Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1527370
MD5:	01fe3ad934fa66a72120acfb88bad44c
SHA1:	93514ae76cc5ac7b2c5fb77ef74f8b9b48ee8724
SHA256:	ab20b8c733d2f1a34b837a37800b2bbcd48c80243f3cf1795bda8245c18ad6fb
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Machine Learning detection for sample

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Reads the 'hosts' file potentially containing internal network hosts

Sample contains only a LOAD segment without any section mappings

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527370
Start date and time:	2024-10-06 23:02:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal48.evad.linELF@0/0@4/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5456
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	2024/10/06 16:03:44 Forking 2024/10/06 16:03:45 Connecting to ssh.updategoogle.cc:3232 2024/10/06 16:03:48 Successfully connnected ssh.updategoogle.cc:3232 2024/10/06 16:03:48 [client] INFO ??:1 Its_ubl() : Handling channel: jump 2024/10/06 16:03:51 [103.212.49.88:3232] INFO ??:1 () : New SSH connection, version SSH-2.0-paramiko_3.0.0 2024/10/06 16:03:52 [103.212.49.88:3232] INFO ??:1 Its_ubl() : Handling channel: session 2024/10/06 16:03:53 [103.212.49.88:3232] INFO ??:1 Its_ubl() : Handling channel: session 2024/10/06 16:03:53 [103.212.49.88:3232] INFO ??:1 DIEtEm() : Session got request: "exec" 2024/10/06 16:03:54 [103.212.49.88:3232] INFO ??:3 DIEtEm() : Session disconnected 2024/10/06 16:03:54 [103.212.49.88:3232] INFO ??:6 DIEtEm() : Session disconnected 2024/10/06 16:03:54 [client] ERROR ??:1 () : Channel call back error: connection terminated

Process Tree

system is lnxubuntu20

na.elf (PID: 5456, Parent: 5376, MD5: 01fe3ad934fa66a72120acfb88bad44c) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5461, Parent: 5456)

exe (PID: 5461, Parent: 5456, MD5: 01fe3ad934fa66a72120acfb88bad44c) Arguments: /proc/self/exe

exe New Fork (PID: 5470, Parent: 5461)

whoami (PID: 5470, Parent: 5461, MD5: dbc1888ae50bb5d4d9a7a210d51be710) Arguments: whoami

cleanup

Stderr: 2024/10/06 16:03:44 Forking2024/10/06 16:03:45 Connecting to ssh.updategoogle.cc:32322024/10/06 16:03:48 Successfully connnected ssh.updategoogle.cc:32322024/10/06 16:03:48 [client] INFO ??:1 Its_ubl() : Handling channel: jump2024/10/06 16:03:51 [103.212.49.88:3232] INFO ??:1 () : New SSH connection, version SSH-2.0-paramiko_3.0.02024/10/06 16:03:52 [103.212.49.88:3232] INFO ??:1 Its_ubl() : Handling channel: session2024/10/06 16:03:53 [103.212.49.88:3232] INFO ??:1 Its_ubl() : Handling channel: session2024/10/06 16:03:53 [103.212.49.88:3232] INFO ??:1 DIEtEm() : Session got request: "exec"2024/10/06 16:03:54 [103.212.49.88:3232] INFO ??:3 DIEtEm() : Session disconnected2024/10/06 16:03:54 [103.212.49.88:3232] INFO ??:6 DIEtEm() : Session disconnected2024/10/06 16:03:54 [client] ERROR ??:1 () : Channel call back error: connection terminated: exit code = 0

Source: na.elf

Submission file: segment LOAD with 7.8868 entropy (max. 8.0)

Source: /proc/self/exe (PID: 5461)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	17%	ReversingLabs	Linux.PUA.Generic
na.elf	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		unknown
ssh.updategoogle.cc	103.212.49.88	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	na.elf	true	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false
103.212.49.88	ssh.updategoogle.cc	China		55933	CLOUDIE-AS-APCloudieLimitedHK	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	na.elf	Get hash	malicious	Moobot	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai, Moobot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDIE-AS-APCloudieLimitedHK	novo.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	191.96.215.15
	H1pXo79CPd	Get hash	malicious	GhostRat	Browse	103.118.253.78
	SOA.exe	Get hash	malicious	FormBook	Browse	103.59.102.59
	http://telegsramc.club/	Get hash	malicious	Telegram Phisher	Browse	103.76.84.225
	https://www.shopapptime.xyz/	Get hash	malicious	Unknown	Browse	45.153.129.178
	https://tosigos.com/	Get hash	malicious	Unknown	Browse	202.181.24.16
	https://aomzsmaszs.com/index/ap/register	Get hash	malicious	Unknown	Browse	93.177.76.90
	http://timihref.com/	Get hash	malicious	Unknown	Browse	202.181.26.245
	http://www.telegraxms.club/	Get hash	malicious	Telegram Phisher	Browse	103.76.84.225
	http://telegirams.club/	Get hash	malicious	Telegram Phisher	Browse	103.140.127.114
CANONICAL-ASGB	na.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Moobot	Browse	185.125.190.26
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.886813803801719
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	na.elf
File size:	4'129'976 bytes
MD5:	01fe3ad934fa66a72120acfb88bad44c
SHA1:	93514ae76cc5ac7b2c5fb77ef74f8b9b48ee8724
SHA256:	ab20b8c733d2f1a34b837a37800b2bbcd48c80243f3cf1795bda8245c18ad6fb
SHA512:	83fb45736d3500708e724c1012780d3c1e26d31389b3b3b1fd64bc16d7739197a01bdc4eefa3054dc70907276e71aa9833d66c9f4df6bde7b811e94b0db14d07
SSDEEP:	98304:MXnCLL2Sw1rW66dX2k5m9tf7uy/C5YNyQpWny3M:AnCLLHw5WprEuyKONKYM
TLSH:	FE163342D5CBA62B49E88265AF7522A3E18C900FDD509351FF11E36B2E38F926739371
File Content Preview:	.ELF....................H{C.4...........4. ...(.....................=.?.=.?...................C...C......8y.........Q.td............................='pZUPX!............................w....ELF........".{....4../. ...(..>..]w..........Q.U......6.b.o...n..?

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x8437b48
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8048000	0x8048000	0x3f043d	0x3f043d	7.8868	0x5	R E	0x1000
LOAD	0x0	0x8439000	0x8439000	0x0	0x79380c	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 23:03:46.429670095 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:46.434715033 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:46.434788942 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:46.435986996 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:46.440975904 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:47.358993053 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:47.359255075 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:47.424245119 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:47.429146051 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:47.492461920 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:47.492578030 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:47.500058889 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:47.504914999 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:47.985251904 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:47.985409975 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:47.998205900 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:48.003215075 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:48.093902111 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:48.093992949 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:48.100809097 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:48.106199026 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:48.557461023 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:48.562812090 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:48.567924976 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:48.890840054 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:48.895656109 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:48.900599003 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:49.302970886 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:49.307996035 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:49.313195944 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:49.738599062 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:49.779375076 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:49.893840075 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:49.894088030 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:49.901940107 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:49.907299042 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.009303093 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.009639025 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.024781942 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.029392004 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.030570984 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.034740925 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.540805101 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.541171074 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.672996044 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.673041105 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.673340082 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.673340082 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.678996086 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.684879065 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:50.685452938 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:50.691356897 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.240021944 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.283400059 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:51.372605085 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.372770071 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:51.377008915 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:51.381899118 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.383430004 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:51.386895895 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:51.388468027 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.390551090 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:51.391869068 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.395498991 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.974709988 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:51.975316048 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.108608007 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:52.108803034 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.114342928 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.119668007 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.119667053 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:52.124691010 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:52.715262890 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:52.715801001 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.852058887 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:52.852396965 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.857827902 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.863018990 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:52.864031076 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:52.869154930 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:53.459697962 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:53.503470898 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:53.593844891 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:53.593975067 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:53.599072933 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:53.604077101 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:53.607103109 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:53.612427950 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:54.158891916 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:54.159146070 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:54.296618938 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:54.296781063 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:54.300879955 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:54.306123972 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:54.306457996 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:54.311497927 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:54.903094053 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:54.903377056 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.036562920 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.036693096 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.042481899 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.047382116 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.050035954 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.055052996 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.105496883 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.110340118 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.110532045 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.115287066 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.251630068 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.257703066 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.263048887 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.483220100 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.527400017 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.555443048 CEST	48202	443	192.168.2.13	185.125.190.26
Oct 6, 2024 23:03:55.616826057 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:03:55.616925955 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.620600939 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:03:55.625701904 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:00.601834059 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:00.602169991 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:00.605976105 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:00.611574888 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:05.934772968 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:05.935009956 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:05.942536116 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:05.947709084 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:11.271029949 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:11.283432007 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:11.288784981 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:16.615061998 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:16.625566006 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:16.631191969 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:21.958178043 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:21.965437889 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:21.970923901 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:27.295242071 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:27.306006908 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:27.311604023 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:27.811464071 CEST	48202	443	192.168.2.13	185.125.190.26
Oct 6, 2024 23:04:32.634879112 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:32.643822908 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:32.649736881 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:37.972492933 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:37.979167938 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:37.984256983 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:43.919416904 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:43.919492006 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:43.919533014 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:43.919933081 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:43.919933081 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:43.929517984 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:43.935592890 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:49.259478092 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:49.259813070 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:49.267648935 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:49.273598909 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:54.597372055 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:54.597668886 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:54.606450081 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:54.611850977 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:59.935184002 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:04:59.943828106 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:04:59.949348927 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:05.272597075 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:05.281914949 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:05.287120104 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:10.900794983 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:10.900856972 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:10.901279926 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:10.911333084 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:10.916436911 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:16.243913889 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:16.244216919 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:16.252728939 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:16.258188963 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:21.581991911 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:21.582185984 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:21.588269949 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:21.594392061 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:26.918229103 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:26.928100109 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:26.933773041 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:32.257437944 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:32.265542030 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:32.271328926 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:37.593882084 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:37.601579905 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:37.607413054 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:42.929814100 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:42.937563896 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:42.942734003 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:48.266814947 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:48.274631023 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:48.279560089 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:53.603579998 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:53.613051891 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:53.618923903 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:58.941637039 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:05:58.949700117 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:05:58.955096960 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:04.278295040 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:04.286830902 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:04.292419910 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:09.616010904 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:09.624735117 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:09.630306005 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:14.953182936 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:14.960174084 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:14.965323925 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:20.288945913 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:20.298544884 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:20.303582907 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:25.628168106 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:25.635865927 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:25.640732050 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:30.963845015 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:30.974234104 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:30.979018927 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:36.302757025 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:36.307410955 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:36.314227104 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:41.637258053 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:41.642019987 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:41.648730040 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:46.971667051 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:46.980753899 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:46.986035109 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:52.308581114 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:52.315650940 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:52.320724964 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:57.643681049 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:06:57.651755095 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:06:57.656935930 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:02.980587006 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:02.985582113 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:07:02.990428925 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:08.323321104 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:08.329442978 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:07:08.334847927 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:13.658209085 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:13.667586088 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:07:13.672683954 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:18.996568918 CEST	3232	33588	103.212.49.88	192.168.2.13
Oct 6, 2024 23:07:19.006160975 CEST	33588	3232	192.168.2.13	103.212.49.88
Oct 6, 2024 23:07:19.011362076 CEST	3232	33588	103.212.49.88	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 23:03:46.184278965 CEST	34409	53	192.168.2.13	1.1.1.1
Oct 6, 2024 23:03:46.185723066 CEST	33105	53	192.168.2.13	1.1.1.1
Oct 6, 2024 23:03:46.425405025 CEST	53	33105	1.1.1.1	192.168.2.13
Oct 6, 2024 23:03:46.425456047 CEST	53	34409	1.1.1.1	192.168.2.13
Oct 6, 2024 23:06:30.284709930 CEST	47268	53	192.168.2.13	1.1.1.1
Oct 6, 2024 23:06:30.284765005 CEST	39761	53	192.168.2.13	1.1.1.1
Oct 6, 2024 23:06:30.291914940 CEST	53	39761	1.1.1.1	192.168.2.13
Oct 6, 2024 23:06:30.292738914 CEST	53	47268	1.1.1.1	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 23:03:46.184278965 CEST	192.168.2.13	1.1.1.1	0x7b70	Standard query (0)	ssh.updategoogle.cc	28	IN (0x0001)	false
Oct 6, 2024 23:03:46.185723066 CEST	192.168.2.13	1.1.1.1	0x1b3b	Standard query (0)	ssh.updategoogle.cc	A (IP address)	IN (0x0001)	false
Oct 6, 2024 23:06:30.284709930 CEST	192.168.2.13	1.1.1.1	0x3cd3	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 6, 2024 23:06:30.284765005 CEST	192.168.2.13	1.1.1.1	0xa6d2	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 23:03:46.425405025 CEST	1.1.1.1	192.168.2.13	0x1b3b	No error (0)	ssh.updategoogle.cc	103.212.49.88	A (IP address)	IN (0x0001)	false
Oct 6, 2024 23:06:30.292738914 CEST	1.1.1.1	192.168.2.13	0x3cd3	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 6, 2024 23:06:30.292738914 CEST	1.1.1.1	192.168.2.13	0x3cd3	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5456, Parent PID: 5376

