Edit tour

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
Analysis ID:	1528447
MD5:	468e241a4d92c7b0acf08e22aeade191
SHA1:	aeba3559c418dd927296b60b0d7664d9454f3602
SHA256:	da30d60ce393511207a46b67b9af039d25cd78311b958d8745df937cbacb6328
Tags:	elf
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528447
Start date and time:	2024-10-07 22:48:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
Detection:	MAL
Classification:	mal56.troj.spyw.evad.linELF@0/0@1/0

Warnings

VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
PID:	6254
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware update in progress
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6242, Parent: 4333)

rm (PID: 6242, Parent: 4333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Duf7dMRnM8 /tmp/tmp.Pp0WR8WFhI /tmp/tmp.W7DJxaUg61

dash New Fork (PID: 6243, Parent: 4333)

rm (PID: 6243, Parent: 4333, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Duf7dMRnM8 /tmp/tmp.Pp0WR8WFhI /tmp/tmp.W7DJxaUg61

SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6254, Parent: 6176, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf

SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf New Fork (PID: 6256, Parent: 6254)

SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf New Fork (PID: 6260, Parent: 6256)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.122.81 ports 5222,5223,2,3544,2222,3724
Source: global traffic	TCP traffic: 5.230.228.46 ports 25565,2,993,5,6,27050
Source: global traffic	TCP traffic: 5.230.228.23 ports 2022,0,2,5,7,27050
Source: global traffic	TCP traffic: 5.230.229.84 ports 18004,2022,3074,0,1,4,5,7777,10554

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6256)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6256)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6256)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6256)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:36296 -> 5.230.229.84:10554
Source: global traffic	TCP traffic: 192.168.2.23:47532 -> 5.230.228.46:25565
Source: global traffic	TCP traffic: 192.168.2.23:36256 -> 5.230.228.23:27050
Source: global traffic	TCP traffic: 192.168.2.23:55324 -> 94.131.118.154:7777
Source: global traffic	TCP traffic: 192.168.2.23:58124 -> 5.230.228.62:37777
Source: global traffic	TCP traffic: 192.168.2.23:57602 -> 5.230.122.81:2222
Source: global traffic	TCP traffic: 192.168.2.23:45770 -> 5.230.171.9:3544
Source: global traffic	TCP traffic: 192.168.2.23:40398 -> 5.230.118.247:7000
Source: global traffic	TCP traffic: 192.168.2.23:45116 -> 5.230.171.8:5222
Source: global traffic	TCP traffic: 192.168.2.23:34586 -> 5.230.228.44:18004
Source: global traffic	TCP traffic: 192.168.2.23:51920 -> 5.230.122.82:6666
Source: global traffic	TCP traffic: 192.168.2.23:48686 -> 5.230.122.80:7000

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55022
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.spyw.evad.linELF@0/0@1/0

Source: /usr/bin/dash (PID: 6242)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Duf7dMRnM8 /tmp/tmp.Pp0WR8WFhI /tmp/tmp.W7DJxaUg61			Jump to behavior
Source: /usr/bin/dash (PID: 6243)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Duf7dMRnM8 /tmp/tmp.Pp0WR8WFhI /tmp/tmp.W7DJxaUg61			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6254)

File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf

Jump to behavior

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6254)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf (PID: 6256)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf, 6254.1.0000558cdaac3000.0000558cdab4a000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf, 6254.1.00007ffe92dbc000.00007ffe92ddd000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
Source: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf, 6254.1.0000558cdaac3000.0000558cdab4a000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf, 6254.1.00007ffe92dbc000.00007ffe92ddd000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	5%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iranistrash.libre	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.81	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.122.82	unknown	Germany	12586	ASGHOSTNETDE	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	false
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.46	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.23	unknown	Germany	12586	ASGHOSTNETDE	true
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	false
5.230.228.44	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.229.84	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.62	unknown	Germany	12586	ASGHOSTNETDE	false
194.156.98.15	unknown	Russian Federation	135330	ADCDATACOM-AS-APADCDATACOMHK	false
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.230.171.9	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
5.230.171.8	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
5.230.171.8	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
5.230.122.81	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.122.82	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
5.230.122.80	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
5.230.228.46	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
	RzsCe9RTg9.exe	Get hash	malicious	RedLine	Browse	77.90.44.31

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.378383995629161
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
File size:	92'348 bytes
MD5:	468e241a4d92c7b0acf08e22aeade191
SHA1:	aeba3559c418dd927296b60b0d7664d9454f3602
SHA256:	da30d60ce393511207a46b67b9af039d25cd78311b958d8745df937cbacb6328
SHA512:	159105fab294c200a7a438dff1e0da6d65ea1bf232c3720bb626c7d50f3e50cdbd35df9b15a591a12d9481444103009a18c9ff84fb6aca17db59a25ea384533a
SSDEEP:	1536:GQkItelRcqhALNMaXes2Trdz5JHetZZsFqI6x/zgCsDX:GQrScqGMaXeDdzPLX
TLSH:	8393E70ABF510FB7E86FCD3749E91B05258D591A22F93F367A34E918F64B60B09D3860
File Content Preview:	.ELF....................`.@.4....f......4. ...(...............@...@.pV..pV...............`...`E..`E......*..........Q.td...............................<,..'!......'.......................<...'!... .........9'.. ........................<...'!............N9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	91868
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x14d50	0x0	0x6	AX	16
.fini	PROGBITS	0x414e70	0x14e70	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x414ed0	0x14ed0	0x7a0	0x0	0x2	A	16
.ctors	PROGBITS	0x456000	0x16000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x456008	0x16008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x456020	0x16020	0x1a8	0x0	0x3	WA	16
.got	PROGBITS	0x4561d0	0x161d0	0x4c0	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x456690	0x16690	0x8	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4566a0	0x16690	0x2454	0x0	0x3	WA	16
.shstrtab	STRTAB	0x0	0x16690	0x49	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x15670	0x15670	5.4967	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x16000	0x456000	0x456000	0x690	0x2af4	3.4604	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:49:06.261842966 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 7, 2024 22:49:06.704886913 CEST	36296	10554	192.168.2.23	5.230.229.84
Oct 7, 2024 22:49:06.710179090 CEST	10554	36296	5.230.229.84	192.168.2.23
Oct 7, 2024 22:49:06.711055040 CEST	36296	10554	192.168.2.23	5.230.229.84
Oct 7, 2024 22:49:06.711431980 CEST	36296	10554	192.168.2.23	5.230.229.84
Oct 7, 2024 22:49:06.716336012 CEST	10554	36296	5.230.229.84	192.168.2.23
Oct 7, 2024 22:49:07.029591084 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 7, 2024 22:49:08.884092093 CEST	10554	36296	5.230.229.84	192.168.2.23
Oct 7, 2024 22:49:08.884819984 CEST	36296	10554	192.168.2.23	5.230.229.84
Oct 7, 2024 22:49:08.889760017 CEST	10554	36296	5.230.229.84	192.168.2.23
Oct 7, 2024 22:49:11.887531996 CEST	47532	25565	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:11.892858028 CEST	25565	47532	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:11.892924070 CEST	47532	25565	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:11.892950058 CEST	47532	25565	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:11.898044109 CEST	25565	47532	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:13.600163937 CEST	25565	47532	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:13.600409985 CEST	47532	25565	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:13.600610971 CEST	47532	25565	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:13.606276989 CEST	25565	47532	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:16.602307081 CEST	36256	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:49:16.719018936 CEST	27050	36256	5.230.228.23	192.168.2.23
Oct 7, 2024 22:49:16.719181061 CEST	36256	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:49:16.719485044 CEST	36256	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:49:16.724842072 CEST	27050	36256	5.230.228.23	192.168.2.23
Oct 7, 2024 22:49:21.363765955 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 7, 2024 22:49:26.728512049 CEST	36256	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:49:26.734358072 CEST	27050	36256	5.230.228.23	192.168.2.23
Oct 7, 2024 22:49:26.734472036 CEST	36256	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:49:28.730963945 CEST	55324	7777	192.168.2.23	94.131.118.154
Oct 7, 2024 22:49:28.735985041 CEST	7777	55324	94.131.118.154	192.168.2.23
Oct 7, 2024 22:49:28.736145973 CEST	55324	7777	192.168.2.23	94.131.118.154
Oct 7, 2024 22:49:28.736177921 CEST	55324	7777	192.168.2.23	94.131.118.154
Oct 7, 2024 22:49:28.741106033 CEST	7777	55324	94.131.118.154	192.168.2.23
Oct 7, 2024 22:49:33.649719954 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 7, 2024 22:49:37.745286942 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 7, 2024 22:49:38.744982958 CEST	55324	7777	192.168.2.23	94.131.118.154
Oct 7, 2024 22:49:38.757812023 CEST	7777	55324	94.131.118.154	192.168.2.23
Oct 7, 2024 22:49:38.757908106 CEST	55324	7777	192.168.2.23	94.131.118.154
Oct 7, 2024 22:49:40.747037888 CEST	58124	37777	192.168.2.23	5.230.228.62
Oct 7, 2024 22:49:40.753706932 CEST	37777	58124	5.230.228.62	192.168.2.23
Oct 7, 2024 22:49:40.753909111 CEST	58124	37777	192.168.2.23	5.230.228.62
Oct 7, 2024 22:49:40.753967047 CEST	58124	37777	192.168.2.23	5.230.228.62
Oct 7, 2024 22:49:40.761066914 CEST	37777	58124	5.230.228.62	192.168.2.23
Oct 7, 2024 22:49:42.444086075 CEST	37777	58124	5.230.228.62	192.168.2.23
Oct 7, 2024 22:49:42.444472075 CEST	58124	37777	192.168.2.23	5.230.228.62
Oct 7, 2024 22:49:42.449758053 CEST	37777	58124	5.230.228.62	192.168.2.23
Oct 7, 2024 22:49:43.446585894 CEST	37006	993	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:43.452022076 CEST	993	37006	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:43.452114105 CEST	37006	993	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:43.452147961 CEST	37006	993	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:43.457041979 CEST	993	37006	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:45.132492065 CEST	993	37006	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:45.133265972 CEST	37006	993	192.168.2.23	5.230.228.46
Oct 7, 2024 22:49:45.138480902 CEST	993	37006	5.230.228.46	192.168.2.23
Oct 7, 2024 22:49:48.134849072 CEST	57602	2222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:48.140105963 CEST	2222	57602	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:48.140233040 CEST	57602	2222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:48.140290976 CEST	57602	2222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:48.145313978 CEST	2222	57602	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:50.284581900 CEST	2222	57602	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:50.284861088 CEST	57602	2222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:50.289915085 CEST	2222	57602	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:51.286698103 CEST	46178	3544	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:51.292202950 CEST	3544	46178	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:51.292268038 CEST	46178	3544	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:51.292295933 CEST	46178	3544	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:51.297276974 CEST	3544	46178	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:53.459602118 CEST	3544	46178	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:53.460220098 CEST	46178	3544	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:53.465174913 CEST	3544	46178	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:56.462260962 CEST	53484	5222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:56.467355013 CEST	5222	53484	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:56.467521906 CEST	53484	5222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:56.467554092 CEST	53484	5222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:56.472590923 CEST	5222	53484	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:58.648612022 CEST	5222	53484	5.230.122.81	192.168.2.23
Oct 7, 2024 22:49:58.649159908 CEST	53484	5222	192.168.2.23	5.230.122.81
Oct 7, 2024 22:49:58.654361963 CEST	5222	53484	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:00.651223898 CEST	58034	22022	192.168.2.23	94.131.118.154
Oct 7, 2024 22:50:00.656810999 CEST	22022	58034	94.131.118.154	192.168.2.23
Oct 7, 2024 22:50:00.656893015 CEST	58034	22022	192.168.2.23	94.131.118.154
Oct 7, 2024 22:50:00.656923056 CEST	58034	22022	192.168.2.23	94.131.118.154
Oct 7, 2024 22:50:00.662111998 CEST	22022	58034	94.131.118.154	192.168.2.23
Oct 7, 2024 22:50:02.310523987 CEST	22022	58034	94.131.118.154	192.168.2.23
Oct 7, 2024 22:50:02.311175108 CEST	58034	22022	192.168.2.23	94.131.118.154
Oct 7, 2024 22:50:02.316550970 CEST	22022	58034	94.131.118.154	192.168.2.23
Oct 7, 2024 22:50:02.317750931 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 7, 2024 22:50:03.313986063 CEST	49768	5223	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:03.319556952 CEST	5223	49768	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:03.319672108 CEST	49768	5223	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:03.319746971 CEST	49768	5223	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:03.324660063 CEST	5223	49768	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:05.508771896 CEST	5223	49768	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:05.509000063 CEST	49768	5223	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:05.514039040 CEST	5223	49768	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:06.519257069 CEST	55022	443	192.168.2.23	194.156.98.15
Oct 7, 2024 22:50:06.519304037 CEST	443	55022	194.156.98.15	192.168.2.23
Oct 7, 2024 22:50:06.519403934 CEST	55022	443	192.168.2.23	194.156.98.15
Oct 7, 2024 22:50:06.523256063 CEST	55022	443	192.168.2.23	194.156.98.15
Oct 7, 2024 22:50:06.523286104 CEST	443	55022	194.156.98.15	192.168.2.23
Oct 7, 2024 22:50:06.523458958 CEST	443	55022	194.156.98.15	192.168.2.23
Oct 7, 2024 22:50:08.529957056 CEST	45770	3544	192.168.2.23	5.230.171.9
Oct 7, 2024 22:50:08.538604975 CEST	3544	45770	5.230.171.9	192.168.2.23
Oct 7, 2024 22:50:08.539382935 CEST	45770	3544	192.168.2.23	5.230.171.9
Oct 7, 2024 22:50:08.539383888 CEST	45770	3544	192.168.2.23	5.230.171.9
Oct 7, 2024 22:50:08.545125961 CEST	3544	45770	5.230.171.9	192.168.2.23
Oct 7, 2024 22:50:10.404669046 CEST	3544	45770	5.230.171.9	192.168.2.23
Oct 7, 2024 22:50:10.405133009 CEST	45770	3544	192.168.2.23	5.230.171.9
Oct 7, 2024 22:50:10.410104990 CEST	3544	45770	5.230.171.9	192.168.2.23
Oct 7, 2024 22:50:12.407411098 CEST	40398	7000	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:12.412357092 CEST	7000	40398	5.230.118.247	192.168.2.23
Oct 7, 2024 22:50:12.412456989 CEST	40398	7000	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:12.412498951 CEST	40398	7000	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:12.417346954 CEST	7000	40398	5.230.118.247	192.168.2.23
Oct 7, 2024 22:50:14.284553051 CEST	7000	40398	5.230.118.247	192.168.2.23
Oct 7, 2024 22:50:14.285406113 CEST	40398	7000	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:14.290371895 CEST	7000	40398	5.230.118.247	192.168.2.23
Oct 7, 2024 22:50:17.287102938 CEST	50882	27050	192.168.2.23	5.230.228.46
Oct 7, 2024 22:50:17.292376041 CEST	27050	50882	5.230.228.46	192.168.2.23
Oct 7, 2024 22:50:17.292465925 CEST	50882	27050	192.168.2.23	5.230.228.46
Oct 7, 2024 22:50:17.292505026 CEST	50882	27050	192.168.2.23	5.230.228.46
Oct 7, 2024 22:50:17.297486067 CEST	27050	50882	5.230.228.46	192.168.2.23
Oct 7, 2024 22:50:19.466674089 CEST	27050	50882	5.230.228.46	192.168.2.23
Oct 7, 2024 22:50:19.466739893 CEST	27050	50882	5.230.228.46	192.168.2.23
Oct 7, 2024 22:50:19.466952085 CEST	27050	50882	5.230.228.46	192.168.2.23
Oct 7, 2024 22:50:19.467029095 CEST	50882	27050	192.168.2.23	5.230.228.46
Oct 7, 2024 22:50:19.467164040 CEST	50882	27050	192.168.2.23	5.230.228.46
Oct 7, 2024 22:50:19.467459917 CEST	50882	27050	192.168.2.23	5.230.228.46
Oct 7, 2024 22:50:19.472965956 CEST	27050	50882	5.230.228.46	192.168.2.23
Oct 7, 2024 22:50:22.471143961 CEST	33662	7777	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:22.527040005 CEST	7777	33662	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:22.527138948 CEST	33662	7777	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:22.527237892 CEST	33662	7777	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:22.532260895 CEST	7777	33662	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:24.670634985 CEST	7777	33662	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:24.671360970 CEST	33662	7777	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:24.676444054 CEST	7777	33662	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:25.674273014 CEST	52592	2022	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:25.798302889 CEST	2022	52592	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:25.798898935 CEST	52592	2022	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:25.798954964 CEST	52592	2022	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:25.803992033 CEST	2022	52592	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:27.445369005 CEST	2022	52592	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:27.446187019 CEST	52592	2022	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:27.451622009 CEST	2022	52592	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:29.449558973 CEST	50248	18004	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:29.455147028 CEST	18004	50248	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:29.455259085 CEST	50248	18004	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:29.455327034 CEST	50248	18004	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:29.460401058 CEST	18004	50248	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:31.616895914 CEST	18004	50248	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:31.617297888 CEST	50248	18004	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:31.622796059 CEST	18004	50248	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:34.619957924 CEST	45116	5222	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:34.625313997 CEST	5222	45116	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:34.625468969 CEST	45116	5222	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:34.625507116 CEST	45116	5222	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:34.630501032 CEST	5222	45116	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:36.482538939 CEST	5222	45116	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:36.483469009 CEST	45116	5222	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:36.488869905 CEST	5222	45116	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:37.486816883 CEST	34586	18004	192.168.2.23	5.230.228.44
Oct 7, 2024 22:50:37.492474079 CEST	18004	34586	5.230.228.44	192.168.2.23
Oct 7, 2024 22:50:37.492630005 CEST	34586	18004	192.168.2.23	5.230.228.44
Oct 7, 2024 22:50:37.492671013 CEST	34586	18004	192.168.2.23	5.230.228.44
Oct 7, 2024 22:50:37.498594046 CEST	18004	34586	5.230.228.44	192.168.2.23
Oct 7, 2024 22:50:39.145024061 CEST	18004	34586	5.230.228.44	192.168.2.23
Oct 7, 2024 22:50:39.145590067 CEST	34586	18004	192.168.2.23	5.230.228.44
Oct 7, 2024 22:50:39.150702000 CEST	18004	34586	5.230.228.44	192.168.2.23
Oct 7, 2024 22:50:40.150214911 CEST	48526	2022	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:40.156073093 CEST	2022	48526	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:40.156287909 CEST	48526	2022	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:40.156451941 CEST	48526	2022	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:40.161581993 CEST	2022	48526	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:42.320728064 CEST	2022	48526	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:42.321639061 CEST	48526	2022	192.168.2.23	5.230.229.84
