
Linux Analysis Report
AXMdzuyn1m.elf

Overview

General Information

Sample name: AXMdzuyn1m.elf (renamed because original name is a hash value)
Original sample name: d16b61e028d33909019b5b7871e3e291.elf
Analysis ID: 1428200
MD5: d16b61e028d33909019b5b7871e3e291
SHA1: c0934180daae4b77ecac7704154c44b11ebaa196
SHA256: cf9259b6a78642be0495d041bde41bec828b4429e09d316861e74e295deb670d
Tags: 32, elf, intel, mirai

Detection

Mirai, Okiru
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Yara detected Okiru
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428200
Start date and time: 2024-04-18 16:35:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: AXMdzuyn1m.elf (renamed because original name is a hash value)
Original Sample Name: d16b61e028d33909019b5b7871e3e291.elf
Detection: MAL
Classification: mal100.troj.linELF@0/0@18/0
  • VT rate limit hit for: AXMdzuyn1m.elf
Command: /tmp/AXMdzuyn1m.elf
PID: 5525
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source: AXMdzuyn1m.elf
  • Rule: JoeSecurity_Okiru, Description: Yara detected Okiru, Author: Joe Security
  • Rule: JoeSecurity_Mirai_3, Description: Yara detected Mirai, Author: Joe Security
  • Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown; matched strings:
  • Rule: Linux_Trojan_Mirai_b14f4c5d, Description: unknown, Author: unknown; matched string 0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
  • Rule: Linux_Trojan_Mirai_5f7b67b8, Description: unknown, Author: unknown; matched string 0x8655:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp
  • Rule: JoeSecurity_Okiru, Description: Yara detected Okiru, Author: Joe Security
  • Rule: JoeSecurity_Mirai_3, Description: Yara detected Mirai, Author: Joe Security
  • Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown; matched strings:
  • Rule: Linux_Trojan_Mirai_b14f4c5d, Description: unknown, Author: unknown; matched string 0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
  • Rule: Linux_Trojan_Mirai_5f7b67b8, Description: unknown, Author: unknown; matched string 0x8655:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Snort IDS alerts (all entries: SID 2030490, Protocol TCP, Destination Port 43957, Classtype "A Network Trojan was detected"):

Timestamp                   Source Port
04/18/24-16:37:39.484173    33562
04/18/24-16:37:01.721748    33550
04/18/24-16:37:05.711312    33552
04/18/24-16:35:48.607861    33530
04/18/24-16:37:31.486623    33560
04/18/24-16:37:49.511329    33564
04/18/24-16:36:27.126335    33542
04/18/24-16:36:24.137046    33540
04/18/24-16:36:54.744288    33548
04/18/24-16:37:27.579114    33558
04/18/24-16:36:11.201178    33536
04/18/24-16:36:19.109664    33538
04/18/24-16:36:45.852107    33546
04/18/24-16:37:09.688897    33554
04/18/24-16:37:16.718851    33556
04/18/24-16:35:53.526573    33532
04/18/24-16:36:02.347604    33534
04/18/24-16:36:39.027420    33544

          AV Detection

Source: AXMdzuyn1m.elf, Avira: detected
Source: AXMdzuyn1m.elf, ReversingLabs: Detection: 65%
Source: AXMdzuyn1m.elf, Joe Sandbox ML: detected
Source: AXMdzuyn1m.elf, String: HTTP/1.1 200 OKbot.armbot.arm5bot.arm6bot.arm7bot.mipsbot.mpslbot.x86_64bot.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

          Networking

Source: Traffic, Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1); 18 alerted flows from 192.168.2.15 to 103.167.88.226:43957, source ports 33530, 33532, 33534, 33536, 33538, 33540, 33542, 33544, 33546, 33548, 33550, 33552, 33554, 33556, 33558, 33560, 33562, 33564
Source: global traffic, TCP traffic: 103.167.88.226 ports 43957,3,4,5,7,9
Source: global traffic, TCP traffic: 192.168.2.15:33530 -> 103.167.88.226:43957
Source: unknown, DNS traffic detected: queries for: bn.networkbn.click

          System Summary

Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_b14f4c5d, Author: unknown
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_5f7b67b8, Author: unknown
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_88de437f, Author: unknown
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_389ee3e9, Author: unknown
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_cc93863b, Author: unknown
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_8aa7b5d3, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_b14f4c5d, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_5f7b67b8, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_88de437f, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_389ee3e9, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_cc93863b, Author: unknown
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_8aa7b5d3, Author: unknown
Source: Process Memory Space: AXMdzuyn1m.elf PID: 5525, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Initial sample, String containing 'busybox' found: /bin/busybox
Source: Initial sample, String containing 'busybox' found: HTTP/1.1 200 OKbot.armbot.arm5bot.arm6bot.arm7bot.mipsbot.mpslbot.x86_64bot.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f
Source: ELF static info symbol of initial sample, .symtab present: no
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_b14f4c5d; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_5f7b67b8; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_88de437f; reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_389ee3e9; reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_cc93863b; reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: AXMdzuyn1m.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_8aa7b5d3; reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_b14f4c5d; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_5f7b67b8; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_88de437f; reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_389ee3e9; reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_cc93863b; reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_8aa7b5d3; reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: AXMdzuyn1m.elf PID: 5525, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine, Classification label: mal100.troj.linELF@0/0@18/0
Source: /tmp/AXMdzuyn1m.elf (PID: 5527), File opened:
  • /proc/110/cmdline
  • /proc/231/cmdline
  • /proc/111/cmdline
  • /proc/112/cmdline
  • /proc/233/cmdline
  • /proc/113/cmdline
  • /proc/114/cmdline
  • /proc/235/cmdline
  • /proc/115/cmdline
  • /proc/1333/cmdline
  • /proc/116/cmdline
  • /proc/1695/cmdline
  • /proc/117/cmdline
  • /proc/118/cmdline
  • /proc/119/cmdline
  • /proc/911/cmdline
  • /proc/914/cmdline
  • /proc/10/cmdline
  • /proc/917/cmdline
  • /proc/11/cmdline
  • /proc/12/cmdline
  • /proc/13/cmdline
  • /proc/14/cmdline
  • /proc/15/cmdline
  • /proc/16/cmdline
  • /proc/17/cmdline
  • /proc/18/cmdline
  • /proc/19/cmdline
  • /proc/1591/cmdline
  • /proc/120/cmdline
  • /proc/121/cmdline
  • /proc/1/cmdline
  • /proc/122/cmdline
  • /proc/243/cmdline
  • /proc/2/cmdline
  • /proc/123/cmdline
  • /proc/3/cmdline
  • /proc/124/cmdline
  • /proc/1588/cmdline
  • /proc/125/cmdline
  • /proc/4/cmdline
  • /proc/246/cmdline
  • /proc/126/cmdline
  • /proc/5/cmdline
  • /proc/127/cmdline
  • /proc/6/cmdline
  • /proc/1585/cmdline
  • /proc/128/cmdline
  • /proc/7/cmdline
  • /proc/129/cmdline
  • /proc/8/cmdline
  • /proc/800/cmdline
  • /proc/9/cmdline
  • /proc/802/cmdline
  • /proc/803/cmdline
  • /proc/804/cmdline
  • /proc/20/cmdline
  • /proc/21/cmdline
  • /proc/3407/cmdline
  • /proc/22/cmdline
  • /proc/23/cmdline
  • /proc/24/cmdline
  • /proc/25/cmdline
  • /proc/26/cmdline
  • /proc/27/cmdline
  • /proc/28/cmdline
  • /proc/29/cmdline
  • /proc/1484/cmdline
  • /proc/490/cmdline
  • /proc/250/cmdline
  • /proc/130/cmdline
  • /proc/251/cmdline
  • /proc/131/cmdline
  • /proc/132/cmdline
  • /proc/133/cmdline
  • /proc/1479/cmdline
  • /proc/378/cmdline
  • /proc/258/cmdline
  • /proc/259/cmdline
  • /proc/931/cmdline
  • /proc/1595/cmdline
  • /proc/812/cmdline
  • /proc/933/cmdline
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/30/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/3419/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/35/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/3310/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/260/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/261/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/262/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/142/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/263/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/264/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/265/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/145/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/266/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/267/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/268/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/3303/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/269/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/1486/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/1806/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/3682/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/3440/cmdlineJump to behavior
          Source: /tmp/AXMdzuyn1m.elf (PID: 5527)File opened: /proc/270/cmdlineJump to behavior

Stealing of Sensitive Information

Source: Yara match, File source: AXMdzuyn1m.elf, type: SAMPLE
Source: Yara match, File source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: AXMdzuyn1m.elf PID: 5525, type: MEMORYSTR

Remote Access Functionality

Source: Traffic, Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Yara match, File source: AXMdzuyn1m.elf, type: SAMPLE
Source: Yara match, File source: 5525.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: AXMdzuyn1m.elf PID: 5525, type: MEMORYSTR
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Scripting (1) | Valid Accounts | Windows Management Instrumentation | Scripting (1) | Path Interception | Direct Volume Access | OS Credential Dumping (1) | System Service Discovery | Remote Services | Data from Local System | Non-Standard Port (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact |
          No configs have been found
| Source | Detection | Scanner | Label |
|---|---|---|---|
| AXMdzuyn1m.elf | 66% | ReversingLabs | Linux.Trojan.Mirai |
| AXMdzuyn1m.elf | 100% | Avira | EXP/ELF.Mirai.Z.A |
| AXMdzuyn1m.elf | 100% | Joe Sandbox ML | |

No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bn.networkbn.click | 103.167.88.226 | true | true | | unknown |

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 103.167.88.226 | bn.networkbn.click | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 103.167.88.226 | c1N1s54Xz4.elf | malicious | Mirai, Okiru | |
| | sNUnKpshtR.elf | malicious | Mirai, Okiru | |
| | c3S6vyQXOw.elf | malicious | Mirai, Okiru | |
| | MQ9rEJYn2l.elf | malicious | Mirai, Okiru | |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| bn.networkbn.click | c1N1s54Xz4.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | sNUnKpshtR.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | c3S6vyQXOw.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | MQ9rEJYn2l.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | n7h2Ze4ezf.elf | malicious | Mirai | 103.237.86.195 |
| | bot.x86-20240414-2238.elf | malicious | Mirai | 103.237.86.195 |
| | bot.x86_64-20240413-0230.elf | malicious | Mirai | 103.237.86.195 |
| | bot.arm-20240413-0230.elf | malicious | Mirai | 103.237.86.195 |
| | bot.x86-20240413-0230.elf | malicious | Mirai | 103.237.86.195 |
| | bot.arm7-20240413-0230.elf | malicious | Mirai | 103.237.86.195 |

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | c1N1s54Xz4.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | sNUnKpshtR.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | c3S6vyQXOw.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | MQ9rEJYn2l.elf | malicious | Mirai, Okiru | 103.167.88.226 |
| | E3kpuuuOfy.elf | malicious | Mirai | 130.56.210.55 |
| | Yui1pUgieI.elf | malicious | Mirai | 203.1.230.101 |
| | QXeoSsX87R.elf | malicious | Gafgyt, Mirai | 139.230.83.226 |
| | https://site24x7.com | malicious | Unknown | 103.163.152.67 |
| | QFR4Qsnm6y.elf | malicious | Mirai | 150.203.66.12 |
| | 0Ox8zezLAz.elf | malicious | Mirai | 103.190.121.35 |

No context
                    No created / dropped files found
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.71210358456968
TrID:
• ELF Executable and Linkable format (Linux) (4029/14) 50.16%
• ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: AXMdzuyn1m.elf
File size: 89'544 bytes
MD5: d16b61e028d33909019b5b7871e3e291
SHA1: c0934180daae4b77ecac7704154c44b11ebaa196
SHA256: cf9259b6a78642be0495d041bde41bec828b4429e09d316861e74e295deb670d
SHA512: 47844ed2033a82cf95d31fcd88ec3e3f43b0f6b545e0a67bf68d221b56094f38bc967864a92ac960b20a6c94878c706f4fa1a034d702cd437b9f42d3c8452d2d
SSDEEP: 1536:0pG2cWAcCghsZcecJmR8TbDCFms8CasdPIYWdgtaEoSGtA6u0xZ:0pG3WrCEjecCIbDC0ls9ZWCt718u0x
TLSH: 01937DD1F743D4F5E89705B1513AAB335B33F0B92019EA43C7795A32EC92510DA1ABAC
File Content Preview: .ELF....................d...4...8\......4. ...(.....................p...p...............t...t...t....G..8...........Q.td............................U..S........#...h........[]...$.............U......=.....t..5...................u........t....hp...........

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8048164
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 89144
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
| Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
|---|---|---|---|---|---|---|---|---|---|---|
| | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
| .init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1 |
| .text | PROGBITS | 0x80480b0 | 0xb0 | 0xf136 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
| .fini | PROGBITS | 0x80571e6 | 0xf1e6 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1 |
| .rodata | PROGBITS | 0x8057200 | 0xf200 | 0x2270 | 0x0 | 0x2 | A | 0 | 0 | 32 |
| .ctors | PROGBITS | 0x805a474 | 0x11474 | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .dtors | PROGBITS | 0x805a480 | 0x11480 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
| .data | PROGBITS | 0x805a4a0 | 0x114a0 | 0x4758 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
| .bss | NOBITS | 0x805ec00 | 0x15bf8 | 0x49ac | 0x0 | 0x3 | WA | 0 | 0 | 32 |
| .shstrtab | STRTAB | 0x0 | 0x15bf8 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1 |

| Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
|---|---|---|---|---|---|---|---|---|---|---|---|
| LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x11470 | 0x11470 | 6.5863 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata |
| LOAD | 0x11474 | 0x805a474 | 0x805a474 | 0x4784 | 0x9138 | 0.3652 | 0x6 | RW | 0x1000 | | .ctors .dtors .data .bss |
| GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | | |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/18/24-16:37:39.484173 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33562 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:01.721748 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33550 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:05.711312 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33552 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:35:48.607861 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33530 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:31.486623 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33560 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:49.511329 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33564 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:27.126335 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33542 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:24.137046 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33540 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:54.744288 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33548 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:27.579114 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33558 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:11.201178 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33536 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:19.109664 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33538 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:45.852107 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33546 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:09.688897 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33554 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:37:16.718851 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33556 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:35:53.526573 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33532 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:02.347604 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33534 | 43957 | 192.168.2.15 | 103.167.88.226 |
| 04/18/24-16:36:39.027420 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 33544 | 43957 | 192.168.2.15 | 103.167.88.226 |
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Apr 18, 2024 16:35:48.077099085 CEST | 192.168.2.15 | 8.8.8.8 | 0x52cf | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:35:53.042655945 CEST | 192.168.2.15 | 8.8.8.8 | 0xf4dc | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:01.889796019 CEST | 192.168.2.15 | 8.8.8.8 | 0x47ec | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:10.717256069 CEST | 192.168.2.15 | 8.8.8.8 | 0x8a34 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:18.579579115 CEST | 192.168.2.15 | 8.8.8.8 | 0xaa79 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:23.604475021 CEST | 192.168.2.15 | 8.8.8.8 | 0xef0d | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:26.560929060 CEST | 192.168.2.15 | 8.8.8.8 | 0x2b53 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:37.564544916 CEST | 192.168.2.15 | 8.8.8.8 | 0x6f3f | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:45.386246920 CEST | 192.168.2.15 | 8.8.8.8 | 0xc42 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:54.213977098 CEST | 192.168.2.15 | 8.8.8.8 | 0x83a7 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:01.187628984 CEST | 192.168.2.15 | 8.8.8.8 | 0x231c | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:05.156951904 CEST | 192.168.2.15 | 8.8.8.8 | 0x796a | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:09.150681019 CEST | 192.168.2.15 | 8.8.8.8 | 0x3c2 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:16.213510036 CEST | 192.168.2.15 | 8.8.8.8 | 0xa9f0 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:27.111752987 CEST | 192.168.2.15 | 8.8.8.8 | 0xb791 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:30.943542004 CEST | 192.168.2.15 | 8.8.8.8 | 0xd8f2 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:38.926023006 CEST | 192.168.2.15 | 8.8.8.8 | 0xd28 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:48.943224907 CEST | 192.168.2.15 | 8.8.8.8 | 0x4928 | Standard query (0) | bn.networkbn.click | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Apr 18, 2024 16:35:48.181955099 CEST | 8.8.8.8 | 192.168.2.15 | 0x52cf | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:35:53.147423029 CEST | 8.8.8.8 | 192.168.2.15 | 0xf4dc | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:01.994743109 CEST | 8.8.8.8 | 192.168.2.15 | 0x47ec | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:10.828149080 CEST | 8.8.8.8 | 192.168.2.15 | 0x8a34 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:18.684766054 CEST | 8.8.8.8 | 192.168.2.15 | 0xaa79 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:23.709283113 CEST | 8.8.8.8 | 192.168.2.15 | 0xef0d | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:26.665787935 CEST | 8.8.8.8 | 192.168.2.15 | 0x2b53 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:37.669404030 CEST | 8.8.8.8 | 192.168.2.15 | 0x6f3f | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:45.491558075 CEST | 8.8.8.8 | 192.168.2.15 | 0xc42 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:36:54.319050074 CEST | 8.8.8.8 | 192.168.2.15 | 0x83a7 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:01.292706013 CEST | 8.8.8.8 | 192.168.2.15 | 0x231c | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:05.266602039 CEST | 8.8.8.8 | 192.168.2.15 | 0x796a | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:09.255547047 CEST | 8.8.8.8 | 192.168.2.15 | 0x3c2 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:16.318264961 CEST | 8.8.8.8 | 192.168.2.15 | 0xa9f0 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:27.217215061 CEST | 8.8.8.8 | 192.168.2.15 | 0xb791 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:31.048120975 CEST | 8.8.8.8 | 192.168.2.15 | 0xd8f2 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:39.030611992 CEST | 8.8.8.8 | 192.168.2.15 | 0xd28 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false
                    Apr 18, 2024 16:37:49.051467896 CEST | 8.8.8.8 | 192.168.2.15 | 0x4928 | No error (0) | bn.networkbn.click | | 103.167.88.226 | A (IP address) | IN (0x0001) | false

                    System Behavior

                    Start time (UTC):14:35:46
                    Start date (UTC):18/04/2024
                    Path:/tmp/AXMdzuyn1m.elf
                    Arguments:/tmp/AXMdzuyn1m.elf
                    File size:89544 bytes
                    MD5 hash:d16b61e028d33909019b5b7871e3e291

                    Start time (UTC):14:35:46
                    Start date (UTC):18/04/2024
                    Path:/tmp/AXMdzuyn1m.elf
                    Arguments:-
                    File size:89544 bytes
                    MD5 hash:d16b61e028d33909019b5b7871e3e291

                    Start time (UTC):14:35:46
                    Start date (UTC):18/04/2024
                    Path:/tmp/AXMdzuyn1m.elf
                    Arguments:-
                    File size:89544 bytes
                    MD5 hash:d16b61e028d33909019b5b7871e3e291