Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1527155
MD5:	b62608fc8c70ed0fe3c94d4d5f9a5e3b
SHA1:	0654354e24aa5569e186e1d1803ee89a26499620
SHA256:	572aa55da45135ec9af20112ba11837f04fba996a5abd6c0832ba24c4737fd5e
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Mirai, Moobot

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Moobot

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527155
Start date and time:	2024-10-06 21:34:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@16/0

Warnings

VT rate limit hit for: na.elf

Runtime Messages

Command:	/tmp/na.elf
PID:	6228
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	listening to tun0
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 6228, Parent: 6150, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/na.elf

na.elf New Fork (PID: 6232, Parent: 6228)

dash New Fork (PID: 6236, Parent: 4331)

rm (PID: 6236, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.oS3FoE8Jb0 /tmp/tmp.4mzvJzgfA7 /tmp/tmp.4d3NucQSd1

dash New Fork (PID: 6237, Parent: 4331)

cat (PID: 6237, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.oS3FoE8Jb0

dash New Fork (PID: 6238, Parent: 4331)

head (PID: 6238, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 6239, Parent: 4331)

tr (PID: 6239, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 6240, Parent: 4331)

cut (PID: 6240, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 6241, Parent: 4331)

cat (PID: 6241, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.oS3FoE8Jb0

dash New Fork (PID: 6242, Parent: 4331)

head (PID: 6242, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 6243, Parent: 4331)

tr (PID: 6243, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 6244, Parent: 4331)

cut (PID: 6244, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 6245, Parent: 4331)

rm (PID: 6245, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.oS3FoE8Jb0 /tmp/tmp.4mzvJzgfA7 /tmp/tmp.4d3NucQSd1

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6228.1.00007f2c8c37f000.00007f2c8c38b000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: na.elf PID: 6228	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T21:35:07.462181+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39194	158.220.114.75	55650	TCP
2024-10-06T21:35:15.072793+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39196	158.220.114.75	55650	TCP
2024-10-06T21:35:20.716404+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39198	158.220.114.75	55650	TCP
2024-10-06T21:35:26.406642+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39200	158.220.114.75	55650	TCP
2024-10-06T21:35:37.041572+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39202	158.220.114.75	55650	TCP
2024-10-06T21:35:40.671372+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39204	158.220.114.75	55650	TCP
2024-10-06T21:35:48.316492+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39206	158.220.114.75	55650	TCP
2024-10-06T21:35:55.949278+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39208	158.220.114.75	55650	TCP
2024-10-06T21:36:04.641419+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39210	158.220.114.75	55650	TCP
2024-10-06T21:36:13.731409+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39212	158.220.114.75	55650	TCP
2024-10-06T21:36:19.403568+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39214	158.220.114.75	55650	TCP
2024-10-06T21:36:31.269637+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39216	158.220.114.75	55650	TCP
2024-10-06T21:36:38.900624+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39218	158.220.114.75	55650	TCP
2024-10-06T21:36:49.562204+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39220	158.220.114.75	55650	TCP
2024-10-06T21:36:59.198461+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39222	158.220.114.75	55650	TCP
2024-10-06T21:37:10.824477+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.23	39224	158.220.114.75	55650	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 70%

Source: unknown

HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39194 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39196 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39218 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39206 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39222 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39200 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39210 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39202 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39198 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39214 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39212 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39224 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39204 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39220 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39208 -> 158.220.114.75:55650
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.23:39216 -> 158.220.114.75:55650

Source: global traffic

TCP traffic: 192.168.2.23:39194 -> 158.220.114.75:55650

Source: /tmp/na.elf (PID: 6228)

Socket: 192.168.2.23:55650

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic

DNS traffic detected: DNS query: dump.hduak.site

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown

HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@16/0

Source: /usr/bin/dash (PID: 6236)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.oS3FoE8Jb0 /tmp/tmp.4mzvJzgfA7 /tmp/tmp.4d3NucQSd1			Jump to behavior
Source: /usr/bin/dash (PID: 6245)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.oS3FoE8Jb0 /tmp/tmp.4mzvJzgfA7 /tmp/tmp.4d3NucQSd1			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/na.elf (PID: 6228)

