Edit tour

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf

Overview

General Information

Sample name:	SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Analysis ID:	1431615
MD5:	04d13cfaf7676bf680eba4e671030af9
SHA1:	5d78b935337aa43430e7376335a1bf75a8773ac0
SHA256:	51d6f3ebab00dac8430a22fb253425205a9e3b353a4f7ed90f534af7d55edd73
Tags:	elf
Infos:

Detection

Mirai

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431615
Start date and time:	2024-04-25 14:35:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/0@105/0

Runtime Messages

Command:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
PID:	5494
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5494, Parent: 5414, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf

SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf New Fork (PID: 5496, Parent: 5494)

SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf New Fork (PID: 5498, Parent: 5494)

SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf New Fork (PID: 5500, Parent: 5494)

SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf New Fork (PID: 5502, Parent: 5500)

SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf New Fork (PID: 5504, Parent: 5500)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5494.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5494.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5494.1.00007f0640017000.00007f064002e000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x157e8:$x1: POST /cdn-cgi/ 0x15b6c:$s1: LCOGQGPTGP
5494.1.00007f0640017000.00007f064002e000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x157e8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5496.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5496.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5496.1.00007f0640017000.00007f064002e000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x157e8:$x1: POST /cdn-cgi/ 0x15b6c:$s1: LCOGQGPTGP
5496.1.00007f0640017000.00007f064002e000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x157e8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5498.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5498.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5498.1.00007f0640017000.00007f064002e000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x157e8:$x1: POST /cdn-cgi/ 0x15b6c:$s1: LCOGQGPTGP
5498.1.00007f0640017000.00007f064002e000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x157e8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5504.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5504.1.00007f0640017000.00007f064002e000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5504.1.00007f0640017000.00007f064002e000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x157e8:$x1: POST /cdn-cgi/ 0x15b6c:$s1: LCOGQGPTGP
5504.1.00007f0640017000.00007f064002e000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x157e8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5494	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5496	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5498	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Click to see the 14 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf	Virustotal: Detection: 55%			Perma Link
Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf	ReversingLabs: Detection: 67%

Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5494)	Socket: 127.0.0.1::29103	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::23	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::81	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::8443	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::9009	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::1337	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::13883	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::19481	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::4444	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	Socket: 0.0.0.0::9789	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::81	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::8443	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::9009	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::1337	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::13883	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::19481	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::4444	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	Socket: 0.0.0.0::9789	Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: www.sushiking.world

Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5494.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5494.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5496.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5496.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5498.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5498.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5504.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5504.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	SIGKILL sent: pid: 940, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	SIGKILL sent: pid: 5496, result: successful	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	SIGKILL sent: pid: 767, result: successful	Jump to behavior

Source: 5494.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5494.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5496.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5496.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5498.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5498.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5504.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5504.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/0@105/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/490/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/791/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/794/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/795/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/853/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/780/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/661/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/782/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/940/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/767/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/888/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/725/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/769/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/726/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/803/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/806/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/807/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5496)	File opened: /proc/928/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3244/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1583/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2672/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3120/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3120/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3361/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3239/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1577/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1577/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1610/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1610/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1299/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1299/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3235/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/512/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/514/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/519/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2946/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2946/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/917/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3134/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3134/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1593/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1593/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3011/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3011/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3094/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3094/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2955/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2955/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3406/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1589/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1589/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3129/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3129/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1588/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/1588/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3402/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3125/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3125/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3246/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3245/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/767/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/767/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/767/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/800/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/888/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/888/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/888/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/801/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/769/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/769/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/769/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/803/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/803/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/803/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/806/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/806/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/806/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/807/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/807/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/807/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/928/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/928/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/928/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2956/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/2956/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3420/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/490/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/490/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/490/exe	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3142/fd	Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5502)	File opened: /proc/3142/exe	Jump to behavior

Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf

Submission file: segment LOAD with 7.9594 entropy (max. 8.0)

Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf (PID: 5494)

Queries kernel information via 'uname':

Jump to behavior

Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5494.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5496.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5498.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5504.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5494.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5496.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5498.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5504.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp	Binary or memory string: _U!/etc/qemu-binfmt/arm
Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5494.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5496.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5498.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5504.1.0000555fcfd5d000.0000555fcff2b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5494.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5496.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5498.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf, 5504.1.00007ffe8b864000.00007ffe8b885000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5494.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5496.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5498.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5504.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5494, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5498, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5494.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5496.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5498.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5504.1.00007f0640017000.00007f064002e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5494, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5498, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf	56%	Virustotal		Browse
SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf	68%	ReversingLabs	Linux.Trojan.Mirai
SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf	100%	Avira	ANDROID/Mirai.xofdu

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.sushiking.world	8%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sushiking.world	unknown	unknown	false	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.110.48.149	unknown	Germany		57287	OTAVANET-ASCZ	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
79.110.48.149	TGIQpNxMb0.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OTAVANET-ASCZ	TGIQpNxMb0.elf	Get hash	malicious	Mirai	Browse	79.110.48.149
	skid.arm7.elf	Get hash	malicious	Mirai	Browse	79.110.49.174
	HROFrIvvVk.elf	Get hash	malicious	Mirai	Browse	79.110.49.195
	https://79.110.48.52/nicko.vbs	Get hash	malicious	Unknown	Browse	79.110.48.52
	PO_1100620230526.pdf(39kb).exe	Get hash	malicious	Remcos, RedLine, XpertRAT	Browse	79.110.48.151
	https://prc-homes.uk/wp-images/26738903/content/Security_on_your_card_account.html	Get hash	malicious	HTMLPhisher	Browse	79.110.48.18
	https://towntalkeg.com/wp-images/108373893032/Security_on_your_card_account.html	Get hash	malicious	HTMLPhisher	Browse	79.110.48.18
	0xc2s.x86.elf	Get hash	malicious	Unknown	Browse	79.110.48.91
	oWlBd5huKm.elf	Get hash	malicious	Unknown	Browse	79.110.48.116
	JSJRrcfx4B.elf	Get hash	malicious	Unknown	Browse	79.110.48.116

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.976446472256899
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
File size:	50'460 bytes
MD5:	04d13cfaf7676bf680eba4e671030af9
SHA1:	5d78b935337aa43430e7376335a1bf75a8773ac0
SHA256:	51d6f3ebab00dac8430a22fb253425205a9e3b353a4f7ed90f534af7d55edd73
SHA512:	44f6ae9f831f1dfecedc2bde4de461833d59fd3932f308f231dceeb52c7598ed29b00c25eee430a05b90bdfb7af70b0dd980f8ea9d530b9387e171d97d9385f9
SSDEEP:	768:DZZ1zSsAK2yJ9o8ZEQDnRsent7j/rI4Jnkfw9q3UELn7u1ygpowQNd26f2FRsYDy:DFzSFKv9j7Rsent7zZM5Ln7TC6QRsWkP
TLSH:	FB330138B0AB6AE39BB0731DC9E603D35E1DD73CB0A63D374411495E6B9111ABBE0987
File Content Preview:	.ELF..............(.........4...........4. ...(.....................................................................Q.td............................>. NUPX!....................j..........?.E.h;....#..$...o......4Y.....;G%H........)..%lD....3Y!...t...{.G_.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0xf8a0
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x8a8d	0x8a8d	7.9594	0x5	R E	0x8000
LOAD	0x1c1c	0x29c1c	0x29c1c	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 14:35:53.221513987 CEST	36940	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:35:53.516166925 CEST	80	36940	79.110.48.149	192.168.2.14
Apr 25, 2024 14:35:55.073951006 CEST	36942	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:35:55.373740911 CEST	80	36942	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:02.926868916 CEST	36944	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:03.225589991 CEST	80	36944	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:10.776891947 CEST	36946	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:11.075622082 CEST	80	36946	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:16.627656937 CEST	36948	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:16.923572063 CEST	80	36948	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:24.475373983 CEST	36950	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:24.769792080 CEST	80	36950	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:35.322810888 CEST	36952	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:35.642338991 CEST	80	36952	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:40.198215008 CEST	36954	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:40.489336014 CEST	80	36954	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:44.043971062 CEST	36956	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:44.363492966 CEST	80	36956	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:52.916291952 CEST	36958	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:53.212347031 CEST	80	36958	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:55.764997005 CEST	36960	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:56.085493088 CEST	80	36960	79.110.48.149	192.168.2.14
Apr 25, 2024 14:36:58.637823105 CEST	36962	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:36:58.932538986 CEST	80	36962	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:06.485517025 CEST	36964	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:06.781955957 CEST	80	36964	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:12.337038994 CEST	36966	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:12.631704092 CEST	80	36966	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:17.183814049 CEST	36968	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:17.479438066 CEST	80	36968	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:21.035142899 CEST	36970	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:21.330399990 CEST	80	36970	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:31.883419037 CEST	36972	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:32.175193071 CEST	80	36972	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:39.727855921 CEST	36974	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:40.023392916 CEST	80	36974	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:44.580938101 CEST	36976	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:44.876032114 CEST	80	36976	79.110.48.149	192.168.2.14
Apr 25, 2024 14:37:51.428133011 CEST	36978	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:37:51.722697973 CEST	80	36978	79.110.48.149	192.168.2.14
Apr 25, 2024 14:38:01.275347948 CEST	36980	80	192.168.2.14	79.110.48.149
Apr 25, 2024 14:38:01.574548006 CEST	80	36980	79.110.48.149	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 14:35:52.667831898 CEST	52469	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:52.778768063 CEST	53	52469	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:52.779138088 CEST	45049	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:52.889297962 CEST	53	45049	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:52.889434099 CEST	47605	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:52.999655962 CEST	53	47605	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:52.999883890 CEST	39392	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:53.111185074 CEST	53	39392	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:53.111275911 CEST	41524	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:53.221158028 CEST	53	41524	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:54.516706944 CEST	53393	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:54.628700018 CEST	53	53393	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:54.628849030 CEST	43840	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:54.738866091 CEST	53	43840	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:54.738976002 CEST	34655	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:54.849262953 CEST	53	34655	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:54.849375963 CEST	37646	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:54.963306904 CEST	53	37646	8.8.8.8	192.168.2.14
Apr 25, 2024 14:35:54.963421106 CEST	51223	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:35:55.073767900 CEST	53	51223	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:02.373811960 CEST	44179	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:02.484035969 CEST	53	44179	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:02.484457016 CEST	49757	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:02.595824003 CEST	53	49757	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:02.596172094 CEST	60042	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:02.705996990 CEST	53	60042	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:02.706309080 CEST	50738	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:02.816265106 CEST	53	50738	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:02.816673040 CEST	39400	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:02.926618099 CEST	53	39400	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:10.225701094 CEST	59267	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:10.335484982 CEST	53	59267	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:10.335918903 CEST	39232	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:10.445992947 CEST	53	39232	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:10.446274042 CEST	36226	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:10.556318045 CEST	53	36226	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:10.556606054 CEST	42420	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:10.666426897 CEST	53	42420	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:10.666670084 CEST	45965	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:10.776696920 CEST	53	45965	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:16.075803041 CEST	50136	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:16.186052084 CEST	53	50136	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:16.186295986 CEST	53101	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:16.296236992 CEST	53	53101	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:16.296513081 CEST	59364	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:16.406744957 CEST	53	59364	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:16.407121897 CEST	34816	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:16.517071962 CEST	53	34816	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:16.517321110 CEST	47712	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:16.627244949 CEST	53	47712	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:23.923671961 CEST	33484	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:24.033617020 CEST	53	33484	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:24.033878088 CEST	58873	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:24.143893003 CEST	53	58873	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:24.144242048 CEST	35998	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:24.254231930 CEST	53	35998	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:24.254693031 CEST	49071	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:24.364819050 CEST	53	49071	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:24.365025997 CEST	58988	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:24.475192070 CEST	53	58988	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:34.769927979 CEST	42123	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:34.880193949 CEST	53	42123	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:34.880707026 CEST	38691	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:34.990986109 CEST	53	38691	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:34.991344929 CEST	45682	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:35.101419926 CEST	53	45682	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:35.101799965 CEST	57294	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:35.211910009 CEST	53	57294	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:35.212380886 CEST	49712	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:35.322513103 CEST	53	49712	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:39.642592907 CEST	46146	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:39.753504992 CEST	53	46146	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:39.753741026 CEST	41725	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:39.864743948 CEST	53	41725	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:39.865118027 CEST	48539	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:39.976707935 CEST	53	48539	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:39.976999044 CEST	38881	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:40.087167025 CEST	53	38881	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:40.087718964 CEST	57153	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:40.197959900 CEST	53	57153	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:43.489700079 CEST	47105	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:43.599848986 CEST	53	47105	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:43.600148916 CEST	56982	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:43.710405111 CEST	53	56982	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:43.710794926 CEST	45615	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:43.821178913 CEST	53	45615	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:43.821305037 CEST	56163	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:43.931778908 CEST	53	56163	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:43.932028055 CEST	33440	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:44.043735027 CEST	53	33440	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:52.363703012 CEST	49727	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:52.474004030 CEST	53	49727	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:52.474282026 CEST	47892	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:52.584362984 CEST	53	47892	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:52.585081100 CEST	51081	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:52.695110083 CEST	53	51081	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:52.695348024 CEST	49603	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:52.805581093 CEST	53	49603	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:52.805814028 CEST	43303	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:52.916052103 CEST	53	43303	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:55.212709904 CEST	39601	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:55.322877884 CEST	53	39601	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:55.323045969 CEST	50398	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:55.433415890 CEST	53	50398	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:55.433780909 CEST	40361	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:55.543982983 CEST	53	40361	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:55.544241905 CEST	53083	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:55.654165983 CEST	53	53083	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:55.654519081 CEST	34540	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:55.764712095 CEST	53	34540	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:58.085813999 CEST	40356	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:58.196177959 CEST	53	40356	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:58.196366072 CEST	45774	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:58.306366920 CEST	53	45774	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:58.306726933 CEST	46198	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:58.416826963 CEST	53	46198	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:58.417012930 CEST	57361	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:58.527149916 CEST	53	57361	8.8.8.8	192.168.2.14
Apr 25, 2024 14:36:58.527309895 CEST	49628	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:36:58.637516975 CEST	53	49628	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:05.932672977 CEST	45560	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:06.043242931 CEST	53	45560	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:06.043417931 CEST	55502	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:06.153645039 CEST	53	55502	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:06.153891087 CEST	60956	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:06.264126062 CEST	53	60956	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:06.264405012 CEST	37460	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:06.374516964 CEST	53	37460	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:06.374989033 CEST	53532	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:06.485299110 CEST	53	53532	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:11.782170057 CEST	45822	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:11.892780066 CEST	53	45822	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:11.892983913 CEST	51533	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:12.003513098 CEST	53	51533	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:12.003731966 CEST	37763	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:12.114222050 CEST	53	37763	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:12.114449978 CEST	44948	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:12.224642992 CEST	53	44948	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:12.224869967 CEST	45521	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:12.336755037 CEST	53	45521	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:16.631946087 CEST	56903	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:16.742044926 CEST	53	56903	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:16.742271900 CEST	48600	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:16.852586031 CEST	53	48600	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:16.852829933 CEST	54863	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:16.962939978 CEST	53	54863	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:16.963259935 CEST	40981	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:17.073307991 CEST	53	40981	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:17.073538065 CEST	43932	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:17.183480024 CEST	53	43932	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:20.479739904 CEST	46367	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:20.589993954 CEST	53	46367	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:20.590285063 CEST	56964	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:20.700437069 CEST	53	56964	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:20.700660944 CEST	60682	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:20.810822964 CEST	53	60682	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:20.810986042 CEST	36197	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:20.922671080 CEST	53	36197	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:20.922801971 CEST	35251	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:21.034940004 CEST	53	35251	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:31.330609083 CEST	39788	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:31.440759897 CEST	53	39788	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:31.441097021 CEST	56948	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:31.551213026 CEST	53	56948	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:31.551711082 CEST	42388	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:31.661969900 CEST	53	42388	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:31.662432909 CEST	49574	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:31.772448063 CEST	53	49574	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:31.772984982 CEST	52984	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:31.883054018 CEST	53	52984	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:39.175451040 CEST	41364	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:39.285665035 CEST	53	41364	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:39.285955906 CEST	42071	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:39.396229029 CEST	53	42071	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:39.396469116 CEST	59005	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:39.506727934 CEST	53	59005	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:39.506943941 CEST	52969	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:39.617127895 CEST	53	52969	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:39.617381096 CEST	36095	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:39.727497101 CEST	53	36095	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:44.023943901 CEST	54801	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:44.134335041 CEST	53	54801	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:44.134815931 CEST	43644	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:44.245012045 CEST	53	43644	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:44.245371103 CEST	58392	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:44.355616093 CEST	53	58392	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:44.355856895 CEST	40990	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:44.470136881 CEST	53	40990	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:44.470386028 CEST	47704	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:44.580620050 CEST	53	47704	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:50.876216888 CEST	58350	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:50.986176014 CEST	53	58350	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:50.986282110 CEST	46347	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:51.096446991 CEST	53	46347	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:51.096741915 CEST	32942	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:51.206861019 CEST	53	32942	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:51.207231045 CEST	51193	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:51.317447901 CEST	53	51193	8.8.8.8	192.168.2.14
Apr 25, 2024 14:37:51.317687988 CEST	43612	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:37:51.427803040 CEST	53	43612	8.8.8.8	192.168.2.14
Apr 25, 2024 14:38:00.722796917 CEST	54187	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:38:00.833091974 CEST	53	54187	8.8.8.8	192.168.2.14
Apr 25, 2024 14:38:00.833425999 CEST	55910	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:38:00.943792105 CEST	53	55910	8.8.8.8	192.168.2.14
Apr 25, 2024 14:38:00.944044113 CEST	46409	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:38:01.054092884 CEST	53	46409	8.8.8.8	192.168.2.14
Apr 25, 2024 14:38:01.054349899 CEST	34737	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:38:01.164469004 CEST	53	34737	8.8.8.8	192.168.2.14
Apr 25, 2024 14:38:01.164791107 CEST	33343	53	192.168.2.14	8.8.8.8
Apr 25, 2024 14:38:01.275115967 CEST	53	33343	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 14:35:52.667831898 CEST	192.168.2.14	8.8.8.8	0x1fb5	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:52.779138088 CEST	192.168.2.14	8.8.8.8	0x1fb5	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:52.889434099 CEST	192.168.2.14	8.8.8.8	0x1fb5	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:52.999883890 CEST	192.168.2.14	8.8.8.8	0x1fb5	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:53.111275911 CEST	192.168.2.14	8.8.8.8	0x1fb5	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:54.516706944 CEST	192.168.2.14	8.8.8.8	0x97d	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:54.628849030 CEST	192.168.2.14	8.8.8.8	0x97d	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:54.738976002 CEST	192.168.2.14	8.8.8.8	0x97d	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:54.849375963 CEST	192.168.2.14	8.8.8.8	0x97d	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:35:54.963421106 CEST	192.168.2.14	8.8.8.8	0x97d	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:02.373811960 CEST	192.168.2.14	8.8.8.8	0xea56	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:02.484457016 CEST	192.168.2.14	8.8.8.8	0xea56	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:02.596172094 CEST	192.168.2.14	8.8.8.8	0xea56	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:02.706309080 CEST	192.168.2.14	8.8.8.8	0xea56	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:02.816673040 CEST	192.168.2.14	8.8.8.8	0xea56	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:10.225701094 CEST	192.168.2.14	8.8.8.8	0xbea	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:10.335918903 CEST	192.168.2.14	8.8.8.8	0xbea	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:10.446274042 CEST	192.168.2.14	8.8.8.8	0xbea	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:10.556606054 CEST	192.168.2.14	8.8.8.8	0xbea	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:10.666670084 CEST	192.168.2.14	8.8.8.8	0xbea	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:16.075803041 CEST	192.168.2.14	8.8.8.8	0x621	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:16.186295986 CEST	192.168.2.14	8.8.8.8	0x621	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:16.296513081 CEST	192.168.2.14	8.8.8.8	0x621	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:16.407121897 CEST	192.168.2.14	8.8.8.8	0x621	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:16.517321110 CEST	192.168.2.14	8.8.8.8	0x621	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:23.923671961 CEST	192.168.2.14	8.8.8.8	0x4b90	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:24.033878088 CEST	192.168.2.14	8.8.8.8	0x4b90	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:24.144242048 CEST	192.168.2.14	8.8.8.8	0x4b90	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:24.254693031 CEST	192.168.2.14	8.8.8.8	0x4b90	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:24.365025997 CEST	192.168.2.14	8.8.8.8	0x4b90	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:34.769927979 CEST	192.168.2.14	8.8.8.8	0x9782	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:34.880707026 CEST	192.168.2.14	8.8.8.8	0x9782	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:34.991344929 CEST	192.168.2.14	8.8.8.8	0x9782	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:35.101799965 CEST	192.168.2.14	8.8.8.8	0x9782	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:35.212380886 CEST	192.168.2.14	8.8.8.8	0x9782	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:39.642592907 CEST	192.168.2.14	8.8.8.8	0x7f8e	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:39.753741026 CEST	192.168.2.14	8.8.8.8	0x7f8e	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:39.865118027 CEST	192.168.2.14	8.8.8.8	0x7f8e	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:39.976999044 CEST	192.168.2.14	8.8.8.8	0x7f8e	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:40.087718964 CEST	192.168.2.14	8.8.8.8	0x7f8e	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:43.489700079 CEST	192.168.2.14	8.8.8.8	0xa929	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:43.600148916 CEST	192.168.2.14	8.8.8.8	0xa929	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:43.710794926 CEST	192.168.2.14	8.8.8.8	0xa929	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:43.821305037 CEST	192.168.2.14	8.8.8.8	0xa929	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:43.932028055 CEST	192.168.2.14	8.8.8.8	0xa929	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:52.363703012 CEST	192.168.2.14	8.8.8.8	0x7103	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:52.474282026 CEST	192.168.2.14	8.8.8.8	0x7103	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:52.585081100 CEST	192.168.2.14	8.8.8.8	0x7103	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:52.695348024 CEST	192.168.2.14	8.8.8.8	0x7103	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:52.805814028 CEST	192.168.2.14	8.8.8.8	0x7103	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:55.212709904 CEST	192.168.2.14	8.8.8.8	0x4e5c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:55.323045969 CEST	192.168.2.14	8.8.8.8	0x4e5c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:55.433780909 CEST	192.168.2.14	8.8.8.8	0x4e5c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:55.544241905 CEST	192.168.2.14	8.8.8.8	0x4e5c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:55.654519081 CEST	192.168.2.14	8.8.8.8	0x4e5c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:58.085813999 CEST	192.168.2.14	8.8.8.8	0xc599	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:58.196366072 CEST	192.168.2.14	8.8.8.8	0xc599	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:58.306726933 CEST	192.168.2.14	8.8.8.8	0xc599	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:58.417012930 CEST	192.168.2.14	8.8.8.8	0xc599	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:36:58.527309895 CEST	192.168.2.14	8.8.8.8	0xc599	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:05.932672977 CEST	192.168.2.14	8.8.8.8	0x1d2b	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:06.043417931 CEST	192.168.2.14	8.8.8.8	0x1d2b	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:06.153891087 CEST	192.168.2.14	8.8.8.8	0x1d2b	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:06.264405012 CEST	192.168.2.14	8.8.8.8	0x1d2b	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:06.374989033 CEST	192.168.2.14	8.8.8.8	0x1d2b	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:11.782170057 CEST	192.168.2.14	8.8.8.8	0x3f7c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:11.892983913 CEST	192.168.2.14	8.8.8.8	0x3f7c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:12.003731966 CEST	192.168.2.14	8.8.8.8	0x3f7c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:12.114449978 CEST	192.168.2.14	8.8.8.8	0x3f7c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:12.224869967 CEST	192.168.2.14	8.8.8.8	0x3f7c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:16.631946087 CEST	192.168.2.14	8.8.8.8	0x5446	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:16.742271900 CEST	192.168.2.14	8.8.8.8	0x5446	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:16.852829933 CEST	192.168.2.14	8.8.8.8	0x5446	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:16.963259935 CEST	192.168.2.14	8.8.8.8	0x5446	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:17.073538065 CEST	192.168.2.14	8.8.8.8	0x5446	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:20.479739904 CEST	192.168.2.14	8.8.8.8	0x6e6c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:20.590285063 CEST	192.168.2.14	8.8.8.8	0x6e6c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:20.700660944 CEST	192.168.2.14	8.8.8.8	0x6e6c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:20.810986042 CEST	192.168.2.14	8.8.8.8	0x6e6c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:20.922801971 CEST	192.168.2.14	8.8.8.8	0x6e6c	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:31.330609083 CEST	192.168.2.14	8.8.8.8	0x4668	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:31.441097021 CEST	192.168.2.14	8.8.8.8	0x4668	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:31.551711082 CEST	192.168.2.14	8.8.8.8	0x4668	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:31.662432909 CEST	192.168.2.14	8.8.8.8	0x4668	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:31.772984982 CEST	192.168.2.14	8.8.8.8	0x4668	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:39.175451040 CEST	192.168.2.14	8.8.8.8	0xe36f	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:39.285955906 CEST	192.168.2.14	8.8.8.8	0xe36f	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:39.396469116 CEST	192.168.2.14	8.8.8.8	0xe36f	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:39.506943941 CEST	192.168.2.14	8.8.8.8	0xe36f	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:39.617381096 CEST	192.168.2.14	8.8.8.8	0xe36f	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:44.023943901 CEST	192.168.2.14	8.8.8.8	0xcab7	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:44.134815931 CEST	192.168.2.14	8.8.8.8	0xcab7	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:44.245371103 CEST	192.168.2.14	8.8.8.8	0xcab7	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:44.355856895 CEST	192.168.2.14	8.8.8.8	0xcab7	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:44.470386028 CEST	192.168.2.14	8.8.8.8	0xcab7	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:50.876216888 CEST	192.168.2.14	8.8.8.8	0xb767	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:50.986282110 CEST	192.168.2.14	8.8.8.8	0xb767	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:51.096741915 CEST	192.168.2.14	8.8.8.8	0xb767	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:51.207231045 CEST	192.168.2.14	8.8.8.8	0xb767	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:37:51.317687988 CEST	192.168.2.14	8.8.8.8	0xb767	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:38:00.722796917 CEST	192.168.2.14	8.8.8.8	0xf202	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:38:00.833425999 CEST	192.168.2.14	8.8.8.8	0xf202	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:38:00.944044113 CEST	192.168.2.14	8.8.8.8	0xf202	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:38:01.054349899 CEST	192.168.2.14	8.8.8.8	0xf202	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:38:01.164791107 CEST	192.168.2.14	8.8.8.8	0xf202	Standard query (0)	www.sushiking.world	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5494, Parent PID: 5414

General

Start time (UTC):	12:35:51
Start date (UTC):	25/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Arguments:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5496, Parent PID: 5494

General

Start time (UTC):	12:35:51
Start date (UTC):	25/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5498, Parent PID: 5494

General

Start time (UTC):	12:35:51
Start date (UTC):	25/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5500, Parent PID: 5494

General

Start time (UTC):	12:35:51
Start date (UTC):	25/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5502, Parent PID: 5500

General

Start time (UTC):	12:35:51
Start date (UTC):	25/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5504, Parent PID: 5500

General

Start time (UTC):	12:35:51
Start date (UTC):	25/04/2024
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

System Behavior

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5494, Parent PID: 5414

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5496, Parent PID: 5494

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5498, Parent PID: 5494

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5500, Parent PID: 5494

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5502, Parent PID: 5500

General

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf PID: 5504, Parent PID: 5500

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.23595.2512.elf