Linux Analysis Report
.i.elf

Overview

General Information

Sample name: .i.elf
Analysis ID: 1669005
MD5: 4e6cf38ca04c64bbbc0de39518340fa3
SHA1: b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256: a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
Tags: elf, user-abuse_ch

Detection

Family: Mirai
Score: 76 (range 0 - 100)

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "iptables" command to insert, remove and/or manipulate rules
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (radar axes): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean / suspicious / malicious. Verdict for this sample: malicious (mal76: spreading, trojan, evader).
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1669005
Start date and time: 2025-04-19 04:09:24 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: .i.elf
Detection: MAL
Classification: mal76.spre.troj.evad.linELF@0/1@4/0
  • Excluded IPs from analysis (whitelisted): 209.51.161.238, 23.141.40.123, 23.168.136.132, 129.146.193.200
  • Excluded domains from analysis (whitelisted): pool.ntp.org
Command: /tmp/.i.elf
PID: 5414
Exit Code: 0
Killed: False
Standard Output: (empty)
Standard Error:
  iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directory
  Try `iptables -h' or 'iptables --help' for more information.
  iptables: No chain/target/match by that name.

The two error messages come from `iptables -D INPUT -j CWMP_CR` and `iptables -X CWMP_CR` respectively: the Ubuntu sandbox has no CWMP_CR chain (a chain present on some ISP-provisioned routers to admit TR-069 connection requests), so iptables first tries and fails to load it as a target extension, then fails to delete it. The failures of the iptables children are not reflected in the sample's own exit code, which stays 0.
  • system is lnxubuntu20
  • .i.elf (PID: 5414, Parent: 5337, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/.i.elf
    • .i.elf New Fork (PID: 5416, Parent: 5414)
      • .i.elf New Fork (PID: 5418, Parent: 5416)
      • sh (PID: 5418, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
        • sh New Fork (PID: 5424, Parent: 5418)
        • iptables (PID: 5424, Parent: 5418, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 23 -j DROP
      • .i.elf New Fork (PID: 5430, Parent: 5416)
      • sh (PID: 5430, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        • sh New Fork (PID: 5435, Parent: 5430)
        • iptables (PID: 5435, Parent: 5430, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 7547 -j DROP
      • .i.elf New Fork (PID: 5436, Parent: 5416)
      • sh (PID: 5436, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        • sh New Fork (PID: 5441, Parent: 5436)
        • iptables (PID: 5441, Parent: 5436, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 5555 -j DROP
      • .i.elf New Fork (PID: 5442, Parent: 5416)
      • sh (PID: 5442, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
        • sh New Fork (PID: 5447, Parent: 5442)
        • iptables (PID: 5447, Parent: 5442, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 5358 -j DROP
      • .i.elf New Fork (PID: 5450, Parent: 5416)
      • sh (PID: 5450, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -D INPUT -j CWMP_CR"
        • sh New Fork (PID: 5455, Parent: 5450)
        • iptables (PID: 5455, Parent: 5450, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -D INPUT -j CWMP_CR
      • .i.elf New Fork (PID: 5456, Parent: 5416)
      • sh (PID: 5456, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -X CWMP_CR"
        • sh New Fork (PID: 5461, Parent: 5456)
        • iptables (PID: 5461, Parent: 5456, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -X CWMP_CR
      • .i.elf New Fork (PID: 5462, Parent: 5416)
      • sh (PID: 5462, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
        • sh New Fork (PID: 5467, Parent: 5462)
        • iptables (PID: 5467, Parent: 5462, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --dport 11002 -j ACCEPT
  • cleanup
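The seven shell commands in the tree above are the whole of the sample's host-side activity, so they are worth turning into a reusable check. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses `sh -c "iptables ..."` command lines the way a sandbox or EDR records them, and flags the combination of DROP rules on inbound management ports, removal of a vendor chain, and an ACCEPT hole for the bot's own UDP listener. The event list is constructed from the process tree above; the port labels in KNOWN_PORTS and the verdict logic are assumptions made for this example.

```python
"""Flag the iptables self-defence pattern from recorded shell command lines."""
import shlex

# Labels only; assumed mapping of the ports this sample closes.
KNOWN_PORTS = {
    23: "telnet",
    7547: "tr-069/cwmp",
    5555: "adb",
    5358: "wsdapi",
}

# Constructed from the process tree in the report: (pid, command line).
EVENTS = [
    (5418, 'sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"'),
    (5430, 'sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"'),
    (5436, 'sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"'),
    (5442, 'sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"'),
    (5450, 'sh -c "iptables -D INPUT -j CWMP_CR"'),
    (5456, 'sh -c "iptables -X CWMP_CR"'),
    (5462, 'sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"'),
]


def parse_iptables(cmdline):
    """Parse one iptables invocation (optionally wrapped in sh -c) into a dict.

    Returns None for anything that is not an iptables call. Both --dport and
    --destination-port are accepted; unknown or positional tokens are skipped.
    """
    argv = shlex.split(cmdline)
    if len(argv) >= 3 and argv[0] == "sh" and argv[1] == "-c":
        argv = shlex.split(argv[2])
    if not argv or argv[0].rsplit("/", 1)[-1] != "iptables":
        return None
    rule = {"action": None, "chain": None, "proto": None, "dport": None, "target": None}
    i = 1
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-A", "-I", "-D", "-X", "-F", "-N"):
            rule["action"], rule["chain"] = opt, val
        elif opt == "-p":
            rule["proto"] = val
        elif opt in ("--dport", "--destination-port") and val and val.isdigit():
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            i += 1          # rule number or unknown option: advance one token
            continue
        i += 2
    return rule


def assess(events):
    """Return (verdict, findings) for a list of (pid, cmdline) events."""
    drops, holes, removed = [], [], set()
    for _pid, cmd in events:
        r = parse_iptables(cmd)
        if r is None:
            continue
        inbound = r["action"] in ("-A", "-I") and r["chain"] == "INPUT" and r["dport"]
        if inbound and r["target"] == "DROP":
            drops.append((r["dport"], KNOWN_PORTS.get(r["dport"], "unknown")))
        elif inbound and r["target"] == "ACCEPT":
            holes.append((r["proto"] or "any", r["dport"]))
        elif r["action"] == "-X":
            removed.add(r["chain"])
        elif r["action"] == "-D" and r["target"] not in (None, "DROP", "ACCEPT", "REJECT"):
            removed.add(r["target"])     # unlinking a user-defined chain from INPUT
    findings = []
    if drops:
        findings.append("inbound DROP on " + ", ".join(f"{p}/{n}" for p, n in drops))
    if removed:
        findings.append("vendor chain removed: " + ", ".join(sorted(removed)))
    if holes:
        findings.append("listener hole punched: " + ", ".join(f"{pr}/{p}" for pr, p in holes))
    verdict = "self-defence firewall pattern" if drops and holes else "no pattern"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess(EVENTS)
    print(verdict)
    for line in findings:
        print(" -", line)
```

On a live device the same check can be run against `iptables -S INPUT` output, since each `-A INPUT ...` line it prints is accepted by parse_iptables as written. Note that the CWMP_CR deletion failing on the sandbox host does not make it noise: rules aimed at a chain that only exists on CPE firmware tell you what hardware the sample is written for.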
Malware family (Malpedia)

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches

    Source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp | Rule: JoeSecurity_Mirai_9 | Description: Yara detected Mirai | Author: Joe Security
    No Suricata rule has matched

    AV Detection

    Avira: detected
    VirusTotal: detection 53%
    ReversingLabs: detection 50%

    Spreading

    /tmp/.i.elf (PID: 5414) opens /proc/net/route (the IPv4 routing table: local interfaces and the default gateway)

    Networking

    iptables rule changes (signature: Executes the "iptables" command to insert, remove and/or manipulate rules):
      /bin/sh (PID: 5424) -> /usr/sbin/iptables -A INPUT -p tcp --destination-port 23 -j DROP
      /bin/sh (PID: 5435) -> /usr/sbin/iptables -A INPUT -p tcp --destination-port 7547 -j DROP
      /bin/sh (PID: 5441) -> /usr/sbin/iptables -A INPUT -p tcp --destination-port 5555 -j DROP
      /bin/sh (PID: 5447) -> /usr/sbin/iptables -A INPUT -p tcp --destination-port 5358 -j DROP
      /bin/sh (PID: 5455) -> /usr/sbin/iptables -D INPUT -j CWMP_CR
      /bin/sh (PID: 5461) -> /usr/sbin/iptables -X CWMP_CR
      /bin/sh (PID: 5467) -> /usr/sbin/iptables -I INPUT -p udp --dport 11002 -j ACCEPT

    The first four rules drop inbound Telnet (23), TR-069/CWMP (7547), 5555 (the Android Debug Bridge default) and 5358, the remote-management ports through which IoT bots typically gain access; this locks out rival bots and the device owner alike. Deleting and removing the CWMP_CR chain disables the TR-069 connection-request handling on routers that ship such a chain. The last rule opens UDP 11002, which is the local source port of every UDP flow listed below.
    UDP traffic on non-standard ports, all from 192.168.2.13:11002:
      -> 82.221.103.244:6881
      -> 67.215.246.10:6881
      -> 79.140.117.203:4093
      -> 5.3.252.254:26761
      -> 77.172.35.225:27542
      -> 14.192.214.208:12423
      -> 80.11.235.118:6881
      -> 181.42.46.105:37746
      -> 190.193.152.141:45956
      -> 190.240.69.24:55604
      -> 189.139.172.241:37982
      -> 103.199.205.126:53324
      -> 177.52.82.94:12999
      -> 117.24.165.173:25324
      -> 117.24.165.65:36141
      -> 124.91.148.108:33676
      -> 119.34.160.228:12298
      -> 58.241.139.153:6887
      -> 2.103.108.201:55642
      -> 81.101.129.89:27596
      -> 112.118.83.13:11018
      -> 148.71.121.183:6881
      -> 178.247.145.191:23759
      -> 188.255.55.114:6881
      -> 109.94.85.146:62788
      -> 91.192.20.140:5889
      -> 211.48.88.198:33231
      -> 78.85.4.135:4609
      -> 213.94.41.136:22535
      -> 41.193.87.152:26584
      -> 201.188.189.46:51145
      -> 195.98.68.52:1313
      -> 91.175.39.237:25921
      -> 91.239.227.43:1797
      -> 99.240.197.244:61706
      -> 45.238.183.98:8983
      -> 79.177.128.82:1793
      -> 68.226.67.22:54102
      -> 190.56.32.232:50639
      -> 98.209.107.208:47204
      -> 90.201.53.148:56521
      -> 82.39.237.234:6881
      -> 83.222.166.141:20550
      -> 213.80.212.27:6881
      -> 54.70.174.84:6881
      -> 199.45.219.152:16495
      -> 179.96.135.23:23860
      -> 92.16.182.203:36939
      -> 144.76.166.157:50000
      -> 189.129.211.64:47778
      -> 187.190.166.141:1642
      -> 198.162.193.189:63259
      -> 177.52.48.235:3476
      -> 82.50.89.36:6881
      -> 188.2.115.47:35216
      -> 188.65.232.39:50118
      -> 2.183.108.235:42399
      -> 190.101.84.250:6881
      -> 176.226.202.11:26359
      -> 113.148.125.188:7777
      -> 91.121.7.132:51413
      -> 79.190.191.74:38004
      -> 94.68.18.162:53262
      -> 189.196.45.102:4124
      -> 31.60.104.7:6026
      -> 113.26.87.94:35380
      -> 113.89.244.83:6881
      -> 79.185.46.91:46886
      -> 175.204.168.7:40736
      -> 144.217.181.115:63949
      -> 222.187.254.73:17207
      -> 54.77.218.23:6992
      -> 106.14.195.230:11159
    iptables executed by the /bin/sh children (PIDs 5424, 5435, 5441, 5447, 5455, 5461, 5467): the same seven rule changes listed above (signature: Executes the "iptables" command used for managing IP filtering and manipulation)
    /tmp/.i.elf (PID: 5416) reads hosts file: /etc/hosts
    UDP traffic detected without a corresponding DNS query (50 events; repeated destinations marked): 1.1.1.1 (x2), 79.140.117.203 (x2), 5.3.252.254 (x2), 77.172.35.225 (x3), 14.192.214.208 (x2), 80.11.235.118 (x2), 181.42.46.105, 190.193.152.141, 190.240.69.24 (x2), 189.139.172.241, 103.199.205.126, 177.52.82.94, 117.24.165.173, 117.24.165.65, 124.91.148.108, 119.34.160.228, 58.241.139.153, 2.103.108.201, 81.101.129.89, 112.118.83.13, 148.71.121.183, 178.247.145.191, 188.255.55.114, 109.94.85.146, 91.192.20.140, 211.48.88.198, 78.85.4.135, 213.94.41.136, 41.193.87.152, 201.188.189.46, 195.98.68.52 (x2), 91.175.39.237, 91.239.227.43, 99.240.197.244, 45.238.183.98, 79.177.128.82, 68.226.67.22, 190.56.32.232, 98.209.107.208, 90.201.53.148, 82.39.237.234
    DNS queries: router.utorrent.com, router.bittorrent.com, daisy.ubuntu.com
    Program segment (LOAD without section mappings): 0x100000
    Classification label: mal76.spre.troj.evad.linELF@0/1@4/0

    router.bittorrent.com and router.utorrent.com are the public BitTorrent DHT bootstrap nodes and 6881 is the DHT default port, so the UDP fan-out above is a DHT bootstrap from the port the sample opened in the firewall, not the TCP connection to a hard-coded C2 address that classic Mirai makes; treat the family label as a code-similarity verdict rather than a statement about the C2 channel. daisy.ubuntu.com is the Ubuntu crash-reporting endpoint and is sandbox background noise, not sample traffic.
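The traffic pattern above (one local source port, dozens of distinct peers, a cluster on 6881, DNS lookups of the DHT router hosts) can be recognised from flow lines alone. The Python below is an added example, not part of the Joe Sandbox report: it parses flow lines in the report's own format, computes per-source-socket fan-out, and raises a finding when the DHT-bootstrap pattern is present, optionally correlating the source port with the UDP ports the sample opened via iptables. The flow excerpt and DNS list are constructed from the lists above; the peer-count and port-share thresholds are assumptions.

```python
"""Detect DHT-style bootstrap fan-out in sandbox UDP flow lines."""
import re
from collections import Counter

FLOW_RE = re.compile(
    r"UDP traffic: (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)"
)
# Public BitTorrent DHT bootstrap hosts and the DHT default port.
DHT_BOOTSTRAP_NAMES = {"router.bittorrent.com", "router.utorrent.com", "dht.transmissionbt.com"}
DHT_DEFAULT_PORT = 6881

# Constructed excerpt of the report's flow list (same line format as the report).
SAMPLE_FLOWS = """\
UDP traffic: 192.168.2.13:11002 -> 82.221.103.244:6881
UDP traffic: 192.168.2.13:11002 -> 67.215.246.10:6881
UDP traffic: 192.168.2.13:11002 -> 79.140.117.203:4093
UDP traffic: 192.168.2.13:11002 -> 5.3.252.254:26761
UDP traffic: 192.168.2.13:11002 -> 80.11.235.118:6881
UDP traffic: 192.168.2.13:11002 -> 181.42.46.105:37746
UDP traffic: 192.168.2.13:11002 -> 148.71.121.183:6881
UDP traffic: 192.168.2.13:11002 -> 91.121.7.132:51413
UDP traffic: 192.168.2.13:11002 -> 54.70.174.84:6881
UDP traffic: 192.168.2.13:11002 -> 106.14.195.230:11159
"""
SAMPLE_DNS = ["router.utorrent.com", "router.bittorrent.com", "daisy.ubuntu.com"]


def parse_flows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every flow line in text."""
    for m in FLOW_RE.finditer(text):
        yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def fanout_by_source(flows):
    """Group flows by (src_ip, src_port) -> (distinct peer count, Counter of dst ports)."""
    peers, ports = {}, {}
    for sip, sport, dip, dport in flows:
        key = (sip, sport)
        peers.setdefault(key, set()).add(dip)
        ports.setdefault(key, Counter())[dport] += 1
    return {k: (len(peers[k]), ports[k]) for k in peers}


def detect_dht_bootstrap(flow_text, dns_names, accepted_udp_ports=(), min_peers=8, min_share=0.25):
    """Return one finding per local socket that looks like a DHT bootstrap.

    A socket qualifies when it reaches at least `min_peers` distinct hosts and
    either a `min_share` fraction of its flows go to 6881 or a DHT router name
    was resolved. `accepted_udp_ports` are UDP ports the host opened through
    iptables ACCEPT rules (the report shows one for udp/11002); a match raises
    confidence that the socket is the bot's own listener.
    """
    saw_router = bool(set(dns_names) & DHT_BOOTSTRAP_NAMES)
    findings = []
    for (sip, sport), (n_peers, port_counter) in fanout_by_source(parse_flows(flow_text)).items():
        total = sum(port_counter.values())
        share = port_counter[DHT_DEFAULT_PORT] / total if total else 0.0
        if n_peers >= min_peers and (share >= min_share or saw_router):
            findings.append({
                "local": f"{sip}:{sport}",
                "peers": n_peers,
                "share_6881": round(share, 2),
                "router_resolved": saw_router,
                "listener_opened": sport in set(accepted_udp_ports),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_dht_bootstrap(SAMPLE_FLOWS, SAMPLE_DNS, accepted_udp_ports=[11002]):
        print(finding)
```

Legitimate BitTorrent clients produce the same fan-out, so the verdict gains weight from context a flow record alone lacks: here the listener port was opened by an iptables rule the same process issued, and the process also closed the device's management ports.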

    Persistence and Installation Behavior

    iptables rule changes by the /bin/sh children (PIDs 5424, 5435, 5441, 5447, 5455, 5461, 5467): the same seven rule changes listed under Networking (signature: Executes the "iptables" command to insert, remove and/or manipulate rules)
    /tmp/.i.elf (PID: 5416) creates hidden directory: /tmp/.p
    /tmp/.i.elf (PID: 5416) enumerates processes through procfs (signature: Enumerates processes within the "proc" file system):
      /proc/<pid>/cmdline opened for PIDs 1-29, 110-132, 230-255, 371, 490, 800, 802, 803, 914, 917, 1238, 1480, 1482, 1588, 1906, 3095 and 3420
      /proc/<pid>/fd opened for PIDs 1, 490, 800, 802, 803, 914, 917, 1480, 1482, 1588, 1906, 3095 and 3420
    Reading the command line of every process, and the open descriptors of the user-space ones, is consistent with a process-killer routine that looks for competing bots or management daemons by name and by the sockets they hold.
    Shell commands executed by /tmp/.i.elf (signature: Executes commands using a shell command-line interpreter):
      PID 5418: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
      PID 5430: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
      PID 5436: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
      PID 5442: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
      PID 5450: sh -c "iptables -D INPUT -j CWMP_CR"
      PID 5456: sh -c "iptables -X CWMP_CR"
      PID 5462: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
    iptables executed by the /bin/sh children (PIDs 5424, 5435, 5441, 5447, 5455, 5461, 5467): the same seven rule changes listed under Networking
    Stderr of the submitted sample (exit code = 0):
      iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directory
      Try `iptables -h' or 'iptables --help' for more information.
      iptables: No chain/target/match by that name.

    Hooking and other Techniques for Hiding and Protection

    Sample deletes itself: /tmp/.i.elf (PID: 5416) removes its own file /tmp/.i.elf
    Submission file: segment LOAD with 7.9807 entropy (max. 8.0)
    /tmp/.i.elf (PID: 5414) queries kernel information via 'uname'
    Memory string (.i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp): /etc/qemu-binfmt/mipsel
    Memory string (.i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp): ;V!/etc/qemu-binfmt/mipsel
    Memory string (.i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp): 3x86_64/usr/bin/qemu-mipsel/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
    Memory string (.i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp): /usr/bin/qemu-mipsel

    Caveat on the QEMU strings: the sample is a MIPS little-endian binary and the x64 sandbox ran it under user-mode QEMU (/usr/bin/qemu-mipsel, registered through /etc/qemu-binfmt/mipsel). The rw- regions quoted here are the emulator's own heap and stack (the qemu process's argv and environment), not data written by the sample; the MD5 recorded for PID 5414 in the process tree, which differs from the submitted file's MD5, is consistent with this. The sample's own code is the r-x region at 0x7fc83c400000 where the Yara rule matched. The 'uname' query is likewise as much a property of running under an emulator and a libc as it is an evasion indicator.

    Stealing of Sensitive Information

    Source: Yara match  File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

    Remote Access Functionality

    Source: Yara match  File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY
    MITRE ATT&CK matrix, one line per tactic. A leading number is the count of matched signatures for that technique; techniques without a number are the fixed placeholder cells the report shows for every tactic and were not observed.

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
    Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Defense Evasion: 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 File Deletion; Binary Padding
    Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: 11 Security Software Discovery; 1 File and Directory Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
    No configs have been found
    Behavior graph (ID 1669005, sample .i.elf, start date 19/04/2025, architecture LINUX, score 76), flattened from the interactive view:
    • Network nodes: 198.162.193.189 port 63259 (WATCHCOMM-IN, United States); 41.193.87.152 ports 11002 and 26584 (Vox-Telecom, South Africa); 72 other IPs or domains
    • Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai
    • .i.elf started, signature: Opens /proc/net/* files useful for finding connected devices and routers
    • child .i.elf started, signature: Sample deletes itself
    • from that child: three ".i.elf sh" processes and 4 other processes
    • each sh spawns "sh iptables" (seven instances), signature: Executes the "iptables" command to insert, remove and/or manipulate rules

    Antivirus / scanner results for the submitted file (Source | Detection | Scanner | Label)
    .i.elf | 54% | Virustotal | (no label)
    .i.elf | 50% | ReversingLabs | Linux.Trojan.Hajime
    .i.elf | 100% | Avira | LINUX/Hajime.woltx
    The three further scanner tables of the report (dropped files, domains, URLs) each read: No Antivirus matches

    Both scanners that give a family name say Hajime, while the sandbox's own YARA verdict is Mirai. The two are not contradictory: Hajime reuses Mirai's scanning and credential code, which is what the YARA rule keys on, but the firewall changes above and the BitTorrent-DHT peer traffic below are the Hajime-specific part of the behaviour.


    Domains contacted (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
    daisy.ubuntu.com | 162.213.35.24 | true | false | (none) | high
    router.bittorrent.com | 67.215.246.10 | true | false | (none) | high
    router.utorrent.com | 82.221.103.244 | true | false | (none) | high
    IPs contacted (IP | Domain | Country | ASN and ASN name | Malicious). ASN names are reproduced as the report exports them, with spaces stripped.
    119.34.160.228 | unknown | China | AS17622 CNCGROUP-GZChinaUnicomGuangzhounetworkCN | false
    189.129.211.64 | unknown | Mexico | AS8151 UninetSAdeCVMX | false
    189.139.172.241 | unknown | Mexico | AS8151 UninetSAdeCVMX | false
    181.42.46.105 | unknown | Chile | AS27651 ENTELCHILESACL | false
    195.98.68.52 | unknown | Russian Federation | AS6856 IC-VORONEZH-ASInformsvyaz-ChernozemyeRU | false
    31.60.104.7 | unknown | Poland | AS5617 TPNETPL | false
    99.240.197.244 | unknown | Canada | AS812 ROGERS-COMMUNICATIONSCA | false
    78.85.4.135 | unknown | Russian Federation | AS12389 ROSTELECOM-ASRU | false
    14.192.214.208 | unknown | Malaysia | AS9534 MAXIS-AS1-APBinariangBerhadMY | false
    80.11.235.118 | unknown | France | AS3215 FranceTelecom-OrangeFR | false
    187.190.166.141 | unknown | Mexico | AS17072 TOTALPLAYTELECOMUNICACIONESSADECVMX | false
    177.52.82.94 | unknown | Brazil | AS262439 JARDNETINFORMATICALTDA-EPPBR | false
    79.190.191.74 | unknown | Poland | AS5617 TPNETPL | false
    77.172.35.225 | unknown | Netherlands | AS1136 KPNKPNNationalEU | false
    190.56.32.232 | unknown | Guatemala | AS14754 TelguaGT | false
    199.45.219.152 | unknown | United States | AS2379 CENTURYLINK-LEGACY-EMBARQ-WNPKUS | false
    58.241.139.153 | unknown | China | AS4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
    190.101.84.250 | unknown | Chile | AS22047 VTRBANDAANCHASACL | false
    41.193.87.152 | unknown | South Africa | AS11845 Vox-TelecomZA | false
    5.3.252.254 | unknown | Russian Federation | AS50543 SARATOV-ASRU | false
    79.177.128.82 | unknown | Israel | AS8551 BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL | false
    222.187.254.73 | unknown | China | AS4134 CHINANET-BACKBONENo31Jin-rongStreetCN | false
    81.101.129.89 | unknown | United Kingdom | AS5089 NTLGB | false
    113.148.125.188 | unknown | Japan | AS2516 KDDIKDDICORPORATIONJP | false
    144.217.181.115 | unknown | Canada | AS16276 OVHFR | false
    109.94.85.146 | unknown | Russian Federation | AS50060 ANNETRU | false
    190.240.69.24 | unknown | Colombia | AS13489 EPMTelecomunicacionesSAESPCO | false
    190.193.152.141 | unknown | Argentina | AS10481 TelecomArgentinaSAAR | false
    117.24.165.173 | unknown | China | AS133776 CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN | false
    179.96.135.23 | unknown | Brazil | AS28634 LifeTecnologiaLtdaBR | false
    82.221.103.244 | router.utorrent.com | Iceland | AS50613 THORDC-ASIS | false
    113.89.244.83 | unknown | China | AS4134 CHINANET-BACKBONENo31Jin-rongStreetCN | false
    188.2.115.47 | unknown | Serbia | AS31042 SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze | false
    148.71.121.183 | unknown | Portugal | AS12353 VODAFONE-PTVodafonePortugalPT | false
    54.70.174.84 | unknown | United States | AS16509 AMAZON-02US | false
    198.162.193.189 | unknown | United States | AS46231 WATCHCOMM-INUS | false
    79.185.46.91 | unknown | Poland | AS5617 TPNETPL | false
    176.226.202.11 | unknown | Russian Federation | AS8369 INTERSVYAZ-AS38-BKomsomolskyprospektRU | false
    92.16.182.203 | unknown | United Kingdom | AS13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB | false
    117.24.165.65 | unknown | China | AS133776 CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN | false
    177.52.48.235 | unknown | Brazil | AS28198 IsimplesTelecomeHardwareLtdaBR | false
    91.192.20.140 | unknown | Russian Federation | AS42291 ISTRANET-ASIstranetLLCASRU | false
    91.121.7.132 | unknown | France | AS16276 OVHFR | false
    2.103.108.201 | unknown | United Kingdom | AS13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB | false
    45.238.183.98 | unknown | Colombia | AS266860 CONEXIONDIGITALEXPRESSSASCO | false
    82.39.237.234 | unknown | United Kingdom | AS5089 NTLGB | false
    68.226.67.22 | unknown | United States | AS22773 ASN-CXA-ALL-CCI-22773-RDCUS | false
    213.94.41.136 | unknown | Spain | AS3313 INET-ASIT | false
    189.196.45.102 | unknown | Mexico | AS13999 MegaCableSAdeCVMX | false
    175.204.168.7 | unknown | Korea Republic of | AS4766 KIXS-AS-KRKoreaTelecomKR | false
    54.77.218.23 | unknown | United States | AS16509 AMAZON-02US | false
    144.76.166.157 | unknown | Germany | AS24940 HETZNER-ASDE | false
    113.26.87.94 | unknown | China | AS4134 CHINANET-BACKBONENo31Jin-rongStreetCN | false
    79.140.117.203 | unknown | Germany | AS15366 DNSNETGermanInternetServiceProvidersDE | false
    201.188.189.46 | unknown | Chile | AS7418 TELEFONICACHILESACL | false
    213.80.212.27 | unknown | Russian Federation | AS15974 VTT-ASISPSaratovRussiaRU | false
    124.91.148.108 | unknown | China | AS4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
    211.48.88.198 | unknown | Korea Republic of | AS4766 KIXS-AS-KRKoreaTelecomKR | false
    67.215.246.10 | router.bittorrent.com | United States | AS8100 ASN-QUADRANET-GLOBALUS | false
    83.222.166.141 | unknown | Bulgaria | AS12615 GCN-ASGCNAD-SofiaBulgariaBG | false
    91.175.39.237 | unknown | France | AS12322 PROXADFR | false
    103.199.205.126 | unknown | India | AS9829 BSNL-NIBNationalInternetBackboneIN | false
    106.14.195.230 | unknown | China | AS37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
    112.118.83.13 | unknown | Hong Kong | AS4760 HKTIMS-APHKTLimitedHK | false
    91.239.227.43 | unknown | unknown | AS14576 HOSTING-SOLUTIONSUS | false
    178.247.145.191 | unknown | Turkey | AS16135 TURKCELL-ASTurkcellASTR | false
    98.209.107.208 | unknown | United States | AS7922 COMCAST-7922US | false
    82.50.89.36 | unknown | Italy | AS3269 ASN-IBSNAZIT | false
    94.68.18.162 | unknown | Greece | AS6799 OTENET-GRAthens-GreeceGR | false
    2.183.108.235 | unknown | Iran (ISLAMIC Republic Of) | AS58224 TCIIR | false
    90.201.53.148 | unknown | United Kingdom | AS5607 BSKYB-BROADBAND-ASGB | false
    188.65.232.39 | unknown | Russian Federation | AS38984 M9COM-ASRU | false
    188.255.55.114 | unknown | Russian Federation | AS42610 NCNET-ASRU | false

    Apart from the two DHT bootstrap routers, every address is a residential or hosting IP in a different ASN, which is what a peer list obtained from the public BitTorrent DHT looks like; none of them is flagged as malicious and none should be treated as a C2 server on its own.
    Related samples by contacted IP (sample name, detection, threat name; the SHA-256 and the "Get hash"/"Browse" links of the interactive view are not reproduced)
    82.221.103.244: i.elf (malicious, Mirai); four entries named utorrent_installer.exe (malicious, Unknown); .i.elf (malicious, Mirai); na.elf (malicious, Unknown); two entries named BitTorrent-7.6.exe (malicious, Unknown); SecuriteInfo.com.Adware.Downware.20091.8549.2837.exe (malicious, Unknown)
    190.193.152.141: la.bot.arm.elf (malicious, Unknown)

    Related samples by contacted domain (sample name, detection, threat name; IP the related sample resolved)
    router.bittorrent.com (all resolved to 67.215.246.10): i.elf (malicious, Mirai); .i.elf (malicious, HTMLPhisher, Mirai); .i.elf (malicious, Mirai); .i.elf (malicious, Mirai); .i.elf (malicious, Mirai)
    router.utorrent.com (all resolved to 82.221.103.244): i.elf (malicious, Mirai); .i.elf (malicious, HTMLPhisher, Mirai); .i.elf (malicious, Mirai); .i.elf (malicious, Mirai); .i.elf (malicious, Mirai)
    daisy.ubuntu.com: xd.arc.elf (malicious, Unknown; 162.213.35.25); xd.arm6.elf (malicious, Unknown; 162.213.35.25); vision.arm5.elf (malicious, Unknown; 162.213.35.24); vision.arm6.elf (malicious, Mirai; 162.213.35.24); boatnet.arm5.elf (malicious, Unknown; 162.213.35.25); morte.arm5.elf (malicious, Unknown; 162.213.35.24); morte.arm5.elf (malicious, Unknown; 162.213.35.25); meihao.ppc.elf (malicious, Unknown; 162.213.35.24); meihao.mpsl.elf (malicious, Unknown; 162.213.35.24); meihao.mips.elf (malicious, Unknown; 162.213.35.25)

    Note that the uTorrent and BitTorrent installers share the two router.* domains with this sample only because those are the public DHT bootstrap nodes every BitTorrent client uses, and that daisy.ubuntu.com is the Ubuntu error-reporting endpoint contacted by the analysis VM's own services. Neither overlap links the samples to each other; treat both as sandbox background rather than as indicators.

    Related samples by ASN (sample name, detection, threat name; IP in that ASN contacted by the related sample)
    CNCGROUP-GZChinaUnicomGuangzhounetworkCN: xd.m68k.elf (malicious, Mirai; 220.198.199.198); sora.arm.elf (malicious, Mirai; 112.94.220.103); mpsl.elf (malicious, Mirai; 58.255.129.205); splx86.elf (malicious, Unknown; 119.32.159.172); nabmips.elf (malicious, Unknown; 112.94.220.120); arm7.elf (malicious, Mirai; 58.248.228.177); splarm7.elf (malicious, Unknown; 112.94.79.45); resgod.arm.elf (malicious, Mirai; 112.96.62.151); resgod.arm5.elf (malicious, Mirai; 157.61.249.173); resgod.arm.elf (malicious, Mirai; 157.122.60.18)
    UninetSAdeCVMX (the report prints this list twice, once for each of the two Uninet IPs above; it is given once here): meihao.sh4.elf (malicious, Mirai; 187.206.80.129); nemil.mpsl.elf (malicious, Mirai; 189.244.146.184); nemil.arm7.elf (malicious, Mirai; 187.250.72.146); nemil.mips.elf (malicious, Mirai; 201.135.206.221); meihao.mpsl.elf (malicious, Mirai; 187.172.109.86); meihao.arm.elf (malicious, Mirai; 148.227.200.203); xd.arm5.elf (malicious, Mirai; 189.137.234.65); sora.arm.elf (malicious, Mirai; 187.232.26.175); sora.mpsl.elf (malicious, Mirai; 189.232.46.39); mqml.elf (malicious, Mirai; 187.225.153.22)
    ENTELCHILESACL: xd.arm7.elf (malicious, Mirai; 181.43.42.87); xd.i686.elf (malicious, Mirai; 181.43.17.96); nklmpsl.elf (malicious, Unknown; 164.77.128.140); resgod.mips.elf (malicious, Mirai; 181.43.42.28); resgod.m68k.elf (malicious, Mirai; 181.43.123.130); resgod.arm5.elf (malicious, Mirai; 181.43.123.157); arm.elf (malicious, Unknown; 181.43.42.40); resgod.arm7.elf (malicious, Mirai; 181.42.27.52); splsh4.elf (malicious, Unknown; 181.43.42.96); jklppc.elf (malicious, Unknown; 181.43.42.90)
                                No context
                                No context
                                 Process: /tmp/.i.elf
                                 File Type: data
                                 Category: dropped
                                 Size (bytes): 12
                                 Entropy (8bit): 3.2516291673878226
                                 Encrypted: false
                                 SSDEEP: 3:TgLxl:TgLj
                                 MD5: E4B87097E4B36E14500B9CE57C45EA25
                                 SHA1: DE3D58C12CA45D58E41455D0B693AF835D7F7361
                                 SHA-256: 7AD8A46FA4EADA251D0628721EEA0DE6EA917EC6B820146172179FFA68FC44A8
                                 SHA-512: 53CD8469E5F84281D446318E05BBA7B4A0D93FBF7567B663E875E9BBE95453E83E1C233140DBEBFC50C64F981CF1C007A1A573C508AE676BBE78F07C38DA4D43
                                 Malicious: false
                                 Reputation: moderate, very likely benign file
                                 Preview: /tmp/.i.elf. (the 12 bytes are the sample's own path, /tmp/.i.elf, followed by one non-printable byte that the preview renders as a dot)
                                File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                                Entropy (8bit):7.981094611090621
                                TrID:
                                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                File name:.i.elf
                                File size:84'960 bytes
                                MD5:4e6cf38ca04c64bbbc0de39518340fa3
                                SHA1:b43aa81c8fe3f4b520a1c53557c8e477100530e1
                                SHA256:a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
                                SHA512:aae55dffe4e5a803d0b392202581f6ffa6c78dc84afcd092b847cf218020c6146959bc522485a2ee2d3dc031bd1b63fac801fc89b6b3efbd357eb2b4a261d27d
                                SSDEEP:1536:m3LqE6rUQWzVQR7iAGEcUT5PIi7pLqBNs4LOjcwf4nB6XuzGNy+iSc7tNUZN:mOE6PWo1T5bz4LVMXuzVNScWN
                                TLSH:438312CFA4598B66EC79CDF809DB59004D46621E738B75EF630C959C6038B862C8E92F
                                File Content Preview:.ELF.................... /..4...........4. ...(......................A...A....................G...G...................}l........................_..........?.E.h;....#....3.FR..gcpC....2.*..]8v. .....'..pw...rW.U.S.....(.|W.H..?#.$0......m.r...U....:...&..

                                ELF header

                                Class:ELF32
                                Data:2's complement, little endian
                                Version:1 (current)
                                Machine:MIPS R3000
                                Version Number:0x1
                                Type:EXEC (Executable file)
                                OS/ABI:UNIX - System V
                                ABI Version:0
                                Entry Point Address:0x112f20
                                Flags:0x1007
                                ELF Header Size:52
                                Program Header Offset:52
                                Program Header Size:32
                                Number of Program Headers:2
                                Section Header Offset:0
                                Section Header Size:40
                                Number of Section Headers:0
                                Header String Table Index:0
                                 Program headers (Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings)
                                 LOAD | 0x0 | 0x100000 | 0x100000 | 0x14195 | 0x14195 | 7.9807 | 0x5 | R E | 0x10000 | - | -
                                 LOAD | 0xa5a0 | 0x47a5a0 | 0x47a5a0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10000 | - | -

                                 Everything executable sits in one read+execute LOAD segment of 0x14195 bytes at entropy 7.98, there is no section table (e_shoff 0, e_shnum 0), and the second LOAD is an empty read/write placeholder. That layout, in an 84,960-byte statically linked file, is what a runtime-packed binary looks like: the code has to be dumped from the process after it has unpacked itself before strings or functions can be inspected.
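                                 A small static-triage routine for this kind of ELF, as an added example (not code from the Joe Sandbox report). It parses the ELF32 little-endian header and program-header table with struct, computes per-segment Shannon entropy and flags the indicators the report lists (no section headers, a single high-entropy executable segment, an empty LOAD). The image it parses is constructed here from the report's header values (MIPS, entry 0x112f20, e_flags 0x1007, two PT_LOAD entries) with a deterministic random payload standing in for the packed code; it is not the sample, and the 7.5 entropy threshold is an assumption.

```python
"""Static triage of an ELF32 LE image: header, program headers, segment entropy."""
import math
import random
import struct
from collections import Counter

PT_LOAD, PF_X, EM_MIPS = 1, 0x1, 8
EHDR_FMT = "<HHIIIIIHHHHHH"     # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"          # ELF32 program header (32 bytes)


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_elf32_le(blob):
    """Return the header fields and program headers we need for triage."""
    if blob[:4] != b"\x7fELF" or blob[4] != 1 or blob[5] != 1:
        raise ValueError("expected an ELF32 little-endian image")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, e_flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, blob, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, p_align = \
            struct.unpack_from(PHDR_FMT, blob, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "offset": p_off, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags,
                      "align": p_align,
                      "entropy": shannon_entropy(blob[p_off:p_off + p_filesz])})
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "flags": e_flags,
            "shoff": e_shoff, "shnum": e_shnum, "phdrs": phdrs}


def packed_indicators(info, entropy_threshold=7.5):
    """Triage flags that apply to a parsed image; empty list means nothing suspicious."""
    flags = []
    if info["shnum"] == 0 and info["shoff"] == 0:
        flags.append("no section headers")
    loads = [p for p in info["phdrs"] if p["type"] == PT_LOAD]
    exec_loads = [p for p in loads if p["flags"] & PF_X]
    if exec_loads and all(p["entropy"] >= entropy_threshold for p in exec_loads):
        flags.append("high-entropy executable segment")
    if any(p["filesz"] == 0 and p["memsz"] == 0 for p in loads):
        flags.append("zero-sized LOAD segment")
    if not any(p["vaddr"] <= info["entry"] < p["vaddr"] + p["memsz"] for p in exec_loads):
        flags.append("entry point outside executable segment")
    return flags


def build_elf_like_report(payload=None):
    """Constructed ELF32 LE MIPS image mirroring the report's header and segment values."""
    text_filesz = 0x14195                 # first LOAD starts at offset 0 and covers the headers
    if payload is None:
        rng = random.Random(1)            # deterministic stand-in for packed code
        payload = bytes(rng.getrandbits(8) for _ in range(text_filesz - 52 - 64))
    else:
        text_filesz = 52 + 64 + len(payload)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7   # ELF32, LSB, SysV
    ehdr = ident + struct.pack(EHDR_FMT, 2, EM_MIPS, 1, 0x112f20, 52, 0, 0x1007,
                               52, 32, 2, 40, 0, 0)
    ph_text = struct.pack(PHDR_FMT, PT_LOAD, 0, 0x100000, 0x100000,
                          text_filesz, text_filesz, 0x5, 0x10000)
    ph_data = struct.pack(PHDR_FMT, PT_LOAD, 0xa5a0, 0x47a5a0, 0x47a5a0, 0, 0, 0x6, 0x10000)
    return ehdr + ph_text + ph_data + payload


if __name__ == "__main__":
    parsed = parse_elf32_le(build_elf_like_report())
    for p in parsed["phdrs"]:
        print(f"LOAD off=0x{p['offset']:x} vaddr=0x{p['vaddr']:x} filesz=0x{p['filesz']:x} "
              f"flags=0x{p['flags']:x} entropy={p['entropy']:.4f}")
    print(packed_indicators(parsed))
```

                                 Pointing parse_elf32_le at a real file (open(path, "rb").read()) works unchanged for any ELF32 little-endian image; a big-endian MIPS build would need the ">" variants of the two format strings. An entry point that falls outside every executable segment is added as a fourth indicator because some packers leave the header pointing at a stub that is only mapped at run time.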


                                 Packet statistics
                                 • Total Packets: 128
                                 • 52 Ports have been hidden.
                                 • Ports shown: 53 (DNS); 1313, 1642, 1793, 1797, 3476, 4093, 4124, 4609, 6026 (no registered service)
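                                 A flow-level detector for the traffic pattern the packet list below shows (one fixed local UDP port, first contact to the public DHT routers, then a fan-out to many unrelated peers that answer back), as an added example that is not code from the Joe Sandbox report. The flow records are transcribed from the report's packet table with only a subset of rows kept; the bootstrap-node set, the thresholds and the "time sport dport src dst" record format are assumptions for this illustration.

```python
"""Profile UDP flows per local port to spot a DHT-style bootstrap and peer fan-out."""
from collections import defaultdict
from datetime import datetime

LOCAL_IP = "192.168.2.13"
# The two BitTorrent DHT routers the report resolves (router.utorrent.com,
# router.bittorrent.com). Assumed seed list for the detector; extend as needed.
DHT_BOOTSTRAP = {"82.221.103.244", "67.215.246.10"}

# Rows transcribed from the report's packet list (time, sport, dport, src, dst);
# the first two are the DNS lookup, the rest the sample's UDP 11002 traffic.
FLOWS = """\
04:10:15.952 33246 53 192.168.2.13 1.1.1.1
04:10:16.056 53 33246 1.1.1.1 192.168.2.13
04:10:16.057 11002 6881 192.168.2.13 82.221.103.244
04:10:16.165 11002 6881 192.168.2.13 67.215.246.10
04:10:16.316 6881 11002 67.215.246.10 192.168.2.13
04:10:28.973 11002 4093 192.168.2.13 79.140.117.203
04:10:28.973 11002 26761 192.168.2.13 5.3.252.254
04:11:13.837 11002 37746 192.168.2.13 181.42.46.105
04:11:13.837 11002 45956 192.168.2.13 190.193.152.141
04:11:14.102 45956 11002 190.193.152.141 192.168.2.13
04:11:14.104 11002 55604 192.168.2.13 190.240.69.24
04:11:14.104 11002 37982 192.168.2.13 189.139.172.241
04:11:14.104 11002 53324 192.168.2.13 103.199.205.126
04:11:14.269 37746 11002 181.42.46.105 192.168.2.13
04:11:22.812 11002 25324 192.168.2.13 117.24.165.173
04:11:23.177 11002 36141 192.168.2.13 117.24.165.65
04:11:23.541 11002 33676 192.168.2.13 124.91.148.108
04:11:23.859 11002 12298 192.168.2.13 119.34.160.228
04:11:24.225 11002 6887 192.168.2.13 58.241.139.153
"""


def profile_local_ports(flow_text, local_ip=LOCAL_IP):
    """Group flows by the local port and collect peer, bootstrap and direction stats."""
    prof = defaultdict(lambda: {"peers": set(), "bootstrap": set(),
                                "inbound": 0, "outbound": 0, "first": None, "last": None})
    for line in flow_text.splitlines():
        ts, sport, dport, src, dst = line.split()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        if src == local_ip:
            lport, peer, direction = int(sport), dst, "outbound"
        elif dst == local_ip:
            lport, peer, direction = int(dport), src, "inbound"
        else:
            continue                       # neither side is the host being profiled
        p = prof[lport]
        p["peers"].add(peer)
        p[direction] += 1
        if peer in DHT_BOOTSTRAP:
            p["bootstrap"].add(peer)
        p["first"] = t if p["first"] is None else min(p["first"], t)
        p["last"] = t if p["last"] is None else max(p["last"], t)
    return dict(prof)


def find_dht_listeners(prof, min_peers=8, max_span_s=120):
    """Local ports that talked to a DHT router and then reached many peers who replied."""
    hits = []
    for lport, p in prof.items():
        span = (p["last"] - p["first"]).total_seconds()
        if (p["bootstrap"] and p["inbound"] > 0
                and len(p["peers"]) >= min_peers and span <= max_span_s):
            hits.append(lport)
    return sorted(hits)


if __name__ == "__main__":
    profile = profile_local_ports(FLOWS)
    for port in find_dht_listeners(profile):
        p = profile[port]
        print(f"local UDP {port}: {len(p['peers'])} peers, bootstrap via {sorted(p['bootstrap'])}, "
              f"{p['inbound']} inbound / {p['outbound']} outbound")
```

                                 The inbound-reply requirement separates a live DHT node from a host that merely sprays packets, and the bootstrap requirement keeps ordinary UDP fan-out (DNS, NTP pools, game traffic) out of the result. On a network where BitTorrent clients are allowed the same pattern is legitimate, so the verdict should be joined with the host's process list: a torrent client owning the socket is expected, a hidden file in /tmp is not.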
                                 Packet list (Timestamp | Source Port | Dest Port | Source IP | Dest IP), all on Apr 19, 2025, CEST. The analysis host is 192.168.2.13; 11002 is the UDP port the sample opened with its iptables ACCEPT rule, and 6881 on the remote side is the port of the router.bittorrent.com / router.utorrent.com DHT bootstrap nodes and of several peers. Only the rows exported for this section are listed.
                                 04:10:15.952626944 | 33246 | 53 | 192.168.2.13 | 1.1.1.1
                                 04:10:16.056447029 | 53 | 33246 | 1.1.1.1 | 192.168.2.13
                                 04:10:16.057236910 | 11002 | 6881 | 192.168.2.13 | 82.221.103.244
                                 04:10:16.060806036 | 45541 | 53 | 192.168.2.13 | 1.1.1.1
                                 04:10:16.165128946 | 53 | 45541 | 1.1.1.1 | 192.168.2.13
                                 04:10:16.165416956 | 11002 | 6881 | 192.168.2.13 | 67.215.246.10
                                 04:10:16.316452980 | 6881 | 11002 | 67.215.246.10 | 192.168.2.13
                                 04:10:28.821393013 | 11002 | 6881 | 192.168.2.13 | 67.215.246.10
                                 04:10:28.972541094 | 6881 | 11002 | 67.215.246.10 | 192.168.2.13
                                 04:10:28.973229885 | 11002 | 4093 | 192.168.2.13 | 79.140.117.203
                                 04:10:28.973470926 | 11002 | 26761 | 192.168.2.13 | 5.3.252.254
                                 04:10:36.817925930 | 11002 | 27542 | 192.168.2.13 | 77.172.35.225
                                 04:10:56.836416960 | 11002 | 12423 | 192.168.2.13 | 14.192.214.208
                                 04:11:06.829751968 | 11002 | 27542 | 192.168.2.13 | 77.172.35.225
                                 04:11:11.824273109 | 11002 | 6881 | 192.168.2.13 | 82.221.103.244
                                 04:11:11.827050924 | 11002 | 6881 | 192.168.2.13 | 67.215.246.10
                                 04:11:11.978363037 | 6881 | 11002 | 67.215.246.10 | 192.168.2.13
                                 04:11:13.837199926 | 11002 | 6881 | 192.168.2.13 | 80.11.235.118
                                 04:11:13.837557077 | 11002 | 37746 | 192.168.2.13 | 181.42.46.105
                                 04:11:13.837620020 | 11002 | 45956 | 192.168.2.13 | 190.193.152.141
                                 04:11:14.102586031 | 45956 | 11002 | 190.193.152.141 | 192.168.2.13
                                 04:11:14.103755951 | 11002 | 26761 | 192.168.2.13 | 5.3.252.254
                                 04:11:14.103993893 | 11002 | 55604 | 192.168.2.13 | 190.240.69.24
                                 04:11:14.104041100 | 11002 | 37982 | 192.168.2.13 | 189.139.172.241
                                 04:11:14.104155064 | 11002 | 53324 | 192.168.2.13 | 103.199.205.126
                                 04:11:14.104362965 | 11002 | 55604 | 192.168.2.13 | 190.240.69.24
                                 04:11:14.269282103 | 37746 | 11002 | 181.42.46.105 | 192.168.2.13
                                 04:11:14.269747019 | 11002 | 12999 | 192.168.2.13 | 177.52.82.94
                                 04:11:14.353575945 | 37982 | 11002 | 189.139.172.241 | 192.168.2.13
                                 04:11:22.807239056 | 55604 | 11002 | 190.240.69.24 | 192.168.2.13
                                 04:11:22.811876059 | 55604 | 11002 | 190.240.69.24 | 192.168.2.13
                                 04:11:22.812293053 | 11002 | 25324 | 192.168.2.13 | 117.24.165.173
                                 04:11:23.177470922 | 25324 | 11002 | 117.24.165.173 | 192.168.2.13
                                 04:11:23.177874088 | 11002 | 36141 | 192.168.2.13 | 117.24.165.65
                                 04:11:23.541089058 | 36141 | 11002 | 117.24.165.65 | 192.168.2.13
                                 04:11:23.541846037 | 11002 | 33676 | 192.168.2.13 | 124.91.148.108
                                 04:11:23.858941078 | 33676 | 11002 | 124.91.148.108 | 192.168.2.13
                                 04:11:23.859200954 | 11002 | 12298 | 192.168.2.13 | 119.34.160.228
                                 04:11:24.225239992 | 12298 | 11002 | 119.34.160.228 | 192.168.2.13
                                 04:11:24.225754976 | 11002 | 6887 | 192.168.2.13 | 58.241.139.153
                                 04:11:24.561433077 | 6887 | 11002 | 58.241.139.153 | 192.168.2.13
                                 04:11:24.561995983 | 11002 | 55642 | 192.168.2.13 | 2.103.108.201
                                 04:11:24.779799938 | 55642 | 11002 | 2.103.108.201 | 192.168.2.13
                                 04:11:24.780297995 | 11002 | 27596 | 192.168.2.13 | 81.101.129.89
                                 04:11:24.999911070 | 27596 | 11002 | 81.101.129.89 | 192.168.2.13
                                 04:11:25.000396967 | 11002 | 11018 | 192.168.2.13 | 112.118.83.13
                                 04:11:25.291387081 | 11018 | 11002 | 112.118.83.13 | 192.168.2.13
                                 04:11:25.291934967 | 11002 | 6881 | 192.168.2.13 | 148.71.121.183
                                 04:11:25.513098001 | 6881 | 11002 | 148.71.121.183 | 192.168.2.13
                                 04:11:25.513509035 | 11002 | 23759 | 192.168.2.13 | 178.247.145.191
                                 04:11:25.895029068 | 23759 | 11002 | 178.247.145.191 | 192.168.2.13
                                 04:11:25.895442963 | 11002 | 6881 | 192.168.2.13 | 188.255.55.114
                                 04:11:26.117170095 | 6881 | 11002 | 188.255.55.114 | 192.168.2.13
                                 04:11:26.118089914 | 11002 | 62788 | 192.168.2.13 | 109.94.85.146
                                 04:11:26.366674900 | 62788 | 11002 | 109.94.85.146 | 192.168.2.13
                                 04:11:26.367181063 | 11002 | 5889 | 192.168.2.13 | 91.192.20.140
                                 04:11:26.610910892 | 5889 | 11002 | 91.192.20.140 | 192.168.2.13
                                 04:11:26.611325979 | 11002 | 33231 | 192.168.2.13 | 211.48.88.198
                                 04:11:26.891079903 | 33231 | 11002 | 211.48.88.198 | 192.168.2.13
                                 04:11:26.891633034 | 11002 | 4609 | 192.168.2.13 | 78.85.4.135
                                 04:11:27.150685072 | 4609 | 11002 | 78.85.4.135 | 192.168.2.13
                                 04:11:27.151371956 | 11002 | 22535 | 192.168.2.13 | 213.94.41.136
                                 04:11:27.387276888 | 22535 | 11002 | 213.94.41.136 | 192.168.2.13
                                 04:11:27.387873888 | 11002 | 26584 | 192.168.2.13 | 41.193.87.152
                                 04:11:27.704854965 | 26584 | 11002 | 41.193.87.152 | 192.168.2.13
                                 04:11:27.705176115 | 11002 | 51145 | 192.168.2.13 | 201.188.189.46
                                 04:11:27.828964949 | 11002 | 1313 | 192.168.2.13 | 195.98.68.52
                                 04:11:27.994362116 | 51145 | 11002 | 201.188.189.46 | 192.168.2.13
                                 04:11:27.994707108 | 11002 | 6881 | 192.168.2.13 | 80.11.235.118
                                 04:11:27.994816065 | 11002 | 25921 | 192.168.2.13 | 91.175.39.237
                                 04:11:28.206842899 | 25921 | 11002 | 91.175.39.237 | 192.168.2.13
                                 04:11:28.207190990 | 11002 | 1797 | 192.168.2.13 | 91.239.227.43
                                 04:11:28.496103048 | 1797 | 11002 | 91.239.227.43 | 192.168.2.13
                                 04:11:28.496565104 | 11002 | 61706 | 192.168.2.13 | 99.240.197.244
                                 04:11:28.653723001 | 61706 | 11002 | 99.240.197.244 | 192.168.2.13
                                 04:11:28.654252052 | 11002 | 8983 | 192.168.2.13 | 45.238.183.98
                                 04:11:28.855885983 | 8983 | 11002 | 45.238.183.98 | 192.168.2.13
                                 04:11:28.856153965 | 11002 | 1793 | 192.168.2.13 | 79.177.128.82
                                 04:11:29.821762085 | 11002 | 54102 | 192.168.2.13 | 68.226.67.22
                                 04:11:29.997320890 | 54102 | 11002 | 68.226.67.22 | 192.168.2.13
                                 04:11:29.997514963 | 11002 | 50639 | 192.168.2.13 | 190.56.32.232
                                 04:11:29.997525930 | 11002 | 27542 | 192.168.2.13 | 77.172.35.225
                                 04:11:29.997555971 | 11002 | 47204 | 192.168.2.13 | 98.209.107.208
                                 04:11:29.997566938 | 11002 | 12423 | 192.168.2.13 | 14.192.214.208
                                 04:11:29.997575998 | 11002 | 56521 | 192.168.2.13 | 90.201.53.148
                                 04:11:29.997658014 | 11002 | 6881 | 192.168.2.13 | 82.39.237.234
                                 04:11:29.997658014 | 11002 | 4093 | 192.168.2.13 | 79.140.117.203
                                 04:11:30.222234964 | 6881 | 11002 | 82.39.237.234 | 192.168.2.13
                                 04:11:30.263525963 | 47204 | 11002 | 98.209.107.208 | 192.168.2.13
                                 04:11:30.330301046 | 56521 | 11002 | 90.201.53.148 | 192.168.2.13
                                 04:11:30.835170984 | 11002 | 1313 | 192.168.2.13 | 195.98.68.52
                                 04:11:30.879590988 | 55604 | 11002 | 190.240.69.24 | 192.168.2.13
                                 04:11:30.883054018 | 11002 | 55604 | 192.168.2.13 | 190.240.69.24
                                 04:11:31.828768969 | 11002 | 20550 | 192.168.2.13 | 83.222.166.141
                                 04:11:31.828769922 | 11002 | 6881 | 192.168.2.13 | 213.80.212.27
                                Apr 19, 2025 04:11:31.828768969 CEST110026881192.168.2.1354.70.174.84
                                Apr 19, 2025 04:11:33.303220987 CEST68811100254.70.174.84192.168.2.13
                                Apr 19, 2025 04:11:33.303652048 CEST1100226761192.168.2.135.3.252.254
                                Apr 19, 2025 04:11:33.303708076 CEST1100216495192.168.2.13199.45.219.152
                                Apr 19, 2025 04:11:33.420347929 CEST1649511002199.45.219.152192.168.2.13
                                Apr 19, 2025 04:11:33.420659065 CEST1100253324192.168.2.13103.199.205.126
                                Apr 19, 2025 04:11:33.420892000 CEST1100223860192.168.2.13179.96.135.23
                                Apr 19, 2025 04:11:33.829616070 CEST5332411002103.199.205.126192.168.2.13
                                Apr 19, 2025 04:11:34.966257095 CEST3798211002189.139.172.241192.168.2.13
                                Apr 19, 2025 04:11:34.966557980 CEST1100237982192.168.2.13189.139.172.241
                                Apr 19, 2025 04:11:39.823450089 CEST1100236939192.168.2.1392.16.182.203
                                Apr 19, 2025 04:11:42.826087952 CEST1100236939192.168.2.1392.16.182.203
                                Apr 19, 2025 04:11:47.825993061 CEST1100256521192.168.2.1390.201.53.148
                                Apr 19, 2025 04:11:48.148854971 CEST565211100290.201.53.148192.168.2.13
                                Apr 19, 2025 04:11:48.149305105 CEST1100250000192.168.2.13144.76.166.157
                                Apr 19, 2025 04:11:48.149307013 CEST1100250639192.168.2.13190.56.32.232
                                Apr 19, 2025 04:11:48.149347067 CEST1100212423192.168.2.1314.192.214.208
                                Apr 19, 2025 04:11:48.149348021 CEST110024093192.168.2.1379.140.117.203
                                Apr 19, 2025 04:11:48.357132912 CEST5000011002144.76.166.157192.168.2.13
                                Apr 19, 2025 04:11:50.836604118 CEST110026881192.168.2.13213.80.212.27
                                Apr 19, 2025 04:11:50.836613894 CEST1100247778192.168.2.13189.129.211.64
                                Apr 19, 2025 04:11:50.836621046 CEST110021642192.168.2.13187.190.166.141
                                Apr 19, 2025 04:11:51.824296951 CEST1100263259192.168.2.13198.162.193.189
                                Apr 19, 2025 04:11:54.842845917 CEST1100263259192.168.2.13198.162.193.189
                                Apr 19, 2025 04:11:55.828182936 CEST1100250000192.168.2.13144.76.166.157
                                Apr 19, 2025 04:11:56.036103010 CEST5000011002144.76.166.157192.168.2.13
                                Apr 19, 2025 04:12:03.828242064 CEST110023476192.168.2.13177.52.48.235
                                Apr 19, 2025 04:12:06.832129955 CEST110023476192.168.2.13177.52.48.235
                                Apr 19, 2025 04:12:07.818834066 CEST1100247778192.168.2.13189.129.211.64
                                Apr 19, 2025 04:12:07.818833113 CEST110021642192.168.2.13187.190.166.141
                                Apr 19, 2025 04:12:07.818840027 CEST110026881192.168.2.13213.80.212.27
                                Apr 19, 2025 04:12:07.818881035 CEST1100212423192.168.2.1314.192.214.208
                                Apr 19, 2025 04:12:07.818963051 CEST110026881192.168.2.1382.50.89.36
                                Apr 19, 2025 04:12:13.833345890 CEST110024093192.168.2.1379.140.117.203
                                Apr 19, 2025 04:12:15.825669050 CEST1100235216192.168.2.13188.2.115.47
                                Apr 19, 2025 04:12:18.827795982 CEST1100235216192.168.2.13188.2.115.47
                                Apr 19, 2025 04:12:24.830338955 CEST1100247778192.168.2.13189.129.211.64
                                Apr 19, 2025 04:12:24.830424070 CEST110021642192.168.2.13187.190.166.141
                                Apr 19, 2025 04:12:24.830449104 CEST110026881192.168.2.1354.70.174.84
                                Apr 19, 2025 04:12:25.011116028 CEST68811100254.70.174.84192.168.2.13
                                Apr 19, 2025 04:12:25.011698008 CEST1100223860192.168.2.13179.96.135.23
                                Apr 19, 2025 04:12:27.831864119 CEST1100250118192.168.2.13188.65.232.39
                                Apr 19, 2025 04:12:30.850469112 CEST1100250118192.168.2.13188.65.232.39
                                Apr 19, 2025 04:12:35.827383041 CEST110024093192.168.2.1379.140.117.203
                                Apr 19, 2025 04:12:39.834692001 CEST1100242399192.168.2.132.183.108.235
                                Apr 19, 2025 04:12:42.836419106 CEST1100242399192.168.2.132.183.108.235
                                Apr 19, 2025 04:12:46.824215889 CEST110026881192.168.2.1354.70.174.84
                                Apr 19, 2025 04:12:46.824273109 CEST1100220550192.168.2.1383.222.166.141
                                Apr 19, 2025 04:12:46.824321985 CEST110026881192.168.2.13190.101.84.250
                                Apr 19, 2025 04:12:47.010868073 CEST68811100254.70.174.84192.168.2.13
                                Apr 19, 2025 04:12:47.011132002 CEST1100223860192.168.2.13179.96.135.23
                                Apr 19, 2025 04:12:51.827801943 CEST1100226359192.168.2.13176.226.202.11
                                Apr 19, 2025 04:12:53.822525978 CEST1100250000192.168.2.13144.76.166.157
                                Apr 19, 2025 04:12:54.030244112 CEST5000011002144.76.166.157192.168.2.13
                                Apr 19, 2025 04:12:54.030464888 CEST1100250639192.168.2.13190.56.32.232
                                Apr 19, 2025 04:12:54.030491114 CEST110027777192.168.2.13113.148.125.188
                                Apr 19, 2025 04:12:54.030530930 CEST1100251413192.168.2.1391.121.7.132
                                Apr 19, 2025 04:12:54.228950977 CEST514131100291.121.7.132192.168.2.13
                                Apr 19, 2025 04:12:54.287508965 CEST777711002113.148.125.188192.168.2.13
                                Apr 19, 2025 04:12:54.831908941 CEST1100226359192.168.2.13176.226.202.11
                                Apr 19, 2025 04:12:57.534353971 CEST5453953192.168.2.131.1.1.1
                                Apr 19, 2025 04:12:57.534353971 CEST5193553192.168.2.131.1.1.1
                                Apr 19, 2025 04:12:57.639065981 CEST53545391.1.1.1192.168.2.13
                                Apr 19, 2025 04:12:57.665714025 CEST53519351.1.1.1192.168.2.13
                                Apr 19, 2025 04:13:03.817977905 CEST1100238004192.168.2.1379.190.191.74
                                Apr 19, 2025 04:13:03.817981005 CEST1100254102192.168.2.1368.226.67.22
                                Apr 19, 2025 04:13:03.978985071 CEST541021100268.226.67.22192.168.2.13
                                Apr 19, 2025 04:13:04.822791100 CEST1100253262192.168.2.1394.68.18.162
                                Apr 19, 2025 04:13:04.822792053 CEST1100220550192.168.2.1383.222.166.141
                                Apr 19, 2025 04:13:04.822793007 CEST110026881192.168.2.13190.101.84.250
                                Apr 19, 2025 04:13:06.830307007 CEST1100238004192.168.2.1379.190.191.74
                                Apr 19, 2025 04:13:15.834472895 CEST110024124192.168.2.13189.196.45.102
                                Apr 19, 2025 04:13:18.836452007 CEST110024124192.168.2.13189.196.45.102
                                Apr 19, 2025 04:13:20.835269928 CEST110026881192.168.2.13190.101.84.250
                                Apr 19, 2025 04:13:20.835319996 CEST1100253262192.168.2.1394.68.18.162
                                Apr 19, 2025 04:13:20.835371017 CEST110026026192.168.2.1331.60.104.7
                                Apr 19, 2025 04:13:27.836966991 CEST110027777192.168.2.13113.148.125.188
                                Apr 19, 2025 04:13:27.837249994 CEST1100235380192.168.2.13113.26.87.94
                                Apr 19, 2025 04:13:28.094536066 CEST777711002113.148.125.188192.168.2.13
                                Apr 19, 2025 04:13:28.094922066 CEST110026881192.168.2.13113.89.244.83
                                Apr 19, 2025 04:13:30.849471092 CEST1100235380192.168.2.13113.26.87.94
                                Apr 19, 2025 04:13:39.829931021 CEST1100246886192.168.2.1379.185.46.91
                                Apr 19, 2025 04:13:41.821784019 CEST1100253262192.168.2.1394.68.18.162
                                Apr 19, 2025 04:13:41.821801901 CEST110026026192.168.2.1331.60.104.7
                                Apr 19, 2025 04:13:41.821810961 CEST1100240736192.168.2.13175.204.168.7
                                Apr 19, 2025 04:13:42.100171089 CEST4073611002175.204.168.7192.168.2.13
                                Apr 19, 2025 04:13:42.100569963 CEST110026881192.168.2.1380.11.235.118
                                Apr 19, 2025 04:13:42.101239920 CEST1100263949192.168.2.13144.217.181.115
                                Apr 19, 2025 04:13:42.282850027 CEST6394911002144.217.181.115192.168.2.13
                                Apr 19, 2025 04:13:42.283056021 CEST1100217207192.168.2.13222.187.254.73
                                Apr 19, 2025 04:13:42.667357922 CEST1720711002222.187.254.73192.168.2.13
                                Apr 19, 2025 04:13:42.667530060 CEST110026992192.168.2.1354.77.218.23
                                Apr 19, 2025 04:13:42.848156929 CEST1100246886192.168.2.1379.185.46.91
                                Apr 19, 2025 04:13:42.885468960 CEST69921100254.77.218.23192.168.2.13
                                Apr 19, 2025 04:13:42.885575056 CEST1100211159192.168.2.13106.14.195.230
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Apr 19, 2025 04:10:15.952626944 CEST | 192.168.2.13 | 1.1.1.1 | 0x6737 | Standard query (0) | router.utorrent.com | A (IP address) | IN (0x0001) | false
                                Apr 19, 2025 04:10:16.060806036 CEST | 192.168.2.13 | 1.1.1.1 | 0x3d33 | Standard query (0) | router.bittorrent.com | A (IP address) | IN (0x0001) | false
                                Apr 19, 2025 04:12:57.534353971 CEST | 192.168.2.13 | 1.1.1.1 | 0xe0c0 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                Apr 19, 2025 04:12:57.534353971 CEST | 192.168.2.13 | 1.1.1.1 | 0x9712 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Apr 19, 2025 04:10:16.056447029 CEST | 1.1.1.1 | 192.168.2.13 | 0x6737 | No error (0) | router.utorrent.com | | 82.221.103.244 | A (IP address) | IN (0x0001) | false
                                Apr 19, 2025 04:10:16.165128946 CEST | 1.1.1.1 | 192.168.2.13 | 0x3d33 | No error (0) | router.bittorrent.com | | 67.215.246.10 | A (IP address) | IN (0x0001) | false
                                Apr 19, 2025 04:12:57.639065981 CEST | 1.1.1.1 | 192.168.2.13 | 0xe0c0 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
                                Apr 19, 2025 04:12:57.639065981 CEST | 1.1.1.1 | 192.168.2.13 | 0xe0c0 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                                System Behavior

                                Start time (UTC):02:10:10
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:/tmp/.i.elf
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -A INPUT -p tcp --destination-port 23 -j DROP
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -A INPUT -p tcp --destination-port 7547 -j DROP
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -A INPUT -p tcp --destination-port 5555 -j DROP
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -A INPUT -p tcp --destination-port 5358 -j DROP
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -D INPUT -j CWMP_CR"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -D INPUT -j CWMP_CR
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -X CWMP_CR"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -X CWMP_CR
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/tmp/.i.elf
                                Arguments:-
                                File size:5773336 bytes
                                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                Start time (UTC):02:10:14
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:15
                                Start date (UTC):19/04/2025
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):02:10:15
                                Start date (UTC):19/04/2025
                                Path:/usr/sbin/iptables
                                Arguments:iptables -I INPUT -p udp --dport 11002 -j ACCEPT
                                File size:99296 bytes
                                MD5 hash:1ab05fef765b6342cdfadaa5275b33af