Edit tour

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf

Overview

General Information

Sample name:	SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Analysis ID:	1430166
MD5:	05d0269acbc7a252fc62179aef3f9676
SHA1:	7b5376b5a15ade914ad1432e91d0a785435635dd
SHA256:	7501e8af6a2d3e35fa5ef5a3acab845e251bc92b2c97555ef425fbbafa63b9cb
Tags:	elf
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Queries the IP of a very long domain name

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to kill multiple processes (SIGKILL)

Connects to many different domains

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430166
Start date and time:	2024-04-23 08:36:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Detection:	MAL
Classification:	mal64.spre.troj.evad.linELF@0/0@81/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
VT rate limit hit for: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
PID:	6219
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	black botnet voodoo
Standard Error:

Process Tree

system is lnxubuntu20

SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6219, Parent: 6135, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf

SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf New Fork (PID: 6221, Parent: 6219)

SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf New Fork (PID: 6223, Parent: 6221)

SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf New Fork (PID: 6224, Parent: 6221)

SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf New Fork (PID: 6226, Parent: 6221)

SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf New Fork (PID: 6229, Parent: 6221)

systemd New Fork (PID: 6231, Parent: 1)

journalctl (PID: 6231, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --smart-relinquish-var

systemd New Fork (PID: 6252, Parent: 1)

dbus-daemon (PID: 6252, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

gdm3 New Fork (PID: 6265, Parent: 1320)

Default (PID: 6265, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gvfsd-fuse New Fork (PID: 6267, Parent: 2038)

fusermount (PID: 6267, Parent: 2038, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

systemd New Fork (PID: 6268, Parent: 1)

rsyslogd (PID: 6268, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

gdm3 New Fork (PID: 6271, Parent: 1320)

Default (PID: 6271, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6274, Parent: 1)

systemd-journald (PID: 6274, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6275, Parent: 1)

dbus-daemon (PID: 6275, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

gdm3 New Fork (PID: 6276, Parent: 1320)

Default (PID: 6276, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 6277, Parent: 1)

systemd-journald (PID: 6277, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6278, Parent: 1)

rsyslogd (PID: 6278, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6280, Parent: 1)

dbus-daemon (PID: 6280, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6281, Parent: 1)

systemd-journald (PID: 6281, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6282, Parent: 1)

dbus-daemon (PID: 6282, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6283, Parent: 1)

rsyslogd (PID: 6283, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6285, Parent: 1)

systemd-journald (PID: 6285, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6286, Parent: 1)

dbus-daemon (PID: 6286, Parent: 1, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

systemd New Fork (PID: 6287, Parent: 1)

systemd-journald (PID: 6287, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6288, Parent: 1)

rsyslogd (PID: 6288, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

systemd New Fork (PID: 6292, Parent: 1)

rsyslogd (PID: 6292, Parent: 1, MD5: 0b8087fc907c42eb3c81a691db258e33) Arguments: /usr/sbin/rsyslogd -n -iNONE

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf

ReversingLabs: Detection: 39%

Networking

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fBBPV!PV,E4@@kmP}l0"n.6AW'fS66PV,PV!.EH(
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNr66PV,PV!EH(3[5LW'f*sNNPV!PV,E@"F@@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'f,66PV,PV!EH(5U5/W'f-NNPV!PV,E@"l@@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'f66PV,PV!EH(3T5ZW'fNNPV!PV,E@"o@@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'f566PV,PV!EH(4)5eW'fJJPV!PV,E<l@@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fneJJPV!PV,E<A@WE l@@HJPINGW'f?+NNPV.PV,E@<@@V[%&5
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'f<NNPV!PV,E@@i@@R[%5,5kzadolfhitlersusW'fBB
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fBBPV!PV,E4[@@[[*gBfP_DS;fQ!W'fyNNNPV!PV,.E@D@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.&W'f`NNPV!PV,E@EO@@M[%5,S5kzadolfhitlersus'W'f]BB
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.'W'f]BBPV!PV,E4a@@_S[[+T>V48_i+W'frJJPV!PV,.E<D6@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.8W'fJNNPV!PV,E@t@@Q5,KMFWkzadolfhitlersun=W'f41N
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.=W'f41NNPV!PV,E@t@@#5,4XFWkzadolfhitlersunBW'f'CN
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.BW'f'CNNPV!PV,E@y@@5,uFWkzadolfhitlersunFW'f.B
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.FW'f.BBPV!PV,E4\@@[[*gBfP_SfQGW'fTNNPV!.V,E@}@@h5,XFWkzadolfhitlersunLW'ffJ
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.LW'ffJJPV!PV,E<@@FU#LW'f`66
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.NW'f66PV,PV!E((E23;5`NW'fNNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.NW'fB66PV,PV!E((E23;5NW'f8DNNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.NW'f66PV,PV!E((E23;5NW'fNNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.NW'f#66PV,PV!E((E23;5jNW'f$NNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.OW'fR66PV,PV!E((E23;54]OW'fJSJJPV!PV,E<.@@Z3FN[b=#OW'fkK66PV,PV!E((@0FN[.QW'fLNNPV!PV,E@(@@K$5,5kz.adolfhitler.su.QW'fY66PV,PV!E((e>45$CQW'fNNPV!PV,E@.@@J5,-kzadolfhitle.sunQW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.QW'fY66PV,PV!E((e>45$CQW'fNNPV!PV,E@.@@J5,-kzadolfhitle.sunQW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.QW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.QW'fa66PV,PV!E((e]55QW'fBbNNPV!PV,E@.@@JF5,kzadolfhitlersunQW'.m66PV,PV!E((es55FU!QW'fNNPV!PV,E@A.@Jr5,kzadolfhitlersunQW'f
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.QW'fm66PV,PV!E((es55FU!QW'fNNPV!PV,E@.@@Jr5,kzadolfhitlersunQW'f
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.QW'f66PV,PV!E((e55rcQW'fJJPV!PV,E<W.@@@FqN}#QW'f66PV,PV!E((@0F.qP*SW'.NNPV!PV,E@\@@J5,MAsiegheilhitersunTW'fS-6.PV,PV!E((f465i
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.TW'fS-66PV,PV!E((f465iTW'f?NNPV!PV,E@.@@J5,hsiegheilhitersunTW'f66PV,PV!E((f4$
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.TW'f66PV,PV!E((f4$5 TW'fNNPV!PV,E@.@@J?5,XsiegheilhitersunTW'fW66PV,PV!E((g45?
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.TW'fW66PV,PV!E((g45?TW'fNNPV!PV,E@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.TW'fS66PV,PV!E((g45STW'fTNNPV!PV,E@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.TW'fD66PV,PV!E((g%45.TW'fJJPV!PV,E<.@@4F..1
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.VW'f66PV,PV!EH(v.5-VW'fnNNPV!PV,E@.@@5,kzado.fhitlersunVW'fq]66PV,PV!EH(t57VW'f^NNPV!
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.VW'fq]66PV,PV!EH(t57VW'f^NNPV!PV,E@.@@%5,ukzadolfhitle.sunVW'f66PV,PV!EH(@tm5%VW'fNNPV!PV,E@.@@5,hEkzadolfhitlersun.W'f66PV,PV!EH(kv5xVW'fNN.V!PV,E@I@@/5,[kzadolfhitlersunWW'f.%66PV,PV!EH(it5/WW'f-JJPV!PV,E
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.VW'f66PV,PV!EH(@tm5%VW'fNNPV!PV,E@.@@5,hEkzadolfhitlersun.W'f66PV,PV!EH(kv5xVW'fNN.V!PV,E@I@@/5,[kzadolfhitlersunWW'f.%66PV,PV!EH(it5/WW'f-JJPV!PV,E
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.VW'f66PV,PV!EH(kv5xVW'fNNPV!PV,E@.@@/5,[kzadolfhitlersunWW'fa%66
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.WW'fa%66PV,PV!EH(it5/WW'f-JJPV!PV,E<
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.YW'fZ66PV,PV!EH(F2>Q5XbYW'faNNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.YW'f66PV,PV!EH(Y2>Q5}YW'fNNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.YW'f66PV,PV!E((z.BQ5yUYW'f`NNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.ZW'f*366PV,PV!E((.BQ5s#ZW'f\4NNPV!PV,E@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.ZW'f66PV,PV!E((-CQ5eZW'f!JJPV!PV,E<.@@8nF-If#ZW'.66PV,PV!E((@0F.PZW'fHOBBPV!PV,E4a.@_R[[+T>V48_i\W'fVVPV
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.\W'f66PV,PV!EH(L65m\W'fVVPV!PV,EH@@
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.\W'f66PV,PV!EH(L165s\W'fVVPV!PV,EH<@@
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.\W'fk66PV,PV!EH(LD65\W'fVVPV!PV,EHR@@
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.]W'f66PV,PV!EH(Ln652~]W'fVVPV!PV,EH^@@
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.]W'f66PV,PV!EH(Lp65$]W'f:JJPV!PV,E<@@
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security._W'f)k66PV,PV!EH(g2=Q5!`h_W'fkVVPV!PV,EH@@.Q54.hsexsecure-cyber-securitys_W'f:M66PV,PV!EH(2=Q5h_W'fNV
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security._W'f:M66PV,PV!EH(2=Q5h_W'fNVVPV!PV,EH@@.Q54
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security._W'f/66PV,PV!E((.AQ5h_W'fMVVPV!PV,EH@@.jQ54
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.`W'f66PV,PV!E((.AQ5h(h`W'fVVPV!PV,EH@@.iQ54
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.`W'fAf66PV,PV!EH(2=PQ5h`W'fgJJPV!PV,E<@@.FnY:n#`W'f`66PV,PV!E((@0FnY;P+bW.f<bWWPV!PV,EIan@@Eh
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.}W'fO66PV,PV!E((/3M58}W'f<QNNPV!PV,E@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.~W'f66PV,PV!E((5/3M5*8~W'fNNPV!PV,E@.@@3M5,H8
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.~W'f-66PV,PV!E((a/3M58~W'fNNPV!PV,E@.@@3M5,o8siegheilhitersun.~.'f\|!66PV,PV!E((\|/3M58~W'f-#NNPV
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.~W'f\|!66PV,PV!E((\|/3M58~W'f-#NNPV!PV,E@.@@3M5,Q8siegheilhitersun~W'f'66PV,PV!E((.n3M58~W'fAJJ
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.~W'f'66PV,PV!E((/n3M58~W'fAJJPV!PV,E<r
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNNPV!PV,E@4@@[%5,=^b,kzadolfhitlersunW'f3N
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'f3NNPV!PV,E@)@@[%e5,wb,kzadolfhitlersunW'fN
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNNPV!PV,E@ @@[%d5,Tb,kzadolfhitlersunW'fN
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNNPV!PV,E@@@Q[%i5,6b,kzadolfhitlersunW'fJ
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fJJPV!PV,E<C@@FV#W'f66

Source: unknown

Network traffic detected: DNS query count 63

Source: global traffic	TCP traffic: 192.168.2.23:55764 -> 212.70.149.14:35342
Source: global traffic	TCP traffic: 192.168.2.23:41854 -> 212.70.149.10:35342

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6219)

Socket: 127.0.0.1::8345

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: sex.secure-cyber-security

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1 (init), result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 491, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 761, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 797, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1389, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1476, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1888, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1890, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 2009, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 2038, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 4522, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6043, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6202, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6203, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6224, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6226, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6229, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6231, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6252, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6266, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6267, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6268, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6271, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6274, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6275, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6277, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6278, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6279, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6280, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6281, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6282, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6283, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6284, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6285, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6286, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6288, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6289, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6292, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6293, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x400000

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1 (init), result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 491, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 658, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 761, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 774, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 777, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 785, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 797, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1344, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1389, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1476, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1886, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1888, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1890, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 2009, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 2038, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 4522, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6043, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6202, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6203, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6224, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6226, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6229, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6231, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6252, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6266, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6267, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6268, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6271, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6274, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6275, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6277, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6278, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6279, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6280, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6281, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6282, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6283, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6284, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6285, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6286, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6288, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6289, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6292, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6223)	SIGKILL sent: pid: 6293, result: successful	Jump to behavior

Source: classification engine

Classification label: mal64.spre.troj.evad.linELF@0/0@81/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /usr/bin/dbus-daemon (PID: 6275)	File: /proc/6275/mounts			Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6286)	File: /proc/6286/mounts			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6219)

File: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf

Jump to behavior

Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf	Submission file: segment LOAD with 7.8945 entropy (max. 8.0)
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf	Submission file: segment LOAD with 7.9564 entropy (max. 8.0)

Source: /tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf (PID: 6219)

Queries kernel information via 'uname':

Jump to behavior

Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00007f71b844e000.00007f71b8451000.rw-.sdmp	Binary or memory string: 01!/tmp/hsperfdata_root!1/tmp/vmware-root_721-42905598891
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6219.1.00005575a6142000.00005575a61f1000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6224.1.00005575a6142000.00005575a61f1000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6226.1.00005575a6142000.00005575a61f1000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00005575a6142000.00005575a61f1000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6219.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6224.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6226.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00005575a6142000.00005575a61f1000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_721-4290559889
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00005575a6142000.00005575a61f1000.rw-.sdmp	Binary or memory string: p/vmware-root_72!
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00005575a6142000.00005575a61f1000.rw-.sdmp	Binary or memory string: uU/mips/p/vmware-root_72!
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00007f71b844e000.00007f71b8451000.rw-.sdmp	Binary or memory string: 1/tmp/vmware-root_721-4290559889
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6219.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6224.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6226.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00007fffaeaca000.00007fffaeaeb000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6219.1.00005575a6142000.00005575a61f1000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6224.1.00005575a6142000.00005575a61f1000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6226.1.00005575a6142000.00005575a61f1000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00005575a6142000.00005575a61f1000.rw-.sdmp	Binary or memory string: uU!/etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00007f71b8442000.00007f71b844e000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889
Source: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf, 6229.1.00005575a6142000.00005575a61f1000.rw-.sdmp	Binary or memory string: uU1/tmp/vmware-root_721-4290559889

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf	39%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
security.rebirth-network.su	212.70.149.10	true	false	unknown
siegheil.hiter.su.~W'f'66PV,PV!E((/n3M58~W'fAJJPV!PV,E<r	unknown	unknown	true	low
kz.adolfhitler.su.&W'f`NNPV!PV,E@EO@@M[%5,S5kzadolfhitlersus'W'f]BB	unknown	unknown	true	unknown
kz.adolfhitler.su.W'fNNPV!PV,E@ @@[%d5,Tb,kzadolfhitlersunW'fN	unknown	unknown	true	unknown
kz.adolfhitler.su.VW'fq]66PV,PV!EH(t57VW'f^NNPV!PV,E@.@@%5,ukzadolfhitle.sunVW'f66PV,PV!EH(@tm5%VW'fNNPV!PV,E@.@@5,hEkzadolfhitlersun.W'f66PV,PV!EH(kv5xVW'fNN.V!PV,E@I@@/5,[kzadolfhitlersunWW'f.%66PV,PV!EH(it5/WW'f-JJPV!PV,E	unknown	unknown	true	low
sex.secure-cyber-security.`W'f66PV,PV!E((.AQ5h(h`W'fVVPV!PV,EH@@.iQ54	unknown	unknown	true	unknown
kz.adolfhitler.su.W'f566PV,PV!EH(4)5eW'fJJPV!PV,E<l@@	unknown	unknown	true	unknown
sex.secure-cyber-security._W'f)k66PV,PV!EH(g2=Q5!`h_W'fkVVPV!PV,EH@@.Q54.hsexsecure-cyber-securitys_W'f:M66PV,PV!EH(2=Q5h_W'fNV	unknown	unknown	true	unknown
kz.adolfhitler.su.VW'f66PV,PV!EH(kv5xVW'fNNPV!PV,E@.@@/5,[kzadolfhitlersunWW'fa%66	unknown	unknown	true	low
kz.adolfhitler.su.8W'fJNNPV!PV,E@t@@Q5,KMFWkzadolfhitlersun=W'f41N	unknown	unknown	true	unknown
kz.adolfhitler.su.ZW'f*366PV,PV!E((.BQ5s#ZW'f\4NNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.=W'f41NNPV!PV,E@t@@#5,4XFWkzadolfhitlersunBW'f'CN	unknown	unknown	true	unknown
sex.secure-cyber-security.`W'fAf66PV,PV!EH(2=PQ5h`W'fgJJPV!PV,E<@@.FnY:n#`W'f`66PV,PV!E((@0FnY;P+bW.f<bWWPV!PV,EIan@@Eh	unknown	unknown	true	unknown
sex.secure-cyber-security.]W'f66PV,PV!EH(Lp65$]W'f:JJPV!PV,E<@@	unknown	unknown	true	unknown
kz.adolfhitler.su.QW'fm66PV,PV!E((es55FU!QW'fNNPV!PV,E@.@@Jr5,kzadolfhitlersunQW'f	unknown	unknown	true	unknown
siegheil.hiter.su.~W'f66PV,PV!E((5/3M5*8~W'fNNPV!PV,E@.@@3M5,H8	unknown	unknown	true	low
siegheil.hiter.su.TW'fD66PV,PV!E((g%45.TW'fJJPV!PV,E<.@@4F..1	unknown	unknown	true	unknown
security.rebirth-network.su.	unknown	unknown	true	unknown
siegheil.hiter.su.TW'fS-66PV,PV!E((f465iTW'f?NNPV!PV,E@.@@J5,hsiegheilhitersunTW'f66PV,PV!E((f4$	unknown	unknown	true	unknown
sex.secure-cyber-security._W'f/66PV,PV!E((.AQ5h_W'fMVVPV!PV,EH@@.jQ54	unknown	unknown	true	low
kz.adolfhitler.su.W'fNr66PV,PV!EH(3[5LW'f*sNNPV!PV,E@"F@@	unknown	unknown	true	unknown
kz.adolfhitler.su.WW'fa%66PV,PV!EH(it5/WW'f-JJPV!PV,E<	unknown	unknown	true	low
sex.secure-cyber-security.]W'f66PV,PV!EH(Ln652~]W'fVVPV!PV,EH^@@	unknown	unknown	true	unknown
kz.adolfhitler.su.W'f,66PV,PV!EH(5U5/W'f-NNPV!PV,E@"l@@	unknown	unknown	true	low
kz.adolfhitler.su.QW'f66PV,PV!E((e55rcQW'fJJPV!PV,E<W.@@@FqN}#QW'f66PV,PV!E((@0F.qP*SW'.NNPV!PV,E@\@@J5,MAsiegheilhitersunTW'fS-6.PV,PV!E((f465i	unknown	unknown	true	unknown
kz.adolfhitler.su.VW'f66PV,PV!EH(v.5-VW'fnNNPV!PV,E@.@@5,kzado.fhitlersunVW'fq]66PV,PV!EH(t57VW'f^NNPV!	unknown	unknown	true	unknown
siegheil.hiter.su.}W'fO66PV,PV!E((/3M58}W'f<QNNPV!PV,E@	unknown	unknown	true	low
siegheil.hiter.su.TW'fS66PV,PV!E((g45STW'fTNNPV!PV,E@	unknown	unknown	true	unknown
sex.secure-cyber-security.\W'f66PV,PV!EH(L165s\W'fVVPV!PV,EH<@@	unknown	unknown	true	unknown
siegheil.hiter.su.~W'f\|!66PV,PV!E((\|/3M58~W'f-#NNPV!PV,E@.@@3M5,Q8siegheilhitersun~W'f'66PV,PV!E((.n3M58~W'fAJJ	unknown	unknown	true	low
siegheil.hiter.su.TW'fW66PV,PV!E((g45?TW'fNNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.NW'f66PV,PV!E((E23;5`NW'fNNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.NW'f#66PV,PV!E((E23;5jNW'f$NNPV!PV,E@	unknown	unknown	true	unknown
sex.secure-cyber-security.\W'fk66PV,PV!EH(LD65\W'fVVPV!PV,EHR@@	unknown	unknown	true	unknown
kz.adolfhitler.su.QW'fY66PV,PV!E((e>45$CQW'fNNPV!PV,E@.@@J5,-kzadolfhitle.sunQW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV	unknown	unknown	true	unknown
kz.adolfhitler.su.YW'f66PV,PV!EH(Y2>Q5}YW'fNNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.W'f66PV,PV!EH(3T5ZW'fNNPV!PV,E@"o@@	unknown	unknown	true	unknown
kz.adolfhitler.su.W'fBBPV!PV,E4[@@[[*gBfP_DS;fQ!W'fyNNNPV!PV,.E@D@	unknown	unknown	true	unknown
kz.adolfhitler.su.W'fneJJPV!PV,E<A@WE l@@HJPINGW'f?+NNPV.PV,E@<@@V[%&5	unknown	unknown	true	unknown
kz.adolfhitler.su.BW'f'CNNPV!PV,E@y@@5,uFWkzadolfhitlersunFW'f.B	unknown	unknown	true	unknown
kz.adolfhitler.su.W'fNNPV!PV,E@4@@[%5,=^b,kzadolfhitlersunW'f3N	unknown	unknown	true	unknown
kz.adolfhitler.su.QW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV	unknown	unknown	true	unknown
kz.adolfhitler.su.LW'ffJJPV!PV,E<@@FU#LW'f`66	unknown	unknown	true	unknown
siegheil.hiter.su.TW'f66PV,PV!E((f4$5 TW'fNNPV!PV,E@.@@J?5,XsiegheilhitersunTW'fW66PV,PV!E((g45?	unknown	unknown	true	unknown
kz.adolfhitler.su.NW'f66PV,PV!E((E23;5NW'fNNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.OW'fR66PV,PV!E((E23;54]OW'fJSJJPV!PV,E<.@@Z3FN[b=#OW'fkK66PV,PV!E((@0FN[.QW'fLNNPV!PV,E@(@@K$5,5kz.adolfhitler.su.QW'fY66PV,PV!E((e>45$CQW'fNNPV!PV,E@.@@J5,-kzadolfhitle.sunQW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV	unknown	unknown	true	unknown
siegheil.hiter.su.~W'f-66PV,PV!E((a/3M58~W'fNNPV!PV,E@.@@3M5,o8siegheilhitersun.~.'f\|!66PV,PV!E((\|/3M58~W'f-#NNPV	unknown	unknown	true	low
kz.adolfhitler.su.W'fNNPV!PV,E@@@Q[%i5,6b,kzadolfhitlersunW'fJ	unknown	unknown	true	unknown
kz.adolfhitler.su.FW'f.BBPV!PV,E4\@@[[*gBfP_SfQGW'fTNNPV!.V,E@}@@h5,XFWkzadolfhitlersunLW'ffJ	unknown	unknown	true	unknown
kz.adolfhitler.su.W'fJJPV!PV,E<C@@FV#W'f66	unknown	unknown	true	unknown
kz.adolfhitler.su.QW'fa66PV,PV!E((e]55QW'fBbNNPV!PV,E@.@@JF5,kzadolfhitlersunQW'.m66PV,PV!E((es55FU!QW'fNNPV!PV,E@A.@Jr5,kzadolfhitlersunQW'f	unknown	unknown	true	unknown
sex.secure-cyber-security.\W'f66PV,PV!EH(L65m\W'fVVPV!PV,EH@@	unknown	unknown	true	unknown
kz.adolfhitler.su.'W'f]BBPV!PV,E4a@@_S[[+T>V48_i+W'frJJPV!PV,.E<D6@	unknown	unknown	true	unknown
kz.adolfhitler.su.YW'f66PV,PV!E((z.BQ5yUYW'f`NNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.YW'fZ66PV,PV!EH(F2>Q5XbYW'faNNPV!PV,E@	unknown	unknown	true	unknown
kz.adolfhitler.su.W'f<NNPV!PV,E@@i@@R[%5,5kzadolfhitlersusW'fBB	unknown	unknown	true	unknown
kz.adolfhitler.su.W'f3NNPV!PV,E@)@@[%e5,wb,kzadolfhitlersunW'fN	unknown	unknown	true	unknown
sex.secure-cyber-security	unknown	unknown	true	unknown
kz.adolfhitler.su.W'fBBPV!PV,E4@@kmP}l0"n.6AW'fS66PV,PV!.EH(	unknown	unknown	true	unknown
kz.adolfhitler.su.ZW'f66PV,PV!E((-CQ5eZW'f!JJPV!PV,E<.@@8nF-If#ZW'.66PV,PV!E((@0F.PZW'fHOBBPV!PV,E4a.@_R[[+T>V48_i\W'fVVPV	unknown	unknown	true	unknown
sex.secure-cyber-security._W'f:M66PV,PV!EH(2=Q5h_W'fNVVPV!PV,EH@@.Q54	unknown	unknown	true	unknown
kz.adolfhitler.su.VW'f66PV,PV!EH(@tm5%VW'fNNPV!PV,E@.@@5,hEkzadolfhitlersun.W'f66PV,PV!EH(kv5xVW'fNN.V!PV,E@I@@/5,[kzadolfhitlersunWW'f.%66PV,PV!EH(it5/WW'f-JJPV!PV,E	unknown	unknown	true	low
kz.adolfhitler.su.NW'fB66PV,PV!E((E23;5NW'f8DNNPV!PV,E@	unknown	unknown	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
212.70.149.14	unknown	Bulgaria	208410	INTERNET-HOSTINGBG	false
212.70.149.10	security.rebirth-network.su	Bulgaria	208410	INTERNET-HOSTINGBG	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
212.70.149.14	UOt98MEVJw.elf	Get hash	malicious	Unknown	Browse	/arm6
	XtpqFYYOsk.elf	Get hash	malicious	Unknown	Browse	/arm7
	M5JK7Pf4NO.elf	Get hash	malicious	Unknown	Browse	/mips
	aIIxWKK5Cm.elf	Get hash	malicious	Unknown	Browse	/mpsl
	Y8ahzapm43.elf	Get hash	malicious	Unknown	Browse	/arm5
212.70.149.10	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.DownLoader.533.23350.4113.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.7014.17279.elf	Get hash	malicious	Mirai	Browse
	SecuriteInfo.com.Linux.DownLoader.523.26836.26051.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.26640.11404.elf	Get hash	malicious	Mirai	Browse
	NLgD8SSCOD.elf	Get hash	malicious	Gafgyt	Browse
	.Sarm7.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	oahFOiuDO1.elf	Get hash	malicious	Unknown	Browse
91.189.91.43	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.DownLoader.533.23350.4113.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.7014.17279.elf	Get hash	malicious	Mirai	Browse
	SecuriteInfo.com.Linux.Siggen.9999.26640.11404.elf	Get hash	malicious	Mirai	Browse
	NLgD8SSCOD.elf	Get hash	malicious	Gafgyt	Browse
	.Sarm7.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	oahFOiuDO1.elf	Get hash	malicious	Unknown	Browse
	vXahA76yEa.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.DownLoader.533.23350.4113.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.7014.17279.elf	Get hash	malicious	Mirai	Browse
	SecuriteInfo.com.Linux.DownLoader.523.26836.26051.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Siggen.9999.26640.11404.elf	Get hash	malicious	Mirai	Browse
	NLgD8SSCOD.elf	Get hash	malicious	Gafgyt	Browse
	.Sarm7.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	oahFOiuDO1.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
security.rebirth-network.su	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse	212.70.149.10
security.rebirth-network.su	ul5RjxwWTK.elf	Get hash	malicious	Unknown	Browse	212.70.149.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.DownLoader.533.23350.4113.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.9999.7014.17279.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	SecuriteInfo.com.Linux.DownLoader.523.26836.26051.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.9999.26640.11404.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	NLgD8SSCOD.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	jdsfl.arm7.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	.Sarm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.DownLoader.533.23350.4113.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.9999.7014.17279.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	SecuriteInfo.com.Linux.DownLoader.523.26836.26051.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	SecuriteInfo.com.Linux.Siggen.9999.26640.11404.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	NLgD8SSCOD.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	jdsfl.arm7.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	.Sarm7.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INIT7CH	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.Linux.DownLoader.533.23350.4113.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.Linux.Siggen.9999.7014.17279.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	SecuriteInfo.com.Linux.DownLoader.523.26836.26051.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.Linux.Siggen.9999.26640.11404.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	NLgD8SSCOD.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	.Sarm7.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	oahFOiuDO1.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
INTERNET-HOSTINGBG	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Get hash	malicious	Mirai	Browse	212.70.149.14
	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse	212.70.149.10
	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	UOt98MEVJw.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	XtpqFYYOsk.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	M5JK7Pf4NO.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	aIIxWKK5Cm.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	Y8ahzapm43.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	CT9oaKX3q3.elf	Get hash	malicious	Unknown	Browse	87.246.7.66
	FPzq69vduv.elf	Get hash	malicious	Unknown	Browse	87.246.7.66
INTERNET-HOSTINGBG	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Get hash	malicious	Mirai	Browse	212.70.149.14
	SecuriteInfo.com.Linux.Siggen.7228.11695.14684.elf	Get hash	malicious	Unknown	Browse	212.70.149.10
	SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	UOt98MEVJw.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	XtpqFYYOsk.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	M5JK7Pf4NO.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	aIIxWKK5Cm.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	Y8ahzapm43.elf	Get hash	malicious	Unknown	Browse	212.70.149.14
	CT9oaKX3q3.elf	Get hash	malicious	Unknown	Browse	87.246.7.66
	FPzq69vduv.elf	Get hash	malicious	Unknown	Browse	87.246.7.66

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.9546741082044505
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
File size:	52'128 bytes
MD5:	05d0269acbc7a252fc62179aef3f9676
SHA1:	7b5376b5a15ade914ad1432e91d0a785435635dd
SHA256:	7501e8af6a2d3e35fa5ef5a3acab845e251bc92b2c97555ef425fbbafa63b9cb
SHA512:	d56b34490d264cade3352b770ad258943d58977c42f0a134cd67eb1238098fbe260a20035a1951521f4cc6e630b916265e5a436d1461aae241205853dab2b84f
SSDEEP:	768:5wZDTurE4A32GS39aYO6nxpL1HZdXPJ+Y6jesuxHQ3AhIwkt9AJgGlzDpGO+e:5w1urE4A3PoER45HZRQYSuxGBxXAVGe
TLSH:	F433F1F5260C06EBF9661235B1AB0BE00F3388706E677D4FEAEAC556C5145D134D7AE0
File Content Preview:	.ELF.....................E.....4.........4. ...(.............@...@.........D.................E...E.....h...h............sfga.......................W.......?.E.h4...@b..) ..]....-!....n's;..1...)..U..wC.:b{.N..0.._....j..q-.S.b..*.p....^#..................

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x45b6c8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x400000	0x400000	0x1000	0x4c244	7.8945	0x6	RW	0x10000
LOAD	0x0	0x450000	0x450000	0xca68	0xca68	7.9564	0x5	R E	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:37:01.019721985 CEST	55764	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:37:01.214608908 CEST	35342	55764	212.70.149.14	192.168.2.23
Apr 23, 2024 08:37:01.951873064 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 23, 2024 08:37:03.231664896 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 23, 2024 08:37:04.073199034 CEST	55766	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:37:04.268450975 CEST	35342	55766	212.70.149.14	192.168.2.23
Apr 23, 2024 08:37:17.309741020 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 23, 2024 08:37:27.548326015 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 23, 2024 08:37:31.291354895 CEST	55768	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:37:31.486609936 CEST	35342	55768	212.70.149.14	192.168.2.23
Apr 23, 2024 08:37:33.691425085 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 23, 2024 08:37:33.932724953 CEST	55770	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:37:34.127729893 CEST	35342	55770	212.70.149.14	192.168.2.23
Apr 23, 2024 08:37:36.938080072 CEST	55772	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:37:37.134257078 CEST	35342	55772	212.70.149.14	192.168.2.23
Apr 23, 2024 08:37:58.263982058 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 23, 2024 08:38:04.157377958 CEST	55774	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:04.352477074 CEST	35342	55774	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:07.152394056 CEST	55776	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:07.346987009 CEST	35342	55776	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:09.792825937 CEST	55778	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:09.987621069 CEST	35342	55778	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:12.438299894 CEST	55780	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:12.633410931 CEST	35342	55780	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:15.077279091 CEST	55782	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:15.272186041 CEST	35342	55782	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:18.195105076 CEST	55784	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:18.390043020 CEST	35342	55784	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:18.741192102 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 23, 2024 08:38:21.231993914 CEST	55786	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:21.427624941 CEST	35342	55786	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:24.354219913 CEST	55788	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:24.549057007 CEST	35342	55788	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:51.572182894 CEST	55790	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:51.767009020 CEST	35342	55790	212.70.149.14	192.168.2.23
Apr 23, 2024 08:38:54.638784885 CEST	55792	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:38:54.833595037 CEST	35342	55792	212.70.149.14	192.168.2.23
Apr 23, 2024 08:39:21.857321024 CEST	55794	35342	192.168.2.23	212.70.149.14
Apr 23, 2024 08:39:22.052244902 CEST	35342	55794	212.70.149.14	192.168.2.23
Apr 23, 2024 08:39:24.238584042 CEST	41854	35342	192.168.2.23	212.70.149.10
Apr 23, 2024 08:39:24.433412075 CEST	35342	41854	212.70.149.10	192.168.2.23
Apr 23, 2024 08:39:24.433873892 CEST	41854	35342	192.168.2.23	212.70.149.10
Apr 23, 2024 08:39:24.435998917 CEST	41854	35342	192.168.2.23	212.70.149.10
Apr 23, 2024 08:39:24.630929947 CEST	35342	41854	212.70.149.10	192.168.2.23
Apr 23, 2024 08:39:24.631125927 CEST	41854	35342	192.168.2.23	212.70.149.10
Apr 23, 2024 08:39:24.825838089 CEST	35342	41854	212.70.149.10	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:37:00.205827951 CEST	57023	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:00.368906975 CEST	53	57023	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:00.370832920 CEST	41342	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:00.530855894 CEST	53	41342	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:00.530967951 CEST	42223	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:00.691401005 CEST	53	42223	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:00.691546917 CEST	35698	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:00.854940891 CEST	53	35698	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:00.855096102 CEST	44064	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:01.018590927 CEST	53	44064	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:03.215104103 CEST	48919	53	192.168.2.23	178.254.22.166
Apr 23, 2024 08:37:03.383570910 CEST	53	48919	178.254.22.166	192.168.2.23
Apr 23, 2024 08:37:03.383922100 CEST	48289	53	192.168.2.23	178.254.22.166
Apr 23, 2024 08:37:03.553550005 CEST	53	48289	178.254.22.166	192.168.2.23
Apr 23, 2024 08:37:03.553770065 CEST	55722	53	192.168.2.23	178.254.22.166
Apr 23, 2024 08:37:03.732379913 CEST	53	55722	178.254.22.166	192.168.2.23
Apr 23, 2024 08:37:03.732548952 CEST	44712	53	192.168.2.23	178.254.22.166
Apr 23, 2024 08:37:03.901050091 CEST	53	44712	178.254.22.166	192.168.2.23
Apr 23, 2024 08:37:03.901271105 CEST	41681	53	192.168.2.23	178.254.22.166
Apr 23, 2024 08:37:04.073013067 CEST	53	41681	178.254.22.166	192.168.2.23
Apr 23, 2024 08:37:06.268757105 CEST	47973	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:37:11.273215055 CEST	40486	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:37:16.277714968 CEST	36087	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:37:21.282233000 CEST	53760	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:37:26.286861897 CEST	46478	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:37:33.486946106 CEST	44936	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:37:33.575762033 CEST	53	44936	134.195.4.2	192.168.2.23
Apr 23, 2024 08:37:33.575910091 CEST	47910	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:37:33.664654016 CEST	53	47910	134.195.4.2	192.168.2.23
Apr 23, 2024 08:37:33.665003061 CEST	37225	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:37:33.754302025 CEST	53	37225	134.195.4.2	192.168.2.23
Apr 23, 2024 08:37:33.754481077 CEST	57467	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:37:33.843307972 CEST	53	57467	134.195.4.2	192.168.2.23
Apr 23, 2024 08:37:33.843544006 CEST	49473	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:37:33.932544947 CEST	53	49473	134.195.4.2	192.168.2.23
Apr 23, 2024 08:37:36.128396034 CEST	45522	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:36.288691044 CEST	53	45522	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:36.288975954 CEST	44504	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:36.448972940 CEST	53	44504	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:36.449203968 CEST	59696	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:36.610331059 CEST	53	59696	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:36.610567093 CEST	58804	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:36.774106026 CEST	53	58804	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:36.774358034 CEST	57680	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:37:36.937861919 CEST	53	57680	51.254.162.59	192.168.2.23
Apr 23, 2024 08:37:39.134449959 CEST	37583	53	192.168.2.23	1.1.1.1
Apr 23, 2024 08:37:44.139081955 CEST	51958	53	192.168.2.23	1.1.1.1
Apr 23, 2024 08:37:49.143667936 CEST	57835	53	192.168.2.23	1.1.1.1
Apr 23, 2024 08:37:54.148262978 CEST	41120	53	192.168.2.23	1.1.1.1
Apr 23, 2024 08:37:59.152828932 CEST	48532	53	192.168.2.23	1.1.1.1
Apr 23, 2024 08:38:06.352891922 CEST	56047	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:38:06.512665033 CEST	53	56047	51.254.162.59	192.168.2.23
Apr 23, 2024 08:38:06.512967110 CEST	32913	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:38:06.672508001 CEST	53	32913	51.254.162.59	192.168.2.23
Apr 23, 2024 08:38:06.672823906 CEST	36343	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:38:06.832411051 CEST	53	36343	51.254.162.59	192.168.2.23
Apr 23, 2024 08:38:06.832638979 CEST	53473	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:38:06.992146969 CEST	53	53473	51.254.162.59	192.168.2.23
Apr 23, 2024 08:38:06.992434978 CEST	35124	53	192.168.2.23	51.254.162.59
Apr 23, 2024 08:38:07.152070045 CEST	53	35124	51.254.162.59	192.168.2.23
Apr 23, 2024 08:38:09.347368956 CEST	44836	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:09.436312914 CEST	53	44836	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:09.436645031 CEST	55303	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:09.525543928 CEST	53	55303	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:09.525764942 CEST	36245	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:09.614806890 CEST	53	36245	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:09.614978075 CEST	60486	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:09.703597069 CEST	53	60486	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:09.703742981 CEST	56690	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:09.792481899 CEST	53	56690	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:11.988317013 CEST	45249	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:12.077138901 CEST	53	45249	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:12.081804037 CEST	38154	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:12.170972109 CEST	53	38154	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:12.171174049 CEST	42303	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:12.259927034 CEST	53	42303	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:12.260257959 CEST	38103	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:12.349139929 CEST	53	38103	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:12.349349976 CEST	50734	53	192.168.2.23	134.195.4.2
Apr 23, 2024 08:38:12.438083887 CEST	53	50734	134.195.4.2	192.168.2.23
Apr 23, 2024 08:38:14.633780003 CEST	51757	53	192.168.2.23	8.8.8.8
Apr 23, 2024 08:38:14.722126961 CEST	53	51757	8.8.8.8	192.168.2.23
Apr 23, 2024 08:38:14.722285986 CEST	35813	53	192.168.2.23	8.8.8.8
Apr 23, 2024 08:38:14.810353041 CEST	53	35813	8.8.8.8	192.168.2.23
Apr 23, 2024 08:38:14.810635090 CEST	50469	53	192.168.2.23	8.8.8.8
Apr 23, 2024 08:38:14.898578882 CEST	53	50469	8.8.8.8	192.168.2.23
Apr 23, 2024 08:38:14.898945093 CEST	53923	53	192.168.2.23	8.8.8.8
Apr 23, 2024 08:38:14.986776114 CEST	53	53923	8.8.8.8	192.168.2.23
Apr 23, 2024 08:38:14.987006903 CEST	57135	53	192.168.2.23	8.8.8.8
Apr 23, 2024 08:38:15.075104952 CEST	53	57135	8.8.8.8	192.168.2.23
Apr 23, 2024 08:38:17.272589922 CEST	37848	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:17.461401939 CEST	53	37848	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:17.461920977 CEST	52925	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:17.651691914 CEST	53	52925	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:17.652055979 CEST	38521	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:17.831685066 CEST	53	38521	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:17.831840038 CEST	51315	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:18.013098001 CEST	53	51315	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:18.013403893 CEST	54117	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:18.194746971 CEST	53	54117	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:20.390595913 CEST	34738	53	192.168.2.23	195.10.195.195
Apr 23, 2024 08:38:20.558585882 CEST	53	34738	195.10.195.195	192.168.2.23
Apr 23, 2024 08:38:20.558849096 CEST	54041	53	192.168.2.23	195.10.195.195
Apr 23, 2024 08:38:20.726454973 CEST	53	54041	195.10.195.195	192.168.2.23
Apr 23, 2024 08:38:20.726701975 CEST	41737	53	192.168.2.23	195.10.195.195
Apr 23, 2024 08:38:20.894826889 CEST	53	41737	195.10.195.195	192.168.2.23
Apr 23, 2024 08:38:20.895001888 CEST	50994	53	192.168.2.23	195.10.195.195
Apr 23, 2024 08:38:21.063225031 CEST	53	50994	195.10.195.195	192.168.2.23
Apr 23, 2024 08:38:21.063426971 CEST	35876	53	192.168.2.23	195.10.195.195
Apr 23, 2024 08:38:21.231611013 CEST	53	35876	195.10.195.195	192.168.2.23
Apr 23, 2024 08:38:23.427989960 CEST	58657	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:23.617257118 CEST	53	58657	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:23.617465973 CEST	46838	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:23.806201935 CEST	53	46838	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:23.806597948 CEST	50636	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:23.986159086 CEST	53	50636	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:23.986444950 CEST	56759	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:24.164601088 CEST	53	56759	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:24.164813995 CEST	33250	53	192.168.2.23	81.169.136.222
Apr 23, 2024 08:38:24.353857040 CEST	53	33250	81.169.136.222	192.168.2.23
Apr 23, 2024 08:38:26.549436092 CEST	46656	53	192.168.2.23	94.16.114.254
Apr 23, 2024 08:38:31.553945065 CEST	48061	53	192.168.2.23	94.16.114.254
Apr 23, 2024 08:38:36.558619976 CEST	40552	53	192.168.2.23	94.16.114.254
Apr 23, 2024 08:38:41.563102007 CEST	40363	53	192.168.2.23	94.16.114.254
Apr 23, 2024 08:38:46.567655087 CEST	45212	53	192.168.2.23	94.16.114.254
Apr 23, 2024 08:38:53.767502069 CEST	49115	53	192.168.2.23	51.77.149.139
Apr 23, 2024 08:38:53.937925100 CEST	53	49115	51.77.149.139	192.168.2.23
Apr 23, 2024 08:38:53.938299894 CEST	33322	53	192.168.2.23	51.77.149.139
Apr 23, 2024 08:38:54.124631882 CEST	53	33322	51.77.149.139	192.168.2.23
Apr 23, 2024 08:38:54.124851942 CEST	48634	53	192.168.2.23	51.77.149.139
Apr 23, 2024 08:38:54.297772884 CEST	53	48634	51.77.149.139	192.168.2.23
Apr 23, 2024 08:38:54.298439026 CEST	38623	53	192.168.2.23	51.77.149.139
Apr 23, 2024 08:38:54.467324018 CEST	53	38623	51.77.149.139	192.168.2.23
Apr 23, 2024 08:38:54.467756987 CEST	46267	53	192.168.2.23	51.77.149.139
Apr 23, 2024 08:38:54.638503075 CEST	53	46267	51.77.149.139	192.168.2.23
Apr 23, 2024 08:38:56.833980083 CEST	55896	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:39:01.838566065 CEST	55827	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:39:06.843570948 CEST	41061	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:39:11.847855091 CEST	50020	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:39:16.852495909 CEST	57705	53	192.168.2.23	91.217.137.37
Apr 23, 2024 08:39:24.053260088 CEST	54028	53	192.168.2.23	8.8.8.8
Apr 23, 2024 08:39:24.235625982 CEST	53	54028	8.8.8.8	192.168.2.23

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 23, 2024 08:37:06.812397957 CEST	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable
Apr 23, 2024 08:38:26.920032024 CEST	192.168.2.23	192.168.2.1	8283	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 08:37:00.205827951 CEST	192.168.2.23	51.254.162.59	0x2022	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.370832920 CEST	192.168.2.23	51.254.162.59	0x2022	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.530967951 CEST	192.168.2.23	51.254.162.59	0x2022	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.691546917 CEST	192.168.2.23	51.254.162.59	0x2022	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.855096102 CEST	192.168.2.23	51.254.162.59	0x2022	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:03.215104103 CEST	192.168.2.23	178.254.22.166	0xe980	Standard query (0)	kz.adolfhitler.su.W'fBBPV!PV,E4@@kmP}l0"n.6AW'fS66PV,PV!.EH(	13585	4961	false
Apr 23, 2024 08:37:03.383922100 CEST	192.168.2.23	178.254.22.166	0xe980	Standard query (0)	kz.adolfhitler.su.W'fNr66PV,PV!EH(3[5LW'f*sNNPV!PV,E@"F@@	960	43010	false
Apr 23, 2024 08:37:03.553770065 CEST	192.168.2.23	178.254.22.166	0xe980	Standard query (0)	kz.adolfhitler.su.W'f,66PV,PV!EH(5U5/W'f-NNPV!PV,E@"l@@	56768	43010	false
Apr 23, 2024 08:37:03.732548952 CEST	192.168.2.23	178.254.22.166	0xe980	Standard query (0)	kz.adolfhitler.su.W'f66PV,PV!EH(3T5ZW'fNNPV!PV,E@"o@@	56000	43010	false
Apr 23, 2024 08:37:03.901271105 CEST	192.168.2.23	178.254.22.166	0xe980	Standard query (0)	kz.adolfhitler.su.W'f566PV,PV!EH(4)5eW'fJJPV!PV,E<l@@	61120	43010	false
Apr 23, 2024 08:37:06.268757105 CEST	192.168.2.23	91.217.137.37	0x35bc	Standard query (0)	kz.adolfhitler.su.W'fneJJPV!PV,E<A@WE l@@HJPINGW'f?+NNPV.PV,E@<@@V[%&5	11424	47925	false
Apr 23, 2024 08:37:11.273215055 CEST	192.168.2.23	91.217.137.37	0x35bc	Standard query (0)	kz.adolfhitler.su.W'f<NNPV!PV,E@@i@@R[%5,5kzadolfhitlersusW'fBB	20566	42785	false
Apr 23, 2024 08:37:16.277714968 CEST	192.168.2.23	91.217.137.37	0x35bc	Standard query (0)	kz.adolfhitler.su.W'fBBPV!PV,E4[@@[[*gBfP_DS;fQ!W'fyNNNPV!PV,.E@D@	16401	20005	false
Apr 23, 2024 08:37:21.282233000 CEST	192.168.2.23	91.217.137.37	0x35bc	Standard query (0)	kz.adolfhitler.su.&W'f`NNPV!PV,E@EO@@M[%5,S5kzadolfhitlersus'W'f]BB	20566	42785	false
Apr 23, 2024 08:37:26.286861897 CEST	192.168.2.23	91.217.137.37	0x35bc	Standard query (0)	kz.adolfhitler.su.'W'f]BBPV!PV,E4a@@_S[[+T>V48_i+W'frJJPV!PV,.E<D6@	16390	51825	false
Apr 23, 2024 08:37:33.486946106 CEST	192.168.2.23	134.195.4.2	0xc918	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.575910091 CEST	192.168.2.23	134.195.4.2	0xc918	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.665003061 CEST	192.168.2.23	134.195.4.2	0xc918	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.754481077 CEST	192.168.2.23	134.195.4.2	0xc918	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.843544006 CEST	192.168.2.23	134.195.4.2	0xc918	Standard query (0)	sex.secure-cyber-security	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:36.128396034 CEST	192.168.2.23	51.254.162.59	0xa476	Standard query (0)	security.rebirth-network.su.	256	304	false
Apr 23, 2024 08:37:36.288975954 CEST	192.168.2.23	51.254.162.59	0xa476	Standard query (0)	security.rebirth-network.su.	256	304	false
Apr 23, 2024 08:37:36.449203968 CEST	192.168.2.23	51.254.162.59	0xa476	Standard query (0)	security.rebirth-network.su.	256	304	false
Apr 23, 2024 08:37:36.610567093 CEST	192.168.2.23	51.254.162.59	0xa476	Standard query (0)	security.rebirth-network.su.	256	304	false
Apr 23, 2024 08:37:36.774358034 CEST	192.168.2.23	51.254.162.59	0xa476	Standard query (0)	security.rebirth-network.su.	256	304	false
Apr 23, 2024 08:37:39.134449959 CEST	192.168.2.23	1.1.1.1	0x4657	Standard query (0)	kz.adolfhitler.su.8W'fJNNPV!PV,E@t@@Q5,KMFWkzadolfhitlersun=W'f41N	19968	0	false
Apr 23, 2024 08:37:44.139081955 CEST	192.168.2.23	1.1.1.1	0x4657	Standard query (0)	kz.adolfhitler.su.=W'f41NNPV!PV,E@t@@#5,4XFWkzadolfhitlersunBW'f'CN	19968	0	false
Apr 23, 2024 08:37:49.143667936 CEST	192.168.2.23	1.1.1.1	0x4657	Standard query (0)	kz.adolfhitler.su.BW'f'CNNPV!PV,E@y@@5,uFWkzadolfhitlersunFW'f.B	16896	0	false
Apr 23, 2024 08:37:54.148262978 CEST	192.168.2.23	1.1.1.1	0x4657	Standard query (0)	kz.adolfhitler.su.FW'f.BBPV!PV,E4\@@[[*gBfP_SfQGW'fTNNPV!.V,E@}@@h5,XFWkzadolfhitlersunLW'ffJ	74	0	false
Apr 23, 2024 08:37:59.152828932 CEST	192.168.2.23	1.1.1.1	0x4657	Standard query (0)	kz.adolfhitler.su.LW'ffJJPV!PV,E<@@FU#LW'f`66	80	22168	false
Apr 23, 2024 08:38:06.352891922 CEST	192.168.2.23	51.254.162.59	0xaa04	Standard query (0)	kz.adolfhitler.su.NW'f66PV,PV!E((E23;5`NW'fNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:06.512967110 CEST	192.168.2.23	51.254.162.59	0xaa04	Standard query (0)	kz.adolfhitler.su.NW'fB66PV,PV!E((E23;5NW'f8DNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:06.672823906 CEST	192.168.2.23	51.254.162.59	0xaa04	Standard query (0)	kz.adolfhitler.su.NW'f66PV,PV!E((E23;5NW'fNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:06.832638979 CEST	192.168.2.23	51.254.162.59	0xaa04	Standard query (0)	kz.adolfhitler.su.NW'f#66PV,PV!E((E23;5jNW'f$NNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:06.992434978 CEST	192.168.2.23	51.254.162.59	0xaa04	Standard query (0)	kz.adolfhitler.su.OW'fR66PV,PV!E((E23;54]OW'fJSJJPV!PV,E<.@@Z3FN[b=#OW'fkK66PV,PV!E((@0FN[.QW'fLNNPV!PV,E@(@@K$5,5kz.adolfhitler.su.QW'fY66PV,PV!E((e>45$CQW'fNNPV!PV,E@.@@J5,-kzadolfhitle.sunQW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV	8469	80	false
Apr 23, 2024 08:38:09.347368956 CEST	192.168.2.23	134.195.4.2	0xefa2	Standard query (0)	kz.adolfhitler.su.QW'fY66PV,PV!E((e>45$CQW'fNNPV!PV,E@.@@J5,-kzadolfhitle.sunQW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV	8469	80	false
Apr 23, 2024 08:38:09.436645031 CEST	192.168.2.23	134.195.4.2	0xefa2	Standard query (0)	kz.adolfhitler.su.QW'f66PV,PV!E((eM45i`QW'fNNPV!PV,E@.@@J5,Vkzadolfhitlersun.W'fa66PV,PV!E((e]55QW'fBbN.PV!PV,E@=@@JF5,kzadolfhitlersun..Q.'fm66PV,PV!E((es55FU!QW'fNNPV	8469	80	false
Apr 23, 2024 08:38:09.525764942 CEST	192.168.2.23	134.195.4.2	0xefa2	Standard query (0)	kz.adolfhitler.su.QW'fa66PV,PV!E((e]55QW'fBbNNPV!PV,E@.@@JF5,kzadolfhitlersunQW'.m66PV,PV!E((es55FU!QW'fNNPV!PV,E@A.@Jr5,kzadolfhitlersunQW'f	13824	0	false
Apr 23, 2024 08:38:09.614978075 CEST	192.168.2.23	134.195.4.2	0xefa2	Standard query (0)	kz.adolfhitler.su.QW'fm66PV,PV!E((es55FU!QW'fNNPV!PV,E@.@@Jr5,kzadolfhitlersunQW'f	13824	0	false
Apr 23, 2024 08:38:09.703742981 CEST	192.168.2.23	134.195.4.2	0xefa2	Standard query (0)	kz.adolfhitler.su.QW'f66PV,PV!E((e55rcQW'fJJPV!PV,E<W.@@@FqN}#QW'f66PV,PV!E((@0F.qP*SW'.NNPV!PV,E@\@@J5,MAsiegheilhitersunTW'fS-6.PV,PV!E((f465i	0	21591	false
Apr 23, 2024 08:38:11.988317013 CEST	192.168.2.23	134.195.4.2	0xd7df	Standard query (0)	siegheil.hiter.su.TW'fS-66PV,PV!E((f465iTW'f?NNPV!PV,E@.@@J5,hsiegheilhitersunTW'f66PV,PV!E((f4$	535	53	false
Apr 23, 2024 08:38:12.081804037 CEST	192.168.2.23	134.195.4.2	0xd7df	Standard query (0)	siegheil.hiter.su.TW'f66PV,PV!E((f4$5 TW'fNNPV!PV,E@.@@J?5,XsiegheilhitersunTW'fW66PV,PV!E((g45?	84	22311	false
Apr 23, 2024 08:38:12.171174049 CEST	192.168.2.23	134.195.4.2	0xd7df	Standard query (0)	siegheil.hiter.su.TW'fW66PV,PV!E((g45?TW'fNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:12.260257959 CEST	192.168.2.23	134.195.4.2	0xd7df	Standard query (0)	siegheil.hiter.su.TW'fS66PV,PV!E((g45STW'fTNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:12.349349976 CEST	192.168.2.23	134.195.4.2	0xd7df	Standard query (0)	siegheil.hiter.su.TW'fD66PV,PV!E((g%45.TW'fJJPV!PV,E<.@@4F..1	61630	1536	false
Apr 23, 2024 08:38:14.633780003 CEST	192.168.2.23	8.8.8.8	0x13a4	Standard query (0)	kz.adolfhitler.su.VW'f66PV,PV!EH(v.5-VW'fnNNPV!PV,E@.@@5,kzado.fhitlersunVW'fq]66PV,PV!EH(t57VW'f^NNPV!	20566	39057	false
Apr 23, 2024 08:38:14.722285986 CEST	192.168.2.23	8.8.8.8	0x13a4	Standard query (0)	kz.adolfhitler.su.VW'fq]66PV,PV!EH(t57VW'f^NNPV!PV,E@.@@%5,ukzadolfhitle.sunVW'f66PV,PV!EH(@tm5%VW'fNNPV!PV,E@.@@5,hEkzadolfhitlersun.W'f66PV,PV!EH(kv5xVW'fNN.V!PV,E@I@@/5,[kzadolfhitlersunWW'f.%66PV,PV!EH(it5/WW'f-JJPV!PV,E	15585	56896	false
Apr 23, 2024 08:38:14.810635090 CEST	192.168.2.23	8.8.8.8	0x13a4	Standard query (0)	kz.adolfhitler.su.VW'f66PV,PV!EH(@tm5%VW'fNNPV!PV,E@.@@5,hEkzadolfhitlersun.W'f66PV,PV!EH(kv5xVW'fNN.V!PV,E@I@@/5,[kzadolfhitlersunWW'f.%66PV,PV!EH(it5/WW'f-JJPV!PV,E	15585	56896	false
Apr 23, 2024 08:38:14.898945093 CEST	192.168.2.23	8.8.8.8	0x13a4	Standard query (0)	kz.adolfhitler.su.VW'f66PV,PV!EH(kv5xVW'fNNPV!PV,E@.@@/5,[kzadolfhitlersunWW'fa%66	80	22168	false
Apr 23, 2024 08:38:14.987006903 CEST	192.168.2.23	8.8.8.8	0x13a4	Standard query (0)	kz.adolfhitler.su.WW'fa%66PV,PV!EH(it5/WW'f-JJPV!PV,E<	16384	16390	false
Apr 23, 2024 08:38:17.272589922 CEST	192.168.2.23	81.169.136.222	0xf50d	Standard query (0)	kz.adolfhitler.su.YW'fZ66PV,PV!EH(F2>Q5XbYW'faNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:17.461920977 CEST	192.168.2.23	81.169.136.222	0xf50d	Standard query (0)	kz.adolfhitler.su.YW'f66PV,PV!EH(Y2>Q5}YW'fNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:17.652055979 CEST	192.168.2.23	81.169.136.222	0xf50d	Standard query (0)	kz.adolfhitler.su.YW'f66PV,PV!E((z.BQ5yUYW'f`NNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:17.831840038 CEST	192.168.2.23	81.169.136.222	0xf50d	Standard query (0)	kz.adolfhitler.su.ZW'f*366PV,PV!E((.BQ5s#ZW'f\4NNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:18.013403893 CEST	192.168.2.23	81.169.136.222	0xf50d	Standard query (0)	kz.adolfhitler.su.ZW'f66PV,PV!E((-CQ5eZW'f!JJPV!PV,E<.@@8nF-If#ZW'.66PV,PV!E((@0F.PZW'fHOBBPV!PV,E4a.@_R[[+T>V48_i\W'fVVPV	8469	80	false
Apr 23, 2024 08:38:20.390595913 CEST	192.168.2.23	195.10.195.195	0xeee1	Standard query (0)	sex.secure-cyber-security.\W'f66PV,PV!EH(L65m\W'fVVPV!PV,EH@@	64704	43010	false
Apr 23, 2024 08:38:20.558849096 CEST	192.168.2.23	195.10.195.195	0xeee1	Standard query (0)	sex.secure-cyber-security.\W'f66PV,PV!EH(L165s\W'fVVPV!PV,EH<@@	56256	43010	false
Apr 23, 2024 08:38:20.726701975 CEST	192.168.2.23	195.10.195.195	0xeee1	Standard query (0)	sex.secure-cyber-security.\W'fk66PV,PV!EH(LD65\W'fVVPV!PV,EHR@@	50624	43010	false
Apr 23, 2024 08:38:20.895001888 CEST	192.168.2.23	195.10.195.195	0xeee1	Standard query (0)	sex.secure-cyber-security.]W'f66PV,PV!EH(Ln652~]W'fVVPV!PV,EH^@@	47552	43010	false
Apr 23, 2024 08:38:21.063426971 CEST	192.168.2.23	195.10.195.195	0xeee1	Standard query (0)	sex.secure-cyber-security.]W'f66PV,PV!EH(Lp65$]W'f:JJPV!PV,E<@@	62656	43010	false
Apr 23, 2024 08:38:23.427989960 CEST	192.168.2.23	81.169.136.222	0x9b68	Standard query (0)	sex.secure-cyber-security._W'f)k66PV,PV!EH(g2=Q5!`h_W'fkVVPV!PV,EH@@.Q54.hsexsecure-cyber-securitys_W'f:M66PV,PV!EH(2=Q5h_W'fNV	0	22016	false
Apr 23, 2024 08:38:23.617465973 CEST	192.168.2.23	81.169.136.222	0x9b68	Standard query (0)	sex.secure-cyber-security._W'f:M66PV,PV!EH(2=Q5h_W'fNVVPV!PV,EH@@.Q54	39784	256	false
Apr 23, 2024 08:38:23.806597948 CEST	192.168.2.23	81.169.136.222	0x9b68	Standard query (0)	sex.secure-cyber-security._W'f/66PV,PV!E((.AQ5h_W'fMVVPV!PV,EH@@.jQ54	39784	256	false
Apr 23, 2024 08:38:23.986444950 CEST	192.168.2.23	81.169.136.222	0x9b68	Standard query (0)	sex.secure-cyber-security.`W'f66PV,PV!E((.AQ5h(h`W'fVVPV!PV,EH@@.iQ54	39784	256	false
Apr 23, 2024 08:38:24.164813995 CEST	192.168.2.23	81.169.136.222	0x9b68	Standard query (0)	sex.secure-cyber-security.`W'fAf66PV,PV!EH(2=PQ5h`W'fgJJPV!PV,E<@@.FnY:n#`W'f`66PV,PV!E((@0FnY;P+bW.f<bWWPV!PV,EIan@@Eh	43010	5982	false
Apr 23, 2024 08:38:26.549436092 CEST	192.168.2.23	94.16.114.254	0x4404	Standard query (0)	security.rebirth-network.su	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:31.553945065 CEST	192.168.2.23	94.16.114.254	0x4404	Standard query (0)	security.rebirth-network.su	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:36.558619976 CEST	192.168.2.23	94.16.114.254	0x4404	Standard query (0)	security.rebirth-network.su	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:41.563102007 CEST	192.168.2.23	94.16.114.254	0x4404	Standard query (0)	security.rebirth-network.su	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:46.567655087 CEST	192.168.2.23	94.16.114.254	0x4404	Standard query (0)	security.rebirth-network.su	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:53.767502069 CEST	192.168.2.23	51.77.149.139	0x9138	Standard query (0)	siegheil.hiter.su.}W'fO66PV,PV!E((/3M58}W'f<QNNPV!PV,E@	16384	16401	false
Apr 23, 2024 08:38:53.938299894 CEST	192.168.2.23	51.77.149.139	0x9138	Standard query (0)	siegheil.hiter.su.~W'f66PV,PV!E((5/3M5*8~W'fNNPV!PV,E@.@@3M5,H8	A (IP address)	0	false
Apr 23, 2024 08:38:54.124851942 CEST	192.168.2.23	51.77.149.139	0x9138	Standard query (0)	siegheil.hiter.su.~W'f-66PV,PV!E((a/3M58~W'fNNPV!PV,E@.@@3M5,o8siegheilhitersun.~.'f\|!66PV,PV!E((\|/3M58~W'f-#NNPV	8469	80	false
Apr 23, 2024 08:38:54.298439026 CEST	192.168.2.23	51.77.149.139	0x9138	Standard query (0)	siegheil.hiter.su.~W'f\|!66PV,PV!E((\|/3M58~W'f-#NNPV!PV,E@.@@3M5,Q8siegheilhitersun~W'f'66PV,PV!E((.n3M58~W'fAJJ	20566	42785	false
Apr 23, 2024 08:38:54.467756987 CEST	192.168.2.23	51.77.149.139	0x9138	Standard query (0)	siegheil.hiter.su.~W'f'66PV,PV!E((/n3M58~W'fAJJPV!PV,E<r	16384	16390	false
Apr 23, 2024 08:38:56.833980083 CEST	192.168.2.23	91.217.137.37	0x622c	Standard query (0)	kz.adolfhitler.su.W'fNNPV!PV,E@4@@[%5,=^b,kzadolfhitlersunW'f3N	19968	0	false
Apr 23, 2024 08:39:01.838566065 CEST	192.168.2.23	91.217.137.37	0x622c	Standard query (0)	kz.adolfhitler.su.W'f3NNPV!PV,E@)@@[%e5,wb,kzadolfhitlersunW'fN	19968	0	false
Apr 23, 2024 08:39:06.843570948 CEST	192.168.2.23	91.217.137.37	0x622c	Standard query (0)	kz.adolfhitler.su.W'fNNPV!PV,E@ @@[%d5,Tb,kzadolfhitlersunW'fN	19968	0	false
Apr 23, 2024 08:39:11.847855091 CEST	192.168.2.23	91.217.137.37	0x622c	Standard query (0)	kz.adolfhitler.su.W'fNNPV!PV,E@@@Q[%i5,6b,kzadolfhitlersunW'fJ	18944	0	false
Apr 23, 2024 08:39:16.852495909 CEST	192.168.2.23	91.217.137.37	0x622c	Standard query (0)	kz.adolfhitler.su.W'fJJPV!PV,E<C@@FV#W'f66	80	22168	false
Apr 23, 2024 08:39:24.053260088 CEST	192.168.2.23	8.8.8.8	0x2f05	Standard query (0)	security.rebirth-network.su	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 08:37:00.368906975 CEST	51.254.162.59	192.168.2.23	0x2022	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.530855894 CEST	51.254.162.59	192.168.2.23	0x2022	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.691401005 CEST	51.254.162.59	192.168.2.23	0x2022	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:00.854940891 CEST	51.254.162.59	192.168.2.23	0x2022	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:01.018590927 CEST	51.254.162.59	192.168.2.23	0x2022	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.575762033 CEST	134.195.4.2	192.168.2.23	0xc918	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.664654016 CEST	134.195.4.2	192.168.2.23	0xc918	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.754302025 CEST	134.195.4.2	192.168.2.23	0xc918	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.843307972 CEST	134.195.4.2	192.168.2.23	0xc918	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:37:33.932544947 CEST	134.195.4.2	192.168.2.23	0xc918	Name error (3)	sex.secure-cyber-security	none	none	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:39:24.235625982 CEST	8.8.8.8	192.168.2.23	0x2f05	No error (0)	security.rebirth-network.su		212.70.149.10	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6219, Parent PID: 6135

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Arguments:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6221, Parent PID: 6219

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6223, Parent PID: 6221

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6224, Parent PID: 6221

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6226, Parent PID: 6221

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6229, Parent PID: 6221

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: systemd PID: 6231, Parent PID: 1

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: journalctl PID: 6231, Parent PID: 1

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/bin/journalctl
Arguments:	/usr/bin/journalctl --smart-relinquish-var
File size:	80120 bytes
MD5 hash:	bf3a987344f3bacafc44efd882abda8b

Chronological Activities

Analysis Process: systemd PID: 6252, Parent PID: 1

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: dbus-daemon PID: 6252, Parent PID: 1

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/bin/dbus-daemon
Arguments:	/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Chronological Activities

Analysis Process: gdm3 PID: 6265, Parent PID: 1320

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6265, Parent PID: 1320

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gvfsd-fuse PID: 6267, Parent PID: 2038

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Chronological Activities

Analysis Process: fusermount PID: 6267, Parent PID: 2038

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/bin/fusermount
Arguments:	fusermount -u -q -z -- /run/user/1000/gvfs
File size:	39144 bytes
MD5 hash:	576a1b135c82bdcbc97a91acea900566

Chronological Activities

Analysis Process: systemd PID: 6268, Parent PID: 1

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: rsyslogd PID: 6268, Parent PID: 1

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/sbin/rsyslogd
Arguments:	/usr/sbin/rsyslogd -n -iNONE
File size:	727248 bytes
MD5 hash:	0b8087fc907c42eb3c81a691db258e33

Chronological Activities

Analysis Process: gdm3 PID: 6271, Parent PID: 1320

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6271, Parent PID: 1320

General

Start time (UTC):	06:36:59
Start date (UTC):	23/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 6274, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-journald PID: 6274, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/lib/systemd/systemd-journald
Arguments:	/lib/systemd/systemd-journald
File size:	162032 bytes
MD5 hash:	474667ece6cecb5e04c6eb897a1d0d9e

Chronological Activities

Analysis Process: systemd PID: 6275, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: dbus-daemon PID: 6275, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/bin/dbus-daemon
Arguments:	/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Chronological Activities

Analysis Process: gdm3 PID: 6276, Parent PID: 1320

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6276, Parent PID: 1320

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 6277, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-journald PID: 6277, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/lib/systemd/systemd-journald
Arguments:	/lib/systemd/systemd-journald
File size:	162032 bytes
MD5 hash:	474667ece6cecb5e04c6eb897a1d0d9e

Chronological Activities

Analysis Process: systemd PID: 6278, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: rsyslogd PID: 6278, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/sbin/rsyslogd
Arguments:	/usr/sbin/rsyslogd -n -iNONE
File size:	727248 bytes
MD5 hash:	0b8087fc907c42eb3c81a691db258e33

Chronological Activities

Analysis Process: systemd PID: 6280, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: dbus-daemon PID: 6280, Parent PID: 1

General

Start time (UTC):	06:37:00
Start date (UTC):	23/04/2024
Path:	/usr/bin/dbus-daemon
Arguments:	/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Chronological Activities

Analysis Process: systemd PID: 6281, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-journald PID: 6281, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/lib/systemd/systemd-journald
Arguments:	/lib/systemd/systemd-journald
File size:	162032 bytes
MD5 hash:	474667ece6cecb5e04c6eb897a1d0d9e

Chronological Activities

Analysis Process: systemd PID: 6282, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: dbus-daemon PID: 6282, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/bin/dbus-daemon
Arguments:	/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Chronological Activities

Analysis Process: systemd PID: 6283, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: rsyslogd PID: 6283, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/sbin/rsyslogd
Arguments:	/usr/sbin/rsyslogd -n -iNONE
File size:	727248 bytes
MD5 hash:	0b8087fc907c42eb3c81a691db258e33

Chronological Activities

Analysis Process: systemd PID: 6285, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-journald PID: 6285, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/lib/systemd/systemd-journald
Arguments:	/lib/systemd/systemd-journald
File size:	162032 bytes
MD5 hash:	474667ece6cecb5e04c6eb897a1d0d9e

Chronological Activities

Analysis Process: systemd PID: 6286, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: dbus-daemon PID: 6286, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/bin/dbus-daemon
Arguments:	/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
File size:	249032 bytes
MD5 hash:	3089d47e3f3ab84cd81c48fd406d7a8c

Chronological Activities

Analysis Process: systemd PID: 6287, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-journald PID: 6287, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/lib/systemd/systemd-journald
Arguments:	/lib/systemd/systemd-journald
File size:	162032 bytes
MD5 hash:	474667ece6cecb5e04c6eb897a1d0d9e

Chronological Activities

Analysis Process: systemd PID: 6288, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: rsyslogd PID: 6288, Parent PID: 1

General

Start time (UTC):	06:37:01
Start date (UTC):	23/04/2024
Path:	/usr/sbin/rsyslogd
Arguments:	/usr/sbin/rsyslogd -n -iNONE
File size:	727248 bytes
MD5 hash:	0b8087fc907c42eb3c81a691db258e33

Chronological Activities

Analysis Process: systemd PID: 6292, Parent PID: 1

General

Start time (UTC):	06:37:02
Start date (UTC):	23/04/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: rsyslogd PID: 6292, Parent PID: 1

General

Start time (UTC):	06:37:02
Start date (UTC):	23/04/2024
Path:	/usr/sbin/rsyslogd
Arguments:	/usr/sbin/rsyslogd -n -iNONE
File size:	727248 bytes
MD5 hash:	0b8087fc907c42eb3c81a691db258e33

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6219, Parent PID: 6135

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6221, Parent PID: 6219

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6223, Parent PID: 6221

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6224, Parent PID: 6221

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6226, Parent PID: 6221

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf PID: 6229, Parent PID: 6221

General

Chronological Activities

Analysis Process: systemd PID: 6231, Parent PID: 1

General

Chronological Activities

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.7232.1376.786.elf