Edit tour

Linux Analysis Report
.i.elf

Overview

General Information

Sample name:	.i.elf
Analysis ID:	1669005
MD5:	4e6cf38ca04c64bbbc0de39518340fa3
SHA1:	b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256:	a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Executes the "iptables" command to insert, remove and/or manipulate rules

Opens /proc/net/* files useful for finding connected devices and routers

Sample deletes itself

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "iptables" command used for managing IP filtering and manipulation

Reads the 'hosts' file potentially containing internal network hosts

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1669005
Start date and time:	2025-04-19 04:09:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	.i.elf
Detection:	MAL
Classification:	mal76.spre.troj.evad.linELF@0/1@4/0

Warnings

Excluded IPs from analysis (whitelisted): 209.51.161.238, 23.141.40.123, 23.168.136.132, 129.146.193.200
Excluded domains from analysis (whitelisted): pool.ntp.org

Runtime Messages

Command:	/tmp/.i.elf
PID:	5414
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directory Try `iptables -h' or 'iptables --help' for more information. iptables: No chain/target/match by that name.

Process Tree

system is lnxubuntu20

.i.elf (PID: 5414, Parent: 5337, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/.i.elf

.i.elf New Fork (PID: 5416, Parent: 5414)

.i.elf New Fork (PID: 5418, Parent: 5416)

sh (PID: 5418, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"

sh New Fork (PID: 5424, Parent: 5418)

iptables (PID: 5424, Parent: 5418, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 23 -j DROP

.i.elf New Fork (PID: 5430, Parent: 5416)

sh (PID: 5430, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"

sh New Fork (PID: 5435, Parent: 5430)

iptables (PID: 5435, Parent: 5430, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 7547 -j DROP

.i.elf New Fork (PID: 5436, Parent: 5416)

sh (PID: 5436, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"

sh New Fork (PID: 5441, Parent: 5436)

iptables (PID: 5441, Parent: 5436, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 5555 -j DROP

.i.elf New Fork (PID: 5442, Parent: 5416)

sh (PID: 5442, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"

sh New Fork (PID: 5447, Parent: 5442)

iptables (PID: 5447, Parent: 5442, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --destination-port 5358 -j DROP

.i.elf New Fork (PID: 5450, Parent: 5416)

sh (PID: 5450, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -D INPUT -j CWMP_CR"

sh New Fork (PID: 5455, Parent: 5450)

iptables (PID: 5455, Parent: 5450, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -D INPUT -j CWMP_CR

.i.elf New Fork (PID: 5456, Parent: 5416)

sh (PID: 5456, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -X CWMP_CR"

sh New Fork (PID: 5461, Parent: 5456)

iptables (PID: 5461, Parent: 5456, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -X CWMP_CR

.i.elf New Fork (PID: 5462, Parent: 5416)

sh (PID: 5462, Parent: 5416, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"

sh New Fork (PID: 5467, Parent: 5462)

iptables (PID: 5467, Parent: 5462, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --dport 11002 -j ACCEPT

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Stderr: iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directoryTry `iptables -h' or 'iptables --help' for more information.iptables: No chain/target/match by that name.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/.i.elf (PID: 5416)

File: /tmp/.i.elf

Jump to behavior

Source: .i.elf

Submission file: segment LOAD with 7.9807 entropy (max. 8.0)

Source: /tmp/.i.elf (PID: 5414)

Queries kernel information via 'uname':

Jump to behavior

Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp	Binary or memory string: ;V!/etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp	Binary or memory string: 3x86_64/usr/bin/qemu-mipsel/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
.i.elf	54%	Virustotal		Browse
.i.elf	50%	ReversingLabs	Linux.Trojan.Hajime
.i.elf	100%	Avira	LINUX/Hajime.woltx

