Edit tour

Linux Analysis Report
KGkoLgvOGp.elf

Overview

General Information

Sample Name:	KGkoLgvOGp.elf
Original Sample Name:	24b923862a5e92038b93fbb6055d47ea.elf
Analysis ID:	858973
MD5:	24b923862a5e92038b93fbb6055d47ea
SHA1:	f82fdcd4f27fc3ac895b0b20262793d06cdceb99
SHA256:	920f0d8be6f53b0cf95f393664d99288af0fafca06a826f520c1d77160b7c5f6
Tags:	64elfgafgytMirai
Infos:

Detection

Moobot

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Moobot

Snort IDS alert for network traffic

Machine Learning detection for sample

Uses dynamic DNS services

Yara signature match

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	858973
Start date and time:	2023-05-04 12:41:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample file name:	KGkoLgvOGp.elf
Original Sample Name:	24b923862a5e92038b93fbb6055d47ea.elf
Detection:	MAL
Classification:	mal88.troj.linELF@0/0@1/0

Warnings

VT rate limit hit for: lkavsjdnbah.ddns.net

Runtime Messages

Command:	/tmp/KGkoLgvOGp.elf
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	listening to tun0
Standard Error:

Process Tree

system is lnxubuntu20

KGkoLgvOGp.elf (PID: 6230, Parent: 6125, MD5: 24b923862a5e92038b93fbb6055d47ea) Arguments: /tmp/KGkoLgvOGp.elf

KGkoLgvOGp.elf New Fork (PID: 6231, Parent: 6230)

KGkoLgvOGp.elf New Fork (PID: 6232, Parent: 6230)

udisksd New Fork (PID: 6241, Parent: 799)

dumpe2fs (PID: 6241, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b https://unit42.paloaltonetworks.com/moobot-d-link-devices/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
KGkoLgvOGp.elf	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth (Nextron Systems)	0x10d08:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10d78:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10de8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10e58:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10ec8:$xo1: oMXKNNC\x0D\x17\x0C\x12
KGkoLgvOGp.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xc8c0:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd0af:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x103e0:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9e12:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x9f4c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xf83e:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xcc6f:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0xc212:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xcf3a:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
KGkoLgvOGp.elf	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0xc40b:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
KGkoLgvOGp.elf	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x34e0:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
KGkoLgvOGp.elf	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x39a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
KGkoLgvOGp.elf	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x875f:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
KGkoLgvOGp.elf	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x49d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
KGkoLgvOGp.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x73b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 11 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6230.1.0000000000c6c000.0000000000c6e000.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth (Nextron Systems)	0x6f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x770:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x7f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x870:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x8f0:$xo1: oMXKNNC\x0D\x17\x0C\x12
6230.1.0000000000400000.0000000000413000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth (Nextron Systems)	0x10d08:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10d78:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10de8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10e58:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10ec8:$xo1: oMXKNNC\x0D\x17\x0C\x12
6230.1.0000000000400000.0000000000413000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xc8c0:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xd0af:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x103e0:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0x9e12:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x9f4c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0xf83e:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xcc6f:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0xc212:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xcf3a:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0xc40b:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x34e0:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x39a:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x875f:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x49d:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
6230.1.0000000000400000.0000000000413000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x73b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: KGkoLgvOGp.elf PID: 6230	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: KGkoLgvOGp.elf PID: 6230	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xd76:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 14 entries

Snort Signatures

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.23 - Destination IP: 205.185.123.50

Timestamp:	192.168.2.23205.185.123.504799862852030490 05/04/23-12:42:30.302977
SID:	2030490
Source Port:	47998
Destination Port:	6285
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response - Source IP: 205.185.123.50 - Destination IP: 192.168.2.23

Timestamp:	205.185.123.50192.168.2.236285479982030489 05/04/23-12:45:56.495659
SID:	2030489
Source Port:	6285
Destination Port:	47998
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Malware Analysis System Evasion
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: KGkoLgvOGp.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: KGkoLgvOGp.elf	ReversingLabs: Detection: 64%
Source: KGkoLgvOGp.elf	Virustotal: Detection: 61%			Perma Link

Machine Learning detection for sample

Source: KGkoLgvOGp.elf

Joe Sandbox ML: detected

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:47998 -> 205.185.123.50:6285
Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 205.185.123.50:6285 -> 192.168.2.23:47998

Uses dynamic DNS services

Source: unknown

DNS query: name: lkavsjdnbah.ddns.net

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:47998 -> 205.185.123.50:6285

Source: /tmp/KGkoLgvOGp.elf (PID: 6230)

Socket: 127.0.0.1::6628

Jump to behavior

Source: unknown

DNS traffic detected: queries for: lkavsjdnbah.ddns.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

System Summary

Malicious sample detected (through community Yara rule)

Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: Process Memory Space: KGkoLgvOGp.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: KGkoLgvOGp.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 6230.1.0000000000c6c000.0000000000c6e000.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: Process Memory Space: KGkoLgvOGp.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/self/exe/bin/busybox/proc/%d/etc/dosbotcantkill//proc/%sjx3k9zqo7h/lib/systemd/usr/lib/systemd/systemd/usr/lib/openssh/sftp-server/sys/system/dvr/main/usr/mnt/mtd/org/userfs/home/process/net_process/var/tmp/sonia/usr/sbin/usr/bin/mnt/gm/bin/var/Sofia/usr/sbin/sshd/usr/sbin/ntpd/usr/sbin/cupsd/usr/lib/apt/methods/http/usr/sbin/crond/usr/sbin/rsyslogd/usr/sbin/inetd/usr/sbin/dnsmasq/usr/bin/DVRServer/usr/bin/DVRShell/usr/bin/DVRControl/usr/bin/DVRRemoteAgent/usr/bin/DVRNetService/usr/libexec/openssh/sftp-serverM

Source: classification engine

Classification label: mal88.troj.linELF@0/0@1/0

Source: /tmp/KGkoLgvOGp.elf (PID: 6232)

Queries kernel information via 'uname':

Jump to behavior

Stealing of Sensitive Information

Yara detected Moobot

Source: Yara match	File source: KGkoLgvOGp.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KGkoLgvOGp.elf PID: 6230, type: MEMORYSTR

Remote Access Functionality

Yara detected Moobot

Source: Yara match	File source: KGkoLgvOGp.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KGkoLgvOGp.elf PID: 6230, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KGkoLgvOGp.elf	65%	ReversingLabs	Linux.Trojan.Mirai
KGkoLgvOGp.elf	61%	Virustotal		Browse
KGkoLgvOGp.elf	100%	Avira	EXP/ELF.Gafgyt.Gen.I
KGkoLgvOGp.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lkavsjdnbah.ddns.net	205.185.123.50	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
205.185.123.50	lkavsjdnbah.ddns.net	United States	53667	PONYNETUS	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
205.185.123.50	UGIl9GEfZ8.elf	Get hash	malicious	Moobot	Browse
109.202.202.202	UGIl9GEfZ8.elf	Get hash	malicious	Moobot	Browse
	SecuriteInfo.com.ELF.Mirai-CDA.16672.15430.elf	Get hash	malicious	Unknown	Browse
	Ra1ixhHhPo.elf	Get hash	malicious	Unknown	Browse
	fixrTE1tEH.elf	Get hash	malicious	Unknown	Browse
	R1l4QyoHAs.elf	Get hash	malicious	Unknown	Browse
	XL67blcDWh.elf	Get hash	malicious	Unknown	Browse
	ohV78wh8AQ.elf	Get hash	malicious	Unknown	Browse
	4G1y865GFg.elf	Get hash	malicious	Unknown	Browse
	TW12EHHuzt.elf	Get hash	malicious	Mirai	Browse
	kxbGfVfLyW.elf	Get hash	malicious	Mirai	Browse
	0smo0BlzPm.elf	Get hash	malicious	Unknown	Browse
	yKtufapSlG.elf	Get hash	malicious	Mirai	Browse
	9PYy188mtA.elf	Get hash	malicious	Unknown	Browse
	LQ6nA8yvZo.elf	Get hash	malicious	Unknown	Browse
	rOpXBFSUYZ.elf	Get hash	malicious	Unknown	Browse
	hidq5TmFsF.elf	Get hash	malicious	Unknown	Browse
	W4WrVROd45.elf	Get hash	malicious	Unknown	Browse
	HWcgrdgfba.elf	Get hash	malicious	Unknown	Browse
	x6JdQINStZ.elf	Get hash	malicious	Unknown	Browse
	lava.x86_64.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lkavsjdnbah.ddns.net	UGIl9GEfZ8.elf	Get hash	malicious	Moobot	Browse	205.185.123.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PONYNETUS	UGIl9GEfZ8.elf	Get hash	malicious	Moobot	Browse	205.185.123.50
	https://r20.rs6.net/tn.jsp?f=001OEpvye9gwARBAbLt7Vf1EU1Yl_hX1FWX6SThguHY7PN6nAm8cvEbwYGzFeeO9XamgT8kGBW_Kg44XFBhCxVKrMPatnlBie4toQjVi-C1fk7IFGObZt9UTCwD7CM13gNH44uhgtj4n8U=&c=kpPxQ7IIqKpcV_lz3HYx5pWKQpxSQl6atlL3jMRSjHShyxWSz77o6A==&ch=0yah6N9fqubKFLpqVrNcxk82ZRnvx1NaC4dbMvZmrEp4YTfKMfvtGA==&__=?e=bG9yZXR0YS5rZWFuWUBhcmNhZGlhLmlv	Get hash	malicious	Captcha Phish	Browse	205.185.126.3
	DHL_2017128_Receipt_Document,pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.251.89.66
	DHL_2017128_Receipt_Document,pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.251.89.66
	DHL_2017128_Receipt_Document,pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.251.89.66
	Ksrj8b01A4.exe	Get hash	malicious	Eternity Clipper	Browse	198.251.84.49
	https://r20.rs6.net/tn.jsp?f=001xHyZrR72Hidzq8vQJJfXXcupqF34If7bNua9sfMos1st7eh0nWN7csmgunZYNG8wtON9b5HvZr_5n4itBRezz60blGmW4LNeIz6nESyIZJ-1Bw4nJ1XZq12gHgFI7tJocXJYzWoKKcSTAIH9tR0qZQ==&c=Q36P3YFW__J-XpVjNzvlOJdbGtq5OwP4S805IHzgm91Smwxq2wcnUQ==&ch=kV1or1zo9OkAqqH-53i9eXTuOndWOP47P7qPQ7xSizd7XTj9PeskEA==&__=?rPD6OAE=YnNhbmR2aWdAdnFjaGVlc2UuY29t	Get hash	malicious	Captcha Phish	Browse	209.141.60.219
	SecuriteInfo.com.Trojan.Mardom.ON.24.25444.6656.exe	Get hash	malicious	Gurcu Stealer	Browse	198.251.88.130
	jH6YKOsqK0.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	rBbDsuIbiS.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	eWuf0e99R8.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	vzYcMFIGyG.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	QjC9ks0zMz.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	WGwwrQ2hm6.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	R1vUZccNsx.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	mqtg8NbRhW.elf	Get hash	malicious	Mirai, Moobot	Browse	205.185.118.82
	b6wZjdMZog.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	IRiSrvb5oH.elf	Get hash	malicious	Moobot	Browse	205.185.118.82
	uvepyRSMZ4.elf	Get hash	malicious	Mirai	Browse	144.172.99.68
	https://canton-texas.mykajabi.com/cantontx	Get hash	malicious	HTMLPhisher	Browse	107.189.3.124

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.292751719693222
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	KGkoLgvOGp.elf
File size:	76960
MD5:	24b923862a5e92038b93fbb6055d47ea
SHA1:	f82fdcd4f27fc3ac895b0b20262793d06cdceb99
SHA256:	920f0d8be6f53b0cf95f393664d99288af0fafca06a826f520c1d77160b7c5f6
SHA512:	5124d7908f9a70ff9c18a373fd9c969fb96f60129da97caba285a0ad71c89eca2ad736083a7a5ab907a90cfe8496fee036545f31b5a4815e1dfe1306e8083d55
SSDEEP:	1536:HosfX5Z+J75f5CHOQCDdZAkNbU5moHkmOuiqi3AN52bhVx:I4+J7XyxCLAkNEkEji3+2bhVx
TLSH:	CD734B07B681C1FCC459C1784B6BB23AD53275BE0239B2AAA7D8FF232C09E605F1D955
File Content Preview:	.ELF..............>.......@.....@....... *..........@.8...@.......................@.......@......$.......$.......................$.......$Q......$Q..............1..............Q.td....................................................H...._....j...H........

Static ELF Info

ELF header
Class:
Data:
Version:
Machine:
Version Number:
Type:
OS/ABI:
ABI Version:
Entry Point Address:
Flags:
ELF Header Size:
Program Header Offset:
Program Header Size:
Number of Program Headers:
Section Header Offset:
Section Header Size:
Number of Section Headers:
Header String Table Index:

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0xfb96	0x0	0x6	AX	16
.fini	PROGBITS	0x40fc96	0xfc96	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x40fcc0	0xfcc0	0x2830	0x0	0x2	A	32
.ctors	PROGBITS	0x5124f8	0x124f8	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x512508	0x12508	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x512520	0x12520	0x4c0	0x0	0x3	WA	32
.bss	NOBITS	0x5129e0	0x129e0	0x2ce8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x129e0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x124f0	0x124f0	6.3598	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0x124f8	0x5124f8	0x5124f8	0x4e8	0x31d0	2.3580	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.23205.185.123.504799862852030490 05/04/23-12:42:30.302977	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	47998	6285	192.168.2.23	205.185.123.50
205.185.123.50192.168.2.236285479982030489 05/04/23-12:45:56.495659	TCP	2030489	ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response	6285	47998	205.185.123.50	192.168.2.23

Network Port Distribution

Total Packets: 26
• 6285 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2023 12:42:29.136131048 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:29.294893026 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:29.295064926 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:29.408655882 CEST	42836	443	192.168.2.23	91.189.91.43
May 4, 2023 12:42:29.664746046 CEST	42516	80	192.168.2.23	109.202.202.202
May 4, 2023 12:42:30.144589901 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:30.302589893 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:30.302848101 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:30.302977085 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:30.460685015 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:30.462133884 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:30.462270021 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:36.464133978 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:36.464324951 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:45.791831970 CEST	43928	443	192.168.2.23	91.189.91.42
May 4, 2023 12:42:46.464499950 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:42:46.665045023 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:56.031234026 CEST	42836	443	192.168.2.23	91.189.91.43
May 4, 2023 12:42:56.467291117 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:42:56.467447042 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:43:00.127125978 CEST	42516	80	192.168.2.23	109.202.202.202
May 4, 2023 12:43:16.470521927 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:43:16.470673084 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:43:26.749744892 CEST	43928	443	192.168.2.23	91.189.91.42
May 4, 2023 12:43:36.475596905 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:43:36.475876093 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:43:56.478730917 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:43:56.479420900 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:44:16.479707003 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:44:16.479909897 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:44:36.483279943 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:44:36.483428955 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:44:46.489909887 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:44:46.647944927 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:44:56.486581087 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:44:56.486813068 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:45:16.489567995 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:45:16.489790916 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:45:36.494667053 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:45:36.494878054 CEST	47998	6285	192.168.2.23	205.185.123.50
May 4, 2023 12:45:56.495659113 CEST	6285	47998	205.185.123.50	192.168.2.23
May 4, 2023 12:45:56.495834112 CEST	47998	6285	192.168.2.23	205.185.123.50

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2023 12:42:29.106312037 CEST	41744	53	192.168.2.23	8.8.8.8
May 4, 2023 12:42:29.135960102 CEST	53	41744	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2023 12:42:29.106312037 CEST	192.168.2.23	8.8.8.8	0x832c	Standard query (0)	lkavsjdnbah.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2023 12:42:29.135960102 CEST	8.8.8.8	192.168.2.23	0x832c	No error (0)	lkavsjdnbah.ddns.net		205.185.123.50	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: KGkoLgvOGp.elf PID: 6230, Parent PID: 6125

General

Start time:	12:42:28
Start date:	04/05/2023
Path:	/tmp/KGkoLgvOGp.elf
Arguments:	/tmp/KGkoLgvOGp.elf
File size:	76960 bytes
MD5 hash:	24b923862a5e92038b93fbb6055d47ea

File Activities

File Opened

Process Activities

Process Forked

Prctl Requested

Network Activities

Socket starts Listening

Chronological Activities

Analysis Process: KGkoLgvOGp.elf PID: 6231, Parent PID: 6230

General

Start time:	12:42:28
Start date:	04/05/2023
Path:	/tmp/KGkoLgvOGp.elf
Arguments:	n/a
File size:	76960 bytes
MD5 hash:	24b923862a5e92038b93fbb6055d47ea

File Activities

File Opened

Directory Enumerated

Chronological Activities

Analysis Process: KGkoLgvOGp.elf PID: 6232, Parent PID: 6230

General

Start time:	12:42:28
Start date:	04/05/2023
Path:	/tmp/KGkoLgvOGp.elf
Arguments:	n/a
File size:	76960 bytes
MD5 hash:	24b923862a5e92038b93fbb6055d47ea

File Activities

File Opened

Directory Created

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: udisksd PID: 6241, Parent PID: 799

General

Start time:	12:42:28
Start date:	04/05/2023
Path:	/usr/lib/udisks2/udisksd
Arguments:	n/a
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Process Activities

Process Overlayed (Execve)

Chronological Activities

Analysis Process: dumpe2fs PID: 6241, Parent PID: 799

General

Start time:	12:42:28
Start date:	04/05/2023
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report KGkoLgvOGp.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: KGkoLgvOGp.elf PID: 6230, Parent PID: 6125

General

File Activities

File Opened

Process Activities

Process Forked

Prctl Requested

Network Activities

Socket starts Listening

Chronological Activities

Analysis Process: KGkoLgvOGp.elf PID: 6231, Parent PID: 6230

General

File Activities

File Opened

Directory Enumerated

Chronological Activities

Analysis Process: KGkoLgvOGp.elf PID: 6232, Parent PID: 6230

Linux Analysis Report
KGkoLgvOGp.elf