Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1527369
MD5:	3559c2707f62c1f865580cee7b3171cd
SHA1:	66eca3476f4dfc614509816801949071f77b71ca
SHA256:	03f22c5d73c3cf11b65b6cfa90fbfc2571e76f9b3e8e0443685d739cf1002d8f
Tags:	elfSupershelluser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Suricata IDS alerts for network traffic

Machine Learning detection for sample

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527369
Start date and time:	2024-10-06 23:02:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal56.evad.linELF@0/0@2/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5541
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	2024/10/06 16:03:12 Forking 2024/10/06 16:03:12 Connecting to 111.229.211.161:3232 2024/10/06 16:03:16 Successfully connnected 111.229.211.161:3232 2024/10/06 16:03:16 [client] INFO ??:1 BoFsrOtr() : Handling channel: jump 2024/10/06 16:03:19 [ws://111.229.211.161:3232/ws] INFO ??:1 () : New SSH connection, version SSH-2.0-paramiko_3.0.0 2024/10/06 16:03:20 [ws://111.229.211.161:3232/ws] INFO ??:1 BoFsrOtr() : Handling channel: session 2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 BoFsrOtr() : Handling channel: session 2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 IFu6thF7() : Session got request: "exec" 2024/10/06 16:03:22 [ws://111.229.211.161:3232/ws] INFO ??:3 IFu6thF7() : Session disconnected 2024/10/06 16:03:22 [ws://111.229.211.161:3232/ws] INFO ??:6 IFu6thF7() : Session disconnected 2024/10/06 16:03:22 [client] ERROR ??:1 () : Channel call back error: connection terminated

Process Tree

system is lnxubuntu20

na.elf (PID: 5541, Parent: 5469, MD5: 3559c2707f62c1f865580cee7b3171cd) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5546, Parent: 5541)

exe (PID: 5546, Parent: 5541, MD5: 3559c2707f62c1f865580cee7b3171cd) Arguments: /proc/self/exe

exe New Fork (PID: 5554, Parent: 5546)

whoami (PID: 5554, Parent: 5546, MD5: dbc1888ae50bb5d4d9a7a210d51be710) Arguments: whoami

cleanup

Suricata Signatures

ETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T23:03:14.946044+0200	2850023	1	A Network Trojan was detected	111.229.211.161	3232	192.168.2.15	51342	TCP

Stderr: 2024/10/06 16:03:12 Forking2024/10/06 16:03:12 Connecting to 111.229.211.161:32322024/10/06 16:03:16 Successfully connnected 111.229.211.161:32322024/10/06 16:03:16 [client] INFO ??:1 BoFsrOtr() : Handling channel: jump2024/10/06 16:03:19 [ws://111.229.211.161:3232/ws] INFO ??:1 () : New SSH connection, version SSH-2.0-paramiko_3.0.02024/10/06 16:03:20 [ws://111.229.211.161:3232/ws] INFO ??:1 BoFsrOtr() : Handling channel: session2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 BoFsrOtr() : Handling channel: session2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 IFu6thF7() : Session got request: "exec"2024/10/06 16:03:22 [ws://111.229.211.161:3232/ws] INFO ??:3 IFu6thF7() : Session disconnected2024/10/06 16:03:22 [ws://111.229.211.161:3232/ws] INFO ??:6 IFu6thF7() : Session disconnected2024/10/06 16:03:22 [client] ERROR ??:1 () : Channel call back error: connection terminated: exit code = 0

Source: na.elf

Submission file: segment LOAD with 7.8854 entropy (max. 8.0)

Source: /proc/self/exe (PID: 5546)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	17%	ReversingLabs	Linux.Trojan.Generic
na.elf	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	na.elf	true	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
111.229.211.161	unknown	China		45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	true

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	na.elf	Get hash	malicious	Unknown	Browse	152.136.107.163
	ofR1Hd4NPM.exe	Get hash	malicious	RunningRAT	Browse	119.29.18.61
	na.elf	Get hash	malicious	Mirai	Browse	106.55.42.255
	na.elf	Get hash	malicious	Mirai	Browse	129.28.238.208
	na.elf	Get hash	malicious	Mirai	Browse	62.234.235.129
	na.elf	Get hash	malicious	Mirai	Browse	109.244.173.155
	gSmGRFmE0C.exe	Get hash	malicious	Metasploit, Meterpreter	Browse	62.234.81.85
	novo.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	134.175.9.149
	SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf	Get hash	malicious	Mirai	Browse	42.194.216.24
	8Vh32fbVGc.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	122.51.22.201