File: /tmp/na.elf

Jump to behavior

Source: /tmp/na.elf (PID: 6228)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 6228.1.00007ffccf73b000.00007ffccf75c000.rw-.sdmp	Binary or memory string: Xx86_64/usr/bin/qemu-sh4/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 6228.1.00007ffccf73b000.00007ffccf75c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: na.elf, 6228.1.0000558d7eadb000.0000558d7eb3e000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: na.elf, 6228.1.0000558d7eadb000.0000558d7eb3e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 6228.1.00007f2c8c37f000.00007f2c8c38b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 6228, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 6228.1.00007f2c8c37f000.00007f2c8c38b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 6228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	71%	ReversingLabs	Linux.Trojan.Mirai
na.elf	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dump.hduak.site	158.220.114.75	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
158.220.114.75	dump.hduak.site	Switzerland	8556	LEVANTISCH	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.171.230.55	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	novo.arm5.elf	Get hash	malicious	Moobot	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	arm.nn.elf	Get hash	malicious	Okiru	Browse
	cron.elf	Get hash	malicious	Unknown	Browse
	84.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Ravencoin-B.19941.19184.elf	Get hash	malicious	Xmrig	Browse
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
158.220.114.75	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
91.189.91.43	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dump.hduak.site	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
LEVANTISCH	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	158.220.114.75
	aimbot.exe	Get hash	malicious	XWorm	Browse	158.220.102.17
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	158.220.98.159
	LisectAVT_2403002A_280.exe	Get hash	malicious	PikaBot	Browse	158.220.95.215
	LisectAVT_2403002A_280.exe	Get hash	malicious	PikaBot	Browse	158.220.95.215
	JLJkT6Xg7I.elf	Get hash	malicious	Mirai	Browse	158.220.98.178
	1ydkC50QfI.elf	Get hash	malicious	Mirai	Browse	158.220.51.114
AMAZON-02US	https://rondoc-b7ce.lvauayt.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.224.189.17
	http://coinbassewalletextensin.gitbook.io/us	Get hash	malicious	Unknown	Browse	3.248.18.48
	https://meaoee-fc3f.elamzioehr.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.32.110.61
	na.elf	Get hash	malicious	Mirai	Browse	3.128.223.151
	https://metamaseiklogin.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	54.73.146.173
	https://mmetmask-login.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	3.160.150.33
	https://sexyboobsme.pages.dev/	Get hash	malicious	Porn Scam	Browse	13.32.99.22
	https://uni.olga.finance/	Get hash	malicious	Unknown	Browse	18.244.18.125
	na.elf	Get hash	malicious	Mirai	Browse	15.184.158.151
	na.elf	Get hash	malicious	Mirai	Browse	34.220.176.212
INIT7CH	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.799023461744131
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	47'220 bytes
MD5:	b62608fc8c70ed0fe3c94d4d5f9a5e3b
SHA1:	0654354e24aa5569e186e1d1803ee89a26499620
SHA256:	572aa55da45135ec9af20112ba11837f04fba996a5abd6c0832ba24c4737fd5e
SHA512:	538406b6dfb8f890c85375938e69dbfa00369b48a4d409790009116db8f7af13f4ae0c0967050034ae85b78ae093413610ec3466e3a7ebe1860a06cbad9f3b72
SSDEEP:	768:0ad/hnrsPxgOH59EEvo9Nhq/lJPtsqFa/xDPzC7o+CqEprCrf:0ad/tsFZ/o9Nhs4Jvz+EhCr
TLSH:	1E239EF3C02DDD98C54902797A285E3D5723F50086272EFB5E9A86A59007EECF50A7F1
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@.x...x...............\|...\|.A.\|.A.(...0...........Q.td............................././"O.n........#.@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	46820
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0xa9e0	0x0	0x6	AX	32
.fini	PROGBITS	0x40aac0	0xaac0	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40aae4	0xaae4	0x994	0x0	0x2	A	4
.ctors	PROGBITS	0x41b47c	0xb47c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41b484	0xb484	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41b490	0xb490	0x214	0x0	0x3	WA	4
.bss	NOBITS	0x41b6a4	0xb6a4	0x308	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xb6a4	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xb478	0xb478	6.8459	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xb47c	0x41b47c	0x41b47c	0x228	0x530	2.9928	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T21:35:07.462181+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39194	158.220.114.75	55650	TCP
2024-10-06T21:35:15.072793+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39196	158.220.114.75	55650	TCP
2024-10-06T21:35:20.716404+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39198	158.220.114.75	55650	TCP
2024-10-06T21:35:26.406642+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39200	158.220.114.75	55650	TCP
2024-10-06T21:35:37.041572+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39202	158.220.114.75	55650	TCP
2024-10-06T21:35:40.671372+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39204	158.220.114.75	55650	TCP
2024-10-06T21:35:48.316492+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39206	158.220.114.75	55650	TCP
2024-10-06T21:35:55.949278+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39208	158.220.114.75	55650	TCP
2024-10-06T21:36:04.641419+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39210	158.220.114.75	55650	TCP
2024-10-06T21:36:13.731409+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39212	158.220.114.75	55650	TCP
2024-10-06T21:36:19.403568+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39214	158.220.114.75	55650	TCP
2024-10-06T21:36:31.269637+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39216	158.220.114.75	55650	TCP
2024-10-06T21:36:38.900624+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39218	158.220.114.75	55650	TCP
2024-10-06T21:36:49.562204+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39220	158.220.114.75	55650	TCP
2024-10-06T21:36:59.198461+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39222	158.220.114.75	55650	TCP
2024-10-06T21:37:10.824477+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.23	39224	158.220.114.75	55650	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 21:35:00.451812983 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 6, 2024 21:35:05.827069044 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 6, 2024 21:35:07.362848043 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 6, 2024 21:35:07.429359913 CEST	39194	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:07.434304953 CEST	55650	39194	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:07.434412956 CEST	39194	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:07.462181091 CEST	39194	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:07.467247009 CEST	55650	39194	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:09.056268930 CEST	55650	39194	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:09.056829929 CEST	39194	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:09.061703920 CEST	55650	39194	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:10.419879913 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.419900894 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.419913054 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.420021057 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.420022011 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.420022011 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.420795918 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.425693989 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.613645077 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.613770008 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.613954067 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.618886948 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.810775042 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.810980082 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.812105894 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:10.817435026 CEST	443	33606	54.171.230.55	192.168.2.23
Oct 6, 2024 21:35:10.817478895 CEST	33606	443	192.168.2.23	54.171.230.55
Oct 6, 2024 21:35:15.066945076 CEST	39196	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:15.071860075 CEST	55650	39196	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:15.071935892 CEST	39196	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:15.072793007 CEST	39196	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:15.077749968 CEST	55650	39196	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:16.699542046 CEST	55650	39196	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:16.699779987 CEST	39196	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:16.704797029 CEST	55650	39196	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:20.710575104 CEST	39198	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:20.715507984 CEST	55650	39198	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:20.715652943 CEST	39198	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:20.716403961 CEST	39198	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:20.721189022 CEST	55650	39198	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:22.208900928 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 6, 2024 21:35:22.336365938 CEST	55650	39198	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:22.336677074 CEST	39198	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:22.341413975 CEST	55650	39198	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:26.400934935 CEST	39200	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:26.405896902 CEST	55650	39200	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:26.405971050 CEST	39200	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:26.406641960 CEST	39200	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:26.411516905 CEST	55650	39200	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:28.025041103 CEST	55650	39200	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:28.025378942 CEST	39200	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:28.030292988 CEST	55650	39200	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:32.447551966 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 6, 2024 21:35:37.035239935 CEST	39202	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:37.040131092 CEST	55650	39202	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:37.040226936 CEST	39202	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:37.041572094 CEST	39202	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:37.046411991 CEST	55650	39202	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:38.590711117 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 6, 2024 21:35:38.653481960 CEST	55650	39202	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:38.653723001 CEST	39202	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:38.658720016 CEST	55650	39202	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:40.664963961 CEST	39204	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:40.669867992 CEST	55650	39204	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:40.669954062 CEST	39204	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:40.671371937 CEST	39204	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:40.676148891 CEST	55650	39204	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:42.290216923 CEST	55650	39204	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:42.290461063 CEST	39204	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:42.295361042 CEST	55650	39204	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:48.309956074 CEST	39206	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:48.315393925 CEST	55650	39206	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:48.315494061 CEST	39206	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:48.316492081 CEST	39206	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:48.321291924 CEST	55650	39206	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:49.932660103 CEST	55650	39206	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:49.932845116 CEST	39206	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:49.937835932 CEST	55650	39206	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:55.943449974 CEST	39208	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:55.948282957 CEST	55650	39208	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:55.948415041 CEST	39208	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:55.949278116 CEST	39208	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:55.954935074 CEST	55650	39208	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:57.592699051 CEST	55650	39208	158.220.114.75	192.168.2.23
Oct 6, 2024 21:35:57.592912912 CEST	39208	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:35:57.597745895 CEST	55650	39208	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:03.163170099 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 6, 2024 21:36:04.635149956 CEST	39210	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:04.640055895 CEST	55650	39210	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:04.640156984 CEST	39210	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:04.641418934 CEST	39210	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:04.646270037 CEST	55650	39210	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:06.284204006 CEST	55650	39210	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:06.284632921 CEST	39210	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:06.289554119 CEST	55650	39210	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:13.725126028 CEST	39212	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:13.729964018 CEST	55650	39212	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:13.730206013 CEST	39212	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:13.731409073 CEST	39212	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:13.736234903 CEST	55650	39212	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:15.355652094 CEST	55650	39212	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:15.355860949 CEST	39212	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:15.360785007 CEST	55650	39212	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:19.397485971 CEST	39214	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:19.402462006 CEST	55650	39214	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:19.402537107 CEST	39214	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:19.403568029 CEST	39214	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:19.408385992 CEST	55650	39214	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:21.025449991 CEST	55650	39214	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:21.025712967 CEST	39214	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:21.030589104 CEST	55650	39214	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:31.263326883 CEST	39216	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:31.268421888 CEST	55650	39216	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:31.268500090 CEST	39216	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:31.269637108 CEST	39216	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:31.274451971 CEST	55650	39216	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:32.885205984 CEST	55650	39216	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:32.885387897 CEST	39216	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:32.890259027 CEST	55650	39216	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:38.894514084 CEST	39218	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:38.899584055 CEST	55650	39218	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:38.899672031 CEST	39218	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:38.900624037 CEST	39218	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:38.905533075 CEST	55650	39218	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:40.543015003 CEST	55650	39218	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:40.543282032 CEST	39218	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:40.548121929 CEST	55650	39218	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:49.556140900 CEST	39220	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:49.561119080 CEST	55650	39220	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:49.561188936 CEST	39220	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:49.562203884 CEST	39220	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:49.567049026 CEST	55650	39220	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:51.181760073 CEST	55650	39220	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:51.181996107 CEST	39220	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:51.186965942 CEST	55650	39220	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:59.191915035 CEST	39222	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:59.196885109 CEST	55650	39222	158.220.114.75	192.168.2.23
Oct 6, 2024 21:36:59.197022915 CEST	39222	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:59.198461056 CEST	39222	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:36:59.203315020 CEST	55650	39222	158.220.114.75	192.168.2.23
Oct 6, 2024 21:37:00.807594061 CEST	55650	39222	158.220.114.75	192.168.2.23
Oct 6, 2024 21:37:00.808120012 CEST	39222	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:37:00.813056946 CEST	55650	39222	158.220.114.75	192.168.2.23
Oct 6, 2024 21:37:10.818320990 CEST	39224	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:37:10.823309898 CEST	55650	39224	158.220.114.75	192.168.2.23
Oct 6, 2024 21:37:10.823432922 CEST	39224	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:37:10.824476957 CEST	39224	55650	192.168.2.23	158.220.114.75
Oct 6, 2024 21:37:10.829508066 CEST	55650	39224	158.220.114.75	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 21:35:07.390213013 CEST	44545	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:07.397396088 CEST	53	44545	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:15.058753014 CEST	58654	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:15.066023111 CEST	53	58654	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:20.702138901 CEST	46047	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:20.709974051 CEST	53	46047	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:26.339240074 CEST	40952	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:26.400208950 CEST	53	40952	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:37.027434111 CEST	35565	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:37.034415007 CEST	53	35565	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:40.657156944 CEST	50193	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:40.664371014 CEST	53	50193	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:48.293682098 CEST	46002	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:48.309053898 CEST	53	46002	8.8.8.8	192.168.2.23
Oct 6, 2024 21:35:55.934926987 CEST	51104	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:35:55.942770958 CEST	53	51104	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:04.595731974 CEST	51616	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:04.633924961 CEST	53	51616	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:13.286860943 CEST	46436	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:13.723704100 CEST	53	46436	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:19.357673883 CEST	51940	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:19.396744013 CEST	53	51940	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:31.028254986 CEST	44356	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:31.262442112 CEST	53	44356	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:38.887082100 CEST	45503	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:38.894025087 CEST	53	45503	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:49.544950008 CEST	37520	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:49.555378914 CEST	53	37520	8.8.8.8	192.168.2.23
Oct 6, 2024 21:36:59.184128046 CEST	40694	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:36:59.191241980 CEST	53	40694	8.8.8.8	192.168.2.23
Oct 6, 2024 21:37:10.810172081 CEST	42089	53	192.168.2.23	8.8.8.8
Oct 6, 2024 21:37:10.817651987 CEST	53	42089	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 21:35:07.390213013 CEST	192.168.2.23	8.8.8.8	0x8fc4	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:15.058753014 CEST	192.168.2.23	8.8.8.8	0x82d8	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:20.702138901 CEST	192.168.2.23	8.8.8.8	0xc683	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:26.339240074 CEST	192.168.2.23	8.8.8.8	0x262e	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:37.027434111 CEST	192.168.2.23	8.8.8.8	0xd4ee	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:40.657156944 CEST	192.168.2.23	8.8.8.8	0x87cf	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:48.293682098 CEST	192.168.2.23	8.8.8.8	0x92b9	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:55.934926987 CEST	192.168.2.23	8.8.8.8	0xd78e	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:04.595731974 CEST	192.168.2.23	8.8.8.8	0xb885	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:13.286860943 CEST	192.168.2.23	8.8.8.8	0x385d	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:19.357673883 CEST	192.168.2.23	8.8.8.8	0x7b94	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:31.028254986 CEST	192.168.2.23	8.8.8.8	0x1425	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:38.887082100 CEST	192.168.2.23	8.8.8.8	0x4fef	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:49.544950008 CEST	192.168.2.23	8.8.8.8	0x5a6f	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:59.184128046 CEST	192.168.2.23	8.8.8.8	0x17f1	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:37:10.810172081 CEST	192.168.2.23	8.8.8.8	0x48ac	Standard query (0)	dump.hduak.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 21:35:07.397396088 CEST	8.8.8.8	192.168.2.23	0x8fc4	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:15.066023111 CEST	8.8.8.8	192.168.2.23	0x82d8	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:20.709974051 CEST	8.8.8.8	192.168.2.23	0xc683	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:26.400208950 CEST	8.8.8.8	192.168.2.23	0x262e	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:37.034415007 CEST	8.8.8.8	192.168.2.23	0xd4ee	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:40.664371014 CEST	8.8.8.8	192.168.2.23	0x87cf	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:48.309053898 CEST	8.8.8.8	192.168.2.23	0x92b9	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:35:55.942770958 CEST	8.8.8.8	192.168.2.23	0xd78e	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:04.633924961 CEST	8.8.8.8	192.168.2.23	0xb885	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:13.723704100 CEST	8.8.8.8	192.168.2.23	0x385d	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:19.396744013 CEST	8.8.8.8	192.168.2.23	0x7b94	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:31.262442112 CEST	8.8.8.8	192.168.2.23	0x1425	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:38.894025087 CEST	8.8.8.8	192.168.2.23	0x4fef	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:49.555378914 CEST	8.8.8.8	192.168.2.23	0x5a6f	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:36:59.191241980 CEST	8.8.8.8	192.168.2.23	0x17f1	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false
Oct 6, 2024 21:37:10.817651987 CEST	8.8.8.8	192.168.2.23	0x48ac	No error (0)	dump.hduak.site	158.220.114.75	A (IP address)	IN (0x0001)	false

