Play interactive tour

Edit tour

Linux Analysis Report Rpl2Twyrts

Overview

General Information

Sample Name:	Rpl2Twyrts
Analysis ID:	507421
MD5:	4635e3761f10a21d01fec0df9fa36e2f
SHA1:	a33d4b91fc25603b0ed98b17381f6a6e017f6c32
SHA256:	91ccea41a26fce7feab89f9b17c889b9f7c37f29b5b5a9390a7d3f2990f43cfa
Tags:	32elfmipsmirai
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	507421
Start date:	22.10.2021
Start time:	08:36:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Rpl2Twyrts
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.spre.troj.lin@0/2@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

Rpl2Twyrts (PID: 5246, Parent: 5121, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/Rpl2Twyrts

Rpl2Twyrts New Fork (PID: 5248, Parent: 5246)

Rpl2Twyrts New Fork (PID: 5249, Parent: 5246)

Rpl2Twyrts New Fork (PID: 5252, Parent: 5246)

Rpl2Twyrts New Fork (PID: 5254, Parent: 5252)

Rpl2Twyrts New Fork (PID: 5255, Parent: 5252)

Rpl2Twyrts New Fork (PID: 5257, Parent: 5252)

systemd New Fork (PID: 5287, Parent: 1)

sshd (PID: 5287, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5290, Parent: 1)

sshd (PID: 5290, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Rpl2Twyrts	Virustotal: Detection: 50%			Perma Link
Source: Rpl2Twyrts	ReversingLabs: Detection: 53%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33338
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33338
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.218.14.34:23 -> 192.168.2.23:41338
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34618
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34618
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.218.14.34:23 -> 192.168.2.23:41376
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 92.34.49.134: -> 192.168.2.23:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34686
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34686
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43666
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43694
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43696
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43730
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34742
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34742
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43736
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43746
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43752
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33544
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33544
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43762
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:34908
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43772
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43782
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34832
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34832
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:41952
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:41952
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:34954
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34874
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34874
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42000
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42000
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35004
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35022
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43856
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34940
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34940
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33688
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33688
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42056
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42056
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43856
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35044
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43872
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:51930
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:51930
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.118.117.166:23 -> 192.168.2.23:59234
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34968
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34968
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35074
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 111.118.117.166:23 -> 192.168.2.23:59234
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 111.118.117.166:23 -> 192.168.2.23:59234
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42094
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43872
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43920
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:51964
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:51964
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:35000
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:35000
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.118.117.166:23 -> 192.168.2.23:59358
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35152
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43920
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53378
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42210
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42210
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 111.118.117.166:23 -> 192.168.2.23:59358
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 111.118.117.166:23 -> 192.168.2.23:59358
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.190.249.90:23 -> 192.168.2.23:53378
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:44042
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:52076
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:52076
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53420
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:35136
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:35136
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.190.249.90:23 -> 192.168.2.23:53420
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:44042
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33888
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33888
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 181.114.224.143:23 -> 192.168.2.23:60320
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 181.114.224.143:23 -> 192.168.2.23:60320
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35240
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53434
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.118.117.166:23 -> 192.168.2.23:59424
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 121.190.249.90:23 -> 192.168.2.23:53434
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42274
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42274
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53446
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:52138
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:52138

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47728
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47732
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47744
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47754
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47760
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47764
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47770
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47778

