Play interactive tour

Edit tour

Linux Analysis Report arm5

Overview

General Information

Sample Name:	arm5
Analysis ID:	518272
MD5:	70988ec41b6eddb41ec1bc3222f8fab8
SHA1:	60af6f0fee0df7ff9e51c0f9f6070ba102f430a8
SHA256:	1d91574bc880dfb70eb8aaa3d3bc75d906bdb7b87f8ee3d3467a2ed3267e1047
Tags:	Mirai
Infos:

Detection

Mirai

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample deletes itself

Uses known network protocols on non-standard ports

Yara signature match

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	518272
Start date:	09.11.2021
Start time:	09:48:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	arm5
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.evad.lin@0/0@1/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

arm5 (PID: 5246, Parent: 5120, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5

arm5 New Fork (PID: 5248, Parent: 5246)

arm5 New Fork (PID: 5250, Parent: 5248)

arm5 New Fork (PID: 5252, Parent: 5248)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
arm5	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x12308:$x1: POST /cdn-cgi/ 0x11940:$x3: /dev/watchdog 0x11a74:$s1: LCOGQGPTGP 0x124a4:$s3: CFOKLKQVPCVMP 0x12488:$s4: QWRGPTKQMP 0x125ac:$s5: HWCLVGAJ
arm5	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x12308:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
arm5	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
arm5	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x12308:$x1: POST /cdn-cgi/ 0x11940:$x3: /dev/watchdog 0x11a74:$s1: LCOGQGPTGP 0x124a4:$s3: CFOKLKQVPCVMP 0x12488:$s4: QWRGPTKQMP 0x125ac:$s5: HWCLVGAJ
5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x12308:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: arm5

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: arm5

ReversingLabs: Detection: 40%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 156.96.62.207:55650 -> 192.168.2.23:58066
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56784
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56800
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56808
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56810
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56812
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56814
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56818
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56842
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56846
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.165.242.134:23 -> 192.168.2.23:56850
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.252.195:23 -> 192.168.2.23:45768
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.252.195:23 -> 192.168.2.23:45768
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.252.195:23 -> 192.168.2.23:45822
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.252.195:23 -> 192.168.2.23:45822
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40670
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40672
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40674
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40676
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40680
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40682
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40686
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40692
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40698
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.3.78:23 -> 192.168.2.23:40704
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.252.195:23 -> 192.168.2.23:45862
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.252.195:23 -> 192.168.2.23:45862

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46638
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46640
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46642
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46644
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46646
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46648
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46650
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46652
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46654

