Edit tour

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Analysis ID:	1528444
MD5:	c01e10e582965bf67489c6dde16ce070
SHA1:	dbc8d3db80f8c673bbfbcb7313f38e76d897d5c3
SHA256:	483f83f5af615b216c475681e1773a348d491e0a69f10b7223cd387f2f889e72
Tags:	elf
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Sample scans a subnet

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528444
Start date and time:	2024-10-07 22:44:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Detection:	MAL
Classification:	mal60.spre.troj.spyw.evad.linELF@0/0@1/0

Warnings

VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
PID:	5429
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware update in progress
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5416, Parent: 3585)

rm (PID: 5416, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s

dash New Fork (PID: 5417, Parent: 3585)

rm (PID: 5417, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s

SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5429, Parent: 5348, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf New Fork (PID: 5433, Parent: 5429)

SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf New Fork (PID: 5441, Parent: 5433)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.228.42 ports 34567,3,4,5,6,7
Source: global traffic	TCP traffic: 5.230.228.44 ports 4443,0,1,2,5,27015,995,7
Source: global traffic	TCP traffic: 5.230.228.62 ports 34567,3,993,4,5,6,3389,7

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/lo/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Sample scans a subnet

Source: ip traffic

Subnet 5.230.228.0/24: 5.230.228.46, 5.230.228.42, 5.230.228.23, 5.230.228.45, 5.230.228.44, 5.230.228.62

Source: global traffic	TCP traffic: 192.168.2.13:38288 -> 185.248.144.209:25565
Source: global traffic	TCP traffic: 192.168.2.13:48038 -> 194.156.98.15:7777
Source: global traffic	TCP traffic: 192.168.2.13:33492 -> 94.131.118.154:25565
Source: global traffic	TCP traffic: 192.168.2.13:49060 -> 5.230.228.46:3478
Source: global traffic	TCP traffic: 192.168.2.13:57152 -> 5.230.228.62:34567
Source: global traffic	TCP traffic: 192.168.2.13:58606 -> 5.230.122.80:3389
Source: global traffic	TCP traffic: 192.168.2.13:48480 -> 5.230.228.42:34567
Source: global traffic	TCP traffic: 192.168.2.13:48798 -> 5.230.228.23:35000
Source: global traffic	TCP traffic: 192.168.2.13:60062 -> 5.230.228.44:27015
Source: global traffic	TCP traffic: 192.168.2.13:51152 -> 5.230.229.84:10001
Source: global traffic	TCP traffic: 192.168.2.13:37862 -> 5.230.228.45:18004
Source: global traffic	TCP traffic: 192.168.2.13:58962 -> 5.230.118.247:10001
Source: global traffic	TCP traffic: 192.168.2.13:46966 -> 5.230.171.8:6666

Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.spre.troj.spyw.evad.linELF@0/0@1/0

Source: /usr/bin/dash (PID: 5416)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s			Jump to behavior
Source: /usr/bin/dash (PID: 5417)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5429)

File: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Jump to behavior

Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5429)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.000055ebf0853000.000055ebf0981000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.000055ebf0853000.000055ebf0981000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.00007fffa67a0000.00007fffa67c1000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.00007fffa67a0000.00007fffa67c1000.rw-.sdmp	Binary or memory string: Hx86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Network Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	11%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iranistrash.libre	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	false
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.46	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.42	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.23	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.45	unknown	Germany	12586	ASGHOSTNETDE	true
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	false
5.230.228.44	unknown	Germany	12586	ASGHOSTNETDE	true
185.248.144.209	unknown	France	31531	POINT-ASUA	false
5.230.228.62	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.229.84	unknown	Germany	12586	ASGHOSTNETDE	false
194.156.98.15	unknown	Russian Federation	135330	ADCDATACOM-AS-APADCDATACOMHK	false
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.248.144.209	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.228.62	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.229.84	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
194.156.98.15	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.118.247	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.228.46	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	aqyhDUWrLW.msi	Get hash	malicious	Unknown	Browse	5.230.73.188
	botx.mips.elf	Get hash	malicious	Mirai	Browse	5.175.194.100
ASGHOSTNETDE	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	aqyhDUWrLW.msi	Get hash	malicious	Unknown	Browse	5.230.73.188
	botx.mips.elf	Get hash	malicious	Mirai	Browse	5.175.194.100

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.038660688090042
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
File size:	66'400 bytes
MD5:	c01e10e582965bf67489c6dde16ce070
SHA1:	dbc8d3db80f8c673bbfbcb7313f38e76d897d5c3
SHA256:	483f83f5af615b216c475681e1773a348d491e0a69f10b7223cd387f2f889e72
SHA512:	6255dd3b0ef921c3731676185e0b885ccee1c7434bce23c2e73c6f703b648651dc7340ea6e3eac632eb3877e6f9d8a23b07edec5c36c28e35d934d3b280efd03
SSDEEP:	1536:GAotq2yoo6kC7sxes/S/oNh9fAKQahUX:GLudCbCvB+
TLSH:	17532885BD818A12C5E4337AFB2E56CD3351A7E8E2EA3213CD225F51778AC2B0D77641
File Content Preview:	.ELF...a..........(.........4...........4. ...(.....................H...H................................%..........Q.td..................................-...L."...Y=..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	66000
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xf59c	0x0	0x6	AX	16
.fini	PROGBITS	0x1764c	0xf64c	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x17660	0xf660	0x6e8	0x0	0x2	A	4
.ctors	PROGBITS	0x18000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x18008	0x10008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x18014	0x10014	0x17c	0x0	0x3	WA	4
.bss	NOBITS	0x18190	0x10190	0x2418	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x10190	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xfd48	0xfd48	6.1003	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x10000	0x18000	0x18000	0x190	0x25a8	1.2179	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:45:05.802011967 CEST	38288	25565	192.168.2.13	185.248.144.209
Oct 7, 2024 22:45:05.807730913 CEST	25565	38288	185.248.144.209	192.168.2.13
Oct 7, 2024 22:45:05.807802916 CEST	38288	25565	192.168.2.13	185.248.144.209
Oct 7, 2024 22:45:05.854513884 CEST	38288	25565	192.168.2.13	185.248.144.209
Oct 7, 2024 22:45:05.859564066 CEST	25565	38288	185.248.144.209	192.168.2.13
Oct 7, 2024 22:45:07.474392891 CEST	25565	38288	185.248.144.209	192.168.2.13
Oct 7, 2024 22:45:07.474864960 CEST	38288	25565	192.168.2.13	185.248.144.209
Oct 7, 2024 22:45:07.479717970 CEST	25565	38288	185.248.144.209	192.168.2.13
Oct 7, 2024 22:45:09.477643013 CEST	48038	7777	192.168.2.13	194.156.98.15
Oct 7, 2024 22:45:09.482567072 CEST	7777	48038	194.156.98.15	192.168.2.13
Oct 7, 2024 22:45:09.482723951 CEST	48038	7777	192.168.2.13	194.156.98.15
Oct 7, 2024 22:45:09.482769012 CEST	48038	7777	192.168.2.13	194.156.98.15
Oct 7, 2024 22:45:09.487610102 CEST	7777	48038	194.156.98.15	192.168.2.13
Oct 7, 2024 22:45:11.497368097 CEST	7777	48038	194.156.98.15	192.168.2.13
Oct 7, 2024 22:45:11.497685909 CEST	48038	7777	192.168.2.13	194.156.98.15
Oct 7, 2024 22:45:11.502645016 CEST	7777	48038	194.156.98.15	192.168.2.13
Oct 7, 2024 22:45:12.499726057 CEST	33492	25565	192.168.2.13	94.131.118.154
Oct 7, 2024 22:45:12.504586935 CEST	25565	33492	94.131.118.154	192.168.2.13
Oct 7, 2024 22:45:12.504654884 CEST	33492	25565	192.168.2.13	94.131.118.154
Oct 7, 2024 22:45:12.504683018 CEST	33492	25565	192.168.2.13	94.131.118.154
Oct 7, 2024 22:45:12.509485006 CEST	25565	33492	94.131.118.154	192.168.2.13
Oct 7, 2024 22:45:14.110280991 CEST	25565	33492	94.131.118.154	192.168.2.13
Oct 7, 2024 22:45:14.110656977 CEST	33492	25565	192.168.2.13	94.131.118.154
Oct 7, 2024 22:45:14.115653038 CEST	25565	33492	94.131.118.154	192.168.2.13
Oct 7, 2024 22:45:15.113504887 CEST	34396	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:15.119199991 CEST	5223	34396	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:15.119326115 CEST	34396	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:15.119391918 CEST	34396	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:15.124469995 CEST	5223	34396	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:17.483304024 CEST	5223	34396	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:17.484061003 CEST	34396	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:17.485111952 CEST	5223	34396	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:17.485166073 CEST	34396	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:17.486665010 CEST	5223	34396	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:17.486723900 CEST	34396	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:17.492438078 CEST	5223	34396	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:19.486510992 CEST	34398	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:19.493932009 CEST	5223	34398	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:19.494044065 CEST	34398	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:19.494075060 CEST	34398	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:19.501832008 CEST	5223	34398	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:21.367784023 CEST	5223	34398	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:21.368469954 CEST	34398	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:21.368649006 CEST	34398	5223	192.168.2.13	5.230.171.9
Oct 7, 2024 22:45:21.373522997 CEST	5223	34398	5.230.171.9	192.168.2.13
Oct 7, 2024 22:45:22.372332096 CEST	49060	3478	192.168.2.13	5.230.228.46
Oct 7, 2024 22:45:22.377481937 CEST	3478	49060	5.230.228.46	192.168.2.13
Oct 7, 2024 22:45:22.377688885 CEST	49060	3478	192.168.2.13	5.230.228.46
Oct 7, 2024 22:45:22.377688885 CEST	49060	3478	192.168.2.13	5.230.228.46
Oct 7, 2024 22:45:22.382704020 CEST	3478	49060	5.230.228.46	192.168.2.13
Oct 7, 2024 22:45:24.103285074 CEST	3478	49060	5.230.228.46	192.168.2.13
Oct 7, 2024 22:45:24.104245901 CEST	49060	3478	192.168.2.13	5.230.228.46
Oct 7, 2024 22:45:24.109530926 CEST	3478	49060	5.230.228.46	192.168.2.13
Oct 7, 2024 22:45:25.107575893 CEST	57152	34567	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:25.112746954 CEST	34567	57152	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:25.112873077 CEST	57152	34567	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:25.112919092 CEST	57152	34567	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:25.118463993 CEST	34567	57152	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:26.793565989 CEST	34567	57152	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:26.794315100 CEST	57152	34567	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:26.799343109 CEST	34567	57152	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:28.796720982 CEST	58606	3389	192.168.2.13	5.230.122.80
Oct 7, 2024 22:45:28.802747011 CEST	3389	58606	5.230.122.80	192.168.2.13
Oct 7, 2024 22:45:28.802843094 CEST	58606	3389	192.168.2.13	5.230.122.80
Oct 7, 2024 22:45:28.802926064 CEST	58606	3389	192.168.2.13	5.230.122.80
Oct 7, 2024 22:45:28.808168888 CEST	3389	58606	5.230.122.80	192.168.2.13
Oct 7, 2024 22:45:30.968240023 CEST	3389	58606	5.230.122.80	192.168.2.13
Oct 7, 2024 22:45:30.968409061 CEST	58606	3389	192.168.2.13	5.230.122.80
Oct 7, 2024 22:45:30.968570948 CEST	58606	3389	192.168.2.13	5.230.122.80
Oct 7, 2024 22:45:30.973448992 CEST	3389	58606	5.230.122.80	192.168.2.13
Oct 7, 2024 22:45:33.970829010 CEST	52034	3389	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:33.975975990 CEST	3389	52034	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:33.976082087 CEST	52034	3389	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:33.976129055 CEST	52034	3389	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:33.981372118 CEST	3389	52034	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:35.672122955 CEST	3389	52034	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:35.672637939 CEST	52034	3389	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:35.673213005 CEST	52034	3389	192.168.2.13	5.230.228.62
Oct 7, 2024 22:45:35.678083897 CEST	3389	52034	5.230.228.62	192.168.2.13
Oct 7, 2024 22:45:38.675319910 CEST	48480	34567	192.168.2.13	5.230.228.42
Oct 7, 2024 22:45:38.682240963 CEST	34567	48480	5.230.228.42	192.168.2.13
Oct 7, 2024 22:45:38.682420969 CEST	48480	34567	192.168.2.13	5.230.228.42
Oct 7, 2024 22:45:38.682488918 CEST	48480	34567	192.168.2.13	5.230.228.42
Oct 7, 2024 22:45:38.688469887 CEST	34567	48480	5.230.228.42	192.168.2.13
Oct 7, 2024 22:45:48.692898989 CEST	48480	34567	192.168.2.13	5.230.228.42
Oct 7, 2024 22:45:48.698400974 CEST	34567	48480	5.230.228.42	192.168.2.13
Oct 7, 2024 22:45:48.698453903 CEST	48480	34567	192.168.2.13	5.230.228.42
Oct 7, 2024 22:45:50.694969893 CEST	48798	35000	192.168.2.13	5.230.228.23
Oct 7, 2024 22:45:50.700042009 CEST	35000	48798	5.230.228.23	192.168.2.13
Oct 7, 2024 22:45:50.700145006 CEST	48798	35000	192.168.2.13	5.230.228.23
Oct 7, 2024 22:45:50.700310946 CEST	48798	35000	192.168.2.13	5.230.228.23
Oct 7, 2024 22:45:50.705174923 CEST	35000	48798	5.230.228.23	192.168.2.13
Oct 7, 2024 22:46:00.710527897 CEST	48798	35000	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:00.716003895 CEST	35000	48798	5.230.228.23	192.168.2.13
Oct 7, 2024 22:46:00.716073990 CEST	48798	35000	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:03.712858915 CEST	60062	27015	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:03.718688011 CEST	27015	60062	5.230.228.44	192.168.2.13
Oct 7, 2024 22:46:03.718771935 CEST	60062	27015	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:03.718787909 CEST	60062	27015	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:03.724009037 CEST	27015	60062	5.230.228.44	192.168.2.13
Oct 7, 2024 22:46:13.728965998 CEST	60062	27015	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:13.734446049 CEST	27015	60062	5.230.228.44	192.168.2.13
Oct 7, 2024 22:46:13.734513998 CEST	60062	27015	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:15.730875969 CEST	45112	993	192.168.2.13	5.230.228.62
Oct 7, 2024 22:46:15.737150908 CEST	993	45112	5.230.228.62	192.168.2.13
Oct 7, 2024 22:46:15.737237930 CEST	45112	993	192.168.2.13	5.230.228.62
Oct 7, 2024 22:46:15.737272024 CEST	45112	993	192.168.2.13	5.230.228.62
Oct 7, 2024 22:46:15.743275881 CEST	993	45112	5.230.228.62	192.168.2.13
Oct 7, 2024 22:46:17.418808937 CEST	993	45112	5.230.228.62	192.168.2.13
Oct 7, 2024 22:46:17.419182062 CEST	45112	993	192.168.2.13	5.230.228.62
Oct 7, 2024 22:46:17.426090956 CEST	993	45112	5.230.228.62	192.168.2.13
Oct 7, 2024 22:46:19.421463013 CEST	51152	10001	192.168.2.13	5.230.229.84
Oct 7, 2024 22:46:19.429029942 CEST	10001	51152	5.230.229.84	192.168.2.13
Oct 7, 2024 22:46:19.429193974 CEST	51152	10001	192.168.2.13	5.230.229.84
Oct 7, 2024 22:46:19.429256916 CEST	51152	10001	192.168.2.13	5.230.229.84
Oct 7, 2024 22:46:19.436505079 CEST	10001	51152	5.230.229.84	192.168.2.13
Oct 7, 2024 22:46:21.557260990 CEST	10001	51152	5.230.229.84	192.168.2.13
Oct 7, 2024 22:46:21.557724953 CEST	51152	10001	192.168.2.13	5.230.229.84
Oct 7, 2024 22:46:21.563189030 CEST	10001	51152	5.230.229.84	192.168.2.13
Oct 7, 2024 22:46:24.559631109 CEST	37862	18004	192.168.2.13	5.230.228.45
Oct 7, 2024 22:46:25.385730982 CEST	18004	37862	5.230.228.45	192.168.2.13
Oct 7, 2024 22:46:25.385838032 CEST	37862	18004	192.168.2.13	5.230.228.45
Oct 7, 2024 22:46:25.385901928 CEST	37862	18004	192.168.2.13	5.230.228.45
Oct 7, 2024 22:46:25.391057968 CEST	18004	37862	5.230.228.45	192.168.2.13
Oct 7, 2024 22:46:35.396177053 CEST	37862	18004	192.168.2.13	5.230.228.45
Oct 7, 2024 22:46:35.401590109 CEST	18004	37862	5.230.228.45	192.168.2.13
Oct 7, 2024 22:46:35.401652098 CEST	37862	18004	192.168.2.13	5.230.228.45
Oct 7, 2024 22:46:37.398123980 CEST	41790	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:37.406002045 CEST	3389	41790	5.230.228.23	192.168.2.13
Oct 7, 2024 22:46:37.406110048 CEST	41790	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:37.406191111 CEST	41790	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:37.411158085 CEST	3389	41790	5.230.228.23	192.168.2.13
Oct 7, 2024 22:46:47.416341066 CEST	41790	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:47.423749924 CEST	3389	41790	5.230.228.23	192.168.2.13
Oct 7, 2024 22:46:47.423821926 CEST	41790	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:46:50.418803930 CEST	58962	10001	192.168.2.13	5.230.118.247
Oct 7, 2024 22:46:50.424051046 CEST	10001	58962	5.230.118.247	192.168.2.13
Oct 7, 2024 22:46:50.424141884 CEST	58962	10001	192.168.2.13	5.230.118.247
Oct 7, 2024 22:46:50.424155951 CEST	58962	10001	192.168.2.13	5.230.118.247
Oct 7, 2024 22:46:50.429075956 CEST	10001	58962	5.230.118.247	192.168.2.13
