Edit tour

Linux Analysis Report
vwkjebwi686.elf

Overview

General Information

Sample name:	vwkjebwi686.elf
Analysis ID:	1541232
MD5:	27003f9fb179560f2e11332739d43e99
SHA1:	c3931743b3e3519b3a0791990179475592340ddd
SHA256:	98ece0b04ea95bccb968941630f024879207d8e9d4cb4491211ed6d3104c95eb
Tags:	user-elfdigest
Infos:

Detection

Mirai, Okiru

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Yara detected Okiru

Machine Learning detection for sample

Sample deletes itself

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541232
Start date and time:	2024-10-24 15:41:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	vwkjebwi686.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@26/0

Runtime Messages

Command:	/tmp/vwkjebwi686.elf
PID:	6265
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

vwkjebwi686.elf (PID: 6265, Parent: 6188, MD5: 27003f9fb179560f2e11332739d43e99) Arguments: /tmp/vwkjebwi686.elf

vwkjebwi686.elf New Fork (PID: 6266, Parent: 6265)

vwkjebwi686.elf New Fork (PID: 6267, Parent: 6266)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vwkjebwi686.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
vwkjebwi686.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
vwkjebwi686.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x13328:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1333c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1338c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1342c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1347c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x134a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x134b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
vwkjebwi686.elf	Linux_Trojan_Mirai_268aac0b	unknown	unknown	0x6caf:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
vwkjebwi686.elf	Linux_Trojan_Mirai_0cb1699c	unknown	unknown	0x6c62:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
vwkjebwi686.elf	Linux_Trojan_Mirai_70ef58f1	unknown	unknown	0x85fd:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C 0x869d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
vwkjebwi686.elf	Linux_Trojan_Mirai_2e3f67a9	unknown	unknown	0x582:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44 0x5e2:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44
vwkjebwi686.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x8b32:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
vwkjebwi686.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xd8ad:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6265.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6265.1.0000000008048000.000000000805e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x13328:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1333c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1338c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1342c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1347c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x134a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x134b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_268aac0b	unknown	unknown	0x6caf:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_0cb1699c	unknown	unknown	0x6c62:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_70ef58f1	unknown	unknown	0x85fd:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C 0x869d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_2e3f67a9	unknown	unknown	0x582:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44 0x5e2:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x8b32:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6265.1.0000000008048000.000000000805e000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xd8ad:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Process Memory Space: vwkjebwi686.elf PID: 6265	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: vwkjebwi686.elf PID: 6265	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: vwkjebwi686.elf PID: 6265	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x66d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x681:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x695:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6bd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6e5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x70d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x721:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x735:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x749:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x75d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x771:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x785:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x799:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vwkjebwi686.elf

Avira: detected

Machine Learning detection for sample

Source: vwkjebwi686.elf

Joe Sandbox ML: detected

Source: vwkjebwi686.elf

String: /proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverraw.eye-network.ruabcdefghijklmnopqrstuvwxyz/proc/%d/proc/self/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: raw.eye-network.ru. [malformed]

Source: global traffic

TCP traffic: 192.168.2.23:59020 -> 213.232.235.18:33966

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic	DNS traffic detected: DNS query: raw.eye-network.ru
Source: global traffic	DNS traffic detected: DNS query: raw.eye-network.ru. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_268aac0b Author: unknown
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_0cb1699c Author: unknown
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_70ef58f1 Author: unknown
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_2e3f67a9 Author: unknown
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_268aac0b Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0cb1699c Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_70ef58f1 Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_2e3f67a9 Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: Process Memory Space: vwkjebwi686.elf PID: 6265, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverraw.eye-network.ruabcdefghijklmnopqrstuvwxyz/proc/%d/proc/self/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt

Source: ELF static info symbol of initial sample

.symtab present: no

Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_268aac0b reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_0cb1699c reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_70ef58f1 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_2e3f67a9 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: vwkjebwi686.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_268aac0b reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0cb1699c reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_70ef58f1 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_2e3f67a9 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: Process Memory Space: vwkjebwi686.elf PID: 6265, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@26/0

Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/4509/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1477/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/379/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1476/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/6249/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/6248/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/4502/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/2208/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/4506/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/vwkjebwi686.elf (PID: 6267)	File opened: /proc/6267/cmdline	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/vwkjebwi686.elf (PID: 6266)

File: /tmp/vwkjebwi686.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: vwkjebwi686.elf, type: SAMPLE
Source: Yara match	File source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vwkjebwi686.elf PID: 6265, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: vwkjebwi686.elf, type: SAMPLE
Source: Yara match	File source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vwkjebwi686.elf PID: 6265, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: vwkjebwi686.elf, type: SAMPLE
Source: Yara match	File source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vwkjebwi686.elf PID: 6265, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: vwkjebwi686.elf, type: SAMPLE
Source: Yara match	File source: 6265.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vwkjebwi686.elf PID: 6265, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 File Deletion	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vwkjebwi686.elf	100%	Avira	EXP/ELF.Mirai.Z.A
vwkjebwi686.elf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.eye-network.ru	213.232.235.18	true	true		unknown
raw.eye-network.ru. [malformed]	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
213.232.235.18	raw.eye-network.ru	Russian Federation	39824	ALMANET-ASKZ	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.232.235.18	dvwkja7.elf	Get hash	malicious	Mirai, Okiru	Browse
	wheiuwa4.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	qkbfi86.elf	Get hash	malicious	Mirai, Okiru	Browse
	vsbeps.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse
	qkbfi86.elf	Get hash	malicious	Mirai	Browse
	vsbeps.elf	Get hash	malicious	Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	arm7.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	mozi.m.elf	Get hash	malicious	Unknown	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	i486.elf	Get hash	malicious	Unknown	Browse
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse
	nsharm6.elf	Get hash	malicious	Mirai	Browse
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	arm7.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	mozi.m.elf	Get hash	malicious	Unknown	Browse
	tftp.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	i486.elf	Get hash	malicious	Unknown	Browse
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse
	nsharm6.elf	Get hash	malicious	Mirai	Browse
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.eye-network.ru	vsbeps.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	vsbeps.elf	Get hash	malicious	Mirai	Browse	213.232.235.18
	mhmdm9Hb6i.elf	Get hash	malicious	Mirai	Browse	213.130.144.69

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	arm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	tftp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i686.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	i486.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	arm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	tftp.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	i686.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	i486.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
ALMANET-ASKZ	dvwkja7.elf	Get hash	malicious	Mirai, Okiru	Browse	213.232.235.18
	wheiuwa4.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	qkbfi86.elf	Get hash	malicious	Mirai, Okiru	Browse	213.232.235.18
	vsbeps.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	213.232.235.18
	qkbfi86.elf	Get hash	malicious	Mirai	Browse	213.232.235.18
	vsbeps.elf	Get hash	malicious	Mirai	Browse	213.232.235.18
	192.142.103.80-x86-2024-08-09T11_47_41.elf	Get hash	malicious	Unknown	Browse	185.102.119.37
	WE4VRokml7.elf	Get hash	malicious	Mirai, Moobot	Browse	185.100.226.244
	SecuriteInfo.com.Trojan.DownLoader46.58639.512.14557.exe	Get hash	malicious	PureLog Stealer	Browse	213.232.235.96
INIT7CH	arm7.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mozi.m.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	tftp.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	i486.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	nsharm6.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.770865465340361
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	vwkjebwi686.elf
File size:	105'832 bytes
MD5:	27003f9fb179560f2e11332739d43e99
SHA1:	c3931743b3e3519b3a0791990179475592340ddd
SHA256:	98ece0b04ea95bccb968941630f024879207d8e9d4cb4491211ed6d3104c95eb
SHA512:	2835f8e51a72503cf79b5e5193854a6f707e3596095c24e893246509b08a18c40438fb679f17c9042d460b664344ffb9dc2a40394eb471a7d2def6d11b3d654e
SSDEEP:	1536:wRIKmlINCBZNjhju7+B0BVaBg32beHbXWiKlWcOAgJ31Vxvr:weKmqNCZdy7tVaBg32SqFlWcOAQr
TLSH:	6CA349C0F547C1F6D483493101AAF73FDE31D4694071DA6EEF69AF36EA27882920A65C
File Content Preview:	.ELF....................h...4...........4. ...(......................S...S...............S...........G..............Q.td............................U..S.......3c...h.....*..[]...$.............U......=.+...t..1...................u........t...$............+

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048168
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	105432
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x12ae1	0x0	0x6	AX	16
.fini	PROGBITS	0x805ab91	0x12b91	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x805abc0	0x12bc0	0x27f3	0x0	0x2	A	32
.ctors	PROGBITS	0x805e3b8	0x153b8	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x805e3c4	0x153c4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805e3e0	0x153e0	0x47b8	0x0	0x3	WA	32
.bss	NOBITS	0x8062ba0	0x19b98	0x49ec	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x19b98	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x153b3	0x153b3	6.4795	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x153b8	0x805e3b8	0x805e3b8	0x47e0	0x91d4	0.4191	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 15:42:04.086604118 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 24, 2024 15:42:05.544476986 CEST	59020	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:05.549870014 CEST	33966	59020	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:05.549931049 CEST	59020	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:05.549952030 CEST	59020	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:05.555236101 CEST	33966	59020	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:05.555290937 CEST	59020	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:05.560868979 CEST	33966	59020	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:06.646291018 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 24, 2024 15:42:09.717804909 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 24, 2024 15:42:24.307833910 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 24, 2024 15:42:25.361548901 CEST	33966	59020	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:25.361689091 CEST	59020	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:25.367089033 CEST	33966	59020	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:26.511265993 CEST	59022	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:26.518426895 CEST	33966	59022	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:26.518558979 CEST	59022	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:26.518558979 CEST	59022	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:26.523930073 CEST	33966	59022	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:26.524022102 CEST	59022	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:26.532761097 CEST	33966	59022	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:27.419969082 CEST	33966	59022	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:27.420130968 CEST	59022	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:27.420180082 CEST	59022	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:27.492925882 CEST	59024	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:27.498282909 CEST	33966	59024	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:27.498337984 CEST	59024	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:27.498363018 CEST	59024	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:27.503990889 CEST	33966	59024	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:27.504034996 CEST	59024	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:27.509497881 CEST	33966	59024	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:28.383930922 CEST	33966	59024	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:28.384063959 CEST	59024	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:28.384063959 CEST	59024	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:28.462004900 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:28.467633009 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:28.467690945 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:28.467715979 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:28.473167896 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:28.473229885 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:42:28.478650093 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:42:36.594084978 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 24, 2024 15:42:36.594109058 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 24, 2024 15:43:05.262276888 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 24, 2024 15:43:28.507014036 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:28.512722969 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:43:38.513530970 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:38.519241095 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:43:52.052391052 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:43:52.052793026 CEST	59026	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:52.058316946 CEST	33966	59026	213.232.235.18	192.168.2.23
Oct 24, 2024 15:43:53.133949995 CEST	59028	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:53.140069008 CEST	33966	59028	213.232.235.18	192.168.2.23
Oct 24, 2024 15:43:53.140152931 CEST	59028	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:53.140208960 CEST	59028	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:53.146203041 CEST	33966	59028	213.232.235.18	192.168.2.23
Oct 24, 2024 15:43:53.146275997 CEST	59028	33966	192.168.2.23	213.232.235.18
Oct 24, 2024 15:43:53.152270079 CEST	33966	59028	213.232.235.18	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 15:42:05.497639894 CEST	56691	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:05.508690119 CEST	53	56691	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:05.508780003 CEST	37024	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:05.515980005 CEST	53	37024	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:05.516056061 CEST	43686	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:05.523073912 CEST	53	43686	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:05.523133993 CEST	49652	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:05.530002117 CEST	53	49652	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:05.530062914 CEST	52264	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:05.537489891 CEST	53	52264	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:05.537550926 CEST	33569	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:05.544410944 CEST	53	33569	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.363091946 CEST	35386	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.434578896 CEST	53	35386	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.434743881 CEST	54489	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.445259094 CEST	53	54489	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.445404053 CEST	52707	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.452487946 CEST	53	52707	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.452580929 CEST	38706	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.461374044 CEST	53	38706	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.461464882 CEST	36643	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.468734980 CEST	53	36643	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.468875885 CEST	47371	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.475742102 CEST	53	47371	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.475831032 CEST	41690	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.483196974 CEST	53	41690	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.483283997 CEST	49341	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.492512941 CEST	53	49341	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.492600918 CEST	55454	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.502217054 CEST	53	55454	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:26.502296925 CEST	48302	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:26.511172056 CEST	53	48302	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.420289040 CEST	57576	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.428196907 CEST	53	57576	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.428296089 CEST	33817	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.435921907 CEST	53	33817	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.436117887 CEST	52569	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.443536997 CEST	53	52569	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.443614960 CEST	60349	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.450474977 CEST	53	60349	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.450546980 CEST	56378	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.457184076 CEST	53	56378	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.457298994 CEST	39939	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.464252949 CEST	53	39939	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.464339018 CEST	44400	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.471676111 CEST	53	44400	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.471745968 CEST	51836	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.478800058 CEST	53	51836	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.478871107 CEST	37401	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.485830069 CEST	53	37401	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:27.485903025 CEST	34190	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:27.492854118 CEST	53	34190	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.384218931 CEST	43449	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.391105890 CEST	53	43449	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.391385078 CEST	45017	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.398694992 CEST	53	45017	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.398890018 CEST	60998	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.405899048 CEST	53	60998	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.406142950 CEST	49672	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.414158106 CEST	53	49672	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.414246082 CEST	35959	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.423661947 CEST	53	35959	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.423875093 CEST	44714	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.432977915 CEST	53	44714	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.433064938 CEST	54008	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.440138102 CEST	53	54008	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.440205097 CEST	36220	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.447581053 CEST	53	36220	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.447645903 CEST	46280	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.454968929 CEST	53	46280	8.8.8.8	192.168.2.23
Oct 24, 2024 15:42:28.455034018 CEST	58997	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:42:28.461882114 CEST	53	58997	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.055133104 CEST	35578	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.062809944 CEST	53	35578	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.062969923 CEST	48467	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.070493937 CEST	53	48467	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.070620060 CEST	38792	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.080923080 CEST	53	38792	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.081156015 CEST	39294	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.088239908 CEST	53	39294	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.088345051 CEST	47807	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.095776081 CEST	53	47807	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.095882893 CEST	47224	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.102754116 CEST	53	47224	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.102864981 CEST	42491	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.110608101 CEST	53	42491	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.110704899 CEST	60221	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.118431091 CEST	53	60221	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.118532896 CEST	48365	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.126080036 CEST	53	48365	8.8.8.8	192.168.2.23
Oct 24, 2024 15:43:53.126177073 CEST	59475	53	192.168.2.23	8.8.8.8
Oct 24, 2024 15:43:53.133824110 CEST	53	59475	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 15:42:05.497639894 CEST	192.168.2.23	8.8.8.8	0xb1f7	Standard query (0)	raw.eye-network.ru	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:42:05.508780003 CEST	192.168.2.23	8.8.8.8	0x3a1	Standard query (0)	raw.eye-network.ru. [malformed]	256	429	false
Oct 24, 2024 15:42:05.516056061 CEST	192.168.2.23	8.8.8.8	0x3a1	Standard query (0)	raw.eye-network.ru. [malformed]	256	429	false
Oct 24, 2024 15:42:05.523133993 CEST	192.168.2.23	8.8.8.8	0x3a1	Standard query (0)	raw.eye-network.ru. [malformed]	256	429	false
Oct 24, 2024 15:42:05.530062914 CEST	192.168.2.23	8.8.8.8	0x3a1	Standard query (0)	raw.eye-network.ru. [malformed]	256	429	false
Oct 24, 2024 15:42:05.537550926 CEST	192.168.2.23	8.8.8.8	0x3a1	Standard query (0)	raw.eye-network.ru. [malformed]	256	429	false
Oct 24, 2024 15:42:26.468875885 CEST	192.168.2.23	8.8.8.8	0x633f	Standard query (0)	raw.eye-network.ru. [malformed]	256	450	false
Oct 24, 2024 15:42:26.475831032 CEST	192.168.2.23	8.8.8.8	0x633f	Standard query (0)	raw.eye-network.ru. [malformed]	256	450	false
Oct 24, 2024 15:42:26.483283997 CEST	192.168.2.23	8.8.8.8	0x633f	Standard query (0)	raw.eye-network.ru. [malformed]	256	450	false
Oct 24, 2024 15:42:26.492600918 CEST	192.168.2.23	8.8.8.8	0x633f	Standard query (0)	raw.eye-network.ru. [malformed]	256	450	false
Oct 24, 2024 15:42:26.502296925 CEST	192.168.2.23	8.8.8.8	0x633f	Standard query (0)	raw.eye-network.ru. [malformed]	256	450	false
Oct 24, 2024 15:42:27.457298994 CEST	192.168.2.23	8.8.8.8	0xa0ec	Standard query (0)	raw.eye-network.ru. [malformed]	256	451	false
Oct 24, 2024 15:42:27.464339018 CEST	192.168.2.23	8.8.8.8	0xa0ec	Standard query (0)	raw.eye-network.ru. [malformed]	256	451	false
Oct 24, 2024 15:42:27.471745968 CEST	192.168.2.23	8.8.8.8	0xa0ec	Standard query (0)	raw.eye-network.ru. [malformed]	256	451	false
Oct 24, 2024 15:42:27.478871107 CEST	192.168.2.23	8.8.8.8	0xa0ec	Standard query (0)	raw.eye-network.ru. [malformed]	256	451	false
Oct 24, 2024 15:42:27.485903025 CEST	192.168.2.23	8.8.8.8	0xa0ec	Standard query (0)	raw.eye-network.ru. [malformed]	256	451	false
Oct 24, 2024 15:42:28.423875093 CEST	192.168.2.23	8.8.8.8	0x7015	Standard query (0)	raw.eye-network.ru. [malformed]	256	452	false
Oct 24, 2024 15:42:28.433064938 CEST	192.168.2.23	8.8.8.8	0x7015	Standard query (0)	raw.eye-network.ru. [malformed]	256	452	false
Oct 24, 2024 15:42:28.440205097 CEST	192.168.2.23	8.8.8.8	0x7015	Standard query (0)	raw.eye-network.ru. [malformed]	256	452	false
Oct 24, 2024 15:42:28.447645903 CEST	192.168.2.23	8.8.8.8	0x7015	Standard query (0)	raw.eye-network.ru. [malformed]	256	452	false
Oct 24, 2024 15:42:28.455034018 CEST	192.168.2.23	8.8.8.8	0x7015	Standard query (0)	raw.eye-network.ru. [malformed]	256	452	false
Oct 24, 2024 15:43:53.095882893 CEST	192.168.2.23	8.8.8.8	0x33c2	Standard query (0)	raw.eye-network.ru. [malformed]	256	281	false
Oct 24, 2024 15:43:53.102864981 CEST	192.168.2.23	8.8.8.8	0x33c2	Standard query (0)	raw.eye-network.ru. [malformed]	256	281	false
Oct 24, 2024 15:43:53.110704899 CEST	192.168.2.23	8.8.8.8	0x33c2	Standard query (0)	raw.eye-network.ru. [malformed]	256	281	false
Oct 24, 2024 15:43:53.118532896 CEST	192.168.2.23	8.8.8.8	0x33c2	Standard query (0)	raw.eye-network.ru. [malformed]	256	281	false
Oct 24, 2024 15:43:53.126177073 CEST	192.168.2.23	8.8.8.8	0x33c2	Standard query (0)	raw.eye-network.ru. [malformed]	256	281	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 15:42:05.508690119 CEST	8.8.8.8	192.168.2.23	0xb1f7	No error (0)	raw.eye-network.ru		213.232.235.18	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: vwkjebwi686.elf PID: 6265, Parent PID: 6188

General

Start time (UTC):	13:42:04
Start date (UTC):	24/10/2024
Path:	/tmp/vwkjebwi686.elf
Arguments:	/tmp/vwkjebwi686.elf
File size:	105832 bytes
MD5 hash:	27003f9fb179560f2e11332739d43e99

Start time (UTC):	13:42:04
Start date (UTC):	24/10/2024
Path:	/tmp/vwkjebwi686.elf
Arguments:	-
File size:	105832 bytes
MD5 hash:	27003f9fb179560f2e11332739d43e99

Start time (UTC):	13:42:04
Start date (UTC):	24/10/2024
Path:	/tmp/vwkjebwi686.elf
Arguments:	-
File size:	105832 bytes
MD5 hash:	27003f9fb179560f2e11332739d43e99

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report vwkjebwi686.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: vwkjebwi686.elf PID: 6265, Parent PID: 6188

General

Chronological Activities

Analysis Process: vwkjebwi686.elf PID: 6266, Parent PID: 6265

General

Chronological Activities

Analysis Process: vwkjebwi686.elf PID: 6267, Parent PID: 6266

General

Chronological Activities

Linux Analysis Report
vwkjebwi686.elf