Play interactive tour

Edit tour

Linux Analysis Report gL6zNW1uNj

Overview

General Information

Sample Name:	gL6zNW1uNj
Analysis ID:	519630
MD5:	deee0487e17b20a74a1757f36e92a240
SHA1:	865c8c7d1b4d725220d58075839e1429820e3465
SHA256:	9ad0477757b6e3b5808cb2ef7b0a53c58823ab63339d8575f454341446bf2b14
Tags:	32elfmiraisparc
Infos:
Most interesting Screenshot:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	519630
Start date:	10.11.2021
Start time:	23:51:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	gL6zNW1uNj
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.spre.troj.lin@0/4@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

gL6zNW1uNj (PID: 5239, Parent: 5117, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/gL6zNW1uNj

gL6zNW1uNj New Fork (PID: 5241, Parent: 5239)

gL6zNW1uNj New Fork (PID: 5271, Parent: 5241)

gL6zNW1uNj New Fork (PID: 5273, Parent: 5241)

gL6zNW1uNj New Fork (PID: 5275, Parent: 5273)

gL6zNW1uNj New Fork (PID: 5278, Parent: 5275)

gL6zNW1uNj New Fork (PID: 5281, Parent: 5275)

gL6zNW1uNj New Fork (PID: 5277, Parent: 5273)

gL6zNW1uNj New Fork (PID: 5280, Parent: 5273)

gL6zNW1uNj New Fork (PID: 5242, Parent: 5239)

gL6zNW1uNj New Fork (PID: 5244, Parent: 5239)

gL6zNW1uNj New Fork (PID: 5247, Parent: 5244)

gL6zNW1uNj New Fork (PID: 5298, Parent: 5247)

gL6zNW1uNj New Fork (PID: 5299, Parent: 5247)

gL6zNW1uNj New Fork (PID: 5248, Parent: 5244)

gL6zNW1uNj New Fork (PID: 5250, Parent: 5244)

systemd New Fork (PID: 5270, Parent: 1)

sshd (PID: 5270, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5286, Parent: 1)

sshd (PID: 5286, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5297, Parent: 1)

sshd (PID: 5297, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5304, Parent: 1)

sshd (PID: 5304, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: gL6zNW1uNj	Virustotal: Detection: 49%			Perma Link
Source: gL6zNW1uNj	ReversingLabs: Detection: 55%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.28.78.146:23 -> 192.168.2.23:36426
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58354
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58362
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58366
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58390
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58396
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58404
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58408
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58414
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58418
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58424
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37474
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37482
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37490
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37496
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 170.39.121.45:23 -> 192.168.2.23:50994
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 170.39.121.45:23 -> 192.168.2.23:50994
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37510
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37530
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54818
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54818
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54832
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54832
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37550
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54858
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54858
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37580
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54894
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54894
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37620
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37662
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 170.39.121.45:23 -> 192.168.2.23:51202
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 170.39.121.45:23 -> 192.168.2.23:51202
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55030
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55030
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55034
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55034
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55046
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55046
Source: Traffic	Snort IDS: 716 INFO TELNET access 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 68.115.186.41:23 -> 192.168.2.23:43838
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 68.115.186.41:23 -> 192.168.2.23:43838
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55096
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55096
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.113.244.20:23 -> 192.168.2.23:49610
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.113.244.20:23 -> 192.168.2.23:49610
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55134
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55134

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39944
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39948
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56724
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56748
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56752

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:44384 -> 86.126.191.187:1312

Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::0
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::23
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::53413
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::80
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::52869
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::37215
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::0
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::23
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::53413
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::80
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::52869
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5286)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5286)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5304)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5304)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 86.126.191.187
Source: unknown	TCP traffic detected without corresponding DNS query: 154.206.38.139
Source: unknown	TCP traffic detected without corresponding DNS query: 101.130.129.147
Source: unknown	TCP traffic detected without corresponding DNS query: 8.204.194.128
Source: unknown	TCP traffic detected without corresponding DNS query: 47.125.240.84
Source: unknown	TCP traffic detected without corresponding DNS query: 57.8.81.223
Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.220.217
Source: unknown	TCP traffic detected without corresponding DNS query: 73.46.136.207
Source: unknown	TCP traffic detected without corresponding DNS query: 192.89.191.6
Source: unknown	TCP traffic detected without corresponding DNS query: 60.64.228.232
Source: unknown	TCP traffic detected without corresponding DNS query: 75.203.207.217
Source: unknown	TCP traffic detected without corresponding DNS query: 163.88.47.71
Source: unknown	TCP traffic detected without corresponding DNS query: 42.237.32.248
Source: unknown	TCP traffic detected without corresponding DNS query: 150.221.199.109
Source: unknown	TCP traffic detected without corresponding DNS query: 19.0.217.207
Source: unknown	TCP traffic detected without corresponding DNS query: 250.16.28.79
Source: unknown	TCP traffic detected without corresponding DNS query: 107.252.94.222
Source: unknown	TCP traffic detected without corresponding DNS query: 192.50.222.74
Source: unknown	TCP traffic detected without corresponding DNS query: 107.117.147.93
Source: unknown	TCP traffic detected without corresponding DNS query: 169.138.96.213
Source: unknown	TCP traffic detected without corresponding DNS query: 18.96.158.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.67.244.33
Source: unknown	TCP traffic detected without corresponding DNS query: 57.244.27.55
Source: unknown	TCP traffic detected without corresponding DNS query: 184.217.61.34
Source: unknown	TCP traffic detected without corresponding DNS query: 252.137.132.179
Source: unknown	TCP traffic detected without corresponding DNS query: 118.232.80.207
Source: unknown	TCP traffic detected without corresponding DNS query: 18.182.98.193
Source: unknown	TCP traffic detected without corresponding DNS query: 192.9.42.7
Source: unknown	TCP traffic detected without corresponding DNS query: 205.187.71.176
Source: unknown	TCP traffic detected without corresponding DNS query: 252.97.60.34
Source: unknown	TCP traffic detected without corresponding DNS query: 178.239.202.195
Source: unknown	TCP traffic detected without corresponding DNS query: 18.169.214.44
Source: unknown	TCP traffic detected without corresponding DNS query: 54.118.2.114
Source: unknown	TCP traffic detected without corresponding DNS query: 248.61.246.8
Source: unknown	TCP traffic detected without corresponding DNS query: 141.234.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 77.48.99.254
Source: unknown	TCP traffic detected without corresponding DNS query: 174.251.29.219
Source: unknown	TCP traffic detected without corresponding DNS query: 87.1.84.37
Source: unknown	TCP traffic detected without corresponding DNS query: 125.240.72.254
Source: unknown	TCP traffic detected without corresponding DNS query: 173.0.147.247
Source: unknown	TCP traffic detected without corresponding DNS query: 116.223.177.216
Source: unknown	TCP traffic detected without corresponding DNS query: 8.222.84.87
Source: unknown	TCP traffic detected without corresponding DNS query: 194.198.169.176
Source: unknown	TCP traffic detected without corresponding DNS query: 150.84.116.130
Source: unknown	TCP traffic detected without corresponding DNS query: 162.165.39.78
Source: unknown	TCP traffic detected without corresponding DNS query: 249.204.91.17
Source: unknown	TCP traffic detected without corresponding DNS query: 191.49.123.189
Source: unknown	TCP traffic detected without corresponding DNS query: 184.250.54.229
Source: unknown	TCP traffic detected without corresponding DNS query: 133.148.41.181
Source: unknown	TCP traffic detected without corresponding DNS query: 120.97.159.124

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/gL6zNW1uNj (PID: 5241)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5273, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5275, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5250, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5280, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5281, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5286, result: successful

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/gL6zNW1uNj (PID: 5241)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5273, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5275, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5250, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5280, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5281, result: successful
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5286, result: successful

Source: classification engine

Classification label: mal72.spre.troj.lin@0/4@0/0

Source: gL6zNW1uNj

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/491/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/793/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/772/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/796/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/774/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/797/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/777/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/799/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/658/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/912/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/759/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/936/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/918/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/1/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/761/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/785/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/884/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/720/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/721/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/788/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/789/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/800/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/801/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/847/fd
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/904/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5145/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3088/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/910/exe
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/fd
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39944
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39948
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56724
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56748
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56752

Source: /tmp/gL6zNW1uNj (PID: 5239)

Queries kernel information via 'uname':

Source: gL6zNW1uNj, 5239.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: gL6zNW1uNj, 5239.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: gL6zNW1uNj, 5298.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: gL6zNW1uNj, 5239.1.0000000082bb98ad.00000000d33cd321.rw-.sdmp	Binary or memory string: {wx86_64/usr/bin/qemu-sparc/tmp/gL6zNW1uNjSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gL6zNW1uNj
Source: gL6zNW1uNj, 5298.1.00000000f91ff669.000000003459bf12.rw-.sdmp	Binary or memory string: U/sparc/10 /usr/bin/qemu-sparc!/proc/5268/fd/111
Source: gL6zNW1uNj, 5239.1.0000000082bb98ad.00000000d33cd321.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: gL6zNW1uNj, 5298.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: U1/usr/bin/vmtoolsdparc/10!/proc/1890/fd/48!/proc/1642/exeP

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gL6zNW1uNj	49%	Virustotal		Browse
gL6zNW1uNj	56%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
197.153.61.25	unknown	Morocco	36925	ASMediMA	false
151.86.44.187	unknown	Italy	8217	ASN-ENIIT	false
107.18.149.250	unknown	United States	14654	WAYPORTUS	false
243.122.7.203	unknown	Reserved	unknown	unknown	false
83.81.157.142	unknown	Netherlands	33915	TNF-ASNL	false
170.201.71.125	unknown	United States	10995	PNCBANKUS	false
160.242.103.111	unknown	Namibia	33763	Paratus-TelecomNA	false
152.88.139.42	unknown	Switzerland	559	SWITCHPeeringrequestspeeringswitchchEU	false
88.73.217.49	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
191.85.197.196	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
195.161.24.251	unknown	Russian Federation	8342	RTCOMM-ASRU	false
34.154.113.0	unknown	United States	2686	ATGS-MMD-ASUS	false
27.104.108.182	unknown	Singapore	4773	MOBILEONELTD-AS-APMobileOneLtdMobileInternetServicePr	false
204.189.141.189	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
85.248.170.96	unknown	Slovakia (SLOVAK Republic)	5578	AS-BENESTRABratislavaSlovakRepublicSK	false
81.43.97.163	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
9.99.10.49	unknown	United States	3356	LEVEL3US	false
193.18.64.58	unknown	Germany	41099	GLOBALREACHGB	false
78.143.58.128	unknown	Germany	34309	LINK11Link11GmbHDE	false
159.142.240.78	unknown	United States	2714	GSA-GOVUS	false
83.195.47.1	unknown	France	3215	FranceTelecom-OrangeFR	false
100.39.34.187	unknown	United States	5650	FRONTIER-FRTRUS	false
35.155.144.153	unknown	United States	16509	AMAZON-02US	false
89.82.103.245	unknown	France	5410	BOUYGTEL-ISPFR	false
206.156.198.155	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
63.15.73.8	unknown	United States	701	UUNETUS	false
102.248.204.116	unknown	South Africa	5713	SAIX-NETZA	false
247.105.76.221	unknown	Reserved	unknown	unknown	false
248.44.16.163	unknown	Reserved	unknown	unknown	false
135.205.234.119	unknown	United States	6431	ATT-RESEARCHUS	false
87.1.84.37	unknown	Italy	3269	ASN-IBSNAZIT	false
241.35.160.0	unknown	Reserved	unknown	unknown	false
246.89.40.146	unknown	Reserved	unknown	unknown	false
168.82.87.233	unknown	United States	8103	STATE-OF-FLAUS	false
65.33.229.36	unknown	United States	33363	BHN-33363US	false
5.247.253.74	unknown	Saudi Arabia	34400	ASN-ETTIHADETISALATSA	false
157.138.8.249	unknown	Italy	137	ASGARRConsortiumGARREU	false
216.202.137.20	unknown	United States	3356	LEVEL3US	false
80.248.16.53	unknown	Iceland	29689	ORIGO-ASIS	false
24.93.166.148	unknown	United States	10796	TWC-10796-MIDWESTUS	false
18.160.223.44	unknown	United States	3	MIT-GATEWAYSUS	false
157.222.204.52	unknown	United States	4704	SANNETRakutenMobileIncJP	false
213.60.172.111	unknown	Spain	12334	Galicia-SpainES	false
75.223.213.59	unknown	United States	22394	CELLCOUS	false
111.243.11.20	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
162.239.12.7	unknown	United States	7018	ATT-INTERNET4US	false
14.185.213.79	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
211.200.115.186	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
177.244.147.186	unknown	Mexico	13999	MegaCableSAdeCVMX	false
173.81.96.181	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
114.159.61.103	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
169.156.132.11	unknown	United States	6189	EPFL-ASUS	false
110.26.118.12	unknown	Taiwan; Republic of China (ROC)	9674	FET-TWFarEastToneTelecommunicationCoLtdTW	false
216.189.140.106	unknown	United States	21902	WCTAUS	false
122.109.133.175	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
179.161.68.206	unknown	Brazil	26599	TELEFONICABRASILSABR	false
95.39.201.172	unknown	Spain	12357	COMUNITELSPAINES	false
221.190.17.112	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
142.14.127.103	unknown	Canada	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
241.207.254.214	unknown	Reserved	unknown	unknown	false
169.86.62.36	unknown	United States	37611	AfrihostZA	false
207.123.43.254	unknown	United States	3356	LEVEL3US	false
122.224.85.220	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
193.146.135.162	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
244.39.205.7	unknown	Reserved	unknown	unknown	false
18.40.249.230	unknown	United States	3	MIT-GATEWAYSUS	false
202.93.232.234	unknown	Indonesia	38758	HYPERNET-AS-IDPTHIPERNETINDODATAID	false
155.199.164.179	unknown	United States	786	JANETJiscServicesLimitedGB	false
220.195.123.67	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
119.159.35.25	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
101.208.151.88	unknown	India	58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false
91.18.128.136	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
194.52.199.122	unknown	Sweden	31529	DENIC-ANYCAST-ASDNSanycastASobjectforDEDNSservice	false
23.50.220.217	unknown	United States	16625	AKAMAI-ASUS	false
98.146.118.80	unknown	United States	10838	OCEANIC-INTERNET-RRUS	false
203.168.187.234	unknown	Hong Kong	9908	HKCABLE2-HK-APHKCableTVLtdHK	false
176.212.43.225	unknown	Russian Federation	57378	ROSTOV-ASRU	false
48.38.254.123	unknown	United States	2686	ATGS-MMD-ASUS	false
53.176.103.106	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
152.223.201.108	unknown	United States	30313	IRSUS	false
102.55.170.247	unknown	Morocco	6713	IAM-ASMA	false
114.123.47.5	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
61.55.8.196	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
251.25.189.68	unknown	Reserved	unknown	unknown	false
14.120.104.110	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
68.147.7.93	unknown	Canada	6327	SHAWCA	false
97.20.172.125	unknown	United States	22394	CELLCOUS	false
41.152.76.227	unknown	Egypt	36992	ETISALAT-MISREG	false
48.131.158.196	unknown	United States	2686	ATGS-MMD-ASUS	false
106.26.169.88	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
130.252.51.239	unknown	United States	14365	ADOBE-NETUS	false
155.54.253.41	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
8.2.139.206	unknown	United States	3356	LEVEL3US	false
75.235.78.135	unknown	United States	22394	CELLCOUS	false
36.131.159.191	unknown	China	56044	CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC	false
100.49.35.79	unknown	United States	701	UUNETUS	false
166.14.24.193	unknown	Switzerland	11798	ACEDATACENTERS-AS-1US	false
246.125.194.19	unknown	Reserved	unknown	unknown	false
223.218.222.111	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
103.140.138.184	unknown	Malaysia	133936	X86NETWORK-AS-APX86NetworkSdnBhdMY	false

Runtime Messages

Command:	/tmp/gL6zNW1uNj
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASN-ENIIT	HwcNrhNfZg	Get hash	malicious	Browse	151.98.27.212
	sora.arm	Get hash	malicious	Browse	151.96.119.3
	WhFNix8BoE	Get hash	malicious	Browse	151.98.75.125
	xd.x86	Get hash	malicious	Browse	151.96.214.151
	re2.arm7	Get hash	malicious	Browse	151.98.75.126
	QcXQmNSaSp	Get hash	malicious	Browse	151.98.27.220
	Darknet.x86	Get hash	malicious	Browse	151.98.75.124
	sora.arm	Get hash	malicious	Browse	151.86.219.27
	j1zDAEIWib	Get hash	malicious	Browse	151.98.75.136
	c0k7KpL89r	Get hash	malicious	Browse	151.96.108.147
ASMediMA	3ObdCtruss	Get hash	malicious	Browse	102.103.39.117
	DVHEnaPp2d	Get hash	malicious	Browse	105.188.238.148
	x86	Get hash	malicious	Browse	196.127.145.158
	fZ9Y8XVXDH	Get hash	malicious	Browse	45.219.30.154
	SQFoFeC1jQ	Get hash	malicious	Browse	197.153.85.54
	xd.x86	Get hash	malicious	Browse	41.93.16.194
	sora.mpsl	Get hash	malicious	Browse	41.87.150.68
	MePwVTNRoA	Get hash	malicious	Browse	45.219.30.100
	eFsSvDKams	Get hash	malicious	Browse	41.92.37.100
	Hilix.arm7	Get hash	malicious	Browse	45.219.30.118
	Hilix.x86	Get hash	malicious	Browse	45.219.30.106
	aTQ4RalkUs	Get hash	malicious	Browse	41.214.134.111
	8PRjJeUifB	Get hash	malicious	Browse	45.216.221.197
	t7WU0JjLAR	Get hash	malicious	Browse	41.92.113.34
	FGVOkw9did	Get hash	malicious	Browse	197.247.118.67
	arm7-20211101-1513	Get hash	malicious	Browse	196.126.207.163
	mxHkqAIYT0	Get hash	malicious	Browse	41.87.150.73
	Antisocial.x86	Get hash	malicious	Browse	45.219.30.151
	w66OTKGVFv	Get hash	malicious	Browse	45.219.30.100
	ydZLm6GD56	Get hash	malicious	Browse	45.219.30.146
WAYPORTUS	8fVDxGRR8S	Get hash	malicious	Browse	216.12.242.81
	P8NtIPe7f0	Get hash	malicious	Browse	206.59.196.119
	3AlyfRnHRd	Get hash	malicious	Browse	100.47.222.235
	YYcy9gLbBC	Get hash	malicious	Browse	107.19.227.149
	rMwxCtXmuJ	Get hash	malicious	Browse	107.25.250.38
	b3astmode.arm	Get hash	malicious	Browse	107.18.150.164
	6A9RyJXCd7	Get hash	malicious	Browse	100.46.121.11
	1Y2rsDBP9s	Get hash	malicious	Browse	107.28.67.253
	lYmYPlzghQ	Get hash	malicious	Browse	107.28.67.222
	gbk4XWulUo	Get hash	malicious	Browse	184.49.234.70
	INsMwWSMeh	Get hash	malicious	Browse	184.49.234.47
	WnhlYWJ5C5	Get hash	malicious	Browse	107.18.150.166
	1S80No4PTV	Get hash	malicious	Browse	107.28.20.236
	apep.x86	Get hash	malicious	Browse	107.18.224.74
	6NzbU4oW61	Get hash	malicious	Browse	107.18.200.92
	sora.arm	Get hash	malicious	Browse	107.18.39.9
	wL8CswnbUJ	Get hash	malicious	Browse	107.25.249.96
	JWCIQ6dmiX	Get hash	malicious	Browse	107.16.234.110
	DT5DNY63Rp	Get hash	malicious	Browse	107.18.102.202
	eUjl39mhBT	Get hash	malicious	Browse	107.25.121.193

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5286/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/proc/5304/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:DVRv:JRv
MD5:	C20A7ECD1C53AD9522EEDDA05994E0FF
SHA1:	4C58A470A925D0778306B17AF553D80D949DD3DD
SHA-256:	4FA6BD7EB31F8EFFFE3EFAE78A995D530EB82462034F575AAF8163F46920EA78
SHA-512:	AC700633B219F0FC8BAADF5CA1B007794B7B2264ACC514CF4C55CE470993EC7B851D464D04A90302B91DAEB505FEE0F6E14669F2DB36B2DD7770FC4C42727CA1
Malicious:	false
Reputation:	low
Preview:	5304.

