Edit tour

Linux Analysis Report
kmips.elf

Overview

General Information

Sample name:	kmips.elf
Analysis ID:	1647996
MD5:	e0ee1e0bf964ac7510a3344879e14f63
SHA1:	658551a36a21c375e77f907152ca2d26fe17ae86
SHA256:	16e2a3121bebded41767de961a17d4833bd70f5e31ca7e3cb1f92cb9ce40477a
Tags:	elfuser-abuse_ch
Infos:

Errors No or unstable Internet during analysis

Detection

Score:	60
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1647996
Start date and time:	2025-03-25 13:28:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	kmips.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/2@0/0

Errors

No or unstable Internet during analysis

Warnings

Excluded IPs from analysis (whitelisted): 8.8.8.8

Runtime Messages

Command:	/tmp/kmips.elf
PID:	5562
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	For God so loved the world
Standard Error:

Process Tree

system is lnxubuntu20

kmips.elf (PID: 5562, Parent: 5474, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/kmips.elf

kmips.elf New Fork (PID: 5566, Parent: 5562)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kmips.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: kmips.elf

ReversingLabs: Detection: 13%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 156.244.45.113 ports 50749,45229,2,4,5,9
Source: global traffic	TCP traffic: 216.73.156.19 ports 45229,2,5,6,9,52962
Source: global traffic	TCP traffic: 216.146.26.30 ports 3,4,5,6,7,47563
Source: global traffic	TCP traffic: 104.245.241.61 ports 40237,40217,0,29486,1,2,4,7
Source: global traffic	TCP traffic: 154.205.155.97 ports 44859,29486,4,5,8,9

Source: global traffic	TCP traffic: 192.168.2.14:35994 -> 156.244.44.239:50464
Source: global traffic	TCP traffic: 192.168.2.14:46850 -> 216.73.156.19:52962
Source: global traffic	TCP traffic: 192.168.2.14:50852 -> 156.244.14.93:45229
Source: global traffic	TCP traffic: 192.168.2.14:48142 -> 216.146.26.30:47563
Source: global traffic	TCP traffic: 192.168.2.14:43058 -> 156.244.45.113:45229
Source: global traffic	TCP traffic: 192.168.2.14:39270 -> 154.205.155.97:44859
Source: global traffic	TCP traffic: 192.168.2.14:38282 -> 104.245.241.61:40217

Source: /tmp/kmips.elf (PID: 5566)

Socket: 127.0.0.1:22448

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61

Source: kmips.elf, 5562.1.00007f5240456000.00007f5240460000.rw-.sdmp

String found in binary or memory: http://0/t/wget.sh

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.troj.linELF@0/2@0/0

Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3760/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3759/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3757/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3758/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/5393/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1593/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3094/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3406/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1589/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3402/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/806/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/807/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/928/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/135/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/3412/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/1371/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/kmips.elf (PID: 5562)	File opened: /proc/261/cmdline	Jump to behavior

Source: /tmp/kmips.elf (PID: 5562)

Queries kernel information via 'uname':

Jump to behavior

Source: kmips.elf, 5562.1.00007fffdbf26000.00007fffdbf47000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.VNSRfK
Source: kmips.elf, 5562.1.00007f5240456000.00007f5240460000.rw-.sdmp	Binary or memory string: vmwarem
Source: kmips.elf, 5562.1.00007fffdbf26000.00007fffdbf47000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.VNSRfK\
Source: kmips.elf, 5562.1.00007f5240456000.00007f5240460000.rw-.sdmp	Binary or memory string: vmware
Source: kmips.elf, 5562.1.00007f5240456000.00007f5240460000.rw-.sdmp	Binary or memory string: qemu-arm2QB
Source: kmips.elf, 5562.1.00007f5240456000.00007f5240460000.rw-.sdmp	Binary or memory string: qemu-arm
Source: kmips.elf, 5562.1.000055fb06e3c000.000055fb06ee3000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: kmips.elf, 5562.1.000055fb06e3c000.000055fb06ee3000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: kmips.elf, 5562.1.00007fffdbf26000.00007fffdbf47000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/kmips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kmips.elf
Source: kmips.elf, 5562.1.00007fffdbf26000.00007fffdbf47000.rw-.sdmp	Binary or memory string: %s/qemu-op
Source: kmips.elf, 5562.1.00007fffdbf26000.00007fffdbf47000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: kmips.elf, 5562.1.00007fffdbf26000.00007fffdbf47000.rw-.sdmp	Binary or memory string: MPDIR%s/qemu-op

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kmips.elf	14%	ReversingLabs	Linux.Trojan.Mirai
kmips.elf	100%	Avira	EXP/ELF.Agent.J.8

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://0/t/wget.sh	kmips.elf, 5562.1.00007f5240456000.00007f5240460000.rw-.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.146.26.30	unknown	Reserved	11915	US-TELEPACIFICUS	true
156.244.45.113	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
216.73.156.19	unknown	United States	7029	WINDSTREAMUS	true
156.244.14.93	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
104.245.241.61	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
154.205.155.97	unknown	Seychelles	26484	IKGUL-26484US	true
156.244.44.239	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
216.146.26.30	mips.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CXE.14004.27270.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
156.244.45.113	mips.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
216.73.156.19	mips.elf	Get hash	malicious	Unknown	Browse
156.244.14.93	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
104.245.241.61	arm7.elf	Get hash	malicious	Unknown	Browse
104.245.241.61	mips.elf	Get hash	malicious	Unknown	Browse
154.205.155.97	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
156.244.44.239	mips.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	mpsl.elf	Get hash	malicious	Unknown	Browse	156.244.14.93
	payment slip$34566.exe	Get hash	malicious	FormBook	Browse	202.165.121.125
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	45.202.215.236
	mips.elf	Get hash	malicious	Unknown	Browse	156.244.44.239
	mips.elf	Get hash	malicious	Mirai	Browse	156.251.7.171
	dlr.x86.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	dlr.mpsl.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	dlr.mips.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	hoho.sparc.elf	Get hash	malicious	Unknown	Browse	45.202.220.126
POWERLINE-AS-APPOWERLINEDATACENTERHK	mpsl.elf	Get hash	malicious	Unknown	Browse	156.244.14.93
	payment slip$34566.exe	Get hash	malicious	FormBook	Browse	202.165.121.125
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	45.202.215.236
	mips.elf	Get hash	malicious	Unknown	Browse	156.244.44.239
	mips.elf	Get hash	malicious	Mirai	Browse	156.251.7.171
	dlr.x86.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	dlr.mpsl.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	dlr.arm6.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	dlr.mips.elf	Get hash	malicious	Unknown	Browse	156.253.227.12
	hoho.sparc.elf	Get hash	malicious	Unknown	Browse	45.202.220.126
WINDSTREAMUS	g4za.mips.elf	Get hash	malicious	Mirai	Browse	66.19.208.111
	g4za.arm.elf	Get hash	malicious	Mirai	Browse	207.94.133.229
	g4za.spc.elf	Get hash	malicious	Mirai	Browse	206.252.166.188
	g4za.x86.elf	Get hash	malicious	Unknown	Browse	68.143.234.232
	g4za.ppc.elf	Get hash	malicious	Mirai	Browse	66.217.147.19
	arm.fkunigr.elf	Get hash	malicious	Mirai	Browse	209.231.102.19
	mips.elf	Get hash	malicious	Unknown	Browse	216.73.156.19
	owari.spc.elf	Get hash	malicious	Unknown	Browse	66.147.120.234
	owari.arm5.elf	Get hash	malicious	Unknown	Browse	66.217.112.244
	owari.i486.elf	Get hash	malicious	Unknown	Browse	70.46.105.191
US-TELEPACIFICUS	mips.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	byte.mips.elf	Get hash	malicious	Okiru	Browse	64.140.24.148
	ppc.elf	Get hash	malicious	Unknown	Browse	69.178.148.199
	SecuriteInfo.com.ELF.Mirai-CXE.14004.27270.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	arm5.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	65.60.78.35
	jklmips.elf	Get hash	malicious	Unknown	Browse	66.81.80.166
	nklmips.elf	Get hash	malicious	Unknown	Browse	64.60.67.186
	jklm68k.elf	Get hash	malicious	Unknown	Browse	216.146.25.253
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	208.57.85.236

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.VNSRfK (deleted)

Download File

Process:	/tmp/kmips.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.5068905956085192
Encrypted:	false
SSDEEP:	3:TgnPCn:TgPC
MD5:	6FB1605EBC2A92CEDFE73B9B290AFE9C
SHA1:	BFD35FBD4EA921668F0FEA9EF6FF3DD7C022C42D
SHA-256:	DBF56F8F11BC960F054D68E3ACD7DF83A76BA74A6A30FE8EAAB453DC72D63809
SHA-512:	33A5778A558988E98FC92703D836D1BE02B8BBBACCD25E4E6F2451561BC1A6380EBCF63551B5EE7D2E336D81D16541A5EE874C57059E9BC679E946C8F1407E5F
Malicious:	false
Reputation:	low
Preview:	/tmp/kmips.elf.

/tmp/qemu-open.jidVcM (deleted)

Download File

Process:	/tmp/kmips.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.5068905956085192
Encrypted:	false
SSDEEP:	3:TgnPCn:TgPC
MD5:	6FB1605EBC2A92CEDFE73B9B290AFE9C
SHA1:	BFD35FBD4EA921668F0FEA9EF6FF3DD7C022C42D
SHA-256:	DBF56F8F11BC960F054D68E3ACD7DF83A76BA74A6A30FE8EAAB453DC72D63809
SHA-512:	33A5778A558988E98FC92703D836D1BE02B8BBBACCD25E4E6F2451561BC1A6380EBCF63551B5EE7D2E336D81D16541A5EE874C57059E9BC679E946C8F1407E5F
Malicious:	false
Reputation:	low
Preview:	/tmp/kmips.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.506623369613711
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	kmips.elf
File size:	89'244 bytes
MD5:	e0ee1e0bf964ac7510a3344879e14f63
SHA1:	658551a36a21c375e77f907152ca2d26fe17ae86
SHA256:	16e2a3121bebded41767de961a17d4833bd70f5e31ca7e3cb1f92cb9ce40477a
SHA512:	dd21d2e988542c24beab9ea9976b8b0ab49260957607f6452a24b20bf7bffb4512b4c07009fcad9b63043b13329e41adf06a9ced47d9fc28a666d60ab3f196d5
SSDEEP:	1536:CSpVLUdBwb8qcaSKY8vhQ0K1XCfdbVkD3oICUJCxIbKytQa177XhDwSsPZ8C/y6g:CSpVLUdBwb8qcAYMhJfdbVkD3oICUJCi
TLSH:	C393D94F2E35CFADF26DC33447B74A31A7A923C622E1C685D26CD1151F6024EA45FBA8
File Content Preview:	.ELF.....................@.`...4..Z......4. ...(.............@...@....N ..N ..............P..EP..EP....p..lT........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'..h...!........'94

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	88764
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x133a0	0x0	0x6	AX	16
.fini	PROGBITS	0x4134c0	0x134c0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x413520	0x13520	0x1900	0x0	0x2	A	16
.ctors	PROGBITS	0x455000	0x15000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x455008	0x15008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x455020	0x15020	0x440	0x0	0x3	WA	16
.got	PROGBITS	0x455460	0x15460	0x610	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x455a70	0x15a70	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x455a90	0x15a70	0x61c4	0x0	0x3	WA	16
.shstrtab	STRTAB	0x0	0x15a70	0x49	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x14e20	0x14e20	5.5645	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x15000	0x455000	0x455000	0xa70	0x6c54	3.6048	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2025 13:29:46.844547987 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:47.003969908 CET	50464	35994	156.244.44.239	192.168.2.14
Mar 25, 2025 13:29:47.004039049 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:47.160908937 CET	50464	35994	156.244.44.239	192.168.2.14
Mar 25, 2025 13:29:47.160995960 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:47.317661047 CET	50464	35994	156.244.44.239	192.168.2.14
Mar 25, 2025 13:29:47.317859888 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:54.016697884 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:54.180527925 CET	50464	35994	156.244.44.239	192.168.2.14
Mar 25, 2025 13:29:54.181097031 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:54.183283091 CET	50464	35994	156.244.44.239	192.168.2.14
Mar 25, 2025 13:29:54.183340073 CET	35994	50464	192.168.2.14	156.244.44.239
Mar 25, 2025 13:29:54.337487936 CET	50464	35994	156.244.44.239	192.168.2.14
Mar 25, 2025 13:29:55.182876110 CET	46850	52962	192.168.2.14	216.73.156.19
Mar 25, 2025 13:29:55.344408035 CET	52962	46850	216.73.156.19	192.168.2.14
Mar 25, 2025 13:29:55.344789028 CET	46850	52962	192.168.2.14	216.73.156.19
Mar 25, 2025 13:29:55.505234957 CET	52962	46850	216.73.156.19	192.168.2.14
Mar 25, 2025 13:29:55.505381107 CET	46850	52962	192.168.2.14	216.73.156.19
Mar 25, 2025 13:29:55.664376974 CET	52962	46850	216.73.156.19	192.168.2.14
Mar 25, 2025 13:29:55.664480925 CET	46850	52962	192.168.2.14	216.73.156.19
Mar 25, 2025 13:30:02.352634907 CET	46850	52962	192.168.2.14	216.73.156.19
Mar 25, 2025 13:30:02.511259079 CET	52962	46850	216.73.156.19	192.168.2.14
Mar 25, 2025 13:30:02.511286020 CET	52962	46850	216.73.156.19	192.168.2.14
Mar 25, 2025 13:30:02.511466980 CET	46850	52962	192.168.2.14	216.73.156.19
Mar 25, 2025 13:30:02.670414925 CET	52962	46850	216.73.156.19	192.168.2.14
Mar 25, 2025 13:30:03.513744116 CET	50852	45229	192.168.2.14	156.244.14.93
Mar 25, 2025 13:30:03.670211077 CET	45229	50852	156.244.14.93	192.168.2.14
Mar 25, 2025 13:30:03.670541048 CET	50852	45229	192.168.2.14	156.244.14.93
Mar 25, 2025 13:30:03.826860905 CET	45229	50852	156.244.14.93	192.168.2.14
Mar 25, 2025 13:30:03.827069998 CET	50852	45229	192.168.2.14	156.244.14.93
Mar 25, 2025 13:30:03.986196041 CET	45229	50852	156.244.14.93	192.168.2.14
Mar 25, 2025 13:30:03.986485004 CET	50852	45229	192.168.2.14	156.244.14.93
Mar 25, 2025 13:30:10.677314043 CET	50852	45229	192.168.2.14	156.244.14.93
Mar 25, 2025 13:30:10.832622051 CET	45229	50852	156.244.14.93	192.168.2.14
Mar 25, 2025 13:30:10.832644939 CET	45229	50852	156.244.14.93	192.168.2.14
Mar 25, 2025 13:30:10.832818031 CET	50852	45229	192.168.2.14	156.244.14.93
Mar 25, 2025 13:30:10.988051891 CET	45229	50852	156.244.14.93	192.168.2.14
Mar 25, 2025 13:30:11.836193085 CET	48142	47563	192.168.2.14	216.146.26.30
Mar 25, 2025 13:30:12.333035946 CET	47563	48142	216.146.26.30	192.168.2.14
Mar 25, 2025 13:30:12.333142042 CET	48142	47563	192.168.2.14	216.146.26.30
Mar 25, 2025 13:30:12.828381062 CET	47563	48142	216.146.26.30	192.168.2.14
Mar 25, 2025 13:30:12.828475952 CET	48142	47563	192.168.2.14	216.146.26.30
Mar 25, 2025 13:30:13.324837923 CET	47563	48142	216.146.26.30	192.168.2.14
Mar 25, 2025 13:30:13.324963093 CET	48142	47563	192.168.2.14	216.146.26.30
Mar 25, 2025 13:30:19.341007948 CET	48142	47563	192.168.2.14	216.146.26.30
Mar 25, 2025 13:30:19.838654041 CET	47563	48142	216.146.26.30	192.168.2.14
Mar 25, 2025 13:30:19.838712931 CET	47563	48142	216.146.26.30	192.168.2.14
Mar 25, 2025 13:30:19.838898897 CET	48142	47563	192.168.2.14	216.146.26.30
Mar 25, 2025 13:30:20.335700035 CET	47563	48142	216.146.26.30	192.168.2.14
Mar 25, 2025 13:30:20.841777086 CET	43058	45229	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:21.000432014 CET	45229	43058	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:21.000662088 CET	43058	45229	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:21.163260937 CET	45229	43058	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:21.163511038 CET	43058	45229	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:21.324502945 CET	45229	43058	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:21.324765921 CET	43058	45229	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:28.009025097 CET	43058	45229	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:28.168040037 CET	45229	43058	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:28.168086052 CET	45229	43058	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:28.168302059 CET	43058	45229	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:28.325037956 CET	45229	43058	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:29.170443058 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:29.327714920 CET	44859	39270	154.205.155.97	192.168.2.14
Mar 25, 2025 13:30:29.327864885 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:29.486331940 CET	44859	39270	154.205.155.97	192.168.2.14
Mar 25, 2025 13:30:29.486475945 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:29.643809080 CET	44859	39270	154.205.155.97	192.168.2.14
Mar 25, 2025 13:30:29.643968105 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:36.334784985 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:36.490688086 CET	44859	39270	154.205.155.97	192.168.2.14
Mar 25, 2025 13:30:36.490750074 CET	44859	39270	154.205.155.97	192.168.2.14
Mar 25, 2025 13:30:36.490852118 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:36.984251022 CET	39270	44859	192.168.2.14	154.205.155.97
Mar 25, 2025 13:30:37.143106937 CET	44859	39270	154.205.155.97	192.168.2.14
Mar 25, 2025 13:30:37.494067907 CET	38282	40217	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:37.892537117 CET	40217	38282	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:37.892888069 CET	38282	40217	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:38.290021896 CET	40217	38282	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:38.290344000 CET	38282	40217	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:38.689172983 CET	40217	38282	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:38.689498901 CET	38282	40217	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:44.900450945 CET	38282	40217	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:45.325298071 CET	40217	38282	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:45.325330973 CET	40217	38282	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:45.325522900 CET	38282	40217	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:45.728895903 CET	40217	38282	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:46.327260971 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:46.729414940 CET	40237	35464	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:46.729561090 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:47.137428999 CET	40237	35464	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:47.137641907 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:47.535381079 CET	40237	35464	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:47.536278009 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:53.736737967 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:54.775644064 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:55.992289066 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:58.423377991 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:58.821639061 CET	40237	35464	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:58.821669102 CET	40237	35464	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:58.822035074 CET	35464	40237	192.168.2.14	104.245.241.61
Mar 25, 2025 13:30:59.221270084 CET	40237	35464	104.245.241.61	192.168.2.14
Mar 25, 2025 13:30:59.824505091 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:30:59.980393887 CET	50749	49236	156.244.45.113	192.168.2.14
Mar 25, 2025 13:30:59.980621099 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:00.136583090 CET	50749	49236	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:00.136743069 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:00.291878939 CET	50749	49236	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:00.292354107 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:06.989685059 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:07.199640036 CET	50749	49236	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:07.199671984 CET	50749	49236	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:07.200047970 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:07.703053951 CET	49236	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:07.883933067 CET	50749	49236	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:08.202327967 CET	55892	29486	192.168.2.14	154.205.155.97
Mar 25, 2025 13:31:08.358733892 CET	29486	55892	154.205.155.97	192.168.2.14
Mar 25, 2025 13:31:08.358900070 CET	55892	29486	192.168.2.14	154.205.155.97
Mar 25, 2025 13:31:08.516326904 CET	29486	55892	154.205.155.97	192.168.2.14
Mar 25, 2025 13:31:08.516521931 CET	55892	29486	192.168.2.14	154.205.155.97
Mar 25, 2025 13:31:08.672934055 CET	29486	55892	154.205.155.97	192.168.2.14
Mar 25, 2025 13:31:08.673105001 CET	55892	29486	192.168.2.14	154.205.155.97
Mar 25, 2025 13:31:15.367538929 CET	55892	29486	192.168.2.14	154.205.155.97
Mar 25, 2025 13:31:15.523921967 CET	29486	55892	154.205.155.97	192.168.2.14
Mar 25, 2025 13:31:15.523951054 CET	29486	55892	154.205.155.97	192.168.2.14
Mar 25, 2025 13:31:15.524139881 CET	55892	29486	192.168.2.14	154.205.155.97
Mar 25, 2025 13:31:15.681482077 CET	29486	55892	154.205.155.97	192.168.2.14
Mar 25, 2025 13:31:16.526462078 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:16.926640034 CET	29486	43976	104.245.241.61	192.168.2.14
Mar 25, 2025 13:31:16.926848888 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:17.328069925 CET	29486	43976	104.245.241.61	192.168.2.14
Mar 25, 2025 13:31:17.328280926 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:17.728961945 CET	29486	43976	104.245.241.61	192.168.2.14
Mar 25, 2025 13:31:17.729178905 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:23.443677902 CET	29486	43976	104.245.241.61	192.168.2.14
Mar 25, 2025 13:31:23.443797112 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:23.934956074 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:24.344326973 CET	29486	43976	104.245.241.61	192.168.2.14
Mar 25, 2025 13:31:24.344436884 CET	43976	29486	192.168.2.14	104.245.241.61
Mar 25, 2025 13:31:38.950761080 CET	49242	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:39.106345892 CET	50749	49242	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:39.106667995 CET	49242	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:39.263746977 CET	50749	49242	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:39.263906002 CET	49242	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:39.420466900 CET	50749	49242	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:39.420762062 CET	49242	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:46.111885071 CET	49242	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:46.271254063 CET	50749	49242	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:46.271281958 CET	50749	49242	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:46.271467924 CET	49242	50749	192.168.2.14	156.244.45.113
Mar 25, 2025 13:31:46.428200960 CET	50749	49242	156.244.45.113	192.168.2.14
Mar 25, 2025 13:31:47.273885965 CET	55860	45229	192.168.2.14	216.73.156.19
Mar 25, 2025 13:31:47.448424101 CET	45229	55860	216.73.156.19	192.168.2.14
Mar 25, 2025 13:31:47.448846102 CET	55860	45229	192.168.2.14	216.73.156.19
Mar 25, 2025 13:31:47.611140966 CET	45229	55860	216.73.156.19	192.168.2.14
Mar 25, 2025 13:31:47.611562014 CET	55860	45229	192.168.2.14	216.73.156.19
Mar 25, 2025 13:31:47.782105923 CET	45229	55860	216.73.156.19	192.168.2.14
Mar 25, 2025 13:31:47.782263041 CET	55860	45229	192.168.2.14	216.73.156.19

System Behavior

Analysis Process: kmips.elf PID: 5562, Parent PID: 5474

General

Start time (UTC):	12:29:43
Start date (UTC):	25/03/2025
Path:	/tmp/kmips.elf
Arguments:	/tmp/kmips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: kmips.elf PID: 5566, Parent PID: 5562

General

Start time (UTC):	12:29:45
Start date (UTC):	25/03/2025
Path:	/tmp/kmips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report kmips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Errors

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.VNSRfK (deleted)

/tmp/qemu-open.jidVcM (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: kmips.elf PID: 5562, Parent PID: 5474

General

File Activities

File Opened

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: kmips.elf PID: 5566, Parent PID: 5562

General

Linux Analysis Report
kmips.elf