Edit tour

Linux Analysis Report
AkV7DALWTe.elf

Overview

General Information

Sample name:	AkV7DALWTe.elf renamed because original name is a hash value
Original sample name:	7b844888f864698c835723076d6731a0.elf
Analysis ID:	1427652
MD5:	7b844888f864698c835723076d6731a0
SHA1:	8216c1d44e0cfb92f20158e144c56b405a2bf27c
SHA256:	0e7aa35748eebf6df567c22f7dc492bfbd4b84f4666e63f90979ea18aa41894c
Tags:	32elfintelmirai
Infos:

Detection

Mirai

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queries the IP of a very long domain name

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427652
Start date and time:	2024-04-17 23:11:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	AkV7DALWTe.elf renamed because original name is a hash value
Original Sample Name:	7b844888f864698c835723076d6731a0.elf
Detection:	MAL
Classification:	mal88.troj.evad.linELF@0/0@26/0

Warnings

VT rate limit hit for: AkV7DALWTe.elf

Runtime Messages

Command:	/tmp/AkV7DALWTe.elf
PID:	5460
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	about to cum inside a femboy btw
Standard Error:

Process Tree

system is lnxubuntu20

AkV7DALWTe.elf (PID: 5460, Parent: 5379, MD5: 7b844888f864698c835723076d6731a0) Arguments: /tmp/AkV7DALWTe.elf

AkV7DALWTe.elf New Fork (PID: 5461, Parent: 5460)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
AkV7DALWTe.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
AkV7DALWTe.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc4f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc50c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc520:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc534:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
AkV7DALWTe.elf	Linux_Trojan_Mirai_268aac0b	unknown	unknown	0x5f2f:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
AkV7DALWTe.elf	Linux_Trojan_Mirai_0cb1699c	unknown	unknown	0x5ee2:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
AkV7DALWTe.elf	Linux_Trojan_Mirai_70ef58f1	unknown	unknown	0x747d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C 0x751d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
AkV7DALWTe.elf	Linux_Trojan_Mirai_3a85a418	unknown	unknown	0x4927:$a: 01 D8 66 C1 C8 08 C1 C8 10 66 C1 C8 08 66 83 7C 24 2C FF 89
AkV7DALWTe.elf	Linux_Trojan_Mirai_2e3f67a9	unknown	unknown	0x522:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44 0x582:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44
AkV7DALWTe.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x79b2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
AkV7DALWTe.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x8e98:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5460.1.0000000008048000.0000000008057000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc4f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc50c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc520:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc534:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_268aac0b	unknown	unknown	0x5f2f:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_0cb1699c	unknown	unknown	0x5ee2:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_70ef58f1	unknown	unknown	0x747d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C 0x751d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_3a85a418	unknown	unknown	0x4927:$a: 01 D8 66 C1 C8 08 C1 C8 10 66 C1 C8 08 66 83 7C 24 2C FF 89
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_2e3f67a9	unknown	unknown	0x522:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44 0x582:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x79b2:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5460.1.0000000008048000.0000000008057000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0x8e98:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
Process Memory Space: AkV7DALWTe.elf PID: 5460	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x538:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x560:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x574:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x588:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x600:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x614:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x628:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x63c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x650:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x664:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x678:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 5 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: AkV7DALWTe.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: AkV7DALWTe.elf

ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: AkV7DALWTe.elf

Joe Sandbox ML: detected

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: kovey.mezo-api.xyz

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.T; f66a/PV!E(95"dCT; fOOPV!a/EAT@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.U; fb66a/PV!E(:%5CU; fOOPV!a/EAY@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.U; f66a/PV!E(vw:75CU; fOOPV!a/EA_@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.U; f?66a/PV!E(&(:5CU; fsOOPV!a/EAp@@v
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.U; f66a/PV!E(958NCU; fJJPV!a/E<:@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.v; fI66a/PV!E(Z8:S5l "=v; fKOOPV!a/EA@@O
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.v; f66a/PV!E(59y-5,`"=v; fOOPV!a/EA@@E
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.v; fz66a/PV!E(9k9u5"=v; fC{OOPV!a/EA@@A
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.v; fD66a/PV!E(:d5"=v; fOOPV!a/EA@@+
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.v; f66a/PV!E(:;5"=v; fTJJPV!a/E<N@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f3A66a/PV!E(ij5(H; f!BOOPV!a/EA@@d
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fq66a/PV!E($j[594; fmOOPV!a/EA@@b
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fr66a/PV!E(:i5Z; ftOOPV!a/EA@@S
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f66a/PV!E(Ni9`5; fPOOPV!a/EA@@G
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fd66a/PV!E(c:5c?; fdJJPV!a/E<l @@n
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fh66a/PV!E(o@:>5CyQ; fiOOPV!a/EA\|@@j
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f66a/PV!E(9?5@Q; f?OOPV!a/EA@@_
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f66a/PV!E(95Q; f_OOPV!a/EA@@T
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f866a/PV!E(fj5zQ; f~8OOPV!a/EA@@P
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fj66a/PV!E(:P5DQ; fJJPV!a/E<{@@-
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fIZ66a/PV!E(!:5; f[OOPV!a/EA,@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f66a/PV!E(&:5C; fOOPV!a/EA1@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; fJ66a/PV!E(j5OXv; fLOOPV!a/EAI@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f66a/PV!E(W95l; f\OOPV!a/EA_@@
Source: unknown	DNS traffic detected: query: kovey.mezo-api.xyz.; f~66a/PV!E(95]; f~JJPV!a/E<@@

Source: global traffic

TCP traffic: 192.168.2.13:44672 -> 45.131.111.219:33966

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26

Source: unknown

DNS traffic detected: queries for: kovey.mezo-api.xyz

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_268aac0b Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_0cb1699c Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_70ef58f1 Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_3a85a418 Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_2e3f67a9 Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_268aac0b Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0cb1699c Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_70ef58f1 Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a85a418 Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_2e3f67a9 Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: Process Memory Space: AkV7DALWTe.elf PID: 5460, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_268aac0b reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_0cb1699c reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_70ef58f1 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_3a85a418 reference_sample = 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec, id = 3a85a418-2bd9-445a-86cb-657ca7edf566, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_2e3f67a9 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: AkV7DALWTe.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_268aac0b reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0cb1699c reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_70ef58f1 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a85a418 reference_sample = 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec, id = 3a85a418-2bd9-445a-86cb-657ca7edf566, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_2e3f67a9 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: Process Memory Space: AkV7DALWTe.elf PID: 5460, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal88.troj.evad.linELF@0/0@26/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/AkV7DALWTe.elf (PID: 5461)

File: /tmp/AkV7DALWTe.elf

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: AkV7DALWTe.elf, type: SAMPLE
Source: Yara match	File source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: AkV7DALWTe.elf, type: SAMPLE
Source: Yara match	File source: 5460.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
AkV7DALWTe.elf	45%	ReversingLabs	Linux.Trojan.Mirai
AkV7DALWTe.elf	100%	Avira	EXP/ELF.Mirai.Z.A
AkV7DALWTe.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
kovey.mezo-api.xyz	45.131.111.219	true	true	unknown
kovey.mezo-api.xyz.; fJ66a/PV!E(j5OXv; fLOOPV!a/EAI@@	unknown	unknown	true	low
kovey.mezo-api.xyz.; f66a/PV!E(W95l; f\OOPV!a/EA_@@	unknown	unknown	true	low
kovey.mezo-api.xyz.U; f66a/PV!E(958NCU; fJJPV!a/E<:@@	unknown	unknown	true	low
kovey.mezo-api.xyz.; fh66a/PV!E(o@:>5CyQ; fiOOPV!a/EA\|@@j	unknown	unknown	true	low
kovey.mezo-api.xyz.U; f?66a/PV!E(&(:5CU; fsOOPV!a/EAp@@v	unknown	unknown	true	low
kovey.mezo-api.xyz.; fIZ66a/PV!E(!:5; f[OOPV!a/EA,@@	unknown	unknown	true	low
kovey.mezo-api.xyz.U; f66a/PV!E(vw:75CU; fOOPV!a/EA_@@	unknown	unknown	true	low
kovey.mezo-api.xyz.v; f66a/PV!E(59y-5,`"=v; fOOPV!a/EA@@E	unknown	unknown	true	low
kovey.mezo-api.xyz.; fd66a/PV!E(c:5c?; fdJJPV!a/E<l @@n	unknown	unknown	true	low
kovey.mezo-api.xyz.; f3A66a/PV!E(ij5(H; f!BOOPV!a/EA@@d	unknown	unknown	true	low
kovey.mezo-api.xyz.; f866a/PV!E(fj5zQ; f~8OOPV!a/EA@@P	unknown	unknown	true	low
kovey.mezo-api.xyz.; f66a/PV!E(Ni9`5; fPOOPV!a/EA@@G	unknown	unknown	true	low
kovey.mezo-api.xyz.; fr66a/PV!E(:i5Z; ftOOPV!a/EA@@S	unknown	unknown	true	low
kovey.mezo-api.xyz.; f66a/PV!E(9?5@Q; f?OOPV!a/EA@@_	unknown	unknown	true	low
kovey.mezo-api.xyz.; fj66a/PV!E(:P5DQ; fJJPV!a/E<{@@-	unknown	unknown	true	low
kovey.mezo-api.xyz.v; fD66a/PV!E(:d5"=v; fOOPV!a/EA@@+	unknown	unknown	true	low
kovey.mezo-api.xyz.; fq66a/PV!E($j[594; fmOOPV!a/EA@@b	unknown	unknown	true	low
kovey.mezo-api.xyz.; f~66a/PV!E(95]; f~JJPV!a/E<@@	unknown	unknown	true	low
kovey.mezo-api.xyz.v; fI66a/PV!E(Z8:S5l "=v; fKOOPV!a/EA@@O	unknown	unknown	true	low
kovey.mezo-api.xyz.; f66a/PV!E(95Q; f_OOPV!a/EA@@T	unknown	unknown	true	low
kovey.mezo-api.xyz.; f66a/PV!E(&:5C; fOOPV!a/EA1@@	unknown	unknown	true	low
kovey.mezo-api.xyz.v; fz66a/PV!E(9k9u5"=v; fC{OOPV!a/EA@@A	unknown	unknown	true	low
kovey.mezo-api.xyz.T; f66a/PV!E(95"dCT; fOOPV!a/EAT@@	unknown	unknown	true	low
kovey.mezo-api.xyz.v; f66a/PV!E(:;5"=v; fTJJPV!a/E<N@@	unknown	unknown	true	low
kovey.mezo-api.xyz.U; fb66a/PV!E(:%5CU; fOOPV!a/EAY@@	unknown	unknown	true	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.131.111.219	kovey.mezo-api.xyz	Germany		398373	SERVERDESTROYERSUS	true
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.131.111.219	6pZSqZEAa2.elf	Get hash	malicious	Mirai	Browse
	FwLad7Fxwv.elf	Get hash	malicious	Mirai	Browse
	LPXP6wFUyX.elf	Get hash	malicious	Mirai	Browse
	dvxuxG34sk.elf	Get hash	malicious	Mirai	Browse
	aNeRrtorRm.elf	Get hash	malicious	Mirai	Browse
	KxTpfpJzPK.elf	Get hash	malicious	Mirai	Browse
	MhV593RNl7.elf	Get hash	malicious	Mirai	Browse
185.125.190.26	n3l6rOHrCy.elf	Get hash	malicious	Mirai	Browse
	f0OnF0zQl1.elf	Get hash	malicious	Mirai	Browse
	MP364bXXBM.elf	Get hash	malicious	Mirai	Browse
	MCKV8ZxDFs.elf	Get hash	malicious	Mirai	Browse
	5kPAYNJulv.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	yRXn4O3AgO.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	SecuriteInfo.com.Linux.Kaiji.16.13149.10467.elf	Get hash	malicious	Chaos	Browse
	SecuriteInfo.com.ELF.Agent-BSR.23757.4302.elf	Get hash	malicious	Chaos	Browse
	SecuriteInfo.com.Linux.Siggen.9999.7988.1041.elf	Get hash	malicious	Unknown	Browse
	B7cl2k3l7y.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
kovey.mezo-api.xyz	FwLad7Fxwv.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	dvxuxG34sk.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	aNeRrtorRm.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	MhV593RNl7.elf	Get hash	malicious	Mirai	Browse	45.131.111.219

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	FwLad7Fxwv.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	n3l6rOHrCy.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	aNeRrtorRm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	8BNqPPgBFn.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	f0OnF0zQl1.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	yVsyTd2tDQ.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	nD1z4HgXaM.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	MP364bXXBM.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	wUxE90cdjt.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	MCKV8ZxDFs.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
SERVERDESTROYERSUS	6pZSqZEAa2.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	FwLad7Fxwv.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	LPXP6wFUyX.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	dvxuxG34sk.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	aNeRrtorRm.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	KxTpfpJzPK.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	MhV593RNl7.elf	Get hash	malicious	Mirai	Browse	45.131.111.219
	lzTrp2wJQy.elf	Get hash	malicious	Gafgyt, Mirai	Browse	45.131.111.159
	l0fPUtuT9M.elf	Get hash	malicious	Gafgyt, Mirai	Browse	45.131.111.159
	dF300rMf4v.elf	Get hash	malicious	Gafgyt, Mirai	Browse	45.131.111.159

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.355917816487784
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	AkV7DALWTe.elf
File size:	58'704 bytes
MD5:	7b844888f864698c835723076d6731a0
SHA1:	8216c1d44e0cfb92f20158e144c56b405a2bf27c
SHA256:	0e7aa35748eebf6df567c22f7dc492bfbd4b84f4666e63f90979ea18aa41894c
SHA512:	106358b02799e0aed98eaee8ebd53f72302dd519977305633485b3e783e80aad513f3b7ed66b383a0cf53d76e5c30d55490eb7de4d6d6c132a0a4d4cd49863b8
SSDEEP:	1536:0RgWI56uIi0hTtcTNcTyV0ULBvdDLTjOWmCAM3e0/vHj67FQQR:0Rgd56ViLTNcTyV1LBvdDLTzl1O0/PjS
TLSH:	FD4319C1F58B44FAD05B093081A7FB3FDE31D5A84270D76EEFD99A36DA635038612A48
File Content Preview:	.ELF....................h...4...........4. ...(..............................................p...p.......(..........Q.td............................U..S............h........[]...$.............U......=.s...t..1.....p......p......u........t...$.`..........s

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048168
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	58304
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xbcb1	0x0	0x6	AX	16
.fini	PROGBITS	0x8053d61	0xbd61	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x8053d80	0xbd80	0x231c	0x0	0x2	A	32
.ctors	PROGBITS	0x80570a0	0xe0a0	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x80570a8	0xe0a8	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x80570c0	0xe0c0	0x2c0	0x0	0x3	WA	32
.bss	NOBITS	0x8057380	0xe380	0x2520	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0xe380	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xe09c	0xe09c	6.3874	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0xe0a0	0x80570a0	0x80570a0	0x2e0	0x2800	3.9558	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 23:12:53.373663902 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:12:53.579695940 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:12:53.579900980 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:12:53.580136061 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:12:53.786056042 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:12:53.786216974 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:12:53.992433071 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:02.846235037 CEST	48202	443	192.168.2.13	185.125.190.26
Apr 17, 2024 23:13:08.994786978 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:08.995057106 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:24.202672958 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:24.202887058 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:24.382405043 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:24.382589102 CEST	44672	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:24.588480949 CEST	33966	44672	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:26.437076092 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:26.646409988 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:26.646576881 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:26.646650076 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:26.855885029 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:26.856041908 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:27.065273046 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:34.589777946 CEST	48202	443	192.168.2.13	185.125.190.26
Apr 17, 2024 23:13:42.067527056 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:42.067748070 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:13:57.279361010 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:13:57.279547930 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:06.678333998 CEST	44674	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:06.887960911 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:08.044281960 CEST	33966	44674	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:10.091344118 CEST	44676	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:10.294547081 CEST	33966	44676	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:10.294740915 CEST	44676	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:10.294825077 CEST	44676	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:10.497997999 CEST	33966	44676	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:10.498191118 CEST	44676	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:10.701420069 CEST	33966	44676	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:20.304920912 CEST	44676	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:20.508143902 CEST	33966	44676	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:28.921673059 CEST	33966	44676	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:30.970989943 CEST	44678	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:31.179406881 CEST	33966	44678	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:35.229118109 CEST	44680	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:35.435530901 CEST	33966	44680	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:35.435705900 CEST	44680	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:35.435833931 CEST	44680	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:35.642213106 CEST	33966	44680	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:35.642343044 CEST	44680	33966	192.168.2.13	45.131.111.219
Apr 17, 2024 23:14:35.848639011 CEST	33966	44680	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:50.852081060 CEST	33966	44680	45.131.111.219	192.168.2.13
Apr 17, 2024 23:14:50.852319956 CEST	44680	33966	192.168.2.13	45.131.111.219

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 23:12:52.739965916 CEST	34336	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:12:52.849937916 CEST	53	34336	8.8.8.8	192.168.2.13
Apr 17, 2024 23:12:52.850111961 CEST	46370	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:12:52.954540968 CEST	53	46370	8.8.8.8	192.168.2.13
Apr 17, 2024 23:12:52.954818964 CEST	36599	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:12:53.059233904 CEST	53	36599	8.8.8.8	192.168.2.13
Apr 17, 2024 23:12:53.059585094 CEST	33206	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:12:53.163989067 CEST	53	33206	8.8.8.8	192.168.2.13
Apr 17, 2024 23:12:53.164364100 CEST	37537	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:12:53.268606901 CEST	53	37537	8.8.8.8	192.168.2.13
Apr 17, 2024 23:12:53.268914938 CEST	53816	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:12:53.373446941 CEST	53	53816	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:25.382821083 CEST	57756	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:25.487603903 CEST	53	57756	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:25.487839937 CEST	58548	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:25.592298985 CEST	53	58548	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:25.592608929 CEST	60826	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:25.705552101 CEST	53	60826	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:25.705805063 CEST	47399	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:25.810102940 CEST	53	47399	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:25.810292959 CEST	49764	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:25.914535046 CEST	53	49764	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:25.914710999 CEST	57964	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:26.018863916 CEST	53	57964	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:26.019211054 CEST	43052	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:26.123420000 CEST	53	43052	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:26.123629093 CEST	60106	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:26.227979898 CEST	53	60106	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:26.228163004 CEST	44500	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:26.332355976 CEST	53	44500	8.8.8.8	192.168.2.13
Apr 17, 2024 23:13:26.332518101 CEST	37022	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:13:26.436892033 CEST	53	37022	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.044774055 CEST	58707	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.148953915 CEST	53	58707	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.149337053 CEST	47137	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.253781080 CEST	53	47137	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.254007101 CEST	52531	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.358289957 CEST	53	52531	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.358534098 CEST	57495	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.462963104 CEST	53	57495	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.463162899 CEST	47973	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.567508936 CEST	53	47973	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.567744017 CEST	35368	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.672050953 CEST	53	35368	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.672288895 CEST	40249	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.776561022 CEST	53	40249	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.776813030 CEST	59601	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.881298065 CEST	53	59601	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.881690979 CEST	48915	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:09.986342907 CEST	53	48915	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:09.986704111 CEST	37475	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:10.091159105 CEST	53	37475	