Linux Analysis Report
aisuru.i586.elf

Overview

General Information

Sample name:aisuru.i586.elf
Analysis ID:1502206
MD5:71d43172c1fda38a716425df67592187
SHA1:3620c8e08707effd0e05be1ba3ad898f7caa1f33
SHA256:1fc1035b6d2c0516837354056416dccf319b3bf5d658f5f0de63c7198ec1d614
Tags:aisuruelf
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1502206
Start date and time:2024-08-31 14:52:27 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:aisuru.i586.elf
Detection:MAL
Classification:mal48.linELF@0/0@1/0
Command:/tmp/aisuru.i586.elf
PID:5505
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:Segmentation fault
  • system is lnxubuntu20
  • udisksd New Fork (PID: 5515, Parent: 802)
  • dumpe2fs (PID: 5515, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 5549, Parent: 802)
  • dumpe2fs (PID: 5549, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • cleanup
Source | Rule | Description | Author | Strings
aisuru.i586.elf | Linux_Trojan_Mirai_dab39a25 | unknown | unknown |
  • 0x876e:$a: 0E 75 20 50 6A 00 6A 00 6A 00 53 6A 0E FF 74 24 48 68 DD 00
Source | Rule | Description | Author | Strings
5505.1.0000000008048000.0000000008058000.r-x.sdmp | Linux_Trojan_Mirai_dab39a25 | unknown | unknown |
  • 0x876e:$a: 0E 75 20 50 6A 00 6A 00 6A 00 53 6A 0E FF 74 24 48 68 DD 00
No Suricata rule has matched

Source: global traffic, TCP traffic: 192.168.2.13:41882 -> 92.38.160.13:2348
Source: global traffic, DNS traffic detected: DNS query: b.francoanddosbot.fun

System Summary

Source: aisuru.i586.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_dab39a25, Author: unknown
Source: 5505.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_dab39a25, Author: unknown
Source: ELF static info symbol of initial sample, .symtab present: no
Source: aisuru.i586.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_dab39a25, reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5505.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_dab39a25, reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: classification engine, Classification label: mal48.linELF@0/0@1/0
Source: submitted sample, Stderr: Segmentation fault: exit code = 0
ATT&CK matrix (tactic columns): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Techniques flagged with a count of 1: OS Credential Dumping, Non-Standard Port, Non-Application Layer Protocol, Application Layer Protocol
No configs have been found
Behavior Graph ID: 1502206, Sample: aisuru.i586.elf, Startdate: 31/08/2024, Architecture: LINUX, Score: 48
Source | Detection | Scanner | Label | Link
aisuru.i586.elf | 5% | ReversingLabs | Linux.Trojan.Mirai |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
b.francoanddosbot.fun | 92.223.30.117 | true | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
92.38.160.13 | unknown | Austria | | 199524 | GCOREAT | false
    No context
    No created / dropped files found
    File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):6.313745529866953
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:aisuru.i586.elf
    File size:66'640 bytes
    MD5:71d43172c1fda38a716425df67592187
    SHA1:3620c8e08707effd0e05be1ba3ad898f7caa1f33
    SHA256:1fc1035b6d2c0516837354056416dccf319b3bf5d658f5f0de63c7198ec1d614
    SHA512:019e2199498f349581f3816b664df612ae3a3d194e1df10eb299fff34b456380137cda6f93fcbfc24c1f2c539ab891d9ec809a5caae7ab313ce84c1648c84072
    SSDEEP:1536:WWgrbVMLlVz/ZqjsOzMaBy9kt5vtgCKA8Uo31s6ojqA+r:dgrbVML79MsOQaBKkLvt3K1+Xw
    TLSH:F7535B48E797D4F0E9070275116BE73B5376DA254170EE7FCB88EE72AD22A12916B30C

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:Intel 80386
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x8048154
    Flags:0x0
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:66120
    Section Header Size:40
    Number of Section Headers:13
    Header String Table Index:12
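    Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
     | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
    .init | PROGBITS | 0x8048094 | 0x94 | 0x11 | 0x0 | 0x6 | AX | 0 | 0 | 1
    .text | PROGBITS | 0x80480b0 | 0xb0 | 0xe557 | 0x0 | 0x6 | AX | 0 | 0 | 16
    .fini | PROGBITS | 0x8056607 | 0xe607 | 0xc | 0x0 | 0x6 | AX | 0 | 0 | 1
    .rodata | PROGBITS | 0x8056614 | 0xe614 | 0xdb8 | 0x0 | 0x2 | A | 0 | 0 | 4
    .eh_frame | PROGBITS | 0x8058000 | 0x10000 | 0x74 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .ctors | PROGBITS | 0x8058074 | 0x10074 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .dtors | PROGBITS | 0x805807c | 0x1007c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .jcr | PROGBITS | 0x8058084 | 0x10084 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .got.plt | PROGBITS | 0x8058088 | 0x10088 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4
    .data | PROGBITS | 0x80580a0 | 0x100a0 | 0x150 | 0x0 | 0x3 | WA | 0 | 0 | 32
    .bss | NOBITS | 0x8058200 | 0x101f0 | 0x1be8 | 0x0 | 0x3 | WA | 0 | 0 | 32
    .shstrtab | STRTAB | 0x0 | 0x101f0 | 0x56 | 0x0 | 0x0 | | 0 | 0 | 1

    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x8048000 | 0x8048000 | 0xf3cc | 0xf3cc | 6.5315 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata
    LOAD | 0x10000 | 0x8058000 | 0x8058000 | 0x1f0 | 0x1de8 | 3.1553 | 0x6 | RW | 0x1000 | | .eh_frame .ctors .dtors .jcr .got.plt .data .bss
    GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |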
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 31, 2024 14:53:34.003529072 CEST | 49853 | 53 | 192.168.2.13 | 8.8.8.8
    Aug 31, 2024 14:53:34.014981985 CEST | 53 | 49853 | 8.8.8.8 | 192.168.2.13

    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Aug 31, 2024 14:53:34.003529072 CEST | 192.168.2.13 | 8.8.8.8 | 0x59ff | Standard query (0) | b.francoanddosbot.fun | A (IP address) | IN (0x0001) | false

    System Behavior

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/tmp/aisuru.i586.elf
    Arguments:/tmp/aisuru.i586.elf
    File size:66640 bytes
    MD5 hash:71d43172c1fda38a716425df67592187

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/tmp/aisuru.i586.elf
    Arguments:-
    File size:66640 bytes
    MD5 hash:71d43172c1fda38a716425df67592187

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/tmp/aisuru.i586.elf
    Arguments:-
    File size:66640 bytes
    MD5 hash:71d43172c1fda38a716425df67592187

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/usr/lib/udisks2/udisksd
    Arguments:-
    File size:483056 bytes
    MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/usr/sbin/dumpe2fs
    Arguments:dumpe2fs -h /dev/dm-0
    File size:31112 bytes
    MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/usr/lib/udisks2/udisksd
    Arguments:-
    File size:483056 bytes
    MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

    Start time (UTC):12:53:33
    Start date (UTC):31/08/2024
    Path:/usr/sbin/dumpe2fs
    Arguments:dumpe2fs -h /dev/dm-0
    File size:31112 bytes
    MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4