General

Start time (UTC):	21:03:44
Start date (UTC):	06/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4129976 bytes
MD5 hash:	01fe3ad934fa66a72120acfb88bad44c

Start time (UTC):	21:03:44
Start date (UTC):	06/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4129976 bytes
MD5 hash:	01fe3ad934fa66a72120acfb88bad44c

Start time (UTC):	21:03:44
Start date (UTC):	06/10/2024
Path:	/proc/self/exe
Arguments:	/proc/self/exe
File size:	4129976 bytes
MD5 hash:	01fe3ad934fa66a72120acfb88bad44c

Start time (UTC):	21:03:53
Start date (UTC):	06/10/2024
Path:	/proc/self/exe
Arguments:	-
File size:	4129976 bytes
MD5 hash:	01fe3ad934fa66a72120acfb88bad44c

Start time (UTC):	21:03:53
Start date (UTC):	06/10/2024
Path:	/usr/bin/whoami
Arguments:	whoami
File size:	39256 bytes
MD5 hash:	dbc1888ae50bb5d4d9a7a210d51be710

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: ssh.updategoogle.cc
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5456, Parent PID: 5376

General

Chronological Activities

Analysis Process: na.elf PID: 5461, Parent PID: 5456

General

Chronological Activities

Analysis Process: exe PID: 5461, Parent PID: 5456

General

Chronological Activities

Analysis Process: exe PID: 5470, Parent PID: 5461

General

Chronological Activities

Analysis Process: whoami PID: 5470, Parent PID: 5461

General

Chronological Activities

Linux Analysis Report
na.elf