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
daisy.ubuntu.com	162.213.35.24	true	false	high
router.bittorrent.com	67.215.246.10	true	false	high
router.utorrent.com	82.221.103.244	true	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
119.34.160.228	unknown	China	17622	CNCGROUP-GZChinaUnicomGuangzhounetworkCN	false
189.129.211.64	unknown	Mexico	8151	UninetSAdeCVMX	false
189.139.172.241	unknown	Mexico	8151	UninetSAdeCVMX	false
181.42.46.105	unknown	Chile	27651	ENTELCHILESACL	false
195.98.68.52	unknown	Russian Federation	6856	IC-VORONEZH-ASInformsvyaz-ChernozemyeRU	false
31.60.104.7	unknown	Poland	5617	TPNETPL	false
99.240.197.244	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
78.85.4.135	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
14.192.214.208	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	false
80.11.235.118	unknown	France	3215	FranceTelecom-OrangeFR	false
187.190.166.141	unknown	Mexico	17072	TOTALPLAYTELECOMUNICACIONESSADECVMX	false
177.52.82.94	unknown	Brazil	262439	JARDNETINFORMATICALTDA-EPPBR	false
79.190.191.74	unknown	Poland	5617	TPNETPL	false
77.172.35.225	unknown	Netherlands	1136	KPNKPNNationalEU	false
190.56.32.232	unknown	Guatemala	14754	TelguaGT	false
199.45.219.152	unknown	United States	2379	CENTURYLINK-LEGACY-EMBARQ-WNPKUS	false
58.241.139.153	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
190.101.84.250	unknown	Chile	22047	VTRBANDAANCHASACL	false
41.193.87.152	unknown	South Africa	11845	Vox-TelecomZA	false
5.3.252.254	unknown	Russian Federation	50543	SARATOV-ASRU	false
79.177.128.82	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	false
222.187.254.73	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
81.101.129.89	unknown	United Kingdom	5089	NTLGB	false
113.148.125.188	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
144.217.181.115	unknown	Canada	16276	OVHFR	false
109.94.85.146	unknown	Russian Federation	50060	ANNETRU	false
190.240.69.24	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
190.193.152.141	unknown	Argentina	10481	TelecomArgentinaSAAR	false
117.24.165.173	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
179.96.135.23	unknown	Brazil	28634	LifeTecnologiaLtdaBR	false
82.221.103.244	router.utorrent.com	Iceland	50613	THORDC-ASIS	false
113.89.244.83	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
188.2.115.47	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	false
148.71.121.183	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	false
54.70.174.84	unknown	United States	16509	AMAZON-02US	false
198.162.193.189	unknown	United States	46231	WATCHCOMM-INUS	false
79.185.46.91	unknown	Poland	5617	TPNETPL	false
176.226.202.11	unknown	Russian Federation	8369	INTERSVYAZ-AS38-BKomsomolskyprospektRU	false
92.16.182.203	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
117.24.165.65	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
177.52.48.235	unknown	Brazil	28198	IsimplesTelecomeHardwareLtdaBR	false
91.192.20.140	unknown	Russian Federation	42291	ISTRANET-ASIstranetLLCASRU	false
91.121.7.132	unknown	France	16276	OVHFR	false
2.103.108.201	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
45.238.183.98	unknown	Colombia	266860	CONEXIONDIGITALEXPRESSSASCO	false
82.39.237.234	unknown	United Kingdom	5089	NTLGB	false
68.226.67.22	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
213.94.41.136	unknown	Spain	3313	INET-ASIT	false
189.196.45.102	unknown	Mexico	13999	MegaCableSAdeCVMX	false
175.204.168.7	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
54.77.218.23	unknown	United States	16509	AMAZON-02US	false
144.76.166.157	unknown	Germany	24940	HETZNER-ASDE	false
113.26.87.94	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
79.140.117.203	unknown	Germany	15366	DNSNETGermanInternetServiceProvidersDE	false
201.188.189.46	unknown	Chile	7418	TELEFONICACHILESACL	false
213.80.212.27	unknown	Russian Federation	15974	VTT-ASISPSaratovRussiaRU	false
124.91.148.108	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
211.48.88.198	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
67.215.246.10	router.bittorrent.com	United States	8100	ASN-QUADRANET-GLOBALUS	false
83.222.166.141	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
91.175.39.237	unknown	France	12322	PROXADFR	false
103.199.205.126	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
106.14.195.230	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
112.118.83.13	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
91.239.227.43	unknown	unknown	14576	HOSTING-SOLUTIONSUS	false
178.247.145.191	unknown	Turkey	16135	TURKCELL-ASTurkcellASTR	false
98.209.107.208	unknown	United States	7922	COMCAST-7922US	false
82.50.89.36	unknown	Italy	3269	ASN-IBSNAZIT	false
94.68.18.162	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	false
2.183.108.235	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
90.201.53.148	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
188.65.232.39	unknown	Russian Federation	38984	M9COM-ASRU	false
188.255.55.114	unknown	Russian Federation	42610	NCNET-ASRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
82.221.103.244	i.elf	Get hash	malicious	Mirai	Browse
	utorrent_installer.exe	Get hash	malicious	Unknown	Browse
	utorrent_installer.exe	Get hash	malicious	Unknown	Browse
	utorrent_installer.exe	Get hash	malicious	Unknown	Browse
	utorrent_installer.exe	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Adware.Downware.20091.8549.2837.exe	Get hash	malicious	Unknown	Browse
190.193.152.141	la.bot.arm.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
router.bittorrent.com	i.elf	Get hash	malicious	Mirai	Browse	67.215.246.10
	.i.elf	Get hash	malicious	HTMLPhisher, Mirai	Browse	67.215.246.10
	.i.elf	Get hash	malicious	Mirai	Browse	67.215.246.10
	.i.elf	Get hash	malicious	Mirai	Browse	67.215.246.10
	.i.elf	Get hash	malicious	Mirai	Browse	67.215.246.10
router.utorrent.com	i.elf	Get hash	malicious	Mirai	Browse	82.221.103.244
	.i.elf	Get hash	malicious	HTMLPhisher, Mirai	Browse	82.221.103.244
	.i.elf	Get hash	malicious	Mirai	Browse	82.221.103.244
	.i.elf	Get hash	malicious	Mirai	Browse	82.221.103.244
	.i.elf	Get hash	malicious	Mirai	Browse	82.221.103.244
daisy.ubuntu.com	xd.arc.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	xd.arm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	vision.arm5.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	vision.arm6.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	boatnet.arm5.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	morte.arm5.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	morte.arm5.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	meihao.ppc.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	meihao.mpsl.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	meihao.mips.elf	Get hash	malicious	Unknown	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNCGROUP-GZChinaUnicomGuangzhounetworkCN	xd.m68k.elf	Get hash	malicious	Mirai	Browse	220.198.199.198
	sora.arm.elf	Get hash	malicious	Mirai	Browse	112.94.220.103
	mpsl.elf	Get hash	malicious	Mirai	Browse	58.255.129.205
	splx86.elf	Get hash	malicious	Unknown	Browse	119.32.159.172
	nabmips.elf	Get hash	malicious	Unknown	Browse	112.94.220.120
	arm7.elf	Get hash	malicious	Mirai	Browse	58.248.228.177
	splarm7.elf	Get hash	malicious	Unknown	Browse	112.94.79.45
	resgod.arm.elf	Get hash	malicious	Mirai	Browse	112.96.62.151
	resgod.arm5.elf	Get hash	malicious	Mirai	Browse	157.61.249.173
	resgod.arm.elf	Get hash	malicious	Mirai	Browse	157.122.60.18
UninetSAdeCVMX	meihao.sh4.elf	Get hash	malicious	Mirai	Browse	187.206.80.129
	nemil.mpsl.elf	Get hash	malicious	Mirai	Browse	189.244.146.184
	nemil.arm7.elf	Get hash	malicious	Mirai	Browse	187.250.72.146
	nemil.mips.elf	Get hash	malicious	Mirai	Browse	201.135.206.221
	meihao.mpsl.elf	Get hash	malicious	Mirai	Browse	187.172.109.86
	meihao.arm.elf	Get hash	malicious	Mirai	Browse	148.227.200.203
	xd.arm5.elf	Get hash	malicious	Mirai	Browse	189.137.234.65
	sora.arm.elf	Get hash	malicious	Mirai	Browse	187.232.26.175
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	189.232.46.39
	mqml.elf	Get hash	malicious	Mirai	Browse	187.225.153.22
UninetSAdeCVMX	meihao.sh4.elf	Get hash	malicious	Mirai	Browse	187.206.80.129
	nemil.mpsl.elf	Get hash	malicious	Mirai	Browse	189.244.146.184
	nemil.arm7.elf	Get hash	malicious	Mirai	Browse	187.250.72.146
	nemil.mips.elf	Get hash	malicious	Mirai	Browse	201.135.206.221
	meihao.mpsl.elf	Get hash	malicious	Mirai	Browse	187.172.109.86
	meihao.arm.elf	Get hash	malicious	Mirai	Browse	148.227.200.203
	xd.arm5.elf	Get hash	malicious	Mirai	Browse	189.137.234.65
	sora.arm.elf	Get hash	malicious	Mirai	Browse	187.232.26.175
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	189.232.46.39
	mqml.elf	Get hash	malicious	Mirai	Browse	187.225.153.22
ENTELCHILESACL	xd.arm7.elf	Get hash	malicious	Mirai	Browse	181.43.42.87
	xd.i686.elf	Get hash	malicious	Mirai	Browse	181.43.17.96
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	164.77.128.140
	resgod.mips.elf	Get hash	malicious	Mirai	Browse	181.43.42.28
	resgod.m68k.elf	Get hash	malicious	Mirai	Browse	181.43.123.130
	resgod.arm5.elf	Get hash	malicious	Mirai	Browse	181.43.123.157
	arm.elf	Get hash	malicious	Unknown	Browse	181.43.42.40
	resgod.arm7.elf	Get hash	malicious	Mirai	Browse	181.42.27.52
	splsh4.elf	Get hash	malicious	Unknown	Browse	181.43.42.96
	jklppc.elf	Get hash	malicious	Unknown	Browse	181.43.42.90

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.FTTWRK (deleted)

Download File

Process:	/tmp/.i.elf
File Type:	data
Category:	dropped
Size (bytes):	12
Entropy (8bit):	3.2516291673878226
Encrypted:	false
SSDEEP:	3:TgLxl:TgLj
MD5:	E4B87097E4B36E14500B9CE57C45EA25
SHA1:	DE3D58C12CA45D58E41455D0B693AF835D7F7361
SHA-256:	7AD8A46FA4EADA251D0628721EEA0DE6EA917EC6B820146172179FFA68FC44A8
SHA-512:	53CD8469E5F84281D446318E05BBA7B4A0D93FBF7567B663E875E9BBE95453E83E1C233140DBEBFC50C64F981CF1C007A1A573C508AE676BBE78F07C38DA4D43
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/.i.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.981094611090621
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	.i.elf
File size:	84'960 bytes
MD5:	4e6cf38ca04c64bbbc0de39518340fa3
SHA1:	b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256:	a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
SHA512:	aae55dffe4e5a803d0b392202581f6ffa6c78dc84afcd092b847cf218020c6146959bc522485a2ee2d3dc031bd1b63fac801fc89b6b3efbd357eb2b4a261d27d
SSDEEP:	1536:m3LqE6rUQWzVQR7iAGEcUT5PIi7pLqBNs4LOjcwf4nB6XuzGNy+iSc7tNUZN:mOE6PWo1T5bz4LVMXuzVNScWN
TLSH:	438312CFA4598B66EC79CDF809DB59004D46621E738B75EF630C959C6038B862C8E92F
File Content Preview:	.ELF.................... /..4...........4. ...(......................A...A....................G...G...................}l........................_..........?.E.h;....#....3.FR..gcpC....2.*..]8v. .....'..pw...rW.U.S.....(.\|W.H..?#.$0......m.r...U....:...&..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x112f20
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x14195	0x14195	7.9807	0x5	R E	0x10000
LOAD	0xa5a0	0x47a5a0	0x47a5a0	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2025 04:10:15.952626944 CEST	33246	53	192.168.2.13	1.1.1.1
Apr 19, 2025 04:10:16.056447029 CEST	53	33246	1.1.1.1	192.168.2.13
Apr 19, 2025 04:10:16.057236910 CEST	11002	6881	192.168.2.13	82.221.103.244
Apr 19, 2025 04:10:16.060806036 CEST	45541	53	192.168.2.13	1.1.1.1
Apr 19, 2025 04:10:16.165128946 CEST	53	45541	1.1.1.1	192.168.2.13
Apr 19, 2025 04:10:16.165416956 CEST	11002	6881	192.168.2.13	67.215.246.10
Apr 19, 2025 04:10:16.316452980 CEST	6881	11002	67.215.246.10	192.168.2.13
Apr 19, 2025 04:10:28.821393013 CEST	11002	6881	192.168.2.13	67.215.246.10
Apr 19, 2025 04:10:28.972541094 CEST	6881	11002	67.215.246.10	192.168.2.13
Apr 19, 2025 04:10:28.973229885 CEST	11002	4093	192.168.2.13	79.140.117.203
Apr 19, 2025 04:10:28.973470926 CEST	11002	26761	192.168.2.13	5.3.252.254
Apr 19, 2025 04:10:36.817925930 CEST	11002	27542	192.168.2.13	77.172.35.225
Apr 19, 2025 04:10:56.836416960 CEST	11002	12423	192.168.2.13	14.192.214.208
Apr 19, 2025 04:11:06.829751968 CEST	11002	27542	192.168.2.13	77.172.35.225
Apr 19, 2025 04:11:11.824273109 CEST	11002	6881	192.168.2.13	82.221.103.244
Apr 19, 2025 04:11:11.827050924 CEST	11002	6881	192.168.2.13	67.215.246.10
Apr 19, 2025 04:11:11.978363037 CEST	6881	11002	67.215.246.10	192.168.2.13
Apr 19, 2025 04:11:13.837199926 CEST	11002	6881	192.168.2.13	80.11.235.118
Apr 19, 2025 04:11:13.837557077 CEST	11002	37746	192.168.2.13	181.42.46.105
Apr 19, 2025 04:11:13.837620020 CEST	11002	45956	192.168.2.13	190.193.152.141
Apr 19, 2025 04:11:14.102586031 CEST	45956	11002	190.193.152.141	192.168.2.13
Apr 19, 2025 04:11:14.103755951 CEST	11002	26761	192.168.2.13	5.3.252.254
Apr 19, 2025 04:11:14.103993893 CEST	11002	55604	192.168.2.13	190.240.69.24
Apr 19, 2025 04:11:14.104041100 CEST	11002	37982	192.168.2.13	189.139.172.241
Apr 19, 2025 04:11:14.104155064 CEST	11002	53324	192.168.2.13	103.199.205.126
Apr 19, 2025 04:11:14.104362965 CEST	11002	55604	192.168.2.13	190.240.69.24
Apr 19, 2025 04:11:14.269282103 CEST	37746	11002	181.42.46.105	192.168.2.13
Apr 19, 2025 04:11:14.269747019 CEST	11002	12999	192.168.2.13	177.52.82.94
Apr 19, 2025 04:11:14.353575945 CEST	37982	11002	189.139.172.241	192.168.2.13
Apr 19, 2025 04:11:22.807239056 CEST	55604	11002	190.240.69.24	192.168.2.13
Apr 19, 2025 04:11:22.811876059 CEST	55604	11002	190.240.69.24	192.168.2.13
Apr 19, 2025 04:11:22.812293053 CEST	11002	25324	192.168.2.13	117.24.165.173
Apr 19, 2025 04:11:23.177470922 CEST	25324	11002	117.24.165.173	192.168.2.13
Apr 19, 2025 04:11:23.177874088 CEST	11002	36141	192.168.2.13	117.24.165.65
Apr 19, 2025 04:11:23.541089058 CEST	36141	11002	117.24.165.65	192.168.2.13
Apr 19, 2025 04:11:23.541846037 CEST	11002	33676	192.168.2.13	124.91.148.108
Apr 19, 2025 04:11:23.858941078 CEST	33676	11002	124.91.148.108	192.168.2.13
Apr 19, 2025 04:11:23.859200954 CEST	11002	12298	192.168.2.13	119.34.160.228
Apr 19, 2025 04:11:24.225239992 CEST	12298	11002	119.34.160.228	192.168.2.13
Apr 19, 2025 04:11:24.225754976 CEST	11002	6887	192.168.2.13	58.241.139.153
Apr 19, 2025 04:11:24.561433077 CEST	6887	11002	58.241.139.153	192.168.2.13
Apr 19, 2025 04:11:24.561995983 CEST	11002	55642	192.168.2.13	2.103.108.201
Apr 19, 2025 04:11:24.779799938 CEST	55642	11002	2.103.108.201	192.168.2.13
Apr 19, 2025 04:11:24.780297995 CEST	11002	27596	192.168.2.13	81.101.129.89
Apr 19, 2025 04:11:24.999911070 CEST	27596	11002	81.101.129.89	192.168.2.13
Apr 19, 2025 04:11:25.000396967 CEST	11002	11018	192.168.2.13	112.118.83.13
Apr 19, 2025 04:11:25.291387081 CEST	11018	11002	112.118.83.13	192.168.2.13
Apr 19, 2025 04:11:25.291934967 CEST	11002	6881	192.168.2.13	148.71.121.183
Apr 19, 2025 04:11:25.513098001 CEST	6881	11002	148.71.121.183	192.168.2.13
Apr 19, 2025 04:11:25.513509035 CEST	11002	23759	192.168.2.13	178.247.145.191
Apr 19, 2025 04:11:25.895029068 CEST	23759	11002	178.247.145.191	192.168.2.13
Apr 19, 2025 04:11:25.895442963 CEST	11002	6881	192.168.2.13	188.255.55.114
Apr 19, 2025 04:11:26.117170095 CEST	6881	11002	188.255.55.114	192.168.2.13
Apr 19, 2025 04:11:26.118089914 CEST	11002	62788	192.168.2.13	109.94.85.146
Apr 19, 2025 04:11:26.366674900 CEST	62788	11002	109.94.85.146	192.168.2.13
Apr 19, 2025 04:11:26.367181063 CEST	11002	5889	192.168.2.13	91.192.20.140
Apr 19, 2025 04:11:26.610910892 CEST	5889	11002	91.192.20.140	192.168.2.13
Apr 19, 2025 04:11:26.611325979 CEST	11002	33231	192.168.2.13	211.48.88.198
Apr 19, 2025 04:11:26.891079903 CEST	33231	11002	211.48.88.198	192.168.2.13
Apr 19, 2025 04:11:26.891633034 CEST	11002	4609	192.168.2.13	78.85.4.135
Apr 19, 2025 04:11:27.150685072 CEST	4609	11002	78.85.4.135	192.168.2.13
Apr 19, 2025 04:11:27.151371956 CEST	11002	22535	192.168.2.13	213.94.41.136
Apr 19, 2025 04:11:27.387276888 CEST	22535	11002	213.94.41.136	192.168.2.13
Apr 19, 2025 04:11:27.387873888 CEST	11002	26584	192.168.2.13	41.193.87.152
Apr 19, 2025 04:11:27.704854965 CEST	26584	11002	41.193.87.152	192.168.2.13
Apr 19, 2025 04:11:27.705176115 CEST	11002	51145	192.168.2.13	201.188.189.46
Apr 19, 2025 04:11:27.828964949 CEST	11002	1313	192.168.2.13	195.98.68.52
Apr 19, 2025 04:11:27.994362116 CEST	51145	11002	201.188.189.46	192.168.2.13
Apr 19, 2025 04:11:27.994707108 CEST	11002	6881	192.168.2.13	80.11.235.118
Apr 19, 2025 04:11:27.994816065 CEST	11002	25921	192.168.2.13	91.175.39.237
Apr 19, 2025 04:11:28.206842899 CEST	25921	11002	91.175.39.237	192.168.2.13
Apr 19, 2025 04:11:28.207190990 CEST	11002	1797	192.168.2.13	91.239.227.43
Apr 19, 2025 04:11:28.496103048 CEST	1797	11002	91.239.227.43	192.168.2.13
Apr 19, 2025 04:11:28.496565104 CEST	11002	61706	192.168.2.13	99.240.197.244
Apr 19, 2025 04:11:28.653723001 CEST	61706	11002	99.240.197.244	192.168.2.13
Apr 19, 2025 04:11:28.654252052 CEST	11002	8983	192.168.2.13	45.238.183.98
Apr 19, 2025 04:11:28.855885983 CEST	8983	11002	45.238.183.98	192.168.2.13
Apr 19, 2025 04:11:28.856153965 CEST	11002	1793	192.168.2.13	79.177.128.82
Apr 19, 2025 04:11:29.821762085 CEST	11002	54102	192.168.2.13	68.226.67.22
Apr 19, 2025 04:11:29.997320890 CEST	54102	11002	68.226.67.22	192.168.2.13
Apr 19, 2025 04:11:29.997514963 CEST	11002	50639	192.168.2.13	190.56.32.232
Apr 19, 2025 04:11:29.997525930 CEST	11002	27542	192.168.2.13	77.172.35.225
Apr 19, 2025 04:11:29.997555971 CEST	11002	47204	192.168.2.13	98.209.107.208
Apr 19, 2025 04:11:29.997566938 CEST	11002	12423	192.168.2.13	14.192.214.208
Apr 19, 2025 04:11:29.997575998 CEST	11002	56521	192.168.2.13	90.201.53.148
Apr 19, 2025 04:11:29.997658014 CEST	11002	6881	192.168.2.13	82.39.237.234
Apr 19, 2025 04:11:29.997658014 CEST	11002	4093	192.168.2.13	79.140.117.203
Apr 19, 2025 04:11:30.222234964 CEST	6881	11002	82.39.237.234	192.168.2.13
Apr 19, 2025 04:11:30.263525963 CEST	47204	11002	98.209.107.208	192.168.2.13
Apr 19, 2025 04:11:30.330301046 CEST	56521	11002	90.201.53.148	192.168.2.13
Apr 19, 2025 04:11:30.835170984 CEST	11002	1313	192.168.2.13	195.98.68.52
Apr 19, 2025 04:11:30.879590988 CEST	55604	11002	190.240.69.24	192.168.2.13
Apr 19, 2025 04:11:30.883054018 CEST	11002	55604	192.168.2.13	190.240.69.24
Apr 19, 2025 04:11:31.828768969 CEST	11002	20550	192.168.2.13	83.222.166.141
Apr 19, 2025 04:11:31.828769922 CEST	11002	6881	192.168.2.13	213.80.212.27
Apr 19, 2025 04:11:31.828768969 CEST	11002	6881	192.168.2.13	54.70.174.84
Apr 19, 2025 04:11:33.303220987 CEST	6881	11002	54.70.174.84	192.168.2.13
Apr 19, 2025 04:11:33.303652048 CEST	11002	26761	192.168.2.13	5.3.252.254
Apr 19, 2025 04:11:33.303708076 CEST	11002	16495	192.168.2.13	199.45.219.152
Apr 19, 2025 04:11:33.420347929 CEST	16495	11002	199.45.219.152	192.168.2.13
Apr 19, 2025 04:11:33.420659065 CEST	11002	53324	192.168.2.13	103.199.205.126
Apr 19, 2025 04:11:33.420892000 CEST	11002	23860	192.168.2.13	179.96.135.23
Apr 19, 2025 04:11:33.829616070 CEST	53324	11002	103.199.205.126	192.168.2.13
Apr 19, 2025 04:11:34.966257095 CEST	37982	11002	189.139.172.241	192.168.2.13
Apr 19, 2025 04:11:34.966557980 CEST	11002	37982	192.168.2.13	189.139.172.241
Apr 19, 2025 04:11:39.823450089 CEST	11002	36939	192.168.2.13	92.16.182.203
Apr 19, 2025 04:11:42.826087952 CEST	11002	36939	192.168.2.13	92.16.182.203
Apr 19, 2025 04:11:47.825993061 CEST	11002	56521	192.168.2.13	90.201.53.148
Apr 19, 2025 04:11:48.148854971 CEST	56521	11002	90.201.53.148	192.168.2.13
Apr 19, 2025 04:11:48.149305105 CEST	11002	50000	192.168.2.13	144.76.166.157
Apr 19, 2025 04:11:48.149307013 CEST	11002	50639	192.168.2.13	190.56.32.232
Apr 19, 2025 04:11:48.149347067 CEST	11002	12423	192.168.2.13	14.192.214.208
Apr 19, 2025 04:11:48.149348021 CEST	11002	4093	192.168.2.13	79.140.117.203
Apr 19, 2025 04:11:48.357132912 CEST	50000	11002	144.76.166.157	192.168.2.13
Apr 19, 2025 04:11:50.836604118 CEST	11002	6881	192.168.2.13	213.80.212.27
Apr 19, 2025 04:11:50.836613894 CEST	11002	47778	192.168.2.13	189.129.211.64
Apr 19, 2025 04:11:50.836621046 CEST	11002	1642	192.168.2.13	187.190.166.141
Apr 19, 2025 04:11:51.824296951 CEST	11002	63259	192.168.2.13	198.162.193.189
Apr 19, 2025 04:11:54.842845917 CEST	11002	63259	192.168.2.13	198.162.193.189
Apr 19, 2025 04:11:55.828182936 CEST	11002	50000	192.168.2.13	144.76.166.157
Apr 19, 2025 04:11:56.036103010 CEST	50000	11002	144.76.166.157	192.168.2.13
Apr 19, 2025 04:12:03.828242064 CEST	11002	3476	192.168.2.13	177.52.48.235
Apr 19, 2025 04:12:06.832129955 CEST	11002	3476	192.168.2.13	177.52.48.235
Apr 19, 2025 04:12:07.818834066 CEST	11002	47778	192.168.2.13	189.129.211.64
Apr 19, 2025 04:12:07.818833113 CEST	11002	1642	192.168.2.13	187.190.166.141
Apr 19, 2025 04:12:07.818840027 CEST	11002	6881	192.168.2.13	213.80.212.27
Apr 19, 2025 04:12:07.818881035 CEST	11002	12423	192.168.2.13	14.192.214.208
Apr 19, 2025 04:12:07.818963051 CEST	11002	6881	192.168.2.13	82.50.89.36
Apr 19, 2025 04:12:13.833345890 CEST	11002	4093	192.168.2.13	79.140.117.203
Apr 19, 2025 04:12:15.825669050 CEST	11002	35216	192.168.2.13	188.2.115.47
Apr 19, 2025 04:12:18.827795982 CEST	11002	35216	192.168.2.13	188.2.115.47
Apr 19, 2025 04:12:24.830338955 CEST	11002	47778	192.168.2.13	189.129.211.64
Apr 19, 2025 04:12:24.830424070 CEST	11002	1642	192.168.2.13	187.190.166.141
Apr 19, 2025 04:12:24.830449104 CEST	11002	6881	192.168.2.13	54.70.174.84
Apr 19, 2025 04:12:25.011116028 CEST	6881	11002	54.70.174.84	192.168.2.13
Apr 19, 2025 04:12:25.011698008 CEST	11002	23860	192.168.2.13	179.96.135.23
Apr 19, 2025 04:12:27.831864119 CEST	11002	50118	192.168.2.13	188.65.232.39
Apr 19, 2025 04:12:30.850469112 CEST	11002	50118	192.168.2.13	188.65.232.39
Apr 19, 2025 04:12:35.827383041 CEST	11002	4093	192.168.2.13	79.140.117.203
Apr 19, 2025 04:12:39.834692001 CEST	11002	42399	192.168.2.13	2.183.108.235
Apr 19, 2025 04:12:42.836419106 CEST	11002	42399	192.168.2.13	2.183.108.235
Apr 19, 2025 04:12:46.824215889 CEST	11002	6881	192.168.2.13	54.70.174.84
Apr 19, 2025 04:12:46.824273109 CEST	11002	20550	192.168.2.13	83.222.166.141
Apr 19, 2025 04:12:46.824321985 CEST	11002	6881	192.168.2.13	190.101.84.250
Apr 19, 2025 04:12:47.010868073 CEST	6881	11002	54.70.174.84	192.168.2.13
Apr 19, 2025 04:12:47.011132002 CEST	11002	23860	192.168.2.13	179.96.135.23
Apr 19, 2025 04:12:51.827801943 CEST	11002	26359	192.168.2.13	176.226.202.11
Apr 19, 2025 04:12:53.822525978 CEST	11002	50000	192.168.2.13	144.76.166.157
Apr 19, 2025 04:12:54.030244112 CEST	50000	11002	144.76.166.157	192.168.2.13
Apr 19, 2025 04:12:54.030464888 CEST	11002	50639	192.168.2.13	190.56.32.232
Apr 19, 2025 04:12:54.030491114 CEST	11002	7777	192.168.2.13	113.148.125.188
Apr 19, 2025 04:12:54.030530930 CEST	11002	51413	192.168.2.13	91.121.7.132
Apr 19, 2025 04:12:54.228950977 CEST	51413	11002	91.121.7.132	192.168.2.13
Apr 19, 2025 04:12:54.287508965 CEST	7777	11002	113.148.125.188	192.168.2.13
Apr 19, 2025 04:12:54.831908941 CEST	11002	26359	192.168.2.13	176.226.202.11
Apr 19, 2025 04:12:57.534353971 CEST	54539	53	192.168.2.13	1.1.1.1
Apr 19, 2025 04:12:57.534353971 CEST	51935	53	192.168.2.13	1.1.1.1
Apr 19, 2025 04:12:57.639065981 CEST	53	54539	1.1.1.1	192.168.2.13
Apr 19, 2025 04:12:57.665714025 CEST	53	51935	1.1.1.1	192.168.2.13
Apr 19, 2025 04:13:03.817977905 CEST	11002	38004	192.168.2.13	79.190.191.74
Apr 19, 2025 04:13:03.817981005 CEST	11002	54102	192.168.2.13	68.226.67.22
Apr 19, 2025 04:13:03.978985071 CEST	54102	11002	68.226.67.22	192.168.2.13
Apr 19, 2025 04:13:04.822791100 CEST	11002	53262	192.168.2.13	94.68.18.162
Apr 19, 2025 04:13:04.822792053 CEST	11002	20550	192.168.2.13	83.222.166.141
Apr 19, 2025 04:13:04.822793007 CEST	11002	6881	192.168.2.13	190.101.84.250
Apr 19, 2025 04:13:06.830307007 CEST	11002	38004	192.168.2.13	79.190.191.74
Apr 19, 2025 04:13:15.834472895 CEST	11002	4124	192.168.2.13	189.196.45.102
Apr 19, 2025 04:13:18.836452007 CEST	11002	4124	192.168.2.13	189.196.45.102
Apr 19, 2025 04:13:20.835269928 CEST	11002	6881	192.168.2.13	190.101.84.250
Apr 19, 2025 04:13:20.835319996 CEST	11002	53262	192.168.2.13	94.68.18.162
Apr 19, 2025 04:13:20.835371017 CEST	11002	6026	192.168.2.13	31.60.104.7
Apr 19, 2025 04:13:27.836966991 CEST	11002	7777	192.168.2.13	113.148.125.188
Apr 19, 2025 04:13:27.837249994 CEST	11002	35380	192.168.2.13	113.26.87.94
Apr 19, 2025 04:13:28.094536066 CEST	7777	11002	113.148.125.188	192.168.2.13
Apr 19, 2025 04:13:28.094922066 CEST	11002	6881	192.168.2.13	113.89.244.83
Apr 19, 2025 04:13:30.849471092 CEST	11002	35380	192.168.2.13	113.26.87.94
Apr 19, 2025 04:13:39.829931021 CEST	11002	46886	192.168.2.13	79.185.46.91
Apr 19, 2025 04:13:41.821784019 CEST	11002	53262	192.168.2.13	94.68.18.162
Apr 19, 2025 04:13:41.821801901 CEST	11002	6026	192.168.2.13	31.60.104.7
Apr 19, 2025 04:13:41.821810961 CEST	11002	40736	192.168.2.13	175.204.168.7
Apr 19, 2025 04:13:42.100171089 CEST	40736	11002	175.204.168.7	192.168.2.13
Apr 19, 2025 04:13:42.100569963 CEST	11002	6881	192.168.2.13	80.11.235.118
Apr 19, 2025 04:13:42.101239920 CEST	11002	63949	192.168.2.13	144.217.181.115
Apr 19, 2025 04:13:42.282850027 CEST	63949	11002	144.217.181.115	192.168.2.13
Apr 19, 2025 04:13:42.283056021 CEST	11002	17207	192.168.2.13	222.187.254.73
Apr 19, 2025 04:13:42.667357922 CEST	17207	11002	222.187.254.73	192.168.2.13
Apr 19, 2025 04:13:42.667530060 CEST	11002	6992	192.168.2.13	54.77.218.23
Apr 19, 2025 04:13:42.848156929 CEST	11002	46886	192.168.2.13	79.185.46.91
Apr 19, 2025 04:13:42.885468960 CEST	6992	11002	54.77.218.23	192.168.2.13
Apr 19, 2025 04:13:42.885575056 CEST	11002	11159	192.168.2.13	106.14.195.230

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 19, 2025 04:10:37.021043062 CEST	77.172.35.225	192.168.2.13	cd88	(Unknown)	Destination Unreachable
Apr 19, 2025 04:11:07.033250093 CEST	77.172.35.225	192.168.2.13	2f89	(Unknown)	Destination Unreachable
Apr 19, 2025 04:11:28.076100111 CEST	195.98.68.52	192.168.2.13	c780	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:11:30.199826956 CEST	77.172.35.225	192.168.2.13	5252	(Unknown)	Destination Unreachable
Apr 19, 2025 04:11:31.082314968 CEST	195.98.68.52	192.168.2.13	c780	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:11:51.981739998 CEST	198.162.193.189	192.168.2.13	484a	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:11:54.983516932 CEST	198.162.193.189	192.168.2.13	484a	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:12:04.063796043 CEST	177.52.48.235	192.168.2.13	a209	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:12:07.068116903 CEST	177.52.48.235	192.168.2.13	a209	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:12:40.139062881 CEST	2.183.108.235	192.168.2.13	2f8c	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:12:43.138067007 CEST	2.183.108.235	192.168.2.13	2f8c	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:13:04.071635008 CEST	79.190.191.74	192.168.2.13	cef2	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:13:07.084460020 CEST	79.190.191.74	192.168.2.13	cef2	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:13:15.994328022 CEST	189.196.45.102	192.168.2.13	ab14	(Port unreachable)	Destination Unreachable
Apr 19, 2025 04:13:18.996287107 CEST	189.196.45.102	192.168.2.13	ab14	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2025 04:10:15.952626944 CEST	192.168.2.13	1.1.1.1	0x6737	Standard query (0)	router.utorrent.com	A (IP address)	IN (0x0001)	false
Apr 19, 2025 04:10:16.060806036 CEST	192.168.2.13	1.1.1.1	0x3d33	Standard query (0)	router.bittorrent.com	A (IP address)	IN (0x0001)	false
Apr 19, 2025 04:12:57.534353971 CEST	192.168.2.13	1.1.1.1	0xe0c0	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Apr 19, 2025 04:12:57.534353971 CEST	192.168.2.13	1.1.1.1	0x9712	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 19, 2025 04:10:16.056447029 CEST	1.1.1.1	192.168.2.13	0x6737	No error (0)	router.utorrent.com	82.221.103.244	A (IP address)	IN (0x0001)	false
Apr 19, 2025 04:10:16.165128946 CEST	1.1.1.1	192.168.2.13	0x3d33	No error (0)	router.bittorrent.com	67.215.246.10	A (IP address)	IN (0x0001)	false
Apr 19, 2025 04:12:57.639065981 CEST	1.1.1.1	192.168.2.13	0xe0c0	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Apr 19, 2025 04:12:57.639065981 CEST	1.1.1.1	192.168.2.13	0xe0c0	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: .i.elf PID: 5414, Parent PID: 5337