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.885343477707851
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	na.elf
File size:	4'741'256 bytes
MD5:	3559c2707f62c1f865580cee7b3171cd
SHA1:	66eca3476f4dfc614509816801949071f77b71ca
SHA256:	03f22c5d73c3cf11b65b6cfa90fbfc2571e76f9b3e8e0443685d739cf1002d8f
SHA512:	8a711b41ce9fc5a16b28e7966d955b7814a9b59997b5f55834a1f15c118756599549c2b58db83e92a4d5751769c8e9de205d133cc3844b1285b0e5cdb966b822
SSDEEP:	98304:/Fhc9QsDxuNnV+rIcsEP4wTEOFh8h/ClUp5pSP89r5pnDCzE+pLv8:TsYVoIcsELSP5w8lDCoJ
TLSH:	912633141261F377B8C86BD8F53B1184EEC6746820F8573B6E25E127A3B4EDB4B421B6
File Content Preview:	.ELF..............>......N......@...................@.8...@.......................@.......@......XH......XH..............................`.......`..............0.z.............Q.td.....................................................>U.UPX!...............

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x884e90
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x485808	0x485808	7.8854	0x5	R E	0x1000
LOAD	0x0	0x886000	0x886000	0x0	0x7ae630	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T23:03:14.946044+0200	2850023	ETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response	1	111.229.211.161	3232	192.168.2.15	51342	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 23:03:14.017580986 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.022664070 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:14.022731066 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.024485111 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.031603098 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:14.934986115 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:14.935022116 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:14.935163021 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.935163021 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.941225052 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.943892956 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:14.946043968 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:14.951196909 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:15.526432037 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:15.526653051 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:15.530422926 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:15.535267115 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:15.851161003 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:15.851485014 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:15.890229940 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:15.895232916 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:15.984711885 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:15.984812975 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:15.989064932 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:15.993890047 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:16.476469994 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:16.480299950 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:16.483779907 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:16.485157013 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:16.488590002 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:16.575886011 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:16.617522955 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.065151930 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:17.065327883 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.070683002 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.075607061 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:17.391819954 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:17.392031908 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.398756027 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.404062033 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:17.720268965 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:17.720495939 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.726619005 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:17.732469082 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.048975945 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.089600086 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.186011076 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.186211109 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.192601919 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.197696924 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.278894901 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.279047966 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.286304951 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.288558960 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.292419910 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.294667959 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.778330088 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.778747082 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.916620016 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.916661978 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.916805029 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.916805983 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.922884941 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.926698923 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:18.927966118 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:18.931986094 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:19.509222031 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:19.549474955 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:19.640631914 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:19.641050100 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:19.646641016 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:19.651495934 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:19.652631998 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:19.657136917 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:19.657613993 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:19.660780907 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:19.662230015 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:19.666225910 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:20.234225035 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:20.234602928 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:20.364708900 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:20.364820004 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:20.369544029 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:20.372602940 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:20.374483109 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:20.377832890 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:20.955234051 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:20.955410957 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.092890024 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:21.093015909 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.098664999 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.104368925 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.105150938 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:21.110490084 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:21.705137968 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:21.745359898 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.844647884 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:21.844912052 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.850560904 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.856173038 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:21.859491110 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:21.863740921 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:22.436094999 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:22.436384916 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:22.568613052 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:22.568728924 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:22.572206020 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:22.576827049 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:22.577167034 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:22.581943035 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.166081905 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.166306019 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.297007084 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.297240973 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.302339077 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.307111979 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.308080912 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.312817097 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.356021881 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.360445976 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.361198902 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.365358114 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.514240026 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.517748117 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.523443937 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.739464998 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.781270027 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.872592926 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:23.872700930 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.876564980 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:23.881500959 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:28.888606071 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:28.888884068 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:28.893135071 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:29.096982002 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:34.412457943 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:34.412754059 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:34.418515921 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:34.423348904 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:39.747531891 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:39.752873898 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:39.757839918 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:45.063834906 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:45.069853067 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:45.074807882 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:50.477937937 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:50.484674931 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:50.489903927 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:55.796309948 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:03:55.802911043 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:03:55.808034897 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:01.110635996 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:01.117765903 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:01.123718023 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:06.426553011 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:06.434813023 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:06.440134048 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:11.743648052 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:11.754667997 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:11.759948015 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:17.066793919 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:17.077624083 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:17.083619118 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:22.386507988 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:22.396476030 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:22.401900053 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:27.705445051 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:27.715938091 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:27.721154928 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:33.024256945 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:33.034653902 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:33.040105104 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:38.342924118 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:38.352132082 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:38.357129097 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:43.919512033 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:43.920011044 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:43.920460939 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:43.928925991 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:43.934910059 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:49.246413946 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:49.246823072 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:49.254909992 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:49.260241985 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:54.563313961 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:54.563935995 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:54.572464943 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:54.577965975 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:59.880773067 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:04:59.890347004 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:04:59.895451069 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:05.212436914 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:05.223325968 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:05.228578091 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:10.900731087 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:10.900827885 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:10.901164055 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:10.910938978 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:10.916134119 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:16.214575052 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:16.215140104 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:16.224592924 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:16.230078936 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:21.518341064 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:21.518698931 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:21.528636932 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:21.534419060 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:26.822935104 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:26.832575083 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:26.837884903 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:32.127192020 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:32.136313915 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:32.141381025 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:37.444214106 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:37.455065966 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:37.460325956 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:42.754103899 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:42.763515949 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:42.768670082 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:48.057280064 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:48.064984083 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:48.070024967 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:53.373445988 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:53.384449005 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:53.389674902 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:58.692301989 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:05:58.698443890 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:05:58.703636885 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:04.006356001 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:04.013051987 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:04.018584967 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:09.505577087 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:09.512655020 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:09.518681049 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:14.820971012 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:14.829461098 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:14.834394932 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:20.139106989 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:20.145339966 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:20.150301933 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:25.455809116 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:25.462403059 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:25.467354059 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:30.763824940 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:30.769174099 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:30.774038076 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:36.079734087 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:36.088846922 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:36.094372988 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:41.399847984 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:41.406773090 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:41.411783934 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:46.714505911 CEST	3232	51342	111.229.211.161	192.168.2.15
Oct 6, 2024 23:06:46.721520901 CEST	51342	3232	192.168.2.15	111.229.211.161
Oct 6, 2024 23:06:46.728451967 CEST	3232	51342	111.229.211.161	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 23:06:00.342959881 CEST	38227	53	192.168.2.15	1.1.1.1
Oct 6, 2024 23:06:00.342959881 CEST	49069	53	192.168.2.15	1.1.1.1
Oct 6, 2024 23:06:00.350936890 CEST	53	38227	1.1.1.1	192.168.2.15
Oct 6, 2024 23:06:00.350996017 CEST	53	49069	1.1.1.1	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 23:06:00.342959881 CEST	192.168.2.15	1.1.1.1	0xff2a	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 6, 2024 23:06:00.342959881 CEST	192.168.2.15	1.1.1.1	0x5e7e	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 23:06:00.350936890 CEST	1.1.1.1	192.168.2.15	0xff2a	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 6, 2024 23:06:00.350936890 CEST	1.1.1.1	192.168.2.15	0xff2a	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5541, Parent PID: 5469