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Oct 6, 2024 21:35:10.419913054 CEST	54.171.230.55	443	192.168.2.23	33606	CN=motd.ubuntu.com CN=R10, O=Let's Encrypt, C=US	CN=R10, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	Tue Aug 06 10:27:48 CEST 2024 Wed Mar 13 01:00:00 CET 2024	Mon Nov 04 09:27:47 CET 2024 Sat Mar 13 00:59:59 CET 2027
Oct 6, 2024 21:35:10.419913054 CEST	54.171.230.55	443	192.168.2.23	33606	CN=R10, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Wed Mar 13 01:00:00 CET 2024	Sat Mar 13 00:59:59 CET 2027

System Behavior

Analysis Process: na.elf PID: 6228, Parent PID: 6150

General

Start time (UTC):	19:34:59
Start date (UTC):	06/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: na.elf PID: 6232, Parent PID: 6228

General

Start time (UTC):	19:35:06
Start date (UTC):	06/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: dash PID: 6236, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6236, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.oS3FoE8Jb0 /tmp/tmp.4mzvJzgfA7 /tmp/tmp.4d3NucQSd1
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6237, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 6237, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.oS3FoE8Jb0
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 6238, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 6238, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 6239, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 6239, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 6240, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 6240, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 6241, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 6241, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.oS3FoE8Jb0
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 6242, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 6242, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 6243, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 6243, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 6244, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 6244, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 6245, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6245, Parent PID: 4331

General

Start time (UTC):	19:35:09
Start date (UTC):	06/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.oS3FoE8Jb0 /tmp/tmp.4mzvJzgfA7 /tmp/tmp.4d3NucQSd1
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Connections

System Behavior

Analysis Process: na.elf PID: 6228, Parent PID: 6150

General

Chronological Activities

Analysis Process: na.elf PID: 6232, Parent PID: 6228

General

Chronological Activities

Analysis Process: dash PID: 6236, Parent PID: 4331

General

Chronological Activities

Analysis Process: rm PID: 6236, Parent PID: 4331

General

Chronological Activities

Analysis Process: dash PID: 6237, Parent PID: 4331

General

Linux Analysis Report
na.elf