitedPKbot.x86.elfGet hashmaliciousMirai, OkiruBrowse
                              • 103.135.45.110
                              bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              bot.m68k.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              bot.ppc.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              • 103.135.45.110
                              aKDVvCx8ni.exeGet hashmaliciousFormBookBrowse
                              • 103.135.45.76
                              No context
                              No context
                              No created / dropped files found
                              File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                              Entropy (8bit):5.284769577721924
                              TrID:
                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                              File name:bot.x86_64.elf
                              File size:143'832 bytes
                              MD5:d8980db0043c7d1c698af29a9c999695
                              SHA1:1cb54a3e70e1c9fd5863799e750927a4323891f0
                              SHA256:556cf3c44cf8e435b8f718795f7064779d7a8cdec4d916fdd6021dde343388f5
                              SHA512:5df18b3585bbdbab152f2d08027d6fbf1c1fa62e85b2ba04fe4b43462a33ff87e2ae289c4617c87b966ada20baefa50268e8a09401d7b84582ef8635920ed555
                              SSDEEP:3072:mTUTfCdO6FFto6868wKhc/t/ekNaogMewcgsK027u8Ol/:mTUTfCdO6FFto6zwwQdJ/
                              TLSH:79E34A07B4C184FDC4DAC1B44B9FF53AED32B0AD1238B16B27D4AA222E59E215F1DA54
                              File Content Preview:.ELF..............>.......@.....@.......X/..........@.8...@.......................@.......@...............................................Q.......Q.....p.......................Q.td....................................................H...._....zk..H........

                              ELF header

                              Class:ELF64
                              Data:2's complement, little endian
                              Version:1 (current)
                              Machine:Advanced Micro Devices X86-64
                              Version Number:0x1
                              Type:EXEC (Executable file)
                              OS/ABI:UNIX - System V
                              ABI Version:0
                              Entry Point Address:0x400194
                              Flags:0x0
                              ELF Header Size:64
                              Program Header Offset:64
                              Program Header Size:56
                              Number of Program Headers:3
                              Section Header Offset:143192
                              Section Header Size:64
                              Number of Section Headers:10
                              Header String Table Index:9
                              NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                              NULL0x00x00x00x00x0000
                              .initPROGBITS0x4000e80xe80x130x00x6AX001
                              .textPROGBITS0x4001000x1000x16ba60x00x6AX0016
                              .finiPROGBITS0x416ca60x16ca60xe0x00x6AX001
                              .rodataPROGBITS0x416cc00x16cc00x33e00x00x2A0032
                              .ctorsPROGBITS0x51a0a80x1a0a80x180x00x3WA008
                              .dtorsPROGBITS0x51a0c00x1a0c00x100x00x3WA008
                              .dataPROGBITS0x51a0e00x1a0e00x8e380x00x3WA0032
                              .bssNOBITS0x522f200x22f180x72a00x00x3WA0032
                              .shstrtabSTRTAB0x00x22f180x3e0x00x0001
                              TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                              LOAD0x00x4000000x4000000x1a0a00x1a0a06.41930x5R E0x100000.init .text .fini .rodata
                              LOAD0x1a0a80x51a0a80x51a0a80x8e700x101180.22800x6RW 0x100000.ctors .dtors .data .bss
                              GNU_STACK0x00x00x00x00x00.00000x6RW 0x8

                              Download Network PCAP: filteredfull

                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                              2025-03-24T16:19:39.977108+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540056103.135.45.11047925TCP
                              2025-03-24T16:19:43.545963+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540058103.135.45.11047925TCP
                              2025-03-24T16:19:51.054102+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540060103.135.45.11047925TCP
                              2025-03-24T16:19:54.572071+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540062103.135.45.11047925TCP
                              2025-03-24T16:19:56.132917+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540064103.135.45.11047925TCP
                              2025-03-24T16:20:02.653081+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540066103.135.45.11047925TCP
                              2025-03-24T16:20:08.178681+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540068103.135.45.11047925TCP
                              2025-03-24T16:20:14.679213+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540070103.135.45.11047925TCP
                              2025-03-24T16:20:25.182902+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540072103.135.45.11047925TCP
                              2025-03-24T16:20:34.749144+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540074103.135.45.11047925TCP
                              2025-03-24T16:20:37.280772+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540076103.135.45.11047925TCP
                              2025-03-24T16:20:38.765578+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540078103.135.45.11047925TCP
                              2025-03-24T16:20:49.229818+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540080103.135.45.11047925TCP
                              2025-03-24T16:20:53.674774+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540082103.135.45.11047925TCP
                              2025-03-24T16:20:55.139347+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540084103.135.45.11047925TCP
                              2025-03-24T16:21:04.600294+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540086103.135.45.11047925TCP
                              2025-03-24T16:21:12.068027+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540088103.135.45.11047925TCP
                              2025-03-24T16:21:15.524668+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540090103.135.45.11047925TCP
                              2025-03-24T16:21:23.977412+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540092103.135.45.11047925TCP
                              2025-03-24T16:21:31.437355+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540094103.135.45.11047925TCP
                              2025-03-24T16:21:37.899924+01002030490ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)1192.168.2.1540096103.135.45.11047925TCP
                              • Total Packets: 103
                              • 47925 undefined
                              • 53 (DNS)
                              TimestampSource PortDest PortSource IPDest IP
                              Mar 24, 2025 16:19:39.781559944 CET4005647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:39.975167990 CET4792540056103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:39.975241899 CET4005647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:39.977108002 CET4005647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:40.169327974 CET4792540056103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:40.169454098 CET4005647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:40.170923948 CET4792540056103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:40.361514091 CET4792540056103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:43.321968079 CET4005847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:43.535196066 CET4792540058103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:43.535279036 CET4005847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:43.545963049 CET4005847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:43.742649078 CET4792540058103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:43.742741108 CET4005847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:43.756266117 CET4792540058103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:43.952344894 CET4792540058103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:50.862322092 CET4006047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:51.053271055 CET4792540060103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:51.053402901 CET4006047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:51.054101944 CET4006047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:51.233633041 CET4792540060103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:51.233649969 CET4792540060103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:51.233767986 CET4006047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:51.413912058 CET4792540060103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:54.361557961 CET4006247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:54.571208954 CET4792540062103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:54.571330070 CET4006247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:54.572071075 CET4006247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:54.786315918 CET4792540062103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:54.786412954 CET4792540062103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:54.786433935 CET4006247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:54.990317106 CET4792540062103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:55.927580118 CET4006447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:56.131936073 CET4792540064103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:56.132054090 CET4006447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:56.132916927 CET4006447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:56.342969894 CET4792540064103.135.45.110192.168.2.15
                              Mar 24, 2025 16:19:56.343122959 CET4006447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:19:56.557787895 CET4792540064103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:02.455066919 CET4006647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:02.652129889 CET4792540066103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:02.652265072 CET4006647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:02.653080940 CET4006647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:02.849935055 CET4792540066103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:02.849968910 CET4792540066103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:07.987565041 CET4006847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:08.177886963 CET4792540068103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:08.178008080 CET4006847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:08.178680897 CET4006847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:08.359747887 CET4792540068103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:08.359826088 CET4006847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:08.360357046 CET4792540068103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:08.541862011 CET4792540068103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:14.493021965 CET4007047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:14.678148031 CET4792540070103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:14.678277016 CET4007047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:14.679213047 CET4007047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:14.865509033 CET4792540070103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:14.865643024 CET4007047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:14.865952015 CET4792540070103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:15.041120052 CET4792540070103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:24.981913090 CET4007247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:25.181473017 CET4792540072103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:25.181583881 CET4007247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:25.182902098 CET4007247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:25.374789000 CET4792540072103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:25.375005960 CET4007247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:25.375519991 CET4792540072103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:25.574997902 CET4792540072103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:34.535446882 CET4007447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:34.747749090 CET4792540074103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:34.747888088 CET4007447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:34.749144077 CET4007447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:34.958668947 CET4792540074103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:34.958803892 CET4007447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:34.959929943 CET4792540074103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:37.102256060 CET4007647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:37.279915094 CET4792540076103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:37.280030012 CET4007647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:37.280771971 CET4007647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:37.461369038 CET4792540076103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:37.461477041 CET4007647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:37.463181973 CET4792540076103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:37.634896040 CET4792540076103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:38.588922024 CET4007847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:38.764759064 CET4792540078103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:38.764909029 CET4007847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:38.765578032 CET4007847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:38.937980890 CET4792540078103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:38.938040018 CET4792540078103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:38.938111067 CET4007847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:39.114411116 CET4792540078103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:49.055640936 CET4008047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:49.228847980 CET4792540080103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:49.229022026 CET4008047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:49.229818106 CET4008047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:49.400834084 CET4792540080103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:49.400959969 CET4008047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:49.401602030 CET4792540080103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:49.574332952 CET4792540080103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:53.506170988 CET4008247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:53.673863888 CET4792540082103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:53.674012899 CET4008247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:53.674773932 CET4008247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:53.847533941 CET4792540082103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:53.847702026 CET4008247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:53.847989082 CET4792540082103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:54.024941921 CET4792540082103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:54.960855961 CET4008447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:55.138386011 CET4792540084103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:55.138534069 CET4008447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:55.139347076 CET4008447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:20:55.315782070 CET4792540084103.135.45.110192.168.2.15
                              Mar 24, 2025 16:20:55.315814018 CET4792540084103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:04.426357031 CET4008647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:04.599340916 CET4792540086103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:04.599473000 CET4008647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:04.600294113 CET4008647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:04.775460958 CET4792540086103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:04.775578976 CET4008647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:04.775985956 CET4792540086103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:04.949594021 CET4792540086103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:11.892496109 CET4008847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:12.067071915 CET4792540088103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:12.067250013 CET4008847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:12.068027020 CET4008847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:12.241312027 CET4792540088103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:12.241441011 CET4008847925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:12.241599083 CET4792540088103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:12.413139105 CET4792540088103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:15.350755930 CET4009047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:15.523798943 CET4792540090103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:15.523983955 CET4009047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:15.524667978 CET4009047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:15.692354918 CET4792540090103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:15.692471981 CET4009047925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:15.692890882 CET4792540090103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:15.859899998 CET4792540090103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:23.802906036 CET4009247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:23.976494074 CET4792540092103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:23.976620913 CET4009247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:23.977411985 CET4009247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:24.150206089 CET4792540092103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:24.150343895 CET4009247925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:24.150420904 CET4792540092103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:24.324454069 CET4792540092103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:31.261240005 CET4009447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:31.436482906 CET4792540094103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:31.436613083 CET4009447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:31.437355042 CET4009447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:31.610486031 CET4792540094103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:31.610626936 CET4009447925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:31.611574888 CET4792540094103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:31.789699078 CET4792540094103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:37.724154949 CET4009647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:37.899143934 CET4792540096103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:37.899271011 CET4009647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:37.899924040 CET4009647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:38.078207016 CET4792540096103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:38.078340054 CET4009647925192.168.2.15103.135.45.110
                              Mar 24, 2025 16:21:38.078876019 CET4792540096103.135.45.110192.168.2.15
                              Mar 24, 2025 16:21:38.258680105 CET4792540096103.135.45.110192.168.2.15
                              TimestampSource PortDest PortSource IPDest IP
                              Mar 24, 2025 16:19:39.669708967 CET3408553192.168.2.158.8.8.8
                              Mar 24, 2025 16:19:39.780534029 CET53340858.8.8.8192.168.2.15
                              Mar 24, 2025 16:19:43.176593065 CET4602153192.168.2.158.8.8.8
                              Mar 24, 2025 16:19:43.320805073 CET53460218.8.8.8192.168.2.15
                              Mar 24, 2025 16:19:50.749495983 CET5038153192.168.2.158.8.8.8
                              Mar 24, 2025 16:19:50.861747026 CET53503818.8.8.8192.168.2.15
                              Mar 24, 2025 16:19:54.236905098 CET5646653192.168.2.158.8.8.8
                              Mar 24, 2025 16:19:54.361022949 CET53564668.8.8.8192.168.2.15
                              Mar 24, 2025 16:19:55.788511038 CET3731753192.168.2.158.8.8.8
                              Mar 24, 2025 16:19:55.927081108 CET53373178.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:02.347789049 CET3731953192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:02.454437971 CET53373198.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:07.854805946 CET6053953192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:07.987075090 CET53605398.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:14.364865065 CET5385453192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:14.492445946 CET53538548.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:24.872587919 CET4855453192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:24.981167078 CET53485548.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:34.381973982 CET5883153192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:34.534601927 CET53588318.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:36.961824894 CET4967653192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:37.101742029 CET53496768.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:38.463602066 CET4403653192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:38.588407040 CET53440368.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:48.944772005 CET5794753192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:49.055104971 CET53579478.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:53.404654980 CET4521853192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:53.505426884 CET53452188.8.8.8192.168.2.15
                              Mar 24, 2025 16:20:54.850656986 CET4210953192.168.2.158.8.8.8
                              Mar 24, 2025 16:20:54.960227013 CET53421098.8.8.8192.168.2.15
                              Mar 24, 2025 16:21:04.322208881 CET4457753192.168.2.158.8.8.8
                              Mar 24, 2025 16:21:04.425736904 CET53445778.8.8.8192.168.2.15
                              Mar 24, 2025 16:21:11.780859947 CET3944253192.168.2.158.8.8.8
                              Mar 24, 2025 16:21:11.891819000 CET53394428.8.8.8192.168.2.15
                              Mar 24, 2025 16:21:15.244710922 CET4967053192.168.2.158.8.8.8
                              Mar 24, 2025 16:21:15.350158930 CET53496708.8.8.8192.168.2.15
                              Mar 24, 2025 16:21:23.698285103 CET3926253192.168.2.158.8.8.8
                              Mar 24, 2025 16:21:23.802323103 CET53392628.8.8.8192.168.2.15
                              Mar 24, 2025 16:21:31.155848026 CET4727853192.168.2.158.8.8.8
                              Mar 24, 2025 16:21:31.260615110 CET53472788.8.8.8192.168.2.15
                              Mar 24, 2025 16:21:37.615185976 CET3972553192.168.2.158.8.8.8
                              Mar 24, 2025 16:21:37.723642111 CET53397258.8.8.8192.168.2.15
                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              Mar 24, 2025 16:19:39.669708967 CET192.168.2.158.8.8.80x3e93Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:43.176593065 CET192.168.2.158.8.8.80xac97Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:50.749495983 CET192.168.2.158.8.8.80x7ee2Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:54.236905098 CET192.168.2.158.8.8.80x29d4Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:55.788511038 CET192.168.2.158.8.8.80xc0dfStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:02.347789049 CET192.168.2.158.8.8.80xd7e0Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:07.854805946 CET192.168.2.158.8.8.80xad16Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:14.364865065 CET192.168.2.158.8.8.80xcafcStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:24.872587919 CET192.168.2.158.8.8.80xbe92Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:34.381973982 CET192.168.2.158.8.8.80x4f46Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:36.961824894 CET192.168.2.158.8.8.80xa63eStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:38.463602066 CET192.168.2.158.8.8.80xbfd0Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:48.944772005 CET192.168.2.158.8.8.80x609aStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:53.404654980 CET192.168.2.158.8.8.80xc2ecStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:54.850656986 CET192.168.2.158.8.8.80xab3cStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:04.322208881 CET192.168.2.158.8.8.80x26f2Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:11.780859947 CET192.168.2.158.8.8.80x40c1Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:15.244710922 CET192.168.2.158.8.8.80xbd0Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:23.698285103 CET192.168.2.158.8.8.80xd6e2Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:31.155848026 CET192.168.2.158.8.8.80xddc0Standard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:37.615185976 CET192.168.2.158.8.8.80x76bfStandard query (0)bot.dstats.orgA (IP address)IN (0x0001)false
                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              Mar 24, 2025 16:19:39.780534029 CET8.8.8.8192.168.2.150x3e93No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:43.320805073 CET8.8.8.8192.168.2.150xac97No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:50.861747026 CET8.8.8.8192.168.2.150x7ee2No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:54.361022949 CET8.8.8.8192.168.2.150x29d4No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:19:55.927081108 CET8.8.8.8192.168.2.150xc0dfNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:02.454437971 CET8.8.8.8192.168.2.150xd7e0No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:07.987075090 CET8.8.8.8192.168.2.150xad16No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:14.492445946 CET8.8.8.8192.168.2.150xcafcNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:24.981167078 CET8.8.8.8192.168.2.150xbe92No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:34.534601927 CET8.8.8.8192.168.2.150x4f46No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:37.101742029 CET8.8.8.8192.168.2.150xa63eNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:38.588407040 CET8.8.8.8192.168.2.150xbfd0No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:49.055104971 CET8.8.8.8192.168.2.150x609aNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:53.505426884 CET8.8.8.8192.168.2.150xc2ecNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:20:54.960227013 CET8.8.8.8192.168.2.150xab3cNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:04.425736904 CET8.8.8.8192.168.2.150x26f2No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:11.891819000 CET8.8.8.8192.168.2.150x40c1No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:15.350158930 CET8.8.8.8192.168.2.150xbd0No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:23.802323103 CET8.8.8.8192.168.2.150xd6e2No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:31.260615110 CET8.8.8.8192.168.2.150xddc0No error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false
                              Mar 24, 2025 16:21:37.723642111 CET8.8.8.8192.168.2.150x76bfNo error (0)bot.dstats.org103.135.45.110A (IP address)IN (0x0001)false

                              System Behavior

                              Start time (UTC):15:19:39
                              Start date (UTC):24/03/2025
                              Path:/tmp/bot.x86_64.elf
                              Arguments:/tmp/bot.x86_64.elf
                              File size:143832 bytes
                              MD5 hash:d8980db0043c7d1c698af29a9c999695

                              Start time (UTC):15:19:39
                              Start date (UTC):24/03/2025
                              Path:/tmp/bot.x86_64.elf
                              Arguments:-
                              File size:143832 bytes
                              MD5 hash:d8980db0043c7d1c698af29a9c999695

                              Start time (UTC):15:19:39
                              Start date (UTC):24/03/2025
                              Path:/tmp/bot.x86_64.elf
                              Arguments:-
                              File size:143832 bytes
                              MD5 hash:d8980db0043c7d1c698af29a9c999695

                              Start time (UTC):15:19:39
                              Start date (UTC):24/03/2025
                              Path:/usr/bin/dash
                              Arguments:-
                              File size:129816 bytes
                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                              Start time (UTC):15:19:39
                              Start date (UTC):24/03/2025
                              Path:/usr/bin/rm
                              Arguments:rm -f /tmp/tmp.SsxKKzZGv8 /tmp/tmp.r5rynL22i1 /tmp/tmp.ABcUrusLk3
                              File size:72056 bytes
                              MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                              Start time (UTC):15:19:40
                              Start date (UTC):24/03/2025
                              Path:/usr/bin/dash
                              Arguments:-
                              File size:129816 bytes
                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                              Start time (UTC):15:19:40
                              Start date (UTC):24/03/2025
                              Path:/usr/bin/rm
                              Arguments:rm -f /tmp/tmp.SsxKKzZGv8 /tmp/tmp.r5rynL22i1 /tmp/tmp.ABcUrusLk3
                              File size:72056 bytes
                              MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b