General

Start time (UTC):	02:10:10
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	/tmp/.i.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

File Activities

File Opened

File Read

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: .i.elf PID: 5416, Parent PID: 5414

General

Start time (UTC):	02:10:10
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

File Activities

File Opened

File Deleted

File Read

File Written

Directory Enumerated

Directory Created

Directory Deleted

Process Activities

Process Forked

Prctl Requested

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: .i.elf PID: 5418, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5418, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5424, Parent PID: 5418

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5424, Parent PID: 5418

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -A INPUT -p tcp --destination-port 23 -j DROP
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: .i.elf PID: 5430, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5430, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5435, Parent PID: 5430

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5435, Parent PID: 5430

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -A INPUT -p tcp --destination-port 7547 -j DROP
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: .i.elf PID: 5436, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5436, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5441, Parent PID: 5436

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5441, Parent PID: 5436

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -A INPUT -p tcp --destination-port 5555 -j DROP
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: .i.elf PID: 5442, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5442, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5447, Parent PID: 5442

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5447, Parent PID: 5442

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -A INPUT -p tcp --destination-port 5358 -j DROP
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: .i.elf PID: 5450, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5450, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -D INPUT -j CWMP_CR"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5455, Parent PID: 5450

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5455, Parent PID: 5450

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -D INPUT -j CWMP_CR
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: .i.elf PID: 5456, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5456, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -X CWMP_CR"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5461, Parent PID: 5456

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5461, Parent PID: 5456

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -X CWMP_CR
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: .i.elf PID: 5462, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/tmp/.i.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Overlayed (Exec)

Thread Sleep

Chronological Activities

Analysis Process: sh PID: 5462, Parent PID: 5416

General

Start time (UTC):	02:10:14
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5467, Parent PID: 5462

General

Start time (UTC):	02:10:15
Start date (UTC):	19/04/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: iptables PID: 5467, Parent PID: 5462

General

Start time (UTC):	02:10:15
Start date (UTC):	19/04/2025
Path:	/usr/sbin/iptables
Arguments:	iptables -I INPUT -p udp --dport 11002 -j ACCEPT
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

Source: .i.elf	Virustotal: Detection: 53%			Perma Link
Source: .i.elf	ReversingLabs: Detection: 50%