Static File Info

General
File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.035636042849447
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	gL6zNW1uNj
File size:	60412
MD5:	deee0487e17b20a74a1757f36e92a240
SHA1:	865c8c7d1b4d725220d58075839e1429820e3465
SHA256:	9ad0477757b6e3b5808cb2ef7b0a53c58823ab63339d8575f454341446bf2b14
SHA512:	94ea25eb83484a1f32249847cedff76bb149cf4f7b7d36f60b70ca057bf57407b381be6826734fba85cd4313a2b46f5fce4baae1373c174f2df99ff83c810c4d
SSDEEP:	768:eLobAxU6q9Hfymp0xginuYvCkLB6WsTwIC1DQdszoDaS0O+DCDp:eL0AxvSHfymp0xgunvCkV6vTMDaue
File Content Preview:	.ELF...........................4...l.....4. ...(.......................................................x............dt.Q................................@..(....@.8R................#.....b0..`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	60012
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0xe180	0x0	0x6	AX	4
.fini	PROGBITS	0x1e230	0xe230	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1e248	0xe248	0x668	0x0	0x2	A	8
.ctors	PROGBITS	0x2e8b4	0xe8b4	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x2e8bc	0xe8bc	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x2e8c8	0xe8c8	0x164	0x0	0x3	WA	8
.bss	NOBITS	0x2ea30	0xea2c	0x288	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0xea2c	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0xe8b0	0xe8b0	3.3884	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xe8b4	0x2e8b4	0x2e8b4	0x178	0x404	0.3183	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2021 23:51:51.843924999 CET	44384	1312	192.168.2.23	86.126.191.187
Nov 10, 2021 23:51:51.859568119 CET	46858	23	192.168.2.23	154.206.38.139
Nov 10, 2021 23:51:51.859600067 CET	46858	23	192.168.2.23	101.130.129.147
Nov 10, 2021 23:51:51.859610081 CET	46858	23	192.168.2.23	8.204.194.128
Nov 10, 2021 23:51:51.859730959 CET	46858	23	192.168.2.23	47.125.240.84
Nov 10, 2021 23:51:51.859765053 CET	46858	23	192.168.2.23	57.8.81.223
Nov 10, 2021 23:51:51.859764099 CET	46858	23	192.168.2.23	23.50.220.217
Nov 10, 2021 23:51:51.859771967 CET	46858	23	192.168.2.23	73.46.136.207
Nov 10, 2021 23:51:51.859837055 CET	46858	23	192.168.2.23	192.89.191.6
Nov 10, 2021 23:51:51.859843016 CET	46858	23	192.168.2.23	60.64.228.232
Nov 10, 2021 23:51:51.859885931 CET	46858	23	192.168.2.23	75.203.207.217
Nov 10, 2021 23:51:51.859934092 CET	46858	23	192.168.2.23	163.88.47.71
Nov 10, 2021 23:51:51.860040903 CET	46858	23	192.168.2.23	42.237.32.248
Nov 10, 2021 23:51:51.860090971 CET	46858	23	192.168.2.23	150.221.199.109
Nov 10, 2021 23:51:51.860116005 CET	46858	23	192.168.2.23	19.0.217.207
Nov 10, 2021 23:51:51.860124111 CET	46858	23	192.168.2.23	250.16.28.79
Nov 10, 2021 23:51:51.860204935 CET	46858	23	192.168.2.23	107.252.94.222
Nov 10, 2021 23:51:51.860215902 CET	46858	23	192.168.2.23	192.50.222.74
Nov 10, 2021 23:51:51.860243082 CET	46858	23	192.168.2.23	107.117.147.93
Nov 10, 2021 23:51:51.860269070 CET	46858	23	192.168.2.23	169.138.96.213
Nov 10, 2021 23:51:51.860287905 CET	46858	23	192.168.2.23	18.96.158.1
Nov 10, 2021 23:51:51.860313892 CET	46858	23	192.168.2.23	116.67.244.33
Nov 10, 2021 23:51:51.860333920 CET	46858	23	192.168.2.23	57.244.27.55
Nov 10, 2021 23:51:51.860343933 CET	46858	23	192.168.2.23	184.217.61.34
Nov 10, 2021 23:51:51.860359907 CET	46858	23	192.168.2.23	252.137.132.179
Nov 10, 2021 23:51:51.860363007 CET	46858	23	192.168.2.23	118.232.80.207
Nov 10, 2021 23:51:51.860367060 CET	46858	23	192.168.2.23	18.182.98.193
Nov 10, 2021 23:51:51.860444069 CET	46858	23	192.168.2.23	192.9.42.7
Nov 10, 2021 23:51:51.860553026 CET	46858	23	192.168.2.23	205.187.71.176
Nov 10, 2021 23:51:51.860555887 CET	46858	23	192.168.2.23	252.97.60.34
Nov 10, 2021 23:51:51.860599041 CET	46858	23	192.168.2.23	178.239.202.195
Nov 10, 2021 23:51:51.860630035 CET	46858	23	192.168.2.23	18.169.214.44
Nov 10, 2021 23:51:51.860641003 CET	46858	23	192.168.2.23	54.118.2.114
Nov 10, 2021 23:51:51.860656023 CET	46858	23	192.168.2.23	248.61.246.8
Nov 10, 2021 23:51:51.860662937 CET	46858	23	192.168.2.23	141.234.1.205
Nov 10, 2021 23:51:51.860706091 CET	46858	23	192.168.2.23	77.48.99.254
Nov 10, 2021 23:51:51.861448050 CET	46858	23	192.168.2.23	174.251.29.219
Nov 10, 2021 23:51:51.861450911 CET	46858	23	192.168.2.23	87.1.84.37
Nov 10, 2021 23:51:51.861465931 CET	46858	23	192.168.2.23	125.240.72.254
Nov 10, 2021 23:51:51.861481905 CET	46858	23	192.168.2.23	173.0.147.247
Nov 10, 2021 23:51:51.861515999 CET	46858	23	192.168.2.23	116.223.177.216
Nov 10, 2021 23:51:51.861525059 CET	46858	23	192.168.2.23	8.222.84.87
Nov 10, 2021 23:51:51.861598969 CET	46858	23	192.168.2.23	85.110.243.120
Nov 10, 2021 23:51:51.861598969 CET	46858	23	192.168.2.23	194.198.169.176
Nov 10, 2021 23:51:51.861602068 CET	46858	23	192.168.2.23	150.84.116.130
Nov 10, 2021 23:51:51.861649036 CET	46858	23	192.168.2.23	162.165.39.78
Nov 10, 2021 23:51:51.861659050 CET	46858	23	192.168.2.23	249.204.91.17
Nov 10, 2021 23:51:51.861676931 CET	46858	23	192.168.2.23	191.49.123.189
Nov 10, 2021 23:51:51.861679077 CET	46858	23	192.168.2.23	184.250.54.229
Nov 10, 2021 23:51:51.861689091 CET	46858	23	192.168.2.23	133.148.41.181
Nov 10, 2021 23:51:51.861716986 CET	46858	23	192.168.2.23	191.102.210.3
Nov 10, 2021 23:51:51.861745119 CET	46858	23	192.168.2.23	120.97.159.124
Nov 10, 2021 23:51:51.861763954 CET	46858	23	192.168.2.23	136.246.50.137
Nov 10, 2021 23:51:51.861804008 CET	46858	23	192.168.2.23	161.107.153.53
Nov 10, 2021 23:51:51.861831903 CET	46858	23	192.168.2.23	23.120.22.234
Nov 10, 2021 23:51:51.861843109 CET	46858	23	192.168.2.23	249.8.7.244
Nov 10, 2021 23:51:51.861865044 CET	46858	23	192.168.2.23	4.114.50.95
Nov 10, 2021 23:51:51.861876965 CET	46858	23	192.168.2.23	250.238.23.116
Nov 10, 2021 23:51:51.861949921 CET	46858	23	192.168.2.23	66.218.9.85
Nov 10, 2021 23:51:51.861963034 CET	46858	23	192.168.2.23	201.36.148.253
Nov 10, 2021 23:51:51.861973047 CET	46858	23	192.168.2.23	172.139.78.139
Nov 10, 2021 23:51:51.862056017 CET	46858	23	192.168.2.23	146.29.209.89
Nov 10, 2021 23:51:51.862080097 CET	46858	23	192.168.2.23	183.138.134.175
Nov 10, 2021 23:51:51.862104893 CET	46858	23	192.168.2.23	70.72.184.27
Nov 10, 2021 23:51:51.862132072 CET	46858	23	192.168.2.23	20.10.252.55
Nov 10, 2021 23:51:51.862135887 CET	46858	23	192.168.2.23	167.178.18.202
Nov 10, 2021 23:51:51.862143993 CET	46858	23	192.168.2.23	133.103.70.51
Nov 10, 2021 23:51:51.862149954 CET	46858	23	192.168.2.23	123.5.159.197
Nov 10, 2021 23:51:51.862164021 CET	46858	23	192.168.2.23	44.155.86.25
Nov 10, 2021 23:51:51.862175941 CET	46858	23	192.168.2.23	16.119.213.67
Nov 10, 2021 23:51:51.862224102 CET	46858	23	192.168.2.23	63.110.82.139
Nov 10, 2021 23:51:51.862226009 CET	46858	23	192.168.2.23	221.47.134.53
Nov 10, 2021 23:51:51.862282991 CET	46858	23	192.168.2.23	45.7.80.58
Nov 10, 2021 23:51:51.862299919 CET	46858	23	192.168.2.23	87.83.165.254
Nov 10, 2021 23:51:51.862325907 CET	46858	23	192.168.2.23	57.34.122.27
Nov 10, 2021 23:51:51.862334013 CET	46858	23	192.168.2.23	17.41.207.222
Nov 10, 2021 23:51:51.862346888 CET	46858	23	192.168.2.23	212.222.173.252
Nov 10, 2021 23:51:51.862390995 CET	46858	23	192.168.2.23	94.189.3.124
Nov 10, 2021 23:51:51.862437010 CET	46858	23	192.168.2.23	203.176.95.157
Nov 10, 2021 23:51:51.862472057 CET	46858	23	192.168.2.23	94.196.203.172
Nov 10, 2021 23:51:51.862482071 CET	46858	23	192.168.2.23	218.103.180.43
Nov 10, 2021 23:51:51.862586975 CET	46858	23	192.168.2.23	159.42.39.166
Nov 10, 2021 23:51:51.862629890 CET	46858	23	192.168.2.23	206.78.188.247
Nov 10, 2021 23:51:51.862632990 CET	46858	23	192.168.2.23	166.114.166.97
Nov 10, 2021 23:51:51.862652063 CET	46858	23	192.168.2.23	121.150.44.160
Nov 10, 2021 23:51:51.862659931 CET	46858	23	192.168.2.23	207.125.245.15
Nov 10, 2021 23:51:51.862673998 CET	46858	23	192.168.2.23	245.75.180.140
Nov 10, 2021 23:51:51.863677025 CET	46858	23	192.168.2.23	212.221.199.76
Nov 10, 2021 23:51:51.863678932 CET	46858	23	192.168.2.23	95.176.68.15
Nov 10, 2021 23:51:51.863689899 CET	46858	23	192.168.2.23	200.62.2.204
Nov 10, 2021 23:51:51.863706112 CET	46858	23	192.168.2.23	8.23.132.21
Nov 10, 2021 23:51:51.863708973 CET	46858	23	192.168.2.23	247.133.146.255
Nov 10, 2021 23:51:51.863712072 CET	46858	23	192.168.2.23	163.79.145.69
Nov 10, 2021 23:51:51.863722086 CET	46858	23	192.168.2.23	1.40.112.189
Nov 10, 2021 23:51:51.863724947 CET	46858	23	192.168.2.23	251.86.5.44
Nov 10, 2021 23:51:51.863785982 CET	46858	23	192.168.2.23	99.223.216.218
Nov 10, 2021 23:51:51.863791943 CET	46858	23	192.168.2.23	27.158.15.125
Nov 10, 2021 23:51:51.863801003 CET	46858	23	192.168.2.23	181.57.188.3
Nov 10, 2021 23:51:51.863806963 CET	46858	23	192.168.2.23	245.38.220.243
Nov 10, 2021 23:51:51.863841057 CET	46858	23	192.168.2.23	69.57.21.172

