Linux
Analysis Report
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Connects to many ports of the same IP (likely port scanning)
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample scans a subnet
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1528444 |
Start date and time: | 2024-10-07 22:44:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
Detection: | MAL |
Classification: | mal60.spre.troj.spyw.evad.linELF@0/0@1/0 |
- VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Command: | /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
PID: | 5429 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | Firmware update in progress |
Standard Error: |
- system is lnxubuntu20
- dash New Fork (PID: 5416, Parent: 3585)
- dash New Fork (PID: 5417, Parent: 3585)
- SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf New Fork (PID: 5433, Parent: 5429)
- SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf New Fork (PID: 5441, Parent: 5433)
- cleanup
⊘No yara matches
⊘No Suricata rule has matched
Networking |
---|
Source: | TCP traffic: |
Source: | Opens: |
Source: | Subnet 5.230.228.0/24: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | .symtab present: |
Source: | Classification label: |
Source: | Rm executable: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File: |
Source: | Queries kernel information via 'uname': |
Source: | Binary or memory string: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | DNS traffic detected: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 11 File Deletion | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 Network Service Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | ReversingLabs | Linux.Trojan.Mirai |
⊘No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
iranistrash.libre | unknown | unknown | true | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
5.230.171.9 | unknown | Germany | 12586 | ASGHOSTNETDE | false | |
5.230.171.8 | unknown | Germany | 12586 | ASGHOSTNETDE | false | |
5.230.122.80 | unknown | Germany | 12586 | ASGHOSTNETDE | false | |
172.217.192.127 | unknown | United States | 15169 | GOOGLEUS | false | |
5.230.228.46 | unknown | Germany | 12586 | ASGHOSTNETDE | true | |
5.230.228.42 | unknown | Germany | 12586 | ASGHOSTNETDE | true | |
5.230.228.23 | unknown | Germany | 12586 | ASGHOSTNETDE | true | |
5.230.228.45 | unknown | Germany | 12586 | ASGHOSTNETDE | true | |
94.131.118.154 | unknown | Ukraine | 29632 | NASSIST-ASGI | false | |
5.230.228.44 | unknown | Germany | 12586 | ASGHOSTNETDE | true | |
185.248.144.209 | unknown | France | 31531 | POINT-ASUA | false | |
5.230.228.62 | unknown | Germany | 12586 | ASGHOSTNETDE | true | |
5.230.229.84 | unknown | Germany | 12586 | ASGHOSTNETDE | false | |
194.156.98.15 | unknown | Russian Federation | 135330 | ADCDATACOM-AS-APADCDATACOMHK | false | |
5.230.118.247 | unknown | Germany | 12586 | ASGHOSTNETDE | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.248.144.209 | Get hash | malicious | Unknown | Browse | ||
5.230.228.62 | Get hash | malicious | Unknown | Browse | ||
5.230.229.84 | Get hash | malicious | Unknown | Browse | ||
194.156.98.15 | Get hash | malicious | Unknown | Browse | ||
5.230.118.247 | Get hash | malicious | Unknown | Browse | ||
5.230.228.46 | Get hash | malicious | Unknown | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ASGHOSTNETDE | Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Phisher | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Mirai | Browse |
| Get hash | malicious | RedLine | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Mirai | Browse |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.038660688090042 |
TrID: | |
File name: | SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
File size: | 66'400 bytes |
MD5: | c01e10e582965bf67489c6dde16ce070 |
SHA1: | dbc8d3db80f8c673bbfbcb7313f38e76d897d5c3 |
SHA256: | 483f83f5af615b216c475681e1773a348d491e0a69f10b7223cd387f2f889e72 |
SHA512: | 6255dd3b0ef921c3731676185e0b885ccee1c7434bce23c2e73c6f703b648651dc7340ea6e3eac632eb3877e6f9d8a23b07edec5c36c28e35d934d3b280efd03 |
SSDEEP: | 1536:GAotq2yoo6kC7sxes/S/oNh9fAKQahUX:GLudCbCvB+ |
TLSH: | 17532885BD818A12C5E4337AFB2E56CD3351A7E8E2EA3213CD225F51778AC2B0D77641 |
File Content Preview: | .ELF...a..........(.........4...........4. ...(.....................H...H................................%..........Q.td..................................-...L."...Y=..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 66000 |
Section Header Size: | 40 |
Number of Section Headers: | 10 |
Header String Table Index: | 9 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.init | PROGBITS | 0x8094 | 0x94 | 0x18 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x80b0 | 0xb0 | 0xf59c | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x1764c | 0xf64c | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x17660 | 0xf660 | 0x6e8 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ctors | PROGBITS | 0x18000 | 0x10000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x18008 | 0x10008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x18014 | 0x10014 | 0x17c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x18190 | 0x10190 | 0x2418 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0x10190 | 0x3e | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8000 | 0x8000 | 0xfd48 | 0xfd48 | 6.1003 | 0x5 | R E | 0x8000 | .init .text .fini .rodata | |
LOAD | 0x10000 | 0x18000 | 0x18000 | 0x190 | 0x25a8 | 1.2179 | 0x6 | RW | 0x8000 | .ctors .dtors .data .bss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 7, 2024 22:45:05.127958059 CEST | 55383 | 3478 | 192.168.2.13 | 172.217.192.127 |
Oct 7, 2024 22:45:05.706069946 CEST | 3478 | 55383 | 172.217.192.127 | 192.168.2.13 |
Oct 7, 2024 22:45:05.714112043 CEST | 33695 | 53 | 192.168.2.13 | 37.252.191.197 |
Oct 7, 2024 22:45:05.734472036 CEST | 53 | 33695 | 37.252.191.197 | 192.168.2.13 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 7, 2024 22:45:05.714112043 CEST | 192.168.2.13 | 37.252.191.197 | 0x2994 | Standard query (0) | 16 | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 7, 2024 22:45:05.734472036 CEST | 37.252.191.197 | 192.168.2.13 | 0x2994 | No error (0) | TXT (Text strings) | IN (0x0001) | false |
System Behavior
Start time (UTC): | 20:44:49 |
Start date (UTC): | 07/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 20:44:49 |
Start date (UTC): | 07/10/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 20:44:49 |
Start date (UTC): | 07/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 20:44:49 |
Start date (UTC): | 07/10/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 20:45:00 |
Start date (UTC): | 07/10/2024 |
Path: | /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
Arguments: | /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 20:45:04 |
Start date (UTC): | 07/10/2024 |
Path: | /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 20:45:04 |
Start date (UTC): | 07/10/2024 |
Path: | /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |