Edit tour

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
Analysis ID:	1528451
MD5:	2529af837c02e20afc93f1db9271f557
SHA1:	5c89b7195224f28298eccec9cc20643f67c14975
SHA256:	dd391a5deea666189ac083c113d197e6a85036992e11af7ec04ad18a854bc89d
Tags:	elf
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528451
Start date and time:	2024-10-07 22:52:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
Detection:	MAL
Classification:	mal56.troj.spyw.evad.linELF@0/0@1/0

Warnings

VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
PID:	6217
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware update in progress
Standard Error:

Process Tree

system is lnxubuntu20

SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6217, Parent: 6133, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf

SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf New Fork (PID: 6219, Parent: 6217)

SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf New Fork (PID: 6221, Parent: 6219)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.122.80 ports 7000,6036,0,3,27014,6
Source: global traffic	TCP traffic: 5.230.228.23 ports 7000,0,1,4,5,10554
Source: global traffic	TCP traffic: 5.230.229.83 ports 19153,34567,3,4,5,6,7,10001

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6219)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6219)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6219)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6219)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:37026 -> 185.248.144.209:4444
Source: global traffic	TCP traffic: 192.168.2.23:54458 -> 94.131.118.154:9000
Source: global traffic	TCP traffic: 192.168.2.23:38850 -> 5.230.228.23:10554
Source: global traffic	TCP traffic: 192.168.2.23:38350 -> 5.230.229.83:34567
Source: global traffic	TCP traffic: 192.168.2.23:38800 -> 194.156.98.15:2222
Source: global traffic	TCP traffic: 192.168.2.23:36178 -> 5.230.171.9:19153
Source: global traffic	TCP traffic: 192.168.2.23:33410 -> 5.230.228.46:10001
Source: global traffic	TCP traffic: 192.168.2.23:34238 -> 5.230.122.80:6036
Source: global traffic	TCP traffic: 192.168.2.23:37234 -> 5.230.228.45:554
Source: global traffic	TCP traffic: 192.168.2.23:44360 -> 5.230.122.82:18004
Source: global traffic	TCP traffic: 192.168.2.23:59868 -> 5.230.171.8:35000
Source: global traffic	TCP traffic: 192.168.2.23:57996 -> 5.230.228.42:9000
Source: global traffic	TCP traffic: 192.168.2.23:38772 -> 5.230.122.81:7777
Source: global traffic	TCP traffic: 192.168.2.23:33738 -> 5.230.118.247:37777

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.spyw.evad.linELF@0/0@1/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6217)

File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf

Jump to behavior

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6217)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf (PID: 6219)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf, 6217.1.000055a0fb00a000.000055a0fb091000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf, 6217.1.000055a0fb00a000.000055a0fb091000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf, 6217.1.00007ffdbc5a2000.00007ffdbc5c3000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf, 6217.1.00007ffdbc5a2000.00007ffdbc5c3000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf	5%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iranistrash.libre	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.81	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.82	unknown	Germany	12586	ASGHOSTNETDE	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	true
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.46	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.228.42	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.228.23	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.45	unknown	Germany	12586	ASGHOSTNETDE	false
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	false
185.248.144.209	unknown	France	31531	POINT-ASUA	false
5.230.229.83	unknown	Germany	12586	ASGHOSTNETDE	true
194.156.98.15	unknown	Russian Federation	135330	ADCDATACOM-AS-APADCDATACOMHK	false
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.230.171.9	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
5.230.171.8	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
5.230.122.81	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.122.82	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
5.230.122.80	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.420045728451403
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
File size:	88'252 bytes
MD5:	2529af837c02e20afc93f1db9271f557
SHA1:	5c89b7195224f28298eccec9cc20643f67c14975
SHA256:	dd391a5deea666189ac083c113d197e6a85036992e11af7ec04ad18a854bc89d
SHA512:	ed4f09579e1631a3406fd263339700c977b117972f555ad78e384689e825d2cc87b6ee8ea5be5fe6b78d5c60eec5a3509b715502f7f1254e845119590e3af28d
SSDEEP:	1536:tgvPoDULEntoUZvjkbAz2oczaScQVuTMw3vB6sQgjI/heV:WtLutnZrvz2oczaSdVcMw356s9I/UV
TLSH:	8E83C84E6E158F6CF7ED86310BB79E26974C27C737A1C681D26CE6002E6424E245FFA4
File Content Preview:	.ELF.....................@.`...4..V......4. ...(.............@...@....J...J...............P..EP..EP.......*.........dt.Q............................<...'..,...!'.......................<...'......!... ....'9... ......................<...'......!........'9B

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	87772
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x141a0	0x0	0x6	AX	16
.fini	PROGBITS	0x4142c0	0x142c0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x414320	0x14320	0x7a0	0x0	0x2	A	16
.ctors	PROGBITS	0x455000	0x15000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x455008	0x15008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x455020	0x15020	0x1a8	0x0	0x3	WA	16
.got	PROGBITS	0x4551d0	0x151d0	0x4c0	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x455690	0x15690	0x8	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4556a0	0x15690	0x2454	0x0	0x3	WA	16
.shstrtab	STRTAB	0x0	0x15690	0x49	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x14ac0	0x14ac0	5.4980	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x15000	0x455000	0x455000	0x690	0x2af4	3.4374	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:52:57.146228075 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 7, 2024 22:52:58.498629093 CEST	37026	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:52:58.503676891 CEST	4444	37026	185.248.144.209	192.168.2.23
Oct 7, 2024 22:52:58.506028891 CEST	37026	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:52:58.531002045 CEST	37026	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:52:58.623111963 CEST	4444	37026	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:00.180021048 CEST	4444	37026	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:00.180567980 CEST	37026	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:00.190228939 CEST	4444	37026	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:02.777482033 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 7, 2024 22:53:03.182291031 CEST	54458	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:03.187777996 CEST	9000	54458	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:03.187992096 CEST	54458	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:03.187992096 CEST	54458	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:03.193274021 CEST	9000	54458	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:04.057401896 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 7, 2024 22:53:04.797069073 CEST	9000	54458	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:04.797646046 CEST	54458	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:04.803344965 CEST	9000	54458	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:07.799005032 CEST	38850	10554	192.168.2.23	5.230.228.23
Oct 7, 2024 22:53:07.806741953 CEST	10554	38850	5.230.228.23	192.168.2.23
Oct 7, 2024 22:53:07.806843996 CEST	38850	10554	192.168.2.23	5.230.228.23
Oct 7, 2024 22:53:07.806868076 CEST	38850	10554	192.168.2.23	5.230.228.23
Oct 7, 2024 22:53:07.811990976 CEST	10554	38850	5.230.228.23	192.168.2.23
Oct 7, 2024 22:53:09.554037094 CEST	10554	38850	5.230.228.23	192.168.2.23
Oct 7, 2024 22:53:09.554503918 CEST	38850	10554	192.168.2.23	5.230.228.23
Oct 7, 2024 22:53:09.559432983 CEST	10554	38850	5.230.228.23	192.168.2.23
Oct 7, 2024 22:53:12.555769920 CEST	44536	37777	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:12.560956001 CEST	37777	44536	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:12.561186075 CEST	44536	37777	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:12.561186075 CEST	44536	37777	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:12.566421032 CEST	37777	44536	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:14.254616976 CEST	37777	44536	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:14.255522966 CEST	44536	37777	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:14.261033058 CEST	37777	44536	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:15.259183884 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:15.264946938 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:15.265161037 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:15.265161991 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:15.270401001 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:17.112817049 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:17.113415956 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:17.323643923 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:17.502580881 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:17.502672911 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:17.502989054 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:17.502990007 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:17.503312111 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:17.503341913 CEST	34567	38350	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:17.503431082 CEST	38350	34567	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:18.135472059 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 7, 2024 22:53:19.116750956 CEST	38800	2222	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:19.122143984 CEST	2222	38800	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:19.122237921 CEST	38800	2222	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:19.122410059 CEST	38800	2222	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:19.128504038 CEST	2222	38800	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:21.106139898 CEST	2222	38800	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:21.107429981 CEST	38800	2222	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:21.112715960 CEST	2222	38800	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:23.110016108 CEST	36178	19153	192.168.2.23	5.230.171.9
Oct 7, 2024 22:53:23.115556955 CEST	19153	36178	5.230.171.9	192.168.2.23
Oct 7, 2024 22:53:23.115708113 CEST	36178	19153	192.168.2.23	5.230.171.9
Oct 7, 2024 22:53:23.115778923 CEST	36178	19153	192.168.2.23	5.230.171.9
Oct 7, 2024 22:53:23.120620012 CEST	19153	36178	5.230.171.9	192.168.2.23
Oct 7, 2024 22:53:25.132981062 CEST	19153	36178	5.230.171.9	192.168.2.23
Oct 7, 2024 22:53:25.133805037 CEST	36178	19153	192.168.2.23	5.230.171.9
Oct 7, 2024 22:53:25.139034986 CEST	19153	36178	5.230.171.9	192.168.2.23
Oct 7, 2024 22:53:28.136483908 CEST	54470	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:28.251602888 CEST	9000	54470	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:28.252222061 CEST	54470	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:28.252331018 CEST	54470	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:28.257154942 CEST	9000	54470	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:28.374075890 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 7, 2024 22:53:29.901272058 CEST	9000	54470	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:29.901825905 CEST	54470	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:29.902089119 CEST	54470	9000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:29.906821012 CEST	9000	54470	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:32.903750896 CEST	37042	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:32.908874989 CEST	4444	37042	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:32.908988953 CEST	37042	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:32.909014940 CEST	37042	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:32.913852930 CEST	4444	37042	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:34.517204046 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 7, 2024 22:53:34.567537069 CEST	4444	37042	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:34.568070889 CEST	37042	4444	192.168.2.23	185.248.144.209
Oct 7, 2024 22:53:34.573031902 CEST	4444	37042	185.248.144.209	192.168.2.23
Oct 7, 2024 22:53:36.570250034 CEST	50050	19153	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:36.575680971 CEST	19153	50050	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:36.575768948 CEST	50050	19153	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:36.575826883 CEST	50050	19153	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:36.580988884 CEST	19153	50050	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:38.254405975 CEST	19153	50050	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:38.254998922 CEST	50050	19153	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:38.259840965 CEST	19153	50050	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:39.257364988 CEST	35314	9001	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:39.429166079 CEST	9001	35314	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:39.429436922 CEST	35314	9001	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:39.429574966 CEST	35314	9001	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:39.434695959 CEST	9001	35314	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:41.437971115 CEST	9001	35314	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:41.438625097 CEST	35314	9001	192.168.2.23	194.156.98.15
Oct 7, 2024 22:53:41.443542004 CEST	9001	35314	194.156.98.15	192.168.2.23
Oct 7, 2024 22:53:42.441379070 CEST	44724	5000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:42.446260929 CEST	5000	44724	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:42.446372986 CEST	44724	5000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:42.446429014 CEST	44724	5000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:42.451405048 CEST	5000	44724	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:44.058734894 CEST	5000	44724	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:44.059309959 CEST	44724	5000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:53:44.064110041 CEST	5000	44724	94.131.118.154	192.168.2.23
Oct 7, 2024 22:53:46.062758923 CEST	47566	10001	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:46.067655087 CEST	10001	47566	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:46.067715883 CEST	47566	10001	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:46.067773104 CEST	47566	10001	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:46.072559118 CEST	10001	47566	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:47.777002096 CEST	10001	47566	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:47.777582884 CEST	47566	10001	192.168.2.23	5.230.229.83
Oct 7, 2024 22:53:47.782530069 CEST	10001	47566	5.230.229.83	192.168.2.23
Oct 7, 2024 22:53:50.779299974 CEST	33410	10001	192.168.2.23	5.230.228.46
Oct 7, 2024 22:53:50.785450935 CEST	10001	33410	5.230.228.46	192.168.2.23
Oct 7, 2024 22:53:50.785526991 CEST	33410	10001	192.168.2.23	5.230.228.46
Oct 7, 2024 22:53:50.785561085 CEST	33410	10001	192.168.2.23	5.230.228.46
Oct 7, 2024 22:53:50.790544033 CEST	10001	33410	5.230.228.46	192.168.2.23
Oct 7, 2024 22:53:59.089874029 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 7, 2024 22:54:00.785830021 CEST	33410	10001	192.168.2.23	5.230.228.46
Oct 7, 2024 22:54:00.835956097 CEST	10001	33410	5.230.228.46	192.168.2.23
Oct 7, 2024 22:54:02.788165092 CEST	34238	6036	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:02.889656067 CEST	6036	34238	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:02.889964104 CEST	34238	6036	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:02.890091896 CEST	34238	6036	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:02.898682117 CEST	6036	34238	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:04.418117046 CEST	10001	33410	5.230.228.46	192.168.2.23
Oct 7, 2024 22:54:04.418553114 CEST	33410	10001	192.168.2.23	5.230.228.46
Oct 7, 2024 22:54:05.292442083 CEST	6036	34238	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:05.293065071 CEST	34238	6036	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:05.293256044 CEST	34238	6036	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:05.298185110 CEST	6036	34238	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:06.295249939 CEST	37234	554	192.168.2.23	5.230.228.45
Oct 7, 2024 22:54:06.300215960 CEST	554	37234	5.230.228.45	192.168.2.23
Oct 7, 2024 22:54:06.300318956 CEST	37234	554	192.168.2.23	5.230.228.45
Oct 7, 2024 22:54:06.300383091 CEST	37234	554	192.168.2.23	5.230.228.45
Oct 7, 2024 22:54:06.305296898 CEST	554	37234	5.230.228.45	192.168.2.23
Oct 7, 2024 22:54:07.949275970 CEST	554	37234	5.230.228.45	192.168.2.23
Oct 7, 2024 22:54:07.949915886 CEST	37234	554	192.168.2.23	5.230.228.45
Oct 7, 2024 22:54:07.954992056 CEST	554	37234	5.230.228.45	192.168.2.23
Oct 7, 2024 22:54:08.952342987 CEST	44360	18004	192.168.2.23	5.230.122.82
Oct 7, 2024 22:54:08.957627058 CEST	18004	44360	5.230.122.82	192.168.2.23
Oct 7, 2024 22:54:08.957971096 CEST	44360	18004	192.168.2.23	5.230.122.82
Oct 7, 2024 22:54:08.958012104 CEST	44360	18004	192.168.2.23	5.230.122.82
Oct 7, 2024 22:54:08.964210987 CEST	18004	44360	5.230.122.82	192.168.2.23
Oct 7, 2024 22:54:11.097557068 CEST	18004	44360	5.230.122.82	192.168.2.23
Oct 7, 2024 22:54:11.098427057 CEST	44360	18004	192.168.2.23	5.230.122.82
Oct 7, 2024 22:54:11.103451967 CEST	18004	44360	5.230.122.82	192.168.2.23
Oct 7, 2024 22:54:14.099736929 CEST	59868	35000	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:14.104846001 CEST	35000	59868	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:14.104933977 CEST	59868	35000	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:14.104975939 CEST	59868	35000	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:14.109921932 CEST	35000	59868	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:16.177227020 CEST	35000	59868	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:16.177628994 CEST	59868	35000	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:16.180105925 CEST	35000	59868	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:16.180159092 CEST	59868	35000	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:16.182559013 CEST	35000	59868	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:17.179429054 CEST	57996	9000	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:17.184642076 CEST	9000	57996	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:17.184825897 CEST	57996	9000	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:17.185106993 CEST	57996	9000	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:17.190020084 CEST	9000	57996	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:18.821909904 CEST	9000	57996	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:18.822355032 CEST	57996	9000	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:18.827559948 CEST	9000	57996	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:19.567127943 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 7, 2024 22:54:20.824439049 CEST	58222	7000	192.168.2.23	5.230.228.23
Oct 7, 2024 22:54:20.829842091 CEST	7000	58222	5.230.228.23	192.168.2.23
Oct 7, 2024 22:54:20.829946995 CEST	58222	7000	192.168.2.23	5.230.228.23
Oct 7, 2024 22:54:20.830033064 CEST	58222	7000	192.168.2.23	5.230.228.23
Oct 7, 2024 22:54:20.834952116 CEST	7000	58222	5.230.228.23	192.168.2.23
Oct 7, 2024 22:54:22.478522062 CEST	7000	58222	5.230.228.23	192.168.2.23
Oct 7, 2024 22:54:22.479176044 CEST	58222	7000	192.168.2.23	5.230.228.23
Oct 7, 2024 22:54:22.484085083 CEST	7000	58222	5.230.228.23	192.168.2.23
Oct 7, 2024 22:54:23.481470108 CEST	38772	7777	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:23.486567974 CEST	7777	38772	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:23.486725092 CEST	38772	7777	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:23.487000942 CEST	38772	7777	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:23.491936922 CEST	7777	38772	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:25.967715979 CEST	7777	38772	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:25.968379021 CEST	38772	7777	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:25.969063997 CEST	7777	38772	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:25.969124079 CEST	38772	7777	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:25.973822117 CEST	7777	38772	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:26.971441031 CEST	43122	7000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:54:26.976423025 CEST	7000	43122	94.131.118.154	192.168.2.23
Oct 7, 2024 22:54:26.976525068 CEST	43122	7000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:54:26.976591110 CEST	43122	7000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:54:26.981398106 CEST	7000	43122	94.131.118.154	192.168.2.23
Oct 7, 2024 22:54:28.610560894 CEST	7000	43122	94.131.118.154	192.168.2.23
Oct 7, 2024 22:54:28.611438036 CEST	43122	7000	192.168.2.23	94.131.118.154
Oct 7, 2024 22:54:28.616774082 CEST	7000	43122	94.131.118.154	192.168.2.23
Oct 7, 2024 22:54:31.613728046 CEST	33738	37777	192.168.2.23	5.230.118.247
Oct 7, 2024 22:54:31.619206905 CEST	37777	33738	5.230.118.247	192.168.2.23
Oct 7, 2024 22:54:31.619815111 CEST	33738	37777	192.168.2.23	5.230.118.247
Oct 7, 2024 22:54:31.620039940 CEST	33738	37777	192.168.2.23	5.230.118.247
Oct 7, 2024 22:54:31.624964952 CEST	37777	33738	5.230.118.247	192.168.2.23
Oct 7, 2024 22:54:33.468229055 CEST	37777	33738	5.230.118.247	192.168.2.23
Oct 7, 2024 22:54:33.468776941 CEST	33738	37777	192.168.2.23	5.230.118.247
Oct 7, 2024 22:54:33.473747015 CEST	37777	33738	5.230.118.247	192.168.2.23
Oct 7, 2024 22:54:34.471915960 CEST	48924	35000	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:34.627300024 CEST	35000	48924	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:34.627490044 CEST	48924	35000	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:34.627604961 CEST	48924	35000	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:34.632514954 CEST	35000	48924	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:36.792881966 CEST	35000	48924	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:36.793373108 CEST	48924	35000	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:36.798496008 CEST	35000	48924	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:39.795681953 CEST	48166	3074	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:39.939795017 CEST	3074	48166	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:39.940023899 CEST	48166	3074	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:39.940211058 CEST	48166	3074	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:39.945487976 CEST	3074	48166	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:42.126058102 CEST	3074	48166	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:42.126787901 CEST	48166	3074	192.168.2.23	5.230.122.81
Oct 7, 2024 22:54:42.134464979 CEST	3074	48166	5.230.122.81	192.168.2.23
Oct 7, 2024 22:54:45.130292892 CEST	43400	995	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:45.135574102 CEST	995	43400	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:45.135669947 CEST	43400	995	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:45.135735989 CEST	43400	995	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:45.140681028 CEST	995	43400	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:46.794429064 CEST	995	43400	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:46.795290947 CEST	43400	995	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:46.800226927 CEST	995	43400	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:48.798800945 CEST	34576	3074	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:48.924432039 CEST	3074	34576	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:48.924773932 CEST	34576	3074	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:48.924984932 CEST	34576	3074	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:48.931282997 CEST	3074	34576	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:51.223531008 CEST	3074	34576	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:51.224493980 CEST	34576	3074	192.168.2.23	5.230.171.8
Oct 7, 2024 22:54:51.230201006 CEST	3074	34576	5.230.171.8	192.168.2.23
Oct 7, 2024 22:54:54.227777004 CEST	48682	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:54.277626991 CEST	7000	48682	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:54.277896881 CEST	48682	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:54.277896881 CEST	48682	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:54.282952070 CEST	7000	48682	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:56.624694109 CEST	7000	48682	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:56.625004053 CEST	48682	7000	192.168.2.23	5.230.122.80
Oct 7, 2024 22:54:56.629930019 CEST	7000	48682	5.230.122.80	192.168.2.23
Oct 7, 2024 22:54:59.626948118 CEST	44572	6036	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:59.632320881 CEST	6036	44572	5.230.228.42	192.168.2.23
Oct 7, 2024 22:54:59.632400036 CEST	44572	6036	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:59.632488012 CEST	44572	6036	192.168.2.23	5.230.228.42
Oct 7, 2024 22:54:59.637312889 CEST	6036	44572	5.230.228.42	192.168.2.23
Oct 7, 2024 22:55:01.295598030 CEST	6036	44572	5.230.228.42	192.168.2.23
Oct 7, 2024 22:55:01.296412945 CEST	44572	6036	192.168.2.23	5.230.228.42
Oct 7, 2024 22:55:01.302131891 CEST	6036	44572	5.230.228.42	192.168.2.23
Oct 7, 2024 22:55:02.301352024 CEST	45168	27014	192.168.2.23	5.230.122.80
Oct 7, 2024 22:55:02.306525946 CEST	27014	45168	5.230.122.80	192.168.2.23
Oct 7, 2024 22:55:02.306622982 CEST	45168	27014	192.168.2.23	5.230.122.80
Oct 7, 2024 22:55:02.306921959 CEST	45168	27014	192.168.2.23	5.230.122.80
Oct 7, 2024 22:55:02.311870098 CEST	27014	45168	5.230.122.80	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:52:57.884598017 CEST	50707	3478	192.168.2.23	172.217.192.127
Oct 7, 2024 22:52:58.439768076 CEST	3478	50707	172.217.192.127	192.168.2.23
Oct 7, 2024 22:52:58.452858925 CEST	36241	53	192.168.2.23	37.252.191.197
Oct 7, 2024 22:52:58.473252058 CEST	53	36241	37.252.191.197	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:52:58.452858925 CEST	192.168.2.23	37.252.191.197	0x530d	Standard query (0)	iranistrash.libre	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:52:58.473252058 CEST	37.252.191.197	192.168.2.23	0x530d	No error (0)	iranistrash.libre			TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf PID: 6217, Parent PID: 6133

General

Start time (UTC):	20:52:55
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
Arguments:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf PID: 6219, Parent PID: 6217

General

Start time (UTC):	20:52:56
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf PID: 6221, Parent PID: 6219

General

Start time (UTC):	20:52:57
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf PID: 6217, Parent PID: 6133

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf PID: 6219, Parent PID: 6217

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf PID: 6221, Parent PID: 6219

General

Chronological Activities

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.31968.3467.elf