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 199.34.42.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 203.118.78.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 52.2.115.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 135.87.189.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 112.73.152.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 114.42.109.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 178.12.252.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 107.95.196.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.74.49.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 107.189.140.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 142.172.145.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 78.25.76.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 9.172.119.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 110.83.82.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 136.31.95.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 212.94.254.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:58066 -> 156.96.62.207:55650
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 163.57.140.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 47.22.41.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 34.27.95.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 169.16.1.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 93.90.35.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 178.149.152.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 160.224.129.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 211.206.97.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 207.30.225.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 158.83.224.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 27.242.112.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 73.238.91.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 163.144.123.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 2.183.185.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 177.131.127.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 145.66.49.28:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 139.106.34.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 179.95.95.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 14.155.228.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 196.3.194.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 173.75.214.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 114.49.194.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 157.55.179.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 131.162.173.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 218.89.221.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 98.233.224.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 12.92.215.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 48.25.186.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 110.164.81.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 35.204.221.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 150.41.23.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 69.38.172.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 116.179.161.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 116.172.163.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 219.233.185.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 118.19.66.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 71.10.249.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 24.167.95.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 206.91.149.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 123.179.73.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 89.216.115.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 37.93.87.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 149.171.76.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 167.102.26.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 152.59.89.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 175.158.199.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 131.177.241.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 178.99.140.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 58.30.217.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 205.210.24.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 102.13.133.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 76.192.107.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 39.197.116.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 126.13.37.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 113.94.137.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 111.45.227.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 185.253.143.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 102.112.248.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 166.154.188.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 149.157.91.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 132.147.213.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 180.121.105.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 20.224.107.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 205.25.175.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 5.34.186.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 159.156.69.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 31.40.230.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 119.28.78.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 150.89.13.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 139.23.155.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 169.244.157.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 149.94.114.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 137.89.42.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 216.163.3.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 66.107.125.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 213.136.103.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 211.250.111.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 37.71.34.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 125.67.205.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 194.183.242.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 73.127.239.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 41.85.167.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 187.93.165.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 147.45.232.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 99.20.57.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 176.179.21.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 2.45.205.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 174.133.81.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 102.32.24.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 32.82.68.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.51.85.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 193.69.131.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 77.62.253.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 132.122.220.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 79.166.226.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 84.134.122.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 125.183.107.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 190.59.219.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 99.224.73.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 67.232.160.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 156.184.175.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 115.1.243.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 44.100.52.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 220.230.95.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 44.211.18.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 5.253.214.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 156.164.194.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 211.222.169.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 191.121.11.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 184.241.28.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 32.55.48.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 188.231.160.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 99.85.142.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 158.13.56.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 84.127.183.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 119.107.36.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 165.241.214.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 157.210.251.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 142.121.185.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 57.134.182.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 164.184.11.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 112.233.77.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 95.15.190.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 83.64.8.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 40.9.213.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.210.248.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 36.92.206.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 125.20.107.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 182.143.231.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 134.167.172.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 206.195.177.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 2.93.197.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 42.81.244.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 182.91.195.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 80.43.104.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 59.90.129.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 116.2.127.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 32.241.220.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 187.176.160.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 171.79.106.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 194.146.36.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 208.44.174.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 218.111.136.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 106.159.207.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 79.207.63.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 73.108.211.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.242.188.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 202.172.137.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 157.12.53.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.114.95.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 66.74.47.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 59.212.183.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 9.174.243.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 147.57.35.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 23.78.250.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 169.12.169.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 191.65.218.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 66.3.35.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 147.53.215.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 43.49.55.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 180.31.32.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 100.138.123.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 9.80.30.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 211.153.83.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 193.82.36.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 25.239.161.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 177.207.171.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 187.4.45.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 203.131.231.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 65.62.126.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 130.95.67.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 119.130.188.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 211.181.251.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 52.1.238.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 209.126.110.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 78.88.160.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.160.173.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 25.225.48.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 67.3.9.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 137.196.182.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 74.127.40.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 128.199.206.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 151.205.217.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 218.63.87.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 99.31.179.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 13.246.169.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 180.10.236.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 115.169.180.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 115.200.30.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 67.158.231.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 164.185.181.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 49.16.43.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 94.240.110.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 164.21.88.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 46.117.88.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 153.222.114.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 222.219.61.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 54.245.187.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 184.134.71.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.132.65.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 64.103.50.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 41.109.36.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 156.139.10.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 1.249.5.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 206.173.169.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 19.83.179.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 101.139.170.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 36.206.97.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 84.60.147.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 81.46.165.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 85.127.10.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 158.179.224.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 202.242.77.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 196.101.228.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 208.193.58.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 32.199.244.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 171.84.83.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 161.177.185.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 132.173.224.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 62.46.9.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 72.233.220.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 185.255.74.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 138.32.22.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 136.112.93.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 101.100.86.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 184.222.122.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 41.243.91.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 130.106.38.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 4.220.96.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 105.118.111.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 42.171.187.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 50.146.168.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 159.221.207.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 72.246.57.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 98.101.145.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 14.29.246.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 34.238.197.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 217.37.156.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 117.153.52.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 135.187.245.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 151.61.248.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 158.22.53.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 17.197.88.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 25.121.165.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 107.229.88.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 108.215.124.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 188.32.213.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 183.226.122.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 207.235.10.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 130.2.38.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 137.208.51.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 205.237.126.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 149.252.242.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 180.47.196.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 138.202.231.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 115.102.210.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 212.68.99.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 137.95.195.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 43.109.155.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 52.197.231.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 183.244.136.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.189.105.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 5.181.29.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 132.73.195.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 223.83.201.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 60.228.164.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 92.205.154.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 130.165.223.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 9.209.129.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 77.23.178.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 143.70.13.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 78.244.10.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 118.6.204.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 134.16.105.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 37.126.12.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 19.51.142.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 187.66.73.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 91.59.4.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 136.222.123.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 20.181.156.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 217.47.10.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 223.73.215.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 93.236.206.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 140.227.95.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 206.112.34.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 67.126.72.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 189.208.4.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 121.57.143.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 14.204.89.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 195.129.24.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 122.58.147.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 71.123.57.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 105.212.105.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 212.25.209.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 165.34.228.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 66.111.69.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 128.57.45.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 189.253.100.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 176.71.22.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 25.113.103.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 82.86.111.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 137.248.96.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 108.90.238.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 128.193.126.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 166.159.7.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 193.30.180.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 9.155.210.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 5.41.73.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 152.175.157.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 207.3.202.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 77.67.56.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 132.156.98.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 198.253.169.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 152.121.240.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 218.74.77.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 151.225.195.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 104.244.138.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 67.253.122.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 203.248.198.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 20.171.255.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 112.27.81.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.251.82.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 27.115.40.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 152.212.210.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 201.191.27.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 74.45.79.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 120.13.134.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 37.111.210.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 145.151.148.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 42.90.242.28:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 101.3.219.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 218.99.251.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 94.66.53.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 160.25.142.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 111.140.24.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 82.249.225.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 91.172.190.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 23.191.82.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.130.101.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 221.165.0.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 203.31.73.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 105.208.225.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 53.18.104.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 5.125.134.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 48.53.171.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 205.92.145.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 154.151.201.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 146.57.131.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 167.187.202.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 201.230.24.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 207.103.131.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 24.218.5.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 25.91.230.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.116.46.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 176.176.85.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 180.210.162.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 51.142.145.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 126.250.62.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 170.100.207.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 102.80.151.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 186.192.115.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 166.95.252.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 191.114.98.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 23.20.123.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 84.82.83.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 4.8.160.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 64.202.216.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 61.179.237.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 111.156.173.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 53.101.36.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 145.41.218.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 76.10.70.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 217.78.241.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 190.217.73.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 18.31.253.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 199.132.161.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 53.54.29.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 8.81.234.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 185.39.182.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 205.7.176.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 117.193.191.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 143.160.107.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 126.74.153.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 17.122.56.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 103.218.71.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 120.135.3.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 223.63.183.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 73.26.91.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 211.218.219.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 159.11.121.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 157.109.33.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.106.110.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 88.245.169.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 146.73.188.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 147.237.85.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 53.117.161.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 104.135.187.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 151.210.5.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 120.111.203.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 14.46.103.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 98.182.18.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 221.32.43.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 183.81.204.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 65.85.118.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 66.47.30.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 94.31.17.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 97.171.21.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 92.165.124.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 165.125.102.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 185.68.199.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 51.163.14.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 62.187.255.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 181.55.118.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 141.188.212.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 178.55.186.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 53.112.112.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 31.165.130.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 68.207.135.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 35.132.83.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 1.183.2.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 64.124.244.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 212.81.116.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 1.217.99.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 80.4.171.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 156.70.250.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 146.186.112.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 80.52.230.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 86.115.179.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 90.86.204.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 79.78.143.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 176.167.124.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 188.136.39.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 47.117.8.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 45.235.140.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 72.20.130.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 187.154.227.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 137.193.106.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 49.160.19.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 135.9.196.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 141.94.171.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 70.82.212.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 106.239.67.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 101.32.63.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 62.115.34.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 148.253.18.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 89.89.238.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 128.209.144.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 105.29.107.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 130.108.198.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 68.80.129.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 183.196.150.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 161.220.88.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 63.155.197.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 222.90.147.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 161.33.62.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 165.214.148.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 69.17.88.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 132.19.206.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 167.67.99.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 146.28.106.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 176.54.121.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 112.234.6.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 110.164.5.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 44.187.188.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 45.228.69.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 118.122.141.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 83.90.129.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 27.172.85.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 199.137.54.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 92.122.25.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 46.165.108.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 205.251.238.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 213.20.144.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 183.92.172.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 188.103.87.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 8.37.7.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 98.132.177.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 13.50.16.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 217.131.214.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 14.227.238.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 202.250.198.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 136.47.244.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:12694 -> 52.12.60.5:2323

Source: /tmp/arm5 (PID: 5246)

Socket: 127.0.0.1::1124

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 199.34.42.51
Source: unknown	TCP traffic detected without corresponding DNS query: 82.144.153.51
Source: unknown	TCP traffic detected without corresponding DNS query: 12.165.249.204
Source: unknown	TCP traffic detected without corresponding DNS query: 61.124.206.205
Source: unknown	TCP traffic detected without corresponding DNS query: 161.117.65.127
Source: unknown	TCP traffic detected without corresponding DNS query: 48.182.31.52
Source: unknown	TCP traffic detected without corresponding DNS query: 128.180.138.227
Source: unknown	TCP traffic detected without corresponding DNS query: 133.20.108.83
Source: unknown	TCP traffic detected without corresponding DNS query: 202.74.73.171
Source: unknown	TCP traffic detected without corresponding DNS query: 203.118.78.144
Source: unknown	TCP traffic detected without corresponding DNS query: 93.199.116.209
Source: unknown	TCP traffic detected without corresponding DNS query: 211.170.230.50
Source: unknown	TCP traffic detected without corresponding DNS query: 64.142.62.94
Source: unknown	TCP traffic detected without corresponding DNS query: 159.111.89.205
Source: unknown	TCP traffic detected without corresponding DNS query: 195.141.240.19
Source: unknown	TCP traffic detected without corresponding DNS query: 173.96.87.175
Source: unknown	TCP traffic detected without corresponding DNS query: 140.25.88.20
Source: unknown	TCP traffic detected without corresponding DNS query: 199.40.126.131
Source: unknown	TCP traffic detected without corresponding DNS query: 174.233.93.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.222.118
Source: unknown	TCP traffic detected without corresponding DNS query: 52.2.115.39
Source: unknown	TCP traffic detected without corresponding DNS query: 187.232.45.4
Source: unknown	TCP traffic detected without corresponding DNS query: 196.195.43.56
Source: unknown	TCP traffic detected without corresponding DNS query: 169.44.4.176
Source: unknown	TCP traffic detected without corresponding DNS query: 142.167.23.100
Source: unknown	TCP traffic detected without corresponding DNS query: 13.238.158.11
Source: unknown	TCP traffic detected without corresponding DNS query: 194.236.34.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.166.58.226
Source: unknown	TCP traffic detected without corresponding DNS query: 168.201.3.69
Source: unknown	TCP traffic detected without corresponding DNS query: 203.157.61.144
Source: unknown	TCP traffic detected without corresponding DNS query: 135.87.189.208
Source: unknown	TCP traffic detected without corresponding DNS query: 162.4.161.178
Source: unknown	TCP traffic detected without corresponding DNS query: 163.89.129.21
Source: unknown	TCP traffic detected without corresponding DNS query: 125.100.190.32
Source: unknown	TCP traffic detected without corresponding DNS query: 144.247.228.110
Source: unknown	TCP traffic detected without corresponding DNS query: 95.174.174.209
Source: unknown	TCP traffic detected without corresponding DNS query: 196.227.4.245
Source: unknown	TCP traffic detected without corresponding DNS query: 36.224.181.53
Source: unknown	TCP traffic detected without corresponding DNS query: 60.20.194.64
Source: unknown	TCP traffic detected without corresponding DNS query: 112.73.152.122
Source: unknown	TCP traffic detected without corresponding DNS query: 163.244.204.30
Source: unknown	TCP traffic detected without corresponding DNS query: 144.59.180.31
Source: unknown	TCP traffic detected without corresponding DNS query: 2.200.187.211
Source: unknown	TCP traffic detected without corresponding DNS query: 155.196.66.51
Source: unknown	TCP traffic detected without corresponding DNS query: 41.222.114.122
Source: unknown	TCP traffic detected without corresponding DNS query: 207.82.46.119
Source: unknown	TCP traffic detected without corresponding DNS query: 14.72.135.97
Source: unknown	TCP traffic detected without corresponding DNS query: 221.228.123.170
Source: unknown	TCP traffic detected without corresponding DNS query: 114.42.109.169
Source: unknown	TCP traffic detected without corresponding DNS query: 208.91.20.63

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: arm5, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: arm5, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: arm5, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: arm5, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal96.troj.evad.lin@0/0@1/0

Source: arm5

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2033/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1582/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2275/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1612/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1579/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1699/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1335/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1698/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2028/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1334/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1576/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2302/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/3236/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2025/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2146/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/912/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/759/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2307/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/918/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1594/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2285/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2281/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1349/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1623/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/761/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/761/cmdline
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1622/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/884/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1983/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2038/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1586/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1465/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1344/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1860/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1463/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2156/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/800/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/801/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1629/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1627/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1900/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5202/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/491/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2294/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2050/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5040/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1877/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/772/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1633/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1599/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1632/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1477/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/774/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1476/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1872/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2048/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1475/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2289/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/777/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/658/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/936/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/936/cmdline
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1639/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1638/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2208/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2180/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/4486/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1809/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1494/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1890/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2063/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2062/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1888/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1886/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1489/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/785/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1642/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/788/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/789/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5203/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1648/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2191/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5223/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5224/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2078/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2077/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2074/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2195/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/793/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1656/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1654/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2226/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/1532/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/796/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/797/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2069/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2102/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2223/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/799/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/2080/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5230/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5231/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5232/fd
Source: /tmp/arm5 (PID: 5252)	File opened: /proc/5233/fd

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself

Show sources

Source: /tmp/arm5 (PID: 5246)

File: /tmp/arm5

Jump to behavior

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46638
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46640
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46642
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46644
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46646
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46648
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46650
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46652
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46654

Source: /tmp/arm5 (PID: 5246)

Queries kernel information via 'uname':

Source: arm5, 5246.1.00000000b7797230.00000000eff5af91.rw-.sdmp	Binary or memory string: +OV!/etc/qemu-binfmt/arm
Source: arm5, 5246.1.00000000b7797230.00000000eff5af91.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5, 5246.1.00000000aa01c970.0000000075930ec0.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm5SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5
Source: arm5, 5246.1.00000000aa01c970.0000000075930ec0.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match	File source: arm5, type: SAMPLE
Source: Yara match	File source: 5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match	File source: arm5, type: SAMPLE
Source: Yara match	File source: 5246.1.000000006d4b7060.0000000092f9e265.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	File Deletion1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5	40%	ReversingLabs	Linux.Trojan.Mirai
arm5	100%	Avira	LINUX/Mirai.bonb

Dropped Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	1%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	156.96.62.207	true	true	1%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.135.187.226	unknown	United States	36384	GOOGLE-ITUS	false
181.206.182.194	unknown	Colombia	27831	ColombiaMovilCO	false
205.105.248.57	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
24.80.107.102	unknown	Canada	6327	SHAWCA	false
145.55.136.81	unknown	United Kingdom	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
176.65.156.36	unknown	Germany	12975	PALTEL-ASPALTELAutonomousSystemPS	false
147.197.175.135	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
125.194.170.24	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
148.134.167.57	unknown	United States	19113	DUKE-ENERGYUS	false
85.89.50.115	unknown	Estonia	3249	ESTPAKEE	false
208.8.240.71	unknown	United States	1239	SPRINTLINKUS	false
185.147.110.118	unknown	United Kingdom	39875	W3ZGB	false
60.213.130.181	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
207.96.101.22	unknown	United States	6079	RCN-ASUS	false
146.55.106.179	unknown	United States	1483	DNIC-AS-01483US	false
153.162.160.177	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
42.211.12.113	unknown	China	4249	LILLY-ASUS	false
195.212.106.195	unknown	European Union	2686	ATGS-MMD-ASUS	false
83.147.173.205	unknown	Ireland	31122	DIGIWEB-ASIE	false
207.54.208.193	unknown	United States	17327	TSTC-ASUS	false
135.212.234.61	unknown	United States	14962	NCR-252US	false
89.76.227.225	unknown	Poland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
151.30.121.245	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
190.208.152.163	unknown	Chile	6535	TelmexServiciosEmpresarialesSACL	false
68.157.177.173	unknown	United States	7018	ATT-INTERNET4US	false
141.170.46.168	unknown	United Kingdom	33920	AQLGB	false
114.238.102.79	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
198.111.4.221	unknown	United States	237	MERIT-AS-14US	false
54.133.167.10	unknown	United States	14618	AMAZON-AESUS	false
116.179.161.1	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
140.132.219.138	unknown	Taiwan; Republic of China (ROC)	1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	false
122.148.149.229	unknown	Australia	9443	VOCUS-RETAIL-AUVocusRetailAU	false
63.155.197.137	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
172.57.247.170	unknown	United States	21928	T-MOBILE-AS21928US	false
222.105.112.87	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
176.94.185.164	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
80.7.112.162	unknown	United Kingdom	5089	NTLGB	false
190.11.161.12	unknown	Argentina	13585	PowerVTSAAR	false
162.223.220.198	unknown	United States	55193	LRC-EV-ASNUS	false
73.162.72.27	unknown	United States	7922	COMCAST-7922US	false
104.191.76.16	unknown	United States	7018	ATT-INTERNET4US	false
105.51.135.23	unknown	Kenya	33771	SAFARICOM-LIMITEDKE	false
91.202.135.49	unknown	Ukraine	44686	SETI-KR-ASUA	false
79.223.11.65	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
144.21.119.168	unknown	Sweden	43894	ORCL-LON-OPC1GB	false
188.51.210.128	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
89.69.52.32	unknown	Poland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
20.121.188.50	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
67.112.215.224	unknown	United States	7018	ATT-INTERNET4US	false
74.134.117.69	unknown	United States	10796	TWC-10796-MIDWESTUS	false
101.100.86.131	unknown	New Zealand	17492	VECTOR-COMMUNICATIONS-ASVectorCommunicationsLTDNZ	false
220.242.93.217	unknown	China	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false
80.16.103.39	unknown	Italy	3269	ASN-IBSNAZIT	false
210.134.248.240	unknown	Japan	2512	TCP-NETTCPIncJP	false
206.112.34.148	unknown	United States	701	UUNETUS	false
110.177.120.171	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
210.80.246.120	unknown	Japan	703	UUNETUS	false
189.12.139.117	unknown	Brazil	7738	TelemarNorteLesteSABR	false
52.46.216.113	unknown	United States	16509	AMAZON-02US	false
53.45.213.229	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
49.251.156.123	unknown	Japan	9617	ZAQJupiterTelecommunicationsCoLtdJP	false
218.99.251.246	unknown	China	17966	CIBNChinaInformationBroadcastNetworkLtdCoCN	false
107.164.229.1	unknown	United States	18779	EGIHOSTINGUS	false
156.191.191.174	unknown	Egypt	36992	ETISALAT-MISREG	false
14.190.39.89	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
70.80.242.95	unknown	Canada	5769	VIDEOTRONCA	false
108.220.13.87	unknown	United States	7018	ATT-INTERNET4US	false
82.117.30.135	unknown	Liechtenstein	35223	HOI-ASLI	false
48.161.123.249	unknown	United States	2686	ATGS-MMD-ASUS	false
103.92.222.136	unknown	Australia	59362	KSNETWORK-AS-APKSNetworkLimitedBD	false
162.137.210.24	unknown	United States	35893	ACPCA	false
155.166.228.100	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
192.236.209.63	unknown	United States	54290	HOSTWINDSUS	false
51.188.186.25	unknown	United States	2686	ATGS-MMD-ASUS	false
169.31.110.75	unknown	United States	37611	AfrihostZA	false
187.46.7.181	unknown	Brazil	26615	TIMSABR	false
147.14.174.55	unknown	Sweden	41076	POSTDK-ASDK	false
39.113.92.254	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
126.250.62.250	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
193.184.243.21	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
52.85.81.84	unknown	United States	16509	AMAZON-02US	false
130.188.48.244	unknown	Finland	565	VTT-ASVTTautonomoussystemFI	false
132.110.95.166	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
59.180.132.79	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
44.182.104.79	unknown	United States	58247	NETVEILLANCERO	false
164.54.69.130	unknown	United States	683	ARGONNE-ASUS	false
222.203.192.190	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
42.146.84.216	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
202.128.6.77	unknown	Guam	3605	ERX-KUENTOS-ASGuamCablevisionLLCGU	false
179.66.21.100	unknown	Brazil	7738	TelemarNorteLesteSABR	false
122.78.96.93	unknown	China	63711	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
179.186.80.236	unknown	Brazil	18881	TELEFONICABRASILSABR	false
107.229.88.133	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
221.127.190.120	unknown	Hong Kong	9304	HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK	false
175.65.29.176	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
81.222.205.171	unknown	Russian Federation	20597	ELTEL-ASRU	false
134.16.105.217	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
167.181.125.128	unknown	United States	59447	SAYFANETTR	false
195.201.97.179	unknown	Germany	24940	HETZNER-ASDE	false
31.168.46.82	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	false

Runtime Messages

Command:	/tmp/arm5
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	qazwsxedc
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
arcticboatz.cz	mipsel	Get hash	malicious	Browse	156.96.156.212
	arm-20211102-0937	Get hash	malicious	Browse	156.96.156.212
	mips-20211102-0937	Get hash	malicious	Browse	156.96.156.212
	arm5-20211102-0937	Get hash	malicious	Browse	156.96.156.212
	arm7	Get hash	malicious	Browse	156.96.156.212
	x86_64	Get hash	malicious	Browse	156.96.156.212
	arm	Get hash	malicious	Browse	156.96.156.212
	x86_64	Get hash	malicious	Browse	156.96.156.212
	mips	Get hash	malicious	Browse	156.96.156.212
	arm6	Get hash	malicious	Browse	156.96.156.212
	arm7	Get hash	malicious	Browse	156.96.156.212
	arm5	Get hash	malicious	Browse	156.96.156.212

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-ITUS	B94t90Yyoz	Get hash	malicious	Browse	104.135.140.227
	H9pX0VKTN5	Get hash	malicious	Browse	104.134.26.50
	WZ4DVF29Pb	Get hash	malicious	Browse	104.133.236.16
	dark.arm	Get hash	malicious	Browse	104.133.236.10
	1u1hBVyy1i	Get hash	malicious	Browse	104.132.49.89
	h8RVQktJXr	Get hash	malicious	Browse	104.135.213.96
	x86	Get hash	malicious	Browse	104.132.50.73
	b3astmode.arm-20211011-1850	Get hash	malicious	Browse	104.132.49.83
	4oihqZr8ZO	Get hash	malicious	Browse	104.132.98.38
	sora.arm	Get hash	malicious	Browse	104.134.126.113
	v17c18jKB5	Get hash	malicious	Browse	104.132.49.98
	TwlnaihoCK	Get hash	malicious	Browse	104.134.3.160
	L5KEcDLI8h	Get hash	malicious	Browse	104.133.200.93
	3oIJHpiKNe	Get hash	malicious	Browse	104.132.49.84
	TDiJdXdD3P	Get hash	malicious	Browse	104.135.239.184
	fhDiUHnkzb	Get hash	malicious	Browse	104.132.49.86
	ImxKJKBtj2	Get hash	malicious	Browse	104.135.3.18
	dark.x86	Get hash	malicious	Browse	104.133.42.167
	gaxq7wN4q8	Get hash	malicious	Browse	104.132.98.31
	ICNMnez5oh	Get hash	malicious	Browse	104.132.49.77
ColombiaMovilCO	qgxgn5fQU1	Get hash	malicious	Browse	181.207.246.79
	fMGehkjmPv	Get hash	malicious	Browse	179.14.232.136
	mktkJhN1Fd	Get hash	malicious	Browse	181.205.49.119
	FAuA0G2obM	Get hash	malicious	Browse	191.89.251.32
	WcBBoVjwRf	Get hash	malicious	Browse	186.97.100.240
	7L38cWaJpW	Get hash	malicious	Browse	177.252.114.31
	NEaRhAVeo9	Get hash	malicious	Browse	186.181.194.128
	mRQwOz6Oit	Get hash	malicious	Browse	191.88.9.118
	pTF1iICUEm	Get hash	malicious	Browse	179.12.77.61
	yJOZ3EeESV	Get hash	malicious	Browse	186.181.194.104
	apep.x86	Get hash	malicious	Browse	181.204.131.151
	LpX6muTZ4z.exe	Get hash	malicious	Browse	191.91.177.6
	en94piXmL6	Get hash	malicious	Browse	181.71.150.166
	wRmHCEnowI	Get hash	malicious	Browse	181.207.212.149
	pwFaKVCXrY	Get hash	malicious	Browse	181.204.131.145
	eImb49ofup	Get hash	malicious	Browse	181.204.131.153
	HCyigyiCAH	Get hash	malicious	Browse	181.71.150.145
	apep.x86	Get hash	malicious	Browse	181.205.208.46
	yOtRXukeq9	Get hash	malicious	Browse	181.204.131.157
	SecuriteInfo.com.Linux.Mirai.1429.15365.3177	Get hash	malicious	Browse	181.204.131.169

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.145315108312535
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5
File size:	80604
MD5:	70988ec41b6eddb41ec1bc3222f8fab8
SHA1:	60af6f0fee0df7ff9e51c0f9f6070ba102f430a8
SHA256:	1d91574bc880dfb70eb8aaa3d3bc75d906bdb7b87f8ee3d3467a2ed3267e1047
SHA512:	ca6d8462fadcfc0e8f23f9546282b8239f9aef68c9bf26bcd4de9ba766c855819c7bcca13e491eb0d6bccaf96eb8ead396b79c1300b0653b9323aac400800e69
SSDEEP:	1536:At/1/M1UUI6MdbCfysm4mhtVTh2nt+WP+IMZqXkhAiSaSderwbZn9:AtxS8dWfs4mVh2nXPbGqXk/RSmwbZn9
File Content Preview:	.ELF...a..........(.........4...L9......4. ...(......................5...5...............5...5...5..p....&..........Q.td..................................-...L."....F..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	80204
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x11844	0x0	0x6	AX	16
.fini	PROGBITS	0x198f4	0x118f4	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x19908	0x11908	0x1c90	0x0	0x2	A	4
.ctors	PROGBITS	0x2359c	0x1359c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x235a4	0x135a4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x235b0	0x135b0	0x35c	0x0	0x3	WA	4
.bss	NOBITS	0x2390c	0x1390c	0x2358	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1390c	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x13598	0x13598	3.4378	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x1359c	0x2359c	0x2359c	0x370	0x26c8	1.6461	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2021 09:49:04.008440018 CET	12694	2323	192.168.2.23	199.34.42.51
Nov 9, 2021 09:49:04.008563042 CET	12694	23	192.168.2.23	82.144.153.51
Nov 9, 2021 09:49:04.008586884 CET	12694	23	192.168.2.23	12.165.249.204
Nov 9, 2021 09:49:04.008610010 CET	12694	23	192.168.2.23	61.124.206.205
Nov 9, 2021 09:49:04.008621931 CET	12694	23	192.168.2.23	161.117.65.127
Nov 9, 2021 09:49:04.008635044 CET	12694	23	192.168.2.23	48.182.31.52
Nov 9, 2021 09:49:04.008649111 CET	12694	23	192.168.2.23	128.180.138.227
Nov 9, 2021 09:49:04.008682013 CET	12694	23	192.168.2.23	133.20.108.83
Nov 9, 2021 09:49:04.008708000 CET	12694	23	192.168.2.23	202.74.73.171
Nov 9, 2021 09:49:04.008753061 CET	12694	2323	192.168.2.23	203.118.78.144
Nov 9, 2021 09:49:04.009026051 CET	12694	23	192.168.2.23	93.199.116.209
Nov 9, 2021 09:49:04.009047985 CET	12694	23	192.168.2.23	211.170.230.50
Nov 9, 2021 09:49:04.009076118 CET	12694	23	192.168.2.23	64.142.62.94
Nov 9, 2021 09:49:04.009095907 CET	12694	23	192.168.2.23	159.111.89.205
Nov 9, 2021 09:49:04.009100914 CET	12694	23	192.168.2.23	195.141.240.19
Nov 9, 2021 09:49:04.009113073 CET	12694	23	192.168.2.23	173.96.87.175
Nov 9, 2021 09:49:04.009134054 CET	12694	23	192.168.2.23	140.25.88.20
Nov 9, 2021 09:49:04.009154081 CET	12694	23	192.168.2.23	199.40.126.131
Nov 9, 2021 09:49:04.009195089 CET	12694	23	192.168.2.23	174.233.93.3
Nov 9, 2021 09:49:04.009206057 CET	12694	23	192.168.2.23	20.104.222.118
Nov 9, 2021 09:49:04.009207010 CET	12694	2323	192.168.2.23	52.2.115.39
Nov 9, 2021 09:49:04.009215117 CET	12694	23	192.168.2.23	187.232.45.4
Nov 9, 2021 09:49:04.009232998 CET	12694	23	192.168.2.23	196.195.43.56
Nov 9, 2021 09:49:04.009255886 CET	12694	23	192.168.2.23	169.44.4.176
Nov 9, 2021 09:49:04.009278059 CET	12694	23	192.168.2.23	142.167.23.100
Nov 9, 2021 09:49:04.009339094 CET	12694	23	192.168.2.23	13.238.158.11
Nov 9, 2021 09:49:04.009341002 CET	12694	23	192.168.2.23	194.236.34.26
Nov 9, 2021 09:49:04.009349108 CET	12694	23	192.168.2.23	62.166.58.226
Nov 9, 2021 09:49:04.009366989 CET	12694	23	192.168.2.23	168.201.3.69
Nov 9, 2021 09:49:04.009373903 CET	12694	23	192.168.2.23	203.157.61.144
Nov 9, 2021 09:49:04.009396076 CET	12694	2323	192.168.2.23	135.87.189.208
Nov 9, 2021 09:49:04.009419918 CET	12694	23	192.168.2.23	212.210.129.112
Nov 9, 2021 09:49:04.009428978 CET	12694	23	192.168.2.23	162.4.161.178
Nov 9, 2021 09:49:04.009433985 CET	12694	23	192.168.2.23	163.89.129.21
Nov 9, 2021 09:49:04.009442091 CET	12694	23	192.168.2.23	125.100.190.32
Nov 9, 2021 09:49:04.009455919 CET	12694	23	192.168.2.23	144.247.228.110
Nov 9, 2021 09:49:04.009480953 CET	12694	23	192.168.2.23	95.174.174.209
Nov 9, 2021 09:49:04.009510040 CET	12694	23	192.168.2.23	196.227.4.245
Nov 9, 2021 09:49:04.009519100 CET	12694	23	192.168.2.23	36.224.181.53
Nov 9, 2021 09:49:04.009547949 CET	12694	23	192.168.2.23	60.20.194.64
Nov 9, 2021 09:49:04.009563923 CET	12694	2323	192.168.2.23	112.73.152.122
Nov 9, 2021 09:49:04.009583950 CET	12694	23	192.168.2.23	163.244.204.30
Nov 9, 2021 09:49:04.009599924 CET	12694	23	192.168.2.23	144.59.180.31
Nov 9, 2021 09:49:04.009618044 CET	12694	23	192.168.2.23	2.200.187.211
Nov 9, 2021 09:49:04.009635925 CET	12694	23	192.168.2.23	155.196.66.51
Nov 9, 2021 09:49:04.009654045 CET	12694	23	192.168.2.23	210.10.47.206
Nov 9, 2021 09:49:04.009673119 CET	12694	23	192.168.2.23	41.222.114.122
Nov 9, 2021 09:49:04.009696960 CET	12694	23	192.168.2.23	207.82.46.119
Nov 9, 2021 09:49:04.009721041 CET	12694	23	192.168.2.23	14.72.135.97
Nov 9, 2021 09:49:04.009732962 CET	12694	23	192.168.2.23	221.228.123.170
Nov 9, 2021 09:49:04.009747028 CET	12694	2323	192.168.2.23	114.42.109.169
Nov 9, 2021 09:49:04.009762049 CET	12694	23	192.168.2.23	208.91.20.63
Nov 9, 2021 09:49:04.009778976 CET	12694	23	192.168.2.23	169.217.29.245
Nov 9, 2021 09:49:04.009799004 CET	12694	23	192.168.2.23	202.249.140.159
Nov 9, 2021 09:49:04.009823084 CET	12694	23	192.168.2.23	126.51.85.171
Nov 9, 2021 09:49:04.009848118 CET	12694	23	192.168.2.23	23.100.173.142
Nov 9, 2021 09:49:04.009890079 CET	12694	23	192.168.2.23	76.17.158.207
Nov 9, 2021 09:49:04.009893894 CET	12694	23	192.168.2.23	69.185.40.130
Nov 9, 2021 09:49:04.009905100 CET	12694	23	192.168.2.23	90.114.38.224
Nov 9, 2021 09:49:04.009919882 CET	12694	23	192.168.2.23	156.71.146.134
Nov 9, 2021 09:49:04.009946108 CET	12694	2323	192.168.2.23	178.12.252.239
Nov 9, 2021 09:49:04.009984016 CET	12694	23	192.168.2.23	147.182.61.73
Nov 9, 2021 09:49:04.010001898 CET	12694	23	192.168.2.23	204.92.160.141
Nov 9, 2021 09:49:04.010025978 CET	12694	23	192.168.2.23	143.115.230.50
Nov 9, 2021 09:49:04.010037899 CET	12694	23	192.168.2.23	158.68.87.191
Nov 9, 2021 09:49:04.010071993 CET	12694	23	192.168.2.23	105.78.24.118
Nov 9, 2021 09:49:04.010077000 CET	12694	23	192.168.2.23	222.203.192.190
Nov 9, 2021 09:49:04.010091066 CET	12694	23	192.168.2.23	221.28.242.178
Nov 9, 2021 09:49:04.010109901 CET	12694	23	192.168.2.23	90.174.168.104
Nov 9, 2021 09:49:04.010133028 CET	12694	23	192.168.2.23	174.69.227.219
Nov 9, 2021 09:49:04.010138035 CET	12694	2323	192.168.2.23	107.95.196.148
Nov 9, 2021 09:49:04.010148048 CET	12694	23	192.168.2.23	53.177.72.209
Nov 9, 2021 09:49:04.010154009 CET	12694	23	192.168.2.23	31.123.8.64
Nov 9, 2021 09:49:04.010163069 CET	12694	23	192.168.2.23	39.146.10.68
Nov 9, 2021 09:49:04.010165930 CET	12694	23	192.168.2.23	149.252.159.1
Nov 9, 2021 09:49:04.010191917 CET	12694	23	192.168.2.23	161.193.132.46
Nov 9, 2021 09:49:04.010219097 CET	12694	23	192.168.2.23	192.158.185.87
Nov 9, 2021 09:49:04.010240078 CET	12694	23	192.168.2.23	143.29.82.41
Nov 9, 2021 09:49:04.010252953 CET	12694	23	192.168.2.23	194.125.158.85
Nov 9, 2021 09:49:04.010267019 CET	12694	23	192.168.2.23	93.102.47.210
Nov 9, 2021 09:49:04.010291100 CET	12694	2323	192.168.2.23	97.74.49.198
Nov 9, 2021 09:49:04.010312080 CET	12694	23	192.168.2.23	67.159.27.251
Nov 9, 2021 09:49:04.010329008 CET	12694	23	192.168.2.23	53.70.86.237
Nov 9, 2021 09:49:04.010345936 CET	12694	23	192.168.2.23	76.146.35.224
Nov 9, 2021 09:49:04.010370970 CET	12694	23	192.168.2.23	69.68.144.221
Nov 9, 2021 09:49:04.010380030 CET	12694	23	192.168.2.23	206.208.179.201
Nov 9, 2021 09:49:04.010385990 CET	12694	23	192.168.2.23	71.229.47.196
Nov 9, 2021 09:49:04.010415077 CET	12694	23	192.168.2.23	211.67.15.245
Nov 9, 2021 09:49:04.010430098 CET	12694	23	192.168.2.23	32.44.246.134
Nov 9, 2021 09:49:04.010461092 CET	12694	2323	192.168.2.23	107.189.140.71
Nov 9, 2021 09:49:04.010462046 CET	12694	23	192.168.2.23	57.213.220.82
Nov 9, 2021 09:49:04.010468960 CET	12694	23	192.168.2.23	34.154.242.115
Nov 9, 2021 09:49:04.010505915 CET	12694	23	192.168.2.23	114.45.40.45
Nov 9, 2021 09:49:04.010523081 CET	12694	23	192.168.2.23	96.208.74.35
Nov 9, 2021 09:49:04.010572910 CET	12694	23	192.168.2.23	88.158.203.225
Nov 9, 2021 09:49:04.010581017 CET	12694	23	192.168.2.23	14.53.62.150
Nov 9, 2021 09:49:04.010601044 CET	12694	23	192.168.2.23	210.3.121.133
Nov 9, 2021 09:49:04.010615110 CET	12694	23	192.168.2.23	73.138.126.16
Nov 9, 2021 09:49:04.010634899 CET	12694	23	192.168.2.23	158.188.100.142
Nov 9, 2021 09:49:04.010649920 CET	12694	2323	192.168.2.23	142.172.145.103

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 9, 2021 09:49:04.040237904 CET	192.168.2.23	8.8.8.8	0x67b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 9, 2021 09:49:04.069693089 CET	8.8.8.8	192.168.2.23	0x67b	No error (0)	arcticboatz.cz		156.96.62.207	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: arm5 PID: 5246 Parent PID: 5120

General

Start time:	09:49:02
Start date:	09/11/2021
Path:	/tmp/arm5
Arguments:	/tmp/arm5
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5 PID: 5248 Parent PID: 5246

General

Start time:	09:49:03
Start date:	09/11/2021
Path:	/tmp/arm5
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5 PID: 5250 Parent PID: 5248

General

Start time:	09:49:03
Start date:	09/11/2021
Path:	/tmp/arm5
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5 PID: 5252 Parent PID: 5248

General

Start time:	09:49:03
Start date:	09/11/2021
Path:	/tmp/arm5
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report arm5

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm5 PID: 5246 Parent PID: 5120

General

Analysis Process: arm5 PID: 5248 Parent PID: 5246

General

Analysis Process: arm5 PID: 5250 Parent PID: 5248

General

Analysis Process: arm5 PID: 5252 Parent PID: 5248

General