Oct 7, 2024 22:46:52.269556046 CEST	10001	58962	5.230.118.247	192.168.2.13
Oct 7, 2024 22:46:52.270020962 CEST	58962	10001	192.168.2.13	5.230.118.247
Oct 7, 2024 22:46:52.275491953 CEST	10001	58962	5.230.118.247	192.168.2.13
Oct 7, 2024 22:46:54.272648096 CEST	46966	6666	192.168.2.13	5.230.171.8
Oct 7, 2024 22:46:54.277936935 CEST	6666	46966	5.230.171.8	192.168.2.13
Oct 7, 2024 22:46:54.278033018 CEST	46966	6666	192.168.2.13	5.230.171.8
Oct 7, 2024 22:46:54.278090000 CEST	46966	6666	192.168.2.13	5.230.171.8
Oct 7, 2024 22:46:54.283543110 CEST	6666	46966	5.230.171.8	192.168.2.13
Oct 7, 2024 22:46:56.136797905 CEST	6666	46966	5.230.171.8	192.168.2.13
Oct 7, 2024 22:46:56.137636900 CEST	46966	6666	192.168.2.13	5.230.171.8
Oct 7, 2024 22:46:56.142724037 CEST	6666	46966	5.230.171.8	192.168.2.13
Oct 7, 2024 22:46:58.140763998 CEST	57920	4443	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:58.146121979 CEST	4443	57920	5.230.228.44	192.168.2.13
Oct 7, 2024 22:46:58.146234989 CEST	57920	4443	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:58.146292925 CEST	57920	4443	192.168.2.13	5.230.228.44
Oct 7, 2024 22:46:58.151432037 CEST	4443	57920	5.230.228.44	192.168.2.13
Oct 7, 2024 22:47:08.148107052 CEST	57920	4443	192.168.2.13	5.230.228.44
Oct 7, 2024 22:47:08.153239965 CEST	4443	57920	5.230.228.44	192.168.2.13
Oct 7, 2024 22:47:08.153315067 CEST	57920	4443	192.168.2.13	5.230.228.44
Oct 7, 2024 22:47:09.149851084 CEST	55226	995	192.168.2.13	5.230.228.44
Oct 7, 2024 22:47:09.155157089 CEST	995	55226	5.230.228.44	192.168.2.13
Oct 7, 2024 22:47:09.155236959 CEST	55226	995	192.168.2.13	5.230.228.44
Oct 7, 2024 22:47:09.155318975 CEST	55226	995	192.168.2.13	5.230.228.44
Oct 7, 2024 22:47:09.160263062 CEST	995	55226	5.230.228.44	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:45:05.127958059 CEST	55383	3478	192.168.2.13	172.217.192.127
Oct 7, 2024 22:45:05.706069946 CEST	3478	55383	172.217.192.127	192.168.2.13
Oct 7, 2024 22:45:05.714112043 CEST	33695	53	192.168.2.13	37.252.191.197
Oct 7, 2024 22:45:05.734472036 CEST	53	33695	37.252.191.197	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:45:05.714112043 CEST	192.168.2.13	37.252.191.197	0x2994	Standard query (0)	iranistrash.libre	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:45:05.734472036 CEST	37.252.191.197	192.168.2.13	0x2994	No error (0)	iranistrash.libre			TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5416, Parent PID: 3585

General

Start time (UTC):	20:44:49
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5416, Parent PID: 3585

General

Start time (UTC):	20:44:49
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5417, Parent PID: 3585

General

Start time (UTC):	20:44:49
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5417, Parent PID: 3585

General

Start time (UTC):	20:44:49
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf PID: 5429, Parent PID: 5348

General

Start time (UTC):	20:45:00
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Arguments:	/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf PID: 5433, Parent PID: 5429

General

Start time (UTC):	20:45:04
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf PID: 5441, Parent PID: 5433

General

Start time (UTC):	20:45:04
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Cloud Service: Cloud Service Enumeration, Command: Command Execution, Network Traffic: Network Traffic Flow
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5416, Parent PID: 3585

General

Chronological Activities

Analysis Process: rm PID: 5416, Parent PID: 3585

General

Chronological Activities

Analysis Process: dash PID: 5417, Parent PID: 3585

General

Chronological Activities

Analysis Process: rm PID: 5417, Parent PID: 3585

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf PID: 5429, Parent PID: 5348

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf PID: 5433, Parent PID: 5429

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf PID: 5441, Parent PID: 5433

General

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf