Edit tour

Linux Analysis Report
9j7cNZuGBt.elf

Overview

General Information

Sample name:	9j7cNZuGBt.elf renamed because original name is a hash value
Original sample name:	98d55377310fd5d430c800d59c97112a.elf
Analysis ID:	1417488
MD5:	98d55377310fd5d430c800d59c97112a
SHA1:	ba5e5458f6af66f1d8b86d2166a83435bb74403b
SHA256:	d246880f2ab4b4f69d56cf261b07689c22359618f2811ed83026b395a05f23ad
Tags:	32elfintelmirai
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417488
Start date and time:	2024-03-29 12:59:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	9j7cNZuGBt.elf renamed because original name is a hash value
Original Sample Name:	98d55377310fd5d430c800d59c97112a.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/0@17/0

Runtime Messages

Command:	/tmp/9j7cNZuGBt.elf
PID:	5485
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

9j7cNZuGBt.elf (PID: 5485, Parent: 5403, MD5: 98d55377310fd5d430c800d59c97112a) Arguments: /tmp/9j7cNZuGBt.elf

9j7cNZuGBt.elf New Fork (PID: 5486, Parent: 5485)

9j7cNZuGBt.elf New Fork (PID: 5487, Parent: 5486)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
9j7cNZuGBt.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
9j7cNZuGBt.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
9j7cNZuGBt.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1077c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1081c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1086c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10880:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10894:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
9j7cNZuGBt.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x105e4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
9j7cNZuGBt.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4040:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
9j7cNZuGBt.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x93a5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
9j7cNZuGBt.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
9j7cNZuGBt.elf	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
9j7cNZuGBt.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc378:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
9j7cNZuGBt.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xac19:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
9j7cNZuGBt.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5485.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5485.1.0000000008048000.000000000805b000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1072c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1077c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x107f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1081c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1086c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10880:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10894:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x105e4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4040:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x93a5:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5cb2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc378:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xac19:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5485.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5c82:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: 9j7cNZuGBt.elf PID: 5485	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: 9j7cNZuGBt.elf PID: 5485	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x956:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x96a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x97e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x992:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa0a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa1e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa32:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa46:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa5a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa6e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa82:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa96:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaaa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xabe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xad2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 9j7cNZuGBt.elf PID: 5485	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x840:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 9 entries

Snort Signatures

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:02:42.928581
SID:	2030490
Source Port:	54218
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:59.128607
SID:	2030490
Source Port:	54206
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:02:00.762642
SID:	2030490
Source Port:	54208
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:37.590326
SID:	2030490
Source Port:	54198
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:02:38.294699
SID:	2030490
Source Port:	54216
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:33.953773
SID:	2030490
Source Port:	54196
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:00:47.693813
SID:	2030490
Source Port:	54186
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:13.691338
SID:	2030490
Source Port:	54192
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:02:11.393752
SID:	2030490
Source Port:	54210
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:42.227728
SID:	2030490
Source Port:	54200
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:02.965732
SID:	2030490
Source Port:	54190
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:23.325093
SID:	2030490
Source Port:	54194
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:02:18.024375
SID:	2030490
Source Port:	54212
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:02:28.660170
SID:	2030490
Source Port:	54214
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:43.861241
SID:	2030490
Source Port:	54202
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:01:50.495664
SID:	2030490
Source Port:	54204
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 103.173.178.208

Timestamp:	03/29/24-13:00:54.331956
SID:	2030490
Source Port:	54188
Destination Port:	43957
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9j7cNZuGBt.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: 9j7cNZuGBt.elf	Virustotal: Detection: 48%			Perma Link
Source: 9j7cNZuGBt.elf	ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: 9j7cNZuGBt.elf

Joe Sandbox ML: detected

Source: 9j7cNZuGBt.elf

String: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54186 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54188 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54190 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54192 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54194 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54196 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54198 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54200 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54202 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54204 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54206 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54208 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54210 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54212 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54214 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54216 -> 103.173.178.208:43957
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:54218 -> 103.173.178.208:43957

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 103.173.178.208 ports 43957,3,4,5,7,9

Source: global traffic

TCP traffic: 192.168.2.13:54186 -> 103.173.178.208:43957

Source: unknown

DNS traffic detected: queries for: ap.akdns.top

System Summary

Malicious sample detected (through community Yara rule)

Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: 9j7cNZuGBt.elf PID: 5485, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 9j7cNZuGBt.elf PID: 5485, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 9j7cNZuGBt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: 9j7cNZuGBt.elf PID: 5485, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 9j7cNZuGBt.elf PID: 5485, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/0@17/0

Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/3631/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/816/cmdline	Jump to behavior
Source: /tmp/9j7cNZuGBt.elf (PID: 5487)	File opened: /proc/35/cmdline	Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 9j7cNZuGBt.elf, type: SAMPLE
Source: Yara match	File source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9j7cNZuGBt.elf PID: 5485, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Mirai

Source: Yara match	File source: 9j7cNZuGBt.elf, type: SAMPLE
Source: Yara match	File source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9j7cNZuGBt.elf PID: 5485, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9j7cNZuGBt.elf	48%	Virustotal		Browse
9j7cNZuGBt.elf	61%	ReversingLabs	Linux.Trojan.Mirai
9j7cNZuGBt.elf	100%	Avira	EXP/ELF.Mirai.Z.A
9j7cNZuGBt.elf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ap.akdns.top	103.173.178.208	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.173.178.208	ap.akdns.top	unknown		7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.173.178.208	0FsVELdYxY.elf	Get hash	malicious	Mirai	Browse
	2IS7hqlz6b.elf	Get hash	malicious	Mirai	Browse
	vKJEMWrTHL.elf	Get hash	malicious	Mirai	Browse
	xX2te0Hn5o.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ap.akdns.top	0FsVELdYxY.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	2IS7hqlz6b.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	vKJEMWrTHL.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	xX2te0Hn5o.elf	Get hash	malicious	Mirai	Browse	103.173.178.208

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	0FsVELdYxY.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	2IS7hqlz6b.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	vKJEMWrTHL.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	xX2te0Hn5o.elf	Get hash	malicious	Mirai	Browse	103.173.178.208
	p8F35SRiO8.elf	Get hash	malicious	Mirai	Browse	103.0.78.243
	7JP4pajFXr.elf	Get hash	malicious	Mirai	Browse	103.176.106.52
	bot.arm7-20240327-1054.elf	Get hash	malicious	Mirai	Browse	103.188.244.189
	Whj7PiS4fK.elf	Get hash	malicious	Mirai, Okiru	Browse	144.205.100.69
	F7u5JkRhpi.elf	Get hash	malicious	Mirai, Okiru	Browse	132.234.242.205
	bot.arm7-20240327-0852.elf	Get hash	malicious	Mirai	Browse	103.188.244.189

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.772282940599994
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	9j7cNZuGBt.elf
File size:	93'768 bytes
MD5:	98d55377310fd5d430c800d59c97112a
SHA1:	ba5e5458f6af66f1d8b86d2166a83435bb74403b
SHA256:	d246880f2ab4b4f69d56cf261b07689c22359618f2811ed83026b395a05f23ad
SHA512:	fbc774d7e6115737ef413ba448927b2d85f4d1a39d34260a7eb1e9c15ac8862a7f7013b82b10fab305fd0444481dd5b8c2a897e5f2effbefacaa00a2dc2f1ef0
SSDEEP:	1536:oFd1IRgCXUzx7t0fM6ltg0Eiyhcg6vnK72wPZnWhZS5xtY+z:oFdmR9XUzxh0fMQtg0Eimcn/Adew5bz
TLSH:	CD936BC4F643E5F1EC8709B16137EB374B32F0BA111AEA43C7699972DCA2541DA06B9C
File Content Preview:	.ELF....................d...4....l......4. ...(......................$...$...............$...........G..8...........Q.td............................U..S.......o4...h....c...[]...$.............U......=.....t..5....$......$.......u........t....h............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	93368
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xfe86	0x0	0x6	AX	16
.fini	PROGBITS	0x8057f36	0xff36	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8057f60	0xff60	0x2590	0x0	0x2	A	32
.ctors	PROGBITS	0x805b4f4	0x124f4	0xc	0x0	0x3	WA	4
.dtors	PROGBITS	0x805b500	0x12500	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805b520	0x12520	0x4758	0x0	0x3	WA	32
.bss	NOBITS	0x805fc80	0x16c78	0x49ac	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x16c78	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x124f0	0x124f0	6.6051	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x124f4	0x805b4f4	0x805b4f4	0x4784	0x9138	0.3642	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/24-13:02:42.928581	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54218	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:59.128607	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54206	43957	192.168.2.13	103.173.178.208
03/29/24-13:02:00.762642	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54208	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:37.590326	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54198	43957	192.168.2.13	103.173.178.208
03/29/24-13:02:38.294699	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54216	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:33.953773	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54196	43957	192.168.2.13	103.173.178.208
03/29/24-13:00:47.693813	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54186	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:13.691338	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54192	43957	192.168.2.13	103.173.178.208
03/29/24-13:02:11.393752	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54210	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:42.227728	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54200	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:02.965732	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54190	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:23.325093	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54194	43957	192.168.2.13	103.173.178.208
03/29/24-13:02:18.024375	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54212	43957	192.168.2.13	103.173.178.208
03/29/24-13:02:28.660170	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54214	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:43.861241	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54202	43957	192.168.2.13	103.173.178.208
03/29/24-13:01:50.495664	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54204	43957	192.168.2.13	103.173.178.208
03/29/24-13:00:54.331956	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	54188	43957	192.168.2.13	103.173.178.208

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 13:00:47.427862883 CET	54186	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:47.693633080 CET	43957	54186	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:47.693737984 CET	54186	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:47.693813086 CET	54186	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:47.959430933 CET	43957	54186	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:47.959459066 CET	43957	54186	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:47.959537983 CET	54186	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:48.224777937 CET	43957	54186	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:54.069936037 CET	54188	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:54.331727982 CET	43957	54188	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:54.331955910 CET	54188	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:54.331955910 CET	54188	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:54.590013981 CET	43957	54188	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:54.590034962 CET	43957	54188	103.173.178.208	192.168.2.13
Mar 29, 2024 13:00:54.590275049 CET	54188	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:00:54.848213911 CET	43957	54188	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:02.700233936 CET	54190	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:02.965581894 CET	43957	54190	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:02.965698004 CET	54190	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:02.965732098 CET	54190	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:03.230947018 CET	43957	54190	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:03.231072903 CET	43957	54190	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:03.231241941 CET	54190	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:03.496608019 CET	43957	54190	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:13.425492048 CET	54192	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:13.691205978 CET	43957	54192	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:13.691303968 CET	54192	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:13.691338062 CET	54192	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:13.956594944 CET	43957	54192	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:13.956612110 CET	43957	54192	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:13.956701994 CET	54192	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:14.221935987 CET	43957	54192	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:23.066814899 CET	54194	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:23.324892044 CET	43957	54194	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:23.325092077 CET	54194	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:23.325093031 CET	54194	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:23.583411932 CET	43957	54194	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:23.583442926 CET	43957	54194	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:33.691930056 CET	54196	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:33.953603029 CET	43957	54196	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:33.953742981 CET	54196	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:33.953773022 CET	54196	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:34.215437889 CET	43957	54196	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:34.215455055 CET	43957	54196	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:37.324980974 CET	54198	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:37.590187073 CET	43957	54198	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:37.590296984 CET	54198	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:37.590326071 CET	54198	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:37.855602026 CET	43957	54198	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:37.855622053 CET	43957	54198	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:37.855720043 CET	54198	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:38.121038914 CET	43957	54198	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:41.965913057 CET	54200	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:42.227400064 CET	43957	54200	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:42.227689028 CET	54200	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:42.227727890 CET	54200	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:42.489537954 CET	43957	54200	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:42.489576101 CET	43957	54200	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:42.489715099 CET	54200	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:42.751372099 CET	43957	54200	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:43.599138975 CET	54202	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:43.860883951 CET	43957	54202	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:43.861191988 CET	54202	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:43.861241102 CET	54202	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:44.122792006 CET	43957	54202	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:44.122814894 CET	43957	54202	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:44.123078108 CET	54202	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:44.384679079 CET	43957	54202	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:50.233597040 CET	54204	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:50.495507956 CET	43957	54204	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:50.495615005 CET	54204	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:50.495663881 CET	54204	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:50.757920027 CET	43957	54204	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:50.757949114 CET	43957	54204	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:50.758038998 CET	54204	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:51.019824982 CET	43957	54204	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:58.866736889 CET	54206	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:59.128370047 CET	43957	54206	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:59.128572941 CET	54206	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:59.128607035 CET	54206	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:59.390311003 CET	43957	54206	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:59.390372038 CET	43957	54206	103.173.178.208	192.168.2.13
Mar 29, 2024 13:01:59.390464067 CET	54206	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:01:59.652086973 CET	43957	54206	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:00.500689983 CET	54208	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:00.762343884 CET	43957	54208	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:00.762639999 CET	54208	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:00.762641907 CET	54208	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:01.024166107 CET	43957	54208	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:01.024184942 CET	43957	54208	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:01.024329901 CET	54208	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:01.286228895 CET	43957	54208	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:11.135482073 CET	54210	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:11.393615961 CET	43957	54210	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:11.393716097 CET	54210	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:11.393752098 CET	54210	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:11.651705980 CET	43957	54210	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:11.651834011 CET	43957	54210	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:11.651993990 CET	54210	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:11.910114050 CET	43957	54210	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:17.762425900 CET	54212	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:18.024178028 CET	43957	54212	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:18.024358988 CET	54212	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:18.024374962 CET	54212	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:18.286253929 CET	43957	54212	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:18.286295891 CET	43957	54212	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:28.398361921 CET	54214	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:28.660048008 CET	43957	54214	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:28.660131931 CET	54214	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:28.660170078 CET	54214	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:28.921926022 CET	43957	54214	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:28.921947002 CET	43957	54214	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:28.922039032 CET	54214	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:29.183645964 CET	43957	54214	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:38.032846928 CET	54216	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:38.294483900 CET	43957	54216	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:38.294615030 CET	54216	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:38.294698954 CET	54216	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:38.556586027 CET	43957	54216	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:38.556607962 CET	43957	54216	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:42.666682959 CET	54218	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:42.928325891 CET	43957	54218	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:42.928448915 CET	54218	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:42.928580999 CET	54218	43957	192.168.2.13	103.173.178.208
Mar 29, 2024 13:02:43.191258907 CET	43957	54218	103.173.178.208	192.168.2.13
Mar 29, 2024 13:02:43.191334009 CET	43957	54218	103.173.178.208	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 13:00:47.317327976 CET	47399	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:00:47.427694082 CET	53	47399	8.8.8.8	192.168.2.13
Mar 29, 2024 13:00:53.959881067 CET	39765	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:00:54.069787979 CET	53	39765	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:02.590410948 CET	42662	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:02.700093985 CET	53	42662	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:13.231618881 CET	41689	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:13.425347090 CET	53	41689	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:22.957083941 CET	37271	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:23.066621065 CET	53	37271	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:33.583920956 CET	51265	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:33.691740036 CET	53	51265	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:37.215820074 CET	37388	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:37.324713945 CET	53	37388	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:41.855875969 CET	41696	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:41.965754986 CET	53	41696	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:43.489855051 CET	42493	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:43.598979950 CET	53	42493	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:50.123258114 CET	58616	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:50.233361006 CET	53	58616	8.8.8.8	192.168.2.13
Mar 29, 2024 13:01:58.758253098 CET	59524	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:01:58.866607904 CET	53	59524	8.8.8.8	192.168.2.13
Mar 29, 2024 13:02:00.390639067 CET	50404	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:02:00.500452995 CET	53	50404	8.8.8.8	192.168.2.13
Mar 29, 2024 13:02:11.024647951 CET	36126	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:02:11.135334015 CET	53	36126	8.8.8.8	192.168.2.13
Mar 29, 2024 13:02:17.652189970 CET	57247	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:02:17.762320995 CET	53	57247	8.8.8.8	192.168.2.13
Mar 29, 2024 13:02:28.286551952 CET	34347	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:02:28.398222923 CET	53	34347	8.8.8.8	192.168.2.13
Mar 29, 2024 13:02:37.922220945 CET	57343	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:02:38.032597065 CET	53	57343	8.8.8.8	192.168.2.13
Mar 29, 2024 13:02:42.556991100 CET	36896	53	192.168.2.13	8.8.8.8
Mar 29, 2024 13:02:42.666498899 CET	53	36896	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 13:00:47.317327976 CET	192.168.2.13	8.8.8.8	0x404	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:00:53.959881067 CET	192.168.2.13	8.8.8.8	0xe10d	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:02.590410948 CET	192.168.2.13	8.8.8.8	0x28dc	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:13.231618881 CET	192.168.2.13	8.8.8.8	0x5ef	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:22.957083941 CET	192.168.2.13	8.8.8.8	0x8c05	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:33.583920956 CET	192.168.2.13	8.8.8.8	0xa377	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:37.215820074 CET	192.168.2.13	8.8.8.8	0x87a3	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:41.855875969 CET	192.168.2.13	8.8.8.8	0xa554	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:43.489855051 CET	192.168.2.13	8.8.8.8	0x20a	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:50.123258114 CET	192.168.2.13	8.8.8.8	0x3b60	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:58.758253098 CET	192.168.2.13	8.8.8.8	0x8b3a	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:00.390639067 CET	192.168.2.13	8.8.8.8	0xc530	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:11.024647951 CET	192.168.2.13	8.8.8.8	0x15ad	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:17.652189970 CET	192.168.2.13	8.8.8.8	0xa0e3	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:28.286551952 CET	192.168.2.13	8.8.8.8	0x946f	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:37.922220945 CET	192.168.2.13	8.8.8.8	0x34ec	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:42.556991100 CET	192.168.2.13	8.8.8.8	0x2323	Standard query (0)	ap.akdns.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 13:00:47.427694082 CET	8.8.8.8	192.168.2.13	0x404	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:00:54.069787979 CET	8.8.8.8	192.168.2.13	0xe10d	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:02.700093985 CET	8.8.8.8	192.168.2.13	0x28dc	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:13.425347090 CET	8.8.8.8	192.168.2.13	0x5ef	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:23.066621065 CET	8.8.8.8	192.168.2.13	0x8c05	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:33.691740036 CET	8.8.8.8	192.168.2.13	0xa377	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:37.324713945 CET	8.8.8.8	192.168.2.13	0x87a3	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:41.965754986 CET	8.8.8.8	192.168.2.13	0xa554	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:43.598979950 CET	8.8.8.8	192.168.2.13	0x20a	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:50.233361006 CET	8.8.8.8	192.168.2.13	0x3b60	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:01:58.866607904 CET	8.8.8.8	192.168.2.13	0x8b3a	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:00.500452995 CET	8.8.8.8	192.168.2.13	0xc530	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:11.135334015 CET	8.8.8.8	192.168.2.13	0x15ad	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:17.762320995 CET	8.8.8.8	192.168.2.13	0xa0e3	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:28.398222923 CET	8.8.8.8	192.168.2.13	0x946f	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:38.032597065 CET	8.8.8.8	192.168.2.13	0x34ec	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false
Mar 29, 2024 13:02:42.666498899 CET	8.8.8.8	192.168.2.13	0x2323	No error (0)	ap.akdns.top	103.173.178.208	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: 9j7cNZuGBt.elf PID: 5485, Parent PID: 5403

General

Start time (UTC):	12:00:46
Start date (UTC):	29/03/2024
Path:	/tmp/9j7cNZuGBt.elf
Arguments:	/tmp/9j7cNZuGBt.elf
File size:	93768 bytes
MD5 hash:	98d55377310fd5d430c800d59c97112a

Start time (UTC):	12:00:46
Start date (UTC):	29/03/2024
Path:	/tmp/9j7cNZuGBt.elf
Arguments:	-
File size:	93768 bytes
MD5 hash:	98d55377310fd5d430c800d59c97112a

Start time (UTC):	12:00:46
Start date (UTC):	29/03/2024
Path:	/tmp/9j7cNZuGBt.elf
Arguments:	-
File size:	93768 bytes
MD5 hash:	98d55377310fd5d430c800d59c97112a

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 9j7cNZuGBt.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: 9j7cNZuGBt.elf PID: 5485, Parent PID: 5403

General

Chronological Activities

Analysis Process: 9j7cNZuGBt.elf PID: 5486, Parent PID: 5485

General

Chronological Activities

Analysis Process: 9j7cNZuGBt.elf PID: 5487, Parent PID: 5486

General

Chronological Activities

Linux Analysis Report
9j7cNZuGBt.elf