Play interactive tour

Edit tour

Linux Analysis Report z0x3n.x86

Overview

General Information

Sample Name:	z0x3n.x86
Analysis ID:	512619
MD5:	c2c1c54bbc5f372df082aebc0d983716
SHA1:	2c9ebbad068ea09d2fcf7cfff48608a8abdf4337
SHA256:	dd9c8a7d71f944ded984394fcc021043403e3a39ef424d70d2a3a18c3b58b69d
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Yara signature match

Sample has stripped symbol table

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	512619
Start date:	01.11.2021
Start time:	08:54:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	z0x3n.x86
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.troj.linX86@0/0@1/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

z0x3n.x86 (PID: 5231, Parent: 5116, MD5: c2c1c54bbc5f372df082aebc0d983716) Arguments: /tmp/z0x3n.x86

z0x3n.x86 New Fork (PID: 5232, Parent: 5231)

z0x3n.x86 New Fork (PID: 5233, Parent: 5231)

z0x3n.x86 New Fork (PID: 5234, Parent: 5233)

z0x3n.x86 New Fork (PID: 5235, Parent: 5233)

z0x3n.x86 New Fork (PID: 5236, Parent: 5233)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
z0x3n.x86	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xedc8:$xo1: Dfs`eeh&<'9 0xee40:$xo1: Dfs`eeh&<'9 0xeeb4:$xo1: Dfs`eeh&<'9 0xef24:$xo1: Dfs`eeh&<'9 0xef70:$xo1: Dfs`eeh&<'9

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5231.1.0000000019671de5.00000000c7254e12.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x6d0:$xo1: Dfs`eeh&<'9 0x750:$xo1: Dfs`eeh&<'9 0x7c8:$xo1: Dfs`eeh&<'9 0x840:$xo1: Dfs`eeh&<'9 0x890:$xo1: Dfs`eeh&<'9
5234.1.0000000019671de5.00000000c7254e12.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x6d0:$xo1: Dfs`eeh&<'9 0x750:$xo1: Dfs`eeh&<'9 0x7c8:$xo1: Dfs`eeh&<'9 0x840:$xo1: Dfs`eeh&<'9 0x890:$xo1: Dfs`eeh&<'9
5232.1.0000000019671de5.00000000c7254e12.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x6d0:$xo1: Dfs`eeh&<'9 0x750:$xo1: Dfs`eeh&<'9 0x7c8:$xo1: Dfs`eeh&<'9 0x840:$xo1: Dfs`eeh&<'9 0x890:$xo1: Dfs`eeh&<'9
5232.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xedc8:$xo1: Dfs`eeh&<'9 0xee40:$xo1: Dfs`eeh&<'9 0xeeb4:$xo1: Dfs`eeh&<'9 0xef24:$xo1: Dfs`eeh&<'9 0xef70:$xo1: Dfs`eeh&<'9
5231.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xedc8:$xo1: Dfs`eeh&<'9 0xee40:$xo1: Dfs`eeh&<'9 0xeeb4:$xo1: Dfs`eeh&<'9 0xef24:$xo1: Dfs`eeh&<'9 0xef70:$xo1: Dfs`eeh&<'9
5234.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xedc8:$xo1: Dfs`eeh&<'9 0xee40:$xo1: Dfs`eeh&<'9 0xeeb4:$xo1: Dfs`eeh&<'9 0xef24:$xo1: Dfs`eeh&<'9 0xef70:$xo1: Dfs`eeh&<'9
Click to see the 1 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: z0x3n.x86

Virustotal: Detection: 41%

Perma Link

Machine Learning detection for sample

Show sources

Source: z0x3n.x86

Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46804
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46812
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46814
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46816
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46820
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46868
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46908
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46918
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.242.254.71:23 -> 192.168.2.23:42324
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.242.254.71:23 -> 192.168.2.23:42324
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46936
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46954
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:46990
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47048
Source: Traffic	Snort IDS: 2025080 ET EXPLOIT Actiontec C1000A backdoor account M1 192.168.2.23:47048 -> 177.126.89.178:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47088
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47128
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47168
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47188
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.242.254.71:23 -> 192.168.2.23:42604
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.242.254.71:23 -> 192.168.2.23:42604
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47198
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47206
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47214
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47222
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47228
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47236
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47282
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47332
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47342
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.242.254.71:23 -> 192.168.2.23:42760
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.242.254.71:23 -> 192.168.2.23:42760
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47356
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 103.192.76.235:23 -> 192.168.2.23:43346
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.126.89.178:23 -> 192.168.2.23:47364

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 47.1.101.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.229.138.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 105.13.231.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 213.147.72.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.37.20.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 181.70.39.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 68.190.30.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 156.58.60.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 169.159.209.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 86.0.55.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 159.44.145.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 208.121.47.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 23.227.190.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 80.126.58.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 70.246.158.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:60692 -> 37.0.10.67:11199
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 221.33.62.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 92.9.54.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 88.169.66.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 184.107.27.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.78.150.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 158.92.133.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 168.220.47.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 67.216.157.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 47.94.166.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 161.141.44.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 90.34.76.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 219.165.130.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.22.31.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 23.90.136.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 13.169.44.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 87.135.162.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 79.161.77.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 202.230.104.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 185.245.106.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 66.170.200.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 141.88.84.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 168.195.222.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 111.13.221.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 93.188.18.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.81.180.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 171.99.64.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 44.149.111.58:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 5.36.233.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 208.13.104.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 47.147.64.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 163.71.180.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.22.251.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 108.110.47.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 200.107.192.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 152.245.254.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 96.236.225.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.232.170.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 85.196.240.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.122.73.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 181.49.62.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 58.230.50.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.199.112.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 114.187.246.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 201.67.77.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 46.17.125.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 103.51.108.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 145.24.171.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 72.140.85.180:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 104.68.237.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 93.161.152.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 175.79.101.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 216.197.142.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 143.253.25.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 4.231.190.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 119.155.48.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 141.167.46.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 89.12.160.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.85.221.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 60.15.174.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 197.239.79.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 147.32.196.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 197.140.54.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 96.185.139.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 87.248.84.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 66.177.116.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.145.186.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 179.67.250.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 157.139.215.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 221.67.167.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 83.73.29.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 166.118.94.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.183.116.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 76.154.80.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 169.165.32.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 2.5.99.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 146.190.65.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 118.226.196.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 98.140.74.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 84.164.182.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 75.22.228.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 166.241.67.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 38.145.157.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 173.91.115.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 146.34.11.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 217.19.45.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 8.80.25.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 122.184.234.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 102.31.192.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 8.214.20.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 96.241.91.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.83.6.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.43.136.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 123.74.18.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 208.91.202.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 212.114.152.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 218.140.168.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 61.181.112.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 17.119.83.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 213.181.249.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 42.150.225.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 4.234.100.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 1.12.34.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 168.240.84.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 80.75.125.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 61.93.211.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 178.185.39.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 178.225.49.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 68.201.245.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.177.181.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 36.98.187.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 94.242.48.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 129.8.101.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 149.194.60.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 48.118.100.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 186.225.134.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 110.52.205.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 155.63.4.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 185.206.56.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 42.208.172.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 217.30.37.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 13.127.5.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 195.143.165.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 102.46.144.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 190.127.105.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.29.163.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 59.124.112.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 63.251.42.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 95.83.19.180:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 91.101.137.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 67.155.200.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 105.171.41.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 154.199.17.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 13.161.22.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 39.58.182.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 5.128.25.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 94.31.35.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 217.18.124.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 108.100.149.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 145.254.198.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 171.52.71.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 151.193.135.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 115.99.234.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 97.133.53.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 200.200.172.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.140.73.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 220.10.92.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 69.90.181.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 213.128.81.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 221.225.149.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 210.210.209.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 18.33.216.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 158.205.147.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.110.183.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 221.59.94.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 121.229.132.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 148.14.93.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 68.1.152.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 42.232.21.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 80.52.205.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 102.95.95.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 1.29.156.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.248.75.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 89.243.243.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 111.4.255.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 217.113.110.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 180.145.44.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 221.152.196.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 209.137.225.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 93.237.29.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 184.98.75.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 12.186.163.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 181.113.181.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 93.41.25.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 112.43.103.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 219.176.105.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 74.20.29.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 124.32.46.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 196.67.219.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 200.117.53.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 151.73.95.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 218.161.230.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.40.58.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 91.190.253.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 178.98.139.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 89.39.90.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 60.253.15.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 182.117.8.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 108.76.175.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 113.3.137.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 223.221.20.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 86.31.225.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 80.162.93.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 197.60.176.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 13.79.59.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 81.90.105.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 69.245.252.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 101.59.251.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 196.205.220.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 40.126.29.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 182.36.117.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 112.243.228.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 211.157.150.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 102.173.156.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 176.1.204.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 135.141.0.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 120.70.217.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 70.140.2.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 8.77.29.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 57.44.137.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 96.102.62.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 116.119.175.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 119.40.45.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 189.11.34.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 83.103.17.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 72.177.18.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 73.14.90.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 113.71.46.193:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 115.185.152.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 169.165.211.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 174.236.86.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 180.120.47.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 9.191.85.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 106.88.129.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 31.105.253.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 213.163.28.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 1.115.111.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 164.14.148.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 82.210.60.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 182.145.103.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 83.79.229.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 19.198.251.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 158.29.176.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 147.213.127.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 173.40.194.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 38.102.155.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 130.223.218.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 153.55.168.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 88.156.149.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 168.10.226.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 184.56.137.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 162.245.157.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 136.139.187.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 180.123.247.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.106.132.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 151.9.68.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 2.0.172.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 197.252.140.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 174.169.241.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 93.104.195.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 94.100.163.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 149.192.217.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 39.107.252.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 65.200.82.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 154.130.142.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 102.121.90.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 141.140.17.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 39.219.49.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 167.87.231.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 99.202.69.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 126.24.131.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 54.122.83.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 4.211.37.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 70.199.97.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 12.205.77.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 208.13.203.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 163.17.54.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 1.93.103.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 124.218.81.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.91.237.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 41.210.7.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 4.253.74.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 97.111.15.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 146.117.25.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 209.73.10.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 87.99.174.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 126.196.148.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 108.134.228.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 91.153.164.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 115.92.32.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 47.13.156.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 113.217.205.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 194.21.223.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 73.141.45.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 103.30.225.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 157.163.80.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 147.206.96.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 20.194.249.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 193.104.57.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 114.43.35.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 23.205.105.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 146.30.215.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 202.31.210.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 136.52.96.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 161.55.110.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 169.80.206.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 54.62.168.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.227.154.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 98.145.169.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 66.52.215.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.230.28.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 80.149.40.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 167.236.190.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 103.190.220.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 202.141.255.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 38.64.38.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 101.152.104.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 111.5.229.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 59.58.176.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.117.228.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 159.166.177.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 96.241.59.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 46.147.185.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 123.246.37.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.31.128.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 86.234.159.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 194.141.131.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 23.39.223.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 114.253.241.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 159.217.22.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 220.51.111.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 62.243.169.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 184.130.204.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 112.185.94.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 76.76.26.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 117.170.226.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 107.45.166.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 107.224.50.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 43.5.182.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 219.183.241.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 201.134.125.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 60.104.42.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 8.25.90.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 206.205.232.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 113.170.18.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 216.216.124.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 41.133.114.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 148.118.118.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 152.33.10.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 44.161.70.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 177.88.230.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 23.65.13.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 14.151.27.96:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 182.43.242.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 178.196.21.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 2.240.46.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 207.212.80.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 1.207.147.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 184.119.22.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 12.77.182.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 114.35.80.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 219.61.152.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 207.116.56.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 222.184.178.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 45.181.53.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 153.207.55.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 91.70.95.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 95.93.11.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 119.133.116.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 165.206.138.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 204.121.184.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 87.30.195.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 42.69.163.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 2.158.72.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 90.116.127.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 100.221.213.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 152.9.94.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 219.72.214.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 220.23.201.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 65.149.204.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 220.206.145.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 47.105.234.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 208.75.107.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 78.54.211.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.241.227.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 46.229.251.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 79.172.103.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 57.147.191.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 175.84.244.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 202.124.111.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 114.4.108.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 98.126.231.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 198.127.110.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 97.169.146.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 194.245.162.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 107.219.54.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 43.110.33.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 106.44.67.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 185.79.220.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.30.128.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 146.18.196.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 157.26.23.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 170.27.217.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 157.210.103.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.44.79.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 65.159.255.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 183.68.221.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 60.79.203.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 27.169.24.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 142.99.161.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 196.255.81.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 14.169.2.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 196.9.143.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 93.37.38.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 70.138.151.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 109.118.145.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 102.220.166.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 105.82.82.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 121.196.27.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 194.110.150.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 68.71.24.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 34.98.22.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 53.187.127.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 13.69.21.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 41.20.66.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 62.4.185.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 42.144.122.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 212.254.213.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 153.53.150.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 95.29.250.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 60.128.141.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 223.236.3.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 20.118.235.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 87.110.177.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 220.117.148.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 158.184.49.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 173.230.70.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 65.31.20.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 61.2.243.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 210.215.231.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.55.87.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 5.16.140.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 98.183.103.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 195.81.195.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 126.118.108.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 41.68.221.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 201.199.15.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 112.77.17.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 73.101.218.101:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 223.201.126.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 31.230.227.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 193.58.153.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 58.210.71.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 124.132.216.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 201.109.52.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 80.10.251.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 173.233.194.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 156.154.198.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 112.183.211.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 203.242.2.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 72.34.73.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 61.90.55.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 168.103.254.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 4.115.182.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 221.175.48.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 92.24.86.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 12.101.89.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 164.128.223.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 37.86.107.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 83.38.116.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 212.152.43.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 189.162.9.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 101.210.143.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 193.135.133.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 117.41.17.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 125.82.4.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 94.46.144.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 161.110.163.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 188.194.79.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 200.45.158.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 20.173.48.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 96.217.230.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 207.74.116.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 108.170.91.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 182.125.255.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 180.187.214.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 84.70.233.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 135.254.189.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 66.160.67.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 44.190.26.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 183.157.170.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 207.179.219.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 211.167.230.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 202.159.48.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:23086 -> 155.158.127.144:2323

Source: unknown

DNS traffic detected: queries for: z0x3n.cf

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 103.61.176.109
Source: unknown	TCP traffic detected without corresponding DNS query: 47.1.101.157
Source: unknown	TCP traffic detected without corresponding DNS query: 182.193.240.200
Source: unknown	TCP traffic detected without corresponding DNS query: 84.203.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 149.100.205.117
Source: unknown	TCP traffic detected without corresponding DNS query: 36.119.11.175
Source: unknown	TCP traffic detected without corresponding DNS query: 125.229.138.235
Source: unknown	TCP traffic detected without corresponding DNS query: 77.163.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 196.101.75.42
Source: unknown	TCP traffic detected without corresponding DNS query: 54.128.144.224
Source: unknown	TCP traffic detected without corresponding DNS query: 95.44.64.51
Source: unknown	TCP traffic detected without corresponding DNS query: 62.169.67.211
Source: unknown	TCP traffic detected without corresponding DNS query: 87.194.59.225
Source: unknown	TCP traffic detected without corresponding DNS query: 67.228.183.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.179.71
Source: unknown	TCP traffic detected without corresponding DNS query: 102.71.3.185
Source: unknown	TCP traffic detected without corresponding DNS query: 91.111.19.201
Source: unknown	TCP traffic detected without corresponding DNS query: 57.236.55.216
Source: unknown	TCP traffic detected without corresponding DNS query: 166.150.88.190
Source: unknown	TCP traffic detected without corresponding DNS query: 94.231.7.73
Source: unknown	TCP traffic detected without corresponding DNS query: 114.112.47.159
Source: unknown	TCP traffic detected without corresponding DNS query: 117.90.192.120
Source: unknown	TCP traffic detected without corresponding DNS query: 135.2.225.206
Source: unknown	TCP traffic detected without corresponding DNS query: 168.144.25.169
Source: unknown	TCP traffic detected without corresponding DNS query: 71.158.19.146
Source: unknown	TCP traffic detected without corresponding DNS query: 208.151.213.102
Source: unknown	TCP traffic detected without corresponding DNS query: 81.95.135.55
Source: unknown	TCP traffic detected without corresponding DNS query: 169.26.177.164
Source: unknown	TCP traffic detected without corresponding DNS query: 99.11.81.41
Source: unknown	TCP traffic detected without corresponding DNS query: 105.13.231.165
Source: unknown	TCP traffic detected without corresponding DNS query: 90.180.225.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.147.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 88.133.77.153
Source: unknown	TCP traffic detected without corresponding DNS query: 13.144.12.20
Source: unknown	TCP traffic detected without corresponding DNS query: 9.113.2.215
Source: unknown	TCP traffic detected without corresponding DNS query: 192.182.27.143
Source: unknown	TCP traffic detected without corresponding DNS query: 93.147.13.9
Source: unknown	TCP traffic detected without corresponding DNS query: 157.248.119.132
Source: unknown	TCP traffic detected without corresponding DNS query: 41.244.119.157
Source: unknown	TCP traffic detected without corresponding DNS query: 38.231.100.31
Source: unknown	TCP traffic detected without corresponding DNS query: 177.126.89.178
Source: unknown	TCP traffic detected without corresponding DNS query: 175.29.25.120
Source: unknown	TCP traffic detected without corresponding DNS query: 168.96.135.118
Source: unknown	TCP traffic detected without corresponding DNS query: 79.144.135.159
Source: unknown	TCP traffic detected without corresponding DNS query: 192.39.107.5
Source: unknown	TCP traffic detected without corresponding DNS query: 207.200.60.116
Source: unknown	TCP traffic detected without corresponding DNS query: 106.9.22.179
Source: unknown	TCP traffic detected without corresponding DNS query: 168.188.118.67
Source: unknown	TCP traffic detected without corresponding DNS query: 172.101.143.80
Source: unknown	TCP traffic detected without corresponding DNS query: 90.36.198.213

Source: z0x3n.x86, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5231.1.0000000019671de5.00000000c7254e12.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5234.1.0000000019671de5.00000000c7254e12.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5232.1.0000000019671de5.00000000c7254e12.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5232.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5231.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5234.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal68.troj.linX86@0/0@1/0

Source: z0x3n.x86

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1582/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2033/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1612/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1579/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1699/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1335/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1698/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2028/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1334/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1576/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2025/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2146/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/910/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/912/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/517/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/759/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/918/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1594/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1349/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1623/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/761/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1622/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/884/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1983/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2038/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1344/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1465/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1586/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1860/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1463/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/800/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/801/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1629/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1627/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1900/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/491/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2050/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1877/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/772/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1633/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1599/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1632/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/774/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1477/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/654/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/896/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1476/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1872/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2048/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/655/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1475/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/656/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/777/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/657/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/658/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/419/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/936/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1639/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1638/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1809/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1494/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1890/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2063/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2062/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1888/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1886/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/420/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1489/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/785/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1642/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/788/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/667/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/789/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1648/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2078/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2077/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2074/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/670/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/793/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1656/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1654/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/674/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1532/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/796/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/675/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/797/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/676/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/677/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2069/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2102/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/799/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2080/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2084/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2083/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1668/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1664/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1389/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/720/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2114/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/721/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/1661/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2079/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/847/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2097/maps
Source: /tmp/z0x3n.x86 (PID: 5235)	File opened: /proc/2096/maps

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping1	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
z0x3n.x86	42%	Virustotal		Browse
z0x3n.x86	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
z0x3n.cf	37.0.10.67	true	false		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
111.12.128.239	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
8.102.49.78	unknown	United States	3356	LEVEL3US	false
192.77.169.162	unknown	United States	394008	DBI-ASUS	false
57.111.236.183	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
191.255.128.161	unknown	Brazil	27699	TELEFONICABRASILSABR	false
178.22.52.188	unknown	Russian Federation	44943	RAMNET-ASInternetServiceProviderRamNetRU	false
91.156.163.171	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
179.67.250.16	unknown	Brazil	7738	TelemarNorteLesteSABR	false
113.133.36.115	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
195.89.233.144	unknown	United Kingdom	1273	CWVodafoneGroupPLCEU	false
130.223.218.209	unknown	Switzerland	559	SWITCHPeeringrequestspeeringswitchchEU	false
106.44.67.176	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
181.28.71.103	unknown	Argentina	10318	TelecomArgentinaSAAR	false
112.246.77.240	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
73.180.82.168	unknown	United States	7922	COMCAST-7922US	false
213.202.53.40	unknown	Switzerland	21466	ASQUICKNETKabelfernsehnBoedeliinInterlakenSwitzerland	false
146.190.146.173	unknown	United States	702	UUNETUS	false
89.27.99.244	unknown	Finland	16086	DNAFI	false
20.73.200.192	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
169.64.152.199	unknown	United States	37611	AfrihostZA	false
210.200.107.2	unknown	Taiwan; Republic of China (ROC)	9311	HITRON-AS-APHITRONTECHNOLOGYINCTW	false
200.64.54.219	unknown	Mexico	8151	UninetSAdeCVMX	false
173.225.75.100	unknown	United States	26878	TWRS-NYCUS	false
94.43.140.207	unknown	Georgia	35805	SILKNET-ASGE	false
111.253.7.151	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
1.81.74.63	unknown	China	134768	CHINANET-SHAANXI-CLOUD-BASECHINANETSHAANXIprovinceCloud	false
98.225.187.150	unknown	United States	7922	COMCAST-7922US	false
183.91.246.58	unknown	Korea Republic of	9976	ICNDP-AS-KRNamincheonBrodcastingCoLtdKR	false
200.98.94.223	unknown	Brazil	7162	UniversoOnlineSABR	false
177.247.199.47	unknown	Mexico	13999	MegaCableSAdeCVMX	false
125.51.30.130	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
185.151.99.5	unknown	Iran (ISLAMIC Republic Of)	62153	PANAIR	false
42.68.109.132	unknown	Taiwan; Republic of China (ROC)	4249	LILLY-ASUS	false
76.0.12.143	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
83.80.167.254	unknown	Netherlands	33915	TNF-ASNL	false
120.20.106.82	unknown	Australia	133612	VODAFONE-AS-APVodafoneAustraliaPtyLtdAU	false
82.76.185.25	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
205.194.107.171	unknown	Canada	3356	LEVEL3US	false
119.63.255.29	unknown	Korea Republic of	17577	GIGAPASS-AS-KRLGHelloVisionCorpKR	false
95.19.35.69	unknown	Spain	12479	UNI2-ASES	false
169.144.15.17	unknown	United States	158	ERI-ASUS	false
8.55.105.60	unknown	United States	3356	LEVEL3US	false
107.209.55.138	unknown	United States	7018	ATT-INTERNET4US	false
202.102.100.47	unknown	China	137702	CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvince	false
161.152.120.87	unknown	Australia	9328	DATACOM-AUDATACOMSYSTEMSAUPTYLTDAU	false
54.21.179.8	unknown	United States	14618	AMAZON-AESUS	false
12.101.24.89	unknown	United States	7018	ATT-INTERNET4US	false
170.12.117.113	unknown	United States	27283	RJF-INTERNETUS	false
88.58.19.233	unknown	Italy	3269	ASN-IBSNAZIT	false
125.48.186.209	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
140.234.210.128	unknown	United States	6932	EBSCOPUBUS	false
165.245.232.222	unknown	United States	4668	LGNET-AS-KRLGCNSKR	false
171.253.42.137	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
200.7.36.227	unknown	Sint Maarten	27734	NewTechnologiesGroupNVSX	false
156.186.86.117	unknown	Egypt	36992	ETISALAT-MISREG	false
195.135.1.151	unknown	France	8399	SEWAN-FR	false
207.197.1.26	unknown	United States	3851	NSHE-NEVADANETUS	false
186.58.217.66	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
154.56.2.191	unknown	United States	174	COGENT-174US	false
62.212.29.71	unknown	Italy	9026	ULI-MAINULIIT	false
97.121.96.184	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
68.89.131.171	unknown	United States	7018	ATT-INTERNET4US	false
116.17.39.25	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
14.166.103.211	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
150.227.240.141	unknown	Sweden	3246	TDCSONGTele2BusinessTDCSwedenSE	false
91.113.151.22	unknown	Austria	8447	TELEKOM-ATA1TelekomAustriaAGAT	false
4.44.24.55	unknown	United States	3356	LEVEL3US	false
156.169.238.165	unknown	Egypt	36992	ETISALAT-MISREG	false
163.141.21.203	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
93.120.179.216	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
47.0.120.15	unknown	United States	34533	ESAMARA-ASRU	false
114.170.2.111	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
66.212.66.237	unknown	United States	21525	AS-SPLUS	false
196.80.15.132	unknown	Morocco	6713	IAM-ASMA	false
23.253.210.18	unknown	United States	19994	RACKSPACEUS	false
151.226.142.75	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
101.7.232.251	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
117.176.199.169	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
185.92.209.62	unknown	Switzerland	200879	SWISSBROTHERSCH	false
160.172.146.38	unknown	Morocco	6713	IAM-ASMA	false
39.89.15.205	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
219.17.70.121	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
168.154.89.155	unknown	Korea Republic of	10049	SKNET-ASSKCoKR	false
40.71.135.48	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
212.22.221.83	unknown	Ukraine	31148	FREENET_LLCUA	false
202.238.46.90	unknown	Japan	10001	MICSNETMicsNetworkCorporationJP	false
152.11.76.235	unknown	United States	81	NCRENUS	false
81.222.210.53	unknown	Russian Federation	20597	ELTEL-ASRU	false
192.30.221.157	unknown	United States	23275	LM-USAUS	false
74.140.211.129	unknown	United States	10796	TWC-10796-MIDWESTUS	false
97.78.71.158	unknown	United States	33363	BHN-33363US	false
184.142.114.154	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
93.32.193.143	unknown	Italy	12874	FASTWEBIT	false
93.50.106.246	unknown	Italy	12874	FASTWEBIT	false
45.143.235.203	unknown	Estonia	39855	MOD-EUNL	false
72.59.167.134	unknown	United States	10507	SPCSUS	false
38.200.160.186	unknown	United States	174	COGENT-174US	false
70.131.55.48	unknown	United States	7018	ATT-INTERNET4US	false
24.194.248.225	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
8.166.90.215	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

Runtime Messages

Command:	/tmp/z0x3n.x86
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	0G0dn3t Got To Ya!
Standard Error:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
20.73.200.192	x86	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	gbk4XWulUo	Get hash	malicious	Browse	212.167.164.218
	Tsunami.arm	Get hash	malicious	Browse	156.134.58.72
	x86	Get hash	malicious	Browse	57.111.44.42
	ivImhRZqGa	Get hash	malicious	Browse	57.111.19.90
	07xBxVsvEn	Get hash	malicious	Browse	57.79.150.70
	wTFR3LK4Mo	Get hash	malicious	Browse	57.92.163.149
	bKHI9UT0D1	Get hash	malicious	Browse	57.127.117.170
	eNrYzJWFvB	Get hash	malicious	Browse	200.240.115.57
	GQM8qzLfFs	Get hash	malicious	Browse	57.105.13.102
	sora.arm	Get hash	malicious	Browse	57.70.235.20
	Tf9ATzpdKR	Get hash	malicious	Browse	200.226.197.191
	b3astmode.arm	Get hash	malicious	Browse	57.74.72.11
	yFbmGHoONE	Get hash	malicious	Browse	156.134.58.77
	FWsCarsq8Q	Get hash	malicious	Browse	156.135.155.197
	buiodawbdawbuiopdw.x86	Get hash	malicious	Browse	62.229.123.252
	arm7	Get hash	malicious	Browse	57.99.202.79
	arm	Get hash	malicious	Browse	57.86.239.254
	arm7	Get hash	malicious	Browse	156.134.58.88
	arm	Get hash	malicious	Browse	57.84.148.190
	sora.arm	Get hash	malicious	Browse	57.117.171.166
LEVEL3US	z0x3n.arm	Get hash	malicious	Browse	4.77.193.187
	jGVlUAzDbQ	Get hash	malicious	Browse	138.12.216.235
	ev1JsPbdMA	Get hash	malicious	Browse	138.12.216.253
	QZ2CN6CUyv	Get hash	malicious	Browse	9.162.77.202
	Xs0PMn85CN	Get hash	malicious	Browse	4.7.177.40
	x86	Get hash	malicious	Browse	216.141.213.58
	KXAJjgoH22	Get hash	malicious	Browse	4.45.235.181
	Z7QqCH0bak	Get hash	malicious	Browse	157.199.162.106
	zouBbQwUTb	Get hash	malicious	Browse	9.44.191.61
	x86_64	Get hash	malicious	Browse	64.154.123.164
	U1WRbn3wOa	Get hash	malicious	Browse	9.152.52.161
	RVG73cR3DP	Get hash	malicious	Browse	4.136.211.76
	9QPGr9LMaq	Get hash	malicious	Browse	206.33.161.35
	32UX3eB2m0	Get hash	malicious	Browse	9.169.60.90
	jJ6GK5qbZt	Get hash	malicious	Browse	4.125.80.128
	x86	Get hash	malicious	Browse	166.90.237.153
	hvYTLlrdRm	Get hash	malicious	Browse	4.204.173.89
	1b5356SnwB	Get hash	malicious	Browse	75.103.49.235
	vEBWe85OY5	Get hash	malicious	Browse	8.196.29.107
	S1WMHUXAQU	Get hash	malicious	Browse	4.234.132.186
CMNET-GDGuangdongMobileCommunicationCoLtdCN	QZ2CN6CUyv	Get hash	malicious	Browse	183.224.188.131
	x86	Get hash	malicious	Browse	183.255.19.37
	ivImhRZqGa	Get hash	malicious	Browse	117.139.191.41
	Z7QqCH0bak	Get hash	malicious	Browse	36.175.118.55
	PpZvxl4DJg	Get hash	malicious	Browse	36.164.147.131
	arm7	Get hash	malicious	Browse	117.187.200.202
	U1WRbn3wOa	Get hash	malicious	Browse	112.47.118.185
	RVG73cR3DP	Get hash	malicious	Browse	39.131.235.1
	hvYTLlrdRm	Get hash	malicious	Browse	123.82.185.223
	2pPPNW1XSo	Get hash	malicious	Browse	112.50.147.80
	S1WMHUXAQU	Get hash	malicious	Browse	117.150.97.40
	st2AAeCXsR	Get hash	malicious	Browse	112.31.237.169
	OklOTajM3X.exe	Get hash	malicious	Browse	111.12.28.24
	mdyu2wtnR8	Get hash	malicious	Browse	36.167.38.135
	egd7wSpaw2	Get hash	malicious	Browse	39.133.46.94
	KfvEoN0wIw	Get hash	malicious	Browse	223.75.114.193
	Xb1sM3W7BK	Get hash	malicious	Browse	111.28.163.155
	txwaNf62fv	Get hash	malicious	Browse	122.77.200.46
	nLfUJu0kEA	Get hash	malicious	Browse	223.82.2.220
	K1fia4oWep	Get hash	malicious	Browse	111.60.197.135

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.455104594575481
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	z0x3n.x86
File size:	63664
MD5:	c2c1c54bbc5f372df082aebc0d983716
SHA1:	2c9ebbad068ea09d2fcf7cfff48608a8abdf4337
SHA256:	dd9c8a7d71f944ded984394fcc021043403e3a39ef424d70d2a3a18c3b58b69d
SHA512:	dfd1c9ad3a1da9d190717f77e407774d2b9bd68986fdeb3fd7dff3bd7d8852311d5df9eb1d0f350e4d221d9b494f00afc128e3a2ef3f96e67456020e6f73dfa2
SSDEEP:	1536:WuIDGwqmkZxXP5XM4wCadEzKC18HqmPWJBus0eD/OQAy9T:PIDsbZxf5XM4wCq0zCHqpEs5/22
File Content Preview:	.ELF....................d...4... .......4. ...(.....................................................\...\...........Q.td............................U..S............h........[]...$.............U......=.....t..5...................u........t....h.u..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63264
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xe636	0x0	0x6	AX	16
.fini	PROGBITS	0x80566e6	0xe6e6	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8056700	0xe700	0xe80	0x0	0x2	A	32
.ctors	PROGBITS	0x8058584	0xf584	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805858c	0xf58c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x80585c0	0xf5c0	0x120	0x0	0x3	WA	32
.bss	NOBITS	0x80586e0	0xf6e0	0x800	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xf6e0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xf580	0xf580	3.7842	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xf584	0x8058584	0x8058584	0x15c	0x95c	2.4470	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2021 08:54:44.494484901 CET	23086	23	192.168.2.23	103.61.176.109
Nov 1, 2021 08:54:44.494487047 CET	23086	2323	192.168.2.23	47.1.101.157
Nov 1, 2021 08:54:44.494514942 CET	23086	23	192.168.2.23	182.193.240.200
Nov 1, 2021 08:54:44.494519949 CET	23086	23	192.168.2.23	84.203.31.69
Nov 1, 2021 08:54:44.494525909 CET	23086	23	192.168.2.23	149.100.205.117
Nov 1, 2021 08:54:44.494533062 CET	23086	23	192.168.2.23	210.212.65.221
Nov 1, 2021 08:54:44.494535923 CET	23086	23	192.168.2.23	136.162.110.105
Nov 1, 2021 08:54:44.494556904 CET	23086	23	192.168.2.23	36.119.11.175
Nov 1, 2021 08:54:44.494566917 CET	23086	2323	192.168.2.23	125.229.138.235
Nov 1, 2021 08:54:44.494570017 CET	23086	23	192.168.2.23	77.163.249.232
Nov 1, 2021 08:54:44.494575977 CET	23086	23	192.168.2.23	196.101.75.42
Nov 1, 2021 08:54:44.494575024 CET	23086	23	192.168.2.23	54.128.144.224
Nov 1, 2021 08:54:44.494580984 CET	23086	23	192.168.2.23	95.44.64.51
Nov 1, 2021 08:54:44.494581938 CET	23086	23	192.168.2.23	62.169.67.211
Nov 1, 2021 08:54:44.494589090 CET	23086	23	192.168.2.23	87.194.59.225
Nov 1, 2021 08:54:44.494595051 CET	23086	23	192.168.2.23	67.228.183.69
Nov 1, 2021 08:54:44.494599104 CET	23086	23	192.168.2.23	17.253.179.71
Nov 1, 2021 08:54:44.494615078 CET	23086	23	192.168.2.23	102.71.3.185
Nov 1, 2021 08:54:44.494621038 CET	23086	23	192.168.2.23	91.111.19.201
Nov 1, 2021 08:54:44.494625092 CET	23086	23	192.168.2.23	57.236.55.216
Nov 1, 2021 08:54:44.494630098 CET	23086	23	192.168.2.23	166.150.88.190
Nov 1, 2021 08:54:44.494633913 CET	23086	23	192.168.2.23	94.231.7.73
Nov 1, 2021 08:54:44.494637966 CET	23086	23	192.168.2.23	114.112.47.159
Nov 1, 2021 08:54:44.494642973 CET	23086	23	192.168.2.23	117.90.192.120
Nov 1, 2021 08:54:44.494652987 CET	23086	23	192.168.2.23	135.2.225.206
Nov 1, 2021 08:54:44.494654894 CET	23086	23	192.168.2.23	168.144.25.169
Nov 1, 2021 08:54:44.494666100 CET	23086	23	192.168.2.23	71.158.19.146
Nov 1, 2021 08:54:44.494669914 CET	23086	23	192.168.2.23	208.151.213.102
Nov 1, 2021 08:54:44.494676113 CET	23086	23	192.168.2.23	81.95.135.55
Nov 1, 2021 08:54:44.494678974 CET	23086	23	192.168.2.23	169.26.177.164
Nov 1, 2021 08:54:44.494688034 CET	23086	23	192.168.2.23	99.11.81.41
Nov 1, 2021 08:54:44.494695902 CET	23086	2323	192.168.2.23	105.13.231.165
Nov 1, 2021 08:54:44.494703054 CET	23086	23	192.168.2.23	142.110.219.84
Nov 1, 2021 08:54:44.494710922 CET	23086	23	192.168.2.23	90.180.225.184
Nov 1, 2021 08:54:44.494718075 CET	23086	2323	192.168.2.23	213.147.72.17
Nov 1, 2021 08:54:44.494728088 CET	23086	23	192.168.2.23	88.133.77.153
Nov 1, 2021 08:54:44.494735956 CET	23086	23	192.168.2.23	13.144.12.20
Nov 1, 2021 08:54:44.494744062 CET	23086	23	192.168.2.23	9.113.2.215
Nov 1, 2021 08:54:44.494829893 CET	23086	2323	192.168.2.23	192.182.27.143
Nov 1, 2021 08:54:44.494848967 CET	23086	23	192.168.2.23	93.147.13.9
Nov 1, 2021 08:54:44.494860888 CET	23086	23	192.168.2.23	157.248.119.132
Nov 1, 2021 08:54:44.494879961 CET	23086	23	192.168.2.23	41.244.119.157
Nov 1, 2021 08:54:44.494893074 CET	23086	23	192.168.2.23	38.231.100.31
Nov 1, 2021 08:54:44.494894028 CET	23086	23	192.168.2.23	177.126.89.178
Nov 1, 2021 08:54:44.494899035 CET	23086	23	192.168.2.23	175.29.25.120
Nov 1, 2021 08:54:44.494900942 CET	23086	23	192.168.2.23	168.96.135.118
Nov 1, 2021 08:54:44.494904041 CET	23086	23	192.168.2.23	79.144.135.159
Nov 1, 2021 08:54:44.494908094 CET	23086	23	192.168.2.23	23.203.110.240
Nov 1, 2021 08:54:44.494913101 CET	23086	23	192.168.2.23	192.39.107.5
Nov 1, 2021 08:54:44.494920015 CET	23086	23	192.168.2.23	207.200.60.116
Nov 1, 2021 08:54:44.494921923 CET	23086	23	192.168.2.23	106.9.22.179
Nov 1, 2021 08:54:44.494925022 CET	23086	23	192.168.2.23	168.188.118.67
Nov 1, 2021 08:54:44.494931936 CET	23086	23	192.168.2.23	172.101.143.80
Nov 1, 2021 08:54:44.494940042 CET	23086	23	192.168.2.23	90.36.198.213
Nov 1, 2021 08:54:44.494940996 CET	23086	23	192.168.2.23	95.37.84.8
Nov 1, 2021 08:54:44.494944096 CET	23086	23	192.168.2.23	148.113.199.84
Nov 1, 2021 08:54:44.494947910 CET	23086	2323	192.168.2.23	37.37.20.176
Nov 1, 2021 08:54:44.494949102 CET	23086	23	192.168.2.23	211.135.191.116
Nov 1, 2021 08:54:44.494950056 CET	23086	23	192.168.2.23	43.25.49.174
Nov 1, 2021 08:54:44.494956017 CET	23086	23	192.168.2.23	220.180.220.136
Nov 1, 2021 08:54:44.494956970 CET	23086	23	192.168.2.23	144.38.62.167
Nov 1, 2021 08:54:44.494960070 CET	23086	23	192.168.2.23	206.178.246.74
Nov 1, 2021 08:54:44.494961977 CET	23086	23	192.168.2.23	204.247.180.235
Nov 1, 2021 08:54:44.494961977 CET	23086	23	192.168.2.23	91.81.206.80
Nov 1, 2021 08:54:44.494967937 CET	23086	23	192.168.2.23	173.235.156.192
Nov 1, 2021 08:54:44.494971037 CET	23086	23	192.168.2.23	181.168.181.208
Nov 1, 2021 08:54:44.494976044 CET	23086	23	192.168.2.23	194.175.77.180
Nov 1, 2021 08:54:44.494981050 CET	23086	2323	192.168.2.23	181.70.39.27
Nov 1, 2021 08:54:44.494985104 CET	23086	23	192.168.2.23	135.80.10.226
Nov 1, 2021 08:54:44.494987011 CET	23086	23	192.168.2.23	70.111.162.198
Nov 1, 2021 08:54:44.494987965 CET	23086	23	192.168.2.23	191.65.249.239
Nov 1, 2021 08:54:44.494990110 CET	23086	23	192.168.2.23	219.75.195.252
Nov 1, 2021 08:54:44.494997025 CET	23086	23	192.168.2.23	219.50.175.75
Nov 1, 2021 08:54:44.494997978 CET	23086	23	192.168.2.23	53.46.48.214
Nov 1, 2021 08:54:44.494998932 CET	23086	23	192.168.2.23	199.2.2.244
Nov 1, 2021 08:54:44.495001078 CET	23086	23	192.168.2.23	105.195.34.226
Nov 1, 2021 08:54:44.495006084 CET	23086	2323	192.168.2.23	68.190.30.118
Nov 1, 2021 08:54:44.495008945 CET	23086	2323	192.168.2.23	156.58.60.49
Nov 1, 2021 08:54:44.495011091 CET	23086	2323	192.168.2.23	169.159.209.10
Nov 1, 2021 08:54:44.495012999 CET	23086	23	192.168.2.23	159.153.1.91
Nov 1, 2021 08:54:44.495014906 CET	23086	23	192.168.2.23	130.16.13.39
Nov 1, 2021 08:54:44.495016098 CET	23086	23	192.168.2.23	84.240.21.120
Nov 1, 2021 08:54:44.495018959 CET	23086	23	192.168.2.23	202.86.191.141
Nov 1, 2021 08:54:44.495019913 CET	23086	23	192.168.2.23	113.184.232.18
Nov 1, 2021 08:54:44.495021105 CET	23086	23	192.168.2.23	96.122.148.73
Nov 1, 2021 08:54:44.495024920 CET	23086	23	192.168.2.23	169.99.97.134
Nov 1, 2021 08:54:44.495024920 CET	23086	23	192.168.2.23	118.25.39.241
Nov 1, 2021 08:54:44.495028973 CET	23086	23	192.168.2.23	80.240.39.202
Nov 1, 2021 08:54:44.495028973 CET	23086	23	192.168.2.23	151.170.136.79
Nov 1, 2021 08:54:44.495028973 CET	23086	23	192.168.2.23	209.117.244.238
Nov 1, 2021 08:54:44.495031118 CET	23086	23	192.168.2.23	213.90.218.55
Nov 1, 2021 08:54:44.495037079 CET	23086	23	192.168.2.23	89.229.157.236
Nov 1, 2021 08:54:44.495039940 CET	23086	23	192.168.2.23	197.64.130.104
Nov 1, 2021 08:54:44.495047092 CET	23086	23	192.168.2.23	95.233.233.99
Nov 1, 2021 08:54:44.495049000 CET	23086	23	192.168.2.23	161.107.177.4
Nov 1, 2021 08:54:44.495053053 CET	23086	23	192.168.2.23	145.45.101.231
Nov 1, 2021 08:54:44.495058060 CET	23086	23	192.168.2.23	17.168.180.243
Nov 1, 2021 08:54:44.495059967 CET	23086	23	192.168.2.23	138.245.62.181
Nov 1, 2021 08:54:44.495066881 CET	23086	2323	192.168.2.23	86.0.55.109
Nov 1, 2021 08:54:44.495070934 CET	23086	23	192.168.2.23	158.220.84.116

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 1, 2021 08:54:44.484302044 CET	192.168.2.23	8.8.8.8	0xee26	Standard query (0)	z0x3n.cf	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 1, 2021 08:54:44.512578011 CET	8.8.8.8	192.168.2.23	0xee26	No error (0)	z0x3n.cf		37.0.10.67	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: z0x3n.x86 PID: 5231 Parent PID: 5116

General

Start time:	08:54:44
Start date:	01/11/2021
Path:	/tmp/z0x3n.x86
Arguments:	/tmp/z0x3n.x86
File size:	63664 bytes
MD5 hash:	c2c1c54bbc5f372df082aebc0d983716

Analysis Process: z0x3n.x86 PID: 5232 Parent PID: 5231

General

Start time:	08:54:44
Start date:	01/11/2021
Path:	/tmp/z0x3n.x86
Arguments:	n/a
File size:	63664 bytes
MD5 hash:	c2c1c54bbc5f372df082aebc0d983716

Analysis Process: z0x3n.x86 PID: 5233 Parent PID: 5231

General

Start time:	08:54:44
Start date:	01/11/2021
Path:	/tmp/z0x3n.x86
Arguments:	n/a
File size:	63664 bytes
MD5 hash:	c2c1c54bbc5f372df082aebc0d983716

Analysis Process: z0x3n.x86 PID: 5234 Parent PID: 5233

General

Start time:	08:54:44
Start date:	01/11/2021
Path:	/tmp/z0x3n.x86
Arguments:	n/a
File size:	63664 bytes
MD5 hash:	c2c1c54bbc5f372df082aebc0d983716

Analysis Process: z0x3n.x86 PID: 5235 Parent PID: 5233

General

Start time:	08:54:44
Start date:	01/11/2021
Path:	/tmp/z0x3n.x86
Arguments:	n/a
File size:	63664 bytes
MD5 hash:	c2c1c54bbc5f372df082aebc0d983716

Analysis Process: z0x3n.x86 PID: 5236 Parent PID: 5233

General

Start time:	08:54:44
Start date:	01/11/2021
Path:	/tmp/z0x3n.x86
Arguments:	n/a
File size:	63664 bytes
MD5 hash:	c2c1c54bbc5f372df082aebc0d983716

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report z0x3n.x86

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: z0x3n.x86 PID: 5231 Parent PID: 5116

General

Analysis Process: z0x3n.x86 PID: 5232 Parent PID: 5231

General

Analysis Process: z0x3n.x86 PID: 5233 Parent PID: 5231

General

Analysis Process: z0x3n.x86 PID: 5234 Parent PID: 5233

General

Analysis Process: z0x3n.x86 PID: 5235 Parent PID: 5233

General

Analysis Process: z0x3n.x86 PID: 5236 Parent PID: 5233

General