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: global traffic

TCP traffic: 192.168.2.23:44200 -> 176.126.175.188:1312

Source: /tmp/Rpl2Twyrts (PID: 5248)	Socket: 0.0.0.0::0
Source: /tmp/Rpl2Twyrts (PID: 5248)	Socket: 0.0.0.0::23
Source: /tmp/Rpl2Twyrts (PID: 5248)	Socket: 0.0.0.0::53413
Source: /tmp/Rpl2Twyrts (PID: 5248)	Socket: 0.0.0.0::80
Source: /tmp/Rpl2Twyrts (PID: 5248)	Socket: 0.0.0.0::52869
Source: /tmp/Rpl2Twyrts (PID: 5248)	Socket: 0.0.0.0::37215
Source: /tmp/Rpl2Twyrts (PID: 5254)	Socket: 0.0.0.0::0
Source: /tmp/Rpl2Twyrts (PID: 5254)	Socket: 0.0.0.0::23
Source: /tmp/Rpl2Twyrts (PID: 5254)	Socket: 0.0.0.0::53413
Source: /tmp/Rpl2Twyrts (PID: 5254)	Socket: 0.0.0.0::80
Source: /tmp/Rpl2Twyrts (PID: 5254)	Socket: 0.0.0.0::52869
Source: /tmp/Rpl2Twyrts (PID: 5254)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5290)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5290)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.126.175.188
Source: unknown	TCP traffic detected without corresponding DNS query: 99.22.166.11
Source: unknown	TCP traffic detected without corresponding DNS query: 63.165.84.11
Source: unknown	TCP traffic detected without corresponding DNS query: 223.195.0.116
Source: unknown	TCP traffic detected without corresponding DNS query: 35.118.13.8
Source: unknown	TCP traffic detected without corresponding DNS query: 149.182.9.19
Source: unknown	TCP traffic detected without corresponding DNS query: 24.8.223.69
Source: unknown	TCP traffic detected without corresponding DNS query: 182.145.206.142
Source: unknown	TCP traffic detected without corresponding DNS query: 9.67.65.67
Source: unknown	TCP traffic detected without corresponding DNS query: 240.16.115.86
Source: unknown	TCP traffic detected without corresponding DNS query: 12.43.212.21
Source: unknown	TCP traffic detected without corresponding DNS query: 108.55.127.139
Source: unknown	TCP traffic detected without corresponding DNS query: 201.247.47.135
Source: unknown	TCP traffic detected without corresponding DNS query: 9.169.231.174
Source: unknown	TCP traffic detected without corresponding DNS query: 223.11.182.21
Source: unknown	TCP traffic detected without corresponding DNS query: 175.215.68.114
Source: unknown	TCP traffic detected without corresponding DNS query: 76.131.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 204.186.55.14
Source: unknown	TCP traffic detected without corresponding DNS query: 104.42.93.127
Source: unknown	TCP traffic detected without corresponding DNS query: 91.185.36.65
Source: unknown	TCP traffic detected without corresponding DNS query: 73.185.144.44
Source: unknown	TCP traffic detected without corresponding DNS query: 46.44.202.14
Source: unknown	TCP traffic detected without corresponding DNS query: 146.90.157.91
Source: unknown	TCP traffic detected without corresponding DNS query: 207.19.164.238
Source: unknown	TCP traffic detected without corresponding DNS query: 2.5.107.224
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.217.140
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.14.64
Source: unknown	TCP traffic detected without corresponding DNS query: 72.239.120.156
Source: unknown	TCP traffic detected without corresponding DNS query: 164.30.143.68
Source: unknown	TCP traffic detected without corresponding DNS query: 155.206.205.161
Source: unknown	TCP traffic detected without corresponding DNS query: 19.156.56.61
Source: unknown	TCP traffic detected without corresponding DNS query: 51.5.236.88
Source: unknown	TCP traffic detected without corresponding DNS query: 206.22.155.20
Source: unknown	TCP traffic detected without corresponding DNS query: 170.182.30.23
Source: unknown	TCP traffic detected without corresponding DNS query: 66.95.128.129
Source: unknown	TCP traffic detected without corresponding DNS query: 67.85.248.138
Source: unknown	TCP traffic detected without corresponding DNS query: 209.218.75.6
Source: unknown	TCP traffic detected without corresponding DNS query: 104.187.122.215
Source: unknown	TCP traffic detected without corresponding DNS query: 218.248.90.54
Source: unknown	TCP traffic detected without corresponding DNS query: 218.93.181.123
Source: unknown	TCP traffic detected without corresponding DNS query: 76.42.25.135
Source: unknown	TCP traffic detected without corresponding DNS query: 211.104.2.117
Source: unknown	TCP traffic detected without corresponding DNS query: 203.176.253.233
Source: unknown	TCP traffic detected without corresponding DNS query: 149.176.173.143
Source: unknown	TCP traffic detected without corresponding DNS query: 170.185.42.8
Source: unknown	TCP traffic detected without corresponding DNS query: 187.248.51.123
Source: unknown	TCP traffic detected without corresponding DNS query: 125.220.33.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.187.68.56
Source: unknown	TCP traffic detected without corresponding DNS query: 211.170.82.218
Source: unknown	TCP traffic detected without corresponding DNS query: 117.189.183.121

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/Rpl2Twyrts (PID: 5248)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 5248, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2208, result: successful

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/Rpl2Twyrts (PID: 5248)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 5248, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254)	SIGKILL sent: pid: 2208, result: successful