Oct 7, 2024 22:50:42.328243017 CEST	2022	48526	5.230.229.84	192.168.2.23
Oct 7, 2024 22:50:45.325253963 CEST	45868	3724	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:45.330789089 CEST	3724	45868	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:45.331043005 CEST	45868	3724	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:45.331043005 CEST	45868	3724	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:45.336328983 CEST	3724	45868	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:47.492871046 CEST	3724	45868	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:47.493552923 CEST	45868	3724	192.168.2.23	5.230.122.81
Oct 7, 2024 22:50:47.498527050 CEST	3724	45868	5.230.122.81	192.168.2.23
Oct 7, 2024 22:50:48.496042967 CEST	51920	6666	192.168.2.23	5.230.122.82
Oct 7, 2024 22:50:48.501781940 CEST	6666	51920	5.230.122.82	192.168.2.23
Oct 7, 2024 22:50:48.501913071 CEST	51920	6666	192.168.2.23	5.230.122.82
Oct 7, 2024 22:50:48.501982927 CEST	51920	6666	192.168.2.23	5.230.122.82
Oct 7, 2024 22:50:48.507282019 CEST	6666	51920	5.230.122.82	192.168.2.23
Oct 7, 2024 22:50:50.662873983 CEST	6666	51920	5.230.122.82	192.168.2.23
Oct 7, 2024 22:50:50.663311005 CEST	51920	6666	192.168.2.23	5.230.122.82
Oct 7, 2024 22:50:50.663737059 CEST	51920	6666	192.168.2.23	5.230.122.82
Oct 7, 2024 22:50:50.668709993 CEST	6666	51920	5.230.122.82	192.168.2.23
Oct 7, 2024 22:50:52.666496038 CEST	59654	2022	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:52.671916962 CEST	2022	59654	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:52.672024012 CEST	59654	2022	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:52.672094107 CEST	59654	2022	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:52.677269936 CEST	2022	59654	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:54.552208900 CEST	2022	59654	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:54.552800894 CEST	59654	2022	192.168.2.23	5.230.171.8
Oct 7, 2024 22:50:54.557692051 CEST	2022	59654	5.230.171.8	192.168.2.23
Oct 7, 2024 22:50:55.555941105 CEST	36300	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:55.561176062 CEST	27050	36300	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:55.561291933 CEST	36300	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:55.561347961 CEST	36300	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:55.566214085 CEST	27050	36300	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:57.191555977 CEST	27050	36300	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:57.192413092 CEST	36300	27050	192.168.2.23	5.230.228.23
Oct 7, 2024 22:50:57.197536945 CEST	27050	36300	5.230.228.23	192.168.2.23
Oct 7, 2024 22:50:58.194875956 CEST	37806	34567	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:58.466016054 CEST	34567	37806	5.230.118.247	192.168.2.23
Oct 7, 2024 22:50:58.466147900 CEST	37806	34567	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:58.466377974 CEST	37806	34567	192.168.2.23	5.230.118.247
Oct 7, 2024 22:50:58.472774029 CEST	34567	37806	5.230.118.247	192.168.2.23
Oct 7, 2024 22:51:00.306171894 CEST	34567	37806	5.230.118.247	192.168.2.23
Oct 7, 2024 22:51:00.306984901 CEST	37806	34567	192.168.2.23	5.230.118.247
Oct 7, 2024 22:51:00.312649012 CEST	34567	37806	5.230.118.247	192.168.2.23
Oct 7, 2024 22:51:02.309097052 CEST	54752	3074	192.168.2.23	5.230.229.84
Oct 7, 2024 22:51:02.314279079 CEST	3074	54752	5.230.229.84	192.168.2.23
Oct 7, 2024 22:51:02.314388990 CEST	54752	3074	192.168.2.23	5.230.229.84
Oct 7, 2024 22:51:02.314459085 CEST	54752	3074	192.168.2.23	5.230.229.84
Oct 7, 2024 22:51:02.319581985 CEST	3074	54752	5.230.229.84	192.168.2.23
Oct 7, 2024 22:51:04.476382971 CEST	3074	54752	5.230.229.84	192.168.2.23
Oct 7, 2024 22:51:04.476686954 CEST	54752	3074	192.168.2.23	5.230.229.84
Oct 7, 2024 22:51:04.481877089 CEST	3074	54752	5.230.229.84	192.168.2.23
Oct 7, 2024 22:51:05.478419065 CEST	48686	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:51:06.235168934 CEST	7000	48686	5.230.122.80	192.168.2.23
Oct 7, 2024 22:51:06.235373020 CEST	48686	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:51:06.235476971 CEST	48686	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:51:06.241074085 CEST	7000	48686	5.230.122.80	192.168.2.23
Oct 7, 2024 22:51:08.444658995 CEST	7000	48686	5.230.122.80	192.168.2.23
Oct 7, 2024 22:51:08.445375919 CEST	48686	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:51:08.451061010 CEST	7000	48686	5.230.122.80	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:49:06.117692947 CEST	57154	3478	192.168.2.23	172.217.192.127
Oct 7, 2024 22:49:06.666106939 CEST	3478	57154	172.217.192.127	192.168.2.23
Oct 7, 2024 22:49:06.675726891 CEST	59942	53	192.168.2.23	217.160.70.42
Oct 7, 2024 22:49:06.702955008 CEST	53	59942	217.160.70.42	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:49:06.675726891 CEST	192.168.2.23	217.160.70.42	0x5b86	Standard query (0)	iranistrash.libre	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:49:06.702955008 CEST	217.160.70.42	192.168.2.23	0x5b86	No error (0)	iranistrash.libre			TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 6242, Parent PID: 4333

General

Start time (UTC):	20:48:54
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6242, Parent PID: 4333

General

Start time (UTC):	20:48:54
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.Duf7dMRnM8 /tmp/tmp.Pp0WR8WFhI /tmp/tmp.W7DJxaUg61
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6243, Parent PID: 4333

General

Start time (UTC):	20:48:54
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6243, Parent PID: 4333

General

Start time (UTC):	20:48:54
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.Duf7dMRnM8 /tmp/tmp.Pp0WR8WFhI /tmp/tmp.W7DJxaUg61
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf PID: 6254, Parent PID: 6176

General

Start time (UTC):	20:49:02
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
Arguments:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf PID: 6256, Parent PID: 6254

General

Start time (UTC):	20:49:04
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf PID: 6260, Parent PID: 6256

General

Start time (UTC):	20:49:05
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 6242, Parent PID: 4333

General

Chronological Activities

Analysis Process: rm PID: 6242, Parent PID: 4333

General

Chronological Activities

Analysis Process: dash PID: 6243, Parent PID: 4333

General

Chronological Activities

Analysis Process: rm PID: 6243, Parent PID: 4333

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf PID: 6254, Parent PID: 6176

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf PID: 6256, Parent PID: 6254

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf PID: 6260, Parent PID: 6256

General

Chronological Activities

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf