Edit tour

Linux Analysis Report
mips.elf

Overview

General Information

Sample name:	mips.elf
Analysis ID:	1649607
MD5:	6e7311ae5648ac9c161f204032258d35
SHA1:	74dd4f2d73a98cd34355f93f8949f7bbf181c868
SHA256:	fba7bebf259ea5904705b2ce98b73a7ef017b7cf64565779a1afdfc437a46ef0
Tags:	elfuser-abuse_ch
Infos:
Errors No or unstable Internet during analysis

Detection

Score:	60
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1649607
Start date and time:	2025-03-26 23:41:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mips.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/2@0/0

Errors

No or unstable Internet during analysis

Warnings

Excluded IPs from analysis (whitelisted): 8.8.8.8

Runtime Messages

Command:	/tmp/mips.elf
PID:	5833
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	For God so loved the world
Standard Error:

Process Tree

system is lnxubuntu20

mips.elf (PID: 5833, Parent: 5759, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.elf

mips.elf New Fork (PID: 5836, Parent: 5833)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mips.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: mips.elf

ReversingLabs: Detection: 19%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 156.244.44.239 ports 44859,35086,40217,0,1,2,26141,4,7
Source: global traffic	TCP traffic: 216.146.26.30 ports 50749,0,4,5,7,9,12016
Source: global traffic	TCP traffic: 154.205.155.243 ports 29486,2,4,6,8,9
Source: global traffic	TCP traffic: 156.244.14.93 ports 50749,56190,0,4,5,7,9
Source: global traffic	TCP traffic: 104.245.241.61 ports 41763,1,3,4,6,7,52962

Source: global traffic	TCP traffic: 192.168.2.15:55948 -> 156.244.45.113:7679
Source: global traffic	TCP traffic: 192.168.2.15:42664 -> 156.244.14.93:50749
Source: global traffic	TCP traffic: 192.168.2.15:33364 -> 216.146.26.30:50749
Source: global traffic	TCP traffic: 192.168.2.15:38426 -> 154.205.155.243:29486
Source: global traffic	TCP traffic: 192.168.2.15:39584 -> 156.244.44.239:40217
Source: global traffic	TCP traffic: 192.168.2.15:36398 -> 104.245.241.61:41763

Source: /tmp/mips.elf (PID: 5836)

Socket: 127.0.0.1:22448

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.45.113
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30
Source: unknown	TCP traffic detected without corresponding DNS query: 216.146.26.30

Source: mips.elf, 5833.1.00007fb488456000.00007fb488460000.rw-.sdmp

String found in binary or memory: http://0/t/wget.sh

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.troj.linELF@0/2@0/0

Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/5818/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/3753/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1/maps	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/5820/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/133/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/264/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/265/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/145/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/266/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/267/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/268/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/269/cmdline	Jump to behavior
Source: /tmp/mips.elf (PID: 5833)	File opened: /proc/1486/cmdline	Jump to behavior

Source: /tmp/mips.elf (PID: 5833)

Queries kernel information via 'uname':

Jump to behavior

Source: mips.elf, 5833.1.00007fb488456000.00007fb488460000.rw-.sdmp	Binary or memory string: vmwarem
Source: mips.elf, 5833.1.000056544f33b000.000056544f3e2000.rw-.sdmp	Binary or memory string: 5OTV 5OTV!/etc/qemu-binfmt/mips
Source: mips.elf, 5833.1.00007fb488456000.00007fb488460000.rw-.sdmp	Binary or memory string: vmware
Source: mips.elf, 5833.1.00007fb488456000.00007fb488460000.rw-.sdmp	Binary or memory string: qemu-arm2QB
Source: mips.elf, 5833.1.00007fb488456000.00007fb488460000.rw-.sdmp	Binary or memory string: qemu-arm
Source: mips.elf, 5833.1.000056544f33b000.000056544f3e2000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 5833.1.00007fff806e2000.00007fff80703000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 5833.1.00007fff806e2000.00007fff80703000.rw-.sdmp	Binary or memory string: %s/qemu-op
Source: mips.elf, 5833.1.00007fff806e2000.00007fff80703000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: mips.elf, 5833.1.00007fff806e2000.00007fff80703000.rw-.sdmp	Binary or memory string: KTV/tmp/qemu-open.do8eLe\
Source: mips.elf, 5833.1.00007fff806e2000.00007fff80703000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.do8eLe
Source: mips.elf, 5833.1.00007fff806e2000.00007fff80703000.rw-.sdmp	Binary or memory string: MPDIR%s/qemu-op

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mips.elf	19%	ReversingLabs	Linux.Trojan.Mirai
mips.elf	100%	Avira	EXP/ELF.Agent.J.8

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://0/t/wget.sh	mips.elf, 5833.1.00007fb488456000.00007fb488460000.rw-.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.146.26.30	unknown	Reserved	11915	US-TELEPACIFICUS	true
156.244.45.113	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
154.205.155.243	unknown	Seychelles	26484	IKGUL-26484US	true
156.244.14.93	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
104.245.241.61	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
156.244.44.239	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
216.146.26.30	kmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CXE.14004.27270.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
156.244.45.113	aarch64.elf	Get hash	malicious	Unknown	Browse
	kmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
154.205.155.243	ppc.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CXE.14004.27270.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
156.244.14.93	ppc.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	kmips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IKGUL-26484US	ppc.elf	Get hash	malicious	Unknown	Browse	154.205.155.97
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	156.238.135.139
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	156.251.85.203
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	156.251.85.209
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	156.251.85.206
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	156.249.132.40
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	156.238.135.154
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	156.238.135.196
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	156.238.135.163
	sh4.elf	Get hash	malicious	Unknown	Browse	154.205.155.97
POWERLINE-AS-APPOWERLINEDATACENTERHK	ppc.elf	Get hash	malicious	Unknown	Browse	156.244.14.93
	arm.elf	Get hash	malicious	Unknown	Browse	156.244.14.93
	UuhANT$345432.exe	Get hash	malicious	FormBook	Browse	202.165.121.125
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	156.251.7.178
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	156.242.206.58
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	156.251.3.5
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	156.242.206.57
	aarch64.elf	Get hash	malicious	Unknown	Browse	156.244.45.113
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	156.251.7.175
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	156.242.206.23
US-TELEPACIFICUS	kmips.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	mips.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	byte.mips.elf	Get hash	malicious	Okiru	Browse	64.140.24.148
	ppc.elf	Get hash	malicious	Unknown	Browse	69.178.148.199
	SecuriteInfo.com.ELF.Mirai-CXE.14004.27270.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	arm5.elf	Get hash	malicious	Unknown	Browse	216.146.26.30
	cbr.x86.elf	Get hash	malicious	Mirai	Browse	65.60.78.35
	jklmips.elf	Get hash	malicious	Unknown	Browse	66.81.80.166
	nklmips.elf	Get hash	malicious	Unknown	Browse	64.60.67.186
	jklm68k.elf	Get hash	malicious	Unknown	Browse	216.146.25.253

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.do8eLe (deleted)

Download File

Process:	/tmp/mips.elf
File Type:	data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.378783493486176
Encrypted:	false
SSDEEP:	3:TgaLGn:TgAG
MD5:	640E98E7A87EC50F267F24DBC141D4DD
SHA1:	BC19B1CF25759386125D933665A8B429D9AE7E26
SHA-256:	6976993806B7CE05EA0AAA6BC975462833B19CF0D6DD4C9480F26FBAF66AF31D
SHA-512:	3887FBDFA33FF58EF35DDD9B1A2C9BDD611208904D8D371B2AFFE6E97F4C2EDA7A5BAA9786BDD3857AB6B31FE933CBE7290E7D9223671670A9BC739D457D4BA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/mips.elf.

/tmp/qemu-open.hkP4Wf (deleted)

Download File

Process:	/tmp/mips.elf
File Type:	data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.378783493486176
Encrypted:	false
SSDEEP:	3:TgaLGn:TgAG
MD5:	640E98E7A87EC50F267F24DBC141D4DD
SHA1:	BC19B1CF25759386125D933665A8B429D9AE7E26
SHA-256:	6976993806B7CE05EA0AAA6BC975462833B19CF0D6DD4C9480F26FBAF66AF31D
SHA-512:	3887FBDFA33FF58EF35DDD9B1A2C9BDD611208904D8D371B2AFFE6E97F4C2EDA7A5BAA9786BDD3857AB6B31FE933CBE7290E7D9223671670A9BC739D457D4BA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/mips.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.527375229379303
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mips.elf
File size:	89'956 bytes
MD5:	6e7311ae5648ac9c161f204032258d35
SHA1:	74dd4f2d73a98cd34355f93f8949f7bbf181c868
SHA256:	fba7bebf259ea5904705b2ce98b73a7ef017b7cf64565779a1afdfc437a46ef0
SHA512:	058a3fd7870bcfbb24ce687c22aab2ef5148ce17b094412e61a6f3d08586c9751c22e229332b6531381be3efccd3e39216c92fc8d5480cd95f3acb768e8b3739
SSDEEP:	1536:vVBgYjZ1KHfakBPjwFW1r0/1Rq8+znTray7WeGKdNc2:vVBZjGHfakBkFW1B8+znj7BdD
TLSH:	B193D74E2E75CFADF369C33447B74A31A3A923C522E1C685D2ACD1151F7024EA41FBA8
File Content Preview:	.ELF.....................@.`...4..]......4. ...(.............@...@....R...R...............R..ER..ER....T..l@........dt.Q............................<...'......!'.......................<...'..x...!... ....'9... ......................<...'..H...!........'99

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	89476
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x138a0	0x0	0x6	AX	16
.fini	PROGBITS	0x4139c0	0x139c0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x413a20	0x13a20	0x18c0	0x0	0x2	A	16
.ctors	PROGBITS	0x4552e4	0x152e4	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x4552ec	0x152ec	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x455300	0x15300	0x440	0x0	0x3	WA	16
.got	PROGBITS	0x455740	0x15740	0x5f8	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x455d38	0x15d38	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x455d60	0x15d38	0x61c4	0x0	0x3	WA	16
.shstrtab	STRTAB	0x0	0x15d38	0x49	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x152e0	0x152e0	5.5621	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x152e4	0x4552e4	0x4552e4	0xa54	0x6c40	3.6929	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 23:42:54.728703976 CET	55948	7679	192.168.2.15	156.244.45.113
Mar 26, 2025 23:42:54.885998964 CET	7679	55948	156.244.45.113	192.168.2.15
Mar 26, 2025 23:42:54.886076927 CET	55948	7679	192.168.2.15	156.244.45.113
Mar 26, 2025 23:42:55.043667078 CET	7679	55948	156.244.45.113	192.168.2.15
Mar 26, 2025 23:42:55.043971062 CET	55948	7679	192.168.2.15	156.244.45.113
Mar 26, 2025 23:42:55.201464891 CET	7679	55948	156.244.45.113	192.168.2.15
Mar 26, 2025 23:42:55.201864004 CET	55948	7679	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:01.903973103 CET	55948	7679	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:02.061362982 CET	7679	55948	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:02.061394930 CET	7679	55948	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:02.061846972 CET	55948	7679	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:02.221658945 CET	7679	55948	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:03.064368010 CET	42664	50749	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:03.223440886 CET	50749	42664	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:03.223885059 CET	42664	50749	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:03.383402109 CET	50749	42664	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:03.383640051 CET	42664	50749	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:03.544037104 CET	50749	42664	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:03.544178009 CET	42664	50749	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:10.233547926 CET	42664	50749	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:10.395262003 CET	50749	42664	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:10.395328045 CET	50749	42664	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:10.395639896 CET	42664	50749	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:10.557399988 CET	50749	42664	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:11.398881912 CET	33364	50749	192.168.2.15	216.146.26.30
Mar 26, 2025 23:43:11.907267094 CET	50749	33364	216.146.26.30	192.168.2.15
Mar 26, 2025 23:43:11.907463074 CET	33364	50749	192.168.2.15	216.146.26.30
Mar 26, 2025 23:43:12.416418076 CET	50749	33364	216.146.26.30	192.168.2.15
Mar 26, 2025 23:43:12.416737080 CET	33364	50749	192.168.2.15	216.146.26.30
Mar 26, 2025 23:43:12.926847935 CET	50749	33364	216.146.26.30	192.168.2.15
Mar 26, 2025 23:43:12.927026987 CET	33364	50749	192.168.2.15	216.146.26.30
Mar 26, 2025 23:43:18.915134907 CET	33364	50749	192.168.2.15	216.146.26.30
Mar 26, 2025 23:43:19.424338102 CET	50749	33364	216.146.26.30	192.168.2.15
Mar 26, 2025 23:43:19.424371004 CET	50749	33364	216.146.26.30	192.168.2.15
Mar 26, 2025 23:43:19.424967051 CET	33364	50749	192.168.2.15	216.146.26.30
Mar 26, 2025 23:43:19.939029932 CET	50749	33364	216.146.26.30	192.168.2.15
Mar 26, 2025 23:43:20.428719044 CET	38426	29486	192.168.2.15	154.205.155.243
Mar 26, 2025 23:43:20.588051081 CET	29486	38426	154.205.155.243	192.168.2.15
Mar 26, 2025 23:43:20.588323116 CET	38426	29486	192.168.2.15	154.205.155.243
Mar 26, 2025 23:43:20.747797966 CET	29486	38426	154.205.155.243	192.168.2.15
Mar 26, 2025 23:43:20.748054981 CET	38426	29486	192.168.2.15	154.205.155.243
Mar 26, 2025 23:43:20.908318996 CET	29486	38426	154.205.155.243	192.168.2.15
Mar 26, 2025 23:43:20.908617973 CET	38426	29486	192.168.2.15	154.205.155.243
Mar 26, 2025 23:43:27.597690105 CET	38426	29486	192.168.2.15	154.205.155.243
Mar 26, 2025 23:43:27.756694078 CET	29486	38426	154.205.155.243	192.168.2.15
Mar 26, 2025 23:43:27.756719112 CET	29486	38426	154.205.155.243	192.168.2.15
Mar 26, 2025 23:43:27.757066965 CET	38426	29486	192.168.2.15	154.205.155.243
Mar 26, 2025 23:43:27.916224957 CET	29486	38426	154.205.155.243	192.168.2.15
Mar 26, 2025 23:43:28.762232065 CET	59706	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:28.921164989 CET	35086	59706	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:28.921479940 CET	59706	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:29.080447912 CET	35086	59706	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:29.080782890 CET	59706	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:29.239200115 CET	35086	59706	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:29.239645004 CET	59706	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:35.933760881 CET	59706	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:36.092403889 CET	35086	59706	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:36.092437029 CET	35086	59706	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:36.092978001 CET	59706	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:43:36.251559973 CET	35086	59706	156.244.45.113	192.168.2.15
Mar 26, 2025 23:43:37.098130941 CET	39584	40217	192.168.2.15	156.244.44.239
Mar 26, 2025 23:43:37.257586002 CET	40217	39584	156.244.44.239	192.168.2.15
Mar 26, 2025 23:43:37.257833958 CET	39584	40217	192.168.2.15	156.244.44.239
Mar 26, 2025 23:43:37.417252064 CET	40217	39584	156.244.44.239	192.168.2.15
Mar 26, 2025 23:43:37.417392969 CET	39584	40217	192.168.2.15	156.244.44.239
Mar 26, 2025 23:43:37.576670885 CET	40217	39584	156.244.44.239	192.168.2.15
Mar 26, 2025 23:43:37.576961994 CET	39584	40217	192.168.2.15	156.244.44.239
Mar 26, 2025 23:43:44.266957045 CET	39584	40217	192.168.2.15	156.244.44.239
Mar 26, 2025 23:43:44.426707983 CET	40217	39584	156.244.44.239	192.168.2.15
Mar 26, 2025 23:43:44.426754951 CET	40217	39584	156.244.44.239	192.168.2.15
Mar 26, 2025 23:43:44.427516937 CET	39584	40217	192.168.2.15	156.244.44.239
Mar 26, 2025 23:43:44.586909056 CET	40217	39584	156.244.44.239	192.168.2.15
Mar 26, 2025 23:43:45.434916973 CET	36398	41763	192.168.2.15	104.245.241.61
Mar 26, 2025 23:43:45.832554102 CET	41763	36398	104.245.241.61	192.168.2.15
Mar 26, 2025 23:43:45.833175898 CET	36398	41763	192.168.2.15	104.245.241.61
Mar 26, 2025 23:43:46.232450008 CET	41763	36398	104.245.241.61	192.168.2.15
Mar 26, 2025 23:43:46.232618093 CET	36398	41763	192.168.2.15	104.245.241.61
Mar 26, 2025 23:43:46.630223989 CET	41763	36398	104.245.241.61	192.168.2.15
Mar 26, 2025 23:43:46.630665064 CET	36398	41763	192.168.2.15	104.245.241.61
Mar 26, 2025 23:43:52.846031904 CET	36398	41763	192.168.2.15	104.245.241.61
Mar 26, 2025 23:43:53.243508101 CET	41763	36398	104.245.241.61	192.168.2.15
Mar 26, 2025 23:43:53.243558884 CET	41763	36398	104.245.241.61	192.168.2.15
Mar 26, 2025 23:43:53.244188070 CET	36398	41763	192.168.2.15	104.245.241.61
Mar 26, 2025 23:43:53.641294956 CET	41763	36398	104.245.241.61	192.168.2.15
Mar 26, 2025 23:43:54.250494957 CET	44476	56190	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:54.410640001 CET	56190	44476	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:54.410996914 CET	44476	56190	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:54.569989920 CET	56190	44476	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:54.570389986 CET	44476	56190	192.168.2.15	156.244.14.93
Mar 26, 2025 23:43:54.729429007 CET	56190	44476	156.244.14.93	192.168.2.15
Mar 26, 2025 23:43:54.729840994 CET	44476	56190	192.168.2.15	156.244.14.93
Mar 26, 2025 23:44:01.424505949 CET	44476	56190	192.168.2.15	156.244.14.93
Mar 26, 2025 23:44:01.583610058 CET	56190	44476	156.244.14.93	192.168.2.15
Mar 26, 2025 23:44:01.583635092 CET	56190	44476	156.244.14.93	192.168.2.15
Mar 26, 2025 23:44:01.584217072 CET	44476	56190	192.168.2.15	156.244.14.93
Mar 26, 2025 23:44:01.744683027 CET	56190	44476	156.244.14.93	192.168.2.15
Mar 26, 2025 23:44:02.589586020 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:03.086661100 CET	12016	46732	216.146.26.30	192.168.2.15
Mar 26, 2025 23:44:03.087066889 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:03.583992958 CET	12016	46732	216.146.26.30	192.168.2.15
Mar 26, 2025 23:44:03.584378004 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:04.080696106 CET	12016	46732	216.146.26.30	192.168.2.15
Mar 26, 2025 23:44:04.081078053 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:08.647301912 CET	12016	46732	216.146.26.30	192.168.2.15
Mar 26, 2025 23:44:08.647702932 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:10.097963095 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:10.594285011 CET	12016	46732	216.146.26.30	192.168.2.15
Mar 26, 2025 23:44:10.594611883 CET	46732	12016	192.168.2.15	216.146.26.30
Mar 26, 2025 23:44:25.115266085 CET	33490	52962	192.168.2.15	104.245.241.61
Mar 26, 2025 23:44:25.507771969 CET	52962	33490	104.245.241.61	192.168.2.15
Mar 26, 2025 23:44:25.508284092 CET	33490	52962	192.168.2.15	104.245.241.61
Mar 26, 2025 23:44:25.900991917 CET	52962	33490	104.245.241.61	192.168.2.15
Mar 26, 2025 23:44:25.901281118 CET	33490	52962	192.168.2.15	104.245.241.61
Mar 26, 2025 23:44:26.294784069 CET	52962	33490	104.245.241.61	192.168.2.15
Mar 26, 2025 23:44:26.295032024 CET	33490	52962	192.168.2.15	104.245.241.61
Mar 26, 2025 23:44:32.519563913 CET	33490	52962	192.168.2.15	104.245.241.61
Mar 26, 2025 23:44:32.912312984 CET	52962	33490	104.245.241.61	192.168.2.15
Mar 26, 2025 23:44:32.912379026 CET	52962	33490	104.245.241.61	192.168.2.15
Mar 26, 2025 23:44:32.912986994 CET	33490	52962	192.168.2.15	104.245.241.61
Mar 26, 2025 23:44:33.305638075 CET	52962	33490	104.245.241.61	192.168.2.15
Mar 26, 2025 23:44:33.920221090 CET	41336	26141	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:34.078593969 CET	26141	41336	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:34.079140902 CET	41336	26141	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:34.236901045 CET	26141	41336	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:34.237392902 CET	41336	26141	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:34.395004988 CET	26141	41336	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:34.395416975 CET	41336	26141	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:41.091449976 CET	41336	26141	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:41.250171900 CET	26141	41336	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:41.250684977 CET	26141	41336	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:41.251090050 CET	41336	26141	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:41.408488035 CET	26141	41336	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:42.255589008 CET	59720	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:44:42.414190054 CET	35086	59720	156.244.45.113	192.168.2.15
Mar 26, 2025 23:44:42.414747000 CET	59720	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:44:42.573384047 CET	35086	59720	156.244.45.113	192.168.2.15
Mar 26, 2025 23:44:42.573977947 CET	59720	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:44:42.733549118 CET	35086	59720	156.244.45.113	192.168.2.15
Mar 26, 2025 23:44:42.734154940 CET	59720	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:44:49.426646948 CET	59720	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:44:49.585236073 CET	35086	59720	156.244.45.113	192.168.2.15
Mar 26, 2025 23:44:49.585283995 CET	35086	59720	156.244.45.113	192.168.2.15
Mar 26, 2025 23:44:49.586071014 CET	59720	35086	192.168.2.15	156.244.45.113
Mar 26, 2025 23:44:49.744685888 CET	35086	59720	156.244.45.113	192.168.2.15
Mar 26, 2025 23:44:50.592206001 CET	48410	35086	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:50.751580000 CET	35086	48410	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:50.751929045 CET	48410	35086	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:50.911425114 CET	35086	48410	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:50.911680937 CET	48410	35086	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:51.070628881 CET	35086	48410	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:51.070966005 CET	48410	35086	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:57.764691114 CET	48410	35086	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:57.923832893 CET	35086	48410	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:57.923865080 CET	35086	48410	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:57.924606085 CET	48410	35086	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:58.083606958 CET	35086	48410	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:58.929074049 CET	46406	44859	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:59.088063955 CET	44859	46406	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:59.088454008 CET	46406	44859	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:59.247992992 CET	44859	46406	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:59.248259068 CET	46406	44859	192.168.2.15	156.244.44.239
Mar 26, 2025 23:44:59.407603979 CET	44859	46406	156.244.44.239	192.168.2.15
Mar 26, 2025 23:44:59.407763004 CET	46406	44859	192.168.2.15	156.244.44.239

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 23:42:57.893579006 CET	39695	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:42:59.895884037 CET	55414	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:43:04.226950884 CET	41123	53	192.168.2.15	208.67.220.220
Mar 26, 2025 23:43:06.229341984 CET	44320	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:43:08.231439114 CET	59452	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:14.912617922 CET	42637	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:43:16.912847996 CET	32920	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:21.590353966 CET	34510	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:43:23.592611074 CET	39317	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:43:29.926527977 CET	48660	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:31.929013968 CET	33125	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:38.261544943 CET	44568	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:40.263981104 CET	54691	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:42.264324903 CET	40929	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:46.838907957 CET	51443	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:48.841423988 CET	56151	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:43:55.417262077 CET	45502	53	192.168.2.15	208.67.220.220
Mar 26, 2025 23:43:57.419816971 CET	55852	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:43:59.421962976 CET	55926	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:44:06.094038010 CET	42821	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:44:26.512605906 CET	57274	53	192.168.2.15	208.67.220.220
Mar 26, 2025 23:44:35.084455013 CET	51077	53	192.168.2.15	8.8.4.4
Mar 26, 2025 23:44:37.086973906 CET	46813	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:44:43.419655085 CET	55282	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:44:47.424252987 CET	53256	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:44:53.759989023 CET	35631	53	192.168.2.15	208.67.222.222
Mar 26, 2025 23:44:55.762342930 CET	34615	53	192.168.2.15	8.8.4.4

System Behavior

Analysis Process: mips.elf PID: 5833, Parent PID: 5759

General

Start time (UTC):	22:42:52
Start date (UTC):	26/03/2025
Path:	/tmp/mips.elf
Arguments:	/tmp/mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: mips.elf PID: 5836, Parent PID: 5833

General

Start time (UTC):	22:42:53
Start date (UTC):	26/03/2025
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Errors

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.do8eLe (deleted)

/tmp/qemu-open.hkP4Wf (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

System Behavior

Analysis Process: mips.elf PID: 5833, Parent PID: 5759

General

File Activities

File Opened

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: mips.elf PID: 5836, Parent PID: 5833

General

Process Activities

Linux Analysis Report
mips.elf