Linux Analysis Report
CcsWgcYeDy.elf

Overview

General Information

Sample name:CcsWgcYeDy.elf
renamed because original name is a hash value
Original sample name:9aa40bc92960f7ac9e5c82ea281c8a4f.elf
Analysis ID:1427656
MD5:9aa40bc92960f7ac9e5c82ea281c8a4f
SHA1:b87ccfc87d111a03687c1e3876d675ce80cfa3d6
SHA256:f098d12665d98ff11f90248d91a601163e410a423bb9b2d1c4be297b8b3a00bc
Tags: 32, elf, intel, mirai

Detection

Mirai
Score:88
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queries the IP of a very long domain name
Sample deletes itself
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1427656
Start date and time:2024-04-17 23:16:02 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:CcsWgcYeDy.elf
renamed because original name is a hash value
Original Sample Name:9aa40bc92960f7ac9e5c82ea281c8a4f.elf
Detection:MAL
Classification:mal88.troj.evad.linELF@0/0@21/0
  • VT rate limit hit for: CcsWgcYeDy.elf
Command:/tmp/CcsWgcYeDy.elf
PID:5485
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
about to cum inside a femboy btw
Standard Error:
  • system is lnxubuntu20
  • sh (PID: 5488, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
  • gsd-rfkill (PID: 5488, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill
  • systemd New Fork (PID: 5493, Parent: 1)
  • systemd-hostnamed (PID: 5493, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums", many variants of the Mirai family have appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
CcsWgcYeDy.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
CcsWgcYeDy.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
    • $a at 21 offsets from 0xff80 to 0x10110, one every 0x14 bytes: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
CcsWgcYeDy.elf | Linux_Trojan_Mirai_268aac0b | unknown | unknown
    • 0x5f2f:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
CcsWgcYeDy.elf | Linux_Trojan_Mirai_0cb1699c | unknown | unknown
    • 0x5ee2:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
CcsWgcYeDy.elf | Linux_Trojan_Mirai_70ef58f1 | unknown | unknown
    • 0x86ed:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
    • 0x878d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
(Remaining rule matches for the file are not expanded here; the full list is under System Summary.)
Source | Rule | Description | Author | Strings
5485.1.0000000008048000.000000000805b000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5485.1.0000000008048000.000000000805b000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
    • $a at 21 offsets from 0xff80 to 0x10110, one every 0x14 bytes: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5485.1.0000000008048000.000000000805b000.r-x.sdmp | Linux_Trojan_Mirai_268aac0b | unknown | unknown
    • 0x5f2f:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
5485.1.0000000008048000.000000000805b000.r-x.sdmp | Linux_Trojan_Mirai_0cb1699c | unknown | unknown
    • 0x5ee2:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
5485.1.0000000008048000.000000000805b000.r-x.sdmp | Linux_Trojan_Mirai_70ef58f1 | unknown | unknown
    • 0x86ed:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
    • 0x878d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
(Remaining rule matches for the memory dump are not expanded here; the full list is under System Summary.)
      No Snort rule has matched
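The Linux_Trojan_Gafgyt_28a2fe0c `$a` hits above are a single 29-byte pattern reported at 21 offsets exactly 0x14 bytes apart. That is the signature of a short string repeated back to back in the binary: a pattern longer than the repeating unit matches once per copy and overlaps itself, and Yara lists every such occurrence. The script below is an added example, not part of the Joe Sandbox report or of Elastic's rule set. It decodes the hex bytes the report prints, derives the repeating unit, and rebuilds the 21 overlapping hits on a constructed buffer so the offset arithmetic can be checked without the sample; the padding, base offset and copy count in `build_sample()` are assumptions chosen to reproduce the report's numbers.

```python
"""
Re-derive the Linux_Trojan_Gafgyt_28a2fe0c `$a` hits listed in this report.

Added example; not from the report or from Elastic's rule set. The buffer
returned by build_sample() is constructed: zero padding up to the first
reported offset, then the repeating unit copied enough times to give the
21 overlapping hits the report lists.
"""
from typing import List

# The $a bytes exactly as the report prints them (29 bytes).
A_HEX = ("2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 "
         "2F 78 33 38 2F 78 46 4A 2F")
A_PATTERN = bytes.fromhex(A_HEX)

FIRST_HIT = 0xFF80     # first offset in the report
HIT_COUNT = 21         # offsets 0xff80 .. 0x10110 inclusive


def decode_ascii(pat: bytes) -> str:
    """The pattern is printable ASCII: a '/x..'-style junk string."""
    return pat.decode("ascii")


def smallest_unit(pat: bytes) -> bytes:
    """Shortest prefix whose repetition regenerates the whole pattern."""
    for n in range(1, len(pat) + 1):
        reps = (len(pat) + n - 1) // n
        if (pat[:n] * reps)[: len(pat)] == pat:
            return pat[:n]
    return pat


def find_all(buf: bytes, pat: bytes) -> List[int]:
    """Every offset of pat in buf, overlapping matches included, which is
    how Yara lists string hits."""
    hits: List[int] = []
    start = 0
    while True:
        idx = buf.find(pat, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def repeat_period(offsets: List[int]) -> int:
    """Distance between consecutive hits if it is uniform, else 0."""
    gaps = {b - a for a, b in zip(offsets, offsets[1:])}
    return gaps.pop() if len(gaps) == 1 else 0


def build_sample(base: int = FIRST_HIT, hits: int = HIT_COUNT) -> bytes:
    """Constructed stand-in for the sample: enough copies of the unit that
    a pattern of len(A_PATTERN) bytes matches `hits` times, one per unit."""
    unit = smallest_unit(A_PATTERN)
    copies = hits - 1 + -(-len(A_PATTERN) // len(unit))   # ceil division
    return b"\x00" * base + unit * copies + b"\x00" * 16


if __name__ == "__main__":
    offsets = find_all(build_sample(), A_PATTERN)
    print(decode_ascii(A_PATTERN))
    print(len(offsets), hex(offsets[0]), hex(offsets[-1]), hex(repeat_period(offsets)))
```

To check a real copy of the sample instead, read the file into a `bytes` object and pass it to `find_all()` in place of `build_sample()`; the offsets should line up with the report's list only if the file is the same build, so a mismatch is itself useful triage information.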


      AV Detection

Source: CcsWgcYeDy.elf | Avira: detected
Source: CcsWgcYeDy.elf | ReversingLabs: Detection: 44%
Source: CcsWgcYeDy.elf | Joe Sandbox ML: detected
Source: CcsWgcYeDy.elf | String (the report runs the individual strings together): EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff/fdsocket/proc/%s/stat/proc/proc/%d/exe/proc/%d/stat%d %s %c %d/proc/%d/maps/var/run/mnt/root/var/tmp/boot/bin/sbin/../(deleted)/homedbgmpslmipselmipsarmarm4arm5arm6arm7sh4m68kx86x586x86_64i586i686ppcspc[locker] killed process: %s ;; pid: %d

      Networking

Source: DNS query: kovey.mezo-api.xyz
Source: unknown | DNS traffic detected: query: kovey.mezo-api.xyz (20 query lines in the report; in each, the query name is followed by raw packet bytes rendered as text, omitted here)
Source: global traffic | TCP traffic: 192.168.2.13:44682 -> 45.131.111.219:33966
Source: global traffic | TCP traffic: 192.168.2.13:44740 -> 89.190.156.145:7733
Source: unknown | TCP traffic detected without corresponding DNS query: 89.190.156.145 (reported 7 times)
Source: unknown | DNS traffic detected: queries for: kovey.mezo-api.xyz
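The Networking lines above give one C2 hostname, two TCP destinations on non-standard ports, and a direct connection to an address that was never resolved, and the System Summary further down records a successful SIGKILL of PID 1884. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own format into a deduplicated IOC set and turns the network IOCs into Suricata rules. The sample lines are copied from this report (one DNS line is kept with its trailing packet garbage to show the parser tolerates it); the standard-port list, the rule messages and the sid range are my assumptions.

```python
"""
Turn Joe Sandbox behaviour lines into an IOC set and Suricata rules.

Added example; not part of the report or of Joe Sandbox. The lines in
REPORT_LINES are copied from the Networking and System Summary sections of
this report; STANDARD_PORTS, the rule messages and the sid range are my own
assumptions.
"""
import re
from typing import Dict, List

REPORT_LINES = [
    "Source: DNS query: kovey.mezo-api.xyz",
    # one of the 20 query lines, kept with the raw packet bytes the report
    # rendered after the name, to show the parser copes with it
    "Source: unknownDNS traffic detected: query: kovey.mezo-api.xyz.R< fN66a/PV!E(0M9~5<R< faOOOPV!a/EA@@",
    "Source: global trafficTCP traffic: 192.168.2.13:44682 -> 45.131.111.219:33966",
    "Source: global trafficTCP traffic: 192.168.2.13:44740 -> 89.190.156.145:7733",
    "Source: unknownTCP traffic detected without corresponding DNS query: 89.190.156.145",
    "Source: unknownDNS traffic detected: queries for: kovey.mezo-api.xyz",
    "Source: /tmp/CcsWgcYeDy.elf (PID: 5487)SIGKILL sent: pid: 1884, result: successful",
]

# Assumption: ports a defender would not call "non-standard" for this host.
STANDARD_PORTS = {22, 23, 25, 53, 80, 110, 143, 443, 587, 993, 995, 8080}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The TLD must be letters, so the "<garbage" after the name is not absorbed.
DNS_RE = re.compile(r"quer(?:y|ies for): ([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")
TCP_RE = re.compile(IPV4 + r":\d+ -> " + IPV4 + r":(\d+)")
NODNS_RE = re.compile(r"without corresponding DNS query: " + IPV4)
KILL_RE = re.compile(r"SIGKILL sent: pid: (\d+), result: (\w+)")


def extract_iocs(lines: List[str]) -> Dict[str, list]:
    """Deduplicate observations the report lists once per event."""
    domains, dst, no_dns, killed = set(), set(), set(), set()
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            domains.add(m.group(1).lower())
        m = TCP_RE.search(line)
        if m:
            dst.add((m.group(2), int(m.group(3))))
        m = NODNS_RE.search(line)
        if m:
            no_dns.add(m.group(1))
        m = KILL_RE.search(line)
        if m and m.group(2) == "successful":
            killed.add(int(m.group(1)))
    return {
        "domains": sorted(domains),
        "dst": sorted(dst),
        # connected to without a preceding lookup: hard-coded in the binary
        "no_dns": sorted(no_dns),
        "nonstandard_ports": sorted(p for _, p in dst if p not in STANDARD_PORTS),
        "killed_pids": sorted(killed),
    }


def suricata_rules(iocs: Dict[str, list], base_sid: int = 1000000) -> List[str]:
    """One DNS rule per hostname and one TCP rule per destination.
    Rule text and sid numbering are assumptions, not from the report."""
    rules: List[str] = []
    sid = base_sid
    for name in iocs["domains"]:
        sid += 1
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Mirai C2 lookup {name}"; '
            f'dns.query; content:"{name}"; nocase; sid:{sid}; rev:1;)')
    for ip, port in iocs["dst"]:
        sid += 1
        note = " (no DNS lookup)" if ip in iocs["no_dns"] else ""
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Mirai C2/loader {ip}:{port}{note}"; '
            f'flow:to_server,established; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    found = extract_iocs(REPORT_LINES)
    for key, val in found.items():
        print(f"{key}: {val}")
    print("\n".join(suricata_rules(found)))
```

The address-only rules are the more durable of the two sets for this sample: the report shows 89.190.156.145 being contacted with no lookup at all, so blocking the hostname alone would not cut that connection.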

      System Summary

Source: CcsWgcYeDy.elf, type: SAMPLE | Matched rules (Author: unknown for all): Linux_Trojan_Gafgyt_28a2fe0c, Linux_Trojan_Mirai_268aac0b, Linux_Trojan_Mirai_0cb1699c, Linux_Trojan_Mirai_70ef58f1, Linux_Trojan_Mirai_3a85a418, Linux_Trojan_Mirai_2e3f67a9, Linux_Trojan_Mirai_88de437f, Linux_Trojan_Mirai_cc93863b
Source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY | Matched rules (Author: unknown for all): Linux_Trojan_Gafgyt_28a2fe0c, Linux_Trojan_Mirai_268aac0b, Linux_Trojan_Mirai_0cb1699c, Linux_Trojan_Mirai_70ef58f1, Linux_Trojan_Mirai_3a85a418, Linux_Trojan_Mirai_2e3f67a9, Linux_Trojan_Mirai_88de437f, Linux_Trojan_Mirai_cc93863b
Source: Process Memory Space: CcsWgcYeDy.elf PID: 5485, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: ELF static info of initial sample | .symtab present: no
Source: /tmp/CcsWgcYeDy.elf (PID: 5487) | SIGKILL sent: pid: 1884, result: successful
Rule metadata. Every rule below matched both CcsWgcYeDy.elf (type: SAMPLE) and the memory dump 5485.1.0000000008048000.000000000805b000.r-x.sdmp (type: MEMORY); Linux_Trojan_Gafgyt_28a2fe0c additionally matched Process Memory Space: CcsWgcYeDy.elf PID: 5485 (type: MEMORYSTR). Fields common to all rules: os = linux, severity = x86, scan_context = file, memory, license = Elastic License v2.

Rule | threat_name | reference_sample | creation_date | last_modified | fingerprint | id
Linux_Trojan_Gafgyt_28a2fe0c | Linux.Trojan.Gafgyt | (none given) | 2021-01-12 | 2021-09-16 | a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead | 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd
Linux_Trojan_Mirai_268aac0b | Linux.Trojan.Mirai | 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead | 2021-01-12 | 2021-09-16 | 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781 | 268aac0b-c5c7-4035-8381-4e182de91e32
Linux_Trojan_Mirai_0cb1699c | Linux.Trojan.Mirai | fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb | 2021-01-12 | 2021-09-16 | 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089 | 0cb1699c-9a08-4885-aa7f-0f1ee2543cac
Linux_Trojan_Mirai_70ef58f1 | Linux.Trojan.Mirai | fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb | 2021-01-12 | 2021-09-16 | c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89 | 70ef58f1-ac74-4e33-ae03-e68d1d5a4379
Linux_Trojan_Mirai_3a85a418 | Linux.Trojan.Mirai | 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a | 2021-01-12 | 2021-09-16 | 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec | 3a85a418-2bd9-445a-86cb-657ca7edf566
Linux_Trojan_Mirai_2e3f67a9 | Linux.Trojan.Mirai | fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb | 2021-01-12 | 2021-09-16 | 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f | 2e3f67a9-6fd5-4457-a626-3a9015bdb401
Linux_Trojan_Mirai_88de437f | Linux.Trojan.Mirai | 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6 | 2021-01-12 | 2021-09-16 | c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea | 88de437f-9c98-4e1d-96c0-7b433c99886a
Linux_Trojan_Mirai_cc93863b | Linux.Trojan.Mirai | 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f | 2022-01-05 | 2022-01-26 | f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac | cc93863b-1050-40ba-9d02-5ec9ce6a3a28
Source: classification engine | Classification label: mal88.troj.evad.linELF@0/0@21/0
Source: /usr/libexec/gsd-rfkill (PID: 5488) | Directory: <invalid fd (9)>/..
Source: /usr/libexec/gsd-rfkill (PID: 5488) | Directory: <invalid fd (8)>/..
Source: /lib/systemd/systemd-hostnamed (PID: 5493) | Directory: <invalid fd (10)>/..
(PIDs 5488 and 5493 are the gsd-rfkill and systemd-hostnamed system processes started during the run, as listed in the process tree above, not the sample process.)
Source: /tmp/CcsWgcYeDy.elf (PID: 5487) | File opened: /proc/<pid>/cmdline for 105 PIDs, in report order: 230, 110, 231, 111, 232, 112, 233, 113, 234, 114, 235, 115, 236, 116, 237, 117, 238, 118, 239, 119, 914, 10, 917, 11, 12, 13, 14, 15, 16, 17, 18, 19, 240, 120, 241, 121, 242, 122, 243, 2, 123, 244, 3, 124, 245, 1588, 125, 4, 246, 126, 5, 247, 127, 6, 248, 128, 7, 249, 129, 8, 800, 9, 802, 803, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 1482, 490, 1480, 250, 371, 130, 251, 131, 252, 132, 253, 254, 1238, 134, 255, 256, 257, 378, 258, 259, 1475, 936, 30, 816, 35, 260, 261, 262, 142, 263, 264

Hooking and other Techniques for Hiding and Protection

Source: /tmp/CcsWgcYeDy.elf (PID: 5486) File: /tmp/CcsWgcYeDy.elf
Source: /lib/systemd/systemd-hostnamed (PID: 5493) Queries kernel information via 'uname'

Stealing of Sensitive Information

Source: Yara match, File source: CcsWgcYeDy.elf, type: SAMPLE
Source: Yara match, File source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, File source: CcsWgcYeDy.elf, type: SAMPLE
Source: Yara match, File source: 5485.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
MITRE ATT&CK Matrix (listed per tactic; the counts the matrix shows next to a technique are given in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Scripting (1); Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Hidden Files and Directories (1); File Deletion (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (1); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

No configs have been found
Antivirus Detection

Source | Detection | Scanner | Label
CcsWgcYeDy.elf | 45% | ReversingLabs | Linux.Trojan.Mirai
CcsWgcYeDy.elf | 100% | Avira | EXP/ELF.Mirai.Z.A
CcsWgcYeDy.elf | 100% | Joe Sandbox ML |
No Antivirus matches
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
kovey.mezo-api.xyz | 45.131.111.219 | true | true | | unknown
kovey.mezo-api.xyz.R< f66a/PV!E(w3jM5<R< fOOOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.< fY&66a/PV!E(Pj,5- < f.(OOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.< f?66a/PV!E(Aj;5c#< fOOPV!a/EAh@@~ | unknown | unknown | true | | low
kovey.mezo-api.xyz.R< fN66a/PV!E(0M9~5<R< faOOOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.q< f66a/PV!E(:,;5'Aq< fqOOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.< f~66a/PV!E(99ug5} < fVJJPV!a/E</@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.< f66a/PV!E(I95 < fKOOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.q< f66a/PV!E(9!f5Rq< fJJPV!a/E<@@@h | unknown | unknown | true | | low
kovey.mezo-api.xyz.< f66a/PV!E(9B5M#< ftOOPV!a/EA@@f | unknown | unknown | true | | low
kovey.mezo-api.xyz.< fuA66a/PV!E(j~q54#< feBJJPV!a/E<c@@v | unknown | unknown | true | | low
kovey.mezo-api.xyz.q< f#66a/PV!E("9951"q< f[OOPV!a/EA@@! | unknown | unknown | true | | low
kovey.mezo-api.xyz.R< f66a/PV!E(:A5CI<R< fOOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.R< f66a/PV!E(9V5<R< fJJPV!a/E<;"@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.q< f]V66a/PV!E(J3:c51q< feWOOPV!a/EA@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.< f]66a/PV!E(|:5. < f^OOPV!a/EA:@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.R< f'166a/PV!E(%#jX]5<R< f1OOPV!a/EA"@@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.q< fQ66a/PV!E(:5q< fuOOPV!a/EA@@: | unknown | unknown | true | | low
kovey.mezo-api.xyz.< fR66a/PV!E(':5f < fOOPV!a/EA @@ | unknown | unknown | true | | low
kovey.mezo-api.xyz.< fN66a/PV!E(95/#< fOOOPV!a/EA@@d | unknown | unknown | true | | low
kovey.mezo-api.xyz.< f66a/PV!E(3:5%#< fpOOPV!a/EA@@W | unknown | unknown | true | | low
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
45.131.111.219 | kovey.mezo-api.xyz | Germany | 398373 | SERVERDESTROYERS, US | true
89.190.156.145 | unknown | United Kingdom | 7489 | HOSTUS-GLOBAL-AS HostUS, HK | false
Context: IPs

Match | Associated Sample Name / URL | Detection | Threat Name
45.131.111.219 | Trhc0oj3L5.elf | malicious | Mirai
45.131.111.219 | sMmzRMu1P6.elf | malicious | Mirai
45.131.111.219 | NvmCe2XrqN.elf | malicious | Mirai
45.131.111.219 | AkV7DALWTe.elf | malicious | Mirai
45.131.111.219 | 6pZSqZEAa2.elf | malicious | Mirai
45.131.111.219 | FwLad7Fxwv.elf | malicious | Mirai
45.131.111.219 | LPXP6wFUyX.elf | malicious | Mirai
45.131.111.219 | dvxuxG34sk.elf | malicious | Mirai
45.131.111.219 | aNeRrtorRm.elf | malicious | Mirai
45.131.111.219 | KxTpfpJzPK.elf | malicious | Mirai
89.190.156.145 | Trhc0oj3L5.elf | malicious | Mirai
89.190.156.145 | sMmzRMu1P6.elf | malicious | Mirai
89.190.156.145 | aNeRrtorRm.elf | malicious | Mirai
89.190.156.145 | LiZXGg7fyH.elf | malicious | Unknown
89.190.156.145 | hW73Zv5QP8.elf | malicious | Unknown
89.190.156.145 | kb66uL4J4v.elf | malicious | Unknown
89.190.156.145 | 8g1ZsLnPkT.elf | malicious | Unknown
89.190.156.145 | 3kpdYyPMQ1.elf | malicious | Mirai
89.190.156.145 | 4kubb9wtoo.elf | malicious | Unknown
89.190.156.145 | YpYCMrKWmt.elf | malicious | Unknown

Context: Domains

Match | Associated Sample Name / URL | Detection | Threat Name | Context
kovey.mezo-api.xyz | Trhc0oj3L5.elf | malicious | Mirai | 45.131.111.219
kovey.mezo-api.xyz | NvmCe2XrqN.elf | malicious | Mirai | 45.131.111.219
kovey.mezo-api.xyz | FwLad7Fxwv.elf | malicious | Mirai | 45.131.111.219
kovey.mezo-api.xyz | dvxuxG34sk.elf | malicious | Mirai | 45.131.111.219
kovey.mezo-api.xyz | aNeRrtorRm.elf | malicious | Mirai | 45.131.111.219

Context: ASNs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTUS-GLOBAL-AS HostUS, HK | Trhc0oj3L5.elf | malicious | Mirai | 89.190.156.145
HOSTUS-GLOBAL-AS HostUS, HK | sMmzRMu1P6.elf | malicious | Mirai | 89.190.156.145
HOSTUS-GLOBAL-AS HostUS, HK | aNeRrtorRm.elf | malicious | Mirai | 89.190.156.145
HOSTUS-GLOBAL-AS HostUS, HK | XoJZcyGnfc.elf | malicious | Gafgyt | 89.190.156.227
HOSTUS-GLOBAL-AS HostUS, HK | 5Nfro46k6z.elf | malicious | Gafgyt | 89.190.156.227
HOSTUS-GLOBAL-AS HostUS, HK | rWIq0N7gR0.elf | malicious | Gafgyt | 89.190.156.227
HOSTUS-GLOBAL-AS HostUS, HK | xu4uPf2rLF.elf | malicious | Gafgyt | 89.190.156.227
HOSTUS-GLOBAL-AS HostUS, HK | DYQCCl3BLP.elf | malicious | Gafgyt | 89.190.156.227
HOSTUS-GLOBAL-AS HostUS, HK | x86_64.elf | malicious | Gafgyt, Mirai | 89.190.156.211
HOSTUS-GLOBAL-AS HostUS, HK | LiZXGg7fyH.elf | malicious | Unknown | 89.190.156.145
SERVERDESTROYERS, US | Trhc0oj3L5.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | sMmzRMu1P6.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | NvmCe2XrqN.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | AkV7DALWTe.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | 6pZSqZEAa2.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | FwLad7Fxwv.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | LPXP6wFUyX.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | dvxuxG34sk.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | aNeRrtorRm.elf | malicious | Mirai | 45.131.111.219
SERVERDESTROYERS, US | KxTpfpJzPK.elf | malicious | Mirai | 45.131.111.219
No context
No created / dropped files found

Static File Info

File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.422112383882069
TrID:
• ELF Executable and Linkable format (Linux) (4029/14) 50.16%
• ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:CcsWgcYeDy.elf
File size:75'540 bytes
MD5:9aa40bc92960f7ac9e5c82ea281c8a4f
SHA1:b87ccfc87d111a03687c1e3876d675ce80cfa3d6
SHA256:f098d12665d98ff11f90248d91a601163e410a423bb9b2d1c4be297b8b3a00bc
SHA512:bdefd7a5b563fa07dfe3b6e35220a0747426e40abc432d3cc110f3de868c11aaec986029b9f72a8897cf498191c75aeef9c35cc3a22dde6e5a0c099628b31aa2
SSDEEP:1536:v0S+ICtDIgrusMWvyr86M5+nSIPOgCWmKjXwPcjRpSHn8jB6Y1b:v0SlCtMgSWvyrTM5+njPOepjXwPCRzj9
TLSH:CA7329C1FD4780F5D457483040A7F73FAE32E5E64121DA6EEF69AF32EA635029216788
File Content Preview:.ELF....................h...4....%......4. ...(......................!...!...............!..........x....(..........Q.td............................U..S.......C1...h....#...[]...$.............U......=`....t..1...................u........t...$...........`.

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:Intel 80386
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x8048168
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:75140
Section Header Size:40
Number of Section Headers:10
Header String Table Index:9
Section Headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80480b0 | 0xb0 | 0xf751 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x8057801 | 0xf801 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x8057820 | 0xf820 | 0x29a5 | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x805b1cc | 0x121cc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x805b1d4 | 0x121d4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x805b200 | 0x12200 | 0x344 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x805b560 | 0x12544 | 0x2560 | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x12544 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1
Program Segments

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x121c5 | 0x121c5 | 6.4471 | 0x5 | R E | 0x1000 | .init .text .fini .rodata
LOAD | 0x121cc | 0x805b1cc | 0x805b1cc | 0x378 | 0x28f4 | 4.1904 | 0x6 | RW | 0x1000 | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |
TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 23:17:06.972240925 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:06.972515106 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:17:07.183835983 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:07.184011936 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:07.983741045 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:17:07.983773947 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:08.192955971 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:08.193136930 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:08.193136930 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:08.402781963 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:08.403055906 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:08.612657070 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:09.999814034 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:17:14.191775084 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:17:22.383847952 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:17:23.612622976 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:23.613007069 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:35.632405996 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:35.632956028 CEST | 44682 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:35.842333078 CEST | 33966 | 44682 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:37.700803995 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:37.907800913 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:37.908051968 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:37.908143044 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:38.112415075 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:38.112699032 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:17:38.318239927 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:38.511696100 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:17:53.320390940 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:17:53.320620060 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:08.528240919 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:08.528484106 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:10.768026114 CEST | 44740 | 7733 | 192.168.2.13 | 89.190.156.145
Apr 17, 2024 23:18:23.736157894 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:23.736341953 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:27.945509911 CEST | 44686 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:28.149739981 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:33.928697109 CEST | 33966 | 44686 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:35.981590033 CEST | 44688 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:36.191157103 CEST | 33966 | 44688 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:36.191828966 CEST | 44688 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:36.191829920 CEST | 44688 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:36.401643038 CEST | 33966 | 44688 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:36.402167082 CEST | 44688 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:36.611618042 CEST | 33966 | 44688 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:18:46.201955080 CEST | 44688 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:18:46.411446095 CEST | 33966 | 44688 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:19:01.600301027 CEST | 33966 | 44688 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:19:01.600732088 CEST | 44688 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:19:02.031594992 CEST | 33966 | 44688 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:19:04.082532883 CEST | 44690 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:19:04.293827057 CEST | 33966 | 44690 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:19:04.294042110 CEST | 44690 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:19:04.294121027 CEST | 44690 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:19:04.505333900 CEST | 33966 | 44690 | 45.131.111.219 | 192.168.2.13
Apr 17, 2024 23:19:04.505548000 CEST | 44690 | 33966 | 192.168.2.13 | 45.131.111.219
Apr 17, 2024 23:19:04.721736908 CEST | 33966 | 44690 | 45.131.111.219 | 192.168.2.13
                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Apr 17, 2024 23:17:06.331626892 CEST3351653192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:06.439349890 CEST53335168.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:06.439486980 CEST4646653192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:06.544437885 CEST53464668.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:06.544609070 CEST5689953192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:06.652237892 CEST53568998.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:06.652435064 CEST4709553192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:06.757395983 CEST53470958.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:06.757582903 CEST5936253192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:06.864551067 CEST53593628.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:06.864758015 CEST6009453192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:06.971755028 CEST53600948.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:36.633021116 CEST4703953192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:36.739018917 CEST53470398.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:36.739320993 CEST5954853192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:36.845741034 CEST53595488.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:36.846246958 CEST5365653192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:36.950745106 CEST53536568.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:36.951052904 CEST3998453192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.055609941 CEST53399848.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:37.056325912 CEST4969353192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.160639048 CEST53496938.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:37.161212921 CEST4224953192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.266064882 CEST53422498.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:37.266356945 CEST3742553192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.373282909 CEST53374258.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:37.373594999 CEST4142753192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.480860949 CEST53414278.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:37.481125116 CEST3629153192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.587223053 CEST53362918.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:17:37.587377071 CEST4590653192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:17:37.700650930 CEST53459068.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:34.929193020 CEST3825553192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.033651114 CEST53382558.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.034118891 CEST4855553192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.138726950 CEST53485558.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.139441013 CEST3380653192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.244344950 CEST53338068.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.244879007 CEST5212753192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.349587917 CEST53521278.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.350298882 CEST4381153192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.455044031 CEST53438118.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.455452919 CEST5469353192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.560026884 CEST53546938.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.560458899 CEST5636553192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.665177107 CEST53563658.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.665646076 CEST3939153192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.770385981 CEST53393918.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.770998955 CEST4228653192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.875785112 CEST53422868.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:18:35.876219034 CEST5951753192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:18:35.981117964 CEST53595178.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.032262087 CEST4666053192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.137051105 CEST53466608.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.137319088 CEST5822153192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.241952896 CEST53582218.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.242393017 CEST4826953192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.347059011 CEST53482698.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.347640038 CEST6000553192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.452573061 CEST53600058.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.452945948 CEST4950253192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.557706118 CEST53495028.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.558051109 CEST5053153192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.662590981 CEST53505318.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.662811041 CEST5140053192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.767385006 CEST53514008.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.767604113 CEST3563153192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.872144938 CEST53356318.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.872421980 CEST4278953192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:03.976891041 CEST53427898.8.8.8192.168.2.13
                                                                                        Apr 17, 2024 23:19:03.977263927 CEST4937753192.168.2.138.8.8.8
                                                                                        Apr 17, 2024 23:19:04.082293034 CEST53493778.8.8.8192.168.2.13
DNS Queries

Timestamp: Apr 17, 2024 23:17:06.331626892 CEST
Source IP: 192.168.2.13
Dest IP: 8.8.8.8
Trans ID: 0x36de
OP Code: Standard query (0)
Name: kovey.mezo-api.xyz
Type: A (IP address)
Class: IN (0x0001)
DNS over HTTPS: false
DNS Answers

Timestamp: Apr 17, 2024 23:17:06.439349890 CEST
Source IP: 8.8.8.8
Dest IP: 192.168.2.13
Trans ID: 0x36de
Reply Code: No error (0)
Name: kovey.mezo-api.xyz
CName: 
Address: 45.131.111.219
Type: A (IP address)
Class: IN (0x0001)
DNS over HTTPS: false

System Behavior

Start time (UTC): 21:17:05
Start date (UTC): 17/04/2024
Path: /tmp/CcsWgcYeDy.elf
Arguments: /tmp/CcsWgcYeDy.elf
File size: 75540 bytes
MD5 hash: 9aa40bc92960f7ac9e5c82ea281c8a4f

Start time (UTC): 21:17:05
Start date (UTC): 17/04/2024
Path: /tmp/CcsWgcYeDy.elf
Arguments: -
File size: 75540 bytes
MD5 hash: 9aa40bc92960f7ac9e5c82ea281c8a4f

Start time (UTC): 21:17:05
Start date (UTC): 17/04/2024
Path: /tmp/CcsWgcYeDy.elf
Arguments: -
File size: 75540 bytes
MD5 hash: 9aa40bc92960f7ac9e5c82ea281c8a4f

Start time (UTC): 21:17:05
Start date (UTC): 17/04/2024
Path: /usr/libexec/gnome-session-binary
Arguments: -
File size: 334664 bytes
MD5 hash: d9b90be4f7db60cb3c2d3da6a1d31bfb

Start time (UTC): 21:17:05
Start date (UTC): 17/04/2024
Path: /bin/sh
Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 21:17:05
Start date (UTC): 17/04/2024
Path: /usr/libexec/gsd-rfkill
Arguments: /usr/libexec/gsd-rfkill
File size: 51808 bytes
MD5 hash: 88a16a3c0aba1759358c06215ecfb5cc

Start time (UTC): 21:17:06
Start date (UTC): 17/04/2024
Path: /usr/lib/systemd/systemd
Arguments: -
File size: 1620224 bytes
MD5 hash: 9b2bec7092a40488108543f9334aab75

Start time (UTC): 21:17:06
Start date (UTC): 17/04/2024
Path: /lib/systemd/systemd-hostnamed
Arguments: /lib/systemd/systemd-hostnamed
File size: 35040 bytes
MD5 hash: 2cc8a5576629a2d5bd98e49a4b8bef65