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:29.922327042 CEST	40899	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.026834011 CEST	53	40899	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.027301073 CEST	47740	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.131848097 CEST	53	47740	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.132205963 CEST	38886	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.237211943 CEST	53	38886	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.237622023 CEST	48313	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.341850042 CEST	53	48313	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.341957092 CEST	59120	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.446439981 CEST	53	59120	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.446604967 CEST	57411	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.551064014 CEST	53	57411	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.551184893 CEST	34499	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.655543089 CEST	53	34499	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.655678988 CEST	34576	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.760792017 CEST	53	34576	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.760926962 CEST	57118	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.866319895 CEST	53	57118	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:30.866430044 CEST	44612	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:30.970858097 CEST	53	44612	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.179807901 CEST	34539	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.284162998 CEST	53	34539	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.284442902 CEST	37884	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.390197039 CEST	53	37884	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.390479088 CEST	45721	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.494806051 CEST	53	45721	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.495028019 CEST	59032	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.600393057 CEST	53	59032	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.600656033 CEST	48018	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.704905987 CEST	53	48018	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.705296993 CEST	33308	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.809545040 CEST	53	33308	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.809868097 CEST	34115	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:34.914416075 CEST	53	34115	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:34.914571047 CEST	49999	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:35.019125938 CEST	53	49999	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:35.019591093 CEST	44793	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:35.124072075 CEST	53	44793	8.8.8.8	192.168.2.13
Apr 17, 2024 23:14:35.124507904 CEST	48618	53	192.168.2.13	8.8.8.8
Apr 17, 2024 23:14:35.228874922 CEST	53	48618	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 23:12:52.739965916 CEST	192.168.2.13	8.8.8.8	0x35c9	Standard query (0)	kovey.mezo-api.xyz	A (IP address)	IN (0x0001)	false
Apr 17, 2024 23:12:52.850111961 CEST	192.168.2.13	8.8.8.8	0x1743	Standard query (0)	kovey.mezo-api.xyz.T; f66a/PV!E(95"dCT; fOOPV!a/EAT@@	525	2056	false
Apr 17, 2024 23:12:52.954818964 CEST	192.168.2.13	8.8.8.8	0x1743	Standard query (0)	kovey.mezo-api.xyz.U; fb66a/PV!E(:%5CU; fOOPV!a/EAY@@	525	2056	false
Apr 17, 2024 23:12:53.059585094 CEST	192.168.2.13	8.8.8.8	0x1743	Standard query (0)	kovey.mezo-api.xyz.U; f66a/PV!E(vw:75CU; fOOPV!a/EA_@@	525	2056	false
Apr 17, 2024 23:12:53.164364100 CEST	192.168.2.13	8.8.8.8	0x1743	Standard query (0)	kovey.mezo-api.xyz.U; f?66a/PV!E(&(:5CU; fsOOPV!a/EAp@@v	525	2056	false
Apr 17, 2024 23:12:53.268914938 CEST	192.168.2.13	8.8.8.8	0x1743	Standard query (0)	kovey.mezo-api.xyz.U; f66a/PV!E(958NCU; fJJPV!a/E<:@@	525	11651	false
Apr 17, 2024 23:13:25.914710999 CEST	192.168.2.13	8.8.8.8	0x223d	Standard query (0)	kovey.mezo-api.xyz.v; fI66a/PV!E(Z8:S5l "=v; fKOOPV!a/EA@@O	525	2056	false
Apr 17, 2024 23:13:26.019211054 CEST	192.168.2.13	8.8.8.8	0x223d	Standard query (0)	kovey.mezo-api.xyz.v; f66a/PV!E(59y-5,`"=v; fOOPV!a/EA@@E	525	2056	false
Apr 17, 2024 23:13:26.123629093 CEST	192.168.2.13	8.8.8.8	0x223d	Standard query (0)	kovey.mezo-api.xyz.v; fz66a/PV!E(9k9u5"=v; fC{OOPV!a/EA@@A	525	2056	false
Apr 17, 2024 23:13:26.228163004 CEST	192.168.2.13	8.8.8.8	0x223d	Standard query (0)	kovey.mezo-api.xyz.v; fD66a/PV!E(:d5"=v; fOOPV!a/EA@@+	525	2056	false
Apr 17, 2024 23:13:26.332518101 CEST	192.168.2.13	8.8.8.8	0x223d	Standard query (0)	kovey.mezo-api.xyz.v; f66a/PV!E(:;5"=v; fTJJPV!a/E<N@@	525	11651	false
Apr 17, 2024 23:14:09.567744017 CEST	192.168.2.13	8.8.8.8	0xd99d	Standard query (0)	kovey.mezo-api.xyz.; f3A66a/PV!E(ij5(H; f!BOOPV!a/EA@@d	525	2056	false
Apr 17, 2024 23:14:09.672288895 CEST	192.168.2.13	8.8.8.8	0xd99d	Standard query (0)	kovey.mezo-api.xyz.; fq66a/PV!E($j[594; fmOOPV!a/EA@@b	525	2056	false
Apr 17, 2024 23:14:09.776813030 CEST	192.168.2.13	8.8.8.8	0xd99d	Standard query (0)	kovey.mezo-api.xyz.; fr66a/PV!E(:i5Z; ftOOPV!a/EA@@S	525	2056	false
Apr 17, 2024 23:14:09.881690979 CEST	192.168.2.13	8.8.8.8	0xd99d	Standard query (0)	kovey.mezo-api.xyz.; f66a/PV!E(Ni9`5; fPOOPV!a/EA@@G	525	2056	false
Apr 17, 2024 23:14:09.986704111 CEST	192.168.2.13	8.8.8.8	0xd99d	Standard query (0)	kovey.mezo-api.xyz.; fd66a/PV!E(c:5c?; fdJJPV!a/E<l @@n	525	11651	false
Apr 17, 2024 23:14:30.446604967 CEST	192.168.2.13	8.8.8.8	0x51c6	Standard query (0)	kovey.mezo-api.xyz.; fh66a/PV!E(o@:>5CyQ; fiOOPV!a/EA\|@@j	525	2056	false
Apr 17, 2024 23:14:30.551184893 CEST	192.168.2.13	8.8.8.8	0x51c6	Standard query (0)	kovey.mezo-api.xyz.; f66a/PV!E(9?5@Q; f?OOPV!a/EA@@_	525	2056	false
Apr 17, 2024 23:14:30.655678988 CEST	192.168.2.13	8.8.8.8	0x51c6	Standard query (0)	kovey.mezo-api.xyz.; f66a/PV!E(95Q; f_OOPV!a/EA@@T	525	2056	false
Apr 17, 2024 23:14:30.760926962 CEST	192.168.2.13	8.8.8.8	0x51c6	Standard query (0)	kovey.mezo-api.xyz.; f866a/PV!E(fj5zQ; f~8OOPV!a/EA@@P	525	2056	false
Apr 17, 2024 23:14:30.866430044 CEST	192.168.2.13	8.8.8.8	0x51c6	Standard query (0)	kovey.mezo-api.xyz.; fj66a/PV!E(:P5DQ; fJJPV!a/E<{@@-	525	11651	false
Apr 17, 2024 23:14:34.705296993 CEST	192.168.2.13	8.8.8.8	0x9004	Standard query (0)	kovey.mezo-api.xyz.; fIZ66a/PV!E(!:5; f[OOPV!a/EA,@@	525	2056	false
Apr 17, 2024 23:14:34.809868097 CEST	192.168.2.13	8.8.8.8	0x9004	Standard query (0)	kovey.mezo-api.xyz.; f66a/PV!E(&:5C; fOOPV!a/EA1@@	525	2056	false
Apr 17, 2024 23:14:34.914571047 CEST	192.168.2.13	8.8.8.8	0x9004	Standard query (0)	kovey.mezo-api.xyz.; fJ66a/PV!E(j5OXv; fLOOPV!a/EAI@@	525	2056	false
Apr 17, 2024 23:14:35.019591093 CEST	192.168.2.13	8.8.8.8	0x9004	Standard query (0)	kovey.mezo-api.xyz.; f66a/PV!E(W95l; f\OOPV!a/EA_@@	525	2056	false
Apr 17, 2024 23:14:35.124507904 CEST	192.168.2.13	8.8.8.8	0x9004	Standard query (0)	kovey.mezo-api.xyz.; f~66a/PV!E(95]; f~JJPV!a/E<@@	525	11651	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 23:12:52.849937916 CEST	8.8.8.8	192.168.2.13	0x35c9	No error (0)	kovey.mezo-api.xyz		45.131.111.219	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: AkV7DALWTe.elf PID: 5460, Parent PID: 5379

General

Start time (UTC):	21:12:52
Start date (UTC):	17/04/2024
Path:	/tmp/AkV7DALWTe.elf
Arguments:	/tmp/AkV7DALWTe.elf
File size:	58704 bytes
MD5 hash:	7b844888f864698c835723076d6731a0

Chronological Activities

Analysis Process: AkV7DALWTe.elf PID: 5461, Parent PID: 5460

General

Start time (UTC):	21:12:52
Start date (UTC):	17/04/2024
Path:	/tmp/AkV7DALWTe.elf
Arguments:	-
File size:	58704 bytes
MD5 hash:	7b844888f864698c835723076d6731a0

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report AkV7DALWTe.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: AkV7DALWTe.elf PID: 5460, Parent PID: 5379

General

Chronological Activities

Analysis Process: AkV7DALWTe.elf PID: 5461, Parent PID: 5460

General

Chronological Activities

Linux Analysis Report
AkV7DALWTe.elf