General

Start time (UTC):	21:03:12
Start date (UTC):	06/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4741256 bytes
MD5 hash:	3559c2707f62c1f865580cee7b3171cd

Start time (UTC):	21:03:12
Start date (UTC):	06/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4741256 bytes
MD5 hash:	3559c2707f62c1f865580cee7b3171cd

Start time (UTC):	21:03:12
Start date (UTC):	06/10/2024
Path:	/proc/self/exe
Arguments:	/proc/self/exe
File size:	4741256 bytes
MD5 hash:	3559c2707f62c1f865580cee7b3171cd

Start time (UTC):	21:03:22
Start date (UTC):	06/10/2024
Path:	/proc/self/exe
Arguments:	-
File size:	4741256 bytes
MD5 hash:	3559c2707f62c1f865580cee7b3171cd

Start time (UTC):	21:03:22
Start date (UTC):	06/10/2024
Path:	/usr/bin/whoami
Arguments:	whoami
File size:	39256 bytes
MD5 hash:	dbc1888ae50bb5d4d9a7a210d51be710

Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161
Source: unknown	TCP traffic detected without corresponding DNS query: 111.229.211.161

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5541, Parent PID: 5469

General

Chronological Activities

Analysis Process: na.elf PID: 5546, Parent PID: 5541

General

Chronological Activities

Analysis Process: exe PID: 5546, Parent PID: 5541

General

Chronological Activities

Analysis Process: exe PID: 5554, Parent PID: 5546

General

Chronological Activities

Analysis Process: whoami PID: 5554, Parent PID: 5546

General

Chronological Activities

Linux Analysis Report
na.elf