Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1528789
MD5:	11c85865d23eaa177bf542834dd881c6
SHA1:	781d12d9c15b1290198de53d5f2b91567ca88cec
SHA256:	0183f3e4897805961bad3ade6ed9d34b1b9a441916a5311f2cbaf6eb12527cb1
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Reads system version information

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528789
Start date and time:	2024-10-08 10:57:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal56.troj.linELF@0/0@47/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5730
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	thIs wEek on xLaB lEarNs nOthinG xd
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5730, Parent: 5528, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5732, Parent: 5730)

na.elf New Fork (PID: 5735, Parent: 5730)

systemd New Fork (PID: 5774, Parent: 1)

snap-failure (PID: 5774, Parent: 1, MD5: 69136a7d575731ce62349f2e4d3e5c36) Arguments: /usr/lib/snapd/snap-failure snapd

snap-failure New Fork (PID: 5787, Parent: 5774)

systemctl (PID: 5787, Parent: 5774, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop snapd.socket

snap-failure New Fork (PID: 5788, Parent: 5774)

cleanup

String: /proc//exewgetashinitcurltftp/fdsocketproc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 154.205.144.234 ports 61543,54123,2,3,4,8,9,38429
Source: global traffic	TCP traffic: 154.90.62.142 ports 2,3,6,7,8,32876
Source: global traffic	TCP traffic: 154.223.21.228 ports 61543,3,4,6,7,9,42061,49376,38429,15987
Source: global traffic	TCP traffic: 38.60.249.66 ports 46852,23789,2,4,5,6,8,49376

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: kr3ddnsnet1.indy. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: 75cents.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: 2joints.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: kr2ddnsnet.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: krddnsnet.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: fortyfivehundred.dyn. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: nineteen.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: imaverygoodbadboy.libre. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: r3racegame.indy. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: 21savage.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.13:37004 -> 154.223.21.228:49376
Source: global traffic	TCP traffic: 192.168.2.13:57840 -> 154.205.144.234:38429
Source: global traffic	TCP traffic: 192.168.2.13:37786 -> 38.60.249.66:46852
Source: global traffic	TCP traffic: 192.168.2.13:47116 -> 154.90.62.142:32876

Source: /tmp/na.elf (PID: 5730)

Socket: 127.0.0.1:1234

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: unknown	UDP traffic detected without corresponding DNS query: 54.36.111.116
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 63.231.92.27
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 161.97.219.84
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.69.123
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 54.36.111.116
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.69.123
Source: unknown	UDP traffic detected without corresponding DNS query: 161.97.219.84
Source: unknown	UDP traffic detected without corresponding DNS query: 63.231.92.27
Source: unknown	UDP traffic detected without corresponding DNS query: 54.36.111.116
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 54.36.111.116
Source: unknown	UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown	UDP traffic detected without corresponding DNS query: 161.97.219.84
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown	UDP traffic detected without corresponding DNS query: 63.231.92.27
Source: unknown	UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 130.61.64.122
Source: unknown	UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: unknown	UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 63.231.92.27
Source: unknown	UDP traffic detected without corresponding DNS query: 162.243.19.47
Source: unknown	UDP traffic detected without corresponding DNS query: 54.36.111.116

Source: global traffic	DNS traffic detected: DNS query: subcarrace.indy
Source: global traffic	DNS traffic detected: DNS query: kr3ddnsnet1.indy. [malformed]
Source: global traffic	DNS traffic detected: DNS query: 75cents.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: fortyfivehundred.dyn
Source: global traffic	DNS traffic detected: DNS query: imaverygoodbadboy.libre
Source: global traffic	DNS traffic detected: DNS query: 2joints.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: kr2ddnsnet.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: r3racegame.indy
Source: global traffic	DNS traffic detected: DNS query: krddnsnet.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: eighteen.pirate
Source: global traffic	DNS traffic detected: DNS query: fortyfivehundred.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: nineteen.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: kr3ddnsnet1.indy
Source: global traffic	DNS traffic detected: DNS query: kr2ddnsnet.dyn
Source: global traffic	DNS traffic detected: DNS query: imaverygoodbadboy.libre. [malformed]
Source: global traffic	DNS traffic detected: DNS query: r3racegame.indy. [malformed]
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com
Source: global traffic	DNS traffic detected: DNS query: 21savage.dyn. [malformed]
Source: global traffic	DNS traffic detected: DNS query: nineteen.libre

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.linELF@0/0@47/0

Source: /tmp/na.elf (PID: 5730)	File opened: /proc/11/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/22/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/55/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/66/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/88/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/99/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/111/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/222/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/333/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/777/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/888/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/11111/maps	Jump to behavior
Source: /tmp/na.elf (PID: 5730)	File opened: /proc/999/maps	Jump to behavior

Source: /usr/lib/snapd/snap-failure (PID: 5787)

Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket

Jump to behavior

Source: /usr/lib/snapd/snap-failure (PID: 5774)

Reads version info: /proc/version

Jump to behavior

Source: /tmp/na.elf (PID: 5730)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5730.1.00007ffc4ce16000.00007ffc4ce37000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5730.1.000055c9923b1000.000055c992500000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: na.elf, 5730.1.000055c9923b1000.000055c992500000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5730.1.00007ffc4ce16000.00007ffc4ce37000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	37%	ReversingLabs	Linux.Backdoor.Mirai
na.elf	14%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
daisy.ubuntu.com	0%	Virustotal		Browse
kr2ddnsnet.dyn	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nineteen.libre	38.60.249.66	true	true		unknown
daisy.ubuntu.com	162.213.35.24	true	false	0%, Virustotal, Browse	unknown
r3racegame.indy	154.223.21.228	true	true		unknown
eighteen.pirate	38.60.249.66	true	true		unknown
kr3ddnsnet1.indy	154.223.21.228	true	true		unknown
kr2ddnsnet.dyn	154.90.62.142	true	true	0%, Virustotal, Browse	unknown
imaverygoodbadboy.libre	154.205.144.234	true	true		unknown
subcarrace.indy	154.223.21.228	true	true		unknown
nineteen.libre. [malformed]	unknown	unknown	true		unknown
imaverygoodbadboy.libre. [malformed]	unknown	unknown	true		unknown
fortyfivehundred.dyn. [malformed]	unknown	unknown	true		unknown
kr3ddnsnet1.indy. [malformed]	unknown	unknown	true		unknown
75cents.libre. [malformed]	unknown	unknown	true		unknown
2joints.libre. [malformed]	unknown	unknown	true		unknown
kr2ddnsnet.dyn. [malformed]	unknown	unknown	true		unknown
r3racegame.indy. [malformed]	unknown	unknown	true		unknown
fortyfivehundred.dyn	unknown	unknown	true		unknown
krddnsnet.dyn. [malformed]	unknown	unknown	true		unknown
21savage.dyn. [malformed]	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.205.144.234	imaverygoodbadboy.libre	Seychelles	26484	IKGUL-26484US	true
154.90.62.142	kr2ddnsnet.dyn	Seychelles	40065	CNSERVERSUS	true
154.223.21.228	r3racegame.indy	Seychelles	134705	ITACE-AS-APItaceInternationalLimitedHK	true
38.60.249.66	nineteen.libre	United States	174	COGENT-174US	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
154.90.62.142	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
154.223.21.228	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
38.60.249.66	na.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nineteen.libre	na.elf	Get hash	malicious	Unknown	Browse	38.60.249.66
daisy.ubuntu.com	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	na.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
kr3ddnsnet1.indy	na.elf	Get hash	malicious	Unknown	Browse	154.223.21.228
kr3ddnsnet1.indy	na.elf	Get hash	malicious	Unknown	Browse	154.223.21.228
eighteen.pirate	SecuriteInfo.com.Linux.Mirai.5660.5605.13970.elf	Get hash	malicious	Unknown	Browse	154.205.155.43

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IKGUL-26484US	na.elf	Get hash	malicious	Mirai	Browse	156.252.161.152
	SOA SEPT 2024.exe	Get hash	malicious	FormBook	Browse	198.44.251.203
	na.elf	Get hash	malicious	Mirai	Browse	154.219.20.183
	na.elf	Get hash	malicious	Mirai	Browse	156.249.231.145
	na.elf	Get hash	malicious	Mirai	Browse	156.249.132.19
	na.elf	Get hash	malicious	Mirai	Browse	156.249.231.136
	gmpsl.elf	Get hash	malicious	Mirai	Browse	156.238.135.134
	mips.elf	Get hash	malicious	Mirai	Browse	156.231.181.90
	x86_64.elf	Get hash	malicious	Mirai	Browse	156.249.231.175
	Order.exe	Get hash	malicious	FormBook	Browse	198.44.251.51
CNSERVERSUS	na.elf	Get hash	malicious	Unknown	Browse	154.90.62.142
	na.elf	Get hash	malicious	Unknown	Browse	154.90.62.142
	na.elf	Get hash	malicious	Mirai	Browse	23.225.54.61
	Products Order Catalogs20242.exe	Get hash	malicious	FormBook	Browse	156.227.17.86
	xd.arm.elf	Get hash	malicious	Mirai	Browse	154.86.22.243
	Proforma szamla csatolva.exe	Get hash	malicious	FormBook	Browse	198.16.50.171
	na.elf	Get hash	malicious	Unknown	Browse	154.90.62.142
	na.elf	Get hash	malicious	Unknown	Browse	154.90.62.142
	na.elf	Get hash	malicious	Unknown	Browse	154.90.62.142
	na.elf	Get hash	malicious	Mirai	Browse	156.251.245.87
ITACE-AS-APItaceInternationalLimitedHK	na.elf	Get hash	malicious	Unknown	Browse	154.223.21.228
	na.elf	Get hash	malicious	Unknown	Browse	156.235.45.157
	na.elf	Get hash	malicious	Unknown	Browse	154.223.21.228
	na.elf	Get hash	malicious	Unknown	Browse	154.223.21.228
	gmpsl.elf	Get hash	malicious	Mirai	Browse	156.230.199.3
	mpsl.elf	Get hash	malicious	Mirai	Browse	156.235.45.169
	http://v884.cc/	Get hash	malicious	Unknown	Browse	45.204.81.228
	SecuriteInfo.com.Linux.Siggen.9999.3716.19012.elf	Get hash	malicious	Mirai	Browse	156.235.45.160
	https://57365oo.cc/	Get hash	malicious	Phisher	Browse	154.91.229.63
	dGW8v2LEzX.exe	Get hash	malicious	BlackMoon	Browse	103.117.121.32

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.985730285835167
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	72'256 bytes
MD5:	11c85865d23eaa177bf542834dd881c6
SHA1:	781d12d9c15b1290198de53d5f2b91567ca88cec
SHA256:	0183f3e4897805961bad3ade6ed9d34b1b9a441916a5311f2cbaf6eb12527cb1
SHA512:	e062731acb5f2b0829bea8c5a16bb56e16ef10aa059a3247704dada711f74bef1b1866479b7536ac88997128dbb0bc84a8f1c453ce10962feab883e1e5be048b
SSDEEP:	1536:4kn1ERPL58ctQcXARyEAcRjFKiT/ztsQcpWHl2Di7kgKR:dEPL58ctXAZ9UiT/ztsQ6Wkgy
TLSH:	AD631849F9819F15D9D522BEFE0E018D33636B6CE3EE7212DD205F2527CA95B0A77802
File Content Preview:	.ELF..............(.........4...........4. ...(........p............................................................................t...hs..........................................Q.td..................................-...L..................@-.,@...0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8194
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	71656
Section Header Size:	40
Number of Section Headers:	15
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0
.init	PROGBITS	0x80d4	0xd4	0x10	0x0	0x6	AX	0	4
.text	PROGBITS	0x80f0	0xf0	0x107c8	0x0	0x6	AX	0	16
.fini	PROGBITS	0x188b8	0x108b8	0x10	0x0	0x6	AX	0	4
.rodata	PROGBITS	0x188c8	0x108c8	0xa08	0x0	0x2	A	0	4
.ARM.extab	PROGBITS	0x192d0	0x112d0	0x18	0x0	0x2	A	0	4
.ARM.exidx	ARM_EXIDX	0x192e8	0x112e8	0x118	0x0	0x82	AL	2	4
.eh_frame	PROGBITS	0x21400	0x11400	0x4	0x0	0x3	WA	0	4
.tbss	NOBITS	0x21404	0x11404	0x8	0x0	0x403	WAT	0	4
.init_array	INIT_ARRAY	0x21404	0x11404	0x4	0x0	0x3	WA	0	4
.fini_array	FINI_ARRAY	0x21408	0x11408	0x4	0x0	0x3	WA	0	4
.got	PROGBITS	0x21410	0x11410	0xa8	0x4	0x3	WA	0	4
.data	PROGBITS	0x214b8	0x114b8	0x2bc	0x0	0x3	WA	0	4
.bss	NOBITS	0x21774	0x11774	0x6ff4	0x0	0x3	WA	0	4
.shstrtab	STRTAB	0x0	0x11774	0x73	0x0	0x0		0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x112e8	0x192e8	0x192e8	0x118	0x118	4.4270	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x11400	0x11400	6.0009	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x11400	0x21400	0x21400	0x374	0x7368	4.3521	0x6	RW	0x8000	.eh_frame .tbss .init_array .fini_array .got .data .bss
TLS	0x11404	0x21404	0x21404	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:59:15.929565907 CEST	37004	49376	192.168.2.13	154.223.21.228
Oct 8, 2024 10:59:15.934947968 CEST	49376	37004	154.223.21.228	192.168.2.13
Oct 8, 2024 10:59:15.935017109 CEST	37004	49376	192.168.2.13	154.223.21.228
Oct 8, 2024 10:59:15.940208912 CEST	49376	37004	154.223.21.228	192.168.2.13
Oct 8, 2024 10:59:15.943351030 CEST	37004	49376	192.168.2.13	154.223.21.228
Oct 8, 2024 10:59:15.943646908 CEST	37004	49376	192.168.2.13	154.223.21.228
Oct 8, 2024 10:59:15.948340893 CEST	49376	37004	154.223.21.228	192.168.2.13
Oct 8, 2024 10:59:15.948530912 CEST	49376	37004	154.223.21.228	192.168.2.13
Oct 8, 2024 10:59:32.041402102 CEST	57840	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:32.046540976 CEST	38429	57840	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:32.046602011 CEST	57840	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:32.046618938 CEST	57840	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:32.051784992 CEST	38429	57840	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:32.051934958 CEST	57840	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:32.052006960 CEST	38429	57840	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:32.056864977 CEST	38429	57840	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:33.065732002 CEST	57842	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:33.071094990 CEST	38429	57842	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:33.071155071 CEST	57842	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:33.071156025 CEST	57842	38429	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:33.076913118 CEST	38429	57842	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:33.096348047 CEST	38429	57842	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:49.123207092 CEST	55142	61543	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:49.128320932 CEST	61543	55142	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:49.128410101 CEST	55142	61543	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:49.128457069 CEST	55142	61543	192.168.2.13	154.205.144.234
Oct 8, 2024 10:59:49.133260012 CEST	61543	55142	154.205.144.234	192.168.2.13
Oct 8, 2024 10:59:49.134016037 CEST	61543	55142	154.205.144.234	192.168.2.13
Oct 8, 2024 11:00:05.713968992 CEST	57422	15987	192.168.2.13	154.223.21.228
Oct 8, 2024 11:00:05.718848944 CEST	15987	57422	154.223.21.228	192.168.2.13
Oct 8, 2024 11:00:05.718955994 CEST	57422	15987	192.168.2.13	154.223.21.228
Oct 8, 2024 11:00:05.719007969 CEST	57422	15987	192.168.2.13	154.223.21.228
Oct 8, 2024 11:00:05.723850012 CEST	15987	57422	154.223.21.228	192.168.2.13
Oct 8, 2024 11:00:05.724216938 CEST	15987	57422	154.223.21.228	192.168.2.13
Oct 8, 2024 11:00:21.766124010 CEST	36536	54123	192.168.2.13	154.205.144.234
Oct 8, 2024 11:00:21.770942926 CEST	54123	36536	154.205.144.234	192.168.2.13
Oct 8, 2024 11:00:21.771017075 CEST	36536	54123	192.168.2.13	154.205.144.234
Oct 8, 2024 11:00:21.771063089 CEST	36536	54123	192.168.2.13	154.205.144.234
Oct 8, 2024 11:00:21.775899887 CEST	54123	36536	154.205.144.234	192.168.2.13
Oct 8, 2024 11:00:21.776247025 CEST	54123	36536	154.205.144.234	192.168.2.13
Oct 8, 2024 11:00:48.109174013 CEST	37786	46852	192.168.2.13	38.60.249.66
Oct 8, 2024 11:00:48.114109039 CEST	46852	37786	38.60.249.66	192.168.2.13
Oct 8, 2024 11:00:48.114176035 CEST	37786	46852	192.168.2.13	38.60.249.66
Oct 8, 2024 11:00:48.114203930 CEST	37786	46852	192.168.2.13	38.60.249.66
Oct 8, 2024 11:00:48.119010925 CEST	46852	37786	38.60.249.66	192.168.2.13
Oct 8, 2024 11:00:48.119350910 CEST	46852	37786	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:14.322014093 CEST	44578	38429	192.168.2.13	154.223.21.228
Oct 8, 2024 11:01:14.326905012 CEST	38429	44578	154.223.21.228	192.168.2.13
Oct 8, 2024 11:01:14.326960087 CEST	44578	38429	192.168.2.13	154.223.21.228
Oct 8, 2024 11:01:14.326975107 CEST	44578	38429	192.168.2.13	154.223.21.228
Oct 8, 2024 11:01:14.331809998 CEST	38429	44578	154.223.21.228	192.168.2.13
Oct 8, 2024 11:01:14.332169056 CEST	38429	44578	154.223.21.228	192.168.2.13
Oct 8, 2024 11:01:25.357733965 CEST	47116	32876	192.168.2.13	154.90.62.142
Oct 8, 2024 11:01:25.362675905 CEST	32876	47116	154.90.62.142	192.168.2.13
Oct 8, 2024 11:01:25.362771034 CEST	47116	32876	192.168.2.13	154.90.62.142
Oct 8, 2024 11:01:25.362827063 CEST	47116	32876	192.168.2.13	154.90.62.142
Oct 8, 2024 11:01:25.369023085 CEST	32876	47116	154.90.62.142	192.168.2.13
Oct 8, 2024 11:01:25.369329929 CEST	32876	47116	154.90.62.142	192.168.2.13
Oct 8, 2024 11:01:26.473359108 CEST	45872	23789	192.168.2.13	38.60.249.66
Oct 8, 2024 11:01:26.479290962 CEST	23789	45872	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:26.479408979 CEST	45872	23789	192.168.2.13	38.60.249.66
Oct 8, 2024 11:01:26.479429007 CEST	45872	23789	192.168.2.13	38.60.249.66
Oct 8, 2024 11:01:26.484386921 CEST	23789	45872	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:26.484658003 CEST	23789	45872	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:32.898464918 CEST	33650	49376	192.168.2.13	38.60.249.66
Oct 8, 2024 11:01:32.903908014 CEST	49376	33650	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:32.904006958 CEST	33650	49376	192.168.2.13	38.60.249.66
Oct 8, 2024 11:01:32.904026985 CEST	33650	49376	192.168.2.13	38.60.249.66
Oct 8, 2024 11:01:32.908844948 CEST	49376	33650	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:32.909178972 CEST	49376	33650	38.60.249.66	192.168.2.13
Oct 8, 2024 11:01:39.135612965 CEST	59640	42061	192.168.2.13	154.223.21.228
Oct 8, 2024 11:01:39.141096115 CEST	42061	59640	154.223.21.228	192.168.2.13
Oct 8, 2024 11:01:39.141179085 CEST	59640	42061	192.168.2.13	154.223.21.228
Oct 8, 2024 11:01:39.141257048 CEST	59640	42061	192.168.2.13	154.223.21.228
Oct 8, 2024 11:01:39.146703959 CEST	42061	59640	154.223.21.228	192.168.2.13
Oct 8, 2024 11:01:39.146734953 CEST	42061	59640	154.223.21.228	192.168.2.13
Oct 8, 2024 11:01:57.396297932 CEST	34828	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.401041985 CEST	53	34828	8.8.8.8	192.168.2.13
Oct 8, 2024 11:01:57.401103020 CEST	34828	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.401145935 CEST	34828	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.401159048 CEST	34828	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.405988932 CEST	53	34828	8.8.8.8	192.168.2.13
Oct 8, 2024 11:01:57.406002045 CEST	53	34828	8.8.8.8	192.168.2.13
Oct 8, 2024 11:01:57.406343937 CEST	53	34828	8.8.8.8	192.168.2.13
Oct 8, 2024 11:01:57.406506062 CEST	34830	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.411408901 CEST	53	34830	8.8.8.8	192.168.2.13
Oct 8, 2024 11:01:57.411494017 CEST	34830	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.411511898 CEST	34830	53	192.168.2.13	8.8.8.8
Oct 8, 2024 11:01:57.416389942 CEST	53	34830	8.8.8.8	192.168.2.13
Oct 8, 2024 11:01:57.416795015 CEST	53	34830	8.8.8.8	192.168.2.13
Oct 8, 2024 11:02:15.701662064 CEST	44592	38429	192.168.2.13	154.223.21.228
Oct 8, 2024 11:02:15.707048893 CEST	38429	44592	154.223.21.228	192.168.2.13
Oct 8, 2024 11:02:15.707103968 CEST	44592	38429	192.168.2.13	154.223.21.228
Oct 8, 2024 11:02:15.707129002 CEST	44592	38429	192.168.2.13	154.223.21.228
Oct 8, 2024 11:02:15.713946104 CEST	38429	44592	154.223.21.228	192.168.2.13
Oct 8, 2024 11:02:15.714143038 CEST	38429	44592	154.223.21.228	192.168.2.13
Oct 8, 2024 11:02:21.832966089 CEST	42616	61543	192.168.2.13	154.223.21.228
Oct 8, 2024 11:02:21.837927103 CEST	61543	42616	154.223.21.228	192.168.2.13
Oct 8, 2024 11:02:21.838023901 CEST	42616	61543	192.168.2.13	154.223.21.228
Oct 8, 2024 11:02:21.838134050 CEST	42616	61543	192.168.2.13	154.223.21.228
Oct 8, 2024 11:02:21.843029022 CEST	61543	42616	154.223.21.228	192.168.2.13
Oct 8, 2024 11:02:21.843306065 CEST	61543	42616	154.223.21.228	192.168.2.13
Oct 8, 2024 11:02:33.157241106 CEST	37806	46852	192.168.2.13	38.60.249.66
Oct 8, 2024 11:02:33.163033009 CEST	46852	37806	38.60.249.66	192.168.2.13
Oct 8, 2024 11:02:33.163115978 CEST	37806	46852	192.168.2.13	38.60.249.66
Oct 8, 2024 11:02:33.163162947 CEST	37806	46852	192.168.2.13	38.60.249.66
Oct 8, 2024 11:02:33.170403957 CEST	46852	37806	38.60.249.66	192.168.2.13
Oct 8, 2024 11:02:33.170599937 CEST	46852	37806	38.60.249.66	192.168.2.13
Oct 8, 2024 11:02:49.495203972 CEST	45888	23789	192.168.2.13	38.60.249.66
Oct 8, 2024 11:02:49.500128984 CEST	23789	45888	38.60.249.66	192.168.2.13
Oct 8, 2024 11:02:49.500219107 CEST	45888	23789	192.168.2.13	38.60.249.66
Oct 8, 2024 11:02:49.500269890 CEST	45888	23789	192.168.2.13	38.60.249.66
Oct 8, 2024 11:02:49.505145073 CEST	23789	45888	38.60.249.66	192.168.2.13
Oct 8, 2024 11:02:49.505480051 CEST	23789	45888	38.60.249.66	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:59:15.858530998 CEST	42691	53	192.168.2.13	185.84.81.194
Oct 8, 2024 10:59:15.869194031 CEST	53	42691	185.84.81.194	192.168.2.13
Oct 8, 2024 10:59:16.967469931 CEST	54757	5353	192.168.2.13	54.36.111.116
Oct 8, 2024 10:59:21.968847036 CEST	51832	53	192.168.2.13	130.61.64.122
Oct 8, 2024 10:59:21.975805998 CEST	53	51832	130.61.64.122	192.168.2.13
Oct 8, 2024 10:59:21.976844072 CEST	60472	53	192.168.2.13	130.61.64.122
Oct 8, 2024 10:59:21.983776093 CEST	53	60472	130.61.64.122	192.168.2.13
Oct 8, 2024 10:59:21.984771013 CEST	51096	53	192.168.2.13	63.231.92.27
Oct 8, 2024 10:59:26.991166115 CEST	53381	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 10:59:31.996440887 CEST	34275	53	192.168.2.13	185.84.81.194
Oct 8, 2024 10:59:32.041038990 CEST	53	34275	185.84.81.194	192.168.2.13
Oct 8, 2024 10:59:33.057658911 CEST	56975	53	192.168.2.13	130.61.64.122
Oct 8, 2024 10:59:33.064780951 CEST	53	56975	130.61.64.122	192.168.2.13
Oct 8, 2024 10:59:34.101810932 CEST	50608	5353	192.168.2.13	161.97.219.84
Oct 8, 2024 10:59:39.106060982 CEST	60996	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 10:59:44.109415054 CEST	45227	5353	192.168.2.13	185.84.81.194
Oct 8, 2024 10:59:49.114914894 CEST	39537	53	192.168.2.13	130.61.69.123
Oct 8, 2024 10:59:49.121944904 CEST	53	39537	130.61.69.123	192.168.2.13
Oct 8, 2024 10:59:50.137840033 CEST	45342	5353	192.168.2.13	130.61.64.122
Oct 8, 2024 10:59:55.142266035 CEST	57299	5353	192.168.2.13	54.36.111.116
Oct 8, 2024 11:00:00.145829916 CEST	52219	53	192.168.2.13	130.61.64.122
Oct 8, 2024 11:00:00.152765036 CEST	53	52219	130.61.64.122	192.168.2.13
Oct 8, 2024 11:00:00.154038906 CEST	42859	5353	192.168.2.13	192.3.165.37
Oct 8, 2024 11:00:00.676029921 CEST	5353	42859	192.3.165.37	192.168.2.13
Oct 8, 2024 11:00:00.678021908 CEST	50516	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:00:00.689341068 CEST	53	50516	116.203.104.203	192.168.2.13
Oct 8, 2024 11:00:00.690831900 CEST	59354	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:00:00.701328039 CEST	53	59354	116.203.104.203	192.168.2.13
Oct 8, 2024 11:00:00.702711105 CEST	49305	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 11:00:05.705758095 CEST	39665	53	192.168.2.13	130.61.64.122
Oct 8, 2024 11:00:05.713243008 CEST	53	39665	130.61.64.122	192.168.2.13
Oct 8, 2024 11:00:06.726416111 CEST	53321	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 11:00:11.730163097 CEST	37642	53	192.168.2.13	130.61.69.123
Oct 8, 2024 11:00:11.736984015 CEST	53	37642	130.61.69.123	192.168.2.13
Oct 8, 2024 11:00:11.738470078 CEST	60271	5353	192.168.2.13	161.97.219.84
Oct 8, 2024 11:00:16.745151997 CEST	34813	53	192.168.2.13	63.231.92.27
Oct 8, 2024 11:00:21.751787901 CEST	44489	53	192.168.2.13	54.36.111.116
Oct 8, 2024 11:00:21.758389950 CEST	38631	53	192.168.2.13	130.61.64.122
Oct 8, 2024 11:00:21.765355110 CEST	53	38631	130.61.64.122	192.168.2.13
Oct 8, 2024 11:00:22.778590918 CEST	43521	5353	192.168.2.13	54.36.111.116
Oct 8, 2024 11:00:27.782619953 CEST	55297	53	192.168.2.13	192.3.165.37
Oct 8, 2024 11:00:27.886667967 CEST	53	55297	192.3.165.37	192.168.2.13
Oct 8, 2024 11:00:27.889072895 CEST	36824	53	192.168.2.13	161.97.219.84
Oct 8, 2024 11:00:28.076123953 CEST	53	36824	161.97.219.84	192.168.2.13
Oct 8, 2024 11:00:28.077961922 CEST	42609	5353	192.168.2.13	116.203.104.203
Oct 8, 2024 11:00:33.082554102 CEST	40421	5353	192.168.2.13	192.3.165.37
Oct 8, 2024 11:00:38.086091995 CEST	47057	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 11:00:43.093581915 CEST	47473	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 11:00:48.098321915 CEST	43280	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:00:48.108365059 CEST	53	43280	116.203.104.203	192.168.2.13
Oct 8, 2024 11:00:49.121931076 CEST	48806	5353	192.168.2.13	116.203.104.203
Oct 8, 2024 11:00:54.126566887 CEST	53152	5353	192.168.2.13	192.3.165.37
Oct 8, 2024 11:00:59.132802963 CEST	40960	53	192.168.2.13	63.231.92.27
Oct 8, 2024 11:00:59.277915955 CEST	53	40960	63.231.92.27	192.168.2.13
Oct 8, 2024 11:00:59.279511929 CEST	57728	5353	192.168.2.13	192.3.165.37
Oct 8, 2024 11:01:04.282350063 CEST	54279	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:04.294223070 CEST	53	54279	116.203.104.203	192.168.2.13
Oct 8, 2024 11:01:04.295644045 CEST	50170	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 11:01:09.297843933 CEST	49398	5353	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:14.301953077 CEST	52029	53	192.168.2.13	185.84.81.194
Oct 8, 2024 11:01:14.321525097 CEST	53	52029	185.84.81.194	192.168.2.13
Oct 8, 2024 11:01:15.333857059 CEST	34353	5353	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:20.340353966 CEST	34369	5353	192.168.2.13	130.61.64.122
Oct 8, 2024 11:01:25.346447945 CEST	38945	53	192.168.2.13	185.84.81.194
Oct 8, 2024 11:01:25.357104063 CEST	53	38945	185.84.81.194	192.168.2.13
Oct 8, 2024 11:01:26.371840954 CEST	52518	53	192.168.2.13	192.3.165.37
Oct 8, 2024 11:01:26.472420931 CEST	53	52518	192.3.165.37	192.168.2.13
Oct 8, 2024 11:01:27.486666918 CEST	60957	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:27.543505907 CEST	53	60957	116.203.104.203	192.168.2.13
Oct 8, 2024 11:01:27.544744015 CEST	53582	53	192.168.2.13	63.231.92.27
Oct 8, 2024 11:01:27.689469099 CEST	53	53582	63.231.92.27	192.168.2.13
Oct 8, 2024 11:01:27.691077948 CEST	54321	53	192.168.2.13	162.243.19.47
Oct 8, 2024 11:01:27.782845020 CEST	53	54321	162.243.19.47	192.168.2.13
Oct 8, 2024 11:01:27.784034967 CEST	56556	5353	192.168.2.13	54.36.111.116
Oct 8, 2024 11:01:32.790425062 CEST	47438	53	192.168.2.13	162.243.19.47
Oct 8, 2024 11:01:32.875287056 CEST	53	47438	162.243.19.47	192.168.2.13
Oct 8, 2024 11:01:32.876682997 CEST	52607	53	192.168.2.13	185.84.81.194
Oct 8, 2024 11:01:32.886908054 CEST	53	52607	185.84.81.194	192.168.2.13
Oct 8, 2024 11:01:32.887954950 CEST	50392	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:32.898077011 CEST	53	50392	116.203.104.203	192.168.2.13
Oct 8, 2024 11:01:33.912195921 CEST	38396	5353	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:38.919152975 CEST	36585	53	192.168.2.13	192.3.165.37
Oct 8, 2024 11:01:39.017618895 CEST	53	36585	192.3.165.37	192.168.2.13
Oct 8, 2024 11:01:39.019489050 CEST	36677	53	192.168.2.13	54.36.111.116
Oct 8, 2024 11:01:39.026046991 CEST	47517	53	192.168.2.13	192.3.165.37
Oct 8, 2024 11:01:39.134597063 CEST	53	47517	192.3.165.37	192.168.2.13
Oct 8, 2024 11:01:40.149669886 CEST	46446	5353	192.168.2.13	130.61.64.122
Oct 8, 2024 11:01:45.156666994 CEST	33822	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:01:45.658046961 CEST	53	33822	116.203.104.203	192.168.2.13
Oct 8, 2024 11:01:45.659157038 CEST	55330	5353	192.168.2.13	192.3.165.37
Oct 8, 2024 11:01:50.662601948 CEST	41981	5353	192.168.2.13	130.61.69.123
Oct 8, 2024 11:01:55.669256926 CEST	54610	5353	192.168.2.13	130.61.69.123
Oct 8, 2024 11:01:57.406469107 CEST	59279	53	192.168.2.13	1.1.1.1
Oct 8, 2024 11:01:57.414047003 CEST	53	59279	1.1.1.1	192.168.2.13
Oct 8, 2024 11:01:57.416881084 CEST	46446	53	192.168.2.13	1.1.1.1
Oct 8, 2024 11:01:57.424880981 CEST	53	46446	1.1.1.1	192.168.2.13
Oct 8, 2024 11:02:00.674654961 CEST	58335	5353	192.168.2.13	162.243.19.47
Oct 8, 2024 11:02:05.678989887 CEST	43138	5353	192.168.2.13	130.61.69.123
Oct 8, 2024 11:02:10.686239004 CEST	41769	5353	192.168.2.13	130.61.64.122
Oct 8, 2024 11:02:15.690776110 CEST	58813	53	192.168.2.13	185.84.81.194
Oct 8, 2024 11:02:15.701101065 CEST	53	58813	185.84.81.194	192.168.2.13
Oct 8, 2024 11:02:16.717972040 CEST	56449	5353	192.168.2.13	130.61.64.122
Oct 8, 2024 11:02:21.723447084 CEST	33927	53	192.168.2.13	192.3.165.37
Oct 8, 2024 11:02:21.823518991 CEST	53	33927	192.3.165.37	192.168.2.13
Oct 8, 2024 11:02:21.825352907 CEST	40507	53	192.168.2.13	130.61.64.122
Oct 8, 2024 11:02:21.832218885 CEST	53	40507	130.61.64.122	192.168.2.13
Oct 8, 2024 11:02:22.846743107 CEST	39442	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:02:22.857048035 CEST	53	39442	116.203.104.203	192.168.2.13
Oct 8, 2024 11:02:22.858402967 CEST	38321	5353	192.168.2.13	161.97.219.84
Oct 8, 2024 11:02:27.861294031 CEST	55252	5353	192.168.2.13	63.231.92.27
Oct 8, 2024 11:02:32.868252993 CEST	44284	53	192.168.2.13	116.203.104.203
Oct 8, 2024 11:02:33.156251907 CEST	53	44284	116.203.104.203	192.168.2.13
Oct 8, 2024 11:02:34.173991919 CEST	41495	53	192.168.2.13	130.61.69.123
Oct 8, 2024 11:02:34.181627035 CEST	53	41495	130.61.69.123	192.168.2.13
Oct 8, 2024 11:02:34.183274031 CEST	38886	5353	192.168.2.13	185.84.81.194
Oct 8, 2024 11:02:39.190208912 CEST	52339	5353	192.168.2.13	54.36.111.116
Oct 8, 2024 11:02:44.195240974 CEST	34580	53	192.168.2.13	161.97.219.84
Oct 8, 2024 11:02:44.380104065 CEST	53	34580	161.97.219.84	192.168.2.13
Oct 8, 2024 11:02:44.381880999 CEST	54405	53	192.168.2.13	192.3.165.37
Oct 8, 2024 11:02:44.481692076 CEST	53	54405	192.3.165.37	192.168.2.13
Oct 8, 2024 11:02:44.482814074 CEST	47396	5353	192.168.2.13	185.84.81.194
Oct 8, 2024 11:02:49.487138987 CEST	60100	53	192.168.2.13	130.61.69.123
Oct 8, 2024 11:02:49.494661093 CEST	53	60100	130.61.69.123	192.168.2.13

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 8, 2024 11:00:21.757155895 CEST	54.36.111.116	192.168.2.13	6584	(Port unreachable)	Destination Unreachable
Oct 8, 2024 11:01:39.024661064 CEST	54.36.111.116	192.168.2.13	6584	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 10:59:15.858530998 CEST	192.168.2.13	185.84.81.194	0x21af	Standard query (0)	subcarrace.indy	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:21.968847036 CEST	192.168.2.13	130.61.64.122	0x62ce	Standard query (0)	kr3ddnsnet1.indy. [malformed]	256	361	false
Oct 8, 2024 10:59:21.976844072 CEST	192.168.2.13	130.61.64.122	0x3701	Standard query (0)	75cents.libre. [malformed]	256	361	false
Oct 8, 2024 10:59:21.984771013 CEST	192.168.2.13	63.231.92.27	0xae8	Standard query (0)	fortyfivehundred.dyn	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:31.996440887 CEST	192.168.2.13	185.84.81.194	0x9d68	Standard query (0)	imaverygoodbadboy.libre	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:33.057658911 CEST	192.168.2.13	130.61.64.122	0xa40e	Standard query (0)	imaverygoodbadboy.libre	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:49.114914894 CEST	192.168.2.13	130.61.69.123	0x5d50	Standard query (0)	imaverygoodbadboy.libre	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:00.145829916 CEST	192.168.2.13	130.61.64.122	0x42f9	Standard query (0)	2joints.libre. [malformed]	256	400	false
Oct 8, 2024 11:00:00.678021908 CEST	192.168.2.13	116.203.104.203	0x4de3	Standard query (0)	kr3ddnsnet1.indy. [malformed]	256	400	false
Oct 8, 2024 11:00:00.690831900 CEST	192.168.2.13	116.203.104.203	0x46ee	Standard query (0)	kr2ddnsnet.dyn. [malformed]	256	400	false
Oct 8, 2024 11:00:05.705758095 CEST	192.168.2.13	130.61.64.122	0xf562	Standard query (0)	r3racegame.indy	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:11.730163097 CEST	192.168.2.13	130.61.69.123	0x4df4	Standard query (0)	kr2ddnsnet.dyn. [malformed]	256	411	false
Oct 8, 2024 11:00:16.745151997 CEST	192.168.2.13	63.231.92.27	0xf18a	Standard query (0)	fortyfivehundred.dyn	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:21.751787901 CEST	192.168.2.13	54.36.111.116	0x987f	Standard query (0)	krddnsnet.dyn. [malformed]	256	421	false
Oct 8, 2024 11:00:21.758389950 CEST	192.168.2.13	130.61.64.122	0x6dd0	Standard query (0)	imaverygoodbadboy.libre	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:27.782619953 CEST	192.168.2.13	192.3.165.37	0x9b2a	Standard query (0)	krddnsnet.dyn. [malformed]	256	427	false
Oct 8, 2024 11:00:27.889072895 CEST	192.168.2.13	161.97.219.84	0xa1cc	Standard query (0)	krddnsnet.dyn. [malformed]	256	428	false
Oct 8, 2024 11:00:48.098321915 CEST	192.168.2.13	116.203.104.203	0x8822	Standard query (0)	eighteen.pirate	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:59.132802963 CEST	192.168.2.13	63.231.92.27	0x3fad	Standard query (0)	fortyfivehundred.dyn. [malformed]	256	459	false
Oct 8, 2024 11:01:04.282350063 CEST	192.168.2.13	116.203.104.203	0xb86a	Standard query (0)	nineteen.libre. [malformed]	256	464	false
Oct 8, 2024 11:01:14.301953077 CEST	192.168.2.13	185.84.81.194	0x8cf0	Standard query (0)	kr3ddnsnet1.indy	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:25.346447945 CEST	192.168.2.13	185.84.81.194	0x2286	Standard query (0)	kr2ddnsnet.dyn	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:26.371840954 CEST	192.168.2.13	192.3.165.37	0xe851	Standard query (0)	eighteen.pirate	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:27.486666918 CEST	192.168.2.13	116.203.104.203	0x61e3	Standard query (0)	kr2ddnsnet.dyn. [malformed]	256	487	false
Oct 8, 2024 11:01:27.544744015 CEST	192.168.2.13	63.231.92.27	0x7d3	Standard query (0)	nineteen.libre. [malformed]	256	487	false
Oct 8, 2024 11:01:27.691077948 CEST	192.168.2.13	162.243.19.47	0x14ba	Standard query (0)	75cents.libre. [malformed]	256	487	false
Oct 8, 2024 11:01:32.790425062 CEST	192.168.2.13	162.243.19.47	0xfa65	Standard query (0)	imaverygoodbadboy.libre. [malformed]	256	492	false
Oct 8, 2024 11:01:32.876682997 CEST	192.168.2.13	185.84.81.194	0xcd81	Standard query (0)	kr2ddnsnet.dyn. [malformed]	256	492	false
Oct 8, 2024 11:01:32.887954950 CEST	192.168.2.13	116.203.104.203	0xbb5	Standard query (0)	eighteen.pirate	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:38.919152975 CEST	192.168.2.13	192.3.165.37	0xa67f	Standard query (0)	r3racegame.indy. [malformed]	256	499	false
Oct 8, 2024 11:01:39.019489050 CEST	192.168.2.13	54.36.111.116	0xbd19	Standard query (0)	2joints.libre. [malformed]	256	499	false
Oct 8, 2024 11:01:39.026046991 CEST	192.168.2.13	192.3.165.37	0xeb48	Standard query (0)	subcarrace.indy	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:45.156666994 CEST	192.168.2.13	116.203.104.203	0x896a	Standard query (0)	75cents.libre. [malformed]	256	505	false
Oct 8, 2024 11:01:57.401145935 CEST	192.168.2.13	8.8.8.8	0x270f	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:57.401159048 CEST	192.168.2.13	8.8.8.8	0xfc47	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Oct 8, 2024 11:01:57.406469107 CEST	192.168.2.13	1.1.1.1	0xfc47	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false
Oct 8, 2024 11:01:57.411511898 CEST	192.168.2.13	8.8.8.8	0x270f	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:57.416881084 CEST	192.168.2.13	1.1.1.1	0x270f	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:15.690776110 CEST	192.168.2.13	185.84.81.194	0x11d4	Standard query (0)	r3racegame.indy	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:21.723447084 CEST	192.168.2.13	192.3.165.37	0x8628	Standard query (0)	2joints.libre. [malformed]	256	285	false
Oct 8, 2024 11:02:21.825352907 CEST	192.168.2.13	130.61.64.122	0x72f	Standard query (0)	r3racegame.indy	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:22.846743107 CEST	192.168.2.13	116.203.104.203	0x1d68	Standard query (0)	21savage.dyn. [malformed]	256	286	false
Oct 8, 2024 11:02:32.868252993 CEST	192.168.2.13	116.203.104.203	0x5c4e	Standard query (0)	nineteen.libre	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:34.173991919 CEST	192.168.2.13	130.61.69.123	0x6574	Standard query (0)	krddnsnet.dyn. [malformed]	256	298	false
Oct 8, 2024 11:02:44.195240974 CEST	192.168.2.13	161.97.219.84	0xfa83	Standard query (0)	21savage.dyn. [malformed]	256	308	false
Oct 8, 2024 11:02:44.381880999 CEST	192.168.2.13	192.3.165.37	0x7a3d	Standard query (0)	fortyfivehundred.dyn. [malformed]	256	308	false
Oct 8, 2024 11:02:49.487138987 CEST	192.168.2.13	130.61.69.123	0xd640	Standard query (0)	eighteen.pirate	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 10:59:15.869194031 CEST	185.84.81.194	192.168.2.13	0x21af	No error (0)	subcarrace.indy	154.223.21.228	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:32.041038990 CEST	185.84.81.194	192.168.2.13	0x9d68	No error (0)	imaverygoodbadboy.libre	154.205.144.234	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:33.064780951 CEST	130.61.64.122	192.168.2.13	0xa40e	No error (0)	imaverygoodbadboy.libre	154.205.144.234	A (IP address)	IN (0x0001)	false
Oct 8, 2024 10:59:49.121944904 CEST	130.61.69.123	192.168.2.13	0x5d50	No error (0)	imaverygoodbadboy.libre	154.205.144.234	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:05.713243008 CEST	130.61.64.122	192.168.2.13	0xf562	No error (0)	r3racegame.indy	154.223.21.228	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:21.765355110 CEST	130.61.64.122	192.168.2.13	0x6dd0	No error (0)	imaverygoodbadboy.libre	154.205.144.234	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:00:48.108365059 CEST	116.203.104.203	192.168.2.13	0x8822	No error (0)	eighteen.pirate	38.60.249.66	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:14.321525097 CEST	185.84.81.194	192.168.2.13	0x8cf0	No error (0)	kr3ddnsnet1.indy	154.223.21.228	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:25.357104063 CEST	185.84.81.194	192.168.2.13	0x2286	No error (0)	kr2ddnsnet.dyn	154.90.62.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:26.472420931 CEST	192.3.165.37	192.168.2.13	0xe851	No error (0)	eighteen.pirate	38.60.249.66	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:32.898077011 CEST	116.203.104.203	192.168.2.13	0xbb5	No error (0)	eighteen.pirate	38.60.249.66	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:39.134597063 CEST	192.3.165.37	192.168.2.13	0xeb48	No error (0)	subcarrace.indy	154.223.21.228	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:57.424880981 CEST	1.1.1.1	192.168.2.13	0x270f	No error (0)	daisy.ubuntu.com	162.213.35.24	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:01:57.424880981 CEST	1.1.1.1	192.168.2.13	0x270f	No error (0)	daisy.ubuntu.com	162.213.35.25	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:15.701101065 CEST	185.84.81.194	192.168.2.13	0x11d4	No error (0)	r3racegame.indy	154.223.21.228	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:21.832218885 CEST	130.61.64.122	192.168.2.13	0x72f	No error (0)	r3racegame.indy	154.223.21.228	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:33.156251907 CEST	116.203.104.203	192.168.2.13	0x5c4e	No error (0)	nineteen.libre	38.60.249.66	A (IP address)	IN (0x0001)	false
Oct 8, 2024 11:02:49.494661093 CEST	130.61.69.123	192.168.2.13	0xd640	No error (0)	eighteen.pirate	38.60.249.66	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: na.elf PID: 5730, Parent PID: 5528

General

Start time (UTC):	08:59:13
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5732, Parent PID: 5730

General

Start time (UTC):	08:59:14
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: na.elf PID: 5735, Parent PID: 5730

General

Start time (UTC):	08:59:14
Start date (UTC):	08/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: systemd PID: 5774, Parent PID: 1

General

Start time (UTC):	08:59:51
Start date (UTC):	08/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snap-failure PID: 5774, Parent PID: 1

General

Start time (UTC):	08:59:51
Start date (UTC):	08/10/2024
Path:	/usr/lib/snapd/snap-failure
Arguments:	/usr/lib/snapd/snap-failure snapd
File size:	4764904 bytes
MD5 hash:	69136a7d575731ce62349f2e4d3e5c36

Chronological Activities

Analysis Process: snap-failure PID: 5787, Parent PID: 5774

General

Start time (UTC):	08:59:51
Start date (UTC):	08/10/2024
Path:	/usr/lib/snapd/snap-failure
Arguments:	-
File size:	4764904 bytes
MD5 hash:	69136a7d575731ce62349f2e4d3e5c36

Chronological Activities

Analysis Process: systemctl PID: 5787, Parent PID: 5774

General

Start time (UTC):	08:59:51
Start date (UTC):	08/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl stop snapd.socket
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: snap-failure PID: 5788, Parent PID: 5774

General

Start time (UTC):	08:59:51
Start date (UTC):	08/10/2024
Path:	/usr/lib/snapd/snap-failure
Arguments:	-
File size:	4764904 bytes
MD5 hash:	69136a7d575731ce62349f2e4d3e5c36

Source: na.elf	ReversingLabs: Detection: 36%
Source: na.elf	Virustotal: Detection: 14%			Perma Link

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: na.elf PID: 5730, Parent PID: 5528

General

Chronological Activities

Analysis Process: na.elf PID: 5732, Parent PID: 5730

General

Chronological Activities

Analysis Process: na.elf PID: 5735, Parent PID: 5730

General

Chronological Activities

Analysis Process: systemd PID: 5774, Parent PID: 1

General

Chronological Activities

Analysis Process: snap-failure PID: 5774, Parent PID: 1

General

Chronological Activities

Analysis Process: snap-failure PID: 5787, Parent PID: 5774

General

Chronological Activities

Analysis Process: systemctl PID: 5787, Parent PID: 5774

General

Chronological Activities

Analysis Process: snap-failure PID: 5788, Parent PID: 5774

Linux Analysis Report
na.elf