Edit tour

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
Analysis ID:	1528448
MD5:	8b9271e97511d016923b7b5cda550be4
SHA1:	2c6311e0011326299798f5c4db044694e5cc55b9
SHA256:	82f6378b7d0a0849566db8a5e28462ff623952666bfb1eb507937cc5f41edcc4
Tags:	elf
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Sample scans a subnet

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528448
Start date and time:	2024-10-07 22:49:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
Detection:	MAL
Classification:	mal68.spre.troj.spyw.evad.linELF@0/0@1/0

Warnings

VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
PID:	5433
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware update in progress
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5420, Parent: 3584)

rm (PID: 5420, Parent: 3584, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz

dash New Fork (PID: 5421, Parent: 3584)

rm (PID: 5421, Parent: 3584, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz

SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5433, Parent: 5355, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf New Fork (PID: 5435, Parent: 5433)

SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf New Fork (PID: 5439, Parent: 5435)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

ReversingLabs: Detection: 18%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.171.8 ports 6036,0,1,2,4,27014,995,7,2222
Source: global traffic	TCP traffic: 5.230.122.82 ports 0,1,2,5,27015,7
Source: global traffic	TCP traffic: 5.230.228.62 ports 7000,25565,2022,0,7,6666
Source: global traffic	TCP traffic: 5.230.229.84 ports 7000,22022,19153,1,3,5,9

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435)	Opens: /sys/class/net/lo/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Sample scans a subnet

Source: ip traffic

Subnet 5.230.228.0/24: 5.230.228.47, 5.230.228.42, 5.230.228.23, 5.230.228.45, 5.230.228.44, 5.230.228.62

Source: global traffic	TCP traffic: 192.168.2.13:39220 -> 5.230.228.62:7000
Source: global traffic	TCP traffic: 192.168.2.13:33802 -> 5.230.171.9:2222
Source: global traffic	TCP traffic: 192.168.2.13:39254 -> 5.230.229.84:19153
Source: global traffic	TCP traffic: 192.168.2.13:41774 -> 5.230.228.23:3389
Source: global traffic	TCP traffic: 192.168.2.13:49070 -> 5.230.122.81:4444
Source: global traffic	TCP traffic: 192.168.2.13:38068 -> 5.230.228.47:7000
Source: global traffic	TCP traffic: 192.168.2.13:43234 -> 5.230.122.82:27015
Source: global traffic	TCP traffic: 192.168.2.13:37380 -> 5.230.228.44:10001
Source: global traffic	TCP traffic: 192.168.2.13:49598 -> 5.230.228.42:3544
Source: global traffic	TCP traffic: 192.168.2.13:50856 -> 5.230.228.45:995
Source: global traffic	TCP traffic: 192.168.2.13:35088 -> 5.230.118.247:2022
Source: global traffic	TCP traffic: 192.168.2.13:58884 -> 185.248.144.209:5222
Source: global traffic	TCP traffic: 192.168.2.13:53086 -> 5.230.171.8:27014
Source: global traffic	TCP traffic: 192.168.2.13:43070 -> 5.230.122.80:6036
Source: global traffic	TCP traffic: 192.168.2.13:50858 -> 5.230.229.83:3074
Source: global traffic	TCP traffic: 192.168.2.13:58134 -> 94.131.118.154:27050

Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal68.spre.troj.spyw.evad.linELF@0/0@1/0

Source: /usr/bin/dash (PID: 5420)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz			Jump to behavior
Source: /usr/bin/dash (PID: 5421)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5433)

File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

Jump to behavior

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5433)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00005639e3c60000.00005639e3dae000.rw-.sdmp	Binary or memory string: 9V!/etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00005639e3c60000.00005639e3dae000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00007ffc2a66d000.00007ffc2a68e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00007ffc2a66d000.00007ffc2a68e000.rw-.sdmp	Binary or memory string: #x86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Network Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	18%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iranistrash.libre	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.122.81	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.82	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.228.47	unknown	Germany	12586	ASGHOSTNETDE	true
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.42	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.23	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.45	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.44	unknown	Germany	12586	ASGHOSTNETDE	true
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	false
185.248.144.209	unknown	France	31531	POINT-ASUA	false
5.230.229.83	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.228.62	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.229.84	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.230.228.42	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
5.230.171.9	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
5.230.171.8	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
5.230.122.81	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.122.82	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
5.230.122.82	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
5.230.122.80	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
5.230.228.47	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.096786456678482
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
File size:	75'904 bytes
MD5:	8b9271e97511d016923b7b5cda550be4
SHA1:	2c6311e0011326299798f5c4db044694e5cc55b9
SHA256:	82f6378b7d0a0849566db8a5e28462ff623952666bfb1eb507937cc5f41edcc4
SHA512:	c66793718a3bece516d717f6d60feb639bfb6991488edf2782f07767a3a607b0d0688faa974eba2177af9984caba5c9b17c657bc235c0a390ad2d26cba7f84a3
SSDEEP:	1536:/enyiRoUIJE/Xf2EcysmdKIknb9Q95pPT1PdMrjPZmbPMDimyjRYI1u:gAE/Ot/R3xIddAr5yjRYI1u
TLSH:	F3732A5A7D818B21C8D5227AFA1E11CD332357B8E3DF72229D105F2877CA92B0E77A51
File Content Preview:	.ELF..............(.....T...4...x&......4. ...(......................#...#...............#...#...#..H...4I..........Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../..&.......#....-.@0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8154
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	75384
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x10	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x11b98	0x0	0x6	AX	16
.fini	PROGBITS	0x19c48	0x11c48	0x10	0x0	0x6	AX	4
.rodata	PROGBITS	0x19c58	0x11c58	0x760	0x0	0x2	A	4
.eh_frame	PROGBITS	0x223b8	0x123b8	0x4	0x0	0x3	WA	4
.init_array	INIT_ARRAY	0x223bc	0x123bc	0x4	0x0	0x3	WA	4
.fini_array	FINI_ARRAY	0x223c0	0x123c0	0x4	0x0	0x3	WA	4
.got	PROGBITS	0x223c8	0x123c8	0x74	0x4	0x3	WA	4
.data	PROGBITS	0x2243c	0x1243c	0x1c4	0x0	0x3	WA	4
.bss	NOBITS	0x22600	0x12600	0x46ec	0x0	0x3	WA	4
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x12600	0x10	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x12610	0x67	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x123b8	0x123b8	6.1201	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x123b8	0x223b8	0x223b8	0x248	0x4934	2.6008	0x6	RW	0x8000	.eh_frame .init_array .fini_array .got .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:50:12.382985115 CEST	39220	7000	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:12.388278961 CEST	7000	39220	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:12.388369083 CEST	39220	7000	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:12.393359900 CEST	39220	7000	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:12.398360014 CEST	7000	39220	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:14.065103054 CEST	7000	39220	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:14.067846060 CEST	39220	7000	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:14.072967052 CEST	7000	39220	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:17.070951939 CEST	33802	2222	192.168.2.13	5.230.171.9
Oct 7, 2024 22:50:17.076266050 CEST	2222	33802	5.230.171.9	192.168.2.13
Oct 7, 2024 22:50:17.076483965 CEST	33802	2222	192.168.2.13	5.230.171.9
Oct 7, 2024 22:50:17.076528072 CEST	33802	2222	192.168.2.13	5.230.171.9
Oct 7, 2024 22:50:17.082020044 CEST	2222	33802	5.230.171.9	192.168.2.13
Oct 7, 2024 22:50:19.466622114 CEST	2222	33802	5.230.171.9	192.168.2.13
Oct 7, 2024 22:50:19.466706038 CEST	2222	33802	5.230.171.9	192.168.2.13
Oct 7, 2024 22:50:19.466922998 CEST	2222	33802	5.230.171.9	192.168.2.13
Oct 7, 2024 22:50:19.466924906 CEST	33802	2222	192.168.2.13	5.230.171.9
Oct 7, 2024 22:50:19.467098951 CEST	33802	2222	192.168.2.13	5.230.171.9
Oct 7, 2024 22:50:19.467098951 CEST	33802	2222	192.168.2.13	5.230.171.9
Oct 7, 2024 22:50:19.472934008 CEST	2222	33802	5.230.171.9	192.168.2.13
Oct 7, 2024 22:50:21.468877077 CEST	39254	19153	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:21.474289894 CEST	19153	39254	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:21.474364042 CEST	39254	19153	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:21.474397898 CEST	39254	19153	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:21.479633093 CEST	19153	39254	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:23.643353939 CEST	19153	39254	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:23.643855095 CEST	39254	19153	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:23.648957014 CEST	19153	39254	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:26.646972895 CEST	41774	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:50:26.652390003 CEST	3389	41774	5.230.228.23	192.168.2.13
Oct 7, 2024 22:50:26.652586937 CEST	41774	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:50:26.652789116 CEST	41774	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:50:26.658094883 CEST	3389	41774	5.230.228.23	192.168.2.13
Oct 7, 2024 22:50:28.337641001 CEST	3389	41774	5.230.228.23	192.168.2.13
Oct 7, 2024 22:50:28.338692904 CEST	41774	3389	192.168.2.13	5.230.228.23
Oct 7, 2024 22:50:28.344073057 CEST	3389	41774	5.230.228.23	192.168.2.13
Oct 7, 2024 22:50:29.342442989 CEST	49720	7000	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:29.348136902 CEST	7000	49720	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:29.348290920 CEST	49720	7000	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:29.348385096 CEST	49720	7000	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:29.353867054 CEST	7000	49720	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:31.525101900 CEST	7000	49720	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:31.525528908 CEST	49720	7000	192.168.2.13	5.230.229.84
Oct 7, 2024 22:50:31.531092882 CEST	7000	49720	5.230.229.84	192.168.2.13
Oct 7, 2024 22:50:34.527679920 CEST	49070	4444	192.168.2.13	5.230.122.81
Oct 7, 2024 22:50:34.532964945 CEST	4444	49070	5.230.122.81	192.168.2.13
Oct 7, 2024 22:50:34.533147097 CEST	49070	4444	192.168.2.13	5.230.122.81
Oct 7, 2024 22:50:34.533224106 CEST	49070	4444	192.168.2.13	5.230.122.81
Oct 7, 2024 22:50:34.538085938 CEST	4444	49070	5.230.122.81	192.168.2.13
Oct 7, 2024 22:50:36.675236940 CEST	4444	49070	5.230.122.81	192.168.2.13
Oct 7, 2024 22:50:36.675977945 CEST	49070	4444	192.168.2.13	5.230.122.81
Oct 7, 2024 22:50:36.681199074 CEST	4444	49070	5.230.122.81	192.168.2.13
Oct 7, 2024 22:50:39.678631067 CEST	38068	7000	192.168.2.13	5.230.228.47
Oct 7, 2024 22:50:39.684076071 CEST	7000	38068	5.230.228.47	192.168.2.13
Oct 7, 2024 22:50:39.684267998 CEST	38068	7000	192.168.2.13	5.230.228.47
Oct 7, 2024 22:50:39.684684038 CEST	38068	7000	192.168.2.13	5.230.228.47
Oct 7, 2024 22:50:39.689908981 CEST	7000	38068	5.230.228.47	192.168.2.13
Oct 7, 2024 22:50:41.527187109 CEST	7000	38068	5.230.228.47	192.168.2.13
Oct 7, 2024 22:50:41.528336048 CEST	38068	7000	192.168.2.13	5.230.228.47
Oct 7, 2024 22:50:41.533586025 CEST	7000	38068	5.230.228.47	192.168.2.13
Oct 7, 2024 22:50:44.534539938 CEST	43234	27015	192.168.2.13	5.230.122.82
Oct 7, 2024 22:50:44.540457010 CEST	27015	43234	5.230.122.82	192.168.2.13
Oct 7, 2024 22:50:44.540868044 CEST	43234	27015	192.168.2.13	5.230.122.82
Oct 7, 2024 22:50:44.540982962 CEST	43234	27015	192.168.2.13	5.230.122.82
Oct 7, 2024 22:50:44.546360970 CEST	27015	43234	5.230.122.82	192.168.2.13
Oct 7, 2024 22:50:46.692081928 CEST	27015	43234	5.230.122.82	192.168.2.13
Oct 7, 2024 22:50:46.692599058 CEST	43234	27015	192.168.2.13	5.230.122.82
Oct 7, 2024 22:50:46.699537992 CEST	27015	43234	5.230.122.82	192.168.2.13
Oct 7, 2024 22:50:49.695270061 CEST	37380	10001	192.168.2.13	5.230.228.44
Oct 7, 2024 22:50:49.700649023 CEST	10001	37380	5.230.228.44	192.168.2.13
Oct 7, 2024 22:50:49.700735092 CEST	37380	10001	192.168.2.13	5.230.228.44
Oct 7, 2024 22:50:49.700759888 CEST	37380	10001	192.168.2.13	5.230.228.44
Oct 7, 2024 22:50:49.705646992 CEST	10001	37380	5.230.228.44	192.168.2.13
Oct 7, 2024 22:50:51.348103046 CEST	10001	37380	5.230.228.44	192.168.2.13
Oct 7, 2024 22:50:51.348818064 CEST	37380	10001	192.168.2.13	5.230.228.44
Oct 7, 2024 22:50:51.354845047 CEST	10001	37380	5.230.228.44	192.168.2.13
Oct 7, 2024 22:50:53.351887941 CEST	49598	3544	192.168.2.13	5.230.228.42
Oct 7, 2024 22:50:53.357073069 CEST	3544	49598	5.230.228.42	192.168.2.13
Oct 7, 2024 22:50:53.358324051 CEST	49598	3544	192.168.2.13	5.230.228.42
Oct 7, 2024 22:50:53.358417988 CEST	49598	3544	192.168.2.13	5.230.228.42
Oct 7, 2024 22:50:53.364905119 CEST	3544	49598	5.230.228.42	192.168.2.13
Oct 7, 2024 22:50:54.990854979 CEST	3544	49598	5.230.228.42	192.168.2.13
Oct 7, 2024 22:50:54.991837978 CEST	49598	3544	192.168.2.13	5.230.228.42
Oct 7, 2024 22:50:54.997222900 CEST	3544	49598	5.230.228.42	192.168.2.13
Oct 7, 2024 22:50:55.995918036 CEST	37164	6666	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:56.001003027 CEST	6666	37164	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:56.001090050 CEST	37164	6666	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:56.001159906 CEST	37164	6666	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:56.007224083 CEST	6666	37164	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:57.673701048 CEST	6666	37164	5.230.228.62	192.168.2.13
Oct 7, 2024 22:50:57.674540997 CEST	37164	6666	192.168.2.13	5.230.228.62
Oct 7, 2024 22:50:57.679718971 CEST	6666	37164	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:00.677208900 CEST	50856	995	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:00.709465027 CEST	995	50856	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:00.709747076 CEST	50856	995	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:00.709841013 CEST	50856	995	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:00.714711905 CEST	995	50856	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:02.348011017 CEST	995	50856	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:02.348489046 CEST	50856	995	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:02.353493929 CEST	995	50856	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:05.351042986 CEST	54766	25565	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:06.235114098 CEST	25565	54766	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:06.235378027 CEST	54766	25565	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:06.235594988 CEST	54766	25565	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:06.241127968 CEST	25565	54766	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:07.911068916 CEST	25565	54766	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:07.911386967 CEST	54766	25565	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:07.916553020 CEST	25565	54766	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:09.913921118 CEST	35088	2022	192.168.2.13	5.230.118.247
Oct 7, 2024 22:51:09.921092987 CEST	2022	35088	5.230.118.247	192.168.2.13
Oct 7, 2024 22:51:09.921312094 CEST	35088	2022	192.168.2.13	5.230.118.247
Oct 7, 2024 22:51:09.921312094 CEST	35088	2022	192.168.2.13	5.230.118.247
Oct 7, 2024 22:51:09.928150892 CEST	2022	35088	5.230.118.247	192.168.2.13
Oct 7, 2024 22:51:11.759012938 CEST	2022	35088	5.230.118.247	192.168.2.13
Oct 7, 2024 22:51:11.760118961 CEST	35088	2022	192.168.2.13	5.230.118.247
Oct 7, 2024 22:51:11.765230894 CEST	2022	35088	5.230.118.247	192.168.2.13
Oct 7, 2024 22:51:13.763525009 CEST	40710	6666	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:13.768923044 CEST	6666	40710	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:13.769171953 CEST	40710	6666	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:13.769171953 CEST	40710	6666	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:13.774307966 CEST	6666	40710	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:15.624094009 CEST	6666	40710	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:15.624699116 CEST	40710	6666	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:15.631025076 CEST	6666	40710	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:17.628021002 CEST	52266	3074	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:17.633625031 CEST	3074	52266	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:17.633882046 CEST	52266	3074	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:17.633963108 CEST	52266	3074	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:17.639882088 CEST	3074	52266	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:19.518176079 CEST	3074	52266	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:19.518976927 CEST	52266	3074	192.168.2.13	5.230.171.9
Oct 7, 2024 22:51:19.523998022 CEST	3074	52266	5.230.171.9	192.168.2.13
Oct 7, 2024 22:51:21.522727013 CEST	58884	5222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:21.528879881 CEST	5222	58884	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:21.528985977 CEST	58884	5222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:21.529047012 CEST	58884	5222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:21.534400940 CEST	5222	58884	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:23.221841097 CEST	5222	58884	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:23.222601891 CEST	58884	5222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:23.228770971 CEST	5222	58884	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:24.226116896 CEST	52510	5000	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:24.231488943 CEST	5000	52510	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:24.231590033 CEST	52510	5000	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:24.231664896 CEST	52510	5000	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:24.236731052 CEST	5000	52510	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:25.870687008 CEST	5000	52510	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:25.871203899 CEST	52510	5000	192.168.2.13	5.230.228.45
Oct 7, 2024 22:51:25.876774073 CEST	5000	52510	5.230.228.45	192.168.2.13
Oct 7, 2024 22:51:27.874259949 CEST	39186	2022	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:27.879956961 CEST	2022	39186	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:27.880086899 CEST	39186	2022	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:27.880160093 CEST	39186	2022	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:27.885807037 CEST	2022	39186	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:29.552479982 CEST	2022	39186	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:29.553188086 CEST	39186	2022	192.168.2.13	5.230.228.62
Oct 7, 2024 22:51:29.560024023 CEST	2022	39186	5.230.228.62	192.168.2.13
Oct 7, 2024 22:51:31.556440115 CEST	39594	19153	192.168.2.13	5.230.228.23
Oct 7, 2024 22:51:31.561880112 CEST	19153	39594	5.230.228.23	192.168.2.13
Oct 7, 2024 22:51:31.561965942 CEST	39594	19153	192.168.2.13	5.230.228.23
Oct 7, 2024 22:51:31.562030077 CEST	39594	19153	192.168.2.13	5.230.228.23
Oct 7, 2024 22:51:31.568506002 CEST	19153	39594	5.230.228.23	192.168.2.13
Oct 7, 2024 22:51:33.243345022 CEST	19153	39594	5.230.228.23	192.168.2.13
Oct 7, 2024 22:51:33.244312048 CEST	39594	19153	192.168.2.13	5.230.228.23
Oct 7, 2024 22:51:33.249849081 CEST	19153	39594	5.230.228.23	192.168.2.13
Oct 7, 2024 22:51:36.250075102 CEST	53086	27014	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:36.255793095 CEST	27014	53086	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:36.255922079 CEST	53086	27014	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:36.255976915 CEST	53086	27014	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:36.261105061 CEST	27014	53086	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:38.107928038 CEST	27014	53086	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:38.108655930 CEST	53086	27014	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:38.114320040 CEST	27014	53086	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:41.112349987 CEST	37916	6036	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:41.117712975 CEST	6036	37916	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:41.117801905 CEST	37916	6036	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:41.117875099 CEST	37916	6036	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:41.123344898 CEST	6036	37916	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:42.987083912 CEST	6036	37916	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:42.987556934 CEST	37916	6036	192.168.2.13	5.230.171.8
Oct 7, 2024 22:51:42.994070053 CEST	6036	37916	5.230.171.8	192.168.2.13
Oct 7, 2024 22:51:44.990807056 CEST	43070	6036	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:44.995915890 CEST	6036	43070	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:44.996041059 CEST	43070	6036	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:44.996104956 CEST	43070	6036	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:45.000952959 CEST	6036	43070	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:47.168091059 CEST	6036	43070	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:47.168868065 CEST	43070	6036	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:47.174060106 CEST	6036	43070	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:48.171382904 CEST	38530	2222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:48.177884102 CEST	2222	38530	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:48.177948952 CEST	38530	2222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:48.177994013 CEST	38530	2222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:48.184169054 CEST	2222	38530	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:49.883470058 CEST	2222	38530	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:49.884145975 CEST	38530	2222	192.168.2.13	185.248.144.209
Oct 7, 2024 22:51:49.888995886 CEST	2222	38530	185.248.144.209	192.168.2.13
Oct 7, 2024 22:51:50.886403084 CEST	50486	27014	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:50.892553091 CEST	27014	50486	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:50.892642975 CEST	50486	27014	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:50.892682076 CEST	50486	27014	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:50.898400068 CEST	27014	50486	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:53.036880016 CEST	27014	50486	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:53.037313938 CEST	50486	27014	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:53.037314892 CEST	50486	27014	192.168.2.13	5.230.122.80
Oct 7, 2024 22:51:53.043778896 CEST	27014	50486	5.230.122.80	192.168.2.13
Oct 7, 2024 22:51:55.041033030 CEST	53464	22022	192.168.2.13	5.230.229.84
Oct 7, 2024 22:51:55.046648026 CEST	22022	53464	5.230.229.84	192.168.2.13
Oct 7, 2024 22:51:55.046777010 CEST	53464	22022	192.168.2.13	5.230.229.84
Oct 7, 2024 22:51:55.046845913 CEST	53464	22022	192.168.2.13	5.230.229.84
Oct 7, 2024 22:51:55.052767992 CEST	22022	53464	5.230.229.84	192.168.2.13
Oct 7, 2024 22:51:57.213648081 CEST	22022	53464	5.230.229.84	192.168.2.13
Oct 7, 2024 22:51:57.214031935 CEST	53464	22022	192.168.2.13	5.230.229.84
Oct 7, 2024 22:51:57.220503092 CEST	22022	53464	5.230.229.84	192.168.2.13
Oct 7, 2024 22:51:59.217041016 CEST	50858	3074	192.168.2.13	5.230.229.83
Oct 7, 2024 22:51:59.222196102 CEST	3074	50858	5.230.229.83	192.168.2.13
Oct 7, 2024 22:51:59.222285032 CEST	50858	3074	192.168.2.13	5.230.229.83
Oct 7, 2024 22:51:59.222440004 CEST	50858	3074	192.168.2.13	5.230.229.83
Oct 7, 2024 22:51:59.227411032 CEST	3074	50858	5.230.229.83	192.168.2.13
Oct 7, 2024 22:52:00.913417101 CEST	3074	50858	5.230.229.83	192.168.2.13
Oct 7, 2024 22:52:00.914577961 CEST	50858	3074	192.168.2.13	5.230.229.83
Oct 7, 2024 22:52:00.920463085 CEST	3074	50858	5.230.229.83	192.168.2.13
Oct 7, 2024 22:52:03.918802023 CEST	58134	27050	192.168.2.13	94.131.118.154
Oct 7, 2024 22:52:03.924132109 CEST	27050	58134	94.131.118.154	192.168.2.13
Oct 7, 2024 22:52:03.924699068 CEST	58134	27050	192.168.2.13	94.131.118.154
Oct 7, 2024 22:52:03.924804926 CEST	58134	27050	192.168.2.13	94.131.118.154
Oct 7, 2024 22:52:03.929940939 CEST	27050	58134	94.131.118.154	192.168.2.13
Oct 7, 2024 22:52:05.560586929 CEST	27050	58134	94.131.118.154	192.168.2.13
Oct 7, 2024 22:52:05.561378002 CEST	58134	27050	192.168.2.13	94.131.118.154
Oct 7, 2024 22:52:05.561500072 CEST	58134	27050	192.168.2.13	94.131.118.154
Oct 7, 2024 22:52:05.566559076 CEST	27050	58134	94.131.118.154	192.168.2.13
Oct 7, 2024 22:52:07.566922903 CEST	50866	2222	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:07.572312117 CEST	2222	50866	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:07.572727919 CEST	50866	2222	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:07.573040009 CEST	50866	2222	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:07.578099012 CEST	2222	50866	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:09.420166969 CEST	2222	50866	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:09.420960903 CEST	50866	2222	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:09.426100016 CEST	2222	50866	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:12.426353931 CEST	48830	995	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:12.431428909 CEST	995	48830	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:12.431541920 CEST	48830	995	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:12.431593895 CEST	48830	995	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:12.436465979 CEST	995	48830	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:14.300368071 CEST	995	48830	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:14.301134109 CEST	48830	995	192.168.2.13	5.230.171.8
Oct 7, 2024 22:52:14.306133986 CEST	995	48830	5.230.171.8	192.168.2.13
Oct 7, 2024 22:52:16.304511070 CEST	46366	2222	192.168.2.13	5.230.228.44
Oct 7, 2024 22:52:16.364661932 CEST	2222	46366	5.230.228.44	192.168.2.13
Oct 7, 2024 22:52:16.364902020 CEST	46366	2222	192.168.2.13	5.230.228.44
Oct 7, 2024 22:52:16.364902973 CEST	46366	2222	192.168.2.13	5.230.228.44
Oct 7, 2024 22:52:16.373761892 CEST	2222	46366	5.230.228.44	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:50:11.803849936 CEST	32411	3478	192.168.2.13	172.217.192.127
Oct 7, 2024 22:50:12.354305983 CEST	3478	32411	172.217.192.127	192.168.2.13
Oct 7, 2024 22:50:12.364784002 CEST	46565	53	192.168.2.13	202.61.197.122
Oct 7, 2024 22:50:12.375216007 CEST	53	46565	202.61.197.122	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:50:12.364784002 CEST	192.168.2.13	202.61.197.122	0xd7b8	Standard query (0)	iranistrash.libre	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:50:12.375216007 CEST	202.61.197.122	192.168.2.13	0xd7b8	No error (0)	iranistrash.libre			TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: dash PID: 5420, Parent PID: 3584

General

Start time (UTC):	20:49:58
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5420, Parent PID: 3584

General

Start time (UTC):	20:49:58
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5421, Parent PID: 3584

General

Start time (UTC):	20:49:58
Start date (UTC):	07/10/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5421, Parent PID: 3584

General

Start time (UTC):	20:49:58
Start date (UTC):	07/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf PID: 5433, Parent PID: 5355

General

Start time (UTC):	20:50:07
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
Arguments:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf PID: 5435, Parent PID: 5433

General

Start time (UTC):	20:50:10
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf PID: 5439, Parent PID: 5435

General

Start time (UTC):	20:50:11
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Cloud Service: Cloud Service Enumeration, Command: Command Execution, Network Traffic: Network Traffic Flow
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dash PID: 5420, Parent PID: 3584

General

Chronological Activities

Analysis Process: rm PID: 5420, Parent PID: 3584

General

Chronological Activities

Analysis Process: dash PID: 5421, Parent PID: 3584

General

Chronological Activities

Analysis Process: rm PID: 5421, Parent PID: 3584

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf PID: 5433, Parent PID: 5355

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf PID: 5435, Parent PID: 5433

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf PID: 5439, Parent PID: 5435

General

Chronological Activities

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf