Play interactive tour

Edit tour

Linux Analysis Report mipsel

Overview

General Information

Sample Name:	mipsel
Analysis ID:	513619
MD5:	04b94c63425607f5f58ebd51578dd8e8
SHA1:	a2165f05ecfce4f95f6afc61574361e6db9b2a43
SHA256:	4fddb7884d4855b8b1864825992139fd2b29d46c198b4366ec33e2beb0a2f1e2
Tags:	Mirai
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample deletes itself

Uses known network protocols on non-standard ports

Yara signature match

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	513619
Start date:	02.11.2021
Start time:	11:45:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	mipsel
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.evad.lin@0/0@1/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100 VT rate limit hit for: /opt/package/joesandbox/database/analysis/513619/sample/mipsel

Process Tree

system is lnxubuntu20

mipsel (PID: 5233, Parent: 5108, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel

mipsel New Fork (PID: 5235, Parent: 5233)

mipsel New Fork (PID: 5237, Parent: 5235)

mipsel New Fork (PID: 5238, Parent: 5235)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
mipsel	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x1d818:$x1: POST /cdn-cgi/ 0x1cf60:$x3: /dev/watchdog 0x1f793:$x5: .mdebug.abi32 0x1ff07:$x5: .mdebug.abi32 0x1d094:$s1: LCOGQGPTGP
mipsel	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x1d818:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
mipsel	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
mipsel	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
mipsel	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x1d818:$x1: POST /cdn-cgi/ 0x1cf60:$x3: /dev/watchdog 0x1f793:$x5: .mdebug.abi32 0x1ff07:$x5: .mdebug.abi32 0x1d094:$s1: LCOGQGPTGP
5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x1d818:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: mipsel

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: mipsel	Metadefender: Detection: 28%			Perma Link
Source: mipsel	ReversingLabs: Detection: 65%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46062
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 200.123.216.56:23 -> 192.168.2.23:55664
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 200.123.216.56:23 -> 192.168.2.23:55664
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46084
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46086
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46088
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.239.57.22:23 -> 192.168.2.23:49690
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.77.127.14:23 -> 192.168.2.23:36702
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43404
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 119.77.127.14:23 -> 192.168.2.23:36702
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 119.77.127.14:23 -> 192.168.2.23:36702
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.43.124.73:23 -> 192.168.2.23:41016
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43416
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 185.239.57.22:23 -> 192.168.2.23:49690
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 185.239.57.22:23 -> 192.168.2.23:49690
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43478
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 200.123.216.56:23 -> 192.168.2.23:55808
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 200.123.216.56:23 -> 192.168.2.23:55808
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46230
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:46230 -> 77.40.22.64:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.172.4.223:23 -> 192.168.2.23:47738
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46238
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46256
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43520
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.77.127.14:23 -> 192.168.2.23:36848
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.43.124.73:23 -> 192.168.2.23:41182
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:41182 -> 177.43.124.73:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 119.77.127.14:23 -> 192.168.2.23:36848
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 119.77.127.14:23 -> 192.168.2.23:36848
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.249.138.247:23 -> 192.168.2.23:43830
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 188.150.249.151: -> 192.168.2.23:
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43618
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37166
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.239.57.22:23 -> 192.168.2.23:49968
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37182
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37210
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37260
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43752
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 185.239.57.22:23 -> 192.168.2.23:49968
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 185.239.57.22:23 -> 192.168.2.23:49968
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37288
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 200.123.216.56:23 -> 192.168.2.23:56094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 200.123.216.56:23 -> 192.168.2.23:56094
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37308
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.172.4.223:23 -> 192.168.2.23:48014
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37318
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37330
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46538
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43824
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.127.17.54:23 -> 192.168.2.23:34412
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46568
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.40.22.64:23 -> 192.168.2.23:46576
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37344
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.43.124.73:23 -> 192.168.2.23:41480
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.77.127.14:23 -> 192.168.2.23:37180
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.31.39.138:23 -> 192.168.2.23:37408
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 62.141.106.224:23 -> 192.168.2.23:59696
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 62.141.106.224:23 -> 192.168.2.23:59702
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 62.141.106.224:23 -> 192.168.2.23:59706
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 62.141.106.224:23 -> 192.168.2.23:59710
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43902
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 119.77.127.14:23 -> 192.168.2.23:37180
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 119.77.127.14:23 -> 192.168.2.23:37180
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 62.141.106.224:23 -> 192.168.2.23:59716
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:43960
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 200.123.216.56:23 -> 192.168.2.23:56296
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 200.123.216.56:23 -> 192.168.2.23:56296
Source: Traffic	Snort IDS: 716 INFO TELNET access 210.172.4.223:23 -> 192.168.2.23:48228
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.239.57.22:23 -> 192.168.2.23:50292
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.127.32.88:23 -> 192.168.2.23:55324
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.219.122:23 -> 192.168.2.23:44038
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.127.17.54:23 -> 192.168.2.23:34622

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36714
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36720
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36726
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36728
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36738
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36740
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36742

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:54948 -> 156.96.156.212:55650
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 210.101.74.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 182.18.121.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 126.112.115.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 181.35.27.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 32.159.247.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 34.139.197.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 14.183.74.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 163.5.90.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 92.208.29.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 175.152.234.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 168.238.43.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 160.194.45.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 24.178.195.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 61.175.107.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 167.112.11.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 169.61.161.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 186.10.159.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 170.229.3.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 9.86.117.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 120.92.45.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 112.46.189.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 83.94.210.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 76.10.33.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 142.223.221.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 136.133.122.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 162.186.103.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 63.183.240.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 9.248.255.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 12.36.26.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 2.48.177.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 211.255.253.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 139.129.5.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 123.162.103.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 31.52.188.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 184.87.168.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 211.204.52.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 139.45.161.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 160.240.218.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 59.54.237.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 50.87.99.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 13.10.230.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 116.31.108.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 218.254.181.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 201.209.12.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 109.90.87.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 164.134.52.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 217.247.205.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 145.71.58.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 108.33.130.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 96.152.28.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 150.109.192.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 8.20.120.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 114.217.10.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 86.128.167.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 103.63.210.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 135.170.166.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.240.197.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 157.174.68.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 8.9.56.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 154.249.91.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 114.129.38.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.220.191.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 107.158.1.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.188.141.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 36.163.17.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.3.36.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 90.158.209.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 92.27.137.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 120.189.136.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 145.67.27.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 43.139.235.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 184.89.218.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 199.141.200.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 150.24.22.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 160.254.104.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 223.155.87.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 149.111.18.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 5.86.43.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 203.80.106.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 194.96.13.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 198.160.155.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 99.173.161.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 92.115.218.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 195.9.166.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 92.74.108.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 78.81.246.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 167.19.186.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 17.253.114.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 18.89.182.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 84.101.29.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 65.185.137.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 97.177.23.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 157.52.94.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 110.108.231.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 64.234.88.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 144.204.90.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.92.203.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 164.11.86.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 152.40.55.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 159.51.179.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.159.236.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 169.49.128.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 168.219.103.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 180.69.111.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 99.103.229.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.193.5.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 49.102.30.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 221.52.102.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 84.252.116.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 1.52.73.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.88.147.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 173.14.71.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 112.81.138.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 112.74.244.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 160.212.127.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 89.129.252.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 155.57.181.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.190.152.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 160.138.252.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 87.39.28.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 110.138.81.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 38.67.105.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 217.85.51.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 66.230.203.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 159.177.193.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 12.80.100.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 52.185.23.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 119.168.197.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 101.45.93.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 95.31.131.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 171.152.113.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 25.152.218.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 118.74.34.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 196.69.100.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 27.166.15.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 144.254.158.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 136.68.89.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.118.196.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 181.137.242.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 54.168.108.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 183.125.143.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 115.168.175.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.33.64.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 67.68.159.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 87.113.190.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.140.61.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 19.177.80.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.167.162.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 84.122.140.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 46.142.166.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.32.181.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 18.72.61.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 188.115.87.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 186.78.109.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.253.62.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 170.220.51.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 81.50.222.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.213.95.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.122.153.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 121.28.141.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 173.204.207.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 184.57.221.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 120.63.3.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.19.221.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 144.98.225.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 92.113.92.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.22.101.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 164.41.45.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 38.203.56.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 69.158.210.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 110.186.197.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 211.225.88.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 89.213.155.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 188.108.192.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 174.140.90.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 196.70.254.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 125.64.123.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 157.116.189.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 64.211.190.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 107.96.160.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 77.243.211.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 24.235.228.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 122.243.251.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.49.228.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 47.84.50.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 50.37.117.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 124.113.51.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 57.16.217.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 93.56.69.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 118.99.72.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 74.215.191.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 180.5.43.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 106.6.2.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 156.128.10.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 209.168.60.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 69.147.162.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 161.9.179.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 174.255.198.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 180.182.196.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 191.239.248.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 101.191.108.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 119.77.10.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 37.13.140.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 118.109.87.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 135.203.84.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 31.108.248.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 158.71.198.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 213.23.140.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 164.208.21.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.173.174.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 43.64.69.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 210.58.235.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 123.156.245.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 216.216.67.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 32.161.30.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 37.234.240.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 200.53.103.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 100.135.244.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 120.191.146.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 73.126.240.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 218.179.247.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 145.25.98.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 105.209.212.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 90.80.37.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 53.143.42.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 219.165.213.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 115.28.58.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 158.113.217.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 166.239.33.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 191.231.126.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 219.15.125.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 4.68.168.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 149.161.142.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 89.70.125.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 77.59.93.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.138.216.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 113.218.161.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.58.80.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 184.203.106.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 142.178.244.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 223.53.201.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.15.159.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 213.216.112.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 206.130.60.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 146.30.236.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 213.53.181.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 12.101.148.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 66.116.11.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 50.60.18.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 147.100.21.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 200.189.72.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 200.99.60.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 216.13.205.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.166.124.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 86.180.29.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 35.140.205.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 204.107.24.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 166.218.147.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.145.185.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 65.197.167.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 37.37.101.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 110.231.89.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 93.112.41.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 81.187.16.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 40.228.146.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 218.181.190.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 45.67.27.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.186.144.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 130.136.120.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 125.219.188.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 135.240.145.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 203.242.21.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 209.222.100.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 74.108.75.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 101.20.18.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 211.42.229.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 108.63.104.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 202.93.1.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 38.7.212.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 113.116.54.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 180.10.220.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 77.135.245.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 9.163.52.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 131.13.237.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 39.92.186.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 212.132.47.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 144.236.45.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 48.210.57.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 135.92.0.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 131.181.97.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 35.114.147.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 146.172.105.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 151.114.80.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 128.61.103.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 148.121.104.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 34.167.18.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 178.189.38.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 136.157.150.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 78.169.72.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 155.1.43.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 34.119.44.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.53.161.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 196.35.255.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 14.15.137.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 107.246.184.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 113.60.43.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 154.233.35.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 67.250.35.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 149.46.172.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 24.206.91.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 137.115.143.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 110.53.232.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 102.81.242.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 59.138.224.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 48.0.87.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 165.188.149.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 38.135.214.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 112.39.160.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 5.162.96.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 54.189.124.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 80.135.192.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 166.26.148.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 48.105.38.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 183.12.96.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 191.136.171.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 174.233.255.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 73.45.76.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 63.55.183.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 90.147.195.180:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 174.177.247.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 115.17.229.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 184.85.29.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 125.15.122.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 156.48.90.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 81.66.113.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 175.217.22.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 121.120.105.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 82.246.230.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 2.87.79.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 135.213.3.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 53.146.80.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 63.192.62.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.219.22.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 197.171.198.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 72.93.110.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 138.1.157.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 208.119.15.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 114.218.0.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 119.50.164.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 212.114.11.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 125.85.134.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 88.30.248.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 150.85.200.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 25.207.62.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 219.19.92.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 130.182.148.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 142.13.62.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 83.0.147.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 75.206.42.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 207.177.108.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 95.131.46.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 47.166.181.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 91.250.147.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 221.108.207.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 218.244.176.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 154.198.252.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 23.6.154.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 99.171.31.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 71.154.14.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 49.13.241.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 43.56.25.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 39.107.211.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 73.132.10.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 209.202.138.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 19.240.213.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 188.145.2.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 67.124.24.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 135.60.84.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 159.211.120.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 219.253.209.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 145.153.59.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 19.19.210.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 169.37.75.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 106.243.103.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 203.138.8.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 110.249.70.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 195.66.144.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 188.91.150.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 108.187.62.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 180.80.238.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 35.10.43.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 23.138.48.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 90.128.214.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 137.240.45.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.222.56.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 161.61.20.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.108.94.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 39.236.5.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 14.201.4.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 124.201.224.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 207.72.62.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 160.135.123.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 206.231.205.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 39.100.234.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 167.116.61.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 182.86.182.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 204.136.99.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 78.76.121.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 82.24.124.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 190.124.100.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 2.238.35.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 202.248.150.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 96.202.122.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 77.140.229.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 133.164.78.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 175.35.45.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 217.187.152.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 177.107.27.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 89.111.219.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 99.227.227.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 204.45.110.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 81.119.38.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 213.224.150.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 102.106.95.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 50.26.89.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 67.132.69.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 79.124.131.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 143.111.27.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 95.40.72.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 204.146.137.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 88.242.125.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 117.65.63.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 31.92.152.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 186.84.149.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 191.224.243.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 178.119.30.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 123.120.173.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 23.180.99.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 112.168.215.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 79.232.68.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 188.193.35.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 212.97.135.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 66.119.36.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 164.95.230.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 108.76.37.193:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 109.246.201.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 123.187.246.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 213.123.108.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 106.103.80.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 84.97.57.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 163.45.249.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 132.137.73.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 116.87.250.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 111.55.20.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 173.205.255.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 48.56.0.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 128.141.7.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 161.42.5.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 140.174.96.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 52.125.29.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 193.73.186.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 200.28.182.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 194.177.153.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 114.240.213.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.217.184.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 64.210.31.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 99.158.186.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 220.221.72.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 14.119.88.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 205.160.23.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 138.152.194.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 118.14.75.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 132.217.105.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 140.240.160.58:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 47.147.51.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 14.136.94.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 62.145.233.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 75.231.243.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 213.209.150.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 161.104.227.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 99.77.91.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 53.42.222.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 221.177.43.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 43.221.93.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 202.135.227.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 194.237.219.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 196.223.181.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 82.148.88.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 96.51.177.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 175.164.142.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 49.165.74.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 206.228.91.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 12.152.78.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 145.87.53.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 164.83.70.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 104.179.37.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 102.222.151.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 34.51.145.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:32554 -> 18.79.71.33:2323

Source: /tmp/mipsel (PID: 5233)

Socket: 127.0.0.1::1124

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 86.39.206.104
Source: unknown	TCP traffic detected without corresponding DNS query: 159.123.66.105
Source: unknown	TCP traffic detected without corresponding DNS query: 95.94.197.228
Source: unknown	TCP traffic detected without corresponding DNS query: 88.94.8.146
Source: unknown	TCP traffic detected without corresponding DNS query: 169.52.122.144
Source: unknown	TCP traffic detected without corresponding DNS query: 109.189.178.23
Source: unknown	TCP traffic detected without corresponding DNS query: 182.18.121.150
Source: unknown	TCP traffic detected without corresponding DNS query: 190.196.95.226
Source: unknown	TCP traffic detected without corresponding DNS query: 173.19.73.5
Source: unknown	TCP traffic detected without corresponding DNS query: 68.17.52.150
Source: unknown	TCP traffic detected without corresponding DNS query: 174.252.132.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.178.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.126.80.103
Source: unknown	TCP traffic detected without corresponding DNS query: 109.253.252.137
Source: unknown	TCP traffic detected without corresponding DNS query: 64.14.175.12
Source: unknown	TCP traffic detected without corresponding DNS query: 17.65.47.188
Source: unknown	TCP traffic detected without corresponding DNS query: 155.136.129.234
Source: unknown	TCP traffic detected without corresponding DNS query: 186.252.1.210
Source: unknown	TCP traffic detected without corresponding DNS query: 204.28.106.19
Source: unknown	TCP traffic detected without corresponding DNS query: 158.143.25.34
Source: unknown	TCP traffic detected without corresponding DNS query: 24.40.42.84
Source: unknown	TCP traffic detected without corresponding DNS query: 126.112.115.52
Source: unknown	TCP traffic detected without corresponding DNS query: 156.163.106.228
Source: unknown	TCP traffic detected without corresponding DNS query: 24.104.21.201
Source: unknown	TCP traffic detected without corresponding DNS query: 112.167.52.9
Source: unknown	TCP traffic detected without corresponding DNS query: 177.136.245.176
Source: unknown	TCP traffic detected without corresponding DNS query: 181.35.27.125
Source: unknown	TCP traffic detected without corresponding DNS query: 66.158.252.83
Source: unknown	TCP traffic detected without corresponding DNS query: 46.124.196.135
Source: unknown	TCP traffic detected without corresponding DNS query: 60.117.107.80
Source: unknown	TCP traffic detected without corresponding DNS query: 52.158.121.230
Source: unknown	TCP traffic detected without corresponding DNS query: 76.120.137.198
Source: unknown	TCP traffic detected without corresponding DNS query: 161.96.182.157
Source: unknown	TCP traffic detected without corresponding DNS query: 41.85.33.128
Source: unknown	TCP traffic detected without corresponding DNS query: 115.147.120.61
Source: unknown	TCP traffic detected without corresponding DNS query: 44.243.19.229
Source: unknown	TCP traffic detected without corresponding DNS query: 32.159.247.166
Source: unknown	TCP traffic detected without corresponding DNS query: 211.149.218.170
Source: unknown	TCP traffic detected without corresponding DNS query: 106.86.30.44
Source: unknown	TCP traffic detected without corresponding DNS query: 146.13.181.184
Source: unknown	TCP traffic detected without corresponding DNS query: 51.109.159.140
Source: unknown	TCP traffic detected without corresponding DNS query: 189.207.59.251
Source: unknown	TCP traffic detected without corresponding DNS query: 128.83.231.183
Source: unknown	TCP traffic detected without corresponding DNS query: 40.250.220.121
Source: unknown	TCP traffic detected without corresponding DNS query: 160.91.82.176
Source: unknown	TCP traffic detected without corresponding DNS query: 89.251.167.59
Source: unknown	TCP traffic detected without corresponding DNS query: 62.174.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 43.206.72.34
Source: unknown	TCP traffic detected without corresponding DNS query: 96.170.114.187
Source: unknown	TCP traffic detected without corresponding DNS query: 197.106.45.223

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: mipsel, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: mipsel, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: mipsel, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: mipsel, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal100.troj.evad.lin@0/0@1/0

Source: mipsel

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2033/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1582/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2275/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1612/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1579/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1699/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1335/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1698/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2028/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1334/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1576/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2302/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/3236/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2025/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2146/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/912/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/759/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2307/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/918/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/5030/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1594/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2285/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2281/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1349/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1623/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/761/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/761/cmdline
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1622/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/884/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1983/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2038/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1586/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1465/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1344/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1860/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1463/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2156/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/800/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/801/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1629/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1627/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1900/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/491/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2294/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2050/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1877/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/772/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1633/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1599/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1632/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1477/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/774/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1476/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1872/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2048/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1475/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2289/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/777/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/658/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/936/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/936/cmdline
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1639/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1638/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2208/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2180/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1809/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1494/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1890/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2063/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2062/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1888/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1886/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1489/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/785/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1642/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/788/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/789/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1648/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2191/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2078/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2077/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2074/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2195/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/4490/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/793/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1656/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1654/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2226/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/1532/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/796/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/797/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2069/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2102/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2223/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/799/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2080/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/5110/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/5235/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/5235/cmdline
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2242/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2084/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/2083/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/5193/fd
Source: /tmp/mipsel (PID: 5238)	File opened: /proc/5194/fd

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself

Show sources

Source: /tmp/mipsel (PID: 5233)

File: /tmp/mipsel

Jump to behavior

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36714
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36720
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36726
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36728
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36738
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36740
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36742

Source: /tmp/mipsel (PID: 5233)

Queries kernel information via 'uname':

Source: mipsel, 5233.1.00000000e91062d0.0000000089bb831f.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel, 5233.1.00000000890da8ff.000000004edb4864.rw-.sdmp	Binary or memory string: Mx86_64/usr/bin/qemu-mipsel/tmp/mipselSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel
Source: mipsel, 5233.1.00000000e91062d0.0000000089bb831f.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mipsel, 5233.1.00000000890da8ff.000000004edb4864.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: mipsel, type: SAMPLE
Source: Yara match	File source: 5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: mipsel, type: SAMPLE
Source: Yara match	File source: 5233.1.00000000e211a54b.00000000ea571adb.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	File Deletion1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mipsel	29%	Metadefender		Browse
mipsel	65%	ReversingLabs	Linux.Trojan.Mirai
mipsel	100%	Avira	LINUX/Mirai.bonb

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	156.96.156.212	true	false		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
126.150.44.151	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
90.81.217.79	unknown	France	3215	FranceTelecom-OrangeFR	false
32.220.190.62	unknown	United States	46690	SNET-FCCUS	false
180.142.37.227	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
206.157.228.118	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
157.102.254.167	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
78.95.246.243	unknown	Saudi Arabia	39891	ALJAWWALSTC-ASSA	false
99.31.241.203	unknown	United States	7018	ATT-INTERNET4US	false
205.34.171.117	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
185.146.23.53	unknown	United States	55293	A2HOSTINGUS	false
25.138.111.88	unknown	United Kingdom	7922	COMCAST-7922US	false
92.55.152.37	unknown	Romania	39737	PRIME-TELECOM-ASRO	false
203.1.229.214	unknown	Australia	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
17.32.131.11	unknown	United States	714	APPLE-ENGINEERINGUS	false
52.13.176.234	unknown	United States	16509	AMAZON-02US	false
186.205.151.110	unknown	Brazil	28573	CLAROSABR	false
5.75.234.246	unknown	Germany	24940	HETZNER-ASDE	false
102.118.234.57	unknown	Mauritius	23889	MauritiusTelecomMU	false
111.134.166.239	unknown	China	24138	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
40.65.53.51	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
90.240.252.117	unknown	United Kingdom	5378	VodafoneGB	false
108.139.242.206	unknown	United States	16509	AMAZON-02US	false
32.190.163.250	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
44.36.244.222	unknown	United States	63479	HAMWANUS	false
142.91.37.47	unknown	United States	7203	LEASEWEB-USA-SFO-12US	false
161.96.213.124	unknown	Japan	7582	UMAC-AS-APUniversityofMacauMO	false
57.240.42.211	unknown	Belgium	2686	ATGS-MMD-ASUS	false
108.54.36.41	unknown	United States	701	UUNETUS	false
44.39.237.252	unknown	United States	7377	UCSDUS	false
72.155.240.173	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
213.51.218.89	unknown	Netherlands	33915	TNF-ASNL	false
126.74.201.174	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
134.90.40.201	unknown	Georgia	20771	CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE	false
8.20.120.86	unknown	United States	13832	AS13832US	false
131.217.159.45	unknown	Australia	7573	UTASTheUniversityofTasmaniaAU	false
90.176.158.155	unknown	Czech Republic	5610	O2-CZECH-REPUBLICCZ	false
131.39.50.0	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
50.144.231.57	unknown	United States	7922	COMCAST-7922US	false
195.172.155.96	unknown	United Kingdom	4589	EASYNETEasynetGlobalServicesEU	false
186.253.51.2	unknown	Brazil	26615	TIMSABR	false
98.61.107.109	unknown	United States	7922	COMCAST-7922US	false
134.229.178.148	unknown	United States	27066	DNIC-ASBLK-27032-27159US	false
203.239.13.14	unknown	Korea Republic of	9848	SEJONGTELECOM-AS-KRSejongTelecomKR	false
159.38.64.81	unknown	Sweden	19399	SLLNETEU	false
107.130.250.92	unknown	United States	7018	ATT-INTERNET4US	false
17.57.239.119	unknown	United States	714	APPLE-ENGINEERINGUS	false
111.61.56.107	unknown	China	24547	CMNET-V4HEBEI-AS-APHebeiMobileCommunicationCompanyLimit	false
85.64.123.47	unknown	Israel	1680	NV-ASNCELLCOMltdIL	false
116.188.238.135	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
129.154.242.2	unknown	United States	7160	NETDYNAMICSUS	false
122.57.38.135	unknown	New Zealand	4771	SPARKNZSparkNewZealandTradingLtdNZ	false
190.187.141.157	unknown	Peru	19180	AMERICATELPERUSAPE	false
110.9.24.108	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
154.134.132.111	unknown	Egypt	37069	MOBINILEG	false
89.127.32.88	unknown	Ireland	25441	IBIS-ASImagineGroupLtdIE	true
185.213.254.236	unknown	Israel	205564	INFINIDATIL	false
48.185.111.80	unknown	United States	2686	ATGS-MMD-ASUS	false
105.244.205.35	unknown	South Africa	36994	Vodacom-VBZA	false
103.236.165.144	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
134.184.14.239	unknown	Belgium	2611	BELNETBE	false
155.48.84.66	unknown	United States	16481	BABSON-GNETUS	false
143.16.48.49	unknown	United States	264008	LANCAMANTOANISERVICOSDEINFORMATICALTDA-MEBR	false
183.88.253.138	unknown	Thailand	45758	TRIPLETNET-AS-APTripleTInternetTripleTBroadbandTH	false
61.214.172.207	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
73.69.38.23	unknown	United States	7922	COMCAST-7922US	false
207.90.126.112	unknown	United States	7321	LNET-ASNUS	false
42.76.124.102	unknown	Taiwan; Republic of China (ROC)	17421	EMOME-NETMobileBusinessGroupTW	false
124.144.158.102	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
84.103.32.251	unknown	France	15557	LDCOMNETFR	false
171.43.62.146	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
45.255.61.36	unknown	China	132116	ANINETWORK-INAniNetworkPvtLtdIN	false
147.132.235.1	unknown	Australia	9650	CITEC-AU-APQLDGovernmentBusinessITAU	false
89.19.50.206	unknown	United Kingdom	61317	ASDETUKhttpwwwheficedcomGB	false
12.79.50.235	unknown	United States	7018	ATT-INTERNET4US	false
117.33.176.38	unknown	China	134768	CHINANET-SHAANXI-CLOUD-BASECHINANETSHAANXIprovinceCloud	false
106.178.155.250	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
40.65.77.63	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
198.84.178.65	unknown	Canada	5645	TEKSAVVYCA	false
52.203.21.38	unknown	United States	14618	AMAZON-AESUS	false
129.111.117.191	unknown	United States	26971	UTHSCSA-ASUS	false
89.107.90.194	unknown	Italy	39808	FONTELIT	false
197.16.212.62	unknown	Tunisia	37693	TUNISIANATN	false
95.144.4.23	unknown	United Kingdom	12576	EELtdGB	false
121.177.161.98	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
170.249.52.241	unknown	Canada	46618	DERYTELECOMCA	false
193.77.13.181	unknown	Slovenia	5603	SIOL-NETTelekomSlovenijeddSI	false
206.133.109.184	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
150.40.81.17	unknown	Japan	9991	SHUDO-UHiroshimaShudoUniversityJP	false
96.254.22.112	unknown	United States	5650	FRONTIER-FRTRUS	false
168.153.203.148	unknown	Australia	2764	AAPTAAPTLimitedAU	false
129.164.153.209	unknown	United States	297	AS297US	false
150.185.168.226	unknown	Venezuela	23007	UniversidaddeLosAndesVE	false
32.252.141.152	unknown	United States	2686	ATGS-MMD-ASUS	false
110.243.246.254	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
179.34.244.156	unknown	Brazil	26615	TIMSABR	false
178.9.146.143	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
178.229.218.209	unknown	Netherlands	31615	TMO-NL-ASNL	false
9.120.138.185	unknown	United States	3356	LEVEL3US	false
221.72.28.138	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
199.143.223.121	unknown	United States	4152	USDA-1US	false

Runtime Messages

Command:	/tmp/mipsel
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	qazwsxedc
Standard Error:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
44.36.244.222	mipsel	Get hash	malicious	Browse
111.134.166.239	PTn4GPy1jh	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
arcticboatz.cz	arm-20211102-0937	Get hash	malicious	Browse	156.96.156.212
	mips-20211102-0937	Get hash	malicious	Browse	156.96.156.212
	arm5-20211102-0937	Get hash	malicious	Browse	156.96.156.212
	arm7	Get hash	malicious	Browse	156.96.156.212
	x86_64	Get hash	malicious	Browse	156.96.156.212
	arm	Get hash	malicious	Browse	156.96.156.212
	x86_64	Get hash	malicious	Browse	156.96.156.212
	mips	Get hash	malicious	Browse	156.96.156.212
	arm6	Get hash	malicious	Browse	156.96.156.212
	arm7	Get hash	malicious	Browse	156.96.156.212
	arm5	Get hash	malicious	Browse	156.96.156.212

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GIGAINFRASoftbankBBCorpJP	arm-20211102-0937	Get hash	malicious	Browse	219.19.55.98
	sora.mpsl	Get hash	malicious	Browse	221.24.188.7
	sora.arm7	Get hash	malicious	Browse	60.156.178.255
	sora.x86	Get hash	malicious	Browse	219.55.17.249
	arm5-20211102-0937	Get hash	malicious	Browse	126.13.86.242
	zJk9UEOnQ7	Get hash	malicious	Browse	126.11.178.137
	MkyxPXGeTq	Get hash	malicious	Browse	126.59.74.157
	TlhOKlVSwf	Get hash	malicious	Browse	60.112.223.214
	Hilix.arm	Get hash	malicious	Browse	219.56.220.39
	BsXhIyIHzC	Get hash	malicious	Browse	220.50.151.236
	L831wSjET5	Get hash	malicious	Browse	112.136.40.250
	JVHk2b1Yd5	Get hash	malicious	Browse	219.54.86.103
	vRjXKh3l4n	Get hash	malicious	Browse	221.49.205.112
	WhFNix8BoE	Get hash	malicious	Browse	219.209.169.141
	aTQ4RalkUs	Get hash	malicious	Browse	219.56.219.26
	RPov9E0iot	Get hash	malicious	Browse	60.93.119.210
	8VANaS473t	Get hash	malicious	Browse	218.130.99.202
	yVbcX1sEtS	Get hash	malicious	Browse	221.55.216.106
	oiHTZaiKnI	Get hash	malicious	Browse	126.225.223.207
	SZAYTvvY9Y	Get hash	malicious	Browse	126.28.125.143
SNET-FCCUS	Ko84iLip1u	Get hash	malicious	Browse	32.221.121.104
	st2AAeCXsR	Get hash	malicious	Browse	32.219.214.98
	b3astmode.x86	Get hash	malicious	Browse	32.217.213.72
	8jfOcvTqQA	Get hash	malicious	Browse	32.212.157.51
	pandora.x86	Get hash	malicious	Browse	32.215.59.28
	hoho.arm	Get hash	malicious	Browse	32.212.164.173
	jew.x86	Get hash	malicious	Browse	32.217.201.238
	FbdUX5aU1N	Get hash	malicious	Browse	32.209.63.199
	G5vJ46b8cw	Get hash	malicious	Browse	32.221.121.129
	8h5TwcAsZi	Get hash	malicious	Browse	32.218.103.129
	Mun376v3Zy	Get hash	malicious	Browse	32.217.12.22
	rLGunciziY	Get hash	malicious	Browse	32.217.237.22
	wXGm2SnAnh	Get hash	malicious	Browse	32.219.9.75
	sSQ2BB4tyb	Get hash	malicious	Browse	32.223.212.248
	EKDuLCqKpg.dll	Get hash	malicious	Browse	32.213.40.128
	22693dBj8t	Get hash	malicious	Browse	32.212.116.201
	8kYSWVCyyy	Get hash	malicious	Browse	32.220.131.207
	0sf31umxYW	Get hash	malicious	Browse	32.213.34.91
	b3astmode.arm	Get hash	malicious	Browse	32.216.146.6
	mips	Get hash	malicious	Browse	32.211.0.224
FranceTelecom-OrangeFR	sora.arm7	Get hash	malicious	Browse	90.33.138.8
	sora.x86	Get hash	malicious	Browse	90.15.207.49
	sora.mips	Get hash	malicious	Browse	90.35.131.168
	sora.arm5	Get hash	malicious	Browse	90.117.147.103
	mips-20211102-0937	Get hash	malicious	Browse	109.218.10.134
	MkyxPXGeTq	Get hash	malicious	Browse	163.114.42.115
	TlhOKlVSwf	Get hash	malicious	Browse	83.114.43.82
	Hilix.arm	Get hash	malicious	Browse	90.70.5.162
	L831wSjET5	Get hash	malicious	Browse	90.65.125.251
	JVHk2b1Yd5	Get hash	malicious	Browse	90.40.164.3
	WhFNix8BoE	Get hash	malicious	Browse	86.222.195.131
	Hilix.x86	Get hash	malicious	Browse	83.195.96.18
	o6aMoZKsIK	Get hash	malicious	Browse	90.126.70.98
	yVbcX1sEtS	Get hash	malicious	Browse	92.163.220.65
	Ko84iLip1u	Get hash	malicious	Browse	90.67.227.39
	arH2Af5qoc	Get hash	malicious	Browse	90.22.85.198
	t7WU0JjLAR	Get hash	malicious	Browse	83.114.112.88
	FGVOkw9did	Get hash	malicious	Browse	86.229.55.251
	I5A5LzSAql	Get hash	malicious	Browse	62.160.230.46
	P8AVd483d7	Get hash	malicious	Browse	81.48.247.242

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.601050973810184
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mipsel
File size:	146516
MD5:	04b94c63425607f5f58ebd51578dd8e8
SHA1:	a2165f05ecfce4f95f6afc61574361e6db9b2a43
SHA256:	4fddb7884d4855b8b1864825992139fd2b29d46c198b4366ec33e2beb0a2f1e2
SHA512:	4924a4b7fb9b8d5cfe823bca0bd0b6b126e999607b45095a7e8658d4e2fe7d16ccb0171ef4c9ba39e1626b9a2fe7c64431021e8c14a0e73249795bbc09d6f31c
SSDEEP:	3072:g8GGdBiE2+IUJ0PbzCwbZnV+6nTmzWfiPklK:u+BipQ0PbmwRVnTmzWTK
File Content Preview:	.ELF....................`.@.4...L:......4. ...(...............@...@..$...$...............0...0F..0F.....p-..........Q.td...............................<...'!......'.......................<...'!... .........9'.. ........................<h..'!...........`.9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	145996
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x1cdb0	0x0	0x6	AX	16
.fini	PROGBITS	0x41ced0	0x1ced0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x41cf30	0x1cf30	0x5580	0x0	0x2	A	16
.ctors	PROGBITS	0x463000	0x23000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x463008	0x23008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x463014	0x23014	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x463020	0x23020	0x540	0x0	0x3	WA	16
.got	PROGBITS	0x463560	0x23560	0x494	0x4	0x10000003	WA	16
.sbss	NOBITS	0x4639f4	0x239f4	0x2c	0x0	0x10000003	WA	4
.bss	NOBITS	0x463a20	0x239f4	0x2350	0x0	0x3	WA	16
.shstrtab	STRTAB	0x0	0x239f4	0x56	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x224b0	0x224b0	3.6825	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x23000	0x463000	0x463000	0x9f4	0x2d70	2.6821	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2021 11:45:58.830200911 CET	54948	55650	192.168.2.23	156.96.156.212
Nov 2, 2021 11:45:58.864748955 CET	32554	2323	192.168.2.23	210.101.74.113
Nov 2, 2021 11:45:58.864820957 CET	32554	23	192.168.2.23	86.39.206.104
Nov 2, 2021 11:45:58.864840984 CET	32554	23	192.168.2.23	159.123.66.105
Nov 2, 2021 11:45:58.864840984 CET	32554	23	192.168.2.23	95.94.197.228
Nov 2, 2021 11:45:58.864852905 CET	32554	23	192.168.2.23	88.94.8.146
Nov 2, 2021 11:45:58.864895105 CET	32554	23	192.168.2.23	169.52.122.144
Nov 2, 2021 11:45:58.864913940 CET	32554	23	192.168.2.23	109.189.178.23
Nov 2, 2021 11:45:58.864918947 CET	32554	2323	192.168.2.23	182.18.121.150
Nov 2, 2021 11:45:58.864959002 CET	32554	23	192.168.2.23	190.196.95.226
Nov 2, 2021 11:45:58.864968061 CET	32554	23	192.168.2.23	173.19.73.5
Nov 2, 2021 11:45:58.864973068 CET	32554	23	192.168.2.23	68.17.52.150
Nov 2, 2021 11:45:58.864975929 CET	32554	23	192.168.2.23	174.252.132.179
Nov 2, 2021 11:45:58.864979982 CET	32554	23	192.168.2.23	104.131.178.200
Nov 2, 2021 11:45:58.864981890 CET	32554	23	192.168.2.23	131.126.80.103
Nov 2, 2021 11:45:58.864984035 CET	32554	23	192.168.2.23	109.253.252.137
Nov 2, 2021 11:45:58.864986897 CET	32554	23	192.168.2.23	64.14.175.12
Nov 2, 2021 11:45:58.864989042 CET	32554	23	192.168.2.23	17.65.47.188
Nov 2, 2021 11:45:58.864994049 CET	32554	23	192.168.2.23	155.136.129.234
Nov 2, 2021 11:45:58.864995003 CET	32554	23	192.168.2.23	186.252.1.210
Nov 2, 2021 11:45:58.865010023 CET	32554	23	192.168.2.23	204.28.106.19
Nov 2, 2021 11:45:58.865012884 CET	32554	23	192.168.2.23	158.143.25.34
Nov 2, 2021 11:45:58.865017891 CET	32554	23	192.168.2.23	24.40.42.84
Nov 2, 2021 11:45:58.865025043 CET	32554	2323	192.168.2.23	126.112.115.52
Nov 2, 2021 11:45:58.865029097 CET	32554	23	192.168.2.23	156.163.106.228
Nov 2, 2021 11:45:58.865031958 CET	32554	23	192.168.2.23	24.104.21.201
Nov 2, 2021 11:45:58.865034103 CET	32554	23	192.168.2.23	112.167.52.9
Nov 2, 2021 11:45:58.865036964 CET	32554	23	192.168.2.23	177.136.245.176
Nov 2, 2021 11:45:58.865039110 CET	32554	23	192.168.2.23	210.240.61.44
Nov 2, 2021 11:45:58.865046978 CET	32554	2323	192.168.2.23	181.35.27.125
Nov 2, 2021 11:45:58.865051985 CET	32554	23	192.168.2.23	66.158.252.83
Nov 2, 2021 11:45:58.865052938 CET	32554	23	192.168.2.23	46.124.196.135
Nov 2, 2021 11:45:58.865055084 CET	32554	23	192.168.2.23	60.117.107.80
Nov 2, 2021 11:45:58.865065098 CET	32554	23	192.168.2.23	52.158.121.230
Nov 2, 2021 11:45:58.865067005 CET	32554	23	192.168.2.23	181.234.210.121
Nov 2, 2021 11:45:58.865082979 CET	32554	23	192.168.2.23	76.120.137.198
Nov 2, 2021 11:45:58.865092039 CET	32554	23	192.168.2.23	161.96.182.157
Nov 2, 2021 11:45:58.865096092 CET	32554	23	192.168.2.23	41.85.33.128
Nov 2, 2021 11:45:58.865103960 CET	32554	23	192.168.2.23	115.147.120.61
Nov 2, 2021 11:45:58.865120888 CET	32554	23	192.168.2.23	44.243.19.229
Nov 2, 2021 11:45:58.865129948 CET	32554	2323	192.168.2.23	32.159.247.166
Nov 2, 2021 11:45:58.865144968 CET	32554	23	192.168.2.23	211.149.218.170
Nov 2, 2021 11:45:58.865147114 CET	32554	23	192.168.2.23	106.86.30.44
Nov 2, 2021 11:45:58.865158081 CET	32554	23	192.168.2.23	146.13.181.184
Nov 2, 2021 11:45:58.865159035 CET	32554	23	192.168.2.23	51.109.159.140
Nov 2, 2021 11:45:58.865165949 CET	32554	23	192.168.2.23	189.207.59.251
Nov 2, 2021 11:45:58.865169048 CET	32554	23	192.168.2.23	128.83.231.183
Nov 2, 2021 11:45:58.865170956 CET	32554	23	192.168.2.23	40.250.220.121
Nov 2, 2021 11:45:58.865173101 CET	32554	23	192.168.2.23	160.91.82.176
Nov 2, 2021 11:45:58.865187883 CET	32554	23	192.168.2.23	89.251.167.59
Nov 2, 2021 11:45:58.865195036 CET	32554	23	192.168.2.23	62.174.200.35
Nov 2, 2021 11:45:58.865201950 CET	32554	23	192.168.2.23	43.206.72.34
Nov 2, 2021 11:45:58.865206957 CET	32554	23	192.168.2.23	96.170.114.187
Nov 2, 2021 11:45:58.865226030 CET	32554	23	192.168.2.23	197.106.45.223
Nov 2, 2021 11:45:58.865226984 CET	32554	2323	192.168.2.23	34.139.197.29
Nov 2, 2021 11:45:58.865228891 CET	32554	23	192.168.2.23	73.254.13.120
Nov 2, 2021 11:45:58.865243912 CET	32554	23	192.168.2.23	23.142.209.42
Nov 2, 2021 11:45:58.865256071 CET	32554	23	192.168.2.23	177.23.233.154
Nov 2, 2021 11:45:58.865257025 CET	32554	23	192.168.2.23	216.147.44.177
Nov 2, 2021 11:45:58.865262985 CET	32554	23	192.168.2.23	222.74.232.201
Nov 2, 2021 11:45:58.865276098 CET	32554	23	192.168.2.23	108.58.227.95
Nov 2, 2021 11:45:58.865278006 CET	32554	23	192.168.2.23	219.71.114.114
Nov 2, 2021 11:45:58.865288019 CET	32554	23	192.168.2.23	46.232.6.217
Nov 2, 2021 11:45:58.865293980 CET	32554	23	192.168.2.23	106.68.64.242
Nov 2, 2021 11:45:58.865308046 CET	32554	23	192.168.2.23	52.49.35.5
Nov 2, 2021 11:45:58.865314007 CET	32554	2323	192.168.2.23	14.183.74.85
Nov 2, 2021 11:45:58.865320921 CET	32554	23	192.168.2.23	216.91.196.180
Nov 2, 2021 11:45:58.865322113 CET	32554	23	192.168.2.23	181.91.174.78
Nov 2, 2021 11:45:58.865324020 CET	32554	23	192.168.2.23	208.60.121.228
Nov 2, 2021 11:45:58.865330935 CET	32554	23	192.168.2.23	187.30.122.2
Nov 2, 2021 11:45:58.865343094 CET	32554	2323	192.168.2.23	163.5.90.206
Nov 2, 2021 11:45:58.865345001 CET	32554	23	192.168.2.23	38.229.45.240
Nov 2, 2021 11:45:58.865364075 CET	32554	23	192.168.2.23	97.39.192.176
Nov 2, 2021 11:45:58.865372896 CET	32554	23	192.168.2.23	85.133.173.204
Nov 2, 2021 11:45:58.865375996 CET	32554	23	192.168.2.23	95.180.215.141
Nov 2, 2021 11:45:58.865377903 CET	32554	23	192.168.2.23	27.22.87.153
Nov 2, 2021 11:45:58.865396023 CET	32554	23	192.168.2.23	194.71.24.103
Nov 2, 2021 11:45:58.865401030 CET	32554	23	192.168.2.23	72.192.37.126
Nov 2, 2021 11:45:58.865411043 CET	32554	23	192.168.2.23	163.133.47.250
Nov 2, 2021 11:45:58.865422010 CET	32554	23	192.168.2.23	87.12.241.234
Nov 2, 2021 11:45:58.865425110 CET	32554	2323	192.168.2.23	92.208.29.230
Nov 2, 2021 11:45:58.865428925 CET	32554	23	192.168.2.23	200.143.240.219
Nov 2, 2021 11:45:58.865447998 CET	32554	23	192.168.2.23	204.1.142.68
Nov 2, 2021 11:45:58.865459919 CET	32554	23	192.168.2.23	107.56.54.248
Nov 2, 2021 11:45:58.865467072 CET	32554	23	192.168.2.23	154.182.136.152
Nov 2, 2021 11:45:58.865468025 CET	32554	23	192.168.2.23	92.99.50.123
Nov 2, 2021 11:45:58.865469933 CET	32554	23	192.168.2.23	17.196.33.45
Nov 2, 2021 11:45:58.865477085 CET	32554	23	192.168.2.23	194.203.66.127
Nov 2, 2021 11:45:58.865480900 CET	32554	23	192.168.2.23	133.227.58.68
Nov 2, 2021 11:45:58.865489006 CET	32554	23	192.168.2.23	167.66.173.211
Nov 2, 2021 11:45:58.865489006 CET	32554	23	192.168.2.23	219.154.73.62
Nov 2, 2021 11:45:58.865514040 CET	32554	2323	192.168.2.23	175.152.234.2
Nov 2, 2021 11:45:58.865523100 CET	32554	23	192.168.2.23	191.173.134.110
Nov 2, 2021 11:45:58.865523100 CET	32554	23	192.168.2.23	147.204.44.114
Nov 2, 2021 11:45:58.865525961 CET	32554	23	192.168.2.23	202.169.55.197
Nov 2, 2021 11:45:58.865546942 CET	32554	23	192.168.2.23	5.120.57.246
Nov 2, 2021 11:45:58.865550041 CET	32554	23	192.168.2.23	134.241.91.130
Nov 2, 2021 11:45:58.865562916 CET	32554	23	192.168.2.23	120.232.247.118
Nov 2, 2021 11:45:58.865569115 CET	32554	23	192.168.2.23	203.90.170.189
Nov 2, 2021 11:45:58.865576029 CET	32554	2323	192.168.2.23	168.238.43.89

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 2, 2021 11:45:58.809940100 CET	192.168.2.23	8.8.8.8	0x78b0	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 2, 2021 11:45:58.829411983 CET	8.8.8.8	192.168.2.23	0x78b0	No error (0)	arcticboatz.cz		156.96.156.212	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: mipsel PID: 5233 Parent PID: 5108

General

Start time:	11:45:57
Start date:	02/11/2021
Path:	/tmp/mipsel
Arguments:	/tmp/mipsel
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: mipsel PID: 5235 Parent PID: 5233

General

Start time:	11:45:57
Start date:	02/11/2021
Path:	/tmp/mipsel
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: mipsel PID: 5237 Parent PID: 5235

General

Start time:	11:45:57
Start date:	02/11/2021
Path:	/tmp/mipsel
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: mipsel PID: 5238 Parent PID: 5235

General

Start time:	11:45:57
Start date:	02/11/2021
Path:	/tmp/mipsel
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report mipsel

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mipsel PID: 5233 Parent PID: 5108

General

Analysis Process: mipsel PID: 5235 Parent PID: 5233

General

Analysis Process: mipsel PID: 5237 Parent PID: 5235

General

Analysis Process: mipsel PID: 5238 Parent PID: 5235

General