Edit tour

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Analysis ID:	1528446
MD5:	5d959c2b7278b8c8b2c4a3f1554bb96e
SHA1:	a2ff0e2fd22b31f16f2b3bcc7a3e5ac61c03f5d0
SHA256:	727d897cbf2466bc6390ec82e4056aa5047597390719fd1c556fef01303d91bd
Tags:	elf
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Sample scans a subnet

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528446
Start date and time:	2024-10-07 22:44:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Detection:	MAL
Classification:	mal60.spre.troj.spyw.evad.linELF@0/0@1/0

Warnings

VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
PID:	5624
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware update in progress
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5605, Parent: 3678)

rm (PID: 5605, Parent: 3678, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2

dash New Fork (PID: 5606, Parent: 3678)

rm (PID: 5606, Parent: 3678, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2

SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5624, Parent: 5537, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf

SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf New Fork (PID: 5628, Parent: 5624)

SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf New Fork (PID: 5630, Parent: 5628)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.171.8 ports 22022,3,4,3478,3544,7,8
Source: global traffic	TCP traffic: 5.230.122.80 ports 7000,34567,3,4,5,6,3389,7
Source: global traffic	TCP traffic: 94.131.118.154 ports 35000,0,1,2,4,27014,7

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Sample scans a subnet

Source: ip traffic

Subnet 5.230.228.0/24: 5.230.228.47, 5.230.228.46, 5.230.228.42, 5.230.228.44, 5.230.228.62

Source: global traffic	TCP traffic: 192.168.2.15:34592 -> 185.248.144.209:7000
Source: global traffic	TCP traffic: 192.168.2.15:56206 -> 5.230.171.8:3478
Source: global traffic	TCP traffic: 192.168.2.15:60560 -> 5.230.228.44:10001
Source: global traffic	TCP traffic: 192.168.2.15:49554 -> 5.230.171.9:7777
Source: global traffic	TCP traffic: 192.168.2.15:45434 -> 194.156.98.15:993
Source: global traffic	TCP traffic: 192.168.2.15:39694 -> 5.230.228.47:2022
Source: global traffic	TCP traffic: 192.168.2.15:55080 -> 5.230.122.80:34567
Source: global traffic	TCP traffic: 192.168.2.15:50404 -> 5.230.228.46:2022
Source: global traffic	TCP traffic: 192.168.2.15:60072 -> 5.230.122.82:3389
Source: global traffic	TCP traffic: 192.168.2.15:33758 -> 5.230.228.62:993
Source: global traffic	TCP traffic: 192.168.2.15:37800 -> 94.131.118.154:27014
Source: global traffic	TCP traffic: 192.168.2.15:41856 -> 5.230.228.42:19153
Source: global traffic	TCP traffic: 192.168.2.15:50728 -> 5.230.118.247:9000

Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Source: unknown	Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60874

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.spre.troj.spyw.evad.linELF@0/0@1/0

Source: /usr/bin/dash (PID: 5605)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2			Jump to behavior
Source: /usr/bin/dash (PID: 5606)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5624)

File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf

Jump to behavior

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5624)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.000055bd1bb5c000.000055bd1bbc1000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.000055bd1bb5c000.000055bd1bbc1000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.00007ffd67511000.00007ffd67532000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.00007ffd67511000.00007ffd67532000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Network Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	3%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iranistrash.libre	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.122.82	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.47	unknown	Germany	12586	ASGHOSTNETDE	true
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.46	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.42	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.44	unknown	Germany	12586	ASGHOSTNETDE	true
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	true
185.248.144.209	unknown	France	31531	POINT-ASUA	false
5.230.228.62	unknown	Germany	12586	ASGHOSTNETDE	true
194.156.98.15	unknown	Russian Federation	135330	ADCDATACOM-AS-APADCDATACOMHK	false
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.248.144.209	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.228.62	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
194.156.98.15	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.118.247	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.228.46	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	aqyhDUWrLW.msi	Get hash	malicious	Unknown	Browse	5.230.73.188
	botx.mips.elf	Get hash	malicious	Mirai	Browse	5.175.194.100
ASGHOSTNETDE	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	yWGzX7xR3D.dll	Get hash	malicious	Unknown	Browse	5.230.73.188
	aqyhDUWrLW.msi	Get hash	malicious	Unknown	Browse	5.230.73.188
	botx.mips.elf	Get hash	malicious	Mirai	Browse	5.175.194.100

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.050195297376419
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
File size:	83'180 bytes
MD5:	5d959c2b7278b8c8b2c4a3f1554bb96e
SHA1:	a2ff0e2fd22b31f16f2b3bcc7a3e5ac61c03f5d0
SHA256:	727d897cbf2466bc6390ec82e4056aa5047597390719fd1c556fef01303d91bd
SHA512:	de5aa96b74ef67dd27511a83e34e3455dcaa0e750eb89d51a4f958d1fc77503c533429586e0cb185d0ad1104b98627376825b41792da897a157da4242ff096eb
SSDEEP:	1536:7wFKWWnCCgFmieKTImRoqQA1LJVNcCWSt5cbhd:7GKWWnSmiePANZ8SIbX
TLSH:	F6834B21BA761E27C0D0B57921F7432AF2F5464918A8CA1F7E710E8EFF6556032137B9
File Content Preview:	.ELF...........................4..C......4. ...(......................?...?...............@...@...@.......I.........dt.Q................................@..(....@.M.................#.....b...`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	82700
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0x1370c	0x0	0x6	AX	4
.fini	PROGBITS	0x237bc	0x137bc	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x237d0	0x137d0	0x7d8	0x0	0x2	A	8
.eh_frame	PROGBITS	0x34000	0x14000	0x4	0x0	0x3	WA	4
.ctors	PROGBITS	0x34004	0x14004	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x3400c	0x1400c	0x8	0x0	0x3	WA	4
.got	PROGBITS	0x34018	0x14018	0xd4	0x4	0x3	WA	4
.data	PROGBITS	0x340f0	0x140f0	0x1cc	0x0	0x3	WA	8
.bss	NOBITS	0x342c0	0x142bc	0x46f0	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0x142bc	0x4d	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0x13fa8	0x13fa8	6.0743	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x14000	0x34000	0x34000	0x2bc	0x49b0	3.0650	0x6	RW	0x10000	.eh_frame .ctors .dtors .got .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:45:07.188383102 CEST	34592	7000	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:07.193567038 CEST	7000	34592	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:07.193918943 CEST	34592	7000	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:07.203037977 CEST	34592	7000	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:07.207962990 CEST	7000	34592	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:08.872001886 CEST	7000	34592	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:08.872457027 CEST	34592	7000	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:08.877463102 CEST	7000	34592	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:11.874357939 CEST	56206	3478	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:11.879374981 CEST	3478	56206	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:11.879461050 CEST	56206	3478	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:11.879487991 CEST	56206	3478	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:11.884280920 CEST	3478	56206	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:13.725682020 CEST	3478	56206	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:13.726005077 CEST	56206	3478	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:13.731193066 CEST	3478	56206	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:14.729933023 CEST	60560	10001	192.168.2.15	5.230.228.44
Oct 7, 2024 22:45:14.734900951 CEST	10001	60560	5.230.228.44	192.168.2.15
Oct 7, 2024 22:45:14.735002995 CEST	60560	10001	192.168.2.15	5.230.228.44
Oct 7, 2024 22:45:14.735112906 CEST	60560	10001	192.168.2.15	5.230.228.44
Oct 7, 2024 22:45:14.740021944 CEST	10001	60560	5.230.228.44	192.168.2.15
Oct 7, 2024 22:45:16.389075041 CEST	10001	60560	5.230.228.44	192.168.2.15
Oct 7, 2024 22:45:16.389484882 CEST	60560	10001	192.168.2.15	5.230.228.44
Oct 7, 2024 22:45:16.395875931 CEST	10001	60560	5.230.228.44	192.168.2.15
Oct 7, 2024 22:45:19.392002106 CEST	49554	7777	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:19.400295019 CEST	7777	49554	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:19.400413990 CEST	49554	7777	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:19.400525093 CEST	49554	7777	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:19.408274889 CEST	7777	49554	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:21.288559914 CEST	7777	49554	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:21.289382935 CEST	49554	7777	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:21.294334888 CEST	7777	49554	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:24.291877031 CEST	49308	995	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:24.296950102 CEST	995	49308	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:24.297023058 CEST	49308	995	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:24.297080994 CEST	49308	995	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:24.302409887 CEST	995	49308	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:26.147627115 CEST	995	49308	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:26.148053885 CEST	49308	995	192.168.2.15	5.230.171.9
Oct 7, 2024 22:45:26.152861118 CEST	995	49308	5.230.171.9	192.168.2.15
Oct 7, 2024 22:45:27.150372982 CEST	45434	993	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:27.156049967 CEST	993	45434	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:27.156187057 CEST	45434	993	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:27.156223059 CEST	45434	993	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:27.161056042 CEST	993	45434	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:29.167356968 CEST	993	45434	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:29.167749882 CEST	45434	993	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:29.172693014 CEST	993	45434	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:32.169759989 CEST	53896	3544	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:32.174757004 CEST	3544	53896	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:32.174850941 CEST	53896	3544	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:32.174945116 CEST	53896	3544	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:32.179891109 CEST	3544	53896	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:34.027929068 CEST	3544	53896	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:34.028666973 CEST	53896	3544	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:34.033500910 CEST	3544	53896	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:35.030998945 CEST	39694	2022	192.168.2.15	5.230.228.47
Oct 7, 2024 22:45:35.037638903 CEST	2022	39694	5.230.228.47	192.168.2.15
Oct 7, 2024 22:45:35.037735939 CEST	39694	2022	192.168.2.15	5.230.228.47
Oct 7, 2024 22:45:35.037770033 CEST	39694	2022	192.168.2.15	5.230.228.47
Oct 7, 2024 22:45:35.046998024 CEST	2022	39694	5.230.228.47	192.168.2.15
Oct 7, 2024 22:45:36.714616060 CEST	2022	39694	5.230.228.47	192.168.2.15
Oct 7, 2024 22:45:36.715045929 CEST	39694	2022	192.168.2.15	5.230.228.47
Oct 7, 2024 22:45:36.720031023 CEST	2022	39694	5.230.228.47	192.168.2.15
Oct 7, 2024 22:45:37.717205048 CEST	55080	34567	192.168.2.15	5.230.122.80
Oct 7, 2024 22:45:37.722060919 CEST	34567	55080	5.230.122.80	192.168.2.15
Oct 7, 2024 22:45:37.722141981 CEST	55080	34567	192.168.2.15	5.230.122.80
Oct 7, 2024 22:45:37.722218037 CEST	55080	34567	192.168.2.15	5.230.122.80
Oct 7, 2024 22:45:37.727144957 CEST	34567	55080	5.230.122.80	192.168.2.15
Oct 7, 2024 22:45:39.893624067 CEST	34567	55080	5.230.122.80	192.168.2.15
Oct 7, 2024 22:45:39.893970013 CEST	55080	34567	192.168.2.15	5.230.122.80
Oct 7, 2024 22:45:39.899157047 CEST	34567	55080	5.230.122.80	192.168.2.15
Oct 7, 2024 22:45:41.896759033 CEST	56310	22022	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:41.903009892 CEST	22022	56310	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:41.903090954 CEST	56310	22022	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:41.903155088 CEST	56310	22022	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:41.908184052 CEST	22022	56310	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:43.779917002 CEST	22022	56310	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:43.780607939 CEST	56310	22022	192.168.2.15	5.230.171.8
Oct 7, 2024 22:45:43.788393974 CEST	22022	56310	5.230.171.8	192.168.2.15
Oct 7, 2024 22:45:46.782798052 CEST	60228	27014	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:46.787926912 CEST	27014	60228	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:46.788002014 CEST	60228	27014	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:46.788090944 CEST	60228	27014	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:46.792999029 CEST	27014	60228	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:48.601628065 CEST	27014	60228	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:48.601957083 CEST	60228	27014	192.168.2.15	185.248.144.209
Oct 7, 2024 22:45:48.607090950 CEST	27014	60228	185.248.144.209	192.168.2.15
Oct 7, 2024 22:45:50.603199005 CEST	43676	10001	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:50.608184099 CEST	10001	43676	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:50.608246088 CEST	43676	10001	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:50.608268976 CEST	43676	10001	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:50.613221884 CEST	10001	43676	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:52.600181103 CEST	10001	43676	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:52.600425005 CEST	43676	10001	192.168.2.15	194.156.98.15
Oct 7, 2024 22:45:52.605659008 CEST	10001	43676	194.156.98.15	192.168.2.15
Oct 7, 2024 22:45:55.602165937 CEST	50404	2022	192.168.2.15	5.230.228.46
Oct 7, 2024 22:45:55.607817888 CEST	2022	50404	5.230.228.46	192.168.2.15
Oct 7, 2024 22:45:55.607912064 CEST	50404	2022	192.168.2.15	5.230.228.46
Oct 7, 2024 22:45:55.607981920 CEST	50404	2022	192.168.2.15	5.230.228.46
Oct 7, 2024 22:45:55.612915039 CEST	2022	50404	5.230.228.46	192.168.2.15
Oct 7, 2024 22:45:57.298851967 CEST	2022	50404	5.230.228.46	192.168.2.15
Oct 7, 2024 22:45:57.299170971 CEST	50404	2022	192.168.2.15	5.230.228.46
Oct 7, 2024 22:45:57.304086924 CEST	2022	50404	5.230.228.46	192.168.2.15
Oct 7, 2024 22:45:59.301059008 CEST	60072	3389	192.168.2.15	5.230.122.82
Oct 7, 2024 22:45:59.306245089 CEST	3389	60072	5.230.122.82	192.168.2.15
Oct 7, 2024 22:45:59.306339979 CEST	60072	3389	192.168.2.15	5.230.122.82
Oct 7, 2024 22:45:59.306410074 CEST	60072	3389	192.168.2.15	5.230.122.82
Oct 7, 2024 22:45:59.311357021 CEST	3389	60072	5.230.122.82	192.168.2.15
Oct 7, 2024 22:46:01.474301100 CEST	3389	60072	5.230.122.82	192.168.2.15
Oct 7, 2024 22:46:01.474801064 CEST	60072	3389	192.168.2.15	5.230.122.82
Oct 7, 2024 22:46:01.479921103 CEST	3389	60072	5.230.122.82	192.168.2.15
Oct 7, 2024 22:46:04.476174116 CEST	34888	2222	192.168.2.15	5.230.228.44
Oct 7, 2024 22:46:04.481296062 CEST	2222	34888	5.230.228.44	192.168.2.15
Oct 7, 2024 22:46:04.481429100 CEST	34888	2222	192.168.2.15	5.230.228.44
Oct 7, 2024 22:46:04.481512070 CEST	34888	2222	192.168.2.15	5.230.228.44
Oct 7, 2024 22:46:04.486762047 CEST	2222	34888	5.230.228.44	192.168.2.15
Oct 7, 2024 22:46:14.491472960 CEST	34888	2222	192.168.2.15	5.230.228.44
Oct 7, 2024 22:46:14.496908903 CEST	2222	34888	5.230.228.44	192.168.2.15
Oct 7, 2024 22:46:14.496978045 CEST	34888	2222	192.168.2.15	5.230.228.44
Oct 7, 2024 22:46:15.494837046 CEST	33758	993	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:15.499943972 CEST	993	33758	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:15.500050068 CEST	33758	993	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:15.500103951 CEST	33758	993	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:15.505861998 CEST	993	33758	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:17.189742088 CEST	993	33758	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:17.190145969 CEST	33758	993	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:17.195076942 CEST	993	33758	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:19.193985939 CEST	48688	9001	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:19.199255943 CEST	9001	48688	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:19.199320078 CEST	48688	9001	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:19.199374914 CEST	48688	9001	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:19.204322100 CEST	9001	48688	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:20.871710062 CEST	9001	48688	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:20.871941090 CEST	48688	9001	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:20.872077942 CEST	48688	9001	192.168.2.15	5.230.228.62
Oct 7, 2024 22:46:20.876972914 CEST	9001	48688	5.230.228.62	192.168.2.15
Oct 7, 2024 22:46:22.874669075 CEST	37800	27014	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:22.879882097 CEST	27014	37800	94.131.118.154	192.168.2.15
Oct 7, 2024 22:46:22.879968882 CEST	37800	27014	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:22.880031109 CEST	37800	27014	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:22.885389090 CEST	27014	37800	94.131.118.154	192.168.2.15
Oct 7, 2024 22:46:32.889940977 CEST	37800	27014	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:32.896892071 CEST	27014	37800	94.131.118.154	192.168.2.15
Oct 7, 2024 22:46:32.896960974 CEST	37800	27014	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:33.891735077 CEST	52656	3389	192.168.2.15	5.230.122.80
Oct 7, 2024 22:46:33.896961927 CEST	3389	52656	5.230.122.80	192.168.2.15
Oct 7, 2024 22:46:33.897144079 CEST	52656	3389	192.168.2.15	5.230.122.80
Oct 7, 2024 22:46:33.897172928 CEST	52656	3389	192.168.2.15	5.230.122.80
Oct 7, 2024 22:46:33.903338909 CEST	3389	52656	5.230.122.80	192.168.2.15
Oct 7, 2024 22:46:36.080957890 CEST	3389	52656	5.230.122.80	192.168.2.15
Oct 7, 2024 22:46:36.081717968 CEST	52656	3389	192.168.2.15	5.230.122.80
Oct 7, 2024 22:46:36.086596012 CEST	3389	52656	5.230.122.80	192.168.2.15
Oct 7, 2024 22:46:37.084598064 CEST	41856	19153	192.168.2.15	5.230.228.42
Oct 7, 2024 22:46:37.089818001 CEST	19153	41856	5.230.228.42	192.168.2.15
Oct 7, 2024 22:46:37.089987040 CEST	41856	19153	192.168.2.15	5.230.228.42
Oct 7, 2024 22:46:37.090032101 CEST	41856	19153	192.168.2.15	5.230.228.42
Oct 7, 2024 22:46:37.094995975 CEST	19153	41856	5.230.228.42	192.168.2.15
Oct 7, 2024 22:46:47.099941969 CEST	41856	19153	192.168.2.15	5.230.228.42
Oct 7, 2024 22:46:47.109190941 CEST	19153	41856	5.230.228.42	192.168.2.15
Oct 7, 2024 22:46:47.109281063 CEST	41856	19153	192.168.2.15	5.230.228.42
Oct 7, 2024 22:46:50.101708889 CEST	40044	35000	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:50.109599113 CEST	35000	40044	94.131.118.154	192.168.2.15
Oct 7, 2024 22:46:50.109674931 CEST	40044	35000	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:50.109697104 CEST	40044	35000	192.168.2.15	94.131.118.154
Oct 7, 2024 22:46:50.114567041 CEST	35000	40044	94.131.118.154	192.168.2.15
Oct 7, 2024 22:47:00.119574070 CEST	40044	35000	192.168.2.15	94.131.118.154
Oct 7, 2024 22:47:00.125353098 CEST	35000	40044	94.131.118.154	192.168.2.15
Oct 7, 2024 22:47:00.125423908 CEST	40044	35000	192.168.2.15	94.131.118.154
Oct 7, 2024 22:47:01.125874996 CEST	58822	7777	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:01.130959988 CEST	7777	58822	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:01.131042957 CEST	58822	7777	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:01.131093025 CEST	58822	7777	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:01.136037111 CEST	7777	58822	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:02.849390984 CEST	7777	58822	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:02.849769115 CEST	58822	7777	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:02.854784012 CEST	7777	58822	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:03.852173090 CEST	50728	9000	192.168.2.15	5.230.118.247
Oct 7, 2024 22:47:03.857291937 CEST	9000	50728	5.230.118.247	192.168.2.15
Oct 7, 2024 22:47:03.857423067 CEST	50728	9000	192.168.2.15	5.230.118.247
Oct 7, 2024 22:47:03.857484102 CEST	50728	9000	192.168.2.15	5.230.118.247
Oct 7, 2024 22:47:03.862431049 CEST	9000	50728	5.230.118.247	192.168.2.15
Oct 7, 2024 22:47:05.709356070 CEST	9000	50728	5.230.118.247	192.168.2.15
Oct 7, 2024 22:47:05.709680080 CEST	50728	9000	192.168.2.15	5.230.118.247
Oct 7, 2024 22:47:05.714895010 CEST	9000	50728	5.230.118.247	192.168.2.15
Oct 7, 2024 22:47:08.711426020 CEST	60874	443	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:08.711487055 CEST	443	60874	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:08.711541891 CEST	60874	443	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:08.711891890 CEST	60874	443	192.168.2.15	5.230.228.46
Oct 7, 2024 22:47:08.711918116 CEST	443	60874	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:08.711973906 CEST	443	60874	5.230.228.46	192.168.2.15
Oct 7, 2024 22:47:10.715348959 CEST	53626	7000	192.168.2.15	5.230.122.80
Oct 7, 2024 22:47:10.720458984 CEST	7000	53626	5.230.122.80	192.168.2.15
Oct 7, 2024 22:47:10.720742941 CEST	53626	7000	192.168.2.15	5.230.122.80
Oct 7, 2024 22:47:10.720779896 CEST	53626	7000	192.168.2.15	5.230.122.80
Oct 7, 2024 22:47:10.725609064 CEST	7000	53626	5.230.122.80	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:45:06.464057922 CEST	55741	3478	192.168.2.15	172.217.192.127
Oct 7, 2024 22:45:07.022897959 CEST	3478	55741	172.217.192.127	192.168.2.15
Oct 7, 2024 22:45:07.109447956 CEST	57766	53	192.168.2.15	217.160.70.42
Oct 7, 2024 22:45:07.136672020 CEST	53	57766	217.160.70.42	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:45:07.109447956 CEST	192.168.2.15	217.160.70.42	0x161c	Standard query (0)	iranistrash.libre	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:45:07.136672020 CEST	217.160.70.42	192.168.2.15	0x161c	No error (0)	iranistrash.libre			TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5605, Parent PID: 3678

General

Start time (UTC):	20:44:51
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5605, Parent PID: 3678

General

Start time (UTC):	20:44:51
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5606, Parent PID: 3678

General

Start time (UTC):	20:44:51
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5606, Parent PID: 3678

General

Start time (UTC):	20:44:51
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf PID: 5624, Parent PID: 5537

General

Start time (UTC):	20:45:01
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Arguments:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf PID: 5628, Parent PID: 5624

General

Start time (UTC):	20:45:05
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf PID: 5630, Parent PID: 5628

General

Start time (UTC):	20:45:05
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Cloud Service: Cloud Service Enumeration, Command: Command Execution, Network Traffic: Network Traffic Flow
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5605, Parent PID: 3678

General

Chronological Activities

Analysis Process: rm PID: 5605, Parent PID: 3678

General

Chronological Activities

Analysis Process: dash PID: 5606, Parent PID: 3678

General

Chronological Activities

Analysis Process: rm PID: 5606, Parent PID: 3678

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf PID: 5624, Parent PID: 5537

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf PID: 5628, Parent PID: 5624

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf PID: 5630, Parent PID: 5628

General

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf