Edit tour

Linux Analysis Report
qIEANK2huJ.elf

Overview

General Information

Sample name:	qIEANK2huJ.elf renamed because original name is a hash value
Original sample name:	ea43929d4909e3e587276556a147b594.elf
Analysis ID:	1428673
MD5:	ea43929d4909e3e587276556a147b594
SHA1:	4d6282015ca7a645c01571f9c8d8456a2f50fc23
SHA256:	51ec23564f60188b7a2d834d6a3438bbd104e6ebc931036fa70013be854b46ee
Tags:	64elfmirai
Infos:

Detection

Mirai, Moobot, Okiru

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mirai

Yara detected Moobot

Yara detected Okiru

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428673
Start date and time:	2024-04-19 11:42:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	qIEANK2huJ.elf renamed because original name is a hash value
Original Sample Name:	ea43929d4909e3e587276556a147b594.elf
Detection:	MAL
Classification:	mal100.troj.linELF@0/0@19/0

Runtime Messages

Command:	/tmp/qIEANK2huJ.elf
PID:	5489
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	done.
Standard Error:

Process Tree

system is lnxubuntu20

qIEANK2huJ.elf (PID: 5489, Parent: 5413, MD5: ea43929d4909e3e587276556a147b594) Arguments: /tmp/qIEANK2huJ.elf

qIEANK2huJ.elf New Fork (PID: 5490, Parent: 5489)

qIEANK2huJ.elf New Fork (PID: 5491, Parent: 5490)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
qIEANK2huJ.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
qIEANK2huJ.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
qIEANK2huJ.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x18038:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1804c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18060:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18074:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18088:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1809c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18100:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18114:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18128:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1813c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18150:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18164:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18178:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1818c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x181a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x181b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x181c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xe820:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xefef:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0xbac6:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x10f00:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x11bfe:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_d0c57a2e	unknown	unknown	0x17176:$a: 07 0F B6 57 01 C1 E0 08 09 D0 89 06 0F BE 47 02 C1 E8 1F 89
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xebaf:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0x15196:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xee7a:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
qIEANK2huJ.elf	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0x1538f:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
qIEANK2huJ.elf	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x23c8:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
qIEANK2huJ.elf	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x4ea:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
qIEANK2huJ.elf	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x675f:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
qIEANK2huJ.elf	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x5ed:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
qIEANK2huJ.elf	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x4c62:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Click to see the 13 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5489.1.0000000000400000.000000000041b000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
5489.1.0000000000400000.000000000041b000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5489.1.0000000000400000.000000000041b000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x18038:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1804c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18060:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18074:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18088:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1809c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x180ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18100:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18114:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18128:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1813c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18150:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18164:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18178:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1818c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x181a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x181b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x181c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_9e9530a7	unknown	unknown	0xe820:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_807911a2	unknown	unknown	0xefef:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_d4227dbf	unknown	unknown	0xbac6:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00 0x10f00:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_d996d335	unknown	unknown	0x11bfe:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_d0c57a2e	unknown	unknown	0x17176:$a: 07 0F B6 57 01 C1 E0 08 09 D0 89 06 0F BE 47 02 C1 E8 1F 89
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_620087b9	unknown	unknown	0xebaf:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_0cd591cd	unknown	unknown	0x15196:$a: 4E F8 48 8D 4E D8 49 8D 42 E0 48 83 C7 03 EB 6B 4C 8B 46 F8 48 8D
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_33b4111a	unknown	unknown	0xee7a:$a: C1 83 E1 0F 74 1A B8 10 00 00 00 48 29 C8 48 8D 0C 02 48 89 DA 48
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Gafgyt_a33a8363	unknown	unknown	0x1538f:$a: 41 88 02 48 85 D2 75 ED 5A 5B 5D 41 5C 41 5D 4C 89 F0 41 5E
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Mirai_1e0c5ce0	unknown	unknown	0x23c8:$a: 4C 24 54 31 F6 41 B8 04 00 00 00 BA 03 00 00 00 C7 44 24 54 01 00
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Mirai_520deeb8	unknown	unknown	0x4ea:$a: ED 48 89 44 24 30 44 89 6C 24 10 7E 47 48 89 C1 44 89 E8 44
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Mirai_6a77af0f	unknown	unknown	0x675f:$a: 31 D1 89 0F 48 83 C7 04 85 F6 7E 3B 44 89 C8 45 89 D1 45 89 C2 41
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Mirai_01e4a728	unknown	unknown	0x5ed:$a: 44 24 23 48 8B 6C 24 28 83 F9 01 4A 8D 14 20 0F B6 02 88 45 08
5489.1.0000000000400000.000000000041b000.r-x.sdmp	Linux_Trojan_Mirai_e0cf29e2	unknown	unknown	0x4c62:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C2 83 FE 01
Process Memory Space: qIEANK2huJ.elf PID: 5489	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: qIEANK2huJ.elf PID: 5489	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: qIEANK2huJ.elf PID: 5489	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: qIEANK2huJ.elf PID: 5489	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1315:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1329:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x133d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1351:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1365:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1379:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x138d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13c9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x13f1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1405:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1419:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x142d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1441:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1455:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1469:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x147d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1491:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 17 entries

Snort Signatures

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:25.789821
SID:	2030490
Source Port:	33862
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:45:11.132803
SID:	2030490
Source Port:	33894
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:38.942356
SID:	2030490
Source Port:	33884
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:45:01.275253
SID:	2030490
Source Port:	33892
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:48.110552
SID:	2030490
Source Port:	33870
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:04.809232
SID:	2030490
Source Port:	33874
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:17.946698
SID:	2030490
Source Port:	33860
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:43.283441
SID:	2030490
Source Port:	33868
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:32.101241
SID:	2030490
Source Port:	33882
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:56.946679
SID:	2030490
Source Port:	33872
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:13.088628
SID:	2030490
Source Port:	33858
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:15.459459
SID:	2030490
Source Port:	33878
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:38.464567
SID:	2030490
Source Port:	33866
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:56.449396
SID:	2030490
Source Port:	33890
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:24.263485
SID:	2030490
Source Port:	33880
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:49.614793
SID:	2030490
Source Port:	33888
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:43:29.629925
SID:	2030490
Source Port:	33864
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:44.772695
SID:	2030490
Source Port:	33886
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.14 - Destination IP: 103.174.73.85

Timestamp:	04/19/24-11:44:12.640433
SID:	2030490
Source Port:	33876
Destination Port:	29989
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qIEANK2huJ.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: qIEANK2huJ.elf	Virustotal: Detection: 39%			Perma Link
Source: qIEANK2huJ.elf	ReversingLabs: Detection: 63%

Machine Learning detection for sample

Source: qIEANK2huJ.elf

Joe Sandbox ML: detected

Source: qIEANK2huJ.elf

String: HTTP/1.1 200 OKbulus.armbulus.arm5bulus.arm6bulus.arm7bulus.mipsbulus.mpslbulus.x86_64bulus.sh4abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZanko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-server/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofia/var/Bulusshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/3f

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33858 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33860 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33862 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33864 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33866 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33868 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33870 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33872 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33874 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33876 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33878 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33880 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33882 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33884 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33886 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33888 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33890 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33892 -> 103.174.73.85:29989
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:33894 -> 103.174.73.85:29989

Source: global traffic

TCP traffic: 192.168.2.14:33858 -> 103.174.73.85:29989

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26

Source: unknown

DNS traffic detected: queries for: proxy.heleh.vn

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKbulus.armbulus.arm5bulus.arm6bulus.arm7bulus.mipsbulus.mpslbulus.x86_64bulus.sh4abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZanko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-server/proc/%d/exe/tmp/%s%s%c/proc/self/cmdline/proc/%d/proc/self/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofia/var/Bulusshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: qIEANK2huJ.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.linELF@0/0@19/0

Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1593/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3094/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3406/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1589/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3402/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/806/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/807/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/928/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/135/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3412/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/3672/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/1371/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/262/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/142/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/263/cmdline	Jump to behavior
Source: /tmp/qIEANK2huJ.elf (PID: 5491)	File opened: /proc/264/cmdline	Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: qIEANK2huJ.elf, type: SAMPLE
Source: Yara match	File source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: qIEANK2huJ.elf, type: SAMPLE
Source: Yara match	File source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: qIEANK2huJ.elf, type: SAMPLE
Source: Yara match	File source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR

Remote Access Functionality

Detected Mirai

Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)

Yara detected Mirai

Source: Yara match	File source: qIEANK2huJ.elf, type: SAMPLE
Source: Yara match	File source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: qIEANK2huJ.elf, type: SAMPLE
Source: Yara match	File source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR

Yara detected Okiru

Source: Yara match	File source: qIEANK2huJ.elf, type: SAMPLE
Source: Yara match	File source: 5489.1.0000000000400000.000000000041b000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qIEANK2huJ.elf PID: 5489, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qIEANK2huJ.elf	39%	Virustotal		Browse
qIEANK2huJ.elf	63%	ReversingLabs	Linux.Trojan.Mirai
qIEANK2huJ.elf	100%	Avira	EXP/ELF.Mirai.Z.A
qIEANK2huJ.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
proxy.heleh.vn	3%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
proxy.heleh.vn	103.174.73.85	true	true	3%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.174.73.85	proxy.heleh.vn	unknown		7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
103.174.73.85	evYVOXt11H.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	BxEMaAYhqP.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	9PYUxFx9pK.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	bulus.arm7.elf	Get hash	malicious	Mirai	Browse
	bulus.arm5.elf	Get hash	malicious	Mirai	Browse
	bulus.arm.elf	Get hash	malicious	Mirai	Browse
	bulus.x86.elf	Get hash	malicious	Mirai	Browse
185.125.190.26	PN9QHDmpS1.elf	Get hash	malicious	Mirai, Okiru	Browse
	eGjHpgUwlt.elf	Get hash	malicious	Mirai, Okiru	Browse
	9PYUxFx9pK.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	vlxx.arm7-20240418-1854.elf	Get hash	malicious	Mirai, Okiru	Browse
	vlxx.x86_64-20240418-1853.elf	Get hash	malicious	Mirai, Okiru	Browse
	G9J8ic1utC.elf	Get hash	malicious	Unknown	Browse
	Ja84Oghm6q.elf	Get hash	malicious	Mirai, Okiru	Browse
	QpHMHEg6OQ.elf	Get hash	malicious	Chaos	Browse
	c1N1s54Xz4.elf	Get hash	malicious	Mirai, Okiru	Browse
	sNUnKpshtR.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
proxy.heleh.vn	evYVOXt11H.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	103.174.73.85
	BxEMaAYhqP.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	103.174.73.85
	9PYUxFx9pK.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	103.174.73.85

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	FZqYclxRiu.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	PN9QHDmpS1.elf	Get hash	malicious	Mirai, Okiru	Browse	185.125.190.26
	eGjHpgUwlt.elf	Get hash	malicious	Mirai, Okiru	Browse	185.125.190.26
	qlt52dfogC.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	9PYUxFx9pK.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	185.125.190.26
	46t2vW6nO9.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	l1uxT537eS.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	4wngRroxli.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	XioVUcbE3G.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	85x5rW00VC.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	evYVOXt11H.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	103.174.73.85
	BxEMaAYhqP.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	103.174.73.85
	9PYUxFx9pK.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	103.174.73.85
	BzmhHwFpCV.elf	Get hash	malicious	Mirai	Browse	103.189.218.40
	Gq7FlDf6cE.elf	Get hash	malicious	Mirai	Browse	103.183.144.21
	XY2I8rWLkM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.171
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.171
	Ja84Oghm6q.elf	Get hash	malicious	Mirai, Okiru	Browse	103.167.88.226
	eHFldFkJF4.elf	Get hash	malicious	Mirai, Okiru	Browse	103.167.88.226

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.2927805502529655
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	qIEANK2huJ.elf
File size:	146'904 bytes
MD5:	ea43929d4909e3e587276556a147b594
SHA1:	4d6282015ca7a645c01571f9c8d8456a2f50fc23
SHA256:	51ec23564f60188b7a2d834d6a3438bbd104e6ebc931036fa70013be854b46ee
SHA512:	6b31f5dbe1371bdb9850bb82dfb36f75707a77b0fc8afdf9dbad16e0b004c9d717876715c04b57ee5d46464d0c50a9dc12880ef2eb59f8b1226f51b9ea459bb6
SSDEEP:	3072:rJaDjzXRdr5Hy2Y0hXWotW7t9IvYmdQV+eFvCd7zfHOUWxub:rJaDjzXRddueULvCBOub
TLSH:	51E33A07B5C184FDC4DAC1B44B9BF53ADD31F0981238F26B27C8AA261E8EE215F5DA54
File Content Preview:	.ELF..............>.......@.....@.......X;..........@.8...@.......................@.......@...............................................Q.......Q.....p.......................Q.td....................................................H...._.....y..H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	146264
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0x179e6	0x0	0x6	AX	16
.fini	PROGBITS	0x417ae6	0x17ae6	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x417b00	0x17b00	0x31a0	0x0	0x2	A	32
.ctors	PROGBITS	0x51aca8	0x1aca8	0x18	0x0	0x3	WA	8
.dtors	PROGBITS	0x51acc0	0x1acc0	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x51ace0	0x1ace0	0x8e38	0x0	0x3	WA	32
.bss	NOBITS	0x523b20	0x23b18	0x72a0	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x23b18	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1aca0	0x1aca0	6.3958	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0x1aca8	0x51aca8	0x51aca8	0x8e70	0x10118	0.2285	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/19/24-11:43:25.789821	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33862	29989	192.168.2.14	103.174.73.85
04/19/24-11:45:11.132803	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33894	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:38.942356	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33884	29989	192.168.2.14	103.174.73.85
04/19/24-11:45:01.275253	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33892	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:48.110552	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33870	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:04.809232	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33874	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:17.946698	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33860	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:43.283441	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33868	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:32.101241	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33882	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:56.946679	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33872	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:13.088628	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33858	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:15.459459	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33878	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:38.464567	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33866	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:56.449396	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33890	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:24.263485	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33880	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:49.614793	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33888	29989	192.168.2.14	103.174.73.85
04/19/24-11:43:29.629925	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33864	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:44.772695	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33886	29989	192.168.2.14	103.174.73.85
04/19/24-11:44:12.640433	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	33876	29989	192.168.2.14	103.174.73.85

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 11:43:12.724200010 CEST	33858	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:13.088493109 CEST	29989	33858	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:13.088555098 CEST	33858	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:13.088628054 CEST	33858	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:13.453591108 CEST	29989	33858	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:13.453619957 CEST	29989	33858	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:13.453701019 CEST	33858	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:13.821602106 CEST	29989	33858	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:17.559082031 CEST	33860	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:17.946537971 CEST	29989	33860	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:17.946697950 CEST	33860	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:17.946697950 CEST	33860	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:18.327483892 CEST	29989	33860	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:18.327539921 CEST	29989	33860	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:18.327660084 CEST	33860	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:18.709070921 CEST	29989	33860	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:21.244667053 CEST	46540	443	192.168.2.14	185.125.190.26
Apr 19, 2024 11:43:25.432941914 CEST	33862	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:25.789611101 CEST	29989	33862	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:25.789732933 CEST	33862	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:25.789820910 CEST	33862	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:26.146998882 CEST	29989	33862	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:26.147067070 CEST	29989	33862	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:26.147178888 CEST	33862	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:26.504025936 CEST	29989	33862	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:29.252522945 CEST	33864	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:29.629554987 CEST	29989	33864	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:29.629720926 CEST	33864	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:29.629925013 CEST	33864	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:30.006874084 CEST	29989	33864	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:30.006900072 CEST	29989	33864	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:38.112827063 CEST	33866	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:38.464241028 CEST	29989	33866	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:38.464483023 CEST	33866	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:38.464566946 CEST	33866	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:38.816557884 CEST	29989	33866	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:38.816623926 CEST	29989	33866	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:38.816905975 CEST	33866	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:39.168215990 CEST	29989	33866	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:42.922288895 CEST	33868	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:43.283204079 CEST	29989	33868	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:43.283363104 CEST	33868	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:43.283441067 CEST	33868	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:43.644448042 CEST	29989	33868	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:43.644642115 CEST	33868	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:43.645654917 CEST	29989	33868	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:44.007049084 CEST	29989	33868	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:47.750577927 CEST	33870	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:48.110322952 CEST	29989	33870	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:48.110501051 CEST	33870	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:48.110552073 CEST	33870	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:48.471185923 CEST	29989	33870	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:48.471218109 CEST	29989	33870	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:48.471369028 CEST	33870	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:48.831150055 CEST	29989	33870	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:52.219463110 CEST	46540	443	192.168.2.14	185.125.190.26
Apr 19, 2024 11:43:56.576366901 CEST	33872	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:56.946508884 CEST	29989	33872	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:56.946640015 CEST	33872	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:56.946679115 CEST	33872	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:57.317478895 CEST	29989	33872	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:57.317572117 CEST	29989	33872	103.174.73.85	192.168.2.14
Apr 19, 2024 11:43:57.317725897 CEST	33872	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:43:57.687920094 CEST	29989	33872	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:03.423755884 CEST	33874	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:04.443001032 CEST	33874	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:04.808965921 CEST	29989	33874	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:04.809143066 CEST	33874	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:04.809231997 CEST	33874	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:05.173723936 CEST	29989	33874	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:05.173887968 CEST	29989	33874	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:05.174062014 CEST	33874	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:05.538703918 CEST	29989	33874	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:12.279362917 CEST	33876	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:12.640183926 CEST	29989	33876	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:12.640433073 CEST	33876	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:12.640433073 CEST	33876	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:12.999819040 CEST	29989	33876	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:12.999862909 CEST	29989	33876	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:13.000149012 CEST	33876	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:13.358267069 CEST	29989	33876	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:15.105397940 CEST	33878	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:15.459202051 CEST	29989	33878	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:15.459388018 CEST	33878	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:15.459459066 CEST	33878	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:15.812536001 CEST	29989	33878	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:15.812587976 CEST	29989	33878	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:15.812752962 CEST	33878	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:16.166337013 CEST	29989	33878	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:23.918390036 CEST	33880	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:24.263173103 CEST	29989	33880	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:24.263386011 CEST	33880	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:24.263484955 CEST	33880	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:24.607346058 CEST	29989	33880	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:24.608362913 CEST	29989	33880	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:24.608607054 CEST	33880	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:24.950685978 CEST	29989	33880	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:30.713773012 CEST	33882	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:31.738009930 CEST	33882	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:32.100961924 CEST	29989	33882	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:32.101095915 CEST	33882	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:32.101241112 CEST	33882	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:32.108963966 CEST	29989	33882	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:32.109035015 CEST	33882	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:32.472320080 CEST	29989	33882	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:32.472363949 CEST	29989	33882	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:32.472547054 CEST	33882	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:32.843615055 CEST	29989	33882	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:38.577933073 CEST	33884	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:38.942030907 CEST	29989	33884	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:38.942289114 CEST	33884	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:38.942356110 CEST	33884	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:39.307466984 CEST	29989	33884	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:39.307501078 CEST	29989	33884	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:39.307670116 CEST	33884	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:39.671627045 CEST	29989	33884	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:44.413073063 CEST	33886	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:44.772452116 CEST	29989	33886	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:44.772607088 CEST	33886	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:44.772695065 CEST	33886	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:45.132818937 CEST	29989	33886	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:45.132879019 CEST	29989	33886	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:45.133040905 CEST	33886	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:46.073496103 CEST	33886	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:46.433670044 CEST	29989	33886	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:49.238615990 CEST	33888	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:49.614434004 CEST	29989	33888	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:49.614793062 CEST	33888	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:49.614793062 CEST	33888	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:49.990971088 CEST	29989	33888	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:49.991179943 CEST	29989	33888	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:49.991451025 CEST	33888	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:50.366899967 CEST	29989	33888	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:56.096395969 CEST	33890	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:56.449105024 CEST	29989	33890	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:56.449320078 CEST	33890	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:56.449395895 CEST	33890	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:56.802879095 CEST	29989	33890	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:56.802948952 CEST	29989	33890	103.174.73.85	192.168.2.14
Apr 19, 2024 11:44:56.803164959 CEST	33890	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:44:57.156075001 CEST	29989	33890	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:00.912048101 CEST	33892	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:01.274947882 CEST	29989	33892	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:01.275120974 CEST	33892	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:01.275253057 CEST	33892	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:01.637595892 CEST	29989	33892	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:01.637665987 CEST	29989	33892	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:01.637789011 CEST	33892	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:01.999730110 CEST	29989	33892	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:10.742659092 CEST	33894	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:11.132606030 CEST	29989	33894	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:11.132802963 CEST	33894	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:11.132802963 CEST	33894	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:11.522138119 CEST	29989	33894	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:11.522177935 CEST	29989	33894	103.174.73.85	192.168.2.14
Apr 19, 2024 11:45:11.522417068 CEST	33894	29989	192.168.2.14	103.174.73.85
Apr 19, 2024 11:45:11.912370920 CEST	29989	33894	103.174.73.85	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 11:43:12.618792057 CEST	45788	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:12.723866940 CEST	53	45788	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:17.453682899 CEST	43128	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:17.558814049 CEST	53	43128	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:25.327558994 CEST	36823	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:25.432802916 CEST	53	36823	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:29.147330046 CEST	44501	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:29.252336025 CEST	53	44501	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:38.007075071 CEST	39961	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:38.112550974 CEST	53	39961	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:42.816909075 CEST	33793	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:42.922005892 CEST	53	33793	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:47.644846916 CEST	55072	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:47.750328064 CEST	53	55072	8.8.8.8	192.168.2.14
Apr 19, 2024 11:43:56.471287966 CEST	47062	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:43:56.576196909 CEST	53	47062	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:03.317712069 CEST	42298	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:03.423546076 CEST	53	42298	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:12.174050093 CEST	39929	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:12.279026985 CEST	53	39929	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:15.000186920 CEST	43664	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:15.105170012 CEST	53	43664	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:23.812866926 CEST	58104	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:23.918045998 CEST	53	58104	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:30.608407974 CEST	54085	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:30.713524103 CEST	53	54085	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:38.472518921 CEST	56895	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:38.577632904 CEST	53	56895	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:44.307732105 CEST	45393	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:44.412899017 CEST	53	45393	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:49.133162022 CEST	59676	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:49.238435030 CEST	53	59676	8.8.8.8	192.168.2.14
Apr 19, 2024 11:44:55.991396904 CEST	60016	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:44:56.096182108 CEST	53	60016	8.8.8.8	192.168.2.14
Apr 19, 2024 11:45:00.803287029 CEST	56131	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:45:00.911747932 CEST	53	56131	8.8.8.8	192.168.2.14
Apr 19, 2024 11:45:10.637712002 CEST	44777	53	192.168.2.14	8.8.8.8
Apr 19, 2024 11:45:10.742415905 CEST	53	44777	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 11:43:12.618792057 CEST	192.168.2.14	8.8.8.8	0x98fb	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:17.453682899 CEST	192.168.2.14	8.8.8.8	0xcf04	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:25.327558994 CEST	192.168.2.14	8.8.8.8	0x91bd	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:29.147330046 CEST	192.168.2.14	8.8.8.8	0x2d28	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:38.007075071 CEST	192.168.2.14	8.8.8.8	0x74b7	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:42.816909075 CEST	192.168.2.14	8.8.8.8	0x27c7	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:47.644846916 CEST	192.168.2.14	8.8.8.8	0x1193	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:56.471287966 CEST	192.168.2.14	8.8.8.8	0xb567	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:03.317712069 CEST	192.168.2.14	8.8.8.8	0x313c	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:12.174050093 CEST	192.168.2.14	8.8.8.8	0x27cc	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:15.000186920 CEST	192.168.2.14	8.8.8.8	0x1a0f	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:23.812866926 CEST	192.168.2.14	8.8.8.8	0xf98c	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:30.608407974 CEST	192.168.2.14	8.8.8.8	0xb8ea	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:38.472518921 CEST	192.168.2.14	8.8.8.8	0xccdd	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:44.307732105 CEST	192.168.2.14	8.8.8.8	0x9d1b	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:49.133162022 CEST	192.168.2.14	8.8.8.8	0x83e2	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:55.991396904 CEST	192.168.2.14	8.8.8.8	0xe551	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:45:00.803287029 CEST	192.168.2.14	8.8.8.8	0xfddc	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:45:10.637712002 CEST	192.168.2.14	8.8.8.8	0xff08	Standard query (0)	proxy.heleh.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 11:43:12.723866940 CEST	8.8.8.8	192.168.2.14	0x98fb	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:17.558814049 CEST	8.8.8.8	192.168.2.14	0xcf04	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:25.432802916 CEST	8.8.8.8	192.168.2.14	0x91bd	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:29.252336025 CEST	8.8.8.8	192.168.2.14	0x2d28	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:38.112550974 CEST	8.8.8.8	192.168.2.14	0x74b7	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:42.922005892 CEST	8.8.8.8	192.168.2.14	0x27c7	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:47.750328064 CEST	8.8.8.8	192.168.2.14	0x1193	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:43:56.576196909 CEST	8.8.8.8	192.168.2.14	0xb567	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:03.423546076 CEST	8.8.8.8	192.168.2.14	0x313c	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:12.279026985 CEST	8.8.8.8	192.168.2.14	0x27cc	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:15.105170012 CEST	8.8.8.8	192.168.2.14	0x1a0f	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:23.918045998 CEST	8.8.8.8	192.168.2.14	0xf98c	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:30.713524103 CEST	8.8.8.8	192.168.2.14	0xb8ea	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:38.577632904 CEST	8.8.8.8	192.168.2.14	0xccdd	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:44.412899017 CEST	8.8.8.8	192.168.2.14	0x9d1b	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:49.238435030 CEST	8.8.8.8	192.168.2.14	0x83e2	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:44:56.096182108 CEST	8.8.8.8	192.168.2.14	0xe551	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:45:00.911747932 CEST	8.8.8.8	192.168.2.14	0xfddc	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false
Apr 19, 2024 11:45:10.742415905 CEST	8.8.8.8	192.168.2.14	0xff08	No error (0)	proxy.heleh.vn	103.174.73.85	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: qIEANK2huJ.elf PID: 5489, Parent PID: 5413

General

Start time (UTC):	09:43:11
Start date (UTC):	19/04/2024
Path:	/tmp/qIEANK2huJ.elf
Arguments:	/tmp/qIEANK2huJ.elf
File size:	146904 bytes
MD5 hash:	ea43929d4909e3e587276556a147b594

Start time (UTC):	09:43:11
Start date (UTC):	19/04/2024
Path:	/tmp/qIEANK2huJ.elf
Arguments:	-
File size:	146904 bytes
MD5 hash:	ea43929d4909e3e587276556a147b594

Start time (UTC):	09:43:11
Start date (UTC):	19/04/2024
Path:	/tmp/qIEANK2huJ.elf
Arguments:	-
File size:	146904 bytes
MD5 hash:	ea43929d4909e3e587276556a147b594

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report qIEANK2huJ.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: qIEANK2huJ.elf PID: 5489, Parent PID: 5413

General

Chronological Activities

Analysis Process: qIEANK2huJ.elf PID: 5490, Parent PID: 5489

General

Chronological Activities

Analysis Process: qIEANK2huJ.elf PID: 5491, Parent PID: 5490

General

Chronological Activities

Linux Analysis Report
qIEANK2huJ.elf