System Behavior

Analysis Process: gL6zNW1uNj PID: 5239 Parent PID: 5117

General

Start time:	23:51:50
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	/tmp/gL6zNW1uNj
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5241 Parent PID: 5239

General

Start time:	23:51:50
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5271 Parent PID: 5241

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5273 Parent PID: 5241

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5275 Parent PID: 5273

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5278 Parent PID: 5275

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5281 Parent PID: 5275

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5277 Parent PID: 5273

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5280 Parent PID: 5273

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5242 Parent PID: 5239

General

Start time:	23:51:50
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5244 Parent PID: 5239

General

Start time:	23:51:50
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5247 Parent PID: 5244

General

Start time:	23:51:50
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5298 Parent PID: 5247

General

Start time:	23:52:04
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5299 Parent PID: 5247

General

Start time:	23:52:04
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5248 Parent PID: 5244

General

Start time:	23:51:50
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: gL6zNW1uNj PID: 5250 Parent PID: 5244

General

Start time:	23:51:51
Start date:	10/11/2021
Path:	/tmp/gL6zNW1uNj
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: systemd PID: 5270 Parent PID: 1

General

Start time:	23:51:58
Start date:	10/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5270 Parent PID: 1

General

Start time:	23:51:58
Start date:	10/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5286 Parent PID: 1

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5286 Parent PID: 1

General

Start time:	23:51:59
Start date:	10/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5297 Parent PID: 1

General

Start time:	23:52:04
Start date:	10/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5297 Parent PID: 1

General

Start time:	23:52:04
Start date:	10/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5304 Parent PID: 1

General

Start time:	23:52:05
Start date:	10/11/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5304 Parent PID: 1

General

Start time:	23:52:05
Start date:	10/11/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report gL6zNW1uNj

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: gL6zNW1uNj PID: 5239 Parent PID: 5117

General

Analysis Process: gL6zNW1uNj PID: 5241 Parent PID: 5239

General

Analysis Process: gL6zNW1uNj PID: 5271 Parent PID: 5241

General

Analysis Process: gL6zNW1uNj PID: 5273 Parent PID: 5241

General

Analysis Process: gL6zNW1uNj PID: 5275 Parent PID: 5273

General

Analysis Process: gL6zNW1uNj PID: 5278 Parent PID: 5275

General

Analysis Process: gL6zNW1uNj PID: 5281 Parent PID: 5275

General

Analysis Process: gL6zNW1uNj PID: 5277 Parent PID: 5273

General

Analysis Process: gL6zNW1uNj PID: 5280 Parent PID: 5273

General

Analysis Process: gL6zNW1uNj PID: 5242 Parent PID: 5239

General

Analysis Process: gL6zNW1uNj PID: 5244 Parent PID: 5239