Source: /bin/sh (PID: 5424)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.221.103.244:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 67.215.246.10:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.140.117.203:4093
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 5.3.252.254:26761
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 77.172.35.225:27542
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 14.192.214.208:12423
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 80.11.235.118:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 181.42.46.105:37746
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.193.152.141:45956
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.240.69.24:55604
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.139.172.241:37982
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 103.199.205.126:53324
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 177.52.82.94:12999
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 117.24.165.173:25324
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 117.24.165.65:36141
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 124.91.148.108:33676
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 119.34.160.228:12298
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 58.241.139.153:6887
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 2.103.108.201:55642
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 81.101.129.89:27596
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 112.118.83.13:11018
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 148.71.121.183:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 178.247.145.191:23759
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.255.55.114:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 109.94.85.146:62788
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.192.20.140:5889
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 211.48.88.198:33231
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 78.85.4.135:4609
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 213.94.41.136:22535
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 41.193.87.152:26584
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 201.188.189.46:51145
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 195.98.68.52:1313
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.175.39.237:25921
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.239.227.43:1797
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 99.240.197.244:61706
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 45.238.183.98:8983
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.177.128.82:1793
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 68.226.67.22:54102
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.56.32.232:50639
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 98.209.107.208:47204
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 90.201.53.148:56521
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.39.237.234:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 83.222.166.141:20550
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 213.80.212.27:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 54.70.174.84:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 199.45.219.152:16495
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 179.96.135.23:23860
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 92.16.182.203:36939
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 144.76.166.157:50000
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.129.211.64:47778
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 187.190.166.141:1642
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 198.162.193.189:63259
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 177.52.48.235:3476
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.50.89.36:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.2.115.47:35216
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.65.232.39:50118
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 2.183.108.235:42399
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.101.84.250:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 176.226.202.11:26359
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.148.125.188:7777
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.121.7.132:51413
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.190.191.74:38004
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 94.68.18.162:53262
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.196.45.102:4124
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 31.60.104.7:6026
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.26.87.94:35380
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.89.244.83:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.185.46.91:46886
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 175.204.168.7:40736
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 144.217.181.115:63949
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 222.187.254.73:17207
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 54.77.218.23:6992
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 106.14.195.230:11159

Source: /bin/sh (PID: 5424)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 79.140.117.203
Source: unknown	UDP traffic detected without corresponding DNS query: 5.3.252.254
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 14.192.214.208
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 80.11.235.118
Source: unknown	UDP traffic detected without corresponding DNS query: 181.42.46.105
Source: unknown	UDP traffic detected without corresponding DNS query: 190.193.152.141
Source: unknown	UDP traffic detected without corresponding DNS query: 5.3.252.254
Source: unknown	UDP traffic detected without corresponding DNS query: 190.240.69.24
Source: unknown	UDP traffic detected without corresponding DNS query: 189.139.172.241
Source: unknown	UDP traffic detected without corresponding DNS query: 103.199.205.126
Source: unknown	UDP traffic detected without corresponding DNS query: 190.240.69.24
Source: unknown	UDP traffic detected without corresponding DNS query: 177.52.82.94
Source: unknown	UDP traffic detected without corresponding DNS query: 117.24.165.173
Source: unknown	UDP traffic detected without corresponding DNS query: 117.24.165.65
Source: unknown	UDP traffic detected without corresponding DNS query: 124.91.148.108
Source: unknown	UDP traffic detected without corresponding DNS query: 119.34.160.228
Source: unknown	UDP traffic detected without corresponding DNS query: 58.241.139.153
Source: unknown	UDP traffic detected without corresponding DNS query: 2.103.108.201
Source: unknown	UDP traffic detected without corresponding DNS query: 81.101.129.89
Source: unknown	UDP traffic detected without corresponding DNS query: 112.118.83.13
Source: unknown	UDP traffic detected without corresponding DNS query: 148.71.121.183
Source: unknown	UDP traffic detected without corresponding DNS query: 178.247.145.191
Source: unknown	UDP traffic detected without corresponding DNS query: 188.255.55.114
Source: unknown	UDP traffic detected without corresponding DNS query: 109.94.85.146
Source: unknown	UDP traffic detected without corresponding DNS query: 91.192.20.140
Source: unknown	UDP traffic detected without corresponding DNS query: 211.48.88.198
Source: unknown	UDP traffic detected without corresponding DNS query: 78.85.4.135
Source: unknown	UDP traffic detected without corresponding DNS query: 213.94.41.136
Source: unknown	UDP traffic detected without corresponding DNS query: 41.193.87.152
Source: unknown	UDP traffic detected without corresponding DNS query: 201.188.189.46
Source: unknown	UDP traffic detected without corresponding DNS query: 195.98.68.52
Source: unknown	UDP traffic detected without corresponding DNS query: 80.11.235.118
Source: unknown	UDP traffic detected without corresponding DNS query: 91.175.39.237
Source: unknown	UDP traffic detected without corresponding DNS query: 91.239.227.43
Source: unknown	UDP traffic detected without corresponding DNS query: 99.240.197.244
Source: unknown	UDP traffic detected without corresponding DNS query: 45.238.183.98
Source: unknown	UDP traffic detected without corresponding DNS query: 79.177.128.82
Source: unknown	UDP traffic detected without corresponding DNS query: 68.226.67.22
Source: unknown	UDP traffic detected without corresponding DNS query: 190.56.32.232
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 98.209.107.208
Source: unknown	UDP traffic detected without corresponding DNS query: 14.192.214.208
Source: unknown	UDP traffic detected without corresponding DNS query: 90.201.53.148
Source: unknown	UDP traffic detected without corresponding DNS query: 82.39.237.234
Source: unknown	UDP traffic detected without corresponding DNS query: 79.140.117.203
Source: unknown	UDP traffic detected without corresponding DNS query: 195.98.68.52

Source: global traffic	DNS traffic detected: DNS query: router.utorrent.com
Source: global traffic	DNS traffic detected: DNS query: router.bittorrent.com
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/914/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3095/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1588/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1906/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/802/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/803/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3420/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1482/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/490/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1480/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/255/cmdline	Jump to behavior

Source: /tmp/.i.elf (PID: 5418)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5430)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5436)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5442)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5450)	Shell command executed: sh -c "iptables -D INPUT -j CWMP_CR"	Jump to behavior
Source: /tmp/.i.elf (PID: 5456)	Shell command executed: sh -c "iptables -X CWMP_CR"	Jump to behavior
Source: /tmp/.i.elf (PID: 5462)	Shell command executed: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"	Jump to behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report .i.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.FTTWRK (deleted)

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: .i.elf PID: 5414, Parent PID: 5337

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: .i.elf PID: 5416, Parent PID: 5414

General

Linux Analysis Report
.i.elf