Source: classification engine

Classification label: mal72.spre.troj.lin@0/2@0/0

Source: Rpl2Twyrts

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5268/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2033/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2033/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2033/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1582/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1582/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1582/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2275/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2275/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1612/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1612/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1612/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1579/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1579/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1579/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1699/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1699/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1699/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1335/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1335/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1335/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1698/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1698/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1698/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2028/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2028/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2028/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1334/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1334/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1334/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1576/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1576/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1576/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2302/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2302/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/3236/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/3236/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2025/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2025/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2025/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2146/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2146/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2146/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/910/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/912/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/912/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/912/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/759/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/759/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/759/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/517/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2307/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2307/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/918/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/918/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/918/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5272/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5273/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5274/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5275/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5276/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5277/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5278/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5279/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1594/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1594/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1594/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2285/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2285/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2281/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2281/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5270/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/5271/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1349/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1349/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1349/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1623/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1623/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1623/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/761/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/761/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/761/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1622/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1622/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1622/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/884/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/884/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/884/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1983/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1983/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1983/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2038/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2038/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/2038/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1586/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1586/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1586/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1465/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1465/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1465/exe
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1344/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1344/fd
Source: /tmp/Rpl2Twyrts (PID: 5254)	File opened: /proc/1344/exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47728
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47732
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47744
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47754
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47760
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47764
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47770
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47778

Source: /tmp/Rpl2Twyrts (PID: 5246)

Queries kernel information via 'uname':

Source: Rpl2Twyrts, 5246.1.00000000e46a4f04.0000000018f5b09c.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: Rpl2Twyrts, 5246.1.00000000e46a4f04.0000000018f5b09c.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: Rpl2Twyrts, 5246.1.000000006915b6a7.0000000099a0e5b4.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/Rpl2TwyrtsSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Rpl2Twyrts
Source: Rpl2Twyrts, 5246.1.000000006915b6a7.0000000099a0e5b4.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Rpl2Twyrts	50%	Virustotal		Browse
Rpl2Twyrts	53%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
39.203.104.226	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
190.89.152.5	unknown	unknown	270374	KINGTELECOMUNICACOESBR	false
160.248.184.59	unknown	Japan	2514	INFOSPHERENTTPCCommunicationsIncJP	false
86.237.87.136	unknown	France	3215	FranceTelecom-OrangeFR	false
159.178.169.160	unknown	United States	6356	NERDCNETUS	false
198.117.113.163	unknown	United States	297	AS297US	false
170.131.168.48	unknown	United States	13954	STAPLESUS	false
77.152.117.114	unknown	France	15557	LDCOMNETFR	false
187.196.136.136	unknown	Mexico	8151	UninetSAdeCVMX	false
183.206.48.83	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
155.93.197.94	unknown	South Africa	37680	COOL-IDEASZA	false
118.155.201.133	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
65.37.101.238	unknown	United States	5650	FRONTIER-FRTRUS	false
42.21.33.100	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
45.226.163.131	unknown	Brazil	267045	EASYCONNECTTECNOLOGIAJACILTDABR	false
153.233.14.113	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
98.23.53.159	unknown	United States	7029	WINDSTREAMUS	false
64.253.255.224	unknown	United States	20428	GLOWPOINT-ASUS	false
160.199.79.178	unknown	Japan	7679	QTNETQTnetIncJP	false
93.249.80.159	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
74.217.215.131	unknown	United States	12182	INTERNAP-2BLKUS	false
88.74.255.198	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
58.21.123.207	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
70.63.62.155	unknown	United States	10796	TWC-10796-MIDWESTUS	false
200.138.172.31	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
161.249.2.143	unknown	United States	396269	BPL-ASNUS	false
158.34.189.234	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
84.38.119.247	unknown	Austria	43939	INTERNETIA_ETTH2-ASNoc-BialystokPL	false
8.156.46.207	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
211.11.169.244	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
12.121.131.53	unknown	United States	7018	ATT-INTERNET4US	false
179.73.32.17	unknown	Brazil	26615	TIMSABR	false
75.203.112.61	unknown	United States	22394	CELLCOUS	false
82.174.187.190	unknown	Netherlands	13127	VERSATELASfortheTrans-EuropeanTele2IPTransportbackbo	false
186.57.123.203	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
115.136.104.95	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
110.144.98.170	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
105.118.219.175	unknown	Nigeria	36873	VNL1-ASNG	false
19.180.211.252	unknown	United States	3	MIT-GATEWAYSUS	false
100.15.26.7	unknown	United States	701	UUNETUS	false
158.47.217.111	unknown	Italy	12551	AS-ENEL-IT	false
251.36.138.169	unknown	Reserved	unknown	unknown	false
84.50.15.196	unknown	Estonia	3249	ESTPAKEE	false
251.246.87.35	unknown	Reserved	unknown	unknown	false
80.194.99.5	unknown	United Kingdom	5089	NTLGB	false
162.195.248.48	unknown	United States	7018	ATT-INTERNET4US	false
190.40.159.241	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
31.18.171.187	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	false
87.204.237.150	unknown	Poland	12741	AS-NETIAWarszawa02-822PL	false
27.12.141.82	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
58.250.84.179	unknown	China	17623	CNCGROUP-SZChinaUnicomShenzennetworkCN	false
149.212.83.51	unknown	Denmark	8386	KOCNETTR	false
37.52.64.35	unknown	Ukraine	6849	UKRTELNETUA	false
191.96.28.113	unknown	Chile	61317	ASDETUKhttpwwwheficedcomGB	false
104.186.4.233	unknown	United States	7018	ATT-INTERNET4US	false
124.181.3.104	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
242.153.131.112	unknown	Reserved	unknown	unknown	false
198.101.133.16	unknown	United States	19994	RACKSPACEUS	false
125.113.41.119	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
112.99.82.219	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
103.146.47.155	unknown	unknown	139848	SHIPL-AS-APSAFEGUARDHOMEIMPROVEMENTSPTYLTDAU	false
182.26.120.99	unknown	Indonesia	4795	INDOSATM2-IDINDOSATM2ASNID	false
120.21.19.134	unknown	Australia	133612	VODAFONE-AS-APVodafoneAustraliaPtyLtdAU	false
90.78.51.144	unknown	France	3215	FranceTelecom-OrangeFR	false
108.22.114.219	unknown	United States	701	UUNETUS	false
42.222.34.226	unknown	China	4249	LILLY-ASUS	false
19.146.221.131	unknown	United States	3	MIT-GATEWAYSUS	false
170.244.191.219	unknown	Argentina	265630	COMISSODANTEANIBALAR	false
187.111.50.119	unknown	Brazil	262711	TURBOMAXTELECOMUNICACOESLTDABR	false
70.196.121.123	unknown	United States	6167	CELLCO-PARTUS	false
247.151.111.14	unknown	Reserved	unknown	unknown	false
37.11.20.196	unknown	Spain	12479	UNI2-ASES	false
209.146.99.63	unknown	United States	395753	KKRUS	false
87.48.91.173	unknown	Denmark	3292	TDCTDCASDK	false
91.228.76.149	unknown	Russian Federation	56864	WELLSERVER-ASRU	false
146.93.13.52	unknown	United States	18709	BOTWUS	false
71.219.170.252	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
23.235.61.72	unknown	United States	64252	ATSIUS	false
141.216.159.236	unknown	United States	394769	UMF-7-ASUS	false
111.146.116.201	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
192.232.122.104	unknown	United States	5647	ASN-KODAKUS	false
95.36.120.123	unknown	Netherlands	15670	BBNED-AS1NL	false
103.187.81.173	unknown	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
97.223.137.109	unknown	United States	6167	CELLCO-PARTUS	false
133.167.242.237	unknown	Japan	9371	SAKURA-CSAKURAInternetIncJP	false
95.183.142.160	unknown	Turkey	8517	ULAKNETTR	false
159.28.99.182	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
241.198.25.193	unknown	Reserved	unknown	unknown	false
251.102.148.138	unknown	Reserved	unknown	unknown	false
83.106.59.198	unknown	United Kingdom	2529	DEMON-INTERNETNowmaintainedbyCableWirelessWorldwide	false
138.244.67.215	unknown	Germany	12816	MWN-ASDE	false
43.88.162.92	unknown	Japan	4249	LILLY-ASUS	false
162.30.154.204	unknown	United States	46483	RGHSUS	false
90.95.34.132	unknown	France	8953	ASN-ORANGE-ROMANIARO	false
82.47.8.178	unknown	United Kingdom	5089	NTLGB	false
43.99.42.139	unknown	Japan	4249	LILLY-ASUS	false
180.87.26.156	unknown	India	6453	AS6453US	false
115.163.218.70	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
244.243.93.7	unknown	Reserved	unknown	unknown	false
19.30.92.146	unknown	United States	3	MIT-GATEWAYSUS	false

Runtime Messages

Command:	/tmp/Rpl2Twyrts
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
70.63.62.155	raCyB7pYpd	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	zYMp3detVO	Get hash	malicious	Browse	182.10.78.173
	ggtS1fKIqX	Get hash	malicious	Browse	39.208.68.184
	oH6qNmnFRP	Get hash	malicious	Browse	182.8.245.170
	b3astmode.arm7	Get hash	malicious	Browse	39.205.24.41
	PFD33mzc5l	Get hash	malicious	Browse	39.210.152.58
	hNsTaM2BAu	Get hash	malicious	Browse	39.211.166.212
	x86	Get hash	malicious	Browse	39.210.152.36
	8jfOcvTqQA	Get hash	malicious	Browse	182.9.38.56
	jQCJldg3pv	Get hash	malicious	Browse	39.198.157.101
	jMJ8Uz4Mhk	Get hash	malicious	Browse	39.216.238.64
	ATc5uxXlTp	Get hash	malicious	Browse	39.239.5.147
	IN7REq0Jv5	Get hash	malicious	Browse	182.3.113.176
	pandora.x86	Get hash	malicious	Browse	39.221.131.173
	pandora.arm	Get hash	malicious	Browse	182.2.171.171
	KEgx4lC3Ni	Get hash	malicious	Browse	39.221.113.150
	Qfx7rFWkI5	Get hash	malicious	Browse	39.232.121.185
	OcO4KUSfwn	Get hash	malicious	Browse	39.195.240.250
	DGTm0edISX	Get hash	malicious	Browse	39.237.138.116
	1WL2kQmrNk	Get hash	malicious	Browse	182.12.155.124
	1Mwzgsrx9C	Get hash	malicious	Browse	114.126.201.55

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5290/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Ckvn:Cm
MD5:	3FD0BF07C83F464293873F94C4FEBF64
SHA1:	A10B2D66A4BA43FC3B81098BD761343051789CC0
SHA-256:	CD46DE89F7C34FEBE64A548F2A948CC6B9E8AF9724A496B28331DBE09769F79E
SHA-512:	A5E78FBF75B7232D1F0F65FA9D791953E29152D2C7C520CCCC1536337216754CB9C6C8BB6B66C6BE14B81C1CF33126E94EE015BC721EB77C0F5A120E2AF99D3A
Malicious:	false
Reputation:	low
Preview:	5290.

Static File Info

General
File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.425468889262933
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Rpl2Twyrts
File size:	71764
MD5:	4635e3761f10a21d01fec0df9fa36e2f
SHA1:	a33d4b91fc25603b0ed98b17381f6a6e017f6c32
SHA256:	91ccea41a26fce7feab89f9b17c889b9f7c37f29b5b5a9390a7d3f2990f43cfa
SHA512:	96722d00ad0e84259b5a93ee5a1226af820855fe20889a2782b5fad7dae45555def4877628f610e8ab375ea9581ac7d84b1cb37de7d25808063ee131f05ab0a5
SSDEEP:	768:YU6bhcgHSIJWB+cHlfD2wLX3YEwja6PN1oAg5oRKxeU3hVpxedxAxePx28szI2Zx:YU6bh1HkV2wEVjZPzgj1GCK2dFsTcJ
File Content Preview:	.ELF....................`.@.4...L.......4. ...(...............@...@...........................E...E.................Q.td...............................<...'!......'.......................<...'!... .........9'.. ........................<...'!.............9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	71244
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x10710	0x0	0x6	AX	16
.fini	PROGBITS	0x410830	0x10830	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x410890	0x10890	0x660	0x0	0x2	A	16
.ctors	PROGBITS	0x451000	0x11000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x451008	0x11008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x451020	0x11020	0x190	0x0	0x3	WA	16
.got	PROGBITS	0x4511b0	0x111b0	0x444	0x4	0x10000003	WA	16
.sbss	NOBITS	0x4515f4	0x115f4	0x24	0x0	0x10000003	WA	4
.bss	NOBITS	0x451620	0x115f4	0x2a0	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x72c	0x115f4	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x115f4	0x57	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x10ef0	0x10ef0	3.3609	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x11000	0x451000	0x451000	0x5f4	0x8c0	1.7941	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2021 08:37:08.866673946 CEST	44200	1312	192.168.2.23	176.126.175.188
Oct 22, 2021 08:37:08.898858070 CEST	57707	23	192.168.2.23	99.22.166.11
Oct 22, 2021 08:37:08.898920059 CEST	57707	23	192.168.2.23	63.165.84.11
Oct 22, 2021 08:37:08.898957014 CEST	57707	23	192.168.2.23	223.195.0.116
Oct 22, 2021 08:37:08.898957014 CEST	57707	23	192.168.2.23	35.118.13.8
Oct 22, 2021 08:37:08.899002075 CEST	57707	23	192.168.2.23	149.182.9.19
Oct 22, 2021 08:37:08.899029016 CEST	57707	23	192.168.2.23	24.8.223.69
Oct 22, 2021 08:37:08.899036884 CEST	57707	23	192.168.2.23	182.145.206.142
Oct 22, 2021 08:37:08.899046898 CEST	57707	23	192.168.2.23	9.67.65.67
Oct 22, 2021 08:37:08.899064064 CEST	57707	23	192.168.2.23	240.16.115.86
Oct 22, 2021 08:37:08.899066925 CEST	57707	23	192.168.2.23	12.43.212.21
Oct 22, 2021 08:37:08.899081945 CEST	57707	23	192.168.2.23	108.55.127.139
Oct 22, 2021 08:37:08.899095058 CEST	57707	23	192.168.2.23	201.247.47.135
Oct 22, 2021 08:37:08.899102926 CEST	57707	23	192.168.2.23	9.169.231.174
Oct 22, 2021 08:37:08.899102926 CEST	57707	23	192.168.2.23	223.11.182.21
Oct 22, 2021 08:37:08.899106979 CEST	57707	23	192.168.2.23	175.215.68.114
Oct 22, 2021 08:37:08.899137020 CEST	57707	23	192.168.2.23	76.131.185.195
Oct 22, 2021 08:37:08.899144888 CEST	57707	23	192.168.2.23	204.186.55.14
Oct 22, 2021 08:37:08.899197102 CEST	57707	23	192.168.2.23	104.42.93.127
Oct 22, 2021 08:37:08.899223089 CEST	57707	23	192.168.2.23	91.185.36.65
Oct 22, 2021 08:37:08.899245024 CEST	57707	23	192.168.2.23	73.185.144.44
Oct 22, 2021 08:37:08.899246931 CEST	57707	23	192.168.2.23	46.44.202.14
Oct 22, 2021 08:37:08.899293900 CEST	57707	23	192.168.2.23	146.90.157.91
Oct 22, 2021 08:37:08.899318933 CEST	57707	23	192.168.2.23	207.19.164.238
Oct 22, 2021 08:37:08.899334908 CEST	57707	23	192.168.2.23	2.5.107.224
Oct 22, 2021 08:37:08.899342060 CEST	57707	23	192.168.2.23	65.109.217.140
Oct 22, 2021 08:37:08.899362087 CEST	57707	23	192.168.2.23	193.187.14.64
Oct 22, 2021 08:37:08.899368048 CEST	57707	23	192.168.2.23	72.239.120.156
Oct 22, 2021 08:37:08.899394035 CEST	57707	23	192.168.2.23	164.30.143.68
Oct 22, 2021 08:37:08.899445057 CEST	57707	23	192.168.2.23	155.206.205.161
Oct 22, 2021 08:37:08.899458885 CEST	57707	23	192.168.2.23	19.156.56.61
Oct 22, 2021 08:37:08.899499893 CEST	57707	23	192.168.2.23	51.5.236.88
Oct 22, 2021 08:37:08.899523973 CEST	57707	23	192.168.2.23	206.22.155.20
Oct 22, 2021 08:37:08.899558067 CEST	57707	23	192.168.2.23	170.182.30.23
Oct 22, 2021 08:37:08.899560928 CEST	57707	23	192.168.2.23	66.95.128.129
Oct 22, 2021 08:37:08.899574041 CEST	57707	23	192.168.2.23	67.85.248.138
Oct 22, 2021 08:37:08.899636984 CEST	57707	23	192.168.2.23	209.218.75.6
Oct 22, 2021 08:37:08.899660110 CEST	57707	23	192.168.2.23	54.122.110.174
Oct 22, 2021 08:37:08.899678946 CEST	57707	23	192.168.2.23	104.187.122.215
Oct 22, 2021 08:37:08.899679899 CEST	57707	23	192.168.2.23	218.248.90.54
Oct 22, 2021 08:37:08.899703026 CEST	57707	23	192.168.2.23	39.110.210.111
Oct 22, 2021 08:37:08.899720907 CEST	57707	23	192.168.2.23	218.93.181.123
Oct 22, 2021 08:37:08.899725914 CEST	57707	23	192.168.2.23	76.42.25.135
Oct 22, 2021 08:37:08.899729967 CEST	57707	23	192.168.2.23	211.104.2.117
Oct 22, 2021 08:37:08.899753094 CEST	57707	23	192.168.2.23	203.176.253.233
Oct 22, 2021 08:37:08.899756908 CEST	57707	23	192.168.2.23	149.176.173.143
Oct 22, 2021 08:37:08.899770021 CEST	57707	23	192.168.2.23	170.185.42.8
Oct 22, 2021 08:37:08.899775028 CEST	57707	23	192.168.2.23	187.248.51.123
Oct 22, 2021 08:37:08.899785995 CEST	57707	23	192.168.2.23	125.220.33.131
Oct 22, 2021 08:37:08.899846077 CEST	57707	23	192.168.2.23	147.187.68.56
Oct 22, 2021 08:37:08.899861097 CEST	57707	23	192.168.2.23	211.170.82.218
Oct 22, 2021 08:37:08.899883032 CEST	57707	23	192.168.2.23	117.189.183.121
Oct 22, 2021 08:37:08.899885893 CEST	57707	23	192.168.2.23	202.193.171.122
Oct 22, 2021 08:37:08.899899006 CEST	57707	23	192.168.2.23	62.67.202.193
Oct 22, 2021 08:37:08.899905920 CEST	57707	23	192.168.2.23	240.84.21.215
Oct 22, 2021 08:37:08.899909019 CEST	57707	23	192.168.2.23	145.137.197.209
Oct 22, 2021 08:37:08.899920940 CEST	57707	23	192.168.2.23	220.49.56.252
Oct 22, 2021 08:37:08.899931908 CEST	57707	23	192.168.2.23	61.186.174.108
Oct 22, 2021 08:37:08.899941921 CEST	57707	23	192.168.2.23	255.100.215.106
Oct 22, 2021 08:37:08.899945974 CEST	57707	23	192.168.2.23	133.15.47.51
Oct 22, 2021 08:37:08.899956942 CEST	57707	23	192.168.2.23	202.160.173.85
Oct 22, 2021 08:37:08.900018930 CEST	57707	23	192.168.2.23	150.147.162.125
Oct 22, 2021 08:37:08.900026083 CEST	57707	23	192.168.2.23	217.165.190.167
Oct 22, 2021 08:37:08.900053978 CEST	57707	23	192.168.2.23	37.147.202.141
Oct 22, 2021 08:37:08.900062084 CEST	57707	23	192.168.2.23	92.232.189.47
Oct 22, 2021 08:37:08.900062084 CEST	57707	23	192.168.2.23	58.56.231.92
Oct 22, 2021 08:37:08.900077105 CEST	57707	23	192.168.2.23	166.149.82.25
Oct 22, 2021 08:37:08.900104046 CEST	57707	23	192.168.2.23	185.27.116.38
Oct 22, 2021 08:37:08.900120020 CEST	57707	23	192.168.2.23	184.129.97.204
Oct 22, 2021 08:37:08.900146961 CEST	57707	23	192.168.2.23	154.205.244.168
Oct 22, 2021 08:37:08.900149107 CEST	57707	23	192.168.2.23	116.161.205.12
Oct 22, 2021 08:37:08.900158882 CEST	57707	23	192.168.2.23	223.194.91.75
Oct 22, 2021 08:37:08.900161982 CEST	57707	23	192.168.2.23	113.141.186.71
Oct 22, 2021 08:37:08.900176048 CEST	57707	23	192.168.2.23	164.239.149.53
Oct 22, 2021 08:37:08.900187969 CEST	57707	23	192.168.2.23	255.178.79.189
Oct 22, 2021 08:37:08.900196075 CEST	57707	23	192.168.2.23	149.151.30.56
Oct 22, 2021 08:37:08.900202036 CEST	57707	23	192.168.2.23	41.127.77.255
Oct 22, 2021 08:37:08.900234938 CEST	57707	23	192.168.2.23	168.189.196.248
Oct 22, 2021 08:37:08.900244951 CEST	57707	23	192.168.2.23	136.112.114.252
Oct 22, 2021 08:37:08.900278091 CEST	57707	23	192.168.2.23	107.168.125.68
Oct 22, 2021 08:37:08.900290012 CEST	57707	23	192.168.2.23	125.251.9.175
Oct 22, 2021 08:37:08.900295973 CEST	57707	23	192.168.2.23	186.201.189.212
Oct 22, 2021 08:37:08.900301933 CEST	57707	23	192.168.2.23	193.187.77.25
Oct 22, 2021 08:37:08.900301933 CEST	57707	23	192.168.2.23	255.206.191.14
Oct 22, 2021 08:37:08.900331974 CEST	57707	23	192.168.2.23	160.164.194.118
Oct 22, 2021 08:37:08.900357008 CEST	57707	23	192.168.2.23	24.231.76.137
Oct 22, 2021 08:37:08.900384903 CEST	57707	23	192.168.2.23	177.47.132.74
Oct 22, 2021 08:37:08.900403023 CEST	57707	23	192.168.2.23	186.126.128.246
Oct 22, 2021 08:37:08.900403976 CEST	57707	23	192.168.2.23	255.78.194.123
Oct 22, 2021 08:37:08.900405884 CEST	57707	23	192.168.2.23	81.40.254.24
Oct 22, 2021 08:37:08.900429964 CEST	57707	23	192.168.2.23	152.59.248.225
Oct 22, 2021 08:37:08.900466919 CEST	57707	23	192.168.2.23	157.229.198.104
Oct 22, 2021 08:37:08.900489092 CEST	57707	23	192.168.2.23	216.185.245.138
Oct 22, 2021 08:37:08.900490046 CEST	57707	23	192.168.2.23	112.178.121.155
Oct 22, 2021 08:37:08.900497913 CEST	57707	23	192.168.2.23	180.126.139.170
Oct 22, 2021 08:37:08.900520086 CEST	57707	23	192.168.2.23	37.29.158.168
Oct 22, 2021 08:37:08.900527954 CEST	57707	23	192.168.2.23	58.28.2.36
Oct 22, 2021 08:37:08.900532961 CEST	57707	23	192.168.2.23	195.250.169.11
Oct 22, 2021 08:37:08.900533915 CEST	57707	23	192.168.2.23	182.18.164.188
Oct 22, 2021 08:37:08.900543928 CEST	57707	23	192.168.2.23	197.165.59.250

System Behavior

Analysis Process: Rpl2Twyrts PID: 5246 Parent PID: 5121

General

Start time:	08:37:07
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	/tmp/Rpl2Twyrts
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: Rpl2Twyrts PID: 5248 Parent PID: 5246

General

Start time:	08:37:07
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: Rpl2Twyrts PID: 5249 Parent PID: 5246

General

Start time:	08:37:07
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: Rpl2Twyrts PID: 5252 Parent PID: 5246

General

Start time:	08:37:07
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: Rpl2Twyrts PID: 5254 Parent PID: 5252

General

Start time:	08:37:08
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: Rpl2Twyrts PID: 5255 Parent PID: 5252

General

Start time:	08:37:08
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: Rpl2Twyrts PID: 5257 Parent PID: 5252

General

Start time:	08:37:08
Start date:	22/10/2021
Path:	/tmp/Rpl2Twyrts
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: systemd PID: 5287 Parent PID: 1

General

Start time:	08:37:21
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5287 Parent PID: 1

General

Start time:	08:37:21
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5290 Parent PID: 1

General

Start time:	08:37:21
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5290 Parent PID: 1

General

Start time:	08:37:21
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report Rpl2Twyrts

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Rpl2Twyrts PID: 5246 Parent PID: 5121

General

Analysis Process: Rpl2Twyrts PID: 5248 Parent PID: 5246

General

Analysis Process: Rpl2Twyrts PID: 5249 Parent PID: 5246

General

Analysis Process: Rpl2Twyrts PID: 5252 Parent PID: 5246

General

Analysis Process: Rpl2Twyrts PID: 5254 Parent PID: 5252

General

Analysis Process: Rpl2Twyrts PID: 5255 Parent PID: 5252

General

Analysis Process: Rpl2Twyrts PID: 5257 Parent PID: 5252

General

Analysis Process: systemd PID: 5287 Parent PID: 1

General

Analysis Process: sshd PID: 5287 Parent PID: 1

General

Analysis Process: systemd PID: 5290 Parent PID: 1

General

Analysis Process: sshd PID: 5290 Parent PID: 1

General