Linux
Analysis Report
XfUkJyh9A3.elf
Overview
General Information
Detection
Mirai
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Yara detected Mirai
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Uses known network protocols on non-standard ports
Passes username and password via HTTP get
Sample tries to kill multiple processes (SIGKILL)
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample has stripped symbol table
HTTP GET or POST without a user agent
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Classification
Analysis Advice
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 713880 |
Start date and time: | 2022-10-01 05:04:53 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | XfUkJyh9A3.elf |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Detection: | MAL |
Classification: | mal88.spre.troj.linELF@0/0@1/0 |
- Report size exceeded maximum capacity and may have missing network information.
- VT rate limit hit for: XfUkJyh9A3.elf
Command: | /tmp/XfUkJyh9A3.elf |
PID: | 6232 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | unstable_is_the_history_of_universe |
Standard Error: |
- system is lnxubuntu20
- XfUkJyh9A3.elf New Fork (PID: 6238, Parent: 6232)
- XfUkJyh9A3.elf New Fork (PID: 6240, Parent: 6238)
- XfUkJyh9A3.elf New Fork (PID: 6241, Parent: 6238)
- XfUkJyh9A3.elf New Fork (PID: 6243, Parent: 6238)
- XfUkJyh9A3.elf New Fork (PID: 6245, Parent: 6238)
- XfUkJyh9A3.elf New Fork (PID: 6247, Parent: 6238)
- XfUkJyh9A3.elf New Fork (PID: 6250, Parent: 6238)
- xfce4-panel New Fork (PID: 6256, Parent: 2063)
- xfce4-panel New Fork (PID: 6257, Parent: 2063)
- xfce4-panel New Fork (PID: 6258, Parent: 2063)
- xfce4-panel New Fork (PID: 6259, Parent: 2063)
- xfce4-panel New Fork (PID: 6260, Parent: 2063)
- xfce4-panel New Fork (PID: 6261, Parent: 2063)
- cleanup
Rule | Description | Author |
---|---|---|
SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth |
MAL_ELF_LNX_Mirai_Oct10_1 | Detects ELF Mirai variant | Florian Roth |
JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |

Rule | Description | Author |
---|---|---|
JoeSecurity_Mirai_12 | Yara detected Mirai | Joe Security |

Rule | Description | Author |
---|---|---|
SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth |
SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth |
MAL_ELF_LNX_Mirai_Oct10_1 | Detects ELF Mirai variant | Florian Roth |
JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth |
Snort IDS Alerts
Timestamp | Source | Destination | SID | Protocol | Classtype |
---|---|---|---|---|---|
10/01/22-05:06:04.058903 | 192.168.2.23:36220 | 43.128.203.139:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:58.857823 | 192.168.2.23:60866 | 197.246.194.241:37215 | 2835222 | TCP | A Network Trojan was detected |
10/01/22-05:06:09.620765 | 192.168.2.23:54212 | 5.39.91.23:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.263286 | 192.168.2.23:53150 | 35.227.249.203:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.820281 | 192.168.2.23:37324 | 221.147.77.142:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.547584 | 192.168.2.23:37594 | 52.212.41.202:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.747009 | 192.168.2.23:42658 | 64.156.195.250:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.242022 | 192.168.2.23:37632 | 185.191.145.177:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.479389 | 192.168.2.23:47530 | 120.226.149.66:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.571004 | 192.168.2.23:40946 | 34.149.101.176:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:58.113269 | 192.168.2.23:44302 | 23.4.160.120:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.713722 | 192.168.2.23:51128 | 103.61.21.97:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.791917 | 192.168.2.23:48894 | 27.147.230.214:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:52.124145 | 192.168.2.23:55170 | 113.31.164.47:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:52.788276 | 192.168.2.23:46812 | 23.38.181.140:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.363676 | 192.168.2.23:34388 | 72.183.242.193:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.005252 | 192.168.2.23:43728 | 31.45.203.37:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:03.995743 | 192.168.2.23:38606 | 45.127.235.20:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.574789 | 192.168.2.23:54746 | 76.74.230.97:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:52.756775 | 192.168.2.23:48764 | 23.197.19.214:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.417830 | 192.168.2.23:38718 | 185.88.146.126:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:51.800204 | 192.168.2.23:48100 | 163.172.42.81:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.319501 | 192.168.2.23:54628 | 162.55.177.146:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.077642 | 192.168.2.23:39718 | 74.50.125.40:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.632729 | 192.168.2.23:41736 | 213.90.126.131:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.302630 | 192.168.2.23:45974 | 185.149.103.142:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.461135 | 192.168.2.23:51112 | 83.4.23.193:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.034054 | 192.168.2.23:36408 | 195.54.161.46:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:51.768381 | 192.168.2.23:51772 | 13.248.174.140:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.644894 | 192.168.2.23:37454 | 154.91.61.21:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.598661 | 192.168.2.23:60954 | 206.72.201.184:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.707680 | 192.168.2.23:33178 | 45.145.73.170:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.033818 | 192.168.2.23:52280 | 197.12.237.162:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:51.971656 | 192.168.2.23:43916 | 23.199.1.200:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.089245 | 192.168.2.23:39528 | 192.199.252.35:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.669230 | 192.168.2.23:33956 | 64.13.198.208:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:04.024159 | 192.168.2.23:48506 | 138.19.146.106:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.510384 | 192.168.2.23:47206 | 185.248.171.103:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:51.864156 | 192.168.2.23:35800 | 213.194.135.115:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.250841 | 192.168.2.23:43614 | 54.217.20.203:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.769264 | 192.168.2.23:41202 | 216.10.232.190:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.277864 | 192.168.2.23:50234 | 5.2.85.245:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.632077 | 192.168.2.23:53130 | 40.78.19.94:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.534661 | 192.168.2.23:33338 | 54.88.126.69:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.408129 | 192.168.2.23:34634 | 194.184.21.12:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.441690 | 192.168.2.23:56126 | 23.199.208.222:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.871950 | 192.168.2.23:42826 | 35.74.125.88:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.248319 | 192.168.2.23:36186 | 165.231.105.229:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.940056 | 192.168.2.23:48458 | 103.18.246.55:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.869533 | 192.168.2.23:42806 | 200.36.158.15:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.420905 | 192.168.2.23:58556 | 89.107.188.33:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:52.416441 | 192.168.2.23:51218 | 118.67.133.124:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.551375 | 192.168.2.23:42868 | 115.22.193.50:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.667874 | 192.168.2.23:41224 | 50.193.73.200:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.401526 | 192.168.2.23:49028 | 108.61.215.245:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.331702 | 192.168.2.23:47582 | 150.217.71.205:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.633543 | 192.168.2.23:56962 | 120.125.126.67:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.780492 | 192.168.2.23:41466 | 58.215.37.40:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.698938 | 192.168.2.23:46274 | 65.122.70.135:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.249939 | 192.168.2.23:53474 | 37.59.148.216:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:51.806258 | 192.168.2.23:50400 | 35.187.38.142:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:08.992987 | 192.168.2.23:38772 | 209.130.155.154:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.624300 | 192.168.2.23:51990 | 192.74.241.19:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.900424 | 192.168.2.23:47868 | 200.37.166.146:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:03.820254 | 192.168.2.23:33314 | 104.126.187.132:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.828035 | 192.168.2.23:36668 | 35.81.110.129:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.941350 | 192.168.2.23:50460 | 14.44.111.65:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:58.108647 | 192.168.2.23:48180 | 114.129.204.178:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.814133 | 192.168.2.23:55380 | 210.140.124.19:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:03.863162 | 192.168.2.23:50186 | 69.12.95.59:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.624513 | 192.168.2.23:48276 | 71.62.230.11:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:04.041500 | 192.168.2.23:43616 | 202.101.47.40:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:52.918401 | 192.168.2.23:55010 | 118.39.237.108:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.811064 | 192.168.2.23:40750 | 52.197.86.212:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:08.599944 | 192.168.2.23:52610 | 156.224.22.25:37215 | 2835222 | TCP | A Network Trojan was detected |
10/01/22-05:05:57.710442 | 192.168.2.23:45680 | 124.70.5.36:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.522943 | 192.168.2.23:55302 | 76.97.190.128:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.592939 | 192.168.2.23:43104 | 99.84.242.252:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:06.475710 | 192.168.2.23:51334 | 52.10.241.176:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.430623 | 192.168.2.23:43914 | 124.221.181.18:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:04.030351 | 192.168.2.23:52606 | 103.91.189.63:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.799225 | 192.168.2.23:48586 | 103.242.119.29:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.249578 | 192.168.2.23:56054 | 89.106.129.42:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:51.745309 | 192.168.2.23:44564 | 77.56.52.44:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.643445 | 192.168.2.23:46658 | 50.63.242.182:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:52.373753 | 192.168.2.23:47002 | 106.243.1.107:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.761698 | 192.168.2.23:54254 | 179.126.69.226:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:03.555316 | 192.168.2.23:49948 | 156.220.254.90:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:03.689824 | 192.168.2.23:51958 | 104.121.119.246:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.451459 | 192.168.2.23:50230 | 158.228.146.115:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:55.790102 | 192.168.2.23:43966 | 54.176.185.245:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:03.862648 | 192.168.2.23:37982 | 52.201.37.207:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:57.733681 | 192.168.2.23:37052 | 137.184.133.103:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:56.083892 | 192.168.2.23:41478 | 190.11.157.214:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:05:59.436974 | 192.168.2.23:42886 | 184.51.235.84:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:02.448557 | 192.168.2.23:47804 | 198.46.87.178:80 | 2030092 | TCP | Web Application Attack |
10/01/22-05:06:09.045891 | 192.168.2.23:41438 | 173.255.162.173:80 | 2030092 | TCP | Web Application Attack |
- Networking
- System Summary
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Stealing of Sensitive Information
- Remote Access Functionality
Networking |
---|
Source: | Snort IDS: | ||
Source: | TCP traffic: |
Source: | Network traffic detected: | ||
